Health Information Technology

CMS Issues COVID-19 Related Extension of the Deadline for Hospitals to Implement Electronic Patient Event Notifications

Kathie McDonald-McClure Cures Act and Program Interoperability, Health Information Technology , , , , ,

by Margaret Young Levi and Kathie McDonald-McClure

Post-Note: On April 30, 2021, the requirements for hospitals with certain EHR capabilities to send admission, discharge and transfer notifications to other providers went into effect. See CMS webpage, “Policies and Technology for Interoperability and Burden Reduction“.

Last year, we wrote about the CMS Proposed Rule on Hospital EHR “Electronic Patient Event Notifications” in which CMS proposed new Medicare Conditions of Participation (CoPs) for hospitals that will require the hospital to send electronic event notifications to primary care or post-acute care providers identified by the patient when a patient has been admitted, discharged, or transferred (ADT Notifications).  ADT Notifications are an outgrowth of the 21st Century CURES Act passed by a bi-partisan majority of Congress and signed into law on December 13, 2016 (CURES Act). The CURES Act contains aggressive goals to promote the interoperability of electronic health records and patient access to their health information.

The objective of ADT Notifications is to improve care coordination and patient outcomes. These ADT Notifications are to be integrated into either the hospital’s interoperable certified electronic health record technology (CEHRT) or other electronic administrative system such as a registration system. An ADT Notification will be required when the patient is:

  • registered in the Emergency Department (ED) or as an observational stay;
  • admitted to the hospital (regardless if the patient was admitted from the ED, from an observation stay, or as a direct admission from home, from their practitioner’s office, or as a transfer from some other facility);
  • transferred from the ED or inpatient care; or
  • discharged from the ED, observational stay or inpatient services unit.
Continue reading

Kentucky Medicaid Further Expands Telehealth Coverage

WyattLLP Data Privacy & Security, Health Information Technology, HIPAA , , , , ,

By Lindsay K. Scott

Following expansion by the Department of Human Health Services’ Office for Civil Rights (“OCR”) and the Centers for Medicare and Medicaid Services (“CMS”) of federal telehealth services and relaxation of certain requirements, Kentucky Medicaid is following suit.

On March 17, 2020, the Centers for Medicare and Medicaid Services published guidance expanding the use of telehealth and relaxing restrictions on its use. The Office for Civil Rights, the agency responsible for enforcement of HIPAA, followed up with guidance making it clear that it will not enforce penalties for the use of technology that is not HIPAA compliant, when used in the good faith provision of telehealth services:

Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.  Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

Continue reading

HHS Office for Civil Rights Issues Telehealth HIPAA Guidance during COVID-19 Emergency

Kathie McDonald-McClure Health Information Technology, HIPAA , , ,

On March 17, 2020, the Office for Civil Rights (“OCR”), the agency within the Department of the United States Health & Human Services (“HHS”) responsible for enforcement of HIPAA, issued the following guidance: “Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 nationwide public health emergency.” Pursuant to Telehealth regulatory waivers issued by the HHS Centers for Medicare & Medicaid Services (“CMS”) effective during the COVID-19 Public Health Emergency (“PHE”), providers can use telehealth at any location including in a patient’s home. As more fully explained in its Telehealth Fact Sheet March 17, 2020, HHS stated:

“The provider must use an interactive audio and video telecommunications system that permits real-time communication between the distant site and the patient at home. …  It is imperative during this public health emergency that patients avoid travel, when possible, to physicians’ offices, clinics, hospitals, or other health care facilities where they could risk their own or others’ exposure to further illness.” Continue reading

CMS Proposed Rule on Hospital EHR “Electronic Patient Event Notifications”

Kathie McDonald-McClure Cures Act and Program Interoperability, Data Privacy & Security, EHR Certification Standards, Electronic Health Records, Health Information Technology, HIPAA, HITECH Law , , , , ,

By Kathie McDonald-McClure and Margaret Young Levi

Doctor Speaking with Patient

Summary: CMS proposes new Medicare Conditions of Participation (CoPs) for hospitals that will require the hospital EHR to send electronic event notifications to post-acute care providers when a patient has been admitted, discharged, or transferred.  What must hospitals do, and how much time is needed, to operationalize the new CoPs, considering a process will need to be developed that identifies providers who should and can receive these event notices? What will be required, and how much time is needed, to reconfigure EHRs to send the notifications and demonstrate compliance with the multiple facets of the CoP?  Will PAC providers be obligated to operationalize the receipt and use of these notifications under the IMPACT Act?  CMS is seeking stakeholder input on its proposal, including a reasonable time frame for implementation. Comments are due June 3, 2019.* Continue reading

Healthcare Privacy Practices Notice Must Include Nondiscrimination Notice

WyattLLP Cyber Security and Cyber Crime, Data Privacy & Security, Health care reform, Health Information Technology, HIPAA, Privacy & Security

By Margaret Young Levi and Kathie McDonald-McClureprivacy policy

Among the many mandates of the Affordable Care Act (ACA) (a/k/a “Obama Care”) still in force today is Section 1557. Section 1557 prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is the agency vested with responsibility for implementing and enforcing Section 1557. On May 16, 2016, OCR issued a Final Rule that requires entities covered by the ACA to notify beneficiaries, enrollees, applicants, or members of the public of Section 1557’s nondiscrimination prohibitions. This notice must be included in the entity’s “significant” publications and communications.

You might ask, “Why am I reading about this on a legal blog about privacy and security?”  This is because OCR determined that the Notice of Privacy Practices, which healthcare providers and health plans issue to patients and plan members, is a “significant” publication or communication. As a result, health care providers and health plans that are subject to both Section 1557 and the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) must add the Section 1557 nondiscrimination notices and taglines to their Notice of Privacy Practices. Health plans should add such notices and taglines to their Summary of Benefits and Coverage as well.

Continue reading