Reposted from Mobihealthnews.com – January 28, 2016 by Jonah Comstock
The Centers for Medicare and Medicaid Services came out with a final rule that would require face-to-face visits prior to home health services for Medicaid patients, a rule that already exists for Medicare patients. But, as Politico spotted, the rule also includes a parenthetical allowing those “face-to-face” visits to be conducted via telehealth.
Exactly what constitutes telehealth isn’t really spelled out in the language of the bill. In responses to public comments, the agency said it would defer to state definitions of telehealth but did not mean for phone calls or emails to suffice. Thorough guidelines on telehealth from CMS, it added, are forthcoming.
During the last few weeks there has been a surge in what the industry calls “drive-by attacks”. These attacks have happened recently at Yahoo!, weather.com, DrudgeReport.com and others. They don’t require you as a user to do anything: just visiting an infected webpage is enough, because when a web page loads, all the items on the page are processed. If you think about any site you visit that is sponsored by advertising, you can see this for yourself. The code that makes the Dodge Charger billow smoke from the back wheels or the Geico Gecko say something witty needs to be processed as the page loads, or these ads would be ineffective.
Your browser doesn’t know the difference between these non-malicious ads and one that might load a malicious software program or software designed to encrypt your hard drive. These attacks are especially dangerous because they can show up on very legitimate websites if an attacker can fool an ad company into running one of their infected ads.
Reposted from HealthData Management – August 4, 2015 by Joseph Goedert
CMS and AMA recently developed guidance on new ICD-10 flexibility for physicians during the first year of compliance. Now, at the request of stakeholders who found errors, CMS has substantially changed the guidance in Questions 3 and 5.
Covered entities and business associates should take the following steps to ensure that they are prepared for a potential Phase 2 Audit:
- Confirm that the organization has recently completed a comprehensive assessment of potential security risks and vulnerabilities to the organization (Risk Assessment)
- Confirm that all action items identified in the Risk Assessment have been completed or are on a reasonable timeline to completion
- Ensure that the organization has a complete inventory of business associates and their contact information for purposes of the Phase 2 Audit data requests
- If the organization has not implemented any of the Security Standards’ addressable implementation standards for any of its information systems, confirm that the organization has documented (1) why any such addressable implementation standard was not reasonable and appropriate, and (2) all alternative security measures that were implemented
- Ensure that the organization has implemented a breach notification policy that accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards
- For health care provider and health plan covered entities, ensure that the organization has a compliant Notice of Privacy Practices and not only a website privacy notice
- Ensure that the organization has reasonable and appropriate safeguards in place for PHI that exists in any form, including paper and verbal PHI
- Confirm that workforce members have received training on the HIPAA Standards that are necessary or appropriate for workforce members to perform their job duties
- Confirm that the organization maintains an inventory of information system assets, including mobile devices (even in a bring-your-own-device environment)
- Confirm that all systems and software that transmit electronic PHI employ encryption technology, or that the organization has a documented risk analysis supporting the decision not to employ encryption
- Confirm that the organization has adopted a facility security plan for each physical location that stores or otherwise has access to PHI, in addition to a security policy that requires a physical security plan
- Review the organization’s HIPAA security policies to identify any actions that have not been completed as required (physical security plan, disaster recovery plan, emergency access procedures, etc.)
More than 7,000 people dead and counting. And you can also count on cyber-criminals exploiting the disaster. What else is new. Disgusting.
Scammers are now using the Nepal disaster to trick people into clicking on links on Facebook, on Twitter and in phishing emails that solicit charitable giving for the earthquake victims. Here are some examples:
- Facebook pages dedicated to victim relief contain links to scam websites.
- Tweets are going out with links to charitable websites soliciting donations, but in reality they include spam links or links that lead to a malware infection.
- Phishing emails dropping in a user’s inbox asking for donations to the Nepal Earthquake Fund.
Previous disasters have been exploited like this, but the bad guys are going at it again with all guns blazing. Be wary of anything that is about the Nepal Earthquake in the following weeks.
Please warn your employees, friends and family against this scam of the week. If you want to make a donation, go to the website of the charity of your choice and make a donation. Type the address in your browser, do not click on any links in emails or text you might get. THINK BEFORE YOU CLICK.
Here is the FBI alert about this scam. It might be a good idea to send this link to all employees; an FBI alert usually has a bit more impact.
For the first time, criminal attacks are the leading cause of data breaches in healthcare, with such attacks up 125 percent versus five years ago, replacing lost laptops as the top cybersecurity threat to the industry.
That is the finding of a new study by the Ponemon Institute, sponsored by security software and services vendor ID Experts, in which 45 percent of healthcare organizations indicate the root cause of their data breach was a criminal attack and 12 percent say it was due to a malicious insider.
“We are seeing a shift in the causes of data breaches in the healthcare industry, with a significant increase in criminal attacks. While employee negligence and lost/stolen devices continue to be major causes of data breaches, criminal attacks are now the number-one cause,” said Larry Ponemon, chairman and founder of the Ponemon Institute.
Data breaches are costing the healthcare industry $6 billion annually, Ponemon reports, with the average economic impact of data breaches per organization pegged at $2,134,800. In addition, medical identity theft nearly doubled in five years, from 1.4 million adult victims to over 2.3 million in 2014. Yet, the study also found most healthcare organizations are unprepared to address new threats and lack adequate resources to protect patient data.
According to the study, all healthcare organizations—regardless of size—are at risk for data breaches. Ninety-one percent of healthcare organizations had one data breach, 39 percent experienced two to five data breaches and 40 percent had more than five data breaches over the past two years. Nonetheless, nearly two-thirds of respondents do not offer any protection services for patients whose information has been breached.
In the American Recovery and Reinvestment Act of 2009 (ARRA), Congress mandated that payment adjustments should be applied to eligible professionals, eligible hospitals, and critical access hospitals (CAHs) that are not meaningful users of Certified Electronic Health Record (EHR) Technology under the Medicare and Medicaid EHR Incentive Program.
If a provider is eligible to participate in the Medicare EHR Incentive Program, they must demonstrate meaningful use in either the Medicare EHR Incentive Program or in the Medicaid EHR Incentive Program, to avoid a payment adjustment. Medicaid providers who are only eligible to participate in the Medicaid EHR Incentive Program and do not bill Medicare are not subject to these payment adjustments.
Medicare hospitals began to receive payment adjustments on October 1, 2014, and Medicare eligible professionals will begin to receive payment adjustments on January 1, 2015.
For further information, or if you have questions, please contact your HealthPOINT representative.
at East River Electric in Madison, SD on Tuesday June 2, 2015
We are thrilled to announce the launch of a rural health IT funding initiative dedicated to rural clinics and hospitals in South Dakota. The initiative is focused on a broad range of funding needs, including mobile health, Telehealth and electronic health record technology.
Reposted from HealthData Management – April 12, 2015 by Joseph Goedert
The goal of the rule is to reduce burdens on providers while focusing more on advanced use of EHRs to support health information exchange and quality improvement, according to CMS.
Reposted from Healthcare Informatics – April 6, 2015 by Leslie Krigstein, Interim Vice President of Public Policy
Last week, OIG officials confirmed that multiyear audits of randomly selected physicians are in progress. The audits probe physicians’ reports of attestation to meaningful use going back to 2011. Most audits are aimed at determining whether Medicare and Medicaid incentive payments were appropriately claimed relative to program requirements and to assess CMS’ actions to remedy erroneous payments.
The U.S. Department of Health and Human Services (HHS), Centers for Medicare & Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC) today announced the release of the Stage 3 notice of proposed rulemaking for the Medicare and Medicaid Electronic Health Records (EHRs) Incentive Programs and 2015 Edition Health IT Certification Criteria to improve the way electronic health information is shared and ultimately improve the way care is delivered and experienced.
The Centers for Medicare & Medicaid Services (CMS) is pleased to announce that the submission deadlines for the PQRS reporting methods below have been extended. All other submission timeframes for other PQRS reporting methods remain the same.
The revised submission deadline is March 20, 2015 at 8 pm ET for the following reporting methods:
- EHR Direct or Data Submission Vendor that is certified EHR technology (CEHRT)
- Qualified clinical data registries (QCDRs) (using QRDA III format) reporting for PQRS and the clinical quality measure (CQM) component of meaningful use for the Medicare Electronic Health Record (EHR) Incentive Program
Medicare deadline has been extended to March 20, 2015. The South Dakota Medicaid deadline is March 31, 2015.
News Update came to HealthPOINT from Centers for Medicare and Medicaid Services – February 25
Eligible professionals now have until 11:59 pm ET on March 20, 2015, to attest to meaningful use for the Medicare Electronic Health Record (EHR) Incentive Program 2014 reporting year.
Reposted from The CMS Blog – January 29, By Patrick Conway, MD
Today, we at the Centers for Medicare & Medicaid Services (CMS) are pleased to announce our intent to engage in rulemaking to update the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs beginning in 2015. These intended changes would help to reduce the reporting burden on providers, while supporting the long term goals of the program.
Reposted from Health Data Management
One of the objectives to demonstrate data exchange within Stage 2 of the electronic health records program is the ability to exchange a summary of care record with a provider using a different EHR, or proving you can exchange by sending the record to one of two CMS test EHRs.
HIPAA audits are still on hold, but OCR is committed to implementing an effective HIPAA audit program.
Reposted from Healthcare Info Security
The unit of the Department of Health and Human Services that enforces HIPAA still has plenty of work to do before it can launch its long-promised next round of HIPAA compliance audits, as planned for this year.
In early December, CMS released CMS FAQ 10754 just in time for the holidays. In a nutshell, the new guidance allows for the Meaningful Use (MU) required Security Risk Assessment (SRA) to fall outside the reporting period as long as it is conducted no earlier than January 1 of the program year, and no later than the provider attests, even if it is after December 31 of the reporting year.
Police forces and news organizations across the country are providing warnings about increased theft activity from cars as the holiday season is upon us. The reasons are many: parking lots fill up around retail stores; distracted shoppers forget to lock their doors; cars are left running to fend off frigid temperatures; and there is simply the general hustle and bustle during this time of year. Whatever the reason, ‘tis the season of the smash and grab, the long-standing criminal tradition of finding an easy target, quickly taking anything that looks like it might have value, and sorting it out later. The experience for the victim ranges from frustrating to devastating, but typically ends with an insurance claim and payment of the deductible.
Dakota State University in Madison, S.D., and MetaStar in Madison, Wis., announced today a new partnership to perform network penetration testing for healthcare providers in the Midwest and via virtual service nationwide.
Reinforcing health information technology (HIT) concepts, and reviewing regulations and benefits of Meaningful Use of Electronic Health Records (EHR) are not exactly topics those in the healthcare field consider fun. HealthPOINT at Dakota State University (DSU) and Horizon Health Care, Inc. (Horizon), doing business as Prairie Health IT (PHIT) Network, are trying to make learning these subjects more enjoyable through gamification.
Not sure what this means or want more information about how to execute it? Click the video on the left to learn more on what meaningful use auditors are looking for in Core Measure 15 and how to properly document it for meaningful use attestation.
Social engineering in information security is the art of human manipulation. Criminals or malicious hackers use this method to gain access to confidential information, which can then be used to compromise a computer system, bank account, or electronic medical record (EMR).
Learn the methods that are used to execute social engineering and countermeasures that can be taken to combat it.
Rule will help more providers use electronic health record technology
The Department of Health and Human Services (HHS) published a final rule today that allows health care providers more flexibility in how they use certified electronic health record (EHR) technology (CEHRT) to meet meaningful use for an EHR Incentive Program reporting period for 2014.
Everyone has heard of the Nigerian King Scam and it is often used as an example when describing what exactly phishing is. The problem with using it as an example is that it makes phishing seem like a minor threat, something only an idiot would fall for.
This is in stark contrast to reality, where phishing has evolved to become a major threat to organizations and a large source of income for scammers. While modern spam filters have done wonders to combat mass, undirected phishing scams, they do little to combat a more serious and directed threat, Spear Phishing. Find out what it is and how to combat it in this blog post.
Earlier this week, Franklin, Tenn.-based Community Health Systems notified some 4.5 million of its patients that their personal information had been stolen by cybercriminals. Fittingly, this week the Office of the National Coordinator (ONC) for Health Information Technology posted information on how to keep your health information private and secure.
In this post we review some of their health information protection tips for patients as well as some of our tips for health systems.
The widespread use of mobile devices has created a new attack surface for hackers and cybercriminals. As the mobile enterprise grows, the difficulty level of securing applications and networks that mobile devices use also increases.
This brings a unique challenge to the workplace. Healthcare organizations spend vast amounts of time and money on cyber security, ensuring they are doing the best they can to prevent networks from being breached and data from being compromised. Many of them don’t realize the threat created by allowing mobile devices onto the local network.
Developing a cost-effective budget for security expenditures is a tricky task. The costs of a data breach are nebulous and often unclear until after the fact, making it difficult to gauge just how much a business should be spending on security. The fact that the real benefits of a security solution are not apparent after an attack only further adds to the uncertainty.
How is a clinic or hospital to know how much a recent data breach would have cost them had they not had an Incident Response Plan? A recent study done by the Ponemon Institute, sponsored by Symantec, intends to answer that.
Health EDventure won an education award last week. Find out what it was in this post.
FireEye, a leading network security company, just released an analysis of security systems. Find out what the key findings were and what actions you need to take to ensure your network’s security in this post.
In recent posts we have talked about the damage currently being caused by healthcare data breaches and how ethical hacking shows areas of weakness in a network. In this post, we talk about how ethical hacking works.
Ethical hacking is becoming more and more popular as healthcare organizations are being targeted and compromised by malicious hackers. Every month there is a growing number of organizations being fined due to data leaks and patient information being exposed via intrusions by hackers. Learn what ethical hacking is and why it could be good for your company in this post.
There is a false sense of security in the healthcare industry that patient data is not valuable – a who-would-want-it mentality. Find out why this is very wrong and why you should let us assess the security of your health IT system in this blog post.
In an effort to help clinical practices use health information technology (health IT) like electronic health records (EHRs) to reduce high blood pressure, the Department of Health and Human Services (HHS) today launched a new challenge asking health care professionals and other caregivers to submit the tools they use to improve patient care.
In addition to assisting Rapid City Medical Center during their recent meaningful use audit, we also performed their Security Risk Assessment (SRA). Read their thoughts on how it went.
We received some great feedback from Rapid City Medical Center last week. See what they had to say about the meaningful use support we provided.
HealthPOINT has the unique position of being a part of an institution designated by the National Security Agency (NSA) as a Center of Academic Excellence in Cyber Operations. See who it is and what it means for our customers.
Reposted from Healthcare IT News
Kevin Johnson is a professional hacker — albeit a self-described ethical one. As head of the security consulting firm Secure Ideas, his job involves probing into organizations’ networks and applications to identify vulnerabilities. And what he sees in healthcare terrifies him.
Since it was founded in 2006, Health EDventure programs have only been available to South Dakota students, teachers and parents. Beginning with the 2014-15 school year, Health EDventure is going to expand nationwide!
With participation in Stage 2 of the electronic health records program nearly dormant and many providers still having problems with Stage 1, the federal government is making big changes.
Last week we announced that we joined forces with Health EDventure to add health education for kids and teens to our line-up.
As the school year draws to an end, we are excited to celebrate a great year and plan for the next year of Health EDventure programs. This week we celebrate the South Dakota Road Trip finishing up.
Dakota State University in Madison, S.D., and USF Health at the University of South Florida in Tampa, Fla., announced today they are partnering to perform network penetration testing and vulnerability analysis for healthcare providers in the southeastern United States and Puerto Rico.
Two weeks ago we were featured in an EHR Intelligence article entitled “How a rural state manages to lead the way in EHR adoption.” The top-five states for EHR (electronic health records) adoption are Utah (71.6%), South Dakota (71.2%), Wyoming (71.0%), Iowa (70.8%), and North Dakota (69.2%).
In this post, we discuss why this is and what other states can learn from it.
AHIMA is recruiting physicians, interns, and residents for an Item Writing Meeting on Friday, June 6, 2014 from 8:00 AM to 5:00 PM (central time) at their Chicago office. Your task at this meeting would be to assist AHIMA by writing 20+ clinical scenarios based on high-frequency medical encounters.
Breakfast and lunch will be provided and all travel and lodging expenses will be entirely covered by AHIMA. Additionally, to show their appreciation, you will receive an honorarium. Should you write at least 20 clinical scenarios that adhere to their guidelines you will also be entered into a raffle to win a 3-4 night cruise to the Bahamas!
Please submit your resume no later than Friday, May 2, 2014 to Kaitlin Whitney at ItemWriting@ahima.org to reserve your spot for this item writing meeting. Available spots are limited. If you are unable to attend but are interested in contributing to the item writing, please forward your resume to the email listed above.
Reposted from AHIMA’s Facebook page.
Last Monday, March 31, the U.S. Senate voted to pass the Protecting Access to Medicare Act of 2014. This bill pushed back the compliance deadline for the ICD-10 code set conversion from Oct. 1, 2014 to Oct. 1, 2015, a full 12 months.
In this post, we discuss the impact of the ICD-10 delay and what providers should do now.
We are starting to dig into the content a medical coder will need to know about specific body systems because anatomy and physiology knowledge is very important for ICD-10 certification.
We covered the skeletal system in our last post so now we want to talk about the information a medical coder will need to know about eyes and ears for the ICD-10 transition.
In a recent post, we talked about why anatomy and physiology knowledge is so important for ICD-10 certification. Now we want to dig into what kind of content a medical coder will need to know about specific body systems.
In the free trial of our Anatomy and Physiology Review for ICD-10-CM/PCS, we provide trial users access to our skeletal system module which is the system we’ll use as an example in this post.
Reposted from Health Data Management
The adoption rate for offices with 26 or more doctors increased only 1.6 percent, from 75.9 percent to 77.5 percent. Overall, the rate of EHR adoption grew from 50.3 percent to 61 percent compared to the previous year.
Reposted from Centers for Medicare & Medicaid Services
Eligible professionals participating in the Medicare EHR Incentive Program may be subject to payment adjustments beginning on January 1, 2015. CMS will determine the payment adjustment based on meaningful use data submitted prior to the 2015 calendar year. Eligible professionals must demonstrate meaningful use prior to 2015 to avoid payment adjustments.
The deadline for conversion from ICD-9 to ICD-10 is fast approaching. Certification testing on ICD-10-CM/PCS begins April 7, 2014, with the CCS credential and April 28 for the RHIA/RHIT examinations. This means time is running out to get certified under ICD-9 before the certification tests change to ICD-10-CM/PCS. Learn the major differences between the two in this post.
Professionals involved in medical coding will need to receive their ICD-10-CM/PCS certification by October 1, 2015. The transition from ICD-9-CM to ICD-10-CM/PCS will require a strong foundation in Anatomy and Physiology. Find out why in this post.
Reposted from Centers for Medicare & Medicaid Services
CMS is extending the deadline for eligible professionals to attest to meaningful use for the Medicare EHR Incentive Program 2013 reporting year from 11:59 pm ET on February 28, 2014 to 11:59 pm ET March 31, 2014.
In addition, CMS is offering assistance to eligible hospitals who may have experienced difficulty attesting to submit their attestation retroactively and avoid the 2015 payment adjustment.
Reposted from HealthIT.gov
As part of an ongoing effort to empower patients to be informed partners with their health care providers, the Department of Health and Human Services (HHS) has taken action to give patients or a person designated by the patient a means of direct access to the patient’s completed laboratory test reports.
“The right to access personal health information is a cornerstone of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule,” said Secretary Kathleen Sebelius. “Information like lab results can empower patients to track their health progress, make decisions with their health care professionals, and adhere to important treatment plans.”
Reposted from Centers for Medicare & Medicaid Services
As part of our and CMS’ ongoing effort to improve interoperability among certified Electronic Health Records Technology (CEHRT), we are pleased to announce McKesson and Meditech are the first two “Test EHRs,” selected from among certified EHRs. We strongly encourage others in the EHR technology developer community to participate in the program to become a CMS designated test EHR.
Reposted from Centers for Medicare & Medicaid Services
Last week, CMS and ONC announced the intent to change the Stage 3 timeline and extend Stage 2 of meaningful use through 2016.
Important to note about the proposed timeline
- It does not delay the start of Stage 2 of meaningful use.
- It does not affect the current reporting periods and deadlines for 2014 participation.
Reposted from Centers for Medicare & Medicaid Services
December 31, 2013, is an important deadline for eligible professionals (EPs) participating in the EHR Incentive Programs. It marks the end of the calendar year and the last day of the 2013 meaningful use program year.
Reposted from Centers for Medicare & Medicaid Services
Subsection (d) hospitals that are eligible to participate in the Medicare EHR Incentive Program must meet meaningful use requirements to avoid the federally-mandated payment adjustments that begin in fiscal year (FY) 2015. The adjustment is determined by the hospital’s reporting period in a prior year.
Find out how your hospital’s participation start year will affect its 2015 payment adjustments:
The more-stringent-than-ever HIPAA Omnibus Rule compliance date is today, September 23, 2013. The new rule promises to bring hefty fines, more audits and added enforcement pertaining to the issue of patients’ protected health information.
Read more: Enforcing HIPAA Omnibus: What to Expect
HealthPOINT at Dakota State University was started in 2010 through an American Recovery and Reinvestment Act (ARRA) grant to help healthcare providers adopt Electronic Health Records (EHR) and guide providers and hospitals to Meaningful Use. In recognition of National Health Information Technology (IT) Week, HealthPOINT announced today that the organization has 96% of its target number of 700 primary care providers live on EHRs and over half to Meaningful Use.
Microsoft has announced that support for its Windows XP software, as well as its Office 2003 software, will end on April 8, 2014. In a nutshell, this means that computers continuing to operate using Windows XP or Office 2003 after that date will no longer receive security updates, which further means that the computer systems running this software will become prime targets for malicious programs and would-be hackers.
South Dakota Medicaid is requiring providers to have all of the provider records updated in SD MEDX before EHR incentive payments are made.
Log into SD MEDX and ensure that the entire provider record is correct. Most often, providers will need to update all of their servicing provider records under step 14, such as license information, taxonomy information, etc. When they update the license, they need to mail/fax a copy to the state as well. Also, ownership/managing employee information must be supplied under step 4 of the group/facility record. For specific provider enrollment information, please refer providers to the SD MEDX Response Team at 1-866-718-0084.
The sooner providers update their information, the sooner they can get paid.