OCR Publishes Guidance Regarding Audit Controls

Posted January 24th in HIPAA Information

From HHS OCR Cyber Newsletter: Understanding the Importance of Audit Controls

Covered Entities and Business Associates should make sure that they appropriately review and secure audit trails, and that they use the proper tools to collect, monitor, and review them. Protecting audit logs and audit trails prevents intruders from tampering with the audit records and preserves their integrity. Failing to safeguard audit logs and audit trails can allow hackers or malevolent insiders to cover their electronic tracks, making it difficult for Covered Entities and Business Associates not only to recover from breaches, but to prevent them before they happen.

According to the National Institute of Standards and Technology (NIST), audit logs are records of events based on applications, users, and systems, and audit trails involve audit logs of applications, users, and systems. Audit trails’ main purpose is to maintain a record of system activity by application processes and by user activity within systems and applications.

The HIPAA Security Rule provision on Audit Controls (45 C.F.R. § 164.312(b)) requires Covered Entities and Business Associates to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI). The majority of information systems provide some level of audit controls with a reporting method, such as audit reports. These controls are useful for recording and examining information system activity, including user and application activity.

Examples of audit trails include:

Application audit trails – Normally monitor and log user activities in the application. This includes the application data files opened and closed, and the creating, reading, editing, and deleting of application records associated with ePHI.

System-level audit trails – Usually capture successful or unsuccessful log-on attempts, log-on ID/username, date and time of each log-on/off attempt, devices used to log-on, and the application the user successfully or unsuccessfully accessed.

User audit trails – Normally monitor and log user activity in an ePHI system or application by recording events initiated by the user, such as all commands directly initiated by the user, log-on attempts with identification and authentication, and access to ePHI files and resources.

Audit controls that produce audit reports work in conjunction with audit logs and audit trails. Audit logs and trails assist Covered Entities and Business Associates with reducing risk associated with: reviewing inappropriate access; tracking unauthorized disclosures of ePHI; detecting performance problems and flaws in applications; detecting potential intrusions and other malicious activity; and providing forensic evidence during investigation of security incidents and breaches. As part of this process, Covered Entities and Business Associates should consider which audit tools may best help them with reducing non-useful information contained in audit records, as well as with extracting useful information.

The HIPAA Security Rule does not identify what information should be collected from an audit log or trail or how often the audit reports should be reviewed. When determining reasonable and appropriate audit controls for information systems containing or using ePHI, Covered Entities and Business Associates must consider their risk analysis results and organizational factors, such as their current technical infrastructure, hardware, and software security capabilities. It is imperative for Covered Entities and Business Associates to review their audit trails regularly, particularly after security incidents or breaches, as well as during routine real-time operations. Regular review of information system activity should promote awareness of any information system activity that could suggest a security incident or breach. Access to audit trails should be strictly restricted, and should be provided only to authorized personnel.
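The two practices the newsletter stresses, protecting audit records against tampering and reviewing them regularly, can be illustrated together. The following is an added example, not code from OCR or NIST: it chains constructed system-level audit records with HMAC-SHA256 so that deleting, editing or reordering a record is detectable, and then runs a simple review pass that flags repeated failed log-ons and lists every access to an ePHI object. The record fields, the key and the threshold are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import json
from collections import Counter

# Constructed sample system-level audit records (not from any real system).
# Fields follow what the guidance lists for system-level trails: user,
# date/time, device, application and the outcome of each log-on attempt.
SAMPLE_EVENTS = [
    {"ts": "2017-01-24T08:01:10", "user": "jsmith", "device": "ws-12", "app": "EHR", "event": "logon", "outcome": "success"},
    {"ts": "2017-01-24T08:02:31", "user": "jsmith", "device": "ws-12", "app": "EHR", "event": "read", "outcome": "success", "object": "ePHI:patient/1042"},
    {"ts": "2017-01-24T22:15:01", "user": "bjones", "device": "ws-77", "app": "EHR", "event": "logon", "outcome": "failure"},
    {"ts": "2017-01-24T22:15:09", "user": "bjones", "device": "ws-77", "app": "EHR", "event": "logon", "outcome": "failure"},
    {"ts": "2017-01-24T22:15:20", "user": "bjones", "device": "ws-77", "app": "EHR", "event": "logon", "outcome": "failure"},
    {"ts": "2017-01-24T22:16:02", "user": "bjones", "device": "ws-77", "app": "EHR", "event": "logon", "outcome": "success"},
    {"ts": "2017-01-24T22:16:40", "user": "bjones", "device": "ws-77", "app": "EHR", "event": "read", "outcome": "success", "object": "ePHI:patient/1042"},
]

GENESIS = "0" * 64  # "previous tag" value used for the first record in a chain

def _tag(key, prev, record):
    # The MAC covers the previous tag plus a canonical serialization of the record.
    body = prev + json.dumps(record, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def chain_records(events, key):
    """Wrap each record with an HMAC that also covers the previous record's
    HMAC, so deleting, reordering or editing a record breaks every later link."""
    chain, prev = [], GENESIS
    for rec in events:
        tag = _tag(key, prev, rec)
        chain.append({"prev": prev, "record": rec, "tag": tag})
        prev = tag
    return chain

def verify_chain(chain, key):
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["tag"] != _tag(key, prev, entry["record"]):
            return i
        prev = entry["tag"]
    return -1

def review(events, failure_threshold=3):
    """Regular-review pass: flag users with repeated failed log-ons and list
    every access to an ePHI object so a reviewer can check it was appropriate."""
    failed = Counter(e["user"] for e in events
                     if e["event"] == "logon" and e["outcome"] == "failure")
    findings = [f"{u}: {n} failed log-ons" for u, n in failed.items()
                if n >= failure_threshold]
    ephi_access = [(e["ts"], e["user"], e["object"]) for e in events
                   if e.get("object", "").startswith("ePHI:")]
    return findings, ephi_access
```

The MAC key (an assumed value in the test) should be held by the log collector rather than the audited host, so an intruder who controls the host cannot re-sign the records they altered.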

Questions that Covered Entities and Business Associates should consider:

• What audit control mechanisms are reasonable and appropriate to implement so as to record and examine activity in information systems that contain or use ePHI?

• What are the audit control capabilities of information systems with ePHI?

• Do the audit controls implemented allow the organization to adhere to their audit control policies and procedures?

• Are changes or upgrades of an information system’s audit capabilities necessary?


The original publication may be accessed here.

National Institute of Standards and Technology (NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook)

Department of Health and Human Services, Office for Civil Rights (OCR)  (Technical Safeguards)

OCR’s Monthly Cyber Awareness newsletters and other HIPAA Security Rule Guidance Material may be found here.

The Kentucky REC is your trusted resource for security and privacy concerns. Contact us at 859-323-3090

ICD-10 Glitch Leads CMS to Relax Physician Quality Penalties

Posted January 10th in Education, News, PQRS, Value Based Payment/MACRA

CMS issued something of a “get-out-of-Medicare-penalties-free-card” for two years to physicians and group practices due to a glitch with quality reporting measures based on a recent update to the ICD-10 diagnosis and procedure codes.

CMS pointed its finger at updates that went into use Oct. 1, 2016, to the ICD-CM (Clinical Modification) and ICD-PCS (Procedural Coding System) and their impact on the Physician Quality Reporting System (PQRS).

The updates “will impact CMS’s ability to process data reported on certain quality measures for the 4th quarter of CY 2016,” the agency said in a statement posted on its website.

CMS said it will not apply the 2017 or 2018 PQRS payment adjustments to any “eligible professional” or “group practice that fails to satisfactorily report for (calendar year) 2016 solely as a result of the impact of ICD-10 code updates on quality data reported for the 4th quarter of (CY) 2016.”

“What they’re basically saying is that new coding updates apparently had some impact on their quality measures and they will not be able to process data on those,” said Stanley Nachimson, a health IT consultant expert on the ICD-10 codes. “It sounds like the first three quarters were fine, but in the fourth quarter it had some impact on their quality measures. They’re not going to penalize providers if they couldn’t come up with PQRS quality measures.”

Normally under the PQRS program, penalties are 2% of the Medicare fee schedule.

According to a page of frequently asked questions, problem areas concentrated in certain medical specialties, notes Sue Bowman, senior director of coding policy and compliance at the American Health Information Management Association.

“It says the majority of the codes are for diabetes, pregnancy, cardiovascular, oncology, mental health and eye diseases,” Bowman said.

So, when will the ICD-10 code update itself be updated?

Bowman said that’s not specified. But at least CMS acknowledged the problem and is taking steps to correct it and mitigate its impact, she said.

“CMS is pretty good about working with providers,” she said. “They recognized this is a problem and the providers shouldn’t be penalized for it.”

Source: Modern Healthcare

CMS Publishes Update on eCQM Value Sets for 2017

Posted January 10th in Education, PQRS, Value Based Payment/MACRA

The Centers for Medicare & Medicaid Services (CMS) and the National Library of Medicine (NLM) have published an addendum to the 2016 eCQM specifications (published in April 2016). This addendum updates relevant International Classification of Diseases (ICD)-10 Clinical Modification (CM) and Procedure Coding System (PCS) eCQM value sets for the 2017 performance year. These changes affect electronic reporting of eCQMs for the following programs:
• The Hospital Inpatient Quality Reporting Program;
• The Medicare Electronic Health Record (EHR) Incentive Program for eligible hospitals and critical access hospitals (CAHs);
• The Merit-based Incentive Payment System (MIPS) for MIPS eligible clinicians.

What Changes are Included in the Addendum?
Changes will only affect the value sets for eCQMs remaining in the programs listed above for 2017 reporting. The Health Quality Measure Format (HQMF) specifications, the value set object identifiers (OIDs), and the measure version numbers for 2017 eCQM reporting will not change.
The changes to the ICD-10 value sets consist of deletion of expired codes and addition of relevant replacement codes. Newly available codes that represent concepts consistent with the intent of the value set and corresponding measure(s) were also added. CMS is prioritizing these ICD-10 updates. Updates for other terminologies will take place during the 2017 Annual Update.
All changes to ICD-10 value sets are detailed in revised technical release notes, including the OIDs affected and information on the codes added or deleted from the value sets.

Where is the Addendum Posted?
The following updated measure information is available on the eCQM library and the electronic Clinical Quality Improvement (eCQI) Resource Center websites, including:
• eCQM specifications, which include only measures in use for 2017 eCQM reporting
• eCQMs for Eligible Clinicians Table January 2017 and eCQMs for Eligible Hospitals Table January 2017, which include only measures in use for 2017 eCQM reporting
• Revised release notes, which provide an overview of technical changes implemented in the addendum. Two sets of release notes will be available.
-The first set provides information on ICD-10 value set updates for measures affected by this addendum.
-The second set provides information on changes from this addendum and all other updates for the measures included for 2017 eCQM reporting.
All changes to the eCQM value sets are available through the NLM’s Value Set Authority Center (VSAC). The value sets are available as a complete set, as well as value sets per measure. The Data Element Catalog on the VSAC home page contains the complete list of updated eCQMs and value set names.

What Do I Need to Do?
Measure implementers should review these changes and revise mapping of ICD-10 codes as needed to ensure their submissions comply with the updated requirements included in this addendum for 2017 reporting. Clinicians may also have to revise their workflows to comply with the ICD-10 code additions and removals included in this addendum.
More information on implementing and mapping of ICD-10 codes can be found on the CMS website.

Where Do I Go for Assistance?
Questions regarding the addendum, eCQM value sets, appropriateness of mapping, and non-ICD-10 code system updates should be reported to the ONC CQM Issue Tracker.

CMS Update: QRDA-III Instructions for 2017 ECs Now Available

The Centers for Medicare & Medicaid Services (CMS) has published Version 0.1 of the 2017 CMS Implementation Guide for Quality Reporting Document Architecture Category III (QRDA-III) Eligible Clinician Programs with schematrons and sample files. As CMS continues to build the submission portal for eligible clinician reporting, ongoing testing and feedback from stakeholders is essential. As part of this process, CMS encourages partners and stakeholders to utilize these tools and provide feedback on an ongoing basis. CMS has made the guide, schematrons and sample files available for a public comment period on the ONC QRDA JIRA Issue Tracker until April 1, 2017. A JIRA account is required to comment. You can find the implementation guide and supplemental documents on the CMS eCQM Library and the Electronic Clinical Quality Improvement (eCQI) Resource Center. Additional information pertaining to eligible clinician reporting can be found on the Quality Payment Program website.

This Version 0.1 implementation guide provides CMS-specific instructions for submitting QRDA-III documents for the 2017 performance period for the:
• Comprehensive Primary Care Plus (CPC+)
• Merit-Based Incentive Payment System (MIPS)

General Background:
• QRDA-III is a standard document format for the exchange of aggregated electronic clinical quality measure (eCQM) data. QRDA is one format CMS supports for eCQM submission.
• The implementation guide defines the form and manner required to implement a valid QRDA file for submission.
• The Schematron ensures that the submitted files follow all requirements defined in the implementation guide.

The Version 0.1 2017 CMS Implementation Guide for QRDA-III Eligible Clinician Programs contains the following high-level changes compared with the reporting specifications for Eligible Professionals in the 2016 CMS Implementation Guide for QRDA-III Eligible Professional Programs. The Version 0.1 2017 implementation guide:
• Replaces the term “Eligible Professional” with “Eligible Clinician”.
• Only contains CMS QRDA-III reporting guidance for eligible clinician programs. The QRDA Category I is no longer an accepted submission method in 2017 for eligible clinician programs.
• Is based on the HL7 Implementation Guide for CDA Release 2 Quality Reporting Document Architecture – Category III, Standard for Trial Use (STU) Release 2. The HL7 implementation guide includes template updates to:
-Support advancing care information and improvement activities performance categories under the MIPS; and
-Address the HL7 September 2016 ballot cycle ballot reconciliation.
• Includes updated eCQM Universally Unique IDs (UUIDs) based on the April 2016 annual update eCQM specifications, advancing care information measure identifiers, and improvement activities identifiers.
• Provides implementation reporting guidance for the CPC+ and MIPS programs.
• Establishes new requirements for adding C4 filtering based on the 2015 Edition Health IT Certification Criteria final rule for the CPC+ Program.

The Version 0.1 2017 implementation guide does not contain the following previously published information. You can find these resources on the CMS eCQM Library:
• The April 2016 annual update eCQM specifications for 2017 reporting; and
• Reporting instructions for the Hospital Quality Reporting Program for Eligible Hospitals and Critical Access Hospitals

Contact Kentucky REC for additional information!

New Payment Models to Improve Cardiac and Joint Care

Posted December 29th in Education, Hospitals, News

On December 20, 2016, the Centers for Medicare & Medicaid Services (CMS) finalized new Innovation Center models that continue the Administration’s progress to shift Medicare payments from rewarding quantity to rewarding quality by creating strong incentives for hospitals to deliver better care to patients at a lower cost. These models will reward hospitals that work together with physicians and other providers to avoid complications, prevent hospital readmissions, and speed recovery.

The announcement finalizes significant new policies that:
• Improve cardiac care: Three new payment models will support clinicians in providing care to patients who receive treatment for heart attacks, heart surgery to bypass blocked coronary arteries, or cardiac rehabilitation following a heart attack or heart surgery.

• Improve orthopedic care: One new payment model will support clinicians in providing care to patients who receive surgery after a hip fracture, other than hip replacement. In addition, CMS is finalizing updates to the Comprehensive Care for Joint Replacement Model, which began in April 2016.

• Provide an Accountable Care Organization opportunity for small practices: The new Medicare ACO Track 1+ Model will have more limited downside risk than in Tracks 2 or 3 of the Medicare Shared Savings Program in order to encourage more practices, especially small practices, to advance to performance-based risk.

These new payment models and the updated Comprehensive Care for Joint Replacement Model give clinicians additional opportunities to qualify for a 5 percent incentive payment through the Advanced Alternative Payment Model (APM) path under the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) and the Quality Payment Program. For the new cardiac and orthopedic payment models, clinicians may potentially earn the incentive payment beginning in performance year 2019 or potentially as early as performance year 2018 if they collaborate with participant hospitals that choose the Advanced APM path. For the Comprehensive Care for Joint Replacement model, clinicians may potentially earn the incentive payment beginning in performance year 2017. For the Track 1+ Model, clinicians may potentially earn the incentive payment beginning in performance year 2018, and the application cycle will align with the other Shared Savings Program tracks.

These models are being implemented by the CMS Innovation Center under section 1115A of the Social Security Act, with participation by all hospitals in selected geographic areas in order to yield more generalizable results, and additional protections for small and rural providers. The models will be referred to as:

• The Acute Myocardial Infarction (AMI) Model
• The Coronary Artery Bypass Graft (CABG) Model
• The Surgical Hip and Femur Fracture Treatment (SHFFT) Model
• The Cardiac Rehabilitation (CR) Incentive Payment Model

CMS is also announcing the new Medicare ACO Track 1+ Model. This new opportunity, beginning in 2018, will allow clinicians to join Advanced Alternative Payment Models to improve care and potentially earn an incentive payment under the Quality Payment Program, created by the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA). The new Medicare ACO Track 1+ Model will test a payment model that incorporates more limited downside risk than is currently present in Tracks 2 or 3 of the Medicare Shared Savings Program in order to encourage more rapid progression to performance-based risk.

Below is a list of Kentucky areas affected by the new payment models:

For more information about the individual models finalized through this rule, visit the CMS Innovation Center website.