AMA letter to CMS: Repeal ICD-10

Written by Jill Raykovicz

On Wednesday, the American Medical Association wrote a letter to the US Department of Health and Human Services calling for a repeal of the ICD-10 implementation, slated to be required by all covered entities October 1st, 2014.  AMA Executive Vice President and CEO, Dr. James L. Madara, reasoned ICD-10  “is not expected to improve the care physicians provide their patients and, in fact, could disrupt efforts to transition to new delivery models.”

Financial Burdens and Vendor Readiness

Dr. Madara voiced particular concern for smaller sized practices, where some estimates of the ICD-10 price tag could reach over $225,000, which, he writes, merely compounds other financial hardships such as costs to comply with Stage 2 Meaningful Use, overcoming any impending ePrescribe and PQRS penalties, as well as mitigating the 2 percent across-the-board sequestration cuts now pushed into 2023.

The letter released the results of a report by Nachimson Advisors, which revealed fewer than half (47 percent) of physicians say their practice management system vendor plans on delivering an ICD-10 software upgrade. Of those who are expecting an upgrade, 26 percent expect to receive it before April, 24 percent before July, 13 percent before October, and 1 percent after the October 1st deadline.  These timelines, the AMA argues, is insufficient to perform the necessary testing to ensure the software is working as intended.

Dr Madara also implored Medicare to conduct true end-to-end testing with at least 100 different physician practices of varying size and specialties.  Dr. Madara writes, “We believe end-to-end testing is essential for ensuring the health industry will not suffer massive disruptions in claims and payment processing and ultimately risk physicians’ ability to care for their patients.”

Advance Payment
 Options

Dr. Madara also appeals for an “Advance Payment” policy for the more serious cases that would jeapordize a provider’s ability to treat Medicare patients due to non-payment of services. This would apply to those services that have been submitted but not yet paid for date of service after October 1st, 2014, where the provider has already tried unsuccessfully to recoup payment from their contractor but is still weeks or months away from receiving reimbursement.  Dr. Madara reminds CMS a similar policy went into effect after the implementation of the National Provider Identifier (NPI) in 2008, and proposed the following parameters where advance payment would be afforded to providers:

1. When a physician has submitted claims but is having problems getting the claim paid to reach the contractor due to problems on the contractor’s end
2. When a physician has not been paid for at least 90 days
3. When they attest that at least 25 percent of their patients are Medicare and;
4. When they attest that at least 25 percent of their reimbursements are from Medicare.

Two-Year Implementation Grace Period

To battle the learning curve physicians and coders will experience as they gain a better understanding of the specificity required for ICD-10, Dr Madara proposes a two-year “implementation period” during which Medicare will not be allowed to deny payment based on the specificity of the ICD-10 code, and provide feedback to the physician on any coding concerns.  Medicare would also agree not to recoup payment due to lack of ICD-10 specificity during this grace period.

Conclusion

While the AMA confirms their commitment to the successful transtion to new payment and delivery models, and the adoption of technology to promote care coordination,  the letter concludes that  ICD-10 is “unlikely to improve the care physician provide to their patients and takes valuable resources away from implementing delivery reforms and health information technology”.

800,000 Reasons You Need Workforce Training

The recent HHS settlement in the case of 71 cardboard boxes of medical records being left on a physicians driveway is your 800,000 reasons, and they are all in cold, hard cash.  Here is the key detail about what happened direct from the resolution agreement:

[su_quote]On June 4, 2009, Parkview failed to appropriately and reasonably safeguard the PHI, when Parkview employees, with notice that Dr. Hamilton had refused delivery and was not at home, delivered and left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of Dr. Hamilton’s home, within 20 feet of the public road and a short distance away (four doors down) from a heavily trafficked public shopping venue.[/su_quote]

The $800,000 settlement came with a corrective action plan that includes additional training to all 8,700 employees.  It clearly states that the employees made a decision to leave 71 boxes of records on a driveway.  Whether or not the employees had been properly trained and elected to do this anyway isn’t clear.  So, do you think those employees just didn’t care or they weren’t trained to care about what information was in those boxes?

When we are discussing training requirements with many offices, both CE and BA, they question the need to train all workforce members.  I could easily see a discussion about whether or not those employees needed HIPAA training.  They never touch PHI to do their jobs, they move things between the health system’s facilities maybe. It would be argued that there is no need to spend the time nor the money to train these people to worry about the importance of protecting PHI.  They just don’t end up in that situation where it will matter.

I tell them the same thing today that I have for the last few years.  Now, I just have something specific to point to with this resolution. If you can’t be certain who may be in the position to make a decision like these employees did, isn’t it better to have a fighting chance they have a clue about HIPAA?

It is summer time and many small offices have teenagers around the office.  Yes, some are there to work and others more so someone keeps an eye on them, but either way they need to know how serious they should be about protecting the PHI in your office right now.  What if they were the ones someone decided to send on an errand like this one?

If someone cleaning out the trash finds medical records tossed where they shouldn’t be, wouldn’t you prefer they know to tell you about it or even just toss it in the shredder box instead?  They may be your last line of defense.

Take it further and consider what would have happened if a BA was involved in this delivery debacle.  Do you think a BA would worry about making sure those people were trained properly to understand what they were delivering and how it should be handled? Many sites are still uncertain if their BAs even know what they are supposed to be doing for HIPAA, much less actually training every single member of their workforce.

HIPAA Training should be done for every single member of your workforce.  Make note the term workforce is used. HIPAA defines the workforce as every person under direct control of the CE or BA whether or not they are even paid.  If you tell them in any way what they should work on, when, and where they should work, then they should be trained.

HIPAA Training can no longer be the 45 minute lunch everyone sits through in January while someone from the malpractice insurance company comes by to talk about HIPAA.  There needs to be more to it than that, or you may find your records floating down a street one day because it was just a box of papers being delivered.

 View Original Post

Coming to a Medical Practice Near You: HIPAA and Hi-Tech Audits

On December 26, 2013, the U.S. Health and Human Services Office of Civil Rights (“OCR”) announced its first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Adult & Pediatric Dermatology, P.C., (“the Practice”) of Concord, Massachusetts agreed to settle potential violations with a $150,000 penalty and corrective action plan.

In 2011, the Practice notified OCR that an unencrypted thumb drive containing the electronic protected health information (“ePHI”) of approximately 2,200 individuals was stolen from a staff member’s vehicle. OCR launched a subsequent investigation and found that the Practice had failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities of confidential ePHI as part of its security management process.  Further, the Practice did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.

The Final Omnibus Rule has been discussed at length on this blog and compliance was mandated by September 23, 2013. Providers should already have policies and procedures implemented to correspond with the Final Rule, reflect current technology, and address ePHI. The OCR’s December settlement, however, serves as a startling reminder that providers of every size are being audited. No entity is too small and medical practice practitioners are gravely mistaken if they think they are off OCR’s radar.

The importance of HIPAA risk analysis cannot be stressed enough. The Practice failed to have a risk analysis and paid the costly consequences. Not only is an analysis required as the first step in HIPAA Security Rule compliance, but it is also a Core Measure of Stage 1 and 2 “Meaningful Use.”

The Practice’s troubles began over a lost thumb drive. Does your practice use thumb drives? How about laptops? Mobile phones? Have you accounted for the use and misuse of these devices in your HIPAA risk analysis?

 
Originating Source

What is Reasonable and Appropriate for Your Specific Environment

These days we deal with resistance and denial towards HIPAA compliance. There are many reasons given for incomplete or ineffective compliance programs. We have heard everything from long rambling rants against the government, claims of not applicable to me and plenty of “we don’t have the _____” (fill in: time, money, resources) to explain away the compliance gaps.

There is, however, one case that concerns me when we find it. A practice or business is given a standard list of HIPAA Security implementation recommendations. The problem is that the list of recommendations doesn’t always include a review of what is reasonable and appropriate for the specific environment. The result is a group frozen by fear, sticker shock or worse paying for services and equipment that may be overkill for them. The Security Rule explains in the General Rules section just what should be considered in determining what is reasonable and appropriate for a specific environment (emphasis added):

HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.

Therefore, when a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider:

Its size, complexity, and capabilities,

Its technical, hardware, and software infrastructure,

The costs of security measures, and

The likelihood and possible impact of potential risks to e-PHI.

No, this doesn’t mean you can decide you are so small and the rules are too complex to follow them at all. That is definitely not what reasonable and appropriate means in this context. What it does mean, though, is that you can determine how to implement the standards, both required and addressable, but apply these considerations to your implementation plans.

Our approach is to always define the environment before defining the plan. The Security Risk Analysis is first in the list of requirements for a reason. But, keep in mind, that even the tasks performed in the Risk Analysis should be confirmed as reasonable and appropriate for your specific environment.

 

Reposted with permission from: http://smallproviderhipaa.com/2013/10/31/what-is-reasonable-and-appropriate-for-your-specific-environment/

Do Your BA Due Diligence

Long gone are the days that you pull down a template Business Associate Agreement and everyone just signs it.  BAs may not understand the extent of their obligations under HIPAA.  You need to confirm your agreements plus check what they are really doing to comply.

I really don’t recommend blindly using a template agreement to anyone.  Make sure you know what the agreement is committing for both parties.  There are optional things in those templates that can cause problems for some businesses.  Many folks just rolled them all in there and never looked at the implications closely.

Once you have the agreement worked out, get at least a general understanding of what each BA is doing for their own compliance including BAs they use to provide services.  We use a due diligence checklist to help with the process.  Here are a few things we have learned while doing them.

IT Support Companies.  If you are trying to manage HIPAA Security requirements without some sort of IT company involved (or your own IT staff), you probably aren’t doing everything that is required.  Someone has to understand firewall logs, encryption key management, network scanning, etc.  BUT, make sure the one you do use is HIPAA compliant.  If they have admin access to all your servers they have access to everything; and they can’t do their job well without that level access.

We find that most IT companies have the security part of the rules covered, maybe not documented fully but mostly in place.  The real problem comes when you ask about anything outside the Security Rule.  They should have a training program, understand minimum uses and disclosure requirements, breach notification policies and procedures and a few more things that have nothing to do with the Security Rule.  Make sure they understand there is more to HIPAA than the Security Rule.

Collections Services.  Collections services vary widely in the data they gather.  Many of these services may not specialize in medical but make it a segment of their business.  Be very thorough with any service that doesn’t offer specific secure connections or instructions for data exchange.  When checking these guys you have to ask about Security first.  You may never even get to the things outside of security requirements before you know you have a problem.  Make sure to determine how much medical work they are doing first then ask about the rest of compliance, especially how they worry about encryption at all stages of the process.

Accounting/CPAs.  Sometimes these are also collection or billing services which may make things easier.  Think through what you do with them otherwise and make sure you understand exactly what they are doing with your patient information they may be privy to for their services.   In cases where they are simply doing accounting they may only see patient data when dealing with large balance accounts or writing refund checks.  It is still PHI.  Make sure they have a plan to protect PHI.  Also, make sure they train employees on HIPAA even if they think they are discreet enough because they have to be for everyone.

Billing Services.  These guys deal in high volumes of data moving through their offices all the time.  They usually have a decent understanding of the uses and disclosure rules but may be lax in security within their office.  Also, they have a lot of downline BAs and subcontractors in most cases just in processing services.  Make sure they have security plans in place and understand clearly what their BA and subcontractors obligations include.

Transcription.  A wide array of situations are occurring when we ask about transcription.  You need to be sure you know if they are signing your BAA but using subcontractors that may not be signing one with them.  This area can get very messy just working out who is storing data and who is accessing data.  Review every part of their set up to be sure they are covering their bases.  Make sure you check a lot of details with this BA both for a service as well as individual contractors.

Many of the compliance management tools include BA management features.  It is a very valuable tool to help you keep up with all this information and documentation.  It is hard enough to keep up with our own stuff but you have to get some info about all their stuff too.   It is important, though.

By checking on your BAs to make sure they truly understand their obligations, you better protect your patients and your business from compliance problems that aren’t under your roof.  If you have a BA that you know is a BA but they don’t want to become compliant, you have very specific steps you need to follow in order to protect your compliance status.

  • Take reasonable steps to cure the problem with the BA and get compliance in line
  • If a BA still does not comply, you must terminate the business contract on HIPAA compliance grounds.
  • If there is no other entity you can get the service provided by the non-compliant BA, you must report them to HHS.

One more thing…….  BA management isn’t just for CEs anymore.  All you BAs need to follow the same process for your BAs.

Original article authored by Donna Grindle, used here by permission.