The government seems to have done it yet again. First with ICD-10 and now with Meaningful Use … it’s creating more difficulty and expense for healthcare facilities.
NEMT CEO Linda Sullivan
On Aug. 29, 2014 the Centers for Medicaid and Medicare Services (CMS) and the Office of the National Coordinator for Health IT (ONC) issued a final rule that allows providers participating in the EHR Incentive Programs to use the 2011 Edition of certified electronic health record technology (CEHRT) for calendar and fiscal year 2014. While it provides some flexibility, it contains some onerous provisions.
Russell P. Branzell, president and CEO of the College of Healthcare Information Management Executives (CHIME), responded on Aug. 29 with the following statement:
“This afternoon the Centers for Medicaid and Medicare Services (CMS) and the Office of the National Coordinator for Health IT (ONC) finalized a regulation granting providers additional flexibility in meeting Meaningful Use (MU) requirements in 2014. However, the final rule lacked a key provision that would ensure continued EHR adoption and MU participation.”
Of significance is that the rule requires a 365-day attestation period in 2015. Currently the attestation period to meet Meaningful Use criteria is 90 days. I believe many facilities will have great difficulty in meeting the criteria and will consequently incur expensive penalties for failing to do so.
For example, part of MU requires 5 percent of patients being discharged to access their discharge instructions online. According to Sharon Busler, Director of Health Information Management at Catholic Medical Center, “There is no way to legislate patient behavior.”
Branzell further stated: “Now the very future of Meaningful Use is in question.”
The Omnibus Rule became effective on March 26, 2013 and there were many changes. Most of those changes needed to be in effect on Sept. 23, 2013. However, Business Associate Agreements (BAAs) that were in place prior to Jan. 25, 2013 did not need to be updated until Sept. 22, 2014.
NEMT President Linda Allard
Sept. 22, 2014 is right around the corner. This is the time to confirm that all your BAAs have been updated and comply with the new requirements of the Omnibus Rule.
The final HIPAA Omnibus Rule that was published on Jan. 25, 2013 really increased the responsibilities of privacy and security of business associates and covered entities. One example is that a BAA must now have provisions about notifying a covered entity if there is a data breach.
The Omnibus Rule also put in place downstream responsibilities such as now requiring a business associate to have a BAA for their subcontractors who have access to PHI.
This is the time to do that last minute checking to make sure that if you are a covered entity you have identified all your subcontractors. Business associates need to make sure they have verified all their subcontractors. Once you are sure you have identified them you need to double check that you have the properly-updated Omnibus-ready BAA in effect.
Remember that documentation is the key if you are asked to provide information in an audit. Also, did I mention that Sept. 22, 2014 is right around the corner?
I recently spent an entire day cleaning up a machine that had been compromised, which prompted me to write this article. It is my hope that some of these tips will save you time and frustration in the future.
Don’t fall for popups indicating slow computer / virus activity
Microsoft will never pop up a screen on your computer telling you it’s infected and asking you to call them. As a rule, you should never call a number that pops up on your screen or comes to you in a text message from an unknown source. NEVER! There was recently a big story about people who received a text message from their banks telling them they needed to call to correct a problem with their account. When called, the number prompted for social security number, etc. Some people actually input the info. Don’t fall for it.
- If you suspect a problem with your bank, call the number in your statement or on the back of your ATM / Visa card. If you have a computer problem, take it to your computer person.
- Never give personal information or credit card numbers to someone who calls you unsolicited. No matter what they say, you don’t know who they are or where they’re from.
- Don’t call the number they give you. Of course it will be answered correctly. It’s a con!
- Microsoft, the IRS, your bank, insert professional organization here — none of them will pop up a message on your screen. None of them will attempt to communicate with you via email, which brings up the next point.
- Do NOT click on links in emails from unknown sources. Clicking those links often leads to installing unwanted programs which then install actual malware, steal information, etc.
- When installing software, read each screen carefully to ensure you don’t install add-ons that you don’t want. Lots of people wonder how their homepage changes. The change is normally the result of installing some free program that, in turn, changed the home page. If possible, do the advanced install instead of the quick install so that you can (hopefully) uncheck boxes that would automatically install extra software that you don’t want.
- If you think you’ve been compromised, change every password you have immediately! Make sure you change the password you use to log into your computer, your email password, your banking password … all of them. Next, run the ESET Online Scanner (esetonlinescanner.com) and Malwarebytes (malwarebytes.org) to clean up anything that might have been installed.
I’ve tried to include as much information as I could in this short article. The bottom line is to be cautious and slightly paranoid. Slow down – read what comes up on the screen then think about it. If you’re running Norton, and some other antivirus message pops up, it’s fake! Remember: never, never call a phone number that just pops up on your screen or comes to you in a text message. Don’t click on links from people you don’t know, and sometimes from people you do know. Your friend’s computer might be infected. If it doesn’t look like something your friend would normally send you, give him/her a quick call or message asking if they really sent it. You might be the one who lets them know they have a problem, which will save both of you a lot of time and trouble.
In case you missed it, “Fortune” had a story this week about the flip side of security breaches — medical identity theft. It’s estimated to range from $80 to $230 billion each year and an estimated 90 percent of healthcare organizations surveyed said they’d had a data breach in the last two years.
Communications Director Tara Courtland
While some of those breaches are due to lost or stolen laptops or employee errors, it’s intentional criminal identity theft that presents the big problems.
Security experts say that criminal rings use stolen identities to order medical goods and services that are never delivered and then bill Medicare and Medicaid. It’s an extremely lucrative field – more so than other criminal activities traditionally pursued by crime rings.
So how do you keep tabs on your identity in healthcare? The same as you do in finance – order credit reports but also check up on your medical records when you visit your doctor to make sure there’s nothing you don’t recognize.
For healthcare companies, preventing medical identity theft goes along with preventing other types of security breaches. But it’s more than that. A new coalition, called the Medical Identity Fraud Alliance, is helping develop guidelines for preventing medical identity theft. One of the key ideas is that security isn’t just the job of the IT Department or the HIPAA compliance officer — it needs to be ingrained in the culture of the organization, the job of every person in the company.
Click here to check out the full article in “Fortune” and see if your organization is ready to get on board.
The Department of Health and Human Services has officially given the new deadline for ICD-10 implementation as Oct. 1, 2015. Once upon a time we would not have questioned a delay of this type but after two delays and two years, it’s anyone’s guess if the deadline will hold this time. And with Meaningful Use II attestation so far behind what everyone expected, the impact from that could yet again affect ICD-10.
NEMT CEO Linda Sullivan
Given the magnitude of what is happening inside of healthcare administration today, if you think about it, the delays were almost inevitable. We’re trying to make massive, expensive and time-consuming changes on many fronts in a very tough economic environment — the recovery that doesn’t feel like a recovery to anybody.
I wonder though if it would have been wiser to have chosen October 2016 as the new date. While there are hospitals still struggling to prepare, those that are ready have now lost momentum ($$$$).
Compare the delay of ICD-10 to the loss of momentum children experience when taking off three months between school years — called by academics “the summer slide” or “summer learning loss.” What we have here is “hospital readiness loss.”
It’s tough enough inside of hospitals now juggling multiple projects to have them derailed by the very folks who imposed the deadlines to begin with.
It’s important to have goals and dates for completion or nothing gets done, but more realism about all the interwoven and competing processes from the 30,000-foot view would have made this difficult road more manageable.