MACRA Released

On Friday, CMS released the MACRA final rule, its new payment system for Medicare clinicians, which replaces the sustainable growth rate formula and the EHR Incentive Program for Medicare providers.

MACRA creates the framework for providers to participate in the CMS Quality Payment Program through either the Advanced Alternative Payment Models (Advanced APMs) or the Merit-based Incentive Payment System (MIPS). The goal of these models is to reward value and outcomes, in support of CMS’ goal of paying for quality and value. Importantly, MIPS consolidates components of PQRS, the Physician Value-based Payment Modifier (“VM”), and the EHR Incentive Program (also known as meaningful use).

“As prescribed by Congress, MIPS will focus on: quality – both a set of evidence-based, specialty-specific standards as well as practice-based improvement activities; cost; and use of certified electronic health record (EHR) technology (CEHRT) to support interoperability and advanced quality objectives in a single, cohesive program that avoids redundancies. Many features of MIPS are intended to simplify and integrate further during the second and third years.”

Though the new rule becomes effective on January 1, 2017, clinicians will be given a transition period in which to prepare for MIPS, with negative payment adjustments not occurring until January 1, 2019. MACRA sunsets payment adjustments under the Medicare EHR Incentive Program, PQRS and VM after CY2018. Clinicians not ready to start on January 1, 2017 have until October 2, 2017 to commence participation. Regardless of when a clinician starts, he or she must submit performance data by March 31, 2018.

CMS’ Quality Payment Program has the following strategic objectives:

(1) to improve beneficiary outcomes and engage patients through patient-centered Advanced APM and MIPS policies;

(2) to enhance clinician experience through flexible and transparent program design and interactions with easy-to-use program tools;

(3) to increase the availability and adoption of robust Advanced APMs;

(4) to promote program understanding and maximize participation through customized communication, education, outreach and support that meet the needs of the diversity of physician practices and patients, especially the unique needs of small practices;

(5) to improve data and information sharing to provide accurate, timely, and actionable feedback to clinicians and other stakeholders; and

(6) to ensure operational excellence in program implementation and ongoing development.

CMS also launched a new website with graphics to aid in understanding the MACRA regulations. To view the interactive website, click here.

CMS has also provided a 24-page executive summary. Click here to view the executive summary.

If you have questions about MACRA please contact Elana Zana.


HIPAA Audit Program Phase II – Have You Been Selected?


Phase II of the HIPAA Audit Program has begun, with many covered entities and business associates receiving an “Audit Entity Contact Verification” message from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The communication requires the individual recipient to verify that he or she is the primary contact for the HIPAA Audit Program.

Does the receipt of this form mean that your entity has been selected for an audit? Not necessarily.

Although receipt of the communication is not a guarantee of an audit, it is the first step in a process that may lead to a comprehensive HIPAA compliance audit of your entity. According to OCR, the process for the HIPAA Audit Program is as follows:

  1. Contact Verification: OCR will send the Audit Entity Contact Verification to a covered entity or business associate to determine the entity’s primary contact for HIPAA purposes. Covered entities and business associates who receive the form should respond and not ignore OCR’s request for verification. OCR has made it clear that entities who do not respond could still be subject to an audit.
  2. Questionnaire: After the entity’s contact information is verified, OCR will send a questionnaire to each covered entity and business associate to determine the size, type, and operations of the entity. Covered entities will also be required to identify each of their business associates. OCR will use this data to develop the pool of potential auditees for the HIPAA Audit Program.
  3. Selection: OCR will then randomly select entities from the pool for audit. If selected, the entity will have to visit an OCR web site and upload its HIPAA privacy policies, security policies, and most recent risk assessment. Based on the information uploaded, it is possible that OCR will arrange for an on-site visit of the entity.

The bottom line is that your receipt of the Audit Entity Contact Verification message does not necessarily mean that your entity will be selected for a HIPAA audit.  However, your entity will likely be placed into the pool from which OCR will select entities to audit.

If nothing else, the receipt of the Audit Entity Contact Verification communication should motivate your entity to review current HIPAA privacy and security policies and ensure that they conform to the requirements of HIPAA and the HITECH Act.  In addition, your entity should perform an updated risk analysis to uncover and address gaps in your HIPAA security policies and procedures.

A basic risk analysis should include the following components:

  1. Inventory: An inventory listing all of your information assets that contain health information (e.g. computers, laptops, smartphones, etc.);
  2. Threats: Potential threats to the security of your information assets;
  3. Controls: Current controls to safeguard the assets against the threats;
  4. Vulnerabilities: Any vulnerabilities in the controls;
  5. Likelihood: The likelihood that the threats will exploit the vulnerabilities;
  6. Impact: The impact if the vulnerabilities are exploited (e.g. how much health information is at risk); and
  7. Risk: The overall risk of a threat, based on the likelihood and potential impact of the threat’s exploitation of a vulnerability.
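As an added illustration (example code written for this post, not part of the original article or of any HHS tool), the Python script below turns the seven components above into a small risk register: each asset carries the controls actually in place, each threat names the controls that mitigate it, a missing control is recorded as a vulnerability, and likelihood and impact are scored on a 1-3 scale so findings can be ranked. The assets, threats, control names and scoring scale are constructed assumptions; the one fact taken from HIPAA itself is the 500-individual threshold in the Breach Notification Rule, used here to bump impact to the top tier.

```python
from dataclasses import dataclass

# Ordinal 1-3 scales for likelihood and impact are an assumption for this
# example; the Security Rule does not prescribe a particular scoring method.
LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str               # "laptop", "server", "phone", ...
    ephi_records: int       # individuals whose ePHI the asset holds
    controls: frozenset     # safeguards actually implemented on the asset


@dataclass(frozen=True)
class Threat:
    name: str
    targets: frozenset      # asset kinds this threat applies to
    base_likelihood: int    # likelihood with none of the mitigations in place
    mitigations: frozenset  # controls that each lower likelihood by one step


@dataclass
class Finding:
    asset: str
    threat: str
    vulnerabilities: list   # mitigating controls that are missing
    likelihood: int
    impact: int

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def impact(asset: Asset) -> int:
    """Impact is driven by how many individuals' ePHI the asset exposes."""
    if asset.ephi_records == 0:
        return LOW
    # A breach affecting 500 or more individuals requires prompt notice to HHS
    # and the media under the Breach Notification Rule, so treat it as HIGH.
    return HIGH if asset.ephi_records >= 500 else MEDIUM


def likelihood(asset: Asset, threat: Threat) -> int:
    """Each mitigating control that is present lowers likelihood by one step."""
    present = len(threat.mitigations & asset.controls)
    return max(LOW, threat.base_likelihood - present)


def assess(assets, threats) -> list:
    """Build the register: one finding per applicable (asset, threat) pair,
    highest risk first."""
    findings = []
    for asset in assets:
        for threat in threats:
            if asset.kind not in threat.targets:
                continue
            missing = sorted(threat.mitigations - asset.controls)
            findings.append(Finding(asset.name, threat.name, missing,
                                    likelihood(asset, threat), impact(asset)))
    findings.sort(key=lambda f: (-f.risk, f.asset, f.threat))
    return findings


# Constructed sample inventory (not real devices or record counts).
SAMPLE_ASSETS = [
    Asset("field-laptop-07", "laptop", 12000, frozenset({"password"})),
    Asset("ehr-db-01", "server", 40000,
          frozenset({"full_disk_encryption", "access_control", "backup"})),
    Asset("oncall-phone-02", "phone", 0,
          frozenset({"full_disk_encryption", "remote_wipe"})),
]

SAMPLE_THREATS = [
    Threat("theft of portable device", frozenset({"laptop", "phone"}), HIGH,
           frozenset({"full_disk_encryption", "remote_wipe"})),
    Threat("ransomware", frozenset({"laptop", "server"}), HIGH,
           frozenset({"backup", "patch_management"})),
]


if __name__ == "__main__":
    for f in assess(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f"risk={f.risk} {f.asset:18} {f.threat:26} "
              f"L={f.likelihood} I={f.impact} missing={f.vulnerabilities}")
```

On the sample data the password-only laptop holding 12,000 records comes out on top, with full-disk encryption and remote wipe listed as the missing controls; that is the kind of gap a risk analysis is meant to surface before a device goes missing, and each finding maps directly onto a policy or procedure the entity should then adopt.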

It is important to develop policies and procedures to address any risks that your entity uncovers as a result of the risk analysis.

Although the HIPAA Audit Program can be a source of anxiety for covered entities and business associates, it can also be a great opportunity to update HIPAA policies and procedures and ensure that your entity is doing everything possible to safeguard health information.

For more information about the HIPAA Audit Program and HIPAA compliance issues, please contact Casey Moriarty.

Can non-MSSP ACOs qualify for Tax-Exempt Status?

The Internal Revenue Service (IRS) recently affirmed its decision to deny 501(c)(3) tax-exempt status to an accountable care organization (ACO) that did not participate in the Medicare Shared Savings Program (MSSP). The IRS initially denied the ACO’s request for tax exempt status in a determination letter dated August 25, 2014. While neither the determination letter nor subsequent appeal is precedential, they provide valuable guidance for ACOs operating as tax-exempt organizations or pursuing tax-exempt status.

The ACO was formed by an existing exempt 501(c)(3) organization (System). The ACO’s purported purpose was furthering the triple aim health care reform goals (Triple Aim Goals) established by the Patient Protection and Affordable Care Act (PPACA), i.e. reducing healthcare costs, improving patient access to and the quality of medical care, and improving population health and patient experience. The ACO strove to further the Triple Aim Goals by acting as the representative for its providers in the negotiation and execution of agreements with third-party payers. The ACO’s providers included physicians employed by System, independent practice groups whose physicians were employed by System, and providers unaffiliated with System. Approximately half of the physicians participating in the ACO worked for independent practices or independent hospitals unaffiliated with System.

The IRS denied the ACO tax exempt status on two separate grounds. First, the IRS determined that the ACO was not operated exclusively for exempt purposes within the meaning of the Internal Revenue Code. The IRS then determined that the ACO was also not operated primarily for a public purpose.

Operated Exclusively for Exempt Purposes:

In order to qualify for 501(c)(3) status, an organization must be organized and operated exclusively for an exempt purpose. An organization is regarded as being operated exclusively for one or more exempt purposes, if it engages primarily in activities that accomplish an exempt purpose. An organization is not operated exclusively for an exempt purpose if more than an insubstantial part of its activities is not in furtherance of an exempt purpose. Two exempt purposes recognized by the IRS are lessening the burdens of government and the promotion of health.  In its determination letter, the IRS applied both exempt purposes to the ACO, before determining that the ACO was not operated exclusively for an exempt purpose.

Lessening the Burdens of Government:

In order for an activity to lessen the burdens of government, there must be an objective manifestation that government considers the activity to be its burden. Provisions of the PPACA encourage and support ACO cost sharing arrangements. In its determination letter, the IRS acknowledged that participation in the MSSP by an ACO will generally further the exempt purpose of lessening the burdens of government. The IRS continued, however, that the government has not provided an objective manifestation that it considers the activities of ACOs that do not participate in the MSSP to be its burden, regardless of their furtherance of the Triple Aim Goals. Accordingly, the IRS determined that the ACO’s activities did not further the exempt purpose of lessening the burdens of government.

This conclusion suggests that ACOs that do not participate in the MSSP may not be able to qualify for tax-exempt status on the ground that they lessen the burdens of government. Such non-MSSP ACOs may be able to lessen the burdens of government through other means; however, furthering the Triple Aim Goals of the PPACA alone appears to be insufficient. ACOs that intend to further the Triple Aim Goals should either participate in the MSSP or establish an exempt purpose other than lessening the burdens of government.

Promoting Health:

The promotion of health has long been recognized as an exempt purpose. However, not every activity that promotes health furthers exemption under Code Section 501(c)(3). For example, selling prescription pharmaceuticals promotes health, but is not a tax-exempt activity. In its determination letter, the IRS provided that while the Triple Aim Goals generally promote health, not all activities that support the Triple Aim Goals further the promotion of health for purposes of Code Section 501(c)(3). The ACO’s primary activity was negotiating with private insurers on behalf of its providers, many of which were unrelated to the ACO. The IRS determined that the link between negotiating with private insurers and promoting health was insufficient. Accordingly, the IRS concluded that the ACO was not operated exclusively in furtherance of the exempt purpose of promoting health.

This conclusion provides two insights. First, it indicates that an ACO whose purpose is furthering the Triple Aim Goals can qualify as being operated exclusively for the exempt purpose of promoting health. This is a valuable insight for ACOs that would prefer not to participate in the MSSP, but would like to receive tax-exempt status. Second, the IRS’ determination letter indicates that negotiating with private insurers likely is not sufficiently connected to promoting health. Accordingly, the activities of ACOs that do not participate in the MSSP will require a closer nexus to promoting health in order for such ACOs to qualify as tax-exempt organizations.

Benefiting a Public Purpose:

In addition to being organized and operated exclusively for exempt purposes, organizations seeking tax-exempt status must be organized and operated primarily for a public purpose. Organizations that primarily serve private interests instead of public interests are not eligible for tax-exempt status. Notwithstanding the foregoing, limited private benefits are permissible, when a benefit to the public cannot be achieved without necessarily benefiting private individuals and the private benefits are insubstantial to the public benefit conferred by the activity. In its determination letter, the IRS determined that the ACO conferred an impermissible private benefit.

As discussed above, the ACO’s primary activity was negotiating with private insurers on behalf of its providers. The IRS determined that the ACO’s negotiations only indirectly benefitted the community, compared to the benefit conferred on the ACO’s providers. Further, the IRS determined that the ACO’s activities were not the only means of conferring the benefit on the community. Accordingly, the IRS determined that the ACO conferred an impermissible private benefit on its providers. This example stands as a reminder that the primary benefit of an organization’s activities must flow to the public and not to private interests in order for the organization to receive tax-exempt status.

Conclusion:

The IRS’ determination letter and holding on appeal provide three valuable lessons for ACOs operating as tax-exempt organizations or pursuing tax-exempt status. First, in the opinion of the IRS, the activities of ACOs that do not participate in the MSSP do not further the exempt purpose of lessening the burdens of government. Second, while the Triple Aim Goals generally promote health, not all activities that support the Triple Aim Goals adequately further the promotion of health. For example, negotiation with private insurers on behalf of healthcare providers is not sufficiently tied to promoting health. Third, regardless of whether an ACO is organized and operated exclusively for an exempt purpose, the primary benefit of an ACO’s activities must flow to the public and not to private interests.

Stolen Laptop Costs Research Institute Millions

The Feinstein Institute for Medical Research (Feinstein) recently agreed to pay the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), $3.9 million to settle allegations that Feinstein violated the HIPAA Privacy and Security Rules. This settlement confirms OCR’s position that nonprofit research institutes are held to the same standards as all other HIPAA covered entities.

OCR began its investigation after Feinstein filed a breach report revealing that a laptop computer containing electronic protected health information (ePHI) had been stolen from an employee’s car. The laptop contained the ePHI of approximately 13,000 patients and research participants. The laptop was unencrypted.

In addition to the breach, OCR’s investigation determined that Feinstein failed to:

(1) conduct a risk analysis of all of the PHI held at Feinstein, including the PHI on the stolen laptop;

(2) implement policies and procedures for granting access to ePHI to workforce members;

(3) implement physical safeguards for the laptop;

(4) implement policies and procedures managing the movement of hardware that contains ePHI; and

(5) implement encryption technology or ensure that an alternative measure equivalent to encryption was deployed to safeguard the ePHI.

HIPAA does not expressly require encryption of ePHI; encryption is an “addressable” implementation specification under the Security Rule. Covered entities and business associates that do not encrypt ePHI are therefore required to document why encryption is not reasonable or appropriate, and to implement an equivalent alternative measure to safeguard the ePHI.

In addition to other violations, OCR’s investigation revealed that Feinstein failed to document why encrypting the laptop was not reasonable or appropriate. Further, far from having measures equivalent to encryption for safeguarding ePHI, OCR found that Feinstein lacked policies and procedures for the receipt and removal of laptops containing ePHI from its facilities, and policies and procedures for authorizing access to ePHI.

This settlement provides us with three lessons. First, it’s important to realize that research institutes are held to the same standards as other covered entities. To the extent a research institute maintains PHI, it is essential to develop adequate policies and procedures to protect the PHI. Failing to do so exposes the institute to considerable risk. Second, encrypting ePHI goes a long way towards reducing liability. Had Feinstein’s laptop been encrypted in a manner consistent with HHS guidance (which points to NIST Special Publication 800-111 for data at rest), the ePHI would have been “secured” and Feinstein would not have been required to report a breach. Instead, as is often the case, OCR’s investigation revealed multiple additional HIPAA violations. By not encrypting ePHI, covered entities and business associates risk not only the cost of a breach, but also the potential for added costs following an OCR investigation. Lastly, covered entities and business associates that don’t encrypt their ePHI are required to document why encryption is not reasonable or appropriate. Failing to do so is a HIPAA violation and subjects covered entities and business associates to liability.

Steep Price Tag for Not Entering a Business Associate Agreement

North Memorial Health Care of Minnesota (“North Memorial”) recently agreed to settle charges that it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by essentially failing to enter into a Business Associate Agreement. Pursuant to the settlement, North Memorial agreed to pay $1,550,000. This settlement is a reminder of the importance of executing business associate agreements before sharing protected health information.

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) initiated an investigation of North Memorial following its receipt of a breach report. The report indicated that a password-protected laptop had been stolen from a locked vehicle belonging to an employee of North Memorial’s business associate, Accretive Health, Inc. (“Accretive”). The laptop contained electronic protected health information on 9,497 individuals.

OCR’s investigation revealed that North Memorial failed to enter into a business associate agreement with Accretive. Pursuant to the HIPAA Privacy and Security Rules, covered entities are required to enter into business associate agreements with all business associates to whom they provide protected health information. The investigation further revealed that North Memorial failed to complete a risk analysis for the electronic protected health information that it maintained, accessed, and transmitted across its IT infrastructure. Such an analysis may have revealed the vulnerability posed by permitting protected health information to be stored on an unencrypted laptop; a password alone does not protect data on a stolen device, since the disk can simply be read in another machine.

Takeaways from this settlement:

  • Do not share protected health information with business associates without a valid business associate agreement in place. A valid business associate agreement almost certainly would have reduced North Memorial’s liability in this case.
  • Covered entities and business associates should perform HIPAA security risk analyses as required under the HIPAA Privacy and Security rules. Such analyses may uncover vulnerabilities that can be easily addressed.
  • Electronic Protected Health Information should be safeguarded with encryption technology. A high percentage of all breaches stem from lost or stolen portable devices. Encryption provides strong protection to covered entities and business associates in the case of a breach.
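Both this settlement and the Feinstein settlement above turned on an unencrypted laptop, so the practical check behind the last takeaway is whether every volume that can hold ePHI is actually encrypted, rather than merely sitting behind a login password. As an added example (written for this post; not code from HHS, OCR or either entity), the Python script below parses the JSON that util-linux `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints on Linux and reports every mounted filesystem that does not sit on top of a `crypt` (dm-crypt/LUKS) device anywhere in its ancestry, so LVM-on-LUKS layouts are recognized. The device tree in the sample is constructed; running `live_report()` assumes the host has util-linux installed. The equivalent status commands on other platforms are `manage-bde -status` (BitLocker) and `fdesetup status` (FileVault).

```python
import json
import subprocess


def _mountpoints(node: dict) -> list:
    """Return this node's mountpoints, tolerating both the older single
    'mountpoint' column and the newer 'mountpoints' list (util-linux 2.37+)."""
    points = node.get("mountpoints") or [node.get("mountpoint")]
    return [p for p in points if p]


def classify_mounts(lsblk_json: str) -> dict:
    """Map each mountpoint to True if the filesystem is backed, directly or
    through any ancestor (e.g. LVM on LUKS), by a dm-crypt device."""
    tree = json.loads(lsblk_json)
    result = {}

    def walk(node, encrypted):
        # Encryption is inherited down the tree: anything stacked on a
        # crypt device (partition -> crypt -> lvm -> fs) is encrypted at rest.
        encrypted = encrypted or node.get("type") == "crypt"
        for mp in _mountpoints(node):
            result[mp] = encrypted
        for child in node.get("children", []):
            walk(child, encrypted)

    for dev in tree.get("blockdevices", []):
        walk(dev, False)
    return result


def unencrypted_mounts(lsblk_json: str) -> list:
    """Mountpoints a HIPAA risk analysis should flag, sorted for stable output.
    Swap is reported too: unencrypted swap can hold pages of ePHI."""
    return sorted(mp for mp, enc in classify_mounts(lsblk_json).items() if not enc)


# Constructed sample device tree: LUKS-backed root and swap, plus a plain
# /boot and an unencrypted /data partition on a second disk.
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
            {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot"},
            {"name": "nvme0n1p2", "type": "part", "mountpoint": None, "children": [
                {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                    {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
                    {"name": "vg0-swap", "type": "lvm", "mountpoint": "[SWAP]"},
                ]},
            ]},
        ]},
        {"name": "sdb", "type": "disk", "mountpoint": None, "children": [
            {"name": "sdb1", "type": "part", "mountpoint": "/data"},
        ]},
    ]
})


def live_report() -> list:
    """Run lsblk on this host (assumes util-linux is installed)."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    print("sample:", unencrypted_mounts(SAMPLE_LSBLK))
    try:
        print("this host:", live_report())
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("lsblk unavailable:", exc)
```

On the sample tree the script flags `/boot` and `/data` and accepts `/` and swap, which is the point: a device can be "password protected" at login and still carry a wide-open data partition. A finding of an unencrypted volume that holds ePHI is exactly what the documented "why encryption is not reasonable or appropriate" rationale has to justify, and in practice it rarely can.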

HIPAA $239K Fine – Don’t Leave PHI with Husband

An Administrative Law Judge for the U.S. Department of Health and Human Services recently ruled that Lincare violated the HIPAA Privacy Rule by failing to implement policies and procedures to safeguard protected health information (PHI) and failing to protect PHI from disclosure to unauthorized persons. For such violations, the Judge imposed $239,800 in civil monetary penalties. This is only the second time the Office for Civil Rights (OCR) has pursued civil monetary penalties for violations of HIPAA, and the first time such a matter has been appealed to an Administrative Law Judge. This ruling serves as a reminder of the importance of maintaining adequate policies and procedures to safeguard PHI and prevent its unauthorized disclosure.

OCR became aware of the violation when the estranged husband of a Lincare Center Manager reported to OCR that his wife had left documents containing PHI in his possession, though he was not authorized to see them. Lincare instructed its Center Managers to maintain copies of certain PHI “secured” in their vehicles so that employees would have access to patient contact information if a center office was destroyed or otherwise made inaccessible. As a Center Manager, she kept such PHI in her car, despite knowing that her husband had keys to the car. The wife ultimately abandoned PHI in her home and vehicle.

In reaching its conclusion, the Judge noted that Lincare did not have a written policy addressing PHI that was removed from its offices. Lincare’s privacy policy could even be read as prohibiting the removal of PHI, despite Lincare’s business model requiring employees to remove PHI from its offices. Lincare also lacked policies and procedures to monitor PHI that was moved offsite. This meant that PHI could go missing without it coming to Lincare’s attention.

In light of this ruling, covered entities and business associates should consider whether their policies and procedures adequately protect PHI that is moved offsite. Specifically, employers should consider the circumstances in which they permit PHI to be moved offsite, what policies and procedures apply to PHI that is moved offsite, and how PHI that is moved offsite will be tracked. Employers allowing PHI to be removed from their offices should also consider options such as encrypting PHI on portable media, or avoiding paper and local copies altogether by limiting remote access to PHI to connections over a virtual private network.

Updated Meaningful Use Rules Released

After months of waiting, CMS and ONC finally issued final rules (with comment) pertaining to Stage 3 Meaningful Use, the 2015-2018 EHR Incentive Program and the 2015 edition of CEHRT certification. CMS announced that the rules, numbering 750+ pages, are designed to “simplify requirements and add new flexibilities for providers to make electronic health information available when and where it matters most.” CMS’ announcement also signaled more rules to come: CMS has opened a 60-day comment period for additional feedback about the EHR Incentive Programs and in particular the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), “which established the Merit-based Incentive Payment System and consolidates certain aspects of a number of quality measurement and federal incentive programs into one more efficient framework.” Expected release for the MACRA rule is spring 2016.

Highlights of the final rule include:

  • 2015 reporting for EPs and EHs is any continuous 90-day period within CY 2015, to be attested by Feb. 29, 2016, which may be extended to March if providers need additional time.
  • 2016 & 2017 new Medicare and Medicaid providers (and 2018 Medicaid providers) may report on any 90 days.
  • Most changes in the rule will not be required until 2018 (but providers who are ready may transition to the next phase in 2017).
  • 2015-2017 EPs will report on 10 objectives, EHs on 9 objectives, including one public health reporting objective.
  • Modified patient action measures in Stage 2 objectives.
  • 90 day reporting period for any provider moving to Stage 3 in 2017.
  • Finalization of the use of application programming interfaces (APIs), which allow new programs and functions that will help patients access their health records, including on mobile devices.
  • Focus on interoperability in Stage 3 rules.

The final rules will be officially published in the Federal Register on October 16, 2015.

For more information regarding the EHR Incentive Program and these new rules please contact Elana Zana.

4 Ways That HIPAA Encourages the Disclosure of Health Information

What’s the first word that comes to mind when you see the term “HIPAA”?

For many individuals in the healthcare market, the word is “NO.”

“Just say no” is a common answer for covered entities and business associates when they are faced with a decision about whether to disclose health information.

But what if I told you that HIPAA actually permits (and even requires) you to say “yes” to many disclosures of health information?

One of the most overlooked aspects of HIPAA is that there are sections that encourage the free-flow of information.  Examples include: (1) disclosures for treatment purposes, (2) disclosures for patient access, (3) disclosures to minimize an imminent danger, and (4) disclosures that are required by state laws.

Disclosures for Treatment Purposes

Let’s get one thing clear: HIPAA allows the disclosure of health information for treatment purposes.

A common misconception among providers is that HIPAA prevents or limits health care providers from sharing health information between each other to provide care for a patient.

This is not true.

I also commonly hear the idea that HIPAA requires a Business Associate Agreement in order for a provider to share health information for the purpose of treating a patient.

This is not true.

In fact, the HIPAA treatment disclosure exception is so broad that it applies to disclosures between health care providers AND the “coordination or management of health care” by a provider and a third party.

The third party does not even have to be a health care provider!

For example, an eye doctor can disclose health information to a contact lens distributor in order to confirm a prescription.  The distributor is not a health care provider, but the disclosure is for the purpose of treatment of the patient.

Patient Access

One common idea is that patients do not have an unfettered right to access their entire medical record.

Many providers feel that they, not the patient, have ownership of the patient’s health information and have no obligation to give the patient unrestricted access.

This opinion has led to more than one Office for Civil Rights investigation.

In reality, HIPAA gives patients broad rights to access their health information and health care providers are required to honor patient requests. Patients are also not required to fill out an Authorization for Release of Records when requesting their own health care information.

With that said, there are some important exceptions to the patient’s access rights under HIPAA, including the limitation on accessing psychotherapy notes, information compiled in anticipation of a lawsuit, or if the access is prohibited under some other law.

But in general, patients have the right to access all of their health information that a provider uses to make treatment decisions about a patient. This includes any health information that a provider received from other providers.

Denial of such access could constitute a HIPAA violation.

Disclosures to minimize an imminent danger or assist law enforcement

Another way that HIPAA encourages the disclosure of health information is seen in the allowable disclosure to minimize an imminent threat to health or safety of an individual or of the public.

HIPAA permits covered entities to disclose health information to persons reasonably able to prevent or lessen the threat.

In addition, HIPAA permits covered entities to disclose health information to law enforcement authorities to identify or apprehend an individual in the following circumstances:

  • An individual makes a statement admitting participation in a violent crime that the covered entity reasonably believes may have resulted in serious physical harm to the victim.
  • Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.

There are some key exceptions to this permissive disclosure for mental health counselors. State laws may further restrict the extent of the disclosure exceptions.

However, these are important exceptions that can prevent danger to members of the community.

Disclosures Required By State Law

Another permissive type of disclosure under HIPAA is any disclosure required by state law. A few common disclosure obligations under state law are:

  • Reporting cases of child abuse
  • Reporting cases of vulnerable adult abuse
  • Reporting to law enforcement if an individual has certain types of wounds (e.g. bullet wound).

The HIPAA “required by law” disclosure exception makes it essential for covered entities and business associates to review their state mandatory reporting laws.

Focusing only on the federal HIPAA regulations to inform your disclosure obligations is a mistake.

Conclusion

HIPAA does not always mean “no.”

Of course, it is easy for healthcare market participants to believe this stereotype.  The horror stories of large fines levied on covered entities and business associates who improperly disclose health information are so common.

However, there are many permissive (and some required) disclosures under HIPAA that covered entities and business associates must understand and implement in their business operations.

Learning the types of health information disclosures that HIPAA prohibits and encourages will facilitate the proper flow of information, improve patient experience, and help avoid costly government investigations and fines.

For more information about HIPAA, please contact Casey Moriarty.

Ready for an OIG Security Audit?

At HIMSS15 in Chicago I had the pleasure of speaking with my colleague, Dave Schoolcraft, regarding the OIG Security Audits. These in-depth security audits, conducted not by OCR or CMS but rather by the Office of Inspector General, delve into the security systems of Eligible Hospitals (and potentially Eligible Professionals) participating in the EHR Incentive Program.

Background

The OIG in its 2014 and 2015 Work Plans identified its plan to audit participants in the EHR Incentive Programs and their business associates, including cloud service providers, “to determine whether they adequately protected electronic health information created or maintained by certified EHR technology.” This audit stretches beyond a typical meaningful use audit and is not only centered on the security of ePHI stored in the CEHRT, but also looks at relationships with downstream service providers. Though EPs and EHs that participate in the EHR Incentive Program are aware of pending audits from CMS (via Figliozzi & Company), including the necessary documentation and security risk analysis requirements, these audits may come as quite a surprise – especially the level of thoroughness the OIG pursues in these audits. Though the OIG identifies the targeted entities due to their participation in the EHR Incentive Program, these audits look nothing like a CMS audit but instead are an in-depth HIPAA security audit.

The Audit

The audit itself is conducted by OIG investigators who are knowledgeable about security infrastructure as well as HIPAA requirements. The OIG commences the audit with a phone call followed by a formal letter notifying the recipient entity of the audit. As stated in its letter, “the objective of [the] audit is to assess if the [hospital’s] meaningful use requirements have protected the confidentiality, integrity and availability of electronic protected health information (ePHI) in its EHR systems.” The OIG sends out a document request/questionnaire with approximately 17 categories and subcategories that it is investigating. In addition to reviewing the responses to the document requests, the OIG auditors come on-site for 2-3 weeks to conduct interviews and personally review the security infrastructure.

Sample audit questions include:

  • Review of the EHR network diagram that shows EHR network architecture including external connections.
  • Provision of a description of internal or external web sites associated with the EHR system including patient portals.
  • Analysis of existing HIPAA policies and procedures, including patch management and access controls.
  • Detailed description of EHR network devices including the manufacturer and model number, software version and primary function.

As stated in the OIG Workplan, the target of the investigation is not only the covered entity itself, but also the relationships with business associates and downstream cloud service providers.

Audit Readiness Plan

It is unknown how many audits OIG will conduct and the ultimate goal of these audits. We believe that the OIG plans on creating a roll-up report to describe the findings of these audits, rather than publishing individual reports – however this has not been verified because the OIG has denied Freedom of Information Act requests.

We recommend that covered entities prepare for these audits as follows:

  • Gather information regarding existing security infrastructure in place, including relationships about sharing PHI with business associates and downstream providers.
  • Evaluate health IT vendors to determine if they are compliant with business associate agreements – this may include asking the business associate to provide you with evidence and results from a security risk assessment.
  • Identify team members that will respond to an OIG audit request.
  • Conduct a mock audit to fully assess security.

Additional Audits

The OIG Work Plans also identify three other related types of audits.

  1. OIG Audits of Medicare EHR Incentive Program. Earlier this month the OIG issued a number of multi-year audits of EHR Incentive Program participants. These audits are very similar to the CMS Meaningful Use audits conducted by Figliozzi, but are in fact not conducted by CMS. Unlike the CMS audits however, the OIG audits are multi-year and may request information from both Stage 1 and Stage 2 attestations.
  2. OIG Audits of Medicaid EHR Incentive Programs. OIG has conducted at least three audits of states issuing Medicaid EHR Incentive Program dollars: Louisiana, Massachusetts and Florida. Of the three audited, only Florida was found to have issued the EHR Incentive Program dollars correctly. The OIG has instructed the other states to reimburse the federal government for the incorrectly distributed funds and adjust the payment calculations for the hospitals going forward.
  3. OIG Audits of Contingency Plans. Pursuant to the HIPAA Security Rule, covered entities must have contingency plans in place in case of a disaster or other occurrence that damages systems that contain ePHI (45 CFR 164.308). The OIG plans to compare hospitals’ contingency plans with “government and industry recommend practices.”
  4. OIG Audits of AIU Participants. OIG has recently issued new audits investigating AIU attestations. For further detail related to these audits go to: http://meaningfuluseaudits.com/oig-escalates-meaningful-use-audits-of-hospitals/.

Preparing for these OIG audits can be accomplished during your own internal Security Risk Analysis and can be a useful tool for verifying the accuracy and thoroughness of your own process. For more information about the OIG Security Audits or other OIG audits please contact Elana Zana or Dave Schoolcraft.


Finally! Washington Has A Telemedicine Bill. But What’s In It?

After many years of effort, the Washington State Legislature has sent a telemedicine bill to the Governor for signature.

It is an exciting achievement, but now that the bill has passed, we need to answer an important question: “What is actually in the bill?”

Payment for Professional Telemedicine Services

The primary purpose of the bill is to require health insurance companies, Medicaid managed care plans, and health plans offered to Washington State employees to reimburse health care providers who provide professional services via telemedicine technology.

This is critical because, prior to the bill, insurance companies had no obligation to reimburse providers for telemedicine services.

One unfortunate aspect of the new law is that it does not set the specific reimbursement rate for telemedicine services. In other words, nothing requires health plans to pay for telemedicine services at the same rate as an in-person encounter.

Instead, the rate for telemedicine services will be whatever the health plan and provider agree upon in the negotiated provider agreement between the parties.

Additionally, in order to receive the negotiated rate, providers must pay special attention to the detailed reimbursement requirements of the bill:

Health Care Providers

The bill states that only “health care providers” are entitled to reimbursement for telemedicine services. Fortunately, “health care provider” is defined broadly and includes any of the licenses listed in Title 18 of the Revised Code of Washington.

A health plan need only reimburse health care providers that are contracted with the health plan.

“Out of network” reimbursement is not required.

Types of Technology

The bill applies to both real time “telemedicine” technology and “store and forward” services.

“Telemedicine” technology is a real-time, interactive, video and audio conference between a patient and a provider. Think “Skype.”

“Store and forward” technology is a system by which information is sent to an intermediate location where it is kept and, at a later time, sent to the intended destination.

This type of technology is very common in the teleradiology and teledermatology fields in which specialists provide reads for digital images of patients.

Unlike telemedicine technology, the bill has some critical restrictions on the use of store and forward technology:

  • The bill requires an associated office visit between the patient and referring health care provider if store and forward technology is used. The use of “telemedicine” technology, as defined above, can meet the office visit requirement; and
  • A health plan only has the obligation to provide reimbursement for a service provided via store and forward technology if the service is specified in the negotiated agreement between the health plan and the provider.

The second restriction is a big deal.

Under this restriction, the bill does not require a health plan to pay a provider for services rendered via store and forward technology if such services are not explicitly covered in the provider agreement between the provider and health plan.

Therefore, it is critical that providers using store and forward technology pay close attention to their provider agreements with health plans.

Types of Telemedicine Services

The bill is clear that health plans only have the obligation to provide reimbursement for services that meet all of the following criteria:

  • Reimbursement is only required if the health plan provides coverage of the same service when it is provided in person;
  • The service must be an “essential health benefit” under the Affordable Care Act; and
  • The service is medically necessary.

Health plans have no requirement to provide reimbursement if these three requirements are not met.

Payment For Facility Fees

In discussing the facility fee issue, it is important to understand that there are always two different sites in a telemedicine encounter:

  • The Originating Site: This is the location where the patient is physically located. For reimbursement purposes, originating sites can be hospitals, rural health clinics, federally qualified health centers, health care provider offices, community mental health centers, skilled nursing facilities, or renal dialysis centers (except independent renal dialysis centers).
  • The Distant Site: This is the location where the health care provider is physically located at the time telemedicine services are rendered.

As described above, the bill requires health plans to reimburse providers for the professional services they perform at the distant site during a telemedicine encounter.

But what about the originating site facility where the patient is located? Are health plans required to reimburse these facilities?

The answer is no.

According to the bill, originating site providers are only entitled to facility fees if such fees have been negotiated in the provider’s contract with the health plan.

The bill does not require any health plan reimbursement to the originating site if a health plan refuses to include reimbursement for facility fees in its provider agreement.

This is unfortunate for rural providers who would have benefited from the requirement for health plans to pay facility fees for telemedicine.

Hospital Credentialing and Privileging of Telemedicine Physicians

Aside from reimbursement, another important part of the bill is the changes to the requirements for hospital credentialing and privileging of telemedicine physicians.

In the hospital world, a physician can only provide services at a hospital if the physician is properly credentialed and privileged. Therefore, a physician that provides telemedicine services at an originating site hospital technically must be credentialed and privileged by that hospital.

Prior to the bill, Washington law required hospitals to engage in a detailed credentialing process of requesting information from a physician who was applying for privileges. The hospital also had to request information from hospitals and facilities that had granted privileges to or employed the physician.

This cumbersome process could unnecessarily delay the provision of telemedicine services.

Under the bill, the credentialing requirements no longer exist for telemedicine physicians.

The bill states that an originating site hospital may rely on a distant site hospital’s decision to grant or renew privileges for a telemedicine physician if the originating site enters into a written contract with the distant site.

The contract must have the following provisions:

  • The distant site hospital providing the telemedicine services must be a Medicare participating hospital;
  • Any physician providing telemedicine services at the distant site hospital must be fully privileged to provide such services by the distant site hospital;
  • Any physician providing telemedicine services must hold and maintain a valid license to perform such services issued or recognized by the state of Washington; and
  • The originating site hospital must have evidence of an internal review of the distant site physician’s performance of the privileges and must send the distant site hospital performance information for use in the periodic appraisal of the distant site physician.

Conclusion

There is much to like in Washington’s new telemedicine bill.

For the first time, private health plans are required to pay for telemedicine services. Additionally, the process of hospital credentialing and privileging of telemedicine physicians has been streamlined.

But the bill is not perfect.

Without specific requirements on rates, health plans have the ability to reimburse telemedicine services at a much lower rate than in-person services. Large health systems may have leverage to negotiate for higher reimbursement in provider agreements, but smaller and rural providers may not have this luxury.

Additionally, teleradiology and teledermatology providers must pay close attention to their negotiated provider agreements with health plans. Under the bill, health plans have no requirement to pay for professional services rendered via “store and forward” technology if those services are not explicitly covered in the provider agreement.

With that said, no bill is perfect, and the new Washington bill is a good first step toward improving the prospects for telemedicine in Washington State.

For more information about telemedicine, please contact Casey Moriarty.