The Kentucky Health Information Exchange (KHIE) has issued its June 2014 Newsletter, The KHIE Connection. This month’s issue includes a summary of the Centers for Medicare and Medicaid Services (CMS) Notice of Proposed Rule Making (NPRM) that, if finalized, would allow providers to meet Stage 1 or Stage 2 Meaningful Use with electronic health records (EHRs) that are certified to HHS ONC’s 2011 or 2014 Edition criteria or a combination of both Editions. Comments to the NPRM must be received by July 21, 2014. The newsletter also addresses Medicare’s scheduled payment adjustments for 2015 that will impact eligible hospitals and providers who do not timelyattest to Meaningful Use of certified EHRs. Guidance on attesting to Meaningful Use also is included.
Saturday, March 1, 2014, is the deadline for entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to report to the U.S. Department of Health & Human Services Office for Civil Rights (OCR) all “small breaches” of unsecured protected health information that occurred during 2013. Entities subject to this deadline include a health care provider that conducts certain transactions in electronic form, health plans and health care clearinghouses. A “small breach” is a breach affecting less than 500 individuals.
Although affected individuals must be notified within 60 days of the breach’s discovery, the breach itself also must be reported to OCR within 60 days of the close of the calendar year in which it was discovered, or by March 1 of the following year. The notice must be submitted electronically. A separate breach notification form must be completed for each breach. To submit breach notification reports to OCR, click here.
Remember: HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the HIPAA Omnibus Rule, has a new definition of a “breach” that became effective March 26, 2013. It is OCR’s position that a breach is presumed—unless an entity can demonstrate that there is a Low Probability that the data has been Compromised (LoProCo). With any loss, theft or potential unauthorzed access to unsecured protected health information, entities should immediately perform a risk assessment and look at certain factors to decide whether there is a low probability of compromise or LoProCo. If a LoProCo analysis is not done, a breach is presumed and, even if under a LoProCo analysis it would not have been a breach, a loss, theft or unauthorized access of unsecured protected health information must be reported as a breach to OCR. For more information about the LoProCo analysis, see our previous post on December 1, 2013, here.
by Kathie McDonald-McClure and Elizabeth O’Keeffe
As we have previously reported on the Wyatt HITECH Law blog on September 14, 2013 and September 23, 2011, the Department of Health and Human Services (HHS) has had in the works, for over two years now, revisions to the Clinical Laboratory Improvement Act of 1988 (CLIA) regulations concerning whether a lab may release test results directly to patients. On February 3, 2013, HHS announced the release of a Final Rule (Final Rule) amending the CLIA regulations to allow laboratories to give a patient, or a person designated by the patient, his or her “personal representative”, access to the patient’s completed test reports upon the patient’s or patient’s personal representative’s request. The Final Rule was issued jointly by three agencies within HHS: the Centers for Medicare & Medicaid Services (CMS), which is generally responsible for laboratory regulation under CLIA, the Centers for Disease Control and Prevention (CDC), which provides scientific and technical advice to CMS related to CLIA, and the Office for Civil Rights (OCR), which is responsible for enforcing the HIPAA Privacy Rule. Continue reading
Saturday, November 30, 2013, is the last day for hospitals and critical access hospitals (CAHs) to register and attest to receive an incentive payment for FY2013 under the Medicare Electronic Health Record (EHR) Incentive Program. In the flurry of Thanksgiving activities, holiday travel and Black Friday shopping, don’t forget to take advantage of this deal. The Centers for Medicare and Medicaid Services (CMS) has posted a reminder of these deadlines on its Medicare & Medicaid EHR Incentive Program Registration & Attestation System webpage.
NOTE: On February 18, 2010, we posted an article about what to do with paper medical records when converting to an electronic health record (EHR). To date, this has been the most popular article on the HITECH Law Blog. We decided to re-review the topic, update it, and repost it. Actually, not much has changed in the way of the law applicable to this topic. So, the article below reiterates most of the tips from our original article with a few refinements, including additional information about retention periods.
Many hospitals have electronic health records (EHRs) that are hybrid digital records. While the hospital may be using electronic data entry in the emergency department, inpatient nursing care, pharmacy, lab, and pre-op anesthesia, oftentimes, these EHRs are not integrated and, thus, are not merged into a single EHR. The short-term solution may have been to scan printed records from some department, like lab or pharmacy, into the patient’s on-line digital record. As a result, the hospital’s “electronic health record” contains information that is not captured in a “coded format.” For one, this will not meet the “meaningful use” criteria under the HITECH Act.
But let’s assume that the hospital can overcome this hurdle by working with vendors to integrate these records in a way that will meet HITECH EHR certification standards. If the hospital has been maintaining certain portions of patient records in a paper format, what does it do with those paper records after converting to an EHR? If the hospital scans all the paper patient records into its EHR, how long should the hospital retain the paper record after it is scanned into their EHR?