Providers Talk, CMS Listens: CMS Announces Plan to Modify Meaningful Use Requirements

January 30, 2015January 30, 2015 Margaret Young Levi Electronic Health Records, Health Information Technology, HITECH Law, Hospital EHR Incentives, Meaningful Use Centers for Medicare & Medicaid Services, CMS, EHR Incentive Program, Electronic Health Records, Incentive Programs, Medicaid EHR Incentive Programs, Medicaid Electronic Health Record, Medicare EHR Incentive Programs, providers

On January 29, 2015, Centers for Medicare & Medicaid Services (CMS) announced its intent to make changes to the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs beginning in 2015, which aim to “help to reduce the reporting burden on providers.”

Providers have expressed concerns about the EHR Incentive Programs’ requirements and their burden on providers. In response to those concerns, CMS is considering whether to:

Shorten the EHR reporting period in 2015 to 90 days to accommodate these changes.
Realign hospital EHR reporting periods to the calendar year to allow eligible hospitals more time to incorporate 2014 Edition software into their workflows and to better align with other CMS quality programs.
Modify other aspects of the program to match long-term goals, reduce complexity, and lessen providers’ reporting burdens.

CMS is expected to engage in rulemaking this spring to implement these changes to the EHR Incentive Programs. These changes will not be included in the proposed regulations regarding Stage 3 meaningful use requirements and criteria that CMS plans to issue by early March 2015 and which will apply in 2017 and subsequent years.

THE HIPAA SECURITY RISK ANALYSIS

December 12, 2014December 12, 2014 Margaret Young Levi Electronic Health Records, Eligible Professional Incentives, Federal Law Resources, Health Information Technology, HITECH Law, Hospital EHR Incentives, Meaningful Use, Physician EMR Stimulus HIPAA risk assessment, Privacy & Security, security risk analysis

Under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), eligible hospitals and critical access hospitals and eligible professionals must make a “meaningful use” of “certified electronic health technology” or face reductions in Medicare reimbursement. Conducting or reviewing a security risk analysis is a core objective in the meaningful use requirements of the Medicare and Medicaid electronic health record (“EHR”) incentive programs. These security risk analyses have been Continue reading →

CMS Extends 2014 Meaningful Use Attestation and Quality Deadlines

November 25, 2014November 25, 2014 Margaret Young Levi Health Information Technology, HITECH Law, Hospital EHR Incentives, Hospital EHR Stimulus, Meaningful Use deadline, extension of 2014 meaningful use attestation

On November 24, 2014, CMS announced a one-month extension of the deadline for eligible hospitals and Critical Access Hospitals (CAHs) to attest to meaningful use for the Medicare Electronic Health Record (EHR) Incentive Program 2014 reporting year. Medicare eligible hospitals must attest to meeting meaningful use requirements each year to receive an incentive and to avoid a payment adjustment. The deadline is being extended from 11:59 pm EST on November 30, 2014 to 11:59 pm EST on December 31, 2014, and CMS states this will “allow more time for hospitals to submit their meaningful use data and receive an incentive payment for the 2014 program year, as well as avoid the 2016 Medicare payment adjustment.”

CMS also extended the deadline for eligible hospitals and CAHs to electronically submit clinical quality measures (CQMs) until December 31, 2014.

Please note that these extensions are only for the Medicare EHR Incentive Program and will not affect the deadlines for the Medicaid EHR Incentive Program.

Upcoming Deadlines:

December 31, 2014 at 11:59 pm ET: Attestation deadline for Medicare eligible hospitals and CAHs for the 2014 program year
December 31, 2014: Deadline for hospitals and CAHs to submit eCQMs.
December 31, 2014: End of 2014 calendar year and end of the 2014 reporting period for eligible professionals
February 28, 2015: Attestation deadline for Medicare eligible professionals.

For additional information, check out the EHR Incentives Programs website.

FDA Issues Cybersecurity Guidance to Medical Device Manufacturers

October 20, 2014October 29, 2014 Margaret Young Levi Health Information Technology, Privacy & Security cybersecurity, FDA, medical device

The U.S. Food & Drug Administration (FDA) has issued guidance setting forth its current thinking on issues related to cybersecurity of medical devices.

Because medical devices increasingly store or transmit sensitive patient health information, there are increased security risks of unauthorized access, modification, misuse or denial of use, or the unauthorized use of this information. Medical devices that connect to other devices or to the Internet or which have USB or other data ports are especially vulnerable. The FDA notes that “[f]ailure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death.” Continue reading →

September 22, 2014 Deadline for Business Associate Agreements

August 22, 2014August 26, 2014 Margaret Young Levi Health Information Technology, HITECH Law, Privacy & Security, Uncategorized BAA, business associate, Business Associate Agreement, contractor, covered entity, HITECH Act, Omnibus Rule, Privacy & Security, privacy and security of protected health information

September 22nd Deadline Fast Approaching

The final HIPAA Omnibus Rule (Omnibus Rule), published in the Federal Register on January 25, 2013, substantially increased the privacy and security responsibilities of a “business associate” of a “covered entity”, as those terms are defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)(see discussion later in this post regarding the expansion of the “business associate” definition). Among other changes, the Omnibus Rule requires a covered entity and business associate to revise their business associate agreement (BAA) to reflect the business associate’s new obligations. All BAAs signed after January 24, 2013 should already include new language necessary to comply with the Omnibus Rule. BAAs that were signed on or before January 24, 2013 were deemed compliant until September 22, 2014; however, if renewed or modified before that date then they must be brought into actual compliance at that time. Covered entities and business associates must ensure that all BAAs are compliant with the Omnibus Rule before the September 22, 2014 deadline. Continue reading →

A legal blog about consumer privacy and data security in a high-tech world

Author: Margaret Young Levi