HITECH, meaningful use rules bring concerns for risk managers
Marketing provisions could affect hospital fundraising
The proposed final rule for the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 probably will change little when it becomes the final rule, and that means there will be some significant changes for health care providers, says Kevin Ryan, JD, an attorney with the law firm of Much Shelist in Chicago.
Providers have become fairly comfortable with their processes for complying with HIPAA and ensuring information security, Ryan says, but now they will have to review their policies and procedures to make sure they are in compliance.
"People will really have to take notice of these changes and what impact they are going to have on them," he says. "These changes involve fundraising, marketing, breach notification, and other issues. Policies are going to have to be changed and employees are going to have to be trained."
The Department of Health & Human Services (HHS) released the proposed rule that HHS says will make HIPAA more workable and effective. (For the proposed rule, go to http://www.regulations.gov/search/Regs/home.html#documentDetail?R=0900006480b195a0.)
The proposed regulations will not be effective until publication of a final rule, which is expected September 14, 60 days after they were published in the July 14 Federal Register.
The proposed rules focus on business associates, enforcement, and other privacy and security topics. The big news in the proposed rules is that they would require business associates to comply with the HIPAA security rule and the privacy provisions of HITECH. Of greater concern, covered entities will be held directly liable for the violations of business associates who are agents of the provider. In addition, the rules also would require amendments to business associate contracts and notices of privacy practices.
The good news is that the proposed regulations would require no changes to minimum necessary practices. However, the proposed rules would make changes unrelated to the HITECH Act. For instance, the rules would allow providers to discuss health records of decedents with family members and friends who are not personal representatives of the deceased. Providers also would be freed from all privacy restrictions after 50 years. HHS also is proposing more flexibility for research authorizations and allowing providers to disclose immunization information to schools.
The proposed rules would modify the privacy, security, and enforcement rules of the Health Insurance Portability and Accountability Act (HIPAA) to implement changes required by HHS.
The 864-page meaningful use final rule also was released recently by HHS, a more flexible and less burdensome rule than the proposed rule that was released in January. The final rule eases the criteria for stage one of the meaningful use program, in which reward payments begin in 2011. Providers now can qualify for the financial rewards by meeting fewer criteria.
Marketing needs more oversight
The HITECH rules provide no clarity for providers struggling to understand what exactly they must do to comply with privacy rules, says Jacqueline Saue, JD, a partner with the law firm of Foley & Lardner in Washington, DC. The marketing provisions of the privacy rule have always been murky to many providers, she says, and many have especially struggled to determine under what circumstances they can promote services or products provided by outside vendors without obtaining individual authorizations.
"The proposed rule only complicates this determination by requiring an individual authorization if a covered entity receives financial remuneration, defined broadly to include even an indirect payment made on behalf of a vendor for promoting the vendor's services or products, with very limited exceptions," Saue says. "Those exceptions could involve providing the individual with notice and an opportunity to opt out of receiving future promotions or limiting the amount of financial remuneration being paid by the vendor. We doubt that providers will find the marketing provisions of the proposed rule to be much of an improvement over the existing ones."
Saue notes that currently, many clients are interested in exploring business opportunities that would involve the mining of databases containing protected health information (PHI). However, the proposed rule under HITECH presents another hurdle to maximizing the value of such databases by prohibiting the disclosure of PHI, in exchange for direct or indirect remuneration, unless a covered entity obtains individual authorizations, with very limited exceptions. This hurdle may prove insurmountable for many providers, she says.
The proposed rules include provisions about business associates, enforcement, and other privacy and security topics. The part that troubles providers the most is the one requiring business associates to comply with the HIPAA security rule and the privacy provisions of the HITECH Act.
"Perhaps the biggest losers under the proposed rule are downstream business associates, who would not only be required to comply with the same provisions of the privacy and security rules applicable to the first-tier business associate, but would also be subject to the same penalties for non-compliance," Saue says.
Don't have to audit associates
Ryan agrees, saying the change in approach to business associates may have the most impact from the HITECH rule. Business associates would now be liable for civil and criminal penalties just as covered entities can be, he explains.
"That is a huge change," Ryan says.
Providers must have contracts with business associates that require the associates to comply with HIPAA, and providers have obligations to discontinue the relationship or even report the associate if there is reason to believe the company is not complying, Ryan says. Failure to do so when you have knowledge that the associate is not complying could result in civil and criminal penalties being levied against the provider, he says.
"But there is nothing in the act that says the health care provider is supposed to be out doing audits of their associates," Ryan says. "It's when they become aware of the wrongdoing that they have an obligation to act. They're not expected to go out and investigate each of their business associates."
Fundraising could pose problems
Fundraising may require more oversight than in the past, says Lior Blik, chief information officer at Hoboken (NJ) University Medical Center. The new HITECH rules put limits on how data can be used in fundraising, most prominently by requiring that providers obtain permission from patients before protected patient information can be used in fundraising.
"We're going to see a change in fundraising from a process perspective," Blik says. "This is an area where we haven't had too much worry about compliance in the past, but now HHS is saying they take this seriously."
Blik says the biggest change for his hospital will be the operation of the hospital foundation. Fundraising activities by the foundation will require strict adherence to the HITECH rules, and Blik worries that the effort to comply will slow down the providers' work and result in less funding. His hospital now seeks permission of patients to use their information in fundraising efforts, and Blik says many hospitals will need to develop policies and procedures to ensure HITECH compliance.
Change policies, notification
Ryan also notes that the proposed rule under HITECH gives patients more power to opt out of having certain information shared with others. The rule outlines situations in which the patient may make that request and the provider is obligated to honor it, such as when a patient has paid for out-of-plan services by cash.
Ryan advises risk managers to take these steps:
Review policies to make sure you have included the most recent provisions regarding breach notification and the most current statutory language regarding an individual's right to get disclosures, and the restrictions on disclosures.
Change the notice to patients of privacy rights, so that patients understand their rights under the current law.
Blik points out that documentation will be important. Any policy developed to ensure HITECH compliance must include provisions for documenting the process, he says.
"Don't forget that documentation is always your best defense," Blik says. "You can't just remind people to document. You have a system, a process, in place that makes everyone document instead of just hoping they will."
Sources
Lior Blik, Chief Information Officer, Hoboken University Medical Center, Hoboken, NJ. Telephone: (201) 418-1813.
Kevin Ryan, JD, Attorney, Much Shelist, Chicago. Telephone: (312) 521-2429.
Jacqueline Saue, JD, Partner, Foley & Lardner, Washington, DC. Telephone: (202) 672-5306.