Practical Tips and How to Avoid Pitfalls When Sharing Electronic Health Records Within a Health Care

1
Practical Tips and How to Avoid Pitfalls When
Sharing Electronic Health Records Within a Health
Care System

• Sarah Coyne (Quarles Brady LLP)
• Heather Fields (Reinhart Boerner Van Deuren SC)
• HIPAA COW Fall Conference
• September 21, 2007

2
Legal Barriers in Wisconsin

• HIPAA
• Stark / AKS
• Wisconsin general records 146.82
• Wisconsin hospital regulations
• Wisconsin mental health act and regulations
• Wisconsin pharmacy law (e.g. remote dispensing)
• Electronic signature requirements
• Mishmash of other WI laws
• DQA (or is it OQA? Or BQA?) memos
• CMS conditions of participation
• Other CMS memos/ guidance (SOM)
• 42 CFR Part 2
• Accrediting agencies (e.g., Joint Commission)
• Retention requirements
• Potential for patient care/ privacy claims

3
Non-Legal Barriers

• Social/ Organizational (resistance to change)
• Technological barriers
• To scan or not to scan (managing paper)
• Who owns the record
• What happens in the event of dissolution/
  disconnection

4
So Why Do It?

• Remember the original ONCHIT goals
• Inform clinical practice
• Interconnect clinicians
• Personalize care
• Improve population health

5
Basic Components of EMR

• Computerized orders for prescriptions
• Computerized orders for diagnostic tests
• Reporting of test/ lab results
• Practitioner notes

6
The VA Model

• Veterans Health Information Systems and
  Technology Architecture (VistA)
• Graphical interface providers may review
  patient's VA record at any of the 1000 VA
  facilities
• Limited somewhat in scope

7
Managing the Legal Barriers.
8
HIPAA

• Each entity within the health system may have its
  own privacy and security policies/ documentation
• Cross-walk them and decide which can be jointly
  managed in connection with the EMR

9
HIPAA Pitfalls to Manage up Front

• Tracking stuff
• Required documentation
• Requested amendments
• Restricted modes of communication
• Accountable disclosures
• Access to designated record set
• Restricted disclosures
• Patient authorizations

10
HIPAA more pitfalls

• Business Associate management/ tracking
• User role-based access/ minimum necessary for
  that job description
• User identification
• Sanctions
• Coordination of multiple security or privacy
  officers

11
HIPAA more pitfalls

• Joint training?
• Joint response to complaints what if only one
  entity in the health system is the subject of a
  complaint sharing liability

12
Wisconsin 146.82 Redisclosure

• The Issue 146.82(2)(b)
• How it affects transfer of information among
  related entities
• DHFS may not directly monitor
• Solution legislative?

13
146.82(2)(b)

• Except as provided in s. 610.70 (3) and (5),
  unless authorized by a court of record, the
  recipient of any information under par. (a) shall
  keep the information confidential and may not
  disclose identifying information about the
  patient whose patient health care records are
  released.

14
DHFS Letter

• Providers requested an opinion that
• Wis. Stat. 146.82(2)(b) does not apply to patient
  records for continuity of care
• Including in the EMR context

15
146.82(2)(b) cont.

• DHFS said
• Reasonable minds disagree about this
• Cannot give that opinion
• Identified by eHealth workgroup
• Workgroup said appropriate to seek statutory
  change to ensure redisclosure is lawful
• "Even for the purposes of further treatment"

16
146.82(2)(b)

• DQA staff has stated that "enforcement of
  146.82(2)(b) is not part of their survey or
  review process."
• Suggests inclusion of consent to disclosure for
  continuity of care on patient authorization forms
  (butthat's not one of the options, technically).

17
Stark / AKS

• The exceptions and safe harbors establish the
  conditions under which
• Entities furnishing DHS (and certain other
  entities under the safe harbor) may donate to
  physicians (and certain other recipients under
  the safe harbor) interoperable electronic health
  records software, information technology and
  training services.
• Hospitals and certain other entities may provide
  physicians (and certain other recipients under
  the safe harbor) with hardware, software, or
  information technology and training services
  necessary and used solely for electronic
  prescribing.

18
Wisconsin Hospital Regulations

• HFS 124 contains particular requirements for
  medical records electronic or not
• Clinics not as closely regulated
• Shared records must meet the more stringent
  hospital requirements

19
Wisconsin Mental Health Act and Regulations
Pitfalls

• Informed Consent Form 51.30(2)
• Designated recipient (DHFS to IT dept.)
• Designated purpose (DHFS must specify to
  patients in writing)
• Particular information to be disclosed (DHFS
  can't just say "any and all treatment record
  information")
• Expiration date (DHFS OK to specify an
  expiration date in the future, must be confined
  period of time)
• 92.03(1) Statement (DHFS must occur, even with
  EMR)

20
Mental Health Pitfalls

• Recent law changes allow at least sharing of
  medication list
• Contemplated revisions 51.30 workgroup how
  far should the sharing go?
• Privacy vs. Patient Care

21
Wisconsin Ehealth Action Plan

• Patient Care
• Information Exchange
• Consumer Interests
• Financing
• Governance

22
Electronic Signature Requirements

• CMS CoP 482.24 (2006 revisions)
• Proposed HIPAA requirements for electronic
  standards
• Ch. 137
• June 27, 1997 DHFS memo re electronic signature
  in electronic recordkeeping

23
DQA (or is it OQA? or BQA?) Memos

• Authentication of orders

24
42 CFR Part 2

• Bottom line even among related entities, can't
  easily include AODA records in joint EMR
• Consent needed for more disclosures
• Personal representative concept more stringent
• Redisclosure is prohibited like WI
• Accompanying statement required

25
Accrediting agencies (e.g. Joint Commission)

• If one of the related entities is not, and the
  other is not EMR must comply with accreditation
  standards.

26
Retention Requirements

• Each entity must be responsible for maintaining
  its own records for the required periods of time
• Easier to keep records permanently in EMR
  environment

27
Potential for Patient Care/ Privacy Claims

• Key issue to be negotiated up front
• Agreement between separate legal entities
• Insurance
• Indemnification
• Complaint management process Joint response

28
Non-Legal Barriers..
29

• Wisconsin funding sources
• Federal funding sources (ARHQ)
• Tax breaks
• Shared funding may be a tricky upfront
  negotiation, between related entities

30
Social/ Organizational (resistance to change)

• Clashing cultures
• Educating employees
• Patient awareness
• Trust

31
Technological Barriers

• Software
• Networking
• Programming/ IT support

32
"Legal" EMR

• Of one entity in the system but not another?

33
To Scan Or Not to Scan (Managing Paper)

• Will you ever need the paper?
• Costs/ administrative costs of scanning
• Some practitioners are wedded to paper
• "Psychotherapy notes"

34
Who Owns the Record

• Patients?
• Entities
• If shared co-owners? (Address via agreement
  between legally separate entities)

35
What Happens in the Event of Dissolution/
Disconnection

• Address it in the agreement

36
Summary points

• Many of the issues in sharing between related
  entities are the same as those between unrelated
  entities
• May still need agreements
• Address thorny issues (liability, insurance,
  governance, financing, patient awareness,
  scanning, etc.) UP FRONT