Eligibility for EMR Incentives Could Be Widened

The AMA reports that new legislation is proposing to extend the eligibility for EMR incentives to include licensed psychologists and clinical social workers.

The Health Information Technology Extension for Behavioral Health Services Act also would expand the Medicare hospital incentive to include inpatient psychiatric hospitals, and extend Medicaid hospital bonuses to community health centers, mental health treatment facilities, psychiatric hospitals, and substance abuse treatment facilities. The bill was introduced on Aug. 5 by Sen. Sheldon Whitehouse (D, R.I.), and a companion bill was introduced in the House by Rep. Patrick Kennedy (D, R.I.).

Whitehouse said his legislation “will give mental health professionals access to comprehensive and up-to-date medical histories, enhancing the precision of diagnoses and reducing medication errors.”

CMS Meaningful Use Rules, Part 3

In part 1, we discussed just what is meant by a meaningful user and in part 2 we touched briefly on some of the changes made in the meaningful use rules from the proposed rules to the final rules. Whereas initially there was an 80% threshold that had to be met for pretty much every objective, after much discussion and consideration, CMS agreed that for some of these measures that was too high a bar to jump.

Here is a nice summary of the final rules thresholds for each of the meaningful use objectives and measures. Thanks to Robin Raiford, RN, from the HIMSS Legislation and Regulation Review Task Force, for providing us with this great resource.

CMS Meaningful Use Rules, Part 2

In part 1, we introduced the different stages of meaningful use criteria as defined by CMS in their final rules, released July 13, 2010. Many practices and hospitals breathed a collective sigh of relief on the one hand, as several criteria had thresholds that were less onerous than were originally proposed. It seems that CMS has been listening.

Thresholds for CPOE and e-Prescribing

For example, as we mentioned earlier, the threshold for meeting criteria for CPOE (computerized physician order entry) is now set at 30%. This means that only 30% of unique patients (not total patient visits) need to have at least one order entered into the electronic medical record system to meet those goals.

Another example is electronically transmitted prescriptions or e-Prescribing. Originally set at 75% of “permissible prescriptions”, this has been dropped to “at least 40%”. This was due in part to objections that (1) some pharmacies are not quite ready to accept e-Prescribing and (2) some patients insist on getting a paper prescription.

Structured Data vs Unstructured Data

On the subject of prescriptions, an active medication list must be maintained on patients (with the default threshold of at least 80% of unique patients) in the form of “structured data”. Structured data refers to data that can be identified by the EMR system. In other words, [Read more...]

CMS Releases EHR Adoption Rules, Part 1

On Tuesday July 13, CMS released the final rule for adopting a certified electronic health record (EHR) system.

After listing about 60 acronyms and abbreviations (and it’s impossible to remember them when reading the subsequent text), what follows is approximately 800 pages of proposals, related comments, and final rulings.

All this is to spell out the meaning of meaningful use (which we first touched on in October), how to be considered an EP (eligible professional) and when said EP can expect to first receive any kind of incentive payment – for the early adopters, the first “payment year” is calendar year (CY) 2011.

When you actually receive the payment could be the end of the following calendar year. Hospitals will typically be incentivized on a fiscal year (FY) basis.

We’ll attempt to digest this compelling tome, one 100-page piece at a time (or so). Keep in mind, though, that this is only what CMS considers “Stage 1” of the meaningful use criteria. Stage 2 criteria are expected by the end of 2011 and Stage 3 criteria by the end of 2013. The idea is to have an “initial graduated approach to arriving at the ultimate goal”: total enlightenment of EMR, I suppose.

As we previously mentioned, a meaningful user is one who:

CMS to Publish "Meaningful Use" Final Rule by July 14

According to a report on FierceEMR.com, the CMS has announced that by July 14 it will release its final ruling on the EMR “meaningful use” standards which will finally spell out just how healthcare providers can become eligible for the HITECH (Healthcare Information for Electronic and Clinical Health) Act financial incentive payments.

In addition, it will presumably unveil its plan for aligning its Physician Quality Reporting Initiative (PQRI) with the EMR financial incentives program.

“We propose to include many ARRA core clinical quality measures in the PQRI program, to demonstrate meaningful use of EHR and quality of care furnished to individuals,” CMS states in an advanced copy of the proposed reg, CMIO magazine reports. “We propose the selection of these measures to meet the requirements of planning the integration of PQRI and EHR reporting.”

HIPAA Data Requirements: Can Violation Send You to Jail?

As if physicians didn’t have enough to concern themselves with in regard to HIPAA, new healthcare legal guidelines are about to make things much more complicated. But first, let’s take a closer look at the regulations regarding the protection of patient information.

Legislation. HIPAA (the Healthcare Information Portability and Accountability Act) has provisions requiring the safeguarding of “protected health information” (PHI). Specifically, this sets out the rules for encryption of the data so that if it falls in the wrong hands, the information is safe and sound. Fair enough. But what kinds of data are covered under this definition? We’ll discuss that a bit later.

Enter the HITECH Act (Health Information Technology for Economic and Clinical Health), part of the American Recovery and Reinvestment Act or Stimulus Bill of 2009. With it comes another set of verbiage regarding protection of PHI data. Now, the HITECH Act itself doesn’t require encryption of the data. It specifies the kinds of encryption that make the data secure. For guidance on the specific requirements, HITECH punts back to HIPAA.

But what HITECH has done is to allow for sizeable increases in fines for violating provisions of HIPAA for not only “covered entities” such as medical practices, but also for what are known as business associates, those entities such as medical supply vendors who work with covered entities. Practices should be careful with whom they make formal contractual agreements, specifically if those parties have any access to patient information; any infringement on the part of a business associate may bring investigators to your front door.

HITECH also sets more stringent provisions for what are known as breach notifications. Entities who have had data compromised are required to advise patients if there has been any kind of unauthorized acquisition, access, use or disclosure of their “unsecured” PHI. Unsecured in this case is defined as information not protected by technology that renders it unreadable or indecipherable.

Enforcement. The HITECH Act has also amended the HIPAA regulations to allow for enforcement and prosecution through the Department of Health and Human Services’ Office of Civil Rights (OCR). They can levy fines from $100 to $50,000 per violation, and up to $1.5 million per calendar year. And through this office, the States Attorneys General have been given clear authority to prosecute healthcare providers for “criminal penalties” – and they get to keep part of the collected fines.

The problem is that there is much discrepancy between the two pieces of legislation concerning not only what information must be protected but also how that is to be accomplished. And the statutes have not quite caught up with the legislation. But for those who believe that this is just a bunch of bluster, a precedent has already been set: a UCLA researcher who was a licensed surgeon in China was sentenced to four months in jail for illegally accessing patient electronic records.

What data needs protecting?

A critical debate is brewing regarding which kinds of data need to be encrypted, or protected with certain security protocols. This is because the two pieces of legislation mentioned above don’t quite agree. To make matters worse, the technical terminology that they use is not used by experts in the computer industry.

In general, data that is going from one place to another needs to be protected. This is easy enough to understand. If someone who is unauthorized were to intercept this information, the privacy of the data would be compromised. But this is where things get complicated: who decides what information is vulnerable to a breach?

Data-at-rest

According to the National Institutes of Science and Technology (NIST), information on external storage media such as backup tapes or flash memory sticks is considered data-at-rest. Since this information can be physically taken from one place to another, it runs the risk of being compromised, and so it must be encrypted. This makes sense.

Data-in-motion

This refers to information traveling from one point to another, usually between distinct networks. Think about electronic transactions between a hospital and an insurance company, or between two financial institutions. The problem is that some interpret the HIPAA data requirements to include data that is ‘traveling’ within a local area network (LAN). And this would include local networks within a medical practice containing the practice management and electronic medical records systems.

Others argue that the data that is flowing on a local network is under the control of the practice. Therefore, the assumption is that this data need not be encrypted when going from one practice computer to another. The system is protected from unauthorized users by passwords and other security measures.

More confusing still, others say that the data in your network is data-at-rest and that, for that reason, it should be encrypted.

The bottom line is that there is no definitive ruling on how data on a local network should be treated. And unfortunately, there will need to be some sort of statutory ruling before medical practices know for sure.

Regardless of its classification, if all of the data on a medical practice’s local network (LAN) falls under the requirements for protected information, this would undoubtedly be an onerous proposition. It would be prohibitively expensive for a medical practice if it had to encrypt its LAN information, not only in terms of the additional hardware and software needed but also in terms of processor and memory ‘overhead.’ Even if a practice could afford to do it, its network may slow down to a crawl.

What should a practice do?

The best and safest option for the time being is to go for the “low-hanging fruit.” Any data that is contained on portable media – CDs, tapes, thumb drives or memory sticks – needs to be encrypted. This is simple enough to do. However, there will be challenges in terms of pushback from physicians and staff who are used to simply plugging in a USB device in a practice computer without taking any precautions.

Information transmitted from the practice to another entity – clearing houses, insurance companies, etc. – is generally already encrypted nowadays by default. Apart from that, medical practices should stay abreast of the news concerning security of protected health information in order to steer clear of the law.

Medical Practice Trends Podcast 7: HIPAA, HITECH, and Protecting Your Patients’ Information


EMR Update 7 – HIPAA, HITECH, and Protecting Your Patients’ Information
This Issue:

  • What is data-at-rest vs data-in-motion?
  • What do the new HITECH Act provisions mean to your medical practice?
  • What are potential penalties for violating the HIPAA regulations?
  • What proactive measures can you take to protect yourself and your practice?

ePrescribing and PQRI: Are You Leaving Money on the Table?

As the time approaches when potential financial incentives for the widespread use of electronic medical records (EMR) finally kick in, there is increasing excitement and anxiety among medical practices. Unfortunately, there is also a lot of confusion.

What is the difference between the financial incentives from the Stimulus Bill and bonuses from ePrescribing or those from PQRI (Physicians Quality Reporting Initiative)?

And what do you need to do to qualify for and then claim these incentives and/or bonuses?

Medical Practice Trends Podcast 6: ePrescribing, PQRI, and ARRA Incentives

EMR Update 6 – eRx and PQRI: Are You Leaving Money on the Table?

This Issue:

  • How can your practice qualify for ‘Stimulus Bill’ financial incentives?
  • ePrescribing (eRx) & PQRI – what bonuses can you expect for each?
  • How do you make a claim?
  • Find out about PQRI Toolset, a tool that can help you claim bonus payments

(Note: MPT has a financial interest in Protodrone LLC, creator of PQRI Toolset)

CMS Releases Proposed Meaningful Use Criteria

The Centers for Medicare and Medicaid Services (CMS) announced today a proposed outline for Meaningful Use criteria, in accordance with EMR implementation provisions under the Health Information Technology for Clinical and Economic Health (HITECH) Act, part of the American Recovery and Reinvestment Act (ARRA) of 2009. These specify some of the guidelines by which physicians can receive incentives of up to $44,000 per provider, over 5 years, beginning as early as 2011.

Stage 1 criteria (the first of 3 total) would cover 25 meaningful use objectives (and 23 for hospitals). These are listed under modules known as Health Outcomes Policy Priorities such as Improving quality and patient safety (use of drug-allergy interaction checks, use of ePrescribing, maintaining active medication list, etc.), Engaging patients and their families in their health care (e.g., provide patients with a copy of their health information), Improving care coordination (e.g., exchanging key clinical information among authorized entities), Improving population and public health (e.g., capability to submit data to immunization registries), and Ensuring adequate privacy and security for personal health information (through the use of appropriate EMR technology).

The implementation of Stage 1 meaningful use standards would begin in 2011. Stage 2 (which would essentially expand upon certain aspects of Stage 1) and Stage 3 (which would deal with achieving improvements in conditions of a national high-priority nature and population health outcomes) would follow later.

While this certainly doesn’t clear things up completely for the individual physician, every piece of information that trickles down from Washington is eventually analyzed and translated for all parties that have a vested interest in the process. Hopefully, resources such as this can help doctors stay informed and as up-to-date as possible.

If you have any comments or questions, please post them here. If we don’t know the answer we’ll certainly try to find someone who does.