Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

3 Suggestions for Dealing with Healthcare Audits

Written by:

While at AHIMA 2013, one of the big topics people were discussing was all of the audits that the HIM staff are having to deal with on an ongoing basis. Everyone that I talked to said that there is no end in sight when it comes to the various audits. In fact, most were predicting even more audits to come.

I sat down with Dawn Crump, VP of Audit Management Solutions from HealthPort, to find out some suggestions for organizations trying to deal with this wave of audits in healthcare. Check out the video below to hear those suggestions (plus, she throws in a fourth and fifth bonus suggestion):

How is your organization dealing with all of these audits? Have you formalized and streamlined the process in your organization? Do you have an easy way to track all of your audits? Do you know the financial impact of these audits on your organization?

November 14, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Model Notice of Privacy Practices (NPP) Released by OCR and ONC

Written by:

The HIPAA Omnibus Rule compliance date is on Monday. Are you ready?

I’m sure the answer for most organizations is NO!

In fact, the real question that I hear most organizations asking is what they need to do to be compliant with the new HIPAA omnibus regulations. One of my more popular video interviews was on the subject of HIPAA Omnibus with Rita Bowen from HealthPort. That might be one place to start.

OCR and ONC recently released some model HIPAA Notice of Privacy Practice forms to help with compliance. Why they are just releasing them a week before organizations are suppose to be compliant is a little puzzling to me. Hopefully your organization is well ahead of the game on this, but you could still compare your Notice of Privacy Practices with the model forms they released.

David Harlow from the Health Blawg wrote the following about the model forms:

I was disappointed, however, with one of the examples given in the model NPP:
*You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.
*We will say “yes” to all reasonable requests.

Telephone and snail mail are nice, but many patients would prefer to be in contact with their health care providers via text message or email. Both modes of communication are permitted under HIPAA wth the patient’s consent (which may be expressed by simply emailing or texting a provider), but if the NPP doesn’t alert patients to that right, then many will never be aware of it.

As I heard voiced at a healthcare billing conference yesterday, “You have to be HIPAA omnibus compliant on Monday. I’m not saying you should spend your whole weekend making sure you’re in compliance. The HIPAA auditors won’t be knocking your door on Monday, but you better become compliant pretty quickly if you’re not already.”

September 20, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

What’s Pushing EMR Switching?

Written by:

I recently had a chance to talk with Sean West, VP & GM of HealthPort Data Conversion Services, about the hot topic of EMR switching (or EHR switching if you prefer). I’ve written about EMR switching many times before and even predicted it would be a hot topic a year or two ago. I assure you that it is going to become and even more important topic going forward.

During my discussion with Sean, I took note of a number of drivers behind all the EMR switching. Here’s what I consider to be the top three drivers:

Hospital Acquisition – I’ve written regularly about the trend of hospitals acquiring ambulatory practices and hospitals acquiring or merging with other hospitals. In one hospital system, I found that they were moving newly acquired practices onto the hospital EHR before they even moved their existing practices from paper to the hospital EHR. In many cases the acquired practices already had an EHR and so they had to make an EHR data conversion plan. Most current hospital acquisitions or mergers are also moving to one unified EHR software system. I could see this changing as larger more established hospitals are acquired, but right now these hospital acquisitions are driving a lot of EMR switching.

EMR User Dissatisfaction – There’s a broad range of EMR user dissatisfaction that prompts an EMR switch. Sometimes the healthcare organization is on a legacy EMR system that’s no longer being updated and so the user experience suffers. Other times we are talking about a newly implemented EMR system which doesn’t live up to the users expectations.

Not Meaningful Use Ready – The other large driver of EMR switching is when an EMR vendor isn’t or won’t be ready for meaningful use. The EHR incentive money and EHR penalties are a powerful incentive for many healthcare organizations. If an organization’s current EHR system isn’t ready for meaningful use, many have no choice but to switch EMR.

Of course, EMR switching can be a real challenge and every EMR switch is unique. You have to consider what you want to do with your old data. Do you have a way to transfer it to the new EMR? Can you get the EMR data out of the old system? Do you want to transfer all or part of the data? Do you not want to transfer the data to the new EMR, but you still want to keep the old EMR around to access the previous EMR data?

Many of the answers to these questions are heavily influenced by your original EMR contract. Sadly, many organizations did a poor job evaluating their EMR contract before they signed it. This can often lead to the old EHR vendor holding the EHR data hostage. It’s not pretty, but there are sometimes workarounds. Just be sure that you don’t make the same mistake with your new EHR vendor. My e-Book on EHR selection has a whole section on EHR contracts (starts on page 30) that you should consider.

EMR switching is never a fun experience, but it’s often a necessary evil. Plus, it’s going to continue to become more and more common. In fact, the next wave of EMR switching might be driven by EMR consolidation.

September 19, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Where You’ll Find Me at HIMSS 2013

Written by:

I can’t believe that HIMSS 2013 is finally here. Well, it’s almost here. I fly out on Saturday, and I’m seeing the tweets come in from the various vendors who are arriving in New Orleans to setup their booths. For those that can’t attend, we’ll do our best to give you a peek into the event. For those that can attend, I always love to meet those who read EMR and HIPAA in person. The following is a list of events that I’m hosting, participating in or otherwise engaged. All of these events and more are also listed in the Influential Networks HIMSS 2013 Event Guide.

I look forward to seeing many of you at these great events and in the hallways of HIMSS. It’s always great to see old friends and make new ones.

#SocialMedia and #Influence Tweetup
Monday, March 4, 2013
2:30 PM – 3:30 PM
Description:
Discuss the best approaches to influencing audiences around your ideas, products or services with John Lynn and Shahid Shah, InfluentialNetworks.com. Learn how social media can be used to get your messages out to those who matter. Discover common myths and misconceptions about new media, and learn proven strategies and techniques to get the most out of social media.
Location: Social Media Center

Discussion with Rita Bowen, Chief Privacy Officer at HealthPort, About HIPAA Omnibus Rule
Tuesday, March 5, 2013
12:00 PM – 1:00 PM
Description:
Come learn from one of the leading experts on HIPAA, Rita Bowen, as she discusses the latest details on the new HIPAA Omnibus rule with John Lynn, HealthcareScene.com.  We’ll talk about all the changes with business associates, how to make sure your compliant, and making a smooth transition to the new rule.
Location: HealthPort Booth #6841

New Media Meetup at #HIMSS13 Sponsored by docBeat
Tuesday, March 5, 2013
6:00 PM – 8:00 PM
Description:
Great food, free drinks, and time to mingle with the best and brightest that healthcare social media has to offer.  Come and meet people you’ve only connected with online and find new friends.  The New Media Meetup is where the online world meets offline.
Location: Mulate’s Party Hall – 743 Convention Center Boulegvard, New Orleans, LA
Register to attend: http://tinyurl.com/HIMSS13NMM

Point of Care Video with Metro
Wednesday, March 6, 2013
12:30 PM – 1:00 PM
Description:
Come learn more with John Lynn, HealthcareScene.com, about Metro’s latest point-of-care systems, AccessPoint mobile computing system, and their Metro Access platform.  We’ll be shooting a video of their latest products.  Don’t worry, you don’t have to be in the video unless you want to be.
Location: Metro Booth #6312

February 28, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

The Final HIPAA Omnibus Rule: A Sharing of Accountability

Written by:

The following is a guest post by Rita Bowen, MA, RHIA, CHPS, SSGB, SVP of HIM and Chief Privacy Officer, HealthPort. If you’re attending HIMSS, I’ll be doing an interview with Rita at HealthPort’s Booth 6841 at Noon on Tuesday 3/5/13. Come by and learn more about the HIPAA Omnibus Rule and get any questions you have answered.

It seems an eternity ago, four years to be exact, that the HITECH Act introduced changes to HIPAA. After much speculation, rumor, innuendo and anticipation, HHS released the final HIPAA omnibus rule, which significantly amends the original HIPAA Privacy, Security, Breach and Enforcement Rules. HHS Secretary Kathleen Sebelius introduced the new rule by stating:

“The final rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.”

Ms. Sebelius conceded that healthcare has changed dramatically since HIPAA was first enacted and that the new rule is necessary to “protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The new rule, at 563 pages, is not brief, but covered entities can’t let that inhibit them from becoming intimately acquainted with this document. I’ve made an initial review of the rule and culled what I feel are its key concepts:

  • Business Associates (BAs) of covered entities are now, for the first time, directly liable for compliance with certain requirements of HIPAA Privacy and Security rules, including the cost of remediation of breaches for which they are responsible.
  • The rule goes so far as to revise the definition of a “breach.” This new definition promises to make the occurrence of breaches – and the required notification of breaches — more common.
  • The use and disclosure of protected health information for marketing and fundraising purposes is further limited, as is the sale of protected information without individual authorization.
  • The rule expands patients’ rights to receive electronic copies of their health information and to restrict disclosures to health plans regarding treatment for which they’ve already paid.
  • Covered entities are required to modify and redistribute their notice of privacy practice to reflect the new rule.
  • The new rule modifies Individual authorizations and other requirements to facilitate research, expedite the disclosure of child immunization proof to schools, and enable access to decedent information by family members and others.
  • The additional HITECH Act enhancements to the Enforcement Rule are adopted, including provisions addressing enforcement of noncompliance with HIPAA rules due to willful neglect.

Getting to Compliance

And now comes the challenging part – compliance! The new rule goes into effect on March 26, and covered entities and BAs are expected to comply by September 23, so there is much work to do. Hospitals and clinics need to thoroughly comprehend — and then prepare for — the sweeping changes in BA liability. They’ll need to communicate these changes and new requirements to BAs and update their BA agreements accordingly. And since BAs are now directly liable for breaches, organizations must decide how they’ll enforce their BA agreements with regard to privacy and security. Additionally, comparable agreements must now be shared between BAs and their subcontractors.

What are the keys to successful compliance?  The following tips should ensure your smooth transition into the new rule:

  • Become intimately acquainted with the new rule — and its ramifications for your organization, your BAs, and their subcontractors.
  • Identify a privacy officer within all of your partner organizations.
  • Define a process for the notification of patients in the event of a breach of their protected health information (PHI).
  • Update breach notification materials to reflect the new Rule.
  • Update, repost and redistribute your Notice of Privacy Practices.
  • Document current privacy and security practices, and conduct a risk assessment.
  • Make certain your healthcare security technology solution is flexible, secure, and scalable to handle the growing volume of audit inquiries promised by the RACs.
  • Encrypt all devices that store patient information.
  • Communicate new HIPAA requirements and expectations to BAs.
  • Update business associate agreements (BAAs) to clarify that BAs pay the cost of breach remediation, when the BA is responsible for the breach.
  • Provide a template of a comparable agreement for BAs to use with their subcontractors.
  • Monitor your partners’ efforts to protect patient data.

The new HPAA omnibus rule has arrived and the challenges it presents should not be underestimated. Communication and organization will be your keys to success!

Rita Bowen, MA, RHIA, CHPS, SSGB

Ms. Bowen is a distinguished professional with 20+ years of experience in the health information management industry.  She serves as the Sr. Vice President of HIM and Privacy Officer of HealthPort where she is responsible for acting as an internal customer advocate.  Most recently, Ms. Bowen served as the Enterprise Director of HIM Services for Erlanger Health System for 13 years, where she received commendation from the hospital county authority for outstanding leadership.  Ms. Bowen is the recipient of Mentor FORE Triumph Award and Distinguished Member of AHIMA’s Quality Management Section.  She has served as the AHIMA President and Board Chair in 2010, a member of AHIMA’s Board of Directors (2006-2011), the Council on Certification (2003-2005) and various task groups including CHP exam and AHIMA’s liaison to HIMSS for the CHS exam construction (2002).

Ms. Bowen is an established speaker on diverse HIM topics and an active author on privacy and legal health records.  She served on the CCHIT security and reliability workgroup and as Chair of Regional Committees East-Tennessee HIMSS and co-chair of Tennessee’s e-HIM group.  She is an adjunct faculty member of the Chattanooga State HIM program and UT Memphis HIM Master’s program.  She also serves on the advisory board for Care Communications based in Chicago, Illinois.

February 25, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Reducing the Administrative Burden of RAC Audits – Guest Post by Lori Brocato

Written by:

Lori Brocato - Healthport
Lori Brocato is Director of Audit at HealthPort. With more than 15 years in health care technology, Lori serves as HealthPort’s resident government and third party audit expert, sharing educational information and best practices with health care facilities via Webinars, media interviews and industry articles. Additionally, she is the AudaPro product manager for HealthPort and authors her own blog, Audit Insights, on the HealthPort website. Lori is also a monthly contributor for RACMonitor, an online knowledge source for healthcare providers. She is RAC certified by the Medicare RAC summit and a member of HIMSS and HFMA.

Taking Paper Out of the Audit Process
The amount of provider and governmental resources now dedicated to processing and managing recovery audits is staggering. According to the American Hospital Association RACTrac Survey in May 2012, 76% of participating hospitals reported that RAC activity had increased their administrative burden including additional costs, training, software and full time equivalents needed to manage the workload. Similar findings were reported in the August 2012 RACTrac report.

Costs to cover the growing administrative load range from $10,000 to over $100,000 per quarter. Nine percent of hospitals spend over $400,000 annually to manage audit. And when multiple auditors come after the same encounter, expenses rise. The majority of these costs come from producing copies of medical records, sending them to review contractors, and managing appeals.

Making RACs a Paper-Free Zone
When RACs and other auditors need medical records to conduct their reviews, they request them by submitting a formal letter to the provider. These request letters land in the Audit or HIM department where internal staffs or outsourced Release of Information (ROI) companies find the requested records, produce photocopies and submit paper to the auditor.

Efforts to streamline this paper process began in 2011 with the introduction of CMS’s Electronic Submission of Medical Documentation  (esMD) project. Since then, information exchanges designed solely for provider-auditor medical record transfer have grown and matured.

Three Provider Options
Along with esMD, many ROI companies and other Health Information Handlers (HIH’s) have developed private exchanges. Providers have three choices to reduce the paper burden of RAC and other audits. They can build their own esMD gateway using the CMS CONNECT architecture, connect to esMD through an HIH, or use the HIH’s private exchange. All three options result in the following four benefits:

  • Elimination of paper and postage
  • Increased automation request delivery
  • Improved tracking
  • Faster delivery

However, since HIHs have already established connections either through esMD or a direct, private audit exchange, providers save time and IT expense by using an HIH.

Direct Connections: What Providers Need to Know
Because the number of auditing bodies continues to expand and reach of recovery contractor activity continues to grow, the use of direct audit connections (or exchanges) may outpace submissions through esMD. Direct exchange by an HIH uses a one-to-many connection with auditors and provides four benefits:

  • Request letters from RACs and other auditors can be received electronically.
  •  One access point is established by the provider and from there, the HIH is responsible for establishing all the various auditor connections; saving time and IT resources.
  • Providers have a secure, private portal with end-to-end tracking capability for all audit record requests.
  • Providers can obtain a FedEx comparable tracking number instead of just a date and time stamp confirmation.

Paper’s Coming Out of the Process….It’s Only a Matter of Time
Audits will continue. Demands for medical records will expand. Administrative burdens will increase. These are the realities of today’s pay-and-chase model. However, new technologies to cope are emerging.

These technologies, in concert with centralized audit management and EHR advances, are poised to reduce administrative burdens and move audit processing from “paper-intensive” to “paper-free”. The future of audit management will be paper-free: one way or another!

January 17, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Guest Post: HIPAA Responsibility – Whether You Want It or Not

Written by:


Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

John Lynn’s post “Covered Entity is Only One with Egg on Their Face” is good warning to healthcare providers: as HIPAA enforcement gains teeth, you are responsible for breaches caused by your business associates. The increase in HIPAA enforcement, penalties and current ONC audits make it clear that ignorance of adherence to HIPAA by your business associates (BA) is not a valid strategy.

In fact, the Poneman Institute Study cites 46 percent of breaches as caused by BAs, yet the covered entity (CE) is responsible for 100 percent of them from a legal prospective.

The time for inaction regarding your BAs is over. Now is the time to confront the issue head-on. The good news is that it costs less in the long run to prevent breaches than it does to pay for breaches committed by your BAs. Here’s how to get started.

It’s Time to Act

The same policies and procedures that you have implemented for yourself are applicable to your BAs. Of course, since the BAs do not report through your organization, the best way to assume compliance is through your contracting process.

It is not enough to just put it in the contract. In the old “trust but verify” school of management, your contract must also contain avenues of verification. That can include surveys, reports, audits, policy and procedure manuals, etc. This due diligence at contracting time pays off in many ways when ONC auditors knock on your door.

The due diligence must be a continual process, not just “once and done”. The laws are changing and Health and Human Services (HHS)’s Office of Civil Rights (OCR) is implementing new risk audits in 2012 to test your readiness. New breach notification and accounting of disclosure rules are imminent and will further tighten the laws. Also, many institutions focus on the Privacy Rules, while paying less attention to the Security Rules. The privacy rules focus on the “what,” while the security rules focus on the “how” of compliance.

To protect yourself, you should be doing self assessments using both internal and external auditors. Anything you do for yourself should be considered for your business associates.

Simple Encryption Goes a Long Way

Most accidental large-scale breaches are caused by lost or stolen electronic devices. The small one or two patient breaches are much less of a publicity problem but still require a risk assessment. The small breaches are going to happen; it is inevitable. The large breaches carry a higher degree of severity.

To prevent large breaches, it is essential that BAs which use electronics have the same tight policies and procedures in place that you do (or should). They can go beyond the HIPAA-mandated policies. One practice that should be implemented is encryption.

Remember, a lost electronic device that contains encrypted data is not considered a reportable breach. Encryption is a logical first step that, while not yet HIPAA mandated, will save considerable pain and expense over time. Notice it is only a first step. There are other security technologies available that will call a central location to pinpoint a device’s location. Further, they can wipe themselves clean if not accessed properly or in a given timeframe.

Paper Breaches Also a Concern

And providers shouldn’t lose sight of paper medical records and how BAs are using them. In fact, many breaches to date have involved paper. Understand how your BAs use paper records and patient information. Is it going off site? If so, there should be established policies and procedures.

Any access to paper records and appropriate destruction of those records must be HIPAA compliant. Locked bins for disposal and state-of-the-art shredders are a must at the provider’s site and the BA’s office. Do not let paper records lay around on desks and make sure all personnel are trained in the handling of paper records.

Training and Education for All

Training and educating are the foundation of any compliance program. BAs should have an in-depth training and education program that is as robust as that of the covered entity. Best practices make training an ongoing, living process with regular updates and mandatory attendance at classes.

Making the effort to fend off unauthorized disclosures will go a long way toward mitigating risk. Staying in front of the threat curve is difficult but not impossible. Remember to apply lessons learned to your BAs so you aren’t the only one with egg on your face!

March 21, 2012 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Meaningful Use Stage 2 Commentary and Resources – Meaningful Use Monday

Written by:

For this week’s Meaningful Use Monday, I decided I’d go through the large list of meaningful use stage 2 commentary that’s been put out over the past week. I’ll do my best to link to some of the most interesting commentary, summaries, etc of meaningful use stage 2 and point out some resources that I’ve found useful.

John Halamka on Meaningful Use Stage 2
First up is the blog post by John Halamka about MU stage 2. I really like his recommendation to read pages 156-163 of the MU rule (PDF here). Sure, the rule is 455 pages, but many of those pages are a recap of things we already know or legalese that is required in a government document. Halamka also created a meaningful use stage 2 powerpoint that people can reuse without attribution. Worth looking at if you’re not familiar with MU stage 2 or if you have to make a presentation on it.

Health Affairs on MU Stage 2
Health Affairs has a nice blog post covering meaningful use stage 2. They offer “3 highlights that seem particularly important:”

  1. The bar for meeting use requirements for computerized provider order entry (CPOE), arguably the most difficult but potentially the most important EHR functionality, has been raised: now a majority of the orders that providers write will have to be done electronically.
  2. There is a major move to tie quality reporting to Meaningful Use. We knew this was coming, but CMS has laid out a host of quality measures that may become requirements for reporting through the EHR.
  3. Health Information Exchange moves from the “can do it” to the “did do it” phase. In Stage 1, providers had to show that they were capable of electronically exchanging clinical data. As expected, in Stage 2, providers have to demonstrate that they have done it.

Health Affairs also talks about the timeline for this rule and the feedback that CMS is likely to get on MU stage 2. I’m sure they’re going to get a lot of feedback and while they suggest that the rule will look quite similar to the proposed rule, I expect CMS will make a couple strong changes to the rule. If nothing else to show that they listened (and I think they really do listen).

Stage 2 Meaningful Use by The Advisory Board Company
The Advisory Board Company has a good blog post listing the 10 key takeaways on stage 2 of meaningful use. Below you’ll find the 10 points, but it’s worth visiting the link to read their descriptions as well.
1. Centers for Medicare & Medicaid Services (CMS) affirms a delay for 2011 attesters.
2. Stage 1 requirements will be updated come 2013.
3. Medicaid definitions are loosened; more providers are eligible.
4. While the total number of objectives does not grow, Stage 2 measure complexity increases significantly.
5. Information exchange will be key, but a health information exchange (HIE) will not be necessary.
6. Patients will need to act for providers to succeed.
7. Sharing of health data will force real-time, high-quality data capture.
8. More quality measures; CMS’ long term goals—electronic reporting and alignment with other reporting programs—remain intact.
9. The Office of the National Coordinator’s (ONC) sister rule proposes a more flexible certification process and greater utilization of standards.
10. Payment adjustments begin in 2015.

AMA MU Stage 2
The American Medical News (done by the AMA) has a blog post up which does a good job doing an overall summary of where meaningful use is at today (post MU stage 2). Meaningful Use experts will be bored, but many doctors will appreciate it.

Justin Barnes on Meaningful Use Stage 2
Justin Barnes provides his view on meaningful use stage 2 in this HealthData Magement article. It seems that Justin (and a few other of his colleagues at other EHR vendors) have made DC their second home as they’ve been intimately involved in everything meaningful use. I found his prediction that the meaningful use stage 2 “thresholds and percentages will remain largely in place come the Final Rule targeted for August, and should not be decreased via the broader public comment phase next underway like we saw with Stage 1.” Plus, he adds that the 10 percent of patients accessing their health information online will be a widely discussed topic. Many don’t feel that a physician’s EHR incentive shouldn’t be tied to patients’ actions. Add this to the electronic exchange of care summaries for more than 10 percent of patients and the healthcare data is slowly starting flow.

Meaningful Use Stage 2 and Release of Information
Steve Emery from HealthPort has a guest post on HIT Consultant that talks about how meaningful use stage 2 affects ROI. This paragraph summarizes the changes really well:

The bottom line for providers is that Stage 2 MU changes with regards to these specific criteria will drive organizations to implement a patient portal or personal health record application; and connect their EHR systems to these systems. Through these efforts it is expected that patient requests to the HIM department for medical records will decrease; as patients will be able to obtain records themselves, online and at any time.

e-Patients and Meaningful Use Stage 2
e-Patient Dave got together with Adrian Gropper MD, to put together a post on meaningful use stage 2 from an e-Patient perspective. This line sums up Adrian Gropper MD’s perspective, “My preliminary conclusion is that Stage 2 is a huge leap toward coordinated, patient-centered care and makes unprecedented efforts toward patient engagement.”

Meaningful Use Stage 2 Standards
Those standards geeks out there will love Keith Boone’s initial review and crosswalks from this rule to the Incentives rule here.

Shahid Shah on Meaningful Use Stage 2
I like Shahid Shah’s (the Healthcare IT Guy) overview and impressions as well. He’s always great at giving a high level view of what’s happening in healthcare IT.

Are there any other meaningful use stage 2 resources out there that you’ve found particularly useful or interesting?

March 5, 2012 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Guest Post: Small Breaches Still Reportable – Current State of HIPAA Breach Notification

Written by:


Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules. Here’s a link to read all of the HIPAA Breach Notification Rules guest posts.

In the world of release of information (ROI), we see the breach of one or two records much more frequently than the massive, over-500 events. Smaller, one- or two-record breaches do not require immediate notification to HHS. The HITECH Act says they should be aggregated and sent to HHS at the end of each year. In 2010, the agency received more than 25,000 reports of smaller breaches affecting more than 50,000 individuals. The complete Annual Report to Congress (PDF) from HHS for 2009 and 2010 is available online.

The most common, inadvertent breaches within the ROI process involve sending the wrong record to the wrong person or third party. It is usually human error that produces these breaches. For example, the CE gets a written request from an insurance company, attorney or patient for medical record #12345. Someone pulls the wrong medical record either paper-based or electronic, say medical record #12344 and sends it. The result—a breach!

Training, education, skilled staff and solid procedures are the best approach to minimizing human error-based breaches, but they are inevitable. If and when it happens, the CE must evaluate sending a notification to the patient.

Another observation about breaches is that reactions to them seem to be very polarizing. Sometimes we see “breach fatigue” by patients. They hear so much about breaches that any leakage of their information is considered “no big deal” and simply a reality of modern, high-tech times. “After all, who really cares about the appendectomy I had ten years ago?” The opposite pole is that some patients become very upset and exhibit a sense of great concern.

Ultimately, the balance between a patient’s right of confidentiality and the provider’s needs for workflow consistency will continue to evolve. In the meantime, until a final breach notification rule is released, every CE must determine for itself how patient notices are analyzed and handled.

November 3, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Guest Post: Expect New Rules to Expand Notification – Current State of HIPAA Breach Notification

Written by:


Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules.

It is widely expected that Health and Human Service (HHS) final disclosure rules will mandate notification be done in every case. Should this occur as predicted, additional patient education will be needed to avoid the concerns mentioned above.

Further complicating matters is the fact that hospitals must adhere to HHS rules AND those at the state level. State laws in some cases are more onerous than federal laws and they continue to morph. Just trying to stay on top of all the changes may be reason enough to disclose every instance of breached information. Whether it contains protected health information (PHI) or not, some states require patient notification in every instance of the inadvertent release of certain i.d. information.

In next week’s post, we’ll cover whether small breaches are still reportable.

October 27, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.