By: Katrina Henderson

President Obama’s 2009 stimulus plan set forth billions of dollars worth of incentives for medical health providers in order to urge them to begin using electronic medical records (EMR). The plan hoped to encourage health care providers to streamline medical care, due to the fact that EMR systems are both more efficient and accurate than paper records. The use of electronic records helps to reduce paperwork, eliminate handwriting errors, coordinate patient care, eliminate unnecessary tests and procedures, as well as provide direct access to health records.


Since this stimulus plan was put in place, the switch to electronic medical records has been quite large. By early 2012, the U.S. Department of Health and Human Services had already spent 25.9 billion on electronic health information systems. Recent research regarding family doctors, which are the largest group of primary care physicians, suggests that in 2011, about 68 percent of family doctors were using electronic health records. This percentage shows the use of such records has doubled between 2005 and 2011. Many health care providers still have concerns regarding these records. The first regarding EMR system is the cost of implementation and training. The second concern is patient privacy and who has access to this protected health information.


When it comes to privacy, the Health Information Portability and Accountability Act (HIPAA) attempts to mitigate any concerns by enacting rules to protect patient privacy. These rules, most recently tweaked by the HIPAA Omnibus Rule, create safeguards, which Covered Entities, and now their Business Associates, must implement in order to better protect patients’ personal health information. The over 500 pages of the Omnibus Rule are quite a lot to grasp. Included within the rules are four final rules, which (1) modify the HIPAA privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH), (2) incorporate increased penalty structure within the HIPAA Enforcement Rule, (3) replace the “harm” threshold with a more objective standard under Breach Notification for Unsecured Protected Health information, and (4) prohibit most health plans from the use or disclosure of genetic information for underwriting purposes.


The Rule became effective on March 26, 2013. Covered Entities and Business associates still have 180 days past the effective date to become compliant with the Rule’s provisions. It is too soon to tell whether or not the new rules will be effective in terms of increasing health information privacy. For now the questions many health care providers and the U.S. Department of Health and Human Services may be asking are how much will compliance with these new rules cost and will the government incentives be enough to cover those expenses. It does not seem as though expansion of the use of EMR systems will slow due to the fact that physicians will be assessed a penalty for not adopting an EMR system by 2015. However, there may be a push for more guidance and financial assistance with implementation and compliance measures, especially by the newly liable Business Associates.