Posts Tagged ‘HIPPA HITECH’

ICD-10 CM is Delayed but NOT for Long Because We Cannot Wait

Monday, April 30th, 2012

HHS proposes a one-year delay of ICD-10 compliance date.

On April 17, 2012 the Department of Health and Human Services (HHS) published a proposed rule that would delay, from October 1, 2013 to October 1, 2014, the compliance date for the International Classification of Diseases, 10th Edition diagnosis and procedure codes (ICD-10).

Per the CMS website, “The ICD-10 compliance date change is part of a proposed rule that would adopt a standard for a unique health plan identifier (HPID), adopt a data element that would serve as an “other entity” identifier (OEID), and add a National Provider Identifier (NPI) requirement. The proposed rule was developed by the Office of E-Health Standards and Services (OESS) as part of its ongoing role, delegated by HHS, to establish standards for electronic health care transactions under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). OESS is part of the Centers for Medicare & Medicaid Services (CMS).”

HHS states that covered entities must be in compliance with ICD-10 on October 1, 2014. The statement was made that providers required the extra year to be adequately prepared for the transition.

Providers have outgrown the present ICD-9 CM system. That system, implemented in 1979, is over 30 years old and has no more room to handle needed codes for new medical conditions or technological advances. It is not always precise or unambiguous. Because the classification system is organized with specificity, each three-digit category can have only 10 subcategories, and most of those numbers already have assigned diagnoses.

The ICD was developed in the late 1800s to collect data regarding mortality causes and rates. It is an international classification system endorsed by the World Health Organization (WHO) in 1994 and started to be used by WHO members in 1994. The WHO usually updates the classification every 10 years and is looking to beta test ICD-11 next year.

ICD-10 is already being utilized in Asia, most of Europe, and all of Canada and Australia, enabling those 99 nations to share public health data. Implementing ICD-10 effective October 1, 2014 allows the USA to be aligned with those nations. ICD-10 is also available in 36 languages, including English, Chinese, Arabic, Russian, and the Romance languages French and Spanish. Improved clinically coded data is essential in this modern era.

Uses of the Clinically Coded Data

  • Benchmarking and quality measurement: to improve quality and effectiveness of patient care
  • Making clinical, financial, funding, expansion, and education decisions
  • Healthcare policy
  • Public health surveillance (increased ability to track and intervene in global health threats)
  • Reimbursement
  • Research: code analysis is crucial to research
  • Increased specificity in data means more robust design of algorithms to predict outcomes and care
  • Increased coding detail offers capability to find previously unrecognized relationships of diseases and variables

Why ICD-10-CM

  • Bring US in alignment with worldwide coding system
  • Greater coding specificity and accuracy with “full code definitions”
  • Increased capability to measure healthcare quality, safety, and efficiency.
  • Lower Costs through increased efficiencies
  • Reduction in additional information sent to payors
  • Synergistic effects with the Electronic Health Record (EHR)
  • Clearer recognition of medical advances
  • Clearer recognition of technological advances

ICD-10 and better data for QI

  • Decrease in complications and improved patient safety
  • Improved patient outcomes
  • Improved ability to reassure outcome efficiency and costs

There is also improved capability to determine disease severity for audit risk adjustment.

Benefits of ICD-10 CM

Organizational Monitoring

  • Administrative efficiencies
  • Cost containment
  • More accurate trend and cost analysis

Improved coding accuracy and productivity

Reimbursement

  • Increased accuracy
  • Fairer reimbursement
  • Improved justification for medical necessity
  • Fewer errors and rejected claims

Reduced opportunities for fraud

  • To handle the complexity and sheer number of codes, ICD-10 requires expertise in anatomy, physiology, and diagnostics
  • Besides moving from 13,000 codes to 68,000 available codes, ICD-10 allows laterality and bilaterality

ICD-10 specificity improves coding accuracy and richness of data for analysis

The coding specificity is far greater than in ICD-9-CM, and the need to better understand A&P and diagnostics is vital. Improved education for coding specialists is necessary.

A Sample Coding Preparation Plan: Phase 1

  • 2012-2013: Assess for coder gaps
    • as to body system anatomy: 15 hrs
    • as to body system physiology: 15 hrs
    • as to diagnostics/pathophysiology: 20 hrs
    • as to diagnostics/pharmacology: 20 hrs
    • as to medical terminology: 10 hrs

A Sample Coding Preparation Plan: Phase 2

  • Organizational leaders need to assess their organizational readiness: forms, clinical software, documentation readiness
    • Billing/Support system needs
    • EHR system
    • Support systems
    • Case management processes
    • Disease management
    • Compliance software

A Sample Coding Preparation Plan: Phase 3

There needs to be:

  • Testing of coding by parallel coding in ICD-9 and ICD-10-CM
  • Testing of billing system for smooth transition
  • Look for misinterpretation by auditors/payors

Be certain everyone has passed training goals, i.e., understands documentation of medical necessity to code.

Sample Coding Preparation Plan: Phase 4

  • Go Live
  • Evaluate processes
  • Evaluate Coding
  • Evaluate Billing

In Phase 1 there is a need to fully review each body system.

  • Choose 2-3 body systems for assessment of need such as:
  • Cardiovascular System

Identify the Anatomy and Physiology of the heart. Prepare pre/post tests.

Identify the Anatomy of the circulatory system and the role of each vessel type

Review categories 100-109 in ICD-10-CM Chapter 9, “Diseases of the Circulatory System.”

  • Explain ICD-10-CM terminology related to diseases of the circulatory system
  • Create scenarios and have coding team gatherings where learning can be fun

These scenarios will allow you to assess gaps and needs

  • Consider use of webinars
  • AHIMA or like courses
  • Online self study may fit certain lifestyles better
  • Have videos/PowerPoints of body systems available

Look at workshops, seminars, lunch and learn sessions

Each body system should be reviewed, such as below:

  • The Heart
    • Has three layers:  endocardium, myocardium, and epicardium
      • Endocardium – membrane lining interior wall
      • Myocardium – thick, middle, muscular layer
      • Epicardium – thin outer layer
  • Pericardium – 3 layer sac that surrounds and protects the heart
  • Route of Blood Flow Through the Heart
    • Blood enters the right atrium from the inferior and superior vena cavas (veins)
    • Blood leaves the right atrium to the right ventricle through the tricuspid valve
    • Blood leaves the right ventricle through the pulmonary semilunar valve to the pulmonary artery to the lungs
      • Unoxygenated blood
    • Blood leaves the lungs via the pulmonary veins to the left atrium
      • Oxygenated blood
    • Blood leaves the left atrium through the mitral valve to the left ventricle
    • Blood leaves the left ventricle through the aortic semilunar valve out to the body
  • A series of 20-30 slides could be developed to review the Cardiovascular System

These types of reviews could be excellent resources also for specific component answers such as Cardiac conduction

  • Cardiac Conduction
    • Sinoatrial node (SA node, called the pacemaker of the heart) → Atrioventricular node (AV node) → Bundle of His → right and left bundle branches → Purkinje fibers
    • SA node (pacemaker) is located in the upper part of the right atrium below the opening of the superior vena cava

  • Discuss disease processes such as:
    • CAD
    • CHF
    • Heart Failure

Use specific terms and processes in the discussions

  • Discuss diagnostic and intervention procedures as well as pharmacology
  • Have teams participate in establishing education plan after gaps have been identified
  • Make certain some kind of training takes place each month, even if it is only a memo about a specific aspect of ICD-10

Keep ICD-10 in front of everyone. Remember, you only have until 2014. Let’s get started!

Caring Across the Transitions: The Federal Health Information Technology Strategic Plan 2011-2015

Thursday, December 8th, 2011

The Patient Protection and Affordable Care Act (PPACA) and the American Recovery and Reinvestment Act (ARRA) have had and will continue to have some of the most significant impact on how this nation will care for patients as well as store and access data on those patients. As just a part of the latter Act, HIPAA HITECH addresses security and privacy of data while the PPACA expands public and private health care initiatives.

Some of the new initiatives include the Transitions of Care movement, the Accountable Care Organization, as well as the Patient-Centered Medical Home Model. In future issues, we will deal more with these alterations and potential impacts to the health delivery system. Know that PPACA and ARRA are designed to fundamentally expand access to health care for all US residents. They are meant to look at new ways to deliver safe, quality, and economically affordable care.

In doing so, Congress has stated the new delivery models will require rapid engineering of the health care delivery system to consistently provide high quality care at an overall lower cost.

The new delivery systems essentially require ready access to information across the care continuum to empower individuals to use and manage their own care. PPACA identifies one way of “improving health and health care for all Americans is through the use of information and technology.” But expanding use of the information from one care provider to another requires ready access, and ready access requires the ability to protect individual rights.

At a time when rapid sharing of data is essential for improved quality health care, the government learned that confidence in the protection of health data was low. The Federal Health Information Technology Strategic Plan 2011-2015 was established to “Inspire consumer confidence and trust in health IT.”

The Federal Health IT Vision and Mission

Vision: “A health system that uses information to empower individuals and to improve the health of the population.”

Mission: “To improve health and health care for all Americans through the use of information and technology.”

To do so, the Office of the National Coordinator for Health Information Technology (ONC) published the plan, opened it for public comment, and finalized the Plan in October, 2011 after incorporating over 200 public comments.

Privacy and security were key concerns. Though individuals rely on HIPAA to assist in guarding how data is transmitted, maintained, and received, the HITECH regulations provide more control of that data by Covered Entities as well as Business Associates. There are stronger provisions for sanctions and significantly higher fines. In addition, the Office of Health and Human Services has commissioned a “principal-level, inter-division workgroup to develop an updated approach to privacy and security policies.” That workgroup will make recommendations to the HIT Policy Committee as well as to the HIT Standards Committee.

The Federal Health IT Principles support the government in its desire to “put individuals and their interests first” (Overview Federal Health IT Strategic Plan 2011, p. 2).

Goal I: Achieve Adoption and Information Exchange through Meaningful Use of Health IT

The new Federal Health Information Technology Strategic Plan (FHITSP) will be a living document that will be responsive not only to those committees, but also to the public, and other organizations, including Congress. The ONC, responsible for the Plan, already has proposed an extension of Meaningful Use, Stage 1, by a year (to 2014), to allow time to incentivize more providers in the use of Electronic Health Records (EHRs). Giving another year would allow providers and vendors more time to develop functionality for the EHR. CMS has requested more improvement of data portability.

One goal of improved data accessibility is to, per Congress, “engage patients and families in their health care.” To accomplish this goal, patients are to have an electronic copy of their health information (test results, medications, problem lists, procedures, and instructions) upon request. Providers are to be able to easily exchange data, including information that may have been patient-authored. When the patient is transferred from one setting to another, a patient transfer summary of care should be available for each transition of care or referral. You will see the use of the word discharge begin to fade away. The belief is that the patient is not discharged, merely transitioned to the more appropriate level of care; thus a transition summary, not a discharge summary, will be written.

Meaningful Use Stage 1 Objectives include protection of health information created and/or maintained by the Electronic Health Record technology through the “implementation of appropriate technical capabilities.”

Meaningful Use Stage 1 Measures include conducting a security risk analysis, implementing updates as necessary, and correcting identified security deficiencies as part of the risk management process (45 CFR 164.308(a)(1)).

The belief is that to ensure mass acceptance, privacy and security must be the solid foundation. Patients, families, and providers must feel confident that laws, regulations, and procedures are in place to keep health information safe and they must be able to access care from one level to the next.

Goal II: Improve Care, Improve Population Health, and Reduce Health Care Costs through the Use of Health IT

Exploring the use of new health care delivery models is being encouraged. From Care Transition programs to Accountable Care Organizations, CMS is seeking new ways to treat populations. The year 2012 brings in the CMS regulations regarding ACOs:

On October 20, 2011 the US Department of Health and Human Services released the final rule implementing the ACO Shared Savings Program and the complementary regulations and guidance from CMS/OIG as well as the DOJ/FTC. It should be noted that the final rules are materially different from the proposed rules of March, 2010.

ACOs were created by the Affordable Care Act (ACA) signed into law March 2010. The dual purpose of this network provider model is to reduce the increasing cost of healthcare and to include incentives to create this new way of providing care for individuals. Coupled with the ACO rules, CMS had unveiled the Shared Savings Program (SSP), a program created by Congress to allow the ACOs to share in the savings and potentially share the costs of care to Medicare beneficiaries.

The final regulations were released. The proposed rules did not stimulate the interest expected. CMS has since changed the final rule to focus on the themes of flexibility, accountability, and innovation. It also provides clear guidance aimed at encouraging the development of ACO participation in the Shared Savings Program. The purpose of ACOs is to realize savings and quality care through the coordination of services among the various providers, including hospitals, individual physicians, group practices, home health agencies, and community health centers, or any combination of the above. Applications for the implementation of ACOs are currently being accepted through January 1, 2012, and the first ACOs will begin April, 2012.

The three goals of the ACOs stressed under the Shared Savings Program will be to promote: 1) effective, patient-centered care for individuals; 2) preventive-oriented and education-oriented care for specific populations; and 3) cost savings (and profit) for the ACOs and CMS in general as well as decreasing waste in the system.

To be eligible to participate in the Shared Savings Program, ACOs must be accountable for at least 5000 beneficiaries a year for each of the three years of the agreement. To be eligible to share the savings, ACOs will be required to report on four quality measure domains.

It is apparent that this new healthcare model will be very patient-centered, not only addressing the medical needs of its participants, but also the social, nutritional and community needs as well. The cost sharing for the ACOs is determined by not-yet established benchmarks for 33 quality measures (QMs) broken down into the four domains:

  • Care Coordination/Patient Safety (6 measures)
  • Preventive Health (8 measures)
  • At-Risk Populations/Frail Elderly Health (12 measures)
  • Patient/Caregiver Quality Standards (7 measures).

The QMs include population focused areas that are approached in a patient-centered manner. These indicators include timeliness of physician appointments, effective communication, tobacco use, diabetes and other comorbidity control, as well as preventive screenings. Depending on the success of the outcome-driven education and approach to the care as well as patient ratings and surveys, specific provider scores could garner up to 60% of the savings realized by the organization. It is anticipated that the new system will save over $960 million over the next three years for the Medicare program, per CMS.

This new form of healthcare organization will utilize technology to link providers. “An ACO will be rewarded for providing better care and investing in the health and lives of patients,” said Donald M. Berwick, M.D., CMS Administrator. “ACOs are not just a new way to pay for care but a new model for the organization and delivery of care.”

Goal III: Inspire Confidence and Trust in Health IT and

Goal IV: Empower Individuals with Health IT to Improve their Health and the Health Care System

Regulations are stronger because risks are higher. Recent breach statistics show the cause of consumer concern. On 5/19/11, 1 million people were impacted by the theft of 517 unencrypted hard drives from servers at BCBS Tennessee Call Center. (www.healthcareinformationsecurity.com)

On 9/9/11 Microsoft Cloud Evaporates Leaving 365 Million Users without access for hours. (http://techcrunch.com)

The Federal list of major health information breaches since September 2009 includes 345 incidents affecting 18.5 million people as of 10/24/11. Breaches affecting 500 or more individuals 9/09-8/11 included 328 breach incidents affecting 11,819,283 individual records.

Security

In a 2010 survey, the Office of Health Information Management saw that 74% of providers surveyed offer patient access to the website or portal through the use of a unique log-in identifier. Believe it or not, 17% of those surveyed had no controls in place and were in violation of several regulations.

Under the HIPAA final Security Rule (2006), personnel must be responsible for security, safe sharing of data must be provided in an electronic format, and there must be a patient identity validation.

Per the Federal HIT committees, the only secured data is data that has been destroyed or encrypted. Your IT provider should have Patient Privacy and Security Safeguards in place. Those will include an Assessment of Risk, IT Policies and Procedures with ongoing evaluations, Data Integrity Lifecycle Management, Audits, Storage and Data Retention Safeguards, with Disaster Recovery and data replication capability.

Goal V: Achieve Rapid Learning and Technological Advancement

Usability of EHR:

The ONC is looking at ways to improve the ability of providers to be more responsive to user need and improve data portability. CMS is monitoring the Medicare and Medicaid EHR incentive programs. Expect to see another collective ONC, Office of Civil Rights (responsible for HIPAA), and CMS national campaign to increase consumer awareness in the areas of:

  • A National Transition to Electronic Health IT
  • The Benefits of Managing Health IT Tools to Improve Health Care Management
  • The Fact that this Move to EHIT Helps Keep the Consumer Empowered
  • Health Information Privacy and Security

The campaign slogan chosen is to be “Putting the I in Health IT” which will encourage patients, families, and providers to share how IT can and has improved health care.

For more information and to read the Federal Health IT Strategic Plan visit http://healthit.hhs.gov/StrategicPlan

Compliance Q&A: Survey protocols, CoPs, HIPAA, ACOs, and Transitions of Care

Saturday, November 19th, 2011

Questions regarding 2011 Survey protocols

Q. We have several questions re the new survey protocols. What are some of the key differences? What does the pre-survey preparation include?

A. The new survey protocols focus on specific standards within identified conditions that are related to quality care. To identify the care delivered and its relationship to the assessment and plan of care designed, besides reviewing the clinical record, the surveyor will also rely on personnel interviews as well as home visits. The survey is data-driven, patient-focused, and outcome-oriented.

The surveyor is expected to collect data and review State file data, prior survey results, OASIS reports, and agency-specific characteristics. (S)he will review outcomes, potentially avoidable events of both active and discharged patients, and make visits for higher risk patients. The new protocols provide specific guidance on citing standard and condition-level deficiencies.

Q. Can you explain the survey levels? How is a standard survey extended?

A. A Standard Survey focuses on Level 1 standards (9 of 15 CoPs) which focus on the delivery of high quality patient care using not only clinical records but inclusive of interviews. If the home health agency is in compliance with all Level 1 standards and there are no identified concerns requiring investigation, the survey will be concluded and form CMS 2567 is issued.

A Partial Extended Survey begins/expands when expected outcomes are not met for one or more Level 1 Standards. It requires a review of Level 2 standards. It should be expected that related information would be sought for areas of concern such as agency policies and procedures, personnel competency evaluations, and inservice training.

Condition-Level Deficiencies can occur with serious findings related to or not related to Level 1 and 2 standards. Immediate patient jeopardy is always cited at the condition level. All conditions are reviewed. Refer to the State Operations Manual, Appendix B Guidelines.

Questions re CoPs

Q. What are the required leadership positions stated in the CoPs?

A. The Conditions of Participation cite three administrative positions: a governing body, an administrator, and a supervising physician or RN. You may title these three positions whatever your agency prefers; however, the positions must exist and the individuals appointed must perform the duties identified in the CoPs. Be certain job descriptions, policies and procedures, and other necessary documentation clearly define that the positions perform all required designated responsibilities.

Do not forget the delegates required. Be certain that agency policy identifies who will function as the administrative delegate. The agency must also be in compliance with state requirements, which frequently are more stringent. Compare both State and Federal requirements so the agency is in compliance.

Q. Is it true that we must have a realistic end point for intermittent services for a patient who has a chronic diagnosis, such as Alzheimer’s disease?

A. The CMS Publication 100-2, Chapter 7, § 40.1.1, states services can be provided “without regard to whether the illness or injury is acute, chronic, terminal, or expected to extend over a long period of time.”

According to the publication, if the patient with a chronic disease is homebound and needs skilled, reasonable, and necessary services that meet the part-time or intermittent requirements, then the agency can provide care. That care must be carefully documented. The agency must be certain there exists an intensive assessment of the patient and their support services with interventions and goals clearly stated. Carefully delineate the SKILLED need for each visit made. If the patient with Alzheimer’s disease qualifies for Medicare coverage through a need for monthly catheter changes and receives home health aide services 1x per month, be certain each visit shows progress and document patient/caregiver response to care.

Part-time or intermittent means up to a maximum of 28 hours per week of skilled nursing care and home health aide services combined, completed in less than 8 hours per day, or up to 35 hours per week of skilled nursing and home health aide services, subject to review by the fiscal intermediary. Medicare requires supporting evidence of the continued skilled care need. The agency must reflect the need for compliant skilled care through clear documentation.

Questions about ACOs and New Payment Methods

Q. I am hearing about bundled services. Should I be concerned?

A. Home Health Agencies should be aware of potential ACO formation in their respective markets. Does your agency have a specialty you should be marketing to local hospitals? Some hospitals are looking at the bundled payment options as well as ACOs. Read more at the CMS website but know that the proposed pilot gives participants the opportunities to make choices regarding patients to include, length of episodes of care, whether acute inpatient care should be included, and the target payment to be established. There are a variety of proposed models. Go to www.CMS.hhs.gov to learn more.

Q. I have heard there will be new payment methods. What are they?

A. Select Data will be providing ezine articles in late November and December regarding some of the proposed payment and treatment methods being considered and presently being evaluated. Those may include:

Accountable Care Organizations (ACOs) with Bundled Payments or Shared Savings Programs where the ACO shares risk. There will be various types of risk sharing programs. There may be Value-based Payment plans. Expect to see ACOs led by hospitals or physician groups. Home Health Agencies will need to show value to become a part of such collaborative formalized groups. Expect CMS to utilize comparative-effectiveness techniques of evidence-based practices. Become familiar with the following terms:

ACOs: Integration of providers to assume responsibility for the quality, costs, and outcomes of care.

Total Costs of Care: A reimbursable methodology that is being designed to reduce cost by person by episode.

Predictive Modeling: A methodology to estimate how clients may use services and the related costs based upon variables, prior behavior, and attributes assigned.

Transition of Care: The movement of patients from one health care practitioner or setting to another as the condition and care needs change. Under this model, there will be NO discharge summary. Instead expect a “Transition Summary”. See the next Select Data article: CMS and Transitions of Care.

Questions re Face to Face

Q. Is anyone working to get some help for home health agencies regarding the face-to-face rule?

A. Yes, several state associations as well as NAHC are working to obtain some legislative relief. NAHC has called for 1) exemptions in specific hardship circumstances, 2) a reduction in documentation required, 3) expanded use of telehealth to meet the face-to-face requirement, 4) protection of home health agencies from denials without fault, and 5) allowing one physician/NPP to complete the Face to Face and another to certify (CMS has proposed this but is limiting it only to an inpatient physician).

Q. Could you give a summary of key points of the proposed 2012 Home Health PPS Rate Rule?

A. Agencies will need to be efficient as there is a proposed 2.5% inflation update, a 5.06% case mix creep adjustment, and a 3.56% rate reduction for 2012. In addition, there is a recalculation of case mix weights proposed that includes elimination of two hypertension codes (401.1 Benign essential hypertension and 401.9 Unspecific essential hypertension). Also, there would be lower therapy episode coding weights. This would include a deceleration of a higher number of visits with a removal of the therapy visit step indicators. There will also be a recalculation of points to clinical and functional scores. Additionally, if an agency failed to complete a successful dry run in Q3 of 2010 for HHCAHPs, they risk a 2% reduction in payment. (See October, 2011 Select Data ezine for more regarding HHCAHPs).

A few questions regarding HIPAA

Q. Could you give a brief summary of HIPAA HITECH? Can you discuss breach? Can you discuss best practices needed?

A. The American Recovery and Reinvestment Act (ARRA) of 2009 brought changes to HIPAA regulations in three broad areas: breach notifications, business associates, and penalties. It increases enforcement of HIPAA and allocates billions of dollars to invest in the implementation and exchange of health information technology such as the EMR.

Under HITECH, if a breach compromises the privacy and security of the patient’s information and poses a significant risk of financial, reputational, or other harm, patient notification is required.

Five new definitions have been added:

  • Breach
  • Electronic Health Record (EHR)
  • National Coordinator
  • Personal Health Record (PHR)
  • Vendor of PHI

HITECH strengthens the specifics of privacy, significantly increasing penalties, establishing a heightened enforcement scheme, and giving state attorneys general enforcement authority. Individuals may now be held accountable for wrongful disclosure (HITECH Act section 13409).

If a breach involves 500 or more individuals, the Department of Health and Human Services (DHHS) should be immediately notified. DHHS began posting names on March 1, 2010. Breaches below 500 must be logged and annually sent to DHHS.

For Business Associates, the Covered Entity must ensure that BAs have implemented the administrative, physical, and technical safeguards of HIPAA security. The CE must also specify that the BA must comply with use and disclosure rules in the HIPAA Privacy Rule. The BA should demonstrate how they will negotiate security/data breach coordination. There should also be an agreement on reporting and dispute resolution.

If the health care organization suspects or knows that a BA has committed a material breach or violation of the agreement, “the health care organization is in violation of the business associate rules unless it takes reasonable steps to cure the breach or end the violation [45 CFR 164.504(e)(1)(ii)]” (Decision Health, HIPAA, 2010).

Penalties include a Tiered System for assessing both the level and penalty for each violation. There is a cap of $50,000 per violation and $1.5 million for the calendar year for the same type of violation.

Health care organizations should have in place policies that address various levels of violation, such as failing to sign off a computer terminal when not attended, sharing passwords, accessing a patient record without legitimate reason, releasing data for personal gain, and intentionally destroying or altering data.

Use Best Practices for:

Authentication: pre-boot and intricate passwords

Access: Need to know basis on approved devices

Retention: Destroy if not needed

Encryption: Laptops, notebooks, desktops, email, and social networks

For some peace of mind, have a written information security program, an active HIPAA privacy program, and a living Corporate Compliance Program.