CMS wants your thoughts on its 2017 OPPS proposed changes. In various places in the proposed rule, CMS specifically asks providers to comment on the proposals. You may submit comments to the agency until September 6.
Threats to PHI are coming fast and furious. Although many organizations are ready to take HIPAA compliance seriously, it requires sustained attention and resources for organizations to protect PHI. That can't happen if privacy and security officers aren't being heard by the board and senior leaders.
In July, OCR announced it reached a HIPAA breach settlement with Oregon Health and Science University (OHSU), an academic health center. In its statement on the settlement, the agency drew attention to the vital role hospital executives and senior leaders play in HIPAA compliance. OHSU did complete risk analyses and identify vulnerabilities, including those that caused the two massive breaches named in the settlement, but no action was taken to mitigate these vulnerabilities. Without support from the top, OHSU's security risks remained unaddressed until it was too late. Failure to address these risks came with a $2.7 million price tag, a strict three-year corrective action plan, and the kind of bad press that's difficult to put a positive spin on.
Privacy and security officers need executive support, but obtaining it may be a challenge. Alliances with key staff and an understanding of the concerns senior leaders face can be a win for privacy and security in the boardroom.
Growing threats to PHI, particularly ransomware, have drawn attention to privacy and security this year. Senior leaders and members of the board may be feeling the pressure to change the way their organizations operate and step up security measures.
Assigning the correct patient status is a constant challenge for hospitals and the case managers who are charged with ensuring these decisions are accurate.
CMS is looking to implement the Section 603 provisions of the Bipartisan Budget Act of 2015 regarding off-campus, provider-based departments (PBD) by January 1, 2017, according to the 2017 OPPS proposed rule (https://s3.amazonaws.com/public-inspection.federalregister.gov/2016-16098.pdf). The agency is proposing to pay the nonfacility or office Medicare Physician Fee Schedule (MPFS) amount to the performing/supervising physician and preclude hospitals from billing on a UB-04 form or receiving OPPS payment for services performed at these locations for 2017, but plans to explore other options for 2018 and beyond.
Physicians would be paid at the higher nonfacility rate of the MPFS, but only hospitals that have employed or contracted physicians that reassign their billing to the hospital would get paid under the MPFS for these services.
Hospitals would be able to bill claims on CMS-1500 forms for physicians who have already reassigned their billing to the hospital, as in the case of employed physicians. Otherwise, hospitals would have the option of enrolling the location as the type of provider or supplier it wishes to bill to meet the requirements of that payment system (e.g., ambulatory surgery center or group practice).
"This proposal will be very challenging for hospitals that have community physicians practice at their off-campus outpatient departments that will no longer be paid under OPPS," says Valerie Rinkle, MPA, lead regulatory specialist and instructor for HCPro, a division of BLR, in Middleton, Massachusetts.
"These physicians would bill with the office place of service code and the hospital would have to figure out how to get compensated," she says. "This will likely require hospitals to rewrite their agreements with these physicians."
There are no federally recognized HIPAA certification standards for covered entities (CE) and business associates (BA), and it's unlikely there will be. However, that doesn't stop larger CEs from requiring some form of certification to demonstrate compliance with HIPAA and proof that BAs have implemented sound information security programs. The Health Information Trust Alliance (HITRUST) published its first common security framework (CSF) in March 2009 with the goal of focusing on information security as a core pillar of the broad adoption of health information systems and exchanges. Larger CEs, primarily large health plans, now require their BAs to become HITRUST certified.
The cost of healthcare is quickly rising across the nation, and patients are shouldering the majority of the price increases through higher deductibles and out-of-pocket expenses as expenditures continue to shift from employers to patients. According to a TransUnion Healthcare report released during HFMA's 2016 National Institute in Las Vegas (www.marketwired.com/press-release/-2137926.htm), patients experienced a 13% increase in medical costs between 2014 and 2015.
A rise in self-pay patients usually signifies an increase in bad debt risk that can have a sharp and negative effect on revenue streams. As expected, healthcare organizations responded to this upward trend in patient financial responsibility by dedicating more attention and resources to managing their self-pay accounts. But are additional complications necessary? Can self-pay accounts be managed more effectively by actually taking fewer and more logical steps?
Recent work with pre-acute care providers, such as emergency medical services (EMS) and emergency medicine physician groups, reveals that most of these providers are struggling to address self-pay accounts. Hospitals and health systems report similar concerns. Addressing the rise in self-pay patients requires a shift change in revenue cycle management strategies and tactics.
Instead of raising the level of complexity required to manage self-pay receivables, providers should try to simplify efforts: work smarter, not harder. Determining patient propensity to pay is one of these practical steps. Using the pre-acute care sector as one example, qualification for accounts management can be radically simplified with significantly fewer steps.