
Audits and penalties possible for noncompliance with new notification, digital contact rules

A CMS rule, which went into effect December 31, requires that providers publish up-to-date digital contact information regarding their compliance, using approved methods. Noncompliant hospitals will be publicly listed, akin to the Office of Civil Rights’ breach notification portal, the so-called “Wall of Shame.”


After years of offering incentives to hospitals to comply with electronic notification rules, the Centers for Medicare & Medicaid Services (CMS) has brandished the proverbial stick.

As of April 30, 2021, Medicare-certified hospitals, psychiatric hospitals and critical access hospitals (CAHs) are required to send electronic patient event notifications to other providers in a patient’s circle of care. Unannounced audits can occur at any time, and penalties can be severe, including losing CMS certification and the ability to recoup payments from Medicare and Medicaid.

A related CMS rule, which went into effect Dec. 31, requires that providers publish up-to-date digital contact information regarding their compliance, using approved methods.

Given the chaos and uncertainty that the Covid-19 pandemic wrought, many providers likely waited to deploy a solution to transmit electronic admission, discharge, and transfer (ADT) notifications, but the time for waiting has passed. CMS has been clear that audits can commence at any time. Organizations can meet the new rule regarding patient event notifications as long as they can send a specifically formatted electronic message, using Direct secure messaging, HL7/FHIR or electronic cloud faxing.

Specific technology types required

CMS announced its intention to publish the Interoperability and Patient Access Final Rule in March 2020, which included electronic ADT notifications as a Condition of Participation (CoP) for hospitals that receive Medicare reimbursement. A month later, CMS announced that it would delay enforcement to May 1, 2021, to give providers more time to implement policies to comply with the Final Rule, including the ADT notification provision. The Final Rule was published on May 1, 2020.

The implications of these new requirements for your organization are serious. CMS already has begun empowering State Survey Agencies and Accreditation Organizations (AOs) to add compliance with the new ADT alert requirements to their audits of participating hospitals. The federal agency considers paper faxes or phone calls to communicate ADT notifications a noncompliant method of patient data exchange. Organizations that fail an audit have as little as 90 days to correct the situation and achieve compliance.

To encourage data-exchange interoperability across the healthcare ecosystem, CMS is requiring providers to publish up-to-date digital contact information in the CMS National Plan & Provider Enumeration System (NPPES) as part of the Final Rule. Noncompliant hospitals will be publicly listed, akin to the Office of Civil Rights’ breach notification portal, the so-called “Wall of Shame.”

CMS defines digital contact information, or an “endpoint,” as a unique electronic address for a healthcare provider. Because the goal of these endpoints is to allow providers to send authenticated, encrypted patient data to known and trusted recipients over the internet, the CMS deems only certain types of digital contact information compliant. Those include:

Hospitals are responsible for publishing up-to-date digital contact information in the NPPES directory using technologies from the above list only. Moreover, providers affiliated with an organization need up-to-date and approved endpoints through National Provider Identifiers (NPIs). The deadline to ensure NPPES endpoint data is published and meets CMS standards was Dec. 31, so organizations that have not yet complied face audits and steep penalties.

Fax number, email insufficient for compliance

Email does not meet the CMS requirements for secure digital contact information, nor does a fax number — even if the provider uses a digital fax solution.

According to CMS, “A digital fax number is not considered a digital endpoint. For those providers who continue to rely on fax-based modes of sharing information, we hope that greater availability of digital contact information will help reduce barriers to electronic communication with a wider set of providers with whom they share patients.”

Hospitals can still use fax to transmit ADT notifications, using a solution that offers a fax-to-Direct workflow that can automatically convert digital fax to the acceptable Direct format. This solution allows staff to maintain the same workflows while staying in compliance with CMS regulations.

CMS has made it clear that no extensions will be provided for hardship claims for patient-event notifications, so the time to act is now. Another compelling reason is that neither the State Survey Agency nor CMS is under any obligation to alert facilities about an upcoming audit.

Finally, CMS makes clear that providers not exchanging data electronically will be publicly noted: “If a provider is not exchanging information electronically, and does not have a digital contact, the digital contact field would remain empty in their NPPES record, and they will appear on the public report of providers who do not have digital contact information in NPPES. The report will be updated once they have the capability to exchange electronically and update their digital contact information in NPPES.”

Digital solutions readily available

Digital solutions are available today that can help Medicare-certified hospitals, psychiatric hospitals and critical access hospitals incorporate automated ADT alerts into daily workflows in such a way as to meet the standards of the CMS Final Rule. A solution can be deployed across an organization easily, quickly and without disrupting operations or patient care. The same digital solution will also bring an organization into compliance with the digital contact rules.

Transmitting ADT notifications automatically at the appropriate times to downstream providers can help your organization orchestrate better outcomes, strengthen relationships with payers and providers, and demonstrate compliance with CMS regulations when the inevitable audit occurs.


Bevey Miner serves as Global Health IT Strategy/Chief Marketing Officer, Consensus Cloud Solutions, Inc. With over 20 years’ experience in healthcare technology and digital health, she has been instrumental in leading strategy, product management, business development, marketing and commercialization. Bevey has been influential leading innovation in care coordination, patient engagement, population health and interoperability as well as advocating for policy change with federal and state government.
