Friday, March 23, 2012


It's somewhat surprising that the Department of Health and Human Services ("HHS") has not yet defined what it meant by stating that "certain health care entities" would be given an ICD-10 code set compliance date beyond October 1, 2013. Which health care entities and how long of a delay?

iHealthBeat reports on a scholarly Health Affairs article that reaches the following conclusion:
Instead of moving toward ICD-10 standards, the authors recommended that the health care industry move toward implementing ICD-11 code sets. They note that ICD-11 standards are closely linked with the Systematized Nomenclature of Medicine-Clinical Terms, which is a key part of the meaningful use Stage 2 criteria.
Under the 2009 federal economic stimulus package, health care providers who demonstrate meaningful use of certified EHR systems can qualify for Medicaid and Medicare incentive payments. The authors recommended that federal officials allow a grace period for compliance with the ICD-10 code sets or push back the compliance deadline by one to three years.
Of course, the HHS mandate is being issued under HIPAA, a 1996 law intended to facilitate the electronic payment of health plan claims. The law has nothing to do with public health, but public health reporting concerns are the foundation for switching to the ICD-10.  The FEHBlog expects that a lot of money could be saved by repealing HIPAA and letting the health care industry set these payment standards.

Speaking of electronic recordkeeping, CIO includes an article with the eye-popping number from a Ponemon Institute study finding that "the average organizational cost per [electronic] data breach was $5.5 million in 2011, down 24 percent from $7.2 million in 2010. Additionally, the cost per compromised record fell to $194 per record, down $20 (10 percent) from 2010." The article adds this interesting tidbit:
While the decline in costs should benefit businesses, the reason for the decline may not be so reassuring.
"I think the root cause is that people are maybe becoming a little numb to the notification," Dr. Ponemon says when asked to speculate on the driver for the decline in lost business costs. "Maybe most of us by now have received one if not more notifications. Over time, if you don't become a data breach victim as a result of the event, it begins to lose its impact. These notifications are becoming almost ubiquitous. It's hard to determine which ones I should care about."
The FEHBlog hopes that HHS reads this study as it certainly supports the interim HIPAA unsecured PHI breach notice rule's harm prerequisite to issuance of such a notice.
