Meaningful Use Exception Includes EHR Vendor Delays

Following its announcement at HIMSS, CMS has published its hardship exception application for 2014 along with its new exception due to vendor delays.  The new exception permits eligible hospitals and eligible professionals to request an exception from the 2015/2016 payment adjustments due to 2014 EHR Vendor Issues.  Specifically, CMS now permits an exception due to the inability of the vendor to obtain 2014 certification or if the hospital or EP was unable to implement meaningful use due to 2014 EHR certification delays.  Along with filling out the EP or Hospital exception forms, those requesting the exception must submit a notification from the EHR vendor.

For EPs and hospitals who are demonstrating meaningful use for the first time, they may apply for this hardship exception to avoid the 2015 payment adjustments.  For those EPs and hospitals who have previously demonstrated meaningful use, they may use this hardship exception to avoid 2016 payment adjustments.

For hospitals, the hardship exception request for 2015 payment adjustments is due April 1, 2014.  For eligible professionals, the hardship exception request for 2015 payment adjustments is due July 1, 2014.  However, for those EPs that have not previously participated in the Medicare EHR Incentive Program they can submit attestation by October 1, 2014 and also avoid the payment adjustments.  CMS has also issued guidance for applying for the EHR Vendor hardship exception for EPs and hospitals.

For more information about the Medicare or Medicaid EHR Incentive Program or applying for these hardship exceptions please contact Elana Zana.

Key Lessons Related to Stark Compliant EHR Donation Arrangements

Is your entity thinking about engaging in a Stark/AKS Compliant EHR Donation Arrangement?  If so, check out this list of top 5 issues to consider as you are assessing your options and your health IT alignment strategy.

1.  An EHR donation arrangement is an effective way for hospitals to align with their physicians.

In the world of health information exchange, having the technological ability to seamlessly communicate with a hospital or referring physician is crucial to effective patient care.  It enables physicians and hospitals alike to efficiently obtain patient information and to exchange this information as needed to ensure quality patient care.

2.  There are specific rules – and significant consequences for breaking those rules.

Be careful not to run afoul of the Stark or Anti-Kickback rules.  Ensure that your contracts are compliant with both Stark and Anti-Kickback and that the arrangement is not designed at rewarding referring physicians.  

3.  What is the hospital taking on when it becomes an EHR vendor?  

What are the consequences for a physician practice if the local hospital is also its EHR vendor?  In many arrangements the hospital is the contracting party with the EHR software vendor (i.e. Epic, Cerner, etc.) and owns the relationship.  Physician groups will look to the hospital to obtain necessary service, updates, modules and when the system malfunctions.  The hospital should evaluate if it is able to take on this role.

4.  Physicians need to know what to expect as recipients of an EHR donation.

Often times the physician group is giving up its autonomy in choosing the EHR vendor, configuration or customization and must often defer to the hospital to make appropriate purchase, upgrade and service decisions.  In addition, even though the hospital may be picking up the majority of the costs (no more than 85%) the investment may still be expensive (and will likely exceed the meaningful use incentive dollars).  Items such as hardware, storage, and operating system software are excluded from the donation.    

5.  Before you align, be clear about who will get the “record collection” if things don’t turn out.

Before entering into a donation arrangement the parties should have a clear understanding of what happens if the relationship goes awry.  How will the records be divided, extracted, or migrated into a new system?  Will the physician group be able to maintain a relationship with the software vendor independently?  What are the ramifications of changing vendors and separating from the hospital EHR?

Special thanks to ECG’s Michelle Holmes and OMW attorney David Schoolcraft for composing this list based on their HIMSS14 presentation “Using Stark/Anti-Kickback to Support Hospital/Physician IT Alignment Strategies.

For more information on designing Stark/Anti-Kickback compliant donation arrangements please see the previous posts describing the exception requirements and the 2013 updates.  For assistance in creating a donation arrangement please contact Elana ZanaMichelle Holmes or David Schoolcraft.

 

Understanding Stark/Anti-Kickback Compliant EHR Donation Arrangements

In 2006 and extended in December 2013, CMS issued Stark and Anti-Kickback exceptions/safe harbors permitting EHR technology donation arrangements between hospitals (and other organizations) and physician groups.  This exception permitted hospitals to aid physician groups, who may be referral sources, in acquiring and implementing EHR and other health information technology.  Originally, hospitals had a seven-year window in which to engage in these donation arrangements, though in December 2013 CMS extended the donation arrangements for an additional 7 years through December 31, 2021.

The arrangement may include the non-monetary donation of “items or services in the form of software or information technology and training services.”  Key components of the exception/safe harbor include:

  • The donation is provided from an entity to a physician.
    • Change in 2013 rules, this entity cannot be a lab.
  • The software is interoperable
    • Change in  2013 rules, software is deemed interoperable if it has been certified as “certified EHR technology” as that term is used by the ONC for the meaningful use/EHR Incentive Program.
  • Donor cannot restrict or limit the use or interoperability of the technology with other eRx or EHR systems.
    • Change in 2013 rules, CMS interprets this rule more broadly by providing a non-exclusive list of the types of technologies that are included in this restriction: “health information technology applications, products, or services.”
  • Physician must pay at least 15% of the costs for the technology (which amount cannot be financed by the hospital).
  • Neither the physician nor the physician’s practice makes the receipt of the technology a condition of doing business with the donor.
  • Neither eligibility of the physician nor the amount or nature of the donation is determined in a manner that takes into account the volume or value of referrals or other business generated between the parties.
  • The donation is set forth in writing, signed by the parties, specifies the items to be provided, the donor’s costs and the physician’s contribution, and covers all EHR items and services to be provided by the donor.
  • The donor cannot have knowledge of or disregard the fact that the physician already possesses equivalent items or services.
  • The donor cannot restrict or limit the physician’s right to use the software for any patient.
  • The donation cannot include staffing of physician offices and cannot be used to primarily conduct personal business or business unrelated to the physician’s medical practice.
    • Note the donation may also include other “software and functionality directly related to the care and treatment of individual patients (for example, patient administration, scheduling functions, billing, clinical support software, etc.” (71 FR 45152).
  • The donation arrangement does not violate the Anti-Kickback statute.
  • The exception expires December 31, 2021.

Beyond crafting a donation arrangement that satisfies both the Stark law exception and Anti-Kickback safe harbor, hospitals and physicians should assess overall technology alignment strategies and the goals and framework for such donation arrangements.  Making sure that clear expectations are set in advance, including understanding implementation, roll out and support, data ownership and extraction, and utilizing the EHR technology for government incentive programs, such as meaningful use, are important topics that should be addressed by the arrangement.

For those interested in learning more about this topic and are currently attending HIMSS14, David Schoolcraft, attorney at Ogden Murphy Wallace, and Michelle Holmes, principal at ECG Management Consultants, are presenting on Wednesday at 10 AM on Using Stark/Anti-Kickback To Support Hospital/Physician IT Alignment Strategies.  For further information about designing a compliant arrangement please contact Elana Zana or Dave Schoolcraft.

 

Medicare EHR Incentive Program Deadline Extended

CMS announced last week that it has extended the registration and attestation deadline for the Medicare EHR Incentive Programs to March 31, 2014 for eligible professionals.  This month long extension will aid eligible professionals in compiling their meaningful use data from 2013 and filling out the registration process (which can be time consuming).

In addition, CMS is offering to assist eligible hospitals who experienced difficulty with their attestation.  This assistance will allow eligible hospitals to submit their attestation retroactively to avoid the 2015 payment adjustment.  To do so, hospitals must contact CMS by March 15, 2014.  Eligible hospitals are instructed to contact CMS at EH2013Extension@Provider-Resources.com  no later than 11:59 PM EST on Marfch 15, 2014.

  1. Type “EH 2013 EXTENSION” in the subject line of the email note
  2. Include the following information:
    • CCN;
    • hospital name;
    • contact person name;
    • contact person email; and
    • contact person phone number.

CMS will then contact the designated individual to discuss the retroactive extension.

As a reminder, these extensions are for the Medicare EHR Incentive Program only, and do not apply to the Medicaid EHR Incentive Program.  In Washington, the deadline to apply for the Medicaid EHR Incentive Program remains February 28, 2014.

For more information about the EHR Incentive Programs or meaningful use generally please contact Elana Zana.

Washington Medicaid EHR Incentive Program Webinar

The Washington State Health Care Authority announced that it will be hosting a webinar to aid in the registration for the Medicaid EHR Incentive Program.  This will help providers who are registering and attesting to both adopt, implement and upgrade and meaningful use.

Topics Include: Navigating the WA ST EHR Attestation Application-eMIPP (MU Stage 1)

  • Attestation
  • Navigating the eMIPP application
  • How to get paid correctly
  • Live Q & A after presentation

To register click here.

The state of Washington has also published helpful tools for registration, including user guides and state specific worksheets (for example the .95 multiplier).

These webinars are very informative and it is recommended that all first time applicants (and those applicants that need a refresher) attend.

Also, note that though the Medicare EHR Incentive Program has extended registration through March 31, 2014, the Washington Medicaid EHR Incentive Program requires registration and attestation by February 28, 2014.

For assistance with registration and attestation for the Medicare or Medicaid EHR Incentive Program please contact Elana Zana.

 

Stark Law Donation Exception Extended to 2021

Beating the deadline by mere days, CMS and the OIG released their final rules related to the Stark Law exception/Anti-Kickback safe harbor for EHR donation arrangements.  The new rules extend the donation arrangement exception until December 31, 2021.

The new rules become effective 90 days after publication, with the exception of the extension, which is effective on December 31, 2013.  These new rules permit existing donation arrangements to continue to operate beyond December 31, 2013, provided they remain in compliance with the Stark exception and Anti-Kickback safe harbor.

Highlights of this new rule (other than the very important extension to 2021) include:

  • The items/EHR are provided by a company (i.e. a hospital) that is not a laboratory.
  • Software is deemed interoperable if it has been certified as “certified EHR technology” as that term is used by the ONC for the meaningful use/EHR Incentive Program.
  • Elimination of the requirement that the EHR software contain eRx capabilities in order to qualify for the exception.
  • Clarification that the donor cannot limit the interoperability of the donated software with other eRx and EHR systems, which CMS interprets more broadly by providing a non-exclusive list of the types of technologies that are included in this restriction: “health information technology applications, products, or services.”

For more information about drafting donation arrangements or these final rules please contact Elana Zana or Dave Schoolcraft.

To view the HIMSS statement on the extension click here.

Meaningful Use Audits – Security Risk Analysis

‘Tis the season for Meaningful Use, the time of year when eligible professionals (EPs) and eligible hospitals (EHs) compile their data from the meaningful use measures and prepare for attestation.  It is also the season of meaningful use audits.  A lesson learned from recent audits: CMS means what it says – EPs and EHs must conduct a security risk analysis.  This measure is not one to be taken lightly – it’s a HIPAA requirement, and CMS auditors are on the lookout for documentation (remember, all documentation must be retained for 6 years).

Regardless of whether EPs or EHs are attesting to Stage 1 or Stage 2, or the fact that they performed a security risk analysis last year, this objective and measure must be fulfilled each year:

 

Stage 1

Stage 2

Objective. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. Objective. Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in Certified EHR Technology in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP’s risk management process.

The HIPAA requirement for a Security Risk Analysis pursuant to 45 CFR 164.308(a)(1) is as follows:

“Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

CMS Meaningful Use audits have specifically called out this objective and measure and are requiring participants to prove that a Security Risk Analysis has actually occurred.  Though the HIPAA Security Officer should have conducted a security risk analysis for the entire practice/hospital, EPs and EHs should maintain a copy of this assessment with their meaningful use documentation and should review the assessment to make sure that the risk analysis complies with the meaningful use requirements (note: the Stage 2 requirements are significantly broader).

Below is the audit question that was sent to some Stage 1 EPs:

“Provide proof that a security risk analysis of Certified EHR Technology was performed prior to the end of the reporting period (i.e. report which documents the procedures performed during the analysis and the results of the analysis).  If deficiencies are identified in this analysis, please supply the implementation plan; this plan should include the completion dates.”

Note that the audit request indicates that further documentation is needed to satisfy the auditors.  EPs must show the implementation plan and the completion dates.  As per the measure itself, the requirement is not merely to conduct a security risk analysis, but the EPs and EHs must implement security updates and correct security deficiencies.  EPs and EHs should document these steps as well in order to appropriately respond to an audit request.

CMS has recently issued a new tip sheet to assist EPs and EHs in fulfilling the security risk analysis requirement.  In addition ONC has published guidance on HIPAA Security Risk Analysis requirements.  The CMS tip sheet includes some common myths surrounding risk analysis such as:

  • “I only need to do a risk analysis once.”

False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.

  • “My EHR vendor took care of everything I need to do about privacy and security.”

False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

  • “The security risk analysis is optional for small providers.”

False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

  • “Simply installing a certified EHR fulfills the security risk analysis MU requirement.”

False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Responding to a Meaningful Use audit can be time consuming and very detailed oriented — thus, maintaining the appropriate documentation is essential.  For assistance with Meaningful Use or HIPAA security risk assessments, please contact Elana Zana.

Reducing the Risks of Third-Party Access to EHR Systems

UnityPoint Health, a health system located in Iowa, recently informed 1,800 patients of a breach of their health information.  UnityPoint learned of the breach after an audit discovered that a third party contractor’s employee had improperly gained access to the UnityPoint electronic health record (EHR) system and viewed the records of the 1,800 patients.

The UnityPoint breach shows the risks of allowing a third party contractors, known as “business associates,” to access health information in an EHR system  While such access may be required for certain activities, including billing, claims management, or utilization review, providers must be certain that the business associate agreements with such contractors include strong protections for the provider.

For example, business associate agreements should include requirements for the business associate to indemnify the provider for expenses resulting from HIPAA breaches, pay all notification costs associated with such breaches, and maintain insurance policies that provide coverage for a large breach.

Although strong language in a business associate agreement provides legal protection for a provider, it will do nothing to counteract the public relations fallout that results from notifying patients of a breach.  Therefore, providers should make every effort to contract with legitimate entities that understand HIPAA compliance.

If you would like more information about HIPAA compliance, please contact Casey Moriarty.

SRDP Settlement: Improper EHR Donation Arrangement Among Violations

Last month CMS settled several violations of the self-referral statute (aka Stark Law) with an Ohio hospital, including a failure to appropriately structure a donation arrangement for electronic health records (EHR) .  The hospital disclosed under the Self-Referral Disclosure Protocol that it may have violated the Stark Law with regard to several arrangements with certain physicians, including arrangements for EKG interpretations, medical director services, Vice-Chief of Staff services, and hospital services (no specifics provided in CMS release).  The settlement was for $265,565.  The SRDP, which was included in the ACA, was created as a mechanism for providers to self-report potential Stark law violations.

The EHR donation arrangement to the Stark and Anti-Kickback laws permits hospitals to enter into certain arrangements with physicians for the donation of EHR related software and services.  The donation arrangement exception is scheduled to expire on December 31, 2013, however CMS has proposed extending the exception through 2016.  If CMS does not extend the exception, existing donation arrangements will have to convert to fair market value for shared technology and services.

If you have questions regarding the SRDP or structuring a EHR donation arrangement please contact Elana Zana.

Deadline for Avoiding the eRx Payment Adjustment Approaching at End of the Month

The June 30, 2013 deadline to participate in the Electronic Prescribing Incentive Program (“eRx”) and avoid the 2014 eRx payment adjustment is fast approaching.  Eligible Professionals (“EP’) looking to avoid the 2% payment adjustment in 2014 (payment adjustment means that EPs will only receive 98% of his/her Medicare Part B Physician Fee Schedule amount for covered professional services),  must either participate in the eRx program, fall under the exclusion criteria, or file for a hardship exemption by June 30, 2013.  Information regarding participation in the eRx program can be found here.

Exclusions

The following EPs will not be subject to the 2014 eRx payment adjustment if any one of the following applies:

  1. EP successfully participates in the eRx program during the 2012 12-month reporting period (1/1/12 – 12/31/12).
  2. EP is not an MD, DO, podiatrist, Nurse Practitioner or Physician Assistant.
  3. EP does not have at least 100 Medicare Part B PFS cases containing the encounter code in the measure’s denominator between 1/1/2013-6/30/2013.
  4. EP does not have 10% or more of their charges as Medicare Part B PFS allowable charges for encounter codes in the measure’s denominator during between 1/1/2013-6/30/2013.
  5. EP does not have prescribing privileges and reported GT8644 on a payable Medicare Part B service on at least once on a claim between 1/1/2013-6/30/2013.
  6. EP submits at least 10 eRx and reports the G-code G8553 between 1/1/2013-6/30/2013.
  7. EP achieves Meaningful Use under the Medicare or Medicaid EHR Incentive Program during 2012 or between 1/1/2013-6/30/2013 (and attests before 6/30/2013).
  8. EP demonstrates by registration of their intent to participate in the Medicare or Medicaid EHR Incentive Program during the 1/1/13-6/30/13 reporting period.
  9. EP submits one hardship exemption G-code via any payable Medicare Part B PFS claim between 1/1/2013-6/30/2013.
  10. EP request and CMS approves a hardship exemption.

Hardship Exemptions

EPs may be exempted from the payment adjustment if it is determined that compliance would result in a significant hardship.  Hardship exemptions must be submitted by June 30, 2013.  Such exemptions include:

  1. EP’s inability to electronically prescribe due to state, federal or local law or regulation. (Submit using the Communication Support Page)
  2. EP prescribes fewer than 100 prescriptions in a six month payment adjustment reporting period.  (Submit using the Communication Support Page)
  3. EP practices in a rural area without sufficient high speed internet access .  (Submit using the Communication Support Page or use G8642 in at least one claim between 1/1/13-6/30/13)
  4. EP practices in an area without sufficient available pharmacies for eRx.  (Submit using the Communication Support Page or use G8643 in at least one claim between 1/1/13-6/30/13)
  5. EP achieves Meaningful Use under the Medicare or Medicaid EHR Incentive Program.
  6. EP demonstrates their intent to participate in the Medicare or Medicaid EHR Incentive Program during the 1/1/13-6/30/13 reporting period.
  7. EP does not have prescribing privileges between 1/1/2013-6/30/2013.  (File at least one claim with G8644 on a payable Medicare Part B service between 1/1/13-6/30/13)

Requesting a Hardship Exemption

To submit a hardship request, EPs must access the Communication Support Page located here (look at upper-left hand corner once on the site).  CMS suggests that when submitting a hardship, EPs should provide detailed justifications for the hardships.

Those hardships with G-codes may also be submitted by EPs on a claim with a payable Medicare Part B service during the six-month reporting period (1/1/13-6/30/13).

EPs that achieve Meaningful Use under the Medicare or Medicaid EHR Incentive Program or demonstrate their intent to participate in the Medicare or Medicaid EHR Incentive Program during the 1/1/13-6/30/13 reporting period will be determined by CMS through review of the EHR Incentive Program Attestation and Registration system.  CMS will automatically determine if these exemptions apply.

Group practices participating in 2013 eRx GPRO must indicate hardship exemptions during self-nominations/registration or submit an exemption request via the Communication Support Page (listed above).

For more information on eRx or other incentive programs please contact Elana Zana.