CLIA Program and HIPAA Privacy Rule

 Patients' Access to Test Reports

A Proposed Rule by the Centers for Medicare & Medicaid Services on 09/14/2011

This proposed rule would amend the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to specify that, upon a patient's request, the laboratory may provide access to completed test reports that, using the laboratory's authentication process, can be identified as belonging to that patient. Subject to conforming amendments, the proposed rule would retain the existing provisions that provide for release of test reports to authorized persons and, if applicable, the individuals (or their personal representative) responsible for using the test reports and, in the case of reference laboratories, the laboratory that initially requested the test. In addition, this proposed rule would also amend the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to provide individuals the right to receive their test reports directly from laboratories by removing the exceptions for CLIA-certified laboratories and CLIA-exempt laboratories from the provision that provides individuals with the right of access to their protected health information.

HHS Sets Goal of 50% of Physicians Using EHRs by Year End

2013 Agenda to Focus on Improving Care through Health IT

Yesterday the Centers for Medicare & Medicaid Services (CMS) Acting Administrator Marilyn Tavenner and the National Coordinator for Health Information Technology Farzad Mostashari, M.D., announced HHS’s plan to accelerate health information exchange (HIE) and build a seamless and secure flow of information essential to transforming the health care system.

“Thanks to the Affordable Care Act, we are improving the way care is delivered while lowering costs,” said Acting Administrator Tavenner.  “We are already seeing benefits, such as a reduction in hospital readmissions due to these reforms.  Health IT and the secure exchange of information across providers are crucial to reforming the system, and must be a routine part of care delivery.”

This year, HHS will:

• Set aggressive goals for 2013: HHS is setting the goal of 50 percent of physician offices using electronic health records (EHR) and 80 percent of eligible hospitals receiving meaningful use incentive payments by the end of 2013.
• Increase the emphasis on interoperability: HHS will increase its emphasis on ensuring electronic exchange across providers.  It will start that effort by issuing today a request for information (RFI) seeking public input about a variety of policies that will strengthen the business case for electronic exchange across providers to ensure patients’ health information will follow them seamlessly and securely wherever they access care.
• Enhance the effective use of electronic health records through initiatives like the Blue Button initiative.  Medicare beneficiaries can access their full Medicare records online today. HHS is working with the Veterans Administration and more than 450 different organizations to make health care information available to patients and health plan members.  HHS is also encouraging Medicare Advantage plans to expand the use of Blue Button to provide beneficiaries with one-click secure access to their health information.
• Implement Meaningful Use Stage 2:  HHS is implementing rules that define what data must be able to be exchanged between Health IT systems, including how data will be structured and coded so that providers will have one uniform way to format and securely send data.
• Underscoring program integrity: HHS is taking new steps to ensure the integrity of the program is sound and technology is not being used to game the system.  For example, it is conducting extensive medical reviews and issuing Comparative Billing reports that identify providers.

The goals build on the significant progress HHS and its partners have already made on expanding health information technology use.  EHR adoption has tripled since 2010, increasing to 44 percent in 2012 and computerized physician order entry has more than doubled (increased 168 percent) since 2008.

“The 2014 standards for electronic health records create the technical capacity for providers to be able to share information with each other and with the patient,” said Dr. Mostashari. “Through the RFI, we are interested in hearing about policies that could provide an even greater business case for such information sharing.”

In addition to seeking public input, the RFI also discusses several potential new policies and ideas to accelerate interoperability and exchange of a patient’s health information across care settings so that they can deliver better and more affordable care to their patients.

The RFI can be found at http://www.ofr.gov/OFRUpload/OFRData/2013-05266_PI.pdf. Deadline for comments is April 21, 201

What meaningful use stage 3 could require

Preliminary recommendations for stage 3 of the federal electronic health record program — starting for some doctors in 2016 — would retire some measures, increase thresholds for others and add new requirements to achieve meaningful use. Key changes proposed include:

• Removing the requirement to record smoking status during at least 80% of patient visits. Instead, smoking status would be tracked by a clinical quality measure.
• Implementing 15 clinical decision support intervention requirements, up from five in stage 2 and one in stage 1.
• Requiring clinical summaries that are pertinent to office visits be sent to patients within one business day during 50% of eligible encounters. The threshold is the same, but the summary cannot be just an abstract of the record.
• Directing practices to use EHRs to query research systems for clinical trials. The new certification criteria would identify patient eligibility for relevant trials.
• Requiring the identification of education resources in five non-English languages and mandating that 80% of materials written in at least one of those languages be made available to patients.

Source: “Request for Comment Regarding the Stage 3 Definition of Meaningful Use of Electronic Health Records,” HHS Office of the National Coordinator for Health Information Technology, HIT Policy Committee, Nov. 27, 2012  (www.healthit.gov/sites/default/files/hitpc_stage3_rfc_final.pdf)

Meaningful use stage 3

Proposed meaningful use stage 3 Criticized as hasty and too strict

Rigid requirements to meet electronic health record measures will trip up physicians attempting to stop upcoming penalties, warn the AMA and others in organized medicine.

Washington Criteria floated for the final stage of the federal electronic health record incentive program would be extremely difficult for physicians to meet, causing those using the systems at their practices to fall short of requirements and exposing them to lower Medicare payments, organized medicine groups say.

A health information technology committee under the Dept. of Health and Human Services has drafted preliminary recommendations for stage 3 of the EHR meaningful use program. The committee wants the program to support new care models, apply broadly to specialties and reflect technologies that are becoming available. But physician organizations, including the American Medical Association, are urging federal officials to review and improve the first two stages of paperless record standards before jumping ahead too hastily.

“The AMA shares the administration’s goal of widespread EHR adoption and use, but we again stress our continuing concern that the meaningful use program is moving forward without a comprehensive evaluation of previous stages to resolve existing problems,” said Steven J. Stack, MD, chair of the AMA Board of Trustees. “A full evaluation of past stages and more flexible program requirements will help physicians in different specialties and practice arrangements successfully adopt and use EHRs.”

The earliest physicians will see stage 3 is 2016. Stage 2 won’t begin until 2014 for the earliest adopters, and physicians who have not yet adopted EHRs will spend two years under stage 1 criteria before they start progressing to the next stages.

Physicians can earn up to $44,000 in Medicare bonuses or $63,750 from Medicaid. Incentives taper off over time, with Medicare and Medicaid bonuses ending in 2016 and 2021, respectively. Those not achieving meaningful use by October 2014 stand to be assessed Medicare payment penalties beginning in 2015.

The committee had sought comments from stakeholders on its recommendations to retire several meaningful use measures and strengthen other requirements in stage 3. Even though the meaningful use program has spurred adoption of EHRs and led to more than 125,000 physicians receiving bonuses, the AMA and others have identified several areas that they say need improvement before the program can move forward.

“A number of the proposed stage 3 measures necessitate significant increases in clinical documentation, involve new and potentially complex work flows, are likely to be difficult for many eligible professionals to understand and implement, or depend on technologies that are not yet widely deployed or shown to be usable in busy practices,” said Michael H. Zaroukian, MD, PhD, chair of the American College of Physicians medical informatics committee.
The American Academy of Family Physicians said the issues are serious enough that stage 3 should be delayed until at least 2017. “Rather than prematurely impose stage 3 requirements, HHS should first focus on improving the ability for physicians to achieve meaningful use stage 1 and 2 requirements,” wrote AAFP Board Chair Glen Stream, MD.

No partial credit for some measures

Physicians already having trouble meeting core and optional meaningful use measures in stage 1 will experience far greater difficulties in the third phase of the program, the organized medicine groups said. The committee’s proposal would nearly double the number of measures that a practice must meet for every eligible patient encounter to avoid Medicare pay penalties.

“Failing to meet just one measure by 1% would make a physician ineligible for incentives and face the same financial penalties during the penalty phase as those physicians who make no effort to adopt EHRs,” the AMA stated in a Jan. 14 comment letter.

The AMA does not support the financial penalties, which will lower Medicare pay by 1% in 2015 for physicians not using the technology adequately by October 2014. However, the policy committee could provide physicians with more options to prevent lower payments, the Association stated.

For instance, similar regulations to the ones adopted by the Centers for Medicare & Medicaid Services for electronic prescribing and quality reporting programs would lower the number of physicians penalized by the EHR initiative. Reporting e-prescribing activity during 10 eligible patient encounters over six months stops the pay cut in that program even though it is not enough to secure a pay bonus. The AMA recommended that physicians meet only 10 meaningful use measures to avoid that penalty, instead of requiring them to meet all of the measures to be compliant.

Medical group administrators also believe that the decision to set 2014 as the reporting year that determines the 2015 penalties should be revisited. Payment adjustments should be assigned the same way bonuses are paid, wrote MGMA-ACMPE, the medical practice management association, in a Jan. 14 letter.

“If penalties are to be assigned, we urge the imposition of payment adjustments to start Jan. 1, 2016, for failing to meet the 2015 meaningful use requirements,” the MGMA-ACMPE said. “We believe this is the appropriate interpretation of the statute’s requirement that payment adjustments begin in 2015.”

Dismissing EHR “science fiction”

Physicians and hospitals have been tasked with purchasing EHRs and transitioning the health care system to paperless records. However, there are gaps in the national health information technology network that must be closed for doctors and facilities to meet the objectives, the American College of Cardiology stated in its Jan. 14 comment letter.

“Without those pieces, much of what the [committee] proposes seems more like science fiction than mere forward thinking,” the ACC said. “Indeed, the proposals seem ambitious and imaginative, but almost impossible to actually accomplish, especially without much in the way of underlying data, interoperability and communication standards.”

The AMA recommended that the new standards for stage 3 be optional and placed on a menu set, from which physicians can choose measures to meet for meaningful use. For example, one such new measure would require a physician to acknowledge receipt of external information when receiving a patient referral at least 50% of the time. The physician then would be required to return referral results electronically during at least 10% of the encounters.

Measures requiring such communication could lead to message fatigue and defeat the purpose of the meaningful use objective, the ACC wrote. “While larger systems may not encounter difficulties with message acknowledgements, small physician practices will be overwhelmed and could potentially be distracted from providing the highest patient care.”

 

Select Your Billing Company Carefully

Select Your Billing Company Carefully

Many practices enjoy the benefits of outsourcing their billing functions, which allows them to concentrate on providing patient care. Choose the wrong billing company, however, and you may end up with even greater distractions and financial frustration.

To be sure you choose a billing company that meets your needs efficiently—and does so compliantly—do some homework to answer the questions below:

What credentials/experience does the billing service have? For example, how long have they been in business and what is their reputation? Is the billing company registered or licensed by the state they are in, if their state requires such registration/licensing? Do they carry professional liability insurance? Do they provide a written contract for their services which spells out their and your responsibilities in this business relationship? How many clients do they have, and do they have any clients similar in size/patient mix as your own practice? Are you able to contact current and/or previous clients, to ask their opinions of the service’s performance?

Does the billing company have experience in your specialty? Does the billing company have experience and, if not, do they understand the unique factors that affect your specialty? Do they have an appreciation for the issues surrounding your coding, reimbursement, denials, and appeals? If not, do they have the resources to get up to speed, to your satisfaction, so that your revenue does not suffer?

What types of training does the staff have/receive? For example, does the billing service’s management hold a certification from a professional billing organization? Are billers/coders professionally certified? Does the service provide ongoing education and guidance for staff?

What resources does the biller provide for its staff? Are all guidebooks (CPT®, HCPCS, etc.) up-to-date? Does the service have a written compliance plan? If so (and you need to be sure it is so), can you review the plan?

Speaking of Compliance …

What is the procedure to protect the privacy of information? Does the service have a compliance officer? Does the billing company provide secure encrypted email communications consistent with Health Insurance Portability and Accountability Act (HIPAA) requirements? Does the billing company use home-based employees and, if so, what precautions are taken to ensure HIPAA compliance?

What are the company’s technical capabilities? Do they electronically process and submit claims, either directly to Medicare or through a clearinghouse? How often are claims submitted to the clearinghouse? What’s the process for third-party payers? Does the service use batch controls to minimize data entry and other errors? Will the service help your practice with forms, superbill design, office processes, etc.?

How does the biller handle claim changes? In other words, what’s their protocol for changing CPT® or ICD-9 codes if errors are discovered? What’s the protocol for missing information?

What type of financial reporting does the billing company provide? For instance, can the practice request ad-hoc reports? Can the service provide reports to determine physician compensation levels? If the practice is capitated, can the billing service report on capitated service utilization? Can your practice access billing data at its office? How robust are the month-end reports?

How is the billing company’s follow up? Specifically, how successful are they with appeals? What parameters do they use to determine if they will appeal a denial or underpayment? What kind of accounts receivable follow-up procedures does the billing service have? How often does the service follow up on payer accounts?

How much will it all cost? If the billing company’s fee is based on a percentage, is it a percentage of charges, or a percentage of receipts (the latter is better)? How are refunds handled? Are they netted out of receipts, so your practice is not paying the billing company for money returned to the payer? Does the billing service charge a start-up fee?

If the answers to any of the above questions are not to your satisfaction, keep looking until you find a billing service that meets expectations. Remember: Even though you are outsourcing, the practice is ultimately responsible for its own claims, and you need a billing company you can trust.

Experienced Staff Is Crucial

Even if the billing company is not coding for you, it’s a good idea for them to have at least one certified coder on staff. Appeals require the knowledge of a coder, and compliance also demands the increased knowledge that a certified coder can bring to the table. Even the billers need to know aspects of coding—although they do not need to be certified—to do an excellent job in billing for your practice. Key areas of education include rules and regulations, where to find the information for Medicare, Medicaid, your private payers, etc., modifiers, correct order of diagnoses, bundling and National Correct Coding Initiative (NCCI) edits, what separate procedures are, etc. You do not want a billing company that is just providing data entry.

Best Bets

My recommendation is to find a billing company with experience in your specialty, with a proven track record in compliantly optimizing practice revenue. I would not recommend entering into a billing company relationship without a written contract that very explicitly spells out both your, and their, responsibility.

Compliance is no longer an option. The Accountable Care Act mandates a compliance plan for all practices, with minimum requirements to be spelled out by the Office of Inspector General (OIG). A practice cannot afford to contract with a billing company that does not have a living, breathing, and operating compliance plan in place.

I also suggest checking out the billing company’s recommendations. Talk to both current and past clients, if possible. Find out what the benefits of working with the billing company are, and what you need to make the relationship function flawlessly. Clients should be able to confirm what the company has told you during the sales phase of your relationship.

Finally, do not expect to see your full income generated by the billing company for approximately four months. It takes about that long for them to get a full queue of your billing to the payers and a revenue stream to start flowing into the practice. Make sure you keep collecting on the accounts receivable that was in process when you contracted with the billing company to keep the bank account healthy during this four-month period.

HITECH-related HIPAA Changes Final

Dramatic modifications to the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy, Security, Enforcement, and Breach Notification Rules that will impact your practice are finalized and begin to take effect next month.

The omnibus final rule, developed to help implement HITECH regulations in the American Recovery and Reinvestment Act and shore up electronic privacy rules in the 17-year-old act, includes changes to how providers and payers must protect personal health information (PHI) and the focus of enforcement from voluntary to punitive. The rule also makes business associates (BA) more accountable for breaches of PHI, with the risk of financial penalties.

The Centers for Medicare & Medicaid Services (CMS) maintains the changes provide the public with increased protection as penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the HITECH breach notification requirements by clarifying when breaches of unsecured health information must be reported to HHS. These changes broaden who is responsible and extends consequences to more parties, including small practice, payers, and BAs like billing services or clearing houses.

CMS says the new rule expands individual rights. For example, patients can request a copy of their electronic medical records in electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individuals’ health information without their permission.The rule also streamlines individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and BAs up to one year after the 180-day compliance date to modify contracts to comply with the rule, the health agency says.

1. The new rule increases liability for noncompliance for practices. Tiered penalties range from $100 to $50,000 per violation, depending on culpability. Under the new rule, HHS can impose monetary penalties without exhausting informal options.
2. The new rule imposes direct liability for BAs and subcontractors, a change that puts billing services and their clients more at risk because a practice is now liable for what its billing service does.
3. The rule introduces an objective test of whether PHI has been compromised and requires notification. The four elements are:
• Nature and extent of PHI in the incident
• Recipient of the PHI
• Acquisition or viewing status of PHI
• Mitigation of the risk after disclosure
• The new rule requires patient authorization for all communication of PHI for marketing purposes, closing a loophole that allowed health care organizations, drug companies, and others to use PHI for direct marketing to patients without permission.
• The new rule better defines what a BA is, clarifying how much interaction with PHI an entity can have before it becomes a BA, and establishing additional accountability for those entities.
• The rule loosens what can be used for fund-raising communications, allowing demographic information, dates of service, department, physician, outcome, and payer status for fund-raising and related BAs. Patient authorization is required.
• The rule makes it easier for your patients to authorize PHI to be used for more than one research effort, allowing a patient to designate PHI can be used for multiple and future research efforts at once.

Overall, the new rule clarifies the definition of a covered entity or BA, the responsibilities that each carry, and punishments associated with a lack of compliance. It doesn’t change the basics; an entity or BA must still have a plan, a designated compliance officer, education, analysis of gaps, and privacy notices for patients and their family members. Under the rule’s changes to definition of compliance, culpability, and correction, however, practices need to reassess efforts this year to avoid unexpected fines or punishment.