Q: Rural health clinics have to start to bill all services on individual lines with HCPCS codes and charges. Is there a way to report these services on a separate line without the appearance of inflating our charges?
In February 2016, just four months after ICD-10 go-live, HIM Briefings asked a range of healthcare professionals to weigh in on their productivity in ICD-9 versus ICD-10.
In general, the time spent coding records has increased since ICD-10 implementation for most record types. In fact, one respondent said his or her facility noticed a 40%-50% decline in productivity. However, another respondent noted that coder productivity often varies based on the physician who documented in the record, as some physicians are more in tune with the language of ICD-10 than others.
One-third (33%) of respondents were coders, whereas 21% identified as coding directors, managers, or supervisors. Approximately 16% identified as HIM directors, managers, or assistant directors or managers, while 12% of respondents were clinical documentation improvement (CDI) specialists. A small percentage of quality/performance improvement directors, vendors, consultants, IT directors/managers, billers, and auditors weighed in as well. More than half (53%) of respondents work in acute care hospitals.
One respondent said that his or her facility expects the same productivity in ICD-10 as it had in ICD-9, a nearly impossible feat in some cases. "The productivity requirements have not changed from ICD-9 to ICD-10. The current requirement for our facility is 18 charts per day (minimum 14). Very challenging and almost unobtainable."
The HCPro survey questions asked for the average minutes to code a record type. Some respondents wrote in the daily number of records coded, while others indicated the number of records averaged per hour.
Subpoenas are a sometimes-unwelcome fact of life for privacy officers. They can be complicated, requesting broad amounts of information that is time-consuming to gather. They can be written in dense legal language that takes time and finesse to decipher. If a subpoena requests PHI, it can also raise privacy concerns and questions about how to honor the subpoena while releasing only the necessary information. Some subpoenas may request information that an organization considers sensitive for other reasons. It can be all too easy to put off dealing with a subpoena until the last minute, then rush to react without taking the time to really read and understand what it says.
OCR and HIPAA audits. Give you chills, don't they? Most covered entities (CE) naturally fear getting the letter from the HIPAA privacy and security enforcers saying that they're coming, or that they want something. "Something" usually means your policies and procedures, risk analysis, and mitigation efforts if you've suffered a breach. Bottom line: CEs want to avoid OCR unless they need to go to the agency for information on the HIPAA Privacy, Security, or Breach Notification rules.
Interoperability isn't a new goal, but 2016 may be the year it becomes closer to a reality. HHS' 2017 budget includes a boost in the Office of the National Coordinator for Health Information Technology (ONC) funding specifically for the development of interoperability guidelines and standards, like an interoperability code of conduct, as well as efforts to combat information blocking.
Staying ahead of change
Being a hot-button issue alone won't solve interoperability's problems. It's a complex initiative, and reaching the goals outlined in the ONC's Interoperability Roadmap means providers, vendors, and policymakers have to work together to create practical guidelines and products that meet all applicable existing legislation, including HIPAA and other privacy and security laws. Interoperability also requires software vendors and developers to go against the very nature of their business and work with the competition.
It's a tall order, but achieving interoperability could greatly reduce the technical burdens many security officers struggle with, as well as create an atmosphere in which providers and vendors can work together to keep PHI safe. If it's not achieved, greater administrative burdens, technological problems, and, at worst, significant security weaknesses could result, cautions Chris Apgar, CISSP, president of Apgar and Associates, LLC, in Portland, Oregon.
Security officers need to pay close attention to interoperability, Apgar says. "Any time code is touched or changes are made in how an application or interface works, [it] raises the risk that the end product will not include the required security controls."
If 2016 is the year the healthcare industry starts making real progress on the road to interoperability, security officers need to make sure they read the map and scout the territory to ensure their organizations don't take any wrong turns.
Email encryption, file sharing, and mailbox security
by Chris Apgar, CISSP
Q: We are in the process of building a new office. Would it be HIPAA compliant to have an outside locked mailbox for our general postal mail and therapist paperwork that is dropped off at night? If not, would a mail slot on our front door work better?
A: An outside locked mailbox will suffice to secure incoming mail and therapist paperwork. Ensure that the mailbox is secure and not easily broken into. If the mailbox is secured with a key, it's a good idea to implement a solid key management program so it's known who has a key. Keys should be recovered when an employee resigns or is terminated. If an employee leaves without returning his or her key, it's wise to re-key the lock on the mailbox.
Editor's note
Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.