On March 20, 2015, the Department of Health and Human Services’ (HHS) Centers for Medicare & Medicaid Services (CMS) issued a proposed rule for Stage 3 of the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs. Stage 3 raises the bar for all providers, increasing some existing threshold measures from Stage 2 and proposing aggressive timelines for attestation. The new rules require providers to meet rigorous qualifications, and all eligible Medicare and Medicaid providers (EPs) must attest to meaningful use Stage 3 by 2018. While financial incentives are tapering off for meaningful use, the implication is clear. The penalty phase is about to begin in earnest. Starting in January 2015, nearly 257,000 eligible professionals (EPs) – or half of all EPs - will face a one percent cut to their Medicare reimbursements for not meeting meaningful use standards, according to CMS.

The protection and security of electronic medical records is a topic of growing concern. While the public may be focusing on the issue of breaches due to recent data hacks, the Office of Inspector General is turning its attention to EHR fraud. The OIG is calling for the Centers for Medicare & Medicaid Services to address the issue of EHR fraud vulnerabilities. In a March 2015 report, the OIG claimed that the agency has not adequately implemented fraud safeguards. "HHS must do more to ensure that all hospitals' EHRs contain safeguards and that hospitals use them to protect against electronically enabled healthcare fraud," OIG officials wrote in the report.

Part 1: Interoperability & EHR Function Measures On March 20 2015, The Centers for Medicare & Medicaid Services (CMS) released Stage 3 of their Electronic Health Record Incentive Program. At the same time, the Office of the National Coordinator for Health Information Technology (ONC) released the 2015 Editions of the Health Information Technology Certification Criteria, Base Electronic Health Record Definition, and ONC Health IT Certification Program. This news has resulted in some rather extreme reactions among some in the healthcare industry—for example, absolute panic and unbridled rage. This seems rather odd. Come on… it’s not like we weren’t aware that this was coming. As a matter of fact, I’m pretty sure that I gave everyone a heads up about this back in January. Based on how certain people are behaving, though, you’d think the CMS & ONC just surprised all of us with this stuff like it’s some kind of weird fire drill. Then again, trying to make sense out of so much complicated (and, let’s face it, very boring) text is probably enough to make anyone a little irritable.

Providers as well as health care organizations have eagerly waited for the Centers for Medicare & Medicaid Services to reveal the stage 3 requirements for meaningful use under the Health Information Technology for Economic and Clinical Health Act. On March 20, the organization finally released the proposed rule for stage 3.

Just about any business, especially in healthcare, is likely already covered by some kind of general liability insurance. Such policies are standard, providing coverage for events such as bodily injury and/or property damage that result from the insured’s operation, product, and/or building/site. However, these types of policies were created long before the days of cybercrime. They were never meant to cover liability or loss from things like cyberattacks and data breaches. Therefore, these policies rarely if ever cover losses due to cybercrime. In fact, just about all general liability policies now come with very specific language about the fact that they do NOT cover such losses or costs due to cyber-incidents. This means many businesses have no choice but to turn to cyber insurance… and so they should.

Some readers might remember the Anthem data breach, in which around 78.4 million people had their records compromised, that I briefly mentioned at the start of our cybersecurity blog series. At the time, the cause of that breach had not yet been made public. By a funny (or, perhaps not so funny) coincidence, it turned out to be the result of spear-phishing (which that article covered) and was further compounded by factors such as Anthem’s lack of data encryption and their poor password security practices. One would think that the catastrophic and very public data breach at Anthem would have served as a strong warning to other such organizations, and that they would have taken steps to prevent the same from happening to them.

Regardless of how prepared your practice is for the coming implementation of ICD-10, you may be somewhat overwhelmed with the number of tasks you've completed to get ready. The October 1, 2015 deadline seems as though it is going to stick this year, so if you are not in the process of preparing your practice for the big switch, you should start immediately. No matter your stage of preparation, at times like these, it's often good to take a second, step back and reflect on the fruits of your labors. With that in mind, check out some of the surprising side effects of ICD-10 implementation: