Meaningful Use, Mobile Health, and Patient Engagement

January 31, 2014 by · 1 Comment
Filed under: Electronic Medical Records 

[Photo: Donna Hanrahan]

Advancements in information and communication technologies are fundamentally changing the way doctors and patients interact. These technologies, including electronic health records (EHRs) and mobile health (mHealth) tools, are transforming the industry and driving stakeholders across the healthcare landscape to reevaluate and transform how they provide services. mHealth holds promise for catalyzing improvement along the healthcare value chain, thus maximizing professionals’ time and productivity and improving the quality of care. Moreover, mobile health technologies have great potential to drive patient engagement and promote “patient-centered care.”

The Health Information Technology for Economic and Clinical Health (HITECH) Act & “Meaningful Use”

Healthcare providers have been incorporating healthcare technology and implementing electronic health record (EHR) systems at an accelerated rate in recent years, largely due to the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act was created as a part of the American Recovery and Reinvestment Act of 2009. The $27 billion piece of legislation offers eligible providers incentives for expanding the use of healthcare information technology. This includes promoting the “meaningful use” of EHRs. The “meaningful use” standard was designed for physicians to use technology to improve quality of care and health outcomes for patients, as well as to lower costs by eliminating repeat medical tests and reducing preventable medical errors that pervade the health-care system today. This legislation has been extremely effective in persuading healthcare providers to use electronic health records. EHRs, in conjunction with other healthcare information technologies such as mobile health (mHealth) tools, have vast potential to improve patient health by promoting patient-centered care.

The HITECH Act offers eligible healthcare professionals and hospitals incentives for expanding the use of healthcare information technology and meeting the “meaningful use” requirements, namely electronic health records. The Department of Health and Human Services (HHS) defines meaningful use as using certified healthcare information technology: (1) to improve quality, safety, efficiency, and reduce health disparities; (2) to engage patients and families; (3) to improve care coordination and population health; and (4) to maintain the privacy and security of patient health information. The “meaningful use” framework incentivizes enhancement of clinical care and quality by encouraging healthcare professionals to take advantage of instantaneous and patient-specific information. Incentive payments are made available through the Medicaid and Medicare programs. Eligible professionals and hospitals that meet the criteria can be rewarded up to $44,000 in Medicare and $63,750 in Medicaid payments over 5 years. After 2015, physicians who fail to meaningfully use EHRs will be subject to reductions in Medicare and Medicaid reimbursement. To receive payments, eligible professionals and hospitals must meet “meaningful use” criteria, including e-prescribing, patient-specific health education, and the use of drug interaction software to ensure patient safety.

Unlocking the Value of Mobile Health Technology in Healthcare Settings

Mobile health applications connect patients with providers, coordinate care, and promote self-management of health conditions. Smartphone and tablet applications are projected to be an efficient way to get patients involved in their care, help grow healthcare practices, and build trust between the physician and patient. One recent survey by eClinicalWorks suggests that 93% of physicians believe mHealth apps have the potential to improve patient outcomes and 89% are likely to recommend a mobile health app to a patient. Appointment scheduling applications, secure messaging platforms, and patient education tools have rich clinical and business value to modern medical practice.

Incorporating mHealth technologies benefits healthcare professionals, healthcare consumers, and the healthcare industry alike. For healthcare professionals, applying mobile technologies can help lower administrative costs, cultivate customer interactions, enhance customer service, boost business performance, and help meet stage 2 of the meaningful use requirements. For patients, mobile technologies can improve engagement and disease management, provide education, allow for self-monitoring, and guide users to facilities for appropriate levels of care. For the pharmaceutical and medical device industries, incorporating mobile technologies into marketing and outreach campaigns can serve to cultivate consumer interactions, boost business performance, enhance consumer trust by providing reliable and relevant information to patients, and, importantly, allow educated patients to advocate for certain aspects of their care. Accordingly, there is great value to unlock for all key stakeholders in the healthcare landscape to develop a core framework that involves the use of innovative mobile and digital technologies.


HIPAA, HITECH & Beyond: Protecting Healthcare Data in our Cyber World

This program will examine the most current issues, enforcement trends, and regulations relevant to healthcare data privacy experts who counsel hospitals, providers, and other healthcare facilities.

In collaboration with the Bergen County Prosecutor’s Office; 6 NJ/NY CLE credits.


Helen Oscislawski, Privacy Risk Assessments and Privacy Challenges

Helen Oscislawski is the founder of Oscislawski, LLC in Princeton.  She provides legal guidance on HIPAA, HITECH, state privacy laws, electronic health information exchanges and health information technology to HIEs, RHIOs and ACOs, and counsels other healthcare clients in various matters.

Ms. Oscislawski was appointed by Governor Jon Corzine in 2008 to the New Jersey Health Information Technology Commission (NJHITC) and was reappointed to the NJHITC by Governor Chris Christie in 2010 where she also served as Chair of the Privacy and Security Committee for NJHIT Coordinator. She is the primary author of Update to Privacy and Security Compliance Manual, which was developed for the New Jersey Hospital Association and, most recently, she has developed and authored several editions of the HIPAA-HITECH Helpbook, a manual that combines tools and sample forms that address HITECH changes, state law and other considerations and Meaningful Use and Health Information Exchanges.

Before founding Oscislawski, LLC, Ms. Oscislawski was a healthcare attorney at Fox Rothschild in Princeton, New Jersey, where she counseled healthcare clients on a wide range of legal matters. She received her BA from Rutgers University, Douglass College and her JD from Rutgers School of Law.

Frank Pasquale, Professor of Law, Seton Hall Law School, The Past, Present and Future of Health Privacy

Professor Frank Pasquale is the Schering-Plough Professor in Health Care Regulation and Enforcement at Seton Hall Law School. Professor Pasquale has taught information and health law at Seton Hall since 2004.  He has published over 20 scholarly articles. His research agenda focuses on challenges posed to information law by rapidly changing technology, particularly in the health care, internet, and finance industries.

Professor Pasquale is an Affiliate Fellow of Yale Law School’s Information Society Project.  He has been named to the Advisory Board of the Electronic Privacy Information Center. He has served on the executive board of the Health Law Section of the American Association of Law Schools (AALS), and has served as chair of the AALS Section on Privacy and Defamation.

Professor Pasquale received his BA from Harvard University (summa cum laude), his M.Phil. from Oxford University, and his JD from Yale Law School.

Jaime S. Pego, Director, Healthcare Advisory Services, KPMG LLP, (along with Joy Pritts, Mark Swearingen, and Frank Pasquale, Moderator) Panel Discussion: The Practical Steps Necessary to Promote Privacy and Cybersecurity in Modern Healthcare Organizations

Jaime S. Pego is a Director in the Short Hills, New Jersey, office of KPMG LLP’s Healthcare Advisory Services Practice and serves as the firm’s National HIPAA Privacy Director. She has substantial experience in healthcare regulatory compliance and healthcare-related advisory services.

Ms. Pego works with a variety of healthcare clients to assist with identifying and preventing compliance risks and complying with federal and state regulations. Her work for KPMG includes serving as lead director for OCR HIPAA audits, as well as acting as Privacy Lead for the KPMG HIPAA national service line assisting covered entities and business associates with HIPAA compliance. She has conducted internal investigations concerning a variety of topics, including fraud and abuse, HIPAA violations, as well as other legal and regulatory matters, and researched and developed compliance policies for institutions in the areas of gifting under the Anti-Kickback Statute and Stark Law, the DRA, HIPAA, EMTALA and others. She participates in the KPMG National HIPAA working group to develop tools and methodologies for client needs, and conducts and manages ICD-10 Impact Assessment at a variety of healthcare organizations to help identify gaps in ICD-10 readiness. She has also served as the firm’s lead manager for health care reform legislative analysis and research.

Prior to coming to KPMG, Ms. Pego was a Local Compliance Officer at a teaching hospital and outpatient center for one of New Jersey’s largest health care systems and has worked with some of the country’s leading health systems. She received her BA from American University and her JD from Seton Hall University School of Law, with a Concentration in Health Law, and is Certified in Healthcare Compliance (CHC) by the Health Care Compliance Association (HCCA).

Joy Pritts, Chief Privacy Officer, ONC, HHS, Meaningful Use Regulations: What Providers Need To Know To Comply

Joy Pritts joined the Office of the National Coordinator for Health Information Technology (ONC), Department of Health & Human Services in February 2010 as its first Chief Privacy Officer. Ms. Pritts provides critical advice to the Secretary and the National Coordinator in developing and implementing ONC’s privacy and security programs under HITECH. She works closely with the Office for Civil Rights and other operating divisions of HHS, as well as with other government agencies to help ensure a coordinated approach to key privacy and security issues.

Prior to joining ONC, Ms. Pritts held a joint appointment as a Senior Scholar with the O’Neill Institute for National and Global Health Law and as a Research Associate Professor with the Health Policy Institute, Georgetown University. She has an extensive background in confidentiality laws including the HIPAA Privacy Rule, federal alcohol and substance abuse treatment confidentiality laws, the Common Rule governing federally funded research, and state health information privacy laws.

Ms. Pritts received her BA from Oberlin College and her JD from Case Western Reserve University.

Anna Spencer, Esq., Sidley Austin, LLP, Data Breaches/Data Breach Notification Requirements and the Need for Encryption

Anna Spencer is a partner in Sidley Austin’s Washington, D.C. office whose practice focuses on health care. Ms. Spencer primarily works on matters involving the privacy and security of health information, and she is the firm’s global coordinator for health information privacy. She regularly counsels a broad range of clients on healthcare information privacy and security issues. This includes assisting clients with respect to HIPAA and HITECH, and she has significant experience in investigating and responding to data breaches and information security incidents. She has represented clients in connection with data breach reporting obligations under the HITECH regulations for breaches of protected health information and defended health care providers in investigations initiated by the Office for Civil Rights, Department of Health and Human Services.

On behalf of covered entities and entities that qualify as HIPAA business associates, Ms. Spencer has developed multiple HIPAA privacy and security compliance and training programs. She has negotiated hundreds of Business Associate Agreements on behalf of various clients.

Ms. Spencer has spoken on privacy/security matters on behalf of numerous groups such as BNA and the American Conference Institute. She has authored a variety of articles on privacy/security issues, Medicare coverage, and fraud and abuse. She is currently authoring a book for BNA on health information privacy.  Ms. Spencer received her BA from Sewanee and her JD from Vanderbilt University School of Law.

Mark Swearingen, Esq., Hall, Render, Killian, Heath & Lyman, PC, HIPAA and HITECH Trends (Enforcement and Otherwise)

Mark Swearingen coordinates the HIPAA practice and provides counsel on health information privacy and security matters such as breach response and notification and the creation, use, disclosure, retention and destruction of medical records and other health information at the Indianapolis law firm, Hall, Render, Killian, Heath & Lyman, P.C. His counsel to clients also includes a variety of health care topics related to regulatory compliance, physician and clinical services contracting, risk management and Independent Review Organization services. He has provided such services to a broad spectrum of health system, hospital, physician practice, diagnostic imaging center, ambulatory surgical center and long-term care facility clients.

Mr. Swearingen has spoken and written nationally and regionally on numerous topics, including antitrust, electronic medical records and health information privacy and confidentiality. He is an adjunct professor of a course in Law and Medicine at the Indiana University School of Informatics at IUPUI.

Mr. Swearingen received his BA from Indiana University and his JD from Seton Hall Law School.



March 25, 2013 by · Leave a Comment
Filed under: Health Law 

Seton Hall Professor and Health Care Regulation Expert Frank Pasquale to Present Draft White Paper Outlining Options and then Moderate a Discussion on its Pros and Cons with Fellow Academics

Washington, D.C. – On Friday, March 22, 2013, Seton Hall University School of Law hosted an academic roundtable discussion on how our current healthcare law will respond to the new technology environment, in particular how to maintain privacy for consumers as the health industry expands adoption of cloud computing. Seton Hall Professor Frank Pasquale moderated the event, “The Future of HIPAA and The Cloud,” and also released a white paper he coauthored with Tara Adams Ragone on the challenges that cloud computing technologies pose to the Health Insurance Portability and Accountability Act (HIPAA).

As the recent HIPAA Omnibus Rule showed, regulation must both reflect and shape technological advances. As stakeholders face new challenges and opportunities, the roundtable asked: What is the future of HIPAA in the cloud? How will patient data be used? What is the role for third party vendors? And who should be held responsible for security breaches in the cloud?

White paper abstract:

This white paper examines how cloud computing generates new privacy challenges for both healthcare providers and patients, and how American health privacy laws may be interpreted or amended to address these challenges. Given the current implementation of Meaningful Use rules for health information technology and the Omnibus HIPAA Rule in health care generally, the stage is now set for a distinctive law of “health information” to emerge. HIPAA has come of age of late, with more aggressive enforcement efforts targeting wayward healthcare entities. Nevertheless, more needs to be done to assure that health privacy and all the values it is meant to protect are actually vindicated in an era of ever faster and more pervasive data transfer and analysis.

After describing how cloud computing is now used in healthcare, this white paper examines nascent and emerging cloud applications. Current regulation addresses many of these scenarios, but also leaves some important decision points ahead. Business associate agreements between cloud service providers and covered entities will need to address new risks. To meaningfully consent to new uses of protected health information, patients will need access to more sophisticated and granular methods of monitoring data collection, analysis, and use. Policymakers should be concerned not only about medical records, but also about medical reputations used to deny opportunities. In order to implement these and other recommendations, more funding for technical assistance for health privacy regulators is essential.


Recommended Reading: Interoperability and Preemption

September 18, 2012 by · Leave a Comment
Filed under: Recommended Reading 

[Photo: Tara Ragone]

I highly recommend two recent articles that consider the intersection of HIPAA preemption doctrine, interoperability of electronic health record (“EHR”) databases, privacy, and confidentiality.

In her article, “Institutional Competence to Balance Privacy and Competing Values: The Forgotten Third Prong of HIPAA Preemption Analysis,” Barbara J. Evans takes on the well-settled belief — or “rumor,” as she calls it –  that the HIPAA “Privacy Rule merely sets a floor of privacy protection that leaves states free to set stricter privacy standards.”  (A draft of this article is available on SSRN, and it will be published in the University of California-Davis Law Review in 2013.)  Although this general rule of HIPAA preemption  is largely accurate, the article argues that it is wrong with respect to an enumerated “class of public health activities that Congress deemed to have high social value,” including “reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.”

Professor Evans begins with a textual argument, pointing out that HIPAA’s statutory text specifically includes a third prong, while HIPAA’s Privacy Rule, one of HIPAA’s key implementing regulations, collapses the statutory language into two prongs.  The article maintains that in doing so, the “Privacy Rule ignored a clear statutory instruction to preempt state privacy law in a specific circumstance where Congress determined that individual privacy interests should give way to competing public interests.”  In this specific public health context, she continues, “the HIPAA statute creates what might be called a ‘canopy,’ to shelter specific socially important data uses from more stringent privacy laws.”  The author buttresses her analysis with legislative and regulatory history as well as a comparison with the structure of ERISA preemption provisions.

Noting that the statute speaks directly to this issue, Professor Evans maintains that the public health portion of the Privacy Rule is not entitled to Chevron or Skidmore deference where its interpretation is contrary to the statute and the agency did not offer a persuasive account to justify its interpretations. Rather, “the HIPAA statute preempts state privacy laws — even ones that are more stringent than the HIPAA privacy Rule — in situations where state laws would interfere with public health surveillance and investigations.”

Professor Evans attributes the inconsistency between the Privacy Rule and HIPAA to politically savvy rather than incompetent agency drafting. She asserts that HHS was aware that states were afraid that their privacy laws would be preempted, and thus the agency took a modest approach in the Privacy Rule, leaving unspoken the effect of the third prong on more stringent state laws in the limited context of enumerated public health activities. The statutory text, however, reflects Congress’s choice to “trust[] no institution other than itself” to “strike the balance between privacy and competing public interests.” There was a conscious choice not to permit a patchwork of varying state laws to frustrate the development of multi-state, interoperable databases needed for the enumerated public health activities.

This article breathes new life into statutory language that has been largely overlooked in the sixteen years since HIPAA’s enactment and is critical reading for anyone interested in public health surveillance, investigation, and privacy law.  Professor Evans argues that facilitating access to large-scale, multi-state, interoperable databases of health-related data for tens or even hundreds of millions of people could speed “the detection of drug safety risks, unmask[] ineffective or wasteful treatments, and understand[] disparities in health outcomes among various populations subgroups,” while “unduly restrict[ing] access to data and biospecimens can very literally kill people.”

The article closes with an invitation to scholars for further “dialogue about [HIPAA’s] forgotten preemption provision,” an invitation the health law community would be wise to accept. While she readily acknowledges that her conclusions are unorthodox, they will undoubtedly generate substantial and serious academic discussion.

Another important article for interoperability policymaking is Leslie P. Francis’s article, “Skeletons in the Family Medical Closet: Access of Personal Representatives to Interoperable Medical Records,” which recently was posted to SSRN and was published in volume 4, issue 2 of the 2011 Saint Louis University Journal of Health Law & Policy.

With HIPAA’s Privacy Rule and the HITECH Act, federal law now grants patients the right to access their own medical records, including EHRs, with some limitations for certain records, such as psychotherapy notes.  Importantly,  personal representatives now generally enjoy the same rights of access to medical records that patients themselves hold, consistent with state law.

In addition, although HIPAA preempts state laws that are inconsistent with federal law, HIPAA generally (see Professor Evans’s important caveat above) does not preempt state laws that protect privacy more stringently than federal law. A state law is deemed more stringent when, for example, it provides individuals with greater access to their health information. As a result, “states may expand the individual right of access to health information, but may not contract it.”

The article points out an unintended consequence of such an expansion, however, given federal law on access: states that provide equal rights of access to patients and their representatives would be expanding personal representative access in step with any increased rights for patients.

But given the breadth of interoperable EHRs, patients may not want or expect their personal representatives to have access equal in scope to their own.  Interoperable EHRs may very well  contain records of medical care that are not directly relevant to the patients’ current care and that patients may not want their personal representatives to see.  Professor Francis offers the example of an older patient being treated for a stroke who may not want her child to learn about her prior, unrelated pregnancy termination or psychiatric history – what Professor Francis calls “the metaphorical skeletons in her closet.”

The article thus explores the extent to which states may protect patient privacy and confidentiality in this legal framework by regulating personal representatives’ access to patient records. Although states generally either grant or deny personal representatives access to patient records, Professor Francis details how some have been more nuanced. For example, some permit patients to use advance directives to define the scope of access by personal representatives, such as on a need-to-know basis, while others restrict personal representative access to mental health or substance abuse treatment records.

Given the importance of respect for private autonomy, Professor Francis then makes four recommendations:

(1)    Advance directive statutes should permit competent patients to designate the scope of their personal representatives’ access to interoperable medical records, ideally with respect to specific types of information, such as mental health, substance abuse, and reproductive history, and options such as all information, information only as needed to make care decisions, or no information.

(2)    When patients do not have advance directives, there should be a presumption that personal representatives only have access to records needed for decision making about their care.

(3)    Interoperable medical records should be designed to permit special management of sensitive medical information, such as mental health or substance abuse treatment records, to which personal representatives would have access only when necessary for emergency care.

(4)    These recommendations generally should apply regardless of whether patients have mental illness or cognitive disabilities.


Graduate Certificate Program in Pharmaceutical & Medical Device Law & Compliance to Start Again, October 7, 2012

Seton Hall Law School’s Center for Health & Pharmaceutical Law & Policy starts classes again on October 7th for the Graduate Certificate in Pharmaceutical & Medical Device Law & Compliance. The priority application date is September 24, 2012.

The Graduate Certificate in Pharmaceutical & Medical Device Law & Compliance is a non-degree program designed for individuals who seek in-depth knowledge about legal, regulatory, and ethical issues related to the pharmaceutical and medical device industries. Taught exclusively online, it offers students nationwide a targeted immersion in key substantive issues along with the practical skills necessary to research and communicate effectively about the law.

The intensive program is geared to busy professionals who want to cover a significant amount of material in a relatively short period of time. The program is open to students who have earned a baccalaureate degree from an accredited college or university. It is specifically designed to meet the needs of mid- to senior-level professionals in the health care industry, but highly motivated students from other backgrounds are also welcome to apply. It is not necessary to have prior academic or work experience in health care in order to do well in the program.


Why study pharmaceutical and medical device law at Seton Hall School of Law?

Seton Hall Law School has specialized in health law for more than a decade, and its health law program is consistently ranked among the top ten in the nation by U.S. News & World Report.  The Law School’s health law faculty specialize in a wide range of health law topics, including healthcare organizations, nonprofit governance, healthcare financing, healthcare fraud and abuse, food and drug law, research with human subjects, genetics and the law, public health law, and bioethics.  In addition to training future lawyers, Seton Hall Law offers a Master’s of Science in Jurisprudence degree for individuals working in the health care industry, as well as an innovative compliance certification program for pharmaceutical and medical device professionals.  Seton Hall Law is also a center for scholarship and public policy development related to health care, particularly through its Center for Health & Pharmaceutical Law & Policy, whose mission is to foster informed dialogue among policymakers, consumer advocates, the medical profession, and industry.

