Complementary rules may extend electronic health record (EHR) safe harbor for an additional three years to encourage adoption. The proposed rules, one from the Centers for Medicare & Medicaid Service (CMS) and another from the Office of Inspector General (OIG) extend the 2006 rules relaxing federal Stark and anti-kickback laws from December 2013 to December 2016.
The 2006 rules waived the laws to encourage hospitals to provide financial and technical assistance to office-based physicians to adopt EHRs without fear of accusation of financial conflicts of interest in referrals. Based on an executive order by President George H. Bush, the waivers were accompanied by the establishment of the Office of the National Coordinator for Health Information Technology (ONC) at the Department of Health & Human Services (HHS).
The rule set to expire at the end of this year requires EHR systems to be interoperable and certified by a certification body recognized by HHS within the previous 12 months to qualify for the waivers.
The proposed rule says that the EHR must instead be certified by a certification body authorized by the ONC within the previous 24 months. The rules also propose limiting waivers to cover hospitals, group practices, prescription drug plan sponsors, and Medicare Advantage plans, reflecting concerns that the previous rules – which included “any donor” under Medicare or Medicaid – were too broad.
April 19th, 2013
Dramatic modifications to the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy, Security, Enforcement, and Breach Notification Rules that will impact your practice are finalized and begin to take effect next month.
The omnibus final rule, developed to help implement HITECH regulations in the American Recovery and Reinvestment Act and shore up electronic privacy rules in the 17-year-old act, includes changes to how providers and payers must protect personal health information (PHI) and shifts the focus of enforcement from voluntary to punitive. The rule also makes business associates (BAs) more accountable for breaches of PHI, with the risk of financial penalties.
The Centers for Medicare & Medicaid Services (CMS) maintains the changes provide the public with increased protection, as penalties for noncompliance are increased based on the level of negligence, with a maximum penalty of $1.5 million per violation. The changes also strengthen the HITECH breach notification requirements by clarifying when breaches of unsecured health information must be reported to HHS. These changes broaden who is responsible and extend consequences to more parties, including small practices, payers, and BAs such as billing services or clearinghouses.
CMS says the new rule expands individual rights. For example, patients can request a copy of their electronic medical records in electronic form. When individuals pay by cash, they can instruct their provider not to share information about their treatment with their health plan. The omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual’s health information without their permission.
The rule also streamlines individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and BAs up to one year after the 180-day compliance date to modify contracts to comply with the rule, the health agency says.
- The new rule increases liability for noncompliance for practices. Tiered penalties range from $100 to $50,000 per violation, depending on culpability. Under the new rule, HHS can impose monetary penalties without exhausting informal options.
- The new rule imposes direct liability for BAs and subcontractors, a change that puts billing services and their clients more at risk because a practice is now liable for what its billing service does.
- The rule introduces an objective test of whether PHI has been compromised and requires notification. The four elements are:
  - Nature and extent of PHI in the incident
  - Recipient of the PHI
  - Acquisition or viewing status of PHI
  - Mitigation of the risk after disclosure
- The new rule requires patient authorization for all communication of PHI for marketing purposes, closing a loophole that allowed health care organizations, drug companies, and others to use PHI for direct marketing to patients without permission.
- The new rule better defines what a BA is, clarifying how much interaction with PHI an entity can have before it becomes a BA, and establishing additional accountability for those entities.
- The rule loosens what can be used for fund-raising communications, allowing demographic information, dates of service, department, physician, outcome, and payer status to be used for fund-raising by covered entities and related BAs. Patient authorization is required.
- The rule makes it easier for your patients to authorize PHI to be used for more than one research effort, allowing a patient to designate that PHI can be used for multiple and future research efforts at once.
Overall, the new rule clarifies the definition of a covered entity or BA, the responsibilities that each carries, and the punishments associated with a lack of compliance. It doesn’t change the basics: an entity or BA must still have a plan, a designated compliance officer, education, analysis of gaps, and privacy notices for patients and their family members. Under the rule’s changes to the definitions of compliance, culpability, and correction, however, practices need to reassess their efforts this year to avoid unexpected fines or punishment.
February 22nd, 2013
With so many Health Insurance Portability and Accountability Act (HIPAA) changes coming down the pike, it’s a great time to look at how privacy and security laws may impact your practice and compliance plan.
According to a recent U.S. Department of Health & Human Services (HHS) press release, HIPAA now expands the individual rights of patients to their health information: “The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.”
This means patients can ask for copies of their electronic health records (EHRs). And when it comes to billing, it also means a patient who wants to pay cash can instruct the provider to not share treatment information with his or her health plan.
Keep Billers Compliant
According to Michael D. Miscoe, JD, CPC, CASCC, CUC, CCPC, CPCO, CHCC, here is why it is important to not bill insurance when a patient pays out-of-pocket:
“Although HITECH does not address billing directly, when a patient pays for a service out-of-pocket and instructs (through an appropriate ‘Restrictions on Uses and Disclosures Form’) that you may not disclose PHI associated with that service for payment or health care operations, you are prevented from submitting a claim since by doing so you would be disclosing PHI. If you choose to bill the service anyway, it would be an unauthorized disclosure constituting a breach. This may subject the provider to a penalty, which could be quite substantial if OCR determines the conduct was reckless (usually due to incomplete or non-compliant HIPAA privacy and security policies). Therefore, when the patient makes such a request, HITECH trumps any perceived contractual duty to file a claim because it can’t be done without violating a federal law. A contractual provision that requires you to violate a law is generally unenforceable.
Usually, the patient is paying cash because the service is non-covered. Most provider contracts as well as the Medicare statute do not require submission of claims for non-covered services on behalf of the beneficiary in any event.”
Under the pre-HITECH regulations, you could ignore the patient’s request not to file the claim. Under HITECH, you cannot.
If a patient pays in full out-of-pocket and does not want to bill insurance, according to Miscoe, here are the best steps to take to stay compliant with HITECH:
- Have the patient sign a request that information relative to self-paid services not be disclosed (usually called a Restrictions on Uses and Disclosures Form). Note that self-paid services do not include circumstances where the patient ultimately pays the entire value of the service because of a deductible. The patient’s signed restriction on such disclosures absolutely precludes the provider from submitting a claim for those services. As noted above, the provider is protected from any allegation by the patient or the carrier regarding provider contract breach for not billing, even assuming such an obligation existed.
- Flag these records somehow so they are not disclosed to the health plan should the health plan make a request. The easiest way is to keep them in a separate file. If that’s not an option, clearly mark the record as “Not for Disclosure for Payment or Health Care Operations.”
- If you are sending the records to another provider (which is permissible), make sure the provider knows the records cannot be sent to the health plan due to the patient’s request. A big red stamp or other notation saying the records may not be disclosed in response to a carrier’s payment or health care operations request should suffice.
February 15th, 2013
If you think your health care organization is immune to financial penalties following a violation of the Health Insurance Portability and Accountability Act (HIPAA), think again. Today, with the use of mobile phones, laptops, and other portable storage devices—more than ever—you need policies and procedures to safeguard private patient information, no matter how it’s used or accessed.
As an example of why implementing privacy and security policies and procedures is important, Robert A. Pelaia, Esq., CPC, CPCO, uses a recent (Jan. 2, 2013) HIPAA settlement case, which is the first case involving a breach affecting fewer than 500 individuals. The violation involved an Idaho hospice provider and the theft of an unencrypted laptop computer containing electronic protected health information (ePHI). The provider notified the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR), as required under 45 C.F.R. section 164.408, about the 441 patients affected. OCR investigated the incident and found that “the provider didn’t conduct a risk analysis to safeguard ePHI and there were no policies or procedures in place in regards to mobile device security, which is a requirement under HIPAA Security Rule,” according to Pelaia. “For the settlement, the provider had to pay HHS $50,000 and begin a corrective action plan.”
In cases that Michael D. Miscoe, Esq., CPC, CASCC, CUC, CCPC, CPCO, CHCC, has handled, and based on his discussions with the OCR investigators handling them, “the sufficiency of the Privacy and Security Policies and procedures is more of a concern to them than the breach is—especially where the entity is without fault (i.e. theft of data or disclosure by a business associate).” For this reason, Miscoe says, “It’s important for your health care organization to conduct a detailed risk analysis addressing every method of accessing or using PHI in your organization. This is then followed by development and review of appropriate policies and procedures. Because policies and procedures must address all the ways in which your specific organization uses, accesses, and discloses ePHI and PHI, it is unlikely that ‘off-the-shelf’ products and consultant-generated products from a template will be sufficient.”
Miscoe recommends these tips to help protect and safeguard your PHI from potential security breaches:
- Policies and procedures should be drafted by legal counsel only after conducting a thorough risk analysis.
- Policies and procedures should be updated as methods of storing, accessing, or using ePHI or PHI change. This is where having a Certified Professional Compliance Officer (CPCO™) is invaluable to ride herd over the policies and procedures to ensure they are current.
- Periodic (at least annually) formal review should occur to ensure that policies and procedures are being followed and accurately reflect how PHI is acquired, used, stored, and disclosed.
“Failure to take these steps, under the tier system of penalties in the Health Information Technology for Economic and Clinical Health (HITECH) Act,” Miscoe points out, “will likely mean the difference between a $100 fine and a $50K fine as in the case identified by Robert.”
January 14th, 2013
By Stephen C. Spain, MD, FAAFP, CPC
Angela “Annie” Boynton, BS, CPC, CPC-H, CPC-P, CPC-I, RHIT, CCS, CCS-P, CPhT
Part 2: As health care moves away from fee-for-service, quality care comes to the forefront.
Evidence-based medicine (EBM) and the Physician Quality Reporting System (PQRS) have brought the concept of pay for performance (P4P) to health care. The (r)evolutionary next step driving quality and value is the accountable care organization (ACO). The concept of accountable care begins where P4P ends: More than offering incentives for quality care, it requires quality care as a condition of reimbursement.
In October 2011, the U.S. Department of Health & Human Services (HHS) released a final rule governing the formation of ACOs. ACOs were implemented as a voluntary program in January 2012 as a result of the Affordable Care Act (ACA) and a modification to the Social Security Act (SSA), which established a funding source known as the Shared Savings Program. The ACO provisions represented only seven pages of the massive ACA; however, they were one of its most publicized provisions (along with the individual mandate).
Through the Shared Savings Program, the ACO initiative creates incentives for health care providers to work together to treat an individual patient across care settings, including physician offices, hospitals, and long-term care facilities.
Payers can form ACOs, and many have. UnitedHealthcare, Aetna, and Humana—each of which has vast experience with performance-driven care outcomes—have all formed ACOs. There are both commercial and Medicare ACOs. Many ACOs have been established by community-based programs and provider groups.
ACOs Require Performance Measure Reporting
ACOs seek to reduce health care costs, coordinate care, eliminate duplication of care, and prevent medical errors while ensuring better data integrity. ACOs meeting specific performance objectives over a three-year introductory period will share in any savings they create through lowered health care costs (versus estimated costs using a “traditional care” model). ACOs unable to meet the performance objectives will be penalized. The goal is to share in rewards and risk across all participants in the ACO.
Like PQRS and other quality monitoring programs, ACOs rely on data—much of which will be derived from patient charts by certified medical coders. The final rule adopts 33 individual measures of quality performance used to determine if an ACO qualifies for incentive shared savings. These performance measures span four quality domains:
- Patient Experience of Care
- Care Coordination/Patient Safety
- Preventive Health
- At-risk Populations
Reporting conditions such as chronic obstructive pulmonary disease (COPD), congestive heart failure (CHF), coronary artery disease (CAD), vascular disease, risk for falls, diabetes, hypertension, tobacco cessation, depression, certain types of cancers, and immunizations all will depend on data provided by certified medical coders, and will help to determine if the ACO will share in savings or face penalties.
Moving Away from Fee-for-service
As a reimbursement methodology, ACOs are vastly different from traditional fee-for-service (FFS), which is the most common reimbursement methodology in the United States. In an FFS system, providers are paid based on the number of tests, treatments, surgeries, or studies they perform; hospitals are paid based on the number of beds they have occupied. The focus is on “how much” (quantity) care is provided, rather than “how good” (quality) the care is.
The concept of quality-based reimbursement (such as P4P) has existed for approximately 25 years, but has only begun to pick up steam in the past 10 years with the advent of the physician quality reimbursement initiative (now PQRS). If successful, the ACO model will revolutionize the way we receive, and pay for, health care in the United States.
ACO: HMO Take 2?
There are many differences between standard health maintenance organization (HMO) models and ACOs. When the Health Maintenance Organization Act of 1973 was passed and pioneered managed care, Americans were hesitant to allow Big Brother to oversee health care. It took nearly a decade for the managed care concept to catch on, but when it did, we learned that managing care saves money. There were, however, drawbacks in the way HMOs governed access to care. For example, HMOs are insurer driven and care can be fragmented; there is often little collaboration or cooperation in care delivery. There are gatekeepers—usually a provider that controls a patient’s access to higher levels of care (which raises the often worrisome in-network versus out-of-network dilemma)—and the overall focus of HMOs and managed care remains on quantity rather than quality.
Unlike the HMO or managed care model, the ACO model is provider driven. Care is intended to be fully integrated and should occur more collaboratively. Team-based care is a primary tenet of the ACO. There are no gatekeepers in ACOs, and the overall focus is on the quality and efficiency of care. Rather than being incentivized to deny expensive care, the ACO receives incentives for higher quality outcomes.
There are risks associated with the ACO model. Early participants in ACOs are not fully weaned off the FFS system, so ACOs remain an unproven reimbursement system. We are not likely to see quality-based outcome measures or quality-based financial incentives for a year or more.
Another potential danger is that ACOs will engage in “cherry picking,” or choosing only the healthiest patients to treat. The Centers for Medicare & Medicaid Services (CMS) has announced it will penalize any ACO caught cherry picking, and there are protections built into the final rule so that cherry-picking ACOs stand to lose money. Concerns remain that this may not be enough to combat the problem.
Perhaps the greatest risk is that there are no gatekeepers: There is nothing requiring a patient to remain with an ACO. In other words, if a patient wants to obtain health care from providers outside the ACO, he or she may do so using traditional Medicare insurance. The ACO would be penalized for these out-of-network expenditures (presumably, if the ACO’s quality of care and patient satisfaction are high enough, there would be no reason for a patient to seek health care elsewhere). This patient freedom represents a big gamble for fledgling ACOs.
The United States has yet to design a perfect health care system. If ACOs are to be successful, they must have a solid foundation with which to bridge the divide between FFS and accountable care.
Stephen Spain, MD, FAAFP, CPC, has been engaged in the full-time practice of family medicine for over 25 years. In 1998, he founded Doc-U-Chart, a practice management consulting firm specializing in medical documentation. Dr. Spain can be reached at firstname.lastname@example.org.
Annie Boynton, BS, CPC, CPC-H, CPC-P, CPC-I, RHIT, CCS, CCS-P, CPhT, is the director of 5010/ICD-10 communication, adoption and training for UnitedHealth Group. She is an adjunct faculty member at Massachusetts Bay Community College, and a developer and member of the AAPC’s ICD-10 training team. Ms. Boynton frequently speaks and writes about coding matters, including ICD-10 and 5010 implementation.
December 1st, 2012