CMS Releases Meaningful Use Changes in Interim Final Rule with Comment

CMS has announced the release of an Interim Final Rule with Comment ("IFC") that makes several changes to the Medicare and Medicaid EHR Incentive Programs and 2014 EHR Certification Criteria. 

Short and sweet, the IFC major changes that are proposed include:

  • Revising regulatory text for the hospital measures for making patient information available online. The measure will base the denominator on all unique patients, not all patients.  CMS inadvertently omitted the word "unique" from previous regulatory text for these measures.   
  • Expanding denominator options for the objective of sending electronic lab results to ambulatory providers. Hospitals may choose between a denominator of all lab orders received from ambulatory providers or all lab orders received electronically from ambulatory providers, in order to account for the difficult hospitals may have where they receive a small percentage of lab orders electronically and to capture performance more adequately. 
  • Moving the CQM minimum denominator threshold effective date from 2014 to 2013.
  • Adoption of new version of the DEC (version 1.1) to ensure EHR technology certified is capable of electronic capturing of all data for CQM calculation and submission. 
  • Adoption of November 2012 balloted version of QRDA III for appropriate creation of data files for transmission of CQM data.
  • Intent to address technical errors in CQM specifications released previously on October 25, 2012. 


The IFC can be found here.  Stay tuned for more information about the comment period!

OIG Finds Fault with CMS Meaningful Use Oversight

In a report released on November 29, the Office of Inspector General (OIG) chastised CMS for not doing a better job of pre and post-payment oversight for the Medicare and Medicaid EHR Incentive Programs (Meaningful Use).  As of September 2012, OIG stated that CMS has paid out approximately $4 billion to eligible professionals (EPs) and hospitals. 

In the report, OIG looked at CMS’s oversight of Meaningful Use, examining self-reported data, CMS auditing planning documentation, guidance, and regulations, as well as conducted interviews with CMS key staff.  It found that CMS failed to implement strong prepayment safeguards, and that postpayment safeguards were also limited, criticizing CMS for its reliance on self-reported data and failure to confirm its accuracy. 

“CMS determines that professionals and hospitals are meaningful users of certified EHR technology, and therefore qualify for incentive payments, based solely on self-reported information. CMS does not verify that self-reported information is accurate prior to payment. Although CMS is not required to verify the accuracy of this information prior to payment, doing so would strengthen its oversight of the anticipated $6.6 billion in incentive payments. Verifying self-reported information prior to payment could also reduce the need to identify and recover erroneous payments after they are made.”

Problems OIG highlighted including failure to assess whether EPs and hospitals were eligible during the certification process for incentive payments, lack of capability for EHR technology to produce reports for all required measures, lack of guidance as to what documentation is needed to support attestation, and failure to review supporting documentation prior to issuing incentive payments.  Furthermore, OIG noted that CMS does not verify that numerators and denominators entered for all percentage-based measures reflect the actual number of given patients for such measures.  

Continue Reading

OCR Releases HIPAA De-identification Q&A Guidance

With the weekend coming up, why not take a break from the holiday frenzy and read through OCR's new HIPAA De-identification guidance. The approximately 30-page guidance document is an easy read, even for those of us who aren't statistically savvy.  

Covered entities are generally prohibited from disclosing protected health information (PHI) without authorization or as permitted/required by HIPAA unless it has been appropriately de-identified.  HIPAA sets forth two specific methods in which PHI may be considered de-identified: the Statistical method, or Expert Determination, and the Safe Harbor standard.  Once de-identified, the data may be used for a variety of purposes. 

The HITECH Act required the Secretary of HHS to issue guidance on implementing HIPAA de-identification, no later than 12 months after its enactment.  However, the guidance wasn't released until this past November, even though HHS and OCR had held a workshop on de-identification in 2010 that brought together policy, technical and statistical experts to discuss the challenges to de-identification and the ever increasing risk of re-identification. 

The document primarily addresses methods and approaches under the HIPAA Expert Determination method, in addition to the Safe Harbor standard in a question-and-answer format. With various tables and scenarios, the guidance highlights the general acceptable approaches for achieving de-identification and strategies to minimize information loss through de-identification.

Continue Reading