The New HIPAA Rules are Out!

by Ann F. Triebsch

(Updated January 27, 2013)

On January 17, 2013, the Department of Health & Human Services (HHS), Office for Civil Rights (OCR), released the final HIPAA Omnibus Rule (Omnibus Rule) implementing the HITECH Act of 2009 and the Genetic Information Nondiscrimination Act of 2008 (GINA). The Omnibus Rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s enforcement capabilities. The regulations are published in the January 25, 2013 Federal Register, and will be effective on March 26, 2013, with compliance required by September 23, 2013.

We will discuss the highlights of the new regulations, topic by topic, in this blog over the next few weeks, but we begin with a key piece of information relevant to existing business associate agreements. The new regs substantially increase the privacy responsibilities of business associates that receive protected health information, such as contractors and subcontractors. Business associates may also be liable for increased penalties for noncompliance based on the level of negligence, up to a maximum penalty of $1.5 million.

All of the new requirements will need to be reflected in business associate agreements (BAAs). If your current business associate agreement was signed on or before January 24, 2013, it will be deemed HIPAA compliant through September 23, 2014 (at which time the agreement will need to have been amended for compliance with the Omnibus Rule). After January 24, 2013, any new BAAs signed should comply with the Omnibus Rule, and be in place by September 23, 2013.


OIG First Year Assessment of the EHR Incentive Program

by Ann F. Triebsch

The HHS OIG released a report on November 28, 2012, assessing CMS’ first-year performance in overseeing the Medicare EHR Incentive Program.  The OIG did not give CMS high marks, but its primary recommended solution is being rejected, as it may have done more harm than good under the circumstances.

Self-Reporting Insufficient Basis.  Under the program, providers implementing EHR systems and attesting that they are “meaningfully us[ing]” them as defined by HITECH receive financial incentives, which can help offset the not-insubstantial costs of the systems.  The gathering of data for the attestation to CMS can be a time-consuming process.  CMS checks the data submissions via its own computer logic, and if the submission is approved, the incentive payment is sent.  In its report, OIG says CMS has paid out about $4 billion in incentive payments to providers to date, with a total of $6.6 billion estimated by 2016.  However, OIG points out that because the computer logic checks are not complete or fool-proof, but rather rely on self-reported data, the incentive program is “vulnerable” to fraud, paying incentives where meaningful use requirements are not fully met.  OIG recommended that CMS undertake prepayment reviews of substantiating documentation from certain providers, based on risk analyses, rather than using the “pay and chase” model it is moving away from.

Sticking with the Plan.  CMS declined to follow OIG’s prepayment review recommendation, citing the increased up-front burden on providers, as well as delayed incentive payments.   CMS put it politely, but we couldn’t agree more.  Providers have incurred substantial debt to purchase these EHR systems, and some are throwing up their hands, or worse, in frustration as they make the switch from paper, input so much new data, learn their new systems and try to integrate them with other existing systems.  To delay the incentive payments, which are the carrot to encourage providers to adopt this technology that CMS and the Obama administration so fervently want, especially in the absence of any suspected or proven abuse to date, would be politically untenable, and counterproductive to the worthy goals of HITECH. 

Other Recommendations.  CMS did agree with OIG’s other recommendation to issue guidance on the types of documentation it expects providers to maintain to support their compliance with the “meaningful use” requirements, and indicated it would soon be posting a FAQ document on this subject.  OIG recommended that the Office of the National Coordinator for Health Information Technology (ONC) require certified EHR technology to be capable of producing reports for yes/no meaningful use measures, where possible, which is not a current capability in many systems, and that it improve the certification process to ensure accurate EHR reports.  ONC concurred with these two recommendations.

While verification of meaningful use attestations always would have been a possible topic for CMS audits of providers, this OIG assessment of the first year of the EHR Incentive Program may provoke CMS to investigate the topic more closely.  But for now, CMS made a well-considered decision to keep its resources where they are, and not begin a witch-hunt when there is no sign of widespread evil intent.

Electronic Health Records Already in OIG’s Sights for 2013!

by Ann Triebsch

The 2013 Work Plan released October 2, 2012, by the HHS Office of the Inspector General (OIG), demonstrates that even the health care industry’s brand-new electronic health records (EHR) initiative is already under scrutiny for potentially abusive and erroneous practices by some providers.  The Work Plan lists three activities that indicate that the OIG is not planning to let any bad habits (or bad actors) get established as providers get comfortable with their new EHR systems.
