Most rehab providers have been comfortably settled in with their privacy and security compliance under the Health Insurance Accountability and Affordability Act (HIPAA) since the rollout of facility privacy policies and procedures as mandated in 2003. For many providers, HIPAA compliance is now status quo, almost a ho-hum as patients waive detailed discussion of their privacy rights and pose few privacy questions to providers. Most security breaches that have been reported in the press surround privacy leaks regarding the medical records of celebrities like Britney Spears and George Clooney, or security breaches of computer systems including “lost” laptops or data files that have been hacked. Things are about to change again, so it’s back to business in understanding what is coming down the road with the electronic medical record (EMR) and the updated HIPAA standards.

From a health care industry perspective, the issue of health care reform under the new administration and a recovering economy looms large. The American Recovery and Reinvestment Act of 2009 aka the Stimulus Package contains Title XIII “the HITECH Act” or the Health Information Technology for Economic and Clinical Health Act. The full text of the bill can be found through a link on, and provides 407 pages of exciting reading. President Barack Obama has worded this change to the EMR as the “move to 21st century health technology.”

As a rehab provider, imagine ridding your office of file cabinets holding patient charts that have been fattened with daily encounter notes, evaluations, progress notes, discharge notes, patient medical histories, copies of insurance cards, and other assorted tidbits of information necessary to support the medical record. Your new system will assist the front office in patient registration, provide expert guidance to the therapist in developing patient treatment plans and documenting evaluation tests and measurements, and offer enhanced billing and collection processes, and coordination with other health professionals. If all goes as planned, the patient will not have to fill out medical history forms at every provider’s office and that information will be contained in the patient electronic health record (EHR).

Key highlights of the new requirements for a nationwide health information technology structure include:

  • Establishes an Office of the National Coordinator for Health Information Technology (ONCHIT) and requires the Department of Health and Human Services to develop the initial HIT standards by next year (2010). The HIT Policy and Standards Committees will include both public and private stakeholders from physician, hospital, and various provider groups.
  • Nineteen billion dollars in stimulus has been allocated for HIT. Two billion dollars is to be used for HIT grants, which therapists will be eligible to apply for. The remaining $17 billion in funds will be allocated toward Medicare and Medicaid bonus payments to assist providers in implementation of HIT. Those providers with early adoption of the EMR stand to receive a larger share of the pie over the 5-year period of enhanced Medicare and Medicaid reimbursements.
  • Improved and expanded federal privacy and security protections for health information that have significant impact on a provider with respect to accounting for disclosures, reporting of accidental exposures and breaches, and the increased level of oversight and fines associated with these incidents.

Let’s take a look at that last provision on privacy and security features. The Office of Civil Rights is the enforcer for HIPAA, and they provided the following notice on their Web site:

“On April 17, 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). This guidance relates to two forthcoming breach notification regulations—one to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Sec 13402 of HITECH) and one to be issued by the Federal Trade Commission (FTC) for vendors of personal health records and other non-HIPAA covered entities (Sec 13407 of HITECH). HITECH requires these regulations to be published within 180 days of enactment. If the entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached.”

If that doesn’t have you confused enough, the HITECH Act specifies the “meaningful use of technology” requirement in the adoption of EMR.

An eligible provider will be treated as a meaningful user of EHR technology if they meet the following three criteria:

  1. The eligible professional demonstrates to the satisfaction of the Secretary that, during the period, the professional is using a certified EHR technology in a meaningful manner, which will include the use of electronic prescribing as determined to be appropriate by the Secretary.
  2. The eligible professional demonstrates to the satisfaction of the Secretary that, during such period, such certified EHR technology is connected in a manner that provides, in accordance with law and standards applicable to the exchange of information, for the electronic exchange of health information to improve the quality of health care such as promoting care coordination.
  3. The eligible professional submits information on clinical quality measures (which shall be selected by the Secretary and who will provide preference to measures that have been endorsed by the consensus-based entity regarding performance measurement with which the Secretary has a contract under Section 1890(a) of the Social Security Act).

Are you confused yet? When the original HIPAA deadline for electronic transactions and codes (October 2003) was looming, CMS provided a checklist of questions to ask vendors, third-party administrators, or clearinghouses to ensure their compliance. There are a lot of questions to ask a potential EMR vendor when selecting your system. The challenge will be to ask the right questions and not succumb to a vendor's pressure to purchase an EMR system sooner rather than later.

While the stakes are incredibly high for the nation’s hospitals as well as physicians, they are also high for all providers. It is wise to keep abreast of the rule-making process and watch the associations that have been vigilant in analysis and interpretation of the standards and have provided appropriate commentary throughout the process. The government’s initiative is aggressive, costly for both providers and taxpayers, and challenges all providers to be diligent in their approach to the adoption of the standards.

As a final note, there are two other health information technology initiatives as noted in the January 16, 2009, CMS publication of two final rules, one of the HIPAA X12 5010/CMS-0009-F transactions standards to be implemented in 2010 as well as the Final Rule for ICD-10/CMS-0013-F to be implemented in 2013.

There is a lot of traffic on the information highway. Stay tuned, and keep your eyes on the road.

Nancy J. Beckley, MS, MBA, CHC, is the president of Bloomingdale Consulting Group and Rehabilitation Seminars (, Tampa, Fla, area. She can be reached at (888) 999-0275, or e-mail .