EHR vendor loses ONC certification for two of its records systems
This week health care organizations were startled and not a little concerned to learn of the ONC's unprecedented action with regards to a California health software company. The agency is decertifying electronic health records systems which initially met ONC requirements for certification.
Via Modern Healthcare:
For the first time, the Office of the National Coordinator for Health Information Technology at HHS has revoked certifications for two electronic health-record systems, raising troubling questions about how physicians and hospitals should react if the government nixes a system they're already using.
Federal officials require that doctors and hospitals use certified EHR systems in order to receive federal money to defray the cost of converting to EHRs. But on Thursday, the ONC said it decided to revoke certifications for two products on the market after anonymous complaints were lodged about the systems.
EHRMagic, of Santa Fe Springs, Calif., had two of its records systems shot down by the government: EHRMagic-Ambulatory and EHRMagic-Inpatient. Two people familiar with the company interviewed for this story said they were not surprised by the development, since the firm didn't seem able to live up to its promises on the sales side of the operation several years ago.
Calls and e-mails to EHRMagic on Thursday were not returned. Records with the California secretary of state list the 4-year-old company's corporate status as “suspended.”
ONC spokesman Peter Ashkenaz said no healthcare provider has “attested” to using the system, which means that no one had tried to receive federal funding to pay for installation of an EHRMagic system. Since 2011, more than 234,000 organizations and individuals have received a total of $12.7 billion in EHR incentives to install one of the 1,700 systems eligible for payments.
But a blog post Thursday from Carol Bean, director of the certification office at the ONC, makes clear that the office will continue aggressive monitoring for other EHR systems that don't meet the federal requirements. That includes proactive investigations and surveillance by the office, as well as inquiries that stem from tips from the public about shoddy systems.
“We want to be clear,” the blog post says, “the office of certification's role doesn't stop after EHR certification. We are also going to monitor certified EHRs to determine whether they continue to meet our requirements. The doctors, hospitals and other providers that are adopting—and have already adopted—EHRs deserve this and should feel confident that the tools they are using are up to the job of helping their patients get the best care possible.”
Ashkenaz declined to say what a healthcare provider should do if the system it is using ends up retroactively decertified for payments, as EHRMagic's systems were.
Richard Gant, CEO of physician-supply seller Innovative Healthcare Systems in Royal Palm Beach, Fla., said the EHRMagic situation pointed to another major concern about decertification. EHRMagic sells what is known as a “cloud-based” system, meaning that patient information is stored off-site and not physically in a provider's office.
“The biggest issue is, all of your information is on their servers,” he said. “And if they disappear, that information could go away.”
Several years ago, Gant's firm attempted to sell EHRMagic's systems through a sales model that would have allowed it to be installed for free in exchange for eventual federal subsidies. But he said Innovative Healthcare Systems severed its relationship with the EHRMagic after several initial attempts to install it failed, and sales payments were not forthcoming.
“When they weren't paying for anything and they weren't supporting clients of ours, we said goodbye,” Gant said. “I'm surprised they were even around to even be decertified.”
By Joe Carlson
“ONC revokes firm's EHR certifications,” Modern Healthcare (April 25, 2013)
Health education materials provided to health care consumers until now have commonly assumed a fairly high level of “health literacy” – a level which, research has shown, makes the materials inaccessible to about 77 million people. HHS’ new program addressing this issue begins with the development of a system to rate health information as efforts are made to improve the quality of these materials.
National Coordinator for Health IT Farzad Mostashari has announced there is no cap on how much individual providers may receive in meaningful use incentive payouts, as long as they meet the requirements for the EHR incentive payments program. According to the ONC, almost seven billion of the approximately twenty billion dollars in incentives allocated under the HITECH Act has already been distributed.
In preparation for the launching of ONC's permanent EHR system testing and certification program, part of the EHR incentive payment initiative, ONC has authorized five groups as permanent EHR certifiers.
On April 17, 2012, HHS announced that its Office for Civil Rights (OCR) settled a HIPAA violation case against a surgery practice in Arizona, for $100,000 and a Corrective Action Plan (CAP), which requires implementation of policies and procedures to prevent such HIPAA violations and breaches in the future.
On February 24, 2012, Center for Medicare and Medicaid Services (CMS) and the Office of National Coordinator for Health IT (ONC) issued proposed rules regarding Stage 2 of Meaningful Use. The proposed rules include the criteria for demonstrating Stage 2 Meaningful Use, and address the penalties for failure to achieve Meaningful Use by 2015. HHS noted the progress made in the last few years, but also recognized the challenges facing the industry, and pushed back the attestation for Stage 2 to 2014. Via 
On October 20, 2011, CMS published the final rule on Accountable Care Organizations (ACOs) or, as it is formally known, the Medicare Shared Savings Program (the "Program"), enacted as part of the Patient Protection and Affordable Care Act (ACA) of 2010. According to CMS chief Don Berwick, MD, the Program represents an "opportunity to coordinate care among providers," which could "greatly improve the quality of care Medicare beneficiaries receive," and produce substantial savings for the federal government. The Program creates incentives for providers to collaborate in treating an individual patient across care settings, in order to receive a portion of the savings generated from providing such care. 
The HIT Policy Committee, which advises the Office of the National Coordinator for Health IT in the Department of Health and Human Services, voted 12-5 to approve a significant delay in requiring providers to meet Stage 2 Meaningful Use until 2014. If finalized by CMS, such delay would be a welcome relief to those providers who qualified for Stage 1 Meaningful Use in 2011 (and therefore would have only a few months to commence Stage 2 Meaningful Use under the current rule).
HHS's own Office of Inspector General (OIG) issued a scathing report regarding pervasive breaches in privacy and security of patient data. OIG specifically called out the Office of Civil Rights (OCR), charged with enforcement of HIPAA Privacy and Security Rules, for failing to investigate and punish the vast majority of violators.
Earlier today, HHS has released the highly anticipated proposed rule on Accountable Care Organizations (ACOs). The rules will guide healthcare providers in setting up exchanges of healthcare data to improve care and reduce costs, as mandated under the Patient Protection and Accountable Care Act of 2010.
Cignet Health, a Maryland health plan and a HIPAA covered entity, has been fined $4.3 million for failing to produce health records upon request to 41 patients, and for failing to cooperate with OCR with the agency's investigation. This is the very first civil money penalty (CMP) issued by HHS under the HIPAA Privacy Rule.
Post & Schell, in collaboration with 
In addition, our guest presenter for this webinar, Alex Ricardo, CIPP of Kroll Fraud Solutions, discussed the practical implications of this new set of regulations on covered entities and business associates, including:
The Rite Aid Corporation, the third largest pharmacy chain in the United States, reached a 
On July 7, 2010, HHS issued a notice of proposed rule making (NPRM) regarding the changes to the HIPAA Privacy, Security and Enforcement Rules, as provided in the HITECH Act, in order "to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules." .gif){kind=logo}
HHS's Office of Civil Rights (OCR) filed a notice in the Federal Register lifting a requirement preventing OCR from posting names of sole practitioners who suffer breaches of patient data without first obtaining consent from such practitioners. Pursuant to the HITECH Act, any covered entity reporting a breach affecting over 500 individuals must report such breach to HHS, and HHS will post a notice of such breach on its web site. At the same time, HHS did not post names of individual physician practices (e.g., sole practitioners) without such physicians' consent because they deemed the name of the physician to be protected under the Privacy Act of 1974. Instead, HHS listed such breaches under "private practice." However, OCR announced on April 16, 2010, that "it will begin posting on its breach notification web site the names of entities they consider "individuals" regardless of whether or not those entities give consent." According to .gif){kind=logo}
A group of 37 U.S. Senators sent a .gif){kind=logo}
Pursuant to the HITECH Act, on February 17, 2010, business associates of covered entities .gif){kind=logo}
Pursuant to the HITECH Act, the Department of Health and Human Services (HHS) released interim final regulations updating enforcement rules for violations of HIPAA. As .gif){kind=logo}
On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. 