Welcome to the Electronic Jungle: E-Prescribing, Medicare Part D, and HIPAA
Electronic prescribing ("e-prescribing") has become the latest in a string of vogue technology innovations affecting the medical community that have drawn legal attention. The transmission of electronic prescriptions stands to revolutionize medication delivery and promises to offer multiple benefits to hospitals, prescribing physicians, pharmacists, and patients.
E-prescribing technology comes with legal compliance obligations that must be addressed in order to prevent potential payment rejection, business loss, and government enforcement under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"). Specifically, health care providers who engage in e-prescribing on behalf of patients seeking Medicare prescription reimbursement will soon be required to transmit such prescription requests in strict accordance with HIPAA. This Commentary focuses on the recent e-prescribing rules that require application of the already existing HIPAA requirements to e-prescribing under Medicare’s Part D retiree prescription drug benefit program ("Part D"), which brings health care one step closer to a uniform national electronic infrastructure.
E-Prescribing: The Future is Here
Essentially, e-prescribing involves the use of an electronic device to facilitate the transmission of a medication order to a pharmacist in order to have a patient prescription filled. To accomplish this, health care providers typically use a personal digital assistant ("PDA"), which is a hand-held computer device or some variation thereof that provides computing and data storage capabilities and supports the electronic transmission of prescriptions from health care provider to pharmacist. Although lacking portability and the same level of convenience, personal computers may also be used to accomplish this task. But whatever hardware is chosen to perform the e-prescribing function, invariably an electronic transmission via the internet takes place in order for an electronic communication to occur and the prescription to be ultimately filled for the patient.
E-prescribing provides several advantages over traditional handwritten prescription methods. For example, there are as many as 7,000 deaths annually in the United States from incorrect prescriptions, according to the National Association of Boards of Pharmacies, and 25 percent of all medication errors result from illegible prescriptions, according to the Pennsylvania-based Institute for Safe Medication Practices.1 As prescription dispensing is expected to increase each year, there are bound to be proportional increases in the number of fatalities and errors. E-prescribing enables the transmission of legible prescriptions, which in turn greatly minimizes or even eliminates the interpretation errors that can occur with handwritten prescriptions. Physician staff may also use their time more efficiently because they spend less time on the telephone with a pharmacy clarifying and renewing prescriptions. Furthermore, transmission time for electronic prescriptions is virtually instantaneous, so patients have overall reduced waiting times for prescriptions. Moreover, payors demand formulary adherence, patient compliance, and cost-effective medications prescribed at all times, as well as critical mass of prescribers engaged in e-prescribing. Additionally, many third-party prescription-processing companies that provide e-prescribing support can track patient and prescribing physician information for every drug prescription. This information can be made available any time to the prescribing health care providers and pharmacists to reduce errors arising from duplicate prescriptions, drug-drug interactions, drug-food interactions, incorrect dosage strengths, and a host of other pharmaceutical care issues facing pharmacists and physicians alike, in the course of their respective professional practices. It has been determined that more than 8.8 million adverse drug events occur each year in ambulatory care, of which three million are preventable.2
Medicare Part D and HIPAA
On December 8, 2003, President George W. Bush signed into law the Medicare Prescription Drug, Improvement and Modernization Act of 2003 ("MMA").3 Section 101 of the MMA establishes Part D, which becomes effective January 1, 2006. Section 101 of the MMA requires, among other things, that electronic prescriptions intended for Part D beneficiaries comply with uniform standards mandated by Centers for Medicare & Medicaid Services ("CMS"), including standards mandated by HIPAA.
On November 7, 2005, CMS issued final rules that set forth standards for the transmission of electronic prescriptions intended to regulate e-prescribing and other medical information related to Part D-covered drugs that are transmitted electronically.4 The rules directly obligate providers who choose to communicate electronically, as well as Part D plans, to comply with already established HIPAA "administrative simplification" provisions.
HIPAA included a series of "administrative simplification" provisions that required the Department of Health and Human Services to adopt national standards for electronic health care transactions. These standards are known as HIPAA Transactions and Code Set Rules, and they went into effect October 16, 2003.5 These HIPAA standards establish standardized formats for electronic claims and insurance transactions and standardize bill codes and formats nationally. Health care transactions affected by these standards include health claims and equivalent encounter information, enrollment and disenrollment in a health plan, eligibility for a health plan, health care payment and remittance advice, health plan premium payments, health claim status, referral certification and authorization, and coordination of benefits. The Part D regulations describe with particularity which of these HIPAA standards apply to providers engaged in e-prescribing as well as to Part D plans.
The HIPAA Privacy Rules, which went into effect April 14, 2003, are intended to safeguard protected health information created or maintained by health plans, including Part D plans, along with health care clearinghouses and health care providers who engage in certain electronic transactions (each a "Covered Entity").6 Prescriptions contain protected health information, and when health care providers prescribe electronically, they become subject to the Privacy Rules. For example, a provider using a PDA to e-prescribe would be subject to HIPAA’s Privacy Rules.
The HIPAA Security Rules, which went into effect April 20, 2005, are intended to implement national standards for safeguards to protect the confidentiality, integrity, and availability of protected health information that is stored, transmitted, created, or received in electronic form (known as electronic protected health information, or "ePHI").7 Health care providers8 de facto transmit ePHI when engaging in e-prescribing, and as a result, the HIPAA Security Rules will also apply to them when transacting for a Part D-plan prescription drug.
Under the final e-prescribing regulations, CMS is promulgating required standards in two waves. The standards span a broad range of necessary modalities of electronic communication to support the e-prescribing process under the final rules. Some standards that have been promulgated to date but that need to undergo further testing include RxNorm,9 provider identifiers,10 prior authorization,11 and fill status notification.12 It is probable that additional standards may be introduced over time as CMS determines that a need exists to innovate further in support of e-prescribing. This first set consists of initial uniform standards that were to be adopted by September 1, 2005, using recommendations from the National Committee on Vital and Health Statistics ("NCVHS"). These standards are required to undergo a test pilot program in 2006, the results of which will be used to implement the second and final set of required standards, which must be published no later than April 1, 2008 and implemented no later than April 1, 2009. NCVHS was required to consult with physicians, pharmacists, hospitals, pharmacies, state boards of medicine, state boards of pharmacy, pharmacy benefit managers, and experts on e-prescribing before making its recommendations to CMS.
Health care providers are currently not required to e-prescribe for Part D drugs, but if they choose to do so after the final e-prescribing standards are effective, they will be required to comply with the final standards, which means they must then be fully HIPAA-compliant. On the other hand, Part D plans must comply with the e-prescribing initial standards by January 1, 2006, meaning they must be ready to accept any transmissions by providers engaged in e-prescribing using the Electronic Transactions and Code Set Standards. Part D health plans are HIPAA Covered Entities, and they include prescription drug programs ("PDPs"), fallback PDPs, private fee-for-service plans, Medicare advantage prescription drug programs, Medicare cost-reimbursement plans, and Part D reimbursement programs such as PACE.13
Two standard transactions that are part of the Part D electronic presecription rules and that won’t be required to undergo pilot testing include the NCPDP Telecommunication Standard for Health Care Claims (used for eligibility inquiries and responses between pharmacies and health plans) and the ASC X12N 270/271 Eligibility Inquiry and Response Standard (used for eligibility inquiries between providers who are e-prescribing and health plans).14 A health care provider who e-prescribes and Part D health plans that receive such prescriptions for covered drugs must communicate by way of the transaction standard set forth by these standard transactions. It follows that they must also comply with all the other HIPAA standards because they are engaging in a so-called "covered transaction." In short, a health care provider would become a Covered Entity subject to the HIPAA Rules if it began e-prescribing for prescription drugs covered under Part D.
Electronic prescriptions, by definition, contain protected health information that is the subject of HIPAA. Health care providers, e.g., hospitals, physicians, pharmacies, and pharmacists, must appreciate the compliance obligations required by the e-prescribing regulations as they relate to HIPAA. The Part D electronic prescription rules are drafted to be consistent with HIPAA. As a result, the administrative burdens that a Covered Entity endured initially when the HIPAA "administrative simplification" provisions were introduced must be extended to contemplate Part D’s e-prescribing HIPAA compliance requirements. To the extent a health care provider was not HIPAA-compliant previous to Part D and now wants to e-prescribe for Part D drugs, a full HIPAA compliance review should be undertaken.
HIPAA and Part D—Compliance Now
The HIPAA compliance regime has been in place for a few years, depending on the effective date of the applicable "administrative simplification" provision. With new laws such as MMA promulgating a retiree prescription drug benefit under Part D, HIPAA compliance becomes even more important. E-prescribing and other health technology innovations are no longer a futuristic concept but rather are becoming a competitive business norm today, and legal compliance with the HIPAA standards must be undertaken by Covered Entities. Providers (who choose to e-prescribe) and other Covered Entities that do not become compliant with HIPAA in light of requirements such as those set forth by the Part D rules will very soon face not only legal noncompliance issues but also possible adverse business consequences.
Although the deadline for HIPAA compliance has officially passed, a significant percentage of covered health care organizations still have not achieved basic HIPAA compliance, according to a recent industry survey.15 The degrees of noncompliance reported are variable, with some organizations implementing the HIPAA requirements but not fully institutionalizing HIPAA practices, while others have reported that deciding not to implement many, if not all, of the HIPAA requirements.16 The two most frequently reported reasons for HIPAA noncompliance in the latest survey were "no public relations or brand problems anticipated with noncompliance" and "no anticipated legal consequences for noncompliance."17 The statistics in the survey demonstrated that although HIPAA is in effect and applicable to Part D e-prescribing, the health care industry may not be keeping pace with these laws and supporting regulations with respect to their compliance obligations.
Despite the lack of compliance by payors and health care providers, HIPAA violation penalties can be significant if and when they are enforced by the federal government.18 Consider this:
- Each wrongful disclosure carries a maximum fine of $50,000 and up to one year’s imprisonment.
- Each disclosure made under false pretenses carries a maximum fine of $100,000 and up to five years’ imprisonment.
- Any disclosure with the intent to sell carries a maximum fine of $250,000 and up to 10 years’ imprisonment.
- Civil monetary penalties are $100 per violation, with a maximum penalty of $25,000 per year, per violation.
Moreover, a Covered Entity that ignores HIPAA compliance could subject itself to bad publicity, with risk of damaging its brand name and losing the trust of its patients or customers through its noncompliance. Part D health plans not ready to accept prescription claims through a required HIPAA and Part D standard will be violating the law. With respect to health care providers, failure to utilize HIPAA and Part D standards can result in patient dissatisfaction and lost revenues as a result of rejected claims. CMS has recently stated that as of October 1, 2005, only standard electronic transactions will be accepted for payment throughout the Medicare system, which includes Part D. Noncompliant claims submitted to Medicare on or after October 1, 2005, will be rejected and returned to the Covered Entity.
For further information, please contact your principal Firm representative or one of the lawyers listed below. General e-mail messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com.
Kevin D. Lyles
1. The major cause of injury according to the Institute for Safe Medication Practices results from miscommunication due to illegible handwriting, unclear abbreviations and dose designations, unclear telephone or verbal orders, and ambiguous orders/fax-related problems.
2. Center for Information Technology Leadership. The Value of Computerized Provider Order Entry in Ambulatory Settings, 2003 Institute of Medicine, Committee on Quality in Healthcare in America. To Err is Human: Building a Safer Health System, Washington, D.C., National Academy Press; 1999.
3. Pub. L. 108-173.
4. 42 CFR Part 423.
5. 45 CFR Parts 160 and 162.
6. 45 CFR Part 164, Subpart E.
7. 45 CFR Part 164, Subpart C.
8. 42 U.S.C. § 1395x(u).
9. This provides standardized nomenclature for clinical drugs.
10. This provides uniform national identifiers for dispensers and prescribers.
11. This is a protocol used between a prescriber and a payor to determine, in advance, if a particular treatment medication, procedure, service, or device will be covered.
12. This provides verification whether a patient has filled an electronically prescribed medication.
13. 42 U.S.C. § 1395x(u).
14. Medicare Program; E-Prescribing and the Prescription Drug Program Proposed Rule, 70 Fed. Reg. 6261 (Feb. 4, 2005)
15. The sixth annual tracking and reporting survey, called the U.S. Healthcare Industry HIPAA Survey, was conducted in the summer of 2005 and was sponsored by the Healthcare Information and Management Systems Society (HIMSS) and Phoenix Health Systems.
16. See Id.
17. See Id.
18. The Department of Justice is responsible for administering the penalties and fines.
Jones Day Commentaries are a publication of Jones Day and should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at its discretion. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship.