The recently published final "meaningful use" regulations make it clear that hospitals must be careful in how they report charity care on their Medicare cost reports if they want to maximize their incentive payments for using EHR. The amount a hospital receives in EHR incentive payments is calculated based on the hospital’s Medicare and Medicaid patient volume, calculated as a fraction of the hospital’s total patient volume. The rule proposal failed to define key terms that are part of the calculation of the fractional share of the hospital’s Medicare and Medicaid patient volume, including the term "charity care." The proposed final rule looks to the charity care amount reported in the hospital’s Medicare cost report, despite the fact that this reported number likely did not have a significant impact on the hospital’s Medicare reimbursement in the past.

As CMS explains in the preamble to the rule, "We believe that the charity care charges reported on line 20 of the pending final OMB approved Worksheet S-10 [Form CMS-2552-10, effective for cost reporting periods beginning on or after May 1, 2010] represent the most accurate measure of charity care charges as part of the hospital’s overall reporting of uncompensated and indigent care for Medicare purposes… if a hospital has not properly reported any charity care charges on line 20, we may question the accuracy of the charges used for computing the final Medicare share of the [EHR] incentive payments."

CMS goes on to explain that charity care data can be obtained by the Medicare contractor, and the data "would be used to determine in the hospital’s charity care criteria are appropriate, if a hospital should have reported charity care charges, and if the reported charges are proper. If we determine, as based on a determination of the MAC, that the hospital did not properly report charity care charges on line 20 of the pending final OMB approved Worksheet S-10, then we proposed to deem the [charity care] portion of the denominator … to be 1." Instructions to draft Form CMS-2552-10 for Worksheet S-10 define "charity care" as "[h]ealth care services for which a hospital demonstrates that the patient is unable to pay … [and] results from a hospital’s policy to provide all or a portion of services free of charge to patients who meet certain financial criteria." Conversely, "non-Medicare bad debt" is defined as "[h]ealth care services for which a hospital determines the non-Medicare patient has the financial capacity to pay, but the non-Medicare patient is unwilling to settle the claim."

CMS makes it clear that just as Medicare contractors currently determine whether a hospital’s indigency policies (for example, how a provider determines that a non-Medicaid patient is indigent or medically indigent and that the patient’s financial condition is not likely to improve following an asset/income test of patient resources) are appropriate for determining allowable Medicare bad debt, the Medicare contractor can similarly determine whether the hospital’s policies are sufficient for determination of charity care information used in the EHR incentive payment calculation.

In short, a hospital seeking EHR incentive payments must closely examine not just the accuracy of reported charity care and non-Medicare bad debt data included on its Medicare cost report, but must ensure it is actually undertaking a review of patients’ ability to pay for services. Failure to document the proportion of uncompensated care that qualifies as "charity care" may result in a decrease in EHR incentive dollars.

Hospitals, physician practices and other healthcare providers continue to misunderstand patients’ rights to their own records years after HIPAA’s privacy rule took effect. The Los Angeles Times reported on July 27 that the California Medical Board receives many complaints from patients about trouble accessing medical records from doctors:

Candis Cohen, a spokeswoman for the board, says physicians and their office staffs frequently confuse details of the HIPAA privacy law and, even with the best intentions of protecting patients’ privacy rights and complying with the law, deny consumers access to their medical records.

Among the common disputes are whether covered entities are allowed to charge patients retrieval fees for copies of their own records. HIPAA strictly limits charges associated with providing patients access to their records to "a reasonable, cost-based fee" for copying, postage and any time spent on preparing a summary explanation (as applicable). Thus, in instances where state laws allow providers to charge the patient other record-retrieval fees, such as costs associated with retrieving records for insurance companies, lawyers and other non-patients, providers may not be permitted to pass along these costs to their patients due to HIPAA, despite any such permissive state law. Also, some providers erroneously believe that they are not allowed to fax or email medical records to a patient, even at the patient’s request.

For some providers, confusion over the rules and unreasonable fear of penalties under HIPAA and state privacy laws has resulted in reluctance to release medical records to the people HIPAA was designed to protect: the patients themselves. I personally experienced this type of resistance shortly after the Privacy Rule became effective in 2003, when confusion was more understandable. By 2009, you’d think covered entities would have a better grasp on their rights and duties, but misunderstandings persist.

I have said it before, and I will say it again — employees must come to understand and truly appreciate the huge risks involved and penalties at stake with "taking a peek" at a patient’s medical record for no legitimate purpose.

This past Monday, a physician and two former employees at St. Vincent Infirmary Medical Center in Little Rock, Arkansas, pleaded guilty to misdemeanor federal charges that they inappropriately accessed the medical records of local television anchor, Anne Pressly, who was killed back in 2008.   A News Release issued by the U.S. Attorney for the Eastern District of Arkansas states that all three of the accused entered guilty pleas on July 20, 2009 acknowledging they violated the privacy provisions of HIPAA. 

The News Release indicates that the charged physician admitted that after watching a news report regarding Ms. Pressly being slain and taken to St. Vincent’s, where he was on-staff, he logged on from home and accessed the hospital’s records system to "determine if the news reports were accurate."   One of the other charged employees, a former account representative at the hospital, admitted that she accessed Ms. Pressly’s file about 12 times "out of curiosity". The third employee charged, an emergency room secretary, admitted that she "became curious about the patient’s [Ms. Pressly’s] status and accessed the medical chart to find out if the patient was still living."  The secretary did not inform anyone about her accessing the chart, but hospital records showed that the patient’s records were accessed 3 times that day by the emergency room secretary.  The hospital fired the account representative and the emergency room secretary, and suspended the physician for 2 weeks with required HIPAA re-training.

A sentencing date has not yet been set, but is expected within the next 45-60 days.  Each of the charged individuals faces a maximum penalty of one year in prison, a fine of up to $50,000, or both!    In addition, towards the end of the News Release, the local U.S. Attorney  prosecuting the case included this warning to the health care industry:

"The HIPAA privacy protections are real, and we hope that through vigorous enforcement of HIPAA’s right-to-privacy protections and swift prosecution of those who violate HIPAA, we can deter those in the medical industry who have access to protected health information from searching others’ medical records merely to satisfy their own curiosity…"

Does anyone dare to take a peek after that warning?   

[Installment 3 – Governance Considerations from HIT for the Board and Other Hospital Stakeholders]

This is the third in a series of blog posts that relate to the governance concerns surrounding developments in HIPAA, HITECH and HIT. Jim Landers of the Washington Bureau of the Dallas News  wrote an article that was published on June 24, 2009, entitled "Administration: Hospitals unwilling to share electronic records will miss out on billions in stimulus funds." His article prompted me to write on the topic as part of this series. 


In his article Mr. Landers stated:


The Obama administration’s point man on electronic medical records [David Blumenthal, national coordinator for Health Information Technology] warned Tuesday that hospitals unwilling to share such files [electronic health records or EHR] with their competitors would not be eligible for billions of dollars in economic stimulus funds.


Mr. Blumenthal was further quoted by Mr. Landers as follows: “There’s a fair amount of money in the law for hospitals that adopt interoperability [the means to share EHRs]. If they don’t, they’re not likely to be eligible for payment."


Mr. Landers correctly points out that many hospitals would be concerned that such free sharing of EHR among hospitals could give rise to the potential for losing patients to competitive institutions. I believe that, faced with deepening economic pressures and more highly educated patients with abundant choices, hospitals and their governing bodies must be increasingly concerned about material collateral issues that arise from sharing EHR with their competitors. 


I would add to the observations of Mr. Landers that embedded in EHR in one form or another could be relatively proprietary financial and business information regarding costs, charges or reimbursement of the hospital and/or treating physicians. In the exchange of EHR among hospitals, such proprietary information could be included. There exists a potential for the violation of antitrust laws for sharing of sensitive pricing and business information among competitors. The effect of such a violation could be a major financial and public relations fiasco for the hospitals. Removal or de-identification of such proprietary information could be costly or relatively impractical. This aspect warrants review by competent legal counsel and information technology and financial experts for the hospital. 


The ever-increasing momentum for acceleration of hospital conversion to EHR creates challenges and opportunities for a hospital and its governing board. On the one hand a hospital’s initiatives in this area can possibly make the hospital eligible for stimulus money to assist in the expensive cost of conversion to EHR. On the other hand there must be careful analysis at the governing board level of such an initiative in light of the risks involved.


These questions and others should be properly considered at a high level in the hospital, with board oversight, in order to avoid or mitigate liability and litigation, maintain the hospital’s reputation for candor and transparency and avoid the adverse publicity of regulatory violations and penalties.