AG: I wrote a recent edit memo about the idea that with government money comes oversight and having to live up to expectations set by others. My question is, what do you think the government will require in terms of oversight of these programs? Hospitals and physicians will have to prove meaningful use, but will that be a yearly event? Will there be snap inspections like JCAHO does on the pure clinical side? Will the government ever attempt to recover some of its money if an organization falls out of compliance?
ES: The law says that a meaningful user has to be able to document meaningful use. And while I hate to bring it up, if you falsify your documentation to the government, it triggers all of those program-integrity aspects of dealing with government health programs. I don’t think that funds which are offered as incentive payments will be exempt from the False Claims Act, fraud and abuse laws, you name it.
SF: We think the regulations are going to specify whether it’s by an affidavit or what kind of proof there has to be, but I don’t think that’s going to be a big issue.
ES: I can almost assure you that there will be a certification at some level, and a false certification submitted to the government creates big problems.
AG: JCAHO, at this point, comes in and checks that hospitals meet certain standards. I believe there are surprise visits; they come in and make sure everything is clinically proper. Do you picture a program like that, where there would be random inspections?
ES: I do not. I didn’t see anything in the law that suggested the government is going to do site surveys or inspections or anything like that. I mean, they simply don’t have the resources to do it.
AG: Do you think they have resources to run this program, as much as we know of it now?
ES: Yes, I do. In terms of what it is that has to be done. I mean they’ve got to staff up in the Office of the National Coordinator, but they’re going to run it out of that office, and they have appropriated funds for that office in amounts that exceed anything that has been done in the past. And CMS is going to clearly play a big role on the payment side. CMS has – that’s a big bureaucracy there, they’ve got a lot of people. I suspect that they’ll be a part of it.
SF: I think they’re going to be very busy; they’ve got a lot of regulations to write over the next 10 months, so they’re going to be pretty busy during that time.
AG: We’ve seen cases before with the Stark relaxation, where the guidance was not sufficient to get people to move. They were concerned about their nonprofit status, and it was only about six months later that the OIG clarified it to the point that there was some movement. Is it possible that the guidelines which come out will have some holes in them that cause people not to move forward, and we may see some deadline sliding as we’ve seen in other cases?
ES: I think that’s always a risk. I mean the Stark exception, to which you referred, was an unusual set of circumstances because you had exempt organizations who had to account to the Internal Revenue Service, essentially making resources available to physicians who are not exempt, and there’s that whole body of law with that. What you described unquestionably happened, and it took the IRS a while to get caught up with everybody else in that process. I don’t see that happening here because, if you will, the funds flow is much more precise, it’s much more vertical, it’s money to hospitals, it’s money to physicians and those types of pathways for the flow of money have been well established under the Medicare program for many, many years. They do know how to get money to providers.
AG: Is there anything else that I’m missing that you want to touch on?
SF: I would say there are a couple of important issues that hospitals still need to think about that are major changes. One is the breach notification rules, because now, for the first time, there are federal breach notification rules that govern what happens if PHI that’s held in an electronic health record is breached in some way. That’s brand new. Some states have had that, but now there are federal rules that govern that and they talk in very great detail about who has to be notified, what the form of the notification is, what the timing of the notification is. So hospitals are going to need to develop policies and procedures, if they don’t already have them, that govern that whole area of breach.
The other thing that’s going to come out in a much shorter time is that HITECH requires the government to come out, I believe it’s within 60 days, with guidance for what kind of technology would absolve you from performing breach notifications. All of the major issues that have come up in this area, like that Providence case last year, involved people who had laptops stolen from the back of their cars or hard drives that had all kinds of PHI on them from the hospital; they were all hospital employees. And if those laptops were the kind of laptops that we use at our firm, they’re encrypted. And so if you have encrypted technology, you don’t even have to give a notice. If you’ve got a laptop that’s stolen and it’s encrypted, there’s not even a requirement to notify anybody because it’s protected. So this is something that we’ll know about in 60 days; they’re going to describe exactly what kind of encryption technology is required.
But in the meantime, this is something that I’ve been talking about for the last several years to encourage hospitals, because every time I go into a hospital and everybody has these little thumb drives and I say, ‘Is that password protected, is it encrypted?’ In nine out of 10 cases, it’s not. And the same goes for laptops. There are things that hospitals can do right now – I’m not saying to retrofit your entire system, but certainly when you’re buying new equipment, new hard drives, new thumb drives, new laptops, they should have encryption technology that is certainly good enough to keep anybody, except maybe the NSA, from getting at that data. And so there are things that people can do right now and again, we’ll know in 60 to 90 days what the government says is the kind of technology that is considered state of the art. That’s an important area.
The other thing I want to mention quickly is PHR, because they are covered under breach notification rules and, for the first time, they include commercial personal health record vendors. I had thought it was pretty clear, I didn’t think there was any issue about it. But a few weeks ago, Google came out with a statement that said they do not consider themselves governed by the PHR provisions of the Stimulus Bill, which I was just amazed at because the language of it seems to directly cover products like Google Health, Microsoft Vault, anybody, any commercial vendor that sells personal health records. But I think hospitals have to be very careful, because a number of hospitals have entered into agreements with Google Health and Microsoft. Recently I saw an article that said the Mayo Clinic is putting on hold its deal with Microsoft Vault to automatically transfer information, but they have not yet signed the business associate agreement and, until they work that out, they’re not going to do it.
AG: Do you think Google is on solid ground?
SF: For whatever reason, I think they’re posturing, and I don’t believe they’re on solid ground. If I were giving advice to Google, I would say this is what the statute says and you’re covered. I clearly think they do not want to be covered because right now the only thing that protects your information if you use Google Health is a contract, an online contract which can be changed at any time. So I think both consumers and covered entities need to be very careful in their dealings with any commercial personal health record vendor, especially if they’re not willing to sign a business associate agreement (BAA).
Of course, there is one last issue on the BAAs, and that is I don’t think there’s a consensus yet about whether existing business associate agreements need to be modified. Some people are saying that all of your existing BAAs with your existing vendors have to be modified to take into account the new rules, and others are saying, ‘No, we’ll wait and see what the regulations say.’
ES: I don’t have a definitive position on that. A supplemental thought that I would add on to the whole issue of privacy and security is as follows: the penalties under the law have been increased greatly, and enforcement of the law has now been extended beyond just the Office for Civil Rights and CMS, which has been the enforcement experience to date, to state attorneys general. One of the few provisions that took effect on Feb. 17 when the law was signed was the provision that allows state attorneys general to enforce the HIPAA provisions in the statute, and that’s a whole new ballgame. There are some very aggressive state attorneys general out there who will not wait to go after some of these things in a much more aggressive way than the federal government has gone after them in the past. So for CIOs who have not given a priority to enhancing some of their security measures along the lines which Steve just described, that should be a wakeup call.
SF: And related to that, BAAs now, for the first time, are subject directly to some of the privacy and security rules under HIPAA that, in the past, they were only indirectly, contractually subject to. In the business associate agreement, it has said you will comply with the following obligations. But now certain regulations apply directly to them, which is another reason why I think Google Health doesn’t want to sign a BAA because they do not want somebody else looking over their shoulder, or certainly having a state attorney general be able to look at exactly what kind of privacy and security they really provide.