Meaningful Use Sees Impressive Payouts since Beginning

CMS recently released the numbers for the Medicare and Medicaid EHR Incentive Programs through February 2013.  About $12.6 billion has been paid out to participants by the program so far. 

Although only 4,299 hospitals are actively registered for Meaningful Use, over 380,000 EPs are registered, with about 234,000 providers combined receiving payments through February 2013.  CMS greatly exceeded the goal it had set for the program for 2012 of 100,000 participants, which had been reached by last summer. 

On the state side, California, Florida, New York, Texas and Pennsylvania lead the way in the amount of payments made to EPs and hospitals, as well as total number of participating providers.  New Jersey has 6,891 participating providers as of February 2013 with $318,261,098 paid out.

Visit the CMS Data and Program Reports page for up-to-date Meaningful Use payment and registration information. 

HHS Releases RFI on Interoperability and HIE

HHS, CMS and ONC have released a Request for Information (RFI) seeking input on policies and programs to encourage health information exchange (HIE) through interoperable systems.  Although the Medicare and Medicaid EHR Incentive Programs and other federal efforts are rapidly increasing the adoption of standards based HIE and EHR technology,

This alone will not be enough to achieve the widespread interoperability and electronic exchange of information necessary for delivery reform where information will routinely follow the patient regardless of wheter they receive care....

The overarching goal is to develop and implement a set of policies that would encourage providers to routinely exchange health information through interoperable systems in support of care coordination across health care settings.  

HHS therefore seeks comment on several options for encouraging HIE among providers and settings of care through a hodge-podge of existing statutory vehicles (primarily CMS and ONC programs and projects). In addition to requesting comment on these existing vehicles, CMS and ONC seek to identify what is currently working to encourage HIE, and which changes would have the biggest impact on HIE adoption, including regulatory requirements.

Furthermore, although long neglected under the EHR Incentive Programs, CMS and ONC specifically seek comment on what policies and programs would have the most impact on post-acute and LTC care providers as well as behavioral health.  They ask for insight into how these programs and policies should be implemented and developed to maximize care coordination and quality improvement for these populations. In addition, CMS and ONC specifically seek comment on policies and programs which would most impact patient access and use of their electronic health information for management of their care.   

Post-Acute and Long-Term Care Providers.  HHS acknowledges the low rates of EHRs and HIE among LTC and post-acute care providers and identifies existing authority which could be leveraged to expand HIE.  These include incorporating HIE as key components of:

  1. Medicaid health homes;
  2. Demonstration and pilot projects under Medicaid and the Childrens Health Insurance Program (CHIP);
  3. Home and community based services (HCBS), which would include LTC;
  4. State expansions of HIE infrastructure as part of the Medicaid EHR Incentive Program, and
  5. CMS Conditions of Participation or Coverage

Settings of Care.  HHS additionally acknowledges the need to accelerate HIE across providers, including ambulatory care, behavioral health, laboratory, and post-acute and LTC. For example, HHS seeks comment on:

  1. New e-specified measures for exchanging summary records following transitions of care aligned with CMS quality reporting programs, including the EHR Incentive Programs;
  2. Medicare Shared Savings Program, requiring or encouraging Accountable Care Organization (ACO) to engage in HIE as part of coordination of care;
  3. Payment and service delivery model testing under the Affordable Care Act, such as demonstration of use of interoperable technology for HIE to facilitate model participation decisions and requirements;
  4. Model testing to align Medicare and Medicaid financing and care integration under the Capitated Financial Alignment model.

Consumer and Patient Engagement.  HHS and CMS seek to encourage engagement of patients in their care by improving their access to health information and electronic communication between their health care providers.  Options to encourage consumer and patient engagement include:

  1. Incorporating new measures into Medicare Advantage Program consumer assessment serveys (CAHPS);
  2. Blue Button availability to all CMS beneficiaries;
  3. Payment and service delivery model testing under the Affordable Care Act, such as demonstration of incentives for consumers to more actively participate in their health; and
  4. Direct access to lab results from laboratories (CLIA and HIPAA Amendments).

The RFI will be published today in the Federal Register.  Comments may be submitted up to 5pm on April 22, 2013. 

What Do I Need To Do to Comply with the HITECH Omnibus Rule? (the short version, please)

long list (picture).pngThe HITECH Omnibus Rule clocked-in at 563 pages, and we have read, digested and condensed the nuts and bolts for you here in our February 2013 edition of our Health Law Diagnosis newsletter.  But if 11 pages is still too long for you, then here is a checklist that bullets out the basics of what Covered Entity Health Care Providers need to know in order to update their compliance programs for HITECH & the Omnibus Rule:

  • Update the following HIPAA Policies & Procedures:
    • Patient Rights to Access:  Patients now have a right to an electronic copy of their ePHI. An updated policy should address processes for how much data the patient can get; how much you can charge for producing electronic formats; security safeguards to be applied with transfer of ePHI to the patient, and others issues.
    • Patient's Right to Restrictions: When a patient pays for services  "out-of-pocket" and in full, you must abide by any request the patient makes to restrict PHI generated from that visit from being disclosed to their health plan. The procedures should address how to flag such episodes in the record and abide by the restriction; informing patients that if disclosures are "required by law" then their restriction would not prevent such disclosures; how to notify individuals that the restriction only applies to the provider restricting disclosures to the health plan, and does not necessarily prevent downstream disclosures (i.e., if a prescription is sent to the pharmacy, then the pharmacy may submit a claim for payment to the patient's health plan).
    • Fundraising: You must provide a "clear and conspicuous" opportunity for  individuals to opt-out of future fundraising communications. You cannot condition treatment/payment on any decision.  The NPP must include a sentence about this right to opt-out.
    • Marketing: Communications that encourage a patient to use a product or service are considered marketing and require the patient's signed HIPAA Authorization, unless the communication falls within specific new exceptions; but, if there is any payment exchanged for making such communication, then it may still be  prohibited. This HITECH change is complicated, and revisions to this policy requires careful drafting to not be overly restrictive or too permissive.
    • Prohibition on Sale of PHI: Policies must be updated to reflect that in any case where there is payment exchanged for PHI, that this must be flagged and is prohibited unless it falls within one of the specifically listed exceptions.  Otherwise, the patient's HIPAA Authorization is required. 
    • Security Breach Notification: Policies governing security incidents and mitigation when there is an unauthorized disclosure of PHI must be updated to synchronize with new Security Breach Notification obligations. A stand-alone new policy to govern Security Breaches is recommended for compliance with HITECH.  Note that any draft polices that were prepared under the Interim Final Breach Rule must now be updated as a result of the Omnibus Final HITECH Rule to reflect that the "Harm" threshold no longer applies, there is a presumption of Breach.
    • Definition of PHI:  Policies should reflect two important changes to the definition of PHI (i) that Genetic Information is PHI, and is prohibited from being used for underwriting purposes; and (ii) that PHI of decedents is no longer protected by HIPAA 50 years after their death.  This last change should also be synchronized with an organization's medical retention policies, and with how they will deal with BAs who do may retain PHI after termination of the underlying services contract (i.e., when return or destruction of PHI not possible).
    • Public Health Disclosures: this policy should be updated to reflect the Omnibus Rule change that now permits proof of immunizations to be released to schools where the school is required by law to have that information.   The policy should reflect that the parent or guardian's approval is still required, which can be satisfied by documenting a phone conversation, an email or by other methods.
    • Minimum Necessary: this policy must reflect that Covered Entities and Business Associates must limit uses and disclosures of PHI to only the minimum amount necessary, or to the limited data set.  Also, update BA Agreements accordingly.
    • Research: If your organization engages in research, policies can permit compound authorizations, condition participation on authorization, and obtain authorization for future research now, post-HITECH and Omnibus.  
    • De-identification: this policy should be reviewed and updated to reflect OCRs new guidance on de-identification, see here.
    • Accounting of DisclosuresSTAY TUNED ON THIS ONE.  HHS declined to finalize  the proposed expansion of AOD to treatment, payment and health care operations, or the Access Report in the Omnibus Rule. This will be subject to a future Final Rule. In the meantime, Covered Entities may follow the "old" HIPAA standard for Accounting for Disclosures.

  • Update your Notice of Privacy Practices:  Several statements must be added to the NPP to comply with HITECH.  As a courtesy, here is a copy of our "Update your NPP" checklist from our HIPAA HITECH Helpbook.
  • Update your HIPAA Business Associate Agreements:  HIPAA BA Agreements must be updated to reflect required language.  Covered Entities will also want to address issues such as determining if a BA is its "agent", which carries with it significant implications post-HITECH, and including indemnity provisions as a result.  It is also recommended that Covered Entities address BA's rights with regard to using de-identified data, and what to do with information 50 years after a patient's death, among other issues.
  • Update Your HIPAA Authorization:  If you are sending marketing communications, you must update your Authorization forms to indicate this.  If you are using HIPAA Authorizations for research, make sure to update them for the new changes.

  • Update your Fundraising forms: If your organization engages in fundraising activities, then you must update your communications for the new "opt-out" requirement.

For more help, email me at for more information about forms and checklists available in our HIPAA HITECH Helpbook, or our HIPAA HITECH Workshop.