March 2011: Volume 37, Number 3
Privacy in the Era of EHRs
What’s the Lab’s Responsibility?
By Bill Malone
The federal government, as well as many in healthcare, has touted the move to electronic health records (EHR) as key to boosting more coordinated and efficient care. Starting this year, physicians and hospitals can begin cashing in on government incentives for deploying EHRs, and regulators have made it clear that lab data is a critical component. But while both consumer advocates and regulators have ramped up pressure on providers to maintain the privacy and security of patient health information, at the same time EHRs will ostensibly allow more sharing of information, potentially pulling labs and other providers in two directions.
According to legal and regulatory experts, lab data need not be immobilized between these apparently competing agendas. However, laboratorians will have to be aware of exactly how their data are used to avoid pitfalls as physicians and hospitals rush to take advantage of incentive payments (See Box, below). As early adopters of information technology (IT) in healthcare, labs are generally well-equipped to plug into emerging electronic systems, such as EHRs and electronic health information exchanges (HIE). However, the current patchwork of state and federal laws that apply to privacy, which is in flux, will require laboratorians to take an active role in how test results are used and by whom.
Recent changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), along with rules governing what providers must accomplish in order to receive EHR incentive payments, have added to this tension, according to Jane Pine Wood, Esq., an attorney with McDonald Hopkins LLC in Dennis, Mass. “While the government to date has taken the approach that HIPAA should not be used to restrict healthcare professionals’ sharing information, labs still need to be very careful when they’re putting together electronic interfaces,” she said. “Among other concerns, they need to consider the true scope of access, something I don’t always see people thinking about.” Wood represents labs and other healthcare providers.
Providers Line Up for EHR Incentives
Hospitals Lead the Way in Adoption
Four-fifths of the nation’s hospitals, and 41% of office-based physicians, currently intend to take advantage of federal incentive payments in exchange for adopting electronic health record (EHR) technology, according to a survey released by the Office of the National Coordinator for Health Information Technology (ONC). The registration period opened for the Medicare and Medicaid EHR Incentive Programs in January 2011.
The survey numbers represent a reversal of the low interest in EHR adoption in previous years, according to David Blumenthal, MD, the National Coordinator for Health Information Technology. “For years we have known that electronic health records would improve care for patients and bring about greater cost-effectiveness in our health sector, yet adoption rates by healthcare providers remained low,” Blumenthal said in a statement. “In 2009, Congress and the President authorized major new federal support for EHR adoption and use, and in combination with medical professional and hospital leadership, I believe we are seeing the tide turn toward widespread and accelerating adoption and use of health IT.”
The survey found that 81% of hospitals plan to achieve meaningful use of EHRs and take advantage of incentive payments. About two-thirds responded that they will enroll during the first stage of the incentive program, 2011–2012.
Office-based physicians have not been as eager. Only 41% said they were planning to achieve meaningful use of certified EHR technology and take advantage of the incentive payments. Four-fifths of these, or about one-third of all office-based physicians (32.4%), responded that they will enroll during the first stage of the programs. Only 14% indicated that they were not yet planning to apply for meaningful use incentives at all.
The data also showed that increasing numbers of primary care physicians have already adopted a basic EHR system, rising by 50%—from 19.8% of primary care physicians in 2008 to 29.6% in 2010. Basic EHRs provide a beginning point for use of EHRs in physician offices, but most physicians would need to further upgrade their EHR or their use of the system in order to qualify for meaningful use incentive payments, according to ONC.
Incentive payments for the adoption and meaningful use of certified EHR technology were authorized in the Health Information Technology Economic and Clinical Health Act (HITECH) in 2009. Non-hospital-based physicians and other eligible professionals can obtain incentive payments of as much as $44,000 under Medicare or $63,750 under Medicaid. Under both Medicare and Medicaid, eligible hospitals may receive millions of dollars for implementing and meaningfully using certified EHR technology.
To qualify for incentive payments under the Medicare EHR Incentive Program, providers must achieve meaningful use of certified EHR technology, under regulations issued by CMS and ONC. Medicaid providers can receive their first year’s incentive payment for adopting, implementing, and upgrading certified EHR technology, but must demonstrate meaningful use in subsequent years in order to qualify for additional payments.
Who’s Afraid of Health IT?
Although labs have not usually been at the forefront of privacy breaches, widely publicized scandals have put privacy in the media spotlight, with cases including both electronic and paper records. Most recently, hospital officials at Tucson’s University Medical Center fired three employees after they accessed confidential medical records about victims of the January 8 shooting rampage that critically injured Representative Gabrielle Giffords (D-Utah).
Hitting closer to home for labs, a Boston Globe reporter discovered tens of thousands of paper pathology reports dumped at a recycling center in August 2010. An investigation uncovered that the former owner of a billing company which served four community hospitals in Massachusetts abandoned the pathology reports without shredding them after selling the company.
The breach notification rule under HIPAA—revised in July 2010 with new updates expected this year—requires providers to go public with any breach that affects 500 or more individuals’ records. The provider must notify the news media, the individuals affected, and the secretary of Health and Human Services (HHS). According to information available on HHS’s HIPAA website, breaches have hit providers from many angles: emails with patient information going to wrong accounts, thefts or loss of both paper and electronic records, hacking incidents involving IT systems, and unauthorized access by providers themselves.
Despite the constant privacy threats and embarrassing public notifications, Wood emphasized that so far regulators have reserved harsh punishments—including jail time—only for those who have breached private records with malicious intent. “Looking at the penalties that have been assessed to date, most people would say they were deserved. The book has been thrown at people who have actually stolen data to misuse it. But there seems to be a real recognition that no provider is perfect and accidents are going to happen,” she said. “I’ve seen cases where penalties and sanctions were imposed, but I don’t see any that really give me heartburn from an enforcement standpoint. On the whole, the government has been fairly reasonable.”
Providers have responded to the breach notification regulations by making sure they have good policies and procedures in place that deal with each kind of possible breach, according to Greg Root, Esq., CEO and general counsel of lab consulting firm CodeMap. “The breach notification requirements are on everyone’s list to have policies to protect yourself, including both large scale and smaller breaches,” he said. “One thing is that if a provider does inadvertently disclose protected health information, you must go back to the recipient and ask that they destroy and disregard that information. I’ve also drafted many policies that heavily control laptops and other portable electronic devices and cover who can have them and when they can move around. My view is that laptops, for instance, should never have protected health information on them, because they get stolen all the time. It should all be on the server.”
The focus on privacy that has generated both public anxiety and regulatory scrutiny will probably always run parallel to advances in health IT, observed Rodney Forsman, emeritus assistant professor of Laboratory Medicine and Pathology at Mayo College of Medicine and president-elect of the Clinical Laboratory Management Association. “At Mayo, we went from paper systems to a laboratory information system in 1978, and at that time IT itself raised the issue of patient confidentiality and the ability to lock down data with user access codes,” he said. “I remember thinking it was a little peculiar, because at the time we had filing cabinets sitting around and anyone could pull a drawer open and see a carbon copy of someone’s results, so suddenly things changed—not our sensitivity about privacy—but the need to decide who would be authorized to see certain information.” Meanwhile, the ability to track and enforce privacy policies has also advanced along with electronic records systems themselves, Forsman noted, including programs that monitor who accesses patient records.
Some in healthcare worry that the debate about privacy will push lawmakers and regulators too far, undermining the benefits of EHRs. Stephan O’Neill, vice president of information services at Hartford Hospital in Hartford, Conn., has first-hand experience navigating the legal and regulatory snares that await hospitals that try to connect electronically with other providers and exchange data. O’Neill helped launch a plan to develop an HIE among 20 hospitals, private group practices, and other organizations across Connecticut called Transforming Healthcare in Connecticut Communities (THICC). Progress has been slow so far, in part due to complexities involved in establishing a data use and reciprocal support agreement (DURSA), a legal contract among providers participating in the HIE that lays the ground rules for privacy and security of patient records.
“In some ways, I think regulators are leaning too far on the side of privacy, because many of the restrictions can prevent the effective use of the HIE, and I don’t think there is a better tool out there right now to improve patient care than having the ability to exchange this information,” O’Neill said. “The fear, of course, is that someone is in there browsing around and trying to steal data for some reason, but the instances of this are so rare, and when they do occur, those responsible end up serving jail time. So I think the preventive measures we’ve had in place are working. But as we keep layering on additional requirements to check this or check that, it lessens the value of the health information exchange and increases the difficulty for providers using it—and sometimes that just means that they will not use it.”
Questions of Access and Exchange
The pendulum between EHR access and privacy has swung back and forth, as technological innovations over time lead to push-back from privacy advocates. Now the clock is moving in fast-forward, with deadlines for receiving government EHR incentives quickly approaching. In the midst of this frantic era of change, laboratorians will do well to think through each new connection they make to another party’s electronic systems, advised Wood.
“IT is now becoming trickier. For example, many physicians are asking for a bi-directional interface—they want not only to send requisitions, but also to access any other results that may be housed in the lab system about their patients,” she said. “Some labs will say, ‘okay, here’s the password’—but that password may give access to all the patient information in the lab, not just that doctor’s patients. Most people can do some software fix and take care of these issues, but they’re not always thinking about it upfront.” A hospital setting is different, due to the fact that the physician on call who needs to access a patient’s records might not be the ordering provider or even the primary provider for that patient, she added.
HHS has built several lab components into the meaningful use provisions required for providers to be eligible for EHR incentive payments. One is exchanging clinical information, including lab results. To pass muster, the information must be able to move between different legal entities with distinct government-certified EHR technology—not only between organizations that share the same technology.
In general, exchanging lab information via EHRs should not be a problem, according to Root. “Usually it’s not a problem to share, because there is nothing that restricts the ordering provider from sharing with other providers who might be involved in the patient’s treatment,” he said. “Often I see labs receiving requests from other physicians who are also treating the same patient, but the lab then has to direct that physician back to the original ordering physician to get the information from him, or get some sort of authorization form from the ordering physician. Once it gets back to the ordering physician, then lab information should be able to be shared, but in most circumstances, the lab is restricted from the get-go to reporting only to the ordering physician.”
On the technical side, O’Neill indicated that labs in Connecticut have not had too many problems. “One interesting requirement to qualify for government EHR incentives is that we send lab results back and forth as discrete data. But I would say almost every hospital in the U.S., and most physician practices, should be able to do that if they have a decent EHR product that uses HL7,” he said. HL7 stands for Health Level Seven, an international healthcare informatics interoperability standard.
Eventually, HIEs could become clearinghouses for lab data, but so far providers have balked at tackling that step. “We can provide access to lab results through an HIE, but the ordering provider still owns it. At this point, we cannot just send all the results to the HIE directly,” O’Neill said. “However, it would increase the value of HIEs substantially if they in fact became the clearinghouses for key clinical data like lab results. The providers would get used to going there to get the information they need, but until then we’ll keep running up against both state and federal regulatory issues.”
CLIA and State Laws
Although ordering providers themselves are usually free to share data with colleagues via EHRs, labs must also comply with both the Clinical Laboratory Improvement Amendments (CLIA) and restrictions in most states on how results may be delivered and to whom. CLIA will not be a barrier to implementation of EHRs due to the flexibility built into recently updated guidance, according to Judith Yost, MA, MT(ASCP), director of the Division of Laboratory Services for the Centers for Medicare and Medicaid Services (CMS), the agency that oversees CLIA and clinical laboratory operations. No changes to the regulations were necessary to accomplish this.
CMS sent out a memorandum to state survey agency directors in March 2010, revising the CLIA lab survey procedures and interpretive guidelines to accommodate electronic exchange of lab data and combat misinformation on the subject, Yost said. “This document provides labs with clarification on policy to assure labs, vendors, and other stakeholders that CLIA does not pose barriers to using EHRs.”
According to Yost, the most important concept outlined in the memorandum is that of an agent, defined as an individual or entity legally acting on behalf of the authorized person to receive test results. A lab’s responsibilities for delivering results end once the lab has transmitted results to the authorized person or agent. In order to smooth the process of sharing and exchanging information, ordering providers can designate the EHR or HIE as their agent. “There does have to be some sort of documented pre-arrangement with the lab to allow that to happen. The lab can set up a standardized process using the concept of agent so that the lab automatically knows that results can go to the EHR or health exchange. This way the physician doesn’t have to specify the agent on each order.”
However, CMS is not the only regulatory body that labs need to deal with, so each connection a lab makes with a provider has to square with a matrix of HIPAA, CLIA, and state boundaries and obligations. In general, stricter state laws trump HIPAA and CLIA requirements. Laws in 26 states and territories do not define who is authorized to receive lab results, while 29 others have varying interpretations, eight of which limit reporting of results only to the ordering provider (See Map). As labs ensure that they follow the rules that apply to their location, they should also keep in mind that many states are revising their laws as EHRs become widespread.
Due to the patchwork of state laws, as well as the fact that the vast majority of a patient’s care takes place within their state, the National Health Information Network (NHIN) sponsored by HHS has not taken off, noted O’Neill. HHS intended NHIN to be a network of networks, linking HIEs, integrated delivery networks, pharmacies, government, labs, providers, payers, and other stakeholders. “There has not been that much demand for the NHIN, and it has not had that much use outside of federal agencies themselves,” he said. “A lot of interest has fallen by the wayside, and more people are now pushing the idea of the NHIN direct, which is really nothing more than a secure e-mail messaging process that’s point-to-point between providers.”
Other EHR Concerns
The push for EHRs has the potential to cause other headaches for labs as well. One issue that remains controversial is the safe harbor provisions that allow labs to pay up to 85% of the cost of EHRs to physicians without violating federal fraud and abuse laws. The Office of Inspector General (OIG) and CMS both published exceptions to the Anti-kickback Statute and the Stark law for health IT. Wood has observed what she calls extortion, where referring physicians solicit this money from labs in exchange for their business—a move that is not legal. “It’s difficult because to fall within the safe harbor for these donations they cannot be conditioned upon referrals. Having said that, as a practical matter, no one will make a donation unless there is at least an implicit understanding that there will be referrals as a result,” she said. “Clients have told me that physicians have said upfront, ‘you can only get our business if you help us with an EHR.’ If they suggest it, especially in writing, that’s not a good situation. Many labs have to cough up the money as much as it kills them. We’re just not in an environment of any real threat of enforcement on this particular issue.”
On the other hand, because of the high cost of an EHR, such extortion has so far been fairly limited, countered Root. “Even though many labs and other providers have considered providing those types of services, the cost is so high that most labs can’t afford to go out and aggressively do this. We’re talking hundreds of thousands of dollars, even with medium-sized practices,” he said. “I’ve seen some labs doing it, and they’re pretty good about following the rules and making sure that the recipients that get these services do pay their 15 percent, but for most it’s just too expensive to be a viable business practice.”
Wood also warned labs about other situations where they’re asked to share records, especially during a time with increasing numbers of electronic audits by third parties serving regulators or other entities. One of Wood’s clients received a letter from a private contracting company performing audits on behalf of a Medicare Advantage plan. The company requested 250 patient records from the lab. “In this kind of situation, the lab needs to ask, ‘where is the authorization?’” she said. “If it’s a Medicare Advantage plan, they can get access, but I need to establish that I’m dealing with someone who really is who they say they are. This will become more acute as labs cope with more and more audits. Labs must make sure that access to their data, even via auditing functions, is being given to the appropriate people.”
As labs connect to EHRs within hospitals or with physician practices, they will need to lean heavily on their chief compliance officers, IT support, and other colleagues to make wise decisions about where and how lab results are delivered. Although adoption of EHRs may not advance quickly in all areas, both physicians and the public overwhelmingly agree that health IT is a key solution to healthcare quality and costs, a trend highlighted in a survey conducted by the Markle Foundation that was released in January. In the survey, approximately 80% of the public and 85% of physicians said that the government should require physicians and hospitals to share information to reduce medical errors and cut costs. Three-quarters of physicians said they would prefer computer-based means of sharing patient information with each other, although only 17% indicated they currently use such methods as their predominant means of sharing patient information.
AACC Members Respond to Healthcare Reform
Survey Finds Mixed Bag of Angst, Approval, and Uncertainty
A survey of AACC members conducted in January found that a slight majority believe the healthcare reform law will benefit the country. However, many are dubious that the law will bode well specifically for labs.
Do you believe the passage of the recent health care reform law is a positive development for the United States?
On balance, do you believe that HCR is a positive development for clinical laboratories?
Do you believe HCR will improve the quality of patient care?
Do you believe your amount of testing will increase or decrease?
Do you expect HCR to help or hurt the financial viability of your institution?