While 80 percent of the industry obsesses over the technology pieces of HITECH, savvy lawyers like Verrill Dana’s Kate Healy know the privacy and security regulations are every bit as important. Why? Because breaches now carry much heavier burdens for the health systems in which they occur, requiring notification of local news outlets and allowing state attorneys general to bring suits on behalf of the aggrieved. Recently, HCI Editor-in-Chief Anthony Guerra had a chance to chat with Healy about what CIOs need to know about HITECH’s security side.
AG: Give me a brief overview of your firm and the services you’re providing to hospitals in this space.
KH: Our firm is a large multi-specialty firm, and I am a partner in the healthcare industry group at Verrill Dana, and I’m also the chair of the health technology group. My entire practice is focused on providing legal advice to a wide variety of healthcare organizations, and that includes hospitals and physician groups, and I also represent the statewide health information exchange in Maine called HealthInfoNet.
In terms of the services that we provide specifically to hospitals, we do provide a wide range, and I, in particular, provide regulatory compliance advice and health information technology advice, including advising clients about compliance with, and the application of, both privacy and security standards. That’s a brief overview.
AG: Tell me what the stimulus has done to your business, but more importantly, what it’s done to the healthcare industry. Has it created a beehive of activity, is there an incredible amount of curiosity, are people lawyering up because they know they're going to need lawyers for doing big deals with vendors?
KH: I think that the HITECH Act (and of course, it’s been a little over two months since the act was actually signed by President Obama), I think that it has prodded people to push their EHR systems further and take a hard look at whether they will begin to meet the requirements for meaningful use under the act so that they can actually get the incentive payments that are contemplated under the act. I think that it’s a little too soon to say whether everyone is lawyering up, but I certainly see and have requests already for advice and review of existing business associate agreements, and I think that that has only begun.
AG: So it’s definitely stimulating the economy in one way.
KH: It is, it’s stimulating the economy, and I think it’s prodding people to move forward with projects that had otherwise been put on hold.
AG: What would you say is the overview of the act, sort of ‘HITECH For Dummies’ that our readers should know about? I think they do know the basic outline, but I want to make sure we’re not missing anything that you think is important.
KH: I think the big picture is that the HITECH Act includes both new opportunities and responsibilities in the area of health information technology. And the opportunities are the incentive payments, and those incentive payments for hospitals really begin in 2011. Hospital CIOs should know that beginning roughly on Oct. 1, 2010, they should be prepared to have their organization meet the requirement of meaningful use of certified electronic health records.
In order to do that, they need to demonstrate that they're using electronic health records in a meaningful way; that standard has yet to be really fleshed out. They also need to be able to connect the electronic health record in a manner that provides for the electronic exchange of health information to improve quality of care. That has implications, I think, for systems to look at exchanging health information across care continuums. I think that they also need to be prepared to participate and provide clinical quality reports to the secretary of HHS; that will also be required. They need to be on the lookout for the issuance of initial standards and implementation specifications and certification criteria for electronic health records.
Those, we hope, will be coming out by Dec. 31, 2009. They also need to know that the standards for meaningful use will really evolve. So as they approach their vendor contracts, they need to consult with legal counsel and obtain vendors’ agreement to work with them, so that they continue to meet the standards that are issued, so the hospitals can continue to receive incentive payments.
AG: So you would say that people cannot wait until Dec. 31; they have to get some idea in their head of what meaningful use is and start working towards it?
KH: Yes. I think they need to assess what the current status of their electronic health record capability is, and then they need to get an idea of where they need to go. They need to develop a plan for bringing their systems up to speed, so they need to start making contact with legal counsel now, and their vendors.
They also need to be mindful of the other provisions in the act. They need to be mindful that there will be financial penalties that will begin in 2015 if the standards aren’t met, and I don’t think there has been a lot of discussion about the penalties. There are additional responsibilities.
As you may know, business associates are organizations that actually perform a function or activity involving the use or disclosure of Protected Health Information on behalf of organizations, like hospitals, or provide certain services to them. They now will be subject to a number of the requirements under the privacy and security provisions of HIPAA as a result of the HITECH Act. There has been clarification that certain new organizations, such as health information exchanges and e-prescribing gateways and personal health record vendors all meet the definition of business associates. These entities will need to take a look at their operations and now comply with certain privacy and security standards.
In addition to that, business associates are going to be required to notify hospitals of a data breach. Hospitals will need to look at their existing business associate agreements and actually tailor them to meet the notification requirements. Business associates also have to comply with the administrative, physical, and technical requirements of the privacy and security standards, and they need to use and disclose Protected Health Information in compliance with the privacy provisions of existing business associate agreements.
In addition to that, business associates will now be subject to civil and criminal enforcement, and that is new. I think that the notification of breach requirements for both covered entities and business associates will require hospitals to make adjustments and start planning now how they’ll respond to a breach of security of Protected Health Information, because they only have 60 days from the time of a breach to notify an affected individual of the breach. They can't really wait until the breach occurs because they’ll be scrambling in order to figure out how to proceed at that point in time. I think that’s going to be a big change as well for both covered entities, that is hospitals, and for business associates.
The accounting of disclosures requirement is also potentially a big change, and that means that the covered entity, the hospital, now needs to account for disclosures of Protected Health Information for treatment, payment, and healthcare operations purposes when the disclosure is made through an electronic health record. So every time a hospital makes a disclosure of patient information to another provider, a specialist or an outside laboratory, they need to keep a record of that disclosure and they need to be able to provide that to a patient who requests it for up to three years. That’s a big change for hospitals.
There is a lot going on. The other thing that I would just mention is that the HITECH Act really imposes, I think, both improved enforcement and increased penalties for privacy and security violations. The act allows state attorneys general to bring a civil action on behalf of residents of a state to enjoin HIPAA privacy violations or obtain monetary damages on behalf of the residents of a state for such violations. It gives courts the discretion to award attorneys' fees to the state in a successful action. Until now, we really thought that there didn’t appear to be the resources committed to prosecuting HIPAA security and privacy violations. And now with the new attorneys’ fees provision, that really changes the landscape because states won't necessarily lose financially in the event they take on this responsibility of prosecuting privacy and security violations. So that’s really intended to allay the concerns, I think, of consumers and privacy rights advocates who have traditionally criticized HIPAA for weak enforcement and penalty provisions.