Meaningful Use Attestation in 2014 – Picture Update

CMS and the Office of the National Coordinator (ONC) recently announced modifications to the meaningful use attestation requirements for 2014. Following significant lobbying from EHR vendors, eligible professionals (EPs), and hospitals, CMS issued a brief reprieve to meeting Stage 2 meaningful use in 2014 – for some lucky participants. Recognizing that EPs and hospitals may still be using 2011 certified EHR technology (CEHRT) or a mixture of 2011 and 2014 CEHRT, CMS created a chart of decision points meant to enable flexibility for EPs and hospitals alike. These options also accommodate EPs and hospitals that have upgraded to the 2014 CEHRT but are still unable to meet the Stage 2 requirements within the mandatory timetables.

However, this flexibility comes with a caveat: EPs and hospitals must explain that their failure to meet Stage 2 in 2014 as scheduled is because they could not “fully implement 2014 Edition CEHRT for the EHR reporting period in 2014 due to delays in 2014 Edition CEHRT availability.” So who is allowed to claim this exception? Though CMS does not provide an exhaustive list of examples, its published comments in the final rule provide some insights and helpful explanations.

Below are maps of decision points and examples of acceptable and unacceptable justifications for not meeting an EP’s scheduled meaningful use stage in 2014, whether it be the 2014 Stage 1 or Stage 2 objectives and measures. Any EPs or hospitals that attest for a different stage than what they were scheduled for must be prepared to defend this decision in an audit, understanding that each case will be evaluated individually; this defense should therefore be very well documented.

[Graphics: meaningful use decision maps for EPs in their first or second year, and for EPs in their third or fourth year]

Michelle Holmes, consultant with ECG Management Consultants co-authored this post.

WA Certificate of Need Waiver for Psych Beds

The Washington Certificate of Need (“CN”) Program recently announced a temporary change in the CN requirements for acute care hospitals that want to change the use of existing licensed beds to psychiatric care beds.  Acute care hospitals choosing to convert some of their acute care beds to psychiatric beds will not have to undergo the CN review process.  This exemption, however, does not extend to the addition of new beds to the hospital’s licensed bed count, only to the conversion of existing beds.  Hospitals will also be allowed to return the exempt psychiatric beds to general acute care use (i.e., med/surg) without full CN review.

In order to take advantage of this exemption, acute care hospitals will still have to submit a “Hospital Change of Use Exemption Hospitals Licensed Under RCW 70.41 Proposing Psychiatric Beds” application to the CN Program with an application fee of $1,925.  If the project is approved it must commence within two years of the exemption issue date (unless a 6 month extension is otherwise granted).  Hospitals applying for this exemption will still need to meet the physical plant standards and staffing ratios required for providing psychiatric care.

For more information about this exemption or Certificate of Need generally please contact Elana Zana.

Rady HIPAA Breach – Access Controls & Training

Rady Children’s Hospital in San Diego announced this week that it has discovered two instances of impermissible disclosure of patient information – both disclosures arising from employees sending spreadsheets containing PHI to job applicants.  Surprisingly, Rady employees did not learn the lesson from their northern California neighbor, Stanford, which recently settled a lawsuit for $4 Million based on similar circumstances of a vendor releasing patient information to a job applicant.  In both the Rady situations (and at Stanford) identifiable patient information was sent to job applicants in order to evaluate those applicants’ skill sets.  The spreadsheets contained names, dates of birth, diagnoses, insurance carrier, claim information, and additional information.  Combined, the breach affected over 20,000 patients.

Rady has announced that it will take the following actions to prevent future events:

• Only commercially available and validated testing programs will be used to evaluate job applicants who will be tested onsite.
• We are increasing data security by further automating flagging of emails that may contain potential protected health or other sensitive information, and requiring an added level of approval before it can be sent.
• Rady Children’s is working with our email encryption provider to further strengthen our protection of sensitive data.
• Rady Children’s continually provides employees with education regarding privacy policies. We will be using these incidents as examples to better inform our leadership team and employees about the risks and the importance of the policies we have in place and train them in these new measures we are taking.

Though these steps are important, it is quite alarming that breaches such as these are still happening.  Why are job applicants receiving spreadsheets with patient information?  As Rady notes above, training exercises are commercially available.  Breaches, such as the one at Rady and at Stanford, reveal several flaws in HIPAA compliance – but two in particular rise to the surface.

1.  Access Controls.  The HIPAA Security Rule stresses the importance of access controls, both internal and external, within a covered entity (and now business associates). Who gets access to the PHI, who gives that person access, and what access do they have?  The administrative, physical, and technical safeguard requirements all touch on whether access to PHI for workforce members is appropriate.  For example, the technical safeguard requirement specifically addressing access controls requires that covered entities and business associates “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).”  45 CFR 164.312.  Covered entities and business associates alike should evaluate who within their organizations actually needs access to PHI to perform job functions.  Does the HR Department or an internal/external recruiter, arguably in charge of hiring new staff, need PHI in order to perform their job duties?  (Note, I do not opine here as to whether access to PHI was properly granted to the workforce members at Rady, as I lack sufficient information to make that judgment.)  Determining whether access to PHI is appropriate is both a requirement of the HIPAA Security Rule (though it is “addressable,” you still need to address it!) and a good mitigation tactic to avoid impermissible disclosures such as the one here.

2.  Training.  All covered entities and business associates are responsible for HIPAA Security training for all members of the workforce.  45 CFR 164.308.  Though training may vary depending on the workforce member’s use of PHI, all staff must be trained.  Training does not end following an initial session.  Periodic security updates are specifically identified in the Security Rule as an implementation specification.  These updates do not have to be limited to information about new virus protection software installed on the system. They can include valuable tidbits like case studies, HIPAA rule reminders, and HIPAA related headlines.  For some workforce members HIPAA may not be top of mind (specifically for those in business roles that may not deal with patients or patient information on a routine basis).  Providing periodic training updates and reminders, including examples of other HIPAA breaches (e.g., Stanford), may be very useful in driving home how easy HIPAA breaches can be…and how expensive they are.
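To make the access-review point concrete, here is an added Python example; it is not code from this post or from any organization the post names. It takes a constructed entitlement export, compares each account’s PHI access against a role-to-entitlement matrix that stands in for an organization’s documented minimum-necessary determinations, and reports accounts whose access exceeds their role, whose role was never mapped, or whose access has no recorded approver. A second function flags a spreadsheet header row that carries the PHI data elements listed above, the kind of check an outbound-email flag would run before such a file leaves the organization. The role names, system names and column spellings are assumptions.

```python
"""Least-privilege access review over a PHI entitlement export.

Added example for the access-control discussion above. It is not code from
the original post or from any organization named in it; the role matrix,
the account export and the system names are constructed sample data.
"""
from dataclasses import dataclass

# Constructed role-to-entitlement matrix: the ePHI each job function needs
# to perform its duties. Hiring staff and IT administrators appear with an
# empty set, i.e. their roles require no PHI data access.
ROLE_ALLOWED_PHI = {
    "billing_specialist": {"claims_db:read", "insurance_db:read"},
    "nurse": {"ehr:read", "ehr:write"},
    "hr_recruiter": set(),
    "it_admin": set(),
}

# Column names that mark a spreadsheet as containing PHI. Based on the data
# elements the post lists for the Rady spreadsheets; the normalized
# spellings are assumptions.
PHI_COLUMNS = {"name", "date of birth", "dob", "diagnosis",
               "insurance carrier", "claim number"}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    entitlements: frozenset
    granted_by: str  # approver of record; empty string means none recorded


@dataclass(frozen=True)
class Finding:
    user: str
    role: str
    excess: frozenset
    reason: str


def review_accounts(accounts, matrix=ROLE_ALLOWED_PHI):
    """Return Findings for accounts whose PHI access is not justified by role."""
    findings = []
    for acct in accounts:
        allowed = matrix.get(acct.role)
        if allowed is None:
            # A role nobody has mapped cannot have been through a
            # minimum-necessary review, so all of its access is reported.
            findings.append(Finding(acct.user, acct.role, acct.entitlements,
                                    "role not in access matrix"))
            continue
        excess = acct.entitlements - allowed
        if excess:
            findings.append(Finding(acct.user, acct.role, frozenset(excess),
                                    "entitlements exceed role"))
        elif acct.entitlements and not acct.granted_by:
            # Access may be appropriate, but nobody is on record as granting it.
            findings.append(Finding(acct.user, acct.role, frozenset(),
                                    "PHI access with no recorded approver"))
    return findings


def phi_columns_in(headers, phi_columns=PHI_COLUMNS):
    """Return the header names that indicate a spreadsheet carries PHI (case-insensitive)."""
    return sorted(h for h in headers if h.strip().lower() in phi_columns)


# Constructed entitlement export, as an IAM system report might produce it.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "nurse", frozenset({"ehr:read", "ehr:write"}), "nursing_manager"),
    Account("asmith", "hr_recruiter", frozenset({"claims_db:read"}), "hr_director"),
    Account("bwong", "billing_specialist", frozenset({"claims_db:read"}), ""),
    Account("ctaylor", "contractor", frozenset({"ehr:read"}), "it_admin"),
]

# Constructed header row of a skills-test spreadsheet.
SAMPLE_HEADERS = ["Claim Number", "Name", "Date of Birth", "Diagnosis", "Score"]

if __name__ == "__main__":
    for f in review_accounts(SAMPLE_ACCOUNTS):
        print(f"{f.user:8} {f.role:18} {f.reason}: {sorted(f.excess)}")
    print("PHI columns in test spreadsheet:", phi_columns_in(SAMPLE_HEADERS))
```

Run as a script it prints three findings (a recruiter with claims access, a billing account with no approver, and an unmapped contractor role) and flags four PHI columns in the test spreadsheet. In practice the account list comes from the IAM or directory export, the matrix is the organization’s own written access policy, and the saved output is the kind of evidence an auditor asks for when reviewing access controls under 164.308(a)(4).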

Avoidance of HIPAA breaches altogether is nearly impossible, but proper access controls and training can help mitigate against breaches such as the one that occurred here.

For more information about HIPAA Security contact Elana Zana.

Meaningful Use EP Hardship Exception Deadline – July 1, 2014

Not able to meet meaningful use this year?  You may qualify for a hardship exception.  Eligible professionals that qualify for certain hardship exceptions can avoid the meaningful use payment adjustments in 2015 by submitting to CMS the 2015 Hardship Exception Application.  CMS has permitted the EPs to apply for a hardship exception based on the following reasons:

  • Infrastructure: Eligible professionals must demonstrate that they are in an area without sufficient internet access or face insurmountable barriers to obtaining infrastructure (e.g., lack of broadband).
  • New Eligible Professionals: Newly practicing eligible professionals who would not have had time to become meaningful users can apply for a 2-year limited exception to payment adjustments. Thus eligible professionals who begin practice in calendar year 2015 would receive an exception to the penalties in 2015 and 2016, but would have to begin demonstrating meaningful use in calendar year 2016 to avoid payment adjustments in 2017.
  • Unforeseen Circumstances: Examples may include a natural disaster or other unforeseeable barrier.
  • Patient Interaction: Lack of face-to-face or telemedicine interaction with patient or lack of follow-up need with patients.
  • Practice at Multiple Locations: Lack of control over availability of CEHRT for more than 50% of patient encounters.
  • 2014 EHR Vendor Issues: The eligible professional’s EHR vendor was unable to obtain 2014 certification or the eligible professional was unable to implement meaningful use due to 2014 EHR certification delays. (Note that CMS has published a proposed rule regarding lack of availability of 2014 CEHRT proposing to permit EPs in certain situations to attest to Stage 1, click here for further information).

Payment Adjustments & Hardship Exceptions Tipsheet for Eligible Professionals.  This tip sheet further describes the payment adjustments and includes frequently asked questions.

The following categories of EPs do not have to apply for a hardship exception but will automatically be granted one based on their status with CMS:

  • New providers in their first year (both eligible professionals and eligible hospitals).
  • Eligible professionals who are hospital-based: a provider is considered hospital-based if he or she provides more than 90% of their covered professional services in either an inpatient (Place of Service 21) or emergency department (Place of Service 23) of a hospital.
  • Eligible professionals with certain PECOS specialties (Anesthesiology-05, Pathology-22, Diagnostic Radiology-30, Nuclear Medicine-36, Interventional Radiology-94).

Eligible professionals that have not participated in the EHR Incentive Program in the past have the option of avoiding the 2015 payment adjustment if they successfully attest to meaningful use by October 1, 2014.  Those eligible professionals that qualify for any of the above hardship exceptions and will not be able to attest to meaningful use by October 1, 2014 may still apply for a hardship exception, but must do so by July 1, 2014.

For more information about the EHR Incentive Programs and meaningful use please contact Elana Zana.

CMS Proposed Revisions to Meaningful Use – A Welcome Delay

CMS has issued proposed revisions to meaningful use Stages 2 and 3 in response to numerous industry complaints that hospitals and provider groups will not be able to implement the 2014 certified EHR technology with enough time to meet meaningful use in 2014.  CMS, recognizing that EPs and hospitals are either using 2011 CEHRT, 2014 CEHRT, or a mixture of both, issued proposed rules addressing what each category must attest to in 2014.  In a substantial change from the Final Rules issued in September 2012, CMS has agreed to extend Stage 1 in 2014 for those EPs and hospitals that cannot successfully obtain or deploy 2014 CEHRT.  Further, CMS has proposed to delay Stage 3 meaningful use by one year. 

Medicaid Modification

The proposed rule modifies the AIU (adopt, implement and upgrade) exception for those EPs and hospitals attesting for the first time in 2014.  Hospitals and EPs attesting to AIU in 2014 must adopt, implement or upgrade to 2014 Edition CEHRT only; attesting to the 2011 Edition or a combination of Editions will not satisfy the definition in 2014.

Meaningful Use Timeline

Originally, all Medicare EPs and hospitals were required to meet meaningful use using the 2014 Edition CEHRT for Stage 1 or Stage 2 in 2014.  This proposed rule delays this process as follows:

Table 2:  Proposed CEHRT Systems Available for Use in 2014

If you were scheduled to demonstrate Stage 1 in 2014, you would be able to attest for Meaningful Use:

  • Using 2011 Edition CEHRT to do: 2013 Stage 1 objectives and measures*
  • Using 2011 & 2014 Edition CEHRT to do: 2013 Stage 1 objectives and measures* -OR- 2014 Stage 1 objectives and measures*
  • Using 2014 Edition CEHRT to do: 2014 Stage 1 objectives and measures

If you were scheduled to demonstrate Stage 2 in 2014, you would be able to attest for Meaningful Use:

  • Using 2011 Edition CEHRT to do: 2013 Stage 1 objectives and measures*
  • Using 2011 & 2014 Edition CEHRT to do: 2013 Stage 1 objectives and measures* -OR- 2014 Stage 1 objectives and measures* -OR- Stage 2 objectives and measures*
  • Using 2014 Edition CEHRT to do: 2014 Stage 1 objectives and measures* -OR- Stage 2 objectives and measures

*Only providers that could not fully implement 2014 Edition CEHRT for the reporting period in 2014 due to delays in 2014 Edition CEHRT availability.  Note: Table 2 is directly from the CMS proposed rule (similar table in press release does not contain asterisk).

To take advantage of the delays, EPs and hospitals must attest that they were not able to upgrade or fully implement to the 2014 Edition CEHRT because of issues related to availability.  Providers that were planning on meeting Stage 2 in 2014 and are now going to attest to Stage 1 in 2014 will be required to begin Stage 2 in 2015.

Stage 3 Delay

CMS also proposed a delay in Stage 3 for a year.  This is welcome news considering that CMS has not yet built out Stage 3 and is waiting for the results from Stage 2 to “inform [its] development of the criteria for Stage 3 meaningful use.”  Stage 3 will begin on January 1, 2017 for EPs and October 1, 2016 for hospitals and CAHs.  The proposed revised schedule is as follows:

TABLE 3–PROPOSED STAGE OF MEANINGFUL USE CRITERIA BY FIRST PAYMENT YEAR

Each row gives the stage of meaningful use required in each year for providers with that first payment year (a dash means the year precedes the provider’s first payment year).

First Payment Year   2011  2013  2013  2014     2015  2016  2017  2018  2019  2020  2021
2011                 1     1     1     1 or 2*  2     2     3     3     TBD   TBD   TBD
2012                 -     1     1     1 or 2*  2     2     3     3     TBD   TBD   TBD
2013                 -     -     1     1*       2     2     3     3     TBD   TBD   TBD
2014                 -     -     -     1*       1     2     2     3     3     TBD   TBD
2015                 -     -     -     -        1     1     2     2     3     3     TBD
2016                 -     -     -     -        -     1     1     2     2     3     3
2017                 -     -     -     -        -     -     1     1     2     2     3

*3-month quarter EHR reporting period for Medicare and continuous 90-day EHR reporting period (or 3 months at State option) for Medicaid EPs.  All providers in their first year in 2014 use any continuous 90-day EHR reporting period.  Note: Table 3 is directly from the CMS proposed rule (similar table in press release does not contain asterisk).

Clinical Quality Measures

CMS has also relaxed the requirements related to reporting on clinical quality measures (CQMs) in 2014.  Specifically, the method of CQM submission to CMS will depend on the edition of CEHRT deployed by the provider (States will still have discretion for submission requirements).

CQM reporting for providers attesting to the 2013 Stage 1 objectives:

  • 2011 Edition CEHRT
    Method of Reporting: Attestation
    EP Reporting Requirements: 3 core/alternate; 3 additional; 3 month reporting period (90 days if 1st year)
    Hospital/CAH Reporting Requirements: 15 Stage 1 Measures; 3 month reporting period (90 days if 1st year)

  • 2011 & 2014 Edition CEHRT
    Method of Reporting: Attestation
    EP Reporting Requirements: 3 core/alternate; 3 additional; 3 month reporting period (90 days if 1st year); derived exclusively from 2011 CEHRT
    Hospital/CAH Reporting Requirements: 15 Stage 1 Measures; 3 month reporting period (90 days if 1st year); derived exclusively from 2011 CEHRT

Providers using a combination of 2011 and 2014 Edition CEHRT to report on either the 2014 Stage 1 measures or the Stage 2 measures, and providers using 2014 Edition CEHRT alone, should report CQMs as originally indicated in the Stage 2 final rule (i.e., by electronic submission) and subsequent rulemaking.

ONC Modifications

In order to support the CMS revisions, ONC has made modifications to its CEHRT definition to reflect the proposed new required start dates.  ONC’s proposed revisions would move the required start dates for the 2014 Edition of CEHRT to October 1, 2014 for hospitals and CAHs and January 1, 2015 for EPs.

For more information on the EHR Incentive Program and meeting meaningful use please contact Elana Zana.

Stolen Laptops Lead to $2 Million in HIPAA Settlements

Last week HHS announced close to $2 million in HIPAA settlements with Concentra and QCA Health Plan due to the theft of unencrypted laptops.  However, the message from HHS is not just the importance of data encryption; it is the performance of, and follow-through on, a security risk analysis and the implementation of security policies and procedures.  Further, the close to $2 million in fines does not include the additional costs and time it will take both of these health care organizations to comply with the OCR corrective action plans.

Concentra

The larger settlement and corrective action plan involved Concentra Health Services, a subsidiary of Humana, Inc., which operates more than 300 medical clinics nationally, including urgent care, occupational and physical therapy, and wellness services.  Concentra agreed to a $1,725,220 settlement with HHS for potential violations resulting from the breach notification associated with a stolen unencrypted laptop.  Specifically, the Resolution Agreement identified the following two deficiencies:

(1) Concentra failed to adequately remediate and manage its identified lack of encryption or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate, from October 27, 2008, until June 22, 2012 (date on which a complete inventory assessment was completed and Concentra immediately took action to begin encrypting all unencrypted devices) (see 45 C.F.R. § 164.312(a)(2)(iv)).

(2) Concentra did not sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations under the security management process standard when it failed to adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level from October 27, 2008, (date of Concentra’s last project report indicating that 434 out of 597 laptops were encrypted) until June 22, 2012 (date on which a complete inventory assessment was completed and Concentra immediately took action to begin encrypting all unencrypted devices) (see 45 C.F.R. § 164.308(a)(1)(i)).

Interestingly, while the Security Rule allows for flexibility in implementation for certain measures, including data encryption under 45 CFR 164.312, this high settlement amount indicates that healthcare organizations (including now business associates) who choose not to implement encryption standards must be able to explain themselves.  HHS, in the Resolution Agreement, faults Concentra not only for failing to encrypt the data but also, given its decision not to encrypt, for failing to implement an alternative to encryption (though it is unclear what a reasonable alternative to encryption would be).  Now, not only does Concentra have this large settlement payment due to HHS, but it has to comply with the corrective action plan, which includes the implementation of a security management plan (with a security risk analysis baked in), encryption obligations, security awareness training, and annual reports to HHS.  And if Concentra fails to comply, HHS has reserved its right to impose civil monetary penalties (which were significantly increased under the HITECH Act).

QCA Health Plan of Arkansas

The smaller settlement of $250,000 was with QCA Health Plan of Arkansas, a healthcare insurance provider.  The impetus for this settlement and corrective action plan was the theft of an unencrypted laptop from an employee’s car which contained PHI belonging to 148 individuals (note that this breach affected less than 500 individuals).  The Resolution Agreement determined that:

A.  QCA did not implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it held, and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306 from the compliance date of the Security Rule to June 18, 2012.

B. QCA did not implement physical safeguards for all workstations that access ePHI to restrict access to authorized users on October 8, 2011.

C. QCA impermissibly disclosed the ePHI of 148 individuals on October 8, 2011.

Unlike Concentra, QCA was not directly faulted for failing to encrypt its laptops, or failing to implement a reasonable alternative. Rather, this settlement focused instead on the lack of sufficient HIPAA Security policies and procedures, inadequacy in conducting a security risk assessment, and the failure to implement security measures, most specifically physical safeguards. The corrective action plan is also noticeably different, with a focus instead on workforce training and reporting of workforce non-compliance, rather than on encryption requirements (the press release notes that QCA encrypted its laptops following the breach).

Though, as in most breach cases, the simple solution is to encrypt the data to avoid an actual breach, these settlements expose the depth of compliance obligations and the monetary consequences associated with the failure to securely protect PHI.  Concentra and QCA, like other health care organizations who have settled with HHS, will have years of compliance reporting obligations and security management requirements that will likely create significant cost burdens in addition to the monetary settlement obligations.  HHS has made it quite clear in its press releases and corrective action plans that healthcare organizations and business associates must create and implement Security policies and procedures, and must engage in a security management process that ensures the security of patient data after the initial implementation.

For assistance on the HIPAA Security Rule requirements, drafting and implementing Security policies and procedures, or general HIPAA assistance please contact Elana Zana.

HHS Security Risk Assessment Tool Webinar

The Office of the National Coordinator announced today that it will host a webinar to discuss its Security Risk Assessment Tool.

This webinar is designed to review the current state of the tool, discuss some of the known issues and ONC’s plan to address those identified issues, and answer questions from users across the country.

The webinar will be on April 29th at 2:00 PM Eastern (11:00 AM Pacific).  To register click here.

To learn more about the Security Risk Assessment Tool and using it for HIPAA and meaningful use compliance read our previous article here.

ICD-10, Two-Midnight Rule, RAC Audits, SGR Delayed

The Senate passed this evening the “Protecting Access to Medicare Act of 2014”, which creates a 12 month delay for pending Medicare cuts pursuant to Medicare’s sustainable growth rate (SGR) payment formula. This bill avoids the 24% Medicare cuts physicians were facing starting on April 1st (this will be the 17th delay of the SGR).  Another significant component of the Act is the delay in ICD-10 implementation until at least October 1, 2015.

In addition to these significant postponements, the Act also delays until March 2015 the implementation of the “two-midnight” rule and the recovery audits of unnecessary claims.

HHS Releases Security Risk Assessment Tool

Need help performing your HIPAA/Meaningful Use Security Risk Assessment?  Good news, HHS has released a tool to help!  In partnership with the Office of the National Coordinator, HHS created a tool, user guide, software, tutorial, videos and even an iOS App to help HIPAA covered entities and business associates perform the required HIPAA Risk Analysis.

The HIPAA Security Rule specifically requires (this is not an addressable specification) a Security Risk Analysis:

“Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”  45 CFR 164.308(a)(1)

In addition, those hospitals and eligible professionals seeking to meet meaningful use in order to receive the EHR Incentive dollars or avoid the Medicare payment adjustments must fulfill a HIPAA Security Risk Assessment.

Stage 1

Objective. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.

Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

Stage 2

Objective. Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.

Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in Certified EHR Technology in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP’s risk management process.

For those hospitals and eligible professionals looking to meet meaningful use, the Security Risk Assessment tool will generate a report that can be provided to auditors.  However, the report alone is likely insufficient because both the auditors and the meaningful use requirements (above) require the correction of security deficiencies; merely running a Security Risk Assessment without taking action to remedy the problems found will not suffice.  To read more about meaningful use audits and security risk assessments click here.

In addition to releasing the Security Risk Assessment tool, HHS has created a helpful true/false statement with the Top 10 Myths of Security Risk Analysis.  This document highlights the misconceptions regarding the risk assessment requirements, including that all covered entities and business associates (regardless of the size) must conduct a risk assessment pursuant to HIPAA.  Importantly, though only eligible professionals & hospitals are eligible for meaningful use incentives and Medicare payment adjustments, business associates must also comply with the HIPAA Security Rule pursuant to the HITECH Act.  Therefore, business associates must also conduct security risk assessments, and per recent guidance from HHS, business associates are likely part of the next round of HIPAA audits.

For more information about HIPAA, security risk assessments, and meaningful use please contact Elana Zana.

$4 Million Stanford Settlement – Business Associate Pays Majority

Remember the $20 Million class action lawsuit against Stanford due to the posting of an Excel file online by a Business Associate?  The lawsuit, driven by California state privacy laws, recently settled for $4 Million, with the Business Associate paying the bulk of the settlement.  The class action suit, one of five large Stanford related HIPAA breaches, stems from a 2010 disclosure of emergency room patient data affecting 20,000 patients. The majority of the settlement fund, $3.3 million, will come from Stanford’s business associate. Stanford is contributing $500,000 for a vendor education fund and is paying $250,000 in settlement administrative costs.  Though a significant reduction from the $20 Million original claim, the $4 Million settlement price tag is not a drop in the bucket.

The major lesson to glean from this case is that covered entities should better investigate their vendors before transmitting PHI.  This means not simply executing a Business Associate Agreement with an indemnification and insurance provision (though advisable), but also reviewing and evaluating the vendor’s current security policies, staff training, use of subcontractors, and encryption standards.  For more information about HIPAA please contact Elana Zana.