No Further Extensions for ICD-10 and MU Stage 2

Update: On April 1, 2014, President Obama signed into law the “Doc Fix” bill, Public Law 113-93, which extends the deadline for ICD-10 for an additional year. Section 212 of this law prohibits the Secretary of Health and Human Services from adopting ICD-10 code sets prior to October 1, 2015.

Everyone is a-twitter (pun intended) about the announcement on Thursday, February 27, 2014, from Marilyn Tavenner, the Administrator for the Centers for Medicare & Medicaid Services (CMS), that the deadline for adoption of ICD-10 will not be extended. Tavenner was the keynote speaker at the HIMSS14 conference, and numerous tweets from HIMSS attendees highlighted her assertion that CMS will stand firm on the October 1, 2014 deadline. All entities covered by the Health Insurance Portability and Accountability Act (HIPAA) must be prepared to use ICD-10 codes on transactions by this date.

Tavenner also affirmed that the deadlines for Stage 2 Meaningful Use (MU) will not be extended. Providers who are not meaningful users of Certified Electronic Health Record (EHR) Technology under the Medicare EHR Incentive Programs will face a penalty, in the form of Medicare payment adjustments. These payment adjustments will be applied beginning on January 1, 2015.

March 1, 2014 is Deadline to Report Breaches Affecting Less than 500

Saturday, March 1, 2014, is the deadline for entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to report to the U.S. Department of Health & Human Services Office for Civil Rights (OCR) all “small breaches” of unsecured protected health information that occurred during 2013. Entities subject to this deadline include health care providers that conduct certain transactions in electronic form, health plans and health care clearinghouses. A “small breach” is a breach affecting less than 500 individuals.

Although affected individuals must be notified within 60 days of the breach’s discovery, the breach itself also must be reported to OCR within 60 days of the close of the calendar year in which it was discovered, or by March 1 of the following year.  The notice must be submitted electronically.  A separate breach notification form must be completed for each breach.  To submit breach notification reports to OCR, click here.

Remember: HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the HIPAA Omnibus Rule, has a new definition of a “breach” that became effective March 26, 2013. It is OCR’s position that a breach is presumed—unless an entity can demonstrate that there is a Low Probability that the data has been Compromised (LoProCo). With any loss, theft or potential unauthorized access to unsecured protected health information, entities should immediately perform a risk assessment and look at certain factors to decide whether there is a low probability of compromise or LoProCo. If a LoProCo analysis is not done, a breach is presumed and, even if under a LoProCo analysis it would not have been a breach, a loss, theft or unauthorized access of unsecured protected health information must be reported as a breach to OCR. For more information about the LoProCo analysis, see our previous post on December 1, 2013, here.

Puerto Rico Imposes Massive Fine for Insurer’s Data Breach

The Puerto Rico Health Insurance Administration has fined Triple-S Salud Inc. (TSS) $6.8 million for failure to safeguard Medicare beneficiary numbers. This far exceeds any fine imposed by or settlement reached by the United States Office of Civil Rights to date for HIPAA data breaches. How did the fine reach such a staggering amount? What lessons can be learned?

After LabMD: FTC, What Do We Comply With?

by Ann F. Triebsch

As observers of data security enforcement are aware, the Federal Trade Commission (FTC) determined on January 16, 2014, that even entities that are already subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA) are also subject to FTC jurisdiction and enforcement powers for data security breaches. In the LabMD decision, the FTC denied the motion to dismiss sought by LabMD in the administrative case against it, which was formally filed in August, 2013. This outcome, though anticipated, has stirred up plenty of discussion, including about how to know whether or not you’re storing data in a way that satisfies the FTC, and what happens if you’re not. For entities that are subject to HIPAA and have been following the HIPAA Security Rule regulations, is this enough? Should they be doing more to also demonstrate compliance to the FTC?

CMS Provides Detailed Instructions on Deadline Extension for 2013 MU Attestation

On Friday, February 7, 2014, the Centers for Medicare and Medicaid Services (CMS) announced an extension until 11:59 pm on March 31, 2014 for Eligible Professionals to submit their 2013 EHR Meaningful Use (MU) attestation. In addition, Eligible Hospitals that had trouble submitting their 2013 MU attestation may be able to retroactively submit their attestation to avoid the 2015 payment adjustment but must contact CMS by March 15, 2014 at 11:59 pm to do so. Note that only the attestation deadline is being moved. The requirement to meet MU by September 30, 2013 for Eligible Hospitals and by December 31, 2013 for Eligible Professionals in order to avoid the 2015 payment adjustment is not affected.

What’s new from our previous post about this?  Today, CMS published specific instructions on how to take advantage of the extensions of the 2013 MU attestation deadlines in its MLN Connects, Weekly Provider eNews dated Thursday, February 13, 2014.  Scroll to the section titled “New EHR Attestation Deadline for Eligible Professionals: March 31” which provides instructions for both Eligible Professionals and Eligible Hospitals.  CMS also updated the Eligible Professional 2013 attestation deadline on its EHR Incentive Programs home page.