MaSSSoftech

Over the past decade, electronic transactions have slowly supplanted paper-based systems in many industries. For example, individuals and Wall Street brokerage firms employ electronic trading; federal and state taxpayers increasingly e-file their returns; and attorneys e-file pleadings and federal court documents. However, a physician jotting notes on a paper chart, which will then be stored in a large filing cabinet, remains the norm.

In February, President Barack Obama signed a $787 billion economic stimulus bill, the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-005, 123 Stat. 115 (2009), which contains the Health Information Technology for Economic and Clinical Health Act encouraging health care providers to adopt electronic medical records. With billions of dollars allocated toward the digitalization of health care, the era of electronic medical records has begun in earnest.

FEDERAL HITECH ACT

The stimulus package contains several legislative and administrative initiatives to promote the use of health information technology and electronic health records in Medicare and Medicaid. The statute is designed to "assist health care providers to adopt, implement, and effectively use certified EHR technology that allows for the electronic exchange and use of health information." The law allocates more than $19 billion for health care technology implementation, including $17 billion in incentives for health care IT adoption, in the form of increases in Medicare fees. In essence, it gives certain eligible providers incentive payments, beginning in fiscal year 2011, for the adoption and "meaningful use" of a certified health care IT system.

When the incentive period expires, the statute will induce continued digitalization through deterrence. For example, those physicians and hospitals that have not adopted EHR technology by 2015 will be assessed financial penalties in the form of lower Medicare fee reimbursement.

Under the plan, eligible physicians could receive up to $44,000 over five years and hospitals up to $15.9 million if they institute and make "meaningful" use of electronic health records.[FOOTNOTE 1] Currently, "meaningful use" is a vague standard that will be developed by the Department of Health and Human Services by the end of 2009 and closely watched by software makers that need to market their EHR software packages to physicians as making "meaningful use" of EHR and therefore qualifying physicians for stimulus money reimbursement.

Accordingly, this past spring, the Health IT Policy Committee of HHS released an initial outline of what would constitute meaningful use, including a list of benchmarks to be met over the course of the next six years, with the early goals achievable through today's technology and the later goals achievable with technology that has not yet come to market.

Initially, meaningful use would achieve data capture and sharing, then involve advanced clinical processes, and finally effect improved outcomes. For example, by 2011, systems should permit the capture of coded health data and lab results and electronic prescribing; by 2013, systems should provide care coordination and clinical decision support at the point of care; and by 2015, the capabilities should include data sharing and outcome management that achieves the desired outcomes, efficiencies and cost savings for the health system, such as reducing preventable hospitalizations and redundant lab tests.[FOOTNOTE 2]

STATE INITIATIVES

State governments are also encouraging, and in some cases, mandating the adoption of interoperable electronic health records. In recent years, at least 132 HIT-related bills were enacted in 44 states and the District of Columbia.[FOOTNOTE 3]

The new initiatives involve such issues as data privacy, e-prescription programs, health care data exchange, and incentives and mandates for electronic health record adoption. For example, Massachusetts (M.G.L. Chapter 305 in the Acts of 2008) requires an interoperable Certification Commission for Healthcare Information Technology-certified electronic health record system on or before Oct. 1, 2015, as a condition of hospital licensure and Minnesota [Minn. Stat. §62J.495 (2007)] requires all providers to employ interoperable health records by 2015 within their hospital system or clinical practice setting.

In addition, recent Minnesota regulations took effect in July requiring providers to use e-billing to submit claims to institutional payers and Wisconsin previously established tax credits to physicians who install electronic medical record software or hardware [Wis. Stat. Ch. 71.07(5i)].

The switch from paper-based record keeping to electronic medical records is designed to, among other things, decrease the number of adverse events resulting from medical and prescription errors, as well as drive down health care costs resulting from inefficiency and duplicative care and administrative overhead.[FOOTNOTE 4]

It will also purportedly improve public health reporting and the coordination of care and information among hospitals, laboratories and physician offices via a nationwide infrastructure for the secure exchange of patient information using certified, national interoperability standards.

Without the HITECH Act, the Congressional Budget Office estimated that approximately 45 percent of hospitals and 65 percent of physicians would have adopted qualifying health care IT by 2019, but that the act's incentives would boost those adoption rates to about 70 percent for hospitals and about 90 percent for physicians.[FOOTNOTE 5]

BARRIERS ABOUND

However, there are numerous barriers to expanding the use of electronic medical records. First, providers are typically reluctant to implement health care IT systems because upfront costs can run between $25,000 to $45,000 per physician, with cost savings often inuring to health insurers or other entities.[FOOTNOTE 6]

The new federal law and other state initiatives have attempted to spur development of health care IT systems with financial incentives; though, the long-standing culture of paper-based charts and records will not go away overnight.[FOOTNOTE 7]

On top of hardware and software costs, medical personnel will also require training on new systems to prevent delays and errors and to overcome their initial reticence toward a new method of recordkeeping.

Second, HIT systems must be interoperable nationwide to facilitate the seamless sharing of medical records and lab results within a framework that adequately protects patient privacy.[FOOTNOTE 8]

Since 2004, the Office of the National Coordinator for Health Information Technology has sought to harmonize health care data standards, and with the passage of the HITECH Act, the ONC has been allotted $2 billion to achieve its goals. In addition, advisory committees have been formed on health care IT that are charged with working with the private sector to design an interoperable health care IT network.

Consistent with this mission, the HITECH Act established the HIT Standards Committee, which is responsible for recommending to the ONC interoperability standards and specifications, and certification criteria for the electronic exchange and use of health information.

In coordination with the HIT Standards Committee, the director of the National Institute for Standards and Technology is responsible for testing such standards and implementation specifications. This will likely be done by certifying certain organizations to perform such tasks, such as the Certification Commission for Healthcare Information Technology, a private nonprofit organization whose mission is to accelerate the adoption of interoperable health information technology by creating a credible, efficient certification process.

In addition, the Healthcare Information Technology Standards Panel, a strategic partnership established through a contract with the HHS, announced several new interoperability standards for electronic health records to conform to requirements in the Recovery Act.[FOOTNOTE 9]

Moreover, one Senate bill, the Health Information Technology Public Utility Act of 2009 (S.890), would seek to facilitate nationwide health care IT adoption, particularly among rural providers, and establish a grant program to build upon the VistA open source electronic medical records software model that is currently being used by the U.S. Department of Veteran Affairs.

Lastly, there are outstanding privacy issues concerning electronic medical records, including data security, breach notification standards and patients' general rights to privacy. Accordingly, the Recovery Act, among other things, extends the Health Insurance Portability and Accountability Act Privacy Rule and Security Rule to the business associates that process health records on behalf of medical providers. See HITECH Act, §13404.

The law also requires covered entities and business associates to comply with nationwide breach notification procedures in the event of the disclosure of unsecured protected health information. See HITECH Act, §13402, 13407.

The act also prohibits the sharing of health care data, but outlines multiple exceptions, including data sharing for certain research or public health purposes or treatment of an individual, or data sharing authorized by the HSS secretary. See HITECH Act, §13405(d).

Such sharing of data has prompted one individual to file a putative class action lawsuit that claims the HITECH Act's requirements of electronic health record adoption and information exchange violate patients' privacy rights under HIPAA and the common law. See Heghmann v. Sebelius, No. 09-05880 (S.D.N.Y. Complaint filed June 25, 2009).

CLOUD COMPUTING

With the mandate that hospitals and physicians begin adopting electronic medical records, what might such a system look like in the medical office setting? Typically, a company might buy software or contract with a software vendor to install custom software designed for its particular business needs. However, with the continued growth of the Internet and high-speed broadband access, the cloud computing model is one option with physicians adopting health care IT with the aid of the federal stimulus bill incentives.

While cloud computing has many definitions, the National Institute of Standards defines it as "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

According to the Open Cloud Manifesto, whose members include tech companies like IBM, Sun, Red Hat, cloud computing has several important characteristics, including scalability on demand, data center streamlining and minimized startup costs. Ultimately, cloud computing is about furnishing computing resources on a subscription basis from a provider that handles infrastructure and system management such that customers can access their applications and data freely.

One cloud computing model is software as a service, which involves the delivery of software services remotely on a subscription basis. Under the SaaS model, the software and the data storage are hosted and delivered by the software vendor to the customer over the Internet, allowing the licensed customer to use the program without the capital expense of purchasing business hardware and licensed copies of software.

Instead, the customer pays a monthly subscription fee for a Web-based service. This arrangement eliminates the burden of a complex installation or development effort as well as the challenges of maintaining and supporting a proprietary system on internally-owned hardware. However, health care providers would necessarily have diminished control of the application, the timing of system updates and possibly limited opportunity for customization beyond add-on modules and other options.

Since the passage of the stimulus package, at least one technology company announced plans to provide bridge loans to physicians to implement its health care IT systems, with interest beginning after the physicians receive federal stimulus reimbursements.[FOOTNOTE 10]

VENDOR AGREEMENTS

As a practical matter, the SaaS model presents certain concerns that should be considered before a health care provider enters into an agreement with a health care IT software vendor. System downtime is unwanted for all businesses, but for health care providers, an inability to access patient records could have drastic effects.

In negotiating service level agreements with the SaaS provider, health care providers should discuss system outages, disaster recovery options and backup plans with the SaaS provider and determine what alternative client applications would be available should the system go down and whether such electronic information would then be integrated into the existing database when normal service is restored.

Customers might also inquire about where the data will reside. The location of the SaaS provider's servers could implicate certain state or foreign laws regarding data transfer, data breach notification, personal jurisdiction or the exposure of data to foreign governmental subpoenas.

Privacy and data security issues are also a concern in the cloud computing model and much of the customer-vendor relationship is predicated on trusting the Saas provider's security model. Given the heightened confidentiality surrounding medical records, customers must determine what, if any, access the SaaS provider has to the patient data and whether the data stored at the SaaS provider will be encrypted.

Similarly, customers should ensure that the provider has instituted tight security controls to prevent data breaches and examine whether the SaaS provider performs regular security audits of its system.

Lastly, a customer may wish to negotiate certain data security compliance provisions into the license agreement so as to fulfill contractual or regulatory requirements. For instance, beyond the HITECH Act's data security breach notification mandates, recent Massachusetts data security regulations require that covered businesses take all reasonable steps to verify that any third-party service provider with access to personal consumer information has the capacity to protect such personal information.

Richard Raysman is a partner at Holland & Knight and Peter Brown is a partner at Baker & Hostetler. They are co-authors of "Computer Law: Drafting and Negotiating Forms and Agreements" (Law Journal Press). Edward A. Pisacreta, a partner at Holland & Knight, contributed to the preparation of this article.