Caring Across the Transitions; The 2012 HHPPS Final Rule; Ethics and Accountability in an Electronic Age: 2012
This month's article: HIPAA HITECH addresses security and privacy of data, while the PPACA expands public and private health care initiatives.
Caring Across the Transitions: The Federal Health Information Technology Strategic Plan 2011-2015
The Patient Protection and Affordable Care Act (PPACA) and the American Recovery and Reinvestment Act (ARRA) have had, and will continue to have, some of the most significant impact on how this nation cares for patients and on how it stores and accesses data about those patients. As just one part of the latter Act, HIPAA HITECH addresses security and privacy of data, while the PPACA expands public and private health care initiatives.
Some of the new initiatives include the Transitions of Care movement, the Accountable Care Organization, and the Patient-Centered Medical Home model. In future issues, we will deal more with these changes and their potential impacts on the health delivery system. Know that PPACA and ARRA are designed to fundamentally expand access to health care for all US residents, and to find new ways to deliver safe, quality, and economically affordable care.
In doing so, Congress has stated that the new delivery models will require rapid re-engineering of the health care delivery system to consistently provide high quality care at an overall lower cost.
The new delivery systems essentially require ready access to information across the care continuum, so that individuals are empowered to use and manage their own care. PPACA identifies one way of "improving health and health care for all Americans is through the use of information and technology." But expanding use of information from one care provider to another requires ready access, and ready access requires the ability to protect individual rights.
At a time when rapid sharing of data is essential for improved quality of health care, the government learned that public confidence in the protection of health data was low. The Federal Health Information Technology Strategic Plan 2011-2015 was established to "Inspire consumer confidence and trust in health IT."
The Federal Health IT Vision and Mission
Vision: “A health system that uses information to empower individuals and to improve the health of the population.”
Mission: “To improve health and health care for all Americans through the use of information and technology.”
To do so, the Office of the National Coordinator for Health Information Technology (ONC) published the plan, opened it for public comment, and finalized the Plan in October, 2011 after incorporating over 200 public comments.
Privacy and security were key concerns. Though individuals rely on HIPAA to guard how data is transmitted, maintained, and received, the HITECH regulations impose more direct accountability for that data on Covered Entities as well as Business Associates, with stronger provisions for sanctions and significantly higher fines. In addition, the Department of Health and Human Services has commissioned a "principal-level, inter-division workgroup to develop an updated approach to privacy and security policies." That workgroup will make recommendations to the HIT Policy Committee as well as to the HIT Standards Committee.
The Federal Health IT Principles support the government in its desire to “put individuals and their interests first” (Overview Federal Health IT Strategic Plan 2011, p2).
Goal 1: Achieve Adoption and Information Exchange through Meaningful Use of Health IT
The new Federal Health Information Technology Strategic Plan (FHITSP) will be a living document, responsive not only to those committees but also to the public and other organizations, including Congress. The ONC, responsible for the Plan, has already proposed extending Meaningful Use Stage 1 by a year (to 2014) to allow time to incentivize more providers to use Electronic Health Records (EHRs); the extra year would give providers and vendors more time to develop EHR functionality. CMS has also requested further improvement of data portability.
One goal of improved data accessibility is, per Congress, to "engage patients and families in their health care." To accomplish this goal, patients are to have an electronic copy of their health information (test results, medications, problem lists, procedures, and instructions) upon request. Providers are to be able to exchange data easily, including information that may have been patient-authored. When a patient is transferred from one setting to another, a transfer summary of care should be available for each transition of care or referral. You will see the use of the word discharge begin to fade away: the belief is that the patient is not discharged, merely transitioned to the more appropriate level of care, so a transition summary, not a discharge summary, will be written.
Meaningful Use Stage 1 Objectives include protecting health information created or maintained by the EHR technology through the "implementation of appropriate technical capabilities."
Meaningful Use Stage 1 Measures include conducting a security risk analysis, implementing security updates as necessary, and correcting identified security deficiencies as part of the risk management process (45 CFR 164.308(a)(1)).
The belief is that to ensure mass acceptance, privacy and security must be the solid foundation. Patients, families, and providers must feel confident that laws, regulations, and procedures are in place to keep health information safe, and that care, and the information that supports it, can follow the patient from one level to the next.
Goal II: Improve Care, Improve Population Health, and Reduce Health Care Costs through the Use of Health IT
Exploring the use of new health care delivery models is being encouraged. From Care Transition programs to Accountable Care Organizations, CMS is seeking new ways to treat populations. The year 2012 brings in the CMS regulations regarding ACOs:
On October 20, 2011, the US Department of Health and Human Services released the final rule implementing the ACO Shared Savings Program, along with complementary regulations and guidance from CMS/OIG and the DOJ/FTC. It should be noted that the final rules are materially different from the proposed rules of March 2011.
ACOs were created by the Affordable Care Act (ACA), signed into law in March 2010. The dual purpose of this provider network model is to reduce the increasing cost of healthcare and to include incentives to create this new way of providing care for individuals. Coupled with the ACO rules, CMS unveiled the Shared Savings Program (SSP), a program created by Congress to allow ACOs to share in the savings, and potentially the costs, of care for Medicare beneficiaries.
The proposed rules did not stimulate the interest expected, so CMS changed the final rule to focus on the themes of flexibility, accountability, and innovation, and it provides clear guidance aimed at encouraging ACO participation in the Shared Savings Program. The purpose of ACOs is to realize savings and quality care through the coordination of services among the various providers, including hospitals, individual physicians, group practices, home health agencies, and community health centers, or any combination of the above. Applications for the implementation of ACOs are currently being accepted through January 1, 2012, and the first ACOs will begin in April 2012.
The three goals of the ACOs stressed under the Shared Savings program will be to promote: 1) effective, patient-centered care for individuals; 2) preventive oriented and education oriented care for specific populations; and 3) cost savings (and profit) for the ACOs and CMS in general as well as decreasing waste in the system.
To be eligible to participate in the Shared Savings Program, ACOs must be accountable for at least 5000 beneficiaries a year for each of the three years of the agreement. To be eligible to share the savings, ACOs will be required to report on four quality measure domains.
It is apparent that this new healthcare model will be very patient-centered, addressing not only the medical needs of its participants but also their social, nutritional, and community needs. The shared savings for the ACOs are determined by not-yet-established benchmarks for 33 quality measures (QMs), broken down into four domains:
- Care Coordination/Patient Safety (6 measures)
- Preventive Health (8 measures)
- At-Risk Populations/Frail Elderly Health (12 measures)
- Patient/Caregiver Quality Standards (7 measures).
The QMs include population focused areas that are approached in a patient-centered manner. These indicators include timeliness of physician appointments, effective communication, tobacco use, diabetes and other comorbidity control, as well as preventive screenings. Depending on the success of the outcome-driven education and approach to the care as well as patient ratings and surveys, specific provider scores could garner up to 60% of the savings realized by the organization. It is anticipated that the new system will save over $960 million over the next three years for the Medicare program, per CMS.
This new form of healthcare organization will utilize technology to link providers. “An ACO will be rewarded for providing better care and investing in the health and lives of patients,” said Donald M. Berwick, M.D., CMS Administrator. “ACOs are not just a new way to pay for care but a new model for the organization and delivery of care.”
Goal III: Inspire Confidence and Trust in Health IT and
Goal IV: Empower Individuals with Health IT to Improve their Health and the Health Care System
Regulations are stronger because risks are higher. Recent breach statistics show the cause of consumer concern. On 5/19/11 it was reported that 1 million people were impacted by the theft of 57 unencrypted hard drives from servers at the BCBS Tennessee call center (www.healthcareinformationsecurity.com).
On 9/9/11 Microsoft Cloud Evaporates Leaving 365 Million Users without access for hours. (http://techcrunch.com)
The Federal list of major health information breaches since September 2009 includes 345 incidents affecting 18.5 million people as of 10/24/11. Breaches affecting 500 or more individuals from 9/09 to 8/11 included 328 incidents affecting 11,819,283 individual records.
Security
In a 2010 survey, the Office of Health Information Management found that 74% of providers surveyed offer patients access to a website or portal through a unique log-in identifier. Believe it or not, 17% of those surveyed had no controls in place and were in violation of several regulations.
Under the HIPAA Security Rule (finalized in 2003, with compliance required from 2005), a security official must be assigned responsibility for security, data must be shared safely in electronic form, and the identity of anyone accessing ePHI, including patients using a portal, must be validated.
Per the Federal HIT committees, the only secured data is data that has been destroyed or encrypted; anything else is unsecured PHI if it is lost or exposed. Your IT provider should have patient privacy and security safeguards in place, including an assessment of risk, IT policies and procedures with ongoing evaluation, data integrity lifecycle management, audits, storage and data retention safeguards, and disaster recovery with data replication capability.
Goal V: Achieve Rapid Learning and Technological Advancement
Usability of EHR:
The ONC is looking at ways to help providers be more responsive to user needs and to improve data portability. CMS is monitoring the Medicare and Medicaid EHR incentive programs. Expect to see another joint ONC, Office for Civil Rights (responsible for HIPAA), and CMS national campaign to increase consumer awareness in the areas of:
- A National Transition to Electronic Health IT
- The Benefits of Managing Health IT Tools to Improve Health Care Management
- The Fact that this Move to EHIT Helps Keep the Consumer Empowered
- Health Information Privacy and Security
The campaign slogan chosen is to be “Putting the I in Health IT” which will encourage patients, families, and providers to share how IT can and has improved health care.
For more information and to read the Federal Health IT Strategic Plan visit http://healthit.hhs.gov/StrategicPlan
The 2012 Home Health Prospective Payment System (HHPPS) Final Rule
The changes are nearly upon us as 2012 arrives.
The Federal Register published Nov. 4, 2011 provided the final rule that updates the home health prospective payment system (PPS) rates for 2012.
The notice identifies changes to the national standardized 60-day episode rates and per-visit LUPA rates based on the market basket update and the case-mix creep adjustment. Additionally, this rule includes notable changes to the HH PPS case-mix system.
As mandated by the Patient Protection and Affordable Care Act, the payment updates for 2012 include a 1.4 percent update factor to the episode rates, which reflects a 1 percent reduction applied to the 2.4 percent market basket update factor.
Average Episode Payment Rate Timeline (figure)
These episode rates are then reduced by 3.79 percent for case-mix creep, resulting in an overall episode and per-visit reduction of 2.39 percent. An additional 3 percent will be added to payments for services to patients in rural areas under the Congress-approved rural add-on. Be aware that agencies failing to submit required quality data will be subject to a 2 percent reduction to their episode and per-visit payments.
The Centers for Medicare and Medicaid Services (CMS) will apply the CY 2012 HH PPS payment rates for episodes with claim statement “through” dates on or after Jan. 1, 2012, and on or before Dec. 31, 2012.
The 2012 national standardized episode payment will be $2,138.52, prior to case-mix and wage adjustments, as compared to 2011’s $2,192.07.
The table below gives a more detailed comparison:
National standardized episode rate for agencies submitting quality data:

| 2011 national standardized episode payment rate | 2012 payment update (1.4 percent) | Nominal case-mix change reduction (3.79 percent) | 2012 national standardized episode payment rate (urban) | 2012 rural rate (3 percent rural add-on) |
|---|---|---|---|---|
| $2,192.07 | x 1.014 | x 0.9621 | $2,138.52 | x 1.03 = $2,202.68 |
Case-Mix System Changes
The 2012 case-mix system changes remove two hypertension codes: 401.1, benign essential hypertension, and 401.9, unspecified essential hypertension. Coders will need to be very careful: when a clinician writes "renal failure" or "renal insufficiency" in the record of a hypertensive patient, a query to the physician is required to confirm that the insufficiency/failure is chronic, as that is the only way the agency will earn its hypertension (HTN) case-mix points in 2012.
Policy changes in the CY 2012 HH PPS final rule related to the case-mix system will be effective beginning with episodes with OASIS M0090 dates of Jan. 1, 2012.
Therapy
Because of the patterns of therapy utilization over the past few years, CMS has revised the payments that are driven by therapy. Lower-therapy cases seem to be encouraged: payment for higher-therapy episodes is reduced, while payment for lower-therapy episodes is increased.
The case-mix model has five steps:
- Step 1: First and second episodes, 0-13 therapy visits
- Step 2: First and second episodes, 14-19 therapy visits
- Step 3: Third episodes and beyond, 14-19 therapy visits
- Step 4: Third episodes and beyond, 0-13 therapy visits
- Step 5: All episodes with 20+ therapy visits
The revision seems to be indicating that the industry may have been providing more therapy than was expected by CMS. The changes also parallel payment with costs and redistribute dollars from high therapy payment groups to other case-mix groups.
Prepare Now
Change in regulation means a need for updated policies and procedures. Do not forget to alter your casemix list for coders. Be certain everyone understands the changes in therapy reimbursement. Therapy visit numbers should correlate to the OASIS integrated assessment identification for need.
Remember, CMS expects the changes in this rule to decrease payments to agencies by over $425 million. It is essential that agencies be very efficient in assessment, care, and documentation.
Ethics and Accountability in an Electronic Age: 2012
You are a leader or have interests in home healthcare and hospice, so you are aware of the challenges and opportunities presented in this electronic age.
Are you conducting your HIPAA Risk Analysis?
Do you have your Disaster Preparedness and Recovery Policies and Procedures current?
Do you have a policy regarding use of social media in the workplace?
Are you allowing nurses to take pictures of wounds with their personal cell phones?
Are you employing e-technology ethics?
Technology and Change:
Today we all use a GPS, an iPhone, a Droid or some other brand of cell phone; we touch an iPad or other tablet, power up a laptop or computer to send email, post status updates to Facebook, LinkedIn, or Twitter, or access the Internet for patient information, financial or clinical reports and benchmarks, or budgets. Technology has not necessarily made life easier; it certainly has increased the constraints on our time.
Technology has impacted how we do banking, make purchases, conduct transactions, complete travel reservations, attend conferences, provide healthcare schedules, teach patients and personnel, automate revenue cycle management, and generate personnel schedules and agency reports.
The negative effects include:
- 5/19/11: 57 hard drives from the servers at the Blue Cross Blue Shield Tennessee Call Center were stolen, with 1 million individuals impacted.
- 9/29/11: 4.9 million TRICARE beneficiaries were affected after data was stolen.
- 10/11: McAfee demonstrated how they could hack into a Medtronic insulin pump and could have lethally increased the dose.
- 2010: File boxes of patient records were found in two major cities.
The world is changing. The workforce is changing. Remote workers need specific policies regarding PHI and the protection of patient data. Be certain they attend sessions on HIPAA HITECH, privacy, and security. You may want a policy that gives 'view only' access to data, with no printing.
HIPAA HITECH
The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009. Title XIII of ARRA is the Health Information Technology for Economic and Clinical Health Act (HITECH Act). HITECH legislation is meant to change health care delivery.
- One way to effect change is to provide financial stimulus so that physicians and hospitals create and adopt electronic health records (EHRs).
The Federal operating plan can be found at http://www.hhs.gov/recovery/reports/plans/onc_hit.pdf
This act includes $20 billion in funding for health information technology projects.
These projects include reimbursement incentives for health care providers to acquire electronic health record technology. Hospitals are being encouraged to move toward becoming paperless.
HITECH has TEETH
The HITECH Act has given the HIPAA Privacy and Security Rules real teeth by strengthening business associate agreements. One of the major goals of the HIPAA Privacy Rule was and is "to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being." HIPAA ensures that personal health information given to covered entities is protected, including information shared with home health agencies, physicians, hospitals, third-party billing providers, coding specialists, and others who provide or pay for healthcare services. But Business Associates were not held to the same standards as covered entities; HIPAA HITECH moved to correct this weakness.
BUSINESS ASSOCIATES
The BAA states that the Business Associate is obligated to:
- Use or disclose PHI only as permitted or required by the agreement and by law.
- Use appropriate safeguards to prevent use or disclosure of PHI other than as permitted by the BAA.
- Report to the healthcare entity any use or disclosure of PHI not permitted by the agreement.
- Require all subcontractors and agents that create, receive, use, disclose, or have access to PHI to agree, in writing, to be held to the same restrictions and conditions on use or disclosure of PHI.
HIPAA HITECH imposed breach notification duties on both covered entities and business associates and increased individual rights with respect to PHI maintained in EHRs. In addition, there is increased enforcement of, and increased penalties for, HIPAA violations.
The Department of Health and Human Services (HHS) has published a notice of proposed rulemaking that would modify the HIPAA Privacy, Security, and Enforcement Rules. The Proposed Rule implements the requirements of the HITECH Act and expands upon its statutory provisions. On March 15, 2010, HHS stated that, other than the security breach notification rule and the new penalty levels, the new regulation would be enforced. The compliance date for all provisions of the Proposed Rule is 180 days after publication of the Final Rule. HHS accepted comments on the Proposed Rule through September 13, 2010. As of January 2012, the final rule has not yet arrived but is expected soon.
Prior to the HITECH Act, a Business Associate (BA) was not directly subject to HIPAA privacy and security requirements. The BA obligations were to the CE under the terms of the agreement. The BA was subject to contractual remedies only for any breach of the business associate agreement (BAA).
- Prior to ARRA and HITECH, Business Associates were not required to meet the obligations for Administrative, Physical, and Technical Safeguards, or the Policy, Procedure, and Documentation Requirements.
- NOW the BAA must clearly require the BA to comply with HIPAA regulations just as the CE.
Penalties for the BA are the same as the CE. That is a huge responsibility for the BA and the CE.
The HITECH Act and the Proposed Rule require business associates to comply with the requirements of the HIPAA Security Rule and implement policies and procedures in the same manner as the CE. Subcontractors to business associates must also develop Security Rule compliance programs. Rules to be followed include:
- Security and incident response policies
- A breach log
- Every employee must understand that they have personal responsibility for intentional breaches
- Email with PHI is to be encrypted
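The rule that email carrying PHI must be encrypted, and the earlier point that only destroyed or encrypted data counts as secured, both rest on authenticated encryption done properly. The following Go program is an added example written for this edit; it is not code from the original article or from Select Data. It seals a constructed PHI record with AES-256-GCM, binds the ciphertext to a record identifier, and shows that a modified blob, a wrong key, or a swapped identifier is rejected rather than decrypted into garbage. The key is generated in-process only to keep the example self-contained; in an agency it would come from a key management service or HSM and be kept apart from the data (an assumption of this example).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed PHI record used only as sample input.
const sampleRecord = `{"patient":"J. Doe","visit":"2012-01-09","wound":"stage 2 sacral, 3x2 cm, improving"}`

// NewDataKey returns a random 256-bit AES key. Generating it here keeps the
// example self-contained; an agency would obtain it from a key management
// service or HSM and keep it apart from the data (assumption).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag. context (for example the record identifier) is
// authenticated but not encrypted, so a blob cannot be quietly moved to
// another record.
func Seal(key, plaintext []byte, context string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce so the nonce travels with the blob.
	return aead.Seal(nonce, nonce, plaintext, []byte(context)), nil
}

// Open reverses Seal. A wrong key, a modified blob or a different context
// fails authentication and returns an error, never garbage plaintext.
func Open(key, blob []byte, context string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, []byte(context))
}

// TamperCheck flips one bit of a stored blob and reports whether Open
// rejected it, the failure mode that unauthenticated encryption
// (for example AES-CBC without a MAC) would not catch.
func TamperCheck(key, blob []byte, context string) bool {
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err := Open(key, tampered, context)
	return err != nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, []byte(sampleRecord), "mrn:00482913")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes, starts %x\n", len(blob), blob[:8])
	pt, err := Open(key, blob, "mrn:00482913")
	fmt.Printf("right key and record id: %s (err=%v)\n", pt, err)
	_, err = Open(key, blob, "mrn:99999999")
	fmt.Println("swapped record id:", err)
	fmt.Println("bit flip detected:", TamperCheck(key, blob, "mrn:00482913"))
}
```

A drive full of such blobs, like the unencrypted drives in the breaches listed above, exposes nothing without the key, which is why key custody separate from the data is the real control; the same Seal and Open pair works for an email body before it is handed to the mail system.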
Breach:
A breach is an unauthorized acquisition, access, use, or disclosure of protected health information that compromises its security or privacy, whether through failure to comply with organizational security or privacy policies or through violation of federal or state privacy and security regulations. Unintentional access by a workforce member of a covered entity, made in good faith and within the scope of that person's authority, is not considered a breach, provided the information is not further used or disclosed.
However, HITECH strengthens the specifics of privacy and security, significantly increasing penalties and establishing a heightened enforcement scheme that gives state attorneys general enforcement authority. Individuals may now be held accountable for wrongful disclosure (HITECH Act section 13409).
Under the new law, when a breach is discovered, a covered entity (CE) must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed. Business associates must notify the CE of the breach. Note that, under the interim rule, this assumes the breach has been evaluated as posing a significant risk of harm to the individual. CEs must notify individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach.
If a breach involves 500 or more individuals, the Department of Health and Human Services must be notified immediately, and HHS will post the covered entity on its website; DHHS began posting names on March 1, 2010. Breaches involving fewer than 500 individuals must be recorded on a log and reported to DHHS annually.
UCLA Medical Center recently agreed to pay $865,500 and was required to submit (and have approved) a corrective action plan after employees viewed patient records they had no authorization to access. This is an organization with a sophisticated compliance plan, and it still had this breach.
The EHR
The Privacy Rule gives individuals the right to obtain copies of their paper PHI from a CE. The HITECH Act expanded those access rights to PHI maintained in an EHR.
ARRA prepares for the government's goal of establishing electronic health records for all Americans by 2014. To accomplish this goal, privacy rules have been strengthened, and the requirements for breach notification and the responsibilities of business associates have been greatly increased.
CEs must prepare processes in response to the requirements and have updates to the BAA.
At Select Data,
- We believe in Corporate Compliance
- We have a strong HIPAA Awareness and Corporate Compliance Plan which assertively strives to protect PHI.
- We notify the Corporate Compliance Officer of suspected or actual incidents of PHI disclosure
We want to comply with the regulations and we want to protect health information because, not only is it the law, but, it is the right thing to do.
57 million US consumers have accessed their medical information, and another 40 million want to do so, according to the Cyber Citizen Health US 2011 survey.
DISASTER PREPAREDNESS
The Security Plan: Each CE must plan and document how it will operate during a disaster and how ePHI will be secured. The Security Rule (compliance required from 2005) requires a Data Backup Plan: a documented way to retrieve protected data in case the original data has been destroyed.
The Plan must show regular duplication of patient files, stored in a secure location. The Plan also requires an inventory of the software and hardware in use so that key systems can be restored quickly if a disaster occurs. It is not acceptable merely to store information on a cell phone or smartphone. Have a clear, concise, complete backup plan.
The Security Plan is expected to show how physical access to the premises by employees is controlled. It also requires records of how each employee can access data, with levels of access delineated. There should be power-on authentication and automatic locking of devices. CEs are expected to test and revise their contingency plans, taking steps to identify and mitigate areas of weakness.
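Testing the contingency plan, as the paragraph above expects, means proving that a backup copy can actually be restored intact. The following Go program is an added example written for this edit, not code from the original article or from Select Data. It stages a constructed primary data set and a secondary copy in a temporary directory, records a SHA-256 manifest of the primary, damages the copy, and reports which files a restore would find missing or corrupted. The file names and contents are made up for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// Manifest maps a slash-separated path relative to the backup root to the
// SHA-256 digest of that file's contents when the backup was taken.
type Manifest map[string]string

func fileDigest(p string) (string, error) {
	data, err := os.ReadFile(p)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]), nil
}

// BuildManifest walks a data set and records a digest for every regular file.
func BuildManifest(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.Walk(root, func(p string, info os.FileInfo, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if info.IsDir() {
			return nil
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		sum, err := fileDigest(p)
		if err != nil {
			return err
		}
		m[filepath.ToSlash(rel)] = sum
		return nil
	})
	return m, err
}

// Verify compares the copy under root against the manifest taken from the
// primary and reports files that are missing or whose contents differ
// (truncated copy, bit rot, tampering). A passing restore drill reports neither.
func Verify(root string, want Manifest) (missing, corrupted []string, err error) {
	for rel, sum := range want {
		got, derr := fileDigest(filepath.Join(root, filepath.FromSlash(rel)))
		if derr != nil {
			if os.IsNotExist(derr) {
				missing = append(missing, rel)
				continue
			}
			return nil, nil, derr
		}
		if got != sum {
			corrupted = append(corrupted, rel)
		}
	}
	sort.Strings(missing)
	sort.Strings(corrupted)
	return missing, corrupted, nil
}

// Drill stages a constructed primary data set and a secondary copy in a
// temporary directory, damages the copy, and returns what Verify detects.
func Drill() (missing, corrupted []string, err error) {
	base, err := os.MkdirTemp("", "backup-drill")
	if err != nil {
		return nil, nil, err
	}
	defer os.RemoveAll(base)
	primary, secondary := filepath.Join(base, "primary"), filepath.Join(base, "secondary")
	// Constructed sample records; identifiers and contents are made up.
	files := map[string]string{
		"oasis/00482913.xml": "<oasis><m0090>2012-01-09</m0090></oasis>",
		"notes/00482913.txt": "wound check, stage 2 sacral, improving",
		"notes/00517720.txt": "medication reconciliation completed",
	}
	for _, dir := range []string{primary, secondary} {
		for rel, body := range files {
			p := filepath.Join(dir, filepath.FromSlash(rel))
			if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
				return nil, nil, err
			}
			if err := os.WriteFile(p, []byte(body), 0o600); err != nil {
				return nil, nil, err
			}
		}
	}
	want, err := BuildManifest(primary)
	if err != nil {
		return nil, nil, err
	}
	// Simulate a bad copy: one note truncated, one note never copied.
	if err := os.WriteFile(filepath.Join(secondary, "notes", "00482913.txt"), []byte("wound check"), 0o600); err != nil {
		return nil, nil, err
	}
	if err := os.Remove(filepath.Join(secondary, "notes", "00517720.txt")); err != nil {
		return nil, nil, err
	}
	return Verify(secondary, want)
}

func main() {
	missing, corrupted, err := Drill()
	if err != nil {
		fmt.Println("drill failed:", err)
		return
	}
	fmt.Println("missing from copy:", missing)
	fmt.Println("corrupted in copy:", corrupted)
}
```

The manifest should be written at backup time and stored with the inventory the Plan requires, so a scheduled Verify run against the offsite copy is the evidence that the contingency plan was actually tested.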
Employees should be aware that patient names are not the only identifiers. PHI also includes addresses, phone numbers, driver's license numbers, medical record numbers, policy and account numbers, vehicle identification numbers (VINs), health plan numbers, and the names and identifiers of relatives.
Lastly, the HIPAA Security Plan must be in writing and the industry standard is an annual review (though there is no frequency statute). The Plan should have detailed policies and procedures with all incidents recorded, identifying a Disaster Plan with contingencies and technological interventions planned.
To read more about HITECH, please refer to Federal Register/Vol 75, No. 134/Wednesday, July 14, 2010/Proposed Rules
Department of Health and Human Services, Office of the Secretary
45 CFR Parts 160 and 164
Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act
Agency: Office for Civil Rights
Social and Professional Media
Social media is one of the most serious risks. What an interesting dichotomy: on one hand we in health care are operating under increasingly rigid privacy restrictions, and on the other, individuals are posting the most intimate or the most mundane information about themselves and others on the Internet for the world to read and see forever.
Agencies that allow clinicians to use their personal smart phones to take pictures of wounds and upload them to a patient record need to be concerned about the patient information left stored on a personal cell phone. Who owns the data? Who will protect the data? Is texting a safe way to transport patient data? Experts say, "No": standard text messages are not encrypted end to end and remain on the handset.
Should clinicians worry that their party and beer drinking pictures could be used against them if they are involved in a med error or a law suit?
At the VA, a new social media directive covers the use of Facebook pages, Twitter feeds, blogs, and YouTube channels. They use examples from these sites to educate personnel regarding personal and professional responsibilities.
Reportedly, all of the top 100 firms employ personnel to monitor social media; every person interviewed has their social media investigated, and hiring can depend on the findings. Law firms, banks, and accounting firms use social media investigators. Gartner and the TechCrunch blog state that "the new social media customer relationship management market (CRM) is expected to reach over $1 billion in revenue by the end of 2012, up from approximately $625 million in 2010. World-wide social CRM is projected to total $820 million in 2011."
What are the ethics of making negative comments about a present or prior employer? Many organizations, especially banks, hospitals, and academic institutions, monitor what is said about them and their clients or patients. They have clear policies, reinforced by HIPAA training. If an employee or former employee breaches a confidence, they may be sanctioned or sued.
WHAT Can You Do?
Encrypt email with patient or other sensitive data!
Be certain your organization has a strong corporate compliance plan in place. Have a strong Corporate Compliance Officer who reports to the CEO and Board of Directors. Consider the CCO having direct access to corporate counsel.
Have compliance policies and procedures that also address disaster preparedness, social media, data protection, and backup. Review the Corporate Compliance Plan at least annually; keep a copy of the presentation with an attendance sheet to demonstrate corporate-wide support of the plan. Be clear about the internal audits conducted and the corporate-wide risk analysis conducted annually.
Review the American Nurses Association's Principles for Nurses regarding Social Media and Social Networking, and draw from the ANA Code of Ethics for Nurses. Review the American Physical Therapy Association Code of Ethics. Many clinical associations can provide ethical guidelines that can assist with policy development.
Mayo Clinic has refined policies on social media well worth reading. Protect your agency. Be certain your employees know your agency’s ethical stance. Review regulations frequently:
http://www.govinfosecurity.com
http://www.mobilhealthnews.com
http://www.healthdatamanagement.com
Expect clinicians to adhere to their Standards of Practice. Expect everyone to adhere to best practices in the ethical protection of patient data. Password-protect devices and accounts, and change passwords regularly.
Be serious and state your ethical beliefs, in front of employees, frequently. Encourage employees that when in doubt…don’t. Don’t send data that causes them to hesitate. Encourage them to double check what is being sent to whom.
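The advice to encrypt email carrying patient data and to double-check what is being sent to whom can be turned into an automated outbound check, using the identifier list from the Disaster Preparedness section above. The following Go program is an added example written for this edit; it is not code from the original article or from Select Data. The regular expressions are assumed formats (an agency would tune them to its own MRN, account, and plan-number layouts, and names and addresses need human review rather than pattern matching), and the email body is constructed sample input.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one identifier located in an outbound message.
type Finding struct {
	Kind       string // identifier category
	Value      string // matched text
	Start, End int    // byte offsets within the message
}

// identifierPatterns are assumed formats for some of the identifiers the
// Security Rule treats as PHI. Names, addresses and relatives' names cannot
// be caught reliably by pattern matching and still need human review.
var identifierPatterns = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"ssn", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"phone", regexp.MustCompile(`\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b`)},
	{"mrn", regexp.MustCompile(`(?i)\bMRN[:#\s]*\d{6,10}\b`)},
	{"account", regexp.MustCompile(`(?i)\b(?:acct|account|policy)[:#\s]*\d{6,12}\b`)},
	{"vin", regexp.MustCompile(`\b[A-HJ-NPR-Z0-9]{17}\b`)}, // 17 characters, never I, O or Q
}

// sampleMessage is a constructed outbound email body; every identifier in it
// is made up for this example.
const sampleMessage = `Hi Dr. Lee - wound check today for MRN 00482913 (SSN 412-55-0198).
Daughter can be reached at (615) 555-0142 about the visit schedule.
Insurance acct# 7731002488; agency car VIN 1HGCM82633A004352 parked at the home.
No identifiers in this line.`

// ScanForPHI returns every identifier found in text, ordered by position.
// Where two patterns overlap, the earlier match wins so redaction offsets stay valid.
func ScanForPHI(text string) []Finding {
	var found []Finding
	for _, p := range identifierPatterns {
		for _, loc := range p.re.FindAllStringIndex(text, -1) {
			found = append(found, Finding{p.kind, text[loc[0]:loc[1]], loc[0], loc[1]})
		}
	}
	sort.Slice(found, func(i, j int) bool { return found[i].Start < found[j].Start })
	out := make([]Finding, 0, len(found))
	end := -1
	for _, f := range found {
		if f.Start < end {
			continue
		}
		out = append(out, f)
		end = f.End
	}
	return out
}

// Redact replaces each identifier with a category tag so the message can be
// reviewed, logged or sent without exposing the identifiers themselves.
func Redact(text string) (string, []Finding) {
	findings := ScanForPHI(text)
	var b strings.Builder
	last := 0
	for _, f := range findings {
		b.WriteString(text[last:f.Start])
		b.WriteString("[" + strings.ToUpper(f.Kind) + "]")
		last = f.End
	}
	b.WriteString(text[last:])
	return b.String(), findings
}

// CheckOutbound applies the policy above: a message carrying identifiers may
// leave the agency only if it will be encrypted; otherwise it is blocked.
func CheckOutbound(text string, encrypted bool) (bool, string) {
	findings := ScanForPHI(text)
	switch {
	case len(findings) == 0:
		return true, "no identifiers detected"
	case encrypted:
		return true, fmt.Sprintf("%d identifier(s) present; allowed because the message is encrypted", len(findings))
	default:
		return false, fmt.Sprintf("blocked: %d identifier(s) in an unencrypted message (first: %s)", len(findings), findings[0].Kind)
	}
}

func main() {
	redacted, findings := Redact(sampleMessage)
	for _, f := range findings {
		fmt.Printf("%-8s %s\n", f.Kind, f.Value)
	}
	fmt.Println(redacted)
	ok, why := CheckOutbound(sampleMessage, false)
	fmt.Println(ok, why)
}
```

Run the check against a draft before it leaves the agency; the redacted copy is what belongs in a helpdesk ticket or audit log, never the original, and a clean scan is not proof of a clean message, since names and addresses still need a human eye.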
Ethics and Compliance have become the watchwords for a safer healthcare environment. Remember agencies with similar beliefs seek each other out. The ethical industry leader wants to work with other industry organizations that share the concern to protect, care, and achieve expected patient outcomes in a compliant ethical manner. Have a great 2012.