Kusserow on Compliance: Physicians must comply with sharing patient information

Under the electronic health records (EHR) metric, The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) (P.L. 114-10) requires attestations from doctors that they are not knowingly and willfully limiting or restricting their EHR’s ability to share information with providers that may have different record systems.  CMS has issued new guidance reminding providers of their responsibilities to promptly share medical information with patients and other clinicians, or else face financial penalties. The targets are providers participating in the Merit-based Incentive Payment System (MIPS) to comply with MACRA. The notice stated physicians will need to attest that they are not engaged in information blocking and that they give patients their data in a timely fashion. Many physicians and medical practices use vendors for their information management systems. They will now have to ensure their vendors enable them to comply with the information sharing mandates.

Under MIPS, providers become eligible for either bonus payments or penalties based on their performance, including evidence of quality improvement, cost reduction or maintaining current levels of spending; efficient use of EHRs; and clinical improvement activities such as later office hours and greater use of care coordination. The Prevention of Information Blocking Attestation has three related statements for MIPS eligible clinicians:

  1. They did not knowingly and willfully take action to limit or restrict the compatibility or interoperability of Certified EHR Technology (CEHRT).
  2. They implemented technologies, standards, policies, practices, and agreements reasonably calculated to ensure the CEHRT was connected and compliance with applicable law and standards for timely access by patients to their data and other health care providers.
  3. They responded in good faith and in a timely manner to request to retrieve or exchange EHR from patients and other health care providers.

CMS also stated that physicians would not be held accountable for things outside of their control, but must get adequate assurances from their vendors that they are able to comply with the information sharing requirements. On the other hand, physicians must take care that they don’t violate the HIPAA Privacy law for patient Protected Health Information (PHI).

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: EHR incentive program attestation is serious business

The American Recovery and Reinvestment Act of 2009 (ARRA) (P.L. 111-5) authorized providing incentive payments to eligible health care professionals, hospitals, and Medicare Advantage Organizations (“MAOs”) to promote the adoption and “meaningful use” of health information technology and electronic health record (“EHR”) systems. CMS established the Medicare and Medicaid Electronic Health Record Incentive Programs (EHR Incentive Programs) to make incentive payments to health care professionals and providers that meet specified requirements for the meaningful use of certified EHR technology (CEHRT). The EHR Incentive Programs are intended to bring about improved clinical outcomes and population outcomes, increase transparency and efficiency in health care, empower individuals to make decisions regarding their care, and generate additional research data on health systems. Program participants must report on their performance pertaining to certain clinical quality measures (CQMs) and objectives to CMS (for Medicare) or the authorized state agency (for Medicaid) through an attestation process. Since 2011, the EHR Incentive Programs have made incentive payments to numerous eligible professionals, eligible hospitals, and critical access hospitals (CAHs) that qualify as “meaningful users” by meeting the objectives and CQMs outlined in the various stages of the applicable programs.

Annual attestations required

Eligible providers must annually attest to meeting the specified objectives and measures in order to receive incentive payments under the EHR Incentive Programs. Once they have attested to meeting the identified objectives and measures, they are deemed to be meaningful users and eligible for incentive payments.  CMS, its contractor, and state Medicaid agencies conduct both random and targeted audits to detect inaccuracies in eligibility, reporting, and receipt of payment with respect to the EHR Incentive Programs.  Eligible hospitals may be selected for pre- or post-payment audits. CMS has required that eligible hospitals retain all supporting documentation used in completing the Attestation Module responses in either paper or electronic format for six years post-attestation. Eligible hospitals are responsible for maintaining documentation that fully supports the meaningful use and CQM data submitted during attestation. Those hospitals undergoing pre-payment audits will be required to provide supporting documentation to validate submitted attestation data before receiving payment.

Unsupported and false attestations

Making false statements, including attestations to the federal government, could implicate federal law (18 U.S.C. § 1001), which generally prohibits knowingly and willfully making false or fraudulent statements or concealing information. Although eligible hospitals receiving incentive payments under the Medicare and Medicaid EHR Incentive Programs are not required to follow any particular parameters when spending the payments, they must annually attest to meeting the relevant measures and objectives in order to be entitled to incentive payments. It is critical that eligible hospitals maintain documentation that supports their attestations.  Supporting documentation needs to make clear that the hospital is meeting the terms and conditions of the EHR Incentive Program. A checklist document by itself would be insufficient as supporting documentation. Failure to maintain such supporting documentation creates potential liability. Although no significant enforcement activity has taken place, compliance officers are advised to verify that proper supporting documentation is maintained.  In fact, the responsible program manager should be maintaining documentation as part of ongoing monitoring. As part of ongoing auditing, the compliance office should ensure that monitoring is conducted and validate that it is adequately meeting regulatory requirements.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on
Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

 

 

$6.50 not the max for PHI record fees

The HHS Office for Civil Rights (OCR) is reminding covered entities (CEs) that they there is no cap on the fees they may charge individuals or their personal representatives for providing them, or third parties to whom the CEs are directed, with copies of protected health information (PHI)—within specific limits. Rather, in a new FAQ, the office states that CEs that would prefer not to engage in arduous calculations have the option to charge a flat fee of not more than $6.50 for electronic copies of PHI maintained electronically.

Permissible fees

The Health Information Portability and Accountability Act (HIPAA) (P.L. 104-191) Privacy Rule permits CEs to charge fees for copies of PHI. Charges may only include labor, supplies, and postage (45 C.F.R. sec. 164.524(c)(4)). Labor for copying includes only labor for creating and delivering the copy in the form and format (electronic or paper) agreed upon, once the relevant PHI has been identified, gathered, and prepared for copying; search and retrieval costs are not permitted. Labor to prepare a summary or explanation may be included if the individual requests such a summary or explanation and agrees to the costs in advance. Supply costs include costs for paper and toner costs for paper copies and the cost of portable electronic media, if the individual requests a copy on portable media.  However, individuals have the right to ask that PHI is simply mailed or emailed.  CEs may not charge fees when they simply fulfill a HIPAA access request using its certified electronic health record technology (CEHRT) view, download, and transmit feature.  CEs must notify individuals of the approximate fees they will charge in advance of providing the copies.

Flat fee

CEs may calculate actual costs individually for each request or develop a schedule of labor costs based on the average costs required to fulfill standard requests. CEs may not charge per-page fees for PHI maintained electronically, even when individuals request paper copies. The FAQ clarifies that CEs may charge a flat fee not to exceed $6.50 for standard requests, although they may wish to calculate actual costs in the event of non-standard requests. The OCR reminds CEs, in those situations, that they must still notify individuals of the approximate fee they will charge in advance of providing the copies. Actual costs and average costs may exceed $6.50, provided the fees comply with 45 C.F.R. sec. 164.521(c)(4).