August has traditionally been a sleepy month for government regulatory agencies, but this year, Washington’s usual summer torpor was interrupted by a rush of new initiatives, as more than three-quarters of a trillion dollars from the American Recovery and Reinvestment Act (www.recovery.gov
) surged into a mind- boggling range of projects. One of these efforts, the Health Information Technology for Economic and Clinical Health (HITECH) Act, provides a billion-dollar bolus of funding for electronic health records (EHRs).
Speaking at an August 20 press conference (http://tinyurl. com/yes4cgl
), Secretary of Health and Human Services (HHS) Kathleen Sebelius explained, “We’re announcing $1.2 billion in grants directed to two primary areas; the first is helping doctors and hospitals adopt EHRs and get assistance from regional health centers, and the second is to help support health information exchange—help states set up systems where we’ll be able to communicate across the lines of healthcare agencies.” Sebelius added that “this is just the first wave of resources invested in health technology, aimed at really transforming our paper-driven system to an electronic system over the next several years.”
Health IT proponents cheered the new funding, but many have reservations about other aspects of the Act. In particular, HITECH is shining a spotlight on the problem of data security in health IT, an issue that has long been regarded as the field’s biggest challenge.HIPAA reaches out
HHS officials agree. “Security is absolutely essential, it’s foundational, and we are tasked by the law to develop new methods and to examine technologies for assuring security, and we are going to be asking our health IT policy committee to look directly at that subject in the very near future, so we understand that that’s critical,” said David Blumenthal, MD, National Coordinator for Health Information Technology (http://tinyurl.com/y88ah3h
Indeed, HITECH already implements some new security requirements. Most notably, the Act expands the coverage of the earlier Health Insurance Portability and Accountability Act (HIPAA). Previously, entities such as hospitals and clinics were covered by HIPAA, but their contractors, software vendors, and other business associates were not, a loophole that incensed many privacy advocates. Under HITECH, all of these business associates will now be subject to HIPAA’s stringent security requirements and legal penalties (http://tinyurl.com/y8qecob
“HITECH is a real game changer with respect to the legal obligations of business associates, and it’s going to have a significant impact on business associate relationships and all vendor relationships,” says Reece Hirsch, a partner in the law firm of Morgan, Lewis & Bockius in San Francisco, CA. Hirsch, who specializes in healthcare regulation, adds that “there are a whole host of new individual rights with respect to [personal health information] for patients, and... they all relate to rights of patients with respect to EHRs.”
Most of the new rules will take effect in February, a deadline that has some vendors sweating. “For large business associate organizations like a major outsourcing company, let’s say, it’s highly likely that they’ve already implemented a comprehensive security compliance program, [but] for smaller business associates, particularly those who aren’t exclusively dedicated to the healthcare industry, they may have a lot of work to do, because between now and February 18, they’ll be required to get that kind of formal, comprehensive security compliance program in place,” says Hirsch, who recently presented a Webinar reviewing the changes (http://tinyurl.com/y8qecob
Although the business associate rules will affect most physicians indirectly, other HITECH measures will have a direct impact. For example, the new funding includes “almost $600 million of support for what are called regional extension centers... whose purpose is to support physicians and hospitals in the adoption and meaningful use of EHRs, and... approximately $600 million in support for state- designated entities to promote health information exchange within their jurisdictions,” according to Blumenthal (http://tinyurl.com/yes4cgl
).Making tinfoil hats fashionable
HITECH also provides for a series of incentive payments for Medicare and Medicaid providers to spur them to adopt EHRs between 2011 and 2015, after which the government will begin penalizing those who have not adopted them (see Timeline). For cash-strapped hospitals and overworked physicians, those dates appear imminent, but public health officials argue that deadlines are an essential component of the legislation.