EHR Incentive Program Timeline Tool

CMS has recently launched a new tool that enables eligible professionals to determine which year they should meet each stage of meaningful use and the amount of incentive dollars available to them. The tool is useful in light of the changes to the EHR Incentive Program timeline made in the Stage 2 Final Rules, and it applies to eligible professionals participating in either the Medicare or the Medicaid EHR Incentive Program. To access the tool click here.

If you have questions regarding the EHR Incentive Program please contact Elana Zana.

Deadline to Report HIPAA Breach to HHS is Friday, March 1st

As part of the HITECH revisions to HIPAA, providers are required to report all HIPAA breaches to HHS on an annual basis, regardless of the number of individuals affected. The deadline for this report is Friday, March 1st. This reporting requirement is pursuant to the interim final rule on Breach Notification; the Omnibus HIPAA rule published in January does not impose any new requirements related to reporting of 2012 HIPAA breaches. Providers who have had breaches affecting fewer than 500 individuals can report the HIPAA breaches here. This report needs to be filled out for each breach that occurred during the 2012 calendar year. For example, if a covered entity had a breach in March of 2012 affecting five individuals and another breach in August 2012 affecting two individuals, a report must be submitted for each breach but not for each individual (a total of two reports would be submitted in this example). To fill out this form, covered entities will need to submit the following information about the breach:

  • General information regarding the covered entity
  • Whether the breach occurred at or by a Business Associate and the associated contact information for that Business Associate
  • Date of the Breach
  • Date of Discovery
  • Approximate number of individuals affected by the Breach
  • Type of Breach (e.g. theft, loss, unauthorized access)
  • Location of breached information (e.g. laptop, e-mail)
  • Type of Protected Health Information involved in the Breach (e.g. demographic, financial)
  • Description of the Breach
  • Safeguards in place prior to the Breach (e.g. firewalls, physical security)
  • Date individuals were notified of the Breach
  • Whether substitute notice was required (this requirement is described in the rule)
  • Whether media notice was required (this requirement is described in the rule)
  • Actions taken in response to the Breach (sanctions, mitigation, etc.)
  • Any additional actions taken
  • Attestation

For those covered entities that have had a breach which affected more than 500 individuals, this report should have been submitted no later than 60 days following discovery of the breach, in accordance with the interim final rule on Breach Notification.

If you have questions regarding filling out this report or on Breach Notification in general please contact Elana Zana or Dave Schoolcraft.

HHS Releases Updates to HIPAA Rules

Today HHS released the long-awaited modifications to the HIPAA privacy, security, enforcement and breach notification rules.  A full copy of the rule can be found here.

In a related press release HHS described the impact of the rule as follows:

“The changes in the final rule making provide the public with increased protection and control of personal health information.  The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims.  The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured heath information must be reported to HHS.”

If you have questions related to the new HIPAA rules please contact Dave Schoolcraft or Elana Zana.


OIG Approves Electronic Interface Arrangement

In a recent advisory opinion, the Office of Inspector General DHHS (“OIG”) approved an arrangement under which free access to an electronic computer interface is provided by a hospital to local physicians.  The opinion provides an important contemporary analog to earlier guidance published by the OIG as part of the preamble to the Federal anti-kickback statute safe harbor regulations (see 56 Fed. Reg. 35952, 35978, July 29, 1991).   At the same time, the OIG reinforced its long-standing position that in order for such arrangements to pass muster under the Federal anti-kickback statute, the parties must validate that the technology is limited to facilitating hospital-physician communications, and that it will not have independent value to the physicians. 

Please contact David Schoolcraft (dschoolcraft@omwlaw.com or 206.447.7000) if you have any questions about the scope and applicability of this OIG advisory opinion.

ONC Launches Toolkit on Using Mobile Devices

Theft of mobile devices is one of the most common causes of HIPAA breaches.  Though usage of mobile devices is permitted under HIPAA, users must maintain appropriate security to avoid unauthorized use or disclosure of patient information.  The ONC recently launched a new website entitled: Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information to help providers better use their mobile devices that contain PHI.  The website contains videos, tip sheets, and FAQs.  Providers using mobile devices are strongly encouraged to visit the site and install security safeguards to avoid potential breaches.

For more information about HIPAA and securing mobile devices please contact Elana Zana.

OCR Releases Guidance Regarding De-Identification Methods for PHI

After two years, OCR recently released its Guidance Regarding Methods for De-Identification of PHI in Accordance with HIPAA. The guidance is designed to help covered entities understand de-identification, how protected health information is de-identified, and the options available for correctly performing de-identification. De-identification removes identifiers from PHI and reduces privacy risks to individuals, allowing secondary uses of the data for other purposes. Importantly, once PHI has been appropriately de-identified it is no longer considered PHI. Currently, under HIPAA, Sec. 164.514, there are two methods by which PHI can be de-identified: 1) a formal determination by a qualified expert; or 2) the removal of 18 specified individual identifiers, combined with the covered entity having no actual knowledge that the remaining information could be used, alone or in combination with other information, to re-identify individuals.

The Guidance delves into the two options for de-identification.  It includes specific details on how to satisfy the expert determination method and what is called the “safe harbor method,” which is the removal of 18 specific identifiers.  The Guidance includes Q&A as well as specific examples to help guide covered entities and business associates.
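As an added illustration of the safe harbor method described above (example code written for this post, not code from OCR, the Guidance, or CMS), the script below runs a constructed patient record through the safe harbor transformations: direct identifiers are dropped, dates are reduced to the year, ZIP codes are truncated to three digits (or zeroed when the ZIP3 area is too small), ages over 89 collapse into a single "90+" bucket, and free-text notes are scanned for SSN-, phone- and e-mail-shaped tokens. The identifier categories and the date, ZIP and age rules follow 45 CFR 164.514(b)(2); the field names, the sample record, the free-text patterns and the restricted ZIP3 set are this example's own assumptions.

```python
"""Safe harbor style de-identification of a constructed patient record.

Added illustration; not code from OCR or the Guidance. Identifier
categories follow 45 CFR 164.514(b)(2); field names, sample data,
free-text patterns and the ZIP3 restriction set are assumptions.
"""
import re
from datetime import date

# Direct identifiers dropped outright (schema names are this example's own).
REMOVED_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo", "other_unique_id",
}

# Date fields reduced to the year; birth_date is handled separately
# because it also drives the over-89 age rule.
DATE_FIELDS = {"admit_date", "discharge_date", "death_date"}

# ZIP3 prefixes whose combined area has 20,000 or fewer residents must
# become 000. Constructed sample set; the real list comes from Census data.
RESTRICTED_ZIP3 = {"036", "059"}

# Best-effort scrubbing of identifiers that leak into free text.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),              # SSN-shaped
    re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"),  # phone-shaped
    re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),       # e-mail address
]
REDACTED = "[REDACTED]"

# Fixed reference date so the age computation is reproducible.
AS_OF = date(2013, 1, 1)


def generalize_zip(zip_code):
    """Keep the first three digits unless that ZIP3 area is restricted."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def compute_age(birth, as_of):
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def scrub_text(text):
    """Replace SSN-, phone- and e-mail-shaped tokens in free text."""
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(REDACTED, text)
    return text


def de_identify(record, as_of=AS_OF):
    """Return a safe harbor de-identified copy of a flat record dict."""
    out = {}
    for key, value in record.items():
        if key in REMOVED_FIELDS:
            continue                      # direct identifier: drop it
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key] = str(value.year)    # year only
        elif key == "birth_date":
            age = compute_age(value, as_of)
            if age > 89:
                # Ages over 89 collapse to one bucket, and the birth year
                # is suppressed because it would reveal that age.
                out[key] = None
                out["age"] = "90+"
            else:
                out[key] = str(value.year)
                out["age"] = str(age)
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # notes and other free text
        else:
            out[key] = value
    return out


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "birth_date": date(1920, 3, 14),
    "admit_date": date(2012, 8, 2),
    "zip": "98101",
    "diagnosis": "E11.9",
    "notes": "Called from 206-555-0100; follow up by e-mail jane@example.com.",
}


def demo():
    """De-identify the constructed sample record."""
    return de_identify(SAMPLE_RECORD)
```

The free-text pass is deliberately labelled best-effort: pattern matching cannot establish the "no actual knowledge" condition that safe harbor also requires, so a covered entity still has to review notes and other unstructured fields rather than rely on the regexes alone.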

De-identification can be an important tool for both covered entities and business associates, but if performed incorrectly it could lead to serious breach potential.  For more information on HIPAA and how to correctly de-identify PHI please contact Elana Zana or Dave Schoolcraft.

CMS Posts Meaningful Use Stage 2 Specification Sheets

Looking for more detail on the Meaningful Use Stage 2 requirements? CMS has conveniently created specification sheets for each Meaningful Use measure. These sheets explain in detail the numerator and denominator that eligible professionals and hospitals must achieve for each measure to be eligible for the EHR Incentive Payments. The sheets also contain the certification and standards criteria issued by the Office of the National Coordinator.

For Eligible Professionals click here.

For Eligible Hospitals and Critical Access Hospitals click here.

For assistance with the EHR Incentive Programs and meaningful use in general please contact Elana Zana.

Verizon Cloud Services Agrees to Sign BAA

Earlier this month Verizon announced its cloud services aimed at healthcare providers.  These services are designed to be HIPAA compliant including providing the necessary physical, technical and administrative safeguards required by the HIPAA Security Rule.  Most notably with this announcement, Verizon has agreed to execute a Business Associate Agreement.  Verizon’s press release expresses its commitment to top security protocols and offers a cloud hosting possibility to traditional healthcare companies that self-host.  Verizon touts the cloud services as a safe, secure and fast mechanism for healthcare providers to efficiently share information with one another.

Verizon is not the only vendor attracting healthcare clients with HIPAA compliance and Business Associate Agreements.  Microsoft announced earlier in the summer its willingness to execute Business Associate Agreements as well with its Windows Azure Core Services.  Amazon has even published a white paper on HIPAA compliance when using its Amazon Web Services platform.

Though the willingness to sign a Business Associate Agreement is significant, as is the acknowledgement that these companies are subject to the HIPAA requirements (per the HITECH Act), healthcare providers contracting with Verizon, Amazon, Microsoft, or any other company should make sure that they are adequately protected. That protection includes not only the implementation of security safeguards but also sufficient indemnification provisions in case of a breach. For more information about HIPAA and Business Associate Agreements please contact Elana Zana or Dave Schoolcraft.

HIPAA Violations – Visually Speaking

So how much can a HIPAA violation cost?  Below is a roll-up of some of the larger HIPAA penalties and further information about current enforcement.

HIPAA Violation Infographic

Infographic authored by Inspired eLearning, providers of online security awareness and training programs. To view the original post, check out the original HIPAA violation infographic.

Comparison of Stage 1 vs Stage 2 Meaningful Use

Sifting through the hundreds of pages of new rules can be overwhelming. Luckily, CMS has provided comparison charts to help navigate the meaningful use changes coming our way with Stage 2. Along with the new rules, CMS clarified that the earliest Stage 2 meaningful use takes effect is fiscal year 2014 for hospitals and calendar year 2014 for eligible professionals (more on 2014 to come in future posts).

Click on the links below to see the comparison charts:

Stage 2 Meaningful Use – Eligible Professionals: 17 core objectives, 3 of 6 menu objectives, 9 of 64 clinical quality measures.

Stage 2 Meaningful Use – Hospitals & CAHs: 16 core objectives, 3 of 6 menu objectives, 16 of 29 clinical quality measures.

For more information about meaningful use and the EHR Incentive Programs please contact Elana Zana.