Archive for the ‘HIPAA’ Category

Educational Videos: RACs, MACs, Z-PICs, Part I of IV

Thursday, January 19th, 2012

RACs, MACs, Z-PICs, Part I of IV

CMS has Unleashed the Auditors

Annually, CMS receives 1.2 billion claims. That breaks down to 4.3 million claims per work day, 574,000 claims per hour, and 9,579 claims per minute. Fraud and abuse are on the rise and the pressure is on.

CMS has unleashed the age of the auditor with the advent of the RACs, MACs, CERTs, MICs, Z-PICs, and now, the HEAT.

RACs – The contingency-fee motivated Recovery Audit Contractors (retrospectively focused). The RAC Demonstration Project of 2005-2007 recovered over $1.3 billion, mostly for medically unnecessary services (45%), incorrect coding (35%), and insufficient documentation (10%). With four approved RAC firms, each covering a specific geographic region, these auditors are expected to continue their recovery program. The demonstration project cost only 22 cents for every $1.00 recovered. The RACs are now in place and ready to go; certain RACs had been held back until all MACs were in place, and that transition is now complete.

MACs – Medicare Administrative Contractors have been transitioning in and replacing the Regional Home Health Intermediaries (RHHIs). There are 15 MACs, with 4 focusing only on DME claims. Though providers fear the RACs, they are well aware of the power of the MAC. This auditing body can impose “severe administrative action” such as up to 100% prepayment review, payment suspension, and the use of statistical sampling to extrapolate overpayment estimates across claims (current and prospective focus). MACs have power, and Congress is encouraging them to use it.

Ethics and Accountability in an Electronic Age: 2012

Wednesday, December 28th, 2011

You are a leader or have interests in home healthcare and hospice, so you are aware of the challenges and opportunities presented in this electronic age.

Are you conducting your HIPAA Risk Analysis?

Do you have your Disaster Preparedness and Recovery Policies and Procedures current?

Do you have a policy regarding use of social media in the workplace?

Are you allowing nurses to take pictures of wounds with their personal cell phones?

Are you employing e-technology ethics?

Technology and Change:

Today we all use a GPS, an iPhone, a Droid or some other brand of cell phone; we touch an iPad or other tablet; we power up a laptop or desktop to send email, post status updates to Facebook, LinkedIn, or Twitter, or access the Internet for patient information, financial or clinical reports and benchmarks, or budgets. Technology has not necessarily made life easier. It certainly has increased the demands on our time.

Technology has impacted how we do banking, make purchases, conduct transactions, complete travel reservations, attend conferences, provide healthcare schedules, teach patients and personnel, automate revenue cycle management, and generate personnel schedules and  agency reports.

The negative effects include:

5/19/11: 57 hard drives were stolen from servers at the Blue Cross Blue Shield of Tennessee call center, with 1 million individuals impacted.

9/29/11: 4.9 million TRICARE beneficiaries were affected after data was stolen.

10/11: McAfee demonstrated how it could hack into a Medtronic insulin pump and could have lethally increased the dose.

2010: File boxes of patient records were found in two major cities.

The world is changing. The workforce is changing. Remote workers need special policies regarding PHI and the protection of patient data. Be certain they attend sessions on HIPAA/HITECH, privacy, and security. You may have a policy that allows ‘view only’ access to data with no printing.

HIPAA HITECH

The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009. Title XIII of ARRA is the Health Information Technology for Economic and Clinical Health Act (HITECH Act). HITECH legislation is meant to change health care delivery.

  • One way to effect that change is to provide financial incentives for physicians and hospitals to adopt electronic health records (EHR).

The Federal operating plan can be found at http://www.hhs.gov/recovery/reports/plans/onc_hit.pdf

This act includes $20 billion in funding for health information technology projects.

These projects include reimbursement incentives for health care providers to acquire electronic health record technology.  Hospitals are being encouraged to move toward becoming paperless.

HITECH has TEETH

The HITECH Act has given the HIPAA Privacy and Security Rules real teeth, in part by strengthening business associate agreements. One of the major goals of the HIPAA Privacy Rule was and is “to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being.” HIPAA ensures that personal health information given to covered entities is protected, including information shared with home health agencies, physicians, hospitals, third-party billing providers, coding specialists, and others who provide or pay for healthcare services. But Business Associates were not held to the same standards as covered entities. HIPAA HITECH moved to correct this weakness.

BUSINESS ASSOCIATES

  • The BAA states that the Business Associate is obligated to:
    Use/disclose PHI only as permitted or required by the agreement and by law.
    Use appropriate safeguards to prevent use or disclosure of PHI other than as permitted by the BAA.
    Report to the healthcare entity any use or disclosure of PHI not permitted by the agreement.
    Require all subcontractors and agents that create, receive, use, disclose, or have access to PHI to agree, in writing, to be held to the same restrictions and conditions on use or disclosure of PHI.

HIPAA HITECH imposed breach notification obligations on both covered entities and business associates and increased individual rights with respect to PHI maintained in EHRs. In addition, there is increased enforcement of, and increased penalties for, HIPAA violations.

The Department of Health and Human Services (HHS) has published a notice of proposed rulemaking that would modify the HIPAA Privacy, Security, and Enforcement Rules. The Proposed Rule implements the requirements of the HITECH Act and also expands upon its statutory provisions. On March 15, 2010, HHS indicated that, apart from the breach notification rule and the new penalty levels (which are already in effect), it does not expect to enforce the new provisions until the Final Rule is in force. The proposed compliance date for all provisions is 180 days after publication of the Final Rule. HHS accepted comments on the Proposed Rule through September 13, 2010. As of January 2012 the Final Rule has not yet arrived, but it is expected soon.

Prior to the HITECH Act, a Business Associate (BA) was not directly subject to HIPAA privacy and security requirements.  The BA obligations were to the CE under the terms of the agreement. The BA was subject to contractual remedies only for any breach of the business associate agreement (BAA).

  • Prior to ARRA/HITECH, Business Associates were not required to meet the Security Rule’s Administrative, Physical, and Technical safeguard requirements or its Policies, Procedures, and Documentation requirements.
  • NOW the BAA must clearly require the BA to comply with the HIPAA regulations just as the CE does.

Penalties for the BA are the same as the CE. That is a huge responsibility for the BA and the CE.

The HITECH Act and the Proposed Rule require business associates to comply with the requirements of the HIPAA Security Rule and to implement policies and procedures in the same manner as the CE. Subcontractors to business associates must also develop Security Rule compliance programs. Rules to be followed include:

  • Security and incident response policies
  • A breach log
  • Every employee must understand that they carry personal responsibility for intentional breaches
  • Email containing PHI is to be encrypted

Breach:

A breach is an unauthorized acquisition, access, use, or disclosure of protected health information resulting from a failure to comply with organizational security or privacy policies or from a violation of federal or state privacy and security regulations. Unintentional, good-faith access by a workforce member of a covered entity, acting within the scope of their authority and without any further impermissible use or disclosure, is not considered a breach.

HITECH also strengthens the specifics of privacy and security, significantly increasing penalties and establishing a heightened enforcement scheme that gives state attorneys general enforcement authority. Individuals may now be held accountable for wrongful disclosure (HITECH Act section 13409).

Under the new law, when a breach is discovered, a covered entity (CE) must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed or disclosed. Business associates must notify the CE of the breach. Note that, under the interim rule, notification is triggered once the breach has been evaluated to pose a significant risk of harm to the individual. CEs and BAs must notify individuals about a breach without unreasonable delay and no later than 60 days following discovery of the breach.

If a breach involves 500 or more individuals, HHS must be notified at the same time as the affected individuals, and HHS posts the covered entity’s name on its public breach list; HHS began posting names on March 1, 2010. Breaches involving fewer than 500 individuals must be recorded in a log and submitted to HHS annually.

UCLA Health System recently agreed to pay $865,500 and to implement an HHS-approved corrective action plan after employees repeatedly accessed patient records they had no legitimate reason to view. This is an organization with a sophisticated compliance plan, and it still had this breach.

The EHR

The Privacy Rule gives individuals the right to obtain copies of their PHI from a CE. The HITECH Act extended that right to an electronic copy of PHI maintained in an EHR.

ARRA supports the government goal of establishing electronic health records for all Americans by 2014.

  • To accomplish this goal, privacy rules have been strengthened, and the requirements for breach notification and the responsibilities of business associates have been greatly increased.

CEs must prepare processes in response to the requirements and have updates to the BAA.

At Select Data,

  • We believe in Corporate Compliance
  • We have a strong HIPAA Awareness and Corporate Compliance Plan which assertively strives to protect PHI.
  • We notify the Corporate Compliance Officer of suspected or actual incidents of PHI disclosure

We want to comply with the regulations and we want to protect health information because, not only is it the law, but, it is the right thing to do.

57 million US consumers have accessed their medical information, and another 40 million want to do so, according to the Cyber Citizen Health US 2011 survey.

DISASTER PREPAREDNESS

The Security Plan: Each CE must plan and document how it will operate during a disaster and how ePHI will be secured. The HIPAA Security Rule (compliance date April 2005) requires a Data Backup Plan: retrievable exact copies of protected data, so that the data can be accessed if the original has been destroyed.

The Plan must show regular duplication of patient files, with the copies stored in a secure location. The Plan also requires an inventory of the software and hardware in use so key systems can be restored quickly if a disaster occurs. It is not acceptable to merely store information on a cell phone or smartphone. Have a clear, concise, complete backup plan.

The Security Plan is expected to show how physical access to the premises is controlled, including access by employees. It also requires records of how each employee can access data, with levels of access delineated. There should be power-on authentication and automatic screen locks. CEs are expected to test and revise their contingency plans, taking steps to identify and mitigate areas of weakness.

Employees should be aware that patient names are not the only identifiers. PHI also includes addresses, phone numbers, driver’s license numbers, medical record numbers, policy and account numbers, vehicle identifiers such as VINs, health plan numbers, and the names and identifiers of relatives.

Lastly, the HIPAA Security Plan must be in writing, and the industry standard is an annual review (though no statute sets a frequency). The Plan should have detailed policies and procedures, with all incidents recorded, and identify a Disaster Plan with contingencies and the technological interventions planned.

To read more about HITECH, please refer to the Proposed Rule: Department of Health and Human Services, Office of the Secretary, Office for Civil Rights, “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act,” 45 CFR Parts 160 and 164, Federal Register Vol. 75, No. 134, Wednesday, July 14, 2010, Proposed Rules.

Social and Professional Media

Social media is one of the most dangerous risks. What an interesting dichotomy: on one hand, we in health care are operating under increasingly rigid privacy restrictions, and on the other, individuals are posting the most intimate or the most mundane information about themselves and others on the Internet for the world to read and see forever.

Agencies that allow clinicians to use their personal smartphones to take pictures of wounds and upload them to a patient record need to be concerned about the patient information that remains stored on a personal phone. Who owns the data? Who will protect the data? Is texting a safe way to transport patient data? Experts say, “No.”

Should clinicians worry that their party and beer drinking pictures could be used against them if they are involved in a med error or a law suit?

At the VA, a new social media directive covers the use of Facebook pages, Twitter feeds, blogs, and YouTube channels. They use examples of these sites to educate personnel re personal and professional responsibilities.

100% of the Top 100 firms employ personnel to monitor social media. Every person interviewed has their social media investigated, and hiring depends on the findings. Law firms, banks, and accounting firms use social media investigators. Gartner and the TechCrunch blog state that “the new social media customer relationship management (social CRM) market is expected to reach over $1 billion in revenue by the end of 2012, up from approximately $625 million in 2010. Worldwide social CRM is projected to total $820 million in 2011.”

What are the ethics of making negative comments about a present or prior employer? Many organizations, especially banks, hospitals, and academic institutions, monitor what is said about them and their clients or patients. They have clear policies backed by HIPAA training. If an employee or former employee breaches a confidence, they may be sanctioned or sued.

WHAT Can You Do?

Encrypt email with patient or other sensitive data!

Be certain your organization has a strong corporate compliance plan in place. Have a strong Corporate Compliance Officer (CCO) who reports to the CEO and the Board of Directors. Consider giving the CCO direct access to corporate counsel.

Have compliance policies and procedures that also address disaster preparedness, social media, data protection, and backup. Review the Corporate Compliance Plan at least annually. Keep a copy of the presentation with an attendance sheet to demonstrate corporate-wide support of the plan. Be clear about the internal audits conducted, as well as the corporate-wide risk analysis conducted annually.

Review the American Nurses Association’s Principles for Social Networking and the Nurse. Draw from the ANA’s Code of Ethics for Nurses. Review the American Physical Therapy Association Code of Ethics. Many clinical associations can provide ethical guidelines that can assist with policy development.

Mayo Clinic has refined policies on social media well worth reading. Protect your agency. Be certain your employees know your agency’s ethical stance. Review regulations frequently:

http://www.govinfosecurity.com

http://www.mobilhealthnews.com

http://www.hhs.cms.gov

http://www.healthdatamanagement.com

Expect clinicians to adhere to their Standards of Practice. Expect everyone to adhere to best practices in the ethical protection of patient data. Password-protect devices and accounts, and change passwords regularly.

Be serious, and state your ethical beliefs in front of employees, frequently. Encourage employees: when in doubt, don’t. Don’t send data that causes you to hesitate. Encourage them to double-check what is being sent, and to whom.

Ethics and Compliance have become the watchwords for a safer healthcare environment. Remember agencies with similar beliefs seek each other out. The ethical industry leader wants to work with other industry organizations that share the concern to protect, care, and achieve expected patient outcomes in a compliant ethical manner. Have a great 2012.

Compliance Q&A: Survey protocols, CoPs, HIPAA, ACOs, and Transitions of Care

Saturday, November 19th, 2011

Questions regarding 2011 Survey protocols

Q. We have several questions re the new survey protocols. What are some of the key differences? What does the pre-survey preparation include?

A. The new survey protocols focus on specific standards within identified conditions that are related to quality care. To identify the care delivered and its relationship to the assessment and the plan of care, the surveyor will review the clinical record and will also rely on personnel interviews and home visits. The survey is data-driven, patient-focused, and outcome-oriented.

The surveyor is expected to collect data and review State file data, prior survey results, OASIS reports, and agency-specific characteristics. (S)he will review outcomes and potentially avoidable events for both active and discharged patients, and make visits to higher-risk patients. The new protocols provide specific guidance on citing standard-level and condition-level deficiencies.

Q. Can you explain the survey levels? How is a standard survey extended?

A. A Standard Survey focuses on Level 1 standards (9 of the 15 CoPs), which address the delivery of high quality patient care, using not only clinical records but also interviews. If the home health agency is in compliance with all Level 1 standards and there are no identified concerns requiring investigation, the survey is concluded and Form CMS-2567 is issued.

A Partial Extended Survey begins when expected outcomes are not met for one or more Level 1 standards. It requires a review of Level 2 standards. Expect related information to be sought for the areas of concern, such as agency policies and procedures, personnel competency evaluations, and in-service training.

Condition-level deficiencies can occur with serious findings, whether or not they relate to Level 1 and 2 standards. Immediate patient jeopardy is always cited at the condition level. All conditions are reviewed. Refer to the State Operations Manual, Appendix B Guidelines.

Questions re CoPs

Q. What are the required leadership positions stated in the CoPs?

A. The Conditions of Participation cite three administrative positions:  a governing body, an administrator, and a supervising physician or RN.  You may title these three positions whatever  your agency prefers, however the positions must exist and the individuals appointed must perform the duties identified in the CoPs. Be certain job descriptions, policies and procedures, and other necessary documentation clearly define that the positions perform all required designated responsibilities.

Do not forget the delegates required. Be certain that agency policy identifies who will function as the administrative delegate. The agency must also be in compliance with state requirements, which frequently are more stringent. Compare both State and Federal requirements so the agency is in compliance.

Q. Is it true that we must have a realistic end point for intermittent services for a patient who has a chronic diagnosis, such as Alzheimer’s disease?

A. CMS Publication 100-02 (Medicare Benefit Policy Manual), Chapter 7, § 40.1.1, states that services can be provided “without regard to whether the illness or injury is acute, chronic, terminal, or expected to extend over a long period of time.”

According to the publication, if the patient with a chronic disease is homebound and needs skilled, reasonable, and necessary services that meet the part-time or intermittent requirements, then the agency can provide care. That care must be carefully documented. The agency must be certain there is an intensive assessment of the patient and their support services, with interventions and goals clearly stated. Carefully delineate the SKILLED need for each visit made. If a patient with Alzheimer’s disease qualifies for Medicare coverage through a need for monthly catheter changes and receives home health aide services once a month, be certain each visit shows progress, and document the patient/caregiver response to care.

“Part-time or intermittent” means skilled nursing care and home health aide services combined for fewer than 8 hours per day and 28 or fewer hours per week, or, subject to review by the fiscal intermediary on a case-by-case basis, fewer than 8 hours per day and up to 35 hours per week. Medicare requires supporting evidence of the continued skilled care need. The agency must reflect the need for compliant skilled care through clear documentation.

Questions about ACOs and New Payment Methods

Q. I am hearing about bundled services. Should I be concerned?

A. Home Health Agencies should be aware of potential ACO formation in their respective markets.  Does your agency have a specialty you should be marketing to local hospitals? Some hospitals are looking at the bundled payment options as well as ACOs. Read more at the CMS website but know that the proposed pilot gives participants the opportunities to make choices regarding patients to include, length of episodes of care, whether acute inpatient care should be included, and the target payment to be established. There are a variety of proposed models. Go to www.CMS.hhs.gov to learn more.

Q. I have heard there will be new payment methods. What are they?

A. Select Data will be providing ezine articles in late November and December regarding some of the proposed payment and treatment methods being considered and presently being evaluated. Those may include:

Accountable Care Organizations (ACOs) with Bundled Payments or Shared Savings Programs, where the ACO shares risk. There will be various types of risk-sharing programs. There may be value-based payment plans. Expect to see ACOs led by hospitals or physician groups. Home Health Agencies will need to show value to become part of such collaborative, formalized groups. Expect CMS to utilize comparative-effectiveness techniques and evidence-based practices. Become familiar with the following terms:

ACOs: Integration of providers to assume responsibility for the quality, costs, and outcomes of care.

Total Costs of Care: A reimbursement methodology being designed to reduce cost per person per episode.

Predictive Modeling: A methodology to estimate how clients may use services and the related costs based upon variables, prior behavior, and attributes assigned.

Transition of Care: The movement of patients from one health care practitioner or setting to another as the condition and care needs change. Under this model, there will be NO discharge summary. Instead expect a “Transition Summary”. See the next Select Data article: CMS and Transitions of Care.

Questions re Face to Face

Q. Is anyone working to get some help for home health agencies regarding the face-to-face rule?

A. Yes, several state associations as well as NAHC are working to obtain some legislative relief. NAHC has called for 1) exemptions in specific hardship circumstances, 2) a reduction in the documentation required, 3) expanded use of telehealth to meet the face-to-face requirement, 4) protection of home health agencies from denials when the agency is not at fault, and 5) allowing one physician/NPP to complete the face-to-face encounter and another to certify (CMS has proposed this but is limiting it to an inpatient physician).

Q. Could you give a summary of key points of the proposed 2012 Home Health PPS Rate Rule?

A. Agencies will need to be efficient: for 2012 there is a proposed 2.5% inflation update, a 5.06% case-mix creep adjustment, and a net 3.56% rate reduction. In addition, a recalculation of case-mix weights is proposed that includes the elimination of two hypertension codes (401.1 Benign essential hypertension and 401.9 Unspecified essential hypertension). Therapy episodes would also receive lower case-mix weights, with reduced weighting for higher therapy visit counts and the removal of the therapy visit step indicators, and the points assigned to clinical and functional scores would be recalculated. Additionally, an agency that failed to complete a successful HHCAHPS dry run in Q3 of 2010 risks a 2% reduction in payment. (See the October 2011 Select Data ezine for more regarding HHCAHPS.)

A few questions regarding HIPAA

Q. Could you give a brief summary of HIPAA HITECH? Can you discuss breach? Can you discuss best practices needed?

A. The American Recovery and Reinvestment Act (ARRA) of 2009 brought changes to the HIPAA regulations in three broad areas: breach notification, business associates, and penalties. It increases enforcement of HIPAA and allocates billions of dollars to invest in the implementation and exchange of health information technology such as the EMR.

Under HITECH, if a breach compromises the privacy and security of the patient’s information and poses a significant risk of financial, reputational, or other harm, patient notification is required.

Five new definitions have been added:

  • Breach
  • Electronic Health Record (EHR)
  • National Coordinator
  • Personal Health Record (PHR)
  • Vendor of Personal Health Records

HITECH strengthens the specifics of privacy, significantly increasing penalties, establishing a heightened enforcement scheme, and giving state attorneys general enforcement authority. Individuals may now be held accountable for wrongful disclosure (HITECH Act section 13409).

If a breach involves 500 or more individuals, HHS must be notified at the same time as the affected individuals, and HHS posts the covered entity’s name on its public breach list (HHS began posting names on March 1, 2010). Breaches involving fewer than 500 individuals must be logged and submitted to HHS annually.
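To make the thresholds above concrete, here is a small breach-triage helper added for this page (it is not Select Data’s code and not a tool the text refers to). It encodes the decision points described here and in the Ethics and Accountability post: the good-faith workforce-access exception, the “unsecured PHI” and significant-risk-of-harm triggers, the 60-day window for individual notice, the 500-individual line above which HHS is notified contemporaneously and posts the entity’s name, and the annual log for smaller breaches. Two specifics come from the Breach Notification Rule rather than from this page and are marked as such in the comments: HHS notice for a 500-plus breach is due within the same 60-day window as individual notice (45 CFR 164.408(b)), and the annual log is due within 60 days after the end of the calendar year (164.408(c)). The function name, the keyword arguments, and the two sample incidents are constructed for the example.

```python
from datetime import date, timedelta

INDIVIDUAL_NOTICE_DAYS = 60   # "no later than 60 days following discovery"
HHS_LIST_THRESHOLD = 500      # 500 or more individuals: HHS posts the CE's name
ANNUAL_LOG_GRACE_DAYS = 60    # 45 CFR 164.408(c): annual log due within 60 days
                              # after year end (rule detail, not stated on this page)


def triage_breach(discovered, individuals, unsecured=True,
                  significant_harm_risk=True, good_faith_workforce=False,
                  reporter="covered_entity"):
    """Return the notification obligations for one incident.

    discovered            - date the CE or BA discovered the incident
    individuals           - number of individuals whose PHI was involved
    unsecured             - False if the PHI was encrypted or destroyed per HHS guidance
    significant_harm_risk - outcome of the risk assessment under the interim rule
    good_faith_workforce  - unintentional, in-scope access by a workforce member
                            with no further impermissible use or disclosure
    reporter              - "covered_entity" or "business_associate"
    """
    if good_faith_workforce:
        return {"breach": False,
                "reason": "good-faith workforce access exception; document it"}
    if not unsecured:
        return {"breach": False,
                "reason": "PHI was secured (encrypted); notification not triggered"}
    if not significant_harm_risk:
        return {"breach": False,
                "reason": "risk assessment found no significant risk of harm; document it"}

    deadline = discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    result = {"breach": True, "individuals": individuals,
              "notify_individuals_by": deadline}
    if reporter == "business_associate":
        # A BA's duty is to notify the CE; the CE then notifies the individuals.
        result["notify_covered_entity_by"] = deadline

    if individuals >= HHS_LIST_THRESHOLD:
        # Contemporaneous with individual notice (164.408(b)); the name is posted publicly.
        result["notify_hhs_by"] = deadline
        result["posted_on_hhs_breach_list"] = True
    else:
        # Smaller breaches go on the breach log and are reported annually.
        year_end = date(discovered.year, 12, 31)
        result["log_and_report_to_hhs_by"] = year_end + timedelta(days=ANNUAL_LOG_GRACE_DAYS)
        result["posted_on_hhs_breach_list"] = False
    return result


if __name__ == "__main__":
    # Two constructed incidents, not real events.
    lost_tapes = triage_breach(date(2011, 11, 1), individuals=1200)
    misdirected_fax = triage_breach(date(2010, 6, 15), individuals=40)
    for name, obligations in (("lost backup tapes", lost_tapes),
                              ("misdirected fax", misdirected_fax)):
        print(name)
        for key, value in obligations.items():
            print(f"  {key}: {value}")
```

The helper returns dates rather than printing them so the deadlines can be dropped into the breach log or a ticket; note that the annual-log deadline lands on March 1 after a non-leap year and on February 29 after a leap year, which is exactly the kind of off-by-one a hand-maintained calendar gets wrong.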

For Business Associates, the Covered Entity must ensure that BAs have implemented the administrative, physical, and technical safeguards of the HIPAA Security Rule. The CE must also specify that the BA must comply with the use and disclosure rules in the HIPAA Privacy Rule. The BA should demonstrate how it will coordinate security/data breach response with the CE. There should also be agreement on reporting and dispute resolution.

If the health care organization suspects or knows that a BA has committed a material breach or violation of the agreement, “the health care organization is in violation of the business associate rules unless it takes reasonable steps to cure the breach or end the violation [45 CFR 164.504(e)(1)(ii)]” (Decision Health, HIPAA, 2010).

Penalties follow a tiered system for assessing both the level of culpability and the penalty for each violation. There is a cap of $50,000 per violation and $1.5 million per calendar year for violations of the same provision.

Health care organizations should have in place policies that address the various levels of violation, such as failing to sign off a computer terminal when it is not attended, sharing passwords, accessing a patient record without a legitimate reason, releasing data for personal gain, and intentionally destroying or altering data.

Use Best Practices for:

Authentication: pre-boot authentication and strong passwords

Access: need-to-know basis, on approved devices only

Retention: destroy data that is no longer needed

Encryption: laptops, notebooks, desktops, email, and social networks

For some peace of mind, have a written information security program, an active HIPAA privacy program, and a living Corporate Compliance Program.

RACs, MACs, Z-Pics:The Auditors are Unleashed

Saturday, October 15th, 2011

What are your agency case mix averages by admission: clinician: diagnosis?

Do you know your top five diagnostic patient profiles?

How do you set visit frequencies? Formula-based or what seems right?

Are you making visits that have no impact on patient outcomes?

Are you auditing for homebound status?

Are you auditing documentation for medical necessity?

What is your cost per visit by discipline?

What is your recertification percentage?

Do you know your supply utilization per patient?

Does supply usage have adequate supporting documentation?

Do you know what coding, operational, or billing edits you are routinely triggering?

How are you applying the data collected to your business processes?

The RACs, MACs, MICs, and Z-PICs are now in place. The auditors are expected to perform. They have been chosen based upon performance.

Algorithms and matrices are in place, using predictive analytics.

Per Wikipedia, predictive analytics “encompasses a variety of statistical techniques from modeling, data mining and game theory that analyze current and historical facts to make predictions about future events”.

CMS is using predictive models to identify patterns in the transactional data it gathers, in order to identify risks and potential future behaviors. They are looking at diagnoses in relation to visit frequencies and recertifications. They are looking at HIPPS codes compared to visit frequencies and durations. They are looking at predictive models that capture relationships among many factors, allowing assessment of the risk or potential associated with a particular combination of assessment, care frequency, and expected payment. In other words, what are the guiding decision-making factors behind agency transactions? This is one reason there needs to be rhyme and reason connecting visit frequency, patient diagnoses, and the care needed.

Predictive analytics look at past performance to assess how likely an agency is to exhibit a specific behavior in the future. That behavior is then compared to other agencies’ behavior in order to calculate risk; the models then seek out subtle data patterns that answer questions about the agency’s overall performance. These analytics quickly become fraud detection models.

The MACs are using predictive models to perform calculations during live transactions, evaluating the risk or opportunity of a given agency transaction in order to guide a decision. Individual agency models can simulate likely human behavior or reactions to specific situations. The new term for animating data specifically linked to an individual in a simulated environment is “avatar analytics.” Hopefully CMS is not there yet, but gaming experts ARE employed by CMS.
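As an added illustration of the peer-comparison logic described above (this is example code written for this page, not CMS’s or any MAC’s model, which is not public), the block below takes a constructed set of 60-day episodes, computes each agency’s mean visits per episode for each primary diagnosis and its recertification rate, and flags any agency whose value sits more than two standard deviations above its peers for the same diagnosis. That is the simplest form of the “diagnoses in relation to visit frequencies and recertifications” screen the text describes, and it is the kind of self-audit an agency can run on its own claims before a contractor does. The agency names, diagnosis codes, visit counts, and recertification flags are all made up; the leave-one-out z-score and the 2.0 threshold are the example’s own choices.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample episodes (not real claims data). One row per 60-day episode:
# (agency, primary diagnosis code, skilled visits in the episode, recertified?)
EPISODES = [
    ("HHA-1", "428.0", 10, False), ("HHA-1", "428.0", 12, True),
    ("HHA-2", "428.0", 9, False),  ("HHA-2", "428.0", 11, False),
    ("HHA-3", "428.0", 11, True),  ("HHA-3", "428.0", 13, False),
    ("HHA-4", "428.0", 24, True),  ("HHA-4", "428.0", 26, True),
    ("HHA-5", "428.0", 10, False), ("HHA-5", "428.0", 10, False),
    ("HHA-1", "250.00", 6, False), ("HHA-2", "250.00", 6, False),
    ("HHA-3", "250.00", 5, False), ("HHA-4", "250.00", 6, True),
    ("HHA-5", "250.00", 7, False), ("HHA-5", "250.00", 6, True),
]


def agency_profiles(episodes):
    """Mean visits per episode keyed by (dx, agency), and recert rate keyed by agency."""
    visits = defaultdict(list)
    recerts = defaultdict(list)
    for agency, dx, n_visits, recert in episodes:
        visits[(dx, agency)].append(n_visits)
        recerts[agency].append(1 if recert else 0)
    mean_visits = {key: mean(v) for key, v in visits.items()}
    recert_rate = {agency: mean(r) for agency, r in recerts.items()}
    return mean_visits, recert_rate


def peer_zscore(value, peers):
    """Standard score of value against its peers; None when there are too few peers."""
    if len(peers) < 3:
        return None
    spread = pstdev(peers)
    if spread == 0:
        return 0.0 if value == mean(peers) else float("inf")
    return (value - mean(peers)) / spread


def visit_outliers(episodes, z_threshold=2.0):
    """Agencies whose mean visits for a diagnosis exceed peers by more than z_threshold SDs.

    Returns a sorted list of (agency, dx, mean_visits, z).
    """
    mean_visits, _ = agency_profiles(episodes)
    by_dx = defaultdict(dict)
    for (dx, agency), v in mean_visits.items():
        by_dx[dx][agency] = v
    flags = []
    for dx, per_agency in by_dx.items():
        for agency, v in per_agency.items():
            # Leave-one-out: the agency under review is not part of its own peer group.
            peers = [p for a, p in per_agency.items() if a != agency]
            z = peer_zscore(v, peers)
            if z is not None and z > z_threshold:
                flags.append((agency, dx, round(v, 1), round(z, 1)))
    return sorted(flags)


def recert_outliers(episodes, z_threshold=2.0):
    """Agencies whose recertification rate exceeds peers by more than z_threshold SDs.

    Returns a sorted list of (agency, recert_rate, z).
    """
    _, recert_rate = agency_profiles(episodes)
    flags = []
    for agency, rate in recert_rate.items():
        peers = [r for a, r in recert_rate.items() if a != agency]
        z = peer_zscore(rate, peers)
        if z is not None and z > z_threshold:
            flags.append((agency, round(rate, 2), round(z, 1)))
    return sorted(flags)


if __name__ == "__main__":
    for agency, dx, v, z in visit_outliers(EPISODES):
        print(f"{agency}: {v} visits/episode for dx {dx} is {z} SD above peers")
    for agency, rate, z in recert_outliers(EPISODES):
        print(f"{agency}: recert rate {rate:.0%} is {z} SD above peers")
```

On the sample data only HHA-4 is flagged, for both its visit frequency on 428.0 and its recertification rate. Two caveats carry over to real use: a single gross outlier inflates the peer standard deviation and can hide a second, milder outlier in the same group (a median/MAD score is more robust), and a flag is a reason to pull charts and verify medical necessity, not evidence of fraud by itself.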

The government is serious about attacking fraudulent behavior. The danger that exists is that some agencies not intending to commit fraud, but who are not auditing their data submitted, may be triggering alerts. Home Health Agencies can no longer afford to provide care without auditing the assessment, the care predicted, and the care provided.

The RACs have also indicated that insufficient documentation of medical necessity will be one of the first areas of focus for their audits. But no agency should believe that only therapy documentation will be scrutinized. Skilled nursing for observation and assessment (O/A) continues to be high on the list for visit and episode denials.

What happens if compliance measures are not employed? Targeted Medical Reviews (TMRs) and Additional Documentation Requests (ADRs) will rise. There will be claim denials and Medicare audits.

CMS has Unleashed the Auditors

Annually, CMS receives 1.2 billion claims. That breaks down to 4.3 million claims per work day, 574,000 claims per hour, and 9,579 claims per minute. Fraud and abuse are on the rise and the pressure is on.

CMS has unleashed the age of the auditor with the advent of the RACs, MACs, CERTs, MICs, Z-PICs, and now, the HEAT.

RACs – Recovery Audit Contractors, paid on contingency and retrospectively focused. The RAC Demonstration Project of 2005-2007 recovered over $1.3 billion, mostly for medically unnecessary services (45%), incorrect coding (35%), and insufficient documentation (10%). With four approved RAC firms each covering a specific geographic region, these auditors are expected to continue that recovery record. The demonstration project cost only 22 cents for every $1.00 recovered. The RACs are now in place and ready to go; certain RACs had been held back until all MACs were in place, and that transition is now complete.

MACs – Medicare Administrative Contractors have been transitioning in and replacing the Regional Home Health Intermediaries (RHHIs). There are 15 MACs, 4 of which focus only on DME claims. Though providers fear the RACs, they are well aware of the power of the MAC. This auditing body can impose “severe administrative action” such as up to 100% prepayment review, payment suspension, and statistical sampling to estimate overpayments across claims (current and prospective focus). MACs have power, and Congress is encouraging them to use it.

CERTs – Comprehensive Error Rate Testing. To better measure the performance of the FIs and MACs, and to examine the reasons for their errors, CMS decided to track a number of additional rates. These include:

—   the provider compliance error rate (how well providers prepared claims for submission)

—   the paid claims error rate (how accurately FIs and MACs make coverage, coding, and other claims payment decisions)

CERTs randomly select a sample of about 100,000 claims each reporting period and review them against Medicare coverage, coding, and billing rules; claims that are not in compliance count toward an overall error rate.

CERTs also identify whether providers received overpayment letters or notices of adjustments for claims that were overpaid or underpaid. CERTs are considered the quality improvement specialists who track and trend the performance of fiscal intermediaries and Medicare Administrative Contractors.

Z-PICs – Zone Program Integrity Contractors perform Medicare program integrity functions for CMS. They interact with each MAC to handle fraud and abuse issues within their jurisdictions. Z-PICs consolidate the work of the existing Program Safeguard Contractors (PSCs) and Medicare Drug Integrity Contractors (MEDICs) and are divided into 7 zones.

The Z-PICs work with the Department of Justice and the FBI and act as the investigators when fraud is strongly suspected. Z-PICs have the power to suspend payment of claims for up to a year, and the agency has no appeal recourse during that time. That power can cripple or financially devastate an agency.

HEAT – This auditing body is considered the most aggressive investigator, focused essentially on DME and Home Health. The DOJ/CMS/HHS Office of Inspector General Medicare Fraud Strike Force teams have expanded to Baton Rouge, Brooklyn, Detroit, Houston, Los Angeles, Miami-Dade, and Tampa Bay, and as recently as September 2011 they struck, arresting 91.

The HEAT is the technologically oriented auditing body, using state-of-the-art analytics to expand the CMS Medicaid provider audit program. Its leadership meets with top anti-fraud leaders in Congress, law enforcement, and the private sector.

CMS states that its mission includes, “providing additional resources to our civil enforcement efforts under the False Claims Act to increase dollars recovered; data sharing, including access to real time data; detect patterns of fraud through technology; strengthening partnerships among Federal agencies between public and the private sectors.”

Clearly, with all of these auditing bodies, CMS is making a bold statement: fraud and abuse will not be tolerated. Unfortunately, in this kind of environment, innocent casualties can occur. Agencies need to take action now.

Can Audits be Prevented?

Maybe not, but exposure to paybacks can be limited by enacting solid compliance measures.

Prepare now. Be aware of what other providers have faced with auditors.

Be certain a clinical documentation chart audit is in place for every discipline's clinical records.

The following items should be included in every clinical note:

Homebound status: Identify what taxing effort was exerted if the patient left the house since the last clinical visit. Be certain to list all assistive devices and/or caregivers needed, the purpose for leaving the home, and whether this was expected and/or part of the care plan.

Identify what made the visit skilled. If teaching was conducted, was it initial teaching, reinforcement teaching, or re-teaching? Identify progress toward goals in objective, measurable terms: for the psych nurse, what evidence of progress toward the cognitive and behavioral goals was identified? For physical therapy, how many feet were walked since the last visit, and where does that fall in the plan? For the SN, did the patient identify at least two key side effects of their medications? Does the patient know what each medication is for and what it is expected to do? Do they know how to take their medications safely?

Compare the Visits to the POC: Compare each visit note to the plan of care (POC) that the clinician developed from the assessment. Have physician orders, or physician notification, on file for every change in condition, and note all changes of condition clearly.

SN should review the body systems, noting vital signs (VS) and pain assessments.

When Teaching: Note whether the teaching is new, reinforced teaching, or re-teaching of the same subject to, perhaps, another caregiver. Note the caregiver's willingness and capacity to learn and carry out the skills taught. Note the patient's and caregiver's learning as a percentage, e.g., 70% or 80%.

Interdisciplinary communication: Communication to the physical therapist, the home health aide, or other disciplines should be clearly noted. The visits should show the progress of care in relation to the plan of care.

Be specific about wounds, skin conditions, fall risk, depression, and the focus of care. Auditors look for detail and for reasons that support skill; no documented skill can mean denial of payment for the visit.

For Diabetics Receiving Insulin

Be certain homebound status is clearly and adequately documented.

Skilled visits must have the skill identified, such as the specific instructions given.

Return demonstrations by the patient or caregiver should be documented. Note the patient's or caregiver's ability to follow the diet, and give examples that support diet and meal-planning learning.

Caregiver willingness and availability should be specifically noted on each visit.

More Strategies

Review all claims against known edits prior to submission.

Have a system that prevents claims from being submitted without a signed physician order.

Counsel and hold clinicians accountable for accurate, complete, and concise documentation that matches the planned care expectation.
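One way to build the pre-submission gate that the strategies above (and the "Compare the Visits to the POC" item earlier) call for, as an added example that is not part of the original post: each "edit" is a function that either describes a problem or returns None, and a claim with any failed edit is held rather than transmitted. The claim fields, the POC frequency notation (`3w2` read as 3 visits a week for 2 weeks), the one-visit tolerance and the sample claims are all assumptions constructed for illustration; an agency would substitute its payer's actual edits and its own record layout.

```python
"""Pre-submission claim edits behind a fail-closed release gate.

Added example, not code from the original post. The record layout, the POC
frequency notation ("3w2" = 3 visits a week for 2 weeks), the one-visit
tolerance and the sample claims are all constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class PhysicianOrder:
    signed_on: date | None  # None: order not returned, or returned unsigned
    start: date             # certification period the order covers
    end: date

@dataclass
class Claim:
    claim_id: str
    episode_start: date
    episode_end: date
    hipps: str
    diagnoses: list[str]              # M1020/M1022 codes as billed
    order: PhysicianOrder
    poc_frequency: dict[str, str]     # discipline -> ordered frequency, e.g. "3w2,2w4,1w3"
    visits_delivered: dict[str, int]  # discipline -> visits actually made

def ordered_visits(frequency: str) -> int:
    """Visits implied by a frequency string such as '3w2,2w4,1w3' (= 6 + 8 + 3 = 17)."""
    total = 0
    for part in frequency.split(","):
        per_week, weeks = part.strip().lower().split("w")
        total += int(per_week) * int(weeks)
    return total

# Each edit returns a problem description, or None when the claim passes it.
def edit_signed_order(claim: Claim, submit_date: date):
    if claim.order.signed_on is None:
        return "no signed physician order on file"
    if claim.order.signed_on > submit_date:
        return "order signature is dated after the submission date"
    return None

def edit_order_covers_episode(claim: Claim, submit_date: date):
    if claim.order.start > claim.episode_start or claim.order.end < claim.episode_end:
        return "physician order does not cover the full episode"
    return None

def edit_coding_present(claim: Claim, submit_date: date):
    if not claim.hipps or not claim.diagnoses:
        return "missing HIPPS code or diagnoses"
    return None

def edit_visits_match_poc(claim: Claim, submit_date: date, tolerance: int = 1):
    """Visits delivered must match what the plan of care ordered, discipline by discipline."""
    problems = []
    for discipline, frequency in claim.poc_frequency.items():
        ordered = ordered_visits(frequency)
        delivered = claim.visits_delivered.get(discipline, 0)
        if abs(delivered - ordered) > tolerance:
            problems.append(f"{discipline}: {delivered} delivered vs {ordered} ordered")
    for discipline in claim.visits_delivered:
        if discipline not in claim.poc_frequency:
            problems.append(f"{discipline}: visits delivered with no frequency on the POC")
    return "; ".join(problems) or None

EDITS = [edit_signed_order, edit_order_covers_episode, edit_coding_present, edit_visits_match_poc]

def run_edits(claim: Claim, submit_date: date) -> list[str]:
    """Every failed edit, named, so the biller sees the whole list at once."""
    failures = []
    for edit in EDITS:
        problem = edit(claim, submit_date)
        if problem:
            failures.append(f"{edit.__name__}: {problem}")
    return failures

class ClaimHeld(Exception):
    """Raised instead of transmitting: the default is to hold, not to warn."""

def release_for_submission(claim: Claim, submit_date: date) -> str:
    failures = run_edits(claim, submit_date)
    if failures:
        raise ClaimHeld(failures)
    return f"{claim.claim_id} released"

# Constructed sample claims for one 60-day episode, submitted 2011-12-02.
EPISODE = (date(2011, 10, 1), date(2011, 11, 29))
SIGNED = PhysicianOrder(date(2011, 10, 5), *EPISODE)
SUBMIT_DATE = date(2011, 12, 2)
CLEAN = Claim("HH-1001", *EPISODE, "1AFK", ["250.00", "401.9"], SIGNED,
              {"SN": "3w2,2w4,1w3", "PT": "2w4"}, {"SN": 17, "PT": 8})
UNSIGNED = Claim("HH-1002", *EPISODE, "1AFK", ["428.0"], PhysicianOrder(None, *EPISODE),
                 {"SN": "2w9"}, {"SN": 18})
OVERVISIT = Claim("HH-1003", *EPISODE, "2BGL", ["428.0"], SIGNED,
                  {"SN": "2w9"}, {"SN": 27, "OT": 4})

if __name__ == "__main__":
    for claim in (CLEAN, UNSIGNED, OVERVISIT):
        try:
            print(release_for_submission(claim, SUBMIT_DATE))
        except ClaimHeld as held:
            print(f"{claim.claim_id} HELD:", *held.args[0], sep="\n  ")
```

The gate raises rather than warning because a warning that a busy biller can click past is no control at all; the held claim goes back to the clinician or the physician's office with the full list of failed edits, which is also the record an auditor will later ask to see.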

Clinicians must now be aware that surveyors look at their assessments, the discipline-specific plan of care, the overall plan of care, the visit documentation outlining the care provided and the patient's response, and the outcomes at the episode's conclusion. The diagnoses listed in M1020/M1022 must comply with ICD-9 coding guidelines, be unresolved, read as the table of contents for the clinical record, and be supported by the clinical documentation.

RAC auditors have clinicians and coders on their teams to make their audits more specific. Ask your clinicians: could their visits withstand that kind of review?

Establish peer review sessions at your agency. Proud clinicians want their peers to think highly of them. Peer review audits can be an excellent defense against an external audit, not only because they show clinicians what is expected but because they motivate excellence.

Office of Civil Rights (OCR) and HIPAA

Friday, June 24th, 2011

At a recent HIPAA seminar, the Office for Civil Rights (OCR) said that it is evaluating HIPAA audit models. The present model requests certain records, reviews them, cites errors and omissions, and calls for corrective action. The privacy and security of Protected Health Information (PHI) are of primary concern, especially in light of social media and the HITECH-driven move to electronic medical records in healthcare.

Organizations are presently reviewing their privacy and security programs. How compliant are your Compliance and HIPAA programs? Perhaps you should conduct a gap analysis.

Getting started

To review and analyze your agency's compliance program, you must first know whether it covers the required elements:

  • Complete written policies and procedures
  • Designation of a Corporate Compliance Officer
  • A training and education program covering confidentiality, the commitment to preventing fraud and abuse, and other elements of compliance
  • Communication lines to the Corporate Compliance Officer
  • Identification of compliance risk areas and a plan to mitigate risk
  • Responding to non-compliance issues
  • A policy of non-intimidation and non-retaliation toward employees who identify non-compliance
  • Disciplinary policies regarding non-compliant behavior

Consider having employees re-sign the organization's privacy policies annually; the act itself is a reminder of the importance of privacy and confidentiality in the organization. Identify who will conduct regular internal audits. Conduct this review and analysis as if it were a surveyor visit, only this time you get to be the surveyor.

Audit the HIPAA Program

As part of the compliance audit process, be certain to evaluate the HIPAA program. Are there plan objectives? Is an audit and monitoring system in place? Who is responsible for completing it? Identify the audit checklist. Is it inclusive? Is there a documentation process for recording findings?

Are there annual goals to improve privacy and security in the organization? How are audit findings reviewed? How does follow-up occur?

The Audit

The following checklist should be considered a guideline (not necessarily all-inclusive) that each agency will need to adapt to its own situation.

  • Is the compliance plan, particularly the HIPAA portion, in compliance with the HIPAA Security Rule? Has an assessment been conducted of the environmental and operational impact on PHI?
  • Can the organization identify how it protects access to information? Is there a policy on access to PHI and “need to know”?
  • Can patients obtain their information in a timely manner? Can information be provided in electronic format, as required by HITECH? Has a security risk analysis been conducted?
  • Have security measures been implemented to reduce the identified risks? What are those measures?
  • Have the Compliance, Privacy, and Security risk analyses available for an OCR audit or for questions from an accrediting surveyor.
  • At the very least, for privacy, look at the following:
  • Can patients or guests view PHI? See computer screens? Is there any place on the premises where PHI is readily available?
  • Is PHI posted on wall boards where those with no “need to know” can see it?
  • Is PHI left on desks? Are computer screens left on when the user steps away?
  • Are recycling bins used? Is there a BAA with the recycling vendor?
  • Are BAAs in place with all vendors, and are they in compliance with HIPAA and HITECH?
  • Communication:
  • Is PHI faxed? Is there a confidentiality/disclosure statement on each fax cover sheet?
  • Does the online system require logins with access levels matched to the user's role?
  • Do screen savers activate after a short period?
  • Is PHI sent by email? Are those emails encrypted?
  • Is PHI given or received by phone? How is the identity of the person giving or receiving the information confirmed?
  • Responsibility:
  • Can each employee identify when PHI enters their area of responsibility?
  • Who handles PHI? Where is it stored? What is the backup process? How long is it retained? Is it secure? How do you know it is secure?
  • Have all employees been trained in privacy? Has security training been conducted at the specific employee level? Is compliance training mandatory? Is it conducted annually?
  • Is there a protocol for new employees? Is there a protocol regarding confidentiality upon an employee's departure?
  • Are BAAs in place holding contractors accountable for PHI protection? Have you seen their policies, procedures, and processes?
  • Reports:
  • Are reports created that contain confidential information? Are they circulated only to those with “need to know” rights?
  • Have the reports been reviewed to reduce the amount of sensitive information where possible? Could de-identified information be substituted?
  • Is the transmission of report information secure?
  • Security:
  • Is there a written policy to protect PHI? Are there policies on computer screens displaying PHI in view of others? Are there policies on passwords?
  • Are there policies on data storage and on how backup tapes and storage devices are accounted for and monitored?
  • Has every workstation been evaluated for protection of PHI from view and access by those without clearance for that station?
  • Technical Security:
  • Does the technical team periodically verify that the technical security controls are in place and working as intended? Can the technical team identify whether an unauthorized user has accessed PHI? What safeguards protect against unauthorized access?
  • Is technology in place to verify the identity of users?
  • Are passwords and IDs routinely changed on a schedule?
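The "Technical Security" questions above (can the team tell whether an unauthorized user has accessed PHI?) are answered in practice by reviewing the system's access log against a documented need to know. The following is an added example, not from the original post: it reads a constructed EHR access log, checks each access against a constructed caseload table, and separately flags any user who opens more distinct patient records in a 15-minute window than a visit schedule could explain. The log format, user names, roles, patient identifiers, caseload assignments, the four-patient threshold and the window are all assumptions.

```python
"""Need-to-know review of an EHR access log.

Added example, not code from the original post. The log format, users, roles,
patient identifiers, caseload table and thresholds are constructed for illustration.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed access log: timestamp, user, role, patient, action.
ACCESS_LOG = """\
2011-06-20T08:05:00,jsmith,SN,P1001,view
2011-06-20T08:20:00,jsmith,SN,P1002,update
2011-06-20T12:40:00,tjones,PT,P1001,view
2011-06-20T22:15:00,rlee,HHA,P1003,view
2011-06-20T22:16:10,rlee,HHA,P1004,view
2011-06-20T22:17:05,rlee,HHA,P1005,view
2011-06-20T22:18:30,rlee,HHA,P1006,view
2011-06-20T22:19:45,rlee,HHA,P1007,view
2011-06-20T22:21:00,rlee,HHA,P1008,view
2011-06-21T09:00:00,mbrown,BILLING,P1002,view
"""

# Constructed caseload table: the documented reason each user may see each patient.
CASELOAD = {
    "jsmith": {"P1001", "P1002"},
    "tjones": {"P1001", "P1005"},
    "rlee": {"P1003", "P1004"},
    "mbrown": {"P1002"},  # billing is working this patient's claim
}


def parse_log(text):
    rows = []
    for ts, user, role, patient, action in csv.reader(StringIO(text)):
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "role": role, "patient": patient, "action": action})
    return rows


def outside_caseload(rows, caseload):
    """Every access to a patient the user has no documented reason to see."""
    return [r for r in rows if r["patient"] not in caseload.get(r["user"], set())]


def bulk_access(rows, max_patients=4, window=timedelta(minutes=15)):
    """Users who open more than `max_patients` distinct records within `window`.

    A visiting clinician sees a handful of patients a day; many in a few
    minutes looks like browsing or export, whatever the caseload table says.
    """
    by_user = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        by_user[r["user"]].append(r)
    hits = {}
    for user, events in by_user.items():
        for i, first in enumerate(events):
            in_window = {e["patient"] for e in events[i:] if e["ts"] - first["ts"] <= window}
            if len(in_window) > max_patients:
                hits[user] = max(hits.get(user, 0), len(in_window))
    return hits


def review_report(log_text, caseload):
    """What the privacy officer reviews: each finding with who, what and when."""
    rows = parse_log(log_text)
    return {
        "outside_caseload": [(r["user"], r["patient"], r["ts"].isoformat())
                             for r in outside_caseload(rows, caseload)],
        "bulk_access": bulk_access(rows),
    }


if __name__ == "__main__":
    report = review_report(ACCESS_LOG, CASELOAD)
    for user, patient, when in report["outside_caseload"]:
        print(f"{when} {user} opened {patient} with no caseload assignment")
    for user, count in report["bulk_access"].items():
        print(f"{user} opened {count} distinct records within 15 minutes")
```

The two checks are deliberately independent: the caseload check catches a single out-of-assignment lookup, while the volume check catches a user whose assignments are legitimate but whose pattern is not. Both depend on the log being complete and tamper-evident and on the caseload table being kept current, which is why the "who is responsible" and "how do you know it is secure" questions in the checklist matter as much as the tooling.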

OCR Investigations and Review:

If a breach triggers an OCR investigation, be certain to respond promptly with what happened, how it happened, what was done to mitigate the harm, and what has been implemented to prevent a recurrence. Make clear that you have a full Compliance Program in place and that all employees receive routine education on Compliance and HIPAA.

If documents are requested, your counsel may request confidentiality for the documents sent to OCR. Create and maintain a log of events, complete with dates, times, and the people involved, throughout the entire investigation. Save all electronic documents. Keep statements from all employees involved in the incident and the investigation. Obtain counsel's advice before phone conversations with OCR, since written correspondence maintains an investigation trail.

Focus on internal compliance. If there is a HIPAA breach, there must be remediation/education regarding the process and the prevention of a reoccurrence.

Summary:

  • Keep your plan objectives current.
  • Identify who is responsible for the audits and establish times and how findings will be transmitted.
  • Have corrective action plans in place.
  • Include documentation of audits, results, and remediation/corrective action/education.
  • Report findings to the BOD, leadership, and counsel.
  • If there is an OCR audit/investigation have a team established to quickly respond, pull data, analyze, and report.
  • Have an ongoing risk analysis performed as specified by policy. Be certain the risk analysis encompasses the technical requirements of the Security Rule.
  • Be certain the Risk Analysis is well documented. Be certain the plan for mitigation of any adverse findings is in place.

Like the clinical documentation rule, “if it wasn’t documented you did not do it,” so it is true here also. Document each step of the plan. If ever there is an audit, the fact a full compliance plan is in place in your agency including a HIPAA Privacy and Security review, can speak volumes about you and your organization.