CMS Extends Meaningful Use Attestation Deadline to March 13

Posted February 9th in Education, Meaningful Use, News

doctor-clockCMS has extended its original deadline for 2016 EHR Incentive Program attestations from Feb 28 to March 13, giving providers two more weeks to successfully attest. Below is the information from CMS eHealth News Updates:

Attest to 2016 EHR Incentive Program Requirements by March 13 to Avoid a 2018 Payment Adjustment

The Centers for Medicare & Medicaid Services (CMS) has extended the attestation deadline for providers participating in the Medicare EHR Incentive Program to Monday, March 13, 2017, at 11:59 p.m. PT.

Providers participating in the Medicare EHR Incentive Program must attest to the 2016 program requirements by March 13, 2017 to avoid a 2018 payment adjustment.
If you are participating in the Medicaid EHR Incentive Program, please refer to your state’s deadlines for attestation information.
If you are eligible to participate in both the Medicare and Medicaid EHR Incentive Programs, you MUST demonstrate meaningful use to avoid the Medicare payment adjustment. You may demonstrate meaningful use under either Medicare or Medicaid. If you are eligible to participate in both the Medicare and Medicaid EHR Incentive Programs, you MUST demonstrate meaningful use to avoid the Medicare payment adjustment. You may demonstrate meaningful use under either Medicare or Medicaid.

Attestation Resources:

Registration and Attestation System
Eligible Professional (EP) and Eligible Hospital and Critical Access Hospital (CAH) Attestation Worksheets
EP and Eligible Hospital and CAH Attestation User Guides
EP and Eligible Hospital and CAH Registration User Guides
Attestation Batch Upload Webpage

CMS Contacts:

For questions about the Registration and Attestation System, contact the EHR Information Center at 1-888-734-6433 (press option 1). The EHR Information Center is open Monday through Friday from 6:30 a.m. to 5:30 p.m. ET, except federal holidays.

Contact the Kentucky REC for more information and help with this and other issues facing your practice at 859-323-3090.

Review CMS Quality Payment Program (QPP) Website

Posted February 7th in Value Based Payment/MACRA

helpbuttonWe need your help!

With the nationwide migration of health care providers into value-based payment systems this year, it is vitally important that the QPP Portal  be as user friendly, easily understood, and helpful as it can possibly be.

Who better than the providers and staff to help with an upgrade?

Please contact the Kentucky REC if you would be willing to review the web site and provide feedback, ideas, and suggestions about how to improve the QPP Portal to make it the best it can be for all who depend upon it.

Your insights and ideas will prove essential to guiding future changes and upgrades to the QPP Portal.

Access the QPP Portal here.

Contact us at 859-323-3090 or email us at

Meaningful Use Deadlines Approaching

Posted February 1st in Education, Meaningful Use

ehr incentive program screenImportant deadlines for Meaningful Use are upon us. Listed below are dates to help you keep your practice on track.

• February 28, 2017 (Medicare EHR Incentive Program) CY 2016 Attestation Deadline
• February 28, 2017 (Medicare EHR Incentive Program) 2017 Payment Adjustment Reconsideration Deadline
• February 28, 2017 (Medicaid EHR Incentive Program) Last day to enroll and submit Registration for Program Year 2016
• March 31, 2017 (Medicaid EHR Incentive Program) Last day to submit an Attestation to receive an incentive payment for Program Year 2016

If your practice is a current client of the Kentucky REC, our Health IT Advisors are setting up appointments now to assist with attestations. With deadlines approaching quickly, contact your advisor to set up your appointment. If you are not currently a client and would like more information, contact us at 859-323-3090.


According to CMS approximately 171,000 Medicare eligible EPs are subject to a downward payment adjustment in 2017 for failure to demonstrate meaningful use. If you feel you are subject to the payment adjustment for Medicare in error, please follow the instructions on the website link here to apply for payment adjustment reconsideration for Program Year 2017. If you received a letter from CMS stating that you would receive a payment adjustment and you were paid for 2015 MU attestation you will still need to fill out the payment adjustment reconsideration letter.

Medicare Payment adjustments for eligible Professionals are applied to the Medicare Physician Fee Schedule and the amounts were established by law:
• For 2015 – 99% of MPFS
• For 2016 – 98% of MPFS
• For 2017 – 97% of MPFS
• For 2018 – 97% of MPFS

Additional information on EHR Incentive Program Payment Adjustments and Reconsideration Application can be found here. There are two applications – one for single EPs and one for multiple EPs. To use the multiple EP application, all of the EPs must be from the same group and apply for the same reconsideration reason. A maximum of 25 EPs may apply on one reconsideration application.
To be reconsidered for the 2017 payment adjustment, this application must be submitted electronically by 11:59 PM ET, February 28, 2017. The date the application is received will be the submission date.
If approved, this payment adjustment reconsideration is valid only for 2017 payment adjustments.

The Kentucky REC is your trusted advisor for understanding government healthcare regulations and their impact on providers. Contact us for more information at 859-323-3090.

OCR Publishes Guidance Regarding Audit Controls

Posted January 24th in HIPAA Information

Audit KeyFrom HHS OCR Cyber Newsletter:  Understanding the Importance of Audit Controls

Covered Entities and Business Associates should make sure that they appropriately review and secure audit trails, and they use the proper tools to collect, monitor, and review audit trails. Protecting audit logs and audit trails prevent intruders from tampering with the audit records and protecting their integrity. Not safeguarding audit logs and audit trails can allow hackers or malevolent insiders to cover their electronic tracks, making it difficult for Covered Entities and Business Associate to not only recover from breaches, but to prevent them before they happen.

According to the National Institute of Standards and Technology (NIST), audit logs are records of events based on applications, users, and systems, and audit trails involve audit logs of applications, users, and systems. Audit trails’ main purpose is to maintain a record of system activity by application processes and by user activity within systems and applications.

The HIPAA Security Rule provision on Audit Controls (45 C.F.R. § 164.312(b)) requires Covered Entities and Business Associates to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI). The majority of information systems provide some level of audit controls with a reporting method, such as audit reports. These controls are useful for recording and examining information system activity which also includes users and applications activity.

Examples of audit trails include:

Application audit trails – Normally monitor and log user activities in the application. This includes the application data files opened and closed, and the creating, reading, editing, and deleting of application records associated with ePHI.

System-level audit trails – Usually capture successful or unsuccessful log-on attempts, log-on ID/username, date and time of each log-on/off attempt, devices used to log-on, and the application the user successfully or unsuccessfully accessed.

User audit trails – Normally monitor and log user activity in a ePHI system or application by recording events initiated by the user, such as all commands directly initiated by the user, log-on attempts with identification and authentication, and access to ePHI files and resources.

Audit controls that produce audit reports work in conjunction with audit logs and audit trails. Audit logs and trails assist Covered Entities and Business Associates with reducing risk associated with: reviewing inappropriate access; tracking unauthorized disclosures of ePHI; detecting performance problems and flaws in applications; detecting potential intrusions and other malicious activity; and providing forensic evidence during investigation of security incidents and breaches. As part of this process, Covered Entities and Business Associates should consider which audit tools may best help them with reducing non-useful information contained in audit records, as well as with extracting useful information.

The HIPAA Security Rule does not identify what information should be collected from an audit log or trail or how often the audit reports should be reviewed. When determining reasonable and appropriate audit controls for information systems containing or using ePHI, Covered Entities and Business Associates must consider their risk analysis results and organizational factors, such as their current technical infrastructure, hardware, and software security capabilities. It is imperative for Covered Entities and Business Associates to review their audit trails regularly, both particularly after security incidents or breaches, and during real-time operations. Regular review of information system activity should promote awareness of any information system activity that could suggest a security incident or breach. Access to audit trails should be strictly restricted, and should be provided only to authorized personnel.

Questions that Covered Entities and Business Associates should consider:

• What audit control mechanisms are reasonable and appropriate to implement so as to record and examine activity in information systems that contain or use ePHI?

• What are the audit control capabilities of information systems with ePHI?

• Do the audit controls implemented allow the organization to adhere to their audit control policies and procedures?

• Are changes or upgrades of an information system’s audit capabilities necessary?


The original publication may be accessed here.

National Institute of Standardization and Technology (NIST Special Publication 800-12 An Introduction to Computer Security: The NIST Handbook)

Department of Health and Human Services, Office for Civil Rights (OCR)  (Technical Safeguards)

OCR’s Monthly Cyber Awareness newsletters and other HIPAA Security Rule Guidance Material may be found here.

The Kentucky REC is your trusted resource for security and privacy concerns. Contact us at 859-323-3090

ICD-10 Glitch Leads CMS to Relax Physician Quality Penalties

Posted January 10th in Education, News, PQRS, Value Based Payment/MACRA

questionCMS issued something of a “get-out-of-Medicare-penalties-free-card” for two years to physicians and group practices due to a glitch with quality reporting measures based on a recent update to the ICD-10 diagnosis and procedure codes.

CMS pointed its finger at updates that went into use Oct. 1, 2016, to the ICD-CM (Clinical Modification) and ICD-PCS (Procedural Coding System) and their impact on the Physician Quality Reporting System (PQRS).

The updates “will impact CMS’s ability to process data reported on certain quality measures for the 4th quarter of CY 2016,” the agency said in a statement posted on its website.

CMS said it will not apply the 2017 or 2018 PQRS payment adjustments to any “eligible professional” or “group practice that fails to satisfactorily report for (calendar year) 2016 solely as a result of the impact of ICD-10 code updates on quality data reported for the 4th quarter of (CY) 2016.”

“What they’re basically saying is that new coding updates apparently had some impact on their quality measures and they will not be able to process data on those,” said Stanley Nachimson, a health IT consultant expert on the ICD-10 codes. “It sounds like the first three quarters were fine, but in the fourth quarter it had some impact on their quality measures. They’re not going to penalize providers if they couldn’t come up with PQRS quality measures.”

Normally under the PQRS program, penalties are 2% of the Medicare fee schedule.

According to a page of frequently asked questions, problem areas concentrated in certain medical specialties, notes Sue Bowman, senior director of coding policy and compliance at the American Health Information Management Association.

“It says the majority of the codes are for diabetes, pregnancy, cardiovascular, oncology, mental health and eye diseases,” Bowman said.

So, when will the ICD-10 code update itself be updated?

Bowman said that’s not specified. But at least CMS acknowledged the problem and is taking steps to correct it and mitigate its impact, she said.

“CMS is pretty good about working with providers,” she said. “They recognized this is a problem and the providers shouldn’t be penalized for it.”

Source: Modern Healthcare