Ongoing Challenges to Private Practice: HIPAA-HITECH

What those in the "business of medicine" need to know.

By Richard J. Ruckman, MD, FACS

As many of my colleagues have said, "We receive wonderful training in the practice of medicine but little in the business of medicine." That has certainly been my experience for the past 30 years as I have had both the joys and challenges of owning and managing two offices, two optical shops and an ASC. What measure of success that I have had can be attributed to great employees, good advisors and my attention to the economic and governmental issues that affected our practice.

Regarding the practice and business of medicine, 2010 has been especially important for government issues with the release of the Electronic Health Record Incentive Program Final Rule on July 28.¹ This Final Rule defines the criteria for implementing so-called "meaningful use" of EHR, as originally mandated by 2009's Health Information Technology for Economic and Clinical Health (HITECH) Act.^2,3

Although the "meaningful" adoption of EHR will have the most profound long-term influence on our practice, HITECH also expanded on the privacy and security safeguards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). As is well known, HIPAA established privacy and security requirements for protected health information (PHI).⁴

Let's examine how we can expect HIPAA and HITECH to affect our practices.

The Details

■ HIPAA. Here's a refresher course on the HIPAA Privacy Rule: It establishes national standards to protect patients' medical records and other personal health information. It applies to health plans, healthcare clearinghouses and to healthcare providers that perform certain healthcare transactions electronically.

The Rule requires safeguards to protect the privacy of personal health information. It also sets limits and conditions on the uses and disclosure of such information that may be made without authorization from the patient. Additionally, the Rule gives patients rights over their health information, such as the right to examine and obtain a copy of their health records, and to request corrections to those records.⁵

Since July 2009, enforcement of the privacy rule and the security rule has been delegated to the Office for Civil Rights, and complaints against a covered entity will be addressed through that office.⁶

■ So what will practices see?

► Additional rights of patients.
►More stringent requirements for "business associates."
► Required notification of privacy breaches.
► Restrictions on the use of data for marketing.
► Stiffer penalties for noncompliance.

■ Patient rights. HIPAA defined our requirements for PHI to include any media: oral, paper or electronic. It permitted release of protected information to covered entities such as providers, but also to insurance companies. With HITECH, patients may:

► Restrict disclosure of their PHI to a healthcare plan for payment, not treatment, and if the provider has been paid in full.
► Request an accounting of routine disclosures of their PHI used for treatment, payment, and healthcare operations for up to three years.
► Designate a third party as the recipient of PHI.
► Limit the sale and marketing of PHI.

There are now more stringent requirements for "business associates," requiring compliance with both HIPAA privacy and security rules. This has been coupled with a stronger definition of breach of security, with more power to enforce and correspondingly higher penalties for "willful neglect."⁷

The take-home message is the need to educate your staff regarding new issues with patient rights, as well as to update business associate agreements.

Security Expanded

The Security Rule of HIPAA has also been expanded. It now includes the following:

► Administrative Safeguards

• Implement policies and procedures to prevent, detect and correct security violations
• Assigned security responsibility
• Workforce security
• Information access management
• Security awareness and training
• Security incident procedure
• Contingency plan — response to natural disasters
• Periodic evaluation
• Business associate contracts

► Physical Safeguards

• Facility access control — limits physical access to electronic information systems
• Workstation use
• Workstation security
• Device and media controls

► Technical Safeguards

• Access controls — technical policies and procedures that allow access only to those so authorized
• Audit controls
• Integrity of PHI
• Person or entity authentication
• Transmission security⁸

EHR Guidelines and You

The privacy and security requirements of HITECH are important to incorporate into practice but by far the greater impact for ophthalmologists will be the guidelines for adopting electronic health records.

HITECH has appropriated $19.2 billion in federal funds to accelerate adoption of meaningful use. Medicare will pay up to $44,000 per provider starting in 2011 for those who demonstrate "meaningful use of certified software."

The bonus is weighed 70% in the first two years to favor early adoption. If you are not a "meaningful EHR user" by 2015, your Medicare fee schedule will be reduced by 1%, in 2016 by 2%, in 2017 by 3% and in subsequent years by 3% to 5%.9 You can participate as a Medicare or Medicaid provider, but not both, and ASCs are specifically excluded from the incentive payments.

Define "Meaningful"

"Meaningful use" will require the following:

► Use of certified EHR technology with e-prescribing capability.
► Connectivity (interoperability) for the exchange of patient's health information.
► Compliance with clinical quality measure reporting (Physician Quality Reporting Initiative, or PQRI).

The rule has 25 criteria that may apply, with the option for a provider to defer up to five of the criteria with certain restrictions.¹⁰ Medicare expects that by 2019 between 36% to 70% of EPs will demonstrate "meaningful use."¹¹ (For a discussion of the objectives/measures that physicians must fulfill, see the "Path to Paperless" column in OM's September issue.)

On October 1, the Certification Commission for Health Information Technology (CCHIT) announced that it tested and certified 33 EHR products under the Commission's ONC-ATCB program, which certifies that the EHRs are capable of meeting the 2011/2012 criteria supporting Stage 1 meaningful use. The certifications include 19 complete EHRs, which meet all the 2011/2012 criteria for either eligible provider or hospital technology, and 14 EHR modules, which meet one or more, but not all, the criteria. For additional information go to: http://www.cchit.org/media/news/2010/10/commission-announces-first-onc-atcb-20112012-certifications.

One Real-World Experience

My experience is that this will continue to be a long process, expensive both in time and money. Over the past year, we have integrated EHR into our business offices, optical shops and clinics but have yet to fully implement EHR into our ASC. Rather than enter more than 25,000 active patient records into EHR, we feel that it has been more cost effective to enter pertinent information from the paper record when the patient schedules his next appointment. This assures us that our EHR database reflects active patients.

Also, this gradual introduction has allowed us to adjust templates to our style of practice and train staff on the importance of due diligence in data entry. Simple questions such as, "Does your EHR default to ‘+’ or ‘−’ on refractions?" can have a profound influence on the accuracy of your records.

We have both wireless and hardwire capability but chose to stay with hardwire, using stationary laptops in most work areas for the speed, avoiding loss of connectivity, and the ease of access by many providers as a patient moves through the office.

There are other costs to consider. To maintain real-time connectivity between our two offices, we have had to add a second T-1 line at an additional cost of $800 per month. Also, we have had to add a hardware firewall for secure remote access for employees and remote support from our software vendor. In addition, since our backups have increased, we have had to change the way we backup our system. This means adding hardware for the backups and purchasing offsite backup services from a third party — another expense.

Even though current instruments such as autorefractors, AVFs and retinal cameras are "EHR compatible," we found that to truly integrate them into EHR required the assistance of a parttime IT person. This staff person has frequently had to resolve software problems or even add hardware to make the devices work with the network.

We now have the problem of older but still functioning equipment, such as one of our fundus cameras, which is now obsolete since it cannot be EHR compatible. What this all means is that the promise of a $44,000 bonus just barely starts to cover the cost of conversion. Our goal is no longer "what we get now" by converting, but "what we lose" if we do not convert by 2017.

The Upshot

So what have been my lessons?

► On EHR:

• Start early — EHR conversion is a much more drawn-out process than I ever imagined.
• The Final Rule is out. Go with a vendor who can deliver certified EHR technology.
• Plan on employing at least a part-time IT person.
• Due to the expense involved with EHR, this may be a good time to look at practice consolidation.

► On HIPAA/HITECH:

• Involve the staff in update in-service
• Have a "compliance officer" to monitor office activities and HIPAA updates.
• Review compliance programs and business associate contracts and arrangements.

EHR is a financial and emotional burden, but there is no a choice for those who depend on Medicare/Medicaid and want to remain in a viable practice. We are trying to survive in an environment of changing rules and regulations. While this is stressful, the situation is manageable if we use all our resources: our peers, consultants and our national organizations, such as AAO, ASCRS and OOSS. OM

References

1. Federal Register, Part II, Department of Health and Human Services, Centers for Medicare and Medicaid Services, 42 CFR Parts 412, 413, 422 et al. Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule, Wednesday, July 28, 2010.
2. "American Recovery and Reinvestment Act of 2009," Tuesday, January 6, 2009
3. Federal Register, Part II, pp 44315-44316.
4. "Health Insurance Portability and Accountability Act of 1996," Public Law, 104-191, 104th Congress, August 21, 1996.
5. The Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164. Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html. Accessed September 21, 2010.
6. http://www.hhs.gov/ocr/privacy Accessed September 21, 2010.
7. "American Recovery and Reinvestment Act of 2009," Tuesday, January 6, 2009, Title XIII, Subtitle D-Privacy, Section 13410.
8. Electronic Code of Federal Regulations (eCFR), Title 45, Public Welfare, Part 164, Security and Privacy, Subsection 300-316. Available at: http://www.gpoaccess.gov/ecrf/. Accessed September 13, 2010.
9. Federal Register, Part II, p 44447.
10. Ibid., pp 44370-44375.
11. Ibid., Table 22, p 44550.

Richard J. Ruckman, MD, FACS, has been in practice since 1978, specializing in cataract surgery. He is medical director of The Center For Sight, located in Lufkin, Texas, and may be reached by e-mail at rruckman@thecenterforsight.com.