OIG Report on CMS’ EHR Audit Practices Concludes The Practices Are Not Very Sophisticated

By Ann Triebsch and Kathie McDonald-McClure

Following our blog post on December 11, 2013 about Part One of a report from the Office of the Inspector General for the United States Department of Health and Human Services (OIG) about fraud safeguards in electronic health records (EHRs), the OIG recently issued Part Two of its report.  Dated January 2014, the report is entitled, “CMS and Its Contractors Have Adopted Few Program Integrity Practices to Address Vulnerabilities in EHRs”.  That title pretty well sums up the report’s findings about the audits conducted by contractors for the Centers for Medicare and Medicaid Services (CMS).

The OIG’s January 2014 report and the earlier December 2013 report both rely heavily on a 2007 study by RTI International (RTI), which was performed under a contract with the Office of the National Coordinator for Health Information Technology (ONC).  The RTI Study made recommendations for enhancing data quality and integrity in EHRs. The recommendations were aimed at both strengthening some EHR benefits and providing tools within the EHR for detecting inappropriate documentation practices that are unique to EHRs.  The OIG investigated whether those tools have been put into full force.

CMS Extends Eligible Professional MU Attestation Deadline until March 31, 2014

On Friday, February 7, 2014, the Centers for Medicare and Medicaid Services (CMS) announced an extension until 11:59 pm on March 31, 2014 for Eligible Professionals to submit their 2013 EHR Meaningful Use (MU) attestation.  In addition, Eligible Hospitals that had trouble submitting their 2013 MU attestation may be able to retroactively submit their attestation to avoid the 2015 payment adjustment but must contact CMS by March 15, 2014 at 11:59 pm to do so.  Note that only the attestation deadline is being moved. The requirement to meet MU by September 30, 2013 for Eligible Hospitals and by December 31, 2013 for Eligible Professionals in order to avoid the 2015 payment adjustment is not affected.

(We would provide a link to this CMS announcement, but it is currently not readily available on the CMS EHR Incentive Program website and, in fact, CMS has not yet updated the EP deadline on its home page for the Program. When and if additional details become available on the CMS webpage, we’ll post them here!)

HHS Amends CLIA to Broaden the Patient’s Access Rights to Lab Test Results

by Kathie McDonald-McClure and Elizabeth O’Keeffe

As we have previously reported on the Wyatt HITECH Law blog on September 14, 2013 and September 23, 2011, the Department of Health and Human Services (HHS) has had in the works, for over two years now, revisions to the Clinical Laboratory Improvement Act of 1988 (CLIA) regulations concerning whether a lab may release test results directly to patients.  On February 3, 2013, HHS announced the release of a Final Rule (Final Rule) amending the CLIA regulations to allow laboratories to give a patient, or a person designated by the patient, his or her “personal representative”, access to the patient’s completed test reports upon the patient’s or patient’s personal representative’s request.  The Final Rule was issued jointly by three agencies within HHS: the Centers for Medicare & Medicaid Services (CMS), which is generally responsible for laboratory regulation under CLIA, the Centers for Disease Control and Prevention (CDC), which provides scientific and technical advice to CMS related to CLIA, and the Office for Civil Rights (OCR), which is responsible for enforcing the HIPAA Privacy Rule.

Legislation would require Kentucky businesses to notify consumers of data breach

by Dan Soldato

Data breaches, particularly of consumer information and other private information, are becoming an increasing public concern and a headline in the daily news.  We regularly hear about incidents in which electronically stored customer information is lost by or stolen from businesses, including health care companies, retailers, and telecommunications companies.  These risks are exponentially increasing with the increased use of mobile devices in businesses (e.g., laptops, tablets, flash drives, smartphones, etc.) and the increased use of mobile apps by consumers.  Electronic data, if not adequately secured, can lead to both physical and electronic thefts (e.g., hacking, malware, etc.).  In light of the increase in data breach reports, this week, the Consumer Financial Protection Bureau issued an advisory bulletin to provide guidance to consumers on protecting their personal information following the recent high-profile breaches involving debit cards and other payment data (e.g., Target, Michaels, Neiman Marcus).  Notice to consumers about a breach of their data is seen as another way to further protect against a loss.

Data Breach Laws. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Section 5 of the Federal Trade Commission Act are two federal laws under which federal agencies aim to protect the confidentiality of sensitive personal information such as health information, social security numbers and other personally identifiable information.  In addition, many states have enacted laws that have a similar aim.  One such law that many states have enacted is a breach notification law that requires business entities to notify affected individuals when their personally identifiable information has been breached or compromised.

Kentucky is one of a handful of states that has yet to enact a breach notification law.  However, on January 21, 2014, Representative Steve Riggs introduced HB232, which, if passed, would implement new standards and requirements to notify affected individuals in the event of a breach of their personally identifiable information.  The Bill is now under consideration by the House Labor and Industry Committee.

EHR Donation Safe Harbors Extended to 2021

by Margaret Young Levi and Roz Cordini

Amidst concerns that physicians and other providers are slow to adopt electronic health record (EHR) systems and be “meaningful users” of health information technology, just before the New Year, the federal government extended two programs that permit hospitals and other health care providers as well as health plans to subsidize physician offices’ adoption of EHRs without violating the Anti-Kickback Statute and Stark Law prohibition on inducements for referrals of federal health care program business.  These programs were not simply extended though.  This article addresses certain modifications to the programs of which providers should be aware.