GAO-04-991R, HHS's Efforts to Promote Health Information Technology and Legal Barriers to Its Adoption


This is the accessible text file for GAO report number GAO-04-991R 
entitled 'HHS's Efforts to Promote Health Information Technology and 
Legal Barriers to Its Adoption' which was released on August 13, 2004.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

August 13, 2004:

The Honorable Judd Gregg:

Chairman:

Committee on Health, Education, Labor, and Pensions:

United States Senate:

Subject: HHS's Efforts to Promote Health Information Technology and 
Legal Barriers to Its Adoption:

Dear Mr. Chairman:

Studies published by the Institute of Medicine and others have 
indicated that fragmented, disorganized, and inaccessible clinical 
information adversely affects the quality of health care and 
compromises patient safety.[Footnote 1] Health information technology 
(IT)--technology used to collect, store, retrieve, and transfer 
clinical, administrative, and financial health information 
electronically--is seen as a promising solution to this problem. 
Technologies such as electronic health records (EHR)[Footnote 2] and 
bar coding of certain human drug and biological product labels have 
been shown to save money and reduce medical errors. However, only a 
small number of U.S. health care providers have fully adopted health 
IT. Significant financial, technical, cultural, and legal barriers to 
the adoption of health IT exist. These include a lack of access to 
capital, a lack of data standards, and resistance from health care 
providers.

The Department of Health and Human Services (HHS), as a regulator, 
purchaser, health care provider, and sponsor of research, education, 
and training, has been working to promote the use of IT in public and 
private health care settings.[Footnote 3] There is no comprehensive 
catalogue of HHS's health IT efforts, however, and little is known 
about the nature and extent of the legal barriers and HHS's efforts to 
address them.

You asked us to review HHS's activities to promote health IT. We 
examined the following questions: (1) What are the major HHS 
initiatives for promoting the adoption of health IT by public and 
private health care providers? (2) What are the legal barriers to the 
adoption of health IT by health care providers, and what is HHS doing 
to surmount them? Enclosure I contains the briefing on the results of 
our study that we discussed with your staff on July 13, 2004.

To describe HHS's health IT initiatives, we asked HHS to identify its 
major activities in this area, reviewed agency documents, interviewed 
relevant HHS officials, and incorporated information from our earlier 
work on health IT. We primarily focused on health IT used in clinical 
health care delivery (e.g., EHR) and did not examine disease 
surveillance systems and telemedicine. Some HHS IT initiatives we 
describe have recently been implemented or are still in the planning 
stages, and so results to date are limited. In addition, the status of 
the initiatives is subject to change pending completion of an 
organizational review by the newly established HHS Office of the 
National Coordinator for Health Information Technology (ONCHIT). To 
identify legal barriers, we reviewed the literature and interviewed HHS 
and other federal officials, health care providers, health care 
attorneys, and other health IT experts. We did not address barriers 
that may be associated with privacy and security issues. We performed 
our work from May 2004 through August 2004 in accordance with generally 
accepted government auditing standards.

Summary:

HHS reported that it has 19 major health IT initiatives that cover a 
broad range of activities and participants. In fiscal year 2004, HHS 
provided about $228 million for these initiatives. Some of them--the 
Council on the Application of Health Information Technology (CAHIT), 
the National Health Information Infrastructure (NHII), the Consolidated 
Health Informatics (CHI) Initiative, and the Federal Health 
Architecture (FHA)--are designed to provide overall leadership and 
coordination for health IT across HHS, other federal agencies, and 
other public-and private-sector organizations. The majority of 
initiatives and most of the funding, however, are for health IT 
programmatic activities and grant programs administered by HHS 
operating divisions such as the Agency for Healthcare Research and 
Quality (AHRQ) and the Centers for Medicare and Medicaid Services 
(CMS). These initiatives range from support for the development of 
standard clinical terminologies to funding of demonstrations of health 
information systems. On July 21, 2004, the National Health Information 
Technology Coordinator delivered a framework for strategic action to 
the Secretary of HHS for promoting the adoption of health IT.

Various laws present barriers to adoption of health IT, and at the time 
of our review HHS's efforts to address these barriers had been limited 
in scope. Experts we interviewed indicated that beyond legal issues 
related to the privacy and security of health information, there are 
various laws--some specifically health-related and some not--that 
present barriers to the adoption of health IT. These laws involve fraud 
and abuse, antitrust, federal income tax, intellectual property, 
malpractice, and state licensing. In the area of fraud and abuse, for 
example, both the Physician Self-Referral (Stark) Law and the Anti-
kickback Law present barriers by impeding the establishment of 
arrangements between providers--such as the provision of IT resources-
-that would otherwise promote the adoption of health IT. Because the 
laws frequently do not address health IT arrangements directly, health 
care providers are uncertain about what would constitute violations of 
the laws or create a risk of litigation. To the extent there are 
uncertainties and ambiguity in predicting legal consequences, health 
care providers are reluctant to take action and make significant 
investments in health IT. HHS has attempted to address some of the 
legal barriers posed by the fraud and abuse laws, but experts told us 
these efforts have not been sufficient to overcome the reluctance of 
the providers. Further, little attempt has been made by other federal 
agencies to address other laws that may present barriers.

Agency Comments:

HHS reviewed a draft of this report and provided comments. HHS asked us 
to highlight other actions it has taken to advance health IT in areas 
such as privacy and security standards, disease surveillance systems, 
and telemedicine. However, as we noted in the report, our work was 
focused on health IT used in clinical health care delivery (EHR, for 
example) and not on other health IT issues. HHS emphasized that the 
federal anti-kickback and self-referral statutes provide important 
protections against fraud and abuse, and that exceptions or safe 
harbors from these statutes must be carefully crafted to exclude 
abusive arrangements. We recognize the significant role these laws play 
in deterring fraud and abuse, but the experts we consulted consistently 
told us that these laws present barriers to the adoption of health IT. 
In particular, we found that there was uncertainty about what would 
constitute a violation of the law and this uncertainty itself created a 
barrier for promoting beneficial health IT arrangements. HHS's written 
comments and our more detailed responses to them are in enclosure II. 
HHS also provided technical comments, which we incorporated as 
appropriate.

We are sending copies of this report to the Secretary of Health and 
Human Services and other interested officials. We will also provide 
copies to others on request. In addition, the report will be available 
at no charge on the GAO Web site at http://www.gao.gov. If you or your 
staff have any questions or need additional information, please contact 
me at (202) 512-7119. Another contact and key contributors are listed 
in enclosure III.

Sincerely yours,

Signed by: 

Janet Heinrich:

Director, Health Care--Public Health Issues:

Enclosures - 3:

Enclosure I: 

[See PDF for images]

[End of slide presentation]

[End of section]

Enclosure II: Comments from the U.S. Department of Health and Human 
Services: 

DEPARTMENT OF HEALTH & HUMAN SERVICES:	
Office of inspector General:

AUG 9 2004:

Ms. Janet Heinrich:
Director, Health Care - Public Health Issues: 
United States Government Accountability Office: 
Washington, D.C. 20548:

Dear Ms. Heinrich:

Enclosed are the Department's comments on your draft correspondence 
entitled, "HHS's Efforts to Promote Health Information Technology and 
Legal Barriers to Its Adoption" (GAO-04-991 R). The comments represent 
the tentative position of the Department and are subject to 
reevaluation when the final version of this report is received.

The Department provided several technical comments directly to your 
staff.

The Department appreciates the opportunity to comment on this draft 
report before its publication. 

Sincerely,

Signed by: 

Dara Corrigan:

Acting Principal Deputy Inspector General:

Enclosure:

The Office of Inspector General (OIG) is transmitting the Department's 
response to this draft report in our capacity as the Department's 
designated focal point and coordinator for Government Accountability 
Office reports. OIG has not conducted an independent assessment of 
these comments and therefore expresses no opinion on them.

Department of Health and Human Services Comments on Government 
Accountability Office's Correspondence entitled "HHS 's Efforts to 
Promote Health Information Technology And Legal Barriers to Its 
Adoption "(GAO-04-991R):

Department of Health and Human Services (HHS) Secretary Tommy G. 
Thompson enthusiastically supports the promotion of health information 
technology (HIT) and has been actively supporting it. In May and late 
July, he held summits on HIT, noting that "America needs to move much 
faster to adopt information technology in our health care system." He 
is moving HHS forward with the appointment of Dr. David Brailer, the 
release of the Framework for Strategic Action, and the launching of the 
slide show "Decade of HIT." GAO's proposed correspondence provides a 
baseline to kick-off the decade.

1. A general weakness of the slide presentation is that it focuses 
narrowly on the electronic health records (EHR) and does not 
acknowledge systems issues of interoperability among providers, the 
personal health record, or linkages to public health. There is also no 
sense of the challenge for public policy in developing appropriate 
incentives for the adoption of the EHR in the private sector.

2. This report does not address the efforts HHS has made to advance HIT 
by adopting privacy and security standards for health information, as 
well as standards for electronic transactions. It should be noted that 
HHS has adopted, under Health Insurance Portability and Accountability 
Act, final rules regarding the privacy and security of health 
information and standards for electronic transactions. The Department 
has begun enforcing the Privacy Rule and Transactions Rule, and will 
begin enforcing the Security Rule in April 2005. While there are some 
issues that may need to be worked out with respect to compliance with 
the Privacy and Security Rules in adopting HIT, these protections help 
address one of the President's goals set forth in his Executive Order 
and could help overcome significant barriers to adoption of HIT.

3. The report fails to address the risk of fraud or abuse that might 
arise when hospitals or other entities give valuable items or services 
to potential referral sources. The Federal anti-kickback statute and 
the Federal physician self-referral law provide important protections 
against fraud and abuse. In enacting these statutes, Congress sought to 
curb improper financial incentives that distort medical decision-
making, potentially harming the Federal health care programs and their 
beneficiaries. Improper financial incentives can lead, directly or 
indirectly, to overutilization of items and services, increased costs 
to programs and beneficiaries, compromised medical judgment, and unfair 
competition.

In this regard, the first bullet on page 48 of Enclosure 1 appears to 
suggest, inappropriately, that "all arrangements that parties may wish 
to establish to promote the adoption of HIT" should be subject to a 
physician self-referral exception or anti-kickback statute safe harbor. 
In addition, on page 46 of the enclosure, GAO asserts that physician 
reluctance to pay for HIT is the only reason hospitals might wish to 
furnish physicians with HIT hardware, software, or other resources. 
There is legitimate concern, however, that hospitals or other providers 
or suppliers may provide free or deeply 
discounted HIT to physicians (particularly physicians whom they do not 
employ) in an effort to influence referral decisions, which may result 
in fraud or abuse. For example, an arrangement that links the provision 
of free HIT to the generation of a volume of referrals for the entity 
providing the HIT could result in physicians over-ordering services or 
inappropriately steering beneficiaries to particular providers (and 
potentially restricting beneficiary choice) in order to "earn" the free 
HIT. Similarly, larger entities with deeper pockets and greater ability 
to fund HIT may compete for referrals of Federal health care program 
business by offering free HIT, potentially disadvantaging smaller or 
publicly-funded entities, such as some community hospitals.

Accordingly, we believe the report should recognize that creating 
physician self-referral law exceptions and anti-kickback statute safe 
harbors requires careful consideration of the potential for fraud and 
abuse. Any exceptions or safe harbors would need to be crafted 
carefully to exclude abusive arrangements.

4. We disagree with the assertion that "[b]ecause [fraud and abuse laws 
and other laws] frequently do not address HIT arrangements directly, 
health care providers are uncertain about what would constitute 
violations of those laws or create a risk of litigation" (page 3 of the 
report and page 45 of Enclosure 1). We disagree that Federal health 
care program fraud and abuse laws are unclear or that parties do not 
understand what the laws prohibit. The fact that these and other laws 
do not specifically address HIT arrangements does not mean that their 
applicability to such arrangements is unclear or unpredictable.

5. We disagree with the suggestion in the third bullet on page 48 of 
Enclosure 1 that an Office of Inspector General (OIG) advisory opinion 
is of limited practical value. A favorable advisory opinion ensures 
that the recipient will not be subject to OIG sanctions. We believe the 
bullet would be more accurate if it stated that "such case-by-case 
guidance is not an appropriate mechanism for addressing broader 
industry concerns." We believe this statement more clearly reflects the 
intent of the bullet point.

6. Also on page 46 of Enclosure 1, it should be noted that the Centers 
for Medicare and Medicaid Services (CMS) has accepted public comments 
and is currently engaged in rulemaking with respect to the community-
wide HIT exception, including the definition of the term "community-
wide."

7. The report concludes in several places that the Federal physician 
self-referral law and anti-kickback statute inhibit arrangements 
between physicians and hospitals or other entities that would promote 
adoption of HIT. We think it worth noting that barriers exist unrelated 
to these statutes, including cost and physician resistance to the use 
of HIT.

8. We do not believe that there is unanimous agreement that hospitals 
should pay for HIT used by physicians who are not employed by hospitals 
and who will use the IT resources in the context of their own office 
practices.

9. We note that the report appears to suggest that HHS has failed to 
address antitrust, tax, intellectual property, malpractice liability, 
and state licensing laws. HHS has no legal jurisdiction over those 
laws.

10. The report neglects to mention the role of the National Committee 
on Vital Health Statistics (NCVHS) as specified in the Medicare 
Prescription Drug, Improvement and Modernization Act, and progress to 
date. NCVHS is mentioned later in several places, but there is no 
context for this information.

11. GAO provided guidance that telehealth/telemedicine initiatives 
should be excluded in the inventory of programs. Health Resources and 
Services Administrations program incorporates many of the goals and 
activities described in the GAO slides. Therefore, it may now be 
relevant to include information about the Telehealth Network Grant 
Program. 

GAO's Responses to HHS's Comments:

HHS provided 11 specific comments about various issues in the draft 
report, and our response to these comments is as follows:

Background and Scope of Work:

HHS commented that our briefing slides had a narrow focus and did not 
acknowledge other actions it has taken in areas such as 
interoperability, privacy and security standards for health 
information, and telehealth/telemedicine (comments 1, 2, and 11). We 
were specifically asked by our requestor to focus our work on health IT 
used in clinical health care delivery (e.g., EHR) and not on other 
health IT issues. In addition, we were asked to look at specific legal 
barriers to the adoption of health IT that did not include privacy and 
security concerns. HHS also said that besides the self-referral and 
anti-kickback laws, there are other barriers to the adoption of health 
IT, including cost and physician resistance (comment 7). We described 
those barriers on page 12. HHS provided additional information about 
the role of the National Committee on Vital and Health Statistics as 
specified in the Medicare Prescription Drug, Improvement, and 
Modernization Act of 2003 (comment 10). We added this information to 
the background section of our briefing slides.

Legal Barriers:

HHS stated that we failed to address the risk of fraud and abuse when 
hospitals or other entities give valuable items or services to 
potential referral sources (comment 3). We recognize the role the 
federal fraud and abuse laws play in deterring such health care 
violations but experts consistently told us that these laws present a 
barrier to the adoption of health IT. We revised our report in response 
to HHS's comment that is difficult to craft appropriate safe harbors 
that would prevent fraud and abuse.

HHS disagreed that fraud and abuse and other relevant laws are unclear 
and that health care providers are uncertain about what may constitute 
violations of those laws or create risks of litigation (comment 4). 
However, health care providers, attorneys, and other experts 
consistently told us that they were uncertain about the application of 
the laws to health care IT and what may constitute statutory violations 
or create risks of litigation. This uncertainty constitutes a barrier 
for promoting beneficial health IT arrangements.

HHS disagreed with our conclusion that an Office of Inspector General 
advisory opinion is of limited practical value and suggested 
alternative wording (comment 5). We revised the wording as suggested. 
In its technical comments, HHS also noted that the Secretary can issue 
an advisory opinion on whether a health IT arrangement would violate 
the self-referral law, and we added this information to our report. We 
also revised our report to reflect that CMS has accepted public comment 
on the March 26, 2004 interim rule and is currently engaged in 
rulemaking with respect to the definition of "community-wide" (comment 
6).

HHS said that there is not unanimous agreement that hospitals should 
pay for health IT used by physicians who are not employed by hospitals 
and who will use the IT resources in their office practices (comment 
8). We did not suggest that hospitals should pay for health IT for 
physicians. Experts told us that if hospitals want to develop such 
arrangements, the fraud and abuse laws may be barriers.

Finally, HHS clarified that HHS has no legal jurisdiction over 
antitrust, tax, intellectual property, malpractice liability and state 
licensing laws and therefore cannot address these barriers (comment 9). 
We revised our report to make this distinction clear.

[End of section]

Enclosure III: GAO Contact and Staff Acknowledgments:

GAO Contact:

Martin T. Gahart, (202) 512-3596:

Acknowledgments:

In addition to the person named above, Gigi Barsoum, Anne Dievler, M. 
Saad Khan, Roseanne Price, M. Yvonne Sanchez, and Craig Winslow made 
key contributions to this report.

(290385):

FOOTNOTES

[1] See, for example, Institute of Medicine. Crossing the Quality 
Chasm: A New Health System for the 21st Century: (Washington, D.C.: 
National Academy Press, 2001).

[2] An EHR generally includes a longitudinal collection of electronic 
health information about the health of an individual or the care 
provided; immediate electronic access to patient-and population-level 
information by authorized users; decision support to enhance the 
quality, safety, and efficiency of patient care; and support of 
efficient processes for health care delivery.

[3] Outside of HHS, the Department of Veterans Affairs (VA) and the 
Department of Defense (DOD) are considered by experts to be leaders in 
the use of health IT, particularly in the adoption of EHR systems for 
their constituents.