HHS Releases Security Risk Assessment Tool

Need help performing your HIPAA/Meaningful Use Security Risk Assessment?  Good news, HHS has released a tool to help!  In partnership with the Office of the National Coordinator, HHS created a tool, user guide, software, tutorial, videos and even an iOS App to help HIPAA covered entities and business associates perform the required HIPAA Risk Analysis.

The HIPAA Security Rule specifically requires (this is not an addressable specification) a Security Risk Analysis:

“Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”  45 CFR 164.308(a)(1)

In addition, those hospitals and eligible professionals seeking to meet meaningful use in order to receive the EHR Incentive dollars or avoid the Medicare payment adjustments must fulfill a HIPAA Security Risk Assessment.

Stage 1

Objective. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.

Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

Stage 2

Objective. Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.

Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in Certified EHR Technology in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP’s risk management process.

For those hospitals and eligible professionals looking to meet meaningful use, the Security Risk Assessment tool will generate a report that can be provided to auditors.  However, the report alone is likely insufficient because both the auditors and the meaningful use requirements (above) require the correction of security deficiencies – so merely running a Security Risk Assessment without taking actions to remedy the problem will not suffice.  To read more about meaningful use audits and security risk assessments click here.

In addition to releasing the Security Risk Assessment tool, HHS has created a helpful true/false statement with the Top 10 Myths of Security Risk Analysis.  This document highlights the misconceptions regarding the risk assessment requirements, including that all covered entities and business associates (regardless of the size) must conduct a risk assessment pursuant to HIPAA.  Importantly, though only eligible professionals & hospitals are eligible for meaningful use incentives and Medicare payment adjustments, business associates must also comply with the HIPAA Security Rule pursuant to the HITECH Act.  Therefore, business associates must also conduct security risk assessments, and per recent guidance from HHS, business associates are likely part of the next round of HIPAA audits.

For more information about HIPAA, security risk assessments, and meaningful use please contact Elana Zana.

Meaningful Use Exception Includes EHR Vendor Delays

Following its announcement at HIMSS, CMS has published its hardship exception application for 2014 along with its new exception due to vendor delays.  The new exception permits eligible hospitals and eligible professionals to request an exception from the 2015/2016 payment adjustments due to 2014 EHR Vendor Issues.  Specifically, CMS now permits an exception due to the inability of the vendor to obtain 2014 certification or if the hospital or EP was unable to implement meaningful use due to 2014 EHR certification delays.  Along with filling out the EP or Hospital exception forms, those requesting the exception must submit a notification from the EHR vendor.

EPs and hospitals that are demonstrating meaningful use for the first time may apply for this hardship exception to avoid the 2015 payment adjustments.  EPs and hospitals that have previously demonstrated meaningful use may use this hardship exception to avoid the 2016 payment adjustments.

For hospitals, the hardship exception request for 2015 payment adjustments is due April 1, 2014.  For eligible professionals, the hardship exception request for 2015 payment adjustments is due July 1, 2014.  However, EPs that have not previously participated in the Medicare EHR Incentive Program can submit attestation by October 1, 2014 and also avoid the payment adjustments.  CMS has also issued guidance for applying for the EHR Vendor hardship exception for EPs and hospitals.

For more information about the Medicare or Medicaid EHR Incentive Program or applying for these hardship exceptions please contact Elana Zana.

Medicare EHR Incentive Program Deadline Extended

CMS announced last week that it has extended the registration and attestation deadline for the Medicare EHR Incentive Programs to March 31, 2014 for eligible professionals.  This month-long extension will aid eligible professionals in compiling their meaningful use data from 2013 and completing the registration process (which can be time consuming).

In addition, CMS is offering to assist eligible hospitals who experienced difficulty with their attestation.  This assistance will allow eligible hospitals to submit their attestation retroactively to avoid the 2015 payment adjustment.  To do so, hospitals must contact CMS by March 15, 2014.  Eligible hospitals are instructed to contact CMS at EH2013Extension@Provider-Resources.com no later than 11:59 PM EST on March 15, 2014.

  1. Type “EH 2013 EXTENSION” in the subject line of the email note
  2. Include the following information:
    • CCN;
    • hospital name;
    • contact person name;
    • contact person email; and
    • contact person phone number.

CMS will then contact the designated individual to discuss the retroactive extension.

As a reminder, these extensions are for the Medicare EHR Incentive Program only, and do not apply to the Medicaid EHR Incentive Program.  In Washington, the deadline to apply for the Medicaid EHR Incentive Program remains February 28, 2014.

For more information about the EHR Incentive Programs or meaningful use generally please contact Elana Zana.

Washington Medicaid EHR Incentive Program Webinar

The Washington State Health Care Authority announced that it will be hosting a webinar to aid in the registration for the Medicaid EHR Incentive Program.  This will help providers who are registering and attesting to both “adopt, implement and upgrade” and meaningful use.

Topics Include: Navigating the WA ST EHR Attestation Application-eMIPP (MU Stage 1)

  • Attestation
  • Navigating the eMIPP application
  • How to get paid correctly
  • Live Q & A after presentation

To register click here.

The state of Washington has also published helpful tools for registration, including user guides and state specific worksheets (for example the .95 multiplier).

These webinars are very informative and it is recommended that all first time applicants (and those applicants that need a refresher) attend.

Also, note that though the Medicare EHR Incentive Program has extended registration through March 31, 2014, the Washington Medicaid EHR Incentive Program requires registration and attestation by February 28, 2014.

For assistance with registration and attestation for the Medicare or Medicaid EHR Incentive Program please contact Elana Zana.

 

Meaningful Use Audits – Security Risk Analysis

‘Tis the season for Meaningful Use, the time of year when eligible professionals (EPs) and eligible hospitals (EHs) compile their data from the meaningful use measures and prepare for attestation.  It is also the season of meaningful use audits.  A lesson learned from recent audits: CMS means what it says – EPs and EHs must conduct a security risk analysis.  This measure is not one to be taken lightly – it’s a HIPAA requirement, and CMS auditors are on the lookout for documentation (remember, all documentation must be retained for 6 years).

Regardless of whether EPs or EHs are attesting to Stage 1 or Stage 2, or the fact that they performed a security risk analysis last year, this objective and measure must be fulfilled each year:

 

Stage 1

Objective. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.

Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

Stage 2

Objective. Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.

Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in Certified EHR Technology in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP’s risk management process.

The HIPAA requirement for a Security Risk Analysis pursuant to 45 CFR 164.308(a)(1) is as follows:

“Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

CMS Meaningful Use audits have specifically called out this objective and measure and are requiring participants to prove that a Security Risk Analysis has actually occurred.  Though the HIPAA Security Officer should have conducted a security risk analysis for the entire practice/hospital, EPs and EHs should maintain a copy of this assessment with their meaningful use documentation and should review the assessment to make sure that the risk analysis complies with the meaningful use requirements (note: the Stage 2 requirements are significantly broader).

Below is the audit question that was sent to some Stage 1 EPs:

“Provide proof that a security risk analysis of Certified EHR Technology was performed prior to the end of the reporting period (i.e. report which documents the procedures performed during the analysis and the results of the analysis).  If deficiencies are identified in this analysis, please supply the implementation plan; this plan should include the completion dates.”

Note that the audit request indicates that further documentation is needed to satisfy the auditors.  EPs must show the implementation plan and the completion dates.  As per the measure itself, the requirement is not merely to conduct a security risk analysis, but the EPs and EHs must implement security updates and correct security deficiencies.  EPs and EHs should document these steps as well in order to appropriately respond to an audit request.

CMS has recently issued a new tip sheet to assist EPs and EHs in fulfilling the security risk analysis requirement.  In addition ONC has published guidance on HIPAA Security Risk Analysis requirements.  The CMS tip sheet includes some common myths surrounding risk analysis such as:

  • “I only need to do a risk analysis once.”

False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.

  • “My EHR vendor took care of everything I need to do about privacy and security.”

False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

  • “The security risk analysis is optional for small providers.”

False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

  • “Simply installing a certified EHR fulfills the security risk analysis MU requirement.”

False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Responding to a Meaningful Use audit can be time consuming and very detail-oriented — thus, maintaining the appropriate documentation is essential.  For assistance with Meaningful Use or HIPAA security risk assessments, please contact Elana Zana.

EHR Incentive Program Meaningful Use Stage 1 Updated

CMS has recently published a tip sheet consolidating for eligible professionals and hospitals the revisions made to the Stage 1 meaningful use measures that are effective in 2013.  These changes modify the following meaningful use objectives:

  • Public Health Reporting Objectives
  • Electronic Exchange of Key Clinical Information
  • Computerized Physician Order Entry (CPOE)
  • Record and Chart Changes in Vital Signs
  • Electronic Prescribing
  • Electronic Copy of and Electronic Access to Health Information (changes only applicable starting in 2014)

Some of the changes in the measures are required, while others are optional for 2013 but become required for 2014.  To view the Stage 1 changes tip sheet click here.

At the same time CMS also revised its Stage 1 Meaningful Use table of contents and tip sheets for each objective/measure for eligible professionals and hospitals/CAH.

If you have questions regarding the Medicare or Medicaid EHR Incentive Programs or meaningful use generally please contact Elana Zana.

EHR Incentive Program Timeline Tool

CMS has recently launched a new tool which enables eligible professionals to determine which year they should meet each stage of meaningful use and the amount of incentive dollars available for the eligible professional.  This tool is useful in light of the changes to the EHR Incentive Program timeline made in the Stage 2 Final Rules.  The tool is applicable for eligible professionals applying for either the Medicare or Medicaid EHR Incentive Program.  To access the tool click here.

If you have questions regarding the EHR Incentive Program please contact Elana Zana.

CMS Posts Meaningful Use Stage 2 Specification Sheets

Looking for more detail on the Meaningful Use Stage 2 requirements?  CMS has conveniently created specification sheets for each Meaningful Use measure.  These sheets explain in detail each numerator and denominator eligible professionals and hospitals must achieve to be eligible for the EHR Incentive Payments.  The sheets also contain the certification and standards criteria issued from the Office of the National Coordinator.

For Eligible Professionals click here.

For Eligible Hospitals and Critical Access Hospitals click here.

For assistance with the EHR Incentive Programs and meaningful use in general please contact Elana Zana.

Comparison of Stage 1 vs Stage 2 Meaningful Use

Sifting through the hundreds of pages of new rules can be overwhelming.  Luckily, CMS has provided comparison charts to help navigate the meaningful use changes coming our way with Stage 2.  Along with the new rules, CMS clarified that the earliest Stage 2 meaningful use takes effect is fiscal year 2014 for hospitals and calendar year 2014 for eligible professionals (more on 2014 to come in future posts).

Click on the links below to see the comparison charts:

Stage 2 Meaningful Use – Eligible Professionals: 17 core objectives, 3 of 6 menu objectives, 9 of 64 clinical quality measures.

Stage 2 Meaningful Use – Hospitals & CAHs: 16 core objectives, 3 of 6 menu objectives, 16 of 29 clinical quality measures.

For more information about meaningful use and the EHR Incentive Programs please contact Elana Zana.

CMS Issues 3 FAQs on Stage 2 Rules and the Medicaid EHR Incentive Program

CMS has responded to several questions following the issuance of its Stage 2 Meaningful Use Final Rule.  Along with publishing new meaningful use guidelines, the Final Rule adds new provisions regarding the calculation of patient volume for Medicaid providers.  CMS has recently published these new FAQs, some of which take effect immediately, while others will start in 2013, giving the states some time to update their guidance.  These new rules will affect all eligible professionals, regardless of their stage in participation in meaningful use.  To see additional FAQs click here.

Medicaid changes to patient volume calculations 

Q: The EHR Incentive Programs Stage 1 Rule stated that, in order for a Medicaid encounter to count towards the patient volume of an eligible provider, Medicaid had to either pay for all or part of the service, or pay all or part of the premium, deductible or coinsurance for that encounter.  The Stage 2 Rule now states that the Medicaid encounter can be counted towards patient volume if the patient is enrolled in the state’s Medicaid program (either through the state’s fee-for-service programs or the state’s Medicaid managed care programs) at the time of service without the requirement of Medicaid payment liability. How will this change affect patient volume calculations for Medicaid eligible providers?  

A: Importantly, this change affecting the Medicaid patient volume calculation is applicable to all eligible providers, regardless of the stage of the Medicaid EHR Incentive Program they are participating in. Billable services provided by an eligible provider to a patient enrolled in Medicaid would count toward meeting the minimum Medicaid patient volume thresholds.  Examples of Medicaid encounters under this expanded definition that could be newly eligible might include: behavioral health services, HIV/AIDS treatment, or other services that might not be billed to Medicaid/managed care for privacy reasons, but where the provider has a mechanism to verify eligibility.  Also, services to a Medicaid-enrolled patient that might not have been reimbursed by Medicaid (or a Medicaid managed care organization) may now be included in the Medicaid patient volume calculation (e.g., oral health services, immunization, vaccination and women’s health services, telemedicine/telehealth, etc.).

Providers who are not currently enrolled with their state Medicaid agency who might be newly eligible for the incentive payments due to these changes should note that they are not necessarily required to fully enroll with Medicaid in order to receive the payment.

In some instances, it may now be appropriate to include services denied by Medicaid in calculating patient volume.  It will be appropriate to review denial reasons.  If Medicaid denied the service for timely filing or because another payer’s payment exceeded the potential Medicaid payment, it would be appropriate to include that encounter in the calculation.  If Medicaid denied payment for the service because the beneficiary has exceeded service limits established by the Medicaid program, it would be appropriate to include that encounter in the calculation.  If Medicaid denied the service because the patient was ineligible for Medicaid at the time of service, it would not be appropriate to include that encounter in the calculation.

Further guidance regarding this change will be distributed to the states as appropriate.

CHIP patients eligible to be included in Medicaid patient volume totals

Q: The Stage 2 Rule describes changes to how a state considers CHIP patients in the Medicaid patient volume total when determining provider eligibility. Patients in which kinds of CHIP programs are now appropriate to be considered in the Medicaid patient volume total?  

A: States that have offered CHIP as part of a Medicaid expansion under Title 19 or Title 21 can include those patients in their provider’s Medicaid patient volume calculation as there is cost liability to the Medicaid program in either case (under the Stage 1 Rule, only CHIP programs created under a Medicaid expansion via Title 19 were eligible). Patients in standalone CHIP programs established under Title 21 are not to be considered part of the patient volume total (in Stage 1 or Stage 2). This change to the patient volume calculation is applicable to all eligible providers, regardless of the stage of the Medicaid EHR Incentive Program they are participating in.

Changes to the base year of the Medicaid EHR Incentive Program for hospital incentive payment calculation

Q: Are there any changes to the base year for the Medicaid EHR Incentive Program hospital incentive payment calculation?

A: Yes. Previously Medicaid eligible hospitals calculated the base year using a 12 month period ending in the Federal fiscal year before the hospital’s fiscal year that serves as the first payment year.  In an effort to encourage timely participation in the program, §495.310(g)(1)(i)(B) of the Stage 2 Rule was amended to allow hospitals to use the most recent continuous 12 month period for which data are available prior to the payment year. This change went into effect upon publication of the Stage 2 Rule.  Only hospitals that begin participation in the program after the publication date of the Stage 2 Rule (i.e., program years 2013 and later) will be affected by this change.  Hospitals that began participation in the program prior to the Stage 2 Rule will not have to adjust previous calculations.