Where Is Your PHI Data Traveling Today?

Understanding "The Cloud" and it's regulatory relationship with HIPAA and PHI.

With most vendors offering and pushing cloud computing solutions and offsite data backup, or guaranteeing offsite backup of data they process for you, many HIPAA covered entities (CEs) and business associates (BAs) are questioning whether and how they can take advantage of cloud computing while complying with regulations protecting the privacy and security of electronic protected health information (ePHI). 

What "Cloud" computing means is that instead of all the computer hardware and software you're using sitting on your desktop, or somewhere inside your company's network, it's provided for you as a service by another company and accessed over the Internet, usually in a completely seamless way. Exactly where the hardware and software is located and how it all works doesn't matter to you, the user -- it's just somewhere up in the nebulous "cloud" that the Internet represents. 

The business decision to "move to the cloud" is often financially motivated. Companies used to have to buy their own hardware equipment, the value of which depreciated over time. But now with the cloud, companies only have to pay for what they use. This model makes it easy to quickly scale use up or down and to have data backed up for you as part of that provided service.

The rise of offshore IT services, including distributed storage, by cloud data providers creates issues that most healthcare providers have not yet realized. Even if some of the issues are realized, many covered entities and their business associates do not know where their data is currently being processed, stored, or backed up. In fact, storage or processing of protected health information (PHI) overseas may or may not be permitted or at least require additional resources, such as additional or more detailed risk assessments.

There are currently no federal regulations or statutes that prevent storing or processing PHI offshore or overseas; however, the Centers for Medicare and Medicaid Services (CMS), the U.S. Department of Health and Human Services (HHS), and the U.S. Office of Civil Rights (OCR) within the HHS, have all issued regulations or provided guidance that restrict storing or processing PHI offshore. In addition, there are four states that ban any Medicaid data from being stored or processed overseas (Arizona, Alaska, Ohio and Wisconsin), two more that only allow offshore contracts under extremely limited circumstances, and nine more that have specific requirements that must be met before any offshore processing or storage of Medicaid data is allowed. 

Even if a healthcare provider is not located in one of the above states, if the provider has treated a patient of those states, state regulators may argue that the healthcare provider must comply with their laws, regulations, and guidance, as applied to the resident of their state. Even more concerning is that even though Delaware does not have any laws or statutes banning offshore processing or data storage, Delaware recently started adding provisions to all of their contracts (similar to Wisconsin) that the State (Delaware) will not permit project work to be done offshore. There may be additional states adding these prohibitions to their contracts in the future.

If extra regulatory burden and potential state law bans were not enough by themselves, any PHI stored offshore likely will be subject to local law of the country in which it is stored. Furthermore, these local laws may allow for actions or even access to the data that directly conflicts with requirements on healthcare providers under HIPAA/HITECH, even if the vendor signed a Business Associate Agreement (BAA). Due to the issues in enforcing HIPAA and HITECH, and even a BAA against an overseas vendor, HHS has basically stated that it is the duty of the healthcare provider or vendor for deciding how to vet data services vendors and comply with expected additional requirements when conducting a risk assessment on overseas providers. 

At this point, most healthcare providers question if any offshore or offsite data storage or processing is worth any potential cost savings, or if OCR has any further guidance. In the fall of 2016, OCR prepared guidance that explained how federal health information privacy and data security rules apply to cloud services. In summary, this guidance helped data service companies, but at the expense of covered entities by primarily placing the burden on the covered entities, specifically hospitals, insurers, doctors, and other healthcare providers.

In looking at data service vendors, OCR decided that data service subcontractors of the covered entities’ business associates are actually business associations of the business associates. According to the OCR, covered entities must assess the cloud services providers’ or offshore providers’ data security efforts, but HIPAA does not require the cloud services providers to allow covered entities audit them. As such, covered entities are required to determine how well a cloud services provider handles system reliability, data security, and data backup and recovery, without the ability to perform an audit. While this is problematic when dealing with domestic cloud service providers, it creates additional issues when dealing with overseas cloud service providers. 

While OCR allows use of overseas providers, as of right now the rules of HIPAA and HITECH fail to address any international aspects, leaving no requirements but also no protections for covered entities. If you select a domestic provider, the laws and regulations regarding PHI apply to both parties, but if an overseas provider is selected, HIPAA and HITECH will not apply, unless they contractually agreed to comply with such laws and regulations. If there is a breach and the overseas provider refuses to defend against or pay any fines or fees levied related to the breach, the covered entity may be liable for paying. It is also important to note that while an international provider may agree to sign a BAA, many international providers do not understand the requirements of HIPAA and HITECH, while most domestic providers have a greater understanding.

Even if you know where the company with whom you are contracting is located, do you know where they send the backup data? Do they send data for processing or backup to other agents, subcontractors, vendors, or other data providers overseas? You may not realize your data is regularly taking international trips, and may be better traveled than you are. In addition, if a relationship is terminated with an international provider, how will you ensure that the data is wiped from the system? Healthcare providers generally must require a certificate of destruction when terminating data services, and will you be able to comply with this provision with an offshore provider?

In contracting with cloud service providers, including backup providers, e-mail providers, and other processing entities, covered entities and their business associates must determine where their data is located, and if it is offshore, they must analyze if any of the information is prohibited from being exported by any state or local regulations. If not, next it must be determined if there is an extra compliance burden associated with the data being offshore, and if that extra compliance burden and the associated risk of being offshore are worth any cost savings by using the offshore provider. If an entity knows that some of its data may be banned from being exported overseas, or would raise too much risk or compliance burden, then language banning such exports should be placed in the agreements, including any BAAs. 

Used with permission from: Craig A. Phillips council member of Dickinson Wright

To subscribe to this blog, enter your email address:


Delivered by FeedBurner

CMS Issues New Emergency Preparedness Rule

September is National Preparedness Month and CMS is Getting Involved  By Establishing New Emergency Preparedness Requirements for Medicare and Medicaid Health Care Providers.

The Centers for Medicare & Medicaid Services (CMS) has issued a final rule to establish consistent emergency preparedness requirements for health care providers participating in Medicare and Medicaid, stating that the regulation will increase patients’ safety during emergencies and ensure more coordinated response to natural and manmade disasters.

“Over the past several years, and most recently in Louisiana, a number of natural and manmade disasters have put the health and safety of Medicare and Medicaid beneficiaries – and the public at large – at risk. These new requirements will require certain participating providers and suppliers to plan for disasters and coordinate with federal, state tribal, regional, and local emergency preparedness systems to ensure that facilities are adequately prepared to meet the needs of their patients during disasters and emergency situations,” the agency’s Sept. 8 news release stated.

“Situations like the recent flooding in Baton Rouge, Louisiana, remind us that in the event of an emergency, the first priority of health care providers and suppliers is to protect the health and safety of their patients,” said CMS Deputy Administrator and Chief Medical Officer Dr. Patrick Conway, M.D., MSc. “Preparation, planning, and one comprehensive approach for emergency preparedness is key. One life lost is one too many.”

“As people with medical needs are cared for in increasingly diverse settings, disaster preparedness is not only a responsibility of hospitals, but of many other providers and suppliers of health care services. Whether it’s trauma care or long-term nursing care or a home health service, patients’ needs for health care don’t stop when disasters strike; in fact, their needs often increase in the immediate aftermath of a disaster,” added Dr. Nicole Lurie, HHS’ assistant secretary for preparedness and response. “All parts of the health care system must be able to keep providing care through a disaster, both to save lives and to ensure that people can continue to function in their usual setting. Disasters tend to stress the entire health care system, and that’s not good for anyone.”

CMS reports that it reviewed current Medicare emergency preparedness regulations for providers and suppliers and concluded the regulatory requirements were not comprehensive enough to address the complexities of emergency preparedness; they did not address the need for communication to coordinate with other systems of care within cities or states; contingency planning; or training of personnel. So the final rule requires Medicare and Medicaid participating providers and suppliers to meet these four industry best practices:

1.Emergency plan: Based on a risk assessment, develop an emergency plan using an all-hazards approach focusing on capacities and capabilities that are critical to preparedness for a full spectrum of emergencies or disasters specific to the location of a provider or supplier.

2.Policies and procedures: Develop and implement policies and procedures based on the plan and risk assessment.

3.Communication plan: Develop and maintain a communication plan that complies with both federal and state laws.

4.Training and testing program: Develop and maintain training and testing programs, including initial and annual training, and conduct drills and exercises or participate in an actual incident that tests the plan.

CMS said these standards are adjusted to reflect the characteristics of each type of provider and supplier. For example, outpatient providers and suppliers such as ambulatory surgical centers and end-stage renal disease facilities won’t be required to have policies and procedures for provision of subsistence needs; hospitals, critical access hospitals, and long-term care facilities will be required to install and maintain emergency and standby power systems based on their emergency plan.

In response to comments, CMS removed the requirement for additional hours of generator testing, added flexibility to choose the type of exercise a facility conducts for its second annual testing requirement, and decided to allow a separately certified facility within a health care system to take part in that system’s unified emergency preparedness program.

The regulations will take effect on November 15, 2016.  Healthcare providers and suppliers affected by the rule must comply and implement all regulations one year after the effective date. More specific information about the Emergency Preparedness Rule can be found here.

Providers/Suppliers Facilities Impacted by the Emergency Preparedness Rule:

1. Hospitals

2. Religious Nonmedical Health Care Institutions (RNHCIs)

3. Ambulatory Surgical Centers (ASCs)

4. Hospices

5. Psychiatric Residential Treatment Facilities (PRTFs)

6. All-Inclusive Care for the Elderly (PACE)

7. Transplant Centers

8. Long-Term Care (LTC) Facilities

9. Intermediate Care Facilities for Individuals with Intellectual Disabilities (ICF/IID)

10. Home Health Agencies (HHAs)

11. Comprehensive Outpatient Rehabilitation Facilities (CORFs)

12. Critical Access Hospitals (CAHs)

13. Clinics, Rehabilitation Agencies, and Public Health Agencies as Providers of Outpatient Physical Therapy and Speech-Language Pathology Services

14. Community Mental Health Centers (CMHCs)

15. Organ Procurement Organizations (OPOs)

16. Rural Health Clinics (RHCs) and Federally Qualified Health Centers (FQHCs)

17. End-Stage Renal Disease (ESRD) Facilities

Source(s): www.hcsiiinc.com, https://www.cms.gov, https://1105media.com/, https://www.ready.gov,

http://hcsiinc.blogspot.com/2016/09/preparing-your-practice-for-emergencies.html

To subscribe to this blog, enter your email address:


Delivered by FeedBurner

Clarification comes a week after one CMS official had discussed the end of Meaningful Use

Meaningful Use Stage Three to Continue Even As the Agency Moves to Implement MACRA’s Value-Based Payment Law

Talk about mixed messages! Is the federal Meaningful Use (MU) program about to end? Or is it going to continue and evolve in significant new ways?

Alert pathologists and clinical laboratory executives may have picked up on the conflicting statements about the future plans for Meaningful Use that have been made in recent weeks by certain officials from the Centers for Medicare and Medicaid Services (CMS).

Because thousands of hospitals and hundreds of thousands of physicians have made substantial capital investments in electronic health records to qualify for federal incentives, any major change to the Meaningful Use requirements will have broad consequences.

Medical laboratories have a big stake in this issue as well, since they must invest substantial money into creating the interfaces needed to connect their labs’ laboratory information systems (LIS) to the EHRs of client hospitals and physicians.

CMS Drops Bombshell at J.P. Morgan Healthcare Conference

The first significant discussion about major changes to the Meaningful Use program came on January 12, 2016. That’s when CMS Administrator Andy Slavitt, MBA, made the surprise announcement during a speech to the J. P. Morgan Healthcare Conference in San Francisco.

“Now that we effectively have technology into virtually every place [health]care is provided, we are now in the process of ending meaningful use and moving to a new regime culminating with the Medicare Access and Children’s Health Insurance Program Reauthorization Act of 2015 (MACRA) implementation,” declared Slavitt to a surprised audience. “The meaningful use program as it has existed will effectively be over and replaced with something better.”

During his presentation, Slavitt indicated that three provider-reporting programs will be sunset and aligned into a single new program, but he said details of the next stage would not emerge for several months.

Andy Slavitt, MBA, Acting Administrator at the Centers for Medicare and Medicaid Services, surprised physicians and healthcare executives when he announced on Jan. 12 that the meaningful use program, which had rewarded providers for demonstrating their use of electronic health records, would be phased out this year. “The Meaningful Use program as it has existed will now be effectively over and replaced with something better,” he said. (Photo copyright: Politico.)

Slavitt’s comments about ending Meaningful Use were widely reported. While addressing the group, he said that, by phasing out the MU incentive program this year, the agency wanted to streamline and simplify programs in preparation for the implementation of MACRA, which repealed the Medicare sustainable growth rate (SGR) formula that calculated payment cuts for physicians. The new legislation also established a timeline for replacing Medicare’s existing fee-for-service payments with two payment tracks:

1. The Merit-based Incentive Payment System (MIPS); and,

2. Alternative payment models (APMs) by January 2019.

Slavitt described the MACRA legislation as a “major item squarely on our punch list [at CMS].”

“The stakes for this program are high,” he told the audience. “As any physician will tell you, physician burden and frustration levels are real. Programs that are designed to improve often distract. Done poorly, measures are divorced from how physicians practice and add to the cynicism that the people who build these programs just don’t get it.”

CMS Gave No Warning MU Was Ending

Given the content of Slavitt’s announcement, reaction to his statements about the impending end to the Meaningful Use program as it now exists caused a big stir among healthcare executives tasked with handling information technologies at their hospitals or physician practices.

Apparently officials at CMS noticed the reaction generated by Slavitt’s presentation at the J.P. Morgan 34th Annual Healthcare Conference. About one week later, a blog post titled, “EHR Incentive Programs: Where We Go Next” was published by CMS on its website. The blog’s authors were Andy Slavitt and Karen DeSalvo, the National Coordinator at CMS. It was a message to the healthcare industry that, in fact, Meaningful Use was to continue. What was changing was that Meaningful Use—the measurement of certified EHR technology by providers—would be managed by CMS in a manner that is consistent with the requirements of the Medicare Access and CHIP Reauthorization Act (MACRA) that Congress passed in 2015.

In a related story about CMS’ new direction for Meaningful Use titled, “CMS, ONC: Transition to MACRA Will Not Mean the Elimination of MU, EHR Incentives,” FierceEMR wrote, “The Meaningful Use incentive program is transitioning, but it’s not over, and electronic health record incentives are here to stay, the Centers for Medicare & Medicaid Services and the Office of the National Coordinator for Health IT clarified on Tuesday [January 19, 2015].”

In their blog comments, Slavitt and DeSalvo also emphasized that CMS is bound, under current law, to continue forward with measuring provider use of EHRs, as required by the Meaningful Use rules. They noted that Stage Three MU would continue. Meanwhile, the agency is moving forward to implement the requirements of MACRA, they said.

Further, the CMS officials noted that the agency had heard the comments and complaints by hospitals and physicians about the burdensome aspect of using EHRs and attempting to comply with the Stage Three Meaningful Use requirements. They wrote, “The approach to meaningful use under MACRA won’t happen overnight. Our goal in communicating our principles now is to give everyone time to plan for what’s next and to continue to give us input. We encourage you to look for the MACRA regulations this year; in the meantime, our existing regulations—including meaningful use stage three—are still in effect.”

Source(s): Andrea Downing Peck http://www.darkdaily.com, www.cms.com

For more information on this and other healthcare compliance topics related to HIPAA, OSHA, Medicare and HR, simply email your questions to support@hcsiinc.com, 

visit our website at http://www.hcsiinc.com or post a question on our LinkedIn group at: http://bit.ly/1FWmtq6

To subscribe to this blog, enter your email address:


Delivered by FeedBurner

The Move Away From Fee-For-Service Healthcare

White House Launches Medicare's Most Aggressive Accountable Care Effort Yet

The move away from fee-for-service Medicare forged ahead for 21 accountable care organizations entering a new more aggressive phase of a program that puts doctors and hospitals at even greater financial risk so they can improve quality, lower costs and potentially reap better pay.

The announcement by the Centers for Medicare & Medicaid Services about the number of participants in the “next generation” ACO model is significant because there had been concern some ACOs would lose interest or wouldn’t take on the more aggressive goals of the program. “In addition to being paid for positive patient outcomes (providers) will also receive penalties for negative ones,” the Obama administration said.

ACOs, which are proliferating across the country, put doctors, hospitals and a team of providers including social workers under the same umbrella to care for populations of patients. The ACO has a contract with Medicare to improve quality, lower costs and then keep any money saved from year to year based on the arrangement with the health plan.

To subscribe to this blog, enter your email address:


Delivered by FeedBurner

In all, there are more than 475 Medicare ACOs across the country serving nearly 9 million Medicare beneficiaries since the so-called “Medicare Shared savings program” began in 2012 under the Affordable Care Act. The smaller number in the next generation program are taking on greater financial risks.

Unlike earlier ACOs that have contracted with Medicare, participants can take on more financial risk “up to 100%.”

“We are moving Medicare and the entire healthcare system toward paying providers based on the quality, rather than the quantity of care they give patients,” U.S. Secretary of Health and Human Services Sylvia Burwell said. “Americans will get better care and we will spend our healthcare dollars more wisely because these hospitals and providers have made a commitment to change how they do business and work with patients.”

The ACO program is all part of the Obama administration’s effort announced last year to shift 50% of Medicare payment to value-based models and away from fee for-service by 2018. Large health insurance companies are doing the same thing in the private sector led by UnitedHealth Group, Aetna, Anthem and Blue Cross and Blue Shield plans across the country that are shifting tens of billions of dollars in payments to value-based models like ACOs, medical homes and bundled payments to providers.

While there are challenges in reducing costs while at the same time improving quality, those involved with the “next generation” phase say they see more opportunities to provide more cost-effective options that will still provide Medicare beneficiaries better service.

For example, Universal American, which contracts with Medicare to provide health benefits to seniors, said it is covering telehealth consultations that an ACO in its network will use to keep beneficiaries healthy and at home.

“Telemedicine services received at a beneficiary’s home will be covered and allow physicians to offer care through telephonic, online and other electronic communications,” said Richard Barasch, chief executive officer of Universal American, which contracts with Houston-based Accountable Care Coalition of Southeast Texas, one of the 21 next-generation Medicare ACOs.

Source: Bruce Japsen, http://www.forbes.com/   

For more information on this and other healthcare compliance topics related to HIPAA, OSHA, Medicare and HR, simply email your questions to support@hcsiinc.com, 

visit our website at http://www.hcsiinc.com or post a question on our LinkedIn group at: http://bit.ly/1FWmtq6

Medicare Advantage Fraud: Temptation, Consequence, and Protection

Knowing the law and keeping careful records may head off fraud and significant legal expenses.

Medicare Advantage delivers Medicare Parts A and B coverage through a private insurer. To encourage companies to participate in Medicare Advantage, CMS uses risk scores to determine how much a sponsor will be paid for each member of a plan. Risk scores assign a value to determine how much a plan member may cost the plan. For example, an individual whose family has a history of cancer would have a higher risk score than an identical individual without a family history. The higher the risk score of a plan member, the more the company is paid for that member’s plan.

Federal government payments to Medicare Advantage plans are based solely on the number of members enrolled at each risk score—not on the services received by the beneficiaries. That payment arrangement creates two temptations: to inflate risk scores and to sign up as many members as possible.

Recently, several whistleblower suits have shown that people do succumb to these temptations. One of those lawsuits revealed the existence of a memo­randum allegedly sent to physician practices encouraging doctors to bring in elderly patients to sign up for Medicare Advantage by promising the patients complimentary parking and waiving their copayments. Justice Department officials ultimately determined that there was no wrongdoing and didn’t intervene. But this case and others like it show that Medicare Advantage is coming under heightened scrutiny, and health plans need to be ready for it.

Legal consequences 

Medicare Advantage fraud enforcement comes in two basic flavors: CMS enforcement actions and whistleblower lawsuits. CMS initiates an enforcement action when officials decide a plan sponsor is in substantial or repeated noncompliance with its contract with the agency. Enforcement actions range from civil monetary penalties to terminating the plan’s contract. Intermediate sanctions may include suspended plan payments or the removal of the company’s ability to enroll new beneficiaries into its Medicare Advantage programs. Because Medicare Advantage has been under heightened scrutiny from Congress and the media, CMS may step up the number and severity of its enforcement actions.

Whistleblowers may bring actions under the False Claims Act on behalf of the government if they find evidence of fraud. As more sealed cases are made public, more whistleblowers could come forward with greater confidence that they will not suffer retaliation. Whistleblower lawsuits can mean millions of dollars in litigation costs, even when the lawsuit proves to be frivolous or off-base.

Four protective steps

What can health plan executives do to head off any problems with fraud? First and most fundamentally, know the law and abide by it. It is impossible for a plan sponsor that does not know what is legal and illegal to administer its plan legally. The leaders at a health plan must ensure that all employees of the company understand what constitutes fraudulent activity and how to prevent any such activity. They should avail themselves of any available resources to help them understand the requirements by which they must abide. That could mean discussions with an attorney or using free publicly available resources, such as the guidances posted on the HHS website.

Second, confirm that all required information, including billing information, is correct and complete. If an issue arises, accurate records will be key to demonstrating the legality of the provider’s policies. Third, implement a compliance program to ensure that the plan sponsor is fulfilling the required competencies for Medicare Advantage providers. Finally, report any violations promptly. All Medicare Advantage plan sponsors are required to have a mechanism to report abuses. No one may retaliate against an employee for making a report. Finding and actively resolving any violations could save millions of dollars in litigation costs years in the future.

Help fight Medicare fraud

Medicare fraud wastes a lot of money each year and results in higher health care costs and taxes for everyone. Examples of Medicare fraud include:

• A healthcare provider billing Medicare for services you never got
• A supplier billing Medicare for equipment you never got
• Someone using your Medicare card to get medical care, supplies, or equipment
• A company using false information to mislead you into joining a Medicare plan

You’re the first line of defense against Medicare fraud. You can help by guarding your Medicare number --- treat it like a credit card.

More ways to protect yourself, your loved ones, and Medicare from fraud:

• Learn tips to prevent fraud
• Learn how to spot fraud
• Learn how to report fraud
• Find out what you need to know if you’re in, or thinking about joining, a Medicare health or drug plan

Sources: Merle DeLancey & Lyndsay Gorton @ http://www.managedcaremag.com/, https://www.cms.gov/

For more information on this and other healthcare topics related to HIPAA, OSHA, Medicare and HR compliance please email support@hcsiinc.com or visit our website at http://www.hcsiinc.com 
Join our LinkedIn group at: http://bit.ly/1FWmtq6

To subscribe to this blog, enter your email address:


Delivered by FeedBurner

CMS issues Final Rule

CMS Issues Final Rule & Changes to the Two-Midnight Rule

On October 30, 2015, CMS issued its final rule with comment period (Final Rule) for the Medicare hospital outpatient prospective payment system (OPPS) and the Medicare ambulatory surgical center (ASC) payment system for calendar year 2016, as well as updates to the requirements for the Hospital Outpatient Quality Reporting (OQR) Program and the ASC Quality Reporting (ASCQR) Program.  The Final Rule also finalized certain policies relating to the hospital inpatient prospective payment system (IPPS), including changes to the two-midnight rule.

CMS estimates that based on the Final Rule, total payments for CY 2016 to the estimated 4,000 facilities paid under the OPPS will decrease by a projected $133 million (0.4 percent) compared to CY 2015.  This impact is greater than the proposed rule’s estimated $43 million (0.2 percent) decrease in total OPPS payments.  Additionally, although the proposed rule estimated a payment increase to ASCs of 1.1 percent, under the Final Rule, CMS estimates that total payments to ASCs for CY 2016 will be approximately $4.221 billion, an increase of only 0.3 percent, or approximately $128 million, as compared to estimated CY 2015 Medicare payments. 

In the Final Rule, CMS has finalized a number of changes for CY 2016, including the following changes to OPPS and the ASC payment system:

• An Outpatient Department (OPD) fee schedule increase factor of 1.7 percent (which is based on the final estimated hospital IPPS market basket percentage increase of 2.4 percent, less the final 0.5 percentage point multifactor productivity (MFP) adjustment, and less an additional 0.2 percentage point adjustment mandated by the Affordable Care Act);   
• Reducing the CY 2016 conversion factor by 2.0 percent to account for an approximately $1 billion inflation in CY 2014 OPPS payments that resulted from excess packaged payment for laboratory tests that were projected to be packaged into OPPS payment rates, but continued to be paid separately in CY 2014; 
• Requiring that laboratory tests be conditionally packaged  on a claim with an OPD service that is assigned a certain status indicator, irrespective of the date(s) of service, unless an exception applies or the laboratory test is “unrelated” to the other OPD service(s) on the claim;  
• Setting a statutory default of average sales price plus 6 percent for payment for the acquisition and pharmacy overhead costs of separately payable drugs and biologicals that do not have pass-through status; 
• Expanding the set of conditionally packaged ancillary services to include three new ambulatory payment classifications; 
• Establishing for the Hospital OQR Program for the CY 2017 payment determination and subsequent years, the following requirements, among other changes: (1) removing the OP-15: Use of Brain Computed Tomography (CT) in the Emergency Department for Atraumatic Headache measure, effective January 1, 2016; (2) revising from November 1 to August 31 the deadline for withdrawing from the Hospital OQR Program; (3) shifting to a new payment determination timeframe that will use only three quarters of data for the CY 2017 payment determination; (4) changing the timeframe in which data may be submitted for measures submitted via the CMS QualityNet website to January 1 through May 15; and (5) changing the deadline for submitting a reconsideration request to the first business day on or after March 17 of the payment year at issue;
• Establishing for the Hospital OQR Program for the CY 2018 payment determination and subsequent years the following  requirements, among others:  (1) adding a new measure: OP-33: External Beam Radiotherapy (EBRT) for Bone Metastases (NQF #1822) with a modification to the proposed manner of data submission; and (2) shifting the quarters on which CMS bases payment determinations to again include four quarters of data;
• Increasing payment rates under the ASC payment system by 0.3 percent for ASCs that meet the quality reporting requirements under the ASCQR Program; 
• Establishing a revised process of assigning ASC payment indicators for new and revised Category I and III CPT codes that would be effective January 1; and
• Setting the final ASC conversion factor of $44.177 for ASCs that meet the quality reporting requirements, based on the product of the CY 2015 conversion factor of $44.058 multiplied by the wage index budget neutrality adjustment of 0.9997 and the MFP-adjusted CPI–U payment update of 0.3 percent.

Under the Final Rule, CMS has also modified its prior “exceptions” policy under the two-midnight benchmark, which previously was limited to cases involving services designated by CMS as inpatient-only and those other exceptions published on the CMS website or in other sub-regulatory guidance.  CMS will now allow exceptions to the two-midnight benchmark to be determined on a case-by-case basis by the beneficiary’s responsible physician, subject to medical review.  CMS is careful to note that it expects that stays less than 24 hours would rarely fall into an exception. 

The Final Rule also finalized certain proposed changes from the FY 2015 IPPS Proposed Rule to the Medicare regulations governing provider administrative appeals and judicial review relating to appropriate claims in provider cost reports.  Specifically, CMS has finalized revisions to the cost reporting rules requiring providers to include an appropriate claim for a specific item on their cost reports—either by affirmatively claiming reimbursement or expressly self-disallowing the cost by filing a cost report item under protest—in order to be eligible to potentially receive Medicare reimbursement and/or to be eligible to appeal their reimbursement (or lack thereof) to the Provider Reimbursement Review Board.  CMS has eliminated the duplicative requirement to do the same in order to meet the “dissatisfaction” requirement for Board jurisdiction.  CMS has also specified procedures for Board review of whether a provider’s cost report meets this substantive reimbursement requirement of an appropriate cost report claim for a specific item.

Any comments on the payment classifications assigned to HCPCS codes identified in Addenda B, AA, and BB with the “NI” comment indicator and on other areas indicated in the Final Rule must be received no later than 5 p.m. EST on December 29, 2015.

The CMS Fact Sheet on the Final Rule is available here.  An additional Fact Sheet on the Two-Midnight Rule is available here.  The Final Rule is scheduled to be published in the Federal Register on November 13, 2015.  Our Health Headlines article summarizing the proposed rule is available here.

Source(s): HCSI, www.cms.gov, Christina Ann Gonzalez @ http://www.lexology.com/

For more information on this and other healthcare topics related to HIPAA, OSHA, Medicare and HR compliance please email support@hcsiinc.com or visit our website at http://www.hcsiinc.com 
Join our LinkedIn group at: http://bit.ly/1FWmtq6

To subscribe to this blog, enter your email address:

Delivered by FeedBurner