MU: Stage 1 Updated 01/28/2013

 January 2013 
Stage 1 Updated
On Sept. 4, 2012, the U.S. Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS), officially adopted the Stage 2 requirements for Meaningful Use of Electronic Health Records (EHR).
In addition to adopting specifications required for Stage 2, the Federal Register has been updated to describe new specifications that are required in order for hospitals and providers to comply with Stage 1 – regardless of their first year of attestation and EHR adoption. 
The rule requires that all eligible hospitals and providers acquire and install the “2014 Edition” of certified EHR software to attest with during the 2014 reporting period. This means that all hospitals that have attested, regardless of the stage of Meaningful Use they are at, will need to upgrade from the “2011 Version” to the “2014 Version” of Certified Electronic Health Record Technology (CEHRT). (See chart below.)
Under the 2014 definition of CEHRT, all hospitals and Eligible Providers (EPs), regardless of what stage of Meaningful Use they are at, will only need to possess EHR capabilities certified to:
  1. Meet the requirements of a “BASE” EHR as defined by CMS
  2. Meet any other criteria associated with objectives and measures needed to qualify for the provider’s current stage of Meaningful Use
“Regardless of what stage of Meaningful Use you are at, all eligible hospitals and providers must acquire the “2014 Edition” of certified EHR software to attest with in 2014.”  
Jim Deren
Strategic IT Planning Specialist
CareTech Solutions
As indicated in the chart, CMS has reduced the amount of time that an organization will need to measure and attest from an entire year to a three-month period that aligns with a reporting year quarter. The latest a hospital can perform their 90-day measurement is from July 1 through Sept 30, 2014, with submission of attestation no later than two months following the completion of the 90-day measurement period. The latest an EP can measure is Oct 1 through Dec 31, 2014, with submission of attestation no later than two months following the end of the measurement period.
In addition to timing, a number of Stage 1 requirements have been modified. Hospitals and EPs are required to fulfill the updated requirements in order to remain in compliance.  
Following is a summary of changes to the Stage 1 Meaningful Use requirements and Quality Core Measures (CQMs) that will take effect in 2013 or 2014.  
Core Requirements
  • Remove: Provide an electronic copy of health information for EPs and Hospitals (2014)
  • Remove: Provide patients with timely electronic access to their data for EPs (2014)
  • Remove: Electronic exchange of key clinical information by hospitals and EPs (2013)
  • Remove: Provide patients with an e-copy of discharge instructions for hospitals (2014)
Being replaced by:
  • Add: Ability for hospitals and providers to provide patients with the ability to view online, download, and transmit their health information (2014)
  • For EPs and Hospitals – CPOE: have an option to use unique Rx orders or unique patients as denominator (2013)
  • EPs can claim an exclusion for the e-prescribe requirement if they are not located within 10 miles of a pharmacy that accepts electronic prescriptions (2013)
  • Add: Record chart changes in vital signs; add blood pressure for patients who are 3 years old or older and height and weight for all ages. EPs may be able to claim exclusions for these new chart changes and vital signs (2014)
Menu Set Requirements  
  • Remove: EPs to provide patient with timely access to their medical data (2014)
Clinical Quality Measures: 2014 and Beyond  
  • Beginning in 2014: EPs must report on nine of the 64 approved CQMs. The selected CQMs must cover at least three of the National Quality Strategy domains. This is up from the six that were required initially.
  • Hospitals must report on 16 of the 29 approved CQMs from at least three of the six approved domains. This is up from the 15 CQMs that were defined initially; however, all 15 are allowable as choices for 2014, with one additional measure needed.
  • Beginning in 2014: Hospitals and EPs who have attested to Meaningful Use in a prior reporting year must electronically report the data to CMS.
To see more about Stage 2 and changes to Stage 1 visit the CMS Stage 2 web page at:
http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Stage_2.html
 

MU: The Importance of Retaining Supporting Documentation 05/29/2013

 May 2013 
The Importance of Retaining Supporting Documentation  
As hospitals and eligible providers attest to Meaningful Use, it is important that they retain all evidence supporting their attestation in preparation for a potential Centers for Medicare and Medicaid Services (CMS) audit. Documentation to support attestation data for Meaningful Use objectives and clinical quality measures should be retained for six years post-attestation.
Documentation to support payment calculations (such as cost report data) should continue to follow the current documentation retention processes. States and their contractors will perform audits of Medicaid providers. Please contact your State Medicaid Agency for more information about audits for Medicaid EHR Incentive Program payments.  
Pre- and Post-Payment Audits  
There are numerous pre-payment audit checks built into the EHR Incentive Programs’ systems to detect inaccuracies in eligibility, reporting, and payment. Beginning with attestations submitted during and after January 2013, Medicare providers may also be subject to pre-payment audits. These pre-payment audits will include random audits, as well as audits that target suspicious or anomalous data. For those providers selected for pre-payment audits, CMS will request supporting documentation to validate submitted attestation data before releasing payment.
CMS will also continue to conduct post-payment audits during the course of the EHR Incentive Programs. Providers selected for post-payment audits will also be required to submit supporting documentation to validate their submitted attestation data.  
Audit Review Process  
“It is the provider’s responsibility to maintain documentation that fully supports the Meaningful Use and clinical quality measure data submitted during attestation.”
Jim Deren
Strategic IT Planning
CareTech Solutions

If you are selected for an audit, you will receive an initial request letter from the CMS audit partner with the CMS and EHR Incentive Program logos on the letterhead. The request letter will be sent electronically from a CMS email address. The initial review process will be conducted at the audit contractor’s location, using the information received as a result of the initial request letter. Additional information might be needed during or after this initial review process, and in some cases an onsite review at the provider’s location could follow. A demonstration of the certified EHR system could be requested during the on-site review. A secure communication process has been established by the contractor, which will assist the provider to send any information that could be considered sensitive.

Audit Determination and Additional Measures

Once the audit is concluded, the provider will receive an Audit Determination Letter from the audit contractor. This letter will inform the provider whether they were successful in meeting Meaningful Use of electronic health records. If, based on the audit, a provider is found not to be eligible for an EHR incentive payment, the payment will be recouped.

CMS may also pursue additional measures against providers who attest fraudulently to receive an EHR incentive payment. It is a crime to defraud the Federal Government and its programs. Punishment may involve imprisonment, significant fines, or both. Criminal penalties for healthcare fraud reflect the serious harms associated with healthcare fraud and the need for aggressive and appropriate fraud prevention. In some states, providers and healthcare organizations may lose their licenses. Convictions also may result in exclusion from Medicare participation for a specified length of time. Medicare fraud may also result in civil liability.
Preparing and Maintaining Documentation
It is the provider’s responsibility to maintain documentation that fully supports the Meaningful Use and clinical quality measure data submitted during attestation. To ensure that you are prepared for a potential audit, save any electronic or paper documentation that supports your attestation. Also save the documentation that supports the values you entered in the Attestation Module for clinical quality measures. Hospitals should also maintain documentation that supports their payment calculations.
Primary (Source) Documentation and Other Support  
The primary documentation that will be requested in all reviews is the source document(s) that the provider used when completing the attestation. This document should provide a summary of the data that supports the information entered during attestation. Ideally, this would be a report from the certified EHR system, but other documentation may be used if a report is not available or the information entered differs from the report.
Providers should retain a report from the certified EHR system to validate all clinical quality measure data entered during attestation, since all clinical quality measure data must be reported directly from the certified EHR system.  
Providers who use a source document other than a report from the certified EHR system to attest to meaningful use data (e.g., non-clinical quality measure data) should retain all documentation that demonstrates how the data was accumulated and calculated.  
This primary document will be the starting point of most reviews and should include, at minimum:  
  • The numerators and denominators for the measures
  • The time period the report covers
  • Evidence to support that it was generated for that EP, eligible hospital, or CAH (e.g., identified by National Provider Identifier (NPI), CMS Certification Number (CCN), provider name, practice name, etc.)
Because some certified EHR systems are unable to generate reports that limit the calculation of measures to a prior time period, CMS suggests that providers download and/or print a copy of the report used at the time of attestation for their records.  
Summary Document and Additional Reviews  
Although the summary document is the primary review step, there could be additional and more detailed reviews of any of the measures, including review of medical records and patient records. The provider should be able to provide documentation to support each measure to which he or she attested, including any exclusions claimed by the provider.  
 

NIST Framework for Improving Critical Infrastructure Cybersecurity 07/18/14

 July 2014 
The NIST Framework for Improving Critical Infrastructure Cybersecurity
Given the enforcement activities, investigations and audits from the Office of Civil Rights and other state and federal government agencies, it should be an urgent priority for every healthcare provider and business associate to fully comply with the HIPAA Security Rule. The NIST Framework for Improving Critical Infrastructure Cybersecurity version 1.0, known as the NIST Cybersecurity Framework, can provide guidance to assess your current state (i.e., a security gap analysis), describe your target state (i.e., full HIPAA compliance and any other needed security controls), and create an organizational support plan to achieve that target state.
The NIST Cybersecurity Framework focuses on developing a risk management process and guides healthcare and other organizations through a five-step process, as well as providing a needed set of security functions (i.e., activities and outcomes). These functions are further broken down into categories, subcategories and informative references. In the end, the Framework outlines a comprehensive set of cybersecurity controls and an approach to organizational cybersecurity risk management.  
Read more about how the NIST Framework may fit into the security program of a typical healthcare organization.
Jeff Bell
IT Security and Risk Services
CareTech Solutions
For an archive of our newsletters, please visit the Resources page on CareTech.com.

 

Meaningful Use Opening Statement 07/22/14

 July 2014 
Meaningful Use Opening Statements
Winston Churchill once said, “to improve is to change; to perfect is to change often.” As applied to our industry, it must indicate that we are close to perfect with the Meaningful Use legal language because it has certainly changed often!
The good news is that we are making great strides toward adoption. Based on information reported by the Centers for Medicare and Medicaid Services (CMS) as of April 2013:
  • Approximately 80% of hospitals have received an incentive payment for adopting, implementing, upgrading, or meaningfully using an EHR, resulting in more than 3,800 incentive payments received from Medicare and Medicaid
  • 73% (more than 388,000 eligible professionals) registered to participate in the EHR incentive program and more than half of them (291,000) received an incentive payment
  • 44% of hospitals are using EHR systems with certain advanced functionalities beyond the requirements of Meaningful Use Stage 1 compared with only 9.4% at this level in 2008
  • 40% of doctors are using EHR systems with the same advanced functionalities, up from 17% in 2008
  • 53% of office-based physicians are actively e-prescribing as of January 2013, up from only 0.8% in December 2006
In an effort to keep current with the changes on the topic of Meaningful Use, CareTech Solutions developed this five-part series on things to know, changes and key timing of requirements to help you navigate through your Meaningful Use journey.  
  • Part One: Understanding the Timing and Calculations for Incentive Payments
  • Part Two: Payment Adjustments
  • Part Three: Attestation Timelines
  • Part Four: Hardship Exemptions
  • Part Five: Security – What You Need to Know and Updates
We hope that you and your teams will find this information relevant and helpful.  

Paula Gwyn
Senior Director, Strategy and Business Development
CareTech Solutions


 

MU: Understanding the Timing and Calculations for Incentive Payments 07/29/14

 July 2014 
Meaningful Use Update – Understanding the Timing and Calculations for Incentive Payments
Understanding Stimulus Incentives
Recent changes to the timing for hospitals and providers to comply with Meaningful Use requirements reinforce the notion that healthcare organizations must regularly review and understand how updates to the American Recovery and Reinvestment Act of 2009 HITECH rule affect them.  
The U.S. healthcare industry has made significant progress toward implementing Electronic Health Records (EHRs). Since the program began in 2011, more than 370,000 hospitals and professionals nationwide have received an incentive payment. Much of the success can be attributed to diligent planning that includes understanding the specifications as well as the required timing. An ongoing challenge that organizations will continue to encounter revolves around the many options and differences in the rule that are based upon your organization’s unique environment.  
Although there are many similarities, major differences in the rule exist for individual hospitals and eligible providers, including the stimulus payment schedule and calculation, fiscal versus calendar year timing, penalty schedule and calculation, and patient mix. Additional factors that can affect your schedule include eligible organization type (acute care hospital, critical access hospital or eligible professional), the vendor’s delivery of certified software and the date that you first attested.
Incentives  
There have been few changes in the timing and calculations for incentive payments; however, calculations of the stimulus amounts may vary each year based upon a number of factors, including when you first attested, the selection of Medicare or Medicaid and eligible organization type (acute care hospital, critical access hospital or eligible provider). Major factors affecting eligible organizations:
  • Acute care hospital payments include the Medicare or Medicaid share, number of discharges and revenue for each year.
  • Critical access stimulus amount factors include the cost of EHR technology and past year discharges.
  • Ambulatory provider calculations consider patient charges toward the maximum set annual stimulus amounts.
What to know:  
“Stimulus incentives timing and amounts vary based upon whether you select Medicare, Medicaid, or both.”  

Jim Deren
Healthcare IT Planning Specialist
CareTech Solutions

  • Stimulus payments for hospitals are spread over four consecutive years, and successful attestation is required in each consecutive year in order to receive maximum incentives.
  • The total stimulus money is reduced by a percentage each subsequent year.
  • In order to receive full incentives, hospitals must have attested for the four consecutive years beginning no later than 2013.
  • Hospitals that first attest after 2013 will have reduced payments and reduced number of years of incentives.
  • Critical Access Hospitals (CAHs) may only receive Medicare stimulus incentives through FY2015. Subsection D hospitals’ stimulus incentives can be received through FY2016.
  • Eligible provider stimulus payments are spread over five years for Medicare and six years for Medicaid programs.
  • Medicare stimulus incentives are reduced for those first attesting after calendar year 2012.
  • The Medicaid fee schedule provides a full six years of payments for those who first attest no later than 2016.
Upcoming Meaningful Use topic: Payment Adjustments



 

 

MU: Payment Adjustments 08/05/14

 August 2014 
Meaningful Use Update – Payment Adjustments
Understanding Meaningful Use Penalties
As part of the American Recovery and Reinvestment Act of 2009 (ARRA), Congress mandated payment adjustments to be applied to Medicare-eligible professionals and hospitals who are not Meaningful Users of Certified Electronic Health Record (EHR) Technology under the Medicare EHR Incentive Programs. Medicaid-eligible professionals who can only participate in the Medicaid EHR Incentive Program and do not bill Medicare are not subject to these payment adjustments.  
There are significant differences in the calculation and timing of penalties, which take the form of reduced Medicare reimbursement, between acute care hospitals, critical access hospitals and eligible providers. Depending upon when you first attest, penalty timeframes may vary. The Stage 2 Rule has established the timeline for how reductions in Medicare reimbursement will be calculated for EHs and EPs who fail to meet Meaningful Use requirements for a given year.
Payment Adjustment for Medicare Subsection (d) Eligible Hospitals  
Eligible hospitals that are not Meaningful Users will be subject to a payment adjustment beginning on October 1, 2014. This payment adjustment is applicable to the percentage increase of the Inpatient Prospective Payment System (IPPS) payment rate for those eligible hospitals that are not Meaningful EHR Users. These hospitals will receive a reduced update to the IPPS standardized amount. The payment adjustment is cumulative for each year that an eligible hospital is not a Meaningful EHR User.  
Eligible hospitals that first demonstrate Meaningful Use in fiscal year 2011 or 2012 must demonstrate Meaningful Use for a full year in fiscal year 2013 to avoid payment adjustments in 2015.  
Eligible hospitals that first demonstrate Meaningful Use in fiscal year 2013 must demonstrate Meaningful Use for a 90-day reporting period in 2013 to avoid payment adjustments in 2015. They must continue to demonstrate Meaningful Use every year to avoid payment adjustments in subsequent years.  
“Depending upon when you first attest, penalty timeframes may vary.”
 

Jim Deren
Healthcare IT Planning Specialist
CareTech Solutions

Eligible hospitals that first demonstrate Meaningful Use in fiscal year 2014 must demonstrate Meaningful Use for a 90-day reporting period in 2014 to avoid payment adjustments in 2015. This reporting period must occur in the first nine months of fiscal year 2014, and eligible hospitals must attest to Meaningful Use no later than July 1, 2014, in order to avoid the payment adjustments. Eligible hospitals must continue to demonstrate Meaningful Use every year to avoid payment adjustments in subsequent years.
Payment Adjustment for Critical Access Hospitals  
Critical Access Hospitals (CAHs) that are not Meaningful Users will be subject to a payment adjustment for fiscal year 2015. This payment adjustment is applicable to a CAH’s Medicare reimbursement for inpatient services during the cost reporting period in which they failed to demonstrate Meaningful Use. If a CAH has not demonstrated Meaningful Use for an applicable reporting period, then for a cost reporting period that begins in FY 2015, its reimbursement would be reduced from 101 percent of its reasonable costs to 100.66 percent. For a cost reporting period beginning in FY 2016, its reimbursement would be reduced to 100.33 percent of its reasonable costs. For a cost reporting period beginning in FY 2017 and each subsequent fiscal year, its reimbursement would be reduced to 100 percent of reasonable costs.
In order to avoid the payment adjustments, CAHs must demonstrate Meaningful Use within the full federal fiscal year that is the same as the payment adjustment year. The adjustment would then apply based upon the cost reporting period that begins in the payment adjustment year (that is, FY 2015 and thereafter).
CAHs are required to submit their attestations for Meaningful Use by November 30 of the following fiscal year. For example, if a CAH is attesting that it was a Meaningful EHR User for FY 2015, the attestation must be submitted no later than November 30, 2015 in order to avoid payment adjustments.
Payment Adjustments for Medicare-Eligible Professionals
Medicare-eligible professionals who are not Meaningful Users will be subject to a payment adjustment beginning on January 1, 2015. This payment adjustment will be applied to the Medicare physician fee schedule (PFS) amount for covered professional services furnished by the eligible professional during the year. The payment adjustment is one percent per year and is cumulative for every year that an eligible professional is not a Meaningful User. Depending on the total number of Medicare eligible professionals who are Meaningful Users under the EHR incentive programs after 2018, the maximum cumulative payment adjustment can reach as high as five percent.
Eligible professionals who first demonstrate Meaningful Use in 2011 or 2012 must demonstrate Meaningful Use for a full year in 2013 to avoid payment adjustments in 2015.
Eligible professionals who first demonstrate Meaningful Use in 2013 must demonstrate Meaningful Use for a 90-day reporting period in 2013 to avoid payment adjustments in 2015.
Because all providers must upgrade or adopt newly certified EHRs in 2014, all providers, regardless of their stage of Meaningful Use, are only required to demonstrate Meaningful Use for a three-month (or 90-day) EHR reporting period in 2014. Eligible professionals who first demonstrate Meaningful Use in 2014 must demonstrate Meaningful Use for a 90-day reporting period in 2014 to avoid payment adjustments in 2015. This reporting period must occur in the first nine months of calendar year 2014, and eligible professionals must attest to Meaningful Use no later than October 1, 2014 in order to avoid the payment adjustments.  
Eligible professionals must continue to demonstrate Meaningful Use every year to avoid payment adjustments in subsequent years.  
Upcoming Meaningful Use topic: Attestation Timelines



 

 

MU: Attestation Timelines 08/12/14

 August 2014 
Meaningful Use Update – Attestation Timelines
Stage Timing  
Meaningful Use attestation timelines are based upon a federal fiscal year timeframe for hospitals and calendar year timeframe for eligible providers.
A new proposed rule published by HHS would provide eligible professionals, eligible hospitals, and critical access hospitals more flexibility in how they use certified electronic health record (EHR) technology (CEHRT) to meet Meaningful Use. The proposed rule, from the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC), would let providers use the 2011 Edition CEHRT or a combination of the 2011 and 2014 Edition CEHRT for the EHR reporting period in 2014 for the Medicare and Medicaid EHR Incentive Programs.
“It is critical that you continually review and adjust your plan based upon the financial and scheduling implications of the law.”

Jim Deren
Healthcare IT Planning Specialist
CareTech Solutions

For those first attesting in 2011 or 2012, Stage 2 must be achieved in 2014. For those attesting in 2013, Stage 2 is required in 2015, and for those first attesting in 2014, Stage 2 is required in 2016. Eligible hospitals and providers must attest for a 90-day period for their first year and a full year thereafter, with the exception of 2014, where a complete quarter is required. The recent update to the law in May 2014 allows those hospitals and providers who were required to move to Stage 2 in 2014 to claim a hardship and opt to report on Stage 1 requirements for the 90-day period in 2014. The option includes the ability to select the use of a 2011 or 2014 certified software version with or without the enhanced Stage 1 requirements. It is important to note that the requirements for submitting Quality Core Measures (QCMs) will continue to require submission of 2014 measures.
Regardless of where you are in your Meaningful Use journey, if your goal is to receive reimbursement, it is critical that you continually review and adjust your plan based upon the financial and scheduling implications of the law.

Upcoming Meaningful Use topic: Hardship Exemptions



 

 

MU: Hardship Exemptions 08/19/14

 August 2014 
Meaningful Use Update – Hardship Exemptions
Eligible professionals and eligible hospitals may be exempt from payment adjustments if they can show that a significant hardship has restricted their ability to demonstrate Meaningful Use in the required timeframe. To be considered for an exception, an eligible professional or eligible hospital may need to complete a hardship exception application along with proof of the hardship. If approved, the hardship exception is valid for one payment year only. A new application must be submitted if the hardship continues for the following payment year. In no case may a provider be granted an exception for more than five years. Eligible professionals can use the Hardship Exception Tool that is provided by the Centers for Medicare & Medicaid Services (CMS) to determine if they will avoid the 2015 and 2016 Medicare Electronic Health Record (EHR) Incentive Program payment adjustments by demonstrating Meaningful Use, or if they should apply for a hardship exception.

The deadline for submitting a hardship exception application for 2015 (covering the 2013 attestation time period) for eligible providers (July 1, 2014) and eligible hospitals (April 1, 2014) has already passed. Hospitals and providers who wish to apply for a hardship exception for subsequent penalties in 2016, based upon the 2014 reporting period, may apply by April 1, 2015 for hospitals, and July 1, 2016 for eligible providers. CMS will review the application to determine whether or not you are granted a hardship exception.
Hardship Exceptions for Medicare Eligible Hospitals and CAHs
Eligible hospitals and critical access hospitals (CAHs) may apply for hardship exceptions to avoid the payment adjustments described above. Hardship exceptions will be granted only under specific circumstances and only if CMS determines that providers have demonstrated that those circumstances pose a significant barrier to their achieving Meaningful Use.
Medicare Subsection (d) eligible hospitals and CAHs can apply for hardship exceptions in the following categories:
  • Infrastructure: An eligible hospital or CAH must demonstrate that they are in an area without sufficient internet access or face insurmountable barriers to obtaining infrastructure (e.g., lack of broadband).
  • New Eligible Hospitals: An eligible hospital or CAH with new CMS Certification Numbers (CCNs) that would not have had time to become Meaningful Users can apply for a limited exception to payment adjustments. The hardship exception is limited to one full-year cost reporting period.
  • Unforeseen Circumstances: Examples may include a natural disaster or other unforeseeable barriers.
The following hardship category is limited to Subsection (d) eligible hospitals and does not apply to CAHs:
“To be considered for an exception, an eligible professional or eligible hospital may need to complete a Hardship Exception application along with proof of the hardship.”

Jim Deren
Healthcare IT Planning Specialist
CareTech Solutions

  • EHR Vendor Issues: The hospital’s EHR vendor was unable to obtain 2014 certification or the hospital was unable to implement Meaningful Use due to 2014 EHR certification delays.
Hardship Exceptions for Medicare Eligible Professionals
Eligible professionals may apply for hardship exceptions to avoid the payment adjustments described above. Hardship exceptions will be granted only under specific circumstances and only if CMS determines that providers have demonstrated that those circumstances pose a significant barrier to their achieving Meaningful Use.
Eligible professionals can apply for hardship exceptions in the following categories:  
  • Infrastructure: Eligible professionals must demonstrate that they are in an area without sufficient Internet access or face insurmountable barriers to obtaining infrastructure (e.g., lack of broadband).
  • New Eligible Professionals: Newly practicing eligible professionals who would not have had time to become Meaningful Users can apply for a two-year limited exception to payment adjustments. Thus eligible professionals who begin practice in calendar year 2015 would receive an exception to the penalties in 2015 and 2016, but would have to begin demonstrating Meaningful Use in calendar year 2016 to avoid payment adjustments in 2017.
  • Unforeseen Circumstances: Examples may include a natural disaster or other unforeseeable barrier.
  • Patient Interaction: Lack of face-to-face or telemedicine interaction with patients or lack of follow-up needed with patients.
  • Practice at Multiple Locations: Lack of control over availability of certified EHR technology (CEHRT) for more than 50 percent of patient encounters.
  • 2014 EHR Vendor Issues: The eligible professional’s EHR vendor was unable to obtain 2014 certification or the eligible professional was unable to implement Meaningful Use due to 2014 EHR certification delays.
Not All Providers Are Required to Apply for Hardship Exceptions

  • New providers in their first year (both eligible professionals and eligible hospitals)
  • Eligible professionals who are hospital-based: a provider is considered hospital-based if he or she provides more than 90% of their covered professional services in either an inpatient (Place of Service 21) or emergency department (Place of Service 23) of a hospital
  • Eligible professionals with certain Provider Enrollment, Chain and Ownership System (PECOS) specialties (05, 22, 30, 36, 94)

Regardless of your organization’s current Meaningful Use situation, a well-developed risk management plan should be in place and include understanding your options to deal with potential hardships that may occur.  

Upcoming Meaningful Use topic: Security – What You Need to Know and Updates


For an archive of our newsletters, please visit the
Resources page on CareTech.com.

 

 

MU: Security – What You Need to Know and Updates 08/26/14

 August 2014 

Meaningful Use Update
Security – What You Need to Know and Updates

In the General Rules of the HIPAA Security Rule, we are required to “protect against any reasonably anticipated threats or hazards to the security or integrity of [electronic protected health] information (ePHI).” How do we reasonably anticipate the threats or hazards to patient information that we must protect?
The Concept of “Threat Intelligence”
In cybersecurity, there is the concept of “threat intelligence.” Simply put, threat intelligence is an analysis of security incidents, such as data breaches and malicious attacks. Threat intelligence is often made available as a human-readable report, though it may also be made available in a machine-readable format and used to automatically configure security controls such as security gateways and intrusion prevention systems. I read a lot of threat intelligence reports – the human-readable kind – and they help me better understand cybersecurity risks. What follows is a summary of recent threat intelligence:
Healthcare Data at Risk of Cyber Intrusion
On April 17, 2014, the FBI Cyber Division released a Private Industry Notification (PIN) stating, “Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain.” A notice from the FBI about increased risks to healthcare data got my attention. The notice states that the healthcare industry has “lax cybersecurity standards” and “is not technically prepared to combat against cyber criminals’ basic cyber intrusion tactics, techniques and procedures (TTPs), much less against more advanced persistent threats (APTs),” and that “the healthcare industry is not as resilient to cyber intrusions compared to financial and retail sectors, therefore the possibility of increased cyber intrusion is likely.”
“A risk assessment can identify specific cybersecurity risks that need to be addressed, but a roadmap or plan should be developed to close gaps identified in the risk assessment.”

Jim Deren
Healthcare IT Planning Specialist
CareTech Solutions

The notice further explains that healthcare data is more valuable to cyber criminals than other types of data. Criminals can obtain a higher payout on the black market for stolen medical records than for stolen credit card numbers. The FBI cites a report from RSA titled Cybercrime and the Healthcare Industry which states that medical information sells for about $50 per record, compared to $1 per record for SSN or credit card data. These numbers fluctuate based on the market, but generally healthcare data is worth five to ten times what credit card data is worth.
As we all learned from recent news reports, Chinese hackers have stolen the personal information of more than 4 million patients of Community Health Systems, making this the largest data breach that has taken place in the healthcare industry thus far. Similar to the Target breach of last winter, malware (malicious software) was instrumental in the attack. It is not yet known how the malware was delivered, but a frequent technique is via “phishing” emails. It is not time to panic, but it is time to act.
Four Top Healthcare Data Breach Types
In April 2014, the annual Verizon Data Breach Investigation Report was published. This report stratifies breaches by industry and type of breach. In healthcare, the top types of breaches are:  

·         Theft / Loss (46%)

·         Insider Misuse (15%)

·         Misc. Error (12%): This includes misdelivery, disposal errors, misconfiguration and malfunction.

·         Point of Sale Device Intrusion (9%)

Key Findings on Healthcare Data Risks

A report from Ponemon Institute, commissioned by ID Experts, titled Fourth Annual Benchmark Study on Patient Privacy and Data Security was published in March 2014. Key findings include:

·         90% of the organizations who responded to the study reported at least one breach of patient information in the previous two years.

·         38% had more than five breaches.

·         The estimated average economic impact to each healthcare organization is $2,000,000 over a two-year period.

·         Criminal attacks are up 100% since 2010 (still a small portion of the breaches, but growing).

·         Employee negligence is the biggest concern of those who responded.

Healthcare Organizations Themselves Compromised by Malware
Published by SANS in February 2014, Health Care Cyberthreat Report analyzes data from a global network of threat detection sensors. Over a 13-month period (September 2012 to October 2013), these sensors were attacked by 375 U.S.-based healthcare organizations. The attacks originated from many types of devices on healthcare systems’ own networks, including medical devices such as X-ray machines and more traditional computer systems.
This indicates that healthcare organizations have devices on their networks that are compromised by malware and controlled by cybercriminals. In many cases, the organizations are unaware or unable to resolve the problem. This report was cited by the FBI and led to the comments above about “lax cybersecurity standards.”  
Make Cybersecurity a Higher Priority, Develop Risk Management Plan

How does this threat intelligence guide us as we think about the HIPAA and Meaningful Use requirements to ensure cybersecurity? The short answer is that healthcare organizations (and their business associates) need to make it a higher priority to improve their cybersecurity practices. This will require development of a plan and may require additional investment in security tools, training and staff devoted to cybersecurity. A risk assessment (which is required by HIPAA and Meaningful Use) can identify specific cybersecurity risks that need to be addressed, but a roadmap or plan should be developed to close gaps identified in the risk assessment. This is referred to as a risk management plan.

CareTech has invested significantly in its cybersecurity capabilities in recent years and is ready to work with you to address cybersecurity risks. Together we can “protect against any reasonably anticipated threats or hazards to the security or integrity of [ePHI].” It is the right thing to do and is more urgent now than ever. Let us know how we can help.  



 

 

Healthcare IT Insights 11/19/14

 November 2014 

Observations on the Risk Management of Medical Device and Software Cybersecurity

Many healthcare organizations have worked hard to reduce cybersecurity risks in recent years. However, there is still much to be done before patients can have the level of confidence in the cybersecurity of healthcare organizations that they deserve.

Read the article in this month’s HIMSS Clinical Informatics Insights.


Jeff Bell
IT Security and Risk Services
CareTech Solutions
