Federal court dismisses lawsuit alleging HITECH violates privacy rights

On May 13, 2010, the United States District Court for the Southern District of New York rejected the privacy challenge to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) asserted by Beatrice M. Heghmann, a registered nurse, and Robert A. Heghmann, her husband and attorney, against Kathleen Sebelius, Secretary of Health & Human Services (HHS), Nancy-Ann DeParle, Director, White House Office of Health Reform, and Charlene Frizzera, Administrator, Centers for Medicare and Medicaid Services (CMS). The Plaintiffs alleged that HITECH violates the HIPAA Privacy Rule, the Privacy Act, and Federal Common Law.

Conversion to electronic health record and retention of paper records

Editor’s Note: Due to the continued popularity of this post, this article was reviewed and updated on September 30, 2013. For the later version, click here.

Update: On August 8, 2010, Medicare issued MLN Matters Article SE1022 on Medical Record Retention and Media Formats for Medical Records, which states that the Centers for Medicare and Medicaid Services (CMS) requires records of providers submitting cost reports (most hospitals) to be retained in their original or legally reproduced form (which may be electronic), for at least 5 years after closure of the cost report.

Many hospitals have electronic health records (EHRs) that are hybrid digital records. While the hospital may be using electronic data entry in the ER, inpatient nursing care, pharmacy, lab, and pre-op anesthesia, oftentimes these EHRs are not integrated and, thus, are not merged into a single EHR. The short-term solution may have been to scan printed records from some departments, such as lab or pharmacy, into the patient’s on-line digital record. As a result, the hospital’s “electronic health record” contains information that is not captured in a “coded format.” For one, this will not meet the Stage One “meaningful use” criteria under the HITECH Act.

But let’s assume that the hospital can overcome this hurdle by working with vendors to integrate these records in a way that will meet HITECH EHR certification standards. If the hospital has been maintaining certain portions of patient records in a paper format, what does it do with those paper records after converting to an EHR? If the hospital scans all the paper patient records into its EHR, how long should the hospital retain the paper record after it is scanned into its EHR?

Use of electronic communications with patients

The Office of the National Coordinator for Health Information Technology (ONC) and its HIT Policy Committee worked hard throughout the summer to develop a framework for the “meaningful use” standards required to qualify for electronic health record (EHR) adoption stimulus funds available under the Health Information Technology for Economic and Clinical Health Act (HITECH Act). When I saw the survey that HIMSS released today regarding the use of social networking tools to communicate with patients, it reminded me of the “meaningful use” standard that centers on “engaging patients and families.” The stated goal of this standard is to “Provide patients and families with timely access to data, knowledge, and tools to make informed decisions and to manage their health.” Although it’s doubtful today that social networking tools would be accepted as meeting this goal for purposes of the EHR stimulus funds, it did get me thinking about the use of technology to literally communicate with patients and, in particular, the studies that have been done in regard to using technology, such as e-mail and texting, to communicate with patients.

State surveyors not to determine whether EHR meets HIPAA Privacy and Security Rules; Providers and Suppliers must provide access to EHR to Surveyors

In a letter to State Survey Agency Directors dated August 14, 2009, the Centers for Medicare and Medicaid Services (CMS) gave state surveyors guidance regarding surveys of facilities that use electronic health records (EHRs). CMS first stated its support and commitment to the goal that, by 2014, most Americans “will have access to health care providers who use EHRs.” CMS notes that the expanded use of EHRs will cause surveyors to encounter more and more situations where there is no paper-based record immediately available for review. In addition, there may be concerns about the scope of responsibility of State Survey Agencies in enforcing the Conditions of Participation (CoPs), Conditions for Coverage or Conditions for Certification (CfCs) applicable to the surveyed provider or supplier. The CoPs and CfCs include requirements respecting confidentiality of clinical information stored in an EHR.

HHS and FTC Issue Breach Notification Rules

On August 17, 2009, the Federal Trade Commission (FTC) issued its final rule requiring vendors of “personal health records” to notify consumers when the security of their electronic health information is breached. On August 19, 2009, the U.S. Department of Health and Human Services (HHS) issued its interim final rule requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their health information is breached. These rules were issued pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH), which is part of the American Recovery and Reinvestment Act of 2009 (ARRA). HITECH required FTC and HHS to collaborate on development of the breach notification rules. The FTC’s press release and a link to its Breach Notification Rule are available here. The HHS press release and Breach Notification Rule are available here. HHS published the Breach Notification Rule in the Federal Register on August 24, 2009.
