Those who regularly attend the annual AHIMA Convention and Exhibit no doubt have seen the exceptional quilt created each year by AHIMA member Katy Sheehy, MPA, RHIA, and sponsored by the Dames of Distinction to be bid at auction. The quilt is auctioned in support of the Linda Culp Memorial Scholarship fund, which was established in memory of the late Linda Culp, a former HIM professional, hospital chief executive officer, and AHIMA member. If you have seen the quilt, you have probably asked yourself, "Who are these people?"
Clinical documentation and coding has a significant impact on value-based quality outcome performance. Such outcomes include risk-adjusted mortality, readmission, patient safety, complication rates, and cost efficiency measures.
Value-based outcomes linked to payment represent the next wave of opportunity for CDI programs to support their health systems. Clinical documentation and coding across the continuum impact performance for claims-based measures contained within these standard data sets. Claims-based outcome measures use ICD-10 codes submitted on claims both to define the populations (or cohorts) included in the measure, as well as to risk-adjust performance.
Let's look at a few examples to illustrate how clinical documentation and code assignment can impact performance for one of the claims-based measures in the figure, the risk standardized complication rate?THA/TKA (RSCR THA/TKA):
Assignment of the discharge disposition as "AMA" also excludes the THA/TKA discharge from the measure.
Documentation and reporting of "morbid obesity" prior to the admission for the THA/TKA procedure strengthens risk adjustment. Note: "Obesity" does not impact risk adjustment.
Documentation and reporting of "chronic renal insufficiency" prior to the admission for the THA/TKA procedure will further strengthen risk adjustment. Note: "Renal insufficiency" will not count.
Documentation and reporting of "coronary artery disease" in the THA/TKA inpatient encounter will strengthen the risk adjustment even further.
The alignment of quality measures that will be linked to payment by public and private payers provides a framework upon which future efforts can be based. CMS will go through a public notice and comment rulemaking for implementation of these core sets and looks forward to public input on the measures included in these core measure sets.
Each year, some 400,000 patients in the U.S. receive home parenteral and enteral nutrition (HPEN), and that number is expected to grow as the population ages, the malnutrition epidemic becomes greater, and the push to improve nutrition to improve patient outcomes increases, says Noreen Luszcz, MBA, RD, CNSC,the national nutrition program director for Option Care, a home infusion provider for adult and pediatric patients.
A breach of PHI is the last thing a privacy or security officer wants but, large or small, breaches can happen. The best-laid defenses can be undermined by simple human error or a cyber-criminal hacking on the cutting edge of technology. When that happens, you need a security incident response plan.
Disaster plan
A formal security incident response plan should be developed and maintained similar to a data center disaster response plan, Kate Borten, CISSP, CISM, HCISPP, founder of The Marblehead Group, Marblehead, Massachusetts, says. IT departments should be accustomed to disaster recovery plans that guide the department's response to any disaster (e.g., fire, flood, earthquake) that affects computer systems. Security incident response plans can be seen as comparable and equally important.
When a breach is identified, the first step should be to stop the bleeding. Take steps to prevent a recurrence or limit the damage. This could be especially important for security breaches that involve hacking or PHI that was accidentally made accessible to the public on a website or cloud service. In such a situation, it would be prudent to shut down affected websites, portals, or remove access to data repositories, according to Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona.
Follow a plan from the start to ensure that risks are mitigated quickly. The plan should include appropriate steps to take depending on the type of security incident, who should be part of the incident response team, and how information about the breach should be communicated within the organization, according to Chris Apgar, CISSP, president of Apgar and Associates in Portland, Oregon. Having a detailed plan that lists members of the incident response team means more time can be spent addressing the breach than asking questions about who should be involved.
A security incident response plan will also help an organization determine what level of action it needs to take. "There will be some incidents, including breaches, where it's not necessary to pull together the whole team and go through every step in the plan," Apgar says. "For example, if a patient notifies you that she received another patient's EOB [explanation of benefits], it may not be necessary to call everyone together."
In that example, Apgar says, because the organization already knows who was impacted by the breach, the response is simply a matter of following the breach notification steps set by HIPAA and any applicable state laws.
Creating and conducting an organizationwide risk analysis: Part 1
Editor's note: This is part one of a series about implementing organizationwide risk analyses. Look for part two in an upcoming issue of BOH.
OCR's breach settlements, corrective action plans (CAP), and penalties often take organizations to task for not completing a regular organizationwide risk analysis, yet it's all too easy for this important job to fall by the wayside. A lack of resources and competing demands within an organization can push the risk analysis to the bottom of the list of priorities. But this leaves an organization vulnerable to threats it will only see in hindsight. It also often leads to scrutiny from OCR and the public.