One of the more challenging aspects of a case manager's job is helping to ensure a patient successfully transfers from the hospital to the next level of care. Under a set of proposed revisions to Medicare's Conditions of Participation (CoP) announced in November 2015.
Hackers and malware are routine threats for most healthcare organizations, but this year saw criminals add a devastating tool to their arsenal: ransomware.
Although the dramatic increase in ransomware attacks against healthcare organizations is largely a recent phenomenon, ransomware itself is not new. According to the FBI, it's been around for several years, but the agency began to see an uptick in ransomware attacks in 2015, particularly against organizations. Early this year, the Department of Defense specifically warned healthcare organizations that they are a top target for ransomware. As ransomware continued to grab headlines and lawmakers called for official action, HHS released ransomware response and prevention guidance for healthcare organizations (www.aha.org/content/16/160620cybersecransomware.pdf).
State and federal lawmakers took notice as well. At a March 22 joint hearing of the House of Representatives subcommittees on Information Technology and Health Care, Benefits, and Administrative Rules, some lawmakers suggested HIPAA should be modified to specifically require covered entities and business associates to report ransomware attacks.
Security officers must act now to protect their organizations, and in turn, organizations must be prepared to invest in security and carefully follow related policies. The price for failing to do so could be high.
PHI is a bankable commodity. Hackers steal data and sell it to fraudsters. Individuals borrow or trade health information to fraudulently obtain coverage for services. Medical identity theft is a highly personal crime that can impact the victim's finances, personal and professional life, and health. Protecting this data is a tall order and involves staff in diverse departments, from front desk registration to information security.
"It doesn't take much to steal a credit card and use it for a hit-and-run buying spree, but healthcare data includes far more personal information," says Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts. PHI often includes the individual's name, address, and Social Security number, along with medical record numbers and insurance identification number.
Understanding how to detect medical identity theft and how to mitigate its effects can help organizations reduce the prevalence of such crime.
Medical identity theft can be difficult to detect, says Chris Apgar, CISSP, founder of Apgar and Associates, LLC, in Portland, Oregon.
"There is no national tracking system in place like there is with, say, theft of credit card data. I could perpetrate Medicaid fraud using the same data in multiple states, and unlike with credit cards, there is no national system to detect and shut down medical identity theft," he says.
CMS' Transmittal 3523, issued May 13, is the quarterly July 1 OPPS update. In this transmittal, CMS briefly mentions billing physical and occupational therapy and speech-language pathology services provided in support of or adjunctive to comprehensive APC (C-APC) services under revenue code 0940 (general therapeutic services) rather than the National Uniform Billing Committee‑defined revenue codes for these services (i.e., 042x, 043x, and 044x, respectively).
CMS issued a final rule in June to revamp the way it pays for tests under the Clinical Laboratory Fee Schedule (CLFS), though the agency has pushed the start date back a year and worked to ease administrative burden based on public comments.
"This, along with some other changes CMS finalized based on commenter concerns and additional analyses, is really good news for providers," says Jugna Shah, MPH, president and founder of Nimitt Consulting, Inc. "It's all in the spirit of reducing provider burden."
Now starting January 1, 2018, CMS will base CLFS payments on the weighted median amount paid by private payers for the same services. Providers are hopeful that these new weighted median rates based on a different process from the existing CLFS updating process, which has remained relatively unchanged since its establishment in 1984, will result in more accurate rates, says Shah.
Applicability
In order to develop the new rates, CMS will require "applicable laboratories to report applicable information" to the agency.
An applicable lab is defined as one that receives at least $12,500 in payments under the CLFS, and more than 50% of Medicare revenue from laboratory and/or physician services over the data reporting period to report private payer rates and test volumes for laboratory tests.
These thresholds will exclude approximately 95% of physician office laboratories and 55% of independent laboratories from having to report information, along with just about all hospital labs, according to CMS.
The applicable information required to be reported is:
The payment rate that was paid by each private payer for each test during the data collection period
The volume of such tests for each such payer
CMS originally proposed to use Taxpayer Identification Numbers (TIN) to identify applicable laboratories, but in the final rule made a change to use National Provider Identifiers (NPI). In order to keep administrative burden at a minimum, CMS will continue to apply the reporting requirements at the TIN level, making those entities responsible for reporting all NPI-level information for its applicable laboratories.
CMS also clarified that the information that must be reported is tied to payments received, which means that if a claim was submitted but payment was not yet received or was denied, that data would not be reported to CMS.
The data reporting period has been shortened from one year in the proposed rule to six months in the final rule. The first data collection period is from January 1‑June 30, 2016. That collected data will have to be reported to CMS from January 1‑March 31, 2017.
CMS plans to follow this schedule for subsequent collecting and reporting periods, which will occur every three years for all CLFS tests except Advanced Diagnostic Laboratory Tests (ADLT), which will have more frequent data collection and updating.
CMS has defined an ADLT as a clinical diagnostic laboratory test that is covered under Medicare Part B and offered and furnished by only a single laboratory, and only sold for use by the original developing laboratory, or a successor owner.
The test must also meet the following criteria:
The test is an analysis of multiple biomarkers of DNA, RNA, or proteins combined with a unique algorithm to yield a single patient-specific result
the test is cleared or approved by the Food and Drug Administration (FDA)
the test meets other similar criteria established by the secretary of HHS
In response to public comments to the proposed rule, CMS changed the definition of ADLTs, which originally only included molecular pathology analysis and did not include protein-only based tests.
ADLTs have been established by the agency in order to recognize when a laboratory has expended all of the resources associated with a test, including development, marketing, and selling.
The $12,500 threshold for CLFS payments will not apply with respect to ADLTs. If a laboratory would otherwise meet the definition of applicable, excepting the $12,500 threshold, CMS will consider it applicable with respect to the ADLT and it must report the applicable information pertaining to the ADLT.
Modifier -58 describes a staged or related procedure or service by the same provider during the postoperative period. For outpatient hospitals, the postoperative period is defined as the same service date.
