Blog Archives

EHR: What’s In YOUR Contract? Legal Issues You Need to Know.

Electronic health records or EHR have metamorphosed health care. Choosing a vendor can be daunting and the prices fluctuate greatly. As a provider, you probably determine your EHR platform on which vendor’s program creates the best service notes… or which creates the most foolproof way of tracking time… or which program is the cheapest.

But…what’s in YOUR contract can be legally deadly.

Regardless how you choose your EHR vendor, you need to keep the following legal issues in mind when it comes to EHR and the law:

Regulatory and Clinical Coverage Policy Compliance

Most likely, your EHR vendor does not have a legal degree. Yet, you are buying a product and assuming that the EHR program complies with applicable regulations, rules, and clinical coverage policies – whichever are applicable to your type of service. Well, guess what? These regulations, rules, and clinical coverage policies are not stagnant. They are amended, revised, and re-written more than my chickens lay eggs, but a little less often, because my chickens lay eggs every day.

Think about it – The Division of Medical Assistance (DMA) publishes a monthly Medicaid Bulletin. Every month DMA provides more insight, more explanations, more rules that providers will be held accountable to follow.

Does your EHR program update every month?

You need to review your contract and determine whether the vendor is responsible for regulatory compliance or whether you are. If you are, should you put so much faith in the EHR program?

Document Accessibility

You are required to maintain your records (depending on your type of service) anywhere from 5-10 years. Let’s say that you sign a four year contract with EHR Vendor X. The four years expires, and you hire a new EHR vendor. You are audited. But Vendor X does not allow you access to the records because you no longer have a contract with them – not their problem!

You need to ensure that your EHR contract allows you access to your documents (because they are your documents) even in the event of the contract expiring or getting terminated. The excuse that “I don’t have access to that” does not equal a legal defense.

Indemnification

This is otherwise known as the “Blame Game.” If there is a problem with regulatory compliance, as in, the EHR records do not follow the regulations, then you need to know whether the EHR vendor will take responsibility and pay, or help pay, for attorneys’ fees to defend yourself.

Like it or not, the EHR vendor does not undergo audits by the state and federal government. The EHR vendor does not undergo post and pre-payment reviews for regulatory compliance. You do. It is your NPI number that is held accountable for regulatory compliance.

You need to check whether there is an indemnification clause in the EHR contract. In other words, if you are accused of an overpayment because of a mistake on the part of the vendor, will the vendor cover your defense? My guess is that there is no indemnification clause.

HIPAA Compliance

HIPAA laws require that you minimize the access to private health information (PHI) and prevent dissemination. With hard copies, this was easy. You could just lock up the documents. With EHR, it becomes trickier. Obviously, you have access to the PHI as the provider. But who can access your EHR on the vendor-side? Assuming that the vendor has an IT team in case of computer issues, you have to consider to what exactly does that team have access.

I recently attended a legal continuing education class on data breach and HIPAA compliance for health care. One of the speakers was a Special Agent with the FBI. This gentleman prosecutes data breaches for a living. He said that hackers will pay over $500 per private medical document. Health care companies experienced a 72% increase in cyberattacks between 2013 and 2014. Stolen health care information is 10 times more valuable than your credit card information.

Zombie Apocalypse

Obviously, I am exaggerating here. I do not believe that The Walking Dead is real and in our future. But here is my point – You are held accountable for maintaining your medical records, even in the face of an act of God or terrorism.

Example: It was 1996. Provider Dentist did not have EHR; he had hard copies. Hurricane Fran flooded Provider Dentist’s office, ruining all medical records. When Provider Dentist was audited, the government did not accept the whole “there was a hurricane” excuse. Dentist was liable for sever penalties and recoupments.

Fast forward to 2017 and EHR – Think a mass computer shutdown won’t happen? Just ask Delta about its August 2016 computer shutdown that took four days and cancelled over 2000 flights. Or Medstar Health, which operates 10 hospitals and more than 250 outpatient facilities, when in March 2016, a computer virus shut down its emails and…you guessed it…its EHR database.

So, what’s in YOUR contract?

Medicaid Law: What Are Policies Versus Law and Why Does It Matter?

“Always follow the Golden Rule. Always treat others how you want to be treated.”

What is so great about following rules? Do we have to follow all rules? What if other people do not follow the rules? What if the rules contradict? Are some rules more important than others?

The answer is – it depends.

When you sign your provider procurement agreement with NC to provide Medicaid services, there is a sentence in it that says, something to the effect, “The provider agrees to follow all applicable state and federal rules, laws, and regulations.” Yet, I am constantly shocked how many providers are completely oblivious to what are the “applicable state and federal rules, laws, and regulations” (although it does keep me in business).

The fact is, however, not all rules are created equal.

First, what is the difference between a policy, a regulation, and a law?

A law must be followed. If you break the law, you are punished. A regulation also must be followed; however, regulations are created by state agencies through a rule-making process. Usually, the public may comment on proposed regulations prior to being enacted.

On the other hand, a rule (that has not been formally adopted by the State) is policy or guidance. For example, the DMA Clinical Coverage Policies are rules or guidance. The Policies are not promulgated; i.e., they have not undergone the official rule-making process. Don’t get me wrong – you should follow the DMA Clinical Coverage Policies. My point is that a violation of a Clinical Coverage Policy will not/should not warrant the same punishment as violating a regulation or law.

Let’s think about this in a “real-life” hypothetical.

You receive a notice of overpayment in the amount of $450,000.00 because, allegedly, your service notes are signed electronically and you do not have an electronic signature policy.

There is no law or regulation that dictates that you must have an electronic signature policy. It is best practice to have an electronic signature policy. The Medicaid Billing Guide suggests that you maintain an electronic billing policy.

N.C. Gen. Stat. 150B sets forth the rule-making process. Any policy or rule that has not undergone the official rule-making process is considered nonbinding interpretative statements. N.C. Gen. Stat. 150B-18 states that “[a]n agency shall not seek to implement  or enforce  against any person a policy, guideline, or other nonbinding interpretative statement…if the statement has not been adopted as a rule in accordance with this Article.” (emphasis added).

Because there is no law or regulation requiring you to have an electronic signature policy, the State cannot punish you for not having one. In other words, the State cannot hold you to arbitrary criteria unless that criteria was formally adopted in the rule-making process.

How do you know if a policy or rule has been formally adopted?

Any policy or rule that is formally adopted will have a legal citation. For example, N.C. Gen. Stat 150B is a formal law. 10A NCAC 27G .0104 is a formal regulation – it is part of our administrative code. NC DMA Clinical Coverage Policies and the Medicaid Billing Guide are comprised of nonbinding, interpretative statements, as well as law and regulations. Usually, when a law or regulation is cited in the Policies or Billing Guide the formal, legal citation is also provided, but not always. I know, it’s confusing, yet extremely important.

You cannot and should not be punished for violating suggestions, policy, or nonbinding, interpretative statements. You should not be punished for not “treating others how you would like to be treated.” – That is not a law.

It is important to know the distinction because, apparently, those in charge of our Medicaid program, at times, do not.

Have an Inkling of a Possible Overpayment, You Must Repay Within 60 Days, Says U.S. District Court!

You are a health care provider.  You own an agency.  An employee has a “hunch” that…

maybe…

perhaps….

your agency was overpaid for Medicare/caid reimbursements over the past two years to the tune of $1 million!

This employee has been your billing manager for years and you trust her…but…she’s not an attorney and doesn’t have knowledge of pertinent legal defenses. You are concerned about the possibility of overpayments, BUT….$1 million? What if she is wrong?  That’s a lot of money!

According to a recent U.S. District Court in New York, you have 60 days to notify and refund the government of this alleged $1 million overpayment, despite not having a concrete number or understanding whether, in fact, you actually owe the money.

Seem a bit harsh? It is.

With the passage of the Affordable Care Act (ACA) on March 23, 2010, many new regulations were implemented with burdensome requirements to which health care providers are required to adhere.  At first, the true magnitude of the ACA was unknown, as very few people actually read the voluminous Act and, even fewer, sat to contemplate the unintentional consequences the Act would present to providers. For example, I daresay that few, if any, legislators foresaw the Draconian effect from changing the word “may” in 42 CFR 455.23 to “must.” See blog and blog and blog.

Another boiling frog in the muck of the ACA is the 60-Day Refund Rule (informally the 60-day rule).

What is the 60-Day Refund Rule?

In 2012, CMS proposed the “60-day Refund Rule,” requiring Medicare providers and suppliers to repay Medicare overpayments within 60 days of the provider or supplier identifying the overpayment.  Meaning, if you perform a self audit and determine that you think that you were overpaid, then you must repay the amount within 60 days or face penalties.

If I had a nickel for each time a clients calls me and says, “Well, I THINK I may have been overpaid, but I’m not really sure,” and, subsequently, I explained how they did not owe the money, I’d be Kardashian rich.

It is easy to get confused. Some overpayment issues are esoteric, involving complex eligibility issues, questionable duplicity issues, and issues involving “grey areas” of “non”-covered services.  Sometimes a provider may think he/she owes an overpayment until he/she speaks to me and realizes that, by another interpretation of the same Clinical Coverage Policy that, in fact, no overpayment is owed. To know you owe an overpayment, generally, means that you hired someone like me to perform the self audit.  From my experience, billing folks are all too quick to believe an overpayment is owed without thinking of the legal defenses that could prevent repayment, and this “quick to find an overpayment without thinking of legal defenses” is represented in Kane ex rel. United States et al. v. Healthfirst et al., the lawsuit that I will be discussing in this blog.  And to the billings folks’ credit, you cannot blame them.  They don’t want to be accused of fraud. They would rather “do the right thing” and repay an overpayment, rather than try to argue that it is not due.  This “quick to find an overpayment without thinking of legal defenses” is merely the billing folks trying to conduct all work “above-board,” but can hurt the provider agency financially.

Nonetheless, the 60-day Refund Rule is apathetic as to whether you know what you owe or whether you hire someone like me.  The 60-Day Refund Rule demands repayment to the federal government upon 60-days after your “identification” of said alleged overpayment.

Section 1128(d)(2) of the Social Security Act states that:

“An overpayment must be reported and returned under paragraph (1) by the later of— (A) the date which is 60 days after the date on which the overpayment was identified; or (B) the date any corresponding cost report is due, if applicable.”

A recent case in the U.S. District Court of New York has forged new ground by denying a health care providers’ Motion to Dismiss the U.S. government’s and New York State’s complaints in intervention under the False Claims Act (FCA).  The providers argued that the 60-day rule cannot start without a precise understanding as to the actual amount of the overpayment. Surely, the 60-day rule does not begin to run on the day someone accuses the provider of a possible overpayment!

My colleague, Jennifer Forsyth, recently blogged about this very issue.  See Jennifer’s blog.

Basically, in Kane ex rel. United States et al. v. Healthfirst et al., three hospitals provided care to Medicaid patients. Due to a software glitch [cough, cough, NCTracks] and due to no fault of the hospitals, the hospitals received possible overpayments.  The single state entity for Medicaid in New York questioned the hospitals in 2010, and the hospitals took the proactive step of tasking an employee, Kane, who eventually became the whistleblower, to determine whether, if, in fact, the hospital did receive overpayments.

At this point, arguably, the hospitals were on notice of the possibility of overpayments, but had not “identified” such overpayments per the 60-day rule.  It was not until Kane made preliminary conclusions that the hospitals were held to have “identified” the alleged overpayments.  But very important is the fact that the Court held the hospitals liable for having “identified” the alleged overpayments prior to actually knowing the veracity of the preliminary findings.

Five months after being tasked with the job of determining any overpayment, Kane emails the hospital staff her findings that, in her opinion, the hospitals had received overpayments totaling over $1 million for over 900 claims.  In reality, Kane’s findings were largely inaccurate, as approximately one-half of her alleged findings of overpayments were actually paid accurately.  Despite the inaccurate findings, the Complaint that Kane filed as the whistleblower (she had been previously fired, which may or may not have contributed to her willingness to bring a whistleblower suit), alleged that the hospitals had a duty under the 60-day rule to report and refund the overpayments, even though there was no certainty as to whether the findings were accurate. And the Court agreed with Kane!

Even more astounding, Kane’s email to the hospitals’ management that contained the inaccurate findings contained phrases that would lead one to believe that the findings were only preliminary:

  • “further analysis would be needed to confirm his findings;” and
  • the spreadsheet provided “some insight to the magnitude of the problem” (emphasis added).

The above-mentioned comments would further the argument that the hospitals were not required to notify the Department and return the money 60 days from Kanes’ email because Kane’s own language within the email was so wishy-washy. Her language in her email certainly does not instill confidence that her findings are accurate and conclusive.

But…

The 60-day rule requires notification and return of the overpayments within 60 days of identification.  The definition of “identification” is the crux of Kane ex rel. United States et al. v. Healthfirst et al. [it depends on what the definition of “is” is].

The Complaint reads, that the hospitals “fraudulently delay[ed] its repayments for up to two years after the Health System knew” the extent of the overpayments” (emphasis added). According to the Complaint, the date that the hospitals “knew” of the overpayment was the date Kane emailed the inaccurate findings.

The hospitals filed a Motion to Dismiss based on the fact that Kane’s email and findings did not conclusively identify overpayments, instead, only provided a preliminary finding to which the hospitals would have needed to verify.

The issue in Kane ex rel. United States et al. v. Healthfirst et al. is the definition of “identify” under the 60-day rule. Does “identify” mean “possibly, maybe?” Or “I know I owe it?” Or somewhere in between?

The hospitals filed a Motion to Dismiss, claiming that the 60-day rule did not begin to run on the date that Kane sent his “preliminary findings.”  The U.S. District Court in New York denied the hospitals’ Motion to Dismiss and stated in the Order, “there is an established duty to pay money to the government, even if the precise amount due is yet to be determined.” (emphasis added).

Yet another heavy burden tossed upon health care providers in the ever-deepening, regulatory muck involved in the ACA.  As health care providers carry heavier burdens, they begin to sink into the muck.

Important take aways:

  • Caveat: Take precautions to avoid creating disgruntled, former employees.
  • Have an experienced attorney on speed dial.
  • Self audit, but self audit with someone highly experienced and knowledgeable.
  • Understand the ACA. If you do not, read it. Or hire someone to teach you.

A Very, Common Blooper in Dental Medicaid Audits

“To err is human…”  Alexander Pope

Remember that show “TV”s Bloopers and Practical Jokes?” I think Dick Clark was in it (maybe not…it was a long time ago…I watched reruns). Anyway, I remember laughing so hard at some of the bloopers.  I also like when, after a movie is over, the director highlights the casts’ bloopers. Something about watching someone else mess up that makes me realize everyone is human.

But accidentally erring is completely different (and a lot funnier) than a RAC auditor misapplying a clinical policy, be called out on it, and continue to audit the same erroneous way without regard or fortitude to change.

I have said over and over, no health care provider who accepts Medicaid is safe from the grasp of the over-zealous, under-trained Medicaid auditors. Welcome, dentists, to the “oh-so-ever-interesting-Medicaid-three-ring-circus.”  Here are your Tentative Notice of OverPayments (TNO). And here are your bloopers.

I’ve seen a few common themes in the claim audit findings for a post-payment review of a dental practice, but want to discuss one re-occurring theme…one that has poked its rearing head more than most other issues I have seen, thus far.

RAC auditor recoups the Medicaid reimbursements because: The “attending provider” NPI number did not match the “provider rendering the services” NPI number.

The RAC auditor cites DMA Clinical Policy 4A as the source of the rule that the attending provider and rendering provider numbers must be the same.

DMA Clinical Policy 4A states, in pertinent part, “Enter the attending provider’s NPI for the individual dentist rendering service. (This number must correspond to the signature in field 53.)” (Field 53 is the field for the treating provider).

Yet,wait, young auditor, what year DMA Clinical Policy 4A are you using? 2013? Or the year that is applicable to the date of service (DOS) you are auditing?

Because prior to the 2013 Clinical Policy 4A, earlier 4A Policies read as such: “Enter the attending provider’s NPI for the individual dentist rendering service. (This number should correspond to the signature in field 53.)”

Should versus must….must versus should…

Look at these examples:

Should:

  • People should protect the environment.
  • People should be kind to others.
  • You should go see “Man of Steel;” it is very good.

Must:

  • Thou shall not murder. (Shall is an old form of must, and a bit more British).
  • People must stop completely at a stop sign.
  • You must stop talking!

See the difference? If someone tells me that I should go see an art exhibit, I will say, “Thank you.  I will see if I can fit it in my schedule.”  If someone tells me that I must abide by a rule, I will ask, “What will be the penalty if I do not?”

“Should” denotes a suggestion.  “Must” denotes a command.

So going back to…

“Enter the attending provider’s NPI for the individual dentist rendering service. (This number should correspond to the signature in field 53.)”So…if the number “SHOULD” correspond, then, obviously, the number “MUST” not correspond. Right?

Bloopers are funny. Redundant errors are not.