Tips for small covered entities charged with HIPAA compliance
"OCR has bigger fish to fry than me."
You may have heard that before—or even said it. Maybe you're an employee in a tiny healthcare facility. Or maybe you've seen the big headlines on data breaches, noted how they seem to always involve large insurance companies and massive healthcare facilities, and thought, "That won't happen to us."
Know thy BA
BAs are a part of HIPAA life—no matter how big or small your entity is. So how far should CEs go to ensure their BAs are HIPAA compliant?
Roger Shindell, CHPS, the CEO of Carosh Compliance Solutions in Crown Point, Indiana, notes that things changed in the HIPAA Omnibus Rule, HHS' biggest set of modifications to the HIPAA Privacy and Security rules per the HITECH Act. Prior to 2013, if a CE had a valid BA agreement in place, and the BA had a breach, the CE had a safe harbor exemption for the breach, he notes.
Entities are required to conduct an "accurate and thorough assessment" of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI.
BA agreements stipulate that the BA will comply with all the requirements under HIPAA/HITECH, per the HIPAA Omnibus Rule. So BAs need to be ready, just like you.
Should CEs offer training to the BAs? No, says Shindell.
"The BA has their own obligation to conduct training," he adds, "and if training is on specific policies and procedures, the CE would not know what these are and what is appropriate."
In our last article, I provided an overview of the Comprehensive Care for Joint Replacement (CJR) model, described in a recent Healthcare Financial Management Association webinar as one of the biggest Medicare changes since the implementation of DRGs.
Under the CJR, which began April 1, acute care hospitals in selected geographic areas assume quality and payment accountability for retrospectively calculated bundled payments for lower extremity joint replacement (LEJR) episodes.
The impact of CDI on CJR patient selection
A Medicare fee-for-service beneficiary is included in the CJR model when a claim is submitted for an inpatient encounter assigned MS-DRGs 469 or 470. These surgical MS-DRGs include total hip and knee replacements, ankle arthroplasties, partial hip replacements, lower leg, ankle and thigh reattachments, and hip resurfacing procedures. In the CJR final rule, CMS noted that the majority of the procedures in these MS-DRGs are total and partial hip replacements, and total knee replacements (see Figure 1 on p. 5).
The key CDI vulnerability associated with CJR patient selection is inaccurate MS-DRG assignment. The included MS-DRGs are replacement—not revision—procedures. Joint revision procedures are more complex, have higher costs, and are therefore assigned to different MS-DRGs (466-468, revision of hip or knee replacement with or without MCC).
If the coder omits assignment of the ICD-10-PCS code for the removal of the original device and only codes the replacement procedure, a patient with a revision—who should be assigned to MS-DRGs 466-468—will instead be misclassified into MS-DRGs 469 or 470, and will skew CJR clinical and cost outcomes.
Over the past couple months, HIMB has had audits on the brain. We covered the progress of the 2-midnight audits and walked you through the pass-fail meaningful use audits in detail. Now it's time to get a bird's-eye view of the 2016 audit landscape to ensure you're prepared for whatever comes your way this year.
Recovery Auditors
With 2-midnight rule audits shifting to the BFCC-QIOs, Crump predicts the Recovery Auditors will likely spend 2016 focusing on diagnosis-related group (DRG) audits and medical necessity reviews. These audits will likely focus on reviewing medical necessity for procedures, tests, and treatments in relation to what the Payment Integrity Manual states should be captured in the health information. Records that do not capture information related to local and national coverage determinations will likely be the low-hanging fruit if the Recovery Auditors are approved to focus on these reviews, says Dawn Crump, MA, SSBB, CHC, vice president of audit management solutions for CIOX Health in Alpharetta, Georgia.
To prepare for the Recovery Auditors, HIM professionals should focus on analyzing the risk at their facility. In addition, they should ensure there is a continuous feedback loop not only within the department but outside of it as well. Coding, compliance, and medical staff should be in the loop too, Crump says. Solid communication and education can go a long way in ensuring everyone is well prepared for an audit.
Establishing good quality checks, especially with EMRs, can also help a hospital bolster its audit preparation. HIM should be involved in checking that the information in the record tells the patient's complete story, Crump says.
"Records are evolving and EMRs are evolving, so I think status quo needs to be checked on a regular basis," she says.
For example, EMRs don't always capture all of the needed information. As local and national coverage determinations change for high-risk procedures and admissions, HIM and coding should be involved in the process of ensuring the EMR captures the latest changes and meets the new requirements; this way, the hospital will be ready to present information in the event of an audit, Crump says.
Last year, as ICD-10 implementation approached, organizations throughout the U.S. reported varying levels of comfort with regard to readiness and understanding of the impact of ICD-10 on physician workflow. For some, it was business as usual. For other physicians, ICD-10 became one more check box on the list of reasons to leave practice.
CMS proposed an extensive five-year, two-phase plan to overhaul Part B drug payments for physicians and hospitals in March outside of the normal OPPS rulemaking cycle that could be implemented as early as this fall.
