In a concerted effort to move healthcare payments to a system of "quality over quantity," CMS finalized policies that greatly expanded packaging for outpatient providers in the 2015 OPPS final rule (www.gpo.gov/fdsys/pkg/FR-2014-11-10/pdf/2014-26146.pdf). It also introduced complexity adjustments with comprehensive ambulatory payment classifications (C-APCs).
There are many misconceptions about HIPAA throughout the healthcare industry. In particular, business associates (BA) who provide cloud services to covered entities (CE) often have the misconception that they do not need to be concerned with HIPAA if they are compliant with the Payment Card Industry Data Security Standard (PCI-DSS). BAs with this school of thought should be prepared to get their checkbooks out when the Office for Civil Rights (OCR) comes calling.
Even organizations with sound policies, procedures, training, and safeguards can experience a breach. When?not if?a breach occurs, traditional insurance may not be enough to cover the damages. Ensuring that your organization has adopted the appropriate cyber insurance can be valuable in the event of a breach.
CMS designates certain procedures as inpatient-only and identifies them using CPT codes. Hospitals normally only use CPT codes for outpatient coding, so this may be confusing for coders who use ICD-9-CM Volume 3 codes for inpatient procedures. Coders need to know which procedures are on the inpatient-only list to monitor compliance with this rule as they apply inpatient procedure codes.
Q: I am familiar with the HIPAA Security Rule requiring information system review audits. Are there any HIPAA Privacy Rule requirements?other than to perform audits?that require the examination of inappropriate access for an alleged breach? Currently, our security team performs monthly information system review audits and issues reports to leadership on a quarterly basis. Will this suffice, or are there audits that the privacy team should perform as well?
Beginning January 1, 2015, physicians will no longer need to provide certification for an inpatient admission unless the admission is expected to last for at least 20 days or the case is an outlier.
