AMA Adopts New Guidelines on Responding to Breaches of Patient Records

On June 15, 2009, the American Medical Association (AMA) approved new guidelines for physicians on responding to breaches of patients' electronic medical records (EMR).

According to the AMA Council on Ethical and Judicial Affairs (CEJA) in its report, CEJA Report 3-A-09, these guidelines are intended to fill an important gap in the AMA's policy, which, until now, did not "address physicians' ethical responsibilities in the event the security of electronic records is breached and patient data are inappropriately accessed." The CEJA identified the need for the guidelines particularly in light of the newly enacted American Recovery and Reinvestment Act of 2009 (ARRA), which amended the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to mandate that patients be notified in the event of certain breaches of their medical records.

As adopted, the guidelines state:

"When there is reason to believe that patients’ confidentiality has been compromised by a breach of the electronic medical record, physicians should:

  1. Ensure that patients are promptly informed about the breach and potential for harm, either by disclosing directly (when the physician has administrative responsibility for the EMR), participating in efforts by the practice or health care institution to disclose, or ensuring that the practice or institution takes appropriate action to disclose.
  2. Follow ethically appropriate procedures for disclosure, which should at minimum include: 
    1. carrying out the disclosure in a private setting and within a time frame that provides patients ample opportunity to take steps to minimize potential adverse consequences; and
    2. describing what information was breached; how the breach happened; what the consequences may be; what corrective actions have been taken by the physician, practice, or institution; and what steps patients themselves might take to minimize adverse consequences.
  3. Support responses to security breaches that place the interests of patients above those of the physician, medical practice, or institution.
  4. To the extent possible, provide information to patients to enable them to mitigate potential adverse consequences of inappropriate disclosure of their personal health information, such as credit monitoring services or identity theft hotline."

Physicians and other health care providers who intend to establish policies for responding to breaches of their patients' EMR must now take into account not only the above AMA guidelines and the recent amendments to HIPAA, but must also consult the applicable laws of their own state.

CMS Posts Summary of ARRA and Incentive Payments for EHR

On June 16, 2009, the Centers for Medicare & Medicaid Services (CMS) released a fact sheet on the Medicare and Medicaid Health Information Technology: Title IV of the American Recovery and Reinvestment Act (ARRA). The fact sheet details the Medicare and Medicaid incentive payments for meaningful users of electronic health records (EHR). In addition to the summary of ARRA, the fact sheet contains a section on Frequently Asked Questions about the incentive payments.

According to this fact sheet, CMS expects to publish a proposed rule to define "meaningful use" of EHR and to establish the criteria for the incentive payments by late 2009.

First Steps in Defining "Meaningful Use" of Electronic Health Records

On June 16, 2009, the Health Information Technology (HIT) Policy Committee held a meeting to begin defining the "meaningful use" of electronic health records (EHR). Under the American Recovery and Reinvestment Act (ARRA), only "meaningful EHR users" will be eligible to receive Medicare and Medicaid incentive payments for adopting EHRs. The ARRA broadly defines a meaningful EHR user as one who demonstrates (1) the meaningful use of certified EHR; (2) the electronic exchange of health information to improve quality of health care; and (3) the submission of clinical quality and other measures using certified EHR technology.

The HIT Policy Committee developed a "Meaningful Use Matrix" that establishes proposed objectives that hospitals and physicians would have to meet to receive the incentive payments. The committee believes that this matrix "represents a set of objectives and care processes that . . . should inform the ultimate definition of meaningful use."

The Office of the National Coordinator for Health Information Technology (ONC) is now seeking public comments on the HIT Policy Committee's recommendations through Friday, June 26, 2009. The Centers for Medicare & Medicaid Services expects to publish a proposed rule to define "meaningful use" of EHR and to establish the criteria for the incentive payments by late 2009.