AMA letter to CMS: Repeal ICD-10

Written by Jill Raykovicz

On Wednesday, the American Medical Association wrote a letter to the US Department of Health and Human Services calling for a repeal of the ICD-10 implementation, slated to be required by all covered entities October 1st, 2014. AMA Executive Vice President and CEO, Dr. James L. Madara, reasoned ICD-10 “is not expected to improve the care physicians provide their patients and, in fact, could disrupt efforts to transition to new delivery models.”

Financial Burdens and Vendor Readiness

Dr. Madara voiced particular concern for smaller practices, where some estimates of the ICD-10 price tag could reach over $225,000, which, he writes, merely compounds other financial hardships such as costs to comply with Stage 2 Meaningful Use, overcoming any impending ePrescribe and PQRS penalties, as well as mitigating the 2 percent across-the-board sequestration cuts now pushed into 2023.

The letter released the results of a report by Nachimson Advisors, which revealed fewer than half (47 percent) of physicians say their practice management system vendor plans on delivering an ICD-10 software upgrade. Of those who are expecting an upgrade, 26 percent expect to receive it before April, 24 percent before July, 13 percent before October, and 1 percent after the October 1st deadline. These timelines, the AMA argues, are insufficient to perform the necessary testing to ensure the software is working as intended.

Dr. Madara also implored Medicare to conduct true end-to-end testing with at least 100 different physician practices of varying size and specialties. Dr. Madara writes, “We believe end-to-end testing is essential for ensuring the health industry will not suffer massive disruptions in claims and payment processing and ultimately risk physicians’ ability to care for their patients.”

Advance Payment Options

Dr. Madara also appeals for an “Advance Payment” policy for the more serious cases that would jeopardize a provider’s ability to treat Medicare patients due to non-payment of services. This would apply to those services that have been submitted but not yet paid for dates of service after October 1st, 2014, where the provider has already tried unsuccessfully to recoup payment from their contractor but is still weeks or months away from receiving reimbursement. Dr. Madara reminds CMS that a similar policy went into effect after the implementation of the National Provider Identifier (NPI) in 2008, and proposed the following parameters under which advance payment would be afforded to providers:

1. When a physician has submitted claims but is having problems getting the claim to reach the contractor and be paid due to problems on the contractor’s end
2. When a physician has not been paid for at least 90 days
3. When they attest that at least 25 percent of their patients are Medicare; and
4. When they attest that at least 25 percent of their reimbursements are from Medicare.

Two-Year Implementation Grace Period

To battle the learning curve physicians and coders will experience as they gain a better understanding of the specificity required for ICD-10, Dr. Madara proposes a two-year “implementation period” during which Medicare will not be allowed to deny payment based on the specificity of the ICD-10 code, and will provide feedback to the physician on any coding concerns. Medicare would also agree not to recoup payment due to lack of ICD-10 specificity during this grace period.

Conclusion

While the AMA confirms their commitment to the successful transition to new payment and delivery models, and the adoption of technology to promote care coordination, the letter concludes that ICD-10 is “unlikely to improve the care physicians provide to their patients and takes valuable resources away from implementing delivery reforms and health information technology”.

800,000 Reasons You Need Workforce Training

The recent HHS settlement in the case of 71 cardboard boxes of medical records being left on a physician’s driveway is your 800,000 reasons, and they are all in cold, hard cash. Here is the key detail about what happened, direct from the resolution agreement:

“On June 4, 2009, Parkview failed to appropriately and reasonably safeguard the PHI, when Parkview employees, with notice that Dr. Hamilton had refused delivery and was not at home, delivered and left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of Dr. Hamilton’s home, within 20 feet of the public road and a short distance away (four doors down) from a heavily trafficked public shopping venue.”

The $800,000 settlement came with a corrective action plan that includes additional training for all 8,700 employees. It clearly states that the employees made a decision to leave 71 boxes of records on a driveway. Whether or not the employees had been properly trained and elected to do this anyway isn’t clear. So, do you think those employees just didn’t care, or that they weren’t trained to care about what information was in those boxes?

When we are discussing training requirements with many offices, both CE and BA, they question the need to train all workforce members. I could easily see a discussion about whether or not those employees needed HIPAA training. They never touch PHI to do their jobs; they maybe move things between the health system’s facilities. It would be argued that there is no need to spend the time or the money to train these people to worry about the importance of protecting PHI. They just don’t end up in a situation where it will matter.

I tell them the same thing today that I have for the last few years.  Now, I just have something specific to point to with this resolution. If you can’t be certain who may be in the position to make a decision like these employees did, isn’t it better to have a fighting chance they have a clue about HIPAA?

It is summer time and many small offices have teenagers around the office.  Yes, some are there to work and others more so someone keeps an eye on them, but either way they need to know how serious they should be about protecting the PHI in your office right now.  What if they were the ones someone decided to send on an errand like this one?

If someone cleaning out the trash finds medical records tossed where they shouldn’t be, wouldn’t you prefer they know to tell you about it or even just toss it in the shredder box instead?  They may be your last line of defense.

Take it further and consider what would have happened if a BA was involved in this delivery debacle.  Do you think a BA would worry about making sure those people were trained properly to understand what they were delivering and how it should be handled? Many sites are still uncertain if their BAs even know what they are supposed to be doing for HIPAA, much less actually training every single member of their workforce.

HIPAA Training should be done for every single member of your workforce.  Make note the term workforce is used. HIPAA defines the workforce as every person under direct control of the CE or BA whether or not they are even paid.  If you tell them in any way what they should work on, when, and where they should work, then they should be trained.

HIPAA Training can no longer be the 45 minute lunch everyone sits through in January while someone from the malpractice insurance company comes by to talk about HIPAA.  There needs to be more to it than that, or you may find your records floating down a street one day because it was just a box of papers being delivered.


Just Another Reason To Run From IE

I personally turned away from Internet Explorer years ago and never looked back.

In today’s latest news, it seems that IE is getting some great negative publicity. So bad is the problem that the U.S. Department of Homeland Security is issuing a warning?!

Read it for yourself here.

5 Things You Can Do To Protect Yourself & Your Business

  1. Use Google Chrome or Firefox – My flavor of choice for a while has been Chrome. I like the look, feel and simplicity of just using it. Plus, I’m a heavy user of Google Apps so it works seamlessly. Personally, I wouldn’t go back to IE even after it’s patched. IE security has been lacking for quite some time.
  2. Update often – Arguably one of the best defenses against security issues is keeping ALL your software products updated. This can be a bit difficult, even if you know how to do it… it can be time consuming. With anything time consuming, it is not likely to get done. Patch and Update Management is one of the benefits our clients enjoy. We automate these time consuming tasks to ensure the highest security and protection.
  3. Use a GOOD Antivirus – Ok… so we all love FREE but sometimes you need to splurge. I can think of many areas where you would never splurge to protect yourself or your business (or family). Internet security is no longer an issue only for the big corporations. Every small business (and even home) should be taking proactive steps to protect themselves online.
  4. Protect your network from the edge – Small businesses should put edge protection into place. Edge protection simply means that there is a level of protection and security at the point (the edge) where your Internet service comes into your business… before it gets to any PC. Traffic is monitored, scanned and filtered at the first point of entry. Think of it as a big bouncer at the door of a high-end club.
  5. Monitor your network – You don’t know what you can’t see… unless you are having your network monitored. 24/7 monitoring is almost always VERY surprising to clients. Typically there are a lot of problems lurking but undetectable until things start crashing. I haven’t met one single client that hasn’t thought their network was in good shape only to find that there were some serious issues going on that they weren’t aware of. This type of information can only be gathered through good monitoring.

These 5 tips can be used over and over again for many situations because they are simply fundamental steps to prudent protection.

Be Still My Bleeding Heart

The Heartbleed Bug… heard about this one yet?

The latest problem recently discovered is called the Heartbleed Bug. Where do they get these names anyway?

So, not to bore you with the technical details, just know that this is a HUGE (potential) problem. Basically, any site that uses OpenSSL likely has this bug. In layman’s terms… you know when you go to a website and there is this little padlock that appears next to the website address… like when you login to your bank or webmail? Yeah, like Gmail or Yahoo Mail. Well, most of those protected, secure sites are… well… not secure.

This security bug allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

What You Should Do

1. Identify those sites that you use that may be “secure” sites and go to those sites, or call the companies, and inquire about whether they are affected by this. If they are, find out when it will be fixed on their end and ask to be notified when it’s fixed… or ways to follow up on the progress. Most likely, these sites and companies will be contacting you by email in the very near future.

2. Use this tool to test their server by entering in their web address. Be aware that just because they pass this test does not mean they were not vulnerable. They could have repaired the problem since its discovery… before you ran this test. http://filippo.io/Heartbleed/

3. Change your passwords to these sites AFTER you are confident they have fixed the problem. Changing your passwords before the fix is in place will likely cause your new password to be stolen as well.

WARNING

The chances are very high that there will be scammers coming out of the woodwork to take advantage of this. Here are some DO NOTs to follow:

DO NOT click on any links in any email guiding you to reset your password. Instead, go directly to the site and change your password as you would normally do.

DO NOT take any phone calls from anyone claiming to be the Feds or Microsoft or Facebook wanting to get personal information from you.

DO NOT use the same password on more than one site. Make every password unique (more on this in a minute).

DO NOT assume anything online is inherently safe. The Internet is a wonderful and dangerous place… treat it as such.

Other Considerations

1. Use a GOOD password manager. Everyone complains about passwords these days. They have too many… too complicated… can’t remember… blah blah blah. Do yourself a favor and use a good, secure password manager. I personally use and recommend LastPass (https://lastpass.com/). The free version will work for most users. However, if you want even more security and smartphone functionality (which I like), then a premium subscription is needed. For $12 a year, a premium subscription is hardly a strain on the wallet.

2. Never use the same password twice. Using LastPass makes this easy. First, since LastPass stores all your sites, usernames and passwords, it’s not a big deal to use passwords that you can’t remember. I have probably a hundred different passwords and know almost none of them… that’s what I pay LastPass to do. LastPass will also generate a password for you so you don’t have to figure out what to use.

3. Always use strong passwords. I recommend using passwords of at least 12 characters in length… especially for sensitive sites like banking and sites you put credit card or personal information into. You need to have at least one of the following: Capital letter, number and special character. With LastPass you can enter these parameters and it will generate a secure password for you to use… simple.

4. Change passwords on a regular basis. If you’re a business you should be changing passwords at least every 90 days. For individuals, pick a day each year… or twice a year to go through and change your passwords (at least your super important ones). For example, change your passwords when the time changes twice a year or every year on your birthday or groundhog day… I mean… what else are you doing on groundhog day?
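As an added illustration of items 2 and 3 above (this is example code written for this page, not the post’s own material and not LastPass code), the block below generates a password that is guaranteed to meet the stated policy (at least 12 characters, with at least one capital letter, one number and one special character) using the operating system’s cryptographic random source, checks an existing password against that policy, and flags passwords that are reused across sites in a small vault. The special-character set and the sample vault are assumptions constructed for the example.

```python
import secrets
import string

# Policy from the post: at least 12 characters, with at least one
# capital letter, one number and one special character.
MIN_LENGTH = 12
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# Assumed special-character set; narrow it to what a given site accepts.
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"


def meets_policy(password: str, min_length: int = MIN_LENGTH) -> bool:
    """Return True if the password satisfies the length and character-class rules."""
    return (
        len(password) >= min_length
        and any(c in UPPER for c in password)
        and any(c in DIGITS for c in password)
        and any(c in SPECIAL for c in password)
    )


def generate_password(length: int = 16) -> str:
    """Generate a password that always satisfies meets_policy().

    Uses the secrets module (backed by the OS CSPRNG) rather than the
    random module, which is predictable and unsuitable for secrets.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = UPPER + LOWER + DIGITS + SPECIAL
    # Pick one character from each required class so the policy cannot fail...
    chars = [secrets.choice(UPPER), secrets.choice(DIGITS), secrets.choice(SPECIAL)]
    # ...then fill the remainder from the full alphabet.
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle so the guaranteed characters do not always sit in the first positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def find_reused(vault: dict) -> dict:
    """Map each password used on more than one site to the sorted list of those sites.

    `vault` is a {site_name: password} mapping, as a password manager would hold.
    """
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample vault: two sites sharing one password.
    sample_vault = {
        "bank": "Winter-Garden-2014!",
        "webmail": "Winter-Garden-2014!",
        "shop": "Rope-Lantern-77#",
    }
    print("policy ok:", meets_policy("Correct-Horse-Battery-9"))
    print("generated:", generate_password())
    print("reused:", find_reused(sample_vault))
```

The order of operations in `generate_password` matters: choosing one character per required class first makes the policy check a guarantee rather than a retry loop, and the final shuffle removes the positional pattern that would otherwise leak which characters were forced.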

If you can think of other recommendations, leave a comment below or go over to our Facebook page and let us know what you would recommend.

42,000 Impacted by Insurance Hard Drive Breach

A Wisconsin health insurance group has notified nearly 42,000 of its members that their protected health information may have been compromised following a HIPAA privacy breach.

Back in December, Unity Health Plans Insurance Corporation, which serves some 140,000 members, discovered an unencrypted portable computer hard drive containing health records of 41,437 individuals was missing from the University of Wisconsin-Madison School of Pharmacy. Officials say the school had this information as part of a benefits program evaluation.

Member names, dates of birth, name of prescription drugs and dates of service were contained on the device.

“(We’re) reviewing all our policies and trying to reeducate employees,” Jennifer Woomer Dinehart, spokesperson for Unity Health, told Healthcare IT News. Woomer Dinehart would not confirm or clarify what the company-wide encryption policy was.

“We are sorry this happened and want to provide pertinent information concerning the occurrence along with the steps we are taking to minimize any potential impact,” read a Jan. 30 company notice.

To date, out of the more than 80,000 HIPAA breach cases OCR has received since 2003, only 17 of them have resulted in fines thus far.

Just this past December, the five-hospital Riverside Health System in southeast Virginia announced that the PHI of nearly 1,000 patients had been compromised in a privacy breach that continued for four years. From September 2009 through October 2013, a former Riverside employee inappropriately accessed the Social Security numbers and electronic medical records of 919 patients. The breach wasn’t discovered until Nov. 1 following a random company audit.


Skype With Patients? HIPAA Says “No Go”

An Oklahoma medical board sanction against Thomas Trow, MD, sparked concern over the practices of telemedicine and telepsychiatry. Using Skype, Trow conducted online video appointments and prescribed controlled substances to a patient who ultimately succumbed to an overdose. Trow never saw the patient in person before prescribing the drugs. As a result, the Oklahoma medical board published a ruling on January 16 of this year, stating that for telemedicine, “Technology must be HIPAA compliant.”

With growing excitement, doctors and patients are “seeing” each other online through a range of video chat technology platforms. In fact, healthcare innovation like telemedicine is vital to the changing landscape of patient demands and government-driven insurance. For many, the Oklahoma telemedicine ruling brings welcome clarification and an opportunity to educate providers about this new way of practicing HIPAA-compliant telemedicine.

“The last thing the U.S. healthcare system needs is to abandon the idea of telemedicine,” said Daniel Gilbert, president and CEO of CloudVisit Telemedicine. “The technology has tremendously positive implications for providers and patients. To lose out because of one platform — a platform that was never designed as a medical tool — would be real detriment.”

Since the Oklahoma ruling does not specifically cite any brand names, many physicians are left wondering, “Is Skype HIPAA compliant?” Skype’s privacy policy simply states that they, “will take appropriate organizational and technical measures to protect the personal data…” and owner, Microsoft Corp.’s Business Associate Agreement (BAA) explicitly omits Skype. To better understand Skype’s security, one must turn to the Health Insurance Portability and Accountability Act (HIPAA).

  • Telemedicine is a HIPAA-compliant method for patient appointments
  • Online video appointments must be conducted via a HIPAA-compliant telemedicine platform
  • Business Associate Agreement (BAA) must exist between the healthcare provider and the company responsible for the telemedicine technology
  • The BAA must guarantee the HIPAA compliance of all measures for security practices and data encryption
  • Providers must obtain informed patient consent prior to conducting online video appointments
  • In absence of a BAA and informed consent, Skype is not HIPAA compliant

“It’s important to keep in mind that Microsoft never intended Skype to be a medical tool,” reminds Gilbert. “Beyond significant HIPAA issues, Skype has many operational shortcomings. CloudVisit provides tools for scheduling and billing, plus treatment notes and more. Skype has none of these features.”

In fact, a search of the word “telemedicine” on the Skype website comes up empty. They do not claim to be HIPAA compliant, nor do they position themselves as a resource for the medical community.

As stated, healthcare practices and patients have a lot to gain from online video appointments. The right technology can be highly effective and appropriate for follow-up care, routine appointments, and mental health consultations once a provider-patient relationship is established in person.

CloudVisit Telemedicine provides a HIPAA-compliant telemedicine and telepsychiatry platform for scheduling, conducting, tracking, and billing online video appointments with patients. CloudVisit enters into a BAA with every client.


Coming to a Medical Practice Near You: HIPAA and Hi-Tech Audits

On December 26, 2013, the U.S. Health and Human Services Office of Civil Rights (“OCR”) announced its first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Adult & Pediatric Dermatology, P.C., (“the Practice”) of Concord, Massachusetts agreed to settle potential violations with a $150,000 penalty and corrective action plan.

In 2011, the Practice notified OCR that an unencrypted thumb drive containing the electronic protected health information (“ePHI”) of approximately 2,200 individuals was stolen from a staff member’s vehicle. OCR launched a subsequent investigation and found that the Practice had failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities of confidential ePHI as part of its security management process. Further, the Practice did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and to train workforce members.

The Final Omnibus Rule has been discussed at length on this blog and compliance was mandated by September 23, 2013. Providers should already have policies and procedures implemented to correspond with the Final Rule, reflect current technology, and address ePHI. The OCR’s December settlement, however, serves as a startling reminder that providers of every size are being audited. No entity is too small and medical practice practitioners are gravely mistaken if they think they are off OCR’s radar.

The importance of HIPAA risk analysis cannot be stressed enough. The Practice failed to have a risk analysis and paid the costly consequences. Not only is an analysis required as the first step in HIPAA Security Rule compliance, but it is also a Core Measure of Stage 1 and 2 “Meaningful Use.”

The Practice’s troubles began over a lost thumb drive. Does your practice use thumb drives? How about laptops? Mobile phones? Have you accounted for the use and misuse of these devices in your HIPAA risk analysis?


This 5-Minute Video Could Save Your Practice

Almost every business uses a multi-function copy machine that copies, scans, prints and possibly faxes information. What most people don’t realize is that many of these machines have hard drives that store all information that the machine has access to. Think of these machines as computers that store a digital record of every copy made, every document scanned and every page printed.

Copying patient information

If your organization copies insurance explanations of benefits (EOBs) or patient insurance cards, or uses a multi-function printer to print out letters to patients, all that information could be sitting on the hard drive of your copier. If this information is not properly destroyed before you return the machine to a leasing company, recycle the machine, sell the machine or throw the machine out, all that patient information might cause a HIPAA data breach.

Watch this video!

The below video from CBS news gives valuable information about the risks of copy machines.

Note: Affinity Health Plan, which is featured in the video, received a $1,215,780 HIPAA fine (that’s right… $1.2 MILLION) because of one copy machine that contained 344,579 records with protected health information (PHI).

Video: https://www.youtube.com/watch?v=TCKr5WgVVN8

Independent Physicians Lag Behind with EHRs

Adoption and use of health IT increased significantly from 2009 to 2012, though there is a sizable gap between the adoption levels of large and small practices.

A study by The Commonwealth Fund measured changes in health IT use over that four-year period. The study found that the percentage of physicians able to electronically send prescriptions to pharmacies rose from 34% to 66% and electronic prescribing increased from 40% to 64% over that timeframe. Adoption of electronic records is where the difference between practice sizes was most pronounced: Only half of solo physicians use EMRs, while more than 90% of physicians in practices with 20 or more physicians do so.

A lack of resources is one explanation why independent physicians and smaller practices aren’t turning to health IT solutions at the same rate as larger ones. Independent physicians’ responses to an athenahealth Inc. survey reflected this sentiment. Fewer than half of independent physicians not associated with hospitals felt the financial and care benefits of EHRs exceeded the costs, while greater than half of their employed peers felt the same.

Independent physicians’ unwillingness to take on major business costs (including those associated with EHRs) is likely contributing to the shrinking number of independent doctors in the U.S. Statistics from Accenture show the percentage of independents sunk from 57% in 2000 to just 39% in 2012. A large majority (87%) of doctors cited business costs and expenses as a top concern and a reason why they’d consider abandoning their independent status.

A data brief from the National Center for Health Statistics (NCHS) focused on physicians’ widespread use of EHR technology. The NCHS data showed that in 2013 78% of all office-based physicians were using some type of EHR, an increase from 18% in 2001 — something Karen DeSalvo, national coordinator for health IT, noted in a recent blog post. Meaningful use incentives are driving many providers to adopt EHR systems. The NCHS brief reported that 69% of physicians intend to participate in the Medicaid or Medicare EHR incentive programs, though only 13% of them had EHR systems in place to support 14 of the 17 stage 2 core objectives. Those statistics represent a fear of independent physicians — adopting an EHR system without qualifying for reimbursement payments.

ICD-10 – Not Just A Coder’s Problem

by Jill Raykovicz

The deadline to transition to ICD-10 for all covered entities is October 1, 2014. If that seems like a long way off, it isn’t. In terms of actual work days[1], this timeframe is compressed to six months for medical and other healthcare practices to train staff, communicate with vendors, test software systems and claim files, and evaluate current processes to determine in what areas ICD-10 will affect day-to-day office functions.

IMPACT ON REIMBURSEMENT

If this sounds like a problem reserved for coders and billing staff, it isn’t. CMS’ ICD-10 Implementation Guide for Physician Practices advises, “Consider getting a line of credit to cover cash flow disruptions due to changing reimbursement models, delays in claims processing and re-processing, staff learning curve and long-term effects of the ICD-10 transition”[2].

Although CPT- and HCPCS-based reimbursements will not change with the ICD-10 transition, fee-for-service payments may be indirectly and adversely affected for the following reasons:

  • Denials will increase because of incomplete or inaccurate translation of payment rules in payer systems as they attempt to translate these rules from ICD-9 to ICD-10.
  • Payments will be delayed because of challenges in claim processing in the ICD-10 environment.

Increased detail contained in ICD-10-CM means that the documentation required will change dramatically. The level of severity, comorbidities, complications, sequelae, manifestations, and causes that characterize the patient’s condition increases within the ICD-10 coding guidelines.

PLANNING IS EVERYTHING

ICD-10 Coordination Manager

Every office should have an ICD-10 Coordination Manager. Depending on the size of the practice, this could be one person or a committee of persons responsible for communication and coordination with staff, providers, and vendors on key dates and project timelines for ICD-10, both pre- and post-go-live.

The Coordination Manager will also:

  • Coordinate training schedules and verify that staff have attended and completed them.
  • Set an ICD-10 project budget in terms of training and software upgrade costs, coding books and guides, re-printing of encounter or referral forms with the new codes, if necessary, and other costs associated with ICD-10.
  • Determine if re-training is necessary as we get closer to the October 2014 timeframe.

He or she (or they) should ensure accurate coding decisions are being made, clinical documentation supports the new ICD-10 specificity requirements, and associated lags in productivity are identified and communicated.

Training

Speaking of training, although most ICD-10 literature advises that staff and providers receive training no more than six to nine months before implementation, it is imperative to reserve slots now before classes fill up, or before less than desirable dates and times are the only ones left for either on-site training or an off-site seminar. Don’t wait to contact professional associations around the April 2014 timeframe only to find out the on-site ICD-10 trainer’s only availability is the same week Suzie in the business office goes out for surgery. Or, the only off-site workshop with any seats available is the week before Jane, your charge entry clerk, returns from maternity leave.

Resources

CMS, the American Academy of Professional Coders (AAPC), the American Health Information Management Association (AHIMA) and the Workgroup for Electronic Data Interchange (WEDI) all have information on ICD-10 training and factors for success.

WEDI and CMS have partnered in taking a proactive approach to answering questions and concerns regarding the ICD-10 transition. Organizations can submit questions, free of charge, to an online database.

IN CONCLUSION

Expect no more delays or movement of the October 1st, 2014 deadline. Ready or not, here ICD-10 comes. Through planning, resource management, and effective leadership, medical and other healthcare practices can mitigate disruptions in cash flow as a result of ICD-10.


[1] Based on regular Monday through Friday office hours

[2] ICD Implementation Guide for Small and Medium Practices, p. 31

Physician Practice Consultants is led by Jill Raykovicz, MHA, CMPE, CPC.  Jill has over 15 years’ experience in physician practice management.  She has a strong passion for leveraging this experience and expertise within the private-practice setting, in order to assist independent practices struggling to keep up with changes in healthcare reform, pay-for-performance quality measures, and shrinking reimbursement from third party payers.

Jill holds a Master of Health Administration from Cornell University, is a board-certified medical practice executive (CMPE) through the American College of Medical Practice Executives, and is a Certified Professional Coder (CPC) with the American Association of Professional Coders.

She is also a member of the National Society of Certified Healthcare Business Consultants and the North Carolina Healthcare Information and Communication Alliance ICD-10 Taskforce.

Jill may be reached at jill@physician-practice-consultants.com