While 80 percent of the industry obsesses about the technology pieces of HITECH, savvy lawyers like Verrill Dana’s Kate Healy know the privacy and security regulations are every bit as important. Why? Namely because breaches now carry much heavier burdens on the health systems in which they occur, requiring notification of the local news outlets, and allowing attorneys general to bring suits on behalf of the aggrieved. Recently, HCI Editor-in-Chief Anthony Guerra had a chance to chat with Healy about what CIOs need to know about HITECH’s security side.
AG: Give me a brief overview of your firm and the services you’re providing to hospitals in this space.
KH: Our firm is a large multi-specialty firm, and I am a partner in the healthcare industry group at Verrill Dana, and I’m also the chair of the health technology group. My entire practice is focused on providing legal advice to a wide variety of healthcare organizations, and that includes hospitals and physician groups, and I also represent the statewide health information exchange in Maine called HealthInfoNet.
In terms of the services that we provide specifically to hospitals, we do provide a wide range, and I, in particular, provide regulatory compliance advice and health information technology advice, including advising clients about compliance with, and the application of, both privacy and security standards. That’s a brief overview.
AG: Tell me what the stimulus has done to your business, but more importantly, what it’s done to the healthcare industry. Has it created a beehive of activity, is there incredible amount of curiosity, are people lawyering up because they know they're going to need them for doing big deals with vendors?
KH: I think that the HITECH Act--and of course, it’s been a little over two months since the act was actually signed by President Obama--I think that it has prodded people to push their EHR systems further and take a hard look at whether they will begin to meet the requirements for meaningful use under the act so that they can actually get the incentive payments that are contemplated under the act. I think that it’s a little too soon to say whether everyone is lawyering up, but I certainly see and have requests already for advice and review of existing business associate agreements, and I think that that has only begun.
AG: So it’s definitely stimulating the economy in one way.
KH: It is, it’s stimulating the economy, and I think it’s prodding people to move forward with projects that had otherwise been put on hold.
AG: What would you say is the overview of the act, sort of ‘HITECH For Dummies’ that our readers should know about? I think they do know the basic outline, but I want to make sure we’re not missing anything that you think is important.
KH: I think the big picture is that the HITECH Act includes both new opportunities and responsibilities in the area of health information technology. And the opportunities are the incentive payments, and those incentive payments for hospitals really begin in 2011. Hospital CIOs should know that beginning roughly in Oct. 1, 2010, they should be prepared to have their organization meet the requirement of meaningful use of certified electronic health records.
In order to do that, they need to demonstrate that they're using electronic health records in a meaningful way; that standard has yet to be really fleshed out. They also need to be able to connect the electronic health record in a manner that provides for the electronic exchange of health information to improve quality of care. That has implications, I think, for systems to look at exchanging health information across care continuums. I think that they also need to be prepared to participate and provide clinical quality reports to the secretary of HHS; that will also be required. They need to be on the lookout for the issuance of initial standards and implementation specifications and certification criteria for electronic health records.
Those, we hope, will be coming out by Dec. 31, 2009. They also need to know that the standards for meaningful use will really evolve. So as they approach their vendor contracts, they need to consult with legal counsel and obtain vendors’ agreement to work with them, so that they continue to meet the standards that are issued, so the hospitals can continue to receive incentive payments.
AG: So you would say that people cannot wait until Dec. 31; they have to get some idea in their head of what meaningful use is and start working towards it?
KH: Yes. I think they need to assess what the current status of their electronic health record capability is, and then they need to get an idea of where they need to go. They need to develop a plan for bringing their systems up to speed, so they need to start making contact with legal counsel now, and their vendors.
They also need to be mindful of the other provisions in the act. They need to be mindful that there will be financial penalties that will begin in 2015 if the standards aren’t met, and I don’t think there has been a lot of discussion about the penalties. There are additional responsibilities.