Sequester Payment Reductions to Medicare EHR Incentive Payments

CMS has confirmed that the mandatory reductions in federal spending, known as the sequester, will affect the Medicare EHR Incentive Program payments made in 2013. Accordingly, all Medicare EHR Incentive Program payments made to hospitals and eligible professionals will have a 2% reduction. This reduction applies to any hospital or eligible professional that participates in the program with a reporting period ending on or after April 1, 2013.

The 2% reduction will not apply to the Medicaid EHR Incentive Program. Therefore, those hospitals and eligible professionals expecting Medicaid EHR Incentive Program payments will receive the full amount without any sequester-related reduction.

If you have questions regarding the Medicare or Medicaid EHR Incentive Program please contact Elana Zana.

OMW Hosting Webinar on HIPAA Changes

2013 – HIPAA Readiness Program

 

Join us for a Webinar on March 21

Space is limited.
Reserve your Webinar seat now at:
https://www3.gotomeeting.com/register/822080726
 
New HIPAA rules were recently finalized and will go into effect in 2013.  This webinar program will provide important information to help your organization prepare for the implementation of these new rules, including details on:

• Business Associates
• Revisions to the Notice of Privacy Practices
• Breach Notification Requirements
• Individual Rights related to the Release of PHI

Join Ogden Murphy Wallace attorneys David Schoolcraft and Elana Zana as they explore these HIPAA modifications and help you form a compliance action plan to avoid HIPAA violations.

 

Title: 2013 – HIPAA Readiness Program
Date: Thursday, March 21, 2013
Time: 12:00 PM – 1:00 PM PDT

 

After registering you will receive a confirmation email containing information about joining the Webinar.

If you have questions about this Webinar or HIPAA in general please contact Elana Zana.

EHR Incentive Program Timeline Tool

CMS has recently launched a new tool which enables eligible professionals to determine which year they should meet each stage of meaningful use and the amount of incentive dollars available for the eligible professional.  This tool is useful in light of the changes to the EHR Incentive Program timeline made in the Stage 2 Final Rules.  The tool is applicable for eligible professionals applying for either the Medicare or Medicaid EHR Incentive Program.  To access the tool click here.

If you have questions regarding the EHR Incentive Program please contact Elana Zana.

Deadline to Report HIPAA Breach to HHS is Friday, March 1st

As part of the HITECH revisions to HIPAA, providers are required to report all HIPAA breaches, regardless of the number of individuals affected, to HHS on an annual basis. The deadline for this report is Friday, March 1st. This reporting requirement is pursuant to the interim final rule on Breach Notification; the Omnibus HIPAA rule published in January does not impose any new requirements related to reporting of 2012 HIPAA breaches. Providers who have had breaches affecting fewer than 500 individuals can report the HIPAA breaches here. This report needs to be filled out for each breach that occurred during the 2012 calendar year. For example, if a covered entity had a breach in March of 2012 affecting five individuals and another breach in August 2012 affecting two individuals, the report must be submitted for each breach but not for each individual (a total of two reports would be submitted in this example). To fill out this form, covered entities will need to submit the following information about the breach:

  • General information regarding the covered entity
  • Whether the breach occurred at or by a Business Associate and the associated contact information for that Business Associate
  • Date of the Breach
  • Date of Discovery
  • Approximate number of individuals affected by the Breach
  • Type of Breach (e.g. theft, loss, unauthorized access, etc.)
  • Location of breached information (e.g. laptop, e-mail, etc.)
  • Type of Protected Health Information involved in the Breach (e.g. demographic, financial, etc.)
  • Description of the Breach
  • Safeguards in place prior to the Breach (e.g. firewalls, physical security, etc.)
  • Date individuals were notified of the Breach
  • Whether substitute notice was required (this requirement is described in the rule)
  • Whether media notice was required (this requirement is described in the rule)
  • Actions taken in response to the Breach (sanctions, mitigation, etc.)
  • Any additional actions taken
  • Attestation

For those covered entities that have had a breach which affected more than 500 individuals, this report should have been submitted no later than 60 days following discovery of the breach, in accordance with the interim final Breach Notification Rule.

If you have questions regarding filling out this report or on Breach Notification in general please contact Elana Zana or Dave Schoolcraft.

ONC Launches Toolkit on Using Mobile Devices

Theft of mobile devices is one of the most common causes of HIPAA breaches.  Though usage of mobile devices is permitted under HIPAA, users must maintain appropriate security to avoid unauthorized use or disclosure of patient information.  The ONC recently launched a new website entitled: Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information to help providers better use their mobile devices that contain PHI.  The website contains videos, tip sheets, and FAQs.  Providers using mobile devices are strongly encouraged to visit the site and install security safeguards to avoid potential breaches.

For more information about HIPAA and securing mobile devices please contact Elana Zana.

OCR Releases Guidance Regarding De-Identification Methods for PHI

After two years, OCR recently released its Guidance Regarding Methods for De-Identification of PHI in Accordance with HIPAA. The guidance is designed to help covered entities understand de-identification, how protected health information is de-identified, and the options available for correctly performing de-identification. De-identification removes identifiers from PHI and reduces privacy risks to individuals, allowing secondary uses of the data for other purposes. Importantly, once PHI has been appropriately de-identified it is no longer considered PHI. Currently, under HIPAA, Sec. 164.514, there are two methods by which PHI can be de-identified: 1) a formal determination by a qualified expert; or 2) the removal of 18 specified individual identifiers, in conjunction with the lack of knowledge by the covered entity that the remaining information could be used alone or in combination with other information to re-identify individuals.

The Guidance delves into the two options for de-identification.  It includes specific details on how to satisfy the expert determination method and what is called the “safe harbor method,” which is the removal of 18 specific identifiers.  The Guidance includes Q&A as well as specific examples to help guide covered entities and business associates.

De-identification can be an important tool for both covered entities and business associates, but if performed incorrectly it could lead to serious breach potential.  For more information on HIPAA and how to correctly de-identify PHI please contact Elana Zana or Dave Schoolcraft.

CMS Posts Meaningful Use Stage 2 Specification Sheets

Looking for more detail on the Meaningful Use Stage 2 requirements? CMS has conveniently created specification sheets for each Meaningful Use measure. These sheets explain in detail each numerator and denominator eligible professionals and hospitals must achieve to be eligible for the EHR Incentive Payments. The sheets also contain the certification and standards criteria issued from the Office of the National Coordinator.

For Eligible Professionals click here.

For Eligible Hospitals and Critical Access Hospitals click here.

For assistance with the EHR Incentive Programs and meaningful use in general please contact Elana Zana.

eRx Hardship Exemption Requests Extension

On November 1st CMS extended the time period for eligible professionals to request a hardship exemption under the e-Prescribing Incentive Program. Those eligible professionals that have made at least 10 electronic prescriptions (eRx) between January 1, 2012 and June 30, 2012 (for certain CPT codes) will not be subject to the Medicare penalties, and those that have prescribed 25 in 2012 will receive an incentive payment under the program (unless they are receiving the Medicare EHR Incentive Program incentives). However, some eligible professionals cannot participate in this program due to “hardships,” and CMS acknowledges that they should not be penalized. Current hardship exemption categories include:

1.  The inability to e-prescribe due to local, State or Federal law or regulation.

2.  Providers that prescribe fewer than 100 prescriptions between January 1st and June 30, 2012.

3.  Providers practicing in a rural area without sufficient high speed internet access.

4.  Providers practicing in an area without sufficient available pharmacies for eRx.

To apply for a hardship exemption click here.  CMS has added the following two new hardship exemption request categories:

5.  Eligible professionals who achieve meaningful use during certain eRx timeframes. For the 2013 eRx payment adjustment, this will include any eligible professional who achieved meaningful use during January 1, 2011 through June 30, 2012 and has attested to this by January 31, 2013.

6.  Eligible professionals who demonstrate intent to participate in the EHR Incentive Program and adoption of Certified EHR Technology by registering for the EHR Incentive Program by January 31, 2013.  Please note: EHR Incentive Program participants must provide their entire EHR Certification Number in the CMS EHR Certification ID field during registration to receive this hardship.

For these last two hardship exemption categories, eligible professionals do not have to apply through the Communications Support Page, but instead must register and attest for the EHR Incentive Program by January 1, 2013.

If you have questions regarding the eRx program please contact Elana Zana.

Verizon Cloud Services Agrees to Sign BAA

Earlier this month Verizon announced its cloud services aimed at healthcare providers. These services are designed to be HIPAA compliant, including providing the necessary physical, technical and administrative safeguards required by the HIPAA Security Rule. Most notably with this announcement, Verizon has agreed to execute a Business Associate Agreement. Verizon’s press release expresses its commitment to top security protocols and offers a cloud hosting possibility to traditional healthcare companies that self-host. Verizon touts the cloud services as a safe, secure and fast mechanism for healthcare providers to efficiently share information with one another.

Verizon is not the only vendor attracting healthcare clients with HIPAA compliance and Business Associate Agreements.  Microsoft announced earlier in the summer its willingness to execute Business Associate Agreements as well with its Windows Azure Core Services.  Amazon has even published a white paper on HIPAA compliance when using its Amazon Web Services platform.

Though willingness to sign a Business Associate Agreement is significant, as is the acknowledgement that these companies are subject to the HIPAA requirements (per the HITECH Act), healthcare providers contracting with Verizon, Amazon, Microsoft, or any other company should make sure that they are adequately protected, which includes not only the implementation of security safeguards but also sufficient indemnification provisions in case of a breach. For more information about HIPAA and Business Associate Agreements please contact Elana Zana or Dave Schoolcraft.

HIPAA Violations – Visually Speaking

So how much can a HIPAA violation cost?  Below is a roll-up of some of the larger HIPAA penalties and further information about current enforcement.

HIPAA Violation Infographic

Infographic authored by Inspired eLearning, providers of online security awareness and training programs. To view the original post, check out the original HIPAA violation infographic.