New Rules Released Under HITECH Act

   insurance

ACA International

The Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in February 2009 as part of the American Recovery and Reinvestment Act of 2009, is intended to incentivize the modernization of health care without sacrifice to the privacy or security of patients’ sensitive information.

To achieve this undertaking, the HITECH Act provides funding for health information technology and incentives for providers to use and adopt electronic health record (EHR) technology. The HITECH Act also makes significant updates to the Health Information Portability and Accountability Act’s (HIPAA) Privacy and Security Rules.

While compliance with most of the changes under the HITECH Act was required by February 2010, several provisions require federal agencies to promulgate regulations in order to implement provisions of the HITECH Act.

Three federal agencies recently released important rules  expanding the scope of HIPAA’s privacy, security and enforcement requirements and regarding the electronic health records incentive program under the HITECH Act.

Proposed Privacy and Security Rules
The U.S. Department of Health and Human Services (HHS) announced proposed rules on July 8, 2010 that modify HIPAA’s Privacy, Security and Enforcement Rules pursuant the HITECH Act to strengthen patient privacy rights.
The proposed rules expand individuals’ rights to access their information and to restrict certain types of disclosures of protected health information to health plans. The proposed rules also require business associates of HIPAA-covered entities to be under most of the same rules as the covered entities.

The proposed rules also set new limitations on the use and disclosure of protected health information for marketing and fundraising and prohibit the sale of protected health information without patient authorization, unless an exception exists. The rule proposes an exception from the authorization requirement for disclosures of protected health information for payment purposes or health care operational purposes.

HHS is also looking more closely at entities not covered by HIPAA rules to understand better how they handle personal health information and to determine whether additional privacy and security protections are needed for these entities.

Electronic Health Records Incentive Final Rules
On July 13, 2010, the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) announced two complementary final rules implementing the EHR incentive program under the HITECH Act.

Under the HITECH Act, eligible health care professionals and hospitals can qualify for Medicare and Medicaid incentive payments when they adopt certified EHR technology and use it to achieve specified objectives. One of the two regulations announced defines the “meaningful use” objectives providers must meet to qualify for the bonus payments, and the other regulation identifies the technical capabilities required for certified EHR technology.

The CMS regulations specify objectives providers must achieve to qualify for incentive payments, while the ONC regulations specify technical capabilities EHR technology must have to be certified and to support providers in achieving the “meaningful use” objectives.

One of the key changes implemented by the CMS final rule includes dividing the requirements into a “core” group of requirements and an additional “menu” of procedures from which providers may choose to qualify for the incentive. The “core” requirements must be satisfied while the additional “menu” requirements can be implemented as they relate to the providers’ individual business needs.

The major changes set forth by the rules are listed below.

The final CMS rule:

  • Specifies criteria eligible professionals (EPs), eligible hospitals and critical access hospitals (CAHs) must meet to demonstrate meaningful use and qualify for incentive payments;
  • Includes both “core” criteria all providers must meet to qualify for payments, while also allowing provider choice among a “menu set” of additional criteria; and
  • Outlines a phased approach to implement the requirements for demonstrating meaningful use. This approach initially establishes criteria for meaningful use based on currently available technological capabilities and providers’ practice experience. CMS will establish graduated criteria for demonstrating meaningful use through future rulemaking, consistent with anticipated developments in technology and providers’ capabilities.

The final ONC rule:

  • Sets initial standards, implementation specifications and certification criteria for EHR technology under the incentive program;
  • Coordinates the standards required of EHR systems with the meaningful use requirements for eligible professionals and hospitals; and
  • Assures providers the certified EHR technology they adopt is capable of performing the required functions to comply with CMS’ meaningful use requirements and other administrative requirements of the Medicare and Medicaid EHR incentive programs.