Who Accessed My Health Records? Recommendation for Quality over Quantity in Access Reports

By Kathie McDonald-McClure, Ann F. Triebsch and Margaret Young Levi

Group of Healthcare Professionals
Accounting for Disclosures Would Include Disclosures of PHI to All Staff

The Office of National Coordinator (ONC) Health IT Policy Committee voted in December 2013 to recommend that the United States Department of Health & Human Services (HHS) scale back its 2011 proposed rules requiring covered entities to provide patients with reports showing the name of every staff member who accessed their information in an electronic health record (EHR). As reported by Government Health IT, the committee’s Privacy and Security Tiger Team opposes a requirement that entities covered by the Health Insurance Portability & Accountability Act of 1996 (HIPAA) give such broad “accounting of disclosure” reports to patients. Continue reading

Initial HIPAA Audit Report Provides Some Guidance, Identifies Top Risks

In our November 2011 blog post, we told you about the launch of HIPAA privacy and security audits mandated by Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). KMPG, Inc. was awarded the contract to develop the audit protocol and conduct these audits last fall and, on March 1, 2012, completed its initial group of 20 audits aimed at testing the audit protocol. The United States Department of Health & Human Services’ (HHS) Office of Civil Rights (OCR) recently issued a preliminary report of the results (click here to see OCR’s slide presentation of the 2012 HIPAA Privacy and Security Audits Report). 

Continue reading

Early Meaningful Users Promised Stage 2 Extension

On November 30, 2011, U.S. Department of Health and Human Services (HHS) Secretary Kathleen Sebelius issued a press release announcing proposed steps to encourage physicians and hospitals to adopt electronic health records (EHRs) this year and receive incentive payments made available under the Health Information Technology for Economic and Clinical Health (HITECH) Act), which was part of the American Recovery and Reinvestment Act of 2009 (ARRA). 

Under the HITECH Act, physicians and hospitals have the opportunity to earn financial incentives from Medicare and Medicaid if they demonstrate the adoption and meaningful use of certified EHRs in a series of three stages. Under the current rules, physicians and hospitals that adopt EHRs in 2011 and attest to meeting Stage 1 meaningful use standards by February 28, 2012 must meet Stage 2 standards in 2013. If they wait until 2012 to attest to Stage 1, providers could delay Stage 2 compliance until 2014. To encourage more providers to adopt EHRs in 2011, instead of waiting until 2012, HHS proposes to allow providers who qualify for Stage 1 meaningful use in 2011 an extension until 2014 to meet Stage 2 standards. HHS clarified that providers first attesting to meaningful use in 2011 qualify for both 2011 and 2012 incentive payments.

These proposed steps are consistent with June 2011 recommendations from the Health IT Policy Committee (HITPC).  As we reported this summer, HITPC advocated that providers who begin to attest to meaningful use in 2011 be provided an extra year “to phase in the stage 2 expectations (i.e., Stage 2 for those who attest in 2011 would begin in 2014).”  HHS listened!

HHS intends to publish this extension in the Stage 2 meaningful use Notice of Proposed Rulemaking (NPRM) in February 2012.

At the same time, HHS also released new data from the Centers for Disease Control and Prevention (CDC) showing increased adoption of EHRs by physicians.  The CDC report documented that physicians’ adoption of health information technology (IT) doubled in two years, and 52% of physicians intend to apply for meaningful use incentives, up from 41% in 2010.  Click here to access additional information about achieving meaningful use, including the CDC report.

CMS Issues HITECH IT Guidance to State Medicaid Directors

On August 17, 2010, the Centers for Medicare and Medicaid Services (CMS) issued a 4-page letter plus attachments to State Medicaid Directors giving guidance on the implementation of Medicaid EHR incentive programs under the Health Information Technology for Economic and Clinical Health Act (HITECH) and the recently published CMS Final Rule under HITECH.  HITECH mandates that the Federal government provide 100% funding to States for the incentives available to eligible professional and hospitals who participate in HITECH’s Medicaid incentive program, and 90% funding to States for the administration of such Medicaid incentives.  States, however, must qualify for the 90% administrative Federal funding participation (FFP) by:

  1. Administering the Medicaid incentive payments to eligible professionals and hospitals;
  2. Overseeing the Medicaid incentive program, including tracking “meaningful use” attestations and reporting mechanisms; and
  3. Pursuing initiatives that encourage the adoption of certified EHR technology for the promotion of health care quality and the electronic exchange of health information.

Importantly, States must use the HIT Implementation Advance Planning Document (IAPD) in order to request the FFP and must receive approval before implementing proposed activities and services or acquiring equipment. CMS points out that some activities may be more appropriately reimbursed through the existing Medicaid Management Information Systems and that other administrative expenditures may not be eligible for any Federal funding.  States must have a State Medicaid Health Information Technology Plan (SMHP) outlining the State’s current and future HIT landscape and plans for implementation of the Medicaid EHR incentives.  CMS made available a SMHP template for States to outline their Medicaid EHR incentive implementation plans and timeline, referenced here.

The guidance documents CMS included with its letter are: A)  Administering the Medicaid EHR Incentive Program; B) Oversight of the Medicaid Incentive Program; C) Guiding Principles for the Use of the 90% FFP for EHR Promotion; and D) SMHP/IAPD Review Process.   For additional CMS information for states, click here.

HHS announces proposed rulemaking to “significantly” modify HIPAA

On Thursday, July 8, 2010, the United States Department of Health & Human Services (HHS) held a press briefing to announce “significant modifications” through proposed rulemaking to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) pursuant to the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). The proposed modifications also seek to strengthen the privacy of health information and help Americans understand their rights and resources available to safeguard their personal health information. As part of the latter effort, Sebelius announced the launch of another new website “where Americans can read about all HHS’ efforts to protect privacy in the exchange of electronic health information and that will give Americans the tools needed to embrace technology to take control over their health information.” The website will be available at www.hhs.gov/healthprivacy.

Continue reading