Acronyms such as ARRA and HITECH are colliding with terms like “meaningful use” and “breach notification” to influence radiology and patient privacy issues

Deep within the $728 billion Stimulus Package lies a relatively modest $19 billion dedicated to electronic health records (EHRs) and other health information technology projects. Weighing in at more than 300 pages, the governing package is technically known as the American Recovery and Reinvestment Act (ARRA), HR 1, and “the Act.”

Signed by President Barack Obama on February 17, 2009, the Act aims to boost health IT infrastructures toward the goal of creating a nationwide health information network. For radiologists and other clinicians, most of the relevant details can be found within the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which is part and parcel of the ARRA.

EHRs and EMRs have been on the radar for a long time, with the first significant mention coming in 2004 when President George W. Bush set a 10-year goal to get most Americans a personal EHR. The idea is similar to EMR, but the differences can be vast depending on the level of complexity that practitioners choose.

The HITECH Act hints at these levels by dangling the carrot of incentive money for clinicians who can demonstrate “meaningful use” of a certified EHR system. Heidi Echols, JD, says that while the definition of meaningful use is still evolving, there are some concrete guidelines that radiologists should know about. “Right now, the government has defined meaningful for non-hospital-based physicians and for hospitals,” said Echols, a partner at Chicago-based McDermott Will & Emery LLP. “For non-hospital-based physicians, meaningful use includes the use of e-prescribing. It also includes using the technology in a way so that it is connected to provide for electronic exchange of information to improve quality—and it includes the ability to submit information to the Department of Health and Human Services (HHS) on clinical quality measures.”

Echols says radiologists who provide most of their services within a hospital are probably not going to be eligible for proposed physician incentives because they are hospital-based. For radiologists who operate outside a hospital, merely scanning a health record and filing it away will not count as “meaningful use.”

While the exact financial nature of the incentives has yet to be outlined, it is likely those enticements will gradually taper off in the coming years, eventually morphing to penalties. “They don’t use the term ‘penalty’; they use the term ‘adjustment,’” said Echols. “But they do have adjustments in the reimbursement rates. For physicians, those adjustments start in 2015 with Medicare reimbursement rate reductions of 1% to 3% depending on the year. For hospitals, beginning in 2015, their market basket adjustment will be reduced by a certain amount if they are not a ‘meaningful’ EHR user.”

Security Concerns

With incentives for adoption and possible “adjustments” for those who don’t comply, the potential is there for massive EHR expansion. With the expansion, the government will seek through the HITECH Act to protect that information.

According to a white paper put out by Echols’ firm, HITECH specifically codifies the Office of the National Coordinator for Health Information Technology under HHS, and provides an administrative process to coordinate health IT policy and standards. “The HITECH Act also expands the reach of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), extending it to business associates,” write attorneys for McDermott Will & Emery LLP. “It imposes a nationwide security breach notification law for entities that possess electronic protected health information, and it makes other significant modifications to HIPAA.”

Lisa A. Gallagher, BSEE, CISM, CPHIMS, senior director, Privacy and Security, for the Healthcare Information and Management Systems Society (HIMSS), says the new breach notification provision means all covered entities must notify affected individuals within 60 days of a breach. If 500 or more people are affected, organizations will need to notify the HHS Secretary and provide notification via media outlets. “When you go over that 500 threshold, they are assuming there will be a certain percentage that will be hard to contact due to address changes and changes in phone number,” said Gallagher. “The exact content of the breach notification is going to be determined via future rule making.”

With breach notification laws already in many states, Gallagher stresses that covered entities must pay attention and understand the differences between state law and federal law. “If you are not already doing it, it is a pretty significant change,” emphasized Gallagher. “It’s going to require you to understand the capability of your processes to provide this kind of notification in the 60-day window. And organizations must now look at how they discover breaches, and what happens when they do.”

HHS recently issued guidance on how health care organizations can avoid the need to provide data breach notifications by making their data unusable, unreadable, or indecipherable. Anna Slomovic, PhD, chief privacy officer at Anakam Inc, notes that HHS has taken a comprehensive approach in its guidance. Specifically, the guidance includes encryption processes tested by the National Institute of Standards and Technology for the protection of data while it is in storage, in transit, and when it needs to be destroyed.

While health care organizations are not required to follow the guidance, if they do, they will have “safe harbor” under the HITECH Act. “Many organizations already encrypt data in motion,” said Slomovic. “However, in spite of highly publicized breaches, far fewer encrypt data in their databases, laptops, and other storage devices. When radiologists consider the financial and reputational costs of providing data breach notification, encryption will become much more attractive.”

Gallagher points out that if data is encrypted and gets breached, HHS officials assume the chances of it being readable are low, and therefore the notification is not necessary. Slomovic adds that HHS has provided specific encryption standards because there are inferior products out there that are easily broken and not worth the money. Like everything else, encryption works well only if it is done properly.

Marian Reed, director of security and technology at McKesson Provider Technologies, Alpharetta, Ga, emphasizes that there will likely be a significant “performance cost” associated with any encryption system. For radiologists used to quickly accessing on-screen images, that cost could take the form of additional waiting time. “It is going to take a much longer time to unencrypt that image and display it,” said Reed. “It remains to be seen as to what exactly that performance hit will be. A lot depends on how the data is stored in the database and the supporting encryption technology that is used. You can’t just say encryption will cost you five times the current performance rate. It is really an unknown, because we have not undertaken this level of encryption within health care.”

Impact on Teleradiology

For radiology practices that rely on teleradiology, there have long been concerns about the “reading” physician not being licensed in the state where the patient is located. HITECH, and the enhanced HIPAA enforcement it brings, means that teleradiology will again be scrutinized. Business associates performing services for radiologists will be covered under the Obama administration’s revisions. “The security breach law applies to the covered entities, it applies to business associates, and it also applies to vendors of personal health records,” said Echols. “The extension of HIPAA security to business associates is essentially going to require most business associates to be much more robust in their privacy and security policies, and I think we are going to see covered entities asking to see policies and procedures more than they have in the past.”

With teleradiology expanding to far-flung destinations such as Australia, where bright-eyed doctors do readings during the American night, the definition of business associates will likely extend farther than ever. “Business associates such as these are now likely covered by the US statutes, and by HIPAA,” said Gallagher. “I’m not sure about enforcement of overseas entities, but I think they are obligated to follow the security procedures. This has got to become the standard way of doing business. There is a risk, not only to the patient, but also to the organization if they send data to someone who does not have adequate security practices. That risk is going to outweigh the benefits of the outsourced labor.”

With billions up for grabs, Echols believes that most providers anticipate there will be some government help to fund the move to EHRs. However, even with the hefty sums allocated, will it be enough? “There is a little bit of frustration because people are uncertain as to exactly what they have to do to be eligible for the funding,” said Echols. “I have heard, particularly from the physician side, that the likely amounts of incentives are not going to be enough to really promote the use of EHR systems. Physicians feel that their costs will far exceed the incentive payments.”

Follow the Money*

  • Tax Relief: $288 Billion
  • State and Local Fiscal Relief: $144 Billion
  • Infrastructure and Science: $111 Billion
  • Protecting the Vulnerable: $81 Billion
  • Education and Training: $53 Billion
  • Energy: $43 Billion
  • Other: $8 Billion
  • Total = $728 Billion

*Courtesy of

Physicians aren’t the only ones who are covered by the HITECH tentacles. Business associates, such as billing companies, are certainly covered by HIPAA, as designated by the new legislation. In the past, business associates have been indirectly covered by HIPAA only through contract with covered entities. Echols says that covered entities such as radiology groups will continue to be required to have a contract with the billing company, or anybody else that is performing a service that requires access to protected health information—even though the business associate is now directly covered by HIPAA. Slomovic adds that now these business associates will have a direct obligation to follow HIPAA, and will be subject to enforcement by HHS.

While a solid figure is hard to pin down, some estimates show that roughly 7% of health care practices/facilities are participating with EHRs to varying degrees, and the majority of those are medical networks and organizations. Patient safety and practice efficiency are often cited by government officials as reasons for the push, but the ability to track reimbursement and reduce fraud is an additional benefit. After all, paper records can be difficult to audit, but electronic data is much more manageable.

As a society, Gallagher believes the path toward EHRs is inevitable in an environment where patients/customers are increasingly seeking to have their rights recognized with regard to health information. “It is a trend that is becoming more and more accepted,” said Gallagher. “It will only continue, and it is something that radiologists are going to have to deal with.”

Greg Thompson is a contributing writer for Axis Imaging News.