Washington Medicaid EHR Incentive Program Webinar

The Washington State Health Care Authority announced that it will be hosting a webinar to aid in the registration for the Medicaid EHR Incentive Program.  This will help providers who are registering and attesting to both adopt, implement and upgrade and meaningful use.

Topics Include: Navigating the WA ST EHR Attestation Application-eMIPP (MU Stage 1)

  • Attestation
  • Navigating the eMIPP application
  • How to get paid correctly
  • Live Q & A after presentation

To register click here.

The state of Washington has also published helpful tools for registration, including user guides and state specific worksheets (for example the .95 multiplier).

These webinars are very informative and it is recommended that all first time applicants (and those applicants that need a refresher) attend.

Also, note that though the Medicare EHR Incentive Program has extended registration through March 31, 2014, the Washington Medicaid EHR Incentive Program requires registration and attestation by February 28, 2014.

For assistance with registration and attestation for the Medicare or Medicaid EHR Incentive Program please contact Elana Zana.

 

Meaningful Use Audits – Security Risk Analysis

‘Tis the season for Meaningful Use, the time of year when eligible professionals (EPs) and eligible hospitals (EHs) compile their data from the meaningful use measures and prepare for attestation.  It is also the season of meaningful use audits.  A lesson learned from recent audits: CMS means what it says – EPs and EHs must conduct a security risk analysis.  This measure is not one to be taken lightly – it’s a HIPAA requirement, and CMS auditors are on the lookout for documentation (remember, all documentation must be retained for 6 years).

Regardless of whether EPs or EHs are attesting to Stage 1 or Stage 2, or the fact that they performed a security risk analysis last year, this objective and measure must be fulfilled each year:

 

Stage 1

Stage 2

Objective. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. Objective. Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in Certified EHR Technology in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP’s risk management process.

The HIPAA requirement for a Security Risk Analysis pursuant to 45 CFR 164.308(a)(1) is as follows:

“Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

CMS Meaningful Use audits have specifically called out this objective and measure and are requiring participants to prove that a Security Risk Analysis has actually occurred.  Though the HIPAA Security Officer should have conducted a security risk analysis for the entire practice/hospital, EPs and EHs should maintain a copy of this assessment with their meaningful use documentation and should review the assessment to make sure that the risk analysis complies with the meaningful use requirements (note: the Stage 2 requirements are significantly broader).

Below is the audit question that was sent to some Stage 1 EPs:

“Provide proof that a security risk analysis of Certified EHR Technology was performed prior to the end of the reporting period (i.e. report which documents the procedures performed during the analysis and the results of the analysis).  If deficiencies are identified in this analysis, please supply the implementation plan; this plan should include the completion dates.”

Note that the audit request indicates that further documentation is needed to satisfy the auditors.  EPs must show the implementation plan and the completion dates.  As per the measure itself, the requirement is not merely to conduct a security risk analysis, but the EPs and EHs must implement security updates and correct security deficiencies.  EPs and EHs should document these steps as well in order to appropriately respond to an audit request.

CMS has recently issued a new tip sheet to assist EPs and EHs in fulfilling the security risk analysis requirement.  In addition ONC has published guidance on HIPAA Security Risk Analysis requirements.  The CMS tip sheet includes some common myths surrounding risk analysis such as:

  • “I only need to do a risk analysis once.”

False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.

  • “My EHR vendor took care of everything I need to do about privacy and security.”

False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

  • “The security risk analysis is optional for small providers.”

False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

  • “Simply installing a certified EHR fulfills the security risk analysis MU requirement.”

False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Responding to a Meaningful Use audit can be time consuming and very detailed oriented — thus, maintaining the appropriate documentation is essential.  For assistance with Meaningful Use or HIPAA security risk assessments, please contact Elana Zana.

EHR Incentive Program Timeline Tool

CMS has recently launched a new tool which enables eligible professionals to determine which year they should meet each stage of meaningful use and the amount of incentive dollars available for the eligible professional.  This tool is useful in light of the changes to the EHR Incentive Program timeline made in the Stage 2 Final Rules.  The tool is applicable for eligible professionals applying for either the Medicare or Medicaid EHR Incentive Program.  To access the tool click here.

If you have questions regarding the EHR Incentive Program please contact Elana Zana.

CMS Posts Meaningful Use Stage 2 Specification Sheets

Looking for more detail on the Meaningful Use Stage 2 requirements?  CMS has conveniently created specification sheets for each Meaningful Use measure.  These sheets explain in detail each numerator and denominator eligible professionals and hospitals much achieve to be eligible for the EHR Incentive Payments.  The sheets also contain the certification and standards criteria issued from the Office of the National Coordinator.

For Eligible Professionals click here.

For Eligible Hospitals and Critical Access Hospitals click here.

For assistance with the EHR Incentive Programs and meaningful use in general please contact Elana Zana.

Comparison of Stage 1 vs Stage 2 Meaningful Use

Sifting through the hundreds of pages of new rules can be overwhelming.  Luckily, CMS has provided comparison charts to help navigate the meaningful use changes coming our way with Stage 2.  Along with the new rules, CMS clarified that the earliest Stage 2 meaningful use is effective is fiscal year 2014 for hospitals and calendar year 2014 for eligible professionals (more on 2014 to come in future posts).

Click on the links below to see the comparison charts:

Stage 2 Meaningful Use – Eligible Professionals: 17 core objectives, 3 of 6 menu objectives, 9 of 64 clinical quality measures.

Stage 2 Meaningful Use – Hospitals & CAHs: 16 core objectives, 3 of 6 menu objectives, 16 of 29 clinical quality measures.

For more information about meaningful use and the EHR Incentive Programs please contact Elana Zana.

Washington State EHR Incentive Program Seminars

The Washington State Health Care Authority has announced a traveling seminar on calculating and registering for the Medicaid EHR Incentive Program.  The seminar is aimed at group registration and defining the group proxy methodology to calculate patient volume.

The seminars are as follows:

May 1: Wenatchee
May 3: Spokane
May 8: Yakima
May 16: Seattle
May 17: Mt. Vernon
May 22: Silverdale
May 24: Olympia

To register click here (the link will take you to the Seattle registration, scroll down on that page for other registration links).