HIPAA COMPLIANCE and Why the Wise Provider Enlists Help in Achieving it


Posted on: May 31st, 2016 by claimsworks

HIPAA stands for the Health Insurance Portability and Accountability Act, which was passed by the US Congress in phases during 2000 – 2003 with the intent of instituting administrative reforms. The act was designed to hold the healthcare industry accountable for safeguarding the privacy of all patients’ Protected Health Information (PHI). The Office of the Inspector General (OIG) is the governmental agency that addresses HIPAA compliance among healthcare institutions, medical practices, and the business associates that handle PHI on their behalf. The OIG’s enforcement arm is the Office of Civil Rights (OCR).

If you work in the healthcare industry, you know that HIPAA is a big deal. HIPAA non-compliance fines range from $100 per case for single “I didn’t know” violations up to $50,000 per case for “willful negligence.” When many patients are involved in a PHI breach, the maximum fine caps out at $1.5 million, and in some cases the penalty can even include incarceration. So, with this threat looming over the heads of providers in private practice, a provider may ask: what exactly are all the aspects of HIPAA compliance, and more importantly, how does one ensure that his or her practice is compliant?

HIPAA COMPLIANCE goes well beyond just trying to keep Protected Health Information (PHI) secure. An initial printing of policies and procedures, along with a whole-hearted effort to educate employees about the rules and regulations of HIPAA, is where some practices stop. With fingers crossed, they can only hope that the practice will never experience a security breach (which could be the act of a disgruntled staff member seeking revenge). Adding insult to injury, a breach could result in a full audit by the Office of Civil Rights (OCR). True HIPAA compliance means not only establishing policies and procedures to maintain security, but also carrying the burden of proof that those policies and procedures are being followed to a T. That means documentation and ongoing maintenance are a must.

Some of the over-arching necessary action steps a practice must take are the following:

  • The practice must assign an officer in charge of all things HIPAA.
  • The practice must establish written Policies and Procedures to properly handle PHI and keep it secure.
  • The HIPAA officer must ensure that all staff members have read (and understood) the aspects of the HIPAA rules pertaining to their specific roles in the practice.
  • Document updates must also be maintained to ensure ongoing staff education and attestation of the latest document revisions.
  • The practice must conduct an annual risk analysis.
  • If there are gaps that keep the practice from being fully compliant, remediation actions must take place to fill the gaps.
  • There must be an action plan already in place which would be followed in the event of a security breach.
  • Signed Business Associate Agreements must be on file for any and all companies commissioned by the practice to provide billing, collections, coding, transcription, etc.

According to the Department of Health and Human Services (HHS), the OIG has established four rules that must be observed to satisfy the rules and regulations of HIPAA (http://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html). The four HIPAA rules are as follows:

  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • HIPAA Administration Rule
  • HIPAA Enforcement Rule

Under these rules, there are additional sub-categories that apply. For instance, under the Security Rule, physical security must be addressed. One common example is the sign-in sheet at the front desk of a medical practice, which should not visibly display the names of every patient who has visited the office that day for each subsequent patient to read. Staff must also be discreet and refrain from discussing any medical conditions with a patient within earshot of people in the waiting area. That means a friendly office greeting such as, “How are your hemorrhoids today?” announced by the nurse for all to hear as she ushers her patient into the back office would actually be a HIPAA violation.

Under the Security Rule there is also a sub-rule known as the Technology Rule, which addresses password protection and the need to encrypt electronic PHI. Depending on whether a practice uses a cloud-based Electronic Health Record (EHR) system or manages its health records electronically on its own server with purchased software, there are detailed policies and procedures that must be followed in order to keep PHI secure. Even something as simple as a receptionist asking a patient to send an image of their medical insurance card via an ordinary email system like Gmail would be a HIPAA violation, because the image travels and is stored outside the practice’s controlled, encrypted systems. While it is true that common sense would typically prevail in these situations, and such violations are unlikely to occur, HIPAA fines are so costly that the best approach is to be proactive and establish the policies and procedures that will minimize the risk of a HIPAA violation.

So, what’s the best way for a practice to help ensure it is HIPAA compliant and minimize the risk of HIPAA violations? Some build their own HIPAA compliance plan from the ground floor, which is a daunting task. Others hire attorneys who help them get started with templates for policies and procedures, while others enlist the help of HIPAA coaches or experts. Clearly there are a lot of different options for achieving and maintaining compliance, and these options have a wide range of prices, from up to $10,000 for a HIPAA coach to costly hourly attorney fees. One proven and economical approach is to use a HIPAA compliance company that offers effective compliance solutions through a web-enabled approach, with a model that also includes the ongoing help of a HIPAA coach at only a fraction of the cost that other solutions would charge.

With the increased financial burdens that providers face in running their practices these days, some may be tempted to simply hope that they never have to deal with any HIPAA problems, but such hopes may prove costly down the road. In the end, providers do not have absolute control over the choices that their staff and business associates make. A more proactive approach, by way of enlisting the help of a HIPAA expert, may serve as a valuable insurance policy of sorts in the face of a PHI breach and audit. If there is evidence of an annual self-audit and remediation, the OCR is much more likely to extend understanding when it is obvious that every effort was made to safeguard PHI.

Whether you are a solo practice provider or a large practice with multiple providers, it is never too early to address HIPAA compliance and protect yourself from the headaches and costs associated with HIPAA violations. You’ll be glad you did, and what’s more, the stress of worrying about HIPAA compliance will be gone!

ICD-10 Preparedness: Delays, Progress and Reality Checks…and the survey says?

Posted on: April 14th, 2015 by claimsworks

Industry experts believe there will not be another ICD-10 delay this year, but most in the HIT community are taking a wait and see approach while encouraging practices to continue preparing for a transition this year.

According to a survey by the Workgroup for Electronic Data Interchange (WEDI) published on April 6, 2015, last year’s delay has “negatively affected stakeholders’ progress” in preparing for the new code sets. Why the slowdown in preparations? According to the survey, more than 50% of providers cited “uncertainty over future delays” as the most significant barrier to their implementation progress.

Providers may be negatively impacted by multiple factors that seem beyond their control, as they are dependent on EHR, clearinghouse, and practice management software providers. Interestingly, and somewhat alarmingly, 25% of vendors said their updated products would not be available until the second or third quarter of 2015. Why won’t some vendors be ready? They cited customer readiness and competing priorities as barriers to preparing for ICD-10.

One can only wonder what priorities are trumping ICD-10 readiness for vendors. Providers should already know when their software vendors will make ICD-10 ready versions available, and at what cost. (At ClaimsWorks, our systems have been ICD-10 ready since December 2013, and are made available to providers with no upgrade fees or costs.)

Among health care providers, the survey found:

  • About two-thirds said they slowed or entirely stopped their transition efforts as a result of the delay
  • About 33% said they had completed impact assessments of the ICD-10 transition, down from more than 50% of providers who said they had done so in August 2014
  • About 25% said they had started external testing, down from 33% in August 2014
  • About 25% said they had tested with Medicare
  • 20% said they did not plan to conduct testing with Medicare

While most industry professionals are moving forward with preparations for a transition this fall, the survey indicates there is good reason to be concerned about the upcoming transition. The organization (WEDI) submitted its concerns in a letter to the Secretary of the Department of Health and Human Services. “Unless all industry segments take the initiative to make a dedicated effort and move forward with their implementation work, there will be significant disruption on Oct. 1, 2015,” said Devin Jopp, EdD, president and CEO of WEDI.

One of the many benefits of our web-based MediTouch EHR is that updates such as ICD-10 can be implemented instantly and without any cost to the practice. Plus, MediTouch provides an in-system tool that suggests appropriate ICD-10 codes based on the ICD-9 codes you have selected, making the transition that much easier.