
What Do We Know About Minimum Necessary Coming to HIPAA?

Posted on November 14, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

We recently sat down with Alisha R. Smith, RHIA, HIM Compliance Educator at HealthPort, to talk about HIPAA Omnibus and one of the components that was left out of the HIPAA Omnibus final rule: minimum necessary. In the video below, Alisha talks about what your company can do to prepare for minimum necessary and what minimum necessary might require if it gets included in future HIPAA requirements.

What do you think about Alisha’s recommendations? Do you think that legislation will be passed to include minimum necessary as part of HIPAA?

RACs’ Limited Restart and Partial Payment Window Opens

Posted on September 15, 2014

The following is a guest blog post by Dawn Crump, VP of Audit Management Solutions at HealthPort.
The RACs are back and they’re offering acute care and critical access hospitals a sweet deal—at least for now.

The Recovery Audit Contractor (RAC) program had been on hold due to the reassigning and re-contracting of regions. In addition, there was a lawsuit pending between the Centers for Medicare and Medicaid Services (CMS) and CGI over RAC reimbursement rates, models and approaches. The lawsuit was resolved in August. But CGI quickly appealed, causing further delay in full resumption of the RAC program.

So while everyone awaits another court decision and green light from CMS, two important RAC announcements were made by CMS.

  • A “limited” restart of the RAC program began in August, 2014, including a restricted number of claim reviews and service targets.
  • Some claims currently pending appeals of inpatient-status claim denials by RACs may be eligible for a partial payment settlement.

Limited Restart Underway

Until the RAC program is 100 percent back in session, some reviews will be conducted. These will be mostly automated reviews, but there will be some records requests and a limited number of complex reviews in certain select areas. During the restart, RACs will not review claims to determine whether the care was delivered in the appropriate setting. CMS said it hopes that the new RAC contracts will be awarded later this year.

From the Aug. 5 edition of the American Hospital Association’s News Now: “CMS will allow current RACs to restart a limited number of claim reviews beginning this month. The agency said most reviews will be done on an automated basis. However, a limited number will be complex reviews on certain claims, including spinal fusions, outpatient therapy services, durable medical equipment, prosthetics, orthotics and supplies, and Medicare-approved cosmetic procedures.”

One example of the latter is blepharoplasty, also known as an eyelid lift. The number of claims for this procedure has tripled in recent years, so I expect the RACs will make this procedure a hot target. To be covered under Medicare, vision must be impaired. What’s needed? Physician documentation of the reasons for surgery (e.g., eyelid droop interfering with vision).

Here are three specific steps to take with regard to the limited RAC restart:

  • Stay abreast of all RAC news and announcements and remain diligent in communicating with your regional peers regarding new RAC region assignments, contacts and educational opportunities.
  • Conduct an internal probe to ensure you’re following all of Medicare’s National Coverage Determinations (NCDs) and Local Coverage Determinations (LCDs).
  • Educate coders, billers and physicians around documentation, coding and billing for specific targets as mentioned above.

But the limited restart wasn’t the only important news.

Partial Repayment Deal Announced

In their September 9th, 2014 inpatient hospital reviews announcement, CMS announced an administrative agreement for acute care and critical access hospitals.  To reduce the backlog of cases in appeal status and overall administrative costs, these hospitals now have the option to withdraw their pending appeals in “exchange for timely partial payment (68% of the allowable amount)”, according to the CMS administrative agreement.

Of course there are parameters to understand and details to sort out regarding the settlement opportunity. Here is what we know so far:

  • Only acute care and critical access hospital claims are eligible.
  • Claims must already be in the appeals process for inpatient-status claims with an admission date prior to October 1, 2013.
  • Services might have been found reasonable and necessary by the Medicare contractor, but treatment as an inpatient was not.
  • Hospitals may choose to settle some claims and continue to appeal others.
  • Hospitals should send their request for settlement to CMS by October 31, 2014.

Many more details are available on the CMS.gov website.

Settle….Or Not?

Eligible hospitals must determine if requesting a settlement offer makes sense for cases in appeal that meet the specified parameters. For some cases, it will make sense to take the 68 percent settlement and cut your losses. For other denials, waiting out the appeal process may be a better choice.

Each denial will be different and each case unique. Time, money and resources must be balanced against the potential revenue retained or returned. Audit management directors, in conjunction with their revenue cycle and finance teams, must analyze RAC data for each eligible case. It’s a complicated equation. And with a deadline of October 31, 2014, there is no time to lose.

About Dawn Crump

Dawn Crump, MA, SSBB, CHC, has been in the healthcare compliance industry for more than 18 years and joined HealthPort in 2013 as Vice President of Audit Management Solutions. Prior to joining HealthPort, Ms. Crump was the Network Director of Compliance for SSM. She is a former board director of the Greater St. Louis Healthcare Finance Management Association chapter and currently serves as the networking chair.

Unfinished Business: More HIPAA Guidelines to Come

Posted on August 4, 2014

The following is a guest blog post by Rita Bowen, Sr. Vice President of HIM and Privacy Officer at HealthPort.

After all of the hullabaloo since the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) release of the HIPAA Omnibus, it’s humbling to realize that the work is not complete. While the Omnibus covered a lot of territory in providing new guidelines for the privacy and security of electronic health records, the Final Rule failed to address three key pieces of legislation that are of great relevance to healthcare providers.

The three areas include the “minimum necessary” standard; whistleblower compensation; and revised parameters for electronic health information (EHI) access logs. No specific timetable has been provided for the release of revised legislation.

Minimum Necessary

The minimum necessary standard requires providers to “take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.”

This requires that the intent of the request and the review of the health information be matched to assure that only the minimum information intended for the authorized release be provided. To date, HHS has conducted a variety of evaluations and is in the process of assessing that data.

Whistleblower Compensation

The second bit of unfinished legislation is a proposed rule being considered by HHS that would dramatically increase the payment to Medicare fraud whistleblowers. If adopted, the program, called the Medicare Incentive Reward Program (IRP), will raise payments from a current maximum of $1,000 to nearly $10 million.

I believe that the added incentive will create heightened sensitivity to fraud and that more individuals will be motivated to act. People are cognizant of fraudulent situations but they have lacked the incentive to report, unless they are deeply disgruntled.

Per the proposed plan, reports of fraud can be made by simply making a phone call to the correct reporting agency, which should facilitate whistleblowing.

Access Logs

The third, and most contentious, area of concern is with EHI access logs. The proposed legislation calls for a single log to be created and provided to the patient, that would contain all instances of access to the patient’s EHI, no matter the system or situation.

From a patient perspective, the log would be unwieldy, cumbersome and extremely difficult to decipher for the patient’s needs. An even more worrisome aspect is that of the privacy of healthcare workers.

Employees sense that their own privacy would be invaded if regulations require that their information, including their names and other personal identifiers, is shared as part of the accessed record. Many healthcare workers have raised concern regarding their own safety if this information is openly made available. This topic has received a tremendous amount of attention.

In discussion are alternate plans that would negotiate the content of access logs, tailoring them to contain appropriate data regarding the person in question by the patient while still satisfying patients and protecting the privacy of providers.

The Value of Data Governance

Most of my conversations circle back to the value of information (or data) governance. This situation of unfinished EHI design and management is no different. Once released, the new legislation for the “minimum necessary” standard, whistleblower compensation and revised parameters for medical access logs must be woven into your existing information governance plan.

Information governance is authority and control—the planning, monitoring and enforcement—of your data assets, which could be compromised if all of the dots are not connected. Organizations should be using this time to build the appropriate foundation to their EHI.

About the Author:
Rita Bowen, MA, RHIA, CHPS, SSGB

Ms. Bowen is a distinguished professional with 20+ years of experience in the health information management industry.  She serves as the Sr. Vice President of HIM and Privacy Officer of HealthPort where she is responsible for acting as an internal customer advocate.  Most recently, Ms. Bowen served as the Enterprise Director of HIM Services for Erlanger Health System for 13 years, where she received commendation from the hospital county authority for outstanding leadership.  Ms. Bowen is the recipient of Mentor FORE Triumph Award and Distinguished Member of AHIMA’s Quality Management Section.  She has served as the AHIMA President and Board Chair in 2010, a member of AHIMA’s Board of Directors (2006-2011), the Council on Certification (2003-2005) and various task groups including CHP exam and AHIMA’s liaison to HIMSS for the CHS exam construction (2002).

Ms. Bowen is an established speaker on diverse HIM topics and an active author on privacy and legal health records.  She served on the CCHIT security and reliability workgroup and as Chair of Regional Committees East-Tennessee HIMSS and co-chair of Tennessee’s e-HIM group.  She is an adjunct faculty member of the Chattanooga State HIM program and UT Memphis HIM Master’s program.  She also serves on the advisory board for Care Communications based in Chicago, Illinois.

Make the Most of the RACs Summer Recess: Three Areas to Assess, Improve and Level-Up

Posted on June 19, 2014

The following is a guest blog post by Dawn Crump, VP of Audit Management Solutions at HealthPort.
2014 brings the first significant break in RAC activity for healthcare providers. Hospitals have been taking advantage of the RAC break to assess current programs, review historical data and centralize their audit management processes.

Steps taken now to improve RAC processing will drive significant returns when the RACs reconvene. This article highlights recent RAC announcements and three process improvement steps to take now…while you have the time.

What’s New with RACs?

There are no new record requests sent by RACs to hospitals (pre-payment requests stopped on February 28) and no additional documentation requests (ADRs) for now (post-payment requests stopped on February 21). While programs were initially expected to revamp this month, there has been no announcement from CMS (I don’t anticipate one until later this summer).

Secondly, CMS announced that administrative law judge (ALJ) delays may extend upwards of twenty-six months, leaving providers holding the bag for cases already in appeal. And finally, the passage of H.R. 4302 (the infamous SGR patch) in April 2014 delayed implementation of ICD-10 and extended the timeframe prohibiting review of two-midnight rule by RACs.

Three Areas to Focus

Perhaps 2014 is the year for delays. If so, providers are the beneficiaries. Here are three important areas to assess during the delay.

Top 10 Lists

Healthcare is riddled with lists. Medicare’s recent list of highest-priced surgeries and DRGs is a good place to identify future RAC targets. Take a good look at this report and any others relevant to your organization. They point the way to future RAC reviews.

Short stay admissions

Medical necessity rules surrounding short stays are changing due to the Two Midnight Rule. Include short stays in your internal documentation audits and be aware that other third party payers are following the RACs’ lead.

National reports

Analyze most recent RACTrac and PEPPER reports and see how you compare. These reports are great places to find clinical documentation and coding improvement targets in ICD-9 while you wait for the RAC program to restart.

RAC Data: Take a Closer Look

Your historical RAC data is another goldmine of improvement opportunities and steps to mitigate future risk. Take a hard look at your data and ask yourself these questions:

  • How many cases and dollars are awaiting appeal? Where are these cases in the appeal process?
  • Are any cases eligible for rebilling? If so, should they be rebilled?
  • What are our most common denials and can we improve documentation, coding and billing for these cases?
  • Is a deeper level of data analysis needed? Can our audit tracking software drill down further for better business intelligence?

Centralize Your Audit Management Efforts

Finally, there’s no way around it. Audit management is expensive.

When employees repeat the same audit processing steps across multiple locations and departments, your costs skyrocket. Now is a great time to centralize your audit management process to:

  • Reduce administrative costs associated with RAC audit processing.
  • Eliminate duplicate audits and redundancies.
  • Establish consistent policies, procedures and workflows.
  • Bolster internal audit knowledge and expertise.

Most hospitals have already centralized their business offices (CBOs). Centralizing the audit management function, including RACs, is a natural next step. Take a close look at audit processing across your entire organization looking for these costly inefficiencies.

  • Each HIM department may be processing and tracking RAC requests differently.
  • Each case management department may be reviewing RAC denials differently.
  • Staff spending up to 25% of their time on audits, but no one making RAC a priority.
  • Multiple locations received RAC (auditor) requests for records and appeal correspondence.

By creating a centralized team, you establish lean processes and reduce overall costs associated with audit management. RAC is the best place to start since there are already established guidelines and rules. Once established, expand your centralized department to other audits (e.g. OIG, MACs pre and post payment, Medicaid, ZPICs, etc.).

The Summer Ahead

Beyond the steps mentioned above, I encourage you to remain vigilant with regard to other forms of audits, including commercial plans, MACs (Medicare administrative contractors) and Medicaid audits. We all have some breathing room with regard to RAC, but preparation is key.

About Dawn Crump

Dawn Crump, MA, SSBB, CHC, has been in the healthcare compliance industry for more than 18 years and joined HealthPort in 2013 as Vice President of Audit Management Solutions. Prior to joining HealthPort, Ms. Crump was the Network Director of Compliance for SSM. She has healthcare experience in education, organization development, quality improvement and corporate compliance.

Trained as a six sigma black belt, Ms. Crump used this holistic, fact-based approach to establish audit tracking (RAC) programs. Her expertise includes coding and billing compliance as well as HIPAA compliance and government audit programs for acute care facilities. She is a former board director of the Greater St. Louis Healthcare Finance Management Association chapter and currently serves as the networking chair. Ms. Crump is also a member of the Health Care Compliance Association (HCCA).

3 Suggestions for Dealing with Healthcare Audits

Posted on November 14, 2013 | Written By John Lynn

While at AHIMA 2013, one of the big topics people were discussing was all of the audits that the HIM staff are having to deal with on an ongoing basis. Everyone that I talked to said that there is no end in sight when it comes to the various audits. In fact, most were predicting even more audits to come.

I sat down with Dawn Crump, VP of Audit Management Solutions from HealthPort, to find out some suggestions for organizations trying to deal with this wave of audits in healthcare. Check out the video below to hear those suggestions (plus, she throws in a fourth and fifth bonus suggestion):

How is your organization dealing with all of these audits? Have you formalized and streamlined the process in your organization? Do you have an easy way to track all of your audits? Do you know the financial impact of these audits on your organization?

Model Notice of Privacy Practices (NPP) Released by OCR and ONC

Posted on September 20, 2013 | Written By John Lynn

The HIPAA Omnibus Rule compliance date is on Monday. Are you ready?

I’m sure the answer for most organizations is NO!

In fact, the real question that I hear most organizations asking is what they need to do to be compliant with the new HIPAA omnibus regulations. One of my more popular video interviews was on the subject of HIPAA Omnibus with Rita Bowen from HealthPort. That might be one place to start.

OCR and ONC recently released some model HIPAA Notice of Privacy Practice forms to help with compliance. Why they are just releasing them a week before organizations are supposed to be compliant is a little puzzling to me. Hopefully your organization is well ahead of the game on this, but you could still compare your Notice of Privacy Practices with the model forms they released.

David Harlow from the Health Blawg wrote the following about the model forms:

I was disappointed, however, with one of the examples given in the model NPP:
*You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.
*We will say “yes” to all reasonable requests.

Telephone and snail mail are nice, but many patients would prefer to be in contact with their health care providers via text message or email. Both modes of communication are permitted under HIPAA with the patient’s consent (which may be expressed by simply emailing or texting a provider), but if the NPP doesn’t alert patients to that right, then many will never be aware of it.

As I heard voiced at a healthcare billing conference yesterday, “You have to be HIPAA omnibus compliant on Monday. I’m not saying you should spend your whole weekend making sure you’re in compliance. The HIPAA auditors won’t be knocking your door on Monday, but you better become compliant pretty quickly if you’re not already.”

What’s Pushing EMR Switching?

Posted on September 19, 2013 | Written By John Lynn

I recently had a chance to talk with Sean West, VP & GM of HealthPort Data Conversion Services, about the hot topic of EMR switching (or EHR switching if you prefer). I’ve written about EMR switching many times before and even predicted it would be a hot topic a year or two ago. I assure you that it is going to become an even more important topic going forward.

During my discussion with Sean, I took note of a number of drivers behind all the EMR switching. Here’s what I consider to be the top three drivers:

Hospital Acquisition – I’ve written regularly about the trend of hospitals acquiring ambulatory practices and hospitals acquiring or merging with other hospitals. In one hospital system, I found that they were moving newly acquired practices onto the hospital EHR before they even moved their existing practices from paper to the hospital EHR. In many cases the acquired practices already had an EHR and so they had to make an EHR data conversion plan. Most current hospital acquisitions or mergers are also moving to one unified EHR software system. I could see this changing as larger more established hospitals are acquired, but right now these hospital acquisitions are driving a lot of EMR switching.

EMR User Dissatisfaction – There’s a broad range of EMR user dissatisfaction that prompts an EMR switch. Sometimes the healthcare organization is on a legacy EMR system that’s no longer being updated and so the user experience suffers. Other times we are talking about a newly implemented EMR system which doesn’t live up to the users’ expectations.

Not Meaningful Use Ready – The other large driver of EMR switching is when an EMR vendor isn’t or won’t be ready for meaningful use. The EHR incentive money and EHR penalties are a powerful incentive for many healthcare organizations. If an organization’s current EHR system isn’t ready for meaningful use, many have no choice but to switch EMR.

Of course, EMR switching can be a real challenge and every EMR switch is unique. You have to consider what you want to do with your old data. Do you have a way to transfer it to the new EMR? Can you get the EMR data out of the old system? Do you want to transfer all or part of the data? Do you not want to transfer the data to the new EMR, but you still want to keep the old EMR around to access the previous EMR data?

Many of the answers to these questions are heavily influenced by your original EMR contract. Sadly, many organizations did a poor job evaluating their EMR contract before they signed it. This can often lead to the old EHR vendor holding the EHR data hostage. It’s not pretty, but there are sometimes workarounds. Just be sure that you don’t make the same mistake with your new EHR vendor. My e-Book on EHR selection has a whole section on EHR contracts (starts on page 30) that you should consider.

EMR switching is never a fun experience, but it’s often a necessary evil. Plus, it’s going to continue to become more and more common. In fact, the next wave of EMR switching might be driven by EMR consolidation.

Where You’ll Find Me at HIMSS 2013

Posted on February 28, 2013 | Written By John Lynn

I can’t believe that HIMSS 2013 is finally here. Well, it’s almost here. I fly out on Saturday, and I’m seeing the tweets come in from the various vendors who are arriving in New Orleans to set up their booths. For those that can’t attend, we’ll do our best to give you a peek into the event. For those that can attend, I always love to meet those who read EMR and HIPAA in person. The following is a list of events that I’m hosting, participating in or otherwise engaged. All of these events and more are also listed in the Influential Networks HIMSS 2013 Event Guide.

I look forward to seeing many of you at these great events and in the hallways of HIMSS. It’s always great to see old friends and make new ones.

#SocialMedia and #Influence Tweetup
Monday, March 4, 2013
2:30 PM – 3:30 PM
Description:
Discuss the best approaches to influencing audiences around your ideas, products or services with John Lynn and Shahid Shah, InfluentialNetworks.com. Learn how social media can be used to get your messages out to those who matter. Discover common myths and misconceptions about new media, and learn proven strategies and techniques to get the most out of social media.
Location: Social Media Center

Discussion with Rita Bowen, Chief Privacy Officer at HealthPort, About HIPAA Omnibus Rule
Tuesday, March 5, 2013
12:00 PM – 1:00 PM
Description:
Come learn from one of the leading experts on HIPAA, Rita Bowen, as she discusses the latest details on the new HIPAA Omnibus rule with John Lynn, HealthcareScene.com. We’ll talk about all the changes with business associates, how to make sure you’re compliant, and making a smooth transition to the new rule.
Location: HealthPort Booth #6841

New Media Meetup at #HIMSS13 Sponsored by docBeat
Tuesday, March 5, 2013
6:00 PM – 8:00 PM
Description:
Great food, free drinks, and time to mingle with the best and brightest that healthcare social media has to offer.  Come and meet people you’ve only connected with online and find new friends.  The New Media Meetup is where the online world meets offline.
Location: Mulate’s Party Hall – 743 Convention Center Boulevard, New Orleans, LA
Register to attend: http://tinyurl.com/HIMSS13NMM

Point of Care Video with Metro
Wednesday, March 6, 2013
12:30 PM – 1:00 PM
Description:
Come learn more with John Lynn, HealthcareScene.com, about Metro’s latest point-of-care systems, AccessPoint mobile computing system, and their Metro Access platform.  We’ll be shooting a video of their latest products.  Don’t worry, you don’t have to be in the video unless you want to be.
Location: Metro Booth #6312

The Final HIPAA Omnibus Rule: A Sharing of Accountability

Posted on February 25, 2013 | Written By John Lynn

The following is a guest post by Rita Bowen, MA, RHIA, CHPS, SSGB, SVP of HIM and Chief Privacy Officer, HealthPort. If you’re attending HIMSS, I’ll be doing an interview with Rita at HealthPort’s Booth 6841 at Noon on Tuesday 3/5/13. Come by and learn more about the HIPAA Omnibus Rule and get any questions you have answered.

It seems an eternity ago, four years to be exact, that the HITECH Act introduced changes to HIPAA. After much speculation, rumor, innuendo and anticipation, HHS released the final HIPAA omnibus rule, which significantly amends the original HIPAA Privacy, Security, Breach and Enforcement Rules. HHS Secretary Kathleen Sebelius introduced the new rule by stating:

“The final rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.”

Ms. Sebelius conceded that healthcare has changed dramatically since HIPAA was first enacted and that the new rule is necessary to “protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The new rule, at 563 pages, is not brief, but covered entities can’t let that inhibit them from becoming intimately acquainted with this document. I’ve made an initial review of the rule and culled what I feel are its key concepts:

  • Business Associates (BAs) of covered entities are now, for the first time, directly liable for compliance with certain requirements of HIPAA Privacy and Security rules, including the cost of remediation of breaches for which they are responsible.
  • The rule goes so far as to revise the definition of a “breach.” This new definition promises to make the occurrence of breaches – and the required notification of breaches — more common.
  • The use and disclosure of protected health information for marketing and fundraising purposes is further limited, as is the sale of protected information without individual authorization.
  • The rule expands patients’ rights to receive electronic copies of their health information and to restrict disclosures to health plans regarding treatment for which they’ve already paid.
  • Covered entities are required to modify and redistribute their notice of privacy practice to reflect the new rule.
  • The new rule modifies individual authorizations and other requirements to facilitate research, expedite the disclosure of child immunization proof to schools, and enable access to decedent information by family members and others.
  • The additional HITECH Act enhancements to the Enforcement Rule are adopted, including provisions addressing enforcement of noncompliance with HIPAA rules due to willful neglect.

Getting to Compliance

And now comes the challenging part – compliance! The new rule goes into effect on March 26, and covered entities and BAs are expected to comply by September 23, so there is much work to do. Hospitals and clinics need to thoroughly comprehend — and then prepare for — the sweeping changes in BA liability. They’ll need to communicate these changes and new requirements to BAs and update their BA agreements accordingly. And since BAs are now directly liable for breaches, organizations must decide how they’ll enforce their BA agreements with regard to privacy and security. Additionally, comparable agreements must now be shared between BAs and their subcontractors.

What are the keys to successful compliance? The following tips should ensure your smooth transition into the new rule:

  • Become intimately acquainted with the new rule — and its ramifications for your organization, your BAs, and their subcontractors.
  • Identify a privacy officer within all of your partner organizations.
  • Define a process for the notification of patients in the event of a breach of their protected health information (PHI).
  • Update breach notification materials to reflect the new rule.
  • Update, repost and redistribute your Notice of Privacy Practices.
  • Document current privacy and security practices, and conduct a risk assessment.
  • Make certain your healthcare security technology solution is flexible, secure, and scalable to handle the growing volume of audit inquiries promised by the RACs.
  • Encrypt all devices that store patient information.
  • Communicate new HIPAA requirements and expectations to BAs.
  • Update business associate agreements (BAAs) to clarify that BAs pay the cost of breach remediation, when the BA is responsible for the breach.
  • Provide a template of a comparable agreement for BAs to use with their subcontractors.
  • Monitor your partners’ efforts to protect patient data.

The new HIPAA omnibus rule has arrived and the challenges it presents should not be underestimated. Communication and organization will be your keys to success!

Rita Bowen, MA, RHIA, CHPS, SSGB

Ms. Bowen is a distinguished professional with 20+ years of experience in the health information management industry. She serves as the Sr. Vice President of HIM and Privacy Officer of HealthPort where she is responsible for acting as an internal customer advocate. Most recently, Ms. Bowen served as the Enterprise Director of HIM Services for Erlanger Health System for 13 years, where she received commendation from the hospital county authority for outstanding leadership. Ms. Bowen is the recipient of the Mentor FORE Triumph Award and Distinguished Member of AHIMA’s Quality Management Section. She served as the AHIMA President and Board Chair in 2010, and as a member of AHIMA’s Board of Directors (2006-2011), the Council on Certification (2003-2005) and various task groups including CHP exam and AHIMA’s liaison to HIMSS for the CHS exam construction (2002).

Ms. Bowen is an established speaker on diverse HIM topics and an active author on privacy and legal health records. She served on the CCHIT security and reliability workgroup and as Chair of Regional Committees East-Tennessee HIMSS and co-chair of Tennessee’s e-HIM group. She is an adjunct faculty member of the Chattanooga State HIM program and UT Memphis HIM Master’s program. She also serves on the advisory board for Care Communications based in Chicago, Illinois.

Reducing the Administrative Burden of RAC Audits – Guest Post by Lori Brocato

Posted on January 17, 2013 | Written by John Lynn

Lori Brocato is Director of Audit at HealthPort. With more than 15 years in health care technology, Lori serves as HealthPort’s resident government and third party audit expert, sharing educational information and best practices with health care facilities via Webinars, media interviews and industry articles. Additionally, she is the AudaPro product manager for HealthPort and authors her own blog, Audit Insights, on the HealthPort website. Lori is also a monthly contributor for RACMonitor, an online knowledge source for healthcare providers. She is RAC certified by the Medicare RAC summit and a member of HIMSS and HFMA.

Taking Paper Out of the Audit Process
The amount of provider and governmental resources now dedicated to processing and managing recovery audits is staggering. According to the American Hospital Association RACTrac Survey in May 2012, 76% of participating hospitals reported that RAC activity had increased their administrative burden including additional costs, training, software and full time equivalents needed to manage the workload. Similar findings were reported in the August 2012 RACTrac report.

Costs to cover the growing administrative load range from $10,000 to over $100,000 per quarter. Nine percent of hospitals spend over $400,000 annually to manage audits. And when multiple auditors come after the same encounter, expenses rise. The majority of these costs come from producing copies of medical records, sending them to review contractors, and managing appeals.

Making RACs a Paper-Free Zone
When RACs and other auditors need medical records to conduct their reviews, they request them by submitting a formal letter to the provider. These request letters land in the Audit or HIM department, where internal staff or outsourced Release of Information (ROI) companies find the requested records, produce photocopies and submit paper to the auditor.

Efforts to streamline this paper process began in 2011 with the introduction of CMS’s Electronic Submission of Medical Documentation (esMD) project. Since then, information exchanges designed solely for provider-auditor medical record transfer have grown and matured.

Three Provider Options
Along with esMD, many ROI companies and other Health Information Handlers (HIHs) have developed private exchanges. Providers have three choices to reduce the paper burden of RAC and other audits. They can build their own esMD gateway using the CMS CONNECT architecture, connect to esMD through an HIH, or use the HIH’s private exchange. All three options result in the following four benefits:

  • Elimination of paper and postage
  • Increased automation of request delivery
  • Improved tracking
  • Faster delivery

However, since HIHs have already established connections either through esMD or a direct, private audit exchange, providers save time and IT expense by using an HIH.

Direct Connections: What Providers Need to Know
Because the number of auditing bodies continues to expand and the reach of recovery contractor activity continues to grow, the use of direct audit connections (or exchanges) may outpace submissions through esMD. Direct exchange by an HIH uses a one-to-many connection with auditors and provides four benefits:

  • Request letters from RACs and other auditors can be received electronically.
  • One access point is established by the provider, and from there the HIH is responsible for establishing all the various auditor connections, saving time and IT resources.
  • Providers have a secure, private portal with end-to-end tracking capability for all audit record requests.
  • Providers can obtain a FedEx-comparable tracking number instead of just a date and time stamp confirmation.

Paper’s Coming Out of the Process… It’s Only a Matter of Time
Audits will continue. Demands for medical records will expand. Administrative burdens will increase. These are the realities of today’s pay-and-chase model. However, new technologies to cope are emerging.

These technologies, in concert with centralized audit management and EHR advances, are poised to reduce administrative burdens and move audit processing from “paper-intensive” to “paper-free”. The future of audit management will be paper-free: one way or another!