CMS Updates Meaningful Use FAQs for Multiple Certified EHRs

Coming a little too late for hospitals and eligible professionals who have already attested or begun to attest for 2012, CMS has kindly taken a step back on the Meaningful Use requirement for accounting for unique patients when calculating numerators and denominators during attestation, in an updated FAQ released on April 20.  CMS previously required any hospital attesting with multiple certified EHR technologies, or any eligible professional seeing patients at multiple locations with certified EHR technology, to reconcile the various reports generated by the certified EHR technology so that only "unique patients" were counted in the numerators and denominators.  CMS now permits hospitals and eligible professionals to simply add the numerators and denominators from the reports generated by each certified EHR technology.  

CMS states,

For objectives that require an action to be taken on behalf of a percentage of "unique patients" (e.g., the objectives of "Record demographics", "Record vital signs", etc.), EPs, eligible hospitals, and CAHs may also add the numerators and denominators calculated by each certified EHR system in order to arrive at an accurate total for the numerator and denominator of the measure. Previously CMS had advised providers to reconcile information so that they only reported unique patients. However, because it is not possible for providers to increase their overall percentage of actions taken by adding numerators and denominators from multiple systems, we now permit simple addition for all meaningful use objectives.

This therefore removes one step from the attestation process, eliminating the need to reconcile various reports to ensure patients aren't counted twice. However, hospitals and eligible professionals still must count any patients whose records are not maintained in certified EHR technology where applicable in order to provide accurate numbers.  All of the CMS FAQs are available on the newly designed CMS Frequently Asked Questions page by clicking on the topic "Electronic Health Records Incentive Programs."
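The arithmetic behind the FAQ, as an added illustration that is not part of the original post or any CMS material: per-system numerators and denominators are summed, and the resulting rate is the mediant of the per-system rates, which can never exceed the highest of them, which is why CMS can allow simple addition without risk of inflated percentages. The report figures below are constructed, and the handling of patients whose records sit outside certified EHR technology (added to the denominator only) is an assumption made for this example.

```python
from fractions import Fraction


def aggregate_measure(reports, uncaptured_patients=0):
    """Combine per-system (numerator, denominator) pairs by simple addition.

    reports: one (numerator, denominator) pair per certified EHR report.
    uncaptured_patients: patients seen whose records are kept outside
    certified EHR technology. Assumption for this illustration: they are
    added to the denominator only, since no certified-EHR action can be
    counted toward the numerator for them.
    Returns (total_numerator, total_denominator, rate as a Fraction).
    """
    for n, d in reports:
        if n < 0 or d < 0 or n > d:
            raise ValueError(f"invalid report: numerator {n} over denominator {d}")
    if uncaptured_patients < 0:
        raise ValueError("uncaptured_patients must be non-negative")
    num = sum(n for n, _ in reports)
    den = sum(d for _, d in reports) + uncaptured_patients
    if den == 0:
        raise ValueError("measure has an empty denominator")
    return num, den, Fraction(num, den)


def mediant_bounded(reports):
    """The property the CMS FAQ relies on: adding numerators and denominators
    yields the mediant of the per-system rates, which always lies between the
    lowest and highest of them, so a provider cannot raise its percentage by
    summing. Returns True when that holds for the given reports."""
    rates = [Fraction(n, d) for n, d in reports if d > 0]
    if not rates:
        return True
    _, _, combined = aggregate_measure(reports)
    return min(rates) <= combined <= max(rates)


# Constructed sample: two certified EHR systems reporting the "record vital
# signs" measure, plus 20 patients charted only on paper.
SAMPLE_REPORTS = [(180, 200), (45, 100)]   # 90% and 45% on their own
SAMPLE_UNCAPTURED = 20

if __name__ == "__main__":
    n, d, rate = aggregate_measure(SAMPLE_REPORTS, SAMPLE_UNCAPTURED)
    print(f"numerator {n}, denominator {d}, rate {float(rate):.1%}")
    print("mediant within component bounds:", mediant_bounded(SAMPLE_REPORTS))
```

Run as a script it reports the combined numerator and denominator for the sample; the bound check is the reason reconciliation for double-counted patients is no longer needed, while the `uncaptured_patients` argument is where the remaining obligation to count patients outside certified EHR technology enters.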

Yet Another Medicaid Breach; Emory Loses Back-up Discs

This April appears to have been designated "National Breach" month.  In what is the second massive breach of Medicaid data this month, over 200,000 South Carolina Medicaid beneficiaries have been notified of a breach of their health information.  The South Carolina Department of Health and Human Services discovered on April 10 that an employee had emailed 17 spreadsheets of beneficiary health information to his personal email account, including names, addresses, social security numbers and Medicaid ID numbers, but no medical information. 

The former employee and project manager, Christopher Lykes, has since been fired and arrested, charged with five counts of confidentiality violations under the South Carolina Medically Indigent Assistance Act and one count of disclosure of confidential information, according to ABC News, Charleston. According to Department of Health and Human Services Director Anthony Keck, the records were transferred to at least one other person, although it is not yet known why the information was accessed. 

Investigations showed that the information was available through normal reporting processes; however, Department policies and procedures did not require employees to justify their need for the information, which the Department has now rectified.  An external IT consultant has also been hired to conduct a full risk assessment of all data and IT systems. 

As I posted earlier this month (see my previous blog, Utah Medicaid Claims Data Hacked), this is the second Medicaid breach this month.  Utah, at least, can blame European hackers rather than its own policies and procedures for its breach, which has since skyrocketed from its original estimate of 24,000 to almost 800,000 Medicaid beneficiaries or individuals who received health services and whose Medicaid status may have been inquired about by their health care provider, as well as CHIP recipients. This makes it one of the top breaches reported over the past few years. The Utah Department of Health has updated its toll-free number for Medicaid clients to call and added additional information about the breach on its website.   

And finally, continuing the April breach theme, Emory Healthcare Systems reported this past week that 10 back-up discs went missing from storage at Emory University Hospital, containing data of 315,000 patients, including likely its own CEO's information.  Oops.  The data related to surgical patients treated at several Emory facilities from September 1990 through April 2007 and contained names, social security numbers, dates of surgery, diagnoses, and surgical codes, as well as names of surgeons and anesthesiologists. 

Patients were notified beginning April 17, although the discs went missing sometime in February.  Emory stated in its online notice that it does not believe any of the data was or will be misused, as the backup discs were for an obsolete software system long since deactivated by Emory.  However, Emory has offered one year of free credit monitoring and has implemented additional data security controls. 

Along with the recent $100,000 settlement agreement between HHS and a Phoenix cardiac surgeons group, these breaches hammer home the need for a comprehensive HIPAA Compliance Program and periodic risk assessments.  See Helen's post last week for the significance of this settlement agreement and the steps covered entities can take to protect themselves against breaches and privacy and security violations. 

Meaningful Use EP Eligibility Appeals Extended to April 30, 2012

As a reminder to eligible professionals (EPs) participating in the Medicare EHR Incentive Program, CMS has extended the deadline within which an EP may file an eligibility appeal to Monday, April 30, 2012.  In general, there are three types of appeals afforded to EPs:  eligibility appeals, meaningful use appeals, and incentive payment appeals. 

Eligibility appeals provide an EP with the chance to show that he or she should have received an incentive payment, as all meaningful use requirements were met, but could not because of circumstances outside of the EP's control.  There are two levels of review afforded under the Medicare EHR Incentive Program appeals process:

  • Informal review;
  • Request for reconsideration if the EP does not win in the informal review.  

EPs should be aware that all relevant issues must be presented in the initial appeal as any issues raised at a later time will not be considered absent special circumstances. When filing an appeal, EPs should be prepared to provide any additional documentation requested within seven (7) calendar days from a request.

CMS strongly encourages EPs and other providers to communicate with OCSQ, the designated appeals coordinator, about any questions on specific issues or providing documentation in order to avoid having an appeal dismissed. Additional guidance on the appeals process is available here.  Appeals may be filed through OCSQ.

Cardiac Surgery MD Group Agrees to Pay $100,000 Settlement to HHS for Lack of HIPAA safeguards

And the HIPAA money keeps rolling to the feds. The latest settlement (announced today) is with a cardiac surgery physician group in Phoenix, Arizona, which has agreed to pay a hefty sum after someone reported to HHS that the MD group was potentially compromising patients' PHI by posting appointments on an internet-based calendar.  The report prompted OCR to investigate and find the physicians to be out of compliance with HIPAA's safeguards.  

The following April 17, 2012 Press Release is HOT off the presses on HHS' News Release website.

Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients. 

The settlement with the physician practice follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

The HHS Resolution Agreement can be found on HHS' website here.  OCR’s investigation revealed the following specific issues with this group's HIPAA program:

  • Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
  • Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.  This last finding is a significant one, and underscores that HIPAA BA Agreements MUST be entered into with vendors who have access to ePHI in order to provide a service to covered entities!

With the HITECH Rules in OMB and due out by mid June (unless an extension is sought by OMB), it will be particularly interesting to see if the Final Rules address the HITECH Act's requirement for percentages being paid out to individuals "damaged" by breaches of their information. The HITECH Act required rules on that topic to be out by this summer. Since an individual's report to HHS triggered this particular investigation and subsequent settlement, some are suggesting that such percentage payouts to individuals for HIPAA violations could in effect become almost like a whistle-blower provision and incentivize patients and others to submit reports to HHS for potential investigation.  I think that might be the point.

But for now, this case just underscores once again that the best way for physician practices (and other covered entities) to protect themselves is to have a fully robust HIPAA compliance program developed and implemented (see, for example, our comprehensive HIPAA-HITECH Helpbook on  Don't forget to also conduct a Security Gap Audit (see, a leading company that specializes in and has thousands of hours of experience under its belt with completing Security Audits for Physician Practices, or contact them here). Finally, don't forget to provide regular training to your employees. For live training sessions and video training options, visit our Workshops page. 

Utah Medicaid Claims Data Hacked Affecting Over 24,000

The Utah Department of Health (UDOH) has experienced a data breach of its Medicaid claims data of over 24,000 individuals.  The breach was reported to UDOH by the Utah Technology Services Department on Monday, April 2nd, and while the initial hacking is suspected to have occurred on Friday, March 30th, UDOH stated that information began to be removed from the server on Sunday, April 1 (perhaps merely coinciding with April Fools' Day...). 

Currently, UDOH suspects the hackers originated from Eastern Europe and, according to Reuters, has been able to pinpoint the source to within certain countries.  The Department of Technology Services had recently moved the claims data to a new server, and, despite a multi-layered security system, the hackers were able to circumvent it and potentially access client names, addresses, birth dates, Social Security numbers, physicians' names, national provider identifiers, addresses, tax identification numbers, and procedure codes for billing.

UDOH is still investigating the scope of the breach, and has yet to determine exactly what types of information were compromised as well as the identities of all of the affected Medicaid clients.  So far, UDOH believes only one server was hacked.  The affected server was shut down, and new security measures implemented, according to Reuters and UDOH. 

UDOH is currently advising all Medicaid clients to monitor their credit and bank accounts until those affected can be fully identified and notified.  According to, Technology Services Executive Director Steve Fletcher said the server had "weaker controls" than the original server it was exchanged for.  However, Fletcher stated that the agency will investigate further to assess how the hackers were able to circumvent the security system and do whatever may be necessary to prevent future breaches.

"These hackers are very, very sophisticated and that's one of the things that we want to document so that we can put more controls in place to make sure that it will not happen again," stated Fletcher.

For more information, check out the UDOH official statement and the Reuters and articles.    

NeHC Releases Roadmap for Growth and Evolution of HIE, and Legal HIE Listed as a Helpful Resource!

Following ONC's release of its Program Information Notice "Privacy and Security Framework Requirements and Guidance for State Health Information Exchange Cooperative Agreement Program" (the P&S PIN discussed in a previous blog post), the National eHealth Collaborative (NeHC) has released a roadmap for successful and widespread growth of HIE to improve health and healthcare, developed after extensive collaboration with private and public stakeholders (the HIE Roadmap). NeHC is a public-private partnership established through a grant from the ONC and is led by some of the nation's most respected thought leaders, so we were thrilled to discover that our blog, Legal Health Information Exchange, was identified by NeHC as one of only a select group of "Helpful Resources" found at Exhibit B of its HIE Roadmap. You can register with NeHC to download a copy of the HIE Roadmap here.

Entitled "The Landscape and a Path Forward," the HIE Roadmap sets forth current HIE connectivity and exchange approaches across the nation, as well as federal efforts towards developing the foundation for interoperability and trusted HIE through common standards, services and policies.  It highlights those strategies for integrating these federal and private sector efforts, emphasizing the current progress that has been made and those challenges and barriers remaining to be overcome. 

Most importantly, it hopes to provide a roadmap of the major steps communities can follow to achieve progress towards HIE.  The HIE Roadmap states,

"...Given the rapid market and policy changes and technology innovations occurring right now, there is confusion among healthcare stakeholders about how best to proceed with implementing HIE.  Leading HIE organizations are indeed charting new ground.  Emerging HIE efforts can and should learn from those who are further along in order to...leapfrog toward success."

It notes that in 2010, the number of public HIEs increased 81% from 37 to 67, with a whopping 210% increase in operating private HIEs, from 52 to 160.  Providing clear examples of leading HIE efforts, their leverage of national standards for exchange, and other factors contributing to success, the HIE Roadmap seeks to capture the vision for why HIE is important to improving patient care and to the performance of our healthcare system, as well as to provide a framework and a path forward for those working towards achieving HIE in their communities. 

The HIE Roadmap highlights several of the most notable challenges and barriers to HIE, including:

  • Funding and sustainability;
  • Variations in implementation of interoperability standards;
  • Provider adoption;
  • Disparate EMRs; and
  • Privacy and security concerns.

However, it recognizes that these challenges and barriers are being "tackled and overcome."  The HIE Roadmap highlights ONC efforts towards building a foundation of interoperability and trusted exchange, in particular the recommendations of the HIT Policy and Standards Committees and their workgroups, such as the Meaningful Use, Information Exchange, and Privacy and Security Policy Workgroups.  It highlights the importance the Direct Project and the Nationwide Health Information Network (NHIN) continue to play in developing a strong interoperable foundation, and the potential the Direct Project and NHIN have to promote best practices, compliance with existing national standards and implementation recommendations, and follow-through on the responsibility to protect health information.

The HIE Roadmap describes the approaches taken by several HIE initiatives across the nation, including:

  • Care Connectivity Consortium, comprised of five leading health systems: Kaiser Permanente, Mayo Clinic, Geisinger Health, Intermountain Healthcare and Group Health;
  • HealthBridge, with 50 participating hospitals, 800 physician practices, and 7,500 physicians;
  • Indiana HIE (IHIE), with 90 hospitals and 19,000 participating physicians;
  • Inland Northwest Health Services (INHS), with an air ambulance collaborative, rehabilitation hospital, and IT management for 38 hospitals and EMR services for 750 physicians, and which also partners with the Departments of Defense and Veterans Affairs; and
  • Kaiser Permanente, which includes the Kaiser Foundation Health Plan and subsidiaries, 37 hospitals and over 450 clinical facilities, and the Permanente Medical Group Practices.

While highlighting the various strategies implemented by these initiatives, the HIE Roadmap also recognizes that,

Indeed, interoperable HIE is a journey without a definite endpoint.  Many different approaches are being used, stakeholders are at different stages along this journey, and there is by no means a "one size fits all" model. 

It notes, however, that a key priority of many of these initiatives is to provide standards-based services to small physician practices, recognizing that most healthcare is delivered in these physician practices and the challenges they face.  Finally, the HIE Roadmap sets forth four major "steps" or phases for implementing successful and sustainable HIE, which start with developing the HIE's objectives and vision.

In conclusion, the HIE Roadmap states,

The ultimate goal of HIE is to ensure that the right information is available at the right time and place every time to support the delivery of high quality, well coordinated, and cost effective patient-centered healthcare.  Keeping a consistent and clear focus on what is best for the patient is above all else the smartest way to stay on course in the ever-changing environment of HIE.