Information Technology and EMR

Is your office photocopy machine a HIPAA time-bomb?  Affinity Health Plan recently learned that the answer is yes, to the tune of a $1.2 million settlement with the US Department of Health and Human Services Office for Civil Rights (OCR).  Affinity is a not-for-profit managed care organization which includes one of the New York metropolitan area’s largest Medicaid managed care programs.  In 2010, Affinity made a mandatory breach report to OCR when it learned that the protected health information (PHI) of over 300,000 individuals was found on the hard drives of multiple photocopiers that Affinity had leased.  Affinity failed to have the hard drives wiped or destroyed prior to the return of the copiers at the end of the leases.

As HIPAA Covered Entities, healthcare organizations from hospitals and inpatient facilities to physician practices and health plans should take note of this matter.   For Covered Entities, this may mean new policies covering copiers and other hard drives containing PHI, revised risk analyses and safeguards, and revised Business Associate Agreements (BAAs).

Additionally, Business Associates of healthcare organizations, including consultants, lawyers, accountants, and billing companies, who may possess protected health information should also pay close attention.  Under the Omnibus Rule, finalized earlier this year and taking effect on September 23, 2013, business associates will be directly responsible for compliance with the privacy and security provisions of HIPAA, HITECH and the Omnibus Rule. This means developing their own policies and procedures, conducting internal risk assessments and audits, and implementing physical and electronic safeguards to protect PHI.  Business Associates should carefully read new or revised BAAs they receive from Covered Entities to better understand their obligations.

The health care attorneys at Farrell Fritz understand HIPAA, can help your organization move toward compliance with new and old requirements, and minimize your risk of substantial fines.


On January 2, 2013, the US Department of Health and Human Services announced a $50,000 settlement with Hospice of North Idaho for a data breach involving the theft of an unencrypted laptop computer containing the health information of 441 patients.

This settlement is the first for a reported breach affecting fewer than 500 individuals.   HHS Office of Civil Rights Director Leon Rodriguez stated that “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

A few takeaways from this settlement:

  • All HIPAA covered entities should conduct initial and ongoing risk assessments regarding use of electronic PHI;
  • Providers should develop and adopt policies and procedures regarding the use of mobile devices such as laptops, tablets, and smart phones containing electronic PHI, and appropriate safeguards to implement;
  • Think about who should have access to the devices, how they are protected or encrypted, and where they are stored;
  • Providers should carefully investigate all data breaches, no matter how small;
  • After an investigation, review the provisions of the HITECH Act regarding breach notification; must the provider notify HHS immediately, notify the affected individuals, or take other measures?
  • Consult with counsel familiar with HIPAA, HITECH and data breaches to ensure that all Federal and State obligations are being met with an appropriate investigation, response, remedial assessments and policies and procedures.


The Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) of 2009 aims to have all hospitals and physicians use electronic health records (“EHRs”) for all persons in the United States by 2014.  Federal and State financial incentives, electronic billing requirements, and the need for ever-increasing collaboration and sharing of information among providers have led to a growing embrace of EHRs across the health care system.

The U.S. Department of Health and Human Services Office of the Inspector General (the “OIG”) recently issued its Work Plan for Fiscal Year 2013.  One of the OIG’s goals for 2013 is to identify fraud and abuse vulnerabilities in EHR systems and to determine how certified EHR systems address those vulnerabilities.

Letters and Surveys Sent By OIG

The OIG has already begun to implement the Work Plan with respect to its review of EHR systems.  In October 2012, at least ten hospitals received an 18-page, 54-question survey requesting detailed information on their EHR systems.  The survey comes on the heels of a letter that was sent on September 24, 2012 from HHS and the Department of Justice to health care providers indicating that “there are troubling indications that some providers are using [EHR] technology to game the system, possibly to obtain payments to which they are not entitled.”

It is expected that the responses to the survey will be used by the OIG to prepare a report which will be published during fiscal year 2013.  According to a recent article posted on HealthLeaders Media, some of the questions in the OIG survey include:

  • How diagnoses and procedures are coded (manually, automatically with coding software, or other);
  • User authorization methods (unique user ID, password, tokens, biometrics, public key);
  • Access management (session time-out, minimum password configuration rules, regular changing of passwords, user agreements or contracts to prevent sharing of passwords, or other);
  • Barriers to allowing outside entities access (lack of software or hardware support, insufficient staffing, funding restrictions, performance concerns, privacy concerns, etc.);
  • How physician progress notes are entered into the EHR (free text, via structured templates);
  • Whether narrative nursing notes are directly entered into the EHR or handwritten and scanned into the EHR, and if so, why;
  • Whether patients have access to the EHR, and if so, how.

Steps to Ensure Proper Functioning of an EHR

There are certain steps that hospitals and physicians can take in order to ensure that their EHR system is functioning properly.  First, considerable time and research should be spent on selecting an EHR vendor to ensure that the EHR system will be a good fit for the practice.  Issues to be addressed should include: What features does the vendor’s system include that competitors may not offer?  What kind of training and support is provided by the vendor, and how and when is that support available?  What is the size of the vendor’s customer base, and has its software been implemented in similar practices and work environments?  Legal review of acquisition documents, service/support agreements, and hardware or hosting agreements is a key component of the process.

Second, it is essential that hospitals and physicians receive appropriate training in the use of the system and that sufficient time is allotted for staff education.  Written manuals should be provided to staff members that, along with a detailed guide to the EHR system, include quick, one-page “cheat sheets” for easy reference by users.  Third, hospitals and physician practices should set realistic goals and expectations.  Because it is unlikely that things will go smoothly from the get-go, practitioners should set aside time on a regular basis, as frequently as every 60-90 days, to reevaluate their EHR system and see if improvements or changes should be made to the system or processes.  This will also provide an opportunity to determine if any member of the team needs additional training on the system.

In light of the OIG’s Work Plan and increasing scrutiny on EHR systems, it is essential that hospitals and physicians take measures to ensure that their EHR systems are working properly and are being used appropriately.

In order for an accountable care organization to succeed, there must be a workable method for collaboration among the providers.  How do providers of care effectively communicate among one another?  What is the optimum means of memorializing a patient’s medical history and present health status so that all providers of care are basing their decisions on the same data?  And how do, for example, a surgeon and a cardiologist communicate best to ensure that a patient’s risks of undergoing surgery are fully assessed and yet not one day more is spent as an inpatient than absolutely necessary?

These very issues confront providers each and every day in their offices, surgery centers, clinics and hospitals.  When a patient is admitted to a hospital because a colonoscopy indicates that a cancerous section of the colon should be removed, how is the process of caring for that patient met and coordinated from admission to discharge?  A recent experience of mine exposed the communication barriers among the various providers of care in the inpatient setting causing inefficiencies, avoidable delays and unnecessary days in the hospital.

Importance of Information Technology

Having a single provider coordinate all of the care will help increase the quality of the care and decrease wasted resources.  An invaluable tool to accomplish this coordination of efforts is to make all of the medical information concerning a patient readily available to all of the caregivers.  The manner in which the health data is organized and presented should be standardized so all providers can zero in on the information sought at any moment.  Every provider should be able to view a screen or screens of data that capture an individual’s medical history, current medications and medication history, and present physical condition, both subjectively and objectively.  Thick and unruly medical charts must be made a thing of the past.

Kaiser Permanente physicians, for example, follow patients closely because their performance with regard to quality of care and patient satisfaction are determining factors in whether or not they receive a bonus.  Financial incentives are not new, but they work.  Physicians within the Kaiser Permanente system use a comprehensive health information process that coordinates inpatient and outpatient medical records, appointment scheduling, and registration, all of which yield efficiency and effectiveness.   Elimination of wasted resources is the goal.

Perhaps we will have to accept that it will be a slow process until physicians and their staffs are able to fully adopt health information technology and learn to use it effectively.  Doing so in a standardized fashion will assist with the delivery of high quality and effective care while eliminating wasted resources.  Too much time is currently wasted waiting for diagnostic test results or communication between health care providers.  The by-product of unnecessary waiting and communication gaps is wasted resources.  With a growing population and people living longer, health care resources will become precious.  This will drive the need to become frugal and efficient when using health care resources because they are not limitless.

The US Department of Health and Human Services Office of Civil Rights (“OCR”) recently released its HIPAA audit protocol.  Audits of HIPAA compliance were mandated by the 2009 Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which amended many parts of HIPAA and included breach notification requirements.

The OCR conducted a number of pilot audits of compliance with privacy, security and breach notification requirements of HIPAA covered entities beginning in 2011, and will continue the test phase through December 2012 with a total of 115 such audits.

Protocol Modules

The protocol is divided into two modules: (1) Security, and (2) Privacy and Breach Notification.  The Security module contains 77 entries, covering Security Rule requirements for administrative, physical, and technical safeguards.  The Privacy and Breach Notification module contains 88 entries, and covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures, as well as Breach Notification Rule requirements.

Lax Enforcement No More

At a recent OCR/National Institute of Standards and Technology (NIST) HIPAA Security Conference, one OCR official stated that “It is no longer acceptable to be noncompliant.”  Another official noted that OCR was finding significant issues with security of electronic data, and that many covered entities were failing to conduct risk assessments, and failing to adequately address identified risks.

In the past, OCR had been accused of lax or non-existent enforcement of HIPAA and HITECH violations.  However, recent record-breaking fines of over $1M against several providers which had committed HIPAA breaches, combined with the full audit program being implemented along with the audit protocols, suggest that the OCR is ramping up its enforcement efforts in a big way.  Covered entities will need to take strong actions to comply with the numerous requirements of the laws.

Steps to Take to Comply

The first step toward increased compliance is to conduct a self-audit.  The new audit protocols lay out exactly what the OCR will be looking at in an audit, and will help covered entities identify areas of weakness.  This audit can be conducted by the covered entity itself, or with the guidance of legal counsel or consultants familiar with HIPAA and HITECH requirements.  Once areas are identified, the provider should prioritize by levels of importance and risk, and begin to implement new or revised policies and procedures to address the issues.

The recent increase of prescription drug abuse led both chambers of the New York State Legislature to pass the Internet System for Tracking Over-Prescribing (I-STOP) Act on June 11, 2012.  The legislation seeks to tighten control over certain controlled substances in an effort to decrease criminal diversion and abuse of such prescription drugs which can result in addiction, violence, family conflicts and increased costs to business and the health care system.

A major focus of the I-STOP Act is the creation of a “real time” Prescription Monitoring Program Registry which is aimed at shrinking the number of fraudulent prescriptions, minimizing doctor-shopping and reducing the over-prescribing of controlled substances.  The registry will contain patient history information of no less than six months and no more than five years.  Among other things, the registry will contain information including the patient’s name and address, the date the prescription was issued and the date it was dispensed, the metric quantity of drug dispensed, the supply of drug by number of days and the prescriber’s name.

Duty to Check Registry

The legislation imposes a duty upon practitioners to check the registry before prescribing certain controlled substances.  Practitioners may, however, designate an employee or contractor to access the registry on their behalf if the following conditions are met: (1) the practitioner takes reasonable steps to ensure that the designee is competent in the use of the registry; (2) the practitioner remains responsible for the designee’s access to the registry, including remaining responsible for any breach of patient confidentiality; and (3) the ultimate decision as to whether or not to prescribe or dispense a controlled substance remains with the practitioner and is reasonably informed by the relevant controlled substance history information obtained from the registry.  Practitioners, pharmacists and those persons acting on behalf of practitioners and pharmacists, who act with reasonable care and in good faith, are provided immunity against any civil liability arising from the reliance by such person upon false, incomplete or inaccurate information submitted to or reported by the registry.

There are exceptions to the duty to consult the registry before prescribing certain controlled substances.  For example, the duty does not apply to: (1) veterinarians; (2) a practitioner prescribing a controlled substance that is to be administered in the prescriber’s office; (3) a practitioner prescribing a controlled substance for use within an institution such as a hospital or clinic; (4) a practitioner prescribing a controlled substance in an emergency room setting if the prescription is for no more than a five-day supply; (5) practitioners when it is not reasonably possible for the practitioner to access the registry in a timely manner; or (6) practitioners where the registry is not operational or cannot be accessed due to a temporary technological or electrical failure.

E-Prescribing and Other Requirements

In addition to the Prescription Monitoring Program Registry, the legislation also requires that all prescriptions be issued electronically by December 31, 2014, updates New York State’s controlled substance schedules, calls for practitioners to be educated regarding the overprescribing of controlled substances and general pain management, and requires the Department of Health to establish a safe disposal program to facilitate consumer disposal of unused medications.  The legislation will be sent to Governor Andrew Cuomo, who is expected to sign it into law.