If we have learned anything from previous years and the severity of the attacks from cybercriminal activities, it is that the resourcefulness of attacks on PHI have been unprecedented. For the year ahead, we have every reason to believe this will continue and it really is up to us to set a new standard in preparing our organizations for the onslaught.
Start with employee education: This can be achieved in many forms. Don't limit yourself to expecting employees to read long policy and procedure manuals. As well, it is unrealistic to think that once a year canned training or worse, just training upon orientation is enough for the workforce to be armed with what they need to know to safeguard your patients' health information. Education should be creative and provided as often as possible. See a news story about a breach? Use that opportunity to share best practices in how to avoid that happening to you. Want to see how alert your teams are against phishing? Send a bogus email and see how many of them click on the link (to nowhere, since you are managing this), and how many actually report it as they should to appropriate held desk staff. Live interactive educational sessions with "real world" examples of breaches and their consequences will always be most powerful.
Next step, ask employees to share their stories: One thing that I find extremely valuable is to ask your employees to share their personal experiences with HIPAA. Friends and family who have had experiences with no access to record copies, or a provider encounter where the information was not accurate will be eye-opening to those hearing the stories. Another good one is asking your people if they've had any issues with identity theft or medical identity theft. These are impactful because they are actual events that can help those around them understand the risks of a breach of PHI or hacking attacks are not always going to be just the "other guy." This is happening all around us.
The bottom line is that there is just no substitute for focus on the efforts that are being made to get to PHI and how we must all be on guard all the time.
The first OCR fine for 2017 was issued to Presence Health for delay in notifying 836 patients of a breach experienced in 2013. Presence Health met the requirement of notifying HHS of the breach within 60 days after the end of the calendar year in which the breach is discovered (notification took place January 31, 2014).
There have been many articles written about the need to investigate a potential breach, and establish what happened, how it happened and do a thorough job in getting as complete as possible, the names of all individual affected by the breach so that notification can take place. What you don't want to do is forget the breach notification rule that states that for a breach of any size, patients must be notified "without unreasonable delay, but in no case longer than 60 days." Certainly, there are a few exceptions like law enforcement delay and other rare situations, but the rule is clear.
The fine is significant enough, but remember that along with the OCR fine, generally comes a corrective action plan (CAP). In this particular case, there was a requirement to revise existing policies and procedures related to the Breach Notification rule. Training materials would also need to be updated and provided to appropriate workforce members with documentation of the date the training was provided. Evidence of compliance with the CAP is always required.
A couple of key takeaways include noting that the OCR will investigate all breaches and that it generally takes a good bit of time for the OCR to make their determination based on information requested and provided. The fine, if infractions are identified will follow and the CAP will take resources and an investment on the facility's part. Breaches and their impact are significant and the financial costs associated with them run deep.
Read the full article here
CYBERCRIME UPDATE
The rise of cybercriminal activity in healthcare is cause to review current security protocols and practices.Since 2017 is well underway, this may be the right time to modify HIPAA policies and procedures, check those business associate agreements, formalize a breach response plan and carefully review update your security risk analyses.
It didn't take very long for the bad guys to figure out where the valuable ePHI resides and they've made quick work to targeting health plans and healthcare organizations across America. In 2015 alone through 57 large breach events, over 112 patients' data was compromised.
At the present time, based on end of year 2016 data from the OCR wall of shame, nearly 75% of the total number of patients impacted are a result of hacking activities. The number of patients affected by hacking healthcare organizations alone is about 128 million!
Because insider threats remain the best gateway for cybercrime activities, healthcare organizations should take the time to update their HIPAA education arsenal. One of the best defenses is an informed workforce. Periodic reminders with real-life events as examples serve as an excellent way to keep the workforce informed that what they do, makes a difference. Another effective solution is to provide examples of how emails that look authentic can simply be an invitation and gateway to the intruders. Help your workforce be your best first-line defense!
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
HIPAA Compliance audits are scheduled to resume later this year with an anticipated 1,200 to be conducted between 2014 and 2015. The word is that 800 covered entities will be audited and 400 will be completed for business associates. The interesting twist is that covered entities will be asked to provide names of their business associates and it is anticipated that the selection may come from this submission.
The initial round of audits was referred to as "friendly" audits, conducted by KPMG, a contractor for the OCR. This round will be manned by OCR staffers who, as we speak, are being trained for this mission. Important for all interested parties to keep in mind that the funding for this project will come from fines assessed based on organizations who have failed to prepare properly for HIPAA compliance.
Since over 25 million dollars in penalties have been assessed thus far due to "willful neglect," meaning disregard for attempting to comply with the requirements of the final rule, it can be reasonably expected that OCR auditors will be swift to levy fines for those who have failed to take steps to prepare.
We've been given ample time to prepare. After all the HITECH Act of 2009 laid the foundation for business associate compliance and the Final Rule was published in January 2013. So for all the procrastinators out there, the clock is ticking at a heightened pace and you cannot delay any longer. Get the facts, scale up or down to the size of your organization and just get it done!
At the AHIMA convention October 26-30, 2013, much of my time was spent on HIPAA privacy and security. No surprises there, right? It has become pretty clear by now, that this is a major focus area for me. After 2 full days in the privacy and security institute, which was fantastic, by the way, and another 3 days making the rounds in the privacy and security education tracks, there were a couple of observations that were a bit concerning.
UNDERSTANDING HIPAA COMPLIANCE REQUIREMENTS: By now, HHS has made it abundantly clear what is required to both covered entities and business associates. If you have followed HIPAA breach news at all in enforcement efforts, you know that fines are being assessed. What's more, the OCR promises to audit business associates from this point forward now that they are included under HIPAA Omnibus. We have seen varying degrees of preparedness by business associates ranging from statements about their platform compliance to those who say, "Well, we have never experienced a breach," to those who think their business associate agreement is all that is needed. Really - are you sure about that? If there are no policies in place or education for your staff to understand incident reporting requirements, how do you really know if you've ever had a breach?
MANY BUSINESS ASSOCIATES ARE NOT PREPARED: With the HITECH act of 2009, we knew about the extensions of HIPAA to business associates and should have been fully prepared since or before that time. We have had access to the HIPAA audit protocol since the summer of 2012. This is an absolute roadmap to a solid compliance strategy. It is not difficult to understand exactly what is needed for compliance, yet many business associates continue to fall short. Here is a case to consider that should give you considerable pause: If a business associate hires an employee and provides that individual with a desktop computer or laptop to do their work, and the employee a year later, suddenly disappears without a trace from the workforce with said computer that likely contains PHI (it happens all the time, folks), is that a breach? Does that business associate know how to reasonably account for the potential PHI on that system? Without policies and procedures, a breach notification response team, and reporting processes through the required 4-step risk assessment, will the covered entity even be notified?
COVERED ENTITIES ARE UNCLEAR ON DUE DILIGENCE: There is an expectation of due diligence steps to be undertaken by covered entities in ensuring their business associate partners have taken appropriate steps towards compliance. This is one of the single most important steps healthcare organizations and individual providers should be taking to protect their patients' PHI. The new guidance from AHIMA clearly mentions the value and importance of this key step in the process. Yet, still today, this is not happening on nearly a wide enough scale.
KEY TASKS TO DO (yesterday) NOW:
Business Associates -
1. Do not delay in preparing to comply with all regulations under HIPAA
2. Get your policies and procedures documented (privacy, security, breach notification)
3. Train ALL workforce members and document that training has taken place. Hold them accountable for what they have learned.
4. Update your BAAs - this is particularly important for those who hire independent contractors.
5. Conduct your comprehensive security risk analysis. Yes you do have to do one, regardless of the size of your organization and it must be documented.
Covered Entities/Providers -
1. Make a list of ALL business associates.
2. Make sure that they have signed your updated business associate agreement - even if it is not due yet, proactively get these completed.
3. Ensure that you know where the work you are outsourcing is being performed.
4. Ask for evidence-based proof of compliance (excerpts from policies, copy of BAA, risk analysis, etc.).
5. Ask for the name of your business associates' privacy officer - get their name and contact information and establish open dialogue about their compliance efforts today!
Compliance does not have to be expensive or burdensome, but it is required. Failure to comply with HIPAA can lead to an automatic willful neglect penalty. With over 12 million patients impacted by business associate breaches since 2009, there is clearly much room for improvement in practices along with baseline requirements of the law. If you want more information on how we can help, contact us here.
AHDI has published a position paper that was released at the annual convention in Indianapolis earlier this month. In this paper, the association presents the current state of healthcare documentation and why it is essential to consider a more flexible compensation model that takes into account the many other duties of the professional medical transcriptionist.
In a recent article published in For The Record, Sherry Doggett, President of AHDI states "There are many things that medical transcriptionists perform in many scenarios in the work envionment that really are not conducive to production pay." Additionally, healthcare documentation specialists (MTs) are often asked to move from one computer to another, a different transcription platform or system, work back and forth between straight transcription and speech recognition, work multiple accounts and different doctors through a single shift. All of these transitions are counter productive.
Take into consideration different account specifics that vary within a single account to accommodate different physicians' style and add the numerous queries and flags MTs notate throughout the day, the corrections they must make to errors during dictation. These things take time - uncompensated time and you have the makings of upheaval that may erode the future of this important sector. When allied health professionals consider their work to be of decreasing value and say they work in a "sweatshop for minimum wage," it is beyond time to pay attention to the type of comments seen here.
Year after year, healthcare documentation specialists have been asked to do more for less while the commoditization of this profession has been squeezed from every angle. It is considered a cost center when there has been a failure to recognize the value of this knowledge-based field. Consider coding. How can coders code without the documentation that tells the unique patient's story and is the basis for coding? How is it we will be able to move successfully into ICD-10-CM/PCS without better and more specific documentation?
It is interesting to observe the conflicting opinions about whether or not front-end speech is better for quality patient care. On the topic of front-end speech, Jeffrey Linder, MD believes that "physicians are more likely to see and respond to alerts if they are using an EHR." While the AJR published a study that revealed a 23% error rate in front-end speech compared to 4% in dictation/transcription reports.
In all the efforts to employ technology to improve healthcare, the technology advances absolutely have their place and merit in moving us away from paper. That said, providers are faced with more demands, larger case loads and in truth they need choices that suit their preferences that will lead to efficiencies. Forcing any one solution on multiple providers will be met with resistance and will not accomplish the goals of patient safety and better outcomes. Rather, in a current article, Nick vanTerheyden, MD states "The most appropriate means of documentation is the one that is most effective and productive to a physician's workflow. It will take a combination to deliver the highest clinican satisfaction."
When all is said and done, it seems that in order to get more information, meet the needs for the clinical documentation improvement required for ICD-10-CM/PCS, and achieve meaningful use goals, healthcare organizations that intentionally keep dictation and transcription as well as other options will come out on top. Looking at creative compensation methods for the professionals behind the scenes that help produce these quality documents from which coding and billing take place must move higher in priority in order to keep them engaged. Many have left the profession already due to poor compensation and we cannot afford to lose any more at a time when the language of medicine is a premium concern. We must value these hard-working professionals and look at other areas for controlling costs in the revenue cycle.
In a couple of recent articles that are not connected, there is an underlying connection. One, in "For the Record" discusses The Hazards of Note Bloat and the unintended consequences of having a lot of information that doesn't truly say much about the complexity of the patient's condition, not to mention that it is "difficult to view, notes lengthen and errors accumulate." But wait, aren't EHRs supposed to reduce errors? The article goes on to explain how narrative (dictation/transcription) notes have been reduced, but not completely eliminated. It also discusses speech recognition and its implementation this month.
The next article talks about the value of outsourcing as a cost-savings process to reduce costs and how this is happening in a big way in Canada. This model has been shown again and again to be cost effective and many hospitals across the US have already embraced this practice to help reduce costs.
In yet another article, 3 major healthcare groups were identified as having caught the financial flu and are not doing particularly well at this time.
In reviewing the 3 unrelated articles, it became apparent that there may be a myopic view of how to balance reducing costs with optimal EHR utilization. Consider this. EHRs are here to stay. We need them and the value they bring to healthcare overall. What we don't need is documentation that doesn't improve the quality of the patient encounter. We need streamlined, content-rich, not bloated notes that drone on endlessly with what the previous note stated. We need to optimally enable physicians so they have the time to see a growing patient population, not spend endless hours doing their own data entry. We also must get the level of detailed specificity now that will be needed as the ICD-10 date edges ever closer. Healthcare organizations must be fiscally healthy enough to provide care and continue to be viable as baby boomers get to Medicare age. So yes, they do absolutely need to cut costs in the right places but keep those that enhance their revenue capabilities.
Here's the conundrum in summary. If healthcare organizations and hospitals focus only on reducing costs at the expense of eliminating medical transcription/editing, they are using a tunnel vision approach that will reduce costs but will simultaneously fail to optimize reimbursement. Complete, detailed documention renders optimal coding, which leads to appropriate and optimal reimbursement. If this process becomes muddy through "note bloat" or abbreviated input from extremely busy clinicians, the revenue cycle process may breakdown and the endless cycle of trying to reduce costs and not optimize documentation will continue.
Stop the broken cycle of cost-cutting measures as the only option. It's time to see the bigger opportunity and realize the value gained in the outsourced model of quality dictation/transcription and speech editing process to capture all the details needed for ICD-10 today. This can get healthcare organizations over the financial flu and on the road to recovery. By adopting a practice of excellent documentation practices, these 3 unrelated items can become related in a way for long-term success with the EHR and improve patient outcomes as one of the most important goals.
