Posts Tagged HITECH


Introducing a New HIPAA Privacy Notice for Patients and Practices

HIPAA Notice of Privacy Practices

September 23, 2013 is the date that medical practices and other covered healthcare entities will roll out a new Notice of Privacy Practices to patients to be compliant with the HIPAA Omnibus rule enacted in March 2013.

What Does This Mean For Patients?

Patients should be aware that after September 23rd, their healthcare providers will have a new Notice of Privacy Practices (NPP) available. The new NPP should be posted in each office, on the website if one exists, and should be available as a handout for any patient requesting it.

The new notice will include:

    • Reasons that your Protected Health Information (PHI) can and cannot be disclosed to others.
    • Information for opting-out of communication related to fundraising activities, if your healthcare provider does any fundraising.
    • The ability to restrict your PHI from payer disclosure when you pay in cash instead of having the charges filed with your insurance plan.
    • Information about being contacted if there is a breach of your PHI due to unsecured records.

What Does This Mean For Practices?

    • A new Notice of Privacy Practices that is specialized to your practice must be developed.
    • The new NPP must be posted in your practice, on your website and available as a handout for any established patient who requests it.
    • All new patients must be offered a copy of the new NPP and must sign an acknowledgement that they received it. (They may turn a copy of the NPP down, however.)
    • Policies that address the disclosure of information/records and notification of a breach, should one occur, must be developed.
    • Old and new versions of the NPP should be on file in the practice, and patient acknowledgements should also be kept as long as the medical record is retained.

What else is required for compliance with HIPAA Omnibus?

One of our good friends, Steve Spearman at Health Security Solutions has posted great information on his site about the other requirements of the HIPAA Omnibus rule. His excellent posts help readers understand and comply with the new HIPAA guidelines in the following areas:

    • Business Associates Agreement (BAA) Update
    • Downstream Subcontractors Needing BAAs
    • New Breach Notification and Reporting Protocol
    • School Immunization Records Protocol
    • Electronic Fulfillment of PHI Request
    • Medical Record Protocols for Cash Payments

At Manage My Practice, we’re offering a free sample Notice of Privacy Practices for your practice use. Please read the sample notice carefully, make changes specific to your practice and add your practice name. Note that language related to fundraising is NOT included, as it will not apply to most private practices. Insert fundraising language as follows if appropriate for your practice.

Fundraising Activities: We may use PHI to contact you to raise money. If you wish to opt out of these contacts, or if you wish to opt back in to these contacts, please contact our Privacy Officer.

Likewise, if your practice has a research function, insert relevant language:

Research: We may use and share your health information for certain kinds of research; however, all research projects are subject to a special approval process.

Check your state laws.

Your state law may require authorizations for certain uses and disclosures of PHI beyond those outlined in the sample notice. Be sure to amend your NPP to reflect any state-specific laws (resource here) related to release of medical records. Remember to post your new NPP on your website and in your practice, and begin giving it to new patients September 23, 2013.

The new Notice of Privacy Practices is not required until September 23rd, but you can start using it as soon as you have yours ready.

For more on HIPAA, read my post “Three Big HIPAA Myths.”





Posted in: General


David Brooks of qliqSoft Talks to Us about Secure Communications, Replacing the SMS, and BYOD


Last week Mary Pat and I had a chance to meet and sit down for a while with a smart guy whose new venture is doing some really exciting things in the healthcare space. One of our favorite things to do! In an effort to keep our readers on the edge of what’s new, and to give more of the people we meet a chance to say hello and connect to our audience, we present the first in the MMP Interview series.

We first got in touch with David when he commented on one of our 2.0 Tuesday posts on Medigram – a new, private beta secure communications service. David let us know that Medigram wasn’t the only player in the space, and we agreed to meet for coffee and a chat. We got a chance to sit down with David soon after for a coffee and a demo of his company’s flagship product qliqConnect – also currently in Beta.

David is a sharp, passionate guy, and we loved having the chance to talk to him. Check out the interview below!

(more…)

Posted in: Day-to-Day Operations, Electronic Medical Records, General, Innovation


HHS Releases a Proposed Rule for ICD-10 Go-Live October 2014


Today HHS announced a proposed rule (complete rule here – 175 page pdf) that would delay the go live for ICD-10 from October 1, 2013 to October 1, 2014. What follows are excerpts from the proposed rule.

(more…)

Posted in: Collections, Billing & Coding, Compliance, Electronic Medical Records, Medicare & Reimbursement


Managed IT Services, HIPAA/HITECH Compliance and Changing IT Providers: Ed Garay from Lutrum Answers Your IT Questions.

Mary Pat: Where does the name of your company, Lutrum, come from?

Ed Garay: When I was developing a name for this company, I didn’t want to be like every other healthcare IT services company with health, md, medical, etc. as part of their name. I wanted it to represent something deeper about what we do and who we are as an IT organization. Although we are IT specialists, I realized that one of the things that I am always working with my team on is to listen and understand our client’s needs. Which led me to creating the name, Lutrum. Lutrum is a slight variant of the Latin word Lutra. Lutra means otter in English. And the otter symbolizes empathy.

Mary Pat: What led up to you starting your own business?

Ed Garay: In late 2000, I worked as an IT Director for an organization that continued to downsize. I came to a career crossroad. With starting to support under 100 systems, and the network running in tip-top shape, there was really no need for me to be there full-time in the long run. So, do I look for another job that can’t possibly be as fulfilling as where I was, or do I take a leap of faith and start up my own business and share my knowledge with the masses? Through the feedback of mentors and other resources that knew me personally and professionally, I was highly motivated to take the leap of faith and have never looked back. My business career has evolved over the years and has naturally led me to Lutrum.

Mary Pat: What are Managed IT Services?

(more…)

Posted in: Compliance, Electronic Medical Records, General


The Personal Health Record (PHR) is Alive and Well! Meet Zweena.

A personal health record (or PHR) is an individual electronic health record that is stored securely on the Internet so it can be accessed by medical providers and caregivers who have permission.

PHRs allow the storage of all critical health history information in one place. In the event of an emergency, the patient, caregiver or family member can give providers access to health information. By having the most current information always available, duplicate or unnecessary tests can be avoided as can possible drug interactions. This benefit is achieved without having to rely on the memory or incomplete records of the patient. PHRs also allow patients, caregivers or third-party vendors to update information regularly over the Internet so that new data can always be accessed by stakeholders.

Although Personal Health Records have been around for more than 10 years, they have gained little traction. Amidst a healthcare environment that is increasingly supportive of the empowered patient, most patients have neither the time nor the knowledge to enter their own records into a PHR. Many PHRs can interface with an individual hospital or physician’s EHR system, but most are unable to share information bi-directionally with more than one entity or flow seamlessly into a Health Information Exchange (HIE).

(more…)

Posted in: Electronic Medical Records, Innovation, Learn This: Technology Answers


Learn This: Physicians, Smartphones and mHealth

For the organized and busy professional on the go, the smartphone has quickly become a necessity on par with a person’s house keys, wallet, or purse. The past five years have vaulted the smartphone from status symbol to must-have business tool by bringing data and communication capabilities from your office to the palm of your hand. With decision making and communication tools always at the ready, you can be productive from anywhere you are, and you are freed up to bring information to clients, meetings, and conferences without the hindrance of a laptop.

Physicians, practitioners and forward thinking healthcare organizations are leading the charge to embrace mobile health, often called mHealth, or the practice of patient care supported by mobile devices. A survey conducted at the physician online and mobile community QuantiaMD in May of 2011 found 83% of physicians reported using at least one mobile device and 25% used both a phone and a tablet. Of the 17% surveyed who did not use a mobile device, 44% planned on purchasing a mobile device sometime in 2011. Physicians surveyed reported their top uses for mobile devices as:

Posted in: Learn This: Technology Answers, Memes


CHIME Publishes 2 Free Guidebooks for Implementing EHRs, the HITECH Act and Getting the Stimulus Money

CHIME is the professional organization for chief information officers and other senior healthcare IT leaders.

CHIME has produced a CIO-oriented publication providing details on how organizations should focus their efforts to implement EHR systems that will qualify for stimulus funding payments through the HITECH Act. The 80-page guidebook is available free to the public and can be downloaded here.

Also, the American Hospital Association (AHA) and CHIME have worked collaboratively to create a guidebook for CEOs on the HITECH Act and meaningful use implementation. The handbook entitled, “Health Care Leader Action Guide on Implementation of Electronic Health Records”, provides a readable, actionable, step-by-step guide designed to assist CEOs and other C-suite executives in the EHR implementation process. The 22-page guide is available free to the public and can be downloaded here.


Posted in: Electronic Medical Records


ARRA Eligible Providers: Who Is Eligible to Receive Stimulus Money and How Much is Available Per Provider?

Note: read my latest post on getting the EHR Incentives here.

Medicare Definition of Eligible Provider (EP)

For Medicare, physicians and some hospitals are eligible providers. “Physicians” includes doctors of medicine (MD) or osteopathy (DO), dentists or dental surgeons (DDS or DMD), doctors of podiatric medicine (DPM), optometrists (OD) and chiropractors (DC).

For providers, their annual payment will be equal to 75 percent of Medicare allowable charges for covered services in a year, not to exceed the incentives in the table below.  Payments will be made as additions to claims payments.

Hospitals include quick-care hospitals (subsection-d) and critical access hospitals, and only hospitals in the 50 States or the District of Columbia are included.

Medicaid Definition of Eligible Provider (EP)

Medicaid takes the Medicare definition of eligible providers (physicians) and adds nurse practitioners, certified nurse midwives and physician assistants; however, physician assistants are only eligible when they are employed at a federally qualified health center (FQHC) or rural health clinic (RHC) that is led by a Physician Assistant. Eligible hospitals include quick care hospitals and children’s hospitals.

At minimum, 30 percent of an EP’s patient encounters must be attributable to Medicaid over any continuous 90-day period within the most recent calendar year. For pediatricians, however, this threshold is lowered to 20 percent.

In the first year of payment, the Medicaid provider must demonstrate that he is engaged in efforts to adopt, implement, or upgrade certified EHR technology. For years of payment after year 1, the Medicaid provider must demonstrate meaningful use of certified EHR technology.

Change 1:

The  definition of “hospital-based physician” was recently clarified to include physicians working in hospital outpatient clinics (employed physicians) as opposed to the inpatient units, surgery suites or emergency departments.  This still excludes pathologists, anesthesiologists, ER physicians, hospitalists and others who see most of their patients in the ER as outpatients or as hospital inpatients.

Possible Change 2:

The Health Information Technology Extension for Behavioral Health Services Act of 2010 (HR 5040)  is a bill in the US Congress originating in the House of Representatives that would amend the Public Health Service Act and the Social Security Act to extend health information technology assistance eligibility to behavioral health, mental health, and substance abuse professionals and facilities, and for other purposes.  You can track the bill here.

For more information on stimulus money for meaningful use of an EMR, read my post here.

Posted in: Electronic Medical Records, Headlines, Medicare & Reimbursement


ARRA Changes Rules for HIPAA – Did You Miss These Three February Deadlines?

With so much going on in healthcare, it would not surprise me if a lot of practices missed the February 2010 deadline for three expanded HIPAA rules.  This expansion was dictated by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed by Congress in February 2009.

If you haven’t already, get started now with the new requirements.

  1. New obligations for business associates (BA) – February 17, 2010
    Remember that a BA is a person or organization outside of your entity with whom you share protected health information (PHI) so they may provide services to you. Good examples are your billing service, collection agency, attorney, consultant, computer vendors and providers of documentation abstracting or coding services. Under HITECH, BAs have the same responsibilities for breaches as the healthcare entity does, but it is the healthcare organization’s responsibility to have an updated, signed BA agreement in place that describes this new responsibility. Here is an excellent example of a BA agreement (first link under Publications) that you can download and tweak for your practice.
  2. New disclosure agreement provision – February 18, 2010
    This is a big one! Patients now may waive their right to have you file their medical insurance, pay for your services themselves and request that their medical information NOT be disclosed to their insurance plan or any other entity. In other words, patients may elect to become “self-insured”. I recommend that you create a new financial class for these patients so they fall neither into the standard self-pay/financial assistance class nor into their actual insurance class. These patients, if you have any, will need to be identified according to their wishes, which could mean that they want you to file insurance for some services and not for others. This means their record must be tagged for what records can be released and what records cannot. There could be an argument made either way for whether or not these patients should receive self-pay discounts that you have in place for your non-insured patients. I would be interested to know how different groups have decided to handle this. There are sample forms for PHI disclosure accounting and for patients to request an accounting of PHI disclosures in the Manage My Practice Library under Operations.
  3. Information breach notification – February 22, 2010
    We’ve heard a lot about this one as the media (along with HHS) must now be notified if a PHI breach involves 500 people or more. Breaches are being reported weekly as non-encrypted laptops are stolen or repurposed, and as copier hard drives (story here) go unnoticed as a security risk. If a breach involves 500 people or less, each individual must receive written notice with details of the breach, the information disclosed, and the steps being taken by the practice or entity to avoid any future breaches, as well as explaining the rights of the patient(s) in protecting their private healthcare information. Several of my employees have received notification letters from health plans and they have been horrified that this could happen. Note that entities that secure health information through encryption or destruction don’t have to provide notification in the event of a breach!

Enforcement is also beefed up.
Criminal penalties will apply to covered entities that violate privacy rules AND to those organizations’ individual employees (can you track who accesses whose records when?). Civil penalties have been increased and harmed individuals may share in the booty. Probably most importantly, HITECH gives state attorneys general the power to enforce HIPAA rules.

Other resources:

HHS FAQ on HIPAA Privacy

AMA HIPAA Resources

Healthcare Blog Listing

Posted in: Compliance, Day-to-Day Operations, Electronic Medical Records, Headlines


Quick Reference for Acronyms and Buzzwords of ARRA and HITECH

ARRA: American Recovery and Reinvestment Act of 2009, also called “The Stimulus Package” or “The Stimulus Bill.” Of the $850B in the bill, $51B is pegged for the health care industry and $19B of that will be used to incent medical practices to adopt EMRs/EHRs.

CCHIT: the Certification Commission for Health Information Technology is a private organization that certifies EMRs and EHRs based on 475 criteria spanning functionality, interoperability and security. CCHIT does not evaluate ease of use of products, financial viability of the company offering the software, or the quality of customer support offered by the software vendor. Whether or not CCHIT will be THE certifying organization to approve “qualified EMRs” will be announced at the end of the year. (Can be pronounced “SEA-CHIT” or each letter can be pronounced as in “C.C.H.I.T.”)

Comparative Effectiveness: Comparative Effectiveness Research (CER) compares treatments and strategies to improve health.  For CER, HITECH provides $300M for the Agency for Healthcare Research and Quality, $400M for the National Institutes of Health, and $400M for the Office of the Secretary of Health and Human Services. (more…)

Posted in: Electronic Medical Records, Headlines, Medicare & Reimbursement
