Fed Stimulus Offers Carrots to Doctors Going Digital, but HITECH Wields Sticks

Federal financial incentives amounting to as much as $44,000 per practice over the next two years have certainly increased physician interest in electronic health records, but many doctors remain daunted by the sheer variety of EHR systems and the practical challenges of implementation.

Further, new and more restrictive security regulations may quell their newfound enthusiasm for EHRs.

The American Recovery & Reinvestment Act (aka “the stimulus package”) allocated more than $20 billion for development and expansion of health care information technology (HIT). Roughly $17 billion will go directly to physicians and hospitals to implement EHR systems. These incentives will be dispensed via Medicare and Medicaid to practices that become “meaningful EHR users” by 2015.

HIT Overdrive

The stimulus money has thrown the EHR/HIT industry into overdrive, hence the astonishing number of systems on display at conferences like the Medical Group Management Association’s annual meeting. Sessions on how to capitalize on ARRA incentives and how to select EHRs were big draws at MGMA, and also at the American Academy of Family Physicians’ scientific assembly.

Doctors who want to go digital confront many unknowns. Among them are the precise definition of “meaningful user” and the federal criteria for qualifying EHR systems. Incentive payments will only be made to practices that choose certified “meaningful use” systems.

At the end of December, the Centers for Medicare and Medicaid Services released its long-awaited proposal for meaningful use, in an exhaustive 700-page HIT “master plan.” Medical organizations are struggling to make sense of it, and EHR developers are scrambling to comply. Many doctors are simply watching and waiting. No one wants to get stuck with an EHR system that ends up not qualifying for the federal programs.

“On the one hand, it’s good to wait. On the other hand, if you wait too long, you may not qualify for all the federal funds in years 1 and 2, which is when the bulk of the money is going to be spent. Total disbursement starts to drop off after 2013,” explained David Kibbe, MD, at an EHR session at the AAFP conference.

Dr. Kibbe, a Pittsboro, NC, family physician and AAFP senior advisor on health IT, advises doing as much due diligence as possible on a wide variety of systems. “Select a few you like and talk to the vendors. Find out what they’re doing to make sure they will be certified as meaningful use systems.”

Finding Guidance

Primary care organizations can provide guidance, offering physicians an array of tools for evaluating IT companies, implementing systems, and taking advantage of the stimulus dollars. The AAFP’s Center for Health Information Technology (http://www.centerforhit.org/) includes frequent regulatory updates, practice assessment tools, and vendor evaluation guidelines.

Recently, AAFP subsidiary TransforMED teamed up with Welch Allyn, a leading manufacturer of frontline diagnostic tools, on a consulting program called EHR Preparation and Selection Services. The program guides you through the complex process of EHR vendor selection.

“Most medical practices have neither the time nor resources to properly prepare,” said Jay Mangicaro, senior manager, Integrated Partners, at Welch Allyn. “Our new EHR Preparation and Selection Services program offers an optimal mix of expert consulting, an easy-to-follow project plan, and an intuitive online tool that addresses the challenges associated with selecting an EHR vendor.”

The service will be particularly valuable if you plan to seek “Patient Centered Medical Home” designation. According to TransforMED’s CEO, Dr. Terry McGeeney, “EHR selection and implementation are fundamental steps toward becoming a medical home. We at TransforMED are pleased to collaborate with Welch Allyn on a product that will ease the frustration and uncertainty associated with selecting and successfully implementing this technology.” (Dr. McGeeney will be a keynote speaker at HPC’s upcoming Heal Thy Practice conference, June 10-13 in Charlotte, NC. Visit www.holisticprimarycare.net for more info.)

HIPAA on Steroids

The stimulus incentives will, no doubt, encourage more solo and small group practitioners to get into EHR, but the new Health Information Technology for Economic and Clinical Health Act (HITECH) could be a big buzz-kill.

HITECH, slated for implementation over the next 3 months, imposes significant—some would say onerous—responsibility on medical practices in the event of a breach of protected personal health information (PHI).

Think of HITECH as a turbo-charged HIPAA, said Gerry Hinkley, partner with Davis Wright Tremaine, a San Francisco law firm specializing in HIT.

“The statutes giveth, and the regulations taketh away,” said Mr. Hinkley of the conflicting relationships between ARRA’s carrots and HITECH’s sticks. HITECH covers many IT issues, but the most worrisome to the average practitioner are those pertaining to security breaches, said Mr. Hinkley, speaking at the MGMA’s annual meeting.

Under HITECH, if an EHR security breach occurs, the medical practice must notify each individual whose PHI has been accessed, modified, or inappropriately disclosed as soon as possible, but definitely within 60 days. The practice must also post information on its website indicating that a breach has occurred.

If the breach potentially affects more than 500 residents of a state, the practice must notify local newspapers and other media, as well as the office of the secretary of Health & Human Services in Washington, DC.

“You need to state what happened, when, when it was discovered, the specifics of what was breached, what course of action affected patients have, and what you are doing to mitigate the damage,” said Mr. Hinkley. These rules have actually been in effect since late September, but enforcement won’t start until March.

Who Determines Harm?

The law defines “breach” as unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of PHI and carries significant risk of financial, reputational or other harm to the subjects of the record(s) in question.

Currently, determination of “harm” rests with the medical practice. But Mr. Hinkley expects that to change. “A lot of congressmen are of the mind that it is the patient who should determine what constitutes harm.”

The regs do distinguish between mistaken access to a patient’s health record by an authorized medical professional, and intentional access by an unauthorized individual. The former is not considered a breach, while the latter is punishable. “This is really about preventing leakage of sensitive information to unauthorized persons,” he said in defense of the rules.

“Oh, No! I Lost My Blackberry…”

So, if you lose a PDA or laptop containing patient health records, must you call the local news and the secretary of HHS?

That depends on how well the information is encrypted. If the patient files can be opened easily, then yes, losing your PDA constitutes a breach. But if the records are properly encrypted and password-protected, the PHI remains protected even if the device itself ends up in unauthorized hands, and the loss is not treated as a breach.

“You really need to talk to your (EMR system) vendors about how they encrypt patient data,” Mr. Hinkley advised.

Emails and text messages between you and your patients could be considered personal health information subject to the breach rules. Fortunately, it’s easy to minimize risk by confining all your e-communications with patients to secure online portals rather than ordinary emails or text messages.

Your Brother’s Keeper

HITECH extends a practice’s PHI security responsibility to all “business associates.” That includes other clinics, vendors, health information exchanges, regional health information organizations, e-prescribing gateways, IT vendors, and any other entities sending or receiving sensitive information. Associates are required to quickly report potential breaches to you, but the burden is on you to ensure that associates are in compliance.

That means all your contracts—especially new ones—need to have language addressing PHI security and insisting on compliance with HIPAA and HITECH. Under the new rules, you are your associates’ keeper.

Both HIPAA and HITECH stipulate that exchange of PHI must be for “meaningful use,” and that only the “minimum necessary” amount of information should be transferred. Currently, the disclosing party determines what is “minimum necessary” information in a given clinical situation. But there could be serious penalties if that determination is contested.

Meaningful Minimum

Mr. Hinkley said that both “minimum necessary” and “meaningful use” are vaguely defined in the existing law, leaving a lot of room for interpretation … and risk. “If you act unreasonably as far as disclosing more information than is necessary, there’s some significant enforcement risk.”

Medical groups and healthcare IT organizations are pushing HHS to clarify the terms “minimum necessary” and “meaningful use,” so that the ground rules and boundaries are well defined. Mr. Hinkley said to expect clearer definitions over the next 6 months. He does not expect the Fed to start enforcing this aspect of HITECH until late summer 2010.

Will Patients Hold the Reins?

Under the new laws, patients have the right to “individually requested privacy restrictions.” Specifically, they have the right to prohibit a practice from disclosing any information to insurers about any self-pay services.

The rule is an effort to protect patients from insurance company abuses around preexisting or potentially high-risk conditions. For example, a patient now has the right to pay out of pocket for an HIV test and know that his or her status will not be reported to an insurer that might cut coverage or hike the premiums if the patient were found to be HIV-positive.

Expect heavy HHS enforcement of privacy restriction rights, Mr. Hinkley said. “The Office of Civil Rights in HHS will step up efforts to make the public aware of this. It applies to anything a patient wants to do outside the scope of a health plan. So you will need to have procedures to document these requests and policies about how you’re going to manage them.”

HITECH’s Sharp Teeth

Penalties for breaches of PHI and other HIPAA/HITECH violations are significant, ranging from $50,000 to $1.5 million per violation if judges deem that “willful neglect” was involved. But even “unknowing” violations can cost as much as $25,000 per incident. This does not include any criminal penalties associated with violations.

Mr. Hinkley said to expect significantly ramped-up enforcement of HIPAA & HITECH beginning this spring. “This is a great time to do a ‘HIPAA compliance tune-up.’ Go back and review your EMR system and all your practice procedures, talk to your vendors, and make sure everything is in compliance.”