The ICD-10 delay forced many healthcare organizations to rethink their ICD-10 staffing and implementation plans. Baptist Health System in Birmingham, Alabama, devised a plan to prepare for the one-year delay of ICD-10 by revising its budget and relying on new graduates to fill coder positions.
Many hospitals and health systems include computer-assisted coding (CAC) systems as a strategic tool in their plan for ICD-10. CAC software is considered an antidote to the significant decrease in coder productivity anticipated with ICD-10.
Q: As part of the audit controls policy at my organization, we hired an external security vendor to collect and review logs from several critical servers. The vendor creates tickets for our IT staff when a potential incident is discovered during the daily log review. This supplements our own activity reviews of internally generated reports, and the vendor then uses them for its own review. Our internal staff never sees the reports the vendor uses for its review. Do the reports the vendor uses fall under the HIPAA requirement for retaining logs for six years? Should we compel the vendor to retain these reports?
In December 2014, CMS posted a document on its Advisory Panel on Hospital Outpatient Payment (HOP Panel) website outlining the hospital outpatient therapeutic services that were recently evaluated for a change in supervision levels. The three-page document contains a chart that includes the HCPCS code, the level of supervision required for coverage, and the effective dates of the changes for various services.
Q: I am familiar with the HIPAA Security Rule requiring information system review audits. Are there any HIPAA Privacy Rule requirements?other than to perform audits?that require the examination of inappropriate access for an alleged breach? Currently, our security team performs monthly information system review audits and issues reports to leadership on a quarterly basis. Will this suffice, or are there audits that the privacy team should perform as well?
