Isn’t it exciting when the government finally explains rules they set forth ?

Isn’t it great when the government clearly and concisely details for all to understand the hoops that must be jumped through in order to receive money promised?

I speak of course about the Health Information Technology for Economic and Clinical Health Act (HITECH) incentive to pay physicians, through Medicare & Medicaid, when they use electronic health record systems (EHRs) to achieve specific improvement in care delivery.

Remember how everyone ran out and bought an EHR because Uncle Sam was going to “give them” $44,000?

Remember how, once you spent all of that money, then you then began to try and figure out how to get reimbursed?

Remember how difficult it was to figure out how to get reimbursed?

Have you figured that out yet?

One lynch pin in qualifying for reimbursement was proving “Meaningful Use”.

As usually happens in these circumstances, many folks made educated guesses on what Meaningful Use was going to actually mean.

I haven’t read all of those guesses, but I don’t recall anyone being even close to what was just released.

The final rule regulation is explained in explained in a mere 864 pages.

Among other things, it has created 2 groups of requirements that your EHR must meet.  Really, what these requirements do is ensure you aren’t strapping together Excel and Word with bubble gum & bailing wire and claiming it is an EHR.

Group 1 of these requirements is called the “core objectives”.
This consists of things like:

• Recording patient demographics on more than 50% of your patients
• Recording vital signs and chart changes on more than 50% of your patients
• Recording smoking status for patients 13 and older for more than 50% of your patients 13 & older
• Implement drug-drug and drug-allergy interaction checks

This isn’t quite half the required core set, but you get the point.

Next there is an optional section.  No it is not optional for you to follow these objectives, but you must choose 5 items from a list of about 10 to implement.

Some of these items include:

• Implement drug formulary checks
• Incorporate clinical lab test results into your EHR for more than 40% of your patients
• Use EHR technology to identify patient-specific education resources & provide this information to your patients

And much more.

Note: in a later posting, we will discuss each of the “optional” items and which we feel would be easiest to implement.

What does all of this mean?

It’s quite simple actually: call your EHR vendor and ensure they are doing what is required for your EHR to fulfill meaningful use.

There is no need for you to run around worrying about which menu sets to choose.

Just do this: get a letter (yes a written letter) from your EHR vendor certifying your EHR meets the requirements of meaningful use.

It really is that simple…for you at least.

This doesn’t mean suddenly you’ll start to receive that EHR money.

In fact, I wouldn’t be surprised if around each corner up pops another requirement like…HIPAA compliance!

Yes, there are many out there that believe that HIPAA compliance will be required to receive that check.

It might go something like this:

Let’s pretend you have all of your ducks-in-a-row on the meaningful use side of the house.  Now the CMS says, “Ok, nice job, but first we must do a HIPAA audit to ensure you are in compliance.”

GULP!

Yes, then year 2, HIPAA Audit.

Year 3, HIPAA Audit.

Year 4, HIPAA Audit.

Oh, yes, one more thing.  You better show progress each year or No Check For You!

It could, and just might, happen.

Ah the joy of our new health care rules.

When the government isn’t reducing reimbursement rates, threatening to take back money already paid to you (via a RAC audit) or hanging huge fine threats over your head if you don’t follow privacy rules (HIPAA)…they sneak in a nifty little (additional) paperwork pothole.

With the passage of the new health care bill, among the 2,400 plus pages is hidden this little gem: all companies, starting in 2012, will have to issue IRS 1099 tax forms to any individual or corporation from which they buy more than $600 in goods or services in a tax year.

CNN said the following:

Right now, the IRS Form 1099 is used to document income for individual workers other than wages and salaries. Freelancers receive them each year from their clients, and businesses issue them to the independent contractors they hire.

But under the new rules, if a freelance designer buys a new iMac from the Apple Store, they’ll have to send Apple a 1099. A laundromat that buys soap each week from a local distributor will have to send the supplier a 1099 at the end of the year tallying up their purchases.

The bill makes two key changes to how 1099s are used. First, it expands their scope by using them to track payments not only for services but also for tangible goods. Plus, it requires that 1099s be issued not just to individuals, but also to corporations.

What’s this mean? More trees destroyed for one.

For any individual or company that pays for services from you for greater than $600, they have to provide you with a 1099.

Let’s think about how this will affect the typical practice:

• Supplies: how often do you order less than $600 in supplies = 1099
• Equipment: not much medical equipment for less than $600 = 1099
• Software: EMR/EHR/PM not below $600 for sure, oh and if you use a web based EHR that costs more than $600 per month = 1099 x 12.
• Support: most software support is greater than $600 per year = 1099

The list goes on.

Why is this happening?

Well, more paperwork means an easier to follow paper trail which is expected to make it more difficult for folks to dodge taxes ergo this is an attempt to collect more taxes to pay for the new healthcare reform bill.

Sit back for a moment and just think through all the additional paperwork this will generate for your office…not only the 1099’s that you have to fill out and send, but the 1099’s all your patients will need to fill out and send to you…that you will need to keep organized.

There’s a bill introduced by Rep. Dan Lungren (H.R. 5141), which has gathered over 80 members of Congress as co-sponsors to repeal this section.

It’s probably worth noting you should talk to your congressman about this.

On Friday (the second best day to report bad news), American Airlines announced that a hard drive had been stolen from it’s Fort Worth headquarters building.

On this hard drive was current and former employee:

• Names
• Addresses
• Dates of birth
• Social Security numbers
• some bank information

Oh, and “No customer data was affected”…whew!  I’m sure the employees are grateful.

Things we don’t know:

• Was this a portable hard drive?
• Was this on a computer that was being “thrown out”?
• Was this an actual break-in theft?
• What policies were broken regarding storage of this hard drive?

So, why discuss this non-medical event?

It is another solid example how you can’t overlook anything.

You need to have policies in place:

• Physical security
  • Is your server room locked?
  • Are patients able to wander from the waiting room to the back without escort?
• Encryption?
  • Is PHI stored on portable devices?
  • Should your entire server be encrypted?
• Reaction Checklists
  • Once a suspected (or actual) data release occurs, what do you do next?

You need to have your act together ahead of time so something like this does not consume every moment of your day and prevent you from generating income.

Georgia’s  largest health insurance company, Blue Cross and Blue Shield of Georgia, has warned 70,000 Georgians that their personal medical information, Social Security numbers and credit card data “may have been wrongly accessed because of a Web site security breach.”

One might argue this isn’t really the fault of BCBS of GA as the security problem at  is part of an even larger breach of its parent company, WellPoint, which this month sent warning letters to 470,000 people across the country.

See our previous post on the WellPoint Screw up here >>

“Information was exposed for five months”, said company spokeswoman Cindy Sanders.  “It affected applicants under the age of 65 who were applying for individual policies”.  She said the problem occurred following a faulty Web site upgrade in October.

Faulty?

This is a mess.

WellPoint/BCBS are acting as though, and being treated as if, they are too big to fail.

Until the victims speak up, until we all wake up and realize that Facebook and Google and Twitter are not appropriate places to expose everything about us, we’ll continue to shrug off catastrophes like this.

A small practice would be squashed if they did this…these big companies keep on truckin.

As noted in Reuters:

WellPoint Inc., has warned some 470,000 people who applied for its health insurance that a website security glitch may have exposed their Social Security numbers and other sensitive data to the public….The glitch was introduced…by a contractor who upgraded the site….

A couple of things to note here:

1. Large companies can (and will) continue to screw up like this and merely apologize, small companies, specifically medical practices can not.  The bad local press a situation like this generates will squash a local medical practice.
   • So once again I say, HIPAA is not just for Hospitals.  Just like a tax audit and fine is a bump in the road for a large company, the same situation can run a small business out of business.
2. The ever important Associate’s Agreement, and of course the software/website specifications clarifying the site be secure!
   • If this were to happen to a medical practice that had an Associate’s Agreement in place, this would at least show that medical practice was doing everything they could to do things correctly and by the federal law.