CMS Releases Proposed Rule for Stage 2 Meaningful Use of Electronic Health Records

On Thursday, February 23, 2012, the Centers for Medicare and Medicaid Services (CMS), pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, released a 455-page Proposed Rule specifying the Stage 2 criteria that eligible professionals (EPs), eligible hospitals and critical access hospitals (CAHs) must meet in order to qualify for Medicare and/or Medicaid incentives related to electronic health records (EHRs).  The Proposed Rule also proposes to modify certain Stage 1 criteria, as well as criteria that apply regardless of Stage, as previously published in the Final Rule on July 28, 2010 in the Federal Register.  The proposed provisions related to Medicaid (calculations of patient volume and hospital eligibility) would take effect shortly after the finalization of the Proposed Rule and would not be subject to the proposed one-year delay for Stage 2 meaningful use of a certified EHR.  The Proposed Rule states that the changes to Stage 1 would take effect for 2013, but that most changes would be optional until 2014.  Last but not least, the Proposed Rule addresses the Medicare payment adjustments that will take place for EPs, eligible hospitals and CAHs who fail to demonstrate a meaningful use of certified EHRs by 2015 and proposed exceptions to such adjustments.


February 29 Data Breach Reporting Deadline Fast Approaching!

The deadline is quickly approaching for mandatory data breach reporting to the United States Department of Health & Human Services (HHS) under the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Covered entities must report data breaches involving fewer than 500 individuals to HHS within 60 days following the end of the calendar year in which the breach occurred. Because 2012 is a leap year, covered entities that experienced a data breach involving fewer than 500 individuals in 2011 should submit data breach notification reports to HHS by February 29, 2012.

The reports must be submitted electronically.  Please follow these links for the submission form and reporting instructions.

Office of Civil Rights Launches Privacy and Security Audits

Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) requires the United States Department of Health & Human Services (HHS) to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. The HHS Office of Civil Rights (OCR) announced yesterday, November 8, 2011, the launch of long-expected privacy and security audits.

In our blog on July 13, 2011, we posted information concerning OCR’s hiring of contractors to conduct new periodic audits of covered entities and business associates to ensure compliance with the Privacy and Security Standards found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as amended by the HITECH Act. Yesterday, OCR announced a pilot program to perform up to 150 audits to assess privacy and security compliance. Audits conducted during the pilot phase will begin in November 2011 and conclude by December 2012.

The initial 150 audits will focus on covered entities, and the audits will begin this month and end by December 2012. Business Associates may have a brief respite but should expect to be the target of future audits.

OCR’s stated goals of the audits are to “examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews.” OCR will “share best practices gleaned through the audit process and guidance targeted to observed compliance challenges.”

Covered entities will be notified in writing if selected for an audit and should be on the lookout for these notices because selected entities have only a short period of time, 10 business days, in which to respond and provide any requested information. After the initial request for information, auditors may conduct onsite audits at an organization. Covered entities will receive 30 to 90 days advance notice of an onsite visit, and auditors expect to spend three to ten days onsite reviewing records, policies and practices. Prior to an auditor’s submission of a final report to OCR, the covered entity will have an opportunity to provide written comments on the auditor’s findings.

Click here to link to OCR’s website with additional details concerning the OCR HIPAA Audit Program.

Final Rule on ACOs encourages EHR adoption but eliminates “meaningful use” requirement

The Centers for Medicare and Medicaid Services (CMS) announced today, October 20, 2011, that the use of certified electronic health records (EHRs) will be the highest-weighted quality measure for an Accountable Care Organization (ACO) under the new Medicare Shared Savings Program.

ACOs are designed to encourage primary care doctors, specialists, hospitals, and other health care providers to coordinate their care. The CMS Final Rule on ACOs bases the amount of shared savings that an ACO may receive for its performance on four domains of quality: 1) quality standards on patient experience; 2) care coordination and patient safety; 3) preventive health; and 4) at-risk populations. To earn shared savings in the first performance year, providers must report across all four domains of quality, which include a total of 33 quality measures. Providers will begin to share in savings based on how well they perform on 23 of the 33 quality measures in the second performance year and on 32 of the 33 measures in the third performance year.

Measure 20 of the 33 quality measures requires ACOs to report the percentage of primary care providers (PCPs) who successfully qualify for an EHR Incentive Program payment.  CMS expanded the scope of PCPs who can be counted in this measure by eliminating the requirement that the PCP be a “meaningful EHR user” as defined in 42 C.F.R. § 495.4 of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.  CMS stated that it “decided to . . . expand [measure 20] to include any PCP who successfully qualifies for an EHR Incentive Program incentive rather than only including those deemed meaningful users.”


ONC Announces Text4Health Task Force

In an article titled, “Use of electronic communications with patients,” posted to this blog on December 18, 2009, I discussed the stated goal under the Health Information Technology for Economic and Clinical Health (HITECH) Act  to “[p]rovide patients and families with timely access to data, knowledge, and tools to make informed decisions and to manage their health.” The article explored whether and to what extent patient messaging, including text messaging, might be used to achieve this HITECH Act goal.  The U.S. Department of Health and Human Services (HHS) also is exploring ways to integrate text messaging into individual health management.  On September 19, 2011, HHS announced the formation of the Text4Health Task Force, with specific recommendations that support health text messaging and mobile health (mHealth) programs.  The HHS press release states: “The department has been actively exploring means to capitalize on the rapid proliferation of mobile phone technology and platforms, such as text messaging, to develop programs and/or partnerships with the overall aim of improving public health outcomes.”  The HHS press release cites certain smoking cessation programs that utilize text messaging as representative of the direction in which this technology can be further exploited to improve population health.  Among its recommendations, the Text4Health Task Force includes a recommendation related to electronic health records (EHRs) and, more specifically, recommends that “HHS align health text messaging/mHealth activities with other HHS Health IT priorities.”  To read the HHS Text4Health Task Force recommendations, click here.