Changes to Washington’s Pregnancy and Leave Laws

Accommodation of Pregnant Employees

Effective July 23, 2017, employers in Washington State with 15 or more employees must provide specific reasonable accommodations for pregnant employees.  Undue hardship is not an excuse for some of the accommodations, including:

  • Providing more frequent, longer, or flexible restroom breaks
  • Modifying a no food or drink policy
  • Providing seating or allowing the employee to sit more frequently if her job requires her to stand
  • Limits on lifting over seventeen pounds

The new law also requires employers to provide other reasonable accommodations and specifies what proof of the need for an accommodation the employer can require, and prohibits retaliation.

Paid Sick Leave

Effective January 1, 2018, employers in Washington State will need to have written policies that provide for paid leave for nonexempt employees that can be used for:

  • Their own or for a family member’s illness, injury or health condition
  • Closure of the employee’s place of business or child’s school or place of care for any health-related reason
  • For absences that qualify under the state domestic violence leave act

Other key provisions of the law:

  • The definition of “family member” is very broad
  • All nonexempt employees are eligible – even if they are part time or temporary employees
  • Leave accrues at the rate of 1 hour for every 40 hours worked
  • Leave can be used  beginning on the 90th day of employment
  • Verification can be required for leave that is more than three consecutive work days
  • Up to forty hours of accrued leave can be carried over to the next year
  • If an employee is re-employed within 12 months of separation, their leave accrual is restored
  • Employers can adopt more generous leave policies
  • A PTO policy can be adapted to meets the requirements for this leave
  • Employers in cities with paid leave laws will need to adopt policies that meet the requirements for both the state and local laws (whichever is more favorable to employees)
  • Employers cannot use paid sick leave time as an absence that may lead to or result in discipline against the employee
  • Discrimination and retaliation for exercising rights under the law are prohibited

Paid Family and Medical Leave

As of January 1, 2019, employers in Washington State must start collecting and paying premiums to the state as part of a new paid Family and Medical Leave (“FML”) program.   Employees are eligible to begin using paid FML on January 1, 2020. Some of the key provisions of this law are summarized below:

  • Paid FML is in addition to the paid sick leave that goes into effect on January 1, 2018
  • The criteria for which leave can be used are similar to the federal FMLA
  • Paid FML is usually 12 weeks, but can be extended to as much as 16 weeks for a serious health condition that occurs with a pregnancy resulting in incapacity
  • FML pay varies depending on the employee’s average weekly wage; the maximum weekly benefit is $1,000 for 2020
  • Paid FML applies to employees who work 20 or more hours per week
  • An employer may allow an employee who has accrued paid time off (PTO) to choose whether to use their PTO or not use PTO and receive paid FML benefits
  • The state decides if an employee is eligible for paid FML
  • Unless otherwise expressly permitted by the employer, paid FML must be taken concurrently with any leave taken under the federal FMLA
  • The definition of “family member” for paid FML is broader than the FMLA definition
  • This law preempts local governments from altering the state paid FML benefits or requiring employer supplements
  • Employers are allowed to provide greater benefits than paid FML provides
  • Employees who receive workers’ compensation or unemployment insurance are ineligible for paid FML
  • Employers with fewer than 50 employees are not required to pay the employer portion of the FML premiums
  • The leave entitlement for the birth or placement of a child expires at the end of the twelve-month period beginning on the date of such birth or placement
  • The leave entitlement for an employee’s own or a family member’s serious health condition, or leave for qualifying exigency, expires at the end of the twelve-month period beginning on the date the employee filed an application for the benefits
  • Employees are not entitled to leave “for any absence occasioned by the willful intention of the employee to bring about injury to or the sickness of the employee or another, or resulting from any injury or sickness sustained in the perpetration by the employee of an illegal act …[or] For an employee who is on suspension from his or her employment”
  • There is a seven calendar day waiting period except for leave for the birth or placement of a child
  • The employment protection parts of the statute do not apply to employers with less than 50 employees, employees who worked for the employer less than 12 months, and employees who work less than 1250 hours (in other words, employers don’t need to return employees to their former positions if they would not have been eligible for FMLA leave)
  • Employers are not required to reopen a CBA during its term in order to “apply rights or privileges” available under the Act until the current CBA is “reopened or renegotiated by the parties or expires”
  • Employers can adopt a voluntary plan for medical or family leave (i.e., to self-insure) if their plan is approved by the state

We recommend updating your policies now for pregnancy accommodation and paid sick leave.  We anticipate additional guidance on paid FML will be provided by the state before premium collection begins in 2019.  Any member of the Ogden Murphy Wallace’s Employment and Labor Law Group can guide you through the process of updating your policies, or you can contact Group Chair Karen Sutherland for a referral, ksutherland@omwlaw.com or 206-447-2241.

CMS Issues Stark Law Changes

CMS issued last week its final rule modifying the Physician Self-Referral Law aka the Stark Law putting into place most of what it proposed to modify this summer. The majority of the new modifications become effective on January 1, 2016, though CMS indicates that many of the changes are just clarifications of existing application of the Stark Law.

Highlights of Some Proposed Revisions

The below list is not an all-inclusive list of the revisions to the Stark Law, but highlights some of the more substantial changes.

Temporary Noncompliance with Signature. Following the confusion between what was considered inadvertent and not inadvertent, CMS has modified this rule to allow the temporary noncompliance with the signature requirements for up to 90 days following the date of noncompliance regardless of the parties’ intention for not signing earlier.

Remuneration. The definition of remuneration has been revised to more clearly specify that certain items, devices, or supplies related to the collection, transportation, etc. of specimens are excluded from the definition of remuneration if used solely for one or more of such testing/specimen collection purposes.

Arrangement vs. Agreement. CMS clarifies in several of the exceptions (i.e personal services, leases, physician recruitment, etc.) that the requirement that the arrangement be set out in writing does not require a single formal contract but rather that several documents may establish sufficient documentation to satisfy the writing requirements. Examples of supplementary contemporaneous documents may include communications between the parties, check requests or invoices, time sheets, and call coverage schedules. Further examples are described within the final rule.

Holdover Provision. Prior to this final rule, the personal service arrangement, rental of office space and rental of equipment exceptions permitted a holdover arrangement for up to 6 months. CMS has modified these provisions to permit indefinite holdovers, provided that the arrangement continues on the same terms and conditions as the original arrangement.

Recruitment of Non-Physician Practitioners. CMS has added a new exception allowing a hospital (FQHC and RHC) to provide remuneration to a physician to compensate for non-physician practitioners if certain conditions are met (including cap of 50% of remuneration paid to non-physician practitioner and restriction on using the exception with the same referring physician only once every 3 years). Such non-physician practitioners include clinical psychologists and social workers, physician assistants, nurse practitioners, clinical nurse specialists and certified nurse midwives.

Timeshare Arrangements. CMS created a new exception for timeshare lease arrangements, which includes both space and equipment (supplies, items, services, etc.). The space/equipment must be predominately used for E/M services and remain on the same schedule. The equipment in the space must also be located in the same building as where the E/M services are furnished, not used to furnish DHS other than those incidental to E/M services furnished at the time of the patient’s visit and not include advanced imaging equipment, radiation therapy equipment or clinical & pathology lab equipment (other than CLIA waived tests).

The changes that relax some of the signature, holdover and writing requirements are consistent with CMS’ experience with SRDP submissions. Further the new exceptions recognize some of the changes in the delivery of patient care (such as non-physician providers and timeshare arrangements).  If you have questions about any of these modifications or the Stark Law in general please contact Elana Zana.

 

 

 

Updated Meaningful Use Rules Released

After months of waiting, CMS and ONC finally issued final rules (with comment) pertaining to Stage 3 Meaningful Use, 2015-2018 EHR Incentive Program and 2015 edition of CEHRT certification.  CMS announced that the rules, numbering 750+ pages, are designed to “simplify requirements and add new flexibilities for providers to make electronic health information available when and where it matters most.”  CMS’ announcement also signaled more rules to come, CMS has opened a 60-day comment period for additional feedback about the EHR Incentive Programs and in particular the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), “which established the Merit-based Incentive Payment System and consolidates certain aspects of a number of quality measurement and federal incentive programs into one more efficient framework.” Expected release for MACRA is spring 2016.

Highlights of the final rule include:

  • 2015 reporting for EPs and EHs is any continuous 90 day period within CY 2015 by Feb. 29. 2016, which may be extended to March if providers need additional time.
  • 2016 & 2017 new Medicare and Medicaid providers (and 2018 Medicaid providers) may report on any 90 days.
  • Most changes in the rule will not be required until 2018 (but providers who are ready may transition to the next phase in 2017).
  • 2015-2017 EPs will report on 10 objectives, EHs on 9 objectives, including one public health reporting objective.
  • Modified patient action measures in Stage 2 objectives.
  • 90 day reporting period for any provider moving to Stage 3 in 2017.
  • Finalization of the use of application program interfaces (APIs) which allow the use of new programs/functions that will help patients have access to their healthcare records, including on mobile devices.
  • Focus on interoperability in Stage 3 rules.

The final rules will be officially published in the Federal Register on October 16, 2015.

For more information regarding the EHR Incentive Program and these new rules please contact Elana Zana.

Certificate of Need New Rule Invalidated by Supreme Court

The Washington Supreme Court unanimously agreed with the Washington State Hospital Association that the new expanded Certificate of Need rule defining the “sale, purchase or lease” of a hospital exceeded the Department of Health’s authority.  WSHA successfully argued that the new definition, promulgated by the Department of Health’s Certificate of Need Program, which expanded its jurisdiction to include “any transaction in which the control, either directly or indirectly, of part or all of any existing hospital changes to a different person, including, but not limited to, by contract, affiliation, corporate membership restructuring, or any other transaction,” was overly expansive.

The Supreme Court agreed that pursuant to the wording of the new rule, Certificate of Need approval would be required for any change in control of a hospital, including those changes that commonly occur, for example a change in the composition of the board of directors of a hospital.  The Supreme Court held that the new rule interprets “sale, purchase, or lease” in RCW 70.38.105(4)(b) too broadly and “departs too far from the plain meaning of those terms.”

For more information regarding the Certificate of Need rules please contact Elana Zana.

Ready for an OIG Security Audit?

At HIMSS15 in Chicago I had the pleasure of speaking with my colleague, Dave Schoolcraft, regarding the OIG Security Audits. These in depth security audits conducted not by the OCR or CMS, but rather the Office of Inspector General, delve into the security systems of Eligible Hospitals (and potentially Eligible Professionals) participating in the EHR Incentive Program.

Background

The OIG in its 2014 and 2015 Work Plans identified its plan to audit participants in the EHR Incentive Programs and their business associates, including cloud service providers, “to determine whether they adequately protected electronic health information created or maintained by certified EHR technology.” This audit stretches beyond a typical meaningful use audit and is not only centered on the security of ePHI stored in the CEHRT, but also looks at relationships with downstream service providers. Though EPs and EHs that participate in the EHR Incentive Program are aware of pending audits from CMS (via Figliozzi & Company), including the necessary documentation and security risk analysis requirements, these audits may come as quite a surprise – especially the level of thoroughness the OIG pursues in these audits. Though the OIG identifies the targeted entities due to their participation in the EHR Incentive Program, these audits look nothing like a CMS audit but instead are an in-depth HIPAA security audit.

The Audit

The audit itself is conducted by OIG investigators that are knowledgeable about security infrastructure as well as HIPAA requirements. The OIG commences the audit with a phone call followed by a formal letter notifying the recipient entity of the audit. As stated in its letter “the objective of [the] audit is to assess if the [hospital’s] meaningful use requirements have protected the confidentiality, integrity and availability of electronic protected health information (ePHI) in its EHR systems.” The OIG sends out a document request/questionnaire with approximately 17 categories and subcategories that it is investigating. In addition to reviewing the responses to the document requests the OIG auditors come on-site for 2-3 weeks to conduct interviews and personally review the security infrastructure.

Sample audit questions include:

  • Review of the EHR network diagram that shows EHR network architecture including external connections.
  • Provision of a description of internal or external web sites associated with the EHR system including patient portals.
  • Analysis of existing HIPAA policies and procedures, including patch management and access controls.
  • Detailed description of EHR network devices including the manufacturer and model number, software version and primary function.

As stated in the OIG Workplan, the target of the investigation is not only the covered entity itself, but also the relationships with business associates and downstream cloud service providers.

Audit Readiness Plan

It is unknown how many audits OIG will conduct and the ultimate goal of these audits. We believe that the OIG plans on creating a roll-up report to describe the findings of these audits, rather than publishing individual reports – however this has not been verified because the OIG has denied Freedom of Information Act requests.

We recommend that covered entities prepare for these audits as follows:

  • Gather information regarding existing security infrastructure in place, including relationships about sharing PHI with business associates and downstream providers.
  • Evaluate health IT vendors to determine if they are compliant with business associate agreements – this may include asking the business associate to provide you with evidence and results from a security risk assessment.
  • Identify team members that will respond to an OIG audit request.
  • Conduct a mock audit to fully assess security.

Additional Audits

 The OIG Work Plans also identify three other related types of audits.

 

  1. OIG Audits of Medicare EHR Incentive Program. Earlier this month the OIG issued a number of multi-year audits of EHR Incentive Program participants. These audits are very similar to the CMS Meaningful Use audits conducted by Figliozzi, but are in fact not conducted by CMS. Unlike the CMS audits however, the OIG audits are multi-year and may request information from both Stage 1 and Stage 2 attestations.

 

  1. OIG Audits of Medicaid EHR Incentive Programs. OIG has conducted at least three audits of states issuing Medicaid EHR Incentive Program dollars: Louisiana, Massachusetts and Florida. Of the three audited, only Florida was found to have issued the EHR Incentive Program dollars correctly. The OIG has instructed the other states to reimburse the federal government for the incorrectly distributed funds and adjust the payment calculations for the hospitals going forward.

 

  1. OIG Audits of Contingency Plans. Pursuant to the HIPAA Security Rule, covered entities must have contingency plans in place in case of a disaster or other occurrence that damages systems that contain ePHI (45 CFR 164.308). The OIG plans to compare hospitals’ contingency plans with “government and industry recommend practices.”
  2. OIG Audits of AIU Participants.  OIG has recently issued new audits investigating AIU attestations.  For further detail related to these audits go to:  http://meaningfuluseaudits.com/oig-escalates-meaningful-use-audits-of-hospitals/.

 

Preparing for these OIG audits can be accomplished during your own internal Security Risk Analysis and can be a useful tool for verifying the accuracy and thoroughness of your own process. For more information about the OIG Security Audits or other OIG audits please contact Elana Zana or Dave Schoolcraft.

 

CMS Announces Intent to Modify Meaningful Use

CMS announced today its intent to make significant changes to the EHR Incentive Program beginning in 2015.  The proposed changes, though not yet codified in a proposed rule, include a much desired ease of the program requirements in 2015.  They include:

  1. Aligning hospital EHR reporting periods to the calendar year (rather than the fiscal year) to allow hospitals to have more time to incorporate 2014 CEHRT into their workflows;
  2. Shortening the EHR reporting period in 2015 to 90 days to accommodate these changes; and
  3. Adjusting other portions of the program to “match long-term goals, reduce complexity, and lessen providers’ reporting burdens.”

These new rules are expected this spring.  CMS clarified in its announcement that these proposed modifications will not be forthcoming in the Stage 3 proposed rule which is expected to be released in early March.  CMS also indicated that it proposes to limit the scope of the Stage 3 proposed rule to criteria for meaningful use in 2017 and beyond.

To learn more about meaningful use and the EHR Incentive Program contact Elana Zana.

Washington Certificate of Need – Tertiary Services Review

The Washington State Department of Health issued today an announcement that it is conducting a review of the tertiary services that it requires obtain certificates of need under the current regulations (WAC 246-310-020(1)(d)(i)).  It is seeking comments on whether there should be additions or deletions to the current tertiary services list, which includes:

  1. Specialty burn services;
  2. Intermediate care nursery and/or obstetric services level II;
  3. Neonatal intensive care nursery and/or obstetric services level III;
  4. Transplantation of specific solid organs;
  5. Open heart surgery and/or elective therapeutic cardiac catheterization, including percutaneous coronary interventions generally and elective percutaneous coronary angioplasty (PTCA), specifically;
  6. Inpatient physical rehabilitation services level I; and
  7. Specialized inpatient pediatric services

Those providers seeking to provide the above services must first obtain a certificate of need from the Washington Department of Health before commencing the provision of these services.

The Department of Health is soliciting participation in three phases, the first of which spans from January 1 – February 28, 2015, is an invitation for individuals to propose changes to the current list of tertiary services in order to enable the Department of Health to create a report consolidating the suggestions.

To learn more about the certificate of need tertiary health services review click here.  For assistance in drafting comments to the Department of Health please contact Elana Zana.

Failure to Patch Software Leads to $150K HIPAA Settlement

Anchorage Community Mental Health Services, Inc. (“ACMHS”) a nonprofit mental health provider in Alaska, has agreed to a $150,000 HIPAA settlement and 2 year Corrective Action Plan with HHS following a breach of 2,743 patient records due to malware.  According to the HHS press release:

OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.

According to the Resolution Agreement, OCR uncovered the following HIPAA violations:

  • ACMHS failed to conduct an accurate and thorough risk assessment.
  • ACMHS did not implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI.
  • ACHMS’ security infrastructure did not appropriately guard against unauthorized access to ePHI that is transmitted over an electronic communications network.  Specifically, HHS noted that ACHMS failed to “ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.”

In addition to the $150,000 HIPAA Settlement, ACMHS will be under HHS’ microscope for the next two years.  The Corrective Action Plan requires ACMHS to implement the following changes:

  • Draft updated and adopt Security Policies and Procedures and submit to HHS within 60 days.
  • Distribute new Security Policies and Procedures to all workforce members and require the workforce members to sign a compliance certification.
  • Provide training on security awareness to all workforce members and annual training thereafter.
  • Perform an accurate and thorough risk assessment.
  • Inform HHS if a workforce member fails to adhere to the Security Policies and Procedures.
  • Provide annual reports to HHS.

ACMHS’ settlement provides three key takeaways for covered entities and business associates:

1) Patch & Update.  Like Community Health Systems, which reported a breach of 4.5 million patient records due to Chinese hackers targeting a heartbleed vulnerability, ACMHS is finding out the hard way the importance of software patching and updating.  Staying up to date on security patches and software updates is not an easy task, but an important one considering that hackers are exploiting these vulnerabilities.

2) Tailor the Security Policies and Procedures.  Simply having in place template Security Rule policies and procedures is insufficient to satisfy the requirements of the HIPAA Security Rule and to ultimately secure ePHI.  HIPAA Security policies need to be tailored for the actual information security infrastructure in place at the covered entity/business associate.  The Security Rule permits flexibility when choosing which tools to deploy to protect ePHI, but requires that the covered entity/business associate actually evaluate its infrastructure to make these decisions.

3) Security Risk Analysis.  Further, once the Security Policies and Procedures are in place they need to be evaluated, and the actual system needs to undergo a security risk assessment (suggestion to do this at least annually).  The process of drafting the Security Policies and Procedures as well as the security risk assessment will aid covered entities/business associates in identifying vulnerabilities, evaluating security options, and ultimately safeguarding their ePHI.  HHS has created a security risk assessment tool to help covered entities (not really business associate focused) in evaluating its security compliance.

For more information about the HIPAA Security Rule or if you need assistance in creating your HIPAA Security Policies and Procedures please contact Elana Zana.

Patient Engagement and Meaningful Use

I am very excited this week to present with my colleague Dave Schoolcraft at MGMA in Las Vegas.  We have two presentations on Tuesday, the first at 10:15 entitled the Legal Aspects of Meeting Patient Engagement, the second at 2:45 entitled Double Dipping for EHR Funding.

Vegas is all about the money, and Double Dipping for EHR Funding will focus on how physician practices can still obtain money for Electronic Health Record systems.  The presentation will focus on Stark/Anti-Kickback Donation Arrangements and Meaningful Use dollars.  If you are looking to upgrade to 2014 CEHRT this is a presentation you don’t want to miss. Prior to joining our presentation, I suggest reading two articles we published earlier in the year: Understanding Stark/Anti-Kickback Compliant EHR Donation Arrangements and Key Lessons Related to Stark Compliant EHR Donation Arrangements.

As for Legal Aspects of Meeting Patient Engagement – this presentation focuses both on HIPAA Compliance and Meaningful Use. Stage 2 Meaningful Use includes five patient engagement related objectives, and this time CMS means business.  Two of these five objectives include measures requiring that at least 5% of patients take an action.  These five measures makes the implementation and use of patient portals essential, as portals are a key means of communication with patients and is an appropriate mechanism for each of these Meaningful Use objectives.

The relevant patient engagement Meaningful Use objectives I am referring to here include:

I have added links to the CMS Eligible Professional Specification Sheets for Stage 2 above because I find them very helpful in deciphering what each of these measures require.  Meeting these requirements is not a walk in the park, and my clients have expressed difficulty getting patients to send secure messages or login to  a portal.  Often the CEHRT itself makes these tasks quite difficult.  Patient engagement is core to growing a practice, especially as patients begin to pay for their healthcare and start to demand physician interaction via e-mail and other technologies.

If you are interested in learning more about these patient engagement requirements in Meaningful Use stop on by our presentation, or contact me directly.

 

Meaningful Use Audit Outcomes – Guest Blog Post

October brings a flurry of Meaningful Use attestations, and this October is no different.  Eligible Hospitals finished up their attestation and are wrapping up the 2014 year; Eligible Professionals are checking their numbers and gearing up for their last run at achieving Meaningful Use before the end of the year.  Lingering in the background is ensuring that you have maintained documentation sufficient to meet the auditor’s standards.

Our guest blog post author, Steve Spearman from Health Security Solutions, researched the CMS audit results, and for hospitals the results are not too bad – but the same can’t be said for Eligible Professionals.  Here are the highlights:

Prepayment Audits for Eligible Professionals: 21.5% failed the audit.

Post-Payment Audits for Eligible Professionals:  24% failed the audit.

Post-Payment Audits for Hospitals:  4,7% failed the audit.

Steve’s blog article provides a deep dive into the audit results and the reasons for failure for both Eligible Professionals and hospitals.  To read his terrific blog article click here.  If you are interested in learning more about the audit statistics click here for Jim Tate’s blog article as well.

More audits are coming and making sure that you have double checked your numbers before attesting and performed your security risk analysis, including an implementation plan and completion dates, is necessary.  For assistance in preparing for audits or if you recently received an audit please contact Elana Zana.