Reposted from Mobihealthnews.com – January 28, 2016 by Jonah Comstock
The Centers for Medicare and Medicaid Services came out with a final rule that would require face-to-face visits prior to home health services for Medicaid patients, a rule that already exists for Medicare patients. But, as Politico spotted, the rule also includes a parenthetical allowing those “face-to-face” visits to be conducted via telehealth.
Exactly what constitutes telehealth isn’t really spelled out in the language of the bill. In responses to public comments, the agency said it would defer to state definitions of telehealth but did not mean for phone calls or emails to suffice. Thorough guidelines on telehealth from CMS, it added, are forthcoming.
During the last few weeks there has been a surge in what the industry calls “drive-by attacks”. These attacks have happened recently at Yahoo!, weather.com, DrudgeReport.com and others. They don’t require you as a user to do anything; simply visiting an infected webpage is enough, because when a web page loads, all the items on the page are processed. If you think about any site you visit that is sponsored by advertising, you can see this for yourself. The code that makes the Dodge Charger billow smoke from the back wheels or the Geico Gecko say something witty needs to be processed as the page loads, or these ads would be ineffective.
Your browser doesn’t know the difference between these non-malicious ads and one that might load a malicious software program or software designed to encrypt your hard drive. These attacks are especially dangerous because they can show up on very legitimate websites if an attacker can fool an ad company into running one of their infected ads.
Reposted from HealthData Management – August 4, 2015 by Joseph Goedert
CMS and AMA recently developed guidance on new ICD-10 flexibility for physicians during the first year of compliance. Now, at the request of stakeholders who found errors, CMS has substantially changed the guidance in Questions 3 and 5.
Covered entities and business associates should take the following steps to ensure that they are prepared for a potential Phase 2 Audit:
- Confirm that the organization has recently completed a comprehensive assessment of potential security risks and vulnerabilities to the organization (Risk Assessment)
- Confirm that all action items identified in the Risk Assessment have been completed or are on a reasonable timeline to completion
- Ensure that the organization has a complete inventory of business associates and their contact information for purposes of the Phase 2 Audit data requests
- If the organization has not implemented any of the Security Standards’ addressable implementation standards for any of its information systems, confirm that the organization has documented (1) why any such addressable implementation standard was not reasonable and appropriate, and (2) all alternative security measures that were implemented
- Ensure that the organization has implemented a breach notification policy that accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards
- For health care provider and health plan covered entities, ensure that the organization has a compliant Notice of Privacy Practices and not only a website privacy notice
- Ensure that the organization has reasonable and appropriate safeguards in place for PHI that exists in any form, including paper and verbal PHI
- Confirm that workforce members have received training on the HIPAA Standards that are necessary or appropriate for workforce members to perform their job duties
- Confirm that the organization maintains an inventory of information system assets, including mobile devices (even in a bring-your-own-device environment)
- Confirm that all systems and software that transmit electronic PHI employ encryption technology, or that the organization has a documented risk analysis supporting the decision not to employ encryption
- Confirm that the organization has adopted a facility security plan for each physical location that stores or otherwise has access to PHI, in addition to a security policy that requires a physical security plan
- Review the organization’s HIPAA security policies to identify any actions that have not been completed as required (physical security plan, disaster recovery plan, emergency access procedures, etc.)
In the American Recovery and Reinvestment Act of 2009 (ARRA), Congress mandated that payment adjustments should be applied to eligible professionals, eligible hospitals, and critical access hospitals (CAHs) that are not meaningful users of Certified Electronic Health Record (EHR) Technology under the Medicare and Medicaid EHR Incentive Program.
at East River Electric in Madison, SD on Tuesday June 2, 2015
We are thrilled to announce the launch of a rural health IT funding initiative dedicated to rural clinics and hospitals in South Dakota. The initiative is focused on a broad range of funding needs, including mobile health, Telehealth and electronic health record technology.
Reposted from HealthData Management – April 12, 2015 by Joseph Goedert
The goal of the rule is to reduce burdens on providers while focusing more on advanced use of EHRs to support health information exchange and quality improvement, according to CMS.
Reposted from Healthcare Informatics – April 6, 2015 by Leslie Krigstein, Interim Vice President of Public Policy
Last week, OIG officials confirmed that multiyear audits of randomly selected physicians are in progress. The audits probe physicians’ reports of attestation to meaningful use going back to 2011. Most audits are aimed at determining whether Medicare and Medicaid incentive payments were appropriately claimed relative to program requirements and to assess CMS’ actions to remedy erroneous payments.
The U.S. Department of Health and Human Services (HHS), Centers for Medicare & Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC) today announced the release of the Stage 3 notice of proposed rulemaking for the Medicare and Medicaid Electronic Health Records (EHRs) Incentive Programs and 2015 Edition Health IT Certification Criteria to improve the way electronic health information is shared and ultimately improve the way care is delivered and experienced.
The Centers for Medicare & Medicaid Services (CMS) is pleased to announce that the submission deadlines for the PQRS reporting methods below have been extended. All other submission timeframes for other PQRS reporting methods remain the same.
The revised submission deadline is March 20, 2015 at 8 pm ET for the following reporting methods:
Medicare deadline has been extended to March 20, 2015. The South Dakota Medicaid deadline is March 31, 2015.
News Update came to HealthPOINT from Centers for Medicare and Medicaid Services – February 25
Eligible professionals now have until 11:59 pm ET on March 20, 2015, to attest to meaningful use for the Medicare Electronic Health Record (EHR) Incentive Program 2014 reporting year.
Reposted from The CMS Blog – January 29, by Patrick Conway, MD
Today, we at the Centers for Medicare & Medicaid Services (CMS) are pleased to announce our intent to engage in rulemaking to update the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs beginning in 2015. These intended changes would help to reduce the reporting burden on providers, while supporting the long term goals of the program.
Reposted from Health Data Management
One of the objectives to demonstrate data exchange within Stage 2 of the electronic health records program is the ability to exchange a summary of care record with a provider using a different EHR, or proving you can do exchange by sending the record to one of two CMS test EHRs.
HIPAA audits are still on hold, but OCR is committed to implementing an effective HIPAA audit program.
Reposted from Healthcare Info Security
The unit of the Department of Health and Human Services that enforces HIPAA still has plenty of work to do before it can launch its long-promised next round of HIPAA compliance audits, as planned for this year.
In early December, CMS released CMS FAQ 10754 just in time for the holidays. In a nutshell, the new guidance allows for the Meaningful Use (MU) required Security Risk Assessment (SRA) to fall outside the reporting period as long as it is conducted no earlier than January 1 of the program year, and no later than the provider attests, even if it is after December 31 of the reporting year.
Police forces and news organizations across the country are providing warnings about increased theft activity from cars as the holiday season is upon us. The reasons are many: parking lots fill up around retail stores; distracted shoppers forget to lock their doors; cars are left running to fend off frigid temperatures; and there is simply the general hustle and bustle during this time of year. Whatever the reason, ‘tis the season of the smash and grab, the long-standing criminal tradition of finding an easy target, quickly taking anything that looks like it might have value, and sorting it out later. The experience for the victim ranges from frustrating to devastating, but typically ends with an insurance claim and payment of the deductible.
On what seems like a monthly basis we are hearing about data breaches to IT networks. If you have anti-virus software and firewalls set up, you may feel like you are set. The question is, are they enough? We discuss the anti-virus software and different types of firewalls in this post.
Just on the heels of HeartBleed comes another vulnerability to make any Security Officer quake in their boots. This vulnerability, called ShellShock, threatens a large swathe of the Internet because it requires little technical expertise to exploit and is as easy to initiate as typing in a command line.
Dakota State University in Madison, S.D., and MetaStar in Madison, Wis., announced today a new partnership to perform network penetration testing for healthcare providers in the Midwest and via virtual service nationwide.
Social engineering in information security is the art of human manipulation. Criminals or malicious hackers use this method to gain access to confidential information, which can then be used to compromise a computer system, bank account, or electronic medical record (EMR).
Learn the methods that are used to execute social engineering and countermeasures that can be taken to combat it.
Everyone has heard of the Nigerian King Scam and it is often used as an example when describing what exactly phishing is. The problem with using it as an example is that it makes phishing seem like a minor threat, something only an idiot would fall for.
This is in stark contrast to reality, where phishing has evolved to become a major threat to organizations and a large source of income for scammers. While modern spam filters have done wonders to combat mass, undirected phishing scams, they do little to combat a more serious and directed threat, Spear Phishing. Find out what it is and how to combat it in this blog post.
The widespread use of mobile devices has created a new attack surface for hackers and cybercriminals. As the mobile enterprise grows, the difficulty level of securing applications and networks that mobile devices use also increases.
This brings a unique challenge to the workplace. Healthcare organizations spend vast amounts of time and money on cyber security, ensuring they are doing the best they can to prevent networks from being breached and data from being compromised. Many of them don’t realize the threat created by allowing mobile devices onto the local network.
Medicare audits are underway throughout the nation by Figliozzi and Company, an independent group of accounting and auditing professionals. The stratified, random selection process is based on size, type and geography. Notification of an audit can come by email or letter. The auditor usually allows two to four weeks for any requested information to be submitted. Extensions can be granted in special circumstances. Once the requested information is submitted, the desk review is performed, which results in closure of the audit, an on-site review or a letter of opportunity. On-site reviews typically last from three to 10 business days and involve up to five auditors. They include interviews with key personnel, operational reviews, walk-throughs and requests for further information. At the end of the audit process, the determination is made that the organization is a Meaningful User or the Meaningful Use payment must be returned.
Electronic Protected Health Information (ePHI) can be found in many locations throughout the average clinic – on laptops, thumb drives, workstations, servers, backup drives and more. One of the concerns for providers is the security of the information.
Dakota State University in Madison, S.D., and USF Health at the University of South Florida in Tampa, Fla., announced today they are partnering to perform network penetration testing and vulnerability analysis for healthcare providers in the southeastern United States and Puerto Rico.
Reposted from Healthcare IT News
Kevin Johnson is a professional hacker — albeit a self-described ethical one. As head of the security consulting firm Secure Ideas, his job involves probing into organizations’ networks and applications to identify vulnerabilities. And what he sees in healthcare terrifies him.
“Horizon Health Care, Inc. recently partnered with HealthPOINT to conduct a penetration test to assist in protecting its network from external threats. Staff from HealthPOINT were professional and helpful throughout the process. With the test results, Horizon’s senior staff gained valuable knowledge of potential security vulnerabilities and was able to develop appropriate countermeasures to secure its network. As a component of its ongoing security program, Horizon looks forward to incorporating annual penetration testing using HealthPOINT.”
– Scott Weatherill
Chief Information Officer, Horizon Health Care Inc. FQHC
“My staff and I have used HealthPOINT as a resource for Meaningful Use guidance since the beginning. Most recently we worked with them during a Meaningful Use audit. Their guidance and support was invaluable and certainly lessened the stress of the audit. They are incredibly well informed on the subject matter of Meaningful Use, full of helpful suggestions and even offered a little mental health counseling when needed. We recently expanded our relationship with them to include performing our Security Risk Assessment for 2014. They were very thorough and gave us education and suggestions for improvement along with the security assessment. South Dakota should be proud that we have such a high quality organization to assist with some of the dynamic changes in healthcare.”
– Darrel Riddle CEO, Rapid City Medical Center, LLP