Author: Kathie McDonald-McClure

AHIMA Issues Guidance on Appropriate Use of Copy and Paste in EHRs

Kathie McDonald-McClure EHR Certification Standards, Electronic Health Records, Fraud and Abuse, Health Information Technology, HITECH Law, Meaningful Use , , , , , ,

16354859As we have written about in previous posts, the Office of Inspector General (OIG) for the United States Department of Health and Human Services (HHS) has been critical of the copy/paste function that is available in electronic health record (EHR) technology developed by software vendors.  (See “Electronic Health Records in OIG’s Sights for 2013“, October 20, 2012; “OIG recommends fraud safeguards in hospital EHR technology“, December 11, 2013; “OIG Report on CMS’ EHR Audit Practices Concludes The Practices Are Not Very Sophisticated“, February 11, 2014)  As our February 11, 2014 post concludes, while turning off the copy/paste functionalities are not the immediate solution to preventing a misuse of the function, health care providers should implement standards for its use.  The American Health Information Management Association (AHIMA) recently issued guidance, “Appropriate Use of the Copy and Paste Functionality in Electronic Health Records,” dated March 17, 2014, discussing the availability and appropriate use of the copy and paste function.

AHIMA supports maintaining the copy/paste functionality in ONC’s EHR certification standards and allowing for its use in CMS Conditions of Participation.  AHIMA encourages CMS to augment provider education and training materials on the appropriate use of copy/paste in order to reduce the risk that it may pose to quality of care, patient safety and fraudulent documentation.  Importantly, AHIMA recommends that health care providers implement policies and procedures to guide users of EHRs on the proper use of copy/paste functionalities.  To read the AHIMA guidance, click here.

March 1, 2014 is Deadline to Report Breaches Affecting Less than 500

Kathie McDonald-McClure Electronic Health Records, Federal Law Resources, Health Information Technology, HITECH Law , , , ,

strike before midnightSaturday, March 1, 2014, is the deadline for entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to report to the U.S. Department of Health & Human Services Office for Civil Rights (OCR) all “small breaches” of unsecured protected health information that occurred during 2013.  Entities subject to this deadline include a health care provider that conducts certain transactions in electronic form, health plans and health care clearinghouses.  A “small breach” is a breach affecting less than 500 individuals.

Although affected individuals must be notified within 60 days of the breach’s discovery, the breach itself also must be reported to OCR within 60 days of the close of the calendar year in which it was discovered, or by March 1 of the following year.  The notice must be submitted electronically.  A separate breach notification form must be completed for each breach.  To submit breach notification reports to OCR, click here.

Remember: HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the HIPAA Omnibus Rule, has a new definition of a “breach” that became effective March 26, 2013.  It is OCR’s position that a breach is presumed—unless an entity can demonstrate that there is a Low Probability that the data has been Compromised (LoProCo). With any loss, theft or potential unauthorzed access to unsecured protected health information, entities should immediately perform a risk assessment and look at certain factors to decide whether there is a low probability of compromise or LoProCo. If a LoProCo analysis is not done, a breach is presumed and, even if under a LoProCo analysis it would not have been a breach, a loss, theft or unauthorized access of unsecured protected health information must be reported as a breach to OCR.  For more information about the LoProCo analysis, see our previous post on December 1, 2013, here.

CMS Provides Detailed Instructions on Deadline Extension for 2013 MU Attestation

Kathie McDonald-McClure Electronic Health Records, Eligible Professional Incentives, Health Information Technology, HITECH Law, Hospital EHR Incentives , , , , ,

strike before midnightOn Friday, February 7, 2014, the Centers for Medicare and Medicaid Services (CMS) announced an extension until 11:59 pm on March 31, 2014 for Eligible Professionals to submit their 2013 EHR Meaningful Use (MU) attestation.  In addition, Eligible Hospitals that had trouble submitting their 2013 MU attestation may be able to retroactively submit their attestation to avoid the 2015 payment adjustment but must contact CMS by March 15, 2014 at 11:59 pm to do so.  Note that only the attestation deadline is being moved. The requirement to meet MU by September 30, 2013 for Eligible Hospitals and by December 31, 2013 for Eligible Professionals in order to avoid the 2015 payment adjustment is not affected.

What’s new from our previous post about this?  Today, CMS published specific instructions on how to take advantage of the extensions of the 2013 MU attestation deadlines in its MLN Connects, Weekly Provider eNews dated Thursday, February 13, 2014.  Scroll to the section titled “New EHR Attestation Deadline for Eligible Professionals: March 31” which provides instructions for both Eligible Professionals and Eligible Hospitals.  CMS also updated the Eligible Professional 2013 attestation deadline on its EHR Incentive Programs home page.

OIG Report on CMS’ EHR Audit Practices Concludes The Practices Are Not Very Sophisticated

Kathie McDonald-McClure EHR Certification Standards, Electronic Health Records, Fraud and Abuse, Health Information Technology , , ,

By Ann Triebsch and Kathie McDonald-McClure

Female HCP viewing a computer screenFollowing our blog post on December 11, 2013 about Part One of a report from the Office of the Inspector General for the United States Department of Health and Human Services (OIG) about fraud safeguards in electronic health records (EHRs), the OIG recently issued Part Two of its report.  Dated January 2014, the report is entitled, “CMS and Its Contractors Have Adopted Few Program Integrity Practices to Address Vulnerabilities in EHRs”.  That title pretty well sums up the report’s findings about the audits conducted by contractors for the Centers for Medicare and Medicaid Services (CMS).

The OIG’s January 2014 report and the earlier December 2013 report both rely heavily on a 2007 study by RTI International (RTI), which was performed under a contract with the Office of the National Coordinator for Health Information Technology (ONC).  The RTI Study made recommendations for enhancing data quality and integrity in EHRs. The recommendations were aimed at both strengthening some EHR benefits and providing tools within the EHR for detecting inappropriate documentation practices that are unique to EHRs.  The OIG investigated whether those tools have been put into full force. Continue reading

CMS Extends Eligible Professional MU Attestation Deadline until March 31, 2014

Kathie McDonald-McClure Electronic Health Records, Eligible Professional Incentives, Health Information Technology, HITECH Law, Hospital EHR Incentives, Meaningful Use ,

On Friday, February 7, 2014, the Centers for Medicare and Medicaid Services (CMS) announced an extension until 11:59 pm on March 31, 2014 for Eligible Professionals to submit their 2013 EHR Meaningful Use (MU) attestation.  In addition, Eligible Hospitals that had trouble submitting their 2013 MU attestation may be able to retroactively submit their attestation to avoid the 2015 payment adjustment but must contact CMS by March 15, 2014 at 11:59 pm to do so.  Note that only the attestation deadline is being moved. The requirement to meet MU by September 30, 2013 for Eligible Hospitals and by December 31, 2013 for Eligible Professionals in order to avoid the 2015 payment adjustment is not affected.

(We would provide a link to this CMS announcement but it currently is not readily available on the CMS EHR Incentive Program website and, in fact, CMS has not yet updated the EP deadline on its home page for the Program. When and if additional details become available on the CMS webpage, we’ll post it here!)