Hit recs contracting issues
1 / 28

HIT RECs: Contracting Issues - PowerPoint PPT Presentation

  • Uploaded on

HIT RECs: Contracting Issues. Constance A. Wilkinson May 6, 2010 2010 AHQA Annual Meeting. Agenda. Provider Contracts 2010 HIPAA and HITECH Payments HIT REC - QIO Contracts Conflict of Interest. Factors Resulting in Increased Scrutiny of Holders of PHI.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'HIT RECs: Contracting Issues' - Rita

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Hit recs contracting issues l.jpg

HIT RECs: Contracting Issues

Constance A. Wilkinson

May 6, 2010

2010 AHQA Annual Meeting

Agenda l.jpg

  • Provider Contracts

    • 2010 HIPAA and HITECH

    • Payments

  • HIT REC - QIO Contracts

    • Conflict of Interest

Factors resulting in increased scrutiny of holders of phi l.jpg
Factors Resulting in Increased Scrutiny of Holders of PHI

  • Breach Notification Requirements of ARRA (HITECH Act)

    • Distinct from the Act’s attempt to encourage adoption of EHRs by incentive payments for “meaningful use”

  • Direct application of security rule to BAs

    • HITECH Act also states that requirements should be incorporated into the business associate agreements

  • New State Attorney General Rights of Action

  • Government Audits

Business associates now directly regulated l.jpg
Business Associates Now Directly Regulated

  • Extension of Security Provisions to Business Associates

    • Direct exposure to HIPAA civil and criminal penalties

      • Penalties can be as high as $50,000 per incident and $1,500,000 in the aggregate

      • “Willful neglect” standard now included

      • State Attorney General enforcement

    • HHS Secretary, with recommendations from the GAO, must develop mechanism for harmed individuals to share in the penalties (February 17, 2012)

Terms of ba agreement l.jpg
Terms of BA Agreement

  • What needs to be included?

    • Breach reporting

    • Security Rule compliance

    • Mutual termination

    • Access to records in EHRs

  • Other inclusions

    • Minimum necessary to reflect new standard

    • Marketing

    • Responsibility for addressing financial impact of breaches

Breach reporting l.jpg
Breach Reporting

  • In the event of a “breach” of “unsecured” PHI, a Covered Entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, breached.

    • Exceptions where inadvertent disclosure to or by workforce, BA or organized health care arrangement participant

  • The risk of harm standard requires that the affected entity undertake some form of risk assessment in the event of a breach to determine in good faith whether it is necessary to notify the individual of the breach.

    • Does the breach “pose a significant risk of financial reputational, or other harm to the individual”?

    • 2007 OMB Memorandum (M-07-16) provides examples of factors to take into account

Notice requirements l.jpg
Notice Requirements

  • Notice must be made to the affected individuals “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.”

    • For any breach involving 500 or more people, notification through the media and to the Secretary must be made

  • If the breach occurs at or through a Business Associate, the Business Associate must notify the Covered Entity of the breach within 60 days of discovering the breach so that the Covered Entity is able to comply with its breach reporting obligations.

Ba agreement considerations l.jpg
BA Agreement Considerations

  • Should the BA make the assessment of whether it was a breach?

    • Liability rests with BA if BA makes wrong assessment

  • Notification timing

    • Less than 60 days

    • Will Covered Entity want to do its own assessment?

  • Who sends the notice?

Security rule requirements l.jpg
Security Rule Requirements

  • Explicit agreement to meet Security Rule Requirements

    • Annual appropriate technical safeguards updates from HHS

    • Should BA agree to unknown requirements?

    • How will BA be aware of updates?

Mutual termination l.jpg
Mutual Termination

  • Should be non-controversial

    • When/how can Covered Entity breach BA agreement?

    • Mutual termination may spur BAs to ask for more responsibilities from Covered Entity

      • Notice and updated notices

      • Restrictions by individuals

Access and accounting l.jpg
Access and Accounting

  • Different access rights to records in EHR

  • Right to accounting of treatment, payment, and health care operations disclosures from EHR

    • Only have to provide for three years prior to request

    • When will BA have EHR?

Minimum necessary l.jpg
Minimum Necessary

  • Tightening definition of “minimum necessary”

    • Implication for access controls under Security Rule

    • Secretary to issue guidance on minimum necessary standard by August 17, 2010

    • BA agree to comply with unseen guidance?

Sample language l.jpg
Sample Language

  • In accordance with Section 13405 of ARRA, the uses, disclosures, or requests for the PHI described herein shall be, to the extent practicable, limited to a Limited Data Set or the minimum necessary (as may be described by the Secretary in guidance on these terms) to accomplish the intended purpose of such use, disclosure, or request.

Limitations on marketing l.jpg
Limitations on Marketing

  • Necessary to include?

    • Marketing should be outside scope of what BA is doing

    • Explicit language puts BA on notice and makes clear the understanding between the parties

Financial responsibility for breach l.jpg
Financial Responsibility for Breach

  • BA financially responsible for any notifications that must occur as a result of BA breach

    • Insurance?

    • Limitation on amount of exposure?

  • Indemnification

Resources l.jpg

  • Sample Business Associate Contract Provisions (pre-ARRA)

    • http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

  • EBG Client Alert entitled, “Covered Entity Compliance with HITECH Act Amendments to HIPAA: An Overview of Requirements, Deadlines and Enforcement Environment”, by Alicia H. Sable and H. Carol Saul (February 2010).

    • www.ebglaw.com/showClientAlert.aspx?Show=12454

Program funding l.jpg
Program Funding

  • Core Support

    • $500,000-$750,000, quarterly

  • Direct Assistance Support

    • Quarterly basis

    • Based on number of providers that achieved milestones in prior quarter

      • Milestone 1 – Contract with REC

      • Milestone 2 – Go Live on EHR

      • Milestone 3 – Certified for Meaningful Use

Cost sharing requirements l.jpg
Cost Sharing Requirements

  • Years 1-2: $9 Federal/$1 REC

  • Years 3-4: $1 Federal/$9 REC

  • Potential Revenue Sources

    • Provider fee

    • Assignment of Medicaid EHR payments

    • Contributions in cash or in-kind

      • Verifiable (documentation)

      • Not paid under another award

      • Necessary and reasonable for program objectives

      • Unrecovered indirect costs, with Government approval, for state agency

Cost sharing requirements19 l.jpg
Cost Sharing Requirements

  • The matching requirements must be met by the end of the 2-year grant

  • To the extent fees/funds exceed the matching requirements, the excess becomes Program Income

    • Program Income must be used to further the purposes of the program

    • Program Income may be retained and applied to future grant periods (typically a 3-year holdover is permitted)

Structure of provider fee l.jpg
Structure of Provider Fee

  • Flat fee (upon initiation or timeline)

  • Structured fee

    • Based upon timeframe

    • Based upon achievement of Milestones

      • Based upon stages of Meaningful Use

    • Incentives (discounts or rebates) based upon achievement of Milestones within a specified timeframe or enhanced (penalty) payments for delays/failures

      • For accounting purposes, may be preferable to structure as base payment/contingent payment to facilitate reporting of match/income

Structure of provider fee21 l.jpg
Structure of Provider Fee

  • Provider payments based on assignment of EHR incentive payments may also be based on structured approach

  • Structure may be based on strategy of avoidance of conflict of interest implications under QIO contract

    • Payments in excess of match requirement for first two years, and resulting program income, may mitigate effect in later years

Conflict of interest l.jpg
Conflict of Interest

  • ONC FOA Terms

    • “Regional Centers will avoid entering into business relationships creating an actual or apparent conflict of interest with the [REC’s] obligation to act solely in the best interests of advancing meaningful use of certified health IT by the providers it serves.”

  • COI Certification

    • “There are no potential, real or perceived conflicts of interest … between our organization and the HIT vendor….”

Conflict of interest23 l.jpg
Conflict of Interest

  • SDPS Memo #10-014-CO, dated January 14, 2010

    • Clarification Letter Regarding QIO Organizational Conflict of Interest Issues Resulting From Award of Regional Center Cooperative Agreement by the Office of the National Coordinator

  • CMS supports the ability of QIOs to perform work under the REC contracts as long as some safeguards are in place to avoid conflicts

  • Identified two potential conflicts between HIT REC and QIO contracts

Conflict of interest24 l.jpg
Conflict of Interest

  • Relationship with EHR Vendors

    • "negotiating contracts with vendors or reseller" and assisting "providers in holding vendors accountable for adhering to service level agreements“

  • CMS has taken the position that a close relationship will exist between providers and entities recruiting and negotiating with vendors on their behalf under the Extension Program contracts

  • If the QIO is the sole awardee or lead, the work must be performed by an unrelated/unaffiliated subcontractor

  • If the QIO is a team member, the work must be performed by another unrelated/unaffiliated member of the group

Conflict of interest25 l.jpg
Conflict of Interest

  • Provider Fee Payment to QIO

    • “clear possibility for the cost to a large provider for these Regional Center services to exceed the five percent safe harbor under section H.11 of the 9th SOW”

  • 9th SOW, Section H.11, Conflict of Interest

    • Prohibits QIO from having financial relationships, specifically compensation arrangements, with providers it may work for under private contracts

    • Includes parent companies, subsidiaries, affiliates, subcontractors, or current clients

    • Includes “safe harbor” – the so-called “5/20 rule”

      • Excludes provider contracts that do not exceed 5% of the total cost of the QIO core contract individually or 20% in the aggregate

    • Should payments to a QIO for work related to a federal grant/federal purpose be considered a “financial relationship” within this prohibition?

Conflict of interest26 l.jpg
Conflict of Interest

  • When a particular provider's payments to the QIO (as a REC or an EA) exceed the 5% safe harbor (or those payments in total exceed 20%), a conflict exists

    • Referral of any complaints regarding that provider to another QIO would be required

  • QIOs should develop and submit a mitigation strategy

    • Refer complaints regarding that provider/providers to another QIO that does not have a REC contract/subcontract and is not related or affiliated with the QIO

Conflict of interest27 l.jpg
Conflict of Interest

  • If in doubt, request a waiver

    • Federal acquisition policy, CMS policy, regulations and contractual provisions, the government may waive conflict of interest rules and regulations if enforcement is not in the government’s best interest

Questions l.jpg

Connie Wilkinson