
Will New Congress Alter HITECH Plans? EHR Incentives Likely Safe, But Privacy Regs Will Be Scrutinized
Republicans have pledged to block the spending of any economic stimulus money not yet spent, but it's unlikely they'll try to pull the plug on the federal HITECH Act incentive payments for use of electronic health records, several observers say.

But they expect the new Congress will keep a very close eye on the pending privacy and security regulations to implement the HITECH Act mandates, perhaps enacting legislation to fix any rules prepared by the Obama Administration that fail to meet expectations.

As a result of Tuesday's election, Republicans gained a majority position in the House and picked up seats in the Senate, where the Democrats still are in the majority. And that could be a recipe for gridlock.

HITECH a Secondary Issue?

Republicans, however, have made it clear that they'll look for any opportunity to repeal some or all of the healthcare reform package. Observers say that means the HITECH Act likely won't get as much attention, even though the EHR incentives are funded by President Obama's economic stimulus package.

"One of the things that the Republican 'pledge to America' includes is a plan to take away any unobligated stimulus money," says Dave Roberts, vice president of government relations at the Healthcare Information and Management Systems Society. "I don't think that's going to apply to the HITECH provisions. Folks on the Hill tell me that health IT is a bipartisan issue. Democrats and Republicans see it as a way to improve healthcare."

Nevertheless, Republicans will closely scrutinize all spending, Roberts acknowledges. "And they're going to take a close look at all the provisions of the HITECH Act to make sure they're being implemented as directed by Congress."

Even if the presumed new speaker of the House, John Boehner, R-Ohio, were to push for spending cuts, such as eliminating the EHR incentives, getting such a proposal approved would prove very difficult, Roberts argues. "With the two chambers of Congress controlled by different parties, getting them to agree on something will be next to impossible," he says.

In addition, President Obama, who is strongly supportive of healthcare IT, likely would veto any cuts in HITECH spending, notes Rob Tennant, senior policy adviser for the Medical Group Management Association. And overriding a veto would prove extremely difficult.

"It's pretty clear that Republicans agree with Democrats that healthcare IT is one lever to improve the nation's healthcare system ... and they don't agree on much when it comes to healthcare," Tennant says.

Defending HITECH Action

Congress could press the secretary of Health and Human Services and its Office of the National Coordinator for Health IT to defend their HITECH game plan, says Dan Rode, vice president for policy and government relations at the American Health Information Management Association. And such a probe has the potential to affect spending in 2012, he says.

Some new Republican members of Congress also might make an effort to expand eligibility for the EHR incentives beyond hospitals and physicians to include, for example, long-term care facilities, Rode says. "If we are going to achieve continuity of care and have a true picture of U.S. health via population health reporting, then we have to get other sectors up to speed," he says.

"Of course, a lot will depend on the makeup of committees in Congress and the overall agenda of Congress when such questions arise."

Hospitals and clinics can begin applying for the HITECH Medicare and Medicaid EHR incentives in January, with payments slated to begin in May. "It is possible that if there are few takers, a Congressional committee might raise the question of whether there should be changes in the program or whether the funding should be diverted or cancelled," Rode says.

Privacy, Security Issues

Federal regulators are continuing to work on a number of rules to carry out provisions of the HITECH Act. These include a final version of the breach notification rule; modifications of the HIPAA privacy, security and enforcement rules; guidelines for protecting personal health records and more.

"The administration is charged with getting these regulations right and meeting Congressional intent," says Roberts of HIMSS. "Privacy and security are key issues that both political parties are interested in." As a result, Congress will scrutinize the emerging HITECH regulations and consider introducing legislation to fix any rules that don't meet their expectations for carrying out the HITECH mandates, he adds.

Rode says that if hospitals or other constituencies are unhappy with any of the regulations, "they may go back to the new Congress for a fix."

Several members of Congress have already expressed their displeasure with the harm standard in the interim final breach notification rule. Regulators recently pulled the proposed final version of the rule for revisions that are still pending. The harm standard enables healthcare organizations to conduct a risk assessment to determine whether a breach poses a great enough risk of harm to merit reporting it to those affected, as well as to federal authorities.

"What might happen is that the administration may feel it necessary to concede to Congress this point in the interest of cooperation and have HHS revise the final rule to remove the offending provision," says security expert Mac McMillan, CEO of Cynergistek.

Breach Notification

But McMillan says a key concern is whether the proposed national breach notification law, known as the Data Security and Breach Notification Act of 2010, will apply to healthcare.

"Healthcare groups have lobbied that because HITECH already provides a breach notification requirement, this new law should not apply to healthcare," he says. "But if Congress feels the harm standard is not consistent with their intent, they might just rethink whether the new law should apply to healthcare. The penalties under that law are more severe than HITECH. So hopefully, due consideration will be given to these decisions."

The HHS Office for Civil Rights has published a list of nearly 190 major health information breaches dating back to September 2009, as required under the HITECH Act. "We all know that those are just the tip of the iceberg," McMillan says. "So relaxing or delaying anything that would serve to address privacy and security would not be favorably viewed."


About the Author

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




