HIT RECs: Contracting Issues
Constance A. Wilkinson
May 6, 2010
2010 AHQA Annual Meeting
Agenda
• Provider Contracts
• 2010 HIPAA and HITECH
• Payments
• HIT REC - QIO Contracts
• Conflict of Interest
Factors Resulting in Increased Scrutiny of Holders of PHI
• Breach Notification Requirements of ARRA (HITECH Act)
  • Distinct from the Act’s attempt to encourage adoption of EHRs by incentive payments for “meaningful use”
• Direct application of the Security Rule to BAs
  • HITECH Act also states that the requirements should be incorporated into business associate agreements
• New State Attorney General rights of action
• Government audits
Business Associates Now Directly Regulated
• Extension of Security Provisions to Business Associates
• Direct exposure to HIPAA civil and criminal penalties
  • Penalties can be as high as $50,000 per incident and $1,500,000 in the aggregate
  • “Willful neglect” standard now included
• State Attorney General enforcement
• HHS Secretary, with recommendations from the GAO, must develop a mechanism for harmed individuals to share in the penalties (February 17, 2012)
Terms of BA Agreement
• What needs to be included?
  • Breach reporting
  • Security Rule compliance
  • Mutual termination
  • Access to records in EHRs
• Other inclusions
  • Minimum necessary, to reflect the new standard
  • Marketing
  • Responsibility for addressing the financial impact of breaches
Breach Reporting
• In the event of a “breach” of “unsecured” PHI, a Covered Entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, breached.
  • Exceptions where there is an inadvertent disclosure to or by a workforce member, BA, or organized health care arrangement participant
• The risk of harm standard requires that the affected entity undertake some form of risk assessment in the event of a breach to determine in good faith whether it is necessary to notify the individual of the breach.
  • Does the breach “pose a significant risk of financial, reputational, or other harm to the individual”?
  • 2007 OMB Memorandum (M-07-16) provides examples of factors to take into account
Notice Requirements
• Notice must be made to the affected individuals “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.”
• For any breach involving 500 or more people, notification through the media and to the Secretary must be made
• If the breach occurs at or through a Business Associate, the Business Associate must notify the Covered Entity of the breach within 60 days of discovering the breach so that the Covered Entity is able to comply with its breach reporting obligations.
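As an added illustration that is not part of the presentation, a small Python model of the notice timing on this slide: it assumes the Covered Entity's 60 days run from the date it discovered (or was told of) the breach, and that a BA agreement may negotiate a shorter BA reporting window than the rule's 60 days.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Figures as stated on the slide (assumed to apply as simple calendar-day windows).
REGULATORY_WINDOW_DAYS = 60          # "in no case later than 60 calendar days after discovery"
MEDIA_AND_SECRETARY_THRESHOLD = 500  # 500 or more individuals triggers media and Secretary notice


@dataclass
class Breach:
    individuals_affected: int
    ce_discovery: date                   # date the Covered Entity discovered or was told of the breach
    ba_discovery: Optional[date] = None  # date the Business Associate discovered it, if a BA was involved
    ba_contract_window_days: int = REGULATORY_WINDOW_DAYS  # BA agreement may shorten the BA's window


def ba_to_ce_deadline(b: Breach) -> Optional[date]:
    """Latest day the BA may report to the CE: the stricter of the rule's 60 days
    and the window negotiated in the BA agreement (a longer contractual window never wins)."""
    if b.ba_discovery is None:
        return None
    window = min(REGULATORY_WINDOW_DAYS, b.ba_contract_window_days)
    return b.ba_discovery + timedelta(days=window)


def individual_notice_deadline(b: Breach) -> date:
    """Latest day for notice to affected individuals, counted from CE discovery."""
    return b.ce_discovery + timedelta(days=REGULATORY_WINDOW_DAYS)


def required_notices(b: Breach) -> list:
    """Who must be notified: individuals always; media and the Secretary at 500 or more."""
    notices = ["individuals"]
    if b.individuals_affected >= MEDIA_AND_SECRETARY_THRESHOLD:
        notices += ["media", "secretary"]
    return notices


def notice_plan(b: Breach) -> dict:
    """Deadlines an incident response team would track for one breach."""
    return {
        "notices": required_notices(b),
        "individual_deadline": individual_notice_deadline(b),
        "ba_to_ce_deadline": ba_to_ce_deadline(b),
    }


def is_timely(deadline: date, sent_on: date) -> bool:
    """True if the notice went out on or before its deadline."""
    return sent_on <= deadline
```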
BA Agreement Considerations
• Should the BA make the assessment of whether it was a breach?
  • Liability rests with the BA if the BA makes the wrong assessment
• Notification timing
  • Less than 60 days
  • Will the Covered Entity want to do its own assessment?
• Who sends the notice?
Security Rule Requirements
• Explicit agreement to meet Security Rule requirements
• Annual appropriate technical safeguards updates from HHS
  • Should the BA agree to unknown requirements?
  • How will the BA be aware of updates?
Mutual Termination
• Should be non-controversial
• When/how can the Covered Entity breach the BA agreement?
• Mutual termination may spur BAs to ask for more responsibilities from the Covered Entity
  • Notice and updated notices
  • Restrictions by individuals
Access and Accounting
• Different access rights to records in an EHR
• Right to an accounting of treatment, payment, and health care operations disclosures from an EHR
  • Only have to provide for the three years prior to the request
• When will the BA have an EHR?
Minimum Necessary
• Tightening definition of “minimum necessary”
• Implication for access controls under the Security Rule
• Secretary to issue guidance on the minimum necessary standard by August 17, 2010
  • Should the BA agree to comply with unseen guidance?
Sample Language
• In accordance with Section 13405 of ARRA, the uses, disclosures, or requests for the PHI described herein shall be, to the extent practicable, limited to a Limited Data Set or the minimum necessary (as may be described by the Secretary in guidance on these terms) to accomplish the intended purpose of such use, disclosure, or request.
Limitations on Marketing
• Necessary to include?
• Marketing should be outside the scope of what the BA is doing
• Explicit language puts the BA on notice and makes clear the understanding between the parties
Financial Responsibility for Breach
• BA financially responsible for any notifications that must occur as a result of a BA breach
  • Insurance?
  • Limitation on amount of exposure?
  • Indemnification
Resources
• Sample Business Associate Contract Provisions (pre-ARRA)
  • http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
• EBG Client Alert entitled “Covered Entity Compliance with HITECH Act Amendments to HIPAA: An Overview of Requirements, Deadlines and Enforcement Environment”, by Alicia H. Sable and H. Carol Saul (February 2010).
  • www.ebglaw.com/showClientAlert.aspx?Show=12454
Program Funding
• Core Support
  • $500,000-$750,000, quarterly
• Direct Assistance Support
  • Quarterly basis
  • Based on the number of providers that achieved milestones in the prior quarter
    • Milestone 1 – Contract with REC
    • Milestone 2 – Go Live on EHR
    • Milestone 3 – Certified for Meaningful Use
Cost Sharing Requirements
• Years 1-2: $9 Federal/$1 REC
• Years 3-4: $1 Federal/$9 REC
• Potential Revenue Sources
  • Provider fee
  • Assignment of Medicaid EHR payments
  • Contributions in cash or in-kind
    • Verifiable (documentation)
    • Not paid under another award
    • Necessary and reasonable for program objectives
  • Unrecovered indirect costs, with Government approval, for a state agency
Cost Sharing Requirements
• The matching requirements must be met by the end of the 2-year grant
• To the extent fees/funds exceed the matching requirements, the excess becomes Program Income
  • Program Income must be used to further the purposes of the program
  • Program Income may be retained and applied to future grant periods (typically a 3-year holdover is permitted)
Structure of Provider Fee
• Flat fee (upon initiation or timeline)
• Structured fee
  • Based upon timeframe
  • Based upon achievement of Milestones
  • Based upon stages of Meaningful Use
• Incentives (discounts or rebates) based upon achievement of Milestones within a specified timeframe, or enhanced (penalty) payments for delays/failures
• For accounting purposes, it may be preferable to structure the fee as a base payment plus a contingent payment, to facilitate reporting of match/income
Structure of Provider Fee
• Provider payments based on assignment of EHR incentive payments may also follow a structured approach
• Structure may be based on a strategy of avoiding conflict of interest implications under the QIO contract
• Payments in excess of the match requirement for the first two years, and the resulting program income, may mitigate the effect in later years
Conflict of Interest
• ONC FOA Terms
  • “Regional Centers will avoid entering into business relationships creating an actual or apparent conflict of interest with the [REC’s] obligation to act solely in the best interests of advancing meaningful use of certified health IT by the providers it serves.”
• COI Certification
  • “There are no potential, real or perceived conflicts of interest … between our organization and the HIT vendor….”
Conflict of Interest
• SDPS Memo #10-014-CO, dated January 14, 2010
  • Clarification Letter Regarding QIO Organizational Conflict of Interest Issues Resulting From Award of Regional Center Cooperative Agreement by the Office of the National Coordinator
• CMS supports the ability of QIOs to perform work under the REC contracts as long as some safeguards are in place to avoid conflicts
• Identified two potential conflicts between HIT REC and QIO contracts
Conflict of Interest
• Relationship with EHR Vendors
  • “negotiating contracts with vendors or reseller” and assisting “providers in holding vendors accountable for adhering to service level agreements”
  • CMS has taken the position that a close relationship will exist between providers and the entities recruiting and negotiating with vendors on their behalf under the Extension Program contracts
  • If the QIO is the sole awardee or lead, the work must be performed by an unrelated/unaffiliated subcontractor
  • If the QIO is a team member, the work must be performed by another unrelated/unaffiliated member of the group
Conflict of Interest
• Provider Fee Payment to QIO
  • “clear possibility for the cost to a large provider for these Regional Center services to exceed the five percent safe harbor under section H.11 of the 9th SOW”
• 9th SOW, Section H.11, Conflict of Interest
  • Prohibits a QIO from having financial relationships, specifically compensation arrangements, with providers it may work for under private contracts
  • Includes parent companies, subsidiaries, affiliates, subcontractors, or current clients
  • Includes a “safe harbor”, the so-called “5/20 rule”
    • Excludes provider contracts that do not exceed 5% of the total cost of the QIO core contract individually or 20% in the aggregate
• Should payments to a QIO for work related to a federal grant/federal purpose be considered a “financial relationship” within this prohibition?
Conflict of Interest
• When a particular provider's payments to the QIO (as a REC or an EA) exceed the 5% safe harbor (or such payments in total exceed 20%), a conflict exists
  • Referral of any complaints regarding that provider to another QIO would be required
• QIOs should develop and submit a mitigation strategy
  • Refer complaints regarding that provider or providers to another QIO that does not have a REC contract/subcontract and is not related to or affiliated with the QIO
Conflict of Interest
• If in doubt, request a waiver
  • Under Federal acquisition policy, CMS policy, regulations, and contractual provisions, the government may waive conflict of interest rules and regulations if enforcement is not in the government’s best interest
Questions?
Connie Wilkinson
202.861.1378
email@example.com