
Meaningful Use Audits, RAC Audits, and HIPAA Audits

The following is a guest post by Barry Haitoff, CEO of Medical Management Corporation of America.

Healthcare has always been a deeply regulated industry, so in many ways healthcare organizations are already used to dealing with government scrutiny. However, we’ve recently seen a number of new audit programs hit the healthcare world that didn’t exist even a few years ago. Here’s a look at a few of them you should be prepared for.

Meaningful Use Audits
This is one of the newest audit programs to hit healthcare. Depending on your attestation history, it could have a tremendous impact on your organization’s financial health. These EHR incentive audits have been happening at organizations of every size and are conducted by the CMS-hired auditing firm, Figliozzi and Company of Garden City, N.Y. If you get a letter or email from Figliozzi, you’ll know what it is right away. An EHR incentive audit is a big deal since the meaningful use program is all or nothing. If they find even one thing wrong with your meaningful use attestation, you could lose ALL of your EHR incentive money.

CMS recently released an informative guidance document outlining the supporting documentation needed for an EHR incentive audit. Pages 4 and 5 of the document go through the self-attestation objectives and others detailing the audit validation and suggested documentation needed for each. If you’ve attested to meaningful use, then you’ll want to take some time to go through the document to make sure you can provide the necessary documentation if needed. In many cases this simply includes dated screenshots to prove measure completion. While many EHR vendors can be helpful in the meaningful use audit process, you should not totally rely on them.

In a recent blog post, Jim Tate makes a compelling case for why you might want to consider doing a mock EHR incentive audit and how to make sure that the audit is effective. Although smaller organizations won’t likely be able to afford an outside audit, having it done by someone in your organization that wasn’t involved in the attestation is beneficial. The CMS guidance document could be used as a guide. A mock audit could help discover any potential issues and help you put mitigation strategies in place before you have a real audit and your hands are tied.

Recovery Audit Contractor (RAC) Audits
RAC audits are currently on hold as CMS works to improve the program and deal with the enormous audit backlog. We still haven’t heard from CMS about when the RAC audits will resume, but we should hear something later this summer. While no RAC audits are occurring right now, that doesn’t mean that once the RAC audits resume, the claims you’re filing today can’t and won’t be audited.

The best thing you can do to be prepared for RAC audits is to make sure that your documentation and billing ducks are in a row. A great place to start is to look at your most common denials and look at how you can improve your clinical documentation, coding and billing for each of these denials. Also, make sure that your process for responding to audits is standardized and effective. The RAC audit is just one example of an audit performed by payers. Don’t be surprised if you’re subjected to audits from other agencies or commercial payers.

RAC audits recovered billions of dollars in overpayments in recent years. You can be sure that they will continue and that other similar initiatives are coming our way. There’s just too much incentive for the government not to do it.

HIPAA Audits
The US Department of Health and Human Services’ Office for Civil Rights (HHS OCR) first started doing HIPAA audits as part of a 2011 pilot program. It’s fair to say that HHS OCR’s audit program was one of discovery as much as it was of compliance. However, the HITECH Act and Omnibus Rule have started to up the ante when it comes to enforcement of HIPAA. HHS OCR announced that they’d be surveying 800 covered entities and 400 business associates to select the next round of audit subjects. An OCR spokesperson said, “We hope to audit 350 covered entities and 50 BAs in this first go around.”

Unlike previous audits that were done by KPMG, these HIPAA audits will be done by OCR staff. One area that these audits will likely focus on is the HIPAA Security Risk Assessment. The importance of doing this cannot be overstated and is illustrated by the fact that it’s a requirement for meaningful use. I will be surprised if these audits don’t also focus on the new HIPAA Omnibus Rule requirements. I’m sure many of the HIPAA audits will catch organizations that never updated their HIPAA policies to comply with HIPAA Omnibus.

Summary
No one enjoys an audit of any sort. However, being well prepared for an audit will provide some level of comfort to yourself and your organization. Now is your opportunity to make sure you’re well prepared for these audits that could be coming your way. These audit programs likely aren’t going anywhere, so take the time to make sure you’re prepared.

Medical Management Corporation of America, a leading provider of medical billing services, is a proud sponsor of EMR and HIPAA.

July 14, 2014

HIPAA Security and Audits with Mac McMillan

In case you missed the recent HIPAA Privacy and Security hangout I did with Mac McMillan, CEO of CynergisTek, you’re missing out. I think this HIPAA interview is an extension of what we started in our post “6 Reality Checks of HIPAA Compliance.” There’s a real awakening that’s needed when it comes to HIPAA. I love in this hangout when Mac says that the patience in Washington for those that aren’t HIPAA compliant is running low. An example of that is another topic we discuss: HIPAA audits. The first round of HIPAA audits was more of a barometer of what was happening. The next round will likely be much more damaging.

Watch the entire HIPAA interview with Mac McMillan to learn even more:

May 20, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 14 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

The Guide to HIPAA Compliant Text Messaging

I’ve written regularly about the need to move to HIPAA compliant text messaging, because Texting (SMS) is NOT HIPAA Secure. To add to that, I recently wrote a post on EMR and EHR about Why Secure Text Messaging is Better than SMS. I throw out the whole “fear of HIPAA” component and paint a picture for why every organization should be moving to a secure text message solution instead of using SMS.

While I think a business case can be made for secure text messaging in healthcare over SMS without using HIPAA, the HIPAA implications are important as well. In fact, Imprivata has put out The CIO’s Guide to HIPAA Compliant Text Messaging, where they make a good case for why HIPAA compliant text messaging is important and how to get there.

The whitepaper suggests that you have to start with Policy, then choose a Product, and then put it into Practice. Sounds like pretty much every health IT project, no? However, the guide also offers a series of really great checklists that can help you make sure you’re covering all of your bases when it comes to implementing a secure text message strategy.

Of course, the biggest challenge to all of this is that everyone is so busy with MU stage 2 and ICD-10. However, when the HIPAA auditors come knocking, I wouldn’t want to be an organization without a secure text message solution. The best way to battle non-HIPAA compliant SMS messaging in your organization is to provide them an alternative.

Full Disclosure: I’m an adviser to HIPAA compliant messaging company docBeat.

January 23, 2014 | Written By John Lynn

Windows XP Won’t Be HIPAA Compliant April 8, 2014

As was announced by Microsoft a long time ago, support for Windows XP is ending on April 8, 2014. For most of us, we don’t think this is a big deal and are asking, “Do people still use Windows XP?” However, IT support people in healthcare realize the answer to that question is yes, and far too much.

With Microsoft choosing to end its support for Windows XP, I wondered what the HIPAA implications were for those who aren’t able to move off Windows XP before April 8. Is using Windows XP when it’s no longer supported a HIPAA violation? I reached out to Mac McMillan, CEO & Co-Founder of CynergisTek for the answer:

Windows XP is definitely an issue. In fact, OCR has been very clear that unsupported systems are NOT compliant. They cited this routinely during the audits last year whenever identified.

Unsupported systems by definition are insecure and pose a risk not only to the data they hold, but the network they reside on as well.

Unfortunately, while the risk they pose is black and white, replacing them is not always that simple. For smaller organizations the cost of refreshing technology as often as it goes out of service can be a real challenge. And then there are those legacy applications that require an older version to operate properly.

Mac’s final comment is very interesting. In healthcare, there are still a number of software systems that only work on Windows XP. We’re not talking about the major enterprise systems in an organization. Those will be fine. The problem is the hundreds of other software systems a healthcare organization has to support. Some of those could be an issue for organizations.

Outside of these systems, it’s just a major undertaking to move from Windows XP to a new O/S. If you’ve been reading our blogs, Will Weider warned us of this issue back in July 2012. As Will said in that interview, “We will spend more time and money (about $5M) on this [updating Windows XP] than we spent working on Stage 1 of Meaningful Use.” I expect many organizations haven’t made this investment.

Did your HIPAA compliance officer already warn you of this? Do you even have a HIPAA compliance officer? There are a lot of online HIPAA Compliance training courses out there that more organizations should consider. For example, the designated compliance officer might want to consider the Certified HIPAA Security Professional (CHSP) course and the rest of the staff the HIPAA Workforce Certificate for Professionals (HWCP) course. There’s really not much excuse for an organization not to be HIPAA compliant. Plus, if they’re not HIPAA compliant, it puts them at risk of not meeting the meaningful use security requirements. The meaningful use risk assessment should have caught this, right?

I’m always amazed at the lack of understanding of HIPAA and HIPAA compliance I see in organizations. It’s often more lip service than actual action. I think that will come back to bite many in the coming years. One of those bites will likely be organizations with unsupported Windows XP machines.

December 12, 2013 | Written By John Lynn

The Coming Physician EHR Revolt

From my blogging viewpoint I’m sensing a growing discontent among doctors that is starting to really heat up. I can’t quite predict when this discontent will reach a boiling point that will start to boil over, but the fireworks are coming. As I’ve watched the past couple of years, doctors were first overwhelmed with all the government regulations. They were confused by everything that was coming out and really just didn’t know where healthcare IT and EHR were headed. That overwhelmed confusion is slowly turning into a reality that many doctors are realizing is changing how they practice medicine. If you’re not seeing this, then you might want to get out and spend some more time with your casual everyday doctors.

One doctor emailed me today suggesting that doctors were being literally “eaten alive” as they are working harder to provide patient centered care. It would be a disservice to doctors if we don’t take the time to acknowledge and understand the enormous pressures that many doctors are feeling right now.

Here’s a quick look at what I believe is the perspective of many doctors I connect with on a daily basis.

Regulations
Everywhere doctors look they’re getting hammered by new regulations. I recently heard Shahid Shah say, “We’re experts in the industry that spend all day thinking about the market and regulations and even we have a challenge understanding what’s going on. Now think about the doctors and administrators which have challenging day jobs and only a small amount of time to understand the regulations. They don’t really understand the details of what’s being regulated.”

This is a reality for many doctors and practices. Is it any wonder that many are happy to sell off their practices to major hospitals? I’m sure that many do so just because they’re tired of trying to understand all the changing regulations they’re required to know.

If we look at just the healthcare IT and EHR related regulations you have: meaningful use, ACOs, ICD-10, 5010, and Obamacare/Healthcare Reform. Any one of those is a challenge to understand and implement. Yet doctors and hospitals are dealing with all five of them simultaneously. Not to mention doctors being asked to participate in HIEs, being graded and rated online, engaging with empowered patients through social media, and embracing a new technology savvy culture while reimbursement lags behind.

Is it any wonder that doctors feel overwhelmed, overworked, and unsure whether they want to continue being doctors? Is this going to lead to a real shortage of medical professionals?

EHR Discontent
Since this is an EHR blog, we should spend some time on the growing discontent with EHR software. I hate to dwell on this, because EHR is going to be the future of clinical documentation. It’s here to stay and no amount of bellyaching and moaning is going to stop EHR software from becoming the de facto standard for clinical documentation. However, just because this is the case doesn’t mean we should ignore the realities that so many doctors are facing when it comes to EHR software today.

Many doctors see EHR as a major time suck. Their EHR software requires them to work longer hours and/or see fewer patients. Over time this usually improves, but we have to acknowledge the initial productivity hit that pretty much every EHR implementation sees. Some clinics never get back to their previous productivity. We’ve discussed the reasons for this over and over again on this blog. We’ll save the list of reasons and ways to avoid those issues for another blog post. However, until all 300+ EHR vendors solve the EHR productivity issue, we’re going to hear more and more stories of how much of a time suck an EHR is to many doctors.

Not all doctors see it this way. Many doctors can’t imagine their practice without an EHR. As we’ve been covering in our EHR Benefits Series, there are a lot of benefits to having an EHR. Many of the benefits we’ve already covered in that series are ways that a clinic can save time thanks to an EHR. However, it can take time for a new EHR user to get up to speed where they can speak the EMR language well. It’s not easy learning a new language, and so this adds to the growing discontent that many doctors feel towards EHR.

Template EHR and Copy Paste
Many EHR vendors have implemented a complex set of templates that doctors can use to be more efficient. It’s a thing of beauty to see a full template pulled into a patient’s chart with a single click. A full patient physical documented with a single click sounds like it should save the doctors a lot of time and make them more efficient. In fact, many have argued that template based EHR documentation is a great way for doctors to achieve higher reimbursement levels since they are better able to document the actual care they’re providing. In the paper world they would have passed on the higher reimbursement because they didn’t have the time or desire to document all of the items they examined and so they just accept a lower reimbursement level. EMR templates made it possible for doctors to finally be reimbursed for all of the care they provided a patient since the templates made it easy to document.

Sounds great doesn’t it? Well, it did until the government realized that EHR software often drove up their costs. This shouldn’t have been a surprise to anyone in the EHR world. I’ve been writing about the ability to increase your reimbursement rates from EHR for over 7 years. However, instead of the government choosing to acknowledge something that was apparent to many in the industry, they decided to blame the increased costs on, you guessed it, dishonest doctors.

Think about the message that we’re sending doctors. First the government tells doctors to start using EHR. Then, the government calls those doctors dishonest for using the tools that the government told them to use. A doctor recently described their perspective as like being stuck in a pit with sly hyenas all around ready to take their bite out of them.

Add in all the recent discussions about copy and paste in EMR’s, and it shouldn’t be any wonder that doctors are gun shy. When they implement technologies to try and make things more efficient they get their hands slapped or even worse.

Reduced Reimbursement and Penalties
In the midst of all the things mentioned above, doctors are also getting hit with reduced reimbursement rates. This is particularly true for those in the general medicine area. They’re being asked to do more to improve patient care, reduce hospital re-admissions, treat the whole patient, etc., and they’re getting less reimbursement.

Plus, now the EHR penalties are hanging over their heads if they choose to not show meaningful use of a certified EHR. I still have my doubts that the EHR penalties will be enforced. I expect there will be a whole series of exceptions offered up which make it so pretty much all of the doctors avoid the penalties. However, that’s still unknown and many doctors see those EHR penalties as just another slap in the face.

Data Data Data
Most doctors see the push for EHR as a way for someone to get at the data in healthcare. In many ways, they’re right. EHR’s were first created as big billing machines to get at the financial data. Now with meaningful use, EHR’s are repositories of other healthcare data. The data is being used to optimize reimbursement (rarely a good thing for doctors). The data is wanted for population health analysis. The data is wanted for public health needs. The data is wanted to be able to facilitate ACOs. Everyone wants a piece of the healthcare data it seems.

The problem from a physician perspective is that everyone wants that data, but it’s not often clear how that data is going to facilitate that doctor being a better doctor. In many cases it won’t and there’s the rub. Almost every doctor I know wants to improve healthcare. So, they don’t have any problems supporting initiatives that improve healthcare, but I think that most of them also sit back and wonder at what cost.

Audits
I don’t know anyone that likes audits. Yet, most doctors are surrounded by a wide variety of audits. RAC Audits are on the way. HIPAA audits are possible and HIPAA is always lingering in the back of most doctors’ minds, especially when you start talking about technology and HIPAA. There are so many unknowns that there’s no place of comfort for those doctors who want to be compliant. Most make a best effort and then push it out of their minds as they try to provide great patient care. Next up are meaningful use audits. You can be sure they’re coming.

Solutions
I wish I could say that I have a bunch of really good solutions available. What does seem clear to me is that most of the challenges that doctors face revolve around the current reimbursement models that we have today. I’m not sure we can fundamentally change those. One interesting option that’s emerging is concierge medicine.

Every doctor I know loves the idea of concierge medicine. When you tell them they don’t have to worry about reimbursement, insurance companies, etc, you see this huge weight lifted off of their shoulders as they wonder what life would be like for them if all they did was provide the best patient care to those who came to their office. The problem with concierge medicine was highlighted in a tweet I saw recently that said, “Concierge Medicine – Does it really work?”

The answer to that question is: it’s still too early to know for sure. My prediction, though, is that concierge medicine will work in certain situations and communities, but won’t be able to provide the widespread change of reimbursement that we need for healthcare to alleviate doctors’ concerns.

When it comes to EHR, concierge medicine is quite interesting. None of the mainstream EHR vendors really work for concierge medicine since they’re all focused around reimbursement and concierge throws that out the window. Plus, think about how few of the meaningful use requirements a concierge medicine clinic cares about. In fact, implementing many of the meaningful use and EHR certification requirements gets in the way of the concierge doctor’s workflow. I expect many doctors would love a concierge focused EHR software.

The other solution is likely going to be EHR vendors yielding to the idea that they’re the database of healthcare. Once they make this decision, EHR vendors can really open up the proverbial EHR kimono and let outside developers really make their EHR useful for doctors across all specialties, all regions, all sizes, and every unique workflow. One company can’t satisfy every doctor the way a community of empowered developers can.

No One Feels Bad for Doctors
I’ve written about this idea before, but almost no one feels bad for what most people think of as “well paid doctors.” Far too many doctors are still driving around Mercedes and BMW’s for most people to feel too bad for them. Compared to many people who don’t have a job at all, I don’t feel bad for them either.

While we don’t have to feel sorry for them, that doesn’t mean we shouldn’t acknowledge the pressures that doctors are facing. Plus, I see this only getting worse before it gets better. As an entrepreneur, I see this as a tremendous opportunity. Plus, I see a number of companies that are working to capture this opportunity. However, far too many companies are blind to this physician discontent. I’m not sure if it’s purposefully blind, ignorantly blind, or arrogantly blind, but many are ignoring it. As I predicted in the beginning of this post, I see this reaching a boiling point soon which leads to some fireworks.

Let me highlight what I’m talking about using the words of a doctor’s message I literally received in my email as I was writing this post:

EMR’s are making it more and more difficult to practice medicine. They used to be fun and helped my daily work. Now, they are getting so complex that it takes much more time to do them. MU is becoming a nightmare for physicians.

February 5, 2013 | Written By John Lynn

HITECH Privacy Compliance Gets Trickier – Meaningful Use Monday

It’s been a very interesting few weeks for privacy protection under HIPAA. Just in case you haven’t had a chance to catch up on them, here’s what’s going on. The OCR has announced the protocols under which it’s going to perform audits required by HITECH.

Here’s how OCR is going to check both you and business associates for compliance with the HIPAA Privacy Rule, Security Rule and Breach Notification Rule. Here’s a summary from the Beyond Healthcare Reform blog from law firm Faegre Baker Daniels:

Privacy Rule:
- Notices of privacy practices
- Right to request privacy protection for PHI
- Access to PHI
- Administrative requirements
- Uses and disclosures of PHI
- Amendment of PHI
- Accountings of disclosures

Security Rule:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards

Meanwhile, there’s the matter of the temperature being turned up on your relationship with your business partners. As things stand, maintaining HIPAA-level control over information once it leaves your facility or office is hard enough. Since 2009, HITECH has required covered entities and business associates to disclose if they’d used information on patients — including for treatment, payment or operations — if the access was through an EMR.

While that’s sticky to enforce, it mostly affects providers, not the business associates in most cases. But things could get a little trickier going forward. A new proposed rule would now require a basic access report applying not just to EMRs, but also to uses and disclosures of e-PHI in a designated record set.

As the Beyond Healthcare Reform blog notes, this could mean that health plans and business associates (if they have a designated record set) would have to provide the access reports for everything, including treatment, payment and operations.

I doubt any of us are surprised to see OCR getting tougher on data sharing; in fact, I’d argue that it’s overdue. The question is whether in the meantime, the near-daily data breaches we see (stolen laptops with unencrypted data, lost data disks) still haunt us. Scary times.

July 9, 2012 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A Misplaced Box of HIPAA Information

Today I found a really interesting article in Utah’s local paper, the Deseret Morning News. In the story, a box of medical charts was lost by UPS after being sent from a hospital to somewhere in Las Vegas for a Medicare audit. You can read the article for all the facts, but essentially the box somehow got misdirected and ended up being bought by a Utah school teacher purchasing some “scrap” paper.

I was kind of surprised by how long it took the hospital to get in touch with UPS after the box was lost. Ok, so I’m not really surprised that the hospital is not watching all of the HIPAA information they sent out to make sure that it arrives safely, but maybe it should. UPS has some pretty incredible tracking tools these days that really aren’t that hard to use.

The other interesting thing to consider is how these types of audits/information transfers happen in an electronic world. I know that we transfer eligibility lists to insurance companies using Secure FTP and that works quite well. We’ve worked with a scanning company that is scanning our old paper charts, and when we need to access one of those old records, they send us an encrypted file through email. That works pretty smoothly.

Unfortunately, I think if a patient wants a record right now or if we needed to send some health information out for an audit (not sure why we would need to) then we’d have to pretty much just print out the electronic record like we do when a patient makes a . In fact, we’ve even made a request to our EMR software company to give us a one click method that will allow us to print the entire chart. It’s a pain to print out everything in the paper chart from what’s scanned in, to prescriptions, to lab results, to referrals, etc etc etc. Any EMR companies have a better way to do this?

March 10, 2008 | Written By John Lynn