On February 22, 2010, as required by section 13402(e)(4) of the HITECH Act, the Office of Civil Rights (OCR) website posted a list of the covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals. By posting this information on the OCR website, OCR has met its HITECH Act obligation, which required Health and Human Services (HHS) to make this information public by posting it on an HHS website. The 36 impacted organizations are located around the country and run the gamut from the very small to one of the largest health plans in the country.
Although the majority of the breaches posted involved lost media and laptops, there were instances involving paper records, including several instances of mailings that included protected information. There were also a number of instances of hacking, a few of which involved compromises of business associates.
It remains to be seen whether this public display will shame companies into not losing laptops or being the victim of a theft. What is clear, however, is that having your name listed on a public site will open you up to more potential litigation expense.
Electronic health records (EHR) should be on the risk management fast track. First, the FTC promulgated regulations that will require most hospitals to implement a written ID theft prevention program by June 2010. California and a few other states have already started requiring that healthcare providers implement technical and physical safeguards to protect patient medical information. And now, Title XIII of the American Recovery and Reinvestment Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), has implementing regulations that are just now starting to change the EHR landscape. Thankfully, the HITECH Act provides significant funding for the development of this nationwide health information technology infrastructure. Specifically, the law provides financial incentives through the Medicare program to encourage physicians and hospitals to adopt and use certified EHR.
The keys to the EHR kingdom turn on whether you are actually a “meaningful EHR user”. Although some guidance was provided by an HHS working committee in June 2009, and further guidance in the form of a proposed rule was provided on December 30, 2009, a final rule on the definition has yet to be delivered.
According to the HHS December 30, 2009 Press Release, “The proposed rule would define the term ‘meaningful EHR user’ as an eligible professional or eligible hospital that, during the specified reporting period, demonstrates meaningful use of certified EHR technology in a form and manner consistent with certain objectives and measures presented in the regulation. These objectives and measures would include use of certified EHR technology in a manner that improves quality, safety, and efficiency of health care delivery, reduces health care disparities, engages patients and families, improves care coordination, improves population and public health, and ensures adequate privacy and security protections for personal health information.”
What exactly does this nested and partially circular definition mean to someone looking for guidance? Not very much. Until such time as the term “meaningful EHR user” is finalized, the door remains open as to just how far-reaching the HITECH Act will become.