Last year, The Health Information Technology for Economic and Clinical Health Act (HITECH) became law. The HITECH Act will reimburse eligible professionals up to $44,000 under Medicare and up to $64,000 for purchasing and implementing a qualified EHR system. As you know, XLEMR is making every effort to ensure our software will support the yet to be defined requirements for meaningful use certification.

However, the HITECH Act also expands the scope of HIPAA in terms of penalties, compliance, and enforcement. Until recently, HIPAA has been laxly enforced. The HITECH Act significantly increases the risk exposure of non-compliance. We strongly recommend you begin allocating resources for full HIPAA security rule compliance. Even if you do not wish to participate in HITECH, you still must comply. Please take a moment to review the changes outlined below:

HITECH Stage 1 objective - Ensure adequate privacy and security protections for personal health information :

• Goal - Ensure privacy and security protections through operating policies, procedures, and technologies.
• Measures - Conduct or review a security risk analysis, and implement security updates as necessary.
• Full HIPAA security rule compliance not required for stage 1 . Stage 3 may require full security rule compliance.

Expanded HIPAA requirements under HITECH:

• Mandatory penalties up to $250,000 with repeat violations up to $1.5 Million imposed for “willful neglect.”
• Penalties may extend to business associates.
• State Attorney Generals may sue providers on behalf of state residents. Previously, only the Office of Civil Rights was allowed to sue providers.
• HHS is required to conduct periodic audits of covered entities and business associates. Previously, no audits were required.
• Imposes data breach notification requirements for unauthorized uses and disclosures of unsecured PHI. A breach of more than 500 records requires providers to notify HHS. Provider’s name will be posted on HHS website. Local media may need to be notified.

Please feel free to contact me if you have any questions about the changes to HIPAA law or how this might affect your practice. Although every practice should work towards full compliance, it is essential to start with a security risk analysis. A risk analysis will help you prioritize your remediation, and it is also necessary to qualify for meaningful use. Please let us know if you would like more information about risk assessments. In the mean time, please feel free to take our brief HIPAA quiz.

A Personal Health Record (PHR) is a device or software that allows patients to keep track of and manage their health information. Many PHRs are contained on a USB thumb drive designed to be carried at all times. Some USB drives are built into bracelets, necklaces, or are shaped so they will fit into a wallet. Other PHRs might be web-based using a patient portal such as Microsoft Health Vault, or the now-defunct Google Health.

According to a brief by Deloitte, PHRs may provide the means for consumers to enhance self-care, which can help reduce the cost of health care. Despite the benefits offered by PHR, they have not been very popular. Several factors have limited their adoption, such as the lack of interoperability standards, the slow adoption rate of electronic health records (EHR), and privacy concerns. Many older patients are also reluctant to embrace technology.

However, another recent article states that nearly all web users have searched for medical information online, most of them after talking with their doctor. The Deloitte article also goes on to state that twice as many patients belonging to generations X and Y want PHRs compared to Baby Boomers and seniors. Personal health records seem to be gaining popularity.

Several of the final meaningful use requirements require patients to have electronic access to their health records. In case you are unfamiliar, the HITECH Act will reimburse physicians for purchasing EHR systems and using them according to established guidelines known as meaningful use. These requirements ensure a minimum level of use and create a standard set of features all EHRs must provide.

For example, providers are required to provide electronic copies of health information including test results, problem lists, medication lists, and medicinal allergy lists. PHRs can also help exchange clinical information between providers, which will help improve patient care and reduce the amount of paperwork required. PHRs can also store summary of care records, which are useful when patients transition to another provider or care setting.

Providers should consider offering their patients a PHR. They should find a PHR system that is flexible, and will help them qualify for meaningful use. PHRs have much more legitimacy in the eyes of the patient when they come recommended from physicians, compared to direct business-to-consumer sales. Providers may even be able to partner with a vendor to retail PHRs to their patient. In these days of ever-declining reimbursements, it helps to have legitimate additional revenue streams. In any case, PHRs will be a crucial part of qualifying for meaningful use.