CMS Issues Stark Law Changes

CMS issued last week its final rule modifying the Physician Self-Referral Law (the Stark Law), putting into place most of what it proposed to modify this summer. The majority of the new modifications become effective on January 1, 2016, though CMS indicates that many of the changes are merely clarifications of how the Stark Law is already applied.

Highlights of Some Proposed Revisions

The below list is not an all-inclusive list of the revisions to the Stark Law, but highlights some of the more substantial changes.

Temporary Noncompliance with Signature. Following the confusion between what was considered inadvertent and not inadvertent, CMS has modified this rule to allow the temporary noncompliance with the signature requirements for up to 90 days following the date of noncompliance regardless of the parties’ intention for not signing earlier.

Remuneration. The definition of remuneration has been revised to more clearly specify that certain items, devices, or supplies related to the collection, transportation, etc. of specimens are excluded from the definition of remuneration if used solely for one or more of such testing/specimen collection purposes.

Arrangement vs. Agreement. CMS clarifies in several of the exceptions (e.g., personal services, leases, physician recruitment) that the requirement that the arrangement be set out in writing does not require a single formal contract; rather, several documents together may establish sufficient documentation to satisfy the writing requirement. Examples of supplementary contemporaneous documents include communications between the parties, check requests or invoices, time sheets, and call coverage schedules. Further examples are described within the final rule.

Holdover Provision. Prior to this final rule, the personal service arrangement, rental of office space and rental of equipment exceptions permitted a holdover arrangement for up to 6 months. CMS has modified these provisions to permit indefinite holdovers, provided that the arrangement continues on the same terms and conditions as the original arrangement.

Recruitment of Non-Physician Practitioners. CMS has added a new exception allowing a hospital (or FQHC or RHC) to provide remuneration to a physician to compensate for non-physician practitioners if certain conditions are met (including a cap of 50% of the remuneration paid to the non-physician practitioner and a restriction limiting use of the exception with the same referring physician to once every 3 years). Such non-physician practitioners include clinical psychologists and social workers, physician assistants, nurse practitioners, clinical nurse specialists and certified nurse midwives.

Timeshare Arrangements. CMS created a new exception for timeshare lease arrangements, which covers both space and equipment (supplies, items, services, etc.). The space/equipment must be used predominantly for E/M services and remain on the same schedule. The equipment in the space must also be located in the same building where the E/M services are furnished, must not be used to furnish DHS other than those incidental to E/M services furnished at the time of the patient’s visit, and must not include advanced imaging equipment, radiation therapy equipment or clinical & pathology lab equipment (other than CLIA-waived tests).

The changes that relax some of the signature, holdover and writing requirements are consistent with CMS’ experience with SRDP submissions. Further, the new exceptions recognize some of the changes in the delivery of patient care (such as non-physician providers and timeshare arrangements). If you have questions about any of these modifications or the Stark Law in general please contact Elana Zana.

Updated Meaningful Use Rules Released

After months of waiting, CMS and ONC finally issued final rules (with comment) pertaining to Stage 3 Meaningful Use, the 2015-2018 EHR Incentive Program and the 2015 edition of CEHRT certification. CMS announced that the rules, numbering 750+ pages, are designed to “simplify requirements and add new flexibilities for providers to make electronic health information available when and where it matters most.” CMS’ announcement also signaled more rules to come: CMS has opened a 60-day comment period for additional feedback about the EHR Incentive Programs and in particular the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), “which established the Merit-based Incentive Payment System and consolidates certain aspects of a number of quality measurement and federal incentive programs into one more efficient framework.” The expected release for the MACRA rule is spring 2016.

Highlights of the final rule include:

  • 2015 reporting for EPs and EHs is any continuous 90-day period within CY 2015, to be submitted by Feb. 29, 2016, which may be extended to March if providers need additional time.
  • 2016 & 2017 new Medicare and Medicaid providers (and 2018 Medicaid providers) may report on any 90 days.
  • Most changes in the rule will not be required until 2018 (but providers who are ready may transition to the next phase in 2017).
  • 2015-2017 EPs will report on 10 objectives, EHs on 9 objectives, including one public health reporting objective.
  • Modified patient action measures in Stage 2 objectives.
  • 90 day reporting period for any provider moving to Stage 3 in 2017.
  • Finalization of the use of application program interfaces (APIs) which allow the use of new programs/functions that will help patients have access to their healthcare records, including on mobile devices.
  • Focus on interoperability in Stage 3 rules.

The final rules will be officially published in the Federal Register on October 16, 2015.

For more information regarding the EHR Incentive Program and these new rules please contact Elana Zana.

Certificate of Need New Rule Invalidated by Supreme Court

The Washington Supreme Court unanimously agreed with the Washington State Hospital Association (WSHA) that the new expanded Certificate of Need rule defining the “sale, purchase or lease” of a hospital exceeded the Department of Health’s authority. WSHA successfully argued that the new definition, promulgated by the Department of Health’s Certificate of Need Program, which expanded its jurisdiction to include “any transaction in which the control, either directly or indirectly, of part or all of any existing hospital changes to a different person, including, but not limited to, by contract, affiliation, corporate membership restructuring, or any other transaction,” was overly expansive.

The Supreme Court agreed that pursuant to the wording of the new rule, Certificate of Need approval would be required for any change in control of a hospital, including those changes that commonly occur, for example a change in the composition of the board of directors of a hospital.  The Supreme Court held that the new rule interprets “sale, purchase, or lease” in RCW 70.38.105(4)(b) too broadly and “departs too far from the plain meaning of those terms.”

For more information regarding the Certificate of Need rules please contact Elana Zana.

Ready for an OIG Security Audit?

At HIMSS15 in Chicago I had the pleasure of speaking with my colleague, Dave Schoolcraft, regarding the OIG Security Audits. These in-depth security audits, conducted not by the OCR or CMS but rather by the Office of Inspector General, delve into the security systems of Eligible Hospitals (and potentially Eligible Professionals) participating in the EHR Incentive Program.

Background

The OIG in its 2014 and 2015 Work Plans identified its plan to audit participants in the EHR Incentive Programs and their business associates, including cloud service providers, “to determine whether they adequately protected electronic health information created or maintained by certified EHR technology.” This audit stretches beyond a typical meaningful use audit and is not only centered on the security of ePHI stored in the CEHRT, but also looks at relationships with downstream service providers. Though EPs and EHs that participate in the EHR Incentive Program are aware of pending audits from CMS (via Figliozzi & Company), including the necessary documentation and security risk analysis requirements, these audits may come as quite a surprise – especially the level of thoroughness the OIG pursues in these audits. Though the OIG identifies the targeted entities due to their participation in the EHR Incentive Program, these audits look nothing like a CMS audit but instead are an in-depth HIPAA security audit.

The Audit

The audit itself is conducted by OIG investigators who are knowledgeable about security infrastructure as well as HIPAA requirements. The OIG commences the audit with a phone call followed by a formal letter notifying the recipient entity of the audit. As stated in its letter, “the objective of [the] audit is to assess if the [hospital’s] meaningful use requirements have protected the confidentiality, integrity and availability of electronic protected health information (ePHI) in its EHR systems.” The OIG sends out a document request/questionnaire with approximately 17 categories and subcategories that it is investigating. In addition to reviewing the responses to the document requests, the OIG auditors come on-site for 2-3 weeks to conduct interviews and personally review the security infrastructure.

Sample audit questions include:

  • Review of the EHR network diagram that shows EHR network architecture including external connections.
  • Provision of a description of internal or external web sites associated with the EHR system including patient portals.
  • Analysis of existing HIPAA policies and procedures, including patch management and access controls.
  • Detailed description of EHR network devices including the manufacturer and model number, software version and primary function.

As stated in the OIG Workplan, the target of the investigation is not only the covered entity itself, but also the relationships with business associates and downstream cloud service providers.

Audit Readiness Plan

It is unknown how many audits OIG will conduct and the ultimate goal of these audits. We believe that the OIG plans on creating a roll-up report to describe the findings of these audits, rather than publishing individual reports – however this has not been verified because the OIG has denied Freedom of Information Act requests.

We recommend that covered entities prepare for these audits as follows:

  • Gather information regarding existing security infrastructure in place, including relationships about sharing PHI with business associates and downstream providers.
  • Evaluate health IT vendors to determine if they are compliant with business associate agreements – this may include asking the business associate to provide you with evidence and results from a security risk assessment.
  • Identify team members that will respond to an OIG audit request.
  • Conduct a mock audit to fully assess security.

Additional Audits

The OIG Work Plans also identify four other related types of audits.

  1. OIG Audits of Medicare EHR Incentive Program. Earlier this month the OIG issued a number of multi-year audits of EHR Incentive Program participants. These audits are very similar to the CMS Meaningful Use audits conducted by Figliozzi, but are in fact not conducted by CMS. Unlike the CMS audits, however, the OIG audits are multi-year and may request information from both Stage 1 and Stage 2 attestations.
  2. OIG Audits of Medicaid EHR Incentive Programs. OIG has conducted at least three audits of states issuing Medicaid EHR Incentive Program dollars: Louisiana, Massachusetts and Florida. Of the three audited, only Florida was found to have issued the EHR Incentive Program dollars correctly. The OIG has instructed the other states to reimburse the federal government for the incorrectly distributed funds and adjust the payment calculations for the hospitals going forward.
  3. OIG Audits of Contingency Plans. Pursuant to the HIPAA Security Rule, covered entities must have contingency plans in place in case of a disaster or other occurrence that damages systems that contain ePHI (45 CFR 164.308). The OIG plans to compare hospitals’ contingency plans with “government and industry recommend practices.”
  4. OIG Audits of AIU Participants. OIG has recently issued new audits investigating AIU attestations. For further detail related to these audits go to: http://meaningfuluseaudits.com/oig-escalates-meaningful-use-audits-of-hospitals/.

Preparing for these OIG audits can be accomplished during your own internal Security Risk Analysis and can be a useful tool for verifying the accuracy and thoroughness of your own process. For more information about the OIG Security Audits or other OIG audits please contact Elana Zana or Dave Schoolcraft.


CMS Announces Intent to Modify Meaningful Use

CMS announced today its intent to make significant changes to the EHR Incentive Program beginning in 2015.  The proposed changes, though not yet codified in a proposed rule, include a much desired ease of the program requirements in 2015.  They include:

  1. Aligning hospital EHR reporting periods to the calendar year (rather than the fiscal year) to allow hospitals to have more time to incorporate 2014 CEHRT into their workflows;
  2. Shortening the EHR reporting period in 2015 to 90 days to accommodate these changes; and
  3. Adjusting other portions of the program to “match long-term goals, reduce complexity, and lessen providers’ reporting burdens.”

These new rules are expected this spring.  CMS clarified in its announcement that these proposed modifications will not be forthcoming in the Stage 3 proposed rule which is expected to be released in early March.  CMS also indicated that it proposes to limit the scope of the Stage 3 proposed rule to criteria for meaningful use in 2017 and beyond.

To learn more about meaningful use and the EHR Incentive Program contact Elana Zana.

Washington Certificate of Need – Tertiary Services Review

The Washington State Department of Health issued today an announcement that it is conducting a review of the tertiary services that it requires to obtain certificates of need under the current regulations (WAC 246-310-020(1)(d)(i)). It is seeking comments on whether there should be additions to or deletions from the current tertiary services list, which includes:

  1. Specialty burn services;
  2. Intermediate care nursery and/or obstetric services level II;
  3. Neonatal intensive care nursery and/or obstetric services level III;
  4. Transplantation of specific solid organs;
  5. Open heart surgery and/or elective therapeutic cardiac catheterization, including percutaneous coronary interventions generally and elective percutaneous coronary angioplasty (PTCA), specifically;
  6. Inpatient physical rehabilitation services level I; and
  7. Specialized inpatient pediatric services

Those providers seeking to provide the above services must first obtain a certificate of need from the Washington Department of Health before commencing the provision of these services.

The Department of Health is soliciting participation in three phases. The first phase, which runs from January 1 to February 28, 2015, invites individuals to propose changes to the current list of tertiary services so that the Department of Health can create a report consolidating the suggestions.

To learn more about the certificate of need tertiary health services review click here.  For assistance in drafting comments to the Department of Health please contact Elana Zana.

Failure to Patch Software Leads to $150K HIPAA Settlement

Anchorage Community Mental Health Services, Inc. (“ACMHS”), a nonprofit mental health provider in Alaska, has agreed to a $150,000 HIPAA settlement and a 2-year Corrective Action Plan with HHS following a breach of 2,743 patient records due to malware. According to the HHS press release:

OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.

According to the Resolution Agreement, OCR uncovered the following HIPAA violations:

  • ACMHS failed to conduct an accurate and thorough risk assessment.
  • ACMHS did not implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI.
  • ACMHS’ security infrastructure did not appropriately guard against unauthorized access to ePHI that is transmitted over an electronic communications network. Specifically, HHS noted that ACMHS failed to “ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.”

In addition to the $150,000 HIPAA Settlement, ACMHS will be under HHS’ microscope for the next two years.  The Corrective Action Plan requires ACMHS to implement the following changes:

  • Draft and adopt updated Security Policies and Procedures and submit them to HHS within 60 days.
  • Distribute new Security Policies and Procedures to all workforce members and require the workforce members to sign a compliance certification.
  • Provide training on security awareness to all workforce members and annual training thereafter.
  • Perform an accurate and thorough risk assessment.
  • Inform HHS if a workforce member fails to adhere to the Security Policies and Procedures.
  • Provide annual reports to HHS.

ACMHS’ settlement provides three key takeaways for covered entities and business associates:

1) Patch & Update. Like Community Health Systems, which reported a breach of 4.5 million patient records due to Chinese hackers targeting the Heartbleed vulnerability, ACMHS is finding out the hard way the importance of software patching and updating. Staying up to date on security patches and software updates is not an easy task, but it is an important one considering that hackers are actively exploiting these vulnerabilities.

2) Tailor the Security Policies and Procedures.  Simply having in place template Security Rule policies and procedures is insufficient to satisfy the requirements of the HIPAA Security Rule and to ultimately secure ePHI.  HIPAA Security policies need to be tailored for the actual information security infrastructure in place at the covered entity/business associate.  The Security Rule permits flexibility when choosing which tools to deploy to protect ePHI, but requires that the covered entity/business associate actually evaluate its infrastructure to make these decisions.

3) Security Risk Analysis. Further, once the Security Policies and Procedures are in place they need to be evaluated, and the actual system needs to undergo a security risk assessment (we suggest doing this at least annually). The process of drafting the Security Policies and Procedures, as well as the security risk assessment itself, will aid covered entities/business associates in identifying vulnerabilities, evaluating security options, and ultimately safeguarding their ePHI. HHS has created a security risk assessment tool to help covered entities (it is not really business associate focused) evaluate their security compliance.

For more information about the HIPAA Security Rule or if you need assistance in creating your HIPAA Security Policies and Procedures please contact Elana Zana.

Patient Engagement and Meaningful Use

I am very excited this week to present with my colleague Dave Schoolcraft at MGMA in Las Vegas.  We have two presentations on Tuesday, the first at 10:15 entitled the Legal Aspects of Meeting Patient Engagement, the second at 2:45 entitled Double Dipping for EHR Funding.

Vegas is all about the money, and Double Dipping for EHR Funding will focus on how physician practices can still obtain money for Electronic Health Record systems.  The presentation will focus on Stark/Anti-Kickback Donation Arrangements and Meaningful Use dollars.  If you are looking to upgrade to 2014 CEHRT this is a presentation you don’t want to miss. Prior to joining our presentation, I suggest reading two articles we published earlier in the year: Understanding Stark/Anti-Kickback Compliant EHR Donation Arrangements and Key Lessons Related to Stark Compliant EHR Donation Arrangements.

As for Legal Aspects of Meeting Patient Engagement – this presentation focuses on both HIPAA Compliance and Meaningful Use. Stage 2 Meaningful Use includes five patient-engagement-related objectives, and this time CMS means business. Two of these five objectives include measures requiring that at least 5% of patients take an action. These five objectives make the implementation and use of patient portals essential, as portals are a key means of communication with patients and an appropriate mechanism for each of these Meaningful Use objectives.

The relevant patient engagement Meaningful Use objectives I am referring to here include:

I have added links to the CMS Eligible Professional Specification Sheets for Stage 2 above because I find them very helpful in deciphering what each of these measures requires. Meeting these requirements is not a walk in the park, and my clients have expressed difficulty getting patients to send secure messages or log in to a portal. Often the CEHRT itself makes these tasks quite difficult. Patient engagement is core to growing a practice, especially as patients begin to pay for their healthcare and start to demand physician interaction via e-mail and other technologies.

If you are interested in learning more about these patient engagement requirements in Meaningful Use stop on by our presentation, or contact me directly.


Meaningful Use Audit Outcomes – Guest Blog Post

October brings a flurry of Meaningful Use attestations, and this October is no different.  Eligible Hospitals finished up their attestation and are wrapping up the 2014 year; Eligible Professionals are checking their numbers and gearing up for their last run at achieving Meaningful Use before the end of the year.  Lingering in the background is ensuring that you have maintained documentation sufficient to meet the auditor’s standards.

Our guest blog post author, Steve Spearman from Health Security Solutions, researched the CMS audit results, and for hospitals the results are not too bad – but the same can’t be said for Eligible Professionals.  Here are the highlights:

Prepayment Audits for Eligible Professionals: 21.5% failed the audit.

Post-Payment Audits for Eligible Professionals:  24% failed the audit.

Post-Payment Audits for Hospitals: 4.7% failed the audit.

Steve’s blog article provides a deep dive into the audit results and the reasons for failure for both Eligible Professionals and hospitals.  To read his terrific blog article click here.  If you are interested in learning more about the audit statistics click here for Jim Tate’s blog article as well.

More audits are coming and making sure that you have double checked your numbers before attesting and performed your security risk analysis, including an implementation plan and completion dates, is necessary.  For assistance in preparing for audits or if you recently received an audit please contact Elana Zana.


Meaningful Use Attestation in 2014 – Picture Update

CMS and the Office of the National Coordinator (ONC) recently announced modifications to the meaningful use attestation requirements for 2014. Following significant lobbying from EHR vendors, eligible professionals (EPs), and hospitals, CMS issued a brief reprieve to meeting Stage 2 meaningful use in 2014 – for some lucky participants. Recognizing that EPs and hospitals may still be using 2011 certified EHR technology (CEHRT) or a mixture of 2011 and 2014 CEHRT, CMS created a chart of decision points meant to enable flexibility for EPs and hospitals alike. These options also accommodate EPs and hospitals that have upgraded to the 2014 CEHRT but are still unable to meet the Stage 2 requirements within the mandatory timetables.

However, this flexibility comes with a caveat: EPs and hospitals must explain that their failure to meet Stage 2 in 2014 as scheduled is because they could not “fully implement 2014 Edition CEHRT for the EHR reporting period in 2014 due to delays in 2014 Edition CEHRT availability.” So who is allowed to claim this exception? Though CMS does not provide an exhaustive list of examples, its published comments in the final rule provide some insights and helpful explanations.

Below are maps of decision points and examples of acceptable and unacceptable justifications for not meeting an EP’s scheduled meaningful use stage in 2014, whether it be the 2014 Stage 1 or Stage 2 objectives and measures. Any EPs or hospitals that attest for a different stage than what they were scheduled for must be prepared to defend this decision in an audit, understanding that each case will be evaluated individually; this defense should therefore be very well documented.

[Graphic: Meaningful Use decision points, first or second year] [Graphic: Meaningful Use decision points, third or fourth year]

Michelle Holmes, consultant with ECG Management Consultants co-authored this post.