Clinical Quality Measures

InfoGard Accredited to Test Clinical Quality Measures

On August 22, 2016, InfoGard achieved accreditation from NVLAP (Lab Code 100432-0) to begin testing to the 2015 Edition certification criteria for Clinical Quality Measures (CQMs). The CQM criteria include:

  • 315(c)(1) – Clinical quality measures –record and export
  • 315(c)(2) – Clinical quality measures –import and calculate
  • 315(c)(3) – Clinical quality measures—report
  • 315(c)(4) – Clinical quality measures –filter

The measures tested under the 315.c.1-4 criteria are used by providers and hospitals for the CMS Meaningful Use Program in 2017 and beyond.

The test procedures can be found on the ONC website:

The test tool, Cypress, can be found at:

CMS information about the CQMs is available:

InfoGard understands that developers may have delayed testing until these criteria were available. Don’t delay any longer! Contact us to get started today!

Meaningful Use

Meaningful Use Update

In 2015 CMS released the Final Rule that outlines the requirements eligible professionals (EPs) and eligible hospitals (EHs) must fulfill in order to participate in the Medicare and Medicaid EHR Incentive Programs, also known as Meaningful Use. The Final Rule addresses participation in 2015 through 2017 with changes to Stage 2, as well as establishing Stage 3 in 2018 and beyond.

Stages for Meaningful Use and Objectives

Stage 1 – 2011 to 2013 – Data capture and sharing

Stage 2 – 2014 to 2017 – Advanced clinical processes

Stage 3 – 2018 to TBD – Improved outcomes

The CMS Rule allows providers to start Stage 3 of Meaningful Use in 2018, with 2017 as an optional year for Stage 3 participation.

Reporting Periods to Qualify for MU

The reporting periods for EPs and EHs are aligned beginning in 2017 to run on the calendar year. In terms of objectives, the Rule set out eight (8) objectives that providers are required to meet, while establishing a single set of objectives and measures, tailored to EPs, EHs, or critical access hospitals (CAHs), to meet for the definition of Meaningful Use.

In 2016 (Stage 2) – First-time participants may use their EHR to report through any continuous 90-day period between January 1 and December 31, 2016.

All returning participants must use their EHR to report the full calendar year (January 1-December 31, 2016).

In 2017 (Stage 2 or Stage 3) – First-time participants may use their EHR to report through any continuous 90-day period. Providers attesting to Stage 3 may also use a 90-day reporting period. All returning participants must use their EHR to report the full calendar year (January 1-December 31, 2017).

In 2018 (Stage 3) – First-time Medicaid participants may use their EHR to report through any continuous 90-day period. All other providers must use a reporting period of the full calendar year (January 1-December 31, 2018).

For more information, visit the CMS EHR Incentive Program,

2015 Edition and MU Stage 3 Final Rules Published

This week ONC published the Final Rule defining the 2015 Edition of EHR certification requirements. In addition, CMS released the Final Rule for Meaningful Use Stage 3.

2015 Edition:

Stage 3:

What this means for EHR developers:

The 2015 Edition certification criteria are the next set of criteria used to certify EHRs. Vendors will need to use these criteria when developing their products to be used for Meaningful Use. Testing to the 2015 Edition is expected to start in early 2016.

What this means for providers/hospitals:

According to the rule from CMS, Stage 3 will start in 2018 with an optional year starting in 2017. This gives providers and hospitals 2 years (2016-2017) to select and install an EHR certified to the 2015 Edition certification criteria.

More information on the ONC Health IT Certification Program can be found at:

More information on Meaningful Use can be found on the CMS EHR Incentive Programs website at:

See also the press release by HHS:

National Health IT Week: Post-Presentation Q&A

In the effort to carry on the theme for National Health IT Week, InfoGard’s technical staff has committed to providing answers to post-presentation questions on “10 Steps to Protect My Covered Entity From Breach” posted on October 6, 2015. Additional Q&A’s will be added to the existing list. Check back for updates periodically. To submit additional questions, email

1. How often should a covered entity conduct an SRA?

An SRA should be conducted commensurate with the changing environment. The more change occurs in the physical environment, policies, and staff, the greater the possibility of new risks emerging, and existing risks becoming more severe. With a rapidly changing environment you might consider an SRA every quarter; with a stable environment every three (3) years may be sufficient.

2. What are the benefits of a third-party risk assessment compared to internally conducted SRAs?

Third-party risk assessments can offer industry-leading expertise. Additionally, they are independent from any employee prejudices of the environment and provide a fresh set of eyes. However, having internal staff members trained can provide cost savings as well as rapid responses to new threats or situations.

3. Should I contract out everything to avoid dealing with all the security requirements myself?

This can be a great solution since some covered entities have many clients and already have experience managing EPHI as required by HIPAA and conducting SRAs. However, many businesses are not. When subcontracting IT services, such as hosting your EHR offsite, ensure that the business associate agreement (BAA) includes all security items for which the business associate (BA) is responsible. Additionally, obtain evidence they are actually doing what is required. While you may be able to avoid direct penalties from OCR by this method, when a breach occurs there still might be damage to your reputation, high staff turnover, and indirect financial cost that often amounts to six (6) figures even for small clinics.

4. I have an employee who is HIPAA certified; does this offer me security?

Security is only as deep as the individual’s expertise. There is no government backed certification program, and all certifications are simply private guarantees. Sitting down with a HIPAA lawyer and other HIPAA security experts at least once can make a huge difference in the security of the site.

5. Do I need to have an employee who is an expert in hacking to avoid a breach?

No. There are many tools available to secure your network and IT equipment which require only a general IT background. Consider purchasing some of the industry tools to help facilitate security. Often times installing these tools will help educate your staff on security in the process.

National Health IT Week: 10 Steps to Protect My Covered Entity From Breach

As part of National Health IT Week, InfoGard presents a prerecorded webinar detailing 10 steps a covered entity can take to help protect itself from a breach.

Our technical staff will be answering questions about this presentation, HIPAA requirements, and security risk assessments via email and here on the blog throughout National Health IT Week. Send your questions to

Slides from this presentation can be found here.


InfoGard is a Proud Partner in National Health IT Week

This October, InfoGard Laboratories is a Proud Partner in National Health IT Week. National Health IT Week is the premier event offering all healthcare stakeholders an opportunity to unite under one banner, expressing the benefits that health information technology (IT) brings to U.S. healthcare. “One Voice, One Vision.”

Initiated in 2006 by the Healthcare Information and Management Systems Society (HIMSS), National Health IT Week has emerged as a landmark occasion for using health IT as part of the overall solution to improve America’s healthcare as a bipartisan, federally led, market driven initiative.

The Week consists of events in Washington DC and across the country, including National Health IT Week participants —vendors, provider organizations, payers, pharmaceutical/biotech companies, government agencies, industry/professional associations, research foundations, and consumer protection groups— all working together to elevate national attention to the advantages of advancing health IT.

As the healthcare community becomes more technologically advanced, InfoGard sees the increasing concern of protecting patient health information (PHI), especially in electronic form. As part of National Health IT Week, InfoGard will release a prerecorded webinar presenting 10 steps that detail how a covered entity can protect itself from a potential breach. Following the presentation, viewers will have the opportunity to submit questions via email which will be answered by InfoGard’s technical staff and posted on our Health IT Blog throughout the Week.

The webinar will be released here on the blog at 11am PDT on Tuesday, October 6, 2015. Visit for a full list of the Week’s activities.

Security Risk Assessment Introduction

Breach of healthcare records is a rising threat that has affected millions of Americans. InfoGard understands this threat and partners with healthcare facilities to assess potential risks and provide guidance to create, implement, and maintain a risk management plan.

In the coming weeks we will be talking through why breaches are on the rise, quick fixes to make your healthcare facility more secure, how to deal with business associates that handle protected health information (PHI), and other topics related to healthcare and PHI security.

Leave a comment or contact us if there is a specific topic you would like to see covered.