Electronic health records or EHR have metamorphosed health care. Choosing a vendor can be daunting and the prices fluctuate greatly. As a provider, you probably determine your EHR platform on which vendor’s program creates the best service notes… or which creates the most foolproof way of tracking time… or which program is the cheapest.
But…what’s in YOUR contract can be legally deadly.
Regardless how you choose your EHR vendor, you need to keep the following legal issues in mind when it comes to EHR and the law:
Regulatory and Clinical Coverage Policy Compliance
Most likely, your EHR vendor does not have a legal degree. Yet, you are buying a product and assuming that the EHR program complies with applicable regulations, rules, and clinical coverage policies – whichever are applicable to your type of service. Well, guess what? These regulations, rules, and clinical coverage policies are not stagnant. They are amended, revised, and re-written more than my chickens lay eggs, but a little less often, because my chickens lay eggs every day.
Think about it – The Division of Medical Assistance (DMA) publishes a monthly Medicaid Bulletin. Every month DMA provides more insight, more explanations, more rules that providers will be held accountable to follow.
Does your EHR program update every month?
You need to review your contract and determine whether the vendor is responsible for regulatory compliance or whether you are. If you are, should you put so much faith in the EHR program?
You are required to maintain your records (depending on your type of service) anywhere from 5-10 years. Let’s say that you sign a four year contract with EHR Vendor X. The four years expires, and you hire a new EHR vendor. You are audited. But Vendor X does not allow you access to the records because you no longer have a contract with them – not their problem!
You need to ensure that your EHR contract allows you access to your documents (because they are your documents) even in the event of the contract expiring or getting terminated. The excuse that “I don’t have access to that” does not equal a legal defense.
This is otherwise known as the “Blame Game.” If there is a problem with regulatory compliance, as in, the EHR records do not follow the regulations, then you need to know whether the EHR vendor will take responsibility and pay, or help pay, for attorneys’ fees to defend yourself.
Like it or not, the EHR vendor does not undergo audits by the state and federal government. The EHR vendor does not undergo post and pre-payment reviews for regulatory compliance. You do. It is your NPI number that is held accountable for regulatory compliance.
You need to check whether there is an indemnification clause in the EHR contract. In other words, if you are accused of an overpayment because of a mistake on the part of the vendor, will the vendor cover your defense? My guess is that there is no indemnification clause.
HIPAA laws require that you minimize the access to private health information (PHI) and prevent dissemination. With hard copies, this was easy. You could just lock up the documents. With EHR, it becomes trickier. Obviously, you have access to the PHI as the provider. But who can access your EHR on the vendor-side? Assuming that the vendor has an IT team in case of computer issues, you have to consider to what exactly does that team have access.
I recently attended a legal continuing education class on data breach and HIPAA compliance for health care. One of the speakers was a Special Agent with the FBI. This gentleman prosecutes data breaches for a living. He said that hackers will pay over $500 per private medical document. Health care companies experienced a 72% increase in cyberattacks between 2013 and 2014. Stolen health care information is 10 times more valuable than your credit card information.
Obviously, I am exaggerating here. I do not believe that The Walking Dead is real and in our future. But here is my point – You are held accountable for maintaining your medical records, even in the face of an act of God or terrorism.
Example: It was 1996. Provider Dentist did not have EHR; he had hard copies. Hurricane Fran flooded Provider Dentist’s office, ruining all medical records. When Provider Dentist was audited, the government did not accept the whole “there was a hurricane” excuse. Dentist was liable for sever penalties and recoupments.
Fast forward to 2017 and EHR – Think a mass computer shutdown won’t happen? Just ask Delta about its August 2016 computer shutdown that took four days and cancelled over 2000 flights. Or Medstar Health, which operates 10 hospitals and more than 250 outpatient facilities, when in March 2016, a computer virus shut down its emails and…you guessed it…its EHR database.
So, what’s in YOUR contract?
Planning for the inevitable is smart. And it is inevitable if you are a provider and you accept Medicaid that you will undergo some sort of review, whether it is onsite or database checks, in the near future. And only two outcomes can result from this upcoming review:
Are YOU ready for that test???
So, it is imperative to arm yourself with knowledge of your rights, a liability insurance policy that covers attorneys’ fees (and lets you pick your attorney), and confidence that your billing practices comply with rules and regulations. If you do not know whether your billing practices comply, do a self-audit or hire a knowledgeable billing expert to audit you.
Read or not here they come…
Beginning June 9, 2014, Public Consulting Group (PCG) began scheduling post-enrollment site visits to fulfill federal regulations 42 CFR 455.410 and 455.450, which require all participating providers to be screened according to their categorical risk level: high, moderate, or limited.
What does being high, moderate, or limited risk mean?
If you are limited risk, the state will check your licenses, ensure that you, as a provider, meet criteria for applicable federal and state statutes, conduct license verifications, and conduct database checks on a pre- and post-enrollment basis to ensure that providers continue to meet the enrollment criteria for their provider type. This is the only category that does not need an onsite review.
If you are moderate risk, the state does everything for you as if you are a limited risk plus perform on-site reviews. (Enter PCG).
If you are high risk, the state will perform all reviews as if you are a moderate risk but also will conduct a criminal background check, and require the submission of a set of fingerprints in accordance with §455.434. (And you thought fingerprints for only for the accused.)
Let’s discuss in which level risk you fall. NC Gen. Stat §108C-3 spells out the risk levels. Are you a new personal care service (PCS) provider getting ready to start your own business? You are high risk. Are you a directly-enrolled behavioral health care provider rendering outpatient behavioral health care services? You are high risk. Do you provide HIV Management services? You are high risk.
Here is a list of high risk providers:
- Prospective (newly enrolling) adult care homes delivering Medicaid-reimbursed services.
- Agencies providing behavioral health services, excluding Critical Access Behavioral Health Agencies
- Directly enrolled outpatient behavioral health services providers.
- Prospective (newly enrolling) agencies providing durable medical equipment, including, but not limited to, orthotics and prosthetics.
- Agencies providing HIV case management.
- Prospective (newly enrolling) agencies providing home or community-based services pursuant to waivers authorized by the federal Centers for Medicare and Medicaid Services under 42 U.S.C. § 1396n(c).
- Prospective (newly enrolling) agencies providing personal care services or in-home care services.
- Prospective (newly enrolling) agencies providing private duty nursing, home health, or home infusion.
- Providers against whom the Department has imposed a payment suspension based upon a credible allegation of fraud in accordance with 42 C.F.R. § 455.23 within the previous 12-month period. The Department shall return the provider to its original risk category not later than 12 months after the cessation of the payment suspension.
- Providers that were excluded, or whose owners, operators, or managing employees were excluded, by the U.S. Department of Health and Human Services Office of Inspector General or another state’s Medicaid program within the previous 10 years.
- Providers who have incurred a Medicaid or Health Choice final overpayment, assessment, or fine to the Department in excess of twenty percent (20%) of the provider’s payments received from Medicaid and Health Choice in the previous 12-month period. The Department shall return the provider to its original risk category not later than 12 months after the completion of the provider’s repayment of the final overpayment, assessment, or fine.
- Providers whose owners, operators, or managing employees were convicted of a disqualifying offense pursuant to G.S. 108C-4 but were granted an exemption by the Department within the previous 10 years.
Here is a list of moderate risk providers:
- Ambulance services.
- Comprehensive outpatient rehabilitation facilities
- Critical Access Behavioral Health Agencies.
- Hospice organizations
- Independent clinical laboratories.
- Independent diagnostic testing facilities.
- Pharmacy Services.
- Physical therapists enrolling as individuals or as group practices.
- Revalidating adult care homes delivering Medicaid-reimbursed services.
- Revalidating agencies providing durable medical equipment, including, but not limited to, orthotics and prosthetics
- Revalidating agencies providing home or community-based services pursuant to waivers authorized by the federal Centers for Medicare and Medicaid Services under 42 U.S.C. § 1396n(c).
- Revalidating agencies providing private duty nursing, home health, personal care services or in-home care services, or home infusion.
- Nonemergency medical transportation.
Here are the limited risk providers:
- Ambulatory surgical centers.
- End-stage renal disease facilities.
- Federally qualified health centers.
- Health programs operated by an Indian Health Program (as defined in section 4(12) of the Indian Health Care Improvement Act) or an urban Indian organization (as defined in section 4(29) of the Indian Health Care Improvement Act) that receives funding from the Indian Health Service pursuant to Title V of the Indian Health Care Improvement Act.
- Histocompatibility laboratories.
- Hospitals, including critical access hospitals, Department of Veterans Affairs Hospitals, and other State or federally owned hospital facilities
- Local Education Agencies.
- Mammography screening centers.
- Mass immunization roster billers.
- Nursing facilities, including Intermediate Care Facilities for the Mentally Retarded.
- Organ procurement organizations.
- Physician or nonphysician practitioners (including nurse practitioners, CRNAs, physician assistants, physician extenders, occupational therapists, speech/language pathologists, chiropractors, and audiologists), optometrists, dentists and orthodontists, and medical groups
According to the June 2014 Medicaid Bulletin, the onsite reviews will last approximately two hours and PCG will send 2 representatives to conduct the review.
How to prepare for the onSite reviews
- Read and learn. (or re-learn, whichever the case may be).
“Providers will be expected to demonstrate a working knowledge of N.C. Medicaid through responses to a series of questions.” See June 2014 Medicaid Bulletin.
Knowledge is power. Brush up on your applicable DMA Clinical Coverage Policy. Review the NC Medicaid Billing Guide. Re-read your provider participation agreement. If you don’t understand a section, go to your attorney and ask for an explanation. Actually read the pertinent federal and state statutes quoted in your participation agreements because, whether you know what the laws say or not, you signed that agreement and you will be held to the standards spelled out in the federal and state statutes.
- Call your liability insurance.
Be proactive. Contact your liability insurance agent before you get the notice of an onsite review from PCG. Have a frank, open discussion about these upcoming onsite reviews. Explain that you want to know whether you policy covers attorneys’ fees and whether you can choose your attorney. If your policy does not cover attorneys’ fees or does not allow you to choose your own lawyer, beef up your liability insurance plan to include both. Believe me, the premiums will be cheaper than an attorney from your own pocket.
- Be confident.
Presentation matters. If you whisper and cower before the PCG reviewers, you will come across as weak and/or trying to hide something. Be polite and forthcoming, but provide the information that is asked of you; do not supply more information than the reviewers do not request.
I always tell my clients before their deposition or a cross examination by the other side, “Answer the question that is asked. No more. If you are asked if your favorite color is blue, and you favorite color is red, the correct response is “No,” not “No, my favorite color is red.” Do not over-answer.
If you do not believe that you can be confident, ask your attorney to be present. I had someone tell me one time that he did not want an attorney present because he felt that the auditors would think he was hiding something and he did not want to appear litigious. I say, this is your company, your career, and your life. If you need the support of an attorney, get one. Whenever I give this advice, I try to imagine that I am telling the same advice to my mother. My mother, bless her heart, does not have the confidence to stand her ground in high pressure situations. She would rather yield her position than be the least bit confrontational. If that also describes you, have your attorney present.
- Know your rights.
What if you fail the onsite review? Can you appeal? You need to know your rights. When you get a notice from PCG that an onsite review is scheduled, contact your attorney. Make sure that BEFORE the onsite review, you understand all the possible consequences. Knowing your rights will also help with #3, confidence. If you know the worst case scenario, then you stop creating worse case scenarios in your mind and become more confident.
Ready or not, the PCG reviews are coming, so get ready!
Extrapolated audits are no fun, unless you work for a recovery audit contractor (RAC). You get a Tentative Notice of Overpayment (TNO) that says the auditor reviewed 100 dates of service (DOS), found an overpayment of $1,000, so you owe $1 million dollars. Oh, and please pay within 30 days or interest will accrue…
North Carolina’s 2nd recovery audit contractor (RAC) is ramping up. HMS had a slower start than Public Consulting Group (PCG); the Division of Medical Assistance originally announced that HMS would be conducting post-payment reviews last October 2012 in its Medicaid Bulletin. NC’s 1st RAC, PCG came charging out the gate. HMS has been a bit slower, but HMS is active now.
HMS is performing post-pay audits on inpatient and outpatient hospital claims, laboratory, specialized outpatient therapy, x-ray and long-term care claims reviews.
According to the December 2013 Medicaid Bulletin, the findings for the first group of automated lab reviews were released in early November 2013. Additional lab reviews are expected to be completed and findings released by late December 2013. The post-payment reviews are targeting excessive drug screening.
And specialized therapy service providers, you are next on the list!
How will the providers know the results of an HMS post-payment review? Same way as with PCG. You will receive a Tentative Notice of Overpayment (TNO) in the mail with some crazy, huge extrapolated amount that you supposedly owe back to the state.
If you receive a TNO, do not panic (too much), take a deep breath and read my blog: “You Received a Tentative Notice of Overpayment, Now What?”
Remember, most of the post-payment reviews that I have seen have numerous auditing mistakes on the part of the auditor, such as the auditor applying the more recent clinical coverage policies rather than the clinical coverage policy that was applicable to dates of services audited.
DMA Clinical Policy 1S-4 “Cytogenetic Studies“, for example, was recently revised February 1, 2013. Obviously, an auditor should not apply the February 1, 2013, policy to a service provided in 2012…but you would not believe how often that happens!
So what can you do to be prepared? Well, realistically, you cannot be prepared for audit ineptness.
But you can be proactive. Contact your insurance policy to determine whether your liability insurance covers attorneys’ fees for regulatory audits. It is important to be proactive and determine whether your insurance company will cover attorneys’ fees prior to undergoing an audit. Because if you find out that your liability insurance does not cover attorneys’ fees, then you can upgrade your insurance to cover attorneys’ fees. I promise, it is way better to pay additional premiums than get hit with $25,000+ bill of attorneys’ fees. Plus, if you wait until you are audited to determine whether your liability insurance covers attorneys’ fees and you realize it does not, then the insurance company may not allow you to upgrade your insurance. The audit may be considered a pre-existing condition.
So…proactiveness is imperative. But you can always move to West Virginia…
In a survey of 18 states conducted by the National Conference of State Legislatures (NCSL) and published August 29, 2013, NCSL determined that 10 states use extrapolations with the RAC audits, 7 do not and 1 intends to use extrapolations in the future. (No idea why NCSL did not survey all 50 states).
Delaware, Maryland, New Hampshire, Pennsylvania, Vermont, West Virginia, and Wisconsin do not use extrapolations in Medicaid RAC audits.
So moving to West Virginia is an option too…
It is without question that the implementation of NCTracks has been a complete debacle. NCTracks is the new computer system that is processing Medicaid claims for all health care providers who accept Medicaid in North Carolina. NCTracks went live July 1, 2013.
Immediately upon going “live,” providers received error messages. Providers were not timely paid. If the provider was paid, the reimbursement amount was incorrect. Depending on the type of provider you are, your issues varied from other types of providers. But all types of providers encountered adverse issues.
I still do not understand, even today, why the current administration did not stand up (figuratively and publicly) against Computer Sciences Corporation (CSC) the company contracted to create NCTracks and say, “North Carolina, CSC has created this debacle. We didn’t hire CSC. The past administration did. We will try to fix this debacle now…” That would have been the best public relations move, in my mind. However, instead, the Department of Health and Human Services (DHHS) stood by CSC and stated publicly how wonderful NCTracks was doing….”NCTracks is on track!”
Oh, well, suum cuique. Or…to each his own.
One of the biggest problems for providers with NCTracks is the Medicare/Medicaid crossover issue.
What is the Medicare/Medicaid crossover issue?
DHHS explains the crossover issue in the November 2013 Medicaid Bulletin as the “Medicaid Allowable minus Medicare Paid Amount equals the Net Medicaid Allowable. Next, the Net Medicaid Allowable is compared to the Medicare Coinsurance Amount and the lesser of the two is the amount payable by Medicaid.”
DMA also offers the following chart as clarification
|Example No. 1||Example No. 2|
|Total Billed Charges||
|Medicare Allowed Amount||
|Medicare Paid Amount||
|Medicare Contractual Adjustment||
|Medicare Coinsurance Amount||
|Medicare Paid Amount||
|Net Medicaid Allowable||
|Lesser of Medicare Coinsurance and Net Medicaid Allowable Amount||
DHHS goes on to say that even though the crossover claims should have been paid according to the above logic, the payments to providers for crossover claims on the NCTracks system versus the HP system may be different, as in, you may be getting paid less on the NCTracks system.
Why? We had the HP system for 35 years.
Well, according to DHHS, because the HP system “lacked the capability to perform such calculations on a claim specific basis. Instead, the prior Medicaid claims system included a “work around” that estimated the amount payable. In some cases, the “work around” paid more than the amount payable in accordance with State law and the North Carolina State Plan approved by CMS.”
Hold on….Hit the brakes!!!
Is DHHS telling us that NC was not federally compliant with Medicare/Medicaid crossover claims for 35 years???!!!!???
So, how much does NC owe to the federal government for overpaid crossover claims over a 35-year period?? And will it be extrapolated? Maybe PCG can audit NC.
This boggles my mind.
Here is the other fact that boggles my mind:
According to DHHS, “on October 7, 2013, NCTracks implemented system logic to more precisely pay Medicare crossover claims in accordance with State law and the North Carolina State Plan approved by the Centers for Medicare and Medicaid Services (CMS) on a claim specific basis. The amount of payment is the difference in the amount paid by Medicare and the Medicaid Allowable amount up to the actual amount of the Medicare coinsurance, deductible or both.”
98 days after NCTracks went live???
Why in the world would this Medicare crossover issue NOT be implemented PRIOR TO going live? The Medicare crossover issue just doesn’t seem to be a “Eh, whatever…Let’s take a gamble” issue.
So I propose a toast to DHHS. Well done. Well done on becoming federally compliant as to the Medicare/Medicaid crossover claims (if, in fact ,we are) 35 years later. And well done, to implementing a NCTracks implemented system to “more precisely pay Medicare crossover issues” 98 days after NCTracks went live.
To timeliness! Here! Here!! (the clinking of glasses).
Maybe…just maybe….in 200+ years, NC may fix the broken Medicaid system…