There's good news and bad news on the 2-midnight rule front. The good news: CMS has put short-stay inpatient audits related to the 2-midnight rule on hold as of May 4. The bad news: This isn't a free pass, and it isn't going to last.
Assigning the correct patient status is important not only to ensure that the hospital gets accurate payment for a patient stay, but also to ensure that the patient receives access to the postacute benefits to which he or she is entitled.
One of the more challenging aspects of a case manager's job is helping to ensure a patient successfully transfers from the hospital to the next level of care. Under a set of proposed revisions to Medicare's Conditions of Participation (CoP) announced in November 2015.
Hackers and malware are routine threats for most healthcare organizations, but this year saw criminals add a devastating tool to their arsenal: ransomware.
Although the dramatic increase in ransomware attacks against healthcare organizations is largely a recent phenomenon, ransomware itself is not new. According to the FBI, it's been around for several years, but the agency began to see an uptick in ransomware attacks in 2015, particularly against organizations. Early this year, the Department of Defense specifically warned healthcare organizations that they are a top target for ransomware. As ransomware continued to grab headlines and lawmakers called for official action, HHS released ransomware response and prevention guidance for healthcare organizations (www.aha.org/content/16/160620cybersecransomware.pdf).
State and federal lawmakers took notice as well. At a March 22 joint hearing of the House of Representatives subcommittees on Information Technology and Health Care, Benefits, and Administrative Rules, some lawmakers suggested HIPAA should be modified to specifically require covered entities and business associates to report ransomware attacks.
Security officers must act now to protect their organizations, and in turn, organizations must be prepared to invest in security and carefully follow related policies. The price for failing to do so could be high.
PHI is a bankable commodity. Hackers steal data and sell it to fraudsters. Individuals borrow or trade health information to fraudulently obtain coverage for services. Medical identity theft is a highly personal crime that can impact the victim's finances, personal and professional life, and health. Protecting this data is a tall order and involves staff in diverse departments, from front desk registration to information security.
"It doesn't take much to steal a credit card and use it for a hit-and-run buying spree, but healthcare data includes far more personal information," says Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts. PHI often includes the individual's name, address, and Social Security number, along with medical record numbers and insurance identification number.
Understanding how to detect medical identity theft and how to mitigate its effects can help organizations reduce the prevalence of such crime.
Medical identity theft can be difficult to detect, says Chris Apgar, CISSP, founder of Apgar and Associates, LLC, in Portland, Oregon.
"There is no national tracking system in place like there is with, say, theft of credit card data. I could perpetrate Medicaid fraud using the same data in multiple states, and unlike with credit cards, there is no national system to detect and shut down medical identity theft," he says.
CMS' Transmittal 3523, issued May 13, is the quarterly July 1 OPPS update. In this transmittal, CMS briefly mentions billing physical and occupational therapy and speech-language pathology services provided in support of or adjunctive to comprehensive APC (C-APC) services under revenue code 0940 (general therapeutic services) rather than the National Uniform Billing Committee‑defined revenue codes for these services (i.e., 042x, 043x, and 044x, respectively).
