OCR's long-awaited Phase 2 HIPAA Audit Program is finally in full swing. On March 21, OCR announced that it will begin verifying the contact information of covered entities (CE) and business associates (BA) selected for audits (www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2a...). This shouldn't surprise savvy healthcare organizations. The audits kicked off after a flurry of activity from OCR and HHS, including pricey HIPAA settlement fines and the publication of user-friendly HIPAA guidance for providers, developers, and patients.
Over the past couple months, HIMB has had audits on the brain. We covered the progress of the 2-midnight audits and walked you through the pass-fail meaningful use audits in detail. Now it's time to get a bird's-eye view of the 2016 audit landscape to ensure you're prepared for whatever comes your way this year.
Recovery Auditors
With 2-midnight rule audits shifting to the BFCC-QIOs, Crump predicts the Recovery Auditors will likely spend 2016 focusing on diagnosis-related group (DRG) audits and medical necessity reviews. These audits will likely focus on reviewing medical necessity for procedures, tests, and treatments in relation to what the Payment Integrity Manual states should be captured in the health information. Records that do not capture information related to local and national coverage determinations will likely be the low-hanging fruit if the Recovery Auditors are approved to focus on these reviews, says Dawn Crump, MA, SSBB, CHC, vice president of audit management solutions for CIOX Health in Alpharetta, Georgia.
To prepare for the Recovery Auditors, HIM professionals should focus on analyzing the risk at their facility. In addition, they should ensure there is a continuous feedback loop not only within the department but outside of it as well. Coding, compliance, and medical staff should be in the loop too, Crump says. Solid communication and education can go a long way in ensuring everyone is well prepared for an audit.
Establishing good quality checks, especially with EMRs, can also help a hospital bolster its audit preparation. HIM should be involved in checking that the information in the record tells the patient's complete story, Crump says.
"Records are evolving and EMRs are evolving, so I think status quo needs to be checked on a regular basis," she says.
For example, EMRs don't always capture all of the needed information. As local and national coverage determinations change for high-risk procedures and admissions, HIM and coding should be involved in the process of ensuring the EMR captures the latest changes and meets the new requirements; this way, the hospital will be ready to present information in the event of an audit, Crump says.
OCR and HIPAA audits. Give you chills, don't they? Most covered entities (CE) naturally fear getting the letter from the HIPAA privacy and security enforcers saying that they're coming?or that they want something. "Something" usually means your policies and procedures, risk analysis, and mitigation efforts if you've suffered a breach. Bottom line: CEs want to avoid OCR unless they need to go to the agency for information on the HIPAA Privacy, Security, or Breach Notification rules
The new modifier -PO (services, procedures, and/or surgeries furnished at off-campus provider-based outpatient departments [PBD]) and the alternative payment provisions under the Bipartisan Budget Act Section 603 are both related to off-campus PBDs but define "off-campus PBD" slightly differently.
In February 2016, just four months after ICD-10 go-live, sister publication HIM Briefings (formerly Medical Records Briefing) asked a range of healthcare professionals to weigh in on their productivity in ICD-9 versus ICD-10.
When the Quality Improvement Organizations (QIO) took over the role of education and enforcement for the 2-midnight rule on October 1, 2015, many anticipated that their reviews would only look at records from that date forward. But in an unpleasant turn of events, some hospitals have reported QIO record requests zeroing in on cases as far back as May 2015, says Ronald Hirsch, MD, FACP, CHCQM, vice president of the Regulations and Education Group for AccretivePAS in Chicago.
"It caught everybody off guard. No one expected them to audit any earlier than October 1," he says. "But audits are starting hot and heavy, and it's important for organizations to understand that it's permitted and that the QIOs can request charts going back six months."
According to a fact sheet, CMS is specifically using "Beneficiary and Family Centered Care (BFCC) QIOs, rather than MACs or Recovery Auditors, to conduct the initial medical reviews of providers who submit claims for short-stay inpatient admissions on October 1, 2015. Beginning in 2016, BFCC-QIOs will begin reviewing inpatient cases under the revised Two Midnight Rule being announced today." (For more information, visit www.cms.gov/Newsroom/MediaReleaseDatabase/Fact-sheets/2015-Fact-sheets-items/2015-10-30-4.html.)
Another surprise? BFCC-QIOs are requesting charts for inpatient-only surgeries, something they weren't supposed to do, says Hirsch.
