OIG recommends fraud safeguards in hospital EHR technology

December 11, 2013March 12, 2014 Kathie McDonald-McClure EHR Certification Standards, Electronic Health Records, Fraud and Abuse, Health Information Technology, HITECH Law EHR cut and paste function, EHR fraudulent documentation, Electronic Health Records, Health Information Technology, hospital incentives for EHRs, OIG Report on EHR Fraud

On December 10, 2013, the Office of Inspector General for the United States Department of Health & Human Services (OIG) issued a report finding that hospital implementation of fraud safeguards in electronic health records (EHRs) falls short of the recommended standards. The report carries out one of the OIG’s 2013 Work Plan objectives to study how EHR technology may lead to improper payments by federal healthcare programs. In its Work Plan, the OIG had noted that: “Medicare contractors have noted an increased frequency of medical records with identical documentation across services.”

The OIG’s findings were extracted from the responses to an on-line questionnaire to 864 hospitals that had received Medicare EHR incentive payments as of March 2012. The questionnaire focused on four EHR fraud safeguards: 1) EHR audit functions; 2) EHR user authorization and access; 3) EHR data transfer; and 4) patient involvement via the ability to access and comment within their EHR. The OIG criticized the Centers for Medicare and Medicaid Services (CMS) and the Office of National Coordinator of Health Information Technology (ONC) for failing to incorporate recommended safeguards into meaningful use criteria and EHR certification standards.

Continue reading →

CMS Extends Stage 2 Meaningful Use through 2016

December 6, 2013March 12, 2014 Kathie McDonald-McClure EHR Certification Standards, Electronic Health Records, Eligible Professional Incentives, Health Information Technology, HITECH Law, Hospital EHR Incentives, Meaningful Use EHR Certification Standards, EHR Stage 2 MU, Electronic Health Records, eligible professional EHR incentives, HITECH Act, hospital EHR incentives, meaningful use of certified EHR

On Friday, November 6, 2013, the Centers for Medicare & Medicaid Services (CMS) and the Office of National Coordinator of Health Information Technology (ONC) announced its proposal to extend the timeline by which eligible healthcare providers must demonstrate a “meaningful use” (MU) of a certified electronic health record (EHR) in compliance with the MU Stage 2 criteria set forth in regulations issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. Originally, eligible providers who demonstrated Stage 1 MU by the end of 2013 would have had to demonstrate at least 3 months of Stage 2 MU by September 30, 2014 for eligible hospitals and critical access hospitals (CAHs) and by December 31, 2014 for eligible professionals, do one more year of Stage 2 in 2015, and then move to Stage 3 by 2016. The CMS – ONC apparently will give all eligible providers more time to stay in Stage 2, stating: “Under the revised timeline, Stage 2 will be extended through 2016 and Stage 3 will begin in 2017 for those providers that have completed at least two years in Stage 2.” In essence, the start of Stage 3 is being delayed and, apparently (pending further rule making), nothing else.

Continue reading →

Lessons Learned from Meaningful Use Audits

December 5, 2013March 12, 2014 Margaret Young Levi Electronic Health Records, Eligible Professional Incentives, Health Information Technology, HITECH Law, Hospital EHR Incentives, Meaningful Use hospital incentives for EHRs, meaningful use audits, meaningful use security risk assessment

HITECH Act meaningful use auditor
By Margaret Levi and Kathie McDonald-McClure

As we previously reported in a blog post on September 24, 2013, an eligible professional, eligible hospital, or critical access hospital receiving an incentive payment for the meaningful use (MU) of electronic health records (EHRs) will likely be subject to a stringent audit from either Medicare or Medicaid. The fact that these MU audits are underway is now fully evident.

We have heard from several sources that CMS auditors are hitting Tennessee and Kentucky hospitals and physician practices and demanding repayment of meaningful use incentive monies if providers cannot fully back up their attestations for Stage 1 compliance in every respect.

Continue reading →

Don’t Forget to Protect your Paper Health Records!

December 2, 2013March 12, 2014 Margaret Young Levi Electronic Health Records, Health Information Technology, Privacy & Security Converting from paper to EHR, HIPAA breach, privacy and security of protected health information

Even as health care providers have moved to convert from paper to electronic health records, it remains just as important to continue to protect paper health information records. While the majority of data breaches involve mobile devices such as laptops and flash drives, a significant number of large data breaches (those affecting 500 or more individuals) Continue reading →

Conducting HIPAA Breach Risk Assessments Using the “LoProCo” Analysis

December 1, 2013March 12, 2014 Margaret Young Levi Federal Law Resources, Health Information Technology, HITECH Law, Privacy & Security HIPAA breach, HIPAA LoProCo, HIPAA Omnibus Rule, HIPAA risk assessment, HITECH Act, low probability of compromise, Privacy & Security, privacy and security of protected health information, U.S. Department of Health & Human Services Office for Civil Rights

by Margaret Young Levi and Kathie McDonald-McClure

The U.S. Department of Health & Human Services Office for Civil Rights (“OCR”) has a new acronym, “LoProCo,” relating to assessing data breaches under HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the HIPAA Omnibus Rule that became effective March 26, 2013.

It is OCR’s position that a breach is Continue reading →