ONC-ACB Certification ID: | Certification Date: Nov 11, 2019
2020 To Do List

2020 To Do List

As the final quarter of 2020 approaches, practices should take action on time-sensitive programs that will impact reimbursement in the future. Below is our “2020 To Do List” with details outlining the steps you need to take to achieve each item.

Check Your MIPS Numbers

October marks the last quarter that practices can begin to achieve compliance for certain MIPS categories in 2020:
Confirm submission method – If you submitted via registry in the past, and plan to submit via eCQMS, or are considering submitting through a registry for 2020, make sure you understand the allowed measures, costs, and outcomes.
• Practices should run their Promoting Interoperability and MU3 – Clinical Quality Measures reports every month to ensure practice is meeting requirements.
• Complete your Security Risk Analysis.
• Document progress on Improvement Activities.

For more information, read the MIPS 2020 and Criterions blog post.

Register for PAMA

The Centers for Medicare and Medicaid (CMS) currently requires all providers to use a Clinical Decision Support Mechanism (“CDSM”) to electronically validate advanced imaging orders using approved online guidelines. On January 1, 2021, imaging centers will not be reimbursed for orders that do not include this information so it is vital that ordering physicians be able to perform the validation without impacting their workflow.

Learn how to meet the AUC validation requirements under PAMA here. 

Purchase NYC and NY State Immunization Interface

With changes to MIPS, practices are now required to have live bidirectional interfaces with NYCIR and NYSIIS.

Why practices need it:
• These interfaces send immunizations for Adults and Children to the respective registry electronically in the new MIPS format.
• The old interface is no longer valid with new rules.
• Practices without the electronic interface cannot attest on MIPS for submitting to a public registry. This will affect MIPS compliance.
• Practices not in NYC must purchase a NYSIIS interface for immunizations for Adults and Children.
• Practices in NYC must purchase a NYC CIR interface for immunizations for Adults and Children.
• This MIPS interface sends the immunizations administered, as well as retrieves the patients current immunizations already administered by other physicians from the registry.

Contact support@criterions.com to purchase.

If you have any questions about the 2020 To Do List, fill out the form below and a member of our team will be in touch:

MIPS Monthly Checklist

MIPS Monthly Checklist

Use the checklist below to ensure you are staying on track for the best MIPS reporting possible. Be sure to review your MIPS numbers monthly. For more information, please review the MIPS criteria found here.

  • Check Promoting Interoperability – Ensure you are meeting measure thresholds.  For all measures, higher percentages are better.


  • Check Clinical Quality Measures MU3 – Most measures, with the exception of 122v7 and 156v7, seek the highest percentage of patients meeting the measure. Measures 122v7 and 156v7 seek the lowest percentage of patients.


  • Document Improvement Activities – If changes or work have been done to meet the criteria of an improvement activity, document the work in case of an audit.


  • Complete Security Risk Assessment (if not previously completed) – The Security Risk Assessment must be completed at least once during the reporting period. If the report has not been completed, begin documentation.

For any other questions regarding MIPS, contact us using the form below:

MIPS 2020 and Criterions

MIPS 2020 and Criterions

While there is much uncertainty today, not only in the medical world, but the world at large, we are preparing for the resumption of life post pandemic. As of now, MIPS reporting will still be required for 2020. While we do not know if the requirements will change due to the pandemic, we are going off of the assumption that the rules will be enacted as initially created, meaning practices must report on Quality Measures, Promoting Interoperability, and Improvement Activities in the beginning of 2021. Below is our MIPS 2020 and Criterions guide that will help you fulfill MIPS requirements using Criterions EHR.

If you have any questions, please complete the from below:

What You Need to Know About Telemedicine and HIPAA

What You Need to Know About Telemedicine and HIPAA

On March 6, 2020, the CDC released guidance for Healthcare Providers to prepare for the Coronavirus Disease 2019 (COVID-19). One of the steps listed was to leverage telemedicine technologies.

In February, the Office of Civil Rights released a reminder about HIPAA privacy obligations during the Novel Coronavirus outbreak. Privacy regulations are not set aside during an emergency. HIPPA obligations still apply to healthcare providers while treating patients remotely. Providers may wish to use remote encounters to reduce exposure to their staff and susceptible patients.

How HIPAA May Apply During a Health Emergency

There are three provisions that the Office of Civil Rights highlighted in their February notice that are worth reviewing. The first two require authorization by state law, but the third relies on the discretion of the provider.
In general, reporting about an identifiable patient to the media or to people not involved in the patient’s care may not be done without the patient’s written authorization.


HIPAA permits covered entities to provide PHI to a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability.


HIPAA permits disclosure to persons at risk of contracting or spreading a disease if authorized by state law or if authorized by a public health emergency.


Healthcare providers may share patient information with anybody as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or to the public, and consistent with state law and applicable codes of ethical conduct. Thus, providers may disclose a patient’s health information to anyone who is in a position to prevent or lesson the serious and imminent threat, including family, friends, caregivers, and law enforcement without a patient’s permission. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety.

Communicating Protected Health Information Through Email or Text is Likely a HIPAA Violation

The HIPAA Conduit Exception allows transmission of PHI if the conduit does not have access PHI nor do they store copies of the data. They simply act as a path which the PHI flows. The Post Office is an example of a conduit with which a Provider would not have to have a Business Associate Agreement.

If a provider sends electronic Protected Health Information (ePHI) to a patient through text or email, the ePHI is not simply transmitted to the patient, it is held by the service provider. The mobile carrier or the email provider is not simply a conduit for the transmission of the data as the ePHI will continue to reside with the provider. For example, the email would reside on the Google inbox or the text message on the Verizon server.

Unless you have the provider of such service under a Business Associate Agreement, communication of PHI using these methods could be interpreted as a violation.

Does HIPAA Allow Video Telemedicine?

The same requirement for patient privacy and confidentiality that apply for a face to face doctor visit apply to visits conducted remotely over video, and the provider’s responsibilities to protect PHI are the same.

Any video software that a provider uses must provide two-way, end to end encryption. Additionally, the software should not record, save or store video unless the provider is (1) under a Business Associate Agreement and (2) the patient has provided consent for the recording of the session.

To qualify under the Conduit Exception, a vendor cannot store, even transiently, the video passed between the provider and the patient. In contrast, a vendor that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.

Some video services now provide automatic transcription services along with the video. If the audio or transcription service is utilized, it may be stored on the vendor’s server in more than a transient fashion and could affect the determination of HIPAA compliance.

Are Additional Consents Required When Utilizing Telemedicine?

It is a mistake to assume that remote communication of PHI is the same as when the communication is between doctor and patient over a video system. The communication is different than the doctor and patient were face to face in a private treatment room. The provider should ensure that the patient is in a private area or has consented to the people around them who may be able to see or hear the examination.

As stated above, any recording of a telemedicine session must have patient consent (and would likely require the vendor to be under a BAA). Furthermore, the provider should take sufficient steps to confirm the identity of the patient before starting any telemedicine consultation. Finally, informed consent for telemedicine could be a legal requirement in your state or could be a prerequisite or condition of getting payment from the payer. Some states require verbal consent and some require written consent, so be sure to check your local requirements.

Ensure That the Video Provider Qualifies as a Conduit or the Relationship is HIPAA Approved

If you are using a video program with a vendor that you do not have a BAA with, you are using it at risk of a HIPAA violation.

There have been significant penalties levied against providers who have mischaracterized a vendor as a conduit rather than a Business Associate. These violations can arise when the vendor stores PHI on their cloud environment and doesn’t simply provide the end to end communication.

There is debate as to whether applications such as Skype or Facetime are HIPAA complaint, and providers use them at their own risk.

Some providers have HIPAA complaint versions of their service that providers can sign up for, such as Zoom and Microsoft offers a telehealth program on its Azure platform and on March 9, 2020 announced a telehealth program based on its Teams platform.

There are several other commercial options that are specifically designed to be HIPAA compliant with vendors that are willing to enter into a BAA.

If you have any questions about what you have read here, please contact the Criterions team:

Welcome to the New Criterions Blog!

Welcome to the New Criterions Blog!

The Criterions team is excited to unveil our new website and blog to our customers and friends! In our blog, you’ll find TCMS product updates and articles on the topics you care most about– from patient engagement to regulatory compliance.To subscribe, simply fill out the form here.


Please reach out to the Criterions team if you have any questions:


Request a Demo!