Archive for the ‘HIPAA’ Category

HIPAA Rules and the HITECH Act: Patient Privacy

Tuesday, April 30th, 2013

Compliance officers were awaiting the Office of Civil Rights (OCR) final rules on Breach Notification, Enforcement, and the modifications to the Privacy and Security Rules of HIPAA HITECH. Now that we have the regulations, it is time to review the basics in this ezine and the additional requirements in the next article. HIPAA may be one of your agency's largest potential liabilities.

Key Definitions

Protected Health Information (PHI)

  • Individually identifiable health information
  • Transmitted or maintained in any form
  • Created or received by a covered entity, business associate, or employer

Covered Entity

  • Health Care Providers
  • Insurers
  • Clearinghouses
  • Covered entities may only use and disclose PHI according to Privacy Rule provisions

Disclosures

  • Treatment and payment sources
  • Individual has opportunity to agree or object
  • Limited data set (facially de-identified; requires a data use agreement between parties)
  • With authorization

HIPAA Privacy Rule controls privacy unless a state law is stricter.

Treatment

  • CE may disclose PHI for treatment activities to another healthcare provider

Payment

  • CE may disclose PHI to another CE or healthcare provider for the CE payment

Health Care Operations

  • CE may disclose PHI to another CE for specific activities such as QI

Authorization

  • Individual may authorize the release of the PHI in writing, with the signature and date provided

Compliance Officers need to keep HIPAA and compliance in front of personnel. Finding ways to do that can be challenging but well worth the effort. For most organizations, some of their greatest risks are those tied to PHI.

Build security into hardware, software, and processes to the greatest extent possible. Make security provisions operate automatically where possible. When replacing manual processes with technology, validate the new process and confirm that it does not increase risk. Technology adopted for the sake of technology needs to be monitored as well. Review your processes. Educate personnel to be privacy alert.

Build a meaningful HIPAA and Compliance audit system foundation that has value for the organization. It is mandated by the OCR. Agency audits of organizations began last year. Remember, not having an audit program can be costly; the OCR fine can go up to $1.5 million.

Required elements of a Patient Authorization

When reviewing the patient authorization, be certain it includes:

  • A description of the PHI to be used or disclosed. Be specific
  • The persons authorized to use or disclose the PHI
  • The person or agency to whom the CE may disclose the PHI
  • The purpose of the use or disclosure
  • The patient's right to revoke the authorization
  • The consequences if the patient refuses to sign
  • An expiration date of the form
  • Signed and dated by the patient
  • A statement that PHI may be re-disclosed by a third party and, if that third party is a business associate, is subject to the same HIPAA regulations
  • Must be written in clear language

HIPAA continues to pose a growing liability for agencies. Review agency policies, procedures, and processes now. More to follow on that topic.

OCR and HIPAA

Tuesday, April 30th, 2013

At a recent HIPAA seminar, the Office of Civil Rights (OCR) stated that it is evaluating HIPAA audit models. The present model requests certain records, reviews them, cites errors/omissions, and calls for corrective action. Privacy and security of Protected Health Information (PHI) are of primary concern, especially in light of social media and the mandated creation of Electronic Medical Records in healthcare.

Presently, organizations are reviewing their privacy and security programs. How compliant are your Compliance and HIPAA programs? Perhaps you should conduct a gap analysis.

Getting started

To conduct a review and analysis of your agency's compliance program, you must first know whether your program covers the required elements:

  • Complete written policies and procedures
  • Designation of a Corporate Compliance Officer
  • A training and education program regarding confidentiality, commitment to preventing fraud and abuse, and other elements of compliance
  • Communication lines to the Corporate Compliance Officer
  • Identification of compliance risk areas and a plan to mitigate risk
  • Responding to non-compliance issues
  • Policy of non-intimidation and non-retaliation against employees who identify non-compliance
  • Disciplinary policies regarding non-compliant behavior

Consider having employees re-sign the organization's privacy policies annually. This act can become a reminder of the importance of privacy and confidentiality in the organization. Identify who will conduct regular internal audits. Conduct this present review and analysis as if it were a surveyor visit, only this time, you get to be the surveyor.

Audit the HIPAA Program

As part of the compliance audit process, be certain to evaluate the HIPAA program. Are there plan objectives? Is an audit and monitoring system in place? Who has the responsibility for completion? Identify the audit checklist. Is it inclusive? Is there a documentation process to record findings?

Are there annual goals to improve on privacy and security in the organization? How are audit findings reviewed? How does follow up occur?

The Audit

The following checklist should be considered a guideline (not necessarily all-inclusive); each agency will need to apply it to its own situation.

  • Is the Compliance plan, particularly the HIPAA portion, in compliance with the HIPAA Security Rule? Has an assessment been conducted regarding environmental/operational impact on PHI?
  • Can the organization identify how it protects access to information? Is there a policy regarding access to PHI and "need to know"?
  • Can patients obtain their information in a timely manner? Can information be provided in electronic format, as required by HITECH? Has a security risk analysis been conducted?
  • Have security measures been implemented to reduce the risk? What are those measures?
  • Have the Compliance, Privacy, and Security risk analyses available for an OCR audit or questions from an accrediting surveyor.

At the very least, for privacy, look at the following:

Privacy:
    • Can patients/guests view PHI? See computer screens? Is there any place on the premises where PHI is readily available?
    • Is PHI posted on wall boards where those who have "no need to know" have access to the information?
    • Is PHI left on desks? Are computer screens left on when the user steps away?
    • Are recycling bins used? Is there a BAA with that recycling vendor?
    • Are all BAAs in place with all vendors and in compliance with HIPAA HITECH?

Communication:
    • Is PHI faxed? Is there a confidentiality/disclosure statement on each fax cover sheet?
    • Does the online system require level-based logins?
    • Are screen savers activated within a short period of time?
    • Are emails used with PHI? Are the emails encrypted?
    • Are phone calls used to give and receive PHI? How are the individuals receiving or giving information identified and confirmed?

Responsibility:
    • Can each employee identify when PHI enters their area of responsibility?
    • Who handles PHI? Where is it stored? What is the backup process? What is the length of storage? Is it secure? How do you know it is secure?
    • Have all employees been trained in privacy? Has security training at the specific employee level been conducted? Is compliance training mandatory? Is it conducted annually?
    • Is there a protocol for new employees? Is there a protocol regarding confidentiality upon employee departure?
    • Are BAAs in place holding contractors accountable for PHI protection? Have you seen their policies, procedures, and processes?

Reports:
    • Are reports created that contain confidential information? Are they circulated only to those with a "need to know"?
    • Have the reports been reviewed to reduce the amount of sensitive information, if possible? Could de-identified information be substituted?
    • Is transmission of report information secure?

Security:
    • Is there a written policy to protect PHI? Are there policies regarding computer screens in view with PHI? Are there policies regarding passwords?
    • Are there policies regarding storage of data and how backup tapes and storage devices are accounted for and monitored?
    • Has every station been evaluated as to protection of PHI and the visibility and accessibility of information to those who do not have clearance for that station?
    • How are smartphones used? Are they ever used to capture pictures of patient wounds?

Technical Security:
    • Does the technical team periodically verify that the technological security is in place and working appropriately? Can the technical team identify if an unauthorized user has accessed PHI? What safeguards are in place to protect against unauthorized access?
    • Is technology in place to verify the identity of users?
    • Are passwords and IDs routinely changed per a schedule?

OCR Investigations and Review:

If you have a breach that triggers an investigation by OCR, be certain to respond promptly as to what happened, how it happened, what was done to mitigate outcomes, and what has been implemented to prevent a future occurrence. Be certain to point out that you have a full Compliance Program in place. Identify that all employees receive routine education regarding Compliance and HIPAA.

If documents are requested, your counsel may request confidentiality for those documents being sent to OCR. Create and maintain a log of events, complete with dates, times, and people involved, throughout the entire investigation process. Save all electronic documents. Keep statements by all employees involved in the incident and the investigation. Obtain counsel's advice before holding phone conversations with OCR, since written correspondence preserves an investigation trail.

Focus on internal compliance. If there is a HIPAA breach, there must be remediation/education regarding the process and the prevention of a reoccurrence.

Summary:

  • Keep your plan objectives current.
  • Identify who is responsible for the audits and establish times and how findings will be transmitted.
  • Have corrective action plans in place.
  • Include documentation of audits, results, and remediation/corrective action/education.
  • Report findings to the BOD, leadership, and counsel.
  • If there is an OCR audit/investigation, have a team established to quickly respond, pull data, analyze, and report.
  • Have an ongoing risk analysis performed as specified by policy. Be certain the risk analysis encompasses the technical requirements of the Security Rule.
  • Be certain the Risk Analysis is well documented. Be certain the plan for mitigation of any adverse findings is in place.

Like the clinical documentation rule, “if it wasn’t documented you did not do it,” so it is true here also. Document each step of the plan. If ever there is an audit, the fact a full compliance plan is in place in your agency including a HIPAA Privacy and Security review, can speak volumes about you and your organization.

The Role of Compliance: Home Health and Hospital Readmissions

Tuesday, January 8th, 2013

This is THE topic one sees everywhere: trade journals, conferences, CMS, MLN, State Alerts, Home Health Associations. This topic is no longer just an operational and financial issue. Boards of Directors are looking to the Corporate Compliance Department and stating that hospital readmissions should be part of the Corporate Compliance Plan.

More and more, leaders are demanding that the Corporate Compliance Officer be involved in evaluating the underlying causes for readmission and discerning the readmission issues.

Hospitals have put in place operational and financial impact reviews of readmissions into their facility within 30 days of discharge. The Affordable Care Act has required a number of measures be instituted to reduce hospital readmissions. Among these measures is the Hospital Readmission Reductions Program (HRRP) that regulates adjustment for payment to facilities with excess readmissions within 30 days of discharge.

Hospitals recognize that evaluation of the issue requires review of three phases of operation: admission/inpatient care, discharge/transition planning, and post-discharge care. The hospital compliance officer is beginning to look at each phase of care. They are beginning to have active involvement on the "Safety and Quality of Post Acute Care" Committees. These committees are looking at which agencies have the most readmissions and which physicians are involved. What diagnoses are seen most frequently and which medications are seen most frequently? Which agencies have overall compliance issues?

Smart Home Health Providers are viewing this as an opportunity. Not only can the agencies market their hospital readmission prevention programs, i.e. falls risk, heart failure, and medication reconciliation, but now is the time to market the home health agency corporate compliance program and their leaders' involvement in this program.

Hospitals usually do not envision compliance programs in home health agencies; although they are strongly encouraged, they are not mandated by the OIG as they are in the acute care setting. Positioning the home health agency as compliant, meeting the OIG required elements and also focusing on HIPAA, strongly states that the agency parallels the hospital's focus on compliance. It also non-verbally speaks to the agency's root cause analysis approach to seeking solutions to problems. Since audit and prevention are required elements of a compliance program, the home health compliance officer can relay the home health agency's approach to reducing hospital readmissions and discuss the data informatics leading to present programs and the review of hospital readmissions.

It is this type of collaboration that positions a home health agency as a future partner in new programs, i.e. ACOs, Patient Centered Medical Homes, and other Transitional Care Initiatives.

ICD-10: An Overview Are You Prepared? Part 1

Thursday, August 16th, 2012

The implementation date for ICD-10-CM has been pushed back one year to October 1, 2014, but it doesn’t mean you have a lot of time. If you have not assessed, through a Gap Analysis, the impact of ICD-10 on your organization, you should be planning that event…soon. There is a lot to do.

Consider organizing an ICD-10 Transition Team. That team should have a project leader.

One of the first tasks of the team is to conduct an overview of ICD-10, identify the differences between ICD-9 and ICD-10, as well as the changes soon to come.

The ICD-10-CM Manual is available in both a print and an electronic version. It provides the classification system that identifies diagnoses and injuries. Acute care procedures are not included in ICD-10-CM, as they are provided in a separate classification system called ICD-10-PCS, so they are not a focus of home care.

The Transition Team needs to understand that all entities covered by HIPAA, per the American Recovery and Reinvestment Act (ARRA), who conduct healthcare transactions must comply with ICD-10 requirements.

Per CMS, every day it pays 4.4 million claims totaling $1.5 B. Each month, Medicare receives 19,000 provider enrollment applications. Each year, Medicare pays over $430 B for 45 million beneficiaries. Each year, Medicaid nationally pays 2.5 billion claims for 54 million beneficiaries in 56 states and territories. ICD-10 is expected to assist in cost savings as well as in combating fraud and abuse. Because of the specificity of ICD-10, more sophisticated algorithms are being designed to home in on questionable combinations of codes coupled with OASIS answers to spot potential fraud.

What is the rationale for ICD-10?

- ICD-9 is 30 years old and no longer has code space for new diagnoses or new conditions and treatments.
- ICD-9 is not always precise or unambiguous.
- US mortality data is being reported in ICD-10, thus making international comparison of mortality and morbidity difficult.

We need more coding specificity!

- Accountable Care Organizations, Patient Centered Medical Models, Guided Coaches, etc. will require more discrete data.
- Benchmarking and quality measurement require more detailed codes.
- Reimbursement will require detailed documentation reflected by codes that portray accurate patient conditions.
- Increased specificity in data means more robust design of algorithms to predict outcomes and care.
- Increased coding detail offers the capability to find previously unrecognized relationships in disease as well as variables.
- Increased capability to measure healthcare quality, safety, and efficiency.
- Space to accommodate future advances and expansion.
- Improved capability to determine disease severity for audit risk and adjustment.

The primary physician or specialist must establish a patient's diagnosis. A nurse or therapist will document all pertinent diagnoses on the OASIS-C and the Home Health Certification and Plan of Care (Form CMS-485). New or additional diagnoses that the clinician identifies at the assessment must be verified by the physician before the diagnoses may be added to the patient's medical record. For ICD-10, nothing changes other than the greater detail available through the codes.

At first glance, trying to use the ICD-10-CM Manual may seem overwhelming. In ICD-9-CM, there were approximately 14,000 choices for codes. In ICD-10-CM, there are approximately 68,000 choices. Codes exist for so many injuries, including W61.11XA, bitten by a macaw, initial encounter, or W61.11XD, bitten by a macaw, subsequent encounter, or codes for bites by a parrot, a goose, a turkey, or a chicken. All in all, nine codes for each animal, and there are a total of 312 animals. There are even separate codes for a turtle, as one may be "bit by a turtle" or "struck by a turtle." Humor aside, there are now precise combination codes to more clearly depict the true presenting picture of the patient and their needs.

ICD-10-CM may now have 68,000 codes, but acute care procedure codes, ICD-10-PCS, have increased from 3,000 to 87,000 codes. That is a phenomenal increase, but necessary, given the medical advances of these past 30 years. There are expected organizational benefits from ICD-10, including administrative efficiencies, cost containment, capability for more accurate trend and cost analysis, along with improved coding accuracy and productivity.

CMS believes the expected impact on reimbursement includes increased accuracy, fairer reimbursement, improved justification for medical necessity, fewer errors and rejected claims (after the initial learning curve), and reduced opportunities for fraud.

ICD-10-CM codes may have up to 7 characters; characters 2 and 3 are numeric, and characters 4 through 7 are alphabetic or numeric. The greater the specificity, the greater the number of characters required.
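As an added illustration of the code layout just described (example code, not from the original article), the following Python checks a code against those rules as the article states them. It assumes the first character is alphabetic, that the decimal point in the article's sample codes (W61.11XA, E13.331) sits after the third character, that an X in positions 4 to 7 is a placeholder character, and that a seventh character of A or D is the initial/subsequent encounter extension mentioned above.

```python
import re
from typing import Optional

# Assumed layout, following the article's description: one letter, two digits,
# then up to four alphanumeric characters, for a maximum of 7 characters.
# The decimal point is optional and, when present, follows the third character.
_CODE_RE = re.compile(r"^[A-Z][0-9]{2}(?:\.?[A-Z0-9]{1,4})?$")

# Assumed meaning of the 7th-character extension, per the macaw examples above.
ENCOUNTER = {"A": "initial encounter", "D": "subsequent encounter"}


def normalize(code: str) -> str:
    """Strip whitespace, uppercase, and drop the decimal point."""
    return code.strip().upper().replace(".", "")


def is_valid_shape(code: str) -> bool:
    """True if the code matches the stated 3-to-7 character layout."""
    raw = code.strip().upper()
    # A decimal point anywhere other than after the 3rd character is malformed.
    if "." in raw and raw.index(".") != 3:
        return False
    return bool(_CODE_RE.match(raw))


def parse(code: str) -> Optional[dict]:
    """Split a well-formed code into category, detail characters, and extension.

    Returns None for a code that does not match the stated layout, so callers
    can reject malformed input before it reaches a claim or an OASIS record.
    """
    if not is_valid_shape(code):
        return None
    flat = normalize(code)
    seventh = flat[6] if len(flat) == 7 else None
    return {
        "category": flat[:3],            # e.g. W61 or E13
        "detail": flat[3:6],             # characters 4-6, may contain X placeholders
        "extension": seventh,            # 7th character, if any
        "encounter": ENCOUNTER.get(seventh) if seventh else None,
        "placeholder": "X" in flat[3:],  # assumed: X fills an unused position
    }


if __name__ == "__main__":
    # Constructed sample input: the article's codes plus two malformed ones.
    for sample in ["W61.11XA", "W61.11XD", "E13.331", "V91.07XA", "W6.111XA", "W61.11XAB"]:
        print(sample, "->", parse(sample))
```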

 A Bit of Humor

There are so many codes, including injuries incurred while sewing, ironing, playing a brass instrument, even while crocheting. There is even a code, V91.07XA, for burns due to water skis on fire. Really, quite the vision, and subsequent to…what, one might ask.

Because of the precise specificity, ICD-10 requires expertise in anatomy and physiology, pathophysiology, and diagnostics. The specificity is far greater than ICD-9, and the need to better understand finite A&P as well as diagnostics is vital. Injuries are grouped by anatomical site rather than type of injury. Another change is the use of the term sequelae instead of after effects.

CMS plans to have a draft grouper ready by April 2013.

New features in ICD-10 include combination codes for a large variety of conditions, commonly seen symptoms, and manifestations. An example of a combination code is:

E13.331, diabetic retinopathy with macular edema: other specified diabetes mellitus with moderate non-proliferative diabetic retinopathy with macular edema.

There are a number of expanded codes for diseases and conditions, such as diabetes, substance abuse, and injuries. Codes for postoperative complications have also been expanded, with a distinction between intraoperative complications and postprocedural disorders.

There will be an impact on many home health departments. In our next article, we will discuss what preparation will be needed and the specifics needed for the Gap Analysis.

Next article: What do we do to prepare for ICD-10: Developing the Gap Analysis


Educational Videos: RACs, MACs, Z-PICs, Part II of IV

Thursday, January 19th, 2012

CERTs (Comprehensive Error Rate Testing): To better calculate the performance of the FIs and MACs, as well as to look at the reasons for their errors, CMS decided to look at a number of additional rates. The additional rates include:

- Provider compliance error rate (how well providers prepared claims for submission)
- Paid claims error rate (measures how accurately FIs and MACs make coverage, coding, and other claims payment decisions). CERTs randomly select a sample of about 100,000 claims each reporting period.
- CERTs review the claims for proper Medicare coverage, coding, and billing rules, and if not in compliance, they assign an overall error rate.

CERTs also identify if providers received overpayment letters or notices of adjustments to be made for claims that were overpaid and underpaid. CERTs are considered the Quality Improvement specialists who track and trend the performance of fiscal intermediaries and Medicare Administrative Contractors.

Z-PICs (Zone Program Integrity Contractors) will perform Medicare Program integrity functions for CMS. They will interact with each MAC to handle fraud and abuse issues within their jurisdictions. ZPICs consolidate the work of the present CMS Program Safeguard Contractors (PSCs) and Medicare Drug Integrity Contractors (MEDICs) and are divided into 7 zones.

The Z-PICs act with the Department of Justice and FBI and serve as the investigators when fraud is very strongly suspected. The Z-PICs have the power to suspend claims for up to a year, and the agency has no appeal recourse during that time. That power can cripple or financially devastate an agency.

HEAT: This auditing body is considered the more aggressive investigator, essentially of DME and Home Health. There has been expansion of the DOJ/CMS/HHS Inspector General Medicare Strike Forces to Baton Rouge, Brooklyn, Detroit, Houston, LA, Miami-Dade, and Tampa Bay, and as recently as September 2011 they have struck, arresting 91.

HEAT is the technologically oriented auditing body, using state-of-the-art analytics to expand the CMS Medicaid provider audit program. This program's leadership holds meetings with top anti-fraud leaders in Congress, law enforcement, and the private sector.

CMS states that their mission includes, “providing additional resources to our civil enforcement efforts under the False Claims Act to increase dollars recovered; data sharing, including access to real time data; detect patterns of fraud through technology; strengthening partnerships among Federal agencies between public and the private sectors.”

Clearly, with all of the auditing bodies, CMS is making a bold statement: fraud and abuse will not be tolerated. Unfortunately, in this kind of environment, innocent casualties can occur. Agencies need to take action now.