The FY 2017 IPPS proposed rule released April 27 is replete with modifications and expansions to claims-based quality and cost outcome measures. Although many of these proposed changes are for future fiscal years, ICD-10 codes reported for current discharges will impact the future financial performance for our organizations.
Cost measures
Two new payment measures are proposed as additions to the efficiency and cost reduction domain beginning in FY 2021:
Hospital Level, Risk-Standardized Payment Associated with a 30-Day Episode-of-Care for Acute Myocardial Infarction
Hospital Level, Risk-Standardized Payment Associated with a 30-Day Episode-of-Care for Heart Failure
The risk adjustment methodologies used for these measures are similar to those used for risk-adjusted mortality. The payment measure is intended to be paired with the 30-day mortality measures, thereby directly linking payment to quality by the alignment of comparable populations and risk adjustment methodologies to facilitate the assessment of efficiency and value of care.
The baseline period for these measures is July 1, 2012, through June 30, 2015. The performance period for these measures is July 1, 2017, through June 30, 2019. Performance for these new measures will be scored using the methodology used for the Medicare Spending Per Beneficiary measure.
CMS expands on its interest to further integrate quality and cost measures to reflect value, and is seeking public input on potential approaches. Underlying present challenges in reflecting value are noted as follows:
Currently, the HVBP assesses quality and efficiency separately through distinct performance measures in different domains, which as of FY 2018 are equally weighted to create the overall Total Performance Score. The four domains include:
Safety
Efficiency and cost reduction
Clinical care
Personal and community engagement
The current scoring approach can permit a hospital to earn a higher payment adjustment relative to other hospitals by performing well on quality-related domains without performing well in the efficiency and cost reduction domain, or vice versa.
Without a measure or score for value that reflects both quality and costs, the ability to assess value is limited.
Discharge planning has long been a challenge for organizations, but proposed revisions to Medicare'sConditions of Participation announced in November 2015 may make the process even more difficult.
When compared to data from past surveys, HCPro's 2016 HIM director and manager salary survey revealed a harsh truth that many HIM professionals already know: There has been little movement in HIM manager and director salaries over the years.
Creating and conducting an organizationwide risk analysis: Part 2
Editor's note: This is part two of a series about implementing an organizationwide risk analysis. See the May 2016 issue of BOH for part one.
Performing a regular organizationwide risk analysis is a basic HIPAA requirement and also simply good business practice. Beyond checking off an item on the HIPAA compliance list, a risk analysis will help an organization identify and rank security weaknesses, efficiently use resources to address them, and ultimately protect the security and integrity of an organization's data, including PHI, financial, and business operations information. Yet in a world of competing demands and limited resources, a risk analysis may be put off until it's too late. Even if one is completed, security officers may encounter obstacles when trying to act on the results of the risk analysis.
The purpose of a risk analysis is to develop a strategic plan of action that addresses and corrects vulnerabilities, and shouldn't be used to simply create a report on the current state of security, says Kate Borten, CISSP, CISM, HCISPP, founder of The Marblehead Group in Marblehead, Massachusetts. "Only when an organization performs periodic and as-needed risk assessments, and then mitigates significant risks, can the ISO [information security officer] and leadership have the confidence that their security program is functioning and adequate," she says.
A risk analysis is one of several activities that is part of a risk management program, says Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP, manager of risk advisory and forensic services at Wipfli, LLP, in Eau Claire, Wisconsin. The risk management program is about managing risks to the organization (i.e., business mission, image, reputation, and patient safety and privacy), organizational assets, and workforce. An organization can't mitigate risks it isn't aware of and doesn't understand.
Risks are first identified, then analyzed and evaluated based on what action is needed, Ensenbach says. They also must be monitored on an ongoing basis, a vital step that if missed can undermine an otherwise solid risk management program.
Q: I am a certified case manager working in an acute care hospital. As part of our job requirements, when working in the emergency room (ER), we are asked to problem solve throughout the day. We often get requests for information on patients seen in the ER who have since been discharged.
Editor's note: This is part one of a series about medical identity theft. Look for part two in an upcoming issue of BOH.
Privacy and security officers are sitting on a hoard of valuable data: medical identity information. Social Security numbers. Medicare, Medicaid, and other insurer numbers. Credit card and bank account information. This data can fetch a high price on the black market, and medical identity theft costs patients, providers, and insurers millions of dollars a year. The lure of medical identity information makes healthcare organizations an appealing target for criminals, from large operations launching sophisticated hacking schemes to smaller groups running tried and true fraud scams.
A 2015 study conducted by the Ponemon Institute and sponsored by the Medical Identity Fraud Alliance (MIFA), the Fifth Annual Study on Medical Identity Theft, found that medical identity fraud nearly doubled between 2010 and 2014. More than 2.3 million adults were victims of medical identity theft and fraud in 2014 alone. The average cost per victim was $13,500 and the combined out-of-pocket cost was approximately $20 billion. But the financial impact is only the tip of the iceberg. Medical identity theft can result in physical harm to a patient if the medical record is altered to include another person's information such as allergies, disease status, or blood type.
Healthcare organizations often absorb some of the costs, and if the stolen PHI was used to commit Medicare or Medicaid fraud, they could be investigated by the OIG.
The stakes are high but by raising awareness and championing education and robust security programs, privacy and security officers can help their organizations stay one step ahead of criminals.