Finally! Washington Has A Telemedicine Bill. But What’s In It?

After many years of effort, the Washington State Legislature has sent a telemedicine bill to the Governor for signature.

It is an exciting achievement, but now that the bill has passed, we need to answer an important question: “What is actually in the bill?”

Payment for Professional Telemedicine Services

The primary purpose of the bill is to require health insurance companies, Medicaid managed care plans, and health plans offered to Washington State employees to reimburse health care providers who provide professional services via telemedicine technology.

This is critical because, prior to the bill, insurance companies had no obligation to reimburse providers for telemedicine services.

One unfortunate aspect of the new law is that it does not set the specific reimbursement rate for telemedicine services. In other words, nothing requires health plans to pay for telemedicine services at the same rate as an in-person encounter.

Instead, the rate for telemedicine services will be whatever the health plan and provider agree upon in the negotiated provider agreement between the parties.

Additionally, in order to receive the negotiated rate, providers must pay special attention to the detailed reimbursement requirements of the bill:

Health Care Providers

The bill states that only “health care providers” are entitled to reimbursement for telemedicine services. Fortunately, “health care provider” is defined broadly and includes any of the licenses listed in Title 18 of the Revised Code of Washington.

A health plan need only reimburse health care providers that are contracted with the health plan.

“Out of network” reimbursement is not required.

Types of Technology

The bill applies to both real time “telemedicine” technology and “store and forward” services.

“Telemedicine” technology is a real-time, interactive, video and audio conference between a patient and a provider.  Think “Skype.”

“Store and forward” technology is a system by which information is sent to an intermediate location where it is kept and, at a later time, sent to the intended destination.

This type of technology is very common in the teleradiology and teledermatology fields in which specialists provide reads for digital images of patients.

Unlike its treatment of real-time telemedicine technology, the bill places some critical restrictions on the use of store and forward technology:

  • The bill requires an associated office visit between the patient and referring health care provider if store and forward technology is used. The use of “telemedicine” technology, as defined above, can meet the office visit requirement; and
  • A health plan only has the obligation to provide reimbursement for a service provided via store and forward technology if the service is specified in the negotiated agreement between the health plan and the provider.

The second restriction is a big deal.

Under this restriction, the bill does not require a health plan to pay a provider for services rendered via store and forward technology if such services are not explicitly covered in the provider agreement between the provider and health plan.

Therefore, it is critical that providers using store and forward technology pay close attention to their provider agreements with health plans.

Types of Telemedicine Services

The bill is clear that health plans only have the obligation to provide reimbursement for services that meet all of the following criteria:

  • The health plan covers the same service when it is provided in person;
  • The service is an “essential health benefit” under the Affordable Care Act; and
  • The service is medically necessary.

Health plans have no requirement to provide reimbursement if any one of these three requirements is not met.

Payment For Facility Fees

In discussing the facility fee issue, it is important to understand that there are always two different sites in a telemedicine encounter:

  • The Originating Site: This is the location where the patient is physically located. For reimbursement purposes, originating sites can be hospitals, rural health clinics, federally qualified health centers, health care provider offices, community mental health centers, skilled nursing facilities, or renal dialysis centers (except independent renal dialysis centers).
  • The Distant Site: This is the location where the health care provider is physically located at the time telemedicine services are rendered.

As described above, the bill requires health plans to reimburse providers for the professional services they perform at the distant site during a telemedicine encounter.

But what about the originating site facility where the patient is located? Are health plans required to reimburse these facilities?

The answer is no.

According to the bill, originating site providers are only entitled to facility fees if such fees have been negotiated in the provider’s contract with the health plan.

The bill does not require any health plan reimbursement to the originating site if a health plan refuses to include reimbursement for facility fees in its provider agreement.

This is unfortunate for rural providers who would have benefited from the requirement for health plans to pay facility fees for telemedicine.

Hospital Credentialing and Privileging of Telemedicine Physicians

Aside from reimbursement, another important part of the bill is the changes to the requirements for hospital credentialing and privileging of telemedicine physicians.

In the hospital world, a physician can only provide services at a hospital if the physician is properly credentialed and privileged. Therefore, a physician who provides telemedicine services to an originating site hospital technically must be credentialed and privileged by that hospital.

Prior to the bill, Washington law required hospitals to engage in a detailed credentialing process of requesting information from a physician who was applying for privileges.  The hospital also had to request information from hospitals and facilities that had granted privileges or employed the physician.

This cumbersome process could unnecessarily delay the provision of telemedicine services.

Under the bill, an originating site hospital no longer has to run this full credentialing process itself for telemedicine physicians.

The bill states that an originating site hospital may rely on a distant site hospital’s decision to grant or renew privileges for a telemedicine physician if the originating site enters into a written contract with the distant site.

The contract must have the following provisions:

  • The distant site hospital providing the telemedicine services must be a Medicare participating hospital;
  • Any physician providing telemedicine services at the distant site hospital must be fully privileged to provide such services by the distant site hospital;
  • Any physician providing telemedicine services must hold and maintain a valid license to perform such services issued or recognized by the state of Washington; and
  • The originating site hospital must have evidence of an internal review of the distant site physician’s performance of the privileges and must send the distant site hospital performance information for use in the periodic appraisal of the distant site physician.

Conclusion

There is much to like in Washington’s new telemedicine bill.

For the first time, private health plans are required to pay for telemedicine services. Additionally, the process of hospital credentialing and privileging of telemedicine physicians has been streamlined.

But the bill is not perfect.

Without specific requirements on rates, health plans have the ability to reimburse telemedicine services at a much lower rate than in-person services.  Large health systems may have leverage to negotiate for higher reimbursement in provider agreements, but smaller and rural providers may not have this luxury.

Additionally, teleradiology and teledermatology providers must pay close attention to their negotiated provider agreements with health plans. Under the bill, health plans have no requirement to pay for professional services rendered via “store and forward” technology if those services are not explicitly covered in the provider agreement.

With that said, no bill is perfect, and the new Washington bill is a good first step toward improving the prospects for telemedicine in Washington State.

For more information about telemedicine, please contact Casey Moriarty.

The Myth of a HIPAA Compliant Product

Purchasing a “HIPAA compliant” technology product does not guarantee HIPAA compliance.

There. I said it.

In today’s healthcare marketplace, a vendor’s representation that its product is “100% HIPAA Compliant” is an important assurance for covered entities and business associates. Due to the complex and confusing HIPAA regulations, the idea of “purchasing” compliance can be very attractive.

Unfortunately, you cannot buy HIPAA compliance. To explain, allow me to use the example of encryption technology.

HIPAA Compliant Encryption

Nearly every vendor of an encryption product that targets the healthcare market will claim that the product is HIPAA compliant. This representation is critical because health information that is properly encrypted is exempt from the HIPAA breach notification rules.

But when a vendor states that its encryption product is “HIPAA compliant,” the vendor is merely stating that the product meets the HIPAA encryption guidelines for data at rest (stored data) and data in motion (data that is transmitted over networks).

In reality, the HIPAA Security Rule requires more than merely using technology that meets the encryption guidelines.

The HIPAA Security Rule – What Product is “Reasonable and Appropriate”?

The HIPAA Security Rule standard related to encryption states that covered entities and business associates must: “Implement a mechanism to encrypt and decrypt electronic protected health information.”

Because this standard is “addressable,” an entity must carefully analyze its operations to determine what type of encryption product is reasonable and appropriate for its business.

The analysis must focus on a number of different factors related to the entity, including:

  • The entity’s size, complexity and capabilities;
  • The entity’s technical infrastructure, hardware and software security capabilities;
  • Costs of encryption measures; and
  • Probability and criticality of potential risks to electronic PHI.

For example, if a small entity simply wants to send a limited number of secured e-mails containing patient information, a top-of-the-line encryption product for all IT systems may not be necessary. Rather, a basic e-mail encryption product may suffice.

However, if a large health system regularly transmits a large amount of health information over public networks, a basic e-mail encryption product is probably not appropriate.

The vendor of the e-mail product might claim that its product is “HIPAA compliant,” but under the Security Rule, a deluxe encryption solution for the health system’s various IT systems probably makes more sense.

In all cases, it is important for the entity to document why it believes that a selected encryption product is appropriate for its operations.

Conclusion

The takeaway is that HIPAA compliance takes real work. While the idea of buying compliance might be attractive, HIPAA requires covered entities and business associates to look inward and conduct a thorough analysis of their operations.

Do not be misled by thinking that HIPAA compliance can be achieved by entering credit card information and pushing a button.

If you would like more information about HIPAA compliance, please contact Casey Moriarty.

You’ve Been Sued: 4 Non-HIPAA Claims in Data Breach Cases

“There is no private right of action under HIPAA.” This oft-repeated rule is a source of comfort for many health care entities.

Of course, patients can file complaints with the Office for Civil Rights or State Attorneys General, but a “HIPAA cause of action” does not exist.

So what is the basis for the many different class action lawsuits against health care entities that have been hit with data breaches? The recent class action lawsuit filed against Premera sheds some light on strategies of class action attorneys.

The Complaint alleges seven different causes of action. This article will focus on four of the claims.

The Four Causes of Action in the Premera Complaint

  • Negligence: The first cause of action is negligence. To establish a claim for negligence, the plaintiff must show that an entity: (1) had a duty to the plaintiff, (2) the entity breached the duty, (3) the plaintiff suffered damages, and (4) the entity’s acts caused the damage.

    The Complaint states that Premera had a “duty” to keep the plaintiffs’ personal information secure as the provider of health coverage to the plaintiffs. Premera allegedly breached this duty by failing to secure its IT systems, and this failure directly caused the plaintiffs’ damages related to improper disclosure of health information.

  • Bailment: The second cause of action is bailment. A “bailment” arises when personal property is delivered to another for some particular purpose with an express or implied contract to redeliver it when the purpose has been fulfilled.

    In other words, “I’m giving you my stuff with the expectation that I’ll get it back in the same condition.”

    The Complaint alleges that the plaintiffs provided Premera with their personal information with the understanding that Premera would adequately safeguard it.  Premera breached its bailment by failing to protect the information which resulted in the data breach.

  • Breach of Contract: The third cause of action is breach of contract. My first question concerning this claim is: “Did Premera actually state in its beneficiary agreements that it would keep all data secure?”

    Based on the allegations in the Complaint, the answer appears to be no.

    However, the Complaint alleges that Premera’s Notice of Privacy Practices (NPP) states that Premera must take measures to protect each beneficiary’s health information. Whether or not an NPP is actually a contract between a covered entity and individuals, this allegation should motivate health care entities to be careful in drafting their NPPs.

  • Washington State Data Breach Claim: In emphasizing the “no private right of action under HIPAA” mantra, many entities fail to understand state laws concerning data breaches.

    In the Complaint, the plaintiffs allege that Premera violated the Washington State data breach notification requirements of RCW 19.255.010. Unlike HIPAA, affected individuals may bring claims for violations of this statute.

    Among the requirements of RCW 19.255.010 is to disclose data breaches in the most “expedient” time possible and without “unreasonable delay.” The Complaint alleges that Premera took far too long to notify beneficiaries of the data breach.

Conclusion

In light of these claims (and others) in the Premera breach complaint, the warning for health care entities is clear: You can be sued by your customers for data breaches.

Although HIPAA may not provide for a private right of action, there are many other ways for plaintiffs to recover compensation for the failure to keep health information secure.

For more information about data breaches, please contact Casey Moriarty.

Premera Breach: Is HIPAA Compliance Enough?

Many health care businesses assume that HIPAA compliance guarantees protection from data breaches. Unfortunately, this is not a correct assumption.

The health insurance company Premera Blue Cross recently announced that it was the target of a sophisticated cyber attack. It is estimated that the personal information of eleven million individuals may have been accessed by hackers.

In the days following the breach, the Seattle Times ran an article about an audit conducted by the federal Office of Personnel Management (OPM) and Office of Inspector General (OIG) on Premera’s operations prior to the breach.

Due to the health insurance coverage that Premera provides to federal employees, OPM and OIG had the right to audit Premera’s systems to ensure the security of the employees’ personal information. According to the Seattle Times article, the federal agencies warned Premera of potential vulnerabilities with its information technology security prior to the breach.

What Did OPM and OIG Actually Find?

After reading the article, I assumed that the federal agencies found massive problems with Premera’s HIPAA security compliance. Clearly, Premera would not have suffered the breach if it had complied with the HIPAA Security Rule, right?

Nope.

Page ii of the audit states the following:

Health Insurance Portability and Accountability Act (HIPAA)

Nothing came to our attention that caused us to believe that Premera is not in compliance with the HIPAA security, privacy, and national provider identifier regulations.

Instead, the security issues that the OPM and OIG found with Premera’s system appear to have involved safeguards beyond the HIPAA baseline, including:

  • Lack of piggybacking prevention (a physical access control that stops an unauthorized person from following an authorized person through a secured door); and
  • Although Premera had a “thorough incident response and network security program,” it needed a better methodology for applying software patches, updates, and server configurations. Note that failing to appropriately patch software can lead to serious HIPAA violations, including OCR investigations and settlements. For more information about patching and HIPAA please read: “Failure To Patch Software Leads to $150,000 Settlement“.

Upon review of the audit report, it appears that Premera did have fairly robust security safeguards. For example, although it did not have the physical access control of piggybacking prevention, it had installed a multi-factor authentication key pad for each staff member.

The OPM and OIG certainly found issues with Premera’s security procedures, but the report repeatedly makes it clear that Premera:

  • Had adequate HIPAA privacy and security policy and procedures;
  • Updated its HIPAA policies annually and when necessary; and
  • Required employees to complete HIPAA compliance training each year.

HIPAA Compliance May Not Be Enough

The unfortunate takeaway from Premera’s data breach is that HIPAA compliance may not be enough to ensure security from attacks carried out by sophisticated hackers.

Although a covered entity’s security policies and procedures may technically comply with the HIPAA Security Rule, it is still critical to go further and address any known vulnerabilities that HIPAA may not even require to be addressed.

Contact Casey Moriarty for more information about HIPAA compliance.

CMS Announces Intent to Modify Meaningful Use

CMS announced today its intent to make significant changes to the EHR Incentive Program beginning in 2015. The proposed changes, though not yet codified in a proposed rule, include a much desired easing of the program requirements in 2015. They include:

  1. Aligning hospital EHR reporting periods to the calendar year (rather than the fiscal year) to allow hospitals to have more time to incorporate 2014 CEHRT into their workflows;
  2. Shortening the EHR reporting period in 2015 to 90 days to accommodate these changes; and
  3. Adjusting other portions of the program to “match long-term goals, reduce complexity, and lessen providers’ reporting burdens.”

These new rules are expected this spring. CMS clarified in its announcement that these proposed modifications will not be forthcoming in the Stage 3 proposed rule, which is expected to be released in early March. CMS also indicated that it proposes to limit the scope of the Stage 3 proposed rule to criteria for meaningful use in 2017 and beyond.

To learn more about meaningful use and the EHR Incentive Program contact Elana Zana.

Failure to Patch Software Leads to $150K HIPAA Settlement

Anchorage Community Mental Health Services, Inc. (“ACMHS”), a nonprofit mental health provider in Alaska, has agreed to a $150,000 HIPAA settlement and a two-year Corrective Action Plan with HHS following a breach of 2,743 patient records due to malware. According to the HHS press release:

OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.

According to the Resolution Agreement, OCR uncovered the following HIPAA violations:

  • ACMHS failed to conduct an accurate and thorough risk assessment.
  • ACMHS did not implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI.
  • ACMHS’ security infrastructure did not appropriately guard against unauthorized access to ePHI that is transmitted over an electronic communications network. Specifically, HHS noted that ACMHS failed to “ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.”

In addition to the $150,000 HIPAA settlement, ACMHS will be under HHS’ microscope for the next two years. The Corrective Action Plan requires ACMHS to implement the following changes:

  • Draft and adopt updated Security Policies and Procedures and submit them to HHS within 60 days.
  • Distribute new Security Policies and Procedures to all workforce members and require the workforce members to sign a compliance certification.
  • Provide training on security awareness to all workforce members and annual training thereafter.
  • Perform an accurate and thorough risk assessment.
  • Inform HHS if a workforce member fails to adhere to the Security Policies and Procedures.
  • Provide annual reports to HHS.

ACMHS’ settlement provides three key takeaways for covered entities and business associates:

1) Patch & Update. Like Community Health Systems, which reported a breach of 4.5 million patient records due to Chinese hackers targeting a Heartbleed vulnerability, ACMHS is finding out the hard way the importance of software patching and updating. Staying up to date on security patches and software updates is not an easy task, but it is an important one considering that hackers are actively exploiting unpatched vulnerabilities.

2) Tailor the Security Policies and Procedures. Simply having in place template Security Rule policies and procedures is insufficient to satisfy the requirements of the HIPAA Security Rule and to ultimately secure ePHI. HIPAA Security policies need to be tailored to the actual information security infrastructure in place at the covered entity/business associate. The Security Rule permits flexibility when choosing which tools to deploy to protect ePHI, but requires that the covered entity/business associate actually evaluate its infrastructure to make these decisions.

3) Security Risk Analysis. Further, once the Security Policies and Procedures are in place they need to be evaluated, and the actual system needs to undergo a security risk assessment (suggestion: do this at least annually). The process of drafting the Security Policies and Procedures, together with the security risk assessment, will aid covered entities/business associates in identifying vulnerabilities, evaluating security options, and ultimately safeguarding their ePHI. HHS has created a security risk assessment tool to help covered entities (it is not really business associate focused) evaluate their security compliance.

For more information about the HIPAA Security Rule or if you need assistance in creating your HIPAA Security Policies and Procedures please contact Elana Zana.

Patient Engagement and Meaningful Use

I am very excited this week to present with my colleague Dave Schoolcraft at MGMA in Las Vegas. We have two presentations on Tuesday, the first at 10:15 entitled the Legal Aspects of Meeting Patient Engagement, the second at 2:45 entitled Double Dipping for EHR Funding.

Vegas is all about the money, and Double Dipping for EHR Funding will focus on how physician practices can still obtain money for Electronic Health Record systems. The presentation will focus on Stark/Anti-Kickback Donation Arrangements and Meaningful Use dollars. If you are looking to upgrade to 2014 CEHRT this is a presentation you don’t want to miss. Prior to joining our presentation, I suggest reading two articles we published earlier in the year: Understanding Stark/Anti-Kickback Compliant EHR Donation Arrangements and Key Lessons Related to Stark Compliant EHR Donation Arrangements.

As for Legal Aspects of Meeting Patient Engagement – this presentation focuses both on HIPAA Compliance and Meaningful Use. Stage 2 Meaningful Use includes five patient engagement related objectives, and this time CMS means business. Two of these five objectives include measures requiring that at least 5% of patients take an action. These measures make the implementation and use of patient portals essential, as portals are a key means of communication with patients and are an appropriate mechanism for each of these Meaningful Use objectives.

The relevant patient engagement Meaningful Use objectives I am referring to here include:

I have added links to the CMS Eligible Professional Specification Sheets for Stage 2 above because I find them very helpful in deciphering what each of these measures requires. Meeting these requirements is not a walk in the park, and my clients have expressed difficulty getting patients to send secure messages or log in to a portal. Often the CEHRT itself makes these tasks quite difficult. Patient engagement is core to growing a practice, especially as patients begin to pay for their healthcare and start to demand physician interaction via e-mail and other technologies.

If you are interested in learning more about these patient engagement requirements in Meaningful Use stop on by our presentation, or contact me directly.


Meaningful Use Hardship Exception Deadline Extended to November 30, 2014

Still not able to meet meaningful use this year? CMS recently announced that it has reopened submission and extended the deadline for eligible professionals and eligible hospitals to submit a hardship exception application for not demonstrating “Meaningful Use” of Certified Electronic Health Record Technology (CEHRT). The CMS hardship application can be found here.

Under the HITECH Act, eligible hospitals, critical access hospitals, and eligible professionals had to demonstrate “meaningful use” of a CEHRT, or face reductions in their Medicare payment. Under certain circumstances, the Secretary of Health and Human Services has discretion to consider hardship exceptions on a case-by-case basis to avoid payment penalties, including issues related to difficulties with vendors obtaining certification.

The original hardship exception application deadlines of April 1, 2014 (for eligible hospitals) and July 1, 2014 (for eligible professionals) were extended to November 30, 2014.

According to CMS, the reopened hardship exception application submission period applies to eligible professionals and eligible hospitals that:

  • Have been unable to fully implement 2014 Edition CEHRT due to delays in 2014 Edition CEHRT availability; AND
  • Eligible professionals who were unable to attest by October 1, 2014, and eligible hospitals that were unable to attest by July 1, 2014, using the flexibility options provided in the CMS 2014 CEHRT Flexibility Rule.

For more information about the EHR Incentive Programs and meaningful use please contact Elana Zana.

Meaningful Use Audit Outcomes – Guest Blog Post

October brings a flurry of Meaningful Use attestations, and this October is no different. Eligible Hospitals finished up their attestation and are wrapping up the 2014 year; Eligible Professionals are checking their numbers and gearing up for their last run at achieving Meaningful Use before the end of the year. Lingering in the background is ensuring that you have maintained documentation sufficient to meet the auditor’s standards.

Our guest blog post author, Steve Spearman from Health Security Solutions, researched the CMS audit results, and for hospitals the results are not too bad – but the same can’t be said for Eligible Professionals.  Here are the highlights:

Prepayment Audits for Eligible Professionals: 21.5% failed the audit.

Post-Payment Audits for Eligible Professionals:  24% failed the audit.

Post-Payment Audits for Hospitals: 4.7% failed the audit.

Steve’s blog article provides a deep dive into the audit results and the reasons for failure for both Eligible Professionals and hospitals. To read his terrific blog article click here. If you are interested in learning more about the audit statistics click here for Jim Tate’s blog article as well.

More audits are coming and making sure that you have double checked your numbers before attesting and performed your security risk analysis, including an implementation plan and completion dates, is necessary.  For assistance in preparing for audits or if you recently received an audit please contact Elana Zana.


Meaningful Use Attestation in 2014 – Picture Update

CMS and the Office of the National Coordinator (ONC) recently announced modifications to the meaningful use attestation requirements for 2014. Following significant lobbying from EHR vendors, eligible professionals (EPs), and hospitals, CMS issued a brief reprieve to meeting Stage 2 meaningful use in 2014 – for some lucky participants. Recognizing that EPs and hospitals may still be using 2011 certified EHR technology (CEHRT) or a mixture of 2011 and 2014 CEHRT, CMS created a chart of decision points meant to enable flexibility for EPs and hospitals alike. These options also accommodate EPs and hospitals that have upgraded to the 2014 CEHRT but are still unable to meet the Stage 2 requirements within the mandatory timetables.

However, this flexibility comes with a caveat: EPs and hospitals must explain that their failure to meet Stage 2 in 2014 as scheduled is because they could not “fully implement 2014 Edition CEHRT for the EHR reporting period in 2014 due to delays in 2014 Edition CEHRT availability.” So who is allowed to claim this exception? Though CMS does not provide an exhaustive list of examples, its published comments in the final rule provide some insights and helpful explanations.

Below are maps of decision points and examples of acceptable and unacceptable justifications for not meeting an EP’s scheduled meaningful use stage in 2014, whether it be the 2014 Stage 1 or Stage 2 objectives and measures. Any EPs or hospitals that attest for a different stage than what they were scheduled for must be prepared to defend this decision in an audit, understanding that each case will be evaluated individually; this defense should therefore be very well documented.

[Graphics: Meaningful Use decision maps for first- or second-year participants and for third- or fourth-year participants]

Michelle Holmes, consultant with ECG Management Consultants co-authored this post.