Friday, March 12, 2010

Proposed Rule on Electronic Health Records (EHRs) Threatens Privacy:

Health Freedom Watch
March 2010

Contents:

Proposed Rule on Electronic Health Records (EHRs) Threatens Privacy: SUBMIT COMMENTS BY MARCH 15, 2010
What Data Would Be Tracked Electronically in EHRs?
IHF's Public Comments on Proposed "Electronic Health Record Incentive Program"


--------------------------------------------------------------------------------

Proposed Rule on Electronic Health Records (EHRs) Threatens Privacy

Submit Comments by Monday, March 15, 2010

The Centers for Medicare and Medicaid Services (CMS) has proposed a rule that would lead to the creation and sharing of electronic health records (EHRs) for a majority of Americans without their consent. The rule would accomplish this initially through incentive payments for physicians and other providers who create “certified” EHRs and submit electronic data to CMS.1 To be considered “meaningful users” of EHRs, the rule would require doctors and hospitals to submit data for a majority of all their patients—not just those on Medicare and Medicaid.

Who Will Be Affected?

CMS estimates that some 624,000 physicians, hospitals, and other providers (chiropractors, dentists, optometrists, and podiatrists) would be affected by the EHR incentive program.2 Physicians who want to qualify as “meaningful users” would be required to purchase “certified” EHRs,3 and they would have to collect and submit demographic and medical data, in addition to “quality measures,” the number of which would be increased in later years.4 (See summary in table below.)

Mandatory or Voluntary?

While the rule would take effect in October 2010 as an incentive program, Medicare physicians who don’t create and share EHR data after 2015 would face financial penalties. CMS notes that under the rule, “The investments needed to meet the meaningful use standards and obtain incentive funding are voluntary, and hence not ‘mandates’ within the meaning of the statute. However, the potential reductions in Medicare reimbursement after FY 2015 are effectively mandates.”5 (Emphasis added.)

How Much Will Physicians and Hospitals Have to Pay for EHRs and Maintenance?

CMS estimates that each physician and provider would spend about $54,000 to purchase certified EHR technology and approximately $10,000 a year for maintenance. Hospitals are projected to spend about $5 million each to establish certified EHRs and approximately $1 million a year for maintenance.6

How Much Will Doctors Get Paid?

Medicare physicians (and other qualifying providers) could receive up to a total of $41,000 over five years for complying with the rule. The payments would be as follows (beginning October 1, 2010):

Year 1 - $15,000 ($18,000 if the first payment is in first or second year of program)
Year 2 - $12,000
Year 3 - $8,000
Year 4 - $4,000
Year 5 - $2,000 [7]

Incentive payments would end in 2014. Then penalties or reductions in Medicare payments would be imposed beginning in 2015 for those who do not comply.8

(Note: The method for determining hospital incentive payments is complicated; it can be found on page 1997 of the proposed rule.)

How Will the EHR Program Affect National Health Spending?

The incentive program was created by the Health Information Technology for Economic and Clinical Health (HITECH) Act, a section of law included in the American Recovery and Reinvestment Act (ARRA).9 The ARRA requires several federal rules to facilitate the adoption and utilization of EHRs. The purported goal is to reduce costs and increase quality of care. However, the Congressional Budget Office (CBO) estimates that “On net...accelerated adoption of health IT that would result from implementing the HITECH Act would reduce costs in the health care system by about 0.3 percent during the 2011-2019 period.”10 Moreover, the CBO “anticipates near-universal adoption of health IT over the next quarter century even without legislative action. As a result, the 0.3 percent reduction in health care costs...would diminish in later years, when the use of health IT will be more pervasive in any event” (emphasis added).11

Additionally, in its proposal CMS notes that “the ultimate impact of certified EHR technology on expenditures for medical treatments (for example, reducing errors, expedited treatment) cannot be known with certainty at this time.”12

How Will Privacy Be Affected?

As noted, patient consent would not be required before personal health information is shared for many purposes. That is because EHRs will be governed by the HIPAA privacy rule, which permits such information to be shared, without consent, for purposes related to, among other things, treatment, payment, and health-care operations. [See 45 CFR Subtitle A, Subpart E—Privacy of Individually Identifiable Health Information; section 164.502(a)(1)(ii) “Permitted uses and disclosures.”]

Thus, under the HIPAA privacy rule, individuals do not have the final say over whether their personally identifiable health information—including genetic information—is shared with more than 600,000 health-related organizations.

Importantly, another federal rule establishing standards for certifying EHRs does not provide strong enough security protections, according to John Moehrke, a principal engineer specializing in standards architecture in interoperability, security, and privacy for GE Healthcare, who wrote in a blog post titled “Meaningful Use Clearly Does Not Mean Secure Use”:

“We have waited long and hard for the definition of Meaningful Use. We now have the ‘Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology’ Interim Final Rule (IFR), and it is very disappointing….The requirements for security in the IFR are useless and dangerous.”13

Where Does One Submit Public Comments about the Proposed Rule?

Individuals/organizations should submit their comments electronically online here: http://www.regulations.gov/search/Regs/home.html#submitComment?R=0900006480a7c4a8


The rule was proposed January 13, and public comments are due by March 15 at 5 p.m. ET:


For information on submitting comments via courier, see instructions on page 1844 of the proposed rule.


For further information, contact Elizabeth Holland at (410) 786-1309 regarding EHR incentive program issues. (Note: CMS is not accepting fax submissions.)

What Issues Should Be Considered in Submitting Public Comments?

There are significant freedom and privacy implications with this proposed rule, for both physicians and patients. See the Institute for Health Freedom’s comment below, and feel free to excerpt from it.



--------------------------------------------------------------------------------

What Data Would Be Tracked Electronically in EHRs?

Under the proposed federal rule cited above, Medicare and Medicaid physicians (and other providers) must comply with data collection and reporting elements required by CMS to receive the incentive payments. Following are excerpts of data elements that Medicare physicians/providers would be required to track electronically in EHRs (see pages 1993-1994 of the rule):

Physician/Provider Must:
As Measured By:

Record the following demographics:
(A) Preferred language.
(B) Insurance type.
(C) Gender.
(D) Race.
(E) Ethnicity.
(F) Date of birth.
(G) For eligible hospitals, the date and cause of death in the event of mortality.
At least 80 percent of all unique patients seen or admitted have the demographics specified in (A) through (G) of this section.

Note: A related federal interim rule that establishes standards for “certified” EHRs states that the date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, deleted, or printed.14 However, it is not clear what type of patient identifier the federal government is going to require be used.

(A) Record and chart changes in:
(1) Height.
(2) Weight.
(3) Blood pressure.

(B) Calculate and display the body mass index (BMI) for patients 2 years and older.

(C) Plot and display growth charts for children 2 to 20 years including body mass index.
For at least 80 percent of all unique patients age 2 years or older seen or admitted; record blood pressure and BMI; and plot the growth chart for children age 2 to 20 years old.



Capability to submit electronic data to immunization registries and actual submission where required and accepted.
Performed at least one test of certified EHR technology's capability to submit electronic data to immunization registries.

Capability to provide electronic syndromic surveillance data to public health agencies and actual transmission according to applicable law and practice.
Performed at least one test of certified EHR technology's capacity to provide electronic syndromic surveillance data to public health agencies (unless none of the public health agencies to which provider submits such information has the capacity to receive the information electronically).

Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research and outreach.
Generate at least one report listing patients of the doctor or hospital with a specific condition.

Report clinical quality measures to CMS (in the case of Medicaid providers, the States).
Successfully report to CMS (or, in the case of Medicaid EPs, the States) clinical quality measures in the form and manner specified by CMS.

Submit claims electronically to public and private payers.
At least 80 percent of all claims filed electronically by the physician/provider or hospital.

Incorporate clinical lab-test results into EHR as structured data.
At least 50 percent of all clinical lab tests results ordered or authorized during the EHR reporting period whose results are either in a positive/negative or numerical format are incorporated in certified EHR technology as structured data.

Check insurance eligibility electronically from public and private payers.
Insurance eligibility is checked electronically for at least 80 percent of all unique patients seen or admitted.

Record smoking status for patients 13 years old or older.
At least 80 percent of all unique patients 13 years old or older seen or admitted have “smoking status” recorded.

Implement five clinical decision support rules relevant to specialty or high clinical priority, including for diagnostic test ordering, along with the ability to track compliance with those rules.
Implement five clinical decision support rules relevant to the clinical quality metrics reported under this subpart.

Send reminders to patients per patient preference for preventive/follow-up care.
Reminder sent to at least 50 percent of all unique patients seen by physicians/providers that are 50 years of age and over.

Provide patients with timely electronic access to their health information (including diagnostic test results, problem list, medication lists, and allergies) within 96 hours of the information being available to the physician/provider.
At least 10 percent of all unique patients seen by the physician/provider are provided timely electronic access to their health information.

Provide patients with an electronic copy of their health information (including diagnostic test results, problem list, medication lists, and allergies) upon request.
At least 80 percent of all patient requests for an electronic copy of their health information are provided it within 48 hours.

Provide clinical summaries to patients for each office visit.
Clinical summaries provided to patients for at least 80 percent of all office visits.

Provide summary care record for each transition of care and referral.
Provide summary of care record for at least 80 percent of transitions of care and referrals.

Generate and transmit permissible prescriptions electronically (eRx).
At least 75 percent of all permissible prescriptions written by physician are transmitted electronically using certified EHR technology.

Use computerized provider order entry (CPOE).
CPOE is used for at least 80 percent of all orders.

Implement drug-drug, drug-allergy, drug-formulary checks.
This functionality has been enabled.

Maintain active medication list.
At least 80 percent of all unique patients seen or admitted have at least one entry (or an indication of “none” if the patient is not currently prescribed any medication) recorded.

Maintain active medication allergy list.
At least 80 percent of all unique patients seen or admitted have at least one entry (or an indication of “none” if the patient has no medication allergies) recorded.

Perform medication reconciliation at relevant encounters and each transition of care.
Perform medication reconciliation for at least 80 percent of relevant encounters and transitions of care.

Capability to exchange key clinical information among providers of care and patient authorized entities electronically.
Perform at least one test of certified EHR technology's capacity to electronically exchange key clinical information.

Protect electronic health information created or maintained by certified EHR technology through the implementation of appropriate technical capabilities. [Note: The rule does not provide for patient opt-in or opt-out.]
Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary.

Maintain an up-to-date problem list of current and active diagnoses based on ICD-9-CM or SNOMED CT®.
At least 80 percent of all unique patients seen or admitted have at least one entry or an indication of none recorded.


Source: Electronic Health Record Incentive Program (Proposed Rule), Federal Register, Vol. 75, No. 8, January 13, 2010, pages 1993-1994.




--------------------------------------------------------------------------------

IHF's Public Comments on Proposed "Electronic Health Record Incentive Program"

To: HHS Secretary Kathleen Sebelius
From: Institute for Health Freedom
Date: March 8, 2010

Re: Public Comments on Proposed Rule “Medicare and Medicaid Programs: Electronic Health Record Incentive Program” (File Code CMS-0033-P).

Dear Secretary Sebelius:

Thank you for the opportunity to submit public comments on the proposed rule to pay physicians, hospitals and other providers to create and share patients’ electronic health records (EHRs) with CMS. I am submitting the following comments on behalf of the Institute for Health Freedom, a Washington-based patients’ rights group that focuses on patients’ freedom to choose their health care and maintain their health privacy.

EHRs Raise Serious Privacy Concerns

The proposed rule raises serious privacy concerns because patient consent is not required before patients’ personal health information is shared for many purposes. Under the proposed rule, electronic health records (EHRs) will be governed by the HIPAA privacy rule which permits such information to be shared—without patients’ consent—for purposes related to, among other things, treatment, payment, and health-care operations.

[See 45 CFR Subtitle A, Subpart E—Privacy of Individually Identifiable Health Information; section 164.502(a)(1)(ii) “Permitted uses and disclosures.”]

All told, under the HIPAA privacy rule, individuals do not have the final say over whether their personally identifiable health information—including genetic information—is shared with more than 600,000 health-related organizations. Thus, facilitating the creation and sharing of EHRs (governed by the HIPAA privacy rule) is a recipe for invading Americans’ health privacy. Until patient consent is restored, there are no meaningful health-privacy protections for Americans’ EHRs.

Security Concerns

Also, the companion rule15 establishing standards for certifying EHRs does not provide strong enough security protections, according to John Moehrke, a principal engineer specializing in standards architecture in interoperability, security, and privacy for GE Healthcare, who wrote in a blog post titled “Meaningful Use Clearly Does Not Mean Secure Use”:

“We have waited long and hard for the definition of Meaningful Use. We now have the ‘Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology’ Interim Final Rule (IFR), and it is very disappointing….The requirements for security in the IFR are useless and dangerous.”16 (Emphasis added)

Without Patient-Consent Rights, EHRs Could Decrease Quality of Care

Moreover, without providing for opt-out and consent provisions, EHRs could lead to reduced quality and increase the costs of health care. This is because studies show that without true privacy rights, patients won’t be forthcoming about personal details and, therefore, incur further expenses in getting, or avoiding, care. Richard Sobel, former senior Research Associate in the Program in Psychiatry and the Law at Harvard Medical School, examined this issue in a 2007 Hastings Center Report article “The HIPAA Paradox: The Privacy Rule That’s Not” (the following are excerpts):

“HIPAA is often described as a privacy rule. It is not. In fact, HIPAA is a disclosure regulation, and it has effectively dismantled the longstanding moral and legal tradition of patient confidentiality.”
“A 1999 California HealthCare Foundation (CHCF) study found that one in seven patients (15 percent nationally) was taking at least one of six possible measures to hide information from their providers, including going to different doctors or paying out of pocket.”
“A 2005 follow-up that asked only four of those six questions found one in eight patients (13 percent on average) were practicing ‘privacy-protective behaviors.’ If all six questions [asked in the 1999 survey cited above] had been repeated, about 20 percent to 22 percent would have indicated that they pursued privacy protective behaviors.”
“As more people become aware that they do not control their medical information under HIPAA, the number avoiding treatment is likely to grow.”
“Congress should incorporate a patient consent provision into any legislation on electronic health information.”17

While CMS will be hearing about potential cost-savings from EHRs, it should seriously consider the lack of patient consent and costs of not allowing Americans to opt out of a national EHR system: more patients will withhold private information as they lose trust in the confidential doctor-patient relationship and lose control over the widespread disclosure of their most personal information. The additional expenses could exceed by multiples the comparatively small estimated cost of incorporating consent into the HIPAA regulations. So, for both ethical and financial reasons, confidentiality and consent are both cost-effective and essential for improving the quality of health care.

Cost-Savings Not Assured with EHRs

As you know, the EHR incentive program was created by the Health Information Technology for Economic and Clinical Health (HITECH) Act, a section of law included in the American Recovery and Reinvestment Act (ARRA).18 The ARRA requires several federal rules to facilitate the adoption and utilization of EHRs. The purported goal is to reduce costs and increase quality of care.

However, the Congressional Budget Office (CBO) estimates that “On net ... accelerated adoption of health IT that would result from implementing the HITECH Act would reduce costs in the health care system by about 0.3 percent during the 2011-2019 period.”19 Moreover, CBO “anticipates near-universal adoption of health IT over the next quarter century even without legislative action. As a result, the 0.3 percent reduction in health care costs…would diminish in later years, when the use of health IT will be more pervasive in any event” (emphasis added).20

Additionally, in its proposal CMS notes that “the ultimate impact of certified EHR technology on expenditures for medical treatments (for example, reducing errors, expedited treatment) cannot be known with certainty at this time.”21

Recommendation: No Federal Funding to Invade Americans’ Health Privacy

The Institute for Health Freedom strongly recommends that no federal funds be spent on collecting and sharing patients’ personal health information electronically without first obtaining patients’ consent. In a country that advocates democracy and freedom, U.S. tax dollars should not be used to invade Americans’ health privacy. Our federal policies should not encourage physicians to breach their Hippocratic Oath with threats of financial penalties for keeping patients’ health information private. Instead, we can promote technology without sacrificing privacy by ensuring strong patient-consent rights.

Upholding patient-consent rights is the only way to ensure meaningful health-privacy rights and the ethical uses of EHRs.

Thank you in advance for addressing the privacy concerns of many Americans.

Sincerely,
Sue A. Blevins, President
Institute for Health Freedom




--------------------------------------------------------------------------------

References

1. Electronic Health Record Incentive Program (Proposed Rule), Federal Register, Vol. 75, No. 8, January 13, 2010, p. 1993.

2. Electronic Health Record Incentive Program (Proposed Rule), Federal Register, Vol. 75, No. 8, January 13, 2010, pp. 1974 and 1996.

3. Electronic Health Record Incentive Program (Proposed Rule), Federal Register, Vol. 75, No. 8, January 13, 2010, p. 1976.

4. Electronic Health Record Incentive Program (Proposed Rule), Federal Register, Vol. 75, No. 8, January 13, 2010, p. 1974.

5. Electronic Health Record Incentive Program (Proposed Rule), Federal Register, Vol. 75, No. 8, January 13, 2010, p. 1975.

6. Electronic Health Record Incentive Program (Proposed Rule), Federal Register, Vol. 75, No. 8, January 13, 2010, p. 1974.

7. Electronic Health Record Incentive Program (Proposed Rule), Federal Register, Vol. 75, No. 8, January 13, 2010, p. 1996.

8. Electronic Health Record Incentive Program (Proposed Rule), Federal Register, Vol. 75, No. 8, January 13, 2010, p. 1996.

9. Electronic Health Record Incentive Program (Proposed Rule), Federal Register, Vol. 75, No. 8, January 13, 2010, p. 1846.

10. Congressional Budget Office, Letter to Congressman Rangel Regarding Effect of Health Information Technology for Economic and Clinical Health (HITECH) on Federal Direct Spending, January 21, 2009.

11. Congressional Budget Office, Letter to Congressman Rangel Regarding Effect of Health Information Technology for Economic and Clinical Health (HITECH) on Federal Direct Spending, January 21, 2009.

12. Electronic Health Record Incentive Program (Proposed Rule), Federal Register, Vol. 75, No. 8, January 13, 2010, p. 1975.

13. Blog entry titled “Meaningful Use Clearly Does Not Mean Secure Use,” by John Moehrke, January 5, 2010: http://healthcaresecprivacy.blogspot.com/2010/01/meaningful-use-clearly-does-not-mean.html (link active on March 8, 2010).

14. “Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology,” Federal Register, Vol. 75, No. 8, January 13, 2010, p. 2035.

15. “Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology,” Federal Register, Vol. 75, No. 8, January 13, 2010, p. 2035.

16. Blog entry titled “Meaningful Use Clearly Does Not Mean Secure Use,” by John Moehrke, January 5, 2010: http://healthcaresecprivacy.blogspot.com/2010/01/meaningful-use-clearly-does-not-mean.html (link active on March 8, 2010).

17. “The HIPAA Paradox: The Privacy Rule That’s Not,” by Richard Sobel, Hastings Center Report, July-August 2007: http://www.pipatl.org/people/sobel/theprivacyrule.pdf

18. Electronic Health Record Incentive Program (Proposed Rule), Federal Register, Vol. 75, No. 8, January 13, 2010, p. 1846.

19. Congressional Budget Office, Letter to Congressman Rangel Regarding Effect of Health Information Technology for Economic and Clinical Health (HITECH) on Federal Direct Spending, January 21, 2009.

20. Congressional Budget Office, Letter to Congressman Rangel Regarding Effect of Health Information Technology for Economic and Clinical Health (HITECH) on Federal Direct Spending, January 21, 2009.

21. Electronic Health Record Incentive Program (Proposed Rule), Federal Register, Vol. 75, No. 8, January 13, 2010, p. 1975.


--------------------------------------------------------------------------------

Health Freedom Watch is published by the Institute for Health Freedom. Editor: Sue Blevins; Assistant Editor: Deborah Grady. Copyright 2009 Institute for Health Freedom.





1 comment:

ford said...

Its purpose can be understood as a complete record of patient encounters that allows the automation and streamlining of the workflow in health care settings and increases safety through evidence-based decision support, quality management, and outcomes reporting. Anyway, thank you so much for the wealth of information.

ehr software