An RSS Feed from melniklegal.com

Eligible Professionals May Apply for a Hardship Exception from Meaningful Use Penalties

Sun, 15 Dec 2013 17:59:56 EST

As part of the American Recovery and Reinvestment Act of 2009 (ARRA), Congress mandated that payment adjustments be applied to Medicare eligible professionals (EPs) who are not meaningful users of Certified EHR Technology under the Medicare EHR Incentive Programs.

Medicare EPs who are not meaningful users will be subject to a payment adjustment beginning on January 1, 2015.

But, exceptions are available under certain limited circumstances.

Which practitioners are subject to MU payment adjustments and when do the payment adjustments begin?

EPs who participate in the Medicare EHR Incentive Program.
EPs who can participate in either the Medicare or Medicaid EHR Incentive Programs.
These payment adjustments will be applied beginning on January 1, 2015, for Medicare EPs.

Which practitioners are NOT subject to MU payment adjustments?

Medicaid EPs who can only participate in the Medicaid EHR Incentive Program and do not bill Medicare.

How much are the payment adjustments and how are they applied?

The payment adjustment will be applied to the Medicare physician fee schedule (PFS) amount for covered professional services furnished by the EP during the year (including the fee schedule amount for purposes of determining a payment based on the fee schedule amount).

The payment adjustment is 1% per year and is cumulative for every year that an EP is not a meaningful user. Depending on the total number of Medicare EPs who are meaningful users under the EHR Incentive Programs after 2018, the maximum cumulative payment adjustment can reach as high as 5%.

For additional details on MU payment adjustments, please see the Payment Adjustments and Hardships Exceptions Tipsheet for Eligible Professionals released by CMS.

Are there any payment adjustment exceptions available for Medicare EPs who cannot meet MU deadlines?

Yes. EPs who cannot meet MU deadlines may be eligible to receive a hardship exception from CMS. But, CMS has explained that these exceptions will be granted only under specific circumstances and only if CMS determines that providers have demonstrated that those circumstances pose a significant barrier to their achieving meaningful use.

Hardship exceptions are available in the following categories:

Infrastructure - EPs must demonstrate that they are in an area without sufficient internet access or face insurmountable barriers to obtaining infrastructure (e.g., lack of broadband).
New EPs - Newly practicing EPs who would not have had time to become meaningful users can apply for a 2-year limited exception to payment adjustments. Thus EPs who begin practice in calendar year 2015 would receive an exception to the penalties in 2015 and 2016, but would have to begin demonstrating meaningful use in calendar year 2016 to avoid payment adjustments in 2017.
Unforeseen Circumstances - Examples may include a natural disaster or other unforeseeable barrier.
Patient Interaction - Lack of face-to-face or telemedicine interaction with patients; Lack of follow-up need with patients.
Practice at Multiple Locations - Lack of control over availability of CEHRT for more than 50% of patient encounters

CMS will be providing additional details on the requirements and application process in the future.

Target's Data Breach Costs Reach $148 Million

Wed, 06 Aug 2014 09:51:19 EST

In a Press Release issued on August 5, 2014, Target Corporation announced that its costs to address the December 2013 data breach have reached approximately $148 million. This number is "partially offset by a $38 million insurance receivable,"[1] of the $100 million network security insurance coverage available.[2]

The Company further noted that, "[e]xpenses for the quarter include an increase to the accrual for estimated probable losses for what the Company believes to be the vast majority of actual and potential breach-related claims, including claims by payment card networks." In its 10-Q report from May 29, 2014, Target advised that it expects these claims to "include amounts for incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) that the payment card networks believe they or their issuing banks have incurred."[3] Interestingly, Target specifically noted that, "[w]hile an independent third-party assessor found the portion of [its] network that handles payment card data to be compliant with applicable data security standards in the fall of 2013, the forensic investigator working on behalf of the payment card networks claimed that [Target was] not in compliance with those standards at the time of the Data Breach."[4]

As of May 29, Target also had more than 100 actions filed against the Company "on behalf of guests, payment card issuing banks, shareholders or others seeking damages or other related relief, allegedly arising out of the Data Breach."[5] Additionally, Target reported that "State and federal agencies, including the State Attorneys General, the Federal Trade Commission and the SEC are investigating events related to the Data Breach, including how it occurred, its consequences and [Target's] responses."[6]

On July 24, 2014, U.S. District Judge Paul Magnuson, U.S. District Court, District of Minnesota, rejected Target's motion to stay discovery in a multidistrict litigation over the data breach. Target requested the stay pending the court's decision on a motion to dismiss that Target intends to file, noting that, "any motions to dismiss will be fully briefed by the end of October in the bank cases and the end of November in the consumer cases."[7] Judge Magnuson ruled that, "[g]iven the Court's practice of issuing rulings on dispositive motions within one month of the hearing date, if not sooner, discovery will have proceeded for only a few months by the time the Court rules on Defendants' motions. Ninety days' worth of discovery does not impose such a burdensome expense to warrant disturbing the case's schedule."[8] Discovery is scheduled to begin in September 2014.

A few comments.... Data breach remediation is clearly expensive. The Target incident is also a good reflection of what we continue to see in the market for both payment card and protected health information related data breaches - numerous class actions combined with federal and state government investigations. Additionally, as noted by Target in its 10-Q report, a third-party vendor found Target in compliance "with applicable data security standards" (presumably PCI-DSS) in fall 2013, but "the forensic investigator working on behalf of the payment card networks claimed that [Target was] not in compliance with those standards at the time of the Data Breach." Organizations storing personally identifiable information, whether it be credit card data or medical records, must carefully assess their risk on a continuous basis.

-------------------------------------------

[1] SEC, Form 8-K, Target Corporation, Aug. 5, 2014, available at https://investors.target.com/phoenix.zhtml?c=65828&p=irol-sec.

[2] SEC, Form 10-Q, Target Corporation, May 29, 2014, p. 9, available at https://investors.target.com/phoenix.zhtml?c=65828&p=irol-sec.

[3] Id. at 8.

[4] Id. at 8.

[5] Id. at 9.

[6] Id. at 9.

[7] In re: Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522, Order, July 24, 2014 (Court Order denying Defendants� Motion to Stay Discovery (Docket No. 125)), available at https://www.mnd.uscourts.gov/MDL-Target/Orders/2014/2014-0724-14MDL2522-Order.pdf.

[8] Id.

-------------------------------------------

Posted by Tatiana Melnik on August 6, 2014

Money doesn't stop technology crashes

Tue, 15 Oct 2013 18:22:27 EST

Skip to the Take-a-Ways

The U.S. government's insurance exchange program is not the only one to experience technological woes. Healthcare IT News and the California Nurses Association recently reported that Sutter Health, a health system in Northern California, experienced some technological woes as well, when its $1 billion dollar EPIC electronic health record (EHR) system crashed, causing patient records to be unavailable at several of its facilities.

The crash happened on August 26, 2013 at approximately 8 a.m. and lasted for a full day. During the crash, doctors and nurses could not access patient records, including medication lists and medical history. According to the California Nurses Association (CNA), the pharmacy backup system also failed.

Several of Sutter Health's facilities were impacted including Alta Bates Summit Medical Center facilities in Berkeley and Oakland, Eden Medical Center facilities in Castro Valley, Mills Peninsula in Burlingame, Sutter Delta in Antioch, and Sutter Tracy and Sutter Modesto, as well as Sutter affiliated doctors' offices and clinics.

According to the CNA, the EPIC system was down for about 8 hours on August 23 for planned maintenance, "during which nurses and other users could read medication orders and patient histories, but not enter new data." The new information "was kept on paper records then re-entered into the computers later."

In its press release, the CNA noted that "[r]eports from RNs throughout Sutter found little or no backup planning by hospital management, inadequate training, and little support during the emergency. . . . All that prevented greater chaos, said [Alta Bates Summit RN Mike] Hill, was the expertise of the RNs who 'knew what to do from experience, not from any direction from management as management was running around not knowing what to do according to the nurses. There was no training for this kind of downtime as it was unplanned. Nurses followed previous downtime training but this was different because there was no ability to see any info on the patient.'"

Sutter Health's spokesperson Bill Gleeson explained to Healthcare IT News that, the system "experienced an issue with the software that manages user access to the EHR . . . This caused intermittent access challenges in some locations. Our team applied a software patch Monday night to resolve the issue and restore access. We regret any inconvenience this may have caused patients[.]"

According to the CNA, the issues with Sutter's EPIC implementation are not new. In a press release issued July 2013, the CNA reported that, RN's at Alta Bates Summit Medical Center facilities in Berkeley and Oakland submitted over 100 reports, where "nurses cited a variety of serious problems with" the EPIC implementation efforts. These problems included:

A patient who had to be transferred to the intensive care unit due to delays in care caused by the computer.
A nurse who was not able to obtain needed blood for an emergent medical emergency.
Insulin orders set erroneously by the software.
Missed orders for lab tests for newborn babies and an inability for RNs to spend time teaching new mothers how to properly breast feed babies before patient discharge.
Lab tests not done in a timely manner.
Frequent short staffing caused by time RNs have to spend with the computers.
Orders incorrectly entered by physicians requiring the RNs to track down the physician before tests can be done or medication ordered.
Discrepancies between the Epic computers and the computers that dispense medications causing errors with medication labels and delays in administering medications.
Patient information, including vital signs, missing in the computer software.
An inability to accurately chart specific patient needs or conditions because of pre-determined responses by the computer software.
Multiple problems with RN fatigue because of time required by the computers and an inability to take rest breaks as a result.
Inadequate RN training and orientation.

Take-a-ways

Stakeholder buy-in - This dispute between Sutter and its nurses is a great reminder of the importance of getting user buy-in when implementing new technology. When users desires are not carefully considered and addressed, the on-boarding process becomes significantly more complicated and leads to animosity and hurt feelings on both sides.

Disaster Training - No technology is fool-proof. Technology is not perfect and crashes should be expected, whether they are due to a software error, natural disaster, or some other reason. Employees must be adequately trained and knowledgeable about the steps that need to be taken in the event of an EHR or other critical software system malfunction. Otherwise, hospital systems and doctors leave themselves open to greater liability in the event of an adverse patient outcome. A Disaster Recovery Plan is required under HIPAA and employee training should be considered in any Disaster Recovery and Business Continuity plan.

Adequate Backup - Critical systems must have adequate backup. Yes, this can be costly, but "critical" indicates that the information technology resources are essential to the function of the particular business. In the case of an EHR system, it is critical in the sense that lives are literally on the line. As such, backup services in these circumstances should be looked at as the cost of doing business and accounted for in annual cost allocations. A Data Backup Plan is a requirement element of HIPAA.

Resources and Supporting Documents

Erin McCann, Setback for Sutter after $1B EHR crashes, Healthcare IT News, Aug. 28, 2013
California Nurses Association, Press Release, Sutter�s $1 Billion Boondoggle-New Electronic Records System Goes Dark, Aug. 27, 2013
California Nurses Association, Press Release, Sutter�s New Electronic System Causes Serious Disruptions to Safe Patient Care at E. Bay Hospitals, July 11, 2013

FTC Announces Agenda for Upcoming Big Data Workshop

Wed, 13 Aug 2014 10:58:57 EST

The Federal Trade Commission continues its focus on Big Data and is hosting a workshop on �Big Data: A Tool for Inclusion or Exclusion?� on September 15 in Washington, D.C.

The workshop will examine the use of big data and its impact on consumers, including low-income and underserved consumers, and will consist of four panel discussions:

Assessing the Current Environment: This panel will examine the current uses of big data in a variety of contexts and how these uses impact consumers.

What�s on the Horizon with Big Data? This panel will explore potential uses of big data as well as the potential benefits and harms for particular populations of consumers.

Surveying the Legal Landscape: This panel will review various antidiscrimination and consumer protection laws and discuss how they may apply to the use of big data, and whether there may be gaps in the law.

Mapping the Path Forward: This panel will explore best practices for the use of big data to protect consumers.

More details and registration information is available on the FTC website here - https://www.ftc.gov/news-events/events-calendar/2014/09/big-data-tool-inclusion-or-exclusion.

Posted by Tatiana Melnik on Aug. 13, 2014

HMA to Repay $31 Million for Improper EHR Claims

Mon, 11 Nov 2013 21:03:06 EST

In a Form 8-K filed with the SEC on November 5, 2013 [1], Health Management Associates, Inc. (HMA) announced that it will restate financial statements to address a repayment of $31 million the company received in EHR Incentive Payments for demonstrating "Meaningful Use" of certified EHR technology. HMA notified CMS and the relevant state programs and is in the process of repaying the funds received from both Medicare and Medicaid.[2]

HMA explained that, "[i]n October 2013, based on the results of an internal review, the Company determined that it had made an error in applying the requirements for certifying its EHR technology under these programs and, as a result, that 11 of the hospitals it had enrolled in the [federal Medicare and various state Medicaid Healthcare Information Technology (HCIT)] programs did not meet the 'meaningful use' criteria necessary to qualify for HCIT payments." As a result, HMA will be restating financial statements for the years ended December 31, 2010, 2011 and 2012 and the quarters ended March 31 and June 30, 2013 to correct the accounting treatment of the payments:

2011 - recognized as income approximately $8.3 million
2012 - recognized as income approximately $17.3 million
2013 (first six months) - recognized as income approximately $5.4 million

HMA also advised that the following filings and reports "should no longer be relied upon" given the errors:

consolidated financial statements contained in

HMA's Annual Report on Form 10-K for the fiscal year ended December 31, 2012
the Quarterly Reports on Form 10-Q for the fiscal quarters ended March 31, 2013 and June 30, 2013

all releases issued by HMA discussing its financial results for December 31, 2012, March 31, 2013, and June 30, 2013
HMA's guidance for fiscal year 2013 issued on July 30, 2013
Ernst & Young LLP reports dated February 27, 2013 on HMA's consolidated financial statements and the effectiveness of HMA's internal control over financial reporting

HMA's story is a good reminder that Meaningful Use payment recipients, particularly those with multiple offices, must take the appropriate steps to audit use to ensure that incentives are not being claimed erroneously. CMS hired Figliozzi and Company to undertake audits on Medicare eligible professionals and eligible hospitals, as well as on hospitals that are eligible for both the Medicare and Medicaid EHR Incentive Programs. CMS made clear in an announcement in February 2013 that it expects eligible professionals, eligible hospitals, and critical access hospitals to "retain ALL relevant supporting documentation (in either paper or electronic format) used in the completion of the Attestation Module responses." [3]

How long the documentation must be retained depends on the type of documents:

Documents that support attestation data for meaningful use objectives and clinical quality measures - retained for six years post-attestation
Documents that support payment calculations (e.g., cost report data) - retention period should follow the current document retention processes.

Companies should review their document retention policies to ensure that the policies are consistent with requirements. If no retention policy is currently in place, now may be the appropriate time to develop such a policy.

[1] Health Management Associates, Inc., Securities and Exchange Commission Form 8-K, Nov. 5, 2013.

[2] Press Release, Health Management Associates, Inc., Nov. 5, 2013.

[3] CMS, EHR Incentive Program, Supporting Documentation for Audits, Updated Feb. 2013.