healthcarecompliance101

Healthcare Compliance 101

Archive for the month “May, 2011”

Accounting of Disclosures – Proposed Rule

Patient rights in the healthcare industry have been a critical issue for years.  One such right that the public has insisted on is their right to access their own health information and amend health information when it is deemed to be incorrect. 

On May 31, 2011, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a Notice of Proposed Rule Making (NPRM) entitled HIPAA Privacy Rule Accounting of Disclosures Under HITECH.  OCR will now receive comments on this proposed rule until August 1, 2011 and is expected to publish a final rule by the end of 2011. Compliance with the accounting of disclosures requirements would then begin sometime mid 2012.

The purpose of this rule is to implement the requirement under HITECH to require covered entities and business associates to account for disclosures of protected health information to carry out treatment, payment and healthcare operations where such disclosures are made through an electronic health record. This rule will expand the accounting provision so that individuals would have the right to receive an access report indicating who has accessed ePHI in a designated record set.  A Designated Record Set means a group of records maintained by or for a health plan or health care provider that are 1) the medical records and billing records about individuals maintained by or for a covered health care provider; 2) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; used, in whole or in part, by or for the health plan or health care provider to make decisions about individuals.

There are a couple of noteworthy points about this NPRM. First, the covered entity accounting information must be for all disclosures by the covered entity or its business associates (if that business associate creates, receives, maintains, or transmits record set information). So this would include all non-routine and routine (those for treatment, payment and operations) disclosures of PHI from an electronic database (ePHI).  Beginning Jan. 1, 2013, individuals would have the right to receive a report of who accessed their ePHI (access report) for a three year period from the date of the request.  Secondly, covered entities will have to revise their Notice of Privacy Practices (NPP) to reflect these changes and provide individuals with a Notice of Privacy Practice that discloses how the covered entity may use and disclose PHI and the individuals’ rights regarding their health information.  Thirdly, this NPRM will reduce the time for a covered entity to respond to a request for an accounting of disclosures from 60 days to 30 days.

The time to start preparing for these new accounting of disclosure requirements is now – not December 2012.  Why now?  A big challenge will be whether your system vendors can handle this new ePHI accounting of disclosures requirement and how they will do it. Covered Entities and Business Associates will have to revise their NPP to explain to individuals that they now have a right to an accounting of all disclosures of their ePHI.  Changes will have to be made administratively on how a Covered Entity and Business Associate will manage non-routine disclosures of hardcopy PHI for 6 years and routine disclosures of ePHI for 3 years.  With another new rule (accounting disclosures) coming down the pike shortly, be prepared and start planning now. 

Dave Sina – Author of A Healthcare Compliance Plan for Less that Two Dollars ($2.00) Per Day.

amednews: A few simple tricks can improve social media postings :: May 23, 2011 … American Medical News

amednews: A few simple tricks can improve social media postings :: May 23, 2011 … American Medical News.

The ICD-10 PlayBook: Hitting IT Out of the Park!

The ICD-10 PlayBook: Hitting IT Out of the Park!.

Over 1,600 people attended yesterday’s webinar on the launch of the new ICD-10 PlayBook, a cross-industry resource spearheaded by HIMSS. The PlayBook required the active participation by all the operating departments at HIMSS – from web to legal, education, communications, and more.

CMS Moves to Expand DRG Window Rule To Hospital-Owned Practices, Lower Fees | AIS Health

CMS Moves to Expand DRG Window Rule To Hospital-Owned Practices, Lower Fees | AIS Health.

Electronic Prescribing (eRx) Incentive Program Update – Avoiding the Adjustment – From CMS

In November 2010, the Centers for Medicare & Medicaid Services announced that, beginning in calendar year 2012, eligible professionals who are not successful electronic prescribers based on claims submitted between Sat Jan 1 and Thu June 30, 2011, may be subject to a payment adjustment on their Medicare Part-B Physician Fee Schedule-covered professional services. Section 132 of the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA) authorizes CMS to apply this payment adjustment whether or not the eligible professional is planning to participate in the eRx Incentive Program.

From 2012 through 2014, the payment adjustment will increase each calendar year. In 2012, the payment adjustment for not being a successful electronic prescriber will result in an eligible professional or group practice receiving 99% of their Medicare Part-B PFS amount that would otherwise apply to such services. In 2013, an eligible professional or group practice will receive 98.5% of their Medicare Part-B PFS-covered professional services for not being a successful electronic prescriber in 2011 or as defined in a future regulation. In 2014, the payment adjustment for not being a successful electronic prescriber is 2%, resulting in an eligible professional or group practice receiving 98% of their Medicare Part-B PFS-covered professional services. (The payment adjustment does not apply if less than 10% of an eligible professional’s or group practice’s allowed charges for the Sat Jan 1, 2011 through Thu June 30, 2011, reporting period are comprised of codes in the denominator of the 2011 eRx measure.)  Also note that earning an eRx incentive for 2011 will NOT necessarily exempt an eligible professional or group practice from the payment adjustment in 2012.

How to Avoid the 2012 eRx Payment Adjustment:

  • Eligible professionals – An eligible professional can avoid the 2012 eRx Payment adjustment if (s)he:
  • Is not a physician (MD, DO, or podiatrist), nurse practitioner, or physician assistant as of Thu June 30, 2011, based on primary taxonomy code in NPPES;
  • Does not have prescribing privileges. Note that (s)he must report G8644 at least one time on an eligible claim prior to Thu June 30, 2011;
  • Does not have at least 100 cases containing an encounter code in the measure denominator;
  • Becomes a successful e-prescriber; and
  • Reports the eRx measure for at least 10 unique eRx events for patients in the denominator of the measure.
  • Group Practices – For group practices that are participating in eRx GPRO-I or GPRO-II during 2011, the group practice MUST become a successful e-prescriber.
  • Depending on the group’s size, the group practice must report the eRx measure for 75-2500 unique eRx events for patients in the denominator of the measure.

For additional information, please visit the “Getting Started” webpage at Click here, or download the “Medicare’s Practical Guide to the Electronic Prescribing (eRx) Incentive Program” under “Educational Resources” on the same website.

Candy Sina – Author and developer of “Compliance Program for Less Than $2.00 Per Day.”

www.healthcarecomplianceconsulting.net

Simple Marketing for Healthcare Providers

If you are interested in how you can use simple marketing strategies to grow and develop your health care practice, you may want to look at Social Media as a tool to assist you in this process. Lee Aaseis the Communications Manager for the Mayo Clinic and Chancellor of SMUG, Social Media University, Global where his passion for what social media tools make possible knows how to use the social media to your advantage.

Social media represents a vehicle for taking advantage of opportunities.  You don’t need to be a genius and it’s not hard to do.  Get comfortable with social media tools.  Figure out how they work.  These are low cost tools and, if used effectively, can help you achieve results.  It costs little to nothing to use social media platforms, but you do need to develop expertise and experience to use those tools effectively. 

The Internet is rapidly becoming the medium by which people access healthcare information.  Currently 83% of Internet user search online for health information. 

The Mayo Clinic has been using social media to get its message out to the public.  It set up a Facebook page in November 2007, a  YouTube Channeland the  Twitter– at first purely as a defensive move with an RSS feed of news releases and then as a more interactive and engaging platform in 2/2009 when Lee Aase discovered TweetDeck

Mayo Clinic also has a  Newsroomwhere it can pitch content on a password – protected basis to journals prior to releasing news on key research, and a multitude of blogs to communicate with.  For example,  sharing.mayoclinic.org is where the Mayo Clinic can feature stories about and by patients and employees.  One video, created by a patient, features a 90 year old couple performing a piano duet from the Mayo Clinic Atrium; it recently went viral and I bet many of you will recognize it, click on this link to see Mayo Clinic atrium piano, charming older couple….

Social Media is here to stay.  If your organization starts to use social media tools in its healthcare practice, you will be ahead of the competition and be able to grow and develop your practice more effectively.

www.healthcarecompliance101.com and www.healthcarecompliance101.wordpress.com is commited to keeping healthcare providers informed on healthcare issues, healthcare compliance and enforcement.

Visit us on Facebook at http://www.facebook.com/pages/Saint-Paul-MN/Healthcare-Compliance-101/178908562161509 and become a fan.

Healthcare Compliance Consulting, Inc., 5755 Heather Ridge Drive, St. Paul, MN 55126, 651-484-4303, www.healthcarecomplianceconsulting.net  authors and developers of “Compliance Program for Less Than $2.00 Per Day.”

OIG Results of HIPAA Security Audits of Hospitals

Audit (A-04-08-05069)

05-16-2011
Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight

Executive Summary

Our review found that the Centers for Medicare & Medicaid Services’ (CMS) oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Health Insurance Portability and Accountability Act of 1996 Security Rule. As a result, CMS had limited assurance that controls were in place and operating as intended to protect electronic protected health information (ePHI), thereby leaving ePHI vulnerable to attack and compromise. Both the Social Security Act and the Security Rule require a covered entity, defined as a health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form, to (1) ensure the confidentiality, integrity, and availability of the information; (2) protect against any reasonably anticipated threats or risks to the security or integrity of the information; and (3) protect against unauthorized uses or disclosures of the information.

Our audits of 7 hospitals throughout the Nation identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact. These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge.

We recommended that the Department’s Office for Civil Rights (OCR) continue the compliance review process that CMS began in 2009 and implement procedures for conducting compliance reviews to ensure that Security Rule controls are in place and operating as intended to protect ePHI at covered entities. OCR did not comment on our specific findings and stated that it had considered our recommendations. OCR also noted that it maintains a process for initiating covered entity compliance reviews in the absence of complaints and that it had used this process to open compliance reviews as a result of our hospital audits. Although OCR stated that it maintains a process for initiating covered entity compliance reviews in the absence of complaints, it provided no evidence that it had actually done so.

Complete Report

Notification Download the complete report (PDF)
Adobe Acrobat Reader This link exits the Office of Inspector General Web site is required to view PDF files.

Copies can also be obtained by contacting the Office of Public Affairs at 202-619-1343.

amednews: Medicare audits to be expanded :: March 22, 2010 … American Medical News

amednews: Medicare audits to be expanded :: March 22, 2010 … American Medical News.

amednews: CMS proposes rule on expanding RAC program to Medicaid :: Dec. 13, 2010 … American Medical News

amednews: CMS proposes rule on expanding RAC program to Medicaid :: Dec. 13, 2010 … American Medical News.

Post Navigation