Comparison of Stage 1 vs Stage 2 Meaningful Use

Sifting through the hundreds of pages of new rules can be overwhelming.  Luckily, CMS has provided comparison charts to help navigate the meaningful use changes coming our way with Stage 2.  Along with the new rules, CMS clarified that the earliest Stage 2 meaningful use is effective is fiscal year 2014 for hospitals and calendar year 2014 for eligible professionals (more on 2014 to come in future posts).

Click on the links below to see the comparison charts:

Stage 2 Meaningful Use – Eligible Professionals: 17 core objectives, 3 of 6 menu objectives, 9 of 64 clinical quality measures.

Stage 2 Meaningful Use – Hospitals & CAHs: 16 core objectives, 3 of 6 menu objectives, 16 of 29 clinical quality measures.

For more information about meaningful use and the EHR Incentive Programs please contact Elana Zana.

CMS Issues 3 FAQs on Stage 2 Rules and the Medicaid EHR Incentive Program

CMS has responded to several questions following the issuance of its Stage 2 Meaningful Use Final Rule.  Along with publishing new meaningful use guidelines, the Final Rule adds new provisions regarding the calculation of patient volume for Medicaid providers.  CMS has recently published these new FAQs, some of which take effect immediately, while others will start in 2013, giving the states some time to update their guidance.  These new rules will affect all eligible professionals, regardless of their stage in participation in meaningful use.  To see additional FAQs click here.

Medicaid changes to patient volume calculations 

Q: The EHR Incentive Programs Stage 1 Rule stated that, in order for a Medicaid encounter to count towards the patient volume of an eligible provider, Medicaid had to either pay for all or part of the service, or pay all or part of the premium, deductible or coinsurance for that encounter.  The Stage 2 Rule now states that the Medicaid encounter can be counted towards patient volume if the patient is enrolled in the state’s Medicaid program (either through the state’s fee-for-service programs or the state’s Medicaid managed care programs) at the time of service without the requirement of Medicaid payment liability. How will this change affect patient volume calculations for Medicaid eligible providers?  

A: Importantly, this change affecting the Medicaid patient volume calculation is applicable to all eligible providers, regardless of the stage of the Medicaid EHR Incentive Program they are participating in. Billable services provided by an eligible provider to a patient enrolled in Medicaid would count toward meeting the minimum Medicaid patient volume thresholds.  Examples of Medicaid encounters under this expanded definition that could be newly eligible might include: behavioral health services, HIV/AIDS treatment, or other services that might not be billed to Medicaid/managed care for privacy reasons, but where the provider has a mechanism to verify eligibility.  Also, services to a Medicaid-enrolled patient that might not have been reimbursed by Medicaid (or a Medicaid managed care organization) may now be included in the Medicaid patient volume calculation (e.g., oral health services, immunization, vaccination and women’s health services, telemedicine/telehealth, etc.).

Providers who are not currently enrolled with their state Medicaid agency who might be newly eligible for the incentive payments due to these changes should note that they are not necessarily required to fully enroll with Medicaid in order to receive the payment.

In some instances, it may now be appropriate to include services denied by Medicaid in calculating patient volume.  It will be appropriate to review denial reasons.  If Medicaid denied the service for timely filing or because another payer’s payment exceeded the potential Medicaid payment, it would be appropriate to include that encounter in the calculation.  If Medicaid denied payment for the service because the beneficiary has exceeded service limits established by the Medicaid program, it would be appropriate to include that encounter in the calculation.  If Medicaid denied the service because the patient was ineligible for Medicaid at the time of service, it would not be appropriate to include that encounter in the calculation.

Further guidance regarding this change will be distributed to the states as appropriate.

CHIP patients eligible to be included in Medicaid patient volume totals
Q: The Stage 2 Rule describes changes to how a state considers CHIP patients in the Medicaid patient volume total when determining provider eligibility. Patients in which kinds of CHIP programs are now appropriate to be considered in the Medicaid patient volume total?  

A: States that have offered CHIP as part of a Medicaid expansion under Title 19 or Title 21 can include those patients in their provider’s Medicaid patient volume calculation as there is cost liability to the Medicaid program in either case (under the Stage 1 Rule, only CHIP programs created under a Medicaid expansion via Title 19 were eligible). Patients in standalone CHIP programs established under Title 21 are not to be considered part of the patient volume total (in Stage 1 or Stage 2). This change to the patient volume calculation is applicable to all eligible providers, regardless of the stage of the Medicaid EHR Incentive Program they are participating in.

Changes to the base year of the Medicaid EHR Incentive Program for hospital incentive payment calculation 
Q: Are there any changes to the base year for the Medicaid EHR Incentive Program hospital incentive payment calculation?

A: Yes. Previously Medicaid eligible hospitals calculated the base year using a 12 month period ending in the Federal fiscal year before the hospital’s fiscal year that serves as the first payment year.  In an effort to encourage timely participation in the program, §495.310(g)(1)(i)(B) of the Stage 2 Rule was amended to allow hospitals to use the most recent continuous 12 month period for which data are available prior to the payment year. This change went into effect upon publication of the Stage 2 Rule.  Only hospitals that begin participation in the program after the publication date of the Stage 2 Rule (i.e., program years 2013 and later) will be affected by this change.  Hospitals that began participation in the program prior to the Stage 2 Rule will not have to adjust previous calculations.

 

ICD-10 Compliance Delayed

In response to public encouragement, HHS announced earlier this week that it will delay requirements for ICD-10 compliance from October 1, 2013 to October 1, 2014.  The reconsideration of the compliance date was, according to the final rule,  a result of  “(1) the industry transition to Version 5010 did not proceed as effectively as expected; (2) providers expressed concern that other statutory initiatives are stretching their resources; and (3) surveys and polls indicated a lack of readiness for the ICD-10 transition.”  To view the final rule announcing the compliance delay click here.

Stage 2 Meaningful Use Final Rules Announced

After much delay and anticipation, the Stage 2 Meaningful Use Final Rules were announced late last week.  Though the primary focus of the new rules were to update (and increase) the meaningful use objectives and measures for the Medicare and Medicaid EHR Incentive Program, significant additional components regarding the EHR Incentive Program were also included.  To read the 672 pages of the Final Rule click here.  CMS has also posted a fact sheet which provides a good high level summary of some of the main topics of the Final Rule.  In addition to the Meaningful Use final rules, the Office of the National Coordinator has released its new standards governing certified EHR technology and a fact sheet.  The National eHealth Collaborative hosted a helpful webinar with an overview of these new rules, which can be accessed here.

Stay tuned for further information and analysis of these new rules, including an update regarding 2014, batch reporting for groups, commencement of payment adjustments, Medicaid patient volume calculations, new meaningful use measures, and more.

For immediate assistance regarding these new rules or for information regarding Stage 1 Meaningful Use and the EHR Incentive Program generally please contact Elana Zana.

New Type of Breach – Hackers Encrypting PHI & Holding for Ransom

Typical breach scenarios often include a stolen laptop or other device and the extraction of medical records by those thieves.  Now a new type of breach has occurred, hackers breaking into systems and holding PHI for ransom.  Bloomberg recently reported a breach in which hackers burrowed into the computer network of a surgical practice in Illinois.  Rather than stealing the data and using it for identity theft purposes, the hackers encrypted the PHI and held it for ransom.  To read the full article click here.

This type of incident would most likely be considered a “breach” under the HITECH Act, requiring breach notification to the affected individuals, unless the NIST encryption standards were already employed providing a safe harbor.  However, other HIPAA requirements are also implicated including obligations under the Security Rule to have technical and physical safeguards, which may include building secure firewalls to prevent such hackers.      Along with maintaining a secure system, it is also advisable to back-up all PHI.

PCI Certificate of Need Regulations Here to Stay

On July 9th the federal court in the Eastern District of Washington granted the Department of Health’s motion for summary judgment, thus ending the drawn out battle between Yakima Valley Memorial Hospital (“YVMH”) and the State over the denial of a certificate of need (“CN”) for elective PCI at YVMH.  The motion, which was remanded back to the district court by the Ninth Circuit, focuses on the question of whether the CN regulations unreasonably discriminate against interstate commerce in violation of the dormant Commerce Clause.  This constitutional challenge questions the burdens the PCI regulations place on interstate commerce as compared to the local benefits of the regulations.  Following an analysis of the PCI regulations and their application to YVMH, the court determined that the PCI regulations do not impose a substantial burden on interstate commerce as compared to the local benefits.  The PCI CN regulations therefore live to fight another day…

HIPAA Final Rule…Still Waiting

Though the HIPAA Final Rules were expected to be out before the end of the month, it seems that the end is not yet in sight.  Last week, the Office of Management and Budget (OMB) extended its review of the HIPAA Final Rules.  This review consisted of the HITECH updates, including the HIPAA Privacy and Security Rule, Enforcement and the Breach Notification Requirements.  It is unclear  how long the HIPAA Final Rules were extended, the OMB has the option of extending the final rule for thirty days or indefinitely.  Comments from HHS indicate that the HIPAA Final Rules should be out sometime this summer.  But for now, we must wait…

Access To Patient Data Even Without Knowledge of Illegality Can Still Lead to HIPAA Criminal Liability

On May 10, 2012, the Ninth Circuit heard United States v. Zhou, No. 10-50231 (9th Cir. May 10, 2012), and held that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) criminal misdemeanor provision, 42 U.S.C. § 1320d-6(a)(2), is not limited to defendants who knew their actions were illegal.

The case arose out of the following facts:  Huping Zhou was a licensed cardiothoracic surgeon in China who was employed in 2003 at University of California at Los Angeles Health System (UHS) as a researcher.  UHS later terminated his employment.  After his termination, Zhou accessed patient records of celebrities and co-workers on at least four separate occasions.  The U.S. Attorney’s Office for the Central District of California brought criminal charges for a misdemeanor violation of HIPAA’s prohibition of “knowingly” obtaining individually identifiable health information in violation of HIPAA.  Zhou filed a motion to dismiss on the grounds that he did not know it was illegal to obtain the health information and, therefore, did not act “knowingly.”  The magistrate judge dismissed Zhou’s motion, and Zhou then submitted a conditional guilty plea, reserving the right to appeal the dismissal.  The trial court sentenced Zhou to four months in prison, a $2,000 fine, and a $100 special assessment.

The Ninth Circuit rejected Zhou’s interpretation of the statute as applying only to defendants who knew obtaining the personal healthcare information was illegal.  Rather the court held that, “as used in the statute, the term ‘knowingly’ applies only to the act of obtaining the health information,” the appeals court said.  Thus, the statute did not require a defendant to have knowledge that his or her actions were illegal under HIPAA.

The court’s decision is significant because it sets a relatively low bar for criminal misdemeanor liability under HIPAA.  To access the case click here.

ONC Issues Guide on HIPAA Privacy and Security and Meaningful Use

ONC has recently released a new “Guide to Privacy and Security of Health Information” which incorporates tips on complying with HIPAA Privacy and Security as well as meeting related meaningful use measures.  The guide is designed for clinical providers and focuses on the following:

  • Privacy & Security and Meaningful Use
  • Security Risk Analysis and Management Tips
  • Working with EHR and Health IT Vendors
  • A Privacy & Security 10-Step Plan
  • Health IT Privacy and Security Resources

Specifically, with regard to Meaningful Use, the guide describes Meaningful Use measures 12 and 15:

#12. Provide patients with an electronic copy of their health information (including diag­nostics test results, problem
list, medication lists, medica­tion allergies) upon request.  To learn more about this measure click here.

#15. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.  To learn more about this measure click here.

If you have questions regarding HIPAA Privacy and Security or Meaningful Use please contact Elana Zana.

 

$100,000 HIPAA Settlement Due to Misuse of Online Calendar & More

The U.S. Department of Health and Human Services (HHS) has entered into another settlement for the violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this time with a small physician practice that violated HIPAA while using Internet-based calendar and email services.
Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay HHS a $100,000 settlement after it was reported that the physician practice violated HIPAA by posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.  The HHS Office for Civil Rights’ (OCR) investigation also revealed that Phoenix Cardiac Surgery violated HIPAA by emailing patient information from an Internet-based email account to workforce members’ Internet-based email accounts.
The OCR investigation also revealed the following issues:
• Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
• Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
• Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
• Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to patients’ electronic protected health information (ePHI).
Leon Rodriguez, director of OCR, said “This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules.  We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
This settlement highlights the need for all providers, regardless of their size, to understand the implications of the technology they use in their practices, to implement policies and procedures for HIPAA compliance, and to obtain business associate agreements where needed.
A press release and more information can be found on HHS’s website.