Electronic Health Records

Changes to the Health Breach Notification Rule Include Regulations for Health Apps

nsreenan Data Breach & Notification, Data Privacy & Security, Electronic Health Records, FTC Enforcement, Health Information Technology, HIPAA , , , , , , , , , , ,

Written by: Margaret Young Levi and Casey Parker-Bell (Wyatt Summer Associate)

Vendors who maintain personal health records will soon be subject to amended rules for notifying customers of data breaches. The Federal Trade Commission (“FTC”) has issued a Final Rule, finalizing changes to the Health Breach Notification Rule (“HBNR“) first issued in 2009 (the “2009 Rule”). The Final Rule clarifies the HBNR’s application to apps and other new technologies in the healthcare industry.

New technology, like fitness trackers and other direct-to-consumer health tech and wearable apps, have increased the amount of health data collected from consumers. There is a growing concern that some companies are disclosing or selling individuals’ personal health data for marketing and other purposes, while not subject to protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). “We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information.” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The proposed amendments to the new rule will allow it to keep up with marketplace trends, and respond to development and changes in technology.” The FTC has announced this Final Rule to address these new technologies.

The Final Rule’s Changes to the HBNR

The HBNR requires vendors of personal health records (“PHRs”) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured PHR identifiable health information. The HBNR also requires third-party service providers of personal health records to provide notifications. After seeking comments on proposed changes to better protect consumer who use PHRs, the FTC finalized the following changes to the HBNR:

Continue reading

CMS Proposed Rule on Hospital EHR “Electronic Patient Event Notifications”

Kathie McDonald-McClure Cures Act and Program Interoperability, Data Privacy & Security, EHR Certification Standards, Electronic Health Records, Health Information Technology, HIPAA, HITECH Law , , , , ,

By Kathie McDonald-McClure and Margaret Young Levi

Doctor Speaking with Patient

Summary: CMS proposes new Medicare Conditions of Participation (CoPs) for hospitals that will require the hospital EHR to send electronic event notifications to post-acute care providers when a patient has been admitted, discharged, or transferred.  What must hospitals do, and how much time is needed, to operationalize the new CoPs, considering a process will need to be developed that identifies providers who should and can receive these event notices? What will be required, and how much time is needed, to reconfigure EHRs to send the notifications and demonstrate compliance with the multiple facets of the CoP?  Will PAC providers be obligated to operationalize the receipt and use of these notifications under the IMPACT Act?  CMS is seeking stakeholder input on its proposal, including a reasonable time frame for implementation. Comments are due June 3, 2019.* Continue reading

Providers Talk, CMS Listens: CMS Announces Plan to Modify Meaningful Use Requirements

Margaret Young Levi Electronic Health Records, Health Information Technology, HITECH Law, Hospital EHR Incentives, Meaningful Use , , , , , , , ,

On January 29, 2015, Centers for Medicare & Medicaid Services (CMS) electronic health recordannounced its intent to make changes to the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs beginning in 2015, which aim to “help to reduce the reporting burden on providers.”

Providers have expressed concerns about the EHR Incentive Programs’ requirements and their burden on providers. In response to those concerns, CMS is considering whether to:

  • Shorten the EHR reporting period in 2015 to 90 days to accommodate these changes.
  • Realign hospital EHR reporting periods to the calendar year to allow eligible hospitals more time to incorporate 2014 Edition software into their workflows and to better align with other CMS quality programs.
  • Modify other aspects of the program to match long-term goals, reduce complexity, and lessen providers’ reporting burdens.

CMS is expected to engage in rulemaking this spring to implement these changes to the EHR Incentive Programs. These changes will not be included in the proposed regulations regarding Stage 3 meaningful use requirements and criteria that CMS plans to issue by early March 2015 and which will apply in 2017 and subsequent years.

 

Can’t Complete the Stage 2 MU Summary of Care Measure 3 Test with a CMS Designated Test EHR? CMS Issues New FAQ on Alternative

Kathie McDonald-McClure Electronic Health Records, Eligible Professional Incentives, Health Information Technology, HITECH Law, Hospital EHR Incentives, Meaningful Use , , ,

HCP with stethoscope using phone while on laptopOn January 22, 2015, the Centers for Medicare and Medicaid Services (CMS) updated previously posted FAQ No. 11666 to help guide providers who are striving to meet Stage 2 Meaningful Use criteria under the Medicare and Medicaid EHR Incentive Programs implemented by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The updated FAQ addresses the problem providers are having in meeting Measure 3 under the Stage 2 Summary of Care objective. The question posed is:

“When reporting on the Summary of Care objective in the EHR Incentive Programs, how can eligible professionals, eligible hospitals, and critical access hospitals (CAHs) meet measure 3 if they are unable to complete a test with the CMS Designated Test EHR (NIST EHR-Randomizer Application)?”

The CMS answer is as follows: Continue reading

AHIMA Issues Guidance on Appropriate Use of Copy and Paste in EHRs

Kathie McDonald-McClure EHR Certification Standards, Electronic Health Records, Fraud and Abuse, Health Information Technology, HITECH Law, Meaningful Use , , , , , ,

16354859As we have written about in previous posts, the Office of Inspector General (OIG) for the United States Department of Health and Human Services (HHS) has been critical of the copy/paste function that is available in electronic health record (EHR) technology developed by software vendors.  (See “Electronic Health Records in OIG’s Sights for 2013“, October 20, 2012; “OIG recommends fraud safeguards in hospital EHR technology“, December 11, 2013; “OIG Report on CMS’ EHR Audit Practices Concludes The Practices Are Not Very Sophisticated“, February 11, 2014)  As our February 11, 2014 post concludes, while turning off the copy/paste functionalities are not the immediate solution to preventing a misuse of the function, health care providers should implement standards for its use.  The American Health Information Management Association (AHIMA) recently issued guidance, “Appropriate Use of the Copy and Paste Functionality in Electronic Health Records,” dated March 17, 2014, discussing the availability and appropriate use of the copy and paste function.

AHIMA supports maintaining the copy/paste functionality in ONC’s EHR certification standards and allowing for its use in CMS Conditions of Participation.  AHIMA encourages CMS to augment provider education and training materials on the appropriate use of copy/paste in order to reduce the risk that it may pose to quality of care, patient safety and fraudulent documentation.  Importantly, AHIMA recommends that health care providers implement policies and procedures to guide users of EHRs on the proper use of copy/paste functionalities.  To read the AHIMA guidance, click here.