Social media is everywhere—even inside the walls of hospitals. Staff may log into personal accounts during lunch breaks, and many organizations maintain official social media accounts; plus, of course, patients and visitors often rely on social media to keep in touch with friends and family. For many, social media is so much a part of their everyday routine that the benefits are almost too obvious to list. Yet the risks—including potential HIPAA violations—are often not as clear, and privacy and security officers need to stay aware of them.
As OCR's auditors wrap up the final desk audit reports for phase two of the HIPAA audit program, many covered entities (CE) are breathing a little easier. Only 167 CEs were selected for desk audits in July. Audited CEs can expect to wait several months to see the final audit reports, although they will have the opportunity to review a draft version and submit comments that will be attached to the final report.
But phase two is far from over. Business associates (BA) will be selected for desk audits this fall—the first time these entities will be subject to OCR's HIPAA audits. And early next year, OCR will launch comprehensive on-site audits of both CEs and BAs.
One of the topics raising the most questions in case management today is related to the MOON notification requirement. Hospitals were struggling this summer to comply with the Notice of Observation Treatment and Implication for Care Eligibility (NOTICE) Act, which was signed by President Barack Obama August 6, requiring hospitals to provide a verbal and written notice of outpatient status to any patient in observation who has been in the hospital for more than 24 hours. Just prior to the August 6 implementation date, hospitals received word that the notification requirement would be delayed pending approval of modifications made to the government's notification form.
Hospitals got a last-minute reprieve from the MOON notification requirement, which was set to go into effect August 6. Citing the need for additional time to revise the standardized notification form that hospitals will need to use to notify patients about the financial implications of being assigned to observation services, CMS moved back the start date for the requirement in the 2017 Inpatient Prospective Payment System (IPPS) final rule to "no later than 90 days" after the final version of the form is approved.
In the outpatient setting, we have a different set of rules to follow under the ICD-10-CM Official Guidelines for Coding and Reporting than those who follow the guidelines for inpatient care. The ICD-10-CM guidelines for outpatient coding are used by hospitals and providers for coding and reporting hospital-based outpatient services and provider-based office visits.
The Medicare Reporting and Returning of Self-Identified Overpayments final rule (81 Fed. Reg. 7654‑7684), which became effective March 14, is designed to implement Section 1128J(d) of the Social Security Act, which was established under Section 6402(a) of the Affordable Care Act, effective March 23, 2010.