Electronic health records or EHR have metamorphosed health care. Choosing a vendor can be daunting and the prices fluctuate greatly. As a provider, you probably determine your EHR platform on which vendor’s program creates the best service notes… or which creates the most foolproof way of tracking time… or which program is the cheapest.
But…what’s in YOUR contract can be legally deadly.
Regardless how you choose your EHR vendor, you need to keep the following legal issues in mind when it comes to EHR and the law:
Regulatory and Clinical Coverage Policy Compliance
Most likely, your EHR vendor does not have a legal degree. Yet, you are buying a product and assuming that the EHR program complies with applicable regulations, rules, and clinical coverage policies – whichever are applicable to your type of service. Well, guess what? These regulations, rules, and clinical coverage policies are not stagnant. They are amended, revised, and re-written more than my chickens lay eggs, but a little less often, because my chickens lay eggs every day.
Think about it – The Division of Medical Assistance (DMA) publishes a monthly Medicaid Bulletin. Every month DMA provides more insight, more explanations, more rules that providers will be held accountable to follow.
Does your EHR program update every month?
You need to review your contract and determine whether the vendor is responsible for regulatory compliance or whether you are. If you are, should you put so much faith in the EHR program?
You are required to maintain your records (depending on your type of service) anywhere from 5-10 years. Let’s say that you sign a four year contract with EHR Vendor X. The four years expires, and you hire a new EHR vendor. You are audited. But Vendor X does not allow you access to the records because you no longer have a contract with them – not their problem!
You need to ensure that your EHR contract allows you access to your documents (because they are your documents) even in the event of the contract expiring or getting terminated. The excuse that “I don’t have access to that” does not equal a legal defense.
This is otherwise known as the “Blame Game.” If there is a problem with regulatory compliance, as in, the EHR records do not follow the regulations, then you need to know whether the EHR vendor will take responsibility and pay, or help pay, for attorneys’ fees to defend yourself.
Like it or not, the EHR vendor does not undergo audits by the state and federal government. The EHR vendor does not undergo post and pre-payment reviews for regulatory compliance. You do. It is your NPI number that is held accountable for regulatory compliance.
You need to check whether there is an indemnification clause in the EHR contract. In other words, if you are accused of an overpayment because of a mistake on the part of the vendor, will the vendor cover your defense? My guess is that there is no indemnification clause.
HIPAA laws require that you minimize the access to private health information (PHI) and prevent dissemination. With hard copies, this was easy. You could just lock up the documents. With EHR, it becomes trickier. Obviously, you have access to the PHI as the provider. But who can access your EHR on the vendor-side? Assuming that the vendor has an IT team in case of computer issues, you have to consider to what exactly does that team have access.
I recently attended a legal continuing education class on data breach and HIPAA compliance for health care. One of the speakers was a Special Agent with the FBI. This gentleman prosecutes data breaches for a living. He said that hackers will pay over $500 per private medical document. Health care companies experienced a 72% increase in cyberattacks between 2013 and 2014. Stolen health care information is 10 times more valuable than your credit card information.
Obviously, I am exaggerating here. I do not believe that The Walking Dead is real and in our future. But here is my point – You are held accountable for maintaining your medical records, even in the face of an act of God or terrorism.
Example: It was 1996. Provider Dentist did not have EHR; he had hard copies. Hurricane Fran flooded Provider Dentist’s office, ruining all medical records. When Provider Dentist was audited, the government did not accept the whole “there was a hurricane” excuse. Dentist was liable for sever penalties and recoupments.
Fast forward to 2017 and EHR – Think a mass computer shutdown won’t happen? Just ask Delta about its August 2016 computer shutdown that took four days and cancelled over 2000 flights. Or Medstar Health, which operates 10 hospitals and more than 250 outpatient facilities, when in March 2016, a computer virus shut down its emails and…you guessed it…its EHR database.
So, what’s in YOUR contract?
“Always follow the Golden Rule. Always treat others how you want to be treated.”
What is so great about following rules? Do we have to follow all rules? What if other people do not follow the rules? What if the rules contradict? Are some rules more important than others?
The answer is – it depends.
When you sign your provider procurement agreement with NC to provide Medicaid services, there is a sentence in it that says, something to the effect, “The provider agrees to follow all applicable state and federal rules, laws, and regulations.” Yet, I am constantly shocked how many providers are completely oblivious to what are the “applicable state and federal rules, laws, and regulations” (although it does keep me in business).
The fact is, however, not all rules are created equal.
First, what is the difference between a policy, a regulation, and a law?
A law must be followed. If you break the law, you are punished. A regulation also must be followed; however, regulations are created by state agencies through a rule-making process. Usually, the public may comment on proposed regulations prior to being enacted.
On the other hand, a rule (that has not been formally adopted by the State) is policy or guidance. For example, the DMA Clinical Coverage Policies are rules or guidance. The Policies are not promulgated; i.e., they have not undergone the official rule-making process. Don’t get me wrong – you should follow the DMA Clinical Coverage Policies. My point is that a violation of a Clinical Coverage Policy will not/should not warrant the same punishment as violating a regulation or law.
Let’s think about this in a “real-life” hypothetical.
You receive a notice of overpayment in the amount of $450,000.00 because, allegedly, your service notes are signed electronically and you do not have an electronic signature policy.
There is no law or regulation that dictates that you must have an electronic signature policy. It is best practice to have an electronic signature policy. The Medicaid Billing Guide suggests that you maintain an electronic billing policy.
N.C. Gen. Stat. 150B sets forth the rule-making process. Any policy or rule that has not undergone the official rule-making process is considered nonbinding interpretative statements. N.C. Gen. Stat. 150B-18 states that “[a]n agency shall not seek to implement or enforce against any person a policy, guideline, or other nonbinding interpretative statement…if the statement has not been adopted as a rule in accordance with this Article.” (emphasis added).
Because there is no law or regulation requiring you to have an electronic signature policy, the State cannot punish you for not having one. In other words, the State cannot hold you to arbitrary criteria unless that criteria was formally adopted in the rule-making process.
How do you know if a policy or rule has been formally adopted?
Any policy or rule that is formally adopted will have a legal citation. For example, N.C. Gen. Stat 150B is a formal law. 10A NCAC 27G .0104 is a formal regulation – it is part of our administrative code. NC DMA Clinical Coverage Policies and the Medicaid Billing Guide are comprised of nonbinding, interpretative statements, as well as law and regulations. Usually, when a law or regulation is cited in the Policies or Billing Guide the formal, legal citation is also provided, but not always. I know, it’s confusing, yet extremely important.
You cannot and should not be punished for violating suggestions, policy, or nonbinding, interpretative statements. You should not be punished for not “treating others how you would like to be treated.” – That is not a law.
It is important to know the distinction because, apparently, those in charge of our Medicaid program, at times, do not.
“To err is human…” Alexander Pope
Remember that show “TV”s Bloopers and Practical Jokes?” I think Dick Clark was in it (maybe not…it was a long time ago…I watched reruns). Anyway, I remember laughing so hard at some of the bloopers. I also like when, after a movie is over, the director highlights the casts’ bloopers. Something about watching someone else mess up that makes me realize everyone is human.
But accidentally erring is completely different (and a lot funnier) than a RAC auditor misapplying a clinical policy, be called out on it, and continue to audit the same erroneous way without regard or fortitude to change.
I have said over and over, no health care provider who accepts Medicaid is safe from the grasp of the over-zealous, under-trained Medicaid auditors. Welcome, dentists, to the “oh-so-ever-interesting-Medicaid-three-ring-circus.” Here are your Tentative Notice of OverPayments (TNO). And here are your bloopers.
I’ve seen a few common themes in the claim audit findings for a post-payment review of a dental practice, but want to discuss one re-occurring theme…one that has poked its rearing head more than most other issues I have seen, thus far.
RAC auditor recoups the Medicaid reimbursements because: The “attending provider” NPI number did not match the “provider rendering the services” NPI number.
The RAC auditor cites DMA Clinical Policy 4A as the source of the rule that the attending provider and rendering provider numbers must be the same.
DMA Clinical Policy 4A states, in pertinent part, “Enter the attending provider’s NPI for the individual dentist rendering service. (This number must correspond to the signature in field 53.)” (Field 53 is the field for the treating provider).
Yet,wait, young auditor, what year DMA Clinical Policy 4A are you using? 2013? Or the year that is applicable to the date of service (DOS) you are auditing?
Because prior to the 2013 Clinical Policy 4A, earlier 4A Policies read as such: “Enter the attending provider’s NPI for the individual dentist rendering service. (This number should correspond to the signature in field 53.)”
Should versus must….must versus should…
Look at these examples:
- People should protect the environment.
- People should be kind to others.
- You should go see “Man of Steel;” it is very good.
- Thou shall not murder. (Shall is an old form of must, and a bit more British).
- People must stop completely at a stop sign.
- You must stop talking!
See the difference? If someone tells me that I should go see an art exhibit, I will say, “Thank you. I will see if I can fit it in my schedule.” If someone tells me that I must abide by a rule, I will ask, “What will be the penalty if I do not?”
“Should” denotes a suggestion. “Must” denotes a command.
So going back to…
“Enter the attending provider’s NPI for the individual dentist rendering service. (This number should correspond to the signature in field 53.)”So…if the number “SHOULD” correspond, then, obviously, the number “MUST” not correspond. Right?
Bloopers are funny. Redundant errors are not.