HITECH Law

CMS Extends 2014 Meaningful Use Attestation and Quality Deadlines

Margaret Young Levi Health Information Technology, HITECH Law, Hospital EHR Incentives, Hospital EHR Stimulus, Meaningful Use ,

strike before midnightOn November 24, 2014, CMS announced a one-month extension of the deadline for eligible hospitals and Critical Access Hospitals (CAHs) to attest to meaningful use for the Medicare Electronic Health Record (EHR) Incentive Program 2014 reporting year. Medicare eligible hospitals must attest to meeting meaningful use requirements each year to receive an incentive and to avoid a payment adjustment. The deadline is being extended from 11:59 pm EST on November 30, 2014 to 11:59 pm EST on December 31, 2014, and CMS states this will “allow more time for hospitals to submit their meaningful use data and receive an incentive payment for the 2014 program year, as well as avoid the 2016 Medicare payment adjustment.”

CMS also extended the deadline for eligible hospitals and CAHs to electronically submit clinical quality measures (CQMs) until December 31, 2014.

Please note that these extensions are only for the Medicare EHR Incentive Program and will not affect the deadlines for the Medicaid EHR Incentive Program.

Upcoming Deadlines:

  • December 31, 2014 at 11:59 pm ET: Attestation deadline for Medicare eligible hospitals and CAHs for the 2014 program year
  • December 31, 2014: Deadline for hospitals and CAHs to submit eCQMs.
  • December 31, 2014: End of 2014 calendar year and end of the 2014 reporting period for eligible professionals
  • February 28, 2015: Attestation deadline for Medicare eligible professionals.

For additional information, check out the EHR Incentives Programs website.

September 22, 2014 Deadline for Business Associate Agreements

Margaret Young Levi Health Information Technology, HITECH Law, Privacy & Security, Uncategorized , , , , , , , ,
September 22nd Deadline Fast Approaching
September 22nd Deadline Fast Approaching

The final HIPAA Omnibus Rule (Omnibus Rule), published in the Federal Register on January 25, 2013, substantially increased the privacy and security responsibilities of a “business associate” of a “covered entity”, as those terms are defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)(see discussion later in this post regarding the expansion of the “business associate” definition).  Among other changes, the Omnibus Rule requires a covered entity and business associate to revise their business associate agreement (BAA) to reflect the business associate’s new obligations.  All BAAs signed after January 24, 2013 should already include new language necessary to comply with the Omnibus Rule.  BAAs that were signed on or before January 24, 2013 were deemed compliant until September 22, 2014; however, if renewed or modified before that date then they must be brought into actual compliance at that time.  Covered entities and business associates must ensure that all BAAs are compliant with the Omnibus Rule before the September 22, 2014 deadline. Continue reading

Federal Government Report Summarizes Health Care Privacy Compliance Efforts

Margaret Young Levi Electronic Health Records, Federal Law Resources, Health Information Technology, HITECH Law , , , , , , ,

government buildingThe U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

–“Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012” (the Breach Report); and

–“Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012” (the Compliance Report).

Both of OCR’s reports (as well as previous annual reports) may be accessed here. This post discusses the Compliance Report. We summarized the Breach Report in a separate post entitled “Federal Government Report on Data Breaches in Health Care.”

OCR is the office responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The Compliance Report summarizes OCR’s compliance and enforcement activity with respect to the HIPAA Privacy, Security, and Breach Notification Rules.

Continue reading

Federal Government Report on Data Breaches in Health Care

Margaret Young Levi Electronic Health Records, Federal Law Resources, Health Information Technology, HITECH Law , , , ,

government buildingThe U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

• “Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012” (the Breach Report), and
• “Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012” (the Compliance Report).

Both reports (as well as previous annual reports) may be accessed here.  This post discusses the Breach Report, and a separate article will be posted later addressing the Compliance Report.

The Breach Report offers valuable insight into OCR’s priorities with respect to healthcare data breaches and gives an excellent summary of many recent settlements. OCR (the office responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules) has prepared this Breach Report describing the numbers and types of healthcare data breaches occurring for calendar years 2011 and 2012.  The Breach Report is compiled from breach reports that HIPAA requires be provided to OCR by covered healthcare providers, health plans, healthcare clearinghouses and their business associates.  The raw data upon which these reports is based is available here. OCR also provides some cumulative data on breaches reported since the breach notification law went into effect on September 23, 2009. OCR then slices and dices this data in a variety of different and useful ways, sorting it by: cause, location of affected protected health information (PHI), types of entities involved, number of individuals affected, remediation steps taken, etc. Continue reading

New Kentucky Data Breach Rules Go into Effect

Margaret Young Levi Federal Law Resources, Health Information Technology, HITECH Law, Privacy & Security , , , ,
Kentucky imposes new security and data breach notification requirements.
Kentucky imposes new security and data breach notification requirements.

In its most recent legislative session, the Kentucky General Assembly enacted two new data breach laws, HB 5 and HB 232, which go into effect July 15, 2014. Kentucky governmental agencies, those doing business with governmental agencies, and persons simply doing business in Kentucky should be aware of these added data security and breach notification requirements. Some level of comfort may be taken by health care providers, health insurance companies, banks, or others who are subject to either the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or Title V of the Gramm-Leach-Bliley Act of 1999, as at least HB 232 appears to exempt them.  However, questions remain as to whether HIPAA-covered entities and banks are exempt under HB 5 when they have a contract with a state agency and receive personal information from the agency.  Hopefully this issue will be sorted out in the rule-making to come, before additional requirements of HB 5 kick in on January 1, 2015.

Continue reading