CMS ANNOUNCES IT WILL DISCONTINUE PHASE II OF ELECTRONIC HEALTH RECORDS DEMONSTRATION

 

On April 7, 2009 CMS announced that, as a result of the incentive provisions for physicians to encourage the adoption of health information technology in the American Recovery and Reinvestment Act of 2009 (“ARRA”), CMS will change its plans for implementing the electronic health records (“HER”) Demonstration.  CMS will continue implementation of Phase I of the EHR Demonstration program on schedule.  CMS will continue working with Phase I community partners and practices, including local kick off meetings for more than 400 selected practices in May, 2009. The demonstration will begin as planned on June 1, 2009 and continue through May 21, 2014. However, CMS has decided to discontinue Phase II of the EHR demonstration, which originally was planned to begin operations in mid-2010.  

 

 

The EHR demonstration initiative aims to reward delivery of high-quality care supported by the adoption and use of electronic health records in physician practices. This initiative expands upon the foundation created by the Medicare Care Management Performance (“MCMP”) Demonstration. The goal of the demonstration is to foster the implementation and adoption of EHRs and health information technology (“HIT”) more broadly as effective vehicles to improve the quality of care provided and to transform the way medicine is practiced and delivered.    As part of the EHR demonstration, all participating primary care physician practices will be required to have a Certification Commission for Healthcare Information Technology (“CCHIT”)-certified EHR by the end of the second year. (CCHIT is the recognized certification authority for EHRs and their networks.)  Physician practices must, as part of the demonstration, utilize the EHR to perform specific minimum core functionalities that can positively impact patient care processes, (e.g., clinical documentation, ordering of lab tests, recording lab tests, and recording of prescriptions).  The core incentive payment is based on performance on the quality measures, with an enhanced bonus based on the degree of HIT functionality used to manage care.    On June 10, 2008 CMS announced its selection of 12 community partners in defined sites to help CMS implement the EHR demonstration. The approved community partners in each site represent diverse groups of organizations including varied HIT stakeholder collaborations, medical societies, primary care professional organizations and health departments. Phase I includes the following 4 sites: Louisiana, Southwest Pennsylvania, South Dakota (and some counties in bordering states), and Maryland and the District of Columbia. Recruitment of physician practices in the four Phase I sites was initiated on September 2, 2008, and the enrollment period closed on November 26, 2008. Over 800 eligible applications were received from interested practices in the four Phase I sites.      © 2009 Parsonage Vandenack Williams LLC   For more information, contact info@pvwlaw.com

Provider Information: Steps to Take to Prevent Incidents of Medical Identity Theft

          Health care providers need to implement approaches to detect, prevent and respond to medical identity theft incidents.  No single solution applies to all providers because of each provider’s unique size, overhead and available resources.  Therefore, providers should implement a variety of techniques, including patient authentication, training and awareness, and risk assessment.

          Providers should especially be awate of medical identity theft concerns because they could increase as the industry moves toward electronic health records and a national health information network.  If networks do not have adequate privacy and security protections, huge volumes of health information could be improperly accessed and used for medical identity theft, as well as other purposes.

          In many cases, providers have not yet considered the unique characteristics of medical identity theft as a part of their overall risk assessment.  It is important for providers to evaulate whether there are any gaps in their policies and procedures that might lead to medical identity theft.  The best time for this evaluation is during routine risk assessments.

         Although entities covered under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) are required to implement a security awareness and training program for their workforce, medical identity theft is raraly addressed as a separate, individual risk.  Requiring patient authentication – in the form of picture identification as well as a health insurance card – is one way to combat medical identity theft.

        In addition to using education and training to prevent incidents of medical identity theft, providers should consider conducting training following an incident to ensure that employees and contractors have responded appropriately.  This allows staff to debrief , identiry and apply lessons learned, and to continuously improve the quality of privacy and security process and procedures.  It will also help providers respond and mitigate any threats as well as learn steps that can be implemented in the future to prevent similar incidents from occurring.

 Guide to Medical Privacy and HIPAA.  Health Care Series.  December 2008, vol. 7, no. 11.

                

© 2008 Parsonage Vandenack Williams LLC

 For more information, contact info@pvwlaw.com

                                                                                                                                                     

 

                                                                                                                                                                 

Portable Devices Pose Challenges to Protecting Patient Privacy

Covered entities (“CEs”) need to be aware that their wireless networks and portable devices such as iPhones and BlackBerrys are not necessarily secure.

Almost twelve people have been charged with various counts of computer intrusion, fraud and identity theft, among other charges, for participating in a crime ring that allegedly hacked into nine major retailers’ wireless computer networks.  The feds believe that the conspirators stole credit and debit card numbers through “wardriving,” which involves one person who drives a car around while another person in the car attempts to gain access to a wireless network through a laptop computer.

CEs could be targeted in similar schemes and should make sure that their wireless networks are properly encrypted.  CEs should have already converted from using the Wired Equivalent Privacy (“WEP”) system of encryption to the more secure Wi-Fi Protected Access (“WPA”) protocol.  WEP encryption was more common until about a year ago, when researchers discovered weaknesses in it.

Additionally, CEs should remind staff members to use portable devices with care. There are two main risks: (1) if a doctor is in a public place and is using an unsecured network to transmit PHI [i.e., protected health information], then people could intercept that traffic if it is not encrypted or if it is encrypted with a weaker method; and (2) piggybacking on a signal to get into a laptop.  The second risk is much more difficult to accomplish, but it can be done so that perpetrators can look at the traffic coming from the device.

Use of portable devices like laptops and iPhones falls under HIPAA’s workstation use and security policies.  Therefore, CEs should remind staff members about where they can or cannot use these devices.  An airport is a particularly risky place to use such devices because anyone can log in for wireless access with a credit card and can intercept information.  Also, employees should use the locking features of the devices so that no one can open them without a password.  Finally, CEs should go over what kind of information is acceptable to transmit.  This will help to ensure that patient information is protected and HIPAA compliance is maintained at all times.

Health Business Daily, Sept. 17, 2008.

 

© 2008 Parsonage Vandenack Williams LLC

 

For more information, contact info@pvwlaw.com

Compliance Risks Escalate with the Use of Electronic Medical Records Systems

Health care providers truly appreciate electronic medical record (“EMR”) templates because they make documentation faster and easier.  However, abuses such a cloning and “exploding” notes are putting reimbursement and compliance at risk.  If too much information is replicated from one EMR to the next, there is very little to distinguish patient encounters, which undermines physician attempts to establish medical necessity — the foundation of Medicare reimbursement — and might implicate quality of care.

Although Centers for Medicare & Medicaid Services (“CMS”) has not adopted a position on templates, the agency has noted that they are supposed to encourage physician documentation, and not do most of the work.  The problems with templates have become a hot issue because EMR systems are becoming more popular.  Moreover, physicians are constantly working to comply with Medicare’s 1995 or 1997 evaluation and management documentation guidelines.  However, experts warn that prepopulated templates and cloning may be too easy to help.  Cloning may work for certain elements of the history, but it should not be used for the history of present illnesses, the exam, or the medical decision-making portion.

Medicare carriers do not like the use of so-called “default documentation” because they really cannot tell what kind of work is performed in each encounter if the records are so similar.  Also, payers want the documentation to support medical necessity, but it is difficult for physicians to document medical necessity because it is a cognitive process.  Carrying forth documentation that is not relevant to what the physician did, through the use of cloning or prepopulated templates, is not eligible to receive payment because it is not medically necessary.  The government is becoming increasingly aware of this because EMR is becoming so widely used.

Specific Medicare concerns include the possibility that defaulted documentation may cause a provider to overlook significant new findings, as well as the possibility that the provider’s computerized documentation program defaults to a more extensive history and physical examination than is medically necessary to perform on a given day, and does not specifically set forth new findings and changes in a patient’s condition.

In some instances, prepopulated templates and cloned records hardly appear to describe the patient at all.  When a patient goes to see a doctor and the EMR for the visit is cut and pasted from the previous medical encounter, all vital signs, history and physical, and review of systems are carried over from the patient with the intention of updating it. 

It is important for physicians to take the time to customize medical records to the greatest extent possible, even in a template system, in order to make it clear to auditors that they are not carbon-copy records.  This will allow physicians to benefit from the efficiency of EMR, but also to maintain full compliance with Medicare’s standards.  Document the patient’s primary complaint, which should carry through to the physical exam and the history, and that should support decision making and medical necessity.[1]

[1] Report on Medicare Compliance, May 28,2007.

 © 2008 Parsonage Vandenack Williams LLC  

 

For more information, contact info@pvwlaw.com