Meaningful Use Exception Includes EHR Vendor Delays

Following its announcement at HIMSS, CMS has published its hardship exception application for 2014 along with its new exception due to vendor delays.  The new exception permits eligible hospitals and eligible professionals to request an exception from the 2015/2016 payment adjustments due to 2014 EHR Vendor Issues.  Specifically, CMS now permits an exception due to the inability of the vendor to obtain 2014 certification or if the hospital or EP was unable to implement meaningful use due to 2014 EHR certification delays.  Along with filling out the EP or Hospital exception forms, those requesting the exception must submit a notification from the EHR vendor.

For EPs and hospitals who are demonstrating meaningful use for the first time, they may apply for this hardship exception to avoid the 2015 payment adjustments.  For those EPs and hospitals who have previously demonstrated meaningful use, they may use this hardship exception to avoid 2016 payment adjustments.

For hospitals, the hardship exception request for 2015 payment adjustments is due April 1, 2014.  For eligible professionals, the hardship exception request for 2015 payment adjustments is due July 1, 2014.  However, for those EPs that have not previously participated in the Medicare EHR Incentive Program they can submit attestation by October 1, 2014 and also avoid the payment adjustments.  CMS has also issued guidance for applying for the EHR Vendor hardship exception for EPs and hospitals.

For more information about the Medicare or Medicaid EHR Incentive Program or applying for these hardship exceptions please contact Elana Zana.

2014 OIG Work Plan Contains New Priorities Specific to Hospitals

The Department of Health and Human Services, Office of the Inspector General (OIG) recently released its Fiscal Year (FY) 2014 Work Plan.  The Plan contains new priorities specific to Hospitals in areas related to Policies and Practices, Billing and Payments, and Quality of Care and Safety.  For a complete copy of the OIG 2014 Work Plan, please click here.

The OIG Work Plan provides a description of what the OIG will be focusing on in the coming year, giving providers insight into identifying corporate compliance risk areas and providing focus for ongoing efforts relating to compliance program activities, audits, and policy development.  Some of the hospital-specific priority areas identified as ‘New’ include the following:

A.      Policies and Practices

  1.  2 Midnight Rule: As of FY 2014, physicians should admit inpatients where they expect the patient’s care to last at least 2 nights in the hospital.  This modification is due to the OIG’s previous findings of over payments for inpatient stays, inappropriate billings and inconsistent billing practices.  OIG plans to review the impact of this new admission criteria and how billing varies among hospitals.
  2. Defective Medical Devices: OIG will review the increased costs to Medicare resulting from additional services necessitated by the use of defective medical devices.
  3. Comparison of Provider-Based and Free-Standing Clinics:  OIG will compare the payments made in provider-based settings and free-standing clinics with respect to similar procedures to determine the potential impact to the Medicare program for hospitals claiming provider-based status, and presumably, whether providers claiming provider-based status meet the criteria in 42 CFR § 413.65(d).

B.      Billing and Payments

  1.  Outpatient Evaluation and Management Services:  OIG will review payments made for outpatient E/M services to determine if they were appropriately billed as “new” or “established.”  Patients are generally considered “new” unless they were seen as a registered inpatient or outpatient within the past 3 years.
  2. Cardiac Catheterization and Heart Biopsies:  Billings for right heart catheterizations will be reviewed to determine if they were appropriately billed separate and apart from billings for heart biopsies.
  3. Payments for Patients Diagnosed with Kwashiorkor:  Due to the high level of reimbursement, billings for Kwashiorkor will be reviewed to determine whether diagnoses are supported by the medical record.
  4. Bone Marrow or Stem Cell Transplants: OIG will review procedure and diagnosis codes to determine the appropriateness of bone marrow and stem cell transplantation.

C.      Quality of Care and Safety

  1. Pharmaceutical Compounding:  In light of a recent meningitis outbreak resulting from contaminated injections of compounded drugs, OIG will review the oversight and accreditation assessment of pharmaceutical compounding in Medicare-participating acute care hospitals.
  2. Review of Hospital Privileging:  OIG will review how hospitals consider medical staff candidates prior to granting initial privileges, verification of credentials, and review of the National Practitioner Databank.

For additional information regarding the 2014 OIG Workplan or hospital/corporate compliance please contact Adam Snyder.

 

 

Understanding Stark/Anti-Kickback Compliant EHR Donation Arrangements

In 2006 and extended in December 2013, CMS issued Stark and Anti-Kickback exceptions/safe harbors permitting EHR technology donation arrangements between hospitals (and other organizations) and physician groups.  This exception permitted hospitals to aid physician groups, who may be referral sources, in acquiring and implementing EHR and other health information technology.  Originally, hospitals had a seven-year window in which to engage in these donation arrangements, though in December 2013 CMS extended the donation arrangements for an additional 7 years through December 31, 2021.

The arrangement may include the non-monetary donation of “items or services in the form of software or information technology and training services.”  Key components of the exception/safe harbor include:

  • The donation is provided from an entity to a physician.
    • Change in 2013 rules, this entity cannot be a lab.
  • The software is interoperable
    • Change in  2013 rules, software is deemed interoperable if it has been certified as “certified EHR technology” as that term is used by the ONC for the meaningful use/EHR Incentive Program.
  • Donor cannot restrict or limit the use or interoperability of the technology with other eRx or EHR systems.
    • Change in 2013 rules, CMS interprets this rule more broadly by providing a non-exclusive list of the types of technologies that are included in this restriction: “health information technology applications, products, or services.”
  • Physician must pay at least 15% of the costs for the technology (which amount cannot be financed by the hospital).
  • Neither the physician nor the physician’s practice makes the receipt of the technology a condition of doing business with the donor.
  • Neither eligibility of the physician nor the amount or nature of the donation is determined in a manner that takes into account the volume or value of referrals or other business generated between the parties.
  • The donation is set forth in writing, signed by the parties, specifies the items to be provided, the donor’s costs and the physician’s contribution, and covers all EHR items and services to be provided by the donor.
  • The donor cannot have knowledge of or disregard the fact that the physician already possesses equivalent items or services.
  • The donor cannot restrict or limit the physician’s right to use the software for any patient.
  • The donation cannot include staffing of physician offices and cannot be used to primarily conduct personal business or business unrelated to the physician’s medical practice.
    • Note the donation may also include other “software and functionality directly related to the care and treatment of individual patients (for example, patient administration, scheduling functions, billing, clinical support software, etc.” (71 FR 45152).
  • The donation arrangement does not violate the Anti-Kickback statute.
  • The exception expires December 31, 2021.

Beyond crafting a donation arrangement that satisfies both the Stark law exception and Anti-Kickback safe harbor, hospitals and physicians should assess overall technology alignment strategies and the goals and framework for such donation arrangements.  Making sure that clear expectations are set in advance, including understanding implementation, roll out and support, data ownership and extraction, and utilizing the EHR technology for government incentive programs, such as meaningful use, are important topics that should be addressed by the arrangement.

For those interested in learning more about this topic and are currently attending HIMSS14, David Schoolcraft, attorney at Ogden Murphy Wallace, and Michelle Holmes, principal at ECG Management Consultants, are presenting on Wednesday at 10 AM on Using Stark/Anti-Kickback To Support Hospital/Physician IT Alignment Strategies.  For further information about designing a compliant arrangement please contact Elana Zana or Dave Schoolcraft.

 

DOH Issues New Hospital CN Rule & Transparency Requirements

Prior to the end of the year, and in compliance with Governor Inslee’s directive, the Washington Department of Health (DOH) issued new hospital Certificate of Need (CN) rules and transparency requirements for existing hospitals.

Effective January 23rd, hospitals wishing to affiliate with one another (or other types of corporate restructuring) will now have to undergo full CN review.  The new rules modify WAC 246-310-010 and adopt a broad definition of “sale, purchase, or lease” to include affiliations, corporate membership restructuring, “or any other transaction.”  DOH, in response to the over 1,000 public comments received on these new rules (including the transparency rules below) explained:

The purpose of this clarification is to focus on the outcome of these transactions to bring them within CoN review.  CoN evaluation includes review of the reduction or loss of services and the community’s access to alternatives if there is a reduction or loss.

In addition, DOH issued a modification to the hospital licensing requirements.  This modification now requires hospitals to submit to DOH and publish on their own websites (“readily accessible to the public”) the following policies related to access to care:  admission, nondiscrimination, end of life care, and reproductive health care.  Hospitals must comply with this requirement no later than March 24, 2014.  Hospitals that make changes to these policies must also notify DOH of those changes within thirty days.

Since the amendment to the hospital licensing rules require online access to hospitals’ nondiscrimination policies, now is an excellent time for hospitals to review nondiscrimination policies to be sure they are consistent with all applicable laws.  Hospitals are “places of accommodation” under local, state, and federal nondiscrimination laws, which vary by jurisdiction.  For example, federal law prohibits genetic discrimination, which is not covered by Washington state law; state law prohibits discrimination on the basis of marital status, sexual orientation, and gender expression or identity, which are not covered under federal law; and the City of Seattle prohibits discrimination on the basis of political ideology, which is not covered under state or federal law.  Hospital nondiscrimination policies should be tailored to cover all the jurisdictions in which you provide services.  For assistance with drafting a nondiscrimination policy please contact Karen Sutherland.

For more information about the access to care policies or certificate of need generally please contact Elana Zana.

 

 

Meaningful Use Audits – Security Risk Analysis

‘Tis the season for Meaningful Use, the time of year when eligible professionals (EPs) and eligible hospitals (EHs) compile their data from the meaningful use measures and prepare for attestation.  It is also the season of meaningful use audits.  A lesson learned from recent audits: CMS means what it says – EPs and EHs must conduct a security risk analysis.  This measure is not one to be taken lightly – it’s a HIPAA requirement, and CMS auditors are on the lookout for documentation (remember, all documentation must be retained for 6 years).

Regardless of whether EPs or EHs are attesting to Stage 1 or Stage 2, or the fact that they performed a security risk analysis last year, this objective and measure must be fulfilled each year:

 

Stage 1

Stage 2

Objective. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. Objective. Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in Certified EHR Technology in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP’s risk management process.

The HIPAA requirement for a Security Risk Analysis pursuant to 45 CFR 164.308(a)(1) is as follows:

“Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

CMS Meaningful Use audits have specifically called out this objective and measure and are requiring participants to prove that a Security Risk Analysis has actually occurred.  Though the HIPAA Security Officer should have conducted a security risk analysis for the entire practice/hospital, EPs and EHs should maintain a copy of this assessment with their meaningful use documentation and should review the assessment to make sure that the risk analysis complies with the meaningful use requirements (note: the Stage 2 requirements are significantly broader).

Below is the audit question that was sent to some Stage 1 EPs:

“Provide proof that a security risk analysis of Certified EHR Technology was performed prior to the end of the reporting period (i.e. report which documents the procedures performed during the analysis and the results of the analysis).  If deficiencies are identified in this analysis, please supply the implementation plan; this plan should include the completion dates.”

Note that the audit request indicates that further documentation is needed to satisfy the auditors.  EPs must show the implementation plan and the completion dates.  As per the measure itself, the requirement is not merely to conduct a security risk analysis, but the EPs and EHs must implement security updates and correct security deficiencies.  EPs and EHs should document these steps as well in order to appropriately respond to an audit request.

CMS has recently issued a new tip sheet to assist EPs and EHs in fulfilling the security risk analysis requirement.  In addition ONC has published guidance on HIPAA Security Risk Analysis requirements.  The CMS tip sheet includes some common myths surrounding risk analysis such as:

  • “I only need to do a risk analysis once.”

False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.

  • “My EHR vendor took care of everything I need to do about privacy and security.”

False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

  • “The security risk analysis is optional for small providers.”

False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

  • “Simply installing a certified EHR fulfills the security risk analysis MU requirement.”

False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Responding to a Meaningful Use audit can be time consuming and very detailed oriented — thus, maintaining the appropriate documentation is essential.  For assistance with Meaningful Use or HIPAA security risk assessments, please contact Elana Zana.

Joint Commission Standards for Boarding and Leadership Collaboration with Behavioral Health Community

Effective January 1, 2014, hospitals, accredited by the Joint Commission, will be required to meet the elements of performance (EPs) related to boarding and leadership collaboration for behavioral health patients, as part of The Joint Commission’s revised standard for managing the flow of patients through the emergency department. Overcrowding and patient boarding in the emergency department has drawn considerable attention recently (see e.g., Seattle Times article on psychiatric boarding), and The Joint Commission recognizes that the problems with patient flow may have multiple factors and stem from other areas within and outside the hospital, not just the emergency department.

Under Leadership Standard LD.04.03.11 or the “Patient Flow” Standard, the following EPs will go into effect for hospitals starting next year:

  • EP 6. The hospital measures and sets goals for mitigating and managing the boarding of patients who come through the emergency department. Note: Boarding is the practice of holding patients in the emergency department or another temporary location after the decision to admit or transfer has been made. The hospital should set its goals with attention to patient acuity and best practice; it is recommended that boarding time frames not exceed 4 hours in the interest of patient safety and quality of care.
  • EP 9. When the hospital determines that it has a population at risk for boarding due to behavioral health emergencies, hospital leaders communicate with behavioral health care providers and/or authorities serving the community to foster coordination of care for this population.

The Joint Commission notes that the four-hour time frame referenced in EP 6 serves as a guideline (not a requirement) to help the hospital set a reasonable goal for its institution. Also, the goal of EP 9 is to “facilitate the more efficient use of limited resources, and build leverage to implement more effective systems of care for individuals at risk of psychiatric emergencies.” Though the communication required in EP 9 will vary depending on the nature of the relationship, The Joint Commission advises that “such communication should occur at least annually and may range from conference calls and correspondence to meetings, education forums, and strategic working groups.”

EP 6 and EP 9 are in addition to the revised EPs that went into effect at the beginning of this year on January 1, 2013.  The other revisions address: the use of data and measures to identify, mitigate and manage issues affecting patient flow; the management of emergency department throughput as a system-wide issue; and the environment of care, staffing, assessment, reassessment and care for patients with behavioral health emergencies.

To help organizations implement these requirements, The Joint Commission released an “R3 Report on Patient Flow through the Emergency Department” that provides the requirement, rationale and references for the updated standards.  If you have questions about these accreditation standards, please contact Don Black or Jefferson Lin.

Public Hospital Districts Offering Maternity Services Must Offer Abortion Services

A recent Washington Attorney General Opinion concludes that a public hospital district may not administer or fund programs to provide maternity care benefits or services without making provision for abortion services, benefits, and information.  The Opinion primarily relies on RCW 9.02.100 and RCW 9.02.160 which respectively provide in part:

The sovereign people hereby declare that every individual possesses a fundamental right of privacy with respect to personal reproductive decisions.

Accordingly, it is the public policy of the state of Washington that:

(1) Every individual has a fundamental right to choose or refuse birth control;

(2) Every woman has the fundamental right to choose or refuse to have an abortion (subject to legislative limitations)

If the state provides, directly or by contract, maternity care benefits, services, or information to women through any program administered or funded in whole or in part by the state, the state shall also provide women otherwise eligible for any such program with substantially equivalent benefits, services, or information to permit them to voluntarily terminate their pregnancies.

The Opinion emphasizes that no Washington public hospital district is required to provide maternity care benefits, services, or information.  However, it endorses a broad interpretation of these benefits to include a large range of prenatal, childbirth, and postpartum services and information.  It also concludes that a public hospital district provides maternity care benefits if it financially subsidizes a healthcare provider that provides these benefits.

Accordingly, the Opinion concludes that if a public hospital district contracts for the provision of maternity care benefits and subsidizes this through the use of public funds it must provide the substantially equivalent benefits, services and information required by RCW 9.02.160.  The Opinion expresses no opinion on how public hospital districts might comply with these requirements or what might constitute substantially equivalent benefits, services and information.

For more information about this Opinion or hospital compliance requirements please contact Greg Montgomery.

SRDP Settlement: Improper EHR Donation Arrangement Among Violations

Last month CMS settled several violations of the self-referral statute (aka Stark Law) with an Ohio hospital, including a failure to appropriately structure a donation arrangement for electronic health records (EHR) .  The hospital disclosed under the Self-Referral Disclosure Protocol that it may have violated the Stark Law with regard to several arrangements with certain physicians, including arrangements for EKG interpretations, medical director services, Vice-Chief of Staff services, and hospital services (no specifics provided in CMS release).  The settlement was for $265,565.  The SRDP, which was included in the ACA, was created as a mechanism for providers to self-report potential Stark law violations.

The EHR donation arrangement to the Stark and Anti-Kickback laws permits hospitals to enter into certain arrangements with physicians for the donation of EHR related software and services.  The donation arrangement exception is scheduled to expire on December 31, 2013, however CMS has proposed extending the exception through 2016.  If CMS does not extend the exception, existing donation arrangements will have to convert to fair market value for shared technology and services.

If you have questions regarding the SRDP or structuring a EHR donation arrangement please contact Elana Zana.

Hospital Medical Staff Lacks Capacity To Sue – Medical Staff Bylaws Are Not a Contract

The Minnesota Court of Appeals recently issued a decision that, in Minnesota, hospital medical staffs do not have capacity to sue as unincorporated associations.  In addition, the Court concluded that, at least in this case, medical staff bylaws do not constitute a contract between members of the medical staff and the hospital.

With respect to the issue of whether the medical staff bylaws create a contract between members of the medical staff and the hospital, the court focused on two points: (1) repeated reference in the medical staff bylaws to the right of the hospital board to approve, amend, and/or repeal the medical staff bylaws, and; (2) Minnesota rules that require hospitals to have medical staff bylaws approved by the governing body.  On this second point, the decision relies on a series of decisions from other jurisdiction holding medical staff bylaws not to create a contract for lack of consideration due to the existence of state laws requiring such bylaws.

The court relied on prior Minnesota court decisions for its conclusion that the medical staff could not sue as an unincorporated association.

These two issues are regularly litigated in courts around the country and there is hardly unanimity in the decisions.  This decision contains a very useful collection of cases going both ways on the issues and the legal theories relied on for the differing conclusions.  For questions concerning this case or related hospital medical staff issues please contact Greg Montgomery.

Washington Certificate of Need Program Commences Rule Making: Consumer Transparency in Affiliations & Dialysis

The Washington State Certificate of Need Program has announced its commencement of the rule-making process related to hospitals and dialysis.  This action is in response to the directive issued last month by Governor Inslee instructing the CN Program to expedite rule making related to the corporate restructuring, affiliations, acquisitions and mergers occurring in hospitals across the state.  His directive requires that:

The Certificate of Need process should be applied based on the effect that these transactions have on the accessibility of health services, cost containment, and quality, rather than on the terminology used in describing the transactions or the representations made in the preliminary documents.

The Department’s rulemaking process shall also consider ways to improve transparency for consumer information and ease of use, specifically the Department shall ensure hospitals supply non-discrimination, end of life care and reproductive health care policies; and the Department shall ensure that consumers have access to the policies on its webpage. The Department’s rulemaking process shall also consider the factors in RCW 43.06.155, the principles and policies in the implementation of health reform, including the guarantee of choice for patients.

In response to this directive, the CN Program has released concept rules to implement the directive.  These concept rules contain two significant modifications:

1.  A new defined term in WAC 246-310-010: “Sale, purchase, or lease” means any transaction in which the control, directly or indirectly, of part or all of any existing hospital changes to a different person, including but not limited to by contract, affiliation, corporate membership restructuring, or any other transaction.

This change is significant, as the “sale, purchase, or lease” of all or part of an existing hospital is subject to the CN rules and review.  The new definition expands the applicability of the CN rules and review.  Whereas previously affiliations were typically reviewed under Determinations of Reviewability, the expanded definition would subject such transactions to CN approval.

2.  A new section which collects hospital policies, maintains the policies and list of limitations on certain services online, and requires all hospitals to submit these policies and lists within 60 days of the effective date of the new rule.  The proposed new section is reproduced below:

New Section WAC 246-310-XXX Collection of Hospital Policies

1) Every hospital must submit to the department its following policies related to access to care:

a) Admission;

b) Non-discrimination;

c) End of life care; and

d) Reproductive health care.

2) If the effect of one or more of a hospital’s policies required under subsection (1) of this section limits or excludes access to services authorized by law, the hospital must submit to the department a list of services that are limited or not available at the facility.

3) The department shall post a copy of the policies received under subsection (1) of this section and lists received under subsection (2) of this section on its website.

4) If the hospital makes changes to any of the policies listed under subsection (1) of this section, it must submit a copy of the changed policy to the department within thirty days after the hospital approves of the changes.

5) No later than sixty days following the effective date of this rule each hospital must submit to the department the documents identified under subsections (1) and (2) of this section.

These proposed rules will have an impact on future transactions and existing hospitals.  The proposed revisions will be discussed at an August 5th workshop located at the Department of Health.

If you would like further information about these proposed rules or certificate of need in general please contact Elana Zana.