Information Technology and EMR

 

 

A Renewed Focus: 2018-19 NYS Intellectual and Developmental Disabilities Budget Highlights

Since the beginning of the administration of Governor Andrew Cuomo, there has been a strong emphasis on reform of the acute, primary, and long term care systems, and, particularly with the recent focus on the opioid crisis, that attention has extended to the behavioral care system, as well.  In contrast, reforms in the developmental disabilities system have been slower in coming, attributable to a variety of factors, including historical issues surrounding service mix and reimbursement, and legitimate concerns about client safety and quality of life. In some ways, the developmental disabilities provisions in the 2018-19 Enacted Budget represent a return of focus on the developmental disabilities sector, with several provisions concentrating on how larger reform efforts – including the movement toward managed care, health homes, and telehealth – intersect with the developmental disabilities community. Highlights of key provisions follow.

Managed Care. The Enacted Budget includes language updating existing provisions related to the movement of developmental disabilities clients and services into managed care. First, it expands the list of individuals who may be required to enroll in managed care and revises provisions regarding eligibility to include individuals with developmental or physical disabilities who receive services via a federal 1115 waiver, and authorizes the Commissioner of Health, in consultation with the Commissioner of Developmental Disabilities, to submit an application for such waiver. The Enacted Budget also extends authority of the Office for People with Developmental Disabilities (OPWDD) to require enrollment in managed care from 2019 to 2023, and makes technical corrections to that authority. The OPWDD Commissioner will also assess the quality, outcomes, experience and satisfaction of managed care for individuals with developmental disabilities, and report to the Legislature by December 31, 2022.

Health Homes. The Enacted Budget amends the Public Health Law to require criminal history checks for employees and subcontractors of health homes and any entity that provides community based services to individuals with developmental disabilities or to individuals under 21 years old.

Telehealth. The Enacted Budget amends the Public Health Law to allow the use of telehealth by certified and non-certified day or residential health care facilities operated by OPWDD, residential health care facilities serving special needs populations, credentialed alcoholism and substance abuse counselors, and early intervention providers. Further, the Commissioner of the Department of Health, in consultation with the Commissioners of Office of Mental Health, OPWDD and the Office of Alcoholism and Substance Abuse Services may identify other providers that should be permitted to provide telehealth services. Additionally, DOH, OMH, OPWDD and OASAS will coordinate on a single guidance document that will identify the discrepancies in regulations and policies by state agencies, and assist consumers, providers and health plans to better understand and facilitate the use of telehealth to address barriers to care.

First Responder Training. The Enacted Budget agreement includes language to require the Commissioner of Mental Health, in consultation with the Department of Health, Office of Fire Prevention and Control, Municipal Police Training Council, and the Superintendent of the State Police, to develop a training program and educational materials to provide instruction and information to firefighters, police officers, and emergency medical personnel on appropriate recognition and techniques for handling emergency situations involving individuals with autism spectrum disorder and other developmental disabilities.

Care at Home Waivers. The Enacted Budget extends the Care at Home I and II waivers until March 31, 2023. These waivers provide community-based services to physically disabled children who require hospital or skilled nursing home level of care.

Extension of OMH Inpatient Psychiatry Demonstration. The Enacted Budget extends this demonstration program, which allows for three or more time-limited demonstration programs to test and evaluate new methods or arrangements for organizing, financing, staffing and providing services for individuals with intellectual or developmental disabilities, through March 31, 2021.

Independent Practitioner Services. The Enacted Budget amends Section 367-a of the Social Services Law to include independent practitioner services for individuals with developmental disabilities as covered services for insurance reimbursement.

Residents Use of Funds for Care and Treatment. The Enacted Budget extends Chapter 111 of the Laws of 2010 and Chapter 58 of the Laws of 2015 to extend the authority of state facility directors that act as federally appointed representative payees to use funds for the cost of a resident’s care and treatment in facilities through June 30, 2018.

For additional information on any of the above-referenced issues, please do not hesitate to contact Farrell Fritz’s Regulatory & Government Relations Practice Group at 518.313.1450 or NYSRGR@FarrellFritz.com.

New York increases Assisted Living Beds in 2018-19 Enacted Budget

While much of the public attention this year on healthcare budget negotiations in New York State was drawn to the pharmaceutical and managed care sectors, the Enacted Budget for 2018-19 also includes some very significant reforms in the long term care space. Continuing its ongoing efforts to rationalize what even the most ardent supporters of New York’s long term care system acknowledge to be an unnecessarily complicated structure, provisions in the Enacted Budget related to Licensed Home Care Service Agencies, Assisted Living Programs, Residential Health Care Facilities and Hospice reflect New York State’s continued efforts to combat fragmentation, inconsistent quality of services and waste across the continuum of care. This year, that has yielded policy outcomes that to the untrained eye can appear inconsistent, or even contradictory – but there is a method to the madness. The following is a list of some the key long term care reforms included in the 2018-19 Enacted Budget.

HOME CARE

Licensed Home Care Services Agencies (LHCSAs) appear to be on the frontline of the battle for consolidation of the community based long term care marketplace in New York. The 2018-19 Enacted Budget clearly articulates a policy in favor of encouraging fewer, larger LHCSAs instead of the current, heavily fragmented LHCSA market, via measures such as:

Limitations on MLTCP Contracting

Beginning October 1, 2018, the Commissioner of Health may limit the number of LHCSAs with which a Managed Long Term Care Plan (MLTCP) may contract, according to a formula tied to (1) MLTCP region, (2) number of MLTCP enrollees,  and (3) timing (the number changes on October 1, 2019).  Exceptions are allowed if necessary to (a) maintain network adequacy, (b) maintain access to special needs services, (c) maintain access to culturally competent services, (d) avoid disruption in services, or (e) accede to an enrollee’s request to continue to receive services from a particular LHCSA employee or employees for no longer than three months.

For more about MLTCPs, look for our upcoming blog analysis of the overall Managed Care provisions in the 2018-19 Enacted Budget.

Moratorium on New LHCSAs

Effective April 1, 2018, there is a new statutory moratorium on the awarding of new LHCSA licenses until March 31, 2020.  This will not apply to:  (i) LHCSA applications submitted as part of an Assisted Living Program application; (ii) application for transfers of LHCSAs licensed for at least five years for the purposes of consolidating one or more LHCSAs; or (iii) applications that address a serious concern reflecting that same considerations that would justify an exception to the new MLTCP contract rule.

Expanded Certificate of Need for LHCSAs

The Public Health and Health Planning Council (PHHPC) must now consider public need, financial feasibility and other factors in addition to character and competence when evaluating a LHCSA application (previously, LHCSAs were technically exempt from those considerations).

Registration Requirements for Existing LHCSAs

Existing LHCSAs must register with the Department of Health, and presumably meet those new CON requirements, by January 1, 2019, and any failing to register for two years may have their licenses revoked.

The question remains whether these regulations will produce the desired effect, i.e., a consolidation of the LHCSA marketplace, and whether that consolidation will occur through large providers formally acquiring smaller providers, or the gradual disappearance of smaller providers altogether as they struggle to maintain market share.

Cost Reporting Requirements for Existing LHCSAs

Under the new provision, the Commissioner is authorized to require LHCSAs to report on costs incurred by the LHCSA in rendering health care services to Medicaid beneficiaries. The commissioner must give the LHCSA 90 days’ notice of the need for the report, and an additional 30 days to correct any perceived inaccuracies. LHCSAs must certify the accuracy and completeness of the reports.

ASSISTED LIVING PROGRAMS

Assisted Living Programs (“ALP”) appear to be the biggest winner among long term care providers in the Enacted Budget. In contrast to the state’s efforts to consolidate and centralize the LHCSA providers, the Enacted Budget authorizes a general expansion of existing ALP providers and encourages the establishment of new beds. Key provisions include:

New ALP Beds at Existing ALP Providers

Each existing ALP provider may apply to DOH for approval of up to nine additional ALP beds. To be eligible, the existing ALP provider must: (a) be in good standing with the DOH; (b) be in compliance with applicable state and local requirements; (c) not require any major renovation or construction to accommodate the new beds; and (d) agree to dedicate new beds to serve only individuals receiving Medicaid.

The number of new ALP beds approved under this program will be based on the total number of previously awarded beds either withdrawn by applicants or which were previously denied. The commissioner is obligated to approve applications under this section on an expedited basis – specifically, within 90 days of the receipt of a satisfactory application.

ALP providers licensed on or before April 1, 2018 will be eligible to apply during a time period to begin no later than June 30, 2018 and ALP providers licensed on or after April 1, 2018 will be eligible to apply during a time period to begin no later than June 30, 2020.

New ALP Beds in Counties with Few ALP Providers or High Utilization

The Commissioner of Health is authorized to create up to 500 new ALP beds in counties where there are one or fewer existing ALP Providers based on criteria to be determined by the Commissioner. The Commissioner is also authorized to solicit and award applications for an additional 500 ALP beds in counties where utilization of existing ALP beds exceeds 85%. To be eligible, the applicant must commit to: (a) dedicate the beds to serve only individuals receiving medical assistance; (b) develop and execute collaborative agreements with at least one of each of the following entities: an adult care facility; a residential health care facility; or a general hospital, within 24 months of applying to DOH; and (c) enter into an agreement with an existing managed care entity. ALP beds sought by, but not awarded to, providers in counties with one or fewer ALP providers may be issued to ALP providers in counties where utilization exceeds 85%.

New ALP Beds Based On Public Need

After April 1, 2023, the Commissioner of Health is authorized to approve additional new beds on a case by case basis wherever a public need exists. In determining whether a public need exists, the Commissioner may consider, but is not limited to, regional occupancy rates for adult care facilities and ALP occupancy rates and the extent to which the project will serve individuals receiving Medicaid. Existing ALP Providers will be eligible for up to 9 additional beds under this provision.

ALP for Individuals with Alzheimer’s or Dementia

The Commissioner is authorized to issue up to two hundred vouchers for Medicaid ineligible people living with Alzheimer’s or dementia covering up to 75% of the cost of ALP based on the average private pay rate in the respective region.

RESIDENTIAL HEALTH CARE FACILITIES

The Enacted Budget includes a mix of quality control and increased support measures directed at Residential Health Care Facilities (RHCFs):

Medicaid Reduction for Underperforming Facilities

The Enacted Budget includes a provision directing the Commissioner to reduce Medicaid revenue to any RHCF in a given payment year by 2%, where that RHCF performed in the lowest two quintiles of facilities based on its nursing home quality initiative data in each of the two most recent payment years for which data is available, and was ranked in the lowest quintile in the most recent payment year. The Commissioner has the authority to waive this provision in the event the Commissioner deems the facility to be in “financial distress”.

Funding For Capital Projects

As discussed in greater detail in our earlier post regarding the Statewide Health Care Facility Transformation Program (SHCFTP), $45 million is dedicated to RHCFs to increase the quality of resident care or experience, or to improve their health information technology infrastructure, including telehealth, to strengthen the acute, post-acute and long-term care continuum, but not for general operating expenses.

Telehealth

The Enacted Budget also expands the definition of an “originating site” for purposes of telehealth to include RHCFs treating populations with special needs.

HOSPICE

The Enacted Budget requires the Commissioner to establish a methodology as of July 1, 2018, subject to federal financial participation, that will ensure a 10% increase in the Medicaid reimbursement rates for hospice providers for services provided on or after April 1, 2018. Furthermore, the Enacted budget carves hospice providers out of the Opioid Drug provisions requiring a care plan for pain lasting more than three months (discussed here).

Hospice facilities shall be eligible for up to $60 million in funding dedicated to community-based providers through SHCFTP (discussed here).

If you have any questions or would like additional information on any of the above referenced issues, please do not hesitate to contact Farrell Fritz’s Regulatory & Government Relations Practice Group at 518.313.1450 or NYSRGR@FarrellFritz.com

On January 5, 2018, the United States Department of Health and Human Services released for public comment a draft Trusted Exchange Framework, which seeks to accomplish interoperability with respect to patients’ Electronic Health Information (“EHI”) through the creation of Health Information Networks (“HINs”). The 21st Century Cures Act, which Congress enacted in 2016, has the goal of creating a trusted exchange focusing on streamlining patient EHI and establishing a network designed to “achieve a system where individuals are at the center of their care and where providers have the ability to securely access and use health information from different sources.” The Trusted Exchange Framework is the federal government’s attempt to achieve that goal.

The draft Trusted Exchange Framework is broken down into two parts:

Part A—Principles for Trusted Exchange

Part B—Minimum Required Terms and Conditions for Trusted Exchange

Part A sets forth and relies on six principles:

(1) Standardization (adherence to industry standards and best practices);

(2) Transparency (an open free flowing exchange);

(3) Cooperation and Non-Discrimination (collaboration from all stakeholders);

(4) Privacy, Security, and Patient Safety (data protection and integrity);

(5) Access (conveniently obtain EHI); and

(6) Data-driven Accountability (streamlined process for a cohort of patients to help lower cost of care).

These principles are guidelines qualified HINs need to follow to help build a trusting relationship between participants and patients and, without adherence to this foundation, a new modernized system cannot properly flourish.

Part B sets forth the minimum required terms and conditions participants must adopt and follow to ensure a trusted exchange of EHI. This is accomplished through a trusted exchange framework and common agreement (“TEFCA”). The TEFCA seeks to ensure, among other things, that there is “[c]ommon authentication processes of trusted health information network participants, [a] common set of rules for trusted exchange, and [a] minimum core of organizational and operational policies to enable the exchange of EHI among networks.” A sample TEFCA can be found in the draft Trusted Exchange Framework.

In sum, it is clear that the federal government is finally taking a serious look at how our healthcare system can become more efficient and modernized in our ever-changing society. Putting into place a final Trusted Exchange Framework, with input from all stakeholders, is a great step towards reaching that goal.

The deadline for public comment is February 18, 2018.

Effective March 1, 2017, the New York State Department of Financial Services promulgated regulations to help protect against cybercriminals and their efforts to exploit sensitive electronic data. These cybersecurity regulations apply to all individuals and entities that “operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law”, with a few exceptions.  This will undoubtedly result in insurance companies and other related healthcare entities, which hold sensitive patient health information, beefing up their internal and external rules and policies.  New York’s proactive stance should be taken with the utmost seriousness seeing that there are more than 400 cyberattacks each day over the internet, or almost 3 every minute.

The United States Congress has enacted a similar law to protect health information, the Health Insurance Portability and Accountability Act (“HIPAA”). However, because HIPAA was enacted and modified years prior to cybersecurity becoming a prominent threat to our society, HIPAA does not provide as much protection to patients’ electronic data as the New York regulations do.  HIPAA does provide important guidelines and safeguards to ensure the integrity and confidentiality of protected health information, but does not elaborate on many of the issues presented in New York’s cybersecurity regulations.

New York’s cybersecurity regulations require all “Covered Entities”, as defined in the regulations, to maintain a cybersecurity program to guard the confidentiality of Nonpublic Information, which includes a risk assessment and a comprehensive cybersecurity policy.  In addition, Covered Entities are now required to designate an individual to serve as the Chief Information Security Officer (“CISO”).  The CISO is tasked with overseeing, implementing and enforcing the Covered Entity’s cybersecurity policy, and is required to report, in writing and at least annually, to the Covered Entity’s Board of Directors or similar governing body.  The CISO’s report must include, as applicable, information on “(1) the confidentiality of Nonpublic Information and the integrity and security of the Covered Entity’s Information Systems; (2) the Covered Entity’s cybersecurity policies and procedures; (3) material cybersecurity risks to the Covered Entity; (4) overall effectiveness of the Covered Entity’s cybersecurity program; and (5) material Cybersecurity Events involving the Covered Entity during the time period addressed by the report.”

Compliance with the cybersecurity regulations will be transitioned over a two-year period with full compliance required by March 1, 2019.

Picture1Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) is the first business associate to be held directly liable for violations under the HIPAA rules. CHCS provided management and information technology services to six nursing homes. According to the OCR Resolution Agreement, OCR received separate notifications from each of the six nursing homes regarding a breach of unsecured electronic protected health information (ePHI) by CHCS resulting from the theft of a CHCS mobile device. The mobile device containing ePHI of 412 nursing home residents was neither encrypted nor password-protected. The settlement includes a monetary payment of $650,000 and a two-year corrective action plan.

OCR’s investigation concluded that:

  1. CHCS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by CHCS; and
  2. CHCS failed to implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply with the HIPAA Security Rule.

It is important for Business Associates and subcontractors of Business Associates to understand that since enactment of the Omnibus Rule in 2013, Business Associates and their subcontractors can be held directly liable for HIPAA violations, including the failure to conduct appropriate risk assessments and the failure to adopt adequate written policies and procedures to reduce the risk of violations.

Picture1Under the Privacy Rule, HIPAA covered entities (health care providers and health plans) are required to provide individuals, upon request, with access to their protected health information (PHI) in one or more “designated record sets” maintained by or for the covered entity.

Covered entities are also required to protect the individual’s PHI from unauthorized disclosure. How must a covered entity verify the identity of the individual requesting the PHI so as to comply with the Privacy Rule without at the same time violating it?

Recent guidance from the Office of Civil Rights (OCR) is somewhat helpful.

According the guidance, the Privacy Rule requires a covered entity to take “reasonable steps” to verify the identity of an individual requesting access (citing 45 CFR 164.514(h)).  OCR confirms the Privacy Rule does not mandate the form of verification, but rather leaves the manner of verification to the professional judgment of the covered entity, provided the verification processes and measures “do not create barriers to or unreasonably delay the individual from obtaining access to her PHI”.  OCR explains that verification may be oral or in writing and states that the type of verification depends on how the individual is requesting or receiving access. For instance, a person may request access in person, by phone, by fax or e-mail, or through a web portal hosted by the covered entity.

OCR suggests that standard request forms ask for basic information about the individual to enable the covered entity to verify the individual is the subject of the information requested.  For those covered entities providing individuals with access to their PHI through web portals, the portals should be set up with appropriate authentication controls, as required by the HIPAA Security Rule (for instance password protection and required periodic password updates).

For individuals who may call requesting access to their PHI, good policy might require verification of the requestors date of birth, address, and perhaps the condition the individual was treated for.

Verifying the authority of an individual’s personal representative is determined under State law. In the next blog post, we will look at the law in New York on who is a qualified person for purposes of access to an individual’s medical records.

Alternatives to the hospital emergency room and primary care doctor’s office are opening in strip malls and other retail locations throughout the country. New York State is no exception. In an effort to provide oversight for these walk-in clinics, New York’s Public Health and Health Planning Council (PHHPC) has recommended regulations for these facilities.

The recommendations would place walk-in clinics into one of four categories:
1. Limited Services Clinics (Retail Clinics);
2. Urgent Care;
3. Hospital-Sponsored Freestanding Emergency Departments; and
4. Non-Hospital Surgery- Ambulatory Surgery Centers and Office-Based Surgery.

The recommendations for each category of walk-in clinic are summarized below:

Limited Services Clinics (Retail Clinics)

• The name, marketing materials and all signage would be required to include the term “Limited Services Clinic.”
• Services would be limited to episodic care related to minor ailments and immunizations.
• Surgical, dental, physical rehabilitation, mental health, substance abuse and birth center services would not be permitted.
• No dispensing of controlled substances would be permitted.
• No services could be administered to children 24 months of age or younger.
• No childhood immunizations to patients under 18 years of age (except influenza) would be permitted.
• Accreditation by a national organization approved by the NYS Department of Health (DOH) would be required.
• The clinic would be required to have a Medical Director at the corporate level who is licensed to practice medicine in New York.

Urgent Care Providers

• Urgent Care would be limited to treatment of acute episodic illness or minor traumas.
• Services required would include:

  • unscheduled, walk-in visits typically with extended hours on weekends and weekdays;
  • Ex-ray and EKG;
  • Laceration repair; and
  • Crash cart supplies and medications

• The term “Urgent Care” would be required in the name and in all signage at the provider site and in all marketing materials. Other commercial terms could still be used in the provider’s name, but would need to include “Urgent Care” (e.g. “FastMed Urgent Care”).
• The word “Emergency” or its variations would not be permitted for urgent care providers unless licensed by New York State as an emergency department.
• Non-article 28 Urgent Care would require accreditation. No CON review required.
• Article 28 Urgent Care not otherwise accredited would be surveyed by DOH.
• Existing Article 28 Hospital or D&TC providers wanting to provide Urgent Care would require a limited review of their operating certificate.
• Private physician practices affiliated with an Article 28 may provide urgent care if they are accredited or become an Article 28 through CON review.
• Establishment of a new Article 28 Hospital or D&TC to provide urgent care services would require CON review.

Freestanding Emergency Departments

• Hospital-sponsored off-campus “emergency department” would be defined as an emergency department that is hospital-owned and geographically removed from the hospital campus.
• PHHPC recommends that the sponsored off-campus emergency department use the name of the Hospital that owns the facility followed by “Satellite Emergency Department”.
• The facility would be subject to the same standards as a hospital-based emergency department regarding training of providers, staffing, and the array of services provided at the facility.
• Establishment of an off-campus emergency department would require full CON review.
• Accreditation would be required.

Non-Hospital Surgery

• No changes are recommended regarding ambulatory surgery.
• New and existing office-based surgery practices would require registration with DOH.
• All physician practices performing procedures utilizing more than minimal sedation would require accreditation and the provision of adverse event reports.

Limited Services Clinics, Urgent Care providers and Hospital-Sponsored Freestanding Emergency Departments would be required to utilize electronic medical records.  Further, these facilities would be required to provide a list of primary care providers to any patient indicating that they do not have a primary care provider. These clinics would also be required to recommend that the patient schedule an initial or annual appointment with a primary care provider and develop policies and procedures to identify and limit repeat encounters with patients.

Is your office photocopy machine a HIPAA time-bomb?  Affinity Health Plan recently learned that the answer is yes, to the tune of a $1.2 million settlement with the US Department of Health and Human Services Office for Civil Rights (OCR).  Affinity is a not-for-profit managed care organization which includes one of the New York metropolitan area’s largest Medicaid managed care programs.  In 2010, Affinity made a mandatory breach report to OCR when it learned that the protected health information (PHI) of over 300,000 individuals was found on the hard drives of multiple photocopiers that Affinity had leased.  Affinity failed to have the hard drives wiped or destroyed prior to the return of the copiers at the end of the leases.

As HIPAA Covered Entities, healthcare organizations from hospitals and inpatient facilities to physician practices and health plans should take note of this matter.   For Covered Entities, this may mean new policies covering copiers and other hard drives containing PHI, revised risk analyses and safeguards, and revised Business Associate Agreements (BAAs).

Additionally, Business Associates of healthcare organizations, including consultants, lawyers, accountants, and billing companies, who may possess protected health information should also pay close attention.  Under the Omnibus Rule, finalized earlier this year and taking effect on September 23, 2013, business associates will be directly responsible for compliance with the privacy and security provisions HIPAA, HITECH and the Ominbus Rule. This means developing their own policies and procedures, conducting internal risk assessments and audits, and implementing physical and electronic safeguards to protect PHI.  Business Associates should carefully read new or revised BAAs they receive from Covered Entities to better understand their obligations.

The health care attorneys at Farrell Fritz understand HIPAA, can help your organization move toward compliance with new and old requirements, and minimize your risk of substantial fines.

 

On January 2, 2013, the US Department of Health and Human Services announced a $50,000 settlement with Hospice of North Idaho for a data breach involving the theft of a lost, unencrypted laptop computer containing the health information of 441 patients.

This settlement is the first for a reported breach affecting fewer than 500 individuals.   HHS Office of Civil Rights Director Leon Rodriguez stated that “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

A few takeaways from this settlement:

  • All HIPAA covered entities should conduct initial and ongoing risk assessments regarding use of electronic PHI;
  • Providers should develop and adopt policies and procedures regarding the use of mobile devices such as laptops, tablets, and smart phones containing electronic PHI, and appropriate safeguards to implement;
  • Think about who should have access to the devices, how they are protected or encrypted, where they are stored;
  • Providers should carefully investigate all data breaches, no matter how small;
  • After an investigation, review the provisions of the HITECH Act regarding breach notification; must the provider notify HHS immediately, notify the affected individuals, or take other measures?
  • Consult with counsel familiar with HIPAA, HITECH and data breaches to ensure that all Federal and State obligations are being met with an appropriate investigation, response, remedial assessments and policies and procedures.

 

   The Health Information Technology for Economic and Clinical Health Act (the “HITECH”) Act of 2009 aims to have all hospitals and physicians use electronic health records (“EHRs”) for all persons in the United States by 2014.  Federal and State financial incentives, electronic billing requirements, and the need for ever-increasing collaboration and sharing of information among providers have lead to a growing embrace of EHRs across the health care system.

   The U.S. Department of Health and Human Services Office of the Inspector General (the “OIG”) recently issued its Work Plan for Fiscal Year 2013.  One of the OIG’s goals for 2013 is to identity fraud and abuse vulnerabilities in EHR systems and to determine how certified EHR systems address those vulnerabilities.

Letters and Surveys Sent By OIG

  The OIG has already begun to implement the Work Plan with respect to its review of EHR systems.  In October 2012, at least ten hospitals received an 18-page, 54-question survey requesting detailed information on their EHR systems.  The survey comes on the heels of a letter that was sent on September 24, 2012 from HHS and the Department of Justice to health care providers indicating that “there are troubling indications that some providers are using [EHR] technology to game the system, possibly to obtain payments to which they are not entitled.”

  It is expected that the responses to the survey will be used by the OIG to prepare a report which will be published during fiscal year 2013.  According to a recent article posted on HealthLeaders Media, some of the questions in the OIG survey include:

  • How diagnoses and procedures are coded (manually, automatically with coding software, or other);
  • User authorization methods (unique user ID, password, tokens, biometrics, public key);
  • Access management (session time-out, minimum password configuration rules, regular changing of passwords, user agreements or contracts to prevent sharing of passwords, or other);
  • Barriers to allowing outside entities access (lack of software or hardware support, insufficient staffing, funding restrictions, performance concerns, privacy concerns, etc.);
  • How physician progress notes are entered into the EHR (free text, via structured templates);
  • Whether narrative nursing notes are directly entered into the EHR or handwritten and scanned into the EHR, and if so, why;
  • Whether patients have access to the EHR, and if so, how.

Steps to Ensure Proper Functioning of an EHR

  There are certain steps that hospitals and physicians can take in order to ensure that their EHR system is functioning properly.  First, considerable time and research should be spent on selecting an EHR vendor to ensure that the EHR system will be a good fit for the practice.  Issues to be addressed should include: What features does the vendor’s system include that competitors may not offer?  What kind of training and support is provided by the vendor and how and when is that support available?  What is the size of the vendor’s customer base and has its software been implemented in similar practices and work environments?  Legal review of acquisition documents, service/support agreements, and hardware or hosting agreements is a key component of the process.

  Second, it is essential that hospitals and physicians receive appropriate training in the use of the system and that sufficient time is allotted for staff education.  Written manuals should be provided to staff members that, along with a detailed guide to the EHR system, include quick, one-page “cheat sheets” for easy reference by users.  Third, hospitals and physician practices should set realistic goals and expectations.  Because it is unlikely that things will go smoothly from the get-go, practitioners should set aside time on a regular basis, as frequently as every 60-90 days, to reevaluate their EHR system and see if improvements or changes should be made to the system or processes.  This will also provide an opportunity to determine if any member of the team needs additional training on the system.

  In light of the OIG’s Work Plan and increasing scrutiny on EHR systems, it is essential that hospitals and physicians take measures to ensure that their EHR systems are working properly and are being use appropriately.