Key Lessons Related to Stark Compliant EHR Donation Arrangements

Is your entity thinking about engaging in a Stark/AKS Compliant EHR Donation Arrangement?  If so, check out this list of top 5 issues to consider as you are assessing your options and your health IT alignment strategy.

1.  An EHR donation arrangement is an effective way for hospitals to align with their physicians.

In the world of health information exchange, having the technological ability to seamlessly communicate with a hospital or referring physician is crucial to effective patient care.  It enables physicians and hospitals alike to efficiently obtain patient information and to exchange this information as needed to ensure quality patient care.

2.  There are specific rules – and significant consequences for breaking those rules.

Be careful not to run afoul of the Stark or Anti-Kickback rules.  Ensure that your contracts are compliant with both Stark and Anti-Kickback and that the arrangement is not designed at rewarding referring physicians.  

3.  What is the hospital taking on when it becomes an EHR vendor?  

What are the consequences for a physician practice if the local hospital is also its EHR vendor?  In many arrangements the hospital is the contracting party with the EHR software vendor (i.e. Epic, Cerner, etc.) and owns the relationship.  Physician groups will look to the hospital to obtain necessary service, updates, modules and when the system malfunctions.  The hospital should evaluate if it is able to take on this role.

4.  Physicians need to know what to expect as recipients of an EHR donation.

Often times the physician group is giving up its autonomy in choosing the EHR vendor, configuration or customization and must often defer to the hospital to make appropriate purchase, upgrade and service decisions.  In addition, even though the hospital may be picking up the majority of the costs (no more than 85%) the investment may still be expensive (and will likely exceed the meaningful use incentive dollars).  Items such as hardware, storage, and operating system software are excluded from the donation.    

5.  Before you align, be clear about who will get the “record collection” if things don’t turn out.

Before entering into a donation arrangement the parties should have a clear understanding of what happens if the relationship goes awry.  How will the records be divided, extracted, or migrated into a new system?  Will the physician group be able to maintain a relationship with the software vendor independently?  What are the ramifications of changing vendors and separating from the hospital EHR?

Special thanks to ECG’s Michelle Holmes and OMW attorney David Schoolcraft for composing this list based on their HIMSS14 presentation “Using Stark/Anti-Kickback to Support Hospital/Physician IT Alignment Strategies.

For more information on designing Stark/Anti-Kickback compliant donation arrangements please see the previous posts describing the exception requirements and the 2013 updates.  For assistance in creating a donation arrangement please contact Elana ZanaMichelle Holmes or David Schoolcraft.

 

Understanding Stark/Anti-Kickback Compliant EHR Donation Arrangements

In 2006 and extended in December 2013, CMS issued Stark and Anti-Kickback exceptions/safe harbors permitting EHR technology donation arrangements between hospitals (and other organizations) and physician groups.  This exception permitted hospitals to aid physician groups, who may be referral sources, in acquiring and implementing EHR and other health information technology.  Originally, hospitals had a seven-year window in which to engage in these donation arrangements, though in December 2013 CMS extended the donation arrangements for an additional 7 years through December 31, 2021.

The arrangement may include the non-monetary donation of “items or services in the form of software or information technology and training services.”  Key components of the exception/safe harbor include:

  • The donation is provided from an entity to a physician.
    • Change in 2013 rules, this entity cannot be a lab.
  • The software is interoperable
    • Change in  2013 rules, software is deemed interoperable if it has been certified as “certified EHR technology” as that term is used by the ONC for the meaningful use/EHR Incentive Program.
  • Donor cannot restrict or limit the use or interoperability of the technology with other eRx or EHR systems.
    • Change in 2013 rules, CMS interprets this rule more broadly by providing a non-exclusive list of the types of technologies that are included in this restriction: “health information technology applications, products, or services.”
  • Physician must pay at least 15% of the costs for the technology (which amount cannot be financed by the hospital).
  • Neither the physician nor the physician’s practice makes the receipt of the technology a condition of doing business with the donor.
  • Neither eligibility of the physician nor the amount or nature of the donation is determined in a manner that takes into account the volume or value of referrals or other business generated between the parties.
  • The donation is set forth in writing, signed by the parties, specifies the items to be provided, the donor’s costs and the physician’s contribution, and covers all EHR items and services to be provided by the donor.
  • The donor cannot have knowledge of or disregard the fact that the physician already possesses equivalent items or services.
  • The donor cannot restrict or limit the physician’s right to use the software for any patient.
  • The donation cannot include staffing of physician offices and cannot be used to primarily conduct personal business or business unrelated to the physician’s medical practice.
    • Note the donation may also include other “software and functionality directly related to the care and treatment of individual patients (for example, patient administration, scheduling functions, billing, clinical support software, etc.” (71 FR 45152).
  • The donation arrangement does not violate the Anti-Kickback statute.
  • The exception expires December 31, 2021.

Beyond crafting a donation arrangement that satisfies both the Stark law exception and Anti-Kickback safe harbor, hospitals and physicians should assess overall technology alignment strategies and the goals and framework for such donation arrangements.  Making sure that clear expectations are set in advance, including understanding implementation, roll out and support, data ownership and extraction, and utilizing the EHR technology for government incentive programs, such as meaningful use, are important topics that should be addressed by the arrangement.

For those interested in learning more about this topic and are currently attending HIMSS14, David Schoolcraft, attorney at Ogden Murphy Wallace, and Michelle Holmes, principal at ECG Management Consultants, are presenting on Wednesday at 10 AM on Using Stark/Anti-Kickback To Support Hospital/Physician IT Alignment Strategies.  For further information about designing a compliant arrangement please contact Elana Zana or Dave Schoolcraft.

 

HHS Issues HIPAA Guidance For Mental Health

HHS recently issued HIPAA guidance for mental health practitioners, in an effort to help providers wade through complicated decisions of when disclosures of patient information are permissible.  This guidance, set up in a FAQ format, is designed to incorporate common questions related to the intersection of mental health and privacy laws.  The guidance addresses when healthcare providers are permitted to:

  • Communicate with a patient’s family members, friends, or others involved in the patient’s care;
  • Communicate with family members when the patient is an adult;
  • Communicate with the parent of a patient who is a minor;
  • Consider the patient’s capacity to agree or object to the sharing of their information;
  • Involve a patient’s family members, friends, or others in dealing with patient failures to adhere to medication or other therapy;
  • Listen to family members about their loved ones receiving mental health treatment;
  • Communicate with family members, law enforcement, or others when the patient presents a serious and imminent threat of harm to self or others; and
  • Communicate to law enforcement about the release of a patient brought in for an emergency psychiatric hold.

The guidance also addresses FERPA (privacy laws in a school setting), Federal alcohol and drug abuse confidentiality (42 CFR Part 2 Programs) and the rights of parents to have access to a minor child’s information.    Though not addressed in the guidance, those mental health practitioners practicing in Washington State should also be aware of  the new statutes regulating mental health record disclosures which take effect on July 1, 2014.

For assistance in navigating these privacy rules please contact Elana Zana or Dave Schoolcraft.

HHS Deadline for HIPAA Breach Notification Reporting

As part of the HITECH revisions to HIPAA, providers are required to report all HIPAA breaches, regardless of the number of individuals affected to HHS on an annual basis.  The deadline for this report is Saturday, March 1st, 2014.  This reporting requirement is pursuant to the Omnibus HIPAA Rule published in January of 2013.  Providers who have had breaches affecting less than 500 individuals can report the HIPAA breaches here.  This report needs to be filled out for each breach that occurred during the 2013 calendar year.  For example, if a covered entity had a breach in April of 2013 affecting three individuals and another breach in December 2013 affecting two individuals the report must be submitted for each breach but not for each individual (a total of two reports would be submitted in this example).  To fill out this form covered entities will need to submit the following information about the breach:

  • General information regarding the covered entity
  • Whether the breach occurred at or by a Business Associate and the associated contact information for that Business Associate
  • Date of the Breach
  • Date of Discovery
  • Approximate number of individuals affected by the Breach
  • Type of Breach (i.e. theft, loss, unauthorized access, etc.)
  • Location of breached information (i.e. laptop, e-mail, etc.)
  • Type of Protected Health Information involved in the Breach (i.e. demographic, financial, etc.)
  • Description of the Breach
  • Safeguards in place prior to the Breach (i.e. firewalls, physical security, etc.)
  • Date individuals were notified of the Breach
  • Whether substitute notice was required (this requirement is described in the rule)
  • Whether media notice was required (this requirement is described in the rule)
  • Actions taken in response to the Breach (sanctions, mitigation, etc.)
  • Any additional actions taken
  • Attestation

For those covered entities that have had a breach which affected more than 500 individuals, this report should have been submitted no later than 60 days following discovery of the breach in accordance with the Breach Notification Rule.

If you have questions regarding filling out this report or on Breach Notification in general please contact Elana Zana or Dave Schoolcraft.

Medicare EHR Incentive Program Deadline Extended

CMS announced last week that it has extended the registration and attestation deadline for the Medicare EHR Incentive Programs to March 31, 2014 for eligible professionals.  This month long extension will aid eligible professionals in compiling their meaningful use data from 2013 and filling out the registration process (which can be time consuming).

In addition, CMS is offering to assist eligible hospitals who experienced difficulty with their attestation.  This assistance will allow eligible hospitals to submit their attestation retroactively to avoid the 2015 payment adjustment.  To do so, hospitals must contact CMS by March 15, 2014.  Eligible hospitals are instructed to contact CMS at EH2013Extension@Provider-Resources.com  no later than 11:59 PM EST on Marfch 15, 2014.

  1. Type “EH 2013 EXTENSION” in the subject line of the email note
  2. Include the following information:
    • CCN;
    • hospital name;
    • contact person name;
    • contact person email; and
    • contact person phone number.

CMS will then contact the designated individual to discuss the retroactive extension.

As a reminder, these extensions are for the Medicare EHR Incentive Program only, and do not apply to the Medicaid EHR Incentive Program.  In Washington, the deadline to apply for the Medicaid EHR Incentive Program remains February 28, 2014.

For more information about the EHR Incentive Programs or meaningful use generally please contact Elana Zana.

Washington Medicaid EHR Incentive Program Webinar

The Washington State Health Care Authority announced that it will be hosting a webinar to aid in the registration for the Medicaid EHR Incentive Program.  This will help providers who are registering and attesting to both adopt, implement and upgrade and meaningful use.

Topics Include: Navigating the WA ST EHR Attestation Application-eMIPP (MU Stage 1)

  • Attestation
  • Navigating the eMIPP application
  • How to get paid correctly
  • Live Q & A after presentation

To register click here.

The state of Washington has also published helpful tools for registration, including user guides and state specific worksheets (for example the .95 multiplier).

These webinars are very informative and it is recommended that all first time applicants (and those applicants that need a refresher) attend.

Also, note that though the Medicare EHR Incentive Program has extended registration through March 31, 2014, the Washington Medicaid EHR Incentive Program requires registration and attestation by February 28, 2014.

For assistance with registration and attestation for the Medicare or Medicaid EHR Incentive Program please contact Elana Zana.

 

DOH Issues New Hospital CN Rule & Transparency Requirements

Prior to the end of the year, and in compliance with Governor Inslee’s directive, the Washington Department of Health (DOH) issued new hospital Certificate of Need (CN) rules and transparency requirements for existing hospitals.

Effective January 23rd, hospitals wishing to affiliate with one another (or other types of corporate restructuring) will now have to undergo full CN review.  The new rules modify WAC 246-310-010 and adopt a broad definition of “sale, purchase, or lease” to include affiliations, corporate membership restructuring, “or any other transaction.”  DOH, in response to the over 1,000 public comments received on these new rules (including the transparency rules below) explained:

The purpose of this clarification is to focus on the outcome of these transactions to bring them within CoN review.  CoN evaluation includes review of the reduction or loss of services and the community’s access to alternatives if there is a reduction or loss.

In addition, DOH issued a modification to the hospital licensing requirements.  This modification now requires hospitals to submit to DOH and publish on their own websites (“readily accessible to the public”) the following policies related to access to care:  admission, nondiscrimination, end of life care, and reproductive health care.  Hospitals must comply with this requirement no later than March 24, 2014.  Hospitals that make changes to these policies must also notify DOH of those changes within thirty days.

Since the amendment to the hospital licensing rules require online access to hospitals’ nondiscrimination policies, now is an excellent time for hospitals to review nondiscrimination policies to be sure they are consistent with all applicable laws.  Hospitals are “places of accommodation” under local, state, and federal nondiscrimination laws, which vary by jurisdiction.  For example, federal law prohibits genetic discrimination, which is not covered by Washington state law; state law prohibits discrimination on the basis of marital status, sexual orientation, and gender expression or identity, which are not covered under federal law; and the City of Seattle prohibits discrimination on the basis of political ideology, which is not covered under state or federal law.  Hospital nondiscrimination policies should be tailored to cover all the jurisdictions in which you provide services.  For assistance with drafting a nondiscrimination policy please contact Karen Sutherland.

For more information about the access to care policies or certificate of need generally please contact Elana Zana.

 

 

Stark Law Donation Exception Extended to 2021

Beating the deadline by mere days, CMS and the OIG released their final rules related to the Stark Law exception/Anti-Kickback safe harbor for EHR donation arrangements.  The new rules extend the donation arrangement exception until December 31, 2021.

The new rules become effective 90 days after publication, with the exception of the extension, which is effective on December 31, 2013.  These new rules permit existing donation arrangements to continue to operate beyond December 31, 2013, provided they remain in compliance with the Stark exception and Anti-Kickback safe harbor.

Highlights of this new rule (other than the very important extension to 2021) include:

  • The items/EHR are provided by a company (i.e. a hospital) that is not a laboratory.
  • Software is deemed interoperable if it has been certified as “certified EHR technology” as that term is used by the ONC for the meaningful use/EHR Incentive Program.
  • Elimination of the requirement that the EHR software contain eRx capabilities in order to qualify for the exception.
  • Clarification that the donor cannot limit the interoperability of the donated software with other eRx and EHR systems, which CMS interprets more broadly by providing a non-exclusive list of the types of technologies that are included in this restriction: “health information technology applications, products, or services.”

For more information about drafting donation arrangements or these final rules please contact Elana Zana or Dave Schoolcraft.

To view the HIMSS statement on the extension click here.

Meaningful Use Audits – Security Risk Analysis

‘Tis the season for Meaningful Use, the time of year when eligible professionals (EPs) and eligible hospitals (EHs) compile their data from the meaningful use measures and prepare for attestation.  It is also the season of meaningful use audits.  A lesson learned from recent audits: CMS means what it says – EPs and EHs must conduct a security risk analysis.  This measure is not one to be taken lightly – it’s a HIPAA requirement, and CMS auditors are on the lookout for documentation (remember, all documentation must be retained for 6 years).

Regardless of whether EPs or EHs are attesting to Stage 1 or Stage 2, or the fact that they performed a security risk analysis last year, this objective and measure must be fulfilled each year:

 

Stage 1

Stage 2

Objective. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. Objective. Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in Certified EHR Technology in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP’s risk management process.

The HIPAA requirement for a Security Risk Analysis pursuant to 45 CFR 164.308(a)(1) is as follows:

“Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

CMS Meaningful Use audits have specifically called out this objective and measure and are requiring participants to prove that a Security Risk Analysis has actually occurred.  Though the HIPAA Security Officer should have conducted a security risk analysis for the entire practice/hospital, EPs and EHs should maintain a copy of this assessment with their meaningful use documentation and should review the assessment to make sure that the risk analysis complies with the meaningful use requirements (note: the Stage 2 requirements are significantly broader).

Below is the audit question that was sent to some Stage 1 EPs:

“Provide proof that a security risk analysis of Certified EHR Technology was performed prior to the end of the reporting period (i.e. report which documents the procedures performed during the analysis and the results of the analysis).  If deficiencies are identified in this analysis, please supply the implementation plan; this plan should include the completion dates.”

Note that the audit request indicates that further documentation is needed to satisfy the auditors.  EPs must show the implementation plan and the completion dates.  As per the measure itself, the requirement is not merely to conduct a security risk analysis, but the EPs and EHs must implement security updates and correct security deficiencies.  EPs and EHs should document these steps as well in order to appropriately respond to an audit request.

CMS has recently issued a new tip sheet to assist EPs and EHs in fulfilling the security risk analysis requirement.  In addition ONC has published guidance on HIPAA Security Risk Analysis requirements.  The CMS tip sheet includes some common myths surrounding risk analysis such as:

  • “I only need to do a risk analysis once.”

False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.

  • “My EHR vendor took care of everything I need to do about privacy and security.”

False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

  • “The security risk analysis is optional for small providers.”

False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

  • “Simply installing a certified EHR fulfills the security risk analysis MU requirement.”

False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Responding to a Meaningful Use audit can be time consuming and very detailed oriented — thus, maintaining the appropriate documentation is essential.  For assistance with Meaningful Use or HIPAA security risk assessments, please contact Elana Zana.

OIG Issues Unfavorable Advisory Opinion Related to Fee Arrangement

Earlier this week the OIG issued an unfavorable Advisory Opinion concerning the relationship between an Anesthesiology Group (defined as the “Requester” in the OIG opinion), a Psychiatry Group and a Hospital.  The Psychiatry Group performed electroconvulsive therapy (ECT) services at the Hospital, requiring related anesthesia services.  The Requester had an exclusive contract with the Hospital for the provision of anesthesia services.  The specific arrangements reviewed by the OIG dealt with the Hospital’s pressure on the Requester to carve out exceptions to its exclusive contract that would have the effect of allowing the Psychiatry Group to have access to a new anesthesia revenue stream.  Ultimately, the OIG determined that the Proposed Arrangement could potentially generate prohibited remuneration under the anti-kickback statute.

The Proposed Arrangement stemmed from negotiations between the Hospital and the Anesthesiology Group, which had held an 18 year exclusive relationship with the Hospital until 2011.  In late 2010 the Psychiatry Group relocated its practice, which centers around ECT services, to the Hospital; a member of the Psychiatry Group included an anesthesiologist.  In 2011 negotiations with the Anesthesia Group, the Hospital modified the exclusive relationship to allow the Psychiatry Group’s anesthesiologist to perform ECT anesthesia services, and to request the Anesthesiology Group’s coverage while he was not available.  In 2012, the Psychiatry Group requested a provision allowing it to bring in a part time anesthesiologist if the Psychiatry Group and the Anesthesiology Group could not agree on terms for those additional services.  After the 2012 contract went into effect, the Psychiatry Group notified the Anesthesiology Group that it wanted to bring in the additional anesthesiologist and asked the Anesthesiology Group to enter into the Proposed Arrangement.

The Proposed Arrangement provided that the Anesthesiology Group would provide the ECT anesthesia coverage services that were needed and would reassign all billing rights to Psychiatry Group.  In exchange the Anesthesiology Group would receive a per diem rate which the Anesthesiology Group asserts was less than fair market value and below what it would receive if it billed directly for the anesthesia services.  The Psychiatry Group would retain the difference between the amount collected and the per diem rate.  The OIG unequivocally rejected this Proposed Arrangement, finding that the per diem payment made to the Anesthesiology Group did not fall under the personal services and management contract safe harbor of the anti-kickback statute because it was not set in advance nor consistent with fair market value.  Further, the OIG determined that the fee generated for the Psychiatry Group was a door to solicit compensation for its patient referrals for ECT services:

 “The Proposed Arrangement appears to be designed to permit the Psychiatry Group to do indirectly what it cannot do directly; that is, to receive compensation, in the form of a portion of Requestor’s anesthesia services revenues, in return for the Psychiatry Group’s referrals of ECT patients to Requestor for anesthesia services. The Additional Anesthesiologist Provision gave the Psychiatry Group the ability to solicit this remuneration for its ECT patient referrals by allowing the Psychiatry Group to contract with an anesthesiologist other than Requestor if Requestor and the Psychiatry Group were not successful in negotiating the terms of an agreement for Requestor to provide ECT anesthesia services. The Proposed Arrangement therefore presents the significant risk that the remuneration Requestor would provide to the Psychiatry Group—i.e., the opportunity to generate a fee equal to the difference between the amounts the Psychiatry Group would bill and collect for Requestor’s anesthesia services, and the per diem amounts the Psychiatry Group would pay to Requestor—would be in return for the Psychiatry Group’s anesthesia referrals to Requestor. We discern no safeguards in the Proposed Arrangement that would minimize this risk.”

What perhaps might be the most interesting part of the opinion, are the OIG’s comments in concluding the opinion. Although not asked to opine on the Hospital’s relationships with the Psychiatry Group and Requester, the OIG commented in a footnote about the potential improprieties of the Hospital’s relationship with those parties:

“Although we have not been asked to opine on, and express no opinion regarding, any aspect of Requestor’s relationship with the Hospital, including the 2012 Contract or the Additional Anesthesiologist Provision, we cannot exclude the possibility that: (i) the Hospital agreed to negotiate for the Additional Anesthesiologist Provision in exchange for, or to reward, the Psychiatry Group’s continued referral of patients to the Hospital for ECT procedures; (ii) the Hospital leveraged its control over its large base of anesthesia referrals to induce Requestor to agree to the Additional Anesthesiologist Provision; and (iii) Requestor agreed to the Additional Anesthesiologist Provision in exchange for access to the Hospital’s stream of anesthesia referrals.”

This OIG opinion highlights the OIG’s continued concern regarding arrangements that allow referring providers access to new revenue streams in a manner that may be connected to the providers referrals.  Parties desiring to enter into these types of arrangements should take care to include as many safeguards (using the OIG’s language) to ensure that the payments are not related to referrals.  In the absence of such safeguards, it is pretty clear that the OIG will not look favorably upon the arrangement.

For more information about this particular OIG Opinion or the anti-kickback statute in general please contact Elana Zana or Don Black.