On September 5, 2014, the Federation of State Medical Boards, a nonprofit organization representing the 70 state medical and osteopathic boards nationwide, announced the completion of its drafting process for its Interstate Medical Licensure Compact (“Compact”). Finalizing the Compact is a critical step toward removing one of the major barriers preventing a greater proliferation of telehealth technologies and services. Under the Compact, a physician who is licensed in his or her principal state and who meets certain educational, certification, and disciplinary criteria would be eligible to apply for an expedited medical license in another state that has adopted the Compact. Adoption of the Compact by states not only will increase license portability for physicians by alleviating the traditional rigid state licensure requirements that impede the practice of telehealth, but also will help improve access to health care for patients across the nation who will benefit from greater adoption of telehealth. You can read more here.
On September 23 and 24, 2014, the National Institute of Standards and Technology (“NIST”) and the Department of Health and Human Services Office of Civil Rights (“HHS OCR”) hosted their annual HIPAA conference “Safeguarding Health Information: Building Assurance through HIPAA security.”
OCR officials and key industry leaders engaged in dialogue regarding developments and trends in data breach incidents with respect to health information as well as stakeholder responses and best practices to mitigate risk and respond to potential incidents.
VULNERABILITY AWARENESS: ASSESSING RISK
In her opening remarks, OCR Director Jocelyn Samuels highlighted the observation that information privacy compliance is poorly prioritized within organizations. Specifically, Samuels identified the lack of widespread risk analysis and vulnerability assessment activities at the enterprise level as a key area meriting internal and agency prioritization. Samuels reiterated that organizations dealing in protected health information (“PHI”) should, and in fact must, undertake to routinely assess and investigate vulnerability as part of an effective compliance program.
The aspiration of enterprise-wide security protocol for PHI, and adoption thereof, continues to be an ongoing work-in-progress. This is especially true given the often divergent priorities within large provider systems and the endemic evolution of “local” IT systems that integrate with the sanctioned IT environment but often create network porosity and points of vulnerability. Embracing comprehensive, end-to-end, privacy and security policies and procedures that serve the IT needs of the organization while operating within the security protocol established by the system is imperative to establish and maintain network integrity and compliance with the HIPAA Security Rule (“Security Rule”).
IF YOU LOOK FOR IT, YOU WILL FIND IT
OCR representative Linda Sanches proposed the thesis that “the question is not if you will have a breach, but more so when.” To this end, the initial step to preparedness is the undertaking of a risk analysis as required by the Security Rule. Stakeholders expressed frustration with the broadly stated requirements of the Security Rule that are non-specific as to what precise set of activities constitute compliance and how much is in fact enough. This uncertainty adds to existing organizational tensions between resource allocations to business objectives versus compliance obligations with respect to the establishment and implementation of a reasonable compliance program. Sanches indicated that a defensible and reasonable approach is what is required to establish compliance.
LESSONS FROM THE FIELD: REPORT FROM OCR
Iliana Peters, Senior Advisor for HIPAA Compliance and Enforcement at HHS OCR, reported on recent enforcement activities as well as OCR’s regulatory agenda. With respect to reported incident activity, through August 31, 2014, theft and loss accounted for 51% and 9% of breach incidents, respectively followed by unauthorized access/disclosure at 18% among a total of 1176 reported breaches involving more than 500 people and in excess of 122,000 smaller breaches.
With respect to OCR’s regulatory agenda, Peters indicated that OCR is working on providing additional guidance and clarification to the Omnibus Final Rule including a breach safe harbor update, breach risk assessment tool, and clarification of the standards for minimum necessary. Peters also explained how the audit pilot program which is anticipated to go live in the near future will create a new enforcement channel for OCR outside of the breach response protocol. She commented that although the audits will be mostly desk audits with shorter timelines than investigations, they will require covered entities and business associates to have their documents in order and respond quickly to requests. Peters continued to state that “audits will be an enforcement tool which will result in compliance reviews and could result in enforcement actions up to and including civil monetary penalties. Peters stated “we may come to you because of an audit or a breach, but if we find gaps in the compliance program while there, we can’t walk away; it is our job to see it through”
RISK ELIMINATION: THE HOLY GRAIL
The global advice from OCR over the course of the conference was preparedness. To that end, however, the best that healthcare stakeholders can aspire to is effective mitigation of risk. OCR repeatedly stressed that “it is really important that covered entities and business associates prepare as much as possible” and take affirmative steps to protect their data. A comprehensive and documented risk analysis is the key to identifying system vulnerabilities and stakeholders should undertake to conduct or update their risk analyses and work in concert with organizational management to prioritize security compliance.
The increasing prevalence of mobile technology in the healthcare sector continues to create compliance concerns for physician practices and other health care entities. While the Office of Civil Rights (OCR) of the Department of Health and Human Services, has traditionally focused on technology breaches within larger health systems, smaller physician practices and health care entities must also ensure that their policies and practices related to mobile technology do not foster non-compliance and create institutional risk.
Physicians Integrate Mobile Technology Into Daily Practice
The Physicians Practice’s 2014 Technology Survey found that only 31 percent of more than 1,400 survey respondents reported implementing policies and rules to address bring your own device (“BYOD”) practices. With more than 80 percent of doctors using mobile devices at work and integrating their personal devices into their professional practice, these devices could potentially represent a significant privacy and security risk.
The HIPAA Security Rule applies when any protected health information (PHI) is accessed and communicated through a mobile device, such as texting a patient’s name and phone number for follow-up calls. In the annual OCR report to Congress on breaches of unsecured PHI for calendar years 2011 and 2012, OCR reported that information loss or theft from mobile devices was among the top three sources of breached PHI in 117 of the 222 reported breaches in 2012. Additionally, the Physicians Practice’s 2014 Technology Survey indicated that only 61 percent of the respondents surveyed reported securely backing data on a second server or via another method, thereby not complying with the HIPAA Security Rule which requires covered entities to create and maintain retrievable copies of electronic protected health information (ePHI).
OCR Enforcement Areas, Especially Among Small Breaches, Continue to Grow
OCR officials routinely remind covered entities and business associates to understand their obligations with respect to mobile device security – obligations that continue to become more complex to satisfy as the use of mobile technology in the workplace proliferates. Simultaneously, OCR continues to increase enforcement of data breaches by entities subject to the HIPAA Security Rule. Significantly, this enforcement expansion has included smaller entities and breaches affecting fewer than 500 individuals. OCR expects HIPAA Security Rule enforcement to continue its trend and increase going forward in 2014
Physician practices and health care entities should conduct a thorough risk assessment which addresses the use of mobile devices and storage of mobile device data in their environment. Additionally, policies and procedures should be developed to manage the risk associated with mobile devices to a business tolerable level. Risk management plans and security evaluations should be updated and conducted periodically. Additionally, physician practices and health care entities must remember that their business associates must also comply with the HIPAA Security Rule. Thus, some diligence on the use of mobile devices in their business associates environment is advisable. In practice, over 20 percent of HIPAA data breaches have been traced to noncompliant business associates. While the risk may be significant, with proper staff training to identify and address questionable HIPAA behaviors, physician practices and health care entities can minimize the risk of OCR enforcement and large settlement costs associated with mobile devices.
On May 20, 2014, the Secretary of the Department of Health and Human Services (HHS) submitted the agency’s Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012 (“Breach Report”). This report provides valuable insight for healthcare entities regarding their data security and enforcement priorities.
Section 13402(i) of the Health Information Technology for Economic and Clinical Health Act (HITECH) requires the Secretary of Health and Human Services to prepare an annual report regarding the number and nature of breaches report to HHS, as well as the actions taken in response to those breaches.
By way of background, HITECH requires that both covered entities and business associates (as defined under HIPAA) provide notifications after a breach of unsecured protected health information (PHI). These required notifications include the affected individuals, HHS, and also media outlets in cases where the breach includes more than 500 residents of a state or jurisdiction. However, HHS has issued guidance explaining that encryption and destruction make PHI “unusable, unreadable, or indecipherable to unauthorized persons” and, thus, loss of such secured PHI does not trigger the breach notification requirements.
Healthcare providers accounted for the majority of breaches affecting 500 or more individuals in both 2011 and 2012 while business associates and health plans accounted for the remainder, as illustrated below.
Theft of PHI was the leading cause of a breach in both 2011 and 2012 followed by loss of PHI and unauthorized access/disclosures. In 2011, theft was the cause for 24% of the total number of individuals affected by a breach and loss accounted for 54% of individuals affected. This high affected rate due to loss was the result of single breach incident involving a business associate and loss of back-up tapes containing information on 4.9 million individuals. In 2012, the causes of breach returned to expected rates with 36% of individuals affected due to theft and 13% due to loss. The below tables outline the frequency of breach causes in 2011 and 2012 as well as the sources of the breached information in each year.
|Causes of Data Breach||2011||2012|
|Loss of PHI||17%||12%|
|Sources of Breach||2011||2012||Change|
|Other Portable Device||13%||9%||(4%)|
|Electronic Medical Records||2%||2%||0|
HITECH authorizes and requires HHS to conduct periodic audits of covered entities and business associates to ensure compliance with HIPAA rules. Unlike compliance reviews (which occur after a major breach) or compliance investigations, these audits are not triggered by an adverse event or incident. Instead, they are “based on application of a set selection criteria.”
The Office for Civil Rights (OCR) (the office within HHS that is responsible for administering the Breach Notification Rules) implemented a pilot program of the audit process to assess the privacy and security compliance which was described in the Breach Report. The audit revealed that 31 out of 101 audited entities had at least one negative audit finding related to the Breach Notification Rule. Specifically, the audit examined the following four areas: (1) notification to individuals, (2) timeliness of notification, (3) methods of individual notification, and (4) burden of proof. All four areas had a similar number of deficiencies noted.
Implications and Recommendations for Healthcare Entities
Breaches involving 500 or more individuals accounted for less than 1% of reports filed with HHS, yet represent almost 98% of the individuals affected by a PHI breach. It is likely that OCR will continue investing significant resources into large scale PHI breaches due to the extensive impact of these breaches. Additionally, theft remains one of the top causes of PHI breaches and covered entities and business associates must take appropriate measures to ensure that any PHI stored or transported on portable electronic devices is properly safeguarded. Chronic vulnerabilities include:
Encryption: Even if a device is stolen or misplaced, the Breach Notification Rule will not apply if the data is properly encrypted. Thus, it is imperative that covered entities and business associates encrypt portable electronic devices (such as laptops) and all CDs or USB thumb drives.
Access Control: Healthcare entities must pay close attention to the physical access to and proper disposal of devices that contain PHI. Server rooms should be locked with limited access, and the physical access to buildings, floors, and offices should be secured to prevent theft of desktop computers containing PHI.
Disposal: Electronic devices need to be purged and the data securely erased (also known as “scrubbed”) prior to the device being discarded, recycled, sold, or transferred to a third party, such as a leasing company. Such devices include computers, external storage media, and photocopiers.
Lastly, as explained in the Breach Report discussion of OCR’s audit pilot program, covered entities most often explain noncompliance with the various aspects of the Breach Notification Rule by pleading unawareness of the requirements of the Rules. Covered entities and business associates should ensure that comprehensive privacy and security policies and procedures are developed and implemented to mitigate the risks of a breach and to effectively respond to a breach should one occur.
Earlier this week, a popular source of regulatory news published an article claiming FDA “finalized a new rule this week that prohibits manufacturers from using so-called “split-predicates”. However, it appears that the article may instead be referencing the Final Guidance for Industry and Food and Drug Administration Staff entitled “The 510(k) Program: Evaluating Substantial Equivalence in Premarket Notifications [510(k)]” that FDA published earlier this week. Unfortunately, as often occurs on the Internet, the post was disseminated by several other popular sources of regulatory news.
This confusion comes a little less than three months after four Senator’s sent a letter to FDA raising concerns about FDA draft guidance “becoming the default FDA policy and position.”
Guidances and final rules carry different legal weight. Final regulations are legislative rules that have the force of law. Whereas, guidances do not set new legal standards, impose legal requirements or have the force of law. Instead guidances are issued to help interpret or clarify an existing regulation.
FDA certainly understands this difference. As FDA notes, “FDA regulations are  federal laws, [even though] they are not part of the [federal Food Drug & Cosmetic Act (FD&C Act)].” Whereas, “FDA guidance describes the agency’s current thinking on a regulatory issue [but guidance] is not legally binding on the public or FDA.”
FDA also emphasizes this latter point in many of its guidance documents by including the following disclaimer:
This guidance represents the Food and Drug Administration’s (FDA’s) current thinking on this topic. It does not create or confer any rights for or on any person and does not operate to bind FDA or the public. You can use an alternative approach if the approach satisfies the requirements of the applicable statutes and regulations. If you want to discuss an alternative approach, contact the FDA staff responsible for implementing this guidance. If you cannot identify the appropriate FDA staff, call the appropriate number listed on the title page of this guidance.
Unfortunately, not everyone fully appreciates the difference between rules and guidance. The recent confusion suggests that there is a disconnect between FDA’s position on the difference between guidance and final rules and the understanding of at least some in industry. Therefore, as FDA reviews its current guidance development practice, it is important that FDA look for ways to ensure (draft or final) guidance is just that, guidance. For example,
- FDA should make the guidance development process more efficient and so that there is a significant difference between the time it takes to publish a final guidance and the time it takes to implement a final rule;
- If a manufacturer uses an alternative approach and provides reasonable support for taking such an approach, FDA should be required to provide a reasonably explanation as to why the alternative is insufficient;
- FDA should include a process for quickly and efficiently incorporating alternative approaches into existing final guidance.
One of the largest hurdles to the growth of telehealth—the lack of a streamlined process for obtaining physician licensure in multiple states—is one step closer to being scaled. The Federation of State Medical Boards (“FSMB”) recently released a revised draft of its Interstate Medical Licensure Compact (“Compact”). This revised draft is a continuation of efforts by FSMB and its member boards to study the feasibility of an interstate license portability. Additionally, the revised draft of the Compact reflects changes based upon comments received from FSMB member boards and other stakeholders since the draft was released by FSMB earlier this year. Adoption of the Compact is critical to the interstate practice of telehealth. You can read the full alert here.
By Brandon Ge and Alaap Shah
The Department of Health and Human Services (“HHS”) is taking laudable steps to improve notices of privacy practices (“NPPs”) and make them more clear, understandable, and user-friendly. Under the HIPAA Privacy Rule, individuals are entitled to a receive an NPP informing them of how their health information may be used and shared, as well as how to exercise their health privacy rights. Health plans and health care providers must develop and distribute NPPs that clearly explain these rights and practices. Unfortunately, to date NPPs have been poorly designed, hard to navigate and unclear with regard to patient rights or company obligations regarding use and disclosure of health information.
Privacy is just as much about protecting patients’ rights to data as it is about protecting data. The HIPAA Omnibus Rule, CLIA Rule, and others are designed to improve patient access to their medical records, empowering them to actively manage their health. The digitization of medical records, in the form of electronic health records, personal health records, patient portals, and the like, facilitates patient engagement in healthcare if used properly. However, ineffective NPPs create barriers for patient understanding their rights.
NPPs that clearly convey patients’ privacy rights are critical in enabling patients to take a more active role in healthcare. Conversely, if patients do not understand NPPs, then they won’t have a good sense of their privacy rights, including their right to access their health information. Some critiques regarding NPPs include that they are frequently lengthy and include legalese that the general public has difficulty understanding. To remedy these concerns, some suggest simplifying language and “layering” the notice—that is, including a short summary of the individual’s rights as a first layer and including a longer, more detailed explanation as a second layer—would go a long way toward improving the readability of NPPs.
In an effort to address criticisms of NPPs, last month, the Office of the National Coordinator for Health Information Technology (“ONC”) collaborated with the HHS, Office for Civil Rights (“OCR”) to develop model NPPs that clearly convey the required information to patients in an accessible format. Covered entities can customize these model NPPs and then display them and distribute them to patients.
ONC and OCR have also thrown down the gauntlet and established the Digital Privacy Notice Challenge, which will award $15,000 to the creators of the best online NPP (second place wins $7,000 and third place gets $3,000). The challenge calls for designers, developers, and privacy experts to use the model notices as a baseline and create an online NPP that is clear, effectively informs patients of their privacy rights, and is easily integrated online. Once submissions are finalized, the public will have two weeks to vote on the best submission.
The submission period ends on April 7, 2014, and winners will be announced in May or June of 2014.
Does your organization think it has what it takes to win this challenge?
Follow Alaap Shah on Twitter: @HealthITLawyers
A significant barrier to the interstate practice of telehealth is closer to being broken down. The Federation of State Medical Boards (FSMB) has completed and distributed a draft Interstate Medical Licensure Compact, designed to facilitate physician licensure portability that should enhance the practice of interstate telehealth. Essentially, the compact would create an additional licensing pathway, through which physicians would be able to obtain expedited licensure in participating states. As the FSMB notes in its draft, the compact “complements the existing licensing and regulatory authority of state medical boards, ensures the safety of patients, and provides physicians with enhanced portability of their license to practice medicine outside their state of primary licensure.” This is a potentially significant development because burdensome state licensure requirements have been a major impediment to the interstate practice of telehealth. A physician practicing telehealth is generally required to obtain a medical license in the state where the patient—not the physician—is located. As a consequence, physicians wishing to treat patients in multiple states need to obtain a license in each of those states in order to practice medicine lawfully, a lengthy and expensive process.
While the draft compact shares some of the same features as the Nurse Licensure Compact (NLC) (launched in 2000 to facilitate nurse mobility and improve access to care), a key difference is in the process for obtaining multistate licensure. Under the draft compact physicians have to submit an application, register, and pay certain fees to obtain licensure in other participating states. Nurses under the NLC, on the other hand, only need to declare that their home state is an NLC state, and the privilege to practice in other NLC states is automatically activated—no separate applications or fees are required. You can read a more comprehensive analysis of the FSMB draft compact here.
If you have tuned into the news over the last few months, you are likely aware that several major corporations—including one of the nation’s largest retail chains—have suffered data breaches. These breaches have affected hundreds of millions of consumers, and in some cases exposed sensitive financial data such as credit card information, as well as personal information including names, mailing addresses, phone numbers, email addresses, usernames and passwords.
There is no doubt that a primary concern raised by these data breaches is risk to consumers’ financial wellbeing. Chiefly, hackers that seek out personal information tend to sell or use the data to commit identity theft and credit card fraud. Yet, an often overlooked concern involves risk to the medical wellbeing of individuals. It is commonplace for retail chains to operate pharmacies within their facilities where electronic protected health information (“e-PHI”) is received, used, stored and transmitted. Although current information regarding known breaches does not indicate that pharmacy files were accessed, the vulnerability of e-PHI stored by these entities is a serious concern in the field of health care privacy. To manage these risks, entities should take heed of the privacy and security concerns raised in the most recent data breaches, and proactively craft comprehensive and sophisticated approaches to data security.
Historically, data security is reactive in nature: corporations store data on their systems; hackers break into the systems (or the systems of their business partners); companies, if aware of the breach, modify their security to prevent a similar data breach; hackers find a different weakness and again breach the system. This cycle continues ad infinitum.
While there is definitely value in defensive security, as cybersecurity risks grow and lead to increasing volume of data breach, healthcare entities may want to consider strategies to remain on the offensive when it comes to data security of e-PHI. The laws applicable to the security of e-PHI provide a flexible framework to address these risks, but most entities have not designed effect risk management programs to address risk proactively. Nevertheless, the HIPAA Security Rule requires entities to implement a number of technical safeguards which can be used proactively. For example, HIPAA requires audit controls to ensure entities have sufficient awareness about system activity (and specifically malicious activity). If reasonable and appropriate controls are put in place relative to these safeguards, companies can thwart hackers from gaining unauthorized access to e-PHI.
Offensive security requires a proactive mindset and approach to protecting computer systems, networks, and protected information from attack. While proactive security can take several forms, some liken the proactive approach to purchasing insurance. Assets are invested and measures are taken to protect against the risk that something will occur resulting in liability or loss. In the modern digital world it is often not a question of “if” but rather “when” a company will experience a data breach. According to a 2012 independent study by the Ponemon Institute, a staggering 94 percent of health care organizations have had at least one data breach in the last two years alone. The same study estimated that overall economic impact of a breach has risen six-fold over the last few years and now costs millions. With this in mind, here are just a few reasons why proactive data security should be a priority for health care entities:
1) Rapid & Continuous Evolution of Cyber Security Threats. Hackers are not only more sophisticated, they are more prevalent; threats to cyber security do not remain static in nature or volume. This unrelenting growth may be a result of the success rate of the illicit activity. Merely reacting to hackers’ successful attempts puts the industry at a major disadvantage because hackers are incentivized to evolve.
2) Ignorance. It is a common misconception that data security breaches are rare—more often data breaches go undetected or unreported. The simple truth is that no organization is immune, and may be an unwitting victim of a breach at any moment.
3) Monetary & Reputational Damage. Data breaches have a reverberating effect on a company. Damages are not limited to fines or sanctions, and they exceed the cost of mitigating the breach for consumers. Frequently, the greatest damage done is that to the company’s reputation. Consumers may second-guess their choice of providers based on an organization’s perceived failures, and the company’s reputation across the industry may diminish their competitive advantage for years to follow.
What Your Company Can Do
The prevalence of data breaches has led many to ask the question “Is proactive data security the solution?” There are many proactive measures that healthcare entities can implement to combat data breaches, the following summarizes just a few.
A risk assessment is the first critical step a health care entity should take when implementing a proactive data security plan. The HIPAA Security rule requires conducting risk assessments. Further, The National Institute of Standards and Technology (NIST) have placed great emphasis on conducting risk assessments as the foundation for data security. Risk assessments systematically identify vulnerabilities that even the most sophisticated organizations may not have anticipated. Identification of vulnerabilities can help a company stay ahead of hackers by knowing where to utilize security resources.
Depending on the size of the company, data security may be a dual function for the company’s IT Department. Based on the severity of the potential risk, security should not be just one of many tasks for the IT department. According to a 2013 Ponemon Study, the average cost of a data breach exceeds $5 million without even considering reputational harm. Studies show that each year U.S. hospitals alone incur costs of an estimated $1.6 billion each year for security incidences. Although certain actions might initially seem redundant, measures such as establishing a dedicated data security team or department, appointing specific data-security personnel within an IT department, or investing in robust data security software and hardware, are all worthwhile investments which will likely prove less costly than a data breach.
HIPAA requires organizations to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use e-PHI. Audit controls must be sufficient to examine system activity comprehensively. NIST audit control standards provide substantial guidance on conducting proactive system monitoring and activity logging. Audit controls give a company visibility into their own system, allowing them to recognize suspicious activity early in order to limit exposure and ultimately prevent full-blown data breach.
Conduct Breach Drills
Preparation is the key to mitigating damage that cannot be prevented. Similar to a fire drill, companies should maintain a plan for implementation in case of a data breach, and that plan should be put to practice regularly. HHS has teamed with HITRUST to launch CyberRx, an industry-wide effort to simulate cyberattacks. Twelve organizations will participate in these simulated cyber-attacks. The goal of CyberRx is to help industry participants identify ways to better prepare for, and respond to cyber-attacks. This is an exercise of great value and can be done independent of HHS. By preparing to respond to a breach, companies can ensure that damage will be contained as efficiently and effectively as possible when one occurs.
For updates on Health Privacy and Security follow Marshall Jackson on Twitter: @MJacksonJr_ESQ
Follow Alaap Shah on Twitter: @HealthITLawyers
By: Alaap Shah and Marshall Jackson
With the New Year, come new protections for health care entities and individuals utilizing electronic health records (EHRs). On December 27, the U.S. Department of Health and Human Services, Office of Inspector General (OIG) and the Centers for Medicare and Medicaid Services (CMS), issued final rules regarding the Stark Exception and the Anti-Kickback Safe Harbor permitting certain health care organizations to subsidize up to 85% of the donor’s cost of certain EHR items and services (the “Final Rules”). The Final Rules amended the 2006 original rule (the “Original Rule”). The Final Rules:
- Extend the expiration of the protections from December 31, 2013 to December 31, 2021;
- Exclude laboratory companies from the list of eligible “Protected Donors” that may donate EHR items and services;
- Update the provisions under which an EHR donor or recipient can ascertain, with certainty, that EHR is interoperable;
- Remove requirements that donated EHR include e-prescribing capabilities; and
- Clarify the requirement prohibiting any action that limits or restricts the use, compatibility, or interoperability of donated EHRs.
Under the Original Rule, EHR donation regulations were set to expire on December 31, 2013. The Final Rules extend the expiration of the protections until December 31, 2021.
As a change from the Original Rule, the protections under the Final Rules no longer extend to laboratory companies as a type of entity that may donate EHR items and services. However, this exclusion under the Final Rules does not apply to hospitals who furnish clinical laboratory services through a laboratory that is a department of the hospital. It should be noted that a hospital-affiliated or hospital-owned company that furnishes laboratory services, which have a billing number assigned to the company as opposed to the hospital, would be excluded from the protections under the Final Rules.
The Original Rule required that donated or subsidized software be “interoperable”. The rule stated that software is interoperable if a certifying body recognized by the Secretary of the Department of Health and Human Services certified the software within 12 months of the time it was provided to a physician. Under the Final Rules, software is deemed to be interoperable if, on the date it is provided to the physician, it has been certified by a certifying body authorized by the National Coordinator for Health Information Technology to an edition of EHR certification criteria. Significantly, the protections under the Final Rules are not limited to donations to individuals and entities eligible to participate in the EHR Incentive Programs (the “Meaningful Use Program”), but also extend to other entities and individuals if the donations meet the conditions of the safe harbor.
DATA LOCK-IN AND EXCHANGE
In order to foster the free exchange of data, the Final Rules have made limited clarifications to require that a donor not take any action to limit or restrict the use, compatibility or interoperability of the items or services with other electronic prescribing or EHR systems. The Final Rules included examples, making it clearer that this prohibition applies to any donor action that limits the use of donated software with any other health information technology.
The Original Rule required that donated software contain an electronic prescribing capability. However, under the Final Rules, effective March 27, 2014, the requirement that the donated software contain an electronic prescribing capability has been eliminated.
THE WINNERS AND LOSERS
The Final Rule attempts to strike the right balance between competing interests. On the one hand, the Final Rule seeks to foster continued adoption of EHRs and increased interoperability, which are ongoing goals within CMS, ONC and much of the healthcare industry. On the other hand, OIG has shifted its position to better control risks associated with misuse of EHR donation by certain entities that seek to secure kickbacks. Recognizing these competing concerns, OIG has extended the safe harbor and improved alignment with ONC to ensure companies have better guidance to meet the interoperability requirements. Therefore many organizations emerge as winners under the Final Rule, including EHR vendors, protected EHR donors and EHR recipients. However, laboratory companies are at a significant loss as a result of OIG’s tightening of the definition of “Protected Donor”.
Follow Alaap Shah on Twitter: @HealthITLawyers