Health Law Blog - Healthcare Legal Issues

Archive for the ‘Electronic Health Information’ Category

Faxing Patient Health Information to Wrong Number – Compliance Risk Area

Tuesday, March 13th, 2018

Physician Revises Faxing Procedures to Safeguard PHI After Faxing PHI to Employer by Mistake

A medical office recently settled with OCR after it allegedly disclosed a patient’s HIV status when the office mistakenly faxed medical records to the patient’s place of employment instead of to the patient’s new health care provider.  The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient.  To resolve this matter, OCR also required the practice to revise the office’s fax cover page to underscore a confidential communication for the intended recipient. The office informed all its employees of the incident and counseled staff on proper faxing procedures.

Two things pop out about this instance.  First, this was clearly a privacy violation.  The patient’s protected health information, which incidentally revealed his or her HIV status, was sent to the employer.  Secondly, it was evident from the facts that this was a mistake.  We aren’t told exactly how this mistake was made.  Was the fax number written down in the wrong box on the patient’s records?  Did the employee who faxed the records put the incorrect number on the fax cover sheet?  We may never know.  But this does raise the importance of being precise at all stages of the patient encounter to assure that no inadvertent violations occur.  Care should be taken when information about the patient is initially entered into the system.  Individuals at all levels who may be responsible for transmitting PHI must be deliberate about their actions.  How many people have called or faxed something to the wrong person before?  How many people have written down the wrong telephone or fax number before?  Everyone?

This OCR settlement just illustrates that sometimes these small errors can have big implications.  There do not appear to have been any significant fines or loss of employment in this situation.  But we cannot downplay the potential embarrassment or other negative consequences of mistakes like these.  It is one thing to text your friend Bob rather than your friend Bobbie, and weirdly from Bob’s perspective say how wonderful last night was and how you can’t wait to see him again.  Telling a patient’s employer about their health condition can have consequences that are much harder to laugh off.

Written Agreement Requirement for Disclosure of Part 2 Records

Wednesday, January 31st, 2018

Disclosure of Part 2 Records for Payment or Health Care Operations Requires Written Agreement

Regulations issued by SAMHSA in January of 2018 permit a lawful holder of Part 2 Records (relating to alcohol or substance abuse treatment) to disclose those records, with written consent of the patient, to its contractors, subcontractors, or legal representatives to carry out payment or healthcare operations on behalf of the lawful holder. The regulations list 17 examples of situations where a release may be considered appropriate. Disclosures to contractors, subcontractors, and legal representatives to carry out other purposes such as substance use disorder patient diagnosis, treatment, or referral for treatment are not permitted under the new rule.

In order to take advantage of the rule permitting disclosure for payment and/or health care operations, the lawful holder of the information is required to have in place a written contract or comparable legal instrument with the contractor or voluntary legal representative, which provides that the contractor, subcontractor, or voluntary legal representative is fully bound by the provisions of part 2 upon receipt of the patient identifying information.

In addition to having a proper contract in place, when making any such disclosures, the lawful holder must take the following further steps:

  • furnish such recipients with the notice required under § 2.32 of the regulations;
  • require such recipients to implement appropriate safeguards to prevent unauthorized uses and disclosures; and
  • require such recipients to report any unauthorized uses, disclosures, or breaches of patient identifying information to the lawful holder.

The lawful holder may only disclose information to the contractor or subcontractor or voluntary legal representative that is necessary for the contractor or subcontractor or voluntary legal representative to perform its duties under the contract or comparable legal instrument. Contracts may not permit a contractor or subcontractor or voluntary legal representative to re-disclose information to a third party unless that third party is a contract agent of the contractor or subcontractor, helping them provide services described in the contract, and only as long as the agent only further discloses the information back to the contractor or lawful holder from which the information originated.

Disclosures for Specific Payment or Health Care Operations Purposes (§ 2.33)

Wednesday, January 31st, 2018

Part 2 Records –  Specific Payment or Health Care Operations Purposes (§ 2.33)

Special restrictions apply to health information that is restricted under SAMHSA rules.  These rules protect patient information involving substance and alcohol treatment in Federal programs.  SAMHSA requirements are much more restrictive than HIPAA rules and must be considered, not only by substance abuse programs, but also by providers and others who may receive these records and are subject to strict re-disclosure prohibitions.

The 2018 Rules finalize the scope and requirements for permitted disclosures to contractors, subcontractors, and legal representatives for the purpose of payment and health care operations. SAMHSA lists 17 specific types of payment and health care operations activities for which the minimum necessary information may be disclosed. The 17 specific activities are listed in the preamble, rather than the regulatory text, as examples of potentially permissible disclosures.
SAMHSA states that its intent is for other appropriate payment and health care operations activities to be permitted beyond the 17 listed activities. In addition, consistent with SAMHSA’s prior statement in the SNPRM preamble, SAMHSA has added language to the regulatory text in § 2.33(b) to clarify that disclosures to contractors, subcontractors, and legal representatives are not permitted for activities related to a patient’s diagnosis, treatment, or referral for treatment. The rules require lawful holders of restricted information who engage contractors or subcontractors to carry out payment and health care operations activities to include specific contract provisions addressing compliance with part 2. Additionally, language was added to the regulation to clarify that disclosures to contractors, subcontractors, and legal representatives are not permitted for substance use disorder patient diagnosis, treatment, or referral for treatment.

CMS Position On Texting Physician Orders

Monday, January 29th, 2018

Texting of Physician Orders : CMS Statement Clarifies Position on Texting

The CMS Center for Clinical Standards and Quality/Survey & Certification Group recently released a Memorandum clarifying its position regarding texting of health care information. In S&C 18-10-ALL, dated December 28, 2017, CMS clarifies the following issues:

  • Texting of PHI Within Health Care Team.  CMS says that this is permissible on a secure platform.  Providers should develop policies covering texting among the care team.  Providers may want to consider special conditions, or even limiting or prohibiting this practice.  CMS, HIPAA and other standards need to be considered when developing provider specific policy.  State laws may differ and certain types of information may be subject to special restrictions.
  • Texting of Patient Orders.  Even though texting communication between care team members is permissible, CMS clarifies that texting patient orders is always prohibited, even on a secure platform.
  • Preferred Use of CPOE.  CMS clarifies that Computerized Provider Order Entry (CPOE) is the preferred method for a provider to enter a patient order.  Providers should review their policies regarding acceptable order platforms.  Special attention should be paid to texting practices.  Verbal orders are also an area of significant compliance and liability concerns.  Over-use of verbal orders and non-compliance with authentication requirements is very common and is a significant risk area.

You can reference the CMS Texting Guidance Letter on this issue directly.

I have been posting a series of articles on compliance issues relating to physician orders that you can also reference for additional guidance.  And as always, if you have additional questions, please do not hesitate to contact me through the contact form on this blog or directly through contact information on my law firm web site.

 

Physician Orders Legal and Regulatory Article Series

Physician Order Reimbursement Issues

Physician Orders – Why Are They So Important?

The Verbal Order Minefield

Authenticating Verbal Orders : Compliance Requirements

Third Party Authentication of Verbal Orders

Physician Order – CMS Guidelines on Texting Physician Orders

 

Verbal Orders Documentation and Authentication

Wednesday, January 24th, 2018

The Verbal Order Minefield

Physicians often provide orders over the telephone in cases where action must be taken immediately. For example, verbal orders must be given when a physician is on call or off duty and an issue arises that requires staff to take immediate action. Physician orders are generally effective when they are given, subject to appropriate documentation. Verbal orders are effective when provided verbally, but must be properly recorded in the medical records and authenticated or signed by the ordering physician.

Verbal Order Policies and Procedures

Normally, the facility will have policies in place that provide guidance on how staff should handle verbal orders. Those policies will define who is authorized to receive a verbal order from a physician as well as the process for taking a verbal order. Many facilities use a “read-back” requirement that requires the provider who receives the order to read the order back to the physician and receive confirmation. The receiving provider is required to document the receipt of the verbal order in the chart.

Over-use of Verbal Orders

Medicare policy (and many state laws) clarifies that verbal orders are not to be used as common practice. Verbal orders are not to be used for the convenience of the physician, but only when the patient’s condition or status requires immediate attention and when it is impossible or impractical to enter the order without creating unacceptable delays in needed treatment. Even though verbal orders are to be used infrequently under Medicare policy, their use has become very commonplace in many facilities. Frequent use of verbal orders increases risk in a variety of ways. Verbal orders leave room for error. This can be mitigated by using a read-back process, but risk of misinterpretation or incorrect fulfillment will be enhanced when verbal orders are used. Verbal orders contribute significantly to the risk of medication error and a variety of other potential adverse patient incidents.

Another significant risk of using verbal orders relates to the need to meet authentication requirements. CMS rules direct medical reviewers to disregard orders that are not properly authenticated. All orders, including verbal orders, are required to be dated, timed, and authenticated promptly by the ordering practitioner.

Authentication of Verbal Orders by Ordering Physician

In terms of timing, Medicare guidance requires the ordering physician to sign the verbal order promptly. Some states, such as Wisconsin, require the ordering physician to sign the order within 24 hours of providing the verbal order. Medicare ties into state law requirements in this area. This is an area of significant potential risk for a facility where physicians routinely use verbal orders during off-shift times. It can be days before the physician is back at the facility. It used to be that reviewers provided a lot of slack on the follow-up physician signature requirement. With the integration of electronic medical records and the use of electronic signatures, the timing requirements for physician signatures on verbal orders are enforced strictly.

CMS has gotten a bit more lenient on certain delayed medical record entries. Amendments, corrections, and delayed medical record entries are now given credit in medical review. This leniency does not apply with respect to certain types of physician orders. For example, late or corrected entries to support orders for inpatient admission or outpatient observation services are not accepted and are treated as if they do not exist on medical review. Again, failure to properly and timely authenticate an “order,” in contrast to an “entry,” has reimbursement implications. This makes it critical to assure that orders are completely documented. Verbal order use should be limited to appropriate cases. Verbal orders are over-used in many facilities. When verbal orders are used, prompt authentication requirements should be enforced. Strict time limitations may exist under state law. For example, Wisconsin requires verbal orders to be signed by the ordering provider within 24 hours.

Vendor Delays Hardship EHR Meaningful Use Implementation Standards

Monday, March 24th, 2014

CMS Recognizes Hardship Exemption From Meaningful Use Standards

The American Recovery and Reinvestment Act of 2009 mandates a reduction in payments to eligible Medicare providers who have not met meaningful use standards for electronic health record technology.  Payment adjustments begin October 1, 2014, for hospitals and January 1, 2015, for Medicare eligible professionals.

CMS has created a hardship exception that permits providers to request an exemption from the payment adjustments in certain circumstances.  The hardship exemption lasts for one payment year.  A provider can be granted up to five years’ worth of hardship exceptions but must reapply on a yearly basis.

In order to be granted a hardship exception, providers must prove that special circumstances pose a significant barrier to their achieving meaningful use.  A few of the circumstances where hardship may be considered include the following:

  • Being located in an area without sufficient internet access or with other insurmountable infrastructure barriers.
  • Professionals who are new to the practice and who have not had time to become meaningful users can apply for a two-year limited exception to the payment adjustment rules.
  • Certain other unforeseen circumstances such as natural disasters or other unforeseeable impediments to meeting standards.

Recently, CMS added a new potential hardship for providers who are faced with EHR vendor issues.  In order to be eligible for the vendor exemption, a provider must demonstrate that circumstances are beyond its control and must explicitly outline these circumstances and indicate how they significantly impaired the ability to meet meaningful use standards.

The standards applied to receive a hardship exemption are fairly narrow and can be difficult to meet.  However, providers who see potential significant impediments to their implementation of meaningful use should begin to consider the possibility of applying for hardship exemption.  If the hardship exemption is going to be based upon EHR vendor difficulties, the implementation difficulty should be clearly documented.  At the time of application for a hardship exemption, the complete circumstances involved in the vendor relationship will need to be described to CMS.

If you have any further questions regarding electronic health record information or other health law questions, please contact John Fisher, II of our health law practice.

EHR Donation Program Extended Through 2021 – Clinical Laboratory Companies Excluded

Monday, December 30th, 2013

Electronic Health Record Donation – Final Rules Issued By CMS and OIG

Qualified Donations Extended Through 2021

Clinical Laboratory Companies Excluded As Donors

Just before the current rule was due to expire, the Centers for Medicare and Medicaid Services released final regulations on electronic health record donations.  The existing rule, which was set to expire on December 31, 2013, permitted hospitals and other providers of Stark Law “designated health services” to make donations of electronic health records software that meets certain requirements to physicians and physician groups.  The new final rule was released on December 27, 2013.  A similar rule was released by the Office of Inspector General addressing the Anti-kickback issues presented by donation arrangements.

The final rule adopts most of the changes that were proposed in draft rules that had been previously released in April 2013.  For example, the rule extends the expiration date of the EHR donation exception from December 31, 2013, to December 31, 2021.  The final rule also removes some of the previous requirements that qualifying software contain electronic prescribing capacity.  The proposed regulations in April raised the possibility of excluding certain types of designated health service providers from qualification to offer EHR donations to physicians.  Comments were solicited on whether providers such as clinical laboratories and durable medical equipment providers should be permitted to offer donations to referring providers.  In the final rules, only clinical laboratory companies are excluded from the ability to offer EHR donations under the exception.

The revised rule also clarifies some issues regarding restrictions on the use, compatibility, and/or interoperability of donated items.  Since 2006, there has been an exception to the Stark Law protecting certain arrangements involving inter-operable electronic health records software or information technology and training services (the “Donation Exception”).  The Donation Exception provides an exception from the physician self referral laws for certain arrangements involving inter-operable electronic health records software or information technology and training services.  Absent such an exception, the value of qualifying technology that is donated by a hospital or other provider of “designated health services” would create a compensation arrangement that would trigger a violation of the Stark Law.

 

Model Patient Privacy Notice Forms Privacy Rule Compliance

Thursday, September 19th, 2013

Patient Privacy Notice Forms

The HIPAA Privacy Rule gives individuals a fundamental right to be informed of the privacy practices of the health care providers and their privacy rights with respect to their personal health information. Providers are obligated to provide patients with a clear and concise description of their rights.

The HHS Office for Civil Rights and Office of the National Coordinator for Health Information Technology have released model Notices of Privacy Practices for health care providers and health plans. The model was created by collaboration between the two agencies with jurisdiction over patient privacy issues. The models express the views of these agencies concerning what health care providers should be communicating to their patients.

The Model Notices can be found at the following page of the HHS web site. Model Privacy Notices

It is notable that the model Notices of Privacy are not as in depth as the forms that have been used by many health care providers in the past. There is a simplicity to the model which seems to be directed toward communicating basic information to patients as opposed to an approach that includes “everything under the sun” in order to protect the provider. The less complicated approach seems to be more consistent with the regulatory requirement that providers develop and distribute a notice that provides a clear, user friendly explanation of these rights and practices.

The model released by the agencies provides a variety of formats that providers can consider depending on the context and their personal preference. The optional formats include:

  • Notice in the form of a booklet
  • A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages
  • A notice with the design elements found in the booklet, but formatted for full page presentation
  • A text only version of the notice

The models integrate the regulatory changes contained in the Omnibus Rule. Providers may use these models to serve as the baseline for compliance with the new requirements. For example, relatively new changes to patient access rights to information that is held in an electronic health record are covered. Providers who have not recently updated their notices may not include this information in their disclosure form.

The provided forms are set up so that providers can simply enter their specific information in the model forms. They can then be printed, posted, and otherwise used in connection with their practices.

The agencies seem to be actively encouraging providers to use these standard forms. Providers should take the opportunity to review their Notice of Privacy Policies and consider updating them to conform with the government provided standard forms unless the provider has a compelling reason to be more inclusive in its disclosure.

 

Electronic Health Information System Proposed Regulations Ancillary Providers

Monday, April 15th, 2013

Proposed CMS Rules Suggest Possible Future Changes To E.H.R. Donation Rules

The proposed regulations that were recently released by CMS and the OIG relating to electronic health record donations provide a glimpse of what may be expected in the future.  Both agencies refer to concerns over “data lock” situations and donation agreements entered with clinical laboratories, DME companies, and other ancillary providers.  Although neither agency placed limitations on these arrangements in the current proposed rules, they both make it clear that they are looking closely at who should be a qualified donor under the donation regulations.

As they currently stand, the only effect of the proposed regulations would be (i) to extend the donation agreement sunset deadline from December 31, 2013 to December 31, 2016, and (ii) to remove the requirement that software include electronic prescribing.  However, comment was solicited in other areas that make it pretty clear that we should expect the final rules to include other changes.

CMS appears to be considering what approach to take to address reports of clinical laboratories, DME providers and other ancillary providers using the Stark Law exception to enter into abusive arrangements.  CMS suggests that they may exclude certain classes of providers from being qualified donors.  They also allude to the possibility of adding an additional set of requirements to prohibit “data lock” situations.  They appear to be considering taking one or both approaches when final regulations are released.

For now, comments can be made to the proposed regulations.  Providers who have an interest in this issue might want to consider submitting comments in response to the OIG and/or CMS proposed regulations.  In the meantime, the discussions coming from the regulatory agencies cast a shadow over donation arrangements with many ancillary providers.  Even though the arrangements meet Stark Law and safe harbor provisions at the present time, it is not clear whether arrangements that are entered before the issuance of final regulations will qualify to permit extension of donation benefits beyond the first Sunset date of December 31, 2013.

Telemedicine Credentialing By Proxy

Tuesday, February 12th, 2013

Telemedicine Credentialing By Proxy and Hospital Policies

Provider credentialing requirements raise important considerations in any telemedicine arrangement. The facility where a patient receives care, or that renders a diagnosis or otherwise provides clinical treatment to the patient, must assure that a telemedicine practitioner is appropriately credentialed and privileged in compliance with its credentialing process, CMS rules, and the requirements of applicable accreditation organizations.  The process for credentialing telemedicine providers should be addressed by the governing body and reflected in medical staff bylaws and formal credentialing policies.

Credentialing standards have been somewhat streamlined since CMS adopted new regulations that were effective in June of 2011.  CMS rules now permit “credentialing by proxy” provided that several conditions are met.  It remains the responsibility of the board to determine when or if it wishes to rely on “credentialing by proxy” or whether it should apply full credentialing requirements on remote providers of telemedicine services.  Even though the process has been simplified, credentialing of providers who perform telemedicine services to patients of a hospital is still an extremely important responsibility of the hospital board.

John H. Fisher

Health Care Counsel
Ruder Ware, L.L.S.C.
500 First Street, Suite 8000
P.O. Box 8050
Wausau, WI 54402-8050

Tel 715.845.4336
Fax 715.845.2718

Ruder Ware is a member of Meritas Law Firms Worldwide
