Ready or Not, Here Come HIPAA Audits

Salud Family Health Centers, headquartered in Fort Lupton, Colo., is a federally qualified health center with clinics in nine towns and a mobile unit, with about 100 medical, behavioral health and dental providers. All clinics are medical homes and all eligible professionals have attested to Stage 1 for the electronic health records meaningful use program.

All of those meaningful users attested they’re compliant with the HIPAA privacy and security rules. That attestation could be put to the test if Salud is randomly selected to be audited for HIPAA compliance in a national program the Department of Health and Human Services’ Office for Civil Rights (OCR) is looking to launch by late this year, following a 2012 pilot program.

The audit program is sending a chill down the spine of health I.T. leaders. Data security and privacy has become such a complex undertaking that many know holes exist, but can’t pinpoint where they are in their expanding data infrastructures. And the feds have proven, most recently with the Recovery Audit Contractors (RAC) program, that they’re willing to use a take-no-prisoners approach, especially when there’s money on the line (through the end of 2011, the program had recouped Medicare payments of $3.1 billion).

Under the HIPAA compliance audit program, an organization that has attested and later is audited and found not to be in “good faith compliance” with HIPAA could face penalties, including giving back the meaningful use incentive money.

Salud CIO Randy Kuehntopp is making sure that won’t happen, and not surprisingly has full support from the CFO, who “really likes the meaningful use money,” he notes. Since coming to the organization in March 2011, Kuehntopp has been working to boost HIPAA compliance.

All data at the health center is encrypted; a privacy/security consulting firm has conducted an audit; e-mails are scanned for protected health information; computer access is logged; network security gaps have been filled; and policies and regulations are being updated and expanded.

The organization also plans to buy online HIPAA training courses to augment staff education and document that employees are annually taking and passing the privacy and security courses.

Kuehntopp came to Salud from the Colorado Blues plan, which not only has to comply with HIPAA rules, but with the Sarbanes-Oxley financial law and its security requirements that “scared the hell out of the plan,” he recalls.

Getting religion

With HIPAA now strengthened by new regulations and being more stringently enforced with the audit program, as well as major fines OCR has levied against a dozen provider organizations in recent years, CIO Kuehntopp believes others who haven’t gotten religion about security are getting wiser. And with the fines, now capped at $1.5 million annually and newly applicable to individuals, becoming a source of revenue for OCR, “people are now thinking, ‘Well, maybe we’d better be careful,’” he says. “It’s not just the company at risk, individuals also are liable.”

Chinese Community Health Care Association in San Francisco also is beefing up its information protection. The independent practice association in 2012 contracted with a security consulting firm to conduct Web-based mock HIPAA audits covering 29 physician practices. With the practices using electronic records remotely hosted and encrypted by vendor NextGen Health Information Systems with no data residing on computers, the IPA is filling in security gaps and soon will contract with an attorney to tackle perplexing legal issues that could arise.

The organization, which attested to Stage 1 EHR meaningful use last year, would be doing this work even if audits were not on the horizon, because it simply is the right thing to do, asserts Jonathan Everett, director of information technology at the independent practice association of Chinese Community. And it doesn’t hurt that the IPA’s three other leaders are into information technology, he adds.

A random HIPAA audit is not anything to be afraid of, Everett says. “Plan for the worse and hope for the best. Be prepared for it to happen, just like the Joint Commission coming through. As long as you can show what you are doing and there is nothing malicious, everyone’s reasonable.”

The day-long Privacy & Security Workshop on March 3 during the HIMSS13 Conference in New Orleans was a wealth of good information on preparing for a HIPAA audit, with all presentations available at himssconference.org.

Here’s a nice tip from presenter Mary Brandt, vice president of health information management at Scott & White in Temple, Texas: “Set your policies at a reasonable level, not a high level, because you will fail. But an auditor will hold you to your higher level. Set your policies at ‘reasonable’ and then make sure your people comply.”

At the workshop, Mark Dill, director of information security at Cleveland Clinic, walked through how to make a Book of Evidence in two weeks that holds all the documentation needed for an audit (see story, page 28). “We have a very simple toolbox, there’s nothing to it,” he says. Dill primarily used Microsoft SharePoint for the project. Covered entities can use a variety of other tools, some already present in information systems, to secure data and track and document compliance with HIPAA requirements.

What OCR wants

The HHS Office for Civil Rights, now reviewing the results of its pilot HIPAA compliance audit program, is planning not only a more streamlined audit process but an expanded pool of organizations audited in the permanent program as well, says OCR Director Leon Rodriguez.

The agency in the coming months will complete its assessment of the pilot, announce findings and put together the permanent program, with the hope of starting in fiscal year 2014, which begins on Oct. 1, 2013. Rodriguez says that the scope of the program is not final.

Consulting firm KPMG conducted the pilot audits and assessed compliance with 169 requirements under the HIPAA privacy, security and breach notification rules. Now, OCR is learning which gaps in protecting health information cause the most breaches. “We want to hit more entities and be more focused on parts of the privacy and security rules for which breaches are at high risk,” Rodriguez says. “We want to be focused on the things that really matter in terms of compromising patient confidentiality.”


Allscripts Drops Lawsuit Against NYC Hospitals

Physician and hospital software vendor Allscripts has withdrawn its lawsuit filed in December against New York City Health and Hospitals Corp. after the delivery system awarded an electronic health records contract worth more than $300 million to Epic Systems Corp.

Chicago-based electronic health records software vendor Allscripts has issued the following statement on the legal action: “Allscripts Healthcare Solutions, Inc., has discontinued its legal action against the New York City Health and Hospitals Corporation regarding the award of the Integrated Clinical Information System contract and looks forward to having the opportunity to work with HHC on other matters in the future. The NYC Health and Hospitals Corporation is pleased that Allscripts has withdrawn the lawsuit.”

Allscripts in October 2012 filed a protest of the award, arguing the final bids differed by only $4 million but its system’s total cost of ownership was hundreds of millions of dollars less. On Dec. 13, the company filed suit arguing that HHC’s award “for myriad reasons, is arbitrary, capricious, an abuse of discretion, and lacks a rational basis.”

Allscripts on Dec. 17 issued an explanation for its lawsuit. Among its arguments, the company noted that “In these times, it is critical that public procurements be awarded through the conduct of fair competitions that objectively assess the merits of competing proposals and document a reasonable basis for the decision.”


Squeezing out the Revenue

When it comes to managing the revenue cycle, David Kanzler takes a pragmatic approach: he outsources a good chunk of it. “The management of billing and collections has become so sophisticated and technical that it’s hard to justify doing it ourselves,” says Kanzler, the CEO and CFO of Hinsdale (Ill.) Orthopaedic Associates, a 25-physician group practice which provides a wide range of procedures including sports medicine, total joint replacements, hand surgery and spinal fusions.

Four years ago, Kanzler turned over all post charge-capture activities to Chicago-based Origin Healthcare Solutions. The practice codes its services, then hands over claims submission and related follow-up activities to Origin, explains Margarita Cuadra, revenue cycle director. “Billing gets more difficult every year,” Kanzler moans. “And payers come up with new and novel ways to reduce payments and deny claims. So I need to leverage the expertise of a company thinking about this 24 hours a day.”

In an industry laden with revenue cycle woes, Kanzler has plenty of company. While not everyone outsources the work to the extent Hinsdale Orthopaedic has, most providers bemoan what they describe as the growing complexity of managing the revenue cycle. The hurdles are many, from a proliferating number of payer edits (particularly from Medicare) that define the documentation required to justify payments, to ever-increasing financial obligations being handed over to patients, obligations which providers must collect. Then there are disparate clinical and financial information systems.

Outsourcing the back-end of the revenue cycle is always an option. Many providers have no qualms about surrendering a chunk of their revenue to a firm well-versed in dealing with claims submissions, denials and appeals. But only so much can be outsourced. That’s why providers are increasingly revamping their workflows on the front-end of the revenue cycle to avoid downstream delays and denials. Talking with patients upfront about their financial obligations is a new segment of workflow for many, one that requires a cultural shift and newly defined staff roles.

In essence, providers are taking a longitudinal approach to the revenue cycle and working more closely with the clinical departments whose documentation drives it. Some are consolidating their financial and clinical systems in an effort to streamline front-end charge capture. Others are using revenue cycle dashboards to monitor the cash flow and identify possible bottlenecks. No one finds it easy, and emerging fee-for-value payment models are adding more uncertainty to the entire revenue food chain.

Managing the revenue cycle is now front and center in the industry. But it wasn’t always that way, says Steve Matteson, vice president of Pittsburgh-based Simpler Consulting, whose services include revenue cycle analysis, workflow mapping and system implementations. “In 2009, after the financial crisis, everything changed,” he says. “Before then, faith-based providers did not want to talk about money, but today all our health care clients want to start with the revenue cycle. It can be very convoluted.”

Matteson usually spends a week just mapping out an organization’s revenue cycle workflows, documenting all the steps required and the staff involved. “The number of people, the amount of time, and the dollars involved are great,” he says. “Clients don’t have the end-to-end view. Charge capture is a big source of leakage. CFOs worry about it, but they don’t know where the holes are.”

Orlando Health, an eight-hospital delivery system in central Florida, is among those providers taking an expanded view of the revenue cycle. “In the past we’ve focused on improvements in financial systems and processes,” says Tom Yoesle, chief operating officer, revenue management, at Orlando Health. “Now we’re looking at clinical systems and where we can improve data feeds and the numerous data elements” that drive reimbursement.

One major effort has revolved around revamping high-dollar order sets in such areas as cardiology and chemotherapy. Many claims wound up denied, and the revenue cycle staff had to focus on working the denials. Orlando Health is attempting to build in stronger medical necessity rules in its ordering process to either steer physicians to lower-cost (and covered) options or clarify the documentation needed to justify higher-cost drugs. “We are always looking at standard orders that spawn medical necessity issues, denials and appeals,” he says.

But all that work only reduces, not eliminates, the degree of difficulty, Yoesle emphasizes. “You can set up a great order set, but Medicare changes the rules on a dime,” he says, referencing the “edits” that CMS regularly disseminates as part of its ever-changing landscape of documentation requirements and payment policies. Orlando runs an inpatient EHR from Allscripts, which feeds data to its registration and billing system from QuadraMed. Getting the systems in synch requires a high level of cooperation between clinical departments and the revenue cycle staff. “You have to bridge the knowledge gap between the revenue cycle and the clinical management,” he adds.

Yoesle says revenue cycle issues span both “low-hanging fruit,” or issues that are relatively easy to fix, and “great, big audacious ones,” namely big-ticket claims that wind up getting denied. Orlando Health is tackling both, he says.

The low-hanging fruit included expensive drugs ordered as part of infusion procedures. Physicians were ordering Procrit injections for anemic cancer patients and those undergoing major surgery, among others, and they’re an expensive treatment that often isn’t covered. “Physicians might have ordered it in their practice and had it covered. But it is a different requirement when you are ordering the test to take place in the hospital,” Yoesle explains.

To handle a likely denial, Orlando began monitoring the scheduling of procedures using the drug and then giving feedback to physicians about how extra documentation would be required to meet medical necessity rules for the procedure.

Controlling outlays for big-ticket chemotherapy drugs has proven to be a tougher challenge, Yoesle says. To address the problem, Orlando revamped order sets used in chemotherapy and oncology. The pharmacy staff played a big role in writing precise, bulleted information points to add to the order sets. The bullet points clarify the documentation needed to support given drugs and also suggest lower-cost alternatives. “Laying that out in a clean order set is crucial,” Yoesle says. Many of the chemo claims wind up being denied by Medicare. In a recent month, some $256,000 was denied based on medical necessity, or about 20 percent of the chemo claims, Yoesle estimates. “We did a great job modifying chemo orders and increasing communication between pharma, case management and physicians,” he says. “But we were still seeing denials.”


Analytics: The Top ACO Goal

“All indications, from survey results, discussions with health care thought leaders, and technology suppliers, are that analytics is number 1 on the agenda for health care organizations engaging in accountable care.”

That’s the bottom line of a new report, from research firm IDC Health Insights, based on interviews with industry experts and vendors, and a survey last May of 40 hospitals and 30 insurers. The survey found that advanced analytics (50 percent) and data warehouses (46 percent) were the highest investment priorities for accountable care. Advanced analytics includes streaming data monitoring and analysis, text mining, and social graph analysis, among other functions.

Two-thirds of survey respondents point to identifying patients in need of management, clinical outcomes, and performance measurement and management as types of analyses they intend to conduct. Respondents also cite claims, clinical structured data and care management data as primary sources of information to identify and manage chronic patients.

Organizations are not only investing in new analytics capabilities, but modifying existing analytics technology and hiring or redeploying staff into analytic and informatics roles, according to IDC. “As with other technology developments, providers lag health plans in their investment plans,” according to the report. “While all health care organizations are challenged with the number and complexity of I.T. priorities, hospitals have unique challenges as they complete electronic health record installations or replacements, and strive to meet the requirements of meaningful use as well as other federal and state mandates.”

The report, “Business Strategy: Analytics Leads Accountable Care Investment Priority,” costs $4,500. More information is at idc-hi.com.


Editor’s Note: Analyzing the Real World

A recent report by research firm IDC Health Insights tagged analytics as the No. 1 technology priority for organizations engaging in accountable care, which is basically every organization in health care in some form or fashion. As luck would have it, our July analytics show is squarely focused on how analytics will support, or in many cases fundamentally create, value-based health care systems. (The Web site for the Healthcare Analytics Conference & Symposium, running July 15-17 in Chicago, is www.healthdatamanagement.com/conferences/hcs/).

During the initial planning for the inaugural show last year, we decided to focus on a gap in the market: while analytics was becoming a must-have capability for hospitals, group practices and payers, there were no live events focused on the real-world experiences of implementing analytics technologies and programs, and trying to make sense of the output. The 20,000-foot view doesn’t really help health I.T. leaders build new intelligence into their operations, especially when the ground is shifting under their feet. So we wanted to pluck the discussions out of the realm of the theoretical and bring them into the world of the practical.

This year we continue to focus on the real world. We have an analytics workshop to kick off the event to ensure everyone’s speaking the same language, and then we get deep into the implementations and results from providers focusing on accountable care, Big Data, ICD-10, population health, hospital readmissions, hospital-associated infections, surgical analytics, measuring the ROI of electronic records and a slew of other urgent clinical and financial issues. We’re running Clinical and Operational tracks to ensure attendees have opportunities to get ideas about how to incorporate analytics across their enterprise.

What’s fascinating about analytics is that it truly is a new frontier and our speakers and the organizations they represent, be it Stanford or Mayo Clinic or Akron General Health System, face the same decision points and struggle with similar issues, most notably data governance and quality, no matter what their resources.

Every session at our conference is based on real-life experiences about making design, implementation and governance decisions to produce data that drive critical short-term and long-term decisions. I urge you to join us in Chicago this summer to hear about what works and what doesn’t in the real world.
