Kentucky REC News


One of the goals of the Quality Payment Program is for providers to move into what are called Advanced Alternative Payment Models. In Year 4 of the QPP, clinicians who meet the billing and/or patient thresholds in an Advanced APM are still eligible for the 5% lump sum payment. Over the course of this program, the requirements and flexibilities afforded to APM participants have evolved. Initially almost all participants in Advanced APM models met the billing and/or patient thresholds, making them eligible for the Qualified Participant status. However, as the thresholds (and the difficulty of meeting them) have increased, the likelihood of becoming a Qualified Participant or Partial QP status has declined. Because of this, many clinicians may find themselves evaluated on the MIPS APM scoring standard.

During our webinar, our quality experts will discuss the changes to the APM track and how the increases to the billing and/or patient thresholds may impact your  requirements and performance in the QPP.

*Webinar – QPP Year 4: MIPS Alternative Payment Models
Thursday, April 30, 2020 12:30 PM ET

Coming Up:
*May 21 – QPP Categories Year 4: Cost
June 18 – QPP Year 4: Kentucky REC Can Help You Improve Your QPP Performance
*July 16 – QPP Categories Year 4: Promoting Interoperability & Improvement Activities

All QPP Webinars start at 12:30 PM ET

*This webinar is for Kentucky REC contracted QPP clients only. If you are interested in this topic and would like to learn more about becoming a client, please contact us at (859) 323-3090 or Kentucky REC. We aim to be your trusted healthcare advisor!

Future dates subject to change


Due to the COVID-19 novel coronavirus national emergency, the Kentucky Medicaid EHR Incentive Promoting Interoperability Program (Meaningful Use Stage 3) has changed the reporting deadline from 3/31/2020 to 4/30/2020 for all Eligible Providers (EPs).

From the Kentucky Cabinet for Health and Family Services page:

“Program Year 2019 Attestations – Deadline Extended to April 30, 2020

The Kentucky Medicaid EHR Incentive Program (Promoting Interoperability) is accepting the program year 2019 attestations until 11:59 p.m. April 30, 2020. Any attestation not submitted will be closed out and ineligible for participation for the program year. To assist with your attestation, please see the EP User Manual on the EHR website. For questions or concerns, please contact the EHR team by email or calling (502) 564-0105, ext. 2463.”

Here is the link to the statement .

Contact your Kentucky REC advisor with any questions. If you don’t have a Kentucky REC advisor, contact us at Kentucky REC with your questions. We’re here to help and are available at 859-323-3090.


Under the 1135 waiver authority and Coronavirus Preparedness and Response Supplemental Appropriations Act, CMS has expanded access to Medicare telehealth services for beneficiaries. This response is in an effort to ensure that all beneficiaries, particularly those at high-risk of complications, can maintain access to the care they need.

Our expert advisors have created a Fact Sheet to guide you through these changes during the national emergency due to COVID-19.

You can access the Fact Sheet HERE.

Contact us at Kentucky REC with your questions. We’re here to help and are available at 859-323-3090.


COVID-19 and The HIPAA Privacy Rule: Bulletins from HHS

In light of the COVID-19 national emergency, the Health and Human Services (HHS) Office for Civil Rights (OCR) has released information specific to the HIPAA Privacy Rule. The Kentucky REC wants to make sure you are aware of the information coming from HHS in order for you to be able to continue providing healthcare services to patients. Below is a collection of all bulletins released from HHS regarding modifications and waivers related to the HIPAA Privacy Rule.

The Kentucky REC will continue to share updates and releases with hyperlinks from HHS as the information becomes available. Each of the titles below is hyperlinked to the information described.

March 24, 2020: COVID-19 and HIPAA: Disclosures to Law Enforcement, Paramedics, Other First Responders and Public Health Authorities

Today, the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS) issued guidance on how covered entities may disclose protected health information (PHI) about an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.

The guidance explains the circumstances under which a covered entity may disclose PHI such as the name or other identifying information about individuals, without their HIPAA authorization, and provides examples including:
• When needed to provide treatment;
• When required by law;
• When first responders may be at risk for an infection; and
• When disclosure is necessary to prevent or lessen a serious and imminent threat.

This guidance clarifies the regulatory permissions that covered entities may use to disclose PHI to first responders and others so they can take extra precautions or use personal protective equipment. The guidance also includes a reminder that generally, covered entities must make reasonable efforts to limit the PHI used or disclosed to that which is the “minimum necessary” to accomplish the purpose for the disclosure.

“Our nation needs our first responders like never before and we must do all we can to assure their safety while they assure the safety of others,” said Roger Severino, OCR Director. “This guidance helps ensure first responders will have greater access to real time infection information to help keep them and the public safe,” added Severino.

March 20, 2020: FAQs on Telehealth and HIPAA During the COVID-19 Nationwide Public Health Emergency

The Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS) issued guidance on telehealth remote communications following its Notification of Enforcement Discretion during the COVID-19 nationwide public health emergency.

The Notification, issued earlier this week, announced, effective immediately, that OCR is exercising its enforcement discretion to not impose penalties for HIPAA violations against healthcare providers in connection with their good faith provision of telehealth using communication technologies during the COVID-19 nationwide public health emergency.

The new guidance is in the form of frequently asked questions (FAQs) and clarifies how OCR is applying the Notification to support the good faith provision of telehealth.

March 17, 2020: Notice of Enforcement Discretion for Telehealth

The HHS Office for Civil Rights (OCR) announced on March 17, 2020, that it will waive potential HIPAA penalties for good faith use of telehealth during the nationwide public health emergency due to COVID-19.
A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.

The notification explains how covered health care providers can use everyday communications technologies to offer telehealth to patients responsibly.

March 16, 2020: Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency

In response to President Donald J. Trump’s declaration of a nationwide emergency concerning COVID-19, and Secretary of the U.S. Department of Health and Human Services (HHS) Alex M. Azar’s earlier declaration of a public health emergency on January 31, 2020, Secretary Azar has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
• the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
• the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
• the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
• the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
• the patient’s right to request confidential communications. See 45 CFR 164.522(b).

The waiver became effective on March 15, 2020. When the Secretary issues such a waiver, it only applies:
(1) in the emergency area identified in the public health emergency declaration;
(2) to hospitals that have instituted a disaster protocol; and
(3) for up to 72 hours from the time the hospital implements its disaster protocol.

When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

March 13, 2020: Waiver or Modification of Requirements Under Section 1135 of the Social Security Act

The Waiver was implemented “to ensure that sufficient health care items and services are available to meet the needs of individuals enrolled in the Medicare, Medicaid and CHIP programs and to ensure that health care providers that furnish such items and services in good faith, but are unable to comply with one or more of these requirements as a result of the consequences of the 2019 Novel Coronavirus (previously referred to as 2019-nCoV, now as COVID-19) pandemic, may be reimbursed for such items and services and exempted from sanctions for such noncompliance, absent any determination of fraud or abuse.”

February 2020: BULLETIN: HIPAA Privacy and Novel Coronavirus

This bulletin was released “to ensure that HIPAA covered entities and their business associates are aware of the ways that patient information may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.”

HHS – Emergency Situations: Preparedness, Planning, and Response

Summary of HIPAA Privacy Rule

Contact us at Kentucky REC with your questions. We’re here to help and are available at 859-323-3090.


As we enter this unprecedented time of a national emergency due to COVID-19, our team at Kentucky REC wants you to know that we are here to help you and your healthcare organization. We will continue to monitor the situation with federal government programs and policies and keep you updated with anything that might affect you.

We support and appreciate your efforts amid the stress and added workload on your organization due to COVID-19.

Here are some external resources for COVID-19 information:

UK Healthcare Questions and Answers about COVID-19

Kentucky Cabinet for Health and Family Services COVID-19

Contact us Kentucky REC with your questions. We’re available at 859-323-3090.


Kentucky REC has an opening for a Quality and Value Manager. This person will work with the Kentucky REC Managing Director and executive leadership to ensure quality and value goals are met. This position will lead a team of advisors in assisting practices in developing and implementing strategic plans for process improvement, clinical innovation and/or quality improvement projects (i.e., alternative payment models, quality and value-based care programs such as patient-centered medical home, pay-for-performance, Value Based Modifier, MACRA, MIPS, ACO, and Bundled Payment initiatives); develop and maintain tools to facilitate and support clients; and ensure timely and consistent communication to stakeholders on progress, impacts, and changes associated with management of a services portfolio. Further details here.


Contact us Kentucky REC with your questions. We’re available at 859-323-3090.


For 2020, Kentucky REC Quality experts are hosting a *series of three webinars in which they will discuss each of the four MIPS categories, starting with a deep dive into the Quality category. This category carries not only the highest weight of the four, but also has the longest reporting period.

Strong performance in the Quality category is essential to avoiding the negative payment adjustment. It is also has the biggest impact on your potential for exceptional performance status, which requires a score of 85+ points, and qualifies you for an additional positive payment adjustment factor outside the budget neutral program.

Our experts will share the changes to Quality for 2020, and how ongoing monitoring and improvement is essential in your overall success in the Quality Payment Program. During this first webinar of the series we will discuss ways you can be successful in the Quality performance category and maximize your performance in Program Year 4 no matter your practice size, level of submission, or method of collection. We want to help you not only meet the minimum threshold, but thrive in the Quality Payment Program.

Webinar – QPP Categories Year 4: Quality
Thursday, March 19, 2020 12:30 PM ET



Next in the series:
May 21 – QPP Categories Year 4: Cost
July 16 – QPP Categories Year 4: Promoting Interoperability & Improvement Activities

All QPP Webinars start at 12:30 PM ET

*This webinar is for Kentucky REC contracted QPP clients only. If you are interested in this topic and would like to learn more about becoming a client, please contact us at (859) 323-3090 or Kentucky REC. We aim to be your trusted healthcare advisor!

Future dates subject to change


Assessing the vulnerabilities of your network and IT assets is essential for understanding the risks facing your organization. The Center for Internet Security (CIS) ranks vulnerability assessment third in its 20 critical security controls for effective cyberdefense (CIS Controls).

“Organizations that do not scan for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their computer systems compromised.” *

What is a vulnerability assessment?

A vulnerability assessment is broken down into two different phases:

  • Scanning & diagnosis
  • Results assessment

Scanning & Diagnosis: Our IT expert will use a network scanning device to identify potential points of exploitation on a network or computer and identify security holes within that system. The scanner’s repository of vulnerabilities is updated just before every scan to include any newly identified items, and is compatible with the Common Vulnerabilities and Exposures (CVE) Index, which standardizes the names of vulnerabilities across diverse security products and vendors.

Results Assessment: Once these items are identified, a severity rating is assigned as follows: critical; severe; moderate; or clean. From the severity rating, a mitigation strategy is created to address the most critical items first, and then move down the list in severity level. This mitigation strategy will include information about specific software patches, downloadable fixes and reference content about security weaknesses.

To better facilitate HIPAA compliance in your organization, you should accompany your vulnerability scan with a full Security Risk Analysis and HIPAA Security Education for your staff.

Join our webinar to learn more about these important HIPAA Privacy and Security Topics.

Webinar – HIPAA Security: Find Vulnerabilities Before Attackers Do

Thursday, March 26, 2020 12:00 PM ET


Call 859-323-3090 or email Kentucky REC HIPAA Privacy and Security experts with your questions, or if you want to talk to a security expert to schedule your vulnerability assessment.

Additional Resources:
Center for Internet Security (CIS) Controls List
MITRE Corporation’s Common Vulnerabilities and Exposures



In order to successfully meet the objectives of Stage 3 Medicaid Promoting Interoperability, it is crucial for you to be looking at the 2020 requirements.

During the webinar we will review the Stage 3 objectives and the thresholds for each measure. We will provide detailed information regarding the newest measures and the importance of having a 2015 CEHRT.

Let Kentucky REC advisors help you be prepared and successful when tackling Stage 3. We will provide action lists that will guide you through the important next steps to meeting the thresholds for hard to reach measures.

Webinar: KY Medicaid Promoting Interoperability (MU) 2020 Stage 3 Overview for Eligible Professionals

Wednesday, March 25, 2020 12:00 pm ET


Contact us at Kentucky REC with your questions about Promoting Interoperability. Our team of experts is here to help: 859-323-3090.


Our partners at the Kentucky Health Information Exchange are excited to announce the launch of their Provider Assistance Program mini-grant opportunity.

In collaboration with the Department for Medicaid Services (DMS) and Centers for Medicare & Medicaid Services (CMS), the Kentucky Health Information Exchange (KHIE) is offering Pharmacies, Eligible Providers (EPs), Eligible Hospitals (EHs) and Critical Access Hospitals (CAHs) the opportunity to apply for a mini-grant to offset the vendor fees associated with connecting to KHIE.

The Provider Assistance Program was created to help Pharmacies, EPs, EHs and CAHs in rural areas of the state to mitigate the challenges associated with interoperability. The objective is to relieve some of the financial burden a healthcare facility experiences which hinders engagement in Public Health and Clinical Data Registry reporting as well as Health Information Exchange.

Applicants are required to be:

  • located in the state of Kentucky
  • considered an EP, EH or CAH (as defined by CMS)
  • or a licensed pharmacy

If approved, EHs and CAHs may be awarded up to $15,000 and Pharmacies and EPs may be awarded up to $8,000.

Grants will be awarded on a first come first serve basis until all grant funds are depleted. Incomplete applications will not be considered and only one grant will be awarded per business entity.

If interested, please complete the Provider Assistance Program Application in its entirety and e-mail to Brett Brown ( with the subject line: Application for the Provider Assistance Program.

Applications can also be found on the KHIE Website.

Applications will be accepted through June 30, 2020.