Did you know that your practice needs to comply with HIPAA Security Regulations to successfully attest for Meaningful Use?
In the age of data breaches and the resulting, significant fines, it is absolutely necessary to secure your data. One of the most important and most easily-mined components of any physician practice is messaging. Many are not aware there is no security when sending emails, text messages and instant messages. Anyone with a laptop and technical background potentially has the capability of intercepting and capturing the data. Imagine you are sending a harmless message about a patient to a colleague. What if that message also included a credit card number or SSN of the patient? If unprotected, even the patient name may trigger a PHI or ePHI violation.
What are your options?
How can you prevent this occurrence?
What might the solutions cost?
The first step is to identify your potential security gaps. Precision recommends examining everything from the locks on the doors to your office to the complexity of passwords on your PCs, laptops and other devices. One of the many HIPAA mandates includes an annual security risk assessment. Performing this internal evaluation will go a long way in getting your medical practice compliant. As you are likely to find, some of these security flaws can be easily remedied.
Some issues require a more in-depth solution.
Messaging – email, text and instant messaging – is the single greatest threat to security. Fortunately, there are a number of products that will help. With email encryption, solutions are available that reside between your email server and the Internet to flag messages with secure content or attachments. Once flagged for encryption, the message is pulled and an email is sent to the recipient with a secure link to access the email. The process prevents a third party from intercepting the message in transit.
With the prevalence of mobile devices, solutions beyond email encryption are essential as well. Text messaging has become the preferred method for communicating via a mobile device. Unfortunately, this method is also not secure. With text messaging encryption, instead of going to your regular text message to send a text, the user goes to the secure messaging application to send that message securely. If the message is delivered to another user who has the same application, that user will simply receive the message. If the recipient does not have the application, a normal text message is sent with both a link to the message and a link to download the application for future messages.
In addition to email and text message encryption, a number of solutions are available to secure content on mobile devices. This is especially helpful when the user loses his or her phone, or the user leaves the physician practice.
What should you do now?
Precision is here to help. We offer a wide variety of HIPAA-compliant solutions to meet your needs. Precision can host and secure your email, text and instant messaging. Precision can also help with your annual security risk assessments. A security risk assessment is the best way to evaluate the strength of the security within your office and allows us to accurately recommend the next steps to achieve HIPAA security standards.
Your protection and your patients’ protection are very important to us. When comparing the per-month cost of becoming compliant to the ever-growing cost of fines and potential loss of business, the decision becomes an easy one.
Please contact Precision’s Directors of IT:
We look forward to assisting you.
The Centers for Medicare & Medicaid Services (“CMS”) recently updated its Frequently Asked Questions site with clarification of the transition of care measure for purposes of attestation of stage 2 of meaningful use. Specifically, CMS has addressed whether an eligible professional or eligible hospital may count a transition of care or referral in its numerator for the measure if they electronically create and send a summary of care document utilizing a certified electronic health record to a third party organization that plays a role in determining the next provider of care and ultimately delivers the summary of care document. CMS’ response is accessible here: https://questions.cms.gov/faq.php?faqId=10660.
CMS has also published a transition of care tip sheet to assist eligible professionals and eligible hospitals in their efforts to satisfy the Summary of Care Stage 2 objective relating to transitions of care. The tip sheet is accessible here: http://www.healthit.gov/providers-professionals/eligible-professional-ti…
With constant advances in health information technology comes the constant need to maintain and secure e-PHI within any healthcare organization. The “Security Standards for Protection of Electronic Protected Health Information,” better known as HIPAA’s “Security Rule,” requires organizations to implement policies and procedures to prevent, detect, contain and correct security violations. Completing a Risk Analysis is the first step in implementing the Security Management Process standard.
A risk analysis is a process in which the healthcare organization identifies the e-PHI that is generated, maintained, received and/or transmitted. The risk analysis should also identify and analyze any internal sources that could generate, maintain, receive or transmit e-PHI, such as software programs, portable devices, hardware, interfaces, patient check-in desks, as well as external sources, such as hardware, vendors and consultants. Once all devices, programs and individuals have been identified, the healthcare organization needs to look at the likelihood of any potential risks and vulnerabilities, be it human, natural or environmental threats to those systems, that could compromise the integrity of all e-PHI within the organization. The organization must then document all areas and the impact of a potential breach, along with the corrective actions to be performed to mitigate the risk.
A risk analysis should be conducted and reassessed at least on an annual basis. In addition, a risk analysis should be completed when an organization has a change in ownership, turnover in staff, or makes changes to its current technology. To request a quote on a risk analysis, please contact Jason Eding at 314-881-5252 / firstname.lastname@example.org or Wayne Schiermeyer at email@example.com.
The Department of Health and Human Services recently issued a Final Rule officially resetting the ICD-10 effective date as October 1, 2015. As this revised implementation date approaches, the ability for providers to maintain comprehensive documentation will play an essential role in ensuring the proper selection of accurate diagnosis and procedure codes and, consequently, the successful billing of claims and prompt receipt of payment for those claims. To this end, below are a few quick tips that will help you improve your clinical documentation:
• Medical decision-making is the driving force behind assignment of proper E/M (Evaluation and Management) codes. Ordering and reviewing tests and summarizing old records will help support the proper selection of an E/M code.
• Legibility of documentation is very important as office staff, billers, coders and insurance companies alike must be able to read all of the documentation that is provided. The inability to read a note may cause a delay with all parties involved.
• Specificity throughout the chart is critical. With ICD-10, unspecified codes are not permitted, which is not the case with ICD-9. Accurate code selection will result in the proper payment.
• When documenting in the chart, it is helpful to know that three or more chronic conditions are necessary to complete the HPI (History of Present Illness).
The tips given above are intended to help you improve your clinical documentation in advance of the new ICD-10 implementation date. If you have questions or concerns regarding your documentation, please contact Precision at 314-565-0091 or online at www.precisionpractice.com.
Later this year, the Department of Health and Human Services is expected to begin its permanent HIPAA Audit Program. One of the most important things that you can do to prepare for a HIPAA Audit is to review the effectiveness of your current HIPAA compliance program. Consider the following list of activities to help you get started:
• Review HIPAA policies and procedures – All covered entities should have formal policies and procedures in place to ensure compliance with new HIPAA privacy, security and breach notification requirements. Policies and procedures should be clearly communicated to your staff. Plan documents should be reviewed regularly and necessary changes made to your policies or current business practices.
• Assign a Compliance Officer – The Compliance Officer will be responsible for the development and implementation of the organization’s HIPAA privacy compliance efforts. Does your Compliance Officer have any concerns with current practices? Are they prepared for a HIPAA Audit?
• Review Notice of Privacy Practices – Notices should be updated to include the 2013 final omnibus rule and displayed in a prominent location. Records should be kept if notices have been distributed by mail or electronically.
• Evaluate HIPAA Training – Your entire staff should be HIPAA trained. Training should be an ongoing activity, not just at the time of hire. Records should be kept of all training.
• Conduct a risk analysis – Regulations and standards are being updated and technology is ever-changing. Since new vulnerabilities and threats change the risk environment, it’s recommended that a risk analysis be conducted annually. Any issues discovered and improvements made should be documented to demonstrate the high level of commitment on securing protected health information.
In short, covered entities and business associates should spend time to create an effective compliance program with regular evaluation. Regularly reviewing HIPAA compliance efforts will allow you to consider whether opportunities exist to reduce risks prior to an audit. If you need assistance in conducting a risk analysis of your practice, please contact Precision Practice Management. We can help!
Practices with declining profitability often experience similar roadblocks that lead to a drop in revenue or an increase in practice expenses. In such instances, the following includes a couple of key areas worthy of review:
• Practices that do not have a comprehensive grasp of revenue cycle processes and workflows may be understaffed by not allocating sufficient resources to recoup all collectible A/R. Consequently, their days of accounts receivable outstanding may be higher than they should be. Conversely, practices may be overstaffing their medical billing efforts, leading to a drain on expenses and inefficient processes that do not maximize profitability.
• Rent can be one of the largest expenses for a physician practice. It is therefore important to maximize the use of the space by maintaining a full patient schedule. Physician practices employ a number of techniques to achieve this goal, often focusing on marketing efforts (a robust website, search engine optimization, social media and building a strong referral base) to do so.
3. Payer Shortfalls
• Reviewing payer receipts on a regular basis can help you avoid acceptance of payer payments below your contracted rate. Physician practices participating with payers can still be subject to receipt of payments lower than contractually-agreed upon rates. If those low payments are not timely appealed, the much-deserved, additional revenue may be lost.
• Small purchasing contracts do not always lead to market rates for necessary products and supplies. By collectively purchasing with another practice, through a local hospital or seeking another form of volume-based purchasing, material expenses can be saved.
• Regularly review and negotiate insurance premiums, including malpractice and general liability insurance. Compare current rates with what is available in the marketplace, and then carefully read the exceptions to those policies to ensure the adequacy of coverage in place.
The areas highlighted above are not comprehensive but do provide a good roadmap of areas to consider when profitability is in decline. Precision stands ready to help you evaluate any of the aforementioned areas.
Every medical practice at times has an interaction with an unhappy patient. The key to maintaining a positive relationship with the patient is to ensure the patient’s complaint is properly and fully addressed. To do so, the following steps are recommended:
First, obtain all necessary information to assess the situation. Take time to listen to the patient and be objective.
Second, approach all parties involved to learn and understand every perspective.
Third, once all pertinent information has been gathered, analyze and take action. If the complaint filed by the patient demonstrates a failure to follow proper procedures, establish a formal protocol to ensure the same does not happen in the future. Once established, circulate the protocol within the office and to third parties as necessary and implement the training necessary to effect the change.
Fourth, follow up with the patient, regardless of the outcome of the investigation, to candidly relay the finding and solution. With a little bit of compassion and an honest attempt to correct the situation, the patient inquiry can almost always be resolved.
A medical practice’s failure to release clean claims – claims that pass the clearinghouse, arrive at the payer and are paid upon first review – results in significant, adverse consequences to the practice’s revenue and cash flow. Industry research shows that medical practices regularly submit a material portion of their claims in a manner that results in denials upon arrival at the clearinghouse or payer. By incorporating sound coding principles, proper modifier usage and claim scrubbing mechanics, a medical practice’s claim submission can approach a nearly-error free rate. Claim scrubbing reduces claim errors, rejections and denials such as those listed below, which may commonly be seen on an explanation of benefits or electronic remittance advice:
• CPT code is invalid for this date of service
• Procedure 1 is missing a diagnosis code
• Diagnosis code is invalid
• Member not effective on this date of service
• Member ID invalid
• Inpatient claim missing an admission date
To reduce these errors, it is important to validate all billable codes each October-December when the new/updated CPT and ICD-9/ICD-10 codes are released. In addition, understanding changes to the codes along with payer policy guidelines will ensure proper coding and decreased delay in payment.
If the claim leaves your practice management system “clean” upon first submission, you will decrease the amount of time it takes for you to receive your reimbursement from the payer. For additional information on coding and claim submission, please contact us so we can help you!
On Tuesday, May 20, 2014, Centers for Medicare & Medicaid Services published a proposed rule that would permit eligible providers added flexibility to successfully achieve meaningful use attestation. The proposed rule would allow eligible providers to use the 2011 Edition Certified Electronic Health Record Technology (“CEHRT”) or a combination of 2011 and 2014 Edition CEHRT for the EHR reporting period in 2014 for the Medicare and Medicaid EHR Incentive Programs. This proposed rule was issued, in part, due to the large volume of CEHRT included on a “waitlist” to receive the necessary updates and certification. Notwithstanding the extension proposed for 2014, all eligible providers will be required to use technology certified under the 2014 Edition criteria in 2015. The proposed rule also includes a provision to extend Stage 2 through 2016 and begin Stage 3 in 2017.
Please don’t hesitate to contact Precision should you have any questions regarding this proposed rule or the 90-day reporting period in 2014.
In today’s healthcare industry, the need to access a myriad of healthcare and hospital websites is critical to any organization’s success. Applications and programs are regularly installed locally on computers to facilitate functionality with outside websites. To function properly, applications need to be updated on an ongoing basis, and computers need to avoid malicious threats and viruses during the update process. For example, it’s not uncommon to begin a morning with an update bubble from Adobe or Java informing you that “It’s Time!” Third party updates can be unintuitive and often deliberately confusing. Moreover, they can also be hazardous. There is hope, however – keeping Adobe Flash and Java updated in a safe manner can be quick and easy. Below are a few tips.
Only update what is necessary. Downloading extra applications with required updates can add unexpected changes to default settings.
When updating Java, uncheck the optional checkboxes. By unchecking the optional checkboxes, a user can avoid, for example, Adobe installing Google Chrome as the browser.
Avoid software update popups that read “Safe Searching” or include promises to “Speed up your computer.” These types of updates can be malicious in nature and open the door to severe malware such as Trojans, rootkits and worms.
Be cautious of coupon distribution websites that require a download. Common coupon websites, such as Groupon, will not typically require a download. Unfamiliar websites that require a download, however, may not be websites that can be trusted.
Searching the Internet to find information or solutions to unknown problems is a common business practice. During the search process, it is important to be equipped with updated applications and avoid some of the common pitfalls. Please don’t hesitate to contact Precision if we can help you keep your computers safe on the web. Please contact Precision’s IT Helpdesk at (314) 881-5299 or Helpdesk@precisionpractice.com.
April 8th marked the end of support for one of Microsoft’s most popular and successful operating systems (OS), Windows XP. Chances are many of you are reading this post on a PC or laptop running Windows XP. Did you know that the ATM Industry Association estimated earlier this year that 95% of ATMs are running some variant of XP and they expected only a fraction of those machines would receive software updates by the time support ended?
So what does the end of support mean to you? The biggest impact XP users will see going forward is the end of updates and security patches. As mentioned, XP has been one of the most successful and widely distributed operating systems in history. The software works well and will continue to do so for the foreseeable future. The risk lies in the fact that Microsoft will no longer dedicate resources to finding and fixing security issues and holes that can be exploited. For the healthcare industry this poses a significant risk as we are all entrusted with PHI which must remain protected. HITECH stipulates that software systems must be supported to be compliant.
So what should you do if you are still running XP? In the short term, users need to make sure their PC is protected by running an up-to-date anti-virus and anti-malware product. Periodic scans should be done on each machine to ensure there are no viruses hiding on the machines and posing a security threat. As always, users should practice safe surfing and use business machines only for their intended purpose: business. If you have not created a migration plan to replace or upgrade old machines, the time is now. Precision is ready to help with this process. We will complete a full inventory of your environment, identify all machines running XP, and put together a comprehensive migration plan. Let us guide you through the transition.
You may contact us using our main office line at 314-787-0681. Alternatively, you can also reach out to us using our contact form here.