Recent events have enhanced interest in the opportunities and challenges related to implementing electronic health information systems. Among other developments:
- In April, 2004, the President called for the adoption of "electronic health records" ("EHR") by 2014, and established the new position of National Coordinator for Health Information Technology in the Department of Health and Human Services ("HHS") in furtherance of that goal;
- In July, 2004, HHS published its "Health IT Strategic Framework" outlining a series of goals and strategic initiatives designed to convert the nation's health information systems from a disjointed, individualistic model, to a sophisticated, integrated and well-coordinated electronic system;
- In July, 2004, the Federal Trade Commission and Department of Justice issued a joint report on antitrust issues in health care, which emphasized (among other things) the importance of greater information flow in developing greater consumer awareness and more competitive reimbursement models, such as "pay for performance;" and
- In August, 2004, the Government Accountability Office (GAO) published a report reviewing HHS's efforts to promote health information technology (IT) development, in which it highlighted the legal barriers impeding innovation and changes in the health IT arena.
These recent proclamations and analyses emphasize the opportunities for a health care system that is truly "wired" and based on a more contemporary system of electronic health records and information. The GAO report also points out the potential drag on rapid innovation, development and implementation of a more comprehensive health IT strategy imposed by today's actual legal environment.
Yet despite the underlying climate of legal and regulatory uncertainty noted in the GAO study, there are signs that the regulatory fog may be starting to clear. A number of recent developments as described below have helped to streamline the landscape and give hope that helpful innovation may yet take root and thrive in various segments of the health care industry in the not-too-distant future.
The following discussion surveys some of the principal areas of regulatory concern confronting health IT initiatives and suggests preliminary steps to move forward in a legally compliant manner.
Stark. In general terms, the Stark law prohibits physicians from making referrals for certain ancillary services to entities with which the physician (or his/her family members) has financial relationships, unless an exception applies. Given the cost of health IT development and implementation, the logical starting point for developing an integrated system in many local communities might be the hospital/medical staff relationships, under the initial financial auspices of the (usually) better-funded hospital. Unfortunately, such endeavors have historically been viewed as creating impermissible financial relationships that could result in Stark law violations.
Helpfully, the "Phase II interim final rule" to the Stark law, effective July 26, 2004, created a new exception for "community-wide health information systems." This exception generally provides that a "community-wide health information system" will not create a prohibited compensation arrangement that implicates the Stark law's self-referral ban under certain circumstances. Specifically, the rule permits community-wide health information systems consisting of items or services of information technology that are provided by an entity that furnishes services subject to the Stark law (e.g., a hospital), to a physician, where such items and technology allow access to, and sharing of, electronic health care records in order to enhance the "community's overall health." Additional requirements of the exception include:
1. The items or services provided to physicians must be part of a "community-wide health information" system, made available to physicians for use as part of such a system, and not provided in any manner that takes into account the physician's referrals;
2. The system must be available to all providers, practitioners and residents of the community who desire to participate – not just a select few; and
3. The arrangement must not violate the anti-kickback statute or certain other state or federal laws.
The rule provides that such community-wide systems can also include complementary drug information systems, general health information, medical alerts and related information for patients served by community providers and practitioners.
The new exception poses problems as well as possible solutions in that key terms such as "community-wide health information system" are not defined in a sufficiently precise manner to provide a high level of compliance comfort for many potential "communities." Nonetheless, the new exception provides a good start and may be particularly available for use by certain rural and/or discretely defined communities.
The rule is clear in stating that the entity may only provide IT items and services that are necessary to enable a physician to participate in the health information system. Thus, the new exception won't enable hospitals and other providers to replace existing computers or other pre-existing health IT capabilities in physician practices. Likewise, the IT items and services must "principally" be used by the physician as part of the system, so it is doubtful, for example, that a particular piece of hardware supplied as part of the system could properly be used for purposes outside of the community-wide system.
Lastly, the final compliance requirement – that the arrangement must not violate the anti-kickback statute and that all claims and billing must comply with applicable Federal and State laws and regulations – highlights the second compliance risk area discussed below.
Anti-kickback Statute. The Medicare anti-kickback statute prohibits the offer, solicitation, or payment of any remuneration -- essentially anything of value -- in exchange for the referral of patient service opportunities paid for under any federal health care program. The law is far-reaching, with potential application to virtually any financial or other relationship involving possible referral sources. Voluntary "safe harbor" provisions have been promulgated to describe the features of arrangements that will be deemed to be safe and compliant with the law.
When it comes to health IT, a strategy involving hospital adoption of community IT systems for use by physicians and others to support improved health care will confront potential barriers in the form of the anti-kickback statute. A hospital's (or other health care organization's) provision of health IT items or services on a free or below-market basis could serve as the basis for an anti-kickback statute violation and even result in potential criminal or administrative sanctions and monetary penalties under certain circumstances. Even though the Phase II Stark law rule provides a new health IT related exception, no similar anti-kickback safe harbor provision exists. The laws are themselves enforced by different agencies of the federal government within the Department of Health and Human Services (DHHS) (i.e., CMS and OIG). As a result, health care providers and communities are forced to rely on existing safe harbors or to choose strategies that are based on rational, but perhaps uncertain, compliance with the anti-kickback statute itself.
The particular anti-kickback compliance strategies that apply to a given health IT project will always depend on the terms of the specific arrangement. Nonetheless, safe harbor provisions can be used to support legitimate health IT strategies so long as the parties are truly willing both to play by the defined legal rules and to accept management activities and safeguards that accompany anti-kickback law compliance. Key elements of legitimate arrangements related to health IT will include:
- Fair market value payments by physicians and others involved in the network in exchange for items and services they acquire from the health IT system;
- Documented (written) transactions that include commercially reasonable terms;
- Advance definition of the terms – e.g., time and frequency of use; and
- Arrangements that are legitimately for the benefit of promoting community health, and are not a prohibited covert effort to induce referrals.
Anti-kickback compliance challenges may initially be viewed as a mountain that is difficult to scale. Yet close attention to the nature of community-based health IT systems may help erode (if not remove) this perceived compliance barrier. Transactions in which referral sources are providing items or services on terms that seem "too good to be true" will in fact probably create compliance problems. But so long as community providers are willing to pay fair market value for the services they receive, then such arrangements can generally be crafted in a compliant manner.
This means, for example, that local hospitals might serve as the hub for a community-wide health IT network, while individual physicians, their practices and other health care organizations could access the system at fair market value from remote but integrated locations. The compliance challenges with such an arrangement cannot be eliminated, but it is fair to say that such a diverse hospital/physician community-wide system should be feasible with careful attention to detail.
Other Legal Concerns. Of course, there is more to the legal environment than the Stark and anti-kickback laws – although these two proscriptions typically present the most onerous barriers to innovation in health care. Other laws that can serve as compliance challenges include those discussed below:
- Exempt organization requirements applicable to hospitals, academic medical centers and other organizations that are exempt from taxation under Internal Revenue Code Section 501(c)(3). Whenever a tax-exempt health care organization is involved, concerns about "private inurement," "private benefit," "excess benefit transactions," and related issues potentially arise. All such concerns are initially based on the objective of protecting the exempt organization's assets and providing appropriate community benefits. These requirements present a formidable, but not insurmountable, challenge since bona fide transactions complying with Stark and the anti-kickback statute can also generally be crafted to comply with applicable exempt organization concerns.
- Intellectual property concerns related to potential improper use and/or appropriation of protected data and systems. By definition, health IT relies on sophisticated information systems including software with unique capabilities – elements of which may appropriately be protected by copyright and related intellectual property laws. As with other issues, although the IP concerns are significant, appropriate systems of licensing, user agreements and similar arrangements within a single community can be structured to get the community-based health IT strategy (or other health IT strategy) off the drawing board.
- HIPAA (the acronym for the Health Insurance Portability and Accountability Act) concerns arise on a daily basis in health care. Given HIPAA's standardization, privacy and security objectives, which anticipate a more efficient electronic health care system, one would expect that HIPAA would facilitate rather than impede a more comprehensive health IT strategy. Nonetheless, as with HIPAA in general, a comprehensive strategy is not, and never will be, subject to easy, cookie-cutter solutions. However, HIPAA's privacy law provisions related to organized health care arrangements ("OHCAs") and related system-wide collaborations, as well as more general requirements related to the use and disclosure of protected health information in connection with health care treatment, payment and operations, can usually be addressed in a manner which permits health IT programs to move forward in a feasible manner.
- Antitrust concerns also can serve as a potential barrier whenever any group of otherwise unrelated providers in a particular market come together for any common competitively sensitive purpose. Yet as with HIPAA, applicable antitrust principles may actually help facilitate the development of integrated community-wide health IT systems. Whether as a vehicle to implement desirable "clinical integration" pursuant to FTC/DOJ guidelines to promote enhanced efficiency or otherwise, health IT strategies that are focused on enhancing service and more efficiently delivering health care to health plan beneficiaries or other consumers are likely to help minimize antitrust concerns within the universe of potential health IT barriers.
- State privacy and other laws. Perhaps the greatest unknown related to the development of health IT systems is the myriad of individual state laws that may impose unwieldy restrictions on innovative action. As with any innovative business arrangement in health care, a close review of state laws is essential before any new community-wide system gets off the drawing board.
Faced with rising costs and declining reimbursement presented by today's health care delivery system, hospitals, physicians and others may benefit from implementing new health information system capabilities which improve care and reduce costs. The legal environment affecting such systems will often create potential barriers, but continuing evolution of the regulatory landscape may help move at least some communities forward, thereby promoting development of more comprehensive health IT systems in a beneficial manner.