Perhaps one of the biggest changes in health information technology policy this year has been the growing number of agencies sharing the oversight of the industry. Providers and stakeholders are contending with a larger regulatory landscape as they implement health information technology and adopt electronic health record (EHR) systems.
The stimulus law of 2009 included the Health Information Technology for Economic and Clinical Health (HITECH) Act, a $20 billion program designed to bolster jobs in the health care IT segment and provide financial incentives to hospitals and doctors who integrate the use of EHR systems into their clinical practice. To support these EHR Incentive Programs, the act established the groundwork for numerous new regulations in privacy, security, IT standards and quality reporting and, above all, the meaningful use blueprint for exactly how providers are supposed to use their EHR systems.
The Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) share the bulk of regulating all those programs. Several federal agencies -- and some organizations at the state level -- that previously had no role in health care oversight are now finding themselves in the spotlight, however. Here's a look at the new health IT policy players that have emerged in 2010.
National Institute of Standards and Technology (NIST): Vendors didn't escape the regulatory overhaul. EHR products used by doctors to meet meaningful use criteria under the EHR Incentive Programs must undergo the EHR software certification process established by the ONC. To that end, the NIST was charged with overseeing part of the EHR standards development process. Vendors must follow the institute's test procedures to ensure their products are certified.
Office for Civil Rights (OCR): Along with regulating the use of EHR systems, the HITECH Act carried with it more stringent privacy and security compliance rules. Fortifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act mandated that the OCR maintain an account of security lapses. Data breach notifications are assigned to one of four tiers according to the severity of the breach, with the most severe being posted on the OCR's website and reported publicly. Organizations involved can be fined, with maximum fines reaching $1.5 million per year.
The OCR also gained additional regulatory power to ensure that health care providers' business associates are considered covered entities and therefore are required to comply with all HIPAA privacy and security rules. Finally, state attorneys general (in addition to the OCR) have been given more authority to sue health care organizations involved in data breaches.
Federal Trade Commission (FTC): The agency usually charged with protecting consumers from a variety of antitrade practices also gets into the privacy and security arena through the HITECH Act. The FTC issued a rule that's a companion to OCR's regulations but has its own requirements for breach notifications involving covered entities and business associates.
Drug Enforcement Agency (DEA): Electronic prescribing of medications is a large component of the meaningful use program. The DEA, which already regulates certain drugs, has created health IT policy rules that organizations must follow if they want to begin e-prescribing controlled substances. The purpose of these rules is to save health care staff time and reduce errors by making it unnecessary for them to fill out paper prescriptions, but they also require that prescribers meet the DEA's rigorous regulations for controlled medications.
Food and Drug Administration (FDA): Many IT advocates say EHR systems can improve patient care by reducing errors and helping doctors to make better clinical decisions. Others, however, are concerned about EHR safety, suggesting that the software itself might lead to more errors if it is not incorporated into physicians' workflow properly.
The FDA, which already regulates medical device safety, is weighing options for including EHR systems in that process. The agency also maintains a reporting system that can be used by anyone from doctors to patients to report safety issues related to malfunctioning or misused technology.
Looking ahead: As additional HIPAA provisions are brought online in 2011, providers can expect more health IT policy activity from the FTC and the OCR. The latter agency expects to issue clarifications next year about data breaches' harm threshold. Moreover, even as providers are struggling with implementing Stage 1 meaningful use criteria, policymakers with ONC hope to have the first drafts of Stage 2 criteria ready for circulation by mid-2011.
Let us know what you think about the story; email Jean DerGurahian, News Writer.