Health Law Blog - Healthcare Legal Issues

Archive for January, 2018

Written Agreement Requirement for Disclosure of Part 2 Records

Wednesday, January 31st, 2018

Disclosure of Part 2 Records for Payment or Health Care Operations Requires Written Agreement

Regulations issued by SAMHSA in January of 2018, permit a lawful holder of Part 2 Records (relating to alcohol or substance abuse treatment) to disclose those records, with written consent of the patient, to its contractors, subcontractors, or legal representatives to carry out payment or healthcare operations on behalf of the lawful holder. The regulations list 17 examples of situations where a release may be considered appropriate. Disclosures to contractors, subcontractors, and legal representatives to carry out other purposes such as substance use disorder patient diagnosis, treatment, or referral for treatment are not permitted under the new rule.

In order to take advantage of the rule permitting disclosure for payment and/or health care operations, the lawful holder of the information is required to have in place a written contract or comparable legal instrument with the contractor or voluntary legal representative, which provides that the contractor, subcontractor, or voluntary legal representative is fully bound by the provisions of part 2 upon receipt of the patient identifying information.

In addition to having a proper contract in place, when making any such disclosures, the lawful holder must take the following further steps:

  • furnish such recipients with the notice required under § 2.32 of the regulations;
  • require such recipients to implement appropriate safeguards to prevent unauthorized uses and disclosures; and
  • require such recipients to report any unauthorized uses, disclosures, or breaches of patient identifying information to the lawful holder.

The lawful holder may only disclose information to the contractor or subcontractor or voluntary legal representative that is necessary for the contractor or subcontractor or voluntary legal representative to perform its duties under the contract or comparable legal instrument. Contracts may not permit a contractor or subcontractor or voluntary legal representative to re-disclose information to a third party unless that third party is a contract agent of the contractor or subcontractor, helping them provide services described in the contract, and only as long as the agent only further discloses the information back to the contractor or lawful holder from which the information originated.

17 Examples SAMHSA Payment and Health Care Operations

Wednesday, January 31st, 2018

Examples of Disclosures of Part 2 Records for Payment and Health Care Operations

In regulations released in January of 2018, SAMHSA included a list of 17 specific types of payment and health care operations in the regulatory text that would be the basis for further disclosures by a lawful holder of patient identifying information. SAMHSA did not include this list of 17 items in the regulations.  Rather, these items were contained in the preamble reflecting that additional reasons for release for payment and health care operations may be permissible.  Examples of permissible activities under § 2.33(b) that SAMHSA considers to be payment and health care operations activities include:

  • Billing, claims management, collections activities, obtaining payment under a contract for reinsurance, claims filing and related health care data processing;
  • Clinical professional support services (e.g., quality assessment and improvement initiatives; utilization review and management services);
  • Patient safety activities;
  • Activities pertaining to:
  • The training of student trainees and health care professionals;
  • The assessment of practitioner competencies;
  • The assessment of provider and/or health plan performance; and
  • Training of non-health care professionals;
  • Accreditation, certification, licensing, or credentialing activities;
  • Underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care;
  • Third-party liability coverage;
  • Activities related to addressing fraud, waste and abuse;
  • Conducting or arranging for medical review, legal services, and auditing functions;
  • Business planning and development, such as conducting cost management and planning-related analyses related to managing and
    operating, including formulary development and administration, development or improvement of methods of payment or coverage
    policies;
  • Business management and general administrative activities, including management activities relating to implementation of and compliance with the requirements of this or other statutes or regulations;
  • Customer services, including the provision of data analyses for policy holders, plan sponsors, or other customers;
  • Resolution of internal grievances;
  • The sale, transfer, merger, consolidation, or dissolution of an organization;
  • Determinations of eligibility or coverage (e.g. coordination of benefit services or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
  • Risk adjusting amounts due based on enrollee health status and demographic characteristics;
  • Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges.

SAMHSA believes it is important to maintain patient choice in disclosing information to health care providers with whom patients have direct contact. For this reason, the final provision in § 2.33(b) does not cover care coordination or case management and disclosures to contractors, subcontractors, and legal representatives to carry out such purposes are not permitted under this section. In addition, SAMHSA added language to the regulatory text in § 2.33(b) to clarify that disclosures to contractors, subcontractors and legal representatives are not permitted for activities related to a patient’s diagnosis, treatment, or referral for treatment.

Disclosures for Specific Payment or Health Care Operations Purposes (§ 2.33)

Wednesday, January 31st, 2018

Part 2 Records –  Specific Payment or Health Care Operations Purposes (§ 2.33)

Special restrictions apply to health information that is restricted under SAMHSA rules.  These rules protect patient information involving substance and alcohol treatment in Federal programs.  SAMHSA requirements are much more restrictive than HIPAA rules and must be considered, not only by substance abuse program, but also by providers and others who may receive these records and are subject to strict re-disclosure prohibitions.

The 2018 Rules finalizes the scope and requirements for permitted disclosures to contractors, subcontractors, and legal representatives for the purpose of payment and health care operations. SAMHSA lists 17 specific types of activities for which minimal information necessary may be disclosed for specific payment and health care operations activities. The 17 specific activites are listed in the preamble, rather than the regulatory text, as examples of potentially permissible disclosures.
SAMHSA states that its intent is for other appropriate payment and health care operations activities to be permitted beyond the 17 listed activities. In addition, consistent with SAMHSA’s prior statement in the SNPRM preamble, SAMHSA has added language to the regulatory text in § 2.33(b) to clarify that disclosures to contractors, subcontractors, and legal representatives are not permitted for activities related to a patient’s diagnosis, treatment, or referral for treatment. The rules require lawful holders of restricted information who engage contractors or subcontractors to carry out payment and health care operations activities to include specific contract provisions addressing compliance with part 2. Additionally, language was added to the regulation to clarify that disclosures to contractors, subcontractors, and legal representatives are not permitted for substance use disorder patient diagnosis, treatment, or referral for treatment.

Notice of Restriction on Re-Disclosure SAMHSA Records

Wednesday, January 31st, 2018

Prohibition on Re-Disclosure – Changes in New SAMHSA Final Rules (§ 2.32)

Redisclosure Notice SAMHSA RecordsOne of the primary new operative provisions that was created in the 2017 Final Rules is an expanded prohibition against re-disclosure of records that are covered under SAMHSA. Even when a disclosure is permitted, the 2017 rules required the disclosure to be accompanied by a lengthy written statement, notifying the recipient of the special status of the information and the prohibition against re-disclosure. The notification was rediculously long:

This information has been disclosed to you from records protected by Federal confidentiality rules (42 CFR part 2). The Federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The Federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient.

The new 2018 Rules create an abbreviated notice that is 80 characters long to fit in standard free-text space within health care electronic systems. The abbreviated notice in this final rule reads ‘‘Federal law/42 CFR part 2 prohibits unauthorized disclosure of these records.’’

The 42 CFR part 2 regulations have always required that a notice of the prohibition on redisclosure accompany each disclosure made with the patient’s written consent. With the adoption of electronic health record systems, it became difficult to comply electronically with the longer notification form due to character limits in freetext fields within electronic health record systems. Many electronic record systems contain a free text space with a maximum character capacity of 80 characters. The new 2018 Rules reflect SANHSA’s belief that offering an abbreviated notice option will be beneficial to providers who use electronic health record systems to exchange data.

SAMHSA recognizes concerns that an abbreviated notice could be insufficient to convey understanding of part 2 requirements. SAMHSA encourages part 2 programs and other lawful holders of restricted records that chose to use the abbreviated notice to discuss the restriction and redisclosure requirements applicable to SAMHSA protected records with those to whom they disclose patient identifying information.

First Article in SAMHSA Series

Confidentiality of Substance Use Disorder Patient Records

Wednesday, January 31st, 2018

New SAMHSA Clarifying Regulations for Part 2 Program Records

SAMHSA Regulations Substance Abuse RecordsNew Final regulations were issued on January 2, 2018 by the Substance Abuse and Mental Health Services Administration (SAMHSA). The new Final regulations supplement SAMHSA’s major regulation change that was finalized in regulations that were released in January of 2017. The new, 2018 Final regulations add some clarification and more specificity to some of the requirements of the 2017 rule.

These rules, commonly known as the “SAMHSA Rules” or “Part 2” describe special confidentiality restrictions that apply to Substance Use Disorder Patient Records related to certain substance use disorder treatment programs that receive federal financial assistance. The confidentiality requirements that apply to treatment records covered by the SAMHSA Rules are more stringent than apply to general patient health records. The special restrictions on these records has been in existence for decades, with the last major re-write occuring in 1987.

SAMHSA began a process of reconstituting the SAMHSA Rules in February of 2016, when it published a Notice of Proposed Rulemaking (NPRM) in the Federal Register (81 FR 6988). SAMHSA’s stated purpose for revising the rules was to reflect development of integrated health care models and the use of electronic exchange of patient information. At the same time, SAMHSA’s aim was to accomodate new technologies while maintaining confidentiality protections for patients of covered treatment programs who could encounter discrimination if their information is not properly protected.

The  Final Rules that we published on January 18, 2017, provided for greater flexibility in disclosing patient identifying information within the health care system while continuing to address the need to protect the confidentiality of substance use disorder patient records. At the same time that it published the 2017 Final Rule’s, SAMHSA issued a supplemental notice of proposed rulemaking (SNPRM) to solicit public comment on additional proposals in a variety of areas covered by the SAMHSA Rule. The new Final Rules that were issued on January 2, 2018, address many of the issues suggested in the SNPRM and integrate some of the 55 regulatory comments that SAMHSA received in response to the SNPRM.

SAMHSA received numerous comments asking it to consider alignment of the special restrictions applicable through the SAMHSA Rules with the Health Insurance Portability and Accountability Act (HIPAA) or the Health Information Technology for Economic and Clinical Health (HITECH) Act. It is challenging for providers to establish different requirements for special status records. By its very nature, the more restrictive requirements that are applicable to SAMHSA covered records requires providers to “triage” record requests to be certain that they are not covered by the special restrictions of the SAMHSA Rules. This is especially problematic when a provide that does not provide alcohol or substance abuse treatment receives SAMHSA protected records from another provider. SAMHSA Rules not subject receiving providers to a direct prohibition against redisclosure.

SAMHSA says that it has attempted to align the final rule with HIPAA, the HITECH Act, and their implementing regulations to the extent feasible. Yet, the more stringent SAMHSA restrictions will be difficult to completely harmonize with HIPAA and HITECH. Part 2 provides more stringent federal protections than other health privacy laws such as HIPAA and seeks to protect individuals with substance use disorders who could be subject to discrimination and legal consequences in the event that their information is improperly used or disclosed. A similar issue exists with respect to many state laws that provide more stringent privacy restrictions on records related to mental health related services. Decision trees applicable to disclosure of special treatment records can be quite complex; particularly when HIPAA premption concepts are applied as an overlay to the base analysis.

Follow our article series on the SAMHSA Regulations on this site.

Next Article in Series

Notice of Restriction on Re-Disclosure

CMS Position On Texting Physician Orders

Monday, January 29th, 2018

Texting of Physician Orders : CMS Statement Clarifies Position on Texting

Physician Order Texting RegulationsThe CMS Center for Clinical Standards and Quality/Survey & Certification Group recently released a Memorandum clarifying its position regarding texting of health care information. In S&C 18-10-ALL, dated December 28, 2017, CMS clarifies the following issues:

  • Texting of PHI Within Health Care Team.  CMS says that this is permissible on a secure platform.  Providers should develop policies covering texting among the care team.  Providers may want to consider special conditions, or even limiting or prohibiting this practice.  CMS, HIPAA and other standards need to be considered when developing provider specific policy.  State laws may differ and certain types of information may be subject to special restrictions.
  • Texting of Patient Orders.  Even though texting communication between care team members is permissible, CMS clarifies that texting patient orders is always prohibited; even on a secure platform.
  • Preferred Use of CPOE.  CMS clarifies that Computerized Provider Order Entry (CPOE) is the preferred method for a provider to enter a patient order.  Providers should review their policies regarding acceptable order platforms.  Special attention should be paid to texting practices.  Verbal orders are also an area of significant compliance and liability concerns.  Over-use of verbal orders and non-compliance with authentication requirements is very common and is a significant risk area.

You can reference the CMS Texting Guidance Letter on this issue directly.

I have been posting a series of articles on compliance issues relating to physician orders that you can also reference for additional guidance.  And as always, if you have additional questions, please do not hesitate to contact me thhrough the contact form on this blog or directly through contact information on my law firm web site.

 

Physician Orders Legal and Regulatory Article Series

Physician Order Reimbursement Issues

Physician Orders – Why Are They So Important?

The Verbal Order Minefield

Authenticating Verbal Orders : Compliance Requirements

Third Party Authentication of Verbal Orders

Physician Order – CMS Guidelines on Texting Physician Orders

 

Authentication of Verbal Orders by Other Responsible Practitioner

Wednesday, January 24th, 2018

Authentication of Verbal Orders

Authenticating Verbal OrdersIn a past blog article, I discussed the need for physicians to promptly authenticate verbal orders. The failure of a physician to timely sign a verbal order can have reimbursement implications. In some cases, in some states, another responsible provider can sign a verbal order that is originally given by another practitioner. This option is not always available and depends a lot on whether state law permits the practice. Some states require the practitioner who gave the verbal order to authenticate the order. With the use of electronic medical records, practitioners cannot expect leniency on these types of requirements.

In states that permit one practitioner to authenticate for another, the authenticating proxy practitioner should understand that he or she is accepting responsibility for the authenticated verbal order. State scope of practice rules apply to cross authentication of orders. In otherwords, the practitioner authenticating the order must have practice authority to have provided the original verbal order. Facilities can develop policies that a more restrictive then what the law permits. Policy can eliminate or restrict cross authentication practices. There is inherent risk in permitting cross authentication because the authenticating provider did not give the original verbal order. Additionally, as covered in previous blog articles, verbal orders are over-used in many facilities and carry inherent risks. Facilities can enact policies to curtail the use of verbal orders. At minimum, facility policy should echo the CMS comments regarding the appropriate scope of use of verbal orders. Practices can be audited to determine whether a practitioner is overusing verbal orders.

Physician Orders Legal and Regulatory Article Series

Physician Order Reimbursement Issues

Physician Orders – Why Are They So Important?

The Verbal Order Minefield

Authenticating Verbal Orders : Compliance Requirements

Third Party Authentication of Verbal Orders

Physician Order – CMS Guidelines on Texting Physician Orders

Verbal Orders Documentation and Authentication

Wednesday, January 24th, 2018

The Verbal Order Minefield

Authenticating Verbal OrdersPhysicians often provide orders over the telephone in cases where action must be taken immediately. For example, verbal orders must be given by a physician who is on call or off duty but an issue arises that requires staff to take immediate action. Physician orders are generally effective when they are given, subject to appropriate documentation. Verbal orders are effective when provided verbally, but must be properly recorded in the medical records and authenticated or signed by the ordering physician.

Verbal Order Policies and Procedures

Normally, the facility will have policies in place that provide guidance on how staff should handle verbal orders. Those policies will define who is authorized to receive a verbal order from a physician as well as the process for taking a verbal order. Many facilities use a “read-back” requirement that requires the provider who receives the order to read the order back to the physician and receive confirmation. The receiving provider is required to document the receipt of the verbal order in the chart.

Over-use of Verbal Orders

Medicare policy (and many state laws) clarifies that verbal orders are not to be used as common practice. Verbal orders are not to be used for the convenience of the physician, but only when the patient’s condition or status requires immediate attention and when it is impossible or impractical to enter the order without creating unacceptable delays in needed treatment. Even though verbal orders are to be used infrequently under Medicare policy, their use has become very commonplace in many facilities. Frequent use of verbal orders increases risk in a variety of ways. Verbal orders leave room for error. This can be mitigated by using a read-back process, but risk of misinterpretation or incorrect fulfillment will be enhanced when verbal orders are used. Verbal orders contribute significantly to the risk of medication error and a variety of other potential adverse patient incidents.

Another significant risk of using verbal orders relates to the need to meet authentication requirements. CMS rules direct medical reviewers to disregard orders that are not properly authenticated. All orders, including verbal orders, are required to be dated, timed, and authenticated promptly by the ordering practitioner.

Authentication of Verbal Orders by Ordering Physician

In terms of timing, Medicare guidance requires the ordering physician to sign the verbal order promptly. Some states, such as Wisconsin, require the ordering physician to sign the order within 24 hours of providing the verbal order. Medicare ties into state law requirements in this area. This is an area of significant potential risk for a facility where physician’s routinely use verbal orders during off-shift times. It can be days before the physician is back at the facility. It used to be that reviewers provided a lot of slack on the followup physician signature requirement. With the integration of electronic medical records and the use of electronic signatures, the timing requirements for physician signatures on verbal orders are enforced strictly.

CMS has gotten a bit more lenient on certain delayed medical record entries. Amendments, corrections, and delayed medical record entries are now given credit in medical review. This leniency does not apply with respect to certain types of physician orders. For example, late or corrected entries to support orders for inpatient admission or outpatient observation services are not accepted and are treated as they do not exist on medical review. Again, failure to properly and timely authenticate an “order” in contrast to an “entry,” has reimbursement implications. This makes it critical to assure that orders are completely documented. Verbal order use should be limited to appropriate cases. Verbal orders are over-used in many facilities. When verbal orders are used, prompt authentication requirements should be enforced. Strict time limitations may exist under state law. For example, Wisconsin requires verbal orders to be be signed by the ordering provider within 24 hours.

Physician Orders Legal and Regulatory Article Series

Physician Order Reimbursement Issues

Physician Orders – Why Are They So Important?

The Verbal Order Minefield

Authenticating Verbal Orders : Compliance Requirements

Third Party Authentication of Verbal Orders

Physician Order – CMS Guidelines on Texting Physician Orders

Physician Orders : Why Are They So Important?

Wednesday, January 24th, 2018

The Importance of Physician Orders in Health Care

importance of physician ordersIn my last article on physician orders, I more or less ranted about the lack of a clear regulatory definition of physician orders. Yet, physician orders serve a variety of important purposes including communicating the physician’s direction for ancillary services and required diagnostic tests and securing the ability to receive reimbursement for services that flow from the physician’s encounter with the patient. The systematic use of physician orders also serves as proof that the physician is directing services to the patient and that conditions of participation of the facility, which require a physician driven process, are being complied with on a systematic basis.

Physician Orders as Conditions of Participation

Medicare law draws a distinction between conditions of participation and conditions of payment. Conditions of participation are compliance items, failure of which can result in corrective action and citations on survey. Failure of physician orders can result in survey deficiencies. The good news here is that a facility will normally be able to take action to correct a cited deficiency. If the failure of physician orders is systematic, other sanctions can attach; even including exclusion from governmental health program. But the garden variety, relatively isolated failure of a physician to timely sign an order can normally be corrected without devastating consequences.

Physician Orders As Condition of Payment

Physician orders can also be conditions of payment for specific services flowing from the physician’s encounter with the patient. This is where the real, serious regulatory exposure for failure to document physician orders occurs. Where an order is a condition of payment, claiming and accepting reimbursement results in an overpayment that should be repaid to Medicare. Failing to repay within 60 days of identification of the overpayment results in significant False Claims Act penalties that can far outweigh the original overpayment amount. Identification occurs when a provider “should know” that an overpayment exists which is why health care providers need to proactively look for missing physician orders as an identified risk as part of their compliance programs.

Physician Order Documentation Requirements

Health care providers will be familiar with the adage that “if it is not documented, it didn’t happen.” The same is true with respect to physician orders. A physician order that is not properly documented will be treated by payors as if the order does not exist. Even failure of seemingly technical failures to sign orders on a timely basis can result in payment denial or overpayment claims. In these cases, the provider is not entitled to reimbursement. If reimbursement is received, an overpayment will exist and I describe above the consequences of not repaying overpayments.

So it is important for physicians and other providers to understand the requirements for physician orders as they pertain to the services that they provide. Not getting it right can have very serious consequences. False Claims Act penalties are triple the original overpayment, plus up to $22,000 per claim. A systematic failure to properly use physician’s orders can result in draconian levels of damages under the False Claims Act.

Physician Orders Legal and Regulatory Article Series

Physician Order Reimbursement Issues

Physician Orders – Why Are They So Important?

The Verbal Order Minefield

Authenticating Verbal Orders : Compliance Requirements

Third Party Authentication of Verbal Orders

Physician Order – CMS Guidelines on Texting Physician Orders

Physician Orders – Definition and Reimbursement Implications

Wednesday, January 24th, 2018

Physician Orders – Big Implications but Few Definitions

Physician Ordering Services Physician OrdersI wanted to talk a bit about physician orders. Physician orders hold a great deal of significance in health care. The root purpose of a physician order is to direct other providers to furnish certain services. Services ordered by a physician might include things like therapy services, skilled nursing services, home health, diagnostic testing, and a variety of other therapeutic and/or diagnostic services that might flow from the physician’s examination of the patient.

In addition to the practical application of directing care, health care payors look to physician orders to make payment determinations. The Medicare program places a great deal of importance on physician orders to support claims for ancillary and diagnostic services. Certain services require a physician’s order as a prerequisite to payment on a claim for service. In other cases there may be no direct, fee-for-service payment implication to a physician’s order, but they are still critical to patient safety and to communicate matters that may impact care and treatment of patients.

A few weeks back, my trials and tribulations as a health care compliance lawyer resulted in my need to locate a definition of what constitutes a physician’s order. I looked in the Medicare regulations and was surprised to find that there is no statutory or regulatory definition of what constitutes the order of a physician. This seemed odd given the importance of physician orders as conditions for payment of many Medicare claims. There are references throughout the regulations that require physician orders. I was finally able to locate a definition in a CMS Policy Manual. But if push comes to shove in the context of a case, these policy manuals are not binding on the interpretation of regulatory terms. CMS may define physician orders internally, but that does not necessarilly mean that a court will uphold that definition.

Some states do a better job than Medicare at defining what constitutes a physician’s order. Medicare policy sometimes defers to state law, particularly regarding some of the technical aspects of physician orders such as what constitutes a valid electronic signature. State law should always be referenced when determining issues relating to physician orders, attestation, signatures, and other issues. This does not always provide clarification and, in fact, sometimes it causes confusion. But it is necessary for a full analysis and identification of where there may be uncertainty.

So no I am inspired to do some further exploration on physician orders. When are they necessary? When are they required? What technical requirements apply? Stay tuned to this blog for additional articles and hopefully some fairly comprehensive coverage of physician orders.

Physician Orders Legal and Regulatory Article Series

Physician Order Reimbursement Issues

Physician Orders – Why Are They So Important?

The Verbal Order Minefield

Authenticating Verbal Orders : Compliance Requirements

Third Party Authentication of Verbal Orders

Physician Order – CMS Guidelines on Texting Physician Orders

John H. Fisher

Health Care Counsel
Ruder Ware, L.L.S.C.
500 First Street, Suite 8000
P.O. Box 8050
Wausau, WI 54402-8050

Tel 715.845.4336
Fax 715.845.2718

Ruder Ware is a member of Meritas Law Firms Worldwide

Search
Disclaimer
The Health Care Law Blog is made available by Ruder Ware for educational purposes and to provide a general understanding of some of the legal issues relating to the health care industry. This site does not provide specific legal advice and you should not use the information contained on this site to address your specific situation without consulting with legal counsel that is well versed in health care law and regulation. By using the Health Care Law Blog site you understand that there is no attorney client relationship between you and Ruder Ware or any individual attorney. Postings on this site do not represent the views of our clients. This site links to other information resources on the Internet; these sites are not endorsed or supported by Ruder Ware, and Ruder Ware does not vouch for the accuracy or reliability of any information provided therein. For further information regarding the articles on this blog, contact Ruder Ware through our primary website.