CMS Issues 3 FAQs on Stage 2 Rules and the Medicaid EHR Incentive Program

CMS has responded to several questions following the issuance of its Stage 2 Meaningful Use Final Rule.  Along with publishing new meaningful use guidelines, the Final Rule adds new provisions regarding the calculation of patient volume for Medicaid providers.  CMS has recently published these new FAQs, some of which take effect immediately, while others will start in 2013, giving the states some time to update their guidance.  These new rules will affect all eligible professionals, regardless of their stage in participation in meaningful use.  To see additional FAQs click here.

Medicaid changes to patient volume calculations 

Q: The EHR Incentive Programs Stage 1 Rule stated that, in order for a Medicaid encounter to count towards the patient volume of an eligible provider, Medicaid had to either pay for all or part of the service, or pay all or part of the premium, deductible or coinsurance for that encounter.  The Stage 2 Rule now states that the Medicaid encounter can be counted towards patient volume if the patient is enrolled in the state’s Medicaid program (either through the state’s fee-for-service programs or the state’s Medicaid managed care programs) at the time of service without the requirement of Medicaid payment liability. How will this change affect patient volume calculations for Medicaid eligible providers?  

A: Importantly, this change affecting the Medicaid patient volume calculation is applicable to all eligible providers, regardless of the stage of the Medicaid EHR Incentive Program they are participating in. Billable services provided by an eligible provider to a patient enrolled in Medicaid would count toward meeting the minimum Medicaid patient volume thresholds.  Examples of Medicaid encounters under this expanded definition that could be newly eligible might include: behavioral health services, HIV/AIDS treatment, or other services that might not be billed to Medicaid/managed care for privacy reasons, but where the provider has a mechanism to verify eligibility.  Also, services to a Medicaid-enrolled patient that might not have been reimbursed by Medicaid (or a Medicaid managed care organization) may now be included in the Medicaid patient volume calculation (e.g., oral health services, immunization, vaccination and women’s health services, telemedicine/telehealth, etc.).

Providers who are not currently enrolled with their state Medicaid agency who might be newly eligible for the incentive payments due to these changes should note that they are not necessarily required to fully enroll with Medicaid in order to receive the payment.

In some instances, it may now be appropriate to include services denied by Medicaid in calculating patient volume.  It will be appropriate to review denial reasons.  If Medicaid denied the service for timely filing or because another payer’s payment exceeded the potential Medicaid payment, it would be appropriate to include that encounter in the calculation.  If Medicaid denied payment for the service because the beneficiary has exceeded service limits established by the Medicaid program, it would be appropriate to include that encounter in the calculation.  If Medicaid denied the service because the patient was ineligible for Medicaid at the time of service, it would not be appropriate to include that encounter in the calculation.

Further guidance regarding this change will be distributed to the states as appropriate.

CHIP patients eligible to be included in Medicaid patient volume totals
Q: The Stage 2 Rule describes changes to how a state considers CHIP patients in the Medicaid patient volume total when determining provider eligibility. Patients in which kinds of CHIP programs are now appropriate to be considered in the Medicaid patient volume total?  

A: States that have offered CHIP as part of a Medicaid expansion under Title 19 or Title 21 can include those patients in their provider’s Medicaid patient volume calculation as there is cost liability to the Medicaid program in either case (under the Stage 1 Rule, only CHIP programs created under a Medicaid expansion via Title 19 were eligible). Patients in standalone CHIP programs established under Title 21 are not to be considered part of the patient volume total (in Stage 1 or Stage 2). This change to the patient volume calculation is applicable to all eligible providers, regardless of the stage of the Medicaid EHR Incentive Program they are participating in.

Changes to the base year of the Medicaid EHR Incentive Program for hospital incentive payment calculation 
Q: Are there any changes to the base year for the Medicaid EHR Incentive Program hospital incentive payment calculation?

A: Yes. Previously Medicaid eligible hospitals calculated the base year using a 12 month period ending in the Federal fiscal year before the hospital’s fiscal year that serves as the first payment year.  In an effort to encourage timely participation in the program, §495.310(g)(1)(i)(B) of the Stage 2 Rule was amended to allow hospitals to use the most recent continuous 12 month period for which data are available prior to the payment year. This change went into effect upon publication of the Stage 2 Rule.  Only hospitals that begin participation in the program after the publication date of the Stage 2 Rule (i.e., program years 2013 and later) will be affected by this change.  Hospitals that began participation in the program prior to the Stage 2 Rule will not have to adjust previous calculations.

 

Stage 2 Meaningful Use Final Rules Announced

After much delay and anticipation, the Stage 2 Meaningful Use Final Rules were announced late last week.  Though the primary focus of the new rules were to update (and increase) the meaningful use objectives and measures for the Medicare and Medicaid EHR Incentive Program, significant additional components regarding the EHR Incentive Program were also included.  To read the 672 pages of the Final Rule click here.  CMS has also posted a fact sheet which provides a good high level summary of some of the main topics of the Final Rule.  In addition to the Meaningful Use final rules, the Office of the National Coordinator has released its new standards governing certified EHR technology and a fact sheet.  The National eHealth Collaborative hosted a helpful webinar with an overview of these new rules, which can be accessed here.

Stay tuned for further information and analysis of these new rules, including an update regarding 2014, batch reporting for groups, commencement of payment adjustments, Medicaid patient volume calculations, new meaningful use measures, and more.

For immediate assistance regarding these new rules or for information regarding Stage 1 Meaningful Use and the EHR Incentive Program generally please contact Elana Zana.

New Type of Breach – Hackers Encrypting PHI & Holding for Ransom

Typical breach scenarios often include a stolen laptop or other device and the extraction of medical records by those thieves.  Now a new type of breach has occurred, hackers breaking into systems and holding PHI for ransom.  Bloomberg recently reported a breach in which hackers burrowed into the computer network of a surgical practice in Illinois.  Rather than stealing the data and using it for identity theft purposes, the hackers encrypted the PHI and held it for ransom.  To read the full article click here.

This type of incident would most likely be considered a “breach” under the HITECH Act, requiring breach notification to the affected individuals, unless the NIST encryption standards were already employed providing a safe harbor.  However, other HIPAA requirements are also implicated including obligations under the Security Rule to have technical and physical safeguards, which may include building secure firewalls to prevent such hackers.      Along with maintaining a secure system, it is also advisable to back-up all PHI.

HIPAA Final Rule…Still Waiting

Though the HIPAA Final Rules were expected to be out before the end of the month, it seems that the end is not yet in sight.  Last week, the Office of Management and Budget (OMB) extended its review of the HIPAA Final Rules.  This review consisted of the HITECH updates, including the HIPAA Privacy and Security Rule, Enforcement and the Breach Notification Requirements.  It is unclear  how long the HIPAA Final Rules were extended, the OMB has the option of extending the final rule for thirty days or indefinitely.  Comments from HHS indicate that the HIPAA Final Rules should be out sometime this summer.  But for now, we must wait…

Access To Patient Data Even Without Knowledge of Illegality Can Still Lead to HIPAA Criminal Liability

On May 10, 2012, the Ninth Circuit heard United States v. Zhou, No. 10-50231 (9th Cir. May 10, 2012), and held that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) criminal misdemeanor provision, 42 U.S.C. § 1320d-6(a)(2), is not limited to defendants who knew their actions were illegal.

The case arose out of the following facts:  Huping Zhou was a licensed cardiothoracic surgeon in China who was employed in 2003 at University of California at Los Angeles Health System (UHS) as a researcher.  UHS later terminated his employment.  After his termination, Zhou accessed patient records of celebrities and co-workers on at least four separate occasions.  The U.S. Attorney’s Office for the Central District of California brought criminal charges for a misdemeanor violation of HIPAA’s prohibition of “knowingly” obtaining individually identifiable health information in violation of HIPAA.  Zhou filed a motion to dismiss on the grounds that he did not know it was illegal to obtain the health information and, therefore, did not act “knowingly.”  The magistrate judge dismissed Zhou’s motion, and Zhou then submitted a conditional guilty plea, reserving the right to appeal the dismissal.  The trial court sentenced Zhou to four months in prison, a $2,000 fine, and a $100 special assessment.

The Ninth Circuit rejected Zhou’s interpretation of the statute as applying only to defendants who knew obtaining the personal healthcare information was illegal.  Rather the court held that, “as used in the statute, the term ‘knowingly’ applies only to the act of obtaining the health information,” the appeals court said.  Thus, the statute did not require a defendant to have knowledge that his or her actions were illegal under HIPAA.

The court’s decision is significant because it sets a relatively low bar for criminal misdemeanor liability under HIPAA.  To access the case click here.

ONC Issues Guide on HIPAA Privacy and Security and Meaningful Use

ONC has recently released a new “Guide to Privacy and Security of Health Information” which incorporates tips on complying with HIPAA Privacy and Security as well as meeting related meaningful use measures.  The guide is designed for clinical providers and focuses on the following:

  • Privacy & Security and Meaningful Use
  • Security Risk Analysis and Management Tips
  • Working with EHR and Health IT Vendors
  • A Privacy & Security 10-Step Plan
  • Health IT Privacy and Security Resources

Specifically, with regard to Meaningful Use, the guide describes Meaningful Use measures 12 and 15:

#12. Provide patients with an electronic copy of their health information (including diag­nostics test results, problem
list, medication lists, medica­tion allergies) upon request.  To learn more about this measure click here.

#15. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.  To learn more about this measure click here.

If you have questions regarding HIPAA Privacy and Security or Meaningful Use please contact Elana Zana.

 

$100,000 HIPAA Settlement Due to Misuse of Online Calendar & More

The U.S. Department of Health and Human Services (HHS) has entered into another settlement for the violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this time with a small physician practice that violated HIPAA while using Internet-based calendar and email services.
Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay HHS a $100,000 settlement after it was reported that the physician practice violated HIPAA by posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.  The HHS Office for Civil Rights’ (OCR) investigation also revealed that Phoenix Cardiac Surgery violated HIPAA by emailing patient information from an Internet-based email account to workforce members’ Internet-based email accounts.
The OCR investigation also revealed the following issues:
• Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
• Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
• Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
• Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to patients’ electronic protected health information (ePHI).
Leon Rodriguez, director of OCR, said “This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules.  We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
This settlement highlights the need for all providers, regardless of their size, to understand the implications of the technology they use in their practices, to implement policies and procedures for HIPAA compliance, and to obtain business associate agreements where needed.
A press release and more information can be found on HHS’s website.

Washington State EHR Incentive Program Seminars

The Washington State Health Care Authority has announced a traveling seminar on calculating and registering for the Medicaid EHR Incentive Program.  The seminar is aimed at group registration and defining the group proxy methodology to calculate patient volume.

The seminars are as follows:

May 1: Wenatchee
May 3: Spokane
May 8: Yakima
May 16: Seattle
May 17: Mt. Vernon
May 22: Silverdale
May 24: Olympia

To register click here (the link will take you to the Seattle registration, scroll down on that page for other registration links).

 

CMS Releases Proposed Rule On Meaningful Use Stage 2

CMS announced today its proposed rule (NPRM) on Stage 2 of the EHR Incentive Program Meaningful Use requirements.  These requirements apply to both eligible professionals and hospitals participating in the Medicare and Medicaid EHR Incentive Program.  As previously announced, and proposed within this NPRM, the onset of the Stage 2 meaningful use requirements will not begin until 2014.

The Stage 2 requirements include greater applicability to specialists, changes to the clinical quality measures, and modifications to the core and menu measures.  CMS has issued a fact sheet that briefly summarizes the Stage 2 requirements.

The NPRM will be published in the Federal Register on March 7, 2012.

For questions regarding the Stage 2 proposed requirements or for assistance related to the Medicare or Medicaid EHR Incentive Program please contact Elana Zana.

EHR Contracting Tip: Attestation for AIU

Now that most states have their Medicaid EHR Incentive Program in full swing we have gotten a glimpse of what they are requiring for attesting to “adopt, implement and upgrade” aka “AIU”.  As described in the CMS rules themselves, practices need to show that they have some skin in the game and have actually invested in an EHR product.  Many states are asking that an EP (or group practice) upload the actual EHR software contract (or a redacted version).  Some states (such as California) are requesting a signed vendor statement in lieu of the full contract.  

If you are a practice in the process of negotiating an EHR contract, you may want to consider including a provision in the contract specific to the AIU attestation requirements of the state your practice is in.  For example, requiring in the contract itself that the software vendor execute any documents required by the state to attest to AIU or that the vendor provide a letter acknowledging the practice’s EHR license (if such a letter is acceptable in your state). Similar provisions are recommended in situations where the practice is involved with a Stark donation arrangement or other type of third party contract. 

Setting expectations up front and creating a contractual obligation will help ensure that the software vendor or other third party contractor does not stand in the way of your practice receiving EHR incentive dollars.

For assistance in drafting and negotiating EHR software contracts or the Medicaid EHR Incentive Program in general please contact Elana Zana or Dave Schoolcraft.