Proposed Rules Extend EHR Donation Sunsets for Stark and Anti-Kickback

Earlier this month, CMS and OIG proposed amendments to and extension of the temporary Stark exception and Anti-kickback safe harbor for electronic health record (EHR) donations to physicians. The Proposed EHR Rules would extend the deadlines for EHR donations which are set to expire December 31, 2013.

The Proposed EHR Rules come at a perfect time, when many organizations are adopting EHRs for purposes of participating in the Medicare and Medicaid EHR Incentive Programs ("Meaningful Use"). Although the OIG Proposed Rule would extend EHR donations until at least December of 2016, the CMS Proposed Rule contemplates extending EHR donations through December of 2021 to align with the end of Medicaid Meaningful Use. 

The Anti-kickback Statute prohibits referrals for federal health care business.  Certain "safe harbors" provide assurances that certain conduct will not violate the Anti-kickback Statute.  One of these safe harbors, the EHR safe harbor, permitted certain EHR donations of interoperable EHRs and other technology and services. 

The OIG Proposed Rule would:

  • Amend how interoperable EHRs are treated, permitting also certified EHR technology adopted for purposes of Meaningful Use;
  • Remove the e-prescribing capability requirement; and
  • Extend the sunset date of the safe harbor to coincide with the end of Medicare Meaningful Use payments and the last year in which one can begin participating in Medicaid Meaningful Use.

OIG also requests public comment on additional amendments, such as limiting the scope of protected donors to only hospitals, group practices, PDP sponsors and MA organizations.  It also requests comment on modifying or adding conditions to prevent risk of misuse of the EHR safe harbor and limit the risks of data and referral lock-in.

The Stark Law prohibits physician self-referrals for designated health services payable by Medicare.  The Stark Law allows for certain exceptions which an arrangement must fit into. Almost identical to the EHR safe harbor under the Anti-kickback Statute, the EHR exception also allowed for donations of interoperable EHRs. 

Like the OIG Proposed Rule, the CMS Proposed Rule would amend which interoperable EHRs are permitted so as to include those adopted for Meaningful Use, remove the e-prescribing capability requirement, and extend the sunset date of the safe harbor. Both CMS and OIG acknowledged that e-prescribing is adequately provided for by Meaningful Use and the Medicare E-Prescribing Incentive Program.  However, while CMS proposes to extend the sunset date to December 2016, it acknowledges that it is contemplating extending EHR donations through December 2021.

Comments to the EHR Proposed Rules are due no later than 5pm EST on June 10, 2013.


OIG Finds Fault with CMS Meaningful Use Oversight

In a report released on November 29, the Office of Inspector General (OIG) chastised CMS for not doing a better job of pre- and post-payment oversight for the Medicare and Medicaid EHR Incentive Programs (Meaningful Use).  As of September 2012, OIG stated that CMS has paid out approximately $4 billion to eligible professionals (EPs) and hospitals.

In the report, OIG looked at CMS’s oversight of Meaningful Use, examining self-reported data, CMS audit planning documentation, guidance, and regulations, and conducting interviews with key CMS staff.  It found that CMS failed to implement strong prepayment safeguards, and that postpayment safeguards were also limited, criticizing CMS for its reliance on self-reported data and failure to confirm its accuracy.

“CMS determines that professionals and hospitals are meaningful users of certified EHR technology, and therefore qualify for incentive payments, based solely on self-reported information. CMS does not verify that self-reported information is accurate prior to payment. Although CMS is not required to verify the accuracy of this information prior to payment, doing so would strengthen its oversight of the anticipated $6.6 billion in incentive payments. Verifying self-reported information prior to payment could also reduce the need to identify and recover erroneous payments after they are made.”

Problems OIG highlighted included failure to assess whether EPs and hospitals were eligible during the certification process for incentive payments, lack of capability for EHR technology to produce reports for all required measures, lack of guidance as to what documentation is needed to support attestation, and failure to review supporting documentation prior to issuing incentive payments.  Furthermore, OIG noted that CMS does not verify that numerators and denominators entered for all percentage-based measures reflect the actual number of given patients for such measures.

Guess What? OIG DOES Care about EHRs and Meaningful Use

Today marks the last day for hospitals to return an 18-page, 54-question survey inquiring about their EHR practices, security, coding and other potential EHR fraud and abuse vulnerabilities.  Hospitals using certified EHR technology who received Meaningful Use incentive payments between January 1, 2011 and March 31, 2012 received the survey from the HHS Office of the Inspector General (OIG) last week/early this week and were asked to return it by the end of today.

The survey is part of the OIG's 148-page FY2013 Work Plan that summarizes OIG's fraud and abuse focus areas and planned reviews and activities for the year. Whether coincidental or not, the survey's timing comes on the heels of three hotly contested letters surrounding EHRs and the CMS Meaningful Use Incentive Programs. 

First came the warning letter issued by Secretary of the Department of Health and Human Services, Kathleen Sebelius, and U.S. Attorney General, Eric Holder, to hospital associations warning them of EHR fraud and abuse through cloning medical records and upcoding.  This was quickly followed by a letter from House Representatives calling for the suspension of the Meaningful Use program, and then a second letter from four Senators requesting a meeting, by no later than today, to discuss Stage 2 of Meaningful Use.

CMS has explicitly made it clear from the beginning that false claims associated with Meaningful Use will be subject to recoupment of any incentive payments received and may result in further liability. Now, not only will CMS or state Medicaid agencies audit providers to identify payments which were improperly made, but OIG may not be far behind. 

The majority of the survey questions focus on areas that could potentially implicate inappropriate EHR practices, including "copy and paste" functions and policies, diagnoses and procedure coding, physician and nursing progress notes, as well as security practices, such as user authorization and access controls, third-party accesses to EHRs and patient EHR access.  However, it is clear from OIG's Work Plan that it is carefully examining both Meaningful Use payments received by providers and CMS safeguards in place to identify erroneous payments. Likewise, the Work Plan states OIG plans on reviewing OCR oversight activities of HIPAA and HITECH. 

The American Hospital Association is asking all hospitals to copy it on their answers by email at 

August Goes Out with a Bang: Stage 2 Final Rule & HIPAA Arrest

August ended in a whirlwind of federal activity, with CMS and OCR publishing the long-awaited Meaningful Use Stage 2 Final Rule and its accompanying Standards & Certification Criteria.  And, as if Stage 2 wasn't enough excitement, the FBI arrested a former hospital employee for a solicitation scheme involving improper access to and sale of emergency department patient records.

Much dissected since their release on August 22 by CMS and OCR, the Meaningful Use Stage 2 Rules brought few surprises to those familiar with the Notices of Proposed Rulemaking (NPRMs) released back in March. In addition to formally delaying Stage 2 to 2014, the Final Stage 2 Rule limits the reporting period to 90 days for 2014 for ALL providers REGARDLESS of the Stage they are in.

While CMS took into consideration, and incorporated some revisions as a result of, public comment, the majority of the NPRMs carried over into the Final Rules (see my previous post on the Stage 2 NPRMs).  EPs now must report on 17 core and 3 out of 6 menu objectives, while hospitals and CAHs must report on 16 core and 3 out of 6 menu objectives.  Likewise, EPs must report on 9 out of 64 CQMs, and hospitals and CAHs report on 16 out of 29 CQMs.   The majority of Stage 1 menu objectives and measures became core, and several Stage 1 core objectives and measures were consolidated into a single objective and measure(s), or eliminated (for example, "exchange of key clinical information" eliminated in favor of a new and more robust "transitions of care summaries" objective). 

Public comments highlighted the concerns many providers had with new Stage 2 patient engagement requirements: those requiring patients utilize secure messaging with their providers (EPs) and online access to, viewing, and downloading of health information (EPs, hospitals and CAHs).  Although the requirements were not eliminated, CMS reduced the associated measure thresholds from 10% to 5%.  In addition, CMS reduced the measure thresholds of certain other objectives, including for electronic exchange of summary care records.  Another area of concern reflected in the public comments, the electronic exchange of summary care records objective was also modified by CMS in response to such concerns to require at least one successful electronic exchange to a different EHR technology or a successful test with a CMS designated test EHR during the applicable EHR reporting period. 

CMS has released several tipsheets and guidance documents to help EPs, hospitals and CAHs participating in the Medicare and Medicaid EHR Incentive Programs in understanding the new requirements for Stage 2, as well as those amendments to certain Stage 1 requirements. Additional information regarding Stage 2 can be found on CMS' new Stage 2 webpage.   

To add to August's excitement, a former employee at Florida Hospital's Celebration Health was arrested by the FBI for accessing patient emergency department records and selling those related to motor vehicle accidents.  According to the FBI criminal complaint, the former employee was fired back in July 2011, but for an unrelated incident involving accessing without authorization the medical records of a physician who had been shot and killed in a Florida Hospital parking garage.

However, prior to his termination with Celebration Health, the former employee, Dale Munroe (along with his wife and a co-worker) improperly accessed over 750,000 patient emergency department records at the various Florida Hospital locations, allegedly then selling those records that related to a car accident to an entity, S.K.  In turn, S.K. would sell the information to an entity or entities that solicited and referred patients for chiropractors and attorneys.  Patients whose information was allegedly sold would receive a phone call shortly after their emergency department visit. 

After Munroe was terminated, his wife and co-worker continued to access patient records.  After the hospital was notified by an employee who had received a solicitation call, the wife and co-worker were also fired, and a breach reported in 2011.  While the hospital was conducting audits in response to the breach, it discovered the depth of Munroe's actions prior to his termination.  Since then, the actions of these three individuals have been under investigation. 

Munroe is the only one who has been arrested so far. The complaint alleges violations of the criminal provisions of HIPAA at 1320d-6(a) and 1320d-6(b)(3) for intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, which carries with it a fine of not more than $250,000, imprisonment of not more than 10 years, or both.  While over 750,000 records were improperly accessed, only approximately 12,000 records are believed to have been viewed in depth and sold. 

HHS Partners with Private Sector to Combat Healthcare Fraud

On Thursday, July 26, the Department of Health and Human Services (HHS) announced a new partnership between the public and private sectors to stomp out healthcare fraud.  With HHS funding, federal, state and private organizations have teamed up to help identify and prevent healthcare fraud through information-sharing and cooperation, along with resources afforded by the Patient Protection and Affordable Care Act (ACA) for anti-fraud activities. 

In the official press release, Secretary Sebelius stated,

"This partnership puts criminals on notice that we will find them and stop them before they steal healthcare dollars.  Thanks to this initiative today and the anti-fraud tools that were made available by the health care law, we are working to stamp out these crimes and abuse in our health care system."

According to the FBI, over $80 billion is lost each year due to healthcare fraud; however, efforts over the past 3 years have resulted in recovery of $10.7 billion. Over 20 federal, state and private organizations have joined forces under this new partnership, including:

  • United States Department of Justice;
  • Centers for Medicare & Medicaid Services;
  • Federal Bureau of Investigation;
  • National Association of Medicaid Fraud Control Units;
  • New York Office of the Medicaid Inspector General;
  • Blue Cross Blue Shield Association;
  • AmeriGroup Corporation;
  • Humana Inc.; and
  • United Health Group.

Initial committee meetings are set to begin in September, with workgroups working to finalize the operational structure and initial work plan of the partnership.  Potential goals include sharing information on billing codes, geographic fraud hotspots and specific fraud schemes to prevent losses before they occur, identifying and stopping payments billed on the same day for the same patient, in different cities to different insurers, as well as utilization in the future of technological solutions and analytics to predict and detect fraud schemes. 

OIG Releases New Fraud and Abuse Advisory Opinion Involving EHR Data Exchange

On December 7, 2011, the Office of the Inspector General (OIG) released an Advisory Opinion regarding a proposed coordination service to facilitate the electronic exchange of data for patient referral purposes.  A health IT company requested the opinion to determine whether its proposed services would be subject to OIG sanctions or civil monetary penalties (CMP) under the Anti-kickback Statute (AKS). The AKS makes it a criminal offense to knowingly and willfully offer, pay, solicit or receive any remuneration to induce or reward referrals of items or services which are reimbursable by a Federal health care program.

Three types of services were offered by the health IT company: billing services, electronic health record (EHR) management services, and automated messaging services for communicating with patients.  These services could be purchased as a package deal or on a monthly basis for a subscription fee.  The Proposed Arrangement, however, would provide a new service that would provide coordination services for referrals and managing patients receiving services from other health care professionals (the "Coordination Service"). 

Through the Coordination Service, a trading partner could send referrals as well as all necessary medical records in addition to insurance and billing information.  The patient information would be accessed and exchanged through an electronic database network.  Although purchase of the EHR services offered by the health IT company was required in purchasing the Coordination Services because of the need for all patient medical, demographic and other information contained within to be available for referral purposes, the Proposed Arrangement would offer a discount on a monthly EHR subscription fee of approximately 25-35%. Other transmission, functionality and service fees would be assessed, depending upon the complexity of the services performed and per referral.

Although the Proposed Arrangement did not fit into an AKS Safe Harbor, the OIG determined it would not impose administrative sanctions upon the health IT company if it proceeded with offering the Coordination Services.  Although health care professionals were paying fees in connection with the receipt and transmission of referrals, these did not result in enhanced access to a referral stream.  Health care professionals also were not required to enter into an agreement with the health IT company or purchase the Coordination Service in order to receive a referral through the network.

In addition, the fees reflected the fair market value of the services provided and were based upon the level of services that were provided, as well as assessed regardless of whether a patient followed through on a referral and actually received the referred services, therefore distinguished from traditional per-click success fees. The Opinion stated that the independent value provided by the services which were actually paid for was unrelated to inducing referrals, and fees charged,

would not vary based on the value of the items or services that a receiving health professional might ultimately provide to Federal health care program beneficiaries.

OIG Advisory Opinions may only be legally relied upon by the party requesting the opinion but can prove useful guidance to other entities in structuring arrangements to comply with the Anti-kickback Statute. You can read the full Advisory Opinion here.  CMS also issues Advisory Opinions pursuant to its authority under the Stark physician self-referral laws.   


The IRS/DOJ/FTC Weigh-in on ACOs

Following the release of the CMS proposed ACO rule, the IRS has released a notice requesting comment whether existing guidance for tax-exempt organizations seeking to participate in the Medicare Shared Savings Program as ACOs is sufficient and whether additional, and what, guidance may be needed. 

Released along with the CMS Proposed ACO Rule, the Department of Justice (DOJ) and the Federal Trade Commission (FTC) joint Proposed Antitrust Policy Statement is available regarding antitrust enforcement for ACOs.  The proposed statement sets forth and requests public comment on a proposed "safety zone" for certain ACOs as well as an expedited review process.  It coordinates antitrust competition analysis with CMS's review of ACO applications to ensure necessary guidance is available for the formation of procompetitive ACOs.

For some "light" weekend reading, check out all the documents related to the coordinated efforts of the agencies:

CMS Proposed ACO Rule

CMS/OIG Joint Notice of Potential Fraud and Abuse Waivers

DOJ/FTC Proposed Antitrust Policy Statement

IRS Solicitation of Comments


"Soon" becomes Now - CMS releases long-awaited ACO Rules

The long wait is finally over.  The Centers for Medicare and Medicaid Services finally released the much anticipated Accountable Care Organization (ACO) proposed rules today after lengthy delays and promises that the rules would be out "soon."  The proposed rules set forth the requirements for the Medicare Shared Savings Program and are expected to clarify many questions about how ACOs will operate and receive incentive payments under the Shared Savings Program. 

The HHS Office of the Inspector General (OIG) has also released a notice and request for public comment on proposed fraud and abuse waivers for application of Stark, the Anti-kickback Statute and certain civil monetary penalties (CMP) law provisions to ACOs. The Secretary is authorized to waive these laws as necessary to implement the Shared Savings Program.  The Federal Trade Commission (FTC) and the Department of Justice (DOJ) are also expected to weigh in on the antitrust implications for ACOs.