On Friday, November 6, 2013, the Centers for Medicare & Medicaid Services (CMS) and the Office of National Coordinator of Health Information Technology (ONC) announced their proposal to extend the timeline by which eligible healthcare providers must demonstrate a “meaningful use” (MU) of a certified electronic health record (EHR) in compliance with the MU Stage 2 criteria set forth in regulations issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. Originally, eligible providers who demonstrated Stage 1 MU by the end of 2013 would have had to demonstrate at least 3 months of Stage 2 MU by September 30, 2014 for eligible hospitals and critical access hospitals (CAHs) and by December 31, 2014 for eligible professionals, do one more year of Stage 2 in 2015, and then move to Stage 3 by 2016. The CMS – ONC apparently will give all eligible providers more time to stay in Stage 2, stating: “Under the revised timeline, Stage 2 will be extended through 2016 and Stage 3 will begin in 2017 for those providers that have completed at least two years in Stage 2.” In essence, the start of Stage 3 is being delayed and, apparently (pending further rule making), nothing else.
By Margaret Levi and Kathie McDonald-McClure
As we previously reported in a blog post on September 24, 2013, an eligible professional, eligible hospital, or critical access hospital receiving an incentive payment for the meaningful use (MU) of electronic health records (EHRs) will likely be subject to a stringent audit from either Medicare or Medicaid. The fact that these MU audits are underway is now fully evident.
We have heard from several sources that CMS auditors are hitting Tennessee and Kentucky hospitals and physician practices and demanding repayment of meaningful use incentive monies if providers cannot fully back up their attestations for Stage 1 compliance in every respect.
Even as health care providers have moved to convert from paper to electronic health records, it remains just as important to continue to protect paper health information records. While the majority of data breaches involve mobile devices such as laptops and flash drives, a significant number of large data breaches (those affecting 500 or more individuals)
by Margaret Young Levi and Kathie McDonald-McClure
The U.S. Department of Health & Human Services Office for Civil Rights (“OCR”) has a new acronym, “LoProCo,” relating to assessing data breaches under HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the HIPAA Omnibus Rule that became effective March 26, 2013.
It is OCR’s position that a breach is
Saturday, November 30, 2013, is the last day for hospitals and critical access hospitals (CAHs) to register and attest to receive an incentive payment for FY2013 under the Medicare Electronic Health Record (EHR) Incentive Program. In the flurry of Thanksgiving activities, holiday travel and Black Friday shopping, don’t forget to take advantage of this deal. The Centers for Medicare and Medicaid Services (CMS) has posted a reminder of these deadlines on its Medicare & Medicaid EHR Incentive Program Registration & Attestation System webpage.
NOTE: On February 18, 2010, we posted an article about what to do with paper medical records when converting to an electronic health record (EHR). To date, this has been the most popular article on the HITECH Law Blog. We decided to re-review the topic, update it, and repost it. Actually, not much has changed in the way of the law applicable to this topic. So, the article below reiterates most of the tips from our original article with a few refinements, including additional information about retention periods.
Many hospitals have electronic health records (EHRs) that are hybrid digital records. While the hospital may be using electronic data entry in the emergency department, inpatient nursing care, pharmacy, lab, and pre-op anesthesia, oftentimes, these EHRs are not integrated and, thus, are not merged into a single EHR. The short-term solution may have been to scan printed records from some department, like lab or pharmacy, into the patient’s on-line digital record. As a result, the hospital’s “electronic health record” contains information that is not captured in a “coded format.” For one, this will not meet the “meaningful use” criteria under the HITECH Act.
But let’s assume that the hospital can overcome this hurdle by working with vendors to integrate these records in a way that will meet HITECH EHR certification standards. If the hospital has been maintaining certain portions of patient records in a paper format, what does it do with those paper records after converting to an EHR? If the hospital scans all the paper patient records into its EHR, how long should the hospital retain the paper record after it is scanned into their EHR?
More and more, health care providers are employing laptops, tablets, smartphones and other portable electronic devices in their work. And more and more, laptops and other portable electronic devices are involved in breaches of patient data. According to the Office of Civil Rights (OCR) website, 265 (or 39%) of the 674 total data breaches affecting 500 or more individuals reported to date involve either laptops or other portable electronic devices.
In order to better protect the patient information on these devices, the U.S. Department of Health and Human Services (HHS) conducted a Mobile Device Roundtable last year and solicited public comments to gather tips and information HHS considers “would be most useful to health care providers and professionals using mobile devices in their work.” These HHS tips, information and videos may help you protect and secure health information patients entrust to you when using mobile devices. Review these tips and make sure you fully analyze these devices and their movement as part of your risk analysis and risk management plans.
by Ann F. Triebsch
As we indicated in a posting last October and in a more recent August post, audits are now underway to verify that providers who received incentive monies from the Centers for Medicare and Medicaid Services (CMS) under the Health Information Technology for Economic and Clinical Health (HITECH) Act for implementation of a certified electronic health record (EHR) have indeed met the “meaningful use” (MU) criteria. The Office of the National Coordinator for Health Information Technology (ONC) has contracted with Garden City, NY-based Figliozzi and Company to conduct these audits. The audits are designed to verify that providers receiving incentive payments are using certified EHR technology in a meaningful way. These audits can be a hassle, and there are risks if you cannot promptly provide what is requested—even if you are complying with the MU criteria.
Late last week the Office for Civil Rights (OCR) of the United States Department of Health & Human Services (HHS) announced a delay in its enforcement of the requirement that certain laboratories revise their notices of privacy practices (NPPs).
As we have previously posted on the HITECH Law Blog, HHS has in the works revisions to the Clinical Laboratory Improvement Act of 1988 (CLIA) regulations concerning whether a lab must release results directly to patients. Rather than forcing labs to revise their NPPs by September 23, 2013 (today) and then revise them again when the new CLIA regulations are final, HHS chose to delay enforcement until the new CLIA-specific rule is released.
This delay applies to HIPAA-covered, CLIA-certified or CLIA-exempt laboratories that are not required to provide an individual with access to his or her laboratory test reports under the HIPAA Privacy Rule because the information is subject to the exceptions to the right of access. The delay does not apply to laboratories that operate as part of a larger legal entity, such as a hospital, and by virtue of that relationship, do not have their own, laboratory-specific, NPPs.
To read more about the HHS Proposed Rule that will enable direct access to laboratory test results by patients, see our September 14, 2011 blog post. To read the Proposed Rule, click here.
by Ann F. Triebsch
We’ve all heard about HIPAA privacy breaches until we think there couldn’t be anything else to worry about. Think again—the Federal Trade Commission (FTC) is prosecuting privacy breaches in the health care industry as a violation of Section 5 of the FTC Act. The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is charged with enforcing HIPAA, but some of those same privacy breaches can be scrutinized by the FTC to determine if they are “unfair or deceptive acts or practices in or affecting commerce”, which the FTC Act prohibits. On August 29, 2013, the FTC filed suit in Federal District Court in Atlanta against LabMD, a medical testing laboratory, and its president, to compel it to comply with an investigative demand for information on whether it failed to properly protect private information of about 9,000 consumers (FTC v. LabMD, U.S.D.C. N.D. Ga., Case No. 1:12-CV-3005).
by Margaret Young Levi
Reminder: the clock is ticking for covered entities and business associates to come into compliance with new requirements under the HITECH-HIPAA Omnibus Rule. Monday, September 23, 2013 is the deadline for covered entities and business associates to put into place new Business Associate Agreements (“BAAs”). As we blogged on March 4th, any new BAAs signed after January 24, 2013 should comply with added requirements under the Omnibus Rule. These new agreements must be signed and in place by September 23, 2013.
Current BAAs (those signed on or before January 24, 2013) will be grandfathered and deemed HIPAA compliant through September 23, 2014, at which time the BAA will need to have been amended for compliance with the Omnibus Rule.
As a first step, covered entities should verify that they have identified all of their business associates, particularly in light of the revised definition of “business associate” in the Omnibus Rule. Covered entities should enter into compliant BAAs with any newly identified Business Associates or with existing business associates if the agreements are renewed after January 24th (excluding those BAAs that automatically renewed).
Business associates will now be directly liable for their actions under HIPAA and should take steps to identify their downstream business associates, called “subcontractors,” and enter into BAAs with those subcontractors.
See our March 4, 2013 post for additional details.
It has been widely reported that WellPoint Inc. recently agreed to pay a $1.7 million fine to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules. The U.S. Department for Health & Human Services’ (“HHS”) press release asserts that WellPoint failed to “implement appropriate administrative and technical safeguards” required by HIPAA when it left an online application database unsecured and exposed the electronic protected health information (“PHI”) of more than 600,000 individuals. WellPoint self-reported this issue when it submitted a breach notification required under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. This breach highlights the importance of ensuring that PHI is secured when system updates are performed.
Last week, the Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) announced its new Certified HIT Mark, similar to the Good Housekeeping Seal of Approval. The Certified HIT Mark provides a way for consumers to feel confident at a glance that “the HIT meets all applicable requirements under the ONC HIT Certification Program.”
The ONC Certification Program ensures that electronic health record technologies meet the standards and certification criteria adopted by HHS to help providers and hospitals achieve Meaningful Use objectives and measures under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Additional information from the ONC about the standards and certification criteria, certified health IT product list, and the health IT certification program may be found here.
The U.S. Department for Health & Human Services (HHS) announced it is releasing technical corrections to the HIPAA Omnibus Rule tomorrow. These technical corrections are “to address public comment received on the interim final Breach Notification Rule, and to make certain other modifications to the HIPAA Rules to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities.” HHS “determined that the corrections in this final rule are minor, routine determinations in which the public would not be particularly interested, or about which the public has already been put on notice, given the context of the errors or omissions to be corrected.”
These technical corrections are scheduled to be published on June 7, 2013, but until then, you can download the pre-publication, PDF version here.
On May 22, 2013, Kathleen Sebelius, Secretary of the United States Health & Human Services Department, announced that over 50 percent of doctors and over 80 percent of hospitals are making a “meaningful use” of electronic health records (EHRs) and have received incentives for such use. By comparison, in 2008, just nine percent had adopted EHRs. Secretary Sebelius credits the “dramatic increase” in adoption of EHRs to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) that was passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). The HITECH Act awards incentives to eligible professionals (physicians) and hospitals who make a “meaningful use” of EHR technology that has been certified by the HHS Office of National Coordinator of Health Information Technology (ONC). The HHS press release with further information is available here.
On April 25, 2013, the Office of the National Coordinator for Health Information Technology (ONC) announced that it had revoked certification for two electronic health record (EHR) products that the ONC had previously certified for use as part of the incentive program implemented pursuant to the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The products for which ONC revoked certification are EHRMagic-Ambulatory and EHRMagic-Inpatient. The ONC’s press release with additional information is available here.
Whether the providers who purchased these products in reliance on the previous ONC certification will be able to recoup their investment in these products may depend on the terms of any vendor agreement signed between the parties. For providers who are purchasing ONC-certified products, this development highlights the importance of examining the provider’s EHR vendor agreement to ensure that it contains adequate warranty and indemnification provisions that will protect the provider in case the vendor’s product is de-certified by the ONC. Importantly, without “certified EHR technology”, the provider will not qualify for the HITECH Act’s meaningful use incentive payments.
Kentucky Health Information Exchange (KHIE) sent out an alert on Thursday, April 18, 2013, indicating that it will accept applications from 13 providers who are seeking financial assistance to qualify for the HITECH Act’s Meaningful Use incentive payments.
By Ann F. Triebsch and Kathie McDonald-McClure
Barely two weeks after Rep. Jim McDermott (D-Wash) sent a letter to the HHS Office of the Inspector General (OIG) requesting that the Anti-Kickback Statute’s “safe harbor” allowing hospitals to donate electronic health record (EHR) items and services to physicians be extended, the OIG has proposed a rule to do exactly that. On April 10, 2013, the OIG proposed a rule to extend the Anti-Kickback Statute safe harbor from December 31, 2013, to December 31, 2016. On the same date, the Centers for Medicare & Medicaid Services (CMS) proposed a complementary rule to extend the Stark Law’s similar EHR exception to December 31, 2016.
The anti-kickback “safe harbor” allowing hospitals to donate electronic health record (“EHR”) equipment to physicians who may refer patients to their facility is set to expire on December 31, 2013, but efforts have begun to have the safe harbor extended. The safe harbor, created in 2006, allows hospitals to donate EHR and electronic prescribing technology to practices for the purpose of setting up or improving EHR systems, provided that the practice covers 15% of the cost of the EHR technology, without risk of anti-kickback enforcement. The purpose was to incentivize the meaningful use of EHR systems, and Medicare incentive payments for EHR adoption will continue through 2016.
Rep. Jim McDermott (D-Wash.) sent a letter on March 28 to Greg Demske, chief counsel of the HHS Office of Inspector General, asking OIG to extend the safe harbor provision. He emphasized Washington’s goal of reducing healthcare costs and eliminating wasteful spending, and pointed out that an extension would further that goal. He called the safe harbor provision “a common-sense policy” that “encourages collaboration among providers, yet also contains rigorous requirements that providers must meet in order to protect the Medicare and Medicaid programs from the few unscrupulous providers who would donate electronic health record software in exchange for referrals.” Earlier this year, the Federation of American Hospitals also showed support for renewing the EHR safe harbor.
To read Rep. McDermott’s letter, click here.
To read the Federation of American Hospitals letter, click here.
Stay tuned for further action on an extension.
A new bill entitled the “Electronic Health Records Improvement Act” has been introduced in the U.S. House of Representatives. Its stated purpose is to “amend certain requirements and penalties implemented under the Medicare and Medicaid programs by the HITECH Act of 2009, which would otherwise impede eligible professionals from adopting electronic health records to improve patient care.” Most notably, this bill proposes two new exemptions to the requirements to be a meaningful user of electronic health records (“EHRs”) that will be beneficial to solo physician practices and physicians nearing retirement:
- Eligible Professionals in Small Physician Practices. A physician who is a solo practitioner in 2015 would be exempt from the application of the downward payment adjustment for not demonstrating EHR meaningful use during the payment years 2015-2017. Implementing EHRs requires significant investments in time for vendor selection, capital, and staff resources—and solo practitioners typically do not have the necessary resources to invest in EHRs. This exemption allows undercapitalized solo practitioners an additional three years to become a meaningful EHR user.
- Exception for Certain Physicians Near Retirement Age. A physician who will be eligible for Social Security by December 31, 2015 (or will be eligible during the 5-year period following that date) is also exempt from the application of the downward payment adjustment for not demonstrating EHR meaningful use during the payment years 2015-2017. This exemption will encourage physicians nearing retirement to continue practicing medicine for several more years instead of retiring early to avoid implementing an EHR. (Because this section of the Bill uses the terms “eligible professional” (in the text) and “physician” (in the title), there is some question as to whether this exception applies only to physicians nearing retirement or also applies to other types of eligible professionals, such as dentists, chiropractors, podiatrists, and optometrists. Hopefully, this confusion will be clarified if this Bill progresses into law.)
Here is a link to H.R. 1331. This Bill is currently in committee, and we will watch its progress closely.
The final HIPAA-HITECH Omnibus Rule (Omnibus Rule), released in January, substantially increases the privacy responsibilities of a business associate that receives protected health information, such as contractors and subcontractors. These new requirements will need to be reflected in business associate agreements (BAAs) between the covered entity and the business associate as well as in agreements between a business associate and its subcontractor.
For example, BAAs must now contain provisions requiring business associates to notify the covered entity of any data breaches. Moreover, the Omnibus Rule expanded the definition of “business associates” to include subcontractors, which means business associates must now enter into BAAs with their subcontractors who access PHI.
The Department of Health & Human Services (HHS), Office for Civil Rights (OCR) has posted sample BAA provisions on its website to help covered entities and business associates more easily comply with the additional BAA requirements found in the Omnibus Rule. While these sample provisions are written for use in a contract between a covered entity and its business associate, the language may be tailored for purposes of a contract between a business associate and its subcontractor.
These sample provisions do not constitute a sample contract but are only a starting point. It is not enough to print and sign these provisions. As OCR warns, “These provisions address only concepts and requirements set forth in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, and alone may not be sufficient to result in a binding contract under State law. They do not include many formalities and substantive provisions that may be required or typically included in a valid contract. Reliance on this sample may not be sufficient for compliance with State law, and does not replace consultation with a lawyer or negotiations between the parties to the contract.” Moreover, there are common concepts in BAAs that are notably missing from the sample provisions, such as indemnification, notification, and mitigation, which should be considered for inclusion with any BAA.
If your current BAA was signed on or before January 24, 2013, then it will be deemed HIPAA compliant through September 23, 2014 (at which time the BAA will need to have been amended for compliance with the Omnibus Rule). Any new BAAs signed after January 24, 2013 should comply with the new requirements under the Omnibus Rule, and be in place by September 23, 2013.
by Ann F. Triebsch
(Updated January 27, 2013)
On January 17, 2013, the Department of Health & Human Services (HHS), Office for Civil Rights (OCR), released the final HIPAA Omnibus Rule (Omnibus Rule) implementing the HITECH Act of 2009 and the Genetic Information Nondiscrimination Act of 2008 (GINA). The Omnibus Rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s enforcement capabilities. The regulations are published in the January 25, 2013 Federal Register, and will be effective on March 26, 2013, with compliance required by September 23, 2013.
We will discuss the highlights of the new regulations, topic by topic, in this blog over the next few weeks, but we begin with a key piece of information relevant to existing business associate agreements. The new regs substantially increase the privacy responsibilities of a business associate that receives protected health information, such as contractors and subcontractors. Business associates may also be liable for increased penalties for noncompliance based on the level of negligence, up to a maximum penalty of $1.5 million.
All of the new requirements will need to be reflected in business associate agreements (BAAs). If your current business associate agreement was signed on or before January 24, 2013, it will be deemed HIPAA compliant through September 23, 2014 (at which time the agreement will need to have been amended for compliance with the Omnibus Rule). After January 24, 2013, any new BAAs signed should comply with the Omnibus Rule, and be in place by September 23, 2013.
To read the Omnibus Rule, click here.
by Ann F. Triebsch
The HHS OIG released a report on November 28, 2012, assessing CMS’ first-year performance in overseeing the Medicare EHR Incentive Program. The OIG did not give CMS high marks, but its primary recommended solution is being rejected, as it may have done more harm than good under the circumstances.
Self-Reporting Insufficient Basis. Under the program, providers implementing EHR systems and attesting that they are “meaningfully us[ing]” them as defined by HITECH receive financial incentives, which can help offset the not-insubstantial costs of the systems. The gathering of data for the attestation to CMS can be a time-consuming process. CMS checks the data submissions via its own computer logic, and if the submission is approved, the incentive payment is sent. In its report, OIG says CMS has paid out about $4 billion in incentive payments to providers to date, with a total of $6.6 billion estimated by 2016. However, OIG points out that because the computer logic checks are not complete or fool-proof, but rather rely on self-reported data, the incentive program is “vulnerable” to fraud, paying incentives where meaningful use requirements are not fully met. OIG recommended that CMS undertake prepayment reviews of substantiating documentation from certain providers, based on risk analyses, rather than using the “pay and chase” model it is moving away from.
Sticking with the Plan. CMS declined to follow OIG’s prepayment review recommendation, citing the increased up-front burden on providers, as well as delayed incentive payments. CMS put it politely, but we couldn’t agree more. Providers have incurred substantial debt to purchase these EHR systems, and some are throwing up their hands, or worse, in frustration as they make the switch from paper, input so much new data, learn their new systems and try to integrate them with other existing systems. To delay the incentive payments, which are the carrot to encourage providers to adopt this technology that CMS and the Obama administration so fervently want, especially in the absence of any suspected or proven abuse to date, would be politically untenable, and counterproductive to the worthy goals of HITECH.
Other Recommendations. CMS did agree with OIG’s other recommendation to issue guidance on the types of documentation it expects providers to maintain to support their compliance with the “meaningful use” requirements, and indicated it would soon be posting a FAQ document on this subject. OIG recommended that the Office of the National Coordinator for Health Information Technology (ONC) require certified EHR technology to be capable of producing reports for yes/no meaningful use measures, where possible, which is not a current capability in many systems, and that it improve the certification process to ensure accurate EHR reports. ONC concurred with these two recommendations.
While verification of meaningful use attestations always would have been a possible topic for CMS audits of providers, this OIG assessment of the first year of the EHR Incentive Program may provoke CMS to investigate the topic more closely. But for now, CMS made a well-considered decision to keep its resources where they are, and not begin a witch-hunt when there is no sign of widespread evil intent.
On December 7, 2012, the Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS) published an interim final rule with comment period to make revisions to the 2014 Edition Electronic Health Record (EHR) and revisions to the EHR Incentive Program. Specifically, this rule will:
- Replace the Data Element Catalog (DEC) standard and the Quality Reporting Document Architecture (QRDA) Category III standard adopted in the final rule published on September 4, 2012 with updated versions of those standards.
- Revise the Medicare and Medicaid EHR Incentive Programs by adding an alternative measure for the Stage 2 meaningful use (MU) objective for hospitals to provide structured electronic laboratory results to ambulatory providers, correcting the regulation text for the measures associated with the objective for hospitals to provide patients the ability to view online, download, and transmit information about a hospital admission, and making the case number threshold exemption for clinical quality measure (CQM) reporting applicable for eligible hospitals and critical access hospitals (CAHs) beginning with FY 2013.
- Provide notice of CMS’s intention to issue technical corrections to the electronic specifications for CQMs released on October 25, 2012.
This interim final rule will be effective January 5, 2012.
by Ann Triebsch
The 2013 Work Plan released October 2, 2012, by the HHS Office of the Inspector General (OIG), demonstrates that even the health care industry’s brand-new electronic health records (EHR) initiative is already under scrutiny for potentially abusive and erroneous practices by some providers. The Work Plan lists three activities that indicate that the OIG is not planning to let any bad habits (or bad actors) get established as providers get comfortable with their new EHR systems.
Stage 2 of Meaningful Use under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) requires providers who want the HITECH Act’s EHR incentive payments to ensure that at least some patients are engaged and are actually using their electronic health records (EHRs). The Final Rule for the Stage 2 criteria calls for eligible professionals (EPs), eligible hospitals and critical access hospitals (CAHs) to provide a means for patients to access their health care information online. EPs must also provide a means for patients to send secure messages electronically; however, patients have to actually use these services in order for providers to meet these new measures for making a Meaningful Use of certified EHRs.
First, the Centers for Medicare & Medicaid Services (CMS) released the long-awaited final rule to govern Stage 2 of the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs. The rule specifies the Stage 2 criteria that eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) must meet in order to continue to participate in the EHR Incentive Programs.
- Click here for the full text of CMS’s final rule.
- Click here to see the fact sheet on CMS’s final rule.
Second, the Office of the National Coordinator for Health Information Technology (ONC) also announced a related final rule, which specifies the technical capabilities and related standards and implementation specifications that Certified EHR Technology will need to include to support the achievement of meaningful use by EPs, eligible hospitals, and CAHs under the EHR Incentive Programs.
- Click here for the full text of the ONC rule.
- Click here to read a fact sheet on ONC’s standards and certification criteria final rule.
Stay tuned. We will be posting more about these final rules in the days to come.
In order to receive Medicare EHR incentive payments, providers must attest to CMS that they meet Meaningful Use (MU) criteria using certified EHR technology. Any provider attesting to receive an EHR incentive payment for either the Medicare EHR Incentive Program or the Medicaid EHR Incentive Program potentially may be subject to an audit. If an audit finds a provider is not eligible for an EHR incentive payment because it does not meet MU criteria, then the incentive payment will be recouped. Here’s what providers need to know to prepare for an audit:
In our November 2011 blog post, we told you about the launch of HIPAA privacy and security audits mandated by Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). KPMG, Inc. was awarded the contract to develop the audit protocol and conduct these audits last fall and, on March 1, 2012, completed its initial group of 20 audits aimed at testing the audit protocol. The United States Department of Health & Human Services’ (HHS) Office of Civil Rights (OCR) recently issued a preliminary report of the results (click here to see OCR’s slide presentation of the 2012 HIPAA Privacy and Security Audits Report).
The Office of the National Coordinator for Health Information Technology (ONCHIT) recently released a 47-page Guide to Privacy and Security of Health Information. The Guide provides direction to providers on protecting patient privacy and securing their health information in an electronic health record (EHR) for purposes of complying with the Heath Insurance Portability and Accountability Act (HIPAA) as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Guide also addresses compliance with certain Meaningful Use (MU) standards that have been promulgated pursuant to the HITECH Act’s incentive program for adopting and implementing EHRs.
On Thursday, February 23, 2012, the Centers for Medicare and Medicaid Services (CMS), pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, released a 455-page Proposed Rule specifying the Stage 2 criteria that eligible professionals (EPs), eligible hospitals and critical access hospitals (CAHs) must meet in order to qualify for Medicare and/or Medicaid incentives related to electronic health records (EHRs). The Proposed Rule also proposes to modify certain Stage 1 criteria, as well as criteria that apply regardless of Stage, as previously published in the Final Rule on July 28, 2010 in the Federal Register. The proposed provisions related to Medicaid (calculations of patient volume and hospital eligibility) would take effect shortly after the finalization of the Proposed Rule and would not be subject to the proposed one-year delay for Stage 2 meaningful use of a certified EHR. The Proposed Rule states that the changes to Stage 1 would take effect for 2013, but that most changes would be optional until 2014. Last but not least, the Proposed Rule addresses the Medicare payment adjustments that will take place for EPs, eligible hospitals and CAHs who fail to demonstrate a meaningful use of certified EHRs by 2015 and proposed exceptions to such adjustments.
The deadline is quickly approaching for mandatory data breach reporting to the United States Department of Health & Human Services (HHS) under the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Covered entities must report data breaches involving fewer than 500 individuals to HHS within 60 days following the end of the calendar year in which the breach occurred. Because 2012 is a leap year, covered entities that experienced a data breach involving fewer than 500 individuals in 2011 should submit data breach notification reports to HHS by February 29, 2012.
On November 30, 2011, U.S. Department of Health and Human Services (HHS) Secretary Kathleen Sebelius issued a press release announcing proposed steps to encourage physicians and hospitals to adopt electronic health records (EHRs) this year and receive incentive payments made available under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009 (ARRA).
Under the HITECH Act, physicians and hospitals have the opportunity to earn financial incentives from Medicare and Medicaid if they demonstrate the adoption and meaningful use of certified EHRs in a series of three stages. Under the current rules, physicians and hospitals that adopt EHRs in 2011 and attest to meeting Stage 1 meaningful use standards by February 28, 2012 must meet Stage 2 standards in 2013. If they wait until 2012 to attest to Stage 1, providers could delay Stage 2 compliance until 2014. To encourage more providers to adopt EHRs in 2011, instead of waiting until 2012, HHS proposes to allow providers who qualify for Stage 1 meaningful use in 2011 an extension until 2014 to meet Stage 2 standards. HHS clarified that providers first attesting to meaningful use in 2011 qualify for both 2011 and 2012 incentive payments.
These proposed steps are consistent with June 2011 recommendations from the Health IT Policy Committee (HITPC). As we reported this summer, HITPC advocated that providers who begin to attest to meaningful use in 2011 be provided an extra year “to phase in the stage 2 expectations (i.e., Stage 2 for those who attest in 2011 would begin in 2014).” HHS listened!
HHS intends to publish this extension in the Stage 2 meaningful use Notice of Proposed Rulemaking (NPRM) in February 2012.
At the same time, HHS also released new data from the Centers for Disease Control and Prevention (CDC) showing increased adoption of EHRs by physicians. The CDC report documented that physicians’ adoption of health information technology (IT) doubled in two years, and 52% of physicians intend to apply for meaningful use incentives, up from 41% in 2010. Click here to access additional information about achieving meaningful use, including the CDC report.
The Centers for Medicare and Medicaid Services (CMS) announced today, October 20, 2011, that the use of certified electronic health records (EHRs) will be the highest-weighted quality measure for an Accountable Care Organization (ACO) under the new Medicare Shared Savings Program.
ACOs are designed to encourage primary care doctors, specialists, hospitals, and other health care providers to coordinate their care. The CMS Final Rule on ACOs bases the amount of shared savings that an ACO may receive for its performance on four domains of quality: 1) quality standards on patient experience; 2) care coordination and patient safety; 3) preventive health; and 4) at-risk populations. To earn shared savings the first performance year, providers must report across all four domains of quality, which include a total of 33 quality measures. Providers will begin to share in savings based on how well they perform on 23 of the 33 quality measures in the second performance year and on 32 of the 33 measures in the third performance year.
Measure 20 of the 33 quality measures requires ACOs to report the percentage of primary care providers (PCPs) who successfully qualify for an EHR Incentive Program payment. CMS expanded the scope of PCPs who can be counted in this measure by eliminating the requirement that the PCP be a “meaningful EHR user” as defined in 42 C.F.R. § 495.4 of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. CMS stated that it “decided to . . . expand [measure 20] to include any PCP who successfully qualifies for an EHR Incentive Program incentive rather than only including those deemed meaningful users.”
After the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, the interest in storing and accessing health information online increased, prompting increased concerns about the privacy and security of such information. In September 2011, the Office of the National Coordinator for Health Information Technology (ONC) released a Personal Health Record (PHR) Model Privacy Notice for public use. This Model Notice meets ONC’s initial goal in a multi-phased, consumer project to increase consumer awareness of PHR companies’ data practices. The next phase seeks to empower consumers by providing them with an easy way to compare the data practices of two or more PHR companies.
On September 12, 2011, the Office of National Coordinator (ONC) for the United States Department of Health & Human Services (HHS) announced a Proposed Rule that will enable direct access to laboratory test results by patients. Under the Clinical Laboratory Improvement Amendments of 1988 (CLIA), laboratories must hold a CLIA certificate in order to perform one of three levels of complex laboratory tests regulated by CLIA. Even before the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), concerns have been expressed regarding the lack of clarity under state law, and the literal prohibition in some states, regarding whether a CLIA laboratory that is independent (as opposed to hospital based) may release laboratory test results directly to a patient.
UPDATE: On July 6, 2011, Farzad Mostashari, M.D., ONC Chief, backed the ONC Policy Committee’s recommendation to delay implementing Stage 2 meaningful use criteria.
On June 16, 2011, Paul Tang, M.D., as Vice Chair of the Health IT Policy Committee for the Office of National Coordinator (ONC), wrote a letter to Farzad Mostashari, M.D., the ONC National Coordinator, requesting a delay in implementing Stage 2 of the meaningful use criteria that eligible healthcare providers must meet in order to obtain the monetary incentives for adoption of electronic health records (EHRs). The monetary incentives were established pursuant to the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), which was part of the American Recovery and Reinvestment Act of 2009 (ARRA). Dr. Tang states in the letter:
The HITPC has heard from both the vendor community and the provider community that the current schedule for compliance with stage 2 meaningful use objectives in 2013 poses a nearly insurmountable timing challenge for those who attest to meaningful use in 2011. With the anticipated release of the final rule for stage 2 in June, 2012, it would require EHR vendors to design, develop, and release new functionality, and for eligible hospitals to upgrade, implement and begin using the new functionality by the beginning of the reporting year in October of 2012. After careful consideration of the trade-offs between the urgency with which new functionality is needed and the ability to safely deliver and to effectively use the new functionality, the HITPC recommends that—only for those who begin to attest to MU in 2011—an extra year be provided to phase in the stage 2 expectations (i.e., Stage 2 for those who attest in 2011 would begin in 2014).
The Committee asserts that the delay would only affect providers who implement Stage 1 in 2011. This assumes that providers who wait until 2012 to implement Stage 1 would not have been ready to implement Stage 2 until 2014 anyway. The letter also sets forth the proposals for strengthening Stage 1 criteria in Stage 2. The Committee voted 12 to 5 in favor of the recommendations in the letter. To read the entire 14-page letter, click here.
What do the Physician Quality Reporting Incentives Program (PQRI) and Hospital Inpatient Value Based Purchasing (VBP) Program have in common with the recently released proposed regulation for establishing an Accountable Care Organization (ACO)? Answer: The meaningful use measures established by the Centers for Medicare and Medicaid Services (CMS) for qualifying for incentives under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). Of course!
On April 7, 2011, CMS published the Proposed Rule on Medicare Shared Savings Program: Accountable Care Organizations in the Federal Register. The Proposed Rule sets forth the requirements that an ACO must meet in order to qualify for the cost savings that will be available to qualifying providers. Among the requirements, CMS incorporates the EHR meaningful use incentives, stating:
[T]he ACO should have a process in place (or clear path to develop such a process) to electronically exchange summary of care information when patients transition to another provider or setting of care, both within and outside the ACO, consistent with meaningful use requirements under the EHR Incentive program.
Now Medicare providers have another reason to get on board sooner rather than later with the implementation of a certified electronic health record (EHR).
Stay tuned to the HITECH Law Blog for a post that will have a more in-depth review of how the ACO requirements may impact providers in regard to the implementation and use of certified EHRs, including a review of the overlapping measures for PQRI, Hospital VBP Programs, HITECH EHR incentives and ACOs. In the meantime, to read more about the HITECH meaningful use measures utilized in the CMS Hospital VBP Program, see the article, “Certified EHRs Expected to Transmit Data for Medicare’s New Hospital Inpatient Value-Based Purchasing Program,” posted to the HITECH Law Blog on February 8, 2011.
On January 13, 2011, the Centers for Medicare and Medicaid Services (CMS) released its Proposed Rule on the Medicare Hospital Inpatient Value-Based Purchasing (VBP) Program. The VBP Program is being established per the directive of the Patient Protection and Affordable Access to Care Act of 2010 (PPACA). CMS is to begin making incentive payments under the VBP Program for discharges on or after October 1, 2012.
Seven years before PPACA required CMS to establish the VBP Incentive Program, the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) gave CMS authority to establish the Hospital Inpatient Quality Reporting (IQR) Program. The clinical quality measures that CMS has adopted for the IQR Program will feed into the measures for the VBP Program.
The IQR Program measures were generally based on recommendations from the National Quality Forum (NQF), a voluntary consensus standard-setting organization with a diverse representation of consumer, purchaser, provider, academic, clinical, and other health care stakeholder organizations. The IQR measures began as a set of 10 quality indicators that have since expanded to 45 clinical quality measures for the FY 2011 IQR program payment determination. The FY 2011 IQR hospital measures focus on four topics: 1) Acute Myocardial Infarction (AMI); 2) Heart Failure (HF); 3) Pneumonia (PN); and 4) Surgical Care Improvement Project (SCIP).
So how does this relate to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and a hospital’s “meaningful use” of a “certified EHR”? Ahhh, there is a method to the madness. As the CMS VBP Proposed Rule points out, the Hospital IQR program and the Hospital VBP Program have “important areas of overlap and synergy with regard to the reporting of quality measures under the HITECH Act.”
CMS notes in the Proposed Rule that the certification standards for EHRs under the HITECH Act are directed at enabling EHR submission of quality measures. CMS is striving “to align the [VBP] measures with the adoption of meaningful use standards for health information technology (HIT), so the collection of performance information is part of care delivery.” As a result, CMS anticipates that hospitals will use their certified EHRs for the reporting of clinical quality measures under both the Hospital IQR program and the subsequent Hospital VBP Program.
The proposed initial measures for the FY 2013 Hospital VBP Program include 18 measures. Of these 18 measures, 17 measures will focus on the four clinical process of care topics set forth for the 2011 IQR Program (AMI, HF, PN, and SCIP), and will add Healthcare-Associated Infections (HAI). The 18th measure will include a measure from the Hospital Consumer Assessment of Healthcare Providers and Systems Survey (HCAHPS) that will fall under a patient experience of care domain.
The proposed performance period is to begin July 1, 2011 and will continue through March 31, 2012 for the FY 2013 payment determination. This is already less than five months away! Another reason for Eligible Hospitals under the HITECH Act to focus on implementation of a certified EHR. Did I hear someone ask how the VBP incentive payments will be funded? Answer: By a reduction of the Fiscal Year 2013 base operating DRG payments for each discharge of 1%. “What one hand giveth, the other hand taketh away.” (Unknown)
For more information about the IQR Program, visit QualityNet. For additional details about the VBP Program, see the Proposed Rule. CMS will accept comments on the VBP Proposed Rule until March 8, 2011. CMS expects to issue a final rule in 2012.
Update: On December 29, 2010, HHS published in the Federal Register a “Correcting Amendment” to its Final Rule on Meaningful Use, which can be viewed here.
HHS Secretary Kathleen Sebelius wasted no time in putting the brand new CMS Director to work on July 13, 2010, in announcing the release of two rules under the Health Information Technology for Clinical and Economic Health Act (HITECH), including the Final Rule on Meaningful Use and the Final Rule on Initial Set of EHR Standards and Certification Criteria. Donald M. Berwick, MD, MPP, FRCP, was sworn in as Director of the Centers for Medicare and Medicaid Services on Monday afternoon, July 12, 2010, and by the next morning was primed to discuss the important role of health information technology (HIT) in America. In addition to Dr. Berwick’s participation at the press briefing, other participants included David Blumenthal, MD, the Chief Coordinator for the HHS Office of National Coordinator of HIT (ONC), Regina Benjamin, MD, U.S. Surgeon General, and Regina Holiday, an individual who shared a personal experience involving access to health information and how such access impacts the care of patients.
Quick Reference: The CMS Fact Sheet on both Final Rules is available here.