Your practice can no longer brush off breaches of electronic patient health information (ePHI) files if fewer than 500 patients are exposed. Small breaches carry the same risk for all providers, according to HIPAA and HITECH regulations.
The Hospice of North Idaho’s recent breach settlement with the Department of Health & Human Services (HHS) of $50,000 is the first case settled involving fewer than 500 patients. In the Idaho case, a laptop with 441 records was stolen in 2010. During its review, HHS’ Office for Civil Rights (OCR) determined the hospice failed to conduct a risk analysis to safeguard ePHI, and had no policies or procedures to address mobile device security. According to HHS, ePHI breaches nearly doubled last year, mostly as the result of lost or stolen laptops.
A breach is defined by HHS as “the unauthorized acquisition, access, use, or disclosure of protected health information, which compromises the security and privacy such that the use of the information poses significant risk of financial, reputational, or other harm to the affected individual.” Regarding electronic PHI, only breaches of “unsecured” ePHI trigger the notification requirement.
When a breach occurs, a notice must be sent to all affected individuals within 60 days. The notice can be sent by regular mail or email (if permission was given)—or, if this information is outdated, by alternative methods such as the web or print advertisement. If the breach involves PHI for more than 500 individuals, the breach must also be reported to a major media outlet serving the affected individuals. You must include the following in the notice:
- The date of the breach and when it was discovered
- A brief description of the incident that led to the breach
- Description of the unsecured PHI involved
- Suggested steps individuals should take to protect themselves against any problems stemming from the breach
The best strategy is to avoid a breach. Include mobile device security in your compliance plan, and take the time to analyze what practices put your data at risk. Can risks be eliminated? A hospice or home health agency, for example, needs its staff to carry laptops to patients’ houses. Storing ePHI in the cloud rather than on the computer’s hard disk, along with extensive training about computer security, might prevent similar breaches.
Perform a thorough assessment of potential risks to the confidentiality, integrity, and availability of ePHI your practice holds, and implement security measures that are reasonable and appropriate to reduce risks and vulnerabilities to an acceptable level.
January 16th, 2013
An EHR that meets meaningful use certification requirements may not necessarily be able to connect and exchange data with all the entities providers want it to. Experts are now advising doctors to consider what data exchange they plan to implement and make sure the EHR they use is capable of meeting those needs. American Medical News recently interviewed Dixon Davis, vice president of business development at AAPC Physician Services, on EHRs and meaningful use.
“The exchange requirements EHRs must meet to be certified for meaningful use are limited mostly to exchange between one organization and another, not across multiple settings,” Davis says. “Physicians will need to talk with the organizations with whom they plan to exchange data — including labs, other practices, hospitals and health information organizations — to find out what capabilities their systems must have.”
November 29th, 2012
With so many changes in the way health care business is conducted, it’s crucial to stay updated and current. “In the current age of Electronic Medical Records (EMR) many have seen notes become bloated with extensive histories, medication lists, old labs and radiology that may not have been obtained at the present visit or even be pertinent,” stated AAPC member Erin Anderson, CPC, CHC in the most recent BC Advantage issue. “Ironically, many physicians do not document some of the work they actually did for the present visit and this can adversely affect their Level of Service (LOS) so the code billed is not reflective of the work they performed.”
September 19th, 2012
Stage 2 Meaningful Use guidelines become effective November 5. Knowing what is expected will help your practice take full advantage of the financial incentives available to it.
The Centers for Medicare & Medicaid Services (CMS) announced a final rule after Labor Day specifying the Stage 2 criteria set for eligible professionals, eligible hospitals, and critical access hospitals (CAH) to qualify for Medicare and Medicaid electronic health record (EHR) incentive payments. The rule also outlines payment adjustments made if program participants fail to meaningfully use EHR technology. However, the new rules provide a flexible reporting period for 2014 so providers will have sufficient time to adopt or upgrade to the latest technology available in 2014.
CMS said Meaningful Use, which is divided into three stages, affects one out of every five eligible health care professionals.
- Stage 1 sets the basic functionalities electronic health records must include, such as capturing data electronically and providing patients with electronic copies of health information.
- Stage 2 (which will begin as early as 2014) increases health information exchange between providers and promotes patient engagement by giving patients secure online access to their health information.
- Stage 3 will continue to expand meaningful use objectives to improve health care outcomes.
Remember that if your practice is not a facility, you must meet the measurements or qualify for exclusion for 17 core objectives and three to six menu objectives. (If you are a hospital or critical access hospital (CAH), you must meet 16, with three to six menu items.) However, if you are using “2011 Edition Certified EHR Technology,” you may use it until 2014. Some new criteria include:
- Patient Engagement. CMS proposed two new core objectives providing patients online access to health information and secure messaging between patient and provider with measures that require patients to take specific actions for a provider to achieve meaningful use and receive an EHR incentive payment. For both objectives, the threshold was set at 10 percent of patients. While providers expressed concern, CMS is finalizing the proposed measures with reduced thresholds of 5 percent for both objectives. In addition, CMS introduced exclusions based on availability of broadband in a provider’s practice area.
- Electronic Exchange of Summary of Care Documents. To spur provider commitment to electronic exchange, CMS had initially proposed two ambitious measures for this objective in Stage 2. The first measure required that a provider send a summary of care record for more than 50 percent of transitions of care and referrals. The second measure required that a provider electronically transmit a summary of care for more than 10 percent of transitions of care and referrals. CMS is requiring at least one instance of exchange with a provider using EHR technology designed by a different EHR vendor or with a CMS-designated test EHR.
Prepare, too, for clinical quality measure (CQM) guidelines. The rule finalizes that providers must report on nine out of 64 CQMs. All providers must select CQMs from at least three of the six key health care policy domains from the Department of Health & Human Services (HHS) national quality strategy:
- Patient and family engagement
- Patient safety
- Care coordination
- Population and public health
- Efficient use of health care resources
- Clinical processes/effectiveness
For more information about this and hardship exceptions, review the Final Rule, published in the Federal Register Sept. 4.
September 12th, 2012
Figliozzi and Co., an accounting firm based in Garden City, N.Y., has started post-payment audits for hospitals and eligible professionals who have claimed successful meaningful use of electronic health records (EHRs). The process starts with a mailed letter sent from the Centers for Medicare & Medicaid Services (CMS) to physicians who have received an incentive check, saying that they are being audited. Practices are required to reply within two weeks of receiving the letter.