The recent promise of $19 billion in federal aid for the adoption of health information technology such as electronic health records (EHRs) has piqued the interest of many physicians – from early adopters, who are eager to recoup their investments, to EHR skeptics, who are still deciding whether to make the leap. This unprecedented level of funding was established by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was signed into law on Feb. 17 as part of the American Recovery and Reinvestment Act (ARRA), commonly referred to as the economic stimulus package. The legislation relies on a combination of incentives and penalties to encourage providers to adopt health information technology. It also makes some potentially cumbersome changes to the information privacy and security rules established under the Health Insurance Portability and Accountability Act, or HIPAA.
To help physicians make sense of the new regulations, this article offers answers to commonly asked questions.
The "meaningful-use" criteria, which physicians will have to follow in order to qualify for the federal EHR incentives, have been approved. See the update: "A Physician's Guide to the Medicare and Medicaid Incentive Programs: The Basics."
How much money is available to physician practices?
The health IT portion of the stimulus package contains $2 billion for the Office of the National Coordinator for Health Information Technology to use to promote health IT adoption and health information exchange, primarily through grants or loans that will be made available through state governments. Grants or loans may be available to physician practices to help purchase EHRs; however, we will not know for sure until such programs are put in place.
The other $17 billion in the health IT portion of the stimulus package goes to the Centers for Medicare & Medicaid Services (CMS) for incentive payments to physicians.
Any physician who participates in the Medicare Part-B program and “meaningfully” uses a “qualified” EHR system will be eligible to receive the incentive payments. Payments will be sent to the individual physician, not to the practice. To qualify for the Medicaid incentives, a physician's caseload must be made up of at least 30 percent Medicaid patients. Physicians may not receive both Medicaid and Medicare incentives.
Hospital-based physicians are not eligible to participate in either incentive program, although hospitals can. For more information on the amount you could receive, see the table below.
Will physicians get money up front to help purchase EHRs?
In general, there will not be up-front money to help physicians purchase EHRs. As noted above, grants may be distributed to the states to help with EHR adoption and health information exchange. It is likely that rural and underserved areas will be given priority.
When can I receive the incentive payments from CMS?
Medicare incentive payments will be made between 2011 and 2016. Incentive amounts will depend on when during this period you begin meaningfully using a qualified system. (See the table below.) Scheduling of Medicaid incentive programs will be left up to the states, with the stipulation that programs must begin by 2016.
MAXIMUM INCENTIVE PAYMENT AMOUNTS
Physicians who begin using a qualified EHR by 2011 or 2012 could receive up to $44,000 over five years from the Centers for Medicare & Medicaid Services, assuming they have at least $24,000 in Medicare allowed charges per year. Under Medicare, the incentive amount is based on 75 percent of the physician's Medicare allowed charges for the year, up to the year's maximum incentive amount.
Alternatively, a physician may choose the Medicaid incentive, which pays up to $21,250 in year one (85 percent of a $25,000 maximum) for health information technology adoption and implementation and up to $8,500 over the next four years (85 percent of a $10,000 maximum) for operation and maintenance. To qualify for the Medicaid incentives a physician's caseload must include at least 30 percent Medicaid patients.
Physicians may not receive both Medicaid and Medicare incentives.
Note: For providers in federally designated health professional shortage areas, incentive payments will be 10 percent greater.
|Year meaningful use is first demonstrated
|Year 1 (no later than 2016)
If I already have an EHR, can I qualify for the incentives?
As long as your EHR meets the standards that are to be announced by Dec. 31, 2009, you can qualify for the incentives. Although those standards are not currently defined, the legislation does require functionalities such as the following:
Physician order entry,
Health information exchange,
It's possible that some EHR products that are currently certified by the Certification Commission for Healthcare Information Technology (CCHIT) may not qualify for the incentives, as CCHIT criteria do not fully encompass the potential requirements for a “qualified system.” Who will be certifying EHRs for the incentive program is still unknown.
What do I have to do to qualify for the incentives?
You must use a “qualified system” and demonstrate “meaningful use” of that system, according to the legislation. However, these terms still need to be defined by the Secretary of Health and Human Services.
The AAFP and more than 70 other organizations recently signed onto a consensus statement drafted by the Markle Foundation's Connecting for Health collaborative, which proposes the following definition for meaningful use of health IT systems: “Demonstrates that the provider makes use of, and the patient has access to, clinically relevant electronic information about the patient to improve patient outcomes and health status, improve the delivery of care, and control the growth of costs.”
The consensus statement proposes the use of a more lenient definition from 2011 to 2012: “Demonstrates that the provider makes use of, and the patient has access to, clinically relevant electronic information about the patient to improve medication management and coordination of care.”
It's likely that the definition of meaningful use will expand over time to encompass more ambitious health improvement aims.
Will there be any money to help with implementation?
Yes. Part of the $2 billion allocated to the Office of the National Coordinator for Health Information Technology must go toward establishing a health information technology extension program (modeled after the agriculture extension program). Regional extension offices will help physician practices and others to adopt, implement and effectively use health information technology.
Are there any penalties if we don't adopt an EHR?
Yes. In the Medicare program, penalties for not adopting an EHR are scheduled to begin in 2015 with a 1 percent reduction in Medicare payments. Penalties will increase to 2 percent in 2016 and 3 percent in 2017. The Secretary of Health and Human Services has the option of extending these penalties beyond 2017 and increasing the amount to a maximum of 5 percent if fewer than 75 percent of physicians are using EHRs.
Will the government incentives cover the full cost of an EHR?
The government funds are intended to offset the costs of health information technology, not to cover them fully. A recent report from PriceWaterhouseCoopers estimated that a three-physician practice could spend from $173,750 to $296,000 for an EHR package complete with software, implementation, training and software maintenance.1
What should a practice do if it is currently in the process of buying an EHR?
If you're well into the process and have already selected a system, proceed with the purchase but make sure your vendor will support future requirements related to the government incentives. If you're not far along in choosing and buying a system, you may want to wait a few months until the final details of the regulations are released.
Existing users may have to upgrade their systems and buy additional products and services to meet the federal requirements.
How will the HIPAA amendments affect medical practices?
Family physicians who use EHRs will need to consult with their vendors about the security of their patient data and the EHR's ability to produce the disclosure reports that will now be required. Physicians will also need to implement safeguards, such as data encryption and secure passwords, and should make sure that their staff – particularly new staff – are up-to-date on privacy policies and procedures.
Physicians' business associates (clearinghouses, accountants, etc.) will now be required to comply fully with the HIPAA privacy and security rules as well.
Is it true that practices will have to track every time they disclose a patient's medical information even if the disclosure is for payment purposes?
Yes. The HITECH Act requires covered entities with EHRs to produce, upon an individual's request, an accounting of all disclosures of the individual's protected health information (PHI), including disclosures made for treatment, payment and health care operations, over a three-year period. This expands current law, which requires accounting of non-routine disclosures only, such as those for research. Many EHR systems will need to be updated to be able to track all types of disclosures.
The Secretary of Health and Human Services is required to issue regulations that specify what information should be included about each disclosure, taking into consideration patients' interests in learning about how their PHI is disclosed as well as the administrative burden of accounting for disclosures. Once the regulations are final, practices may need to modify their HIPAA forms.
When do the new HIPAA regulations go into effect?
The regulations don't kick in for current EHR users until Jan. 1, 2014; however, at that time, patients are expected to be able to request an accounting of disclosures of their electronic PHI dating back three years.
Do practices have to follow these regulations if they don't use an EHR?
No, the new disclosure provisions apply only to covered entities that have an EHR.
What else do the HIPAA amendments require?
In the event of a breach of patients' privacy (e.g., the theft of a laptop computer containing patient information from your office), the practice must notify the affected individuals in writing by first-class mail or by electronic mail if specified as a preference by the individual. If 10 or more individuals' contact information is out-of-date, a conspicuous posting on the practice's home page or notice in major print or broadcast media may serve as a substitute form of notice. If the breach has affected the unsecured PHI of more than 500 patients, notice must also be provided to prominent media outlets. Further, the practice must notify Health and Human Services of a breach; notice must be immediate if it affects 500 or more individuals. HHS will post these notices on its web site.
Are there fines for breach of patient privacy?
Yes. The HITECH Act expands the penalties for violating HIPAA requirements. In place of the current penalty of $100 per violation, the HITECH Act adds a new tiered-penalty structure based on the practice's level of knowledge of the violation:
In circumstances in which the entity did not know (and would not have known despite reasonable diligence) that it violated these provisions, the entity will be subject to a penalty of at least $100 per violation, not to exceed $25,000 per calendar year for all violations of an identical requirement or prohibition.
If a violation is due to reasonable cause and not to willful neglect, the entity will be subject to a penalty of at least $1,000 per violation, not to exceed $100,000 per calendar year for all violations of an identical requirement or prohibition.
If a violation is due to willful neglect but the failure to comply is corrected within 30 days of when the entity knew or should have known that the failure to comply occurred, the entity is subject to a penalty of $10,000 per violation, not to exceed $250,000 per calendar year for all violations of an identical requirement or prohibition.
If a violation is due to willful neglect and is not corrected within 30 days, the entity is subject to a penalty of at least $50,000 per violation, not to exceed $1.5 million per calendar year for all violations of an identical requirement or prohibition.
The HITECH Act also allows state attorneys general to seek damages on behalf of state residents in an amount equal to $100 per violation (for a maximum of $25,000 per year).
While this unprecedented investment in health information technology is seen as a positive development overall, there are some cautions. First, widespread adoption of EHRs over the next five years could stress physician practices and cause short-term declines in productivity. Second, the emphasis on EHRs could hinder the adoption of equally beneficial health information technologies that have fewer implementation hassles, such as e-prescribing or e-visits. (Read the related opinion piece.) Third, the “free money” for health information technology could essentially reward EHR vendors without the market requiring them to first improve their products. Finally, physicians may be hesitant to participate in yet another government incentive program, given the recent difficulties many of them have faced with the Physician Quality Reporting Initiative.
Despite these serious obstacles, an investment in our nation's health information technology infrastructure is much needed and long overdue. The complexities of modern medical practice will increasingly require the use of electronic records, which will enable physicians to track their patients' health in new and exciting ways.