HHS Says Push for EHRs Overlooks Security Gaps

It seems HHS is laying the groundwork for the issuance of the updates to HIPAA privacy and security rules under the HITECH Act.  As reported May 16th in the Washington Post:

“The nation’s push to computerize medical records has failed to fully address longstanding security gaps that expose patients’ most sensitive information to hackers and snoops, government investigators warn.”

http://www.washingtonpost.com/politics/hhs-inspector-general-says-push-for-electronic-medical-records-overlooks-some-security-gaps/2011/05/16/AFpaH54G_story.html

Bill Allows Public Hospital Districts to Fundraise

Effective July 22, 2011, Public Hospital Districts in Washington will now be allowed to fundraise.  The new bill amended RCW 70.44.060 to allow Public Hospital Districts to:

“To solicit and accept gifts, grants, conveyances, bequests, and devises of real or personal property, or both, in trust or otherwise, and to sell, lease, exchange, invest, or expend gifts or the

proceeds, rents, profits, and income therefrom, and to enter into contracts with for-profit or nonprofit organizations to support the purposes of this subsection, including, but not limited to, contracts1 providing for the use of district facilities, property, personnel, or

services.”  To read the full text of the bill click here.

$12 Million in New Grant Funding to Assist Physicians with EHRs

As reported in Healthcare IT News “The Health Resources and Service Administration has made available $12 million in grants for rural healthcare network organizations to help them become meaningful users of certified electronic health records.” According to HRSA officials “the grants may support health IT activities, such as development of a strategic plan for electronic health records (EHRs), workforce analysis, purchase of health IT equipment and installation of broadband for connectivity.” For more details see http://www.healthcareitnews.com/news/hrsa-puts-12m-rural-health-networks.

Attestation for EHR Incentive Programs Available

Earlier this month, CMS launched the attestation portion of the EHR Incentive Payment Program.  Beginning on April 18th, eligible professionals and hospitals are now able to attest to meaningful use (or adopt, implement or upgrade for Medicaid).  Along with the attestation itself, CMS launched its Meaningful Use Attestation Calculator, a wizard which walks eligible professionals and hospitals through the meaningful use objectives and enables the entity to determine if it can successfully meet the meaningful use standards prior to filling out the registration form. 

For those providers that are able to begin the registration and attestation process, access to registration and attestation is available here.  The CMS website also has a user guide that is helpful when registering as well as FAQs.  To be eligible for either the Medicare or Medicaid EHR Incentive Programs an eligible professional or hospital must be using certified EHR technology.  The ONC provides a list of which EHR systems are “certified.”

In addition, CMS is offering teleconferences regarding registration and attestation:

  • Tuesday, May 3, 2:00 – 3:30 p.m. ETRegister to join this call if you are an eligible hospital or CAH who wants to learn more about the attestation process for the Medicare EHR Incentive Program.
  • Thursday, May 5, 1:30 – 3:00 p.m. ET- Register to join this call if you are an EP who wants to learn more about the attestation process for the Medicare EHR Incentive Program.

Some states are also offering webinars about the Medicaid EHR Incentive Payment Program and how to register.  Registration for the Medicaid EHR Incentive Program requires both registration with CMS and on the state level.  However, eligible professionals and hospitals will not be able to register with CMS for the Medicaid EHR Incentive Program until their state is ready to start its Medicaid EHR Incentive Program.  Washington expects to go-live in June 2010; California plans to go-live this Summer for eligible professionals. 

If you have questions regarding the Medicare or Medicaid EHR Incentive Programs or would like some assistance with understanding meaningful use or calculating patient volume (Medicaid) please contact Elana Zana or Dave Schoolcraft.

Washington Emergency Cardiac and Stroke System

Applications are now available for hospital participation in the new Washington Emergency Cardiac and Stroke (ECS) System.  The ECS System is designed to provide timely treatment for cardiac and stroke patients, including getting the patient to the right hospital.  The new law (Chapter 70.168 RCW), effective in June 2010, asks hospitals to self-identify cardiac and stroke capabilities.  Additionally, the Department of Health (“DOH”) will:

  • “Expand the scope of EMS and Trauma regional quality assurance programs to include cardiac and stroke cases.
  • Require quality improvement activities for participating hospitals.
  • Identify hospitals that can treat cardiac and stroke patients and meet criteria to participate in the system.
  • Adopt standard procedures for emergency medical services to assess and triage cardiac and stroke patients.”

More information regarding the ECS System is available at on the DOH website, including an informative PDF.

Below is a letter sent out by the DOH regarding hospital applications:

To All Chief Executive Officers and Staff Involved in Cardiac and Stroke Care:

Back in September, we told you about the Emergency Cardiac and Stroke (ECS) System the Department of Health is putting in place http://www.doh.wa.gov/hsqa/hdsp/default.htm.  We also told you we’d be sending out information about how to apply to participate in the system. That’s what this email message is about.

Applying to participate in the ECS System is easy. There are three categorization levels for stroke centers and two for cardiac centers. Most hospitals already meet the criteria to participate at one of the levels. Steps to apply:

1)      Determine which level of cardiac and stroke center categorization best fits your hospital’s resources and capabilities. See the participation criteria here http://www.doh.wa.gov/hsqa/hdsp/hospital.htm [NOTE: we have provided clarification and made minor modifications to the criteria on the application. Please request an application even if you think your hospital doesn’t meet the participation criteria exactly as stated on the website.]

2)      Request an application for the categorization level you wish to apply for by sending an email to Kim Kelley, Cardiac/Stroke Systems Coordinator, kim.kelley@doh.wa.gov. We will begin sending applications out Friday, December 3, 2011.

3)      Complete and submit the application according to the instructions on the application.

You’ll hear back from us within 60 days of the date we receive your application. We hope you’ll apply right away. The sooner we can let EMS know which hospitals are participating, the faster we can get the system in place and start saving more lives and reducing disability for the people in our communities.

We look forward to working with you to build on all the improvements in cardiac and stroke care you’ve already made at your hospitals. Now it’s time for us to improve our response and treatment before the patient gets to the hospital by building a comprehensive, coordinated Emergency Cardiac and Stroke System. It’ll be the first system in the country that includes both cardiac and stroke care and is in place statewide.

If you have questions, contact Kim Kelley, 360-236-3613, kim.kelley@doh.wa.gov.

Sincerely,

Janet Kastl, Director

Office of Community Health Systems

 

 

Initial Certification of EHR Technology

The Drummond Group and CCHIT announced this week the certification of EHR technology.  CCHIT certified 33 complete EHRs and modules, click here to access the list.  The Drummond Group certified 3 complete EHRs and modules, click here to access the list.  The certification of these EHRs is significant because meaningfully using certified EHR technology  is required to qualify for the Medicare and Medicaid incentive payments.  Hospitals and eligible providers may use either a complete EHR system to show meaningful use or a set of modules that combine create a complete EHR system.

For more information regarding meaningful use and certification visit the ONC FAQ page.

CMS Releases Self-Referral Disclosure Protocol

On September 23, 2010, the Centers for Medicare and Medicaid Services (CMS) posted on its web site the long awaited voluntary “Self-Referral Disclosure Protocol” which it refers to as the “SRDP.”  Information about the SRDP is available on the CMS website, and the SRDP is available here.

In March 2010, Congress enacted the Patient Protection and Affordable Care Act (sometimes referred to as the “PPACA” or “ACA”).  Section 6409 of the ACA required CMS to promulgate a Stark law self-disclosure program by September 23, 2010, which it has now done.  CMS intentionally decided to establish the SRDP without going through rule making.  While it is good news that there exists a formal mechanism for resolving Stark law violations, the SRDP raises as many questions as it answers.  Important aspects of the SRDP include the following:

  • The SRDP is separate from the advisory opinion process and cannot be used to obtain a CMS determination about an actual or potential violation;
  • CMS makes no guaranty about the treatment a disclosing party will receive, i.e., that overpayment amounts will be compromised in any particular manner or at all;
  • CMS will coordinate disclosures it receives with the DHHS Office of Inspector General (OIG) and Dept. of Justice (DOJ) as appropriate;
  • The disclosure must be comprehensive, address all of the elements set forth in SRDP, and include a comprehensive financial analysis;
  • Disclosures made within 60 days of the overpayment being identified will suspend the obligation to return any overpayment until a settlement agreement is entered or the disclosure is removed from the SRDP;
  • The disclosing party or an appropriate officer of the disclosing party must certify that the submission is truthful and based on a good faith effort to resolve any potential liabilities under the Stark law;
  • CMS will verify the submission, including requesting additional information and requiring cooperation from the disclosing party to provide information that may be subject to the attorney-client or attorney work product privileges; and
  • Repayment of any overpayment will not be accepted prior to CMS’s completion of its verification and inquiry.

Throughout the process, CMS will require the diligent and good faith cooperation of a disclosing party.  Failure to provide cooperation will be considered by CMS as it assesses appropriate resolutions.  If a disclosing party provides false or misleading information, or intentionally omits relevant information, CMS may refer the matter to the DOJ or other appropriate agencies.  Disclosures must be made within 60 days of the date the original overpayment was identified, or the date any corresponding cost report is due, if applicable.  Finally, CMS has set forth factors that it will consider in determining whether to reduce the amounts that would otherwise be owed.  Again, CMS provides no guarantees, or even guidelines, for how it will determine appropriate resolutions.  The factors CMS will consider include

  • The nature and extent of the illegal or improper practice;
  • The timeliness of the self-disclosure;
  • The cooperation of the disclosing party in providing additional information;
  • The litigation risk associated with the disclosure; and
  • The financial position of the disclosing party.

Despite the request of various industry groups, CMS has made no explicit statements about how it will consider or treat disclosures of technical violations (e.g., missing signature, expired agreements, etc.).  Ultimately, CMS states that it has “no obligation to reduce any amounts due and owing,” and that it will make determinations on an individual, facts and circumstances basis for each disclosure.

Having this avenue to attempt to resolve Stark law violations is indeed an improvement that has been needed for a long time.  However, providers cannot take much comfort from CMS’s statement that it has no obligation under the SRDP to compromise amounts due.  Only time and experience will tell how CMS treats these disclosures.  Ultimately, if a disclosing party does not believe that it is receiving appropriate treatment, it appears that the party can remove itself from the SRDP;  however, that is cold comfort after it has brought the matter to CMS’s attention and now has the obligation under the ACA to return overpayments.

For more information on the SRDP or the Stark law in general, please contact Don Black, Dave Schoolcraft or any one of OMW’s Healthcare Team members.  

WSHA Publishes Updated HIPAA Law Enforcement Guide

The Washington State Hospital Association recently published an update to its Hospital and Law Enforcement Guide to Disclosure of Protected Health Information.  This guide will assist providers in assessing both HIPAA and state law when disclosing protected health information to law enforcement.  The guide also provides a sample patient authorization form.  Updates to the guide include:

  • registered domestic partnership patient information authorization;
  • when hospitals are required to make an affirmative report regarding the admission of unconscious patients; and
  • the release of information relating to involuntarily committed patients. 

To access the guide click here.

CMS Launches EHR Incentive Payment Website

To help answer questions regarding meaningful use and the EHR incentive payments, CMS has launched an EHR Incentive Program website.  The website provides FAQ’s, CMS presentations, fact sheets, and more.  To view the site click here.

Final Rule for Breach Notification Delayed

HHS announced this week that it will be delaying publication of the HIPAA breach notification final rules.  These rules were originally expected to be published in the Federal Register later this summer.  HHS is expected to delay the publication of these rules for several more months.

Below is the text of the HHS press release:

The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009.  During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.

HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010.  At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations.  This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur.  We intend to publish a final rule in the Federal Register in the coming months.

If you have questions regarding the interim breach notification rules please contact David Schoolcraft or Elana Zana.