Understanding Stark/Anti-Kickback Compliant EHR Donation Arrangements

In 2006, CMS issued Stark and Anti-Kickback exceptions/safe harbors permitting EHR technology donation arrangements between hospitals (and other organizations) and physician groups, and it extended them in December 2013.  This exception permitted hospitals to aid physician groups, who may be referral sources, in acquiring and implementing EHR and other health information technology.  Originally, hospitals had a seven-year window in which to engage in these donation arrangements, though in December 2013 CMS extended the donation arrangements for an additional 7 years through December 31, 2021.

The arrangement may include the non-monetary donation of “items or services in the form of software or information technology and training services.”  Key components of the exception/safe harbor include:

  • The donation is provided from an entity to a physician.
    • Change in 2013 rules: this entity cannot be a lab.
  • The software is interoperable.
    • Change in 2013 rules: software is deemed interoperable if it has been certified as “certified EHR technology” as that term is used by the ONC for the meaningful use/EHR Incentive Program.
  • Donor cannot restrict or limit the use or interoperability of the technology with other eRx or EHR systems.
    • Change in 2013 rules: CMS interprets this rule more broadly by providing a non-exclusive list of the types of technologies that are included in this restriction: “health information technology applications, products, or services.”
  • Physician must pay at least 15% of the costs for the technology (which amount cannot be financed by the hospital).
  • Neither the physician nor the physician’s practice makes the receipt of the technology a condition of doing business with the donor.
  • Neither eligibility of the physician nor the amount or nature of the donation is determined in a manner that takes into account the volume or value of referrals or other business generated between the parties.
  • The donation is set forth in writing, signed by the parties, specifies the items to be provided, the donor’s costs and the physician’s contribution, and covers all EHR items and services to be provided by the donor.
  • The donor cannot have knowledge of or disregard the fact that the physician already possesses equivalent items or services.
  • The donor cannot restrict or limit the physician’s right to use the software for any patient.
  • The donation cannot include staffing of physician offices and cannot be used to primarily conduct personal business or business unrelated to the physician’s medical practice.
    • Note: the donation may also include other “software and functionality directly related to the care and treatment of individual patients (for example, patient administration, scheduling functions, billing, clinical support software, etc.)” (71 FR 45152).
  • The donation arrangement does not violate the Anti-Kickback statute.
  • The exception expires December 31, 2021.

Beyond crafting a donation arrangement that satisfies both the Stark law exception and Anti-Kickback safe harbor, hospitals and physicians should assess overall technology alignment strategies and the goals and framework for such donation arrangements.  Making sure that clear expectations are set in advance, including understanding implementation, roll out and support, data ownership and extraction, and utilizing the EHR technology for government incentive programs, such as meaningful use, are important topics that should be addressed by the arrangement.

For those who are interested in learning more about this topic and are currently attending HIMSS14, David Schoolcraft, attorney at Ogden Murphy Wallace, and Michelle Holmes, principal at ECG Management Consultants, are presenting on Wednesday at 10 AM on Using Stark/Anti-Kickback To Support Hospital/Physician IT Alignment Strategies.  For further information about designing a compliant arrangement, please contact Elana Zana or Dave Schoolcraft.

DOH Issues New Hospital CN Rule & Transparency Requirements

Prior to the end of the year, and in compliance with Governor Inslee’s directive, the Washington Department of Health (DOH) issued new hospital Certificate of Need (CN) rules and transparency requirements for existing hospitals.

Effective January 23rd, hospitals wishing to affiliate with one another (or other types of corporate restructuring) will now have to undergo full CN review.  The new rules modify WAC 246-310-010 and adopt a broad definition of “sale, purchase, or lease” to include affiliations, corporate membership restructuring, “or any other transaction.”  DOH, in response to the over 1,000 public comments received on these new rules (including the transparency rules below) explained:

The purpose of this clarification is to focus on the outcome of these transactions to bring them within CoN review.  CoN evaluation includes review of the reduction or loss of services and the community’s access to alternatives if there is a reduction or loss.

In addition, DOH issued a modification to the hospital licensing requirements.  This modification now requires hospitals to submit to DOH and publish on their own websites (“readily accessible to the public”) the following policies related to access to care:  admission, nondiscrimination, end of life care, and reproductive health care.  Hospitals must comply with this requirement no later than March 24, 2014.  Hospitals that make changes to these policies must also notify DOH of those changes within thirty days.

Since the amendment to the hospital licensing rules requires online access to hospitals’ nondiscrimination policies, now is an excellent time for hospitals to review nondiscrimination policies to be sure they are consistent with all applicable laws.  Hospitals are “places of accommodation” under local, state, and federal nondiscrimination laws, which vary by jurisdiction.  For example, federal law prohibits genetic discrimination, which is not covered by Washington state law; state law prohibits discrimination on the basis of marital status, sexual orientation, and gender expression or identity, which are not covered under federal law; and the City of Seattle prohibits discrimination on the basis of political ideology, which is not covered under state or federal law.  Hospital nondiscrimination policies should be tailored to cover all the jurisdictions in which you provide services.  For assistance with drafting a nondiscrimination policy, please contact Karen Sutherland.

For more information about the access to care policies or certificate of need generally, please contact Elana Zana.

Meaningful Use Audits – Security Risk Analysis

‘Tis the season for Meaningful Use, the time of year when eligible professionals (EPs) and eligible hospitals (EHs) compile their data from the meaningful use measures and prepare for attestation.  It is also the season of meaningful use audits.  A lesson learned from recent audits: CMS means what it says – EPs and EHs must conduct a security risk analysis.  This measure is not one to be taken lightly – it’s a HIPAA requirement, and CMS auditors are on the lookout for documentation (remember, all documentation must be retained for 6 years).

Regardless of whether EPs or EHs are attesting to Stage 1 or Stage 2, and regardless of whether they performed a security risk analysis last year, this objective and measure must be fulfilled each year:

Stage 1

Objective. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.

Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

Stage 2

Objective. Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.

Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in Certified EHR Technology in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP’s risk management process.

The HIPAA requirement for a Security Risk Analysis pursuant to 45 CFR 164.308(a)(1) is as follows:

“Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

CMS Meaningful Use audits have specifically called out this objective and measure and are requiring participants to prove that a Security Risk Analysis has actually occurred.  Though the HIPAA Security Officer should have conducted a security risk analysis for the entire practice/hospital, EPs and EHs should maintain a copy of this assessment with their meaningful use documentation and should review the assessment to make sure that the risk analysis complies with the meaningful use requirements (note: the Stage 2 requirements are significantly broader).

Below is the audit question that was sent to some Stage 1 EPs:

“Provide proof that a security risk analysis of Certified EHR Technology was performed prior to the end of the reporting period (i.e. report which documents the procedures performed during the analysis and the results of the analysis).  If deficiencies are identified in this analysis, please supply the implementation plan; this plan should include the completion dates.”

Note that the audit request indicates that further documentation is needed to satisfy the auditors.  EPs must show the implementation plan and the completion dates.  As per the measure itself, the requirement is not merely to conduct a security risk analysis, but the EPs and EHs must implement security updates and correct security deficiencies.  EPs and EHs should document these steps as well in order to appropriately respond to an audit request.

CMS has recently issued a new tip sheet to assist EPs and EHs in fulfilling the security risk analysis requirement.  In addition, ONC has published guidance on HIPAA Security Risk Analysis requirements.  The CMS tip sheet includes some common myths surrounding risk analysis, such as:

  • “I only need to do a risk analysis once.”

False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.

  • “My EHR vendor took care of everything I need to do about privacy and security.”

False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

  • “The security risk analysis is optional for small providers.”

False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

  • “Simply installing a certified EHR fulfills the security risk analysis MU requirement.”

False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Responding to a Meaningful Use audit can be time consuming and very detail oriented; thus, maintaining the appropriate documentation is essential.  For assistance with Meaningful Use or HIPAA security risk assessments, please contact Elana Zana.

Joint Commission Standards for Boarding and Leadership Collaboration with Behavioral Health Community

Effective January 1, 2014, hospitals accredited by The Joint Commission will be required to meet the elements of performance (EPs) related to boarding and leadership collaboration for behavioral health patients, as part of The Joint Commission’s revised standard for managing the flow of patients through the emergency department. Overcrowding and patient boarding in the emergency department have drawn considerable attention recently (see, e.g., Seattle Times article on psychiatric boarding), and The Joint Commission recognizes that the problems with patient flow may have multiple factors and stem from other areas within and outside the hospital, not just the emergency department.

Under Leadership Standard LD.04.03.11 or the “Patient Flow” Standard, the following EPs will go into effect for hospitals starting next year:

  • EP 6. The hospital measures and sets goals for mitigating and managing the boarding of patients who come through the emergency department. Note: Boarding is the practice of holding patients in the emergency department or another temporary location after the decision to admit or transfer has been made. The hospital should set its goals with attention to patient acuity and best practice; it is recommended that boarding time frames not exceed 4 hours in the interest of patient safety and quality of care.
  • EP 9. When the hospital determines that it has a population at risk for boarding due to behavioral health emergencies, hospital leaders communicate with behavioral health care providers and/or authorities serving the community to foster coordination of care for this population.

The Joint Commission notes that the four-hour time frame referenced in EP 6 serves as a guideline (not a requirement) to help the hospital set a reasonable goal for its institution. Also, the goal of EP 9 is to “facilitate the more efficient use of limited resources, and build leverage to implement more effective systems of care for individuals at risk of psychiatric emergencies.” Though the communication required in EP 9 will vary depending on the nature of the relationship, The Joint Commission advises that “such communication should occur at least annually and may range from conference calls and correspondence to meetings, education forums, and strategic working groups.”

EP 6 and EP 9 are in addition to the revised EPs that went into effect at the beginning of this year on January 1, 2013.  The other revisions address: the use of data and measures to identify, mitigate and manage issues affecting patient flow; the management of emergency department throughput as a system-wide issue; and the environment of care, staffing, assessment, reassessment and care for patients with behavioral health emergencies.

To help organizations implement these requirements, The Joint Commission released an “R3 Report on Patient Flow through the Emergency Department” that provides the requirement, rationale and references for the updated standards.  If you have questions about these accreditation standards, please contact Don Black or Jefferson Lin.

Public Hospital Districts Offering Maternity Services Must Offer Abortion Services

A recent Washington Attorney General Opinion concludes that a public hospital district may not administer or fund programs to provide maternity care benefits or services without making provision for abortion services, benefits, and information.  The Opinion primarily relies on RCW 9.02.100 and RCW 9.02.160 which respectively provide in part:

The sovereign people hereby declare that every individual possesses a fundamental right of privacy with respect to personal reproductive decisions.

Accordingly, it is the public policy of the state of Washington that:

(1) Every individual has a fundamental right to choose or refuse birth control;

(2) Every woman has the fundamental right to choose or refuse to have an abortion (subject to legislative limitations)

If the state provides, directly or by contract, maternity care benefits, services, or information to women through any program administered or funded in whole or in part by the state, the state shall also provide women otherwise eligible for any such program with substantially equivalent benefits, services, or information to permit them to voluntarily terminate their pregnancies.

The Opinion emphasizes that no Washington public hospital district is required to provide maternity care benefits, services, or information.  However, it endorses a broad interpretation of these benefits to include a large range of prenatal, childbirth, and postpartum services and information.  It also concludes that a public hospital district provides maternity care benefits if it financially subsidizes a healthcare provider that provides these benefits.

Accordingly, the Opinion concludes that if a public hospital district contracts for the provision of maternity care benefits and subsidizes this through the use of public funds it must provide the substantially equivalent benefits, services and information required by RCW 9.02.160.  The Opinion expresses no opinion on how public hospital districts might comply with these requirements or what might constitute substantially equivalent benefits, services and information.

For more information about this Opinion or hospital compliance requirements please contact Greg Montgomery.

SRDP Settlement: Improper EHR Donation Arrangement Among Violations

Last month CMS settled several violations of the self-referral statute (aka Stark Law) with an Ohio hospital, including a failure to appropriately structure a donation arrangement for electronic health records (EHR).  The hospital disclosed under the Self-Referral Disclosure Protocol that it may have violated the Stark Law with regard to several arrangements with certain physicians, including arrangements for EKG interpretations, medical director services, Vice-Chief of Staff services, and hospital services (no specifics provided in CMS release).  The settlement was for $265,565.  The SRDP, which was included in the ACA, was created as a mechanism for providers to self-report potential Stark law violations.

The EHR donation arrangement exception to the Stark and Anti-Kickback laws permits hospitals to enter into certain arrangements with physicians for the donation of EHR related software and services.  The donation arrangement exception is scheduled to expire on December 31, 2013; however, CMS has proposed extending the exception through 2016.  If CMS does not extend the exception, existing donation arrangements will have to convert to fair market value for shared technology and services.

If you have questions regarding the SRDP or structuring an EHR donation arrangement, please contact Elana Zana.

Hospital Medical Staff Lacks Capacity To Sue – Medical Staff Bylaws Are Not a Contract

The Minnesota Court of Appeals recently issued a decision that, in Minnesota, hospital medical staffs do not have capacity to sue as unincorporated associations.  In addition, the Court concluded that, at least in this case, medical staff bylaws do not constitute a contract between members of the medical staff and the hospital.

With respect to the issue of whether the medical staff bylaws create a contract between members of the medical staff and the hospital, the court focused on two points: (1) repeated reference in the medical staff bylaws to the right of the hospital board to approve, amend, and/or repeal the medical staff bylaws; and (2) Minnesota rules that require hospitals to have medical staff bylaws approved by the governing body.  On this second point, the decision relies on a series of decisions from other jurisdictions holding medical staff bylaws not to create a contract for lack of consideration due to the existence of state laws requiring such bylaws.

The court relied on prior Minnesota court decisions for its conclusion that the medical staff could not sue as an unincorporated association.

These two issues are regularly litigated in courts around the country and there is hardly unanimity in the decisions.  This decision contains a very useful collection of cases going both ways on the issues and the legal theories relied on for the differing conclusions.  For questions concerning this case or related hospital medical staff issues please contact Greg Montgomery.

Washington Certificate of Need Program Commences Rule Making: Consumer Transparency in Affiliations & Dialysis

The Washington State Certificate of Need Program has announced its commencement of the rule-making process related to hospitals and dialysis.  This action is in response to the directive issued last month by Governor Inslee instructing the CN Program to expedite rule making related to the corporate restructuring, affiliations, acquisitions and mergers occurring in hospitals across the state.  His directive requires that:

The Certificate of Need process should be applied based on the effect that these transactions have on the accessibility of health services, cost containment, and quality, rather than on the terminology used in describing the transactions or the representations made in the preliminary documents.

The Department’s rulemaking process shall also consider ways to improve transparency for consumer information and ease of use, specifically the Department shall ensure hospitals supply non-discrimination, end of life care and reproductive health care policies; and the Department shall ensure that consumers have access to the policies on its webpage. The Department’s rulemaking process shall also consider the factors in RCW 43.06.155, the principles and policies in the implementation of health reform, including the guarantee of choice for patients.

In response to this directive, the CN Program has released concept rules to implement the directive.  These concept rules contain two significant modifications:

1.  A new defined term in WAC 246-310-010: “Sale, purchase, or lease” means any transaction in which the control, directly or indirectly, of part or all of any existing hospital changes to a different person, including but not limited to by contract, affiliation, corporate membership restructuring, or any other transaction.

This change is significant, as the “sale, purchase, or lease” of all or part of an existing hospital is subject to the CN rules and review.  The new definition expands the applicability of the CN rules and review.  Whereas previously affiliations were typically reviewed under Determinations of Reviewability, the expanded definition would subject such transactions to CN approval.

2.  A new section which collects hospital policies, maintains the policies and list of limitations on certain services online, and requires all hospitals to submit these policies and lists within 60 days of the effective date of the new rule.  The proposed new section is reproduced below:

New Section WAC 246-310-XXX Collection of Hospital Policies

1) Every hospital must submit to the department its following policies related to access to care:

a) Admission;

b) Non-discrimination;

c) End of life care; and

d) Reproductive health care.

2) If the effect of one or more of a hospital’s policies required under subsection (1) of this section limits or excludes access to services authorized by law, the hospital must submit to the department a list of services that are limited or not available at the facility.

3) The department shall post a copy of the policies received under subsection (1) of this section and lists received under subsection (2) of this section on its website.

4) If the hospital makes changes to any of the policies listed under subsection (1) of this section, it must submit a copy of the changed policy to the department within thirty days after the hospital approves of the changes.

5) No later than sixty days following the effective date of this rule each hospital must submit to the department the documents identified under subsections (1) and (2) of this section.

These proposed rules will have an impact on future transactions and existing hospitals.  The proposed revisions will be discussed at an August 5th workshop located at the Department of Health.

If you would like further information about these proposed rules or certificate of need in general please contact Elana Zana.

Medicaid Disallows Reimbursement, Requires Reporting for Provider Preventable Conditions

Starting July 1, 2013, the Washington Medicaid program will not pay a provider for the health care costs of treating conditions that the provider could have prevented.  The rule, WAC 182-502-0022, contains a long list of such conditions and adds a few more acronyms to health care speak, including:

(1) PPC – provider preventable conditions that include hospital and non-hospital acquired conditions;

(2) OPPC – other provider preventable conditions that are a PPC subset of conditions identified in WAC 246-302-030; and

(3) HCAC – health care acquired conditions that are also a PPC subset occurring in an inpatient hospital setting.

Providers, including inpatient hospitals, must report any PPC to the Health Care Authority even if there is no intent to bill for services related to the PPC.  Health care professionals or designees responsible for or associated with a PPC involving a Medicaid patient must notify the Health Care Authority within forty-five (45) calendar days of confirming the PPC.

A similar reporting requirement applies to hospitals for OPPC.  And, of course, Medicaid patients are not liable for payment of an item related to a HCAC or an OPPC and must not be billed for any item or service related to a PPC.

For information about this new rule or Medicaid reimbursements please contact Greg Montgomery.

Stolen Laptop Leads to Stanford’s Fifth HIPAA Breach

Earlier this month Stanford reported its 5th HIPAA breach since 2009.  This is Stanford’s third largest breach, affecting nearly 13,000 patients.  A broken laptop containing protected health information of pediatric patients was stolen from a restricted area of the Lucile Packard Children’s Hospital at Stanford.  The laptop was unencrypted and contained patient information including: name, medical record number, age, telephone numbers, surgical procedures and treating physicians.  Though the laptop had a broken screen, there is still the possibility of extracting the data from the computer.

Stanford’s other breaches include a disclosure of 20,000 patient records when a subcontractor of a business associate placed patient information on the web seeking assistance with using Excel; the data was left on the website for nearly a year.  This breach has resulted in a $20 million class action lawsuit under California law.

Earlier this year, Stanford announced its largest breach, affecting 57,000 patient records when an unencrypted laptop with patient information was stolen from a physician’s car.  In addition, Stanford reported a breach in 2012 of 2,500 patient records following the theft of an unencrypted laptop from a physician’s office.  Lastly, in 2010, Stanford was hit with a fine after failing to notify the state of California of the theft of a laptop by an employee containing over 500 patient records.

Considering Stanford’s previous breaches, encryption of its laptops would be a good course of action to prevent future HIPAA data breaches.  Stanford has reported that it now encrypts its laptops, but the one that was most recently stolen was unencrypted because the screen was broken.

Lessons learned from Stanford’s misfortunes:  encrypt all PHI and destroy broken devices (remember, even when a device is broken, its data is still valuable to thieves).

For assistance with HIPAA and/or the breach notification rules, please contact Elana Zana.