This week’s updates include the temporary pause of QIO short stay reviews; review of CMS' Pioneer Accountable Care Organization Payment Model first performance year administration; and more!
Q: CMS released guidance last summer about not auditing or counting errors for the specificity of an ICD-10-CM code. CMS is not going to count the code as an error as long as the first three digits are correct. Does this apply to medical necessity diagnoses and edits?
This week’s updates include change requests regarding payments to home health agencies that do not submit required quality data; the July 2016 update of the ambulatory surgical center payment system; and more!
A breach of PHI is the last thing a privacy or security officer wants but, large or small, breaches can happen. The best-laid defenses can be undermined by simple human error or a cyber-criminal hacking on the cutting edge of technology. When that happens, you need a security incident response plan.
Disaster plan
A formal security incident response plan should be developed and maintained similar to a data center disaster response plan, Kate Borten, CISSP, CISM, HCISPP, founder of The Marblehead Group, Marblehead, Massachusetts, says. IT departments should be accustomed to disaster recovery plans that guide the department's response to any disaster (e.g., fire, flood, earthquake) that affects computer systems. Security incident response plans can be seen as comparable and equally important.
When a breach is identified, the first step should be to stop the bleeding. Take steps to prevent a recurrence or limit the damage. This could be especially important for security breaches that involve hacking or PHI that was accidentally made accessible to the public on a website or cloud service. In such a situation, it would be prudent to shut down affected websites, portals, or remove access to data repositories, according to Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona.
Follow a plan from the start to ensure that risks are mitigated quickly. The plan should include appropriate steps to take depending on the type of security incident, who should be part of the incident response team, and how information about the breach should be communicated within the organization, according to Chris Apgar, CISSP, president of Apgar and Associates in Portland, Oregon. Having a detailed plan that lists members of the incident response team means more time can be spent addressing the breach than asking questions about who should be involved.
A security incident response plan will also help an organization determine what level of action it needs to take. "There will be some incidents, including breaches, where it's not necessary to pull together the whole team and go through every step in the plan," Apgar says. "For example, if a patient notifies you that she received another patient's EOB [explanation of benefits], it may not be necessary to call everyone together."
In that example, Apgar says, because the organization already knows who was impacted by the breach, the response is simply a matter of following the breach notification steps set by HIPAA and any applicable state laws.
