MACRA Released

On Friday, CMS released the MACRA final rules, its innovative payment system for Medicare replacing the sustainable growth rate formula and the EHR Incentive Program for Medicare providers.

MACRA creates the framework for providers to participate in the CMS Quality Payment Program through either the Advanced Alternative Payment Models (Advanced APMs) or the Merit-based Incentive Payment System (MIPS). The goal of these models is to reward value and outcomes, specifically supporting CMS’ goal of paying for quality and value. Importantly, the MIPS program consolidates components of PQRS, the Physician Value-based Payment Modifier (“VM”), and the EHR Incentive Program (aka meaningful use).

“As prescribed by Congress, MIPS will focus on: quality – both a set of evidence-based, specialty-specific standards as well as practice-based improvement activities; cost; and use of certified electronic health record (EHR) technology (CEHRT) to support interoperability and advanced quality objectives in a single, cohesive program that avoids redundancies. Many features of MIPS are intended to simplify and integrate further during the second and third years.”

Though the new rule becomes effective on January 1st, 2017, clinicians will be given a transition period in which to prepare for MIPS, with negative payment adjustments not occurring until January 1, 2019. MACRA will sunset payment adjustments under the Medicare EHR Incentive Program, PQRS and VM after CY2018. Clinicians who are not ready to start on January 1st, 2017 have until October 2, 2017 to commence participation. Regardless of when a clinician starts, he/she needs to submit performance data by March 31, 2018.

CMS’ Quality Payment Program has the following strategic objectives:

(1) to improve beneficiary outcomes and engage patients through patient-centered Advanced APM and MIPS policies;

(2) to enhance clinician experience through flexible and transparent program design and interactions with easy-to-use program tools;

(3) to increase the availability and adoption of robust Advanced APMs;

(4) to promote program understanding and maximize participation through customized communication, education, outreach and support that meet the needs of the diversity of physician practices and patients, especially the unique needs of small practices;

(5) to improve data and information sharing to provide accurate, timely, and actionable feedback to clinicians and other stakeholders; and

(6) to ensure operational excellence in program implementation and ongoing development.

CMS also launched a new website with graphics to aid in understanding the MACRA regulations. To view the interactive website click here.

CMS has also provided a 24-page executive summary. Click here to view the executive summary.

If you have questions about MACRA please contact Elana Zana.

 

Finally! Washington Has A Telemedicine Bill. But What’s In It?

After many years of effort, the Washington State Legislature has sent a telemedicine bill to the Governor for signature.

It is an exciting achievement, but now that the bill has passed, we need to answer an important question: “What is actually in the bill?”

Payment for Professional Telemedicine Services

The primary purpose of the bill is to require health insurance companies, Medicaid managed care plans, and health plans offered to Washington State employees to reimburse health care providers who provide professional services via telemedicine technology.

This is critical because, prior to the bill, insurance companies had no obligation to reimburse providers for telemedicine services.

One unfortunate aspect of the new law is that it does not set the specific reimbursement rate for telemedicine services. In other words, nothing requires health plans to pay for telemedicine services at the same rate as an in-person encounter.

Instead, the rate for telemedicine services will be whatever the health plan and provider agree upon in the negotiated provider agreement between the parties.

Additionally, in order to receive the negotiated rate, providers must pay special attention to the detailed reimbursement requirements of the bill:

Health Care Providers

The bill states that only “health care providers” are entitled to reimbursement for telemedicine services. Fortunately, “health care provider” is defined broadly and includes any of the licenses listed in Title 18 of the Revised Code of Washington.

A health plan need only reimburse health care providers that are contracted with the health plan.

“Out of network” reimbursement is not required.

Types of Technology

The bill applies to both real time “telemedicine” technology and “store and forward” services.

“Telemedicine” technology is a real-time, interactive, video and audio conference between a patient and a provider.  Think “Skype.”

“Store and forward” technology is a system by which information is sent to an intermediate location where it is kept and, at a later time, sent to the intended destination.

This type of technology is very common in the teleradiology and teledermatology fields in which specialists provide reads for digital images of patients.

Unlike telemedicine technology, the bill has some critical restrictions on the use of store and forward technology:

  • The bill requires an associated office visit between the patient and referring health care provider if store and forward technology is used. The use of “telemedicine” technology, as defined above, can meet the office visit requirement; and
  • A health plan only has the obligation to provide reimbursement for a service provided via store and forward technology if the service is specified in the negotiated agreement between the health plan and the provider.

The second restriction is a big deal.

Under this restriction, the bill does not require a health plan to pay a provider for services rendered via store and forward technology if such services are not explicitly covered in the provider agreement between the provider and health plan.

Therefore, it is critical that providers using store and forward technology pay close attention to their provider agreements with health plans.

Types of Telemedicine Services

The bill is clear that health plans only have the obligation to provide reimbursement for services that meet all of the following criteria:

  • Reimbursement is only required if the health plan provides coverage of the same service when it is provided in person;
  • The service must be an “essential health benefit” under the Affordable Care Act; and
  • The service is medically necessary.

Health plans have no requirement to provide reimbursement if these three requirements are not met.

Payment For Facility Fees

In discussing the facility fee issue, it is important to understand that there are always two different sites in a telemedicine encounter:

  • The Originating Site: This is the location where the patient is physically located. For reimbursement purposes, originating sites can be hospitals, rural health clinics, federally qualified health centers, health care provider offices, community mental health centers, skilled nursing facilities, or renal dialysis centers (except independent renal dialysis centers).
  • The Distant Site: This is the location where the health care provider is physically located at the time telemedicine services are rendered.

As described above, the bill requires health plans to reimburse providers for the professional services they perform at the distant site during a telemedicine encounter.

But what about the originating site facility where the patient is located? Are health plans required to reimburse these facilities?

The answer is no.

According to the bill, originating site providers are only entitled to facility fees if such fees have been negotiated in the provider’s contract with the health plan.

The bill does not require any health plan reimbursement to the originating site if a health plan refuses to include reimbursement for facility fees in its provider agreement.

This is unfortunate for rural providers who would have benefited from the requirement for health plans to pay facility fees for telemedicine.

Hospital Credentialing and Privileging of Telemedicine Physicians

Aside from reimbursement, another important part of the bill is the changes to the requirements for hospital credentialing and privileging of telemedicine physicians.

In the hospital world, a physician can only provide services at a hospital if the physician is properly credentialed and privileged.  Therefore, a physician that provides telemedicine services at an originating site hospital technically must be credentialed and privileged by the hospital.

Prior to the bill, Washington law required hospitals to engage in a detailed credentialing process of requesting information from a physician who was applying for privileges.  The hospital also had to request information from hospitals and facilities that had granted privileges or employed the physician.

This cumbersome process could unnecessarily delay the provision of telemedicine services.

Under the bill, the credentialing requirements no longer exist for telemedicine physicians.

The bill states that an originating site hospital may rely on a distant site hospital’s decision to grant or renew privileges for a telemedicine physician if the originating site enters into a written contract with the distant site.

The contract must have the following provisions:

  • The distant site hospital providing the telemedicine services must be a Medicare participating hospital;
  • Any physician providing telemedicine services at the distant site hospital must be fully privileged to provide such services by the distant site hospital;
  • Any physician providing telemedicine services must hold and maintain a valid license to perform such services issued or recognized by the state of Washington; and
  • The originating site hospital must have evidence of an internal review of the distant site physician’s performance of the privileges and must send the distant site hospital performance information for use in the periodic appraisal of the distant site physician.

Conclusion

There is much to like in Washington’s new telemedicine bill.

For the first time, private health plans are required to pay for telemedicine services. Additionally, the process of hospital credentialing and privileging of telemedicine physicians has been streamlined.

But the bill is not perfect.

Without specific requirements on rates, health plans have the ability to reimburse telemedicine services at a much lower rate than in-person services.  Large health systems may have leverage to negotiate for higher reimbursement in provider agreements, but smaller and rural providers may not have this luxury.

Additionally, teleradiology and teledermatology providers must pay close attention to their negotiated provider agreements with health plans.  Under the bill, health plans have no requirement to pay for professional services rendered via “store and forward” technology if the services are not explicitly covered in the provider agreement.

With that said, no bill is perfect, and the new Washington bill is a good first step toward improving the prospects for telemedicine in Washington State.

For more information about telemedicine, please contact Casey Moriarty.

Premera Breach: Is HIPAA Compliance Enough?

Many health care businesses assume that HIPAA compliance guarantees protection from data breaches. Unfortunately, this is not a correct assumption.

The health insurance company Premera Blue Cross recently announced that it was the target of a sophisticated cyber attack.  It is estimated that the personal information of eleven million individuals may have been accessed by hackers.

In the days following the breach, the Seattle Times ran an article about an audit conducted by the federal Office of Personnel Management (OPM)  and Office of Inspector General (OIG) on Premera’s operations prior to the breach.

Due to the health insurance coverage that Premera provides to federal employees, OPM and OIG had the right to audit Premera’s systems to ensure the security of the employees’ personal information.  According to the Seattle Times article, the federal agencies warned Premera of potential vulnerabilities with its information technology security prior to the breach.

What Did OPM and OIG Actually Find?

After reading the article, I assumed that the federal agencies found massive problems with Premera’s HIPAA security compliance.  Clearly, Premera would not have suffered the breach if it had complied with the HIPAA Security Rule, right?

Nope.

Page ii of the audit states the following:

Health Insurance Portability and Accountability Act (HIPAA)

Nothing came to our attention that caused us to believe that Premera is not in compliance with the HIPAA security, privacy, and national provider identifier regulations.

Instead, the security issues that the OPM and OIG found with Premera’s system appear to have involved more advanced features, including:

  • Lack of Piggybacking Prevention; and
  • Although Premera had a “thorough incident response and network security program,” it needed a better methodology for applying software patches, updates, and server configurations.  Note that failing to appropriately patch software can lead to serious HIPAA violations, including OCR investigations and settlements.  For more information about patching and HIPAA please read: “Failure To Patch Software Leads to $150,000 Settlement”.

Upon review of the audit report, it appears  that Premera did have fairly robust security safeguards.  For example, although it did not have the physical access control of piggybacking prevention, it had installed a multi-factor authentication key pad for each staff member.

The OPM and OIG certainly found issues with Premera’s security procedures, but the report repeatedly makes it clear that Premera:

  • Had adequate HIPAA privacy and security policy and procedures;
  • Updated its HIPAA policies annually and when necessary; and
  • Required employees to complete HIPAA compliance training each year.

HIPAA Compliance May Not Be Enough

The unfortunate takeaway from Premera’s data breach is that HIPAA compliance may not be enough to ensure security from attacks carried out by sophisticated hackers.

Although a covered entity’s security policies and procedures may technically comply with the HIPAA Security Rule, it is still critical to go further and address any known vulnerabilities that HIPAA may not even require to be addressed.

Contact Casey Moriarty for more information about HIPAA compliance.

CMS Announces Intent to Modify Meaningful Use

CMS announced today its intent to make significant changes to the EHR Incentive Program beginning in 2015.  The proposed changes, though not yet codified in a proposed rule, include a much-desired easing of the program requirements in 2015.  They include:

  1. Aligning hospital EHR reporting periods to the calendar year (rather than the fiscal year) to allow hospitals to have more time to incorporate 2014 CEHRT into their workflows;
  2. Shortening the EHR reporting period in 2015 to 90 days to accommodate these changes; and
  3. Adjusting other portions of the program to “match long-term goals, reduce complexity, and lessen providers’ reporting burdens.”

These new rules are expected this spring.  CMS clarified in its announcement that these proposed modifications will not be forthcoming in the Stage 3 proposed rule which is expected to be released in early March.  CMS also indicated that it proposes to limit the scope of the Stage 3 proposed rule to criteria for meaningful use in 2017 and beyond.

To learn more about meaningful use and the EHR Incentive Program contact Elana Zana.

Meaningful Use Audit Outcomes – Guest Blog Post

October brings a flurry of Meaningful Use attestations, and this October is no different.  Eligible Hospitals finished up their attestation and are wrapping up the 2014 year; Eligible Professionals are checking their numbers and gearing up for their last run at achieving Meaningful Use before the end of the year.  Lingering in the background is ensuring that you have maintained documentation sufficient to meet the auditor’s standards.

Our guest blog post author, Steve Spearman from Health Security Solutions, researched the CMS audit results, and for hospitals the results are not too bad – but the same can’t be said for Eligible Professionals.  Here are the highlights:

Prepayment Audits for Eligible Professionals: 21.5% failed the audit.

Post-Payment Audits for Eligible Professionals:  24% failed the audit.

Post-Payment Audits for Hospitals:  4.7% failed the audit.

Steve’s blog article provides a deep dive into the audit results and the reasons for failure for both Eligible Professionals and hospitals.  To read his terrific blog article click here.  If you are interested in learning more about the audit statistics click here for Jim Tate’s blog article as well.

More audits are coming, so it is necessary to double-check your numbers before attesting and to perform your security risk analysis, including an implementation plan and completion dates.  For assistance in preparing for audits or if you recently received an audit please contact Elana Zana.

 

Meaningful Use Attestation in 2014 – Picture Update

CMS and the Office of the National Coordinator (ONC) recently announced modifications to the meaningful use attestation requirements for 2014. Following significant lobbying from EHR vendors, eligible professionals (EPs), and hospitals, CMS issued a brief reprieve to meeting Stage 2 meaningful use in 2014 – for some lucky participants. Recognizing that EPs and hospitals may still be using 2011 certified EHR technology (CEHRT) or a mixture of 2011 and 2014 CEHRT, CMS created a chart of decision points meant to enable flexibility for EPs and hospitals alike. These options also accommodate EPs and hospitals that have upgraded to the 2014 CEHRT but are still unable to meet the Stage 2 requirements within the mandatory timetables.

However, this flexibility comes with a caveat: EPs and hospitals must explain that their failure to meet Stage 2 in 2014 as scheduled is because they could not “fully implement 2014 Edition CEHRT for the EHR reporting period in 2014 due to delays in 2014 Edition CEHRT availability.” So who is allowed to claim this exception? Though CMS does not provide an exhaustive list of examples, its published comments in the final rule provide some insights and helpful explanations.

Below are maps of decision points and examples of acceptable and unacceptable justifications for not meeting an EP’s scheduled meaningful use stage in 2014, whether it be the 2014 Stage 1 or Stage 2 objectives and measures. Any EPs or hospitals that attest for a different stage than what they were scheduled for must be prepared to defend this decision in an audit, understanding that each case will be evaluated individually; this defense should therefore be very well documented.

[Figures: meaningful use decision maps for the first or second year and for the third or fourth year]

Michelle Holmes, consultant with ECG Management Consultants, co-authored this post.

Washington Earns “F”s on its Telemedicine Report Card

On September 9, 2014, the American Telemedicine Association issued two reports in which it graded all fifty states on telemedicine gaps in coverage and reimbursement and on physician practice standards and licensure.  Not surprisingly, in the area of telemedicine parity Washington received predominantly failing grades.  Washington fared better in the area of Medicaid coverage and conditions of payment but still racked up three failing grades in the ten categories that were graded.  In the report on physician practice standards and licensure, Washington averaged less than a C.

On September 23, 2014 Ogden Murphy Wallace presented the first of two webinar sessions on telemedicine covering CMS, Joint Commission, and Washington rules pertaining to the ability of a site receiving telemedicine services to rely on the credentialing and privileging of the site from which the services are provided.  On October 7, 2014, Ogden Murphy Wallace will present the second session of its telemedicine webinars addressing additional regulatory requirements relevant to telemedicine services in Washington including licensure, informed consent, Washington’s Stark, Anti-Kickback and Anti-Rebating laws, HIPAA compliance and reimbursement.  To register for the October 7 telemedicine webinar click here.

For more information regarding telemedicine laws in Washington please contact Greg Montgomery.

FDA Releases Report on Health IT Oversight

On April 3, 2014, the Food and Drug Administration (“FDA”), in collaboration with the Office of the National Coordinator for Health Information Technology (“ONC”) and the Federal Communications Commission (“FCC”), released a congressionally mandated report which proposes to clarify oversight of health information technology (“health IT”) based on a product’s function and the potential risk to patients who use it. The full draft report can be viewed here.

Similar to the FDA’s September 2013 guidance on how it would regulate mobile medical apps, this report proposes a strategy based on the premise that risk and corresponding controls should focus on health IT functionality, not the platform(s) on which such functionality resides.  As such, the FDA has identified three categories of health IT: (1) administrative health IT functions, (2) health management health IT functions, and (3) medical device health IT functions.  The following table provides examples of the three categories and describes the FDA’s regulatory approach for each:

 

| Health IT Category | Examples (includes but not limited to) | Level of Oversight |
|---|---|---|
| Administrative functionality | Billing and claims processing, practice and inventory management, scheduling, general purpose communications, determination of health benefit eligibility, population health management, reporting of communicable diseases to public health agency, quality measure reporting | No additional oversight necessary |
| Health management functionality (sometimes referred to as “clinical software”) | Health information and data exchange, data capture and encounter documentation, electronic access to clinical results, most clinical decision support, medication management, electronic communication and coordination, provider order entry, knowledge management, patient identification and matching | Not focus of FDA oversight given proposed risk-based framework for health management health IT |
| Medical device functionality | Computer aided detection/diagnostic software, remote display or notification of real-time alarms from bedside monitors, robotic surgical planning and control | Focus of FDA oversight |

 

A significant portion of the FDA’s report focuses on the proposed framework for health management health IT functionalities.  Instead of recommending a new or additional area of FDA oversight, the report recommends a limited, narrowly-tailored approach that primarily relies on ONC-coordinated activities and private sector capabilities.  Four key priority areas for health management health IT include: (1) promote the use of quality management principles, (2) identify, develop, and adopt standards and best practices, (3) leverage conformity assessment tools, and (4) create an environment of learning and continual improvement.

The framework also  includes a recommendation for ONC to create a public-private Health IT Safety Center, in collaboration with FDA, FCC, and Agency for Healthcare Research and Quality (“AHRQ”) and other health IT stakeholders. This Center would work on best practices and provide a forum for the exchange of ideas and information focused on promoting health IT as an integral part of patient safety.

What do you think about the FDA’s health IT report?  The FDA is seeking public input on a number of specific questions related to the report’s recommendations– the report is open to public input/comment for 90 days.  For more information about the FDA report or health IT regulatory issues, please contact Jefferson Lin or David Schoolcraft.

 

 

Proposal Would Extend EHR Donation Rules

The U.S. Department of Health and Human Services (HHS) has released proposed rules to amend the electronic health record (EHR) donation exception and safe harbor under the Stark Law and Anti-Kickback Statute.  The exception and safe harbor permit certain entities to share costs associated with EHR-related items and services with other entities.   Under the regulations, the receiving party must pay at least 15 percent of the donor’s cost for the items and services.

The current language of the regulations has a “sunset” provision that requires a donor to transfer EHR items and services on or before December 31, 2013.  Under the proposed rules, HHS would extend the sunset provision three years to December 31, 2016.

Without the rule change, existing donation arrangements would have to convert to a “fair market value” model for shared services and technology.  The existing sunset provisions also provide a significant barrier to the development of new arrangements. 

The rules also include the following proposed revisions to the regulations: (1) changes to the requirements for when EHR software is deemed “interoperable,” (2) removal of the requirement related to electronic prescribing capability, and (3) limits on the types of entities that are allowed to make EHR donations.

HHS also seeks suggestions on how to achieve the following goals under the exception and safe harbor: (1) preventing the misuse of donated EHR technology in a way that results in data and referral lock-in, and (2) encouraging the free exchange of data created by donated software.

You can view the proposed rule for the Anti-Kickback Statute here and the proposed rule for the Stark Law here.

HHS will accept comments to the proposed rules until June 10, 2013.

If you have any questions about donating EHR technology under the Anti-Kickback Statute and Stark Law, please contact David Schoolcraft or Casey Moriarty.

OIG Approves Electronic Interface Arrangement

In a recent advisory opinion, the Office of Inspector General DHHS (“OIG”) approved an arrangement under which free access to an electronic computer interface is provided by a hospital to local physicians.  The opinion provides an important contemporary analog to earlier guidance published by the OIG as part of the preamble to the Federal anti-kickback statute safe harbor regulations (see 56 Fed. Reg. 35952, 35978, July 29, 1991).   At the same time, the OIG reinforced its long-standing position that in order for such arrangements to pass muster under the Federal anti-kickback statute, the parties must validate that the technology is limited to facilitating hospital-physician communications, and that it will not have independent value to the physicians. 

Please contact David Schoolcraft (dschoolcraft@omwlaw.com or 206.447.7000) if you have any questions about the scope and applicability of this OIG advisory opinion.