Changes Coming to Meaningful Use

The government program providing incentives to health providers for meaningful use of electronic health records continues to be troubled as the final rule for stage 3  has been delayed until 2018. Coupled with recent comments by the Centers for Medicare and Medicaid Services (CMS), it appears that the entire program will undergo substantive changes in the year ahead. However, CMS notes, it is important to continue under the old program until the changes start being unveiled in the spring of 2016.

When meaningful use started in 2009, the intent was to induce medical providers to use the new technology purchased with the help of the federal government. By providing incentive payments to the physicians that showed they were using the new technology in a meaningful way, the government believed it would improve quality, safety, and efficiency of care through electronic health records. However, CMS has found that the program did not operate as envisioned, resulting in the forthcoming changes to the program, expected to start in the spring of 2016.

While the new program has guiding themes that were issued by CMS, it is unclear what the new program will ultimately look like. However, many of the themes are to focus on the outcome of patient care, with less focus on the use of the new technology, in hopes that complaints by all stakeholders about the meaningful use program will be alleviated. For health providers, the pending changes will take time implement and until such time, the meaningful use program is still the operative requirements. To read more about the changes, please visit the official blog of CMS at: http://blog.cms.gov/2016/01/19/ehr-incentive-programs-where-we-go-next/

© 2015 Vandenack Williams LLC
For more information, Contact Us

Advertisements

Who Owns Medical Records in the Digital Age?

Determining who owns medical records in the age of electronic health records remains somewhat ambiguous. In fact, recent issues at the University of Rochester Medical Center highlight the confusion as the health provider recently reached settlement over a violation of protected health information because a nurse practitioner took patient information to a new practice. Thus, the relevant question is whether the provider, the physician, the electronic health record provider, or the patient own the information?

Many patients assume the Health Insurance Portability and Accountability Act (HIPAA) provides ownership of health information to the patient, but the law, in fact, fails to specify. Largely, this issue is left to state legislatures to determine, but the majority of states have failed to address the issue. According to a recent survey by the George Washington University’s Hirsh Health Law and Policy Program and the Robert Wood Johnson Foundation, only New Hampshire provides ownership of medical records to the patient, while in 20 other states, the healthcare provider owns them.

In the age of electronic health records, patient data is quickly shareable between physicians, patients, and other individuals. This poses new legal challenges for healthcare providers and physicians, especially as the laws and regulations on protected health information continue to evolve and state attorneys general start to enforce the privacy laws under the Health Information Technology for Economic and Clinical Health Act. This means that physicians and healthcare providers of all types should ensure that their internal policies on health records fully comply with the evolving legal landscape.

© 2015 Houghton Vandenack Williams
For more information, Contact Us

Potential Employer Requirements Due to Anthem, Inc. Data Breach

On February 4, 2015, Anthem Inc., one of the largest U.S. health insurers, notified the public that their data systems were breached. This breach potentially left customer names, social security numbers, and other personal information vulnerable. Subsequently, Anthem Inc. has already seen a customer lawsuit filed in California over the breach, with many more expected.

Health plan participants that have been affected will be notified in compliance with federal law. However, as this investigation continues, this may place additional burdens on employers. Depending upon the nature of the breach, of which further details are expected soon, employers may have to issue breach notifications under the Health Insurance Portability and Accountability (HIPAA). Until it becomes clear what information was taken, specific notification requirements are unclear. For example, a key question is whether protected health information was taken.

Depending upon the type of health plan an employer offers, it will have a varying impact upon the obligations for each company. The requirements will become clearer once further information is released. Beyond the federal HIPAA requirements, 47 states have unique breach notification laws that may impose obligations.

If you have questions pertaining how this may impact your requirements under the law, please contact Houghton Vandenack Williams for further information.

© 2015 Houghton Vandenack Williams

For more information, Contact Us

HHS Releases Bulletin: HIPAA Privacy in Emergency Situations

Generally, when you visit a healthcare facility or receive any health treatments, you expect a certain level of privacy. Patient privacy is protected by HIPAA, or the Health Insurance Portability and Accountability Act. However, the Department of Health and Human Services released a bulletin this month outlining situations when the privacy rules are not applicable.

Private health information is not protected when public health is at risk, treatment of the individual patient so requires, and other moments that may be necessary. As an example, in the middle of a public health crisis, a healthcare provider may disclose critical information “to prevent or control the disease, injury, or disability.”

Although a provider must still be extremely careful to not over-disclose private information, the release will generally be protected if they comply with requests from Federal entities, such as the Centers for Disease Control. The provider can disclose to other health providers for coordination of care efforts, family and friends who are involved in the treatment, relief organizations such as Red Cross, and potentially media outlets.

© 2014 Parsonage Vandenack Williams LLC

For more information, Contact Us

Weak Passwords Put Patients’ EHR at Risk

By M. Thomas Langan II.

A recent government report criticized the current electronic health record certification process for failing to require strong passwords.  These vulnerabilities make it easier for hackers to penetrate electronic health record (“EHR”) systems and access patient records.  The report comes amid a study that many patients are reluctant to divulge their information when their physician uses EHR out of fear of their data’s security.  Despite the current lax requirements, it is recommended that all passwords be at least 8 characters long and contain 3 of the following: capital letters, lowercase letters, numbers and special characters and are changed at least monthly.

The government’s report can be found here: http://oig.hhs.gov/oas/reports/region6/61100063.asp

The study can be found here:  http://jamia.bmj.com/content/early/2014/07/24/amiajnl-2014-002804.abstract

© 2014 Parsonage Vandenack Williams LLC

For more information, Contact Us

How Does HIPAA Affect My Business?

HIPAA was enacted to protect the privacy of an individual’s health information. The vast majority of HIPAA requirements apply to covered entities and business associates. A covered entity is an organization that transmits or produces protected health information. A business associate is an organization that carries out the functions of covered entities or otherwise receives health information from covered entities, for example, a billing company.

If you are a covered entity or business associate then you are subject to the HIPAA Privacy Rule which governs the use and disclosure of protected health information. You are also subject to the HIPAA Security Rule which governs how health information should be safeguarded.

Even if your company is not a covered entity or business associate there are certain aspects of HIPAA that you should be aware of. If your company offers employment benefit plans or health plans or otherwise has health information on your employees, then you should make sure that this information is not disclosed without the express permission of the employee. You should also make sure that this information is safeguarded and not allowed to be accessed by unauthorized personnel.

Finally, you should check state law as states are allowed to supersede certain parts of HIPAA and apply them towards your business.

© 2014 Parsonage Vandenack Williams LLC

For more information, contact us

Meaningful Use Stage 2 Deadline Delayed

In response to mounting pressure from Congress and trade groups, CMS has announced that it will delay the Meaningful Use Stage 2 deadline by one year. As a result, Stage 2 will be extended through 2016. Eligible professionals who have completed two years of Stage 2 by 2016 can attest to Stage 3 beginning in 2017. CMS plans to release proposed Stage 3 rules in 2014.

CMS has not yet released rules that explain how the Stage 2 delay works. However, this delay presents a variety of opportunities for providers. Eligible professionals may wish to use the extended timeline to explore alternative EHR providers. Additionally, the extended timeline may give eligible professionals the chance to decide on alternate menu objectives. However, eligible professionals who are already ready to attest to Stage 2 should stay on track with their current plans. This will enable them to attest to Stage 3 as early as possible.

© 2013 Parsonage Vandenack Williams LLC

For more information, contact us

Meaningful Use Stage 2: Can Physicians Cope With CMS’S Requirements?

2014 is a crucial year for physicians in terms of attesting to Meaningful Use (MU). If physicians do not attest to MU Stage 2 in 2014, they will be subject to payment reductions by CMS. Physicians, vendors, and commentators have expressed concern over a variety of the MU Stage 2 requirements. To meet the MU Stage 2 requirements, physicians must meet 17 core objectives and three out of six “menu” objectives.

Some of these objectives are likely to present significant challenges for physicians. Notably, commentators have expressed concern that the MU Stage 2 requirements involving transitions to other providers will be problematic. Additionally, patient engagement requirements will require physicians to reach out to their patients to take advantage of the new technology. In doing so, physicians must be careful to comply with existing regulations, especially on the issue of patient privacy.

© 2013 Parsonage Vandenack Williams LLC

For more information, contact us

Republican Senators Call for One-year Meaningful Use Extension

The dizzying pace of changes in healthcare law over the past several years has led some Republican senators to call for an extension of the Meaningful Use Stage 2 deadlines. Under the current timetable, many physicians and hospitals will be required to invest extensively in new technology by the end of 2014. The senators are calling for a one-year extension, arguing that small and rural providers will be hurt by the timeline. They also argue that the current transition timeline could be disorderly and that it might limit buy-in by healthcare providers.

© 2013 Parsonage Vandenack Williams LLC

For more information, contact info@pvwlaw.com

The HIPAA-HITECH Omnibus Rule: What’s New?

New rules released under HIPAA require physicians to make several major changes over the next six months. These changes are complex and they will have a direct impact on how physicians do business, so physicians need to start planning now.

Business associate (BA) agreements must be reviewed. The new rules require physicians to use reasonable diligence in overseeing business associates. BAs should also take notice, because they may now be directly liable for breaches. The definition of who counts as a BA has expanded. So, any company working with a physician needs to figure out whether the new rules apply to it.

Physicians also need to prepare new NPPs to account for new patient rights. Patients will soon be able to limit disclosure if they pay for services in full. They will also be able to request machine-readable copies of EHR. Last, they will have to give written approval before the physician can use third-party marketing.

© 2013 Parsonage Vandenack Williams LLC

For more information, contact info@pvwlaw.com