Updates | HIT Study Guide
Providing approved approved updates even before the next edition is published!
Approved updates to the 5th Edition Fundamentals of Health Information Technology Management for Physician Practices and Ambulatory Health Service Organizations (HITCM-PP Study Guide) are listed here by page number.
Please feel free to suggest an update. If approved, your suggestion will be listed on this page and appear in the next published edition of the manual.
MAIN CONTENT
Page 16
Promoting Interoperability Program (PIP). This program (called Meaningful Use at the time) rolled out in three stages starting in 2011 with incentive and penalty components. In 2017, Stage 3 was optional for Medicaid providers but Medicare Part B providers who were eligible clinicians moved to Medicare Access and CHIP Reauthorization Act’s (MACRA’s) Quality Payment Program (QPP).
Page 18
The paragraph below the bullets.
The Stage 3 requirements were optional in 2017 for Medicaid providers and Medicare Part A providers (such as hospitals) and required for 2018. However, Medicare Part B providers moved to the new Quality Payment Program (QPP) 2017. As with Stage 3, all eligible providers under the QPP were required to use EHR technology certified to the 2015 Edition. Objectives and measures for Stage 3 included increased thresholds, advanced use of HIE functionality and an overall focus on continuous quality improvement.
Pages 19 & 20
Below are excerpts from the CMS Promoting Interoperability Programs website:
(Replace everything after the above statement on page 19 and all of page 20 with the following)
In 2011, the Centers for Medicare and Medicaid Services (CMS) established the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs to encourage eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) to adopt, implement, upgrade, and demonstrate meaningful use of certified electronic health record technology (CEHRT).
To continue a commitment to promoting and prioritizing interoperability and exchange of health care data, CMS renamed the EHR Incentive Programs to the Medicare and Medicaid Promoting Interoperability Programs in April 2018. This change moved the programs beyond the existing requirements of meaningful use to a new phase of EHR measurement with an increased focus on interoperability and improving patient access to health information.
Beginning in calendar year (CY) 2022, the Medicaid Promoting Interoperability Program ended. The program is currently known as the Medicare Promoting Interoperability Program for eligible hospitals and CAHs.
2023 Medicare Promoting Interoperability Program Requirements
In the fall of 2022, CMS finalized changes to the Medicare Promoting Interoperability Program for eligible hospitals and critical access hospitals (CAHs) for calendar year (CY) 2023. These changes and requirements can be found below.
For information on Hardship Exceptions and Payment Adjustments, please visit the Medicare Promoting Interoperability Program Resource Library.
EHR Reporting Period in CY 2023
The Electronic Health Record (EHR) reporting period for new and returning participants attesting to CMS is a minimum of any continuous, self-selected, 90-day period.
Certified EHR Technology (CEHRT)
To be considered a meaningful user and avoid a downward payment adjustment, eligible hospitals and CAHs attesting to the Medicare Promoting Interoperability Program will be required to use CEHRT that has been updated to meet 2015 Edition Cures Update criteria.
The CY 2023 CEHRT requirements for the Medicare Promoting Interoperability Program are as follows:
2015 Edition Cures Update functionality must be used as needed for a measure action to count in the numerator during the EHR reporting period chosen by the eligible hospital or CAH (a minimum of any continuous 90 days in 2023).
In some situations, the product may be deployed during the EHR reporting period but pending certification. In such cases, the product must be updated to the 2015 Edition Cures Update criteria by the last day of the EHR reporting period.
Eligible hospitals and CAHs must provide their EHR’s CMS Identification code from the Certified Health IT Product List (CHPL), available on HealthIT.gov, when submitting their data.
Objectives and Measures
Participants are required to report on four scored objectives and their measures.
Electronic Prescribing
Health Information Exchange
Provider to Patient Exchange
Public Health and Clinical Data Exchange
Participants are also required to report (yes/no) on the Protect Patient Health Information objective:
Security Risk Analysis measure
Safety Assurance Factors for EHR Resilience (SAFER) Guides measure
Scoring Methodology
CMS continues to implement a performance-based scoring methodology. Each measure will contribute to the eligible hospital or CAH’s total Medicare Promoting Interoperability Program score. A minimum of 60 points is required to satisfy the scoring requirement.
Electronic Clinical Quality Measures (eCQMs)
Must report on the following using 4 quarters of CY 2023 data:
3 self-selected eCQMs; AND
The Safe Use of Opioids Concurrent Prescribing eCQM
Page 23
There are 4 categories of measurement in MIPS:
Quality replaces PQRS
Promoting Interoperability replaces Advancing Care Information (Stage 3)
Cost replaces the VPM (and wasn’t implemented until 2018)
Improvement Activities
Page 27
5. The four categories measured under the current MIPS program are: Quality, Promoting Interoperability, Cost, and Improvement Activities.
a. True
b. False
Page 60
New paragraph between "Health care quality specifically... and the EBM-Quality Reporting-Population Management subtitle:
The Healthcare Effectiveness Data and Information Set (HEDIS) is a tool used by more than 90 percent of U.S. health plans to measure performance on important dimensions of care and service. More than 190 million people are enrolled in health plans that report quality results using HEDIS. Since 2008, HEDIS has also been available for use by medical providers and practices. Because so many health plans use HEDIS and because the measures are so specifically defined, HEDIS can be used to make comparisons among plans. To ensure that HEDIS stays current, the National Committee for Quality Assurance (NCQA) has established a process to evolve the measurement set each year through its Committee on Performance Measurement.
Page 60
After the last paragraph on page 60 add:
Chronic Care Management (CCM) is care coordination services done outside of the regular office visit for patients with two or more chronic conditions expected to last at least 12 months or until the death of the patient, and that place the patient at significant risk of death, acute exacerbation/decompensation, or functional decline. These services are typically not face-to-face and allow eligible practitioners to bill for at least 20 minutes of care coordination services per month. CCM is part of overall CDM.
Page 81
FHIR is another HL7 standard. It is a standard for exchanging healthcare information electronically and is integral to the fully interoperable personal health record (PHR).
Page 94
Patient Privacy Rights
Practices are required to provide patients with HIPAA privacy policies; one set of policies may serve more than one medical provider in an organized healthcare arrangement. They can be written or electronic, generally updated annually, and can account for the sharing or exchange of patient data between covered entities according to relationships the practice has established. Most practices call this patient document a Notice of Privacy Practices.
The Privacy Notice not only establishes when and how a practice maintains the privacy of patient data, but also how a patient can report a complaint or error with their record.
Page 96
2nd paragraph under The Security Rule.
Practices are required to provide patients with HIPAA privacy policies; one set of policies may serve more than one medical provider in an organized healthcare arrangement. They can be written or electronic, generally update annually, and can account for the sharing or exchange of patient data between covered entities according to relationships the practice has established. Most practices call this patient document a Notice of Privacy Practices.
Page 97
If over 500 patients’ PHI has been breached, a notice of the occurrence must also be made in prominent media outlets in the state of the occurrence.
Page 100
HIPAA Privacy and Security Standard Timeline from its advent through 2023
Page 102
Add one more row to this table for 2023.
The next major update is now due, as OCR issued a Notice of Proposed Rulemaking (NPRM) on December 10, 2020, proposing a slew of changes to the HIPAA Privacy Rule. The Final Rule is expected to be published in the Federal Register at some point in 2023 now the comment period has closed. However, no date has been provided on when the Final Rule will be published, nor when the 2023 HIPAA changes will take effect (see the New HIPAA Regulations in 2023 section below).
For several years, new HIPAA regulations have been under consideration concerning how substance use disorder (SUD) and mental health information records are treated and protected. SUD records are covered by the Confidentiality of Substance Use Disorder Patient Records (42 CFR Part 2) regulations, which serve to protect the privacy of substance use disorder patients who seek treatment at federally assisted programs, whereas other healthcare data is covered under HIPAA.
There have been calls from many healthcare stakeholder groups to align the Part 2 regulations more closely with HIPAA so all healthcare data had equal protections. This would allow clinicians to view patients’ entire medical records, including SUD records, to get a complete view of a patient’s health history to inform treatment decisions. If details of treatment for SUD are withheld from doctors, there is a risk that a patient may be prescribed opioids when they are in recovery.
Ref: https://www.hipaajournal.com/
APPENDICES
Page 173
Replace “Encrypted” with “Encryption”.
Add the following to Appendix - C:
Chronic Care Management (CCM): CCM is care coordination services done outside of the regular office visit for patients with two or more chronic conditions expected to last at least 12 months or until the death of the patient, and that place the patient at significant risk of death, acute exacerbation/decompensation, or functional decline. These services are typically not face-to-face and allow eligible practitioners to bill for at least 20 minutes or more of care coordination services per month.
Chronic Disease Management (CDM): An integrated care approach to managing illness which includes screenings, check-ups, monitoring and coordinating treatment, and patient education. It can improve your quality of life while reducing your health care costs if you have a chronic disease by preventing or minimizing the effects of a disease.
Data Breach: Occurrence or disclosure of confidential information, access to confidential information, destruction of data assets, or abusive use of a private IT environment.
Distributed Denial of Service (DDoS) Attack: Attack which attempts to block access to and use of a resource. It is a violation of availability. DDOS (or DDoS) is a variation of the DoS attack and can include flooding attacks, connection exhaustion, and resource demand.
Digital Footprint: Footprint of digital information left behind by a user’s online activity.
Firewall: Network security device that monitors incoming and outgoing network traffic and permits or blocks data packets based on a set of security rules.
Incident: An occurrence that jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. Source(s): NIST SP 800-114
Healthcare Effectiveness Data and Information Set (HEDIS): CMS contracts with NCQA to collect Healthcare Effectiveness Data and Information Set (HEDIS®) measures from Medicare Special Need Plans (SNPs). The HEDIS measurement set is sponsored, supported and maintained by NCQA. Measures relate to many significant public health issues such as cancer, heart disease, behavioral health and diabetes. SNPs can use HEDIS performance data to identify opportunities for improvement, monitor the success of quality improvement initiatives, track improvement and provide a set of measurement standards that allow comparison with other plans. HEDIS data help identify performance gaps and establish realistic targets for improvement.
Honeypot: Trap or decoy for attackers. A honeypot is used to distract attackers in order to prevent them from attacking actual production systems. It is a false system that is configured to look and function as a production system and is positioned where it would be encountered by an unauthorized entity who is seeking out a connection or attack point. A honeypot may contain false data in order to trick attackers into spending considerable time and effort attacking and exploiting the false system. A honeypot may also be able to discover new attacks or the identity of the attackers.
Phishing: Untargeted, mass emails sent to many people asking for sensitive information or encouraging them to visit a fake website.
Port: The entry or exit point from a computer for connecting communications or peripheral devices. Source: NIST SP 800-82
Risk Tolerance: The level of risk that the organization is willing to accept in pursuit of strategic goals and objectives. Source: NIST SP 800-53
Threat: A possible danger to a computer system. Source: NIST SP 800-28 Version 2
Virtual Private Network (VPN): Encrypted network often created to allow secure connections for remote users.
Vulnerability: A security weakness in a computer.
FORMAT & TYPOS
TOC
Overview of the Health Information Management Technology Certified Manager for Physician Practice
Page 1
OVERVIEW OF THE HEALTH INFORMATION MANAGEMENT TECHNOLOGY CERTIFIED MANAGER FOR PHYSICIAN PRACTICE EXAM
Page 73
(Last bullet on the page. Add $)
Increased revenue by >$100K during the study period
Page 80
HIE participation & EHR interoperability
Once a practice decides identifies its HIE options, there are several considerations in how the EHR will directly connect to the HIE. Understanding the following methods of interoperability should help your practice clearly negotiate better terms and better connectivity to achieve maximum ROI from its HIT investment.
Page 80
Health Level 7 (HL7)/Continuity of Care Documents (CCDs)/Fast Healthcare Information Resources (FHIR)
HL7/CCDs are the most common method of exchange for EHRs. With PI Stage 2, the CCD standard/CD32 greatly consolidates this means of interoperable communication.
(The 1st line is a title, not a bullet)
Take me to the main HITCM-PP page!
240514 | Public