Stark Law Donation Exception Extended to 2021

Beating the deadline by mere days, CMS and the OIG released their final rules related to the Stark Law exception/Anti-Kickback safe harbor for EHR donation arrangements.  The new rules extend the donation arrangement exception until December 31, 2021.

The new rules become effective 90 days after publication, with the exception of the extension, which is effective on December 31, 2013.  These new rules permit existing donation arrangements to continue to operate beyond December 31, 2013, provided they remain in compliance with the Stark exception and Anti-Kickback safe harbor.

Highlights of this new rule (other than the very important extension to 2021) include:

  • The items/EHR are provided by a company (i.e. a hospital) that is not a laboratory.
  • Software is deemed interoperable if it has been certified as “certified EHR technology” as that term is used by the ONC for the meaningful use/EHR Incentive Program.
  • Elimination of the requirement that the EHR software contain eRx capabilities in order to qualify for the exception.
  • Clarification that the donor cannot limit the interoperability of the donated software with other eRx and EHR systems, which CMS interprets more broadly by providing a non-exclusive list of the types of technologies that are included in this restriction: “health information technology applications, products, or services.”

For more information about drafting donation arrangements or these final rules please contact Elana Zana or Dave Schoolcraft.

To view the HIMSS statement on the extension click here.

Meaningful Use Audits – Security Risk Analysis

‘Tis the season for Meaningful Use, the time of year when eligible professionals (EPs) and eligible hospitals (EHs) compile their data from the meaningful use measures and prepare for attestation.  It is also the season of meaningful use audits.  A lesson learned from recent audits: CMS means what it says – EPs and EHs must conduct a security risk analysis.  This measure is not one to be taken lightly – it’s a HIPAA requirement, and CMS auditors are on the lookout for documentation (remember, all documentation must be retained for 6 years).

Regardless of whether EPs or EHs are attesting to Stage 1 or Stage 2, or the fact that they performed a security risk analysis last year, this objective and measure must be fulfilled each year:

 

Stage 1

Objective. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.

Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

Stage 2

Objective. Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.

Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in Certified EHR Technology in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP’s risk management process.

The HIPAA requirement for a Security Risk Analysis pursuant to 45 CFR 164.308(a)(1) is as follows:

“Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

CMS Meaningful Use audits have specifically called out this objective and measure and are requiring participants to prove that a Security Risk Analysis has actually occurred.  Though the HIPAA Security Officer should have conducted a security risk analysis for the entire practice/hospital, EPs and EHs should maintain a copy of this assessment with their meaningful use documentation and should review the assessment to make sure that the risk analysis complies with the meaningful use requirements (note: the Stage 2 requirements are significantly broader).

Below is the audit question that was sent to some Stage 1 EPs:

“Provide proof that a security risk analysis of Certified EHR Technology was performed prior to the end of the reporting period (i.e. report which documents the procedures performed during the analysis and the results of the analysis).  If deficiencies are identified in this analysis, please supply the implementation plan; this plan should include the completion dates.”

Note that the audit request indicates that further documentation is needed to satisfy the auditors.  EPs must show the implementation plan and the completion dates.  As per the measure itself, the requirement is not merely to conduct a security risk analysis, but the EPs and EHs must implement security updates and correct security deficiencies.  EPs and EHs should document these steps as well in order to appropriately respond to an audit request.

CMS has recently issued a new tip sheet to assist EPs and EHs in fulfilling the security risk analysis requirement.  In addition, ONC has published guidance on HIPAA Security Risk Analysis requirements.  The CMS tip sheet includes some common myths surrounding risk analysis, such as:

  • “I only need to do a risk analysis once.”

False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.

  • “My EHR vendor took care of everything I need to do about privacy and security.”

False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

  • “The security risk analysis is optional for small providers.”

False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

  • “Simply installing a certified EHR fulfills the security risk analysis MU requirement.”

False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Responding to a Meaningful Use audit can be time-consuming and very detail-oriented; thus, maintaining the appropriate documentation is essential.  For assistance with Meaningful Use or HIPAA security risk assessments, please contact Elana Zana.

Reducing the Risks of Third-Party Access to EHR Systems

UnityPoint Health, a health system located in Iowa, recently informed 1,800 patients of a breach of their health information.  UnityPoint learned of the breach after an audit discovered that a third party contractor’s employee had improperly gained access to the UnityPoint electronic health record (EHR) system and viewed the records of the 1,800 patients.

The UnityPoint breach shows the risks of allowing third-party contractors, known as “business associates,” to access health information in an EHR system.  While such access may be required for certain activities, including billing, claims management, or utilization review, providers must be certain that the business associate agreements with such contractors include strong protections for the provider.

For example, business associate agreements should include requirements for the business associate to indemnify the provider for expenses resulting from HIPAA breaches, pay all notification costs associated with such breaches, and maintain insurance policies that provide coverage for a large breach.

Although strong language in a business associate agreement provides legal protection for a provider, it will do nothing to counteract the public relations fallout that results from notifying patients of a breach.  Therefore, providers should make every effort to contract with legitimate entities that understand HIPAA compliance.

If you would like more information about HIPAA compliance, please contact Casey Moriarty.

SRDP Settlement: Improper EHR Donation Arrangement Among Violations

Last month CMS settled several violations of the self-referral statute (aka Stark Law) with an Ohio hospital, including a failure to appropriately structure a donation arrangement for electronic health records (EHR).  The hospital disclosed under the Self-Referral Disclosure Protocol (SRDP) that it may have violated the Stark Law with regard to several arrangements with certain physicians, including arrangements for EKG interpretations, medical director services, Vice-Chief of Staff services, and hospital services (no specifics provided in CMS release).  The settlement was for $265,565.  The SRDP, which was included in the ACA, was created as a mechanism for providers to self-report potential Stark Law violations.

The EHR donation arrangement exception to the Stark and Anti-Kickback laws permits hospitals to enter into certain arrangements with physicians for the donation of EHR-related software and services.  The donation arrangement exception is scheduled to expire on December 31, 2013; however, CMS has proposed extending the exception through 2016.  If CMS does not extend the exception, existing donation arrangements will have to convert to fair market value for shared technology and services.

If you have questions regarding the SRDP or structuring an EHR donation arrangement, please contact Elana Zana.

Deadline for Avoiding the eRx Payment Adjustment Approaching at End of the Month

The June 30, 2013 deadline to participate in the Electronic Prescribing Incentive Program (“eRx”) and avoid the 2014 eRx payment adjustment is fast approaching.  Eligible Professionals (“EP”) looking to avoid the 2% payment adjustment in 2014 (payment adjustment means that an EP will only receive 98% of his/her Medicare Part B Physician Fee Schedule amount for covered professional services) must either participate in the eRx program, fall under the exclusion criteria, or file for a hardship exemption by June 30, 2013.  Information regarding participation in the eRx program can be found here.

Exclusions

The following EPs will not be subject to the 2014 eRx payment adjustment if any one of the following applies:

  1. EP successfully participates in the eRx program during the 2012 12-month reporting period (1/1/12 – 12/31/12).
  2. EP is not an MD, DO, podiatrist, Nurse Practitioner or Physician Assistant.
  3. EP does not have at least 100 Medicare Part B PFS cases containing the encounter code in the measure’s denominator between 1/1/2013-6/30/2013.
  4. EP does not have 10% or more of their charges as Medicare Part B PFS allowable charges for encounter codes in the measure’s denominator between 1/1/2013-6/30/2013.
  5. EP does not have prescribing privileges and reported GT8644 on a payable Medicare Part B service at least once on a claim between 1/1/2013-6/30/2013.
  6. EP submits at least 10 eRx and reports the G-code G8553 between 1/1/2013-6/30/2013.
  7. EP achieves Meaningful Use under the Medicare or Medicaid EHR Incentive Program during 2012 or between 1/1/2013-6/30/2013 (and attests before 6/30/2013).
  8. EP demonstrates by registration of their intent to participate in the Medicare or Medicaid EHR Incentive Program during the 1/1/13-6/30/13 reporting period.
  9. EP submits one hardship exemption G-code via any payable Medicare Part B PFS claim between 1/1/2013-6/30/2013.
  10. EP requests and CMS approves a hardship exemption.

Hardship Exemptions

EPs may be exempted from the payment adjustment if it is determined that compliance would result in a significant hardship.  Hardship exemptions must be submitted by June 30, 2013.  Such exemptions include:

  1. EP’s inability to electronically prescribe due to state, federal or local law or regulation. (Submit using the Communication Support Page)
  2. EP prescribes fewer than 100 prescriptions in a six month payment adjustment reporting period.  (Submit using the Communication Support Page)
  3. EP practices in a rural area without sufficient high-speed internet access.  (Submit using the Communication Support Page or use G8642 in at least one claim between 1/1/13-6/30/13)
  4. EP practices in an area without sufficient available pharmacies for eRx.  (Submit using the Communication Support Page or use G8643 in at least one claim between 1/1/13-6/30/13)
  5. EP achieves Meaningful Use under the Medicare or Medicaid EHR Incentive Program.
  6. EP demonstrates their intent to participate in the Medicare or Medicaid EHR Incentive Program during the 1/1/13-6/30/13 reporting period.
  7. EP does not have prescribing privileges between 1/1/2013-6/30/2013.  (File at least one claim with G8644 on a payable Medicare Part B service between 1/1/13-6/30/13)

Requesting a Hardship Exemption

To submit a hardship request, EPs must access the Communication Support Page located here (look at the upper left-hand corner once on the site).  CMS suggests that when submitting a hardship, EPs should provide detailed justifications for the hardships.

Those hardships with G-codes may also be submitted by EPs on a claim with a payable Medicare Part B service during the six-month reporting period (1/1/13-6/30/13).

EPs that achieve Meaningful Use under the Medicare or Medicaid EHR Incentive Program or demonstrate their intent to participate in the Medicare or Medicaid EHR Incentive Program during the 1/1/13-6/30/13 reporting period will be determined by CMS through review of the EHR Incentive Program Attestation and Registration system.  CMS will automatically determine if these exemptions apply.

Group practices participating in 2013 eRx GPRO must indicate hardship exemptions during self-nominations/registration or submit an exemption request via the Communication Support Page (listed above).

For more information on eRx or other incentive programs please contact Elana Zana.

 

EHR Incentive Program Meaningful Use Stage 1 Updated

CMS has recently published a tip sheet consolidating for eligible professionals and hospitals the revisions made to the Stage 1 meaningful use measures that are effective in 2013.  These changes modify the following meaningful use objectives:

  • Public Health Reporting Objectives
  • Electronic Exchange of Key Clinical Information
  • Computerized Physician Order Entry (CPOE)
  • Record and Chart Changes in Vital Signs
  • Electronic Prescribing
  • Electronic Copy of and Electronic Access to Health Information (changes only applicable starting in 2014)

Some of the changes in the measures are required, while others are optional for 2013 but become required for 2014.  To view the Stage 1 changes tip sheet click here.

At the same time CMS also revised its Stage 1 Meaningful Use table of contents and tip sheets for each objective/measure for eligible professionals and hospitals/CAH.

If you have questions regarding the Medicare or Medicaid EHR Incentive Programs or meaningful use generally please contact Elana Zana.

Proposal Would Extend EHR Donation Rules

The U.S. Department of Health and Human Services (HHS) has released proposed rules to amend the electronic health record (EHR) donation exception and safe harbor under the Stark Law and Anti-Kickback Statute.  The exception and safe harbor permit certain entities to share costs associated with EHR-related items and services with other entities.   Under the regulations, the receiving party must pay at least 15 percent of the donor’s cost for the items and services.

The current language of the regulations has a “sunset” provision that requires a donor to transfer EHR items and services on or before December 31, 2013.  Under the proposed rules, HHS would extend the sunset provision three years to December 31, 2016.

Without the rule change, existing donation arrangements would have to convert to a “fair market value” model for shared services and technology.  The existing sunset provisions also provide a significant barrier to the development of new arrangements. 

The rules also include the following proposed revisions to the regulations: (1) changes to the requirements for when EHR software is deemed “interoperable,” (2) removal of the requirement related to electronic prescribing capability, and (3) limits on the types of entities that are allowed to make EHR donations.

HHS also seeks suggestions on how to achieve the following goals under the exception and safe harbor: (1) preventing the misuse of donated EHR technology in a way that results in data and referral lock-in, and (2) encouraging the free exchange of data created by donated software.

You can view the proposed rule for the Anti-Kickback Statute here and the proposed rule for the Stark Law here.

HHS will accept comments to the proposed rules until June 10, 2013.

If you have any questions about donating EHR technology under the Anti-Kickback Statute and Stark Law, please contact David Schoolcraft or Casey Moriarty.