Since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act provisions included in the American Recovery and Reinvestment Act (ARRA) in February 2009, the government has released three sets of statutorily required regulations: one addressing breach notification requirements for protected health information (PHI) and two addressing Medicare and Medicaid incentives for meaningful use of electronic health records (EHRs).1 These regulations build on the framework and financial support authorized under ARRA for increased use of EHRs and enhanced privacy and security provisions for PHI.
The first rule, released by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on August 24, 2009, addresses notification requirements in the event of a breach of unsecured PHI.2 The second rule, released by the HHS Centers for Medicare and Medicaid Services (CMS) on December 30, 2009, addresses incentive payments available under the Medicare and Medicaid programs for hospitals, physicians, and other healthcare providers that qualify as “meaningful users” of EHRs.3 The third rule, released by the HHS Office of the National Coordinator for Health Information Technology (ONC), details, among other things, the certification criteria for EHR technology.4 These rules strongly encourage greater use of EHRs and other types of health information technology (HIT) while protecting information privacy and security. However, as discussed below, there remain critical issues that will need to be addressed as providers and other stakeholders take the next steps toward secure electronic health information exchange.
Over the past five years, federal policymakers have supported the increased use of HIT through executive orders, regulatory reforms, and legislation in recognition of its potential to decrease costs, improve health outcomes, coordinate care, and improve public health.5–11 The passage of ARRA significantly changed the regulatory landscape by authorizing substantial financial and technical support for the adoption and use of EHRs and enhancing information privacy and security requirements.12 One of the most comprehensive pieces of economic legislation ever enacted, ARRA provides hundreds of billions of dollars in healthcare spending, including more than $49 billion in discretionary appropriations and mandatory spending to support and promote the adoption of HIT generally and EHRs in particular.13 In addition, the legislation makes comprehensive reforms in health law and policy, particularly in the areas of health information privacy law and laws governing provider payments under Medicare and Medicaid.14 These provisions are included in HITECH.
HITECH employs both “carrots” and “sticks” to encourage the adoption and use of EHRs. It authorizes CMS to provide monetary incentives to eligible healthcare providers under Medicare and Medicaid to encourage the purchase and use of EHR systems, and it threatens financial penalties in the form of reduced Medicare payments for nonadopters. Incentive payments are conditioned on the ability of providers to demonstrate “meaningful use” of EHRs, defined by the statute as (1) use of certified EHR technology in a demonstrably meaningful manner, including e-prescribing; (2) use of certified EHR technology that allows for the electronic exchange of health information to improve the quality of healthcare, such as promoting care coordination; and (3) reporting on clinical quality measures and other measures selected by the Secretary using certified EHR technology.15
HITECH's Medicare incentive payments are targeted at physicians practicing in fee-for-service settings, hospitals, and, in certain cases, Medicare Advantage (MA) organizations (see Table 1). Physicians are eligible for the incentive payments without regard to their Medicare patient load, except in the case of those practicing in MA organizations. Beginning in 2011, physicians who can demonstrate meaningful use of a certified EHR system can receive bonus Medicare payments for up to five years. The payment is equal to an additional 75 percent of the physician's allowable Medicare charges for the given year, subject to caps.16 Physicians who predominately serve beneficiaries in health professional shortage areas (HPSAs) are eligible for 10 percent higher payment caps.17 Beginning in 2015, physicians who are not meaningful users of EHRs will be penalized in the form of reduced Medicare fees at the rate of 1 percent per year. The Secretary retains authority to reduce Medicare payments by a total of 5 percent if fewer than 75 percent of eligible professionals (EPs) are meaningful EHR users by 2018.18
A similar incentive system is established for eligible acute care and critical access hospitals, with payments beginning in 2011 and phasing down by 25 percent per year over four years. Reduced incentive payments are available for hospitals that become meaningful users in 2013 or 2014, but incentives are unavailable for new adopters after 2015. Beginning in 2015, hospitals face penalties for nonadoption in the form of reduced reimbursements as well.19–21
HITECH gives a dramatic and explicit boost to state funding efforts for HIT under Medicaid (see Table 2). The law provides for a 100 percent federal contribution to enable EHR adoption by several classes of Medicaid providers who serve a high volume of Medicaid patients and, in the case of Federally qualified health centers and rural health clinics, needy patients. Eligible providers must agree to waive any right to Medicare HIT incentive payments.22,23
The Medicaid incentive program makes financing available for implementation or technology upgrades to providers who might not have funds of their own to invest.24 Following an initial start-up payment, subsequent payments are conditioned on meaningful use of the EHR technology as defined by each individual state. While the Secretary of Health and Human Services is obligated to implement HITECH's Medicare HIT incentives, Medicaid implementation is an optional state undertaking.
In order to qualify for the Medicaid incentive payments, a provider's patient load must be at least 30 percent Medicaid; providers practicing “predominately” in rural health clinic or Federally qualified health center settings are accorded broader eligibility criteria that allow payment if at least 30 percent of their patients are “needy individuals” (which includes Medicaid, State Children's Health Insurance Program [SCHIP] beneficiaries, and those receiving uncompensated care or paying on a sliding-scale basis).25 Pediatricians can qualify for a reduced incentive payment if 20 percent of their patients are Medicaid beneficiaries.26
As with the Medicare incentive program, Medicaid incentives begin in 2011 and phase down thereafter. Eligible providers may receive up to 85 percent of net average allowable costs, up to a maximum level of $25,000 for the first year and $10,000 for each subsequent year. An initial payment to cover the cost of purchasing or upgrading certified technology including training and other support services can therefore equal up to $21,250. Eligible providers may then receive up to $8,500 per year for five years for operation and maintenance, as long as they continue to demonstrate meaningful use.27 Providers receiving payments must cover any additional costs incurred in setting up and maintaining their HIT systems. Acute care hospitals with more than 10 percent of their patients on Medicaid and children's hospitals of any Medicaid patient volume can receive incentive payments for the purchase of EHR technology up to the amount allowed under the Medicare incentive program for hospitals.28 Providers who adopt EHRs after 2016 will not be eligible for incentive payments.
Non-hospital-based physicians (including pediatricians) are therefore eligible to receive up to $63,750 if they have at least 30 percent Medicaid patient volume under the program. An alternative payment schedule and patient-mix criteria are provided for non-hospital-based pediatricians who have at least 20 percent Medicaid patient volume, who may receive up to $42,500. The choice for physicians between the two incentive programs is significant: for early adopters, potential Medicaid incentive payments could be significantly higher than under the Medicare program.29
Critical to the implementation of the Medicare and Medicaid incentive payment programs is the concept of “meaningful use.” As required by HITECH, CMS released a notice of proposed rulemaking (NPRM) on December 30, 2009, defining the terms and conditions under which an EP or hospital can qualify for Medicare or Medicaid incentive payments.30 Although HITECH gives state Medicaid agencies flexibility to develop a definition of meaningful use that may differ from that used by Medicare, CMS proposes using the same criteria for both the Medicare and Medicaid programs. However, the proposed rule does allow state Medicaid agencies to add additional requirements.
CMS proposes a three-stage approach for the implementation and development of “meaningful use” criteria to allow for the development of an infrastructure for health information exchange.31 Stage 1 criteria, which are proposed in the current NPRM, primarily address the capture of health information.32 Stage 2 criteria, which will be proposed by the end of 2011, will expand upon the initial criteria to include more robust requirements for health information exchange, such as continuous quality improvement at the point of care and structured information exchange (e.g., electronic transmission of orders entered using computerized provider order entry (CPOE) and electronic transmission of diagnostic test results).33 Stage 3 criteria, which will be proposed by the end of 2013, will include even more robust requirements, designed to focus on improving population health and promoting improvements in quality, safety, and efficiency; decision support for national high-priority conditions; patient access to self-management tools; and access to comprehensive patient data.34
The proposed Stage 1 “meaningful use” criteria include a set of 25 objectives and measures to be met by EPs and a set of 23 objectives and measures to be met by hospitals.35 These objectives and measures are categorized by care goals (which in turn are grouped under broader health-outcome policy priorities) that are focused on improving quality, safety, and efficiency and reducing health disparities; engaging patients and families; improving care coordination; improving population and public health; and ensuring adequate privacy and security protections for personal health information.36 Within these priorities, Stage 1 criteria include electronic capture of health information in a coded format; tracking of key clinical conditions; communication of tracked information for care coordination purposes; implementation of clinical decision support tools to facilitate disease and medication management; and reporting of clinical quality measures and public health information. The Stage 1 criteria will serve as the complete criteria for meaningful use until the further phases have been defined by subsequent rulemaking.
The Stage 1 “meaningful use” objectives primarily reflect the recommendations of the HIT Policy Committee, with certain exceptions (e.g., CMS does not propose to include “Record Advance Directive” as an objective, which would have required EPs and hospitals to record in an EHR the presence or absence of advance directives for patients over the age of 65).37,38 Moreover, unlike the HIT Policy Committee, CMS has paired each objective with a measure so that an EP or hospital can demonstrate having fulfilled a particular “meaningful use” criterion.39 On February 17, 2010, the HIT Policy Committee provided additional recommendations to CMS that, among other things, would allow EPs and hospitals to defer compliance with up to five “meaningful use” criteria from Stage 1 to Stage 2.40
To address the final prong of HITECH's definition of “meaningful use,” which requires reporting on clinical quality measures, the NPRM also includes a set of proposed quality measures for EPs and hospitals to use to qualify for an incentive payment.41 More specifically, EPs must report a core group of four clinical quality measures regarding tobacco use, blood pressure management, and drugs to be avoided in the elderly and one applicable specialty group of clinical quality measures.42,43 The vast majority of the quality measures are currently being used by the Physician Quality Reporting Initiative (PQRI) and are endorsed by the National Quality Forum (NQF) or approved by the AQA (formerly the Ambulatory Care Quality Alliance). A separate set of clinical quality measures is included for hospitals.44 Some of the hospital quality measures included in the NPRM are currently in use for the Reporting Hospital Quality Data for Annual Payment Update (RHQDAPU) program, but many are not. In addition, CMS proposes additional alternative clinical quality measures for hospitals participating in the Medicaid incentive program.
Comments were due on the proposed “meaningful use” rule by March 15, 2010, and CMS expects to release a final rule in summer 2010.
Since 2005, ONC has contracted with a private organization, the Certification Commission for Health Information Technology (CCHIT), to certify EHRs as having specific basic capabilities.45 Many of the EHRs certified thus far are difficult to use, however, and are not designed to meet ARRA's goals of improving quality and efficiency in the healthcare system. Not only must the standards developed by ONC for a “certified EHR” be designed to meet those goals, but physicians and hospitals also will have to use the EHRs effectively in order to do so.46
On the same day that CMS released the “meaningful use” NPRM, ONC released an interim final regulation describing the standards and certification criteria that EHRs must meet for EPs and hospitals to receive “meaningful use” payments.47 This initial set of standards reflects many of the recommendations made by the HIT Standards Committee in August 2009.48 They are intended to begin the process of defining a common language to enable the accurate and secure exchange of health information across EHR systems. In particular, the rule describes formats for clinical summaries and prescriptions; terms to describe clinical problems, procedures, laboratory tests, medications, and allergies; and standards for the secure transmission of information on the Internet. The rule also provides guidance on criteria that will be required for an EHR technology to be deemed certified.
Use of a certified EHR is one of the key requirements of “meaningful use” as defined in HITECH and the NPRM for providers to receive available incentive payments. This set of standards became effective 30 days after publication in the Federal Register (February 15, 2010); however, comments were accepted through March 15, 2010, and a final rule is expected later in 2010.
In response to concerns related to the perceived ease of access to electronic data, and in recognition of the fact that protecting individuals' health information is necessary in order to build public trust in electronic health information systems, Congress crafted HITECH to significantly revise health information privacy and security law, particularly the Health Insurance Portability and Accountability Act (HIPAA).49,50 The statute broadens HIPAA's reach and strengthens its privacy and security standards, in addition to adding new provisions related to enforcement and entities not covered by HIPAA. To date, only regulations addressing breach notification requirements have been released. Regulations are expected later this year addressing new requirements for business associates, including the direct application of HIPAA penalties to all business associates.
The regulations that have been released address privacy and security breach notices. Although a number of states have enacted laws requiring businesses to notify consumers of breaches of the security of their personal information in electronic databases, HIPAA has no strict notification requirement. HITECH established the first national data security breach notification law by requiring covered entities to notify individuals whose unsecured PHI has been disclosed as a result of a privacy or security breach.51 In certain cases, the covered entity must also notify the Secretary of HHS and the general public. If a breach is discovered by a business associate, the business associate is required to notify the covered entity and identify each individual who is reasonably believed to have been affected. Unlike many state notification laws, the new federal law is not limited to breaches of the security of online information or restricted to financially sensitive information, such as Social Security numbers. HITECH does not preempt state requirements that are more restrictive and does not apply to certain unintentional disclosures of PHI.52
The statute applies similar breach notification requirements to vendors of PHRs, businesses that offer products or services through the Web site of a PHR vendor or a covered entity that offers PHRs, and entities that access information in or send information to a PHR.53 As required by HITECH, the HHS OCR and the Federal Trade Commission (FTC) issued rules implementing the breach notification requirements for both covered and noncovered entities respectively in August 2009.54,55 The regulations largely reflect the provisions in HITECH and became effective September 23, 2009, although HHS indicated that no penalties would be imposed prior to February 22, 2010. Also, as required by HITECH, the government has posted the initial lists of covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals.56
It is notable, however, that several provisions of the OCR regulations have been interpreted as more relaxed than HITECH's requirements in defining new substantive standards for breach notification. For example, the regulations establish a harm threshold that relieves covered entities and business associates of the responsibility to notify individuals of improper disclosures that pose little or no risk of harm.57 This relaxation of the statute's requirements, however, is accompanied by a new requirement for these organizations to conduct and document risk assessments of all improper uses or disclosures.58 In addition, the OCR regulations clarify that improper uses or disclosures of limited data sets (a data set, defined by the HIPAA Privacy Rule, that is stripped of a number of categories of patient-identifying information and can be used pursuant to a data use agreement for research, public health, and healthcare operations purposes) do not trigger breach notification requirements.59,60 The regulations also expand the statutory exception for disclosures by authorized persons who work at the same facility by defining “facility” to mean any covered entity, business associate, or organized healthcare arrangement.61 This language effectively broadens the exception to include inadvertent, improper data exchanges within the same organization, even if they do not occur within the same physical facility.62 The regulations also take steps to harmonize FTC and OCR requirements for PHR vendors that may be subject to both FTC and OCR regulations.63 Finally, the regulations reinforce the OCR guidance released April 17, 2009, that provides a safe harbor by specifying encryption and other methods for securing PHI, thereby eliminating notification requirements in the event of a breach of such information.64 An annual update to this guidance on the safe harbor for encryption and other methods of securing PHI will be released in the near future.65
ARRA's HITECH provisions reflect a shared conviction among the presidential administration, Congress, and many healthcare experts that electronic information exchange is essential to improving health and healthcare. HIT, however, is not an end in itself but a means of improving the quality of healthcare, the health of populations, and the efficiency of healthcare systems.
As the current proposed and interim final rules illustrate, a number of implementation challenges lie ahead. With significant financial support comes a new set of complex statutory and regulatory requirements that will require financial and technical assistance for providers and federal and state agencies to implement. Furthermore, these requirements will require changes in workflow processes and systems that will depend upon both resources and time to modify and implement. ONC has begun the process of assisting these developments by issuing a range of HITECH grantmaking and policy guidance on, for example, the State Health Information Exchange Cooperative Agreement Program, the Health Information Technology Extension Program, the Strategic Health IT Advanced Research Projects Program, and a series of educational and training programs.66
In addition, the regulations discussed in this article represent merely the first phase of HITECH-related rulemaking. For example, CMS has provided only guidance on Stage 1 criteria for meaningful use with nominal mention of what can be expected from future rulemaking for Stages 2 and 3. Future rulemaking is also expected to clarify the application of new HITECH requirements to business associates later in 2010. An annual update to the guidance addressing encryption and other methods to secure PHI and new guidance addressing the application of the minimum necessary standard to the disclosure of PHI are also anticipated later in 2010.67,68
Finally, a number of other HITECH provisions that did not require regulatory rulemaking became effective on February 17, 2010. These include application of HIPAA requirements and penalties directly to business associates; expansion of the definition of business associate to include certain entities not previously covered by HIPAA, including health information exchanges, regional health information organizations, and other organizations that transmit PHI to a covered entity or its business associate and require routine access to PHI; and defining safe-harbor status for limited data sets as meeting the minimum necessary standard.69–71 These changes also require resources and technical support to implement and represent a significant shift in current practices.
Providers, vendors, and other stakeholders should continue to pay close attention to these and related requirements as the implementation of HITECH gathers speed. Taken in their entirety, the provisions of HITECH and implementing regulations represent a transformational shift in the delivery of healthcare in America from a paper-based to an electronic system that supports improvements in the quality and efficiency of care.
This article relies in part on an earlier paper produced by the Robert Wood Johnson Foundation, the George Washington University Medical Center, and the Institute for Health Policy at Massachusetts General Hospital and Partners Health System. See Goldstein, M. M., L. Repasch, and S. Rosenbaum. “Recent Federal Initiatives in Health Information Technology.” In C. DesRoches and A. Jha (Editors), Health Information Technology in the United States: On the Cusp of Change, 2009. Robert Wood Johnson Foundation, 2008. Available at http://www.rwjf.org/pr/product.jsp?id=50308.
Melissa M. Goldstein, School of Public Health and Health Services at the George Washington University Medical Center in Washington, DC.
Hyatt Thorpe Jane, School of Public Health and Health Services at the George Washington University Medical Center in Washington, DC.