PHI is a bankable commodity. Hackers steal data and sell it to fraudsters. Individuals borrow or trade health information to fraudulently obtain coverage for services. Medical identity theft is a highly personal crime that can impact the victim's finances, personal and professional life, and health. Protecting this data is a tall order and involves staff in diverse departments, from front desk registration to information security.
"It doesn't take much to steal a credit card and use it for a hit-and-run buying spree, but healthcare data includes far more personal information," says Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts. PHI often includes the individual's name, address, and Social Security number, along with medical record numbers and insurance identification number.
Understanding how to detect medical identity theft and how to mitigate its effects can help organizations reduce the prevalence of such crime.
Medical identity theft can be difficult to detect, says Chris Apgar, CISSP, founder of Apgar and Associates, LLC, in Portland, Oregon.
"There is no national tracking system in place like there is with, say, theft of credit card data. I could perpetrate Medicaid fraud using the same data in multiple states, and unlike with credit cards, there is no national system to detect and shut down medical identity theft," he says.
Paper records persist despite healthcare's steady move to purely electronic documentation. Although paper records are simpler to secure than electronic records in some ways—you can't phish your way into a locked file cabinet—they also can't be encrypted. If a paper record is left out on a desk, there's little that can be done to prevent an unauthorized individual from reading it or even taking it. Papers can easily be misplaced or lost. They can be mixed up with another patient's records—or other unrelated papers—on a desk or be put back in the wrong file. And papers can all too easily fall unnoticed out of a file while being taken from one place to another.
Paper is still generated at multiple points, from new patient information forms to medical records that must be printed in part or whole if another provider's EHR system isn't interoperable. Keeping track of paper and ensuring it stays secure remains a challenge for privacy officers, but it can be managed through sound policies and alert staff.
Medical records that exist only on paper and are not digitized will be kept in a folder system. Staff may need access to these records for reference or to make copies, Ruelas says. That means paper records can pass through many hands throughout their lifetime, leaving them vulnerable to simple breaches.
Despite the security headaches caused by electronic information, electronic files can be protected against casual viewing by unauthorized individuals through proper encryption. Paper has no such protection, Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona, says. "Paper records, unlike electronic records, are immediately readable," he warns. "One doesn't need an electronic interface along with a login and passwords."
You also can't easily track paper and log how many people have looked at it. An electronic file may leave a trace even if it's deleted, but a missing paper won't be noticed until someone actually goes looking for it. "Unlike electronic systems, paper documents can be seen and taken by someone without leaving a trace," Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts, says. And although electronic records are more likely to be involved in large-scale breaches, there can still be paper record breaches involving thousands of patients, she says.
It's no secret that hospitals struggle with assigning the most appropriate status for patients, and this challenge is compounded by CMS' frequent changes to its regulations and guidance. To combat incorrect patient status assignments, one hospital has developed a system that rewards employees for speaking up when they suspect a patient's status is incorrect.
CMS issued a final rule in June to revamp the way it pays for tests under the Clinical Laboratory Fee Schedule (CLFS), though the agency has pushed the start date back a year and worked to ease administrative burden based on public comments.
"This, along with some other changes CMS finalized based on commenter concerns and additional analyses, is really good news for providers," says Jugna Shah, MPH, president and founder of Nimitt Consulting, Inc. "It's all in the spirit of reducing provider burden."
Now starting January 1, 2018, CMS will base CLFS payments on the weighted median amount paid by private payers for the same services. Providers are hopeful that these new weighted median rates based on a different process from the existing CLFS updating process, which has remained relatively unchanged since its establishment in 1984, will result in more accurate rates, says Shah.
Applicability
In order to develop the new rates, CMS will require "applicable laboratories to report applicable information" to the agency.
An applicable lab is defined as one that receives at least $12,500 in payments under the CLFS, and more than 50% of Medicare revenue from laboratory and/or physician services over the data reporting period to report private payer rates and test volumes for laboratory tests.
These thresholds will exclude approximately 95% of physician office laboratories and 55% of independent laboratories from having to report information, along with just about all hospital labs, according to CMS.
The applicable information required to be reported is:
The payment rate that was paid by each private payer for each test during the data collection period
The volume of such tests for each such payer
CMS originally proposed to use Taxpayer Identification Numbers (TIN) to identify applicable laboratories, but in the final rule made a change to use National Provider Identifiers (NPI). In order to keep administrative burden at a minimum, CMS will continue to apply the reporting requirements at the TIN level, making those entities responsible for reporting all NPI-level information for its applicable laboratories.
CMS also clarified that the information that must be reported is tied to payments received, which means that if a claim was submitted but payment was not yet received or was denied, that data would not be reported to CMS.
The data reporting period has been shortened from one year in the proposed rule to six months in the final rule. The first data collection period is from January 1‑June 30, 2016. That collected data will have to be reported to CMS from January 1‑March 31, 2017.
CMS plans to follow this schedule for subsequent collecting and reporting periods, which will occur every three years for all CLFS tests except Advanced Diagnostic Laboratory Tests (ADLT), which will have more frequent data collection and updating.
CMS has defined an ADLT as a clinical diagnostic laboratory test that is covered under Medicare Part B and offered and furnished by only a single laboratory, and only sold for use by the original developing laboratory, or a successor owner.
The test must also meet the following criteria:
The test is an analysis of multiple biomarkers of DNA, RNA, or proteins combined with a unique algorithm to yield a single patient-specific result
the test is cleared or approved by the Food and Drug Administration (FDA)
the test meets other similar criteria established by the secretary of HHS
In response to public comments to the proposed rule, CMS changed the definition of ADLTs, which originally only included molecular pathology analysis and did not include protein-only based tests.
ADLTs have been established by the agency in order to recognize when a laboratory has expended all of the resources associated with a test, including development, marketing, and selling.
The $12,500 threshold for CLFS payments will not apply with respect to ADLTs. If a laboratory would otherwise meet the definition of applicable, excepting the $12,500 threshold, CMS will consider it applicable with respect to the ADLT and it must report the applicable information pertaining to the ADLT.
CMS' Transmittal 3523, issued May 13, is the quarterly July 1 OPPS update. In this transmittal, CMS briefly mentions billing physical and occupational therapy and speech-language pathology services provided in support of or adjunctive to comprehensive APC (C-APC) services under revenue code 0940 (general therapeutic services) rather than the National Uniform Billing Committee‑defined revenue codes for these services (i.e., 042x, 043x, and 044x, respectively).
Healthcare organizations have become mass gatherers of data. But without sophisticated analytics, integrated IT tools, and processes to mine that data, they may not be able to take advantage of it.
