E-Health

Electronic health information systems not only strategically support our health care delivery system, but also raise attendant compliance issues and concerns.

Electronic information systems are increasingly becoming a crucial aspect of health care in the United States. The HITECH Act commits substantial federal resources to the development and implementation of a national electronic health system infrastructure. Electronic medical records (“EMR”) are no longer the far-off dream of providers. They are rapidly becoming standard industry practice. But as with any quickly changing aspect of the health care landscape, compliance and regulatory risks arise. Aegis Compliance & Ethics Center, LLP consultants assist clients with a host of E-Health issues, including:

  • Assessing applicable State E-Health Regulations: States are increasingly injecting themselves into the landscape of electronic exchange and transmission of health care information. The states vary in their requirements and legislation.
  • HIPAA Security/HITECH/Breach Notification: These amended and new regulations require a host of security measures for all electronic health information. Providers are not always cognizant of these regulations, and they are in danger of being assessed civil money penalties by OCR and HHS if they are unaware of their obligations under those rules. A health care organization’s compliance and regulatory challenges are further magnified by the proliferation of hand-held and portable devices. Providers and practitioners routinely rely upon PDAs, smart phones and portable electronic devices to support the provision of health care services. Organizations need to be cognizant of the opportunities and challenges associated with the use of those devices to access and maintain electronic health information.

  • HIPAA Privacy/HITECH: The HIPAA Privacy Rule controls who can use or disclose health information, including in shared record systems. If an EMR system is part of a cooperative venture or shared electronic warehouse, there may be limits on what can or cannot be done with the health information. Before a provider begins participating in an electronic medical records warehouse -- or pays to help set up a shared electronic warehouse -- they should understand the legal limits on the use of the shared information.

  • What Rules Control an EMR?: If the data of an EMR system is physically housed outside the state where the provider is located or where the practitioner practices, then they may need to look to laws outside their state for regulatory compliance of the EMR. Most states will have jurisdiction over any health information that resides within the state borders -- the physical location of the patient is often not relevant. If a provider is using a vendor to set up an EMR and the vendor houses the data out-of-state, then the provider should know what questions to ask the vendor and what contractual obligations should be in the service agreement to ensure the provider is not caught in the regulatory traps of other states. If the data is housed in another country, then that other country's laws may limit the use of the data. Providers should understand these risks and limitations when choosing an EMR vendor.

  • EMR and Risk Management: The Double-edged Sword of Audit Trails -- An EMR system's audit trails can be an important tool in regulatory compliance and in monitoring quality of patient care, but they are also a malpractice roadmap for plaintiffs' lawyers. Providers should understand those issues.