As the new administration settles in, electronic medical records (EMR) are seeing an increased focus in political discussions. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) set the groundwork for initial guidelines on the privacy and security of EMR. Yet the recent political call for a nation-wide system of electronic medical records raises additional issues for legal counsel and related risk management professionals to consider. When looking at HIPAA in 2009, the areas to contemplate concern both proposed legislation and existing enforcement of HIPAA compliance. Considering the discussion of a national EMR system during the inauguration, this article looks at both the recent trends seen in proposed legislation for modifications to HIPAA as well as the increase in compliance audits under the present guidelines.
Trends in Proposed Legislation
Looking back at the 110th Congress, trends can be identified from past legislative attempts to expand and modify the existing rules regarding EMR. The most significant attempt involved the House Committee on Energy and Commerce’s approval of the Protecting Records, Optimizing Treatment and Easing Communications through Healthcare Technology Act of 2008 (PROTECHT). While this bill did not become law, PROTECHT may yet see reintroduction. It passed Committee but never saw a House vote, given the significant issues occupying Congress during the closing days of 2008.
PROTECHT was aimed at strengthening the quality of health care and encouraging electronic records while also increasing privacy rules and health care information security. PROTECHT’s provisions sought stricter HIPAA compliance requirements for business associates of health care providers and extended HIPAA’s civil and criminal penalties to business associates. To encourage EMR use, PROTECHT proposed $560 million in grants and loans to providers to exchange health information electronically and establish electronic medical records systems in rural areas. The proposed bill’s guidelines also mandated steps a health care provider must take after a security breach has been identified. The steps included a requirement that health care providers and/or business associates notify everyone whose unencrypted health information was, or was reasonably believed to be, accessed or breached.
PROTECHT also would have created the Office of the National Coordinator for Health Information Technology (ONC-HIT). The permanent ONC-HIT would set specific standards for EMR systems. Just as FCC regulations deal with the interoperability of telecommunication systems, the ONC-HIT would be charged with ensuring that electronic health information systems are cross-compatible under the auspices of the Department of Health and Human Services (HHS). As the variety of electronic systems for health care providers to choose from grows, so does the concern over whether information can be shared across platforms.
Along the same lines of PROTECHT, the 110th Congress saw the introduction of two other EMR related bills: the Promoting Health Information Technology Act and the Health-e Information Technology Act of 2008. While neither of these bills reached Committee vote, they also reflect a movement to propose changes to electronic medical record keeping. Both proposed pieces of legislation contained specific provisions about the interoperability of EMR systems. They, like PROTECHT, sought to provide additional civil penalties for HIPAA violations.
These pieces of proposed legislation, whether they will be reintroduced or completely overhauled, must now be viewed in the backdrop of the new administration and Congress. The inauguration highlighted new goals on modernizing the nation’s health care system, i.e., electronic medical records, and a plan to be fully computerized within five years. A fully electronic national EMR system is a massive task.
Looking at recent activity in Massachusetts provides some insight into the scope of this project. Massachusetts recently provided estimates for a statewide program to fully computerize its roughly 14,000 physicians’ offices and 63 hospitals within the next three to five years. Using a pilot program as a measuring stick, Massachusetts legislators estimate that it will cost about $340 million to build their statewide computer system, with a cost of $2 million per hospital.
By looking at the Massachusetts numbers, the potential cost of a national EMR system could be massive. With the Census Bureau identifying 7,569 hospitals across the United States and the innumerable independent clinics, the logistical and financial planning for this endeavor is enormous.
Increases in HIPAA Audits
The second major landmark in the evolution of HIPAA and EMR regulation is the current implementation of HIPAA audits. In 2007, HHS conducted its first HIPAA audit of Piedmont Hospital in Atlanta. In 2008, the Centers for Medicare and Medicaid announced that they planned 15-20 hospital audits across the country. The first reported HIPAA-related settlement occurred in 2008 between HHS and a health system based in Seattle, involving compliance issues and a fine of $100,000.
The HIPAA audits appear to focus on specific issues like policies and procedures for record privacy, confidentiality of the private/protected health information of patients, and the evaluation of security violation action plans. Other security measures including employee background checks, internal restrictions on accessibility of private information and physical security measures are all examined to determine if they fit within the guidelines established under HIPAA.
As additional information about the audits becomes available, the lesson learned is that health care providers need to ensure compliance with the HIPAA Security Rule. Privacy consultants are emphasizing the need to conduct internal audits in preparation for potential HHS audits. Simple questions and basic examinations, which can easily be conducted internally or using an outside auditor, can shed light on possible shortcomings. Are emails monitored for the transmission of patient information? Is the burning of CDs and DVDs controlled or monitored? Are wireless networks secure? Who has access to them and the information on them? Is patient information being transported to and from employees’ private residences or private home computers? These simple questions are just some of the many that need to be asked when conducting a mock or internal audit of a medical provider’s HIPAA compliance. In light of proposed legislation like PROTECHT, business associates of HIPAA covered entities now need to look with heightened awareness at their security measures as well.
Health care providers must take a step back and ask themselves what must be done now as opposed to in the next five years. The new administration may be focused on the future, but health care providers must ensure that they are ready for a HIPAA audit today. Business associates of covered entities must also be ready for what the future of HIPAA holds as business associates may soon face the same or increased penalties along with health care providers.
With the looming issue of interoperability of EMR systems, the federal government also has its hands full. Looking at the initial focus of the HIPAA audits and the ideas behind the recent attempts at modifying electronic medical record legislation, we can begin to see the forthcoming changes to the guidelines in dealing with electronic medical records. The question now is when will these changes occur?
Stephen T. Sigler is a shareholder and trial lawyer at Neil Dymott Hudson. He specializes in civil litigation with emphasis in general and professional liability. Mr. Sigler may be reached at (619)238-1712.