Year: 2013

February 28th Deadline for EPs To File Attestation for EHR Incentives and CQMs

Margaret Young Levi EHR Certification Standards, Electronic Health Records, Eligible Professional Incentives, Health Information Technology, HITECH Law, Meaningful Use, Physician EMR Stimulus

The deadline is fast approaching for eligible professionals (“EPs”) to file attestations to receive electronic health record (“EHR”) incentives available under Medicare’s Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”). 

To receive an EHR incentive payment, EPs, such as physicians, dentists, podiatrists, optometrists and chiropractors, must show they are “meaningfully using” their EHRs in ways that can positively improve patient care by meeting certain objectives and reporting certain clinical quality measures (“CQMs”).  EPs must also file an attestation that they have met the thresholds and all of the requirements of the Medicare EHR Incentive Program.  EPs who participate in the Medicare EHR Incentive Program in 2012 must submit the CQMs and file an attestation with CMS for the 2012 program year by February 28, 2013. 

If you are participating in the pilot program to submit your CQM data electronically, please be aware that your window to file is limited because of a planned system downtime.  You will be unable to file your CQM data beginning at 11:59 p.m. ET tomorrow, Friday, February 22 through Sunday, February 24 at 11:59 p.m. ET because CMS has a system outage already scheduled that will affect CQM filing.  (We understand, but have been unable to verify, that you may still file an attestation during the outage.)  The Centers for Medicare & Medicaid Services (“CMS”) warns that “[f]ailure to submit your CQMs electronically by 11:59pm ET on February 28 will result in your attestation being rejected for the 2012 program year.” 

We also recommend you not wait until the last minute—as CMS expects a high volume of users on both the Physician Quality Reporting System (“PQRS”) and EHR Incentive Program systems over the next week.  Please keep this in mind when planning for your CQM data submission and completion of your 2012 attestation. 

For additional information regarding the EHR Incentive Program, check out CMS’ EHR Incentive Programs website.  Its Educational Materials in particular are quite helpful.  In addition, CMS has recently updated its frequently asked questions (“FAQs”) related to the EHR Incentive Programs.    

The New HIPAA Rules are Out!

Ann Feldkamp Triebsch Federal Law Resources, Health Information Technology, HITECH Law, Privacy & Security , , , , ,

by Ann F. Triebsch

(Updated January 27, 2013)

On January 17, 2013, the Department of Health & Human Services (HHS), Office for Civil Rights (OCR), released the final HIPAA Omnibus Rule (Omnibus Rule) implementing the HITECH Act of 2009 and the Genetic Information Nondiscrimination Act of 2008 (GINA). The Omnibus Rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s enforcement capabilities. The regulations are published in the January 25, 2013 Federal Register, and will be effective on March 26, 2013, with compliance required by September 23, 2013.

We will discuss the highlights of the new regulations, topic by topic, in this blog over the next few weeks, but we begin with a key piece of information relevant to existing business associate agreements. The new regs substantially increase the privacy responsibilities of a business associate that receives protected health information, such as contractors and subcontractors. Business associates may also be liable for increased penalties for noncompliance based on the level of negligence, up to a maximum penalty of $1.5 million.

All of the new requirements will need to be reflected in business associate agreements (BAAs). If your current business associate agreement was signed on or before January 24, 2013, it will be deemed HIPAA compliant through September 23, 2014 (at which time the agreement will need to have been amended for compliance with the Omnibus Rule). After January 24, 2013, any new BAAs signed should comply with the Omnibus Rule, and be in place by September 23, 2013.

To read the Omnibus Rule, click here.

The Long-Awaited HIPAA Omnibus Rule Has Been Issued!

Margaret Young Levi Health Information Technology

Earlier today we predicted the long-awaited HIPAA-HITECH Omnibus Rule under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) would soon be released–and we were correct! 

Today the U.S. Department for Health & Human Services (HHS) issued a press release announcing the Rule would be as published on 01/25/2013. Click here to view the press release.  HHS believes “the changes in the final rulemaking provide the public with increased protection and control of personal health information”  by expanding requirements for business associates, increasing penalties for non-compliance, and clarifying HHS must be notified of breaches. The Rule expands patient’s rights to access and control use and disclosure of protected health infromation. 

A pre-publication PDF version of the Rule may be viewed here.

Long-awaited HIPAA Omnibus Rule may be released soon

Margaret Young Levi Federal Law Resources, Health Information Technology, HITECH Law, Privacy & Security

“Rumor has it” that the long-awaited HIPAA-HITECH Omnibus Rule under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) will be released the week of January 21st or 28th. While similar rumors have abounded for many months, this one may have some merit.

It is reasonable to expect the Office of Management and Budget (OMB) to release the final OMNIBUS regulations as soon as late January or early February based on the fact that the OMB has had the rule for almost a year to perform a perfunctory final review. The Department for Health and Human Services (HHS) released the Rule to OMB for review, one of the last steps before publication in the Federal Register, on March 24, 2012. OMB had the standard 90-day period to perform its review, but requested an extension. Some have speculated that the pending election last year may have played a part in delaying the Rule.

The Modern Healthcare’s IT Everything blog also posted recently that “in February, there is a HIPAA summit mid-month” that “calls for regulators to give a talk on the final rule.” Read more here.

The much-anticipated HIPAA Rule is expected to contain implementing regulations for the following aspects of the HITECH Act: 1) data breach enforcement and penalty levels; 2) data breach notification requirements; 3) application of the HIPAA Security Rule requirements directly to business associates and subcontractors; 4) use of genetic information by health plans; 5) use of patient health information (PHI) for marketing and fundraising. HHS has said the final Rule will contain “significant modifications” to the current HIPAA Privacy Rule. The final Rule will not address the proposed change to the HIPAA Privacy Rule’s standard on accounting for disclosures (i.e., access by whom, when and for what purpose), a controversial proposal that was complex, burdensome and potentially very costly.

We also have heard that a notice of proposed rulemaking would be out in March proposing a methodology by which people harmed by a HIPAA violation could share in any settlement or civil monetary penalty.

Stay tuned . . .

OIG First Year Assessment of the EHR Incentive Program

Ann Feldkamp Triebsch Health Information Technology

by Ann F. Triebsch

 The HHS OIG released a report on November 28, 2012, assessing CMS’ first-year performance in overseeing the Medicare EHR Incentive Program.   The OIG did not give CMS high marks, but its primary recommended solution is being rejected, as it may have done more harm than good under the circumstances.   

 Self-Reporting Insufficient Basis.  Under the program, providers implementing EHR systems and attesting that they are “meaningfully us[ing]” them as defined by HITECH receive financial incentives, which can help offset the not-insubstantial costs of the systems.  The gathering of data for the attestation to CMS can be a time-consuming process.  CMS checks the data submissions via its own computer logic, and if the submission is approved, the incentive payment is sent. In its report, OIG says CMS has paid out about $4 billion in incentive payments to providers to date, with a total of $6.6 billion estimated by 2016.  However, OIG points out that because the computer logic checks are not complete or fool-proof, but rather rely on self-reported data, the incentive program is “vulnerable” to fraud, paying incentives where meaningful use requirements are not fully met.  OIG recommended that CMS undertake prepayment reviews of substantiating documentation from certain providers, based on risk analyses, rather than using the “pay and chase” model it is moving away from.

Sticking with the Plan.  CMS declined to follow OIG’s prepayment review recommendation, citing the increased up-front burden on providers, as well as delayed incentive payments.   CMS put it politely, but we couldn’t agree more.  Providers have incurred substantial debt to purchase these EHR systems, and some are throwing up their hands, or worse, in frustration as they make the switch from paper, input so much new data, learn their new systems and try to integrate them with other existing systems.  To delay the incentive payments, which are the carrot to encourage providers to adopt this technology that CMS and the Obama administration so fervently want, especially in the absence of any suspected or proven abuse to date, would be politically untenable, and counterproductive to the worthy goals of HITECH. 

 Other Recommendations.  CMS did agree with OIG’s other recommendation to issue guidance on the types of documentation it expects providers to maintain to support their compliance with the “meaningful use” requirements, and indicated it would soon be posting a FAQ document on this subject.  OIG recommended that the Office of the National Coordinator for Health Information Technology (ONC) require certified EHR technology to be capable of producing reports for yes/no meaningful use measures, where possible, which is not a current capability in many systems, and that it improve the certification process to ensure accurate EHR reports.  ONC concurred with these two recommendations.

While verification of meaningful use attestations always would have been a possible topic for CMS audits of providers, this OIG assessment of the first year of the EHR Incentive Program may provoke CMS to investigate the topic more closely.  But for now, CMS made a well-considered decision to keep its resources where they are, and not begin a witch-hunt when there is no sign of widespread evil intent.