Initial reactions to the long-awaited decision last week by the Internal Revenue Service to join HHS and the CMS in clearing a path for hospitals to subsidize healthcare information technology systems to affiliated physicians were overwhelmingly positive.
But in the passing of a few days and with sober reflection, not everyone sees the new IRS policy as an unalloyed good thing.
Healthcare lawyer Andrew Blustein, a partner with Garfunkel, Wild & Travis, Great Neck, N.Y., while joining the early voices saying the IRS ruling is "wonderful news," also urged caution. "It's a major step forward, but people need to realize there are some additions (in the ruling) that may not fit their particular program."
HHS and the CMS last summer issued safe harbors to the federal anti-kickback law and exceptions to Stark laws prohibiting inducements for referrals in separate documents totaling more than 70 pages. Hospitals can qualify for the HHS and CMS dispensations by providing under specific conditions subsidized electronic medical-records systems and support to physician practices.
After the HHS and CMS rulings, attention turned almost immediately to the IRS. Not-for-profit hospitals were cautioned by their lawyers that IT contributions to for-profit organizations such as physician practices, though legal under the new Stark and anti-kickback modifications, could still jeopardize hospitals' tax-exempt status.
By November 2006, the American Hospital Association sent a letter to Lois Lerner, director of the exempt organizations division at the IRS, asking for a broad ruling favoring the IT subsidies. Lerner's response came last Friday in a two-page "field directive" memo she sent to two department directors under her division.
It said: "We will not treat the benefits a hospital provides to its medical staff physicians as impermissible private benefit or inurement in violation of section 501(c)(3) of the code if the benefits fall within the range of health IT items and services that are permissible under the HHS EHR regulations and the hospital operates in the manner described below."
The IRS conditions were:
- Hospitals must enter into health IT subsidy agreements with physicians receiving IT items and services.
- Hospitals and physicians must comply with HHS rules.
- "The health IT subsidy arrangements provide that, to the extent permitted by law, the hospital may access all of the electronic medical records created by a physician using the health IT items and services subsidized by the hospital."
- "The hospital ensures that the health IT items and services are available to all of its medical staff physicians."
- "The hospital provides the same level of subsidy to all of its medical staff physicians or varies the level of subsidy by applying criteria related to meeting the healthcare needs of the community."
The key provisions of the HHS and CMS policies dovetailed, but the IRS memo outlines some unique features, according to Blustein.
"The biggest one is that (the offered IT system) has to be open to all of the medical staff physicians," Blustein said. "Everyone needs to consider if that's what they want to do. For some, the cost to extend IT to everyone may be prohibitively high."
Blustein said before hospitals rush out and implement their physician IT subsidy strategies, they "need to pause a little to see if the IRS is further narrowing the safe harbor. Did they give something with one hand, but take it away with another?"
Stephen Clarke is an official within the rulings and agreements section of the exempt organizations division of the IRS who worked on developing the IT policy and was named in the memo as a spokesman for the agency.
"We've received a lot of pressure to put this out, but we had to understand all the issues," Clarke said. "It took a while to hear everyone out."
The IRS has no plans to issue a public, more comprehensive ruling beyond what was in the May 11 field directive, he said, which was a two-page internal communication document from Lerner to two department heads in her division.
Clarke said while the memo requires a hospital that makes its IT services available to any physician on its medical staff must also make the same services available to all physicians on the hospital's medical staff, it does not require the hospital to provide subsidized services to all physicians or the same level of subsidy to all. Thus, the hospital could charge some physicians fair-market value for the services, while subsidizing the costs of others under certain conditions, Clarke said.
"If the hospital is distinguishing between physician groups, it should do so based on some objective criteria that are beneficial to the community," Clarke said. "For example, if a hospital determines that providing electronic helathcare software to a pediatric department has greater benefit to the community, the hospital could roll that out first, as opposed to rolling it out to insiders who are physicians on its medical staff."
Further, the IRS does not intend that its policy outline be the be-all and end-all to hospital IT subsidy programs.
"We're not saying that if it doesn't fit this mold it's automatically going to create an impermissible private benefit," Clarke said. "But if it varies from what's here, the hospital wouldnt be able to rely on this directive; wed have to see the facts and circumstances. If a hospital isnt sure if this directive applies, they could always request a private-letter ruling from us."
Another provision unique to the IRS memo is the requirement that, "to the extent permitted by law, the hospital may access all (emphasis added) of the electronic medical records created by a physician using the health IT items and services subsidized by the hospital."
"Here was our concern," Clarke said. "We have private benefit and private inurement restrictions that we are enforcing. A hospital cannot generate impermissible private benefit for third parties. It has to be incidental. The hospital and its patients need to benefit from that in a way that's primary and any benefit to the doctor needs to be incidental.
Hospitals could use the data gleaned from the subsidized physicians, including those of patients of the physician who are not patients of the hospital, for a number of purposes, such as quality improvement analysis, thus enhancing the benefit to the hospital of providing the IT service, Clark said. But, "if the doctor is using the software primarily to manage their own practice and (the doctor) only does that internally and doesn't make that information available to the hospital and the community, then the software appears to (primarily) benefit the physician," Clark said.
Privacy experts, while their opinions varied, seemed less than thrilled.
Robert Gellman, a Washington lawyer and privacy consultant, said in an e-mail that "the words 'to the extent permitted by law' seem to incorporate any HIPAA limitations." But, Gellman said, "HIPAA erects so few barriers that it may not be meaningful in this context or in others.
"I would say that the BA (business associate) agreement should protect patients' privacy interests," Gellman wrote, "and if the hospitals (who will surely write the agreements) are honest brokers, there shouldn't be any bad implications for privacy.."
Joy Pritts, a lawyer and an associate research professor with the Health Policy Institute at Georgetown University, was more strident about the privacy implications.
"It's disturbing," Pritts said. "Clearly, IRS wants to ensure that there isn't impermissible private benefit to the doctors. But it seems that IRS has gone a little overboard.
Maybe the IRS doesn't understand the breadth of this requirement," she said. "HHS interprets the HIPAA Privacy Rule as allowing providers to disclose medical records for treatment of any individualnot just the subject of the information. This has the potential to seriously undermine patient privacy."
Mark Rothstein is chairman of the privacy and security subcommittee of the National Committee on Vital and Health Statistics, which had held multiple public hearings on the implications of healthcare IT on patient privacy issues.
"I think the key language is 'to the extent permitted by law,' " Rothstein said. "HIPAA does not permit this access."
Deborah Peel, founder of Austin, Texas-based, Patient Privacy Rights Foundation, in an e-mail, said the group "deplores" the memorandum, decrying what she called "a dirty little secret"that many hospitals sell patient data as a revenue source. "By 'giving' physicians electronic records that they can data-mine, hospitals have just massively enhanced the value of the data they sell to third parties. Physicians who accept EHRs that will be data-mined by hospitals are accepting a 'gift' that violates medical ethics and the laws of every state."
Physician leaders were generally supportive, although some of them, too, counseled caution and questioned the privacy implications.
Physician Joseph Heyman is a member of the board of trustees of the American Medical Association who has served as the AMA's point man on healthcare IT uses. In an e-mail, Heyman said the AMA is "encouraged by the IRS ruling as the cost of HIT implementation has long been a barrier to widespread adoption. Setting guidelines for tax-exempt organizations that donate HIT to physician practices can help encourage additional donations and alleviate the financial burden to physicians. We continue to believe that appropriate clinical information exchange that protects our patients' privacy can help improve America's healthcare delivery system as long as we can continue to protect the privacy patient information."
Asked specifically about the requirement that physicians share all of the records with the hospital that provides them IT services, Heyman responded: "Safeguarding the privacy and confidentiality of patient records is of utmost importance."
David Kibbe, senior adviser to the American Academy of Family Physicians, and a principal of the Kibbe Group, an IT consultancy, said the IRS, by saying hospitals may have access to physician data, appears to be supporting language in the HHS and CMS rulings that requires the systems allowed by their waivers to be interoperable.
"It certainly would not help the community if those were noninteroperable systems that were owned and operated by the practice for the benefit that goes on in that practice," Kibbe said. But, he said, "Also, it would be unacceptable to most physicians in the community if they were forced to use a hospital's system. What it says to the physician is that you have to negotiate with the hospital so you are not forced to use a product or service that is not good in primary care, or doesnt create another data island for you."
That said, Kibbe added that "We are certainly concerned about the control issue. The AAFP members are hearing from their hospitals that they're going to purchase EMRs (for them), but you have to use what the hospital wants. What theyre really talking about is single-vendor connectivity."
"Some are saying this is a great opportunity; we havent been able to afford this and now they can do it," Kibbe said. "But on the other hand, they don't want a bad product and they dont want to tie their hands to one hospital."
Lyle Berkowitz is a practicing internist, president of Back 9 Healthcare Consulting, and medical director of clinical information systems at Northwestern Memorial Physicians Group in Chicago.
According to Berkowitz, hospitals had been holding off on entering into arrangements with their affiliated physicians until the IRS shoe finally dropped.
"With that said," Berkowitz commented in an e-mail, a subsidizing hospital having access to a physicians patient's EMRs "will definitely spook a lot of doctors."
"Relationships between hospital management and independent physicians are often rocky," he added, and something like this will increase paranoia levels further. When discussing this subject, I have even heard these same doctors say things like 'Will they try and steal my patients?' or 'Will they do quality review of my care and get rid of me if I don't meet some criteria they create?'
"And even when we get past this hurdle, the next question is whether this is really a good value for independent physicians," Berkowitz said. "Just because a hospital sponsors a system and makes it cheaper does not help physicians if the end result is still a system that slows them down and does not increase revenues."
Robert Tennant, senior policy adviser for the Medical Group Management Association, sees the IRS ruling as a mixed blessing for groups.
"It's positive that they sort of gave the green light for nonprofit hospitals," Tennant said. "At the same time, we're certainly counseling our members to perform the same type of due diligence as if they were outright purchasing a system for their offices. As someone said, a bad EHR is worse than no EHR."
Doctors "need to understand there are significant costs to be borne beyond what is provided by the hospital and the 15% co-payment, including the hardware and the ongoing maintenance as well," Tennant said. (Under the HHS rulings last summer, hospitals could subsidize no more than 85% of the cost of the IT systems they were providing.)
One question the MGMA has about the ruling is its scope.
"We've had trouble getting a real good definition of community," Tennant said.
In addition, the MGMA also sees the ability of the hospitals to data-mine physician records as a concern.
"I think they (the IRS) are trying to find a hook for the hospital, he said. Why would a hospital want to enter these types of arrangements? They may have access to a large pool of data that they may do various things with, benchmarking or analysis. However, it raises all sorts of issues."
The language of the clause says hospitals, "may have access," Tennant notes, but, "I wonder if that will be interpreted as 'should.' "
Tennant said he recalls no similar provisions in the CMS and HHS rules of last August, "This is something out of the blue."
Tennant said the IRS may be attempting to foster interoperability with the provision, as Kibbe suggests, "But in my mind, that's when the hospital and the physician have the same patient, and they'd be able to access the discharge summary or the last five EKGs. That makes a lot of sense, if it's by consent of both parties."
Another question is whether, under HIPAA, a hospital can access data of a patient who is not its own. By Tennant's read, HIPAA has a provision that could be stretched to cover the possibility.
"It's called other healthcare operations," Tennant said. The current HIPAA privacy rule, as it was amended by HHS in 2002, gives "regulatory permission" to hospitals for the sharing of data without patient consent for treatment, payment and other healthcare operations, a reversal of the original privacy rule HHS created in 2000 that required patient consent for treatment, payment and other healthcare operations.
"Practices may or may not want to share access to their data, but unfettered access is going to be an issue," Tennant said.
Clarke, the IRS official, said although the agency has no plans to produce a more detailed version of the policy memorandum, it is not written in stone, either. "There is only so far we can go with a directive like this," Clarke said. "I know we cant satisfy everyone."What do you think? Write us with your comments at [email protected]. Please include your name, title and hometown.