The Ball is Now in Play to Extend the EHR Safe Harbor!

By Ann F. Triebsch and Kathie McDonald-McClure

Barely two weeks after Rep. Jim McDermott (D-Wash) sent a letter to the HHS Office of the Inspector General (OIG) requesting that the Anti-Kickback Statute’s “safe harbor” allowing hospitals to donate electronic health record (EHR) items and services to physicians be extended, the OIG has proposed a rule to do exactly that.  On April 10, 2013, the OIG proposed a rule to extend the Anti-Kickback Statute safe harbor from December 31, 2013, to December 31, 2016.  On the same date, the Centers for Medicare & Medicaid Services (CMS) proposed a complementary rule to extend the Stark Law’s similar EHR exception to December 31, 2016.

Extension of EHR Safe Harbor? The Ball is Rolling …

by Ann F. Triebsch

The anti-kickback “safe harbor” allowing hospitals to donate electronic health record (“EHR”) equipment to physicians who may refer patients to their facility is set to expire on December 31, 2013, but efforts have begun to have the safe harbor extended. The safe harbor, created in 2006, allows hospitals to donate EHR and electronic prescribing technology to practices for the purpose of setting up or improving EHR systems, provided that the practice covers 15% of the cost of the EHR technology, without risk of anti-kickback enforcement. The purpose was to incentivize the meaningful use of EHR systems, and Medicare incentive payments for EHR adoption will continue through 2016.

Rep. Jim McDermott (D-Wash.) sent a letter on March 28 to Greg Demske, chief counsel of the HHS Office of Inspector General, asking OIG to extend the safe harbor provision. He emphasized Washington’s goal of reducing healthcare costs and eliminating wasteful spending, and pointed out that an extension would further that goal. He called the safe harbor provision “a common-sense policy” that “encourages collaboration among providers, yet also contains rigorous requirements that providers must meet in order to protect the Medicare and Medicaid programs from the few unscrupulous providers who would donate electronic health record software in exchange for referrals.” Earlier this year, the Federation of American Hospitals also showed support for renewing the EHR safe harbor.

To read Rep. McDermott’s letter, click here.

To read the Federation of American Hospitals letter, click here.

Stay tuned for further action on an extension.

New EHR Exemptions Proposed

A new bill entitled the “Electronic Health Records Improvement Act” has been introduced in the U.S. House of Representatives. Its stated purpose is to “amend certain requirements and penalties implemented under the Medicare and Medicaid programs by the HITECH Act of 2009, which would otherwise impede eligible professionals from adopting electronic health records to improve patient care.” Most notably, this bill proposes two new exemptions to the requirements to be a meaningful user of electronic health records (“EHRs”) that will be beneficial to solo physician practices and physicians nearing retirement:

  • Eligible Professionals in Small Physician Practices.  A physician who is a solo practitioner in 2015 would be exempt from the application of the downward payment adjustment for not demonstrating EHR meaningful use during the payment years 2015-2017.  Implementing EHRs requires significant investments in time for vendor selection, capital, and staff resources, and solo practitioners typically do not have the necessary resources to invest in EHRs.  This exemption allows undercapitalized solo practitioners an additional three years to become a meaningful EHR user.
  • Exception for Certain Physicians Near Retirement Age.  A physician who will be eligible for Social Security by December 31, 2015 (or will be eligible during the 5-year period following that date) is also exempt from the application of the downward payment adjustment for not demonstrating EHR meaningful use during the payment years 2015-2017.  This exemption will encourage physicians nearing retirement to continue practicing medicine for several more years instead of retiring early to avoid implementing an EHR.  (Because this section of the Bill uses the terms “eligible professional” (in the text) and “physician” (in the title), there is some question as to whether this exception applies only to physicians nearing retirement or also applies to other types of eligible professionals, such as dentists, chiropractors, podiatrists, and optometrists.  Hopefully, this confusion will be clarified if this Bill progresses into law.)

Here is a link to H.R. 1331. This Bill is currently in committee, and we will watch its progress closely.

Update (1/31/2015):  Unfortunately, H.R. 1331 died in Committee.

Sample BAA Provisions

The final HIPAA-HITECH Omnibus Rule (Omnibus Rule), released in January, substantially increases the privacy responsibilities of a business associate that receives protected health information, such as contractors and subcontractors.  These new requirements will need to be reflected in business associate agreements (BAAs) between the covered entity and the business associate as well as in agreements between a business associate and its subcontractor.

For example, BAAs must now contain provisions requiring business associates to notify the covered entity of any data breaches.  Moreover, the Omnibus Rule expanded the definition of “business associates” to include subcontractors, which means business associates must now enter into BAAs with their subcontractors who access PHI.

The Department of Health & Human Services (HHS), Office for Civil Rights (OCR) has posted sample BAA provisions on its website to help covered entities and business associates more easily comply with the additional BAA requirements found in the Omnibus Rule.  While these sample provisions are written for use in a contract between a covered entity and its business associate, the language may be tailored for purposes of a contract between a business associate and its subcontractor.

These sample provisions do not constitute a sample contract but are only a starting point.  It is not enough to print and sign these provisions.  As OCR warns, “These provisions address only concepts and requirements set forth in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, and alone may not be sufficient to result in a binding contract under State law. They do not include many formalities and substantive provisions that may be required or typically included in a valid contract.  Reliance on this sample may not be sufficient for compliance with State law, and does not replace consultation with a lawyer or negotiations between the parties to the contract.”  Moreover, there are common concepts in BAAs that are notably missing from the sample provisions, such as indemnification, notification, and mitigation, which should be considered for inclusion with any BAA. 

 

If your current BAA was signed on or before January 24, 2013, then it will be deemed HIPAA compliant through September 23, 2014 (at which time the BAA will need to have been amended for compliance with the Omnibus Rule).  Any new BAAs signed after January 24, 2013 should comply with the new requirements under the Omnibus Rule, and be in place by September 23, 2013.

Report 2012 HIPAA Small Breaches by Friday, 3/1

by Ann F. Triebsch

Friday, March 1, is the deadline for HIPAA covered entities to report to HHS small breaches of unsecured protected health information that occurred in 2012.  A small breach involves fewer than 500 individuals.  Affected individuals must be notified within 60 days of the breach’s discovery, but the breach also must be reported to HHS within 60 days of the close of that calendar year, or by March 1 of the following year.  To file a report, follow this link.