Webinar gives tips on improving next eCQM submissions

Health care compliance professionals who are involved in electronic clinical quality measures (eCQM) submissions should prepare now for their 2017 submissions, according to Catherine Gorman Klug RN, MSN, Director, Quality Service Line, for Nuance Communications. In a Health Care Compliance Association (HCCA) webinar titled, “eCQM Lessons Learned and How to Prepare for 2017 Submissions,” Klug warned attendees about hidden dangers, including the lack of experience for eCQM vendors, inaccurate data submissions, and the challenges posed by multiple types of electronic health record (EHR) data files generated from more than one system. She also gave recommendations for reducing risk and listed sample questions for the information technology (IT) department.

CMS requires hospitals to report eight of 15 eCQMs, with data reported for the entire year. According to Klug, the agency expects “one file, per patient, per quarter,” that includes all episodes for care and measures associated with the patient. Many hospitals use vendors to assist with the eCQM submissions, but Klug noted that vendors must have an adequate amount of time to respond to required changes before submission, and that although many vendors support a broad number of eCQMs, they may lack adequate depth of coverage. Hospitals should choose vendors who are experienced in the eCQMs they are reporting. Further, there is no way to validate the files submitted. Possible consequences include an annual payment update reduction, failure to receive the EHR incentive payment, or poor quality scores on CMS’ Hospital Compare site.

To reduce risks, hospitals should ask the core measures vendor to validate files before submission to CMS. They should also review file error reports from the vendor and make corrections before the data is submitted. Aggregated file error reports should also be reviewed to ensure that formatting or data elements don’t result in an inaccurate submission. Klug said that accurate coding is absolutely essential. Therefore, hospital IT departments should be prepared to explain how files are validated prior to submission to ensure accuracy, and if not, what the remediation strategy is. Further, compliance professionals should request a file error report, and any other reports to help understand the data being submitted.

Hospitals falling short on implementing bar code medication administration

Ever noticed the steps nurses have to go through when they administer medications in the hospital? Scanning, typing, asking the patient for name and birthday – these steps protect patient health and hospitals from liability. Despite how useful these steps are for reducing medication errors, the Leapfrog Group found that not all hospitals are using them effectively.

Only 30 percent of hospitals are meeting standards

In the 2017 report on medication safety, Castlight Health analyzed hospital use of bar code medication administration (BCMA) and computer physician order entry (CPOE) systems. Although Leapfrog’s standard standards include implementation of a BCMA to cover 100 percent of a hospital’s intensive care and medical/surgical units, along with several important processes, only 30 percent of hospitals met all four of Leapfrog’s criteria.

BCMA systems

A BCMA system requires the administering nurse to scan a bar code on the patient’s wristband and then scan the bar code on the medication. This ensures that the “Five Rights of Medication Administration” are met: right patient, drug, dose, time, and route. The Leapfrog Group developed the first industry standard for BCMA adoption and included measurement elements in its 2016 hospital survey. One of Leapfrog’s standards requires scanning both bar codes for 95 percent of bedside administration in units with BCMA systems.

Findings

Although 97.8 reporting hospitals have a BCMA system in at least one inpatient unit connected to their electronic medication administration record, only 30 percent of the hospitals fully met the standard. A remaining 35 percent fulfilled three out of the four, and 26 percent met two of the criteria.

The most commonly unmet requirement was integration of Leapfrog’s seven decision support elements. These support elements are ensuring that the patient, medication, dose, and time are correct as well as checking for vital signs, performing a patient-specific allergy check, and having a second nurse perform a check. Out of these elements, the vital sign check was the most frequently lacking at 80 percent. Hospitals also failed to adhere to Leapfrog’s best practice processes and workaround prevention, which require (1) formal BCMA use committee; (2) back-up systems for hardware failure; (3) a help desk; (4) observation of BCMA users; and (5) engaging nursing leadership.

Reporting issues

In addition to the BCMA elements in the hospital survey, Leapfrog’s CPOE Evaluation Tool allows hospitals to download simulated data and input patient and medication combinations into their systems. Hospitals then track the alerts generated by the system and are scored based on correct alerts. Leapfrog noted that although more hospitals have been meeting the CPOE standards, an additional 26 percent of reporting hospitals failed to meet these standards. Only 22 percent of hospitals that reported CPOE and BCMA data fully met all standards. Leapfrog noted that some hospitals are not reporting their data at all, and noted that this can cause a serious gap in understanding hospital medication safety because Leapfrog is the only organization that publicly reports this data.

Health technology oversight growing more complicated as innovation continues

As health information technology (HIT) evolves and the industry increasingly relies on it, the field represents a niche opportunity for young lawyers. At the American Health Lawyers Association (AHLA) Fundamentals of Health Law conference, presenters Ryann Schneider and Sidney Welch emphasized the necessity of understanding both the technology and regulations as well as maintaining close oversight of vendors. This area presents many pitfalls and compliance is difficult, but essential.

Innovations

At the close of the third quarter of 2016, $6.5 billion in digital health deals were recorded. Clinical operations are finding more uses for technology, as providers use telehealth for specialty consults, chronic care management, monitoring, and diagnosis while patients continue to rely on personal health applications and wearables. These innovations require continued development of oversight strategies.

Statutes and regulations

One challenge for compliance is understanding the changing (and conflicting) rules surrounding telemedicine. CMS has issued and updated telemedicine regulations for Medicare, while Medicaid reimbursement differs between the states. States have also implemented various non-payment laws, such as the definitions of a valid telemedicine encounter and requiring a full license to practice medicine in the state in which the patient is located. There are also intellectual property considerations, as well as dealing with a long list of regulatory agencies from the HHS Office of Inspector General (OIG) and the Department of Justice (DOJ) to the Federal Trade Commission (FTC) and Internal Revenue Service (IRS).

Vendors

When health care entities hire technology vendors, each side has a different level of understanding and priorities. Health care customers are particularly sensitive to safety, outcome commitments, and security than other technology customers, and often overestimate the time and resources required for projects. Vendors are experts on their technology, and have a better idea of the partnership required to successfully implement sophisticated projects.

The speakers noted that counsel does not have to understand the nuts and bolts of the technology, but emphasized the need for a team comprised of both business and tech experts to ensure that all bases are covered. Additionally, if in-house counsel focuses on regulatory understanding, outside technology or intellectual property (IP) counsel can supplement with specialized expertise.

Health care gets a ‘D’ in cybersecurity, but no one scores high

The health care sector scored a ‘D’ grade in overall cybersecurity for 2016, but other industries didn’t fare much better, with the retail sector scoring a high ‘C,’ according to Tenable Network Security. Cybersecurity experts in most industries showed decreased confidence in their industry’s ability to assess risks and mitigate threats. New and increased challenges, including new platforms and environments and continued use of mobile devices, contributed to the decrease.

Tenable asked 700 security practitioners from seven industries and nine countries about their attitudes and beliefs toward security defenses, rather than actual effectiveness. Health care security professionals’ average confidence level in their risk assessments was only 54 percent, down 18 percent from Tenable’s 2015 report. Professional were more confident in their ability to mitigate threats through security assurances, showing an average 76 percent confident level, an increase of 1 percent from 2015. They were most comfortable in their ability to convey risks to executives and board members, measure security effectiveness, and view network risks continuously. However, a common theme across industries and countries were professionals’ concerns that the executive level did not responds effectively once given information about risks.

Tenable noted health significant health care sector weaknesses in assessing mobile devices. Confidence in risk assessment for mobile devices dropped 8 percent across all industries from 2015, and the web application security rating dropped 18 percent, the largest drop in any risk assessment category. The health care sector also showed weakness in assessing risks with respect to two new categories, developmental operations (DevOps) environments and containerization platforms. DevOps is a set of practices that emphasizes collaboration and communication between software developers and other information-technology (IT) professionals that also includes an automation component with respect to software delivery and infrastructure changes. Containerization technologies allow multiple isolated systems to run on a single control host by packing them in a “container” within their own operating environment.