Verden ViewPoint: Leadership Issue


This quarter’s issue focuses on Leadership. Susanne wrote a brief contemplation for the magazine, posted below. What do you think Leadership is (or isn’t)?

Leadership means different things to different people. Some people believe you have to be born with it, with certain “leader-like” qualities, while others say it can be nurtured (such as Dr. Scott Schams’ view in Take A Hike).

Personally, I think you need a bit of both. Being emotionally intelligent and listening to others is key to creating connections, but if you fall short on the delivery, you are likely to viewed as a “well-intentioned manager” but nothing more. If you don’t take the time to learn how to make real connections, you’re not practicing strong leadership. I believe that in order to lead effectively, you must be able to both connect and inspire people and you must also lead by example.

Even less extroverted personalities can make fine leaders if they are able to push themselves to step out in front and lead the pack. When we look to our public leaders today we see very few who embody these qualities: very few, but not none. Over the past two months I have watched with fascination as Justin Trudeau has stepped into his new role as Canada’s Prime Minister, with dignity, empathy and a real ability to connect.

From my perspective, those are the qualities that today’s leaders need to bring to the table — in business, in politics and in our home life. How do you define leadership? Leave us a comment below . . .

You can read the magazine here: www.VerdenViewpoint.com

 

HIPAA Legal Updates — Breach Reporting Requirements


By Sumita Saxena, Senior Consultant, The Verden Group

There might be some confusion regarding the breach reporting requirements mandated by the Health Insurance Portability and Accountability Act (HIPAA) and further enforced by the Health Information Technology for Economic and Clinical Health (HITECH) Act. A breach is considered any acquisition, access, use or disclosure of Protected Health Information (PHI) which compromises the security or privacy of the PHI. However, if the disclosed PHI has been rendered unusable, unreadable, or indecipherable to unauthorized individuals, an adequate risk assessment may determine that a sufficiently minimal or nonexistent risk is present, thereby excluding the event from the definition of a breach.

The most basic example of a breach occurs when one patient’s records are accidentally sent or disclosed to another patient or individual. While this may seem trivial in a circumstance in which the content disclosed is rather limited, physicians must be aware of how to identify a breach and understand their obligations with respect to reporting.

Every HIPAA breach is reportable; the differentiating factor in reporting is determined based on the number of individuals affected by the event. In instances where fewer than 500 individuals are affected by the breach, practices must maintain a system of logging or otherwise documenting these breaches that occur during the calendar year. Practices must then submit a detailed account of all such events to the Secretary of the U.S. Department of Health and Human Services (HHS), through the HHS Office for Civil Rights, no later than 60 days after the end of the calendar year. Immediate notification to the Office for Civil Rights is required in the event that a breach affects more than 500 individuals.

Recent OIG reports signal an upcoming increase in OCR activity and oversight of HIPAA covered entities, even in the absence of a breach.

On September 29th, the Office of Inspector General (OIG) in the U.S. Department of Health and Human Services (HHS) released two reports which reviewed the successes and shortcoming in the Office for Civil Rights’ (OCR) oversight of Health Insurance Portability and Accountability Act (HIPAA) compliance for covered entities. OCR is responsible for overseeing covered entities’ compliance with the HIPAA standards, which include the Breach Notification Rule, the Privacy Rule and the Security Rule. In one report, the OIG provided conclusions and recommendations from their study on covered entities’ compliance with the HIPAA Privacy Rule, while in the other report, the OIG provided conclusions and recommendations from their investigation of OCR’s follow-up on breaches of patient health information which are reported to OCR. In both studies, the OIG reached some similar conclusions. The guidance provided by these reports should be recognized by providers for what it is: harbingers of OCR’s likely future enforcement activity.

One of the key findings by the OIG likely to have a direct impact on providers: OCR will now proactively audit covered entities to monitor compliance with the Privacy Rule, as opposed to its traditional approach of initiating investigations as a result of complaints or breach reports. The fact that OCR has not been proactively auditing covered entities allows for some level of comfort for covered entities, as there is not a great concern that OCR will conduct an investigation of a covered entity unless a potential breach or violation were reported. It is likely that this will be changing in the very near future, as the OIG has recommended that OCR improve its oversight of covered entities and take a proactive stance, by instituting a permanent audit program, as opposed to OCR’s current reactive posture. In addition, the OIG recommended improving the tracking system which OCR uses to keep records about investigations of covered entities. Such improvements in record-keeping and tracking investigations could mean that OCR will be more likely to impose penalties, as it will be able to more easily determine when covered entities are the subject of multiple investigations.

Regarding the follow-up of breaches, the OIG made some similar recommendations concerning the need for OCR to improve its tracking system. The OIG recommended that OCR more uniformly enter information about breaches, whether large or small, into a searchable database. At present, OCR has largely focused on thoroughly investigating large breaches (e.g. breaches of 500 or more affected individuals) that are reported to it. However, the OIG has now recommended that OCR also track and follow-up on small breaches that are reported to it. This could have a significant impact on providers who may have experienced several small breaches, as it will be more likely that OCR will now closely track and examine covered entities that experience several small breaches. In addition, the OIG recommended that OCR maintain more complete documentation in its database of corrective actions taken by covered entities that experience a breach. Currently, because OCR does not keep thorough records of corrective actions, covered entities may be able to get away with implementing few changes if they experience a breach. Once OCR implements these recommendations to better document corrective actions taken by covered entities, it will place greater scrutiny on these corrective actions to ensure that the covered entities carry out the necessary changes and prevent the occurrence of a similar breach in the future.

It is extremely important for providers to understand how to comply with HIPAA, as well as what to do if they experience a breach. These reports serve to emphasize the importance of compliance and the ways in which OCR will begin to more actively investigate HIPAA compliance. Here at The Verden Group we can offer assistance in reviewing your HIPAA protocols and ensuring you have all the required forms up-to-date and properly disseminated to your patients.

 

 

CMS issues Final Rules for Stage 2 and Proposed Rules for Stage 3


By Jose Lopez, Senior Consultant, The Verden Group

On October 6, 2015, the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator (ONC) released the final rules (click here to view) for modifications to Stage 2 and 2015 reporting requirements, as well as proposed rules for the third stage of the Meaningful Use incentive program.

Meaningful Use Stage 2 Changes

As expected, CMS finalized the modifications for the 2015 reporting period and some Stage 2 requirements (see my earlier blog post about details on those anticipated changes). CMS says it is providing a simpler, more flexible set of stage 2 regulations for 2015 through 2017 as the meaningful use regulation era gives way to CMS’s transition to value-based compensation. In summary:

  • The rules also allow for a 90-day reporting period for providers in 2015, and new providers in 2016 and 2017.
  • Many of the measures of personal health engagement have been drastically reduced (patient portal and e-messaging requirements).
  • Clinical quality measures for both hospitals and providers will remain the same.

The Verden Group applauds the relaxation of these measures to reflect the real challenges that practices and hospitals are facing. More than 60% of hospitals and about 90% of physicians have yet to attest to stage 2!

Meaningful Use Stage 3 Measures

In spite of calls from most of the major medical associations to delay the onset of Stage 3, CMS also announced that Stage 3 will go on as planned and will not be delayed. In summary, major provisions pertaining to Stage 3 meaningful use include:

  • There will be 8 objectives for eligible providers and hospitals.
  • In Stage 3, more than 60 percent of the proposed measures require interoperability, up from 33 percent in Stage 2.
  • Public health reporting will include flexible options for measure selection.
  • Clinical Quality Measures (CQM) reporting are aligned with the CMS quality reporting programs.
  • Finalizes the use of application program interfaces that enable the development of new functionalities to build bridges across systems.

In short, CMS is attempting to address the two areas in Stage 3 that have been the primary barriers for successful Stage 2 attestation: interoperability and patient engagement. In 2017, Stage 3 requirements are optional, but providers who opt to start Stage 3 in 2017 will have a 90-day reporting period. Come 2018, all providers must comply with Stage 3 regulations using a certified EHR.

Industry Reaction

Despite a public outcry from the healthcare community to delay the onset due to the lack of successful Stage 2 attestation, Stage 3 is set to begin as an optional requirement for physicians and hospitals in 2017 and a requirement in 2018. The American Medical Association applauded CMS for allowing a hardship exemption for physicians who are unable to attest in 2015 but called the final rule, as a whole, “deeply disappointing.” The American Hospital Association urged CMS to delay the implementation of Stage 3 and focus instead on “ensuring that providers could easily and efficiently share health information to support care delivery and new models of care.” The American College of Cardiology says that the program requirements “remain difficult to implement.”

The final rule for Stage 3 includes a 60-day comment period, which is longer than is typical, suggesting that there may be additional modifications or delays. As such, the political fight to delay the onset of Stage 3 of meaningful use may not be over, and we expect many changes may be coming before the rule is finalized.

A Post-HITECH World

When Congress passed the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), it essentially sunset the meaningful use payment adjustments (penalties for noncompliance) at the end of 2018. Instead, Congress has called for the establishment of a Merit-Based Incentive Payment System (MIPS), of which the meaningful use program will form one component. CMS will continue to consolidate its current incentive/adjustment programs under the umbrella of MIPS as it further transitions from encounter-based payments to value-based compensation. The Verden Group will continue to monitor industry reaction and comments submitted to CMS on the final Stage 3 rule in order to guide our clients through successful Meaningful Use Attestation and beyond.

 

Adventist Health System Agrees to Pay $115 Million to Settle False Claims Act Allegations


Recently, the Justice Department announced that Adventist Health System has agreed to pay the United States $115 million to settle allegations that it violated the False Claims Act by maintaining improper compensation arrangements with referring physicians and by miscoding claims. Adventist is a non-profit healthcare organization that operates hospitals and other health care facilities in 10 states.

Officials from the Justice Department pointed to the underlying basis for the settlement, namely that unlawful financial arrangements between heath care providers and their referral sources raise concerns about physician independence and objectivity. They further underscored their position by stating   patients are entitled to be sure that the care they receive is based on their actual medical needs rather than the financial interests of their physician.

The settlement announced a couple of days ago resolves allegations that Adventist submitted false claims to the Medicare and Medicaid programs for services rendered to patients referred by employed physicians who received bonuses based on a formula that improperly took into account the value of the physicians’ referrals to Adventist hospitals. Federal law restricts the financial relationships that hospitals and clinics may have with doctors who refer patients to them.

Adventist-owned hospitals, such as Park Ridge, allegedly paid doctors’ bonuses based on the number of test and procedures they ordered.  The Justice Department took exception to this type of financial incentive as not only prohibited by law, but as also undermining patients’ medical care. They cautioned that would-be violators should take notice that the Justice Department will use the False Claims Act to prevent and pursue health care providers that threaten the integrity of the healthcare system and waste taxpayer dollars.

“Companies that financially reward physicians in exchange for patient referrals – as the government contended in this case – undermine the physicians’ impartial medical judgment at the expense of patients and taxpayers,” said Special Agent in Charge Derrick L. Jackson of the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG) in Atlanta.  “We will continue to investigate such wasteful business arrangements.”

The settlement also resolves allegations that Adventist submitted bills to Medicare for its employed physicians’ professional services containing certain improper coding modifiers, and thereby obtained greater reimbursement for these services than entitled.

The allegations settled arose from two lawsuits filed respectively by whistleblowers Michael Payne, Melissa Church and Gloria Pryor, who worked at Adventist’s hospital in Hendersonville, North Carolina, and Sherry Dorsey, who worked at Adventist’s corporate office, under the qui tam provisions of the False Claims Act.  The act permits private parties to file suit on behalf of the United States for false claims, and to share in any recovery. The whistleblowers’ share of the settlement has not yet been determined.

This settlement illustrates the government’s emphasis on combating health care fraud and marks another achievement for the Health Care Fraud Prevention and Enforcement Action Team (HEAT) initiative, which was announced in May 2009 by the Attorney General and the Secretary of Health and Human Services. The partnership between the two departments has focused efforts to reduce and prevent Medicare and Medicaid financial fraud through enhanced cooperation. One of the most powerful tools in this effort is the False Claims Act. Since January 2009, the Justice Department has recovered a total of more than $25 billion through False Claims Act cases, with more than $16 billion of that amount being recovered in cases involving fraud against federal health care programs.

Hospitals and private practices alike should make note of this recent settlement and carefully evaluate physician compensation arrangements so as not to run afoul of this complex area of laws and regulations. At the Verden Group, we recommend working with an experienced healthcare attorney to help you navigate through this issue as the penalties for violating the law are significant and could irreparably harm your practice if you are deemed non-compliant.

 

 

Announcing www.VerdenViewPoint.com


We are pleased to announce the launch of Verden ViewPoint magazine’s new home, www.VerdenViewPoint.com along with the second issue of our digital magazine.

The addition of VerdenViewpoint.com allows us to be more expansive in our copy and enables us to share videos, audio clips, extended interviews and a whole lot more, making the ViewPoint experience truly dynamic.

Breaking down the big issues in healthcare so that you can understand their impact on your practice, both the magazine and the website are just one click away: www.VerdenViewPoint.com

We hope you find the content within engaging, timely and valuable for you and your team. Let us know what topics you’d like to see explored — we would love to hear from you.

 

Susanne Madden, MBA, CCE
President & CEO
The Verden Group | Patient Centered Solutions

Terminating the Physician-Patient Relationship


By Sumita Saxena, Senior Consultant, The Verden Group

It unfortunately can happen to anyone: You go above and beyond to provide your patients excellent care with uncompromising accessibility, and yet something somewhere goes wrong and the relationship quickly deteriorates. After trying your best to mend the problem it becomes clear – the relationship has broken down beyond repair and for whatever reason you reach the tough decision to terminate the patient from the practice.

Before you act and send notice, please take a look at some helpful steps we have compiled for you to consider as you navigate this difficult subject.

Step One:  Try to Work It Out With Your Patient.  Practically speaking, when faced with a difficult patient situation, the best course of action is to avoid a unilateral termination of the physician/patient relationship by addressing the problem quickly. Communication is the key. The patient should be advised of the situation and given a reasonable opportunity to correct the problem. You should make it clear that failure to correct the problem may result in the dismissal of the patient from the practice.

Step Two:  Review the Applicable State Medical Licensing Rules. State licensing boards govern the practice of medicine and the relationship between a physician licensed in that state and his or her patients. Accordingly, it is essential to review the medical board rules carefully before you terminate a patient from your practice.

Step Three:  Consider AMA Guidance. The American Medical Association (the “AMA”) has provided guidance on terminating the physician/patient relationship. According to the AMA’s Code of Medical Ethics, physicians have the option of terminating the physician/patient relationship, but they must give sufficient notice of withdrawal to the patient, relatives, or responsible friends and guardians to allow another physician to be secured.

The AMA recognizes that there are times when a physician may no longer be able to provide care to a certain patient, including when the patient refuses to comply, is unreasonably demanding, threatens the physician or staff, or otherwise is contributing to a breakdown of the physician/patient relationship. According to the AMA, terminating a physician/patient relationship is ethical as long as the proper procedures are followed.

The AMA has given the following advice for the termination process:

  1. Giving the patient written notice, preferably by certified mail, return receipt requested;
  2. Providing the patient with a brief explanation for terminating the relationship (this should be a valid reason, for instance non-compliance, failure to keep appointments);
  3. Agreeing to continue to provide treatment and access to services for a reasonable period of time, such as 30 days, to allow a patient to secure care from another person (a physician may want to extend the period for emergency services);
  4. Providing resources and/or recommendations to help a patient locate another physician of like specialty; and
  5. Offering to transfer records to a newly designated physician upon signed patient authorization to do so. American Medical Association (AMA), “Ending the Patient-Physician Relationship,” http://www.ama-assn.org/ama/pub/physician-resources/legal-topics/patient-physician-relationship-topics/ending-patient-physician-relationship.page

Step Four:  Check Your Payer Contracts and Policies.   A physician who is a participating provider (under contract) with the patient’s insurer (commercial or government payer) may be obligated to notify the payer and comply with additional requirements. You should review your provider contract(s) and policies in order to determine if the payer has a policy on patient termination. For example, some insurance carriers require 60 or 90 days notice before dismissal (as compared to the 30 days notice required pursuant to certain state laws) and some require prior written notice to the carrier to enable the carrier to contact the patient.  There also may be specific requirements concerning pregnant or mental health patients. Medicare, Medicaid, and other government payers have strict policies on terminating a patient that should be reviewed before terminating a governmental plan beneficiary.

Step Five:  Review Your Malpractice Carrier Requirements.  Some medical malpractice insurance carriers have adopted rules or recommendations for terminating the physician/patient relationship. Accordingly, you should review your malpractice policy or contact the malpractice carrier when establishing the procedure for terminating the physician/patient relationship.

Step Six:  Send Written Notification to Your Patient.  You should send written notification advising the patient that he or she is terminating the patient relationship. The notification should comply with the licensing board’s rules and the requirements of the applicable payer and the your malpractice carrier. Ideally the patient notification should be prepared or reviewed by experienced counsel before sending to the patient.

Step Seven:  Provide Continuity of Care.  You should ensure that you provide the proper continuity of care when dismissing a patient from your practice, including any requirements under state licensing rules, their payer contracts and their malpractice policy. The AMA guidance recommends that the physician provide the patient with resources and referrals for other sources of care.

Step Eight:  Do not Charge for Patient Records.  A physician who terminates his or her relationship with a patient should not charge the patient for copying the patient’s medical records.

Step Nine:  Consider Risk Management.  Additionally, you should perform a risk management analysis before terminating the physician/patient relationship. You should consider the possibility (even if the patient’s position is without merit and you will ultimately be successful) of patient complaints, disciplinary investigations, litigation, or other action initiated by disgruntled patients.

Step Ten:  Establish a Set Policy on Patient Terminations and Train Staff on the Policy.  In order to avoid any potential issues with former patients, the practice should have a set policy in place for the termination of the physician/patient relationship, including a sample termination letter.  The policy should be applied to patients consistently and without discrimination.  The staff should be trained on the policy and should document compliance with the policy.

By following the above steps you can be proactive and diligent in mitigating your risk if such a situation ever arises with a patient.

Looking Back: Meaningful Use Stage 1 Audits


By Jose Lopez, Senior Consultant, The Verden Group

In our most recent blog post on Meaningful Use, we looked ahead to potential Stage 3 Attestation requirements. In this post, we’ll take a step back and discuss proper Stage 1 Meaningful Use Attestation documentation and the ugly truth no one wants to hear: CMS plans to audit one in every 20 meaningful use attesters. On the Centers for Medicare and Medicaid Services (CMS) Registration & Attestation Page, CMS states, “any provider who receives an electronic health record (EHR) incentive payment for either the Medicare EHR Incentive Program or the Medicaid EHR Incentive Program may be subject to an audit.”

Meaningful Use Audit Process

Through the use of contractors, CMS will perform audits on Medicare and dually eligible (Medicare and Medicaid) providers. Individual states (through the use of their own contractors) will also perform audits on Medicaid providers. CMS and individual states will also manage appeals processes.

If you are audited, you will receive a letter via email from the audit contractor (using a CMS email address) that will include the audit contractor’s contact information. This letter will be sent to the email address provided during registration for the EHR Incentive Program, so be sure your email address is kept updated.

TVG Pro Tip: Use a general practice email address to prevent missing this important email due to employee or provider turnover!

The letter will request, at a minimum, the following four types of data for the audit (see further below for our recommendations on what documentation to keep):

  1. ONC-ATCB Certification Documentation from the Office of the National Coordinator for Health IT showing the provider used a certified EHR system for Meaningful Use attestation.
  2. Supporting documentation used by the provider to attest for the Core Set of Meaningful Use criteria.
  3. Supporting documentation used by the provider to attest for the Menu Set of Meaningful Use criteria.
  4. FOR HOSPITALS: Information about the method used to report emergency department admissions, which affects some of the hospital measures.

You will only be given two weeks to submit the request information. The initial review process will be conducted by the audit contractor based upon the information submitted. Additional information might be needed during or after this initial review process, and in some cases an on-site review at the provider’s location could follow. A demonstration of the EHR system could be requested during the on-site review.

If, based on an audit, a provider is found to not be eligible for an EHR incentive payment, the payment will be recouped.

If an eligible professional (EP) or hospital participating in the Medicare EHR Incentive Program chooses to voluntarily change or withdraw their attestation, an attestation amendment form or incentive payment attestation withdrawal form must be completed and sent back along with any incentive payments already received:

Appeals

CMS has an appeals process for eligible professionals, eligible hospitals and critical access hospitals that participate in the Medicare EHR Incentive Program. For general questions and for information on how to file an appeal, please visit the EHR Incentive Programs Appeals page.

States will implement appeals processes for the Medicaid EHR Incentive Program. For more information about these appeals, please contact your State Medicaid Agency.

What should I do now to ensure proper Meaningful Use Documentation?

Providers selected for an audit will have only two weeks to collect and submit documentation so it’s important that providers collect and keep MU Attestation documents at the time of attestation and not wait until an audit happens to try to scramble and retroactively demonstrate successful attestation.

Providers can be audited up to six years following attestation, so practices should keep these audit-ready files available for each year that each individual provider attests for an EHR Incentive payment. Audit documents may be maintained electronically or in paper form.

TVG Pro Tip: To prevent the risk of modification to audit documents, save documents in a format that is not modifiable such as a locked PDF and/or paper copy.

The primary documentation that will be requested in all reviews is the source document(s) that the provider used when completing the attestation. This document should provide a summary of the data that supports the information entered during attestation. Ideally, this would be a report from the certified EHR system, but other documentation may be used if a report is not available or the information entered differs from the report.

This summary document will be the starting point of most reviews and should include, at minimum:

  • The numerators and denominators for the measures;
  • The time period the report covers;
  • Evidence to support that it was generated for an eligible professional, eligible hospital, or critical access hospital.

The California Health Information Partnership and Services Organization has made available a http://calhipso.org/HealtheServices/MU_Audit_Preparation_Checklist_V1.4.pdf to help providers prepare for a CMS audit of Stage 1 Meaningful Use attestation. This checklist can help providers organize these records, but utilization of this checklist does not guarantee the EP will pass a CMS Audit.

If you would like assistance with this process, the Verden Group can help. Contact us today for help with collecting and documenting your Meaningful Use Attestation so they will be on hand in the event of an audit.