Meaningful Use, News Events

Changes to Meaningful Use Reporting in 2015

New rules expected to arrive sometime this spring should reduce the 2015 Meaningful Use reporting period to just 90 days from the previously required full year. Many hospitals and health IT organizations were clamoring for a change to reduce the reporting burden for eligible providers and hospitals.

This change and the other proposals listed below will potentially help many providers who have already made steps towards implementing EHR systems but were not capable of reporting for the full year.

  • Realigning hospital reporting periods to the calendar year to allow eligible hospitals more time to incorporate 2014 Edition software into their workflows and to better align with other quality program.
  • Modifying other aspects of the programs to match long-term goals, reduce complexity and lessen providers’ reporting burden

The new rules are a welcome reaction to a letter written to CMS this past September co-signed by healthcare industry heavyweights CHIME, HIMSS, MGMA, AHA, and the AMA, urging the agency to address 2015 reporting period requirements. While adoption of EHRs has risen steadily since the first year of the EHR Incentive Program, many providers are struggling to provide all the necessary information in the time frame required. The letter proposed that HHS should “provide for a shortened, 90-day EHR reporting period in 2015, which would give time for providers to continue their transition without having to drop out of the program.”

The new rule “would be intended to be responsive to provider concerns about software implementation, information exchange readiness, and other related concerns in 2015,” wrote Patrick Conway, MD, chief medical officer at CMS, in a Jan. 29 blog post announcing the agency’s decision. “It would also be intended to propose changes reflective of developments in the industry and progress toward program goals achieved since the program began in 2011.”

 

Source: http://blog.cms.gov/2015/01/29/cms-intends-to-modify-requirements-for-meaningful-use/

Advertisements
Data Breach, HIPAA / HITECH Enforcement, News Events

An Employee Mistake Leads to a HIPAA Data Breach

Just last month, a Pennsylvania-based hospital suffered a breach of patient data caused by unauthorized access and transmission of PHI by an employee. The 551-bed Penn State Milton S. Hershey hospital discovered through an internal investigation that a lab technician accessed and transmitted protected health data outside of the hospital’s secure network. The key in this breach was that the employee was authorized to work with PHI but in this case did not access and transmit the PHI securely. He used his own USB device and sent patient data through his own personal email address to two physicians.

The important thing to note in this situation is what your organization can do to avoid a situation like this: train your workforce. Not only is workforce training required by HIPAA, it is a prudent means of improving efficiency and confidence in your workforce. Many organizations believe that their biggest threat lies outside their walls. While it is a smart business decision to implement security controls to prevent intrusions from external threats, your organization should also prioritize properly training your workforce. Below is a list of the most investigated issues as noted in the OCR Enforcement highlights.

 

From OCR Enforcement highlights:

From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency:

  1. Impermissible uses and disclosures of protected health information;
  2. Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Uses or disclosures of more than the minimum necessary protected health information; and
  5. Lack of administrative safeguards of electronic protected health information.

Security Rule Enforcement Results as of the Date of This Summary

With regard to the subset of complaints specifically pertaining to the Security Rule, since the OCR began reporting its Security Rule enforcement results in October 2009, HHS has received approximately 880 complaints alleging a violation of the Security Rule. During this period, HHS closed 644 complaints after investigation and appropriate corrective action. As of May 31, 2014, OCR had 301 open complaints and compliance reviews.

 

Penn Breach Table

Here is the direct link to the Breaches Affecting 500 or More Individuals: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html