OTLA Trial Lawyer Summer 2023

individual in a designated record set, for as long as the protected health information is maintained in the designated record set.” 45 C.F.R. § 164.524(a)(1). With the enactment of the HITECH Act in 2009, Congress expanded HIPAA to include individuals’ rights to obtain electronic health records, and added stronger privacy and security requirements to protect health information. The 2016 Cures Act added “information blocking” provisions in response to a growing concern that healthcare software developers and providers sought to restrict the amount and types of information accessible to individuals.

In response to the Cures Act, HHS promulgated rules requiring that healthcare technology be capable of providing all metadata to individuals. HHS defined the types of metadata that certified technology must be capable of producing. See 45 C.F.R. § 170.210(e), (h). With respect to audit trails, HHS regulations require that the healthcare technology must be able to record all actions made to an electronic health record and indicate whether the audit trail has been altered in any way, among other things. See Judge James N. O’Hara’s order in Prieto v. Rush University Medical Center, Cook County Illinois Circuit Court, Case No. 2018 L 003531 (January 18, 2022).

The vast majority of medical facilities now use electronic medical records systems. The 2009 HITECH Act requires healthcare providers to convert all medical charts to a digital format. The Act includes incentives to purchase certified EMR systems and create privacy standards and regulations. It also authorizes Medicare and Medicaid to provide payments to hospitals and physicians who demonstrate “meaningful use” of electronic health records. Healthcare organizations that do not implement EMR systems and/or demonstrate their “meaningful use” will see a reduction in Medicare reimbursements of up to 5%.
