HIT Safe Harbor: What Is Safe, What Is Not
PACS for the Practice: Utah Imaging Associates improves service and generates new business through use of PACS
NCVHS to HHS: New National Health Information Network Calls for HIPAA Overhaul

HIT Safe Harbor: What Is Safe, What Is Not

By Cat Vasko

Health care information technology (HIT) continues to pick up speed as new Health and Human Services (HHS) regulations—and a slew of state and federal bills—have kept the issue in the headlines and in the forefront of legislators’ minds. As cumbersome pen-and-paper records gradually are supplanted by EHRs and film is replaced by digital imaging, power players in the health care industry are scrambling to manage the up-front costs, both financial and intangible, of switching to a computer-based system that the RAND Corp, Santa Monica, Calif, estimates could save $80 billion a year.

On August 1, HHS Secretary Mike Leavitt announced final regulations to support physician adoption of electronic prescribing and EHR technology. “Electronic health records help doctors provide higher-quality patient care and improved efficiency with less hassle,” Leavitt said. “By removing barriers, these regulation changes will help physicians get these systems in place and working for patients faster.” The rules, displayed by the Centers for Medicare and Medicaid Services (CMS) and the Office of Inspector General (OIG), create new exceptions and safe harbors to federal fraud and abuse laws, allowing the donation of some HIT products and services under certain circumstances.

The CMS rule creates two new exceptions to the physician self-referral law; the OIG rule establishes similar safe harbors from the federal anti-kickback statute. These new rules establish the conditions under which entities furnishing designated health services may donate to physicians interoperable EHR software, information technology, and training services, and under which hospitals and certain other entities may provide physicians with hardware, software, or IT and training services necessary and used solely for electronic prescribing.

“What they’ve done now is effectively created some bright lines,” said Ken Davis, a partner at Katten Muchin Rosenman LLP, Chicago, focusing on the health care and e-health sectors. “The classic example is, ‘We’re a radiology practice wanting to give access to our PACS—how far can we go?’ Before this [ruling], it wasn’t clear the extent to which you could support practices by enabling interconnectivity, putting a read screen in the office, putting in a more powerful computer, and so on. What they’ve essentially done is clarified what items can be provided and what items can’t be provided.

“The exception,” Davis continued, “would cover such items as software, upgrades to the software, software support, interconnectivity—these sorts of things. What they’ve said you can’t provide is hardware and hardware-like items. The elements they’ve laid out are pretty straightforward: Software has to be interoperative, the donor cannot take any action to restrict its use, you cannot make donating the item contingent upon ordering services, and the deal has to be set out in writing.”

Cost-Sharing Provision

However, one requirement to the new regulations could prove insurmountable for many: a cost-sharing provision stating that the recipient must pay 15% of the donor’s costs. “Take a half-million dollar PACS solution,” Davis said. “Let’s assume $100,000 of that is for software. The referring physician would then have to pay $15,000. Candidly, I’m not sure they’re going to be willing to pay that.” The 15% cost-sharing was introduced as an alternative to a set cap on the value of what donors can offer recipients.

Davis also stressed that the value of the exception to radiologists might actually be questionable, in practical terms, because so much software is Web-based. “Most of the time when referring physicians are using a PACS, they don’t need the highest quality image they can get,” he said. “So if they can just dial in and access something for a diagnostic tool, I really question whether that would constitute remuneration, for Stark purposes.” He appended a note of caution, as well: “Now that you have set rules, the disadvantage is, there is no longer any ambiguity regarding what constitutes remuneration.”

Corresponding with the President’s goal of nationwide EHR adoption by 2014, the exceptions and safe harbors will sunset on December 31, 2013.

The new HHS regulations came on the heels of a series of state and federal bills designed, in one way or another, to facilitate the adoption of HIT. According to a report1 released by the eHealth Initiative (eHI), Washington, DC, a consortium of players in the health care industry, 38 state legislatures introduced 121 bills promoting HIT in 2005 and 2006; 36 bills in 24 states have been signed into law, including eight bills in seven states that contain provisions for funding IT efforts. Governors in 10 states have signed executive orders to develop IT planning and advisory programs. And last month, a federal bill designed to promote the adoption of EHRs was passed by the House; already approved by the Senate, the bill was scheduled to go to committee in September.

As enthusiasm mounts for the initiatives, however, so does skepticism of the widely touted $80 billion savings estimate. An August 20 article in The New York Times2 notes that unleashing the full power of personalized medicine could actually increase costs, qualifying the notion that the high up-front price of conversion will be offset in the long run. The article also refers to those stakeholders in the health care field with something to lose from the proliferation of information, such as the pharmaceutical industry, and observes that “efficient markets can be ruthless and unpredictable, threatening incumbent powers and producing losers as well as winners.”

A recent study3 by The Insight Research Corp, Boonton, NJ—which noted the potential savings from health IT adoption and projected an $8.1 billion health telecommunications market by 2011—concurred: “The US government tries to influence health care technology, but the private sector will dictate the future of health care technology solutions.”

Cat Vasko is associate editor of  Axis Imaging News.


  1. eHealth Initiative. State policy makers taking action to drive improvements in healthcare quality and safety through information technology. August 16, 2006. Available at: www.ehealthinitiative.org/news/statereport081606.mspx. Accessed August 25, 2006.
  2. Lohr S. Smart care via a mouse, but what will it cost? New York Times. August 20, 2006. Available at: www.nytimes.com/2006/08/20/business/yourmoney/20info.html. Accessed August 25, 2006.
  3. The Insight Research Corp. Telecommunications, IT, and healthcare: wireless networks, digital healthcare, and the transformation of US healthcare, 2006-2011. Available at: www.insight-corp.com/reports/telehealth.asp. Accessed August 25, 2006.

PACS for the Practice: Utah Imaging Associates improves service and generates new business through use of PACS

By Renee Diiulio

“One of the surprising effects of this project is that as a result of the improvement in quality of service provided as a group, we’ve had five outside hospitals contract with us for their nighttime reading. I even received a call from a hospital outside of the state.”
—Greig Huggins
Utah Imaging Associates

When Utah Imaging Associates (UIA), Salt Lake City, first decided it needed a PACS solution, it was to establish an efficient method of moving images around the company’s network of hospitals and imaging centers, particularly at night. Now, 21.5 years later, the installation of the PACS can be credited not only with improving quality of care for patients and quality of life for radiologists but also with improving the quality of the company’s bottom line.

“One of the surprising effects of this project is that as a result of the improvement in quality of service provided as a group, we’ve had five outside hospitals contract with us for their nighttime reading,” says Greig Huggins, vice president of business development for UIA. Calls inquiring about service continue to come in from other hospitals and smaller clinics, particularly those in rural areas of Utah. “I even received a call last week from a hospital outside of the state,” he says. One contract the company signed as a result of PACS will be worth $600,000 annually.

Better Quality

Potential clients are impressed that the group of 27 radiologists serves five hospitals and three imaging centers with a turnaround time of 15 to 20 minutes after a study is received. “We are able to keep the hospital systems read up until 10 o’clock at night, when reading is handed over to [the practice’s in-house] nighthawk service,” Huggins explains. He estimates that UIA handles roughly 400,000 examinations annually, with 50,000 to 75,000 of these done outside of PACS.

During the day, the radiologists can access the system to read from any of the networked facilities, including the eight institutions with which UIA holds exclusive contracts. Radiologists are required to be at these sites during the day, but some do not generate enough examinations to keep a radiologist occupied. Through the PACS, they can use downtime to read examinations from other, busier sites.

Before the PACS was installed, a radiologist also was required to be on call at each of the five hospitals in the network every night from 10 pm to 7:30 am. “It worked out so that the radiologists were on call about every third or fourth night, which—naturally—they didn’t like,” he says.

With the installation of the PACS, a NovaPACS system from NovaRad Corp, American Fork, Utah, one radiologist now reads examinations from all five hospitals at one central location. “That one doctor knows he won’t be getting any sleep, but our radiologists now serve 2 weeks of nighthawk duty a year, and they are done. They love it. Their quality of life improved immediately,” Huggins notes.

And their efficiency, as a whole, also improved. The group saved somewhere between one half and three quarters of the cost of a full-time radiologist, he says. Huggins values this at about $400,000 annually and adds that UIA did not have to recruit this year.

The system also enabled quality improvements by supporting a move to subspecialty reading. “The ability to move our complex, subspecialty exams to where the subspecialist is has been priceless. There has been no way to measure it, but getting the study read by the right person right away has helped the overall perception of our group,” Huggins says. As evidence, he offers the new contracts that have been signed.

Better Economics

The transition has been smooth. The NovaPACS system already was in use at some of the sites before the group deployed it systemwide. So, during working hours, the physicians who knew the program taught it to those who did not. Huggins handled training of nighthawk readers who had not worked with the system previously. “It was a relatively painless process,” he says.

Having NovaPACS at some sites in the system was one of the reasons UIA decided to purchase the NovaPACS for use within all of them. Other criteria included performance and cost. Pricing for NovaPACS is based on a subscription model that takes into account the department’s image load and number of radiology workstations. The cost includes software, hardware, training, integration services, and support. Initial fees range from $20,000 to $60,000, and monthly fees are significantly less than what a facility would typically spend on film, according to NovaRad.

The biggest challenges lay in the political and technical details. “We had to get approval from the two hospital systems involved to shift work, and then we had to establish interfaces with their RIS [programs],” he says. With two hospital networks involved, obtaining approvals was a challenge, but UIA reassured management that the quality of care would improve and remain HIPAA-compliant. Integration was equally challenging; two hospitals have not integrated their RIS solutions with the PACS at all. “But we could replicate and install a system, even bring a new facility online, in 2 or 3 days’ time if we had the equipment. That was the easy part,” says Huggins, who noted that the system installation was completed over 6 months and has been in use for 2 years.

UIA’s next challenge is to improve efficiency even more with the setup of a centralized reading station outside of the hospital environment. “Radiologists get interrupted all day long. We plan to install more PACS reading stations outside of the hospitals at a small clinic we own where we normally would not have a radiologist reading all day. But if we staff the hospital with fewer radiologists by moving them off-site, they will be able to read more,” he notes. Huggins expects the move will enable UIA to realize even greater return on investment per radiologist.

Greater efficiency likely will enable the company to take on more contracts, adding further to the unexpected revenue generation that accompanied the switch to PACS. “The idea was to make the radiology group more efficient,” Huggins says, but he has found the new business opportunities that continue to present themselves “refreshing.”

Renee Diiulio is a contributing writer for Axis Imaging News.

NCVHS to HHS: New National Health Information Network Calls for HIPAA Overhaul

In a letter to Department of Health and Human Services (HHS) Secretary Mark Leavitt, the National Committee on Vital and Health Statistics (NCVHS), led by privacy subcommittee chairman Mark Rothstein, recommends 26 measures to ensure the privacy and confidentiality of medical records under the new National Health Information Network (NHIN). Beyond that, however, Rothstein sees the establishment of NHIN as an opportunity to rethink all aspects of privacy regulation.

The letter—requested by David Brailer, former national health information technology coordinator, and submitted on June 22—notes that HHS’ previously established privacy rule, which is the only national regulation governing strictly medical information, is vastly inadequate to ensure proper confidentiality within the new NHIN framework.

“In an age in which electronic transactions are increasingly common and security lapses are widely reported, public support for the NHIN depends on public confidence and trust that personal health information is protected,” the letter reads. “Throughout our hearings and in drafting this report and recommendations, it became clear to the members of the NCVHS that devising and establishing an NHIN involves difficult trade-offs.”

Such issues as marketing, optional patient participation, patient-controlled access, enforcement, and penalties are all touched upon in the 26 recommendations. The NCVHS had difficulty agreeing on the recommendations as a future framework; however, Simon Cohen, NCVHS chairman and executive director for health information policy at Kaiser Permanente, Oakland, Calif, urged fellow committee members to set aside personal positions on the issues. “The value of this letter is that it does a tremendous job of taking us a big step forward in framing the issues,” he said at a recent 2-day NCVHS meeting in Washington, DC. “I feel like the framing of the issues is so well done in this, the value is so high, that I just want to make sure the letter gets passed.”

HHS has yet to respond to the letter, but Rothstein told Report on Patient Privacy1 that HHS had ignored NCVHS’ recommendations on the issue in the past. “I think it would be a mistake to try to shoehorn the NHIN into the privacy rule framework,” he said. “I think [this] is a chance to rethink everything.”

To view the letter in its entirety, visit www.ncvhs.hhs.gov/060622lt.htm.

—C. Vasko


  1. AISHealth.com’s Business News of the Week. NCVHS privacy chair sees NHIN as ‘a chance to rethink everything’ in privacy regulation. July 12, 2006. Available at: www.aishealth.com/Bnow/071206b.html. Accessed August 24, 2006.

NCVHS’ 26 Recommendations for NHIN Privacy

  1. The method by which personal health information is stored by health care providers should be left to the health care providers.
  2. Individuals should have the right to decide whether they want to have their personally identifiable electronic health records accessible via the NHIN. This recommendation is not intended to disturb traditional principles of public health reporting or other established legal requirements that might or might not be achieved via NHIN.
  3. Providers should not be able to condition treatment on an individual’s agreement to have his or her health records accessible via the NHIN.
  4. HHS should monitor the development of opt-in/opt-out approaches; consider local, regional, and provider variations; collect evidence on the health, economic, social, and other implications; and continue to evaluate in an open, transparent, and public process, whether a national policy on opt-in or opt-out is appropriate.
  5. HHS should require that individuals be provided with understandable and culturally sensitive information and education to ensure that they realize the implications of their decisions as to whether to participate in the NHIN.
  6. HHS should assess the desirability and feasibility of allowing individuals to control access to the specific content of their health records via the NHIN and, if so, by what appropriate means. Decisions about whether individuals should have this right should be based on an open, transparent, and public process.
  7. If individuals are given the right to control access to the specific content of their health records via the NHIN, the right should be limited, such as by being based on the age of the information, the nature of the condition or treatment, or the type of provider.
  8. Role-based access should be employed as a means to limit the personal health information accessible via the NHIN and its components.
  9. HHS should investigate the feasibility of applying contextual access criteria to EHRs and the NHIN, enabling personal information disclosed beyond the health care setting on the basis of an authorization to be limited to the information reasonably necessary to achieve the purpose of the disclosure.
  10. HHS should support research and technology to develop contextual access criteria appropriate for application to EHRs and inclusion in the architecture of the NHIN.
  11. HHS should convene or support efforts to convene a diversity of interested parties to design, define, and develop role-based access criteria and contextual access criteria appropriate for application to EHRs and the NHIN.
  12. HHS should work with other federal agencies and Congress to ensure that privacy and confidentiality rules apply to all individuals and entities that create, compile, store, transmit, or use personal health information in any form and in any setting, including employers, insurers, financial institutions, commercial data providers, application service providers, and schools.
  13. HHS should explore ways to preserve some degree of state variation in health privacy law without losing systemic interoperability and essential protections for privacy and confidentiality.
  14. HHS should harmonize the rules governing the NHIN with the HIPAA Privacy Rule as well as other relevant federal regulations, including those regulating substance abuse treatment records.
  15. HHS should incorporate fair information practices into the architecture of the NHIN.
  16. HHS should use an open, transparent, and public process for developing the rules applicable to the NHIN, and it should solicit the active participation of affected individuals, groups, and organizations, including medically vulnerable and minority populations.
  17. HHS should develop a set of strong enforcement measures that produces high levels of compliance with the rules applicable to the NHIN on the part of custodians of personal health information, but does not impose an excessive level of complexity or cost.
  18. HHS should ensure that policies requiring a high level of compliance are built into the architecture of the NHIN.
  19. HHS should adopt a rule providing that continued participation in the NHIN by an organization is contingent on compliance with the NHIN’s privacy, confidentiality, and security rules.
  20. HHS should ensure that appropriate penalties be imposed for egregious privacy, confidentiality, or security violations committed by any individual or entity.
  21. HHS should seek to ensure through legislative, regulatory, or other means that individuals whose privacy, confidentiality, or security is breached are entitled to reasonable compensation.
  22. HHS should support legislative or regulatory measures to eliminate or reduce as much as possible the potential harmful discriminatory effects of personal health information disclosure.
  23. NCVHS endorses strong enforcement of the HIPAA Privacy Rule with regard to business associates, and, if necessary, HHS should amend the Rule to increase the responsibility of covered entities to control the privacy, confidentiality, and security practices of business associates.
  24. Public and professional education should be a top priority for HHS and all other entities of the NHIN.
  25. Meaningful numbers of consumers should be appointed to serve on all national, regional, and local boards governing the NHIN.
  26. HHS should establish and support ongoing research to assess the effectiveness and public confidence in the privacy, confidentiality, and security of the NHIN and its components.