
8/14/2017


It’s 2017! Time to Bullet Proof Your Practice!

Jeffrey Lewin, DC, CCSP

info@kmcuniversity.com

754-300-2269

We have a ton to cover! Don’t try to write everything down.

Complete the form being passed around and we will email you a complete copy of every slide in this presentation.

Do You Feel Like This?


Or This?


Learn the Basics to Reduce Your Risk

•Many DCs don’t know what they don’t know, when it comes to compliance in healthcare today!

•OIG Compliance is that rule book that many don’t know they must follow

Let's be clear

•None of this is new

•Compliance has been around for decades

•The difference now is that auditors, insurance companies and the government are bothering to look!

•Now for some “Risk Management”


Who is the OIG?

•Office of Inspector General's (OIG) mission is to protect the integrity of Department of Health & Human Services (HHS) programs as well as the health and welfare of program beneficiaries.

OIG Compliance vs. HIPAA Compliance

•OIG Compliance relates to fraud and abuse

•Documentation, coding, billing and patient financial inconsistencies

•Medical necessity and erroneous payment demands

•Federal programs with extension through Office of Audit Services

•HIPAA requires covered entities to have contingency plans that establish policies and procedures regarding protected health information

•HIPAA also administered by HHS

•Office of Civil Rights

Seems like we’re always waiting for the other shoe to drop…

IT FINALLY HAPPENED!

AFTER WARNING CHIROPRACTORS FOR OVER 3 DECADES…

WHAT HAPPENED?

$359 million


[Chart: visit numbers increased while medical necessity decreased]

Should Chiropractic Visits Be Limited?

Lack of Medical Necessity

-Incorrect Coding

-Insufficient Documentation

OIG: 82% error rate, 105 claims

CMS: 51.7% error rate, 451 claims


AUGUST 2015 – BUSY YEAR!

• CERT shows a decrease in improper payments for the last 5 years

• Chiropractic improper payments went up!

WHAT THEY FOUND

• High visit #

• Maintenance

• High potential up coding

• Beneficiary sharing

• Unlikely # of services

• Fraud

AUGUST 2016

“Establish adequate policies and procedures to ensure that chiropractic services billed to Medicare are medically necessary, correctly coded and adequately documented.”

WHAT DO YOU THINK?

STATISTICS BEING MANIPULATED?

PROBLEM WITHIN CHIROPRACTIC?

CONTINUATION OF AMA CONSPIRACY

IS CHIROPRACTIC ITS OWN WORST ENEMY?

The Gospel According to KMC…

•“It’s ridiculous to think that in 2017 you can run the business of healthcare without a mandatory compliance program. It’s tantamount to thinking that you can adjust without going to chiropractic school.”

Your Compliance Program! Just Do it!

•The truth is, we've been told that since 2001.

•Get your policies and procedures and OIG compliance plan in place.

• It's too easy to do, and if you don't know how, ask us! We teach this every weekend!! Don't delay.


Why Implement a compliance program?

Integrate policies and procedures into the physician’s practice that are necessary to promote adherence to federal and state laws and statutes and regulations applicable to the delivery of healthcare services

Is it Mandatory?

•Came out of the sentencing guidelines

•Affordable Care Act: Mandatory Compliance Plans included thanks to Obama Care (PPACA)

•CMS has NOT finalized the requirements

•CMS will advance specific proposals at some point in the future

A “Program” is not a “Manual”

Getting Started with OIG Compliance

OIG Report Facts

•The OIG is not “out to get us all”

•There is enough “low hanging fruit” to take care of the federal budget deficit

•Be aware of the specific errors pointed out in the reports like this

A Warning that Should be Heeded


Another Recent Decision

Your Office Compliance Program

• Customized to your individual practice

• No two are the same because no two practices are exactly the same

• Provides a mechanism to ensure office compliance with all applicable laws, rules, and regulations

Parts of an Effective Office Compliance Program

• CMS/Medicare

• OIG compliance

• HIPAA

• OSHA

• CLIA

• Anti-Kickback Laws

• Stark Laws

• State laws

• Employment Laws

Step 1- Implement Policies and Procedures

Why You Need Both

•Policy: This is how and why we do things here

•Procedure: Standard Operating Procedure (SOP)—It’s how we implement the policy we’ve decided upon.

Know and Apply These Two Important Concepts

•A clear knowledge of both policy and procedure ensures a proper compliance program.

•Every issue may not need both

•Less is not more in this instance!

• It’s a journey, not a destination.


Step 2- Compliance Officer or Contact

Step 3- Employ Comprehensive Education and Training

Step 4- Enforce Disciplinary Standards

Step 5- Respond Swiftly to Detected Offenses


Step 6-Internal Audits and Monitoring

All Kinds of Auditing

•Initial baseline audit

•Periodic E/M audits

•Periodic medical necessity audits

•Coding audits

•EOB audits

Step 7- Open Lines of Communication

Install Your Program

•Create materials yourself

•Train on the concepts and then document your decision making

•Create policy

•Create or refresh procedure

•Train everyone on policy

•Sign off

Can take 2-12 months depending on what you start with

Maintain Your Program

•1-3 hours per month

•Go-to resource

•Got a question? Is there a policy for that?

•Create more policy and procedure as you go

•Keep to a compliance calendar

Daily, Weekly, Monthly Duties

Daily: Ongoing monitoring

Weekly: Team meeting training; review recommended concerns

Monthly: Compliance meeting with doctor; spot check 1-4 notes per provider; random EOB review; EOB denial review


Annual Duties

• Complete baseline audit of 5-10 charts per provider

• Conduct coding audit

• Review provider contracts

• Review all existing policy and procedure and update as necessary

• Annual compliance meeting with team

• Renew the Code of Conduct

• Confirm key team members completed annual training

• Conduct formal compliance training with the entire team

As Needed Duties

•Initial compliance training for new team members, within 10 to 90 days of employment

•Ongoing and remedial training based on audit findings or spot check findings

•Ongoing case work for compliance incidents

Getting Started with HIPAA Privacy

A KMC University Rapid Tutorial


What is HIPAA?

•HIPAA = Health Insurance Portability and Accountability Act

•Or…Helping Increase Paperwork Across America

Should You Bother With Compliance?

Cardiac Practice Fined for Failing to Shield Patient Information

The Federal government fined a Phoenix cardiac medical practice $100,000 for posting patient appointment information online.

HHS investigation could find no policies and/or procedures and few safeguards to protect PHI.

There was no documentation showing employee training, no risk analysis was conducted, and there was no designated privacy or security official.

HIPAA Privacy

•Protection for the privacy of Protected Health Information (PHI)

•Sets the standard for how to maintain privacy for personal information and focuses on confidentiality


What’s Permitted?

•Disclosure to the person that is the subject of the information

•TPO: Treatment, Payment, Healthcare Operations

•OK for care coordination

•Billing & collections activities

•Business management, admin, QC, audits, training

Uses and Disclosures for Treatment, Payment, and Health Care Operations

•To avoid interfering with an individual’s access to quality health care or the efficient payment for such health care, the Privacy Rule permits a covered entity to use and disclose protected health information—with certain limits and protections—for treatment, payment, and health care operations activities.

7 Steps to Achieve Privacy Compliance

1. Install a Privacy Officer

2. Define Minimum Necessary for Your Office

3. Write HIPAA Privacy Policies and Procedures

4. Customize Your NPP (Notice of Privacy Practices)

5. Train Your Team Members

6. Monitor Your Active Privacy Program

7. Initiate Business Associate Agreements

It’s the Rule!

•Assigning a Privacy Officer (PO) is part of HIPAA law

•Someone has to be in charge

•Better when the PO is someone other than the doctor

•The buck must stop with someone

What Makes a Good Privacy Officer (PO)?

Competencies

•Project Management

•Communication Proficiency

•Change Agent

•Ethical Conduct

•Learning Orientation

•Technical Capacity

•Thoroughness

Install a Privacy Officer

Choose someone able to:

•Understand the intricate rules and guidelines that govern HIPAA

•Apply updated guidance and new HIPAA rules and regulations

•Comfortably work alongside practice leadership


Minimum Necessary

• Develop policies and procedures that reasonably limit disclosures of, and requests for, protected health information for payment and health care operations to the minimum necessary.

• Develop role-based access policies and procedures that limit which members of the workforce may have access to PHI for TPO based on those who need access to the information to do their jobs.

• Not required to apply the minimum necessary standard to disclosures to or requests by a health care provider for treatment purposes.

What is the Minimum Necessary Standard?

•According to HHS, this is a “reasonableness standard” to limit unnecessary sharing of medical information.

• The standard is developed by each individual practice; it is based on best practices and guidelines already used by many providers.

First Step- What is the Minimum?

•What PHI access does your Front Desk staff need in order to carry out their job duties?

•What PHI access does your Back Office Assistant need to accomplish his/her responsibilities?

•What PHI access does your Billing Manager currently have, and how does that access help him/her carry out the job duties associated with the position?

What is Necessary?

•Develop Role-Based Access to PHI

•Document Access Privileges and Restrictions

•Communicate or Set restrictions in Practice Management Software and EHR programs

[Diagram of PHI access by role (CA, DC, MT)]

General Privacy Rules

•Minimum necessary defined

•Notice of Privacy Practices

•Safeguarding and storing PHI

•Emailing and Faxing PHI

•Business Associates

Patient Rights

•Access to PHI

•Accounting of PHI disclosures

•Amending PHI

•Filing complaints

•Restrictions of permitted PHI use


Write HIPAA Policies & Procedures to Minimize Incidental Uses and Disclosures

•Unintentional

•Overheard phone conversations at the front desk.

•A patient passing a room where treatment is taking place

•Everyday operations

Write HIPAA Policies & Procedures Accidental Disclosures

•Faxing or emailing PHI to the wrong destination

•Disclosing PHI to an unauthorized person

•If harmful, must be disclosed to the patient

•Always included in non-TPO disclosure log

Write HIPAA Policies & Procedures Sample for Faxes

PRIVILEGED AND CONFIDENTIAL: This document and the information contained herein are confidential and protected from disclosure pursuant to federal law. This message is intended only for the use of the Addressee(s) and may contain information that is PRIVILEGED AND CONFIDENTIAL. If you are not the intended recipient, you are hereby notified that the use, dissemination, or copying of the information is strictly prohibited. If you have received this communication in error, please erase all copies of the message and its attachments and notify the sender immediately.

Write HIPAA Policies & Procedures Sample for Emails

This email, including any attachments, may include PRIVILEGED AND CONFIDENTIAL information and may be used only by the person or entity to whom it is addressed. If the reader of this email is not the intended recipient, or his or her authorized agent, the reader is hereby notified that any dissemination, distribution, or copying of this email is prohibited. If you have received this email in error, please notify the sender by replying to this message, and delete this email immediately.

Write HIPAA Policies & Procedures EOB’s and COB’s

•When coordinating benefits, blacken any other patient’s PHI on EOB

•Remove anything that does not apply to the claim

•Otherwise it is in violation of HIPAA law.

Write HIPAA Policies & Procedures Use of Photographs

•Permitted but must be out of the public view

•As part of a testimonial or other marketing effort but you must have authorization

•Can include them in electronic or paper form


Write HIPAA Policies & Procedures What’s OK?

•Sign in sheets: with minimal information—name, time, etc.

•Verification of Callers: PHI over phone—Password, SSN, DOB, Zip, Maiden Name, etc.

•Social Security Number: use sparingly, or, better yet, use the last four digits only

Write HIPAA Policies & Procedures Phone Messages/ Appt. Reminders

•Reminders are good

•Postcards are ok

•Answering machines are ok

•Do not leave PHI or test results on a machine

•OK to say that this is to remind the patient of an appointment & give the date/time

• Include what was said in the NPP

Write HIPAA Policies & Procedures More Common Sense

•You are NOT required to have:

•Private rooms

•Sound-proof rooms

•Wireless encryption

•Encrypted telephones

• It’s GOOD to have:

• Patients wait a few steps back from the front desk

• Curtains or screens

•Quiet voices

• Files turned backward

• Folders marked “Confidential”

•All faxes/email containing PHI marked “Confidential”

• Fax machines placed in secure locations

Business Associates and Breach Notification

•A breach is: Generally speaking, impermissible use or disclosure that compromises the security or privacy of PHI under the Privacy Rule

•Following a breach of unsecured PHI: covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media.

Take The Time

An active HIPAA Privacy Program is worth the effort!

General Security Rules

• Ensure the confidentiality, integrity, and availability of all e-PHI created, received, maintained or transmitted

• Identify and protect against reasonably anticipated threats to the security or the integrity of the information

• Protect against reasonably anticipated, impermissible uses or disclosures

• Ensure workforce compliance through documented training.


Security Terms

•Confidentiality- ePHI should not be available or disclosed to unauthorized persons (this supports the Privacy Rule)

• Integrity- ePHI is not altered or destroyed in an unauthorized manner

•Availability- ePHI is accessible and useable on demand by authorized person(s)

HIPAA Security Acronyms

• EHR Electronic Health Record

• ePHI Electronic Protected Health Information

• HHS U.S. Department of Health and Human Services

• HITECH Health Information Technology for Economic and Clinical Health Act

• NIST National Institute of Standards and Technology

• OCR The Office for Civil Rights within HHS

• ONC The Office of the National Coordinator for Health Information Technology within HHS

• OS Operating System

• PDF Portable Document Format

• PHI Protected Health Information

• SRA Tool Security Risk Assessment Tool

HIPAA Security General Rules

The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards to protect e-PHI.

HIPAA Security Safeguards

Administrative

✓ Assigned Security Personnel

✓ Security Management Process

✓ Information Access Management

✓ Workforce Training and Management

✓ Contingency Plan

✓ Evaluation

✓ Security Awareness and Training

✓ Security Incident Procedures

✓ Business Associate Agreements

Physical

✓ Facility Access and Control

✓ Workstation and Device Security

Technical

✓ Access Control

✓ Audit Controls

✓ Integrity Controls

✓ Authentication

✓ Transmission Security

Is the Security Rule Optional? It says “addressable”

Addressable – The concept of "addressable implementation specifications" was developed to provide covered entities additional flexibility as it applies to compliance with the security standards.

Required – If an implementation specification is described as “required,” the specification must be implemented.

Required Security Items

•Unique User Identification – no shared passwords allowed

• Risk Analysis – Most HIPAA fines are based on a missing, old, or incomplete Risk Analysis

•Risk Management – HIPAA Security Rule requires you to document the actions you are going to take to reduce risks

•Disaster Plan – procedure to restore data access


More Required Security Items

•Business Associate Agreements – 2013 HIPAA Omnibus Final Rule requires updated Business Agreements with more of the liability falling on covered entities (your practice)

•Audit Controls – find out where ePHI is located, viewed, and transmitted, and by whom; access logs must be created and stored for six (6) years

Addressable Items (optional)

•Encryption (data at rest) – a device with encrypted data that is lost or stolen is not reportable as a breach. On the other hand, unencrypted data (on thumb drives, laptops) can lead to severe fines.

•Automatic Logoff/Lockout – It is worth the inconvenience!

Is it Unreasonable or Inappropriate to..?

•Protect Access to PHI by using passwords

•Require Business Associate Agreements prior to allowing PHI access

• Lock down or encrypt portable devices and laptops

•Train staff on how to handle emails and other business postings online

7 Steps to Achieving Security Compliance

1. Assign a Security Officer

2. Perform an Initial Risk Assessment

3. Develop an Action Plan for Compliance

4. Implement Safeguards

5. Write HIPAA Security Policies and Procedures

6. Train Your Team Members to Prevent Breaches

7. Monitor, Audit, and Update Security on an Ongoing Basis

Install a Qualified Security Officer

•Knowledge of technology and various business applications

•Understanding of HIPAA laws and regulations in regard to the Security Rule

•Excellent organizational skills; able to create and implement policies and procedures

•Solid leadership skills; able to perform risk analyses and train staff.

Refresh Your Knowledge

•Review the HIPAA Privacy Rules

•Check with your State Association for any local laws that relate to HIPAA Security


Get to Know Your EHR

Schedule a meeting with the EHR vendor and ask about:

• What are the current Security Settings?

• How do you configure Settings to align with your Policies and Procedures?

• What is the process to correct security-setting deficiencies found by you or your staff?

• Is training for staff on the security features of the software offered?

Assess Your Safeguards

Does your practice have:

• A training program that makes each individual with access to ePHI aware of security measures?

• Policies and procedures for providing a unique identifier for each authorized user?

• Policies and procedures for the physical protection of facilities and equipment?

• Inventory and location records for workstation devices, reviewed regularly to see where they are vulnerable to unauthorized use, theft, or viewing?

• A documented initial risk assessment and action plan?

Quick Assessment

Great Starting Point

What is a Risk Assessment?

•HIPAA Security Rule REQUIRES all Covered Entities (your practice) to conduct a risk assessment.

•This requirement involves answering specific questions concerning access and storage of ePHI in your practice.

•The goal is to reveal any potential risks within your practice and document the findings for your compliance plan.

Assessment or Analysis?

• A risk assessment involves evaluating existing security and controls and assessing their adequacy relative to the potential threats to the organization.

• A risk analysis involves identifying the most probable threats to an organization and analyzing the organization’s related vulnerabilities to these threats.

Assessment turns into Analysis

In order to analyze the vulnerabilities of your Security you need to answer questions related to Administrative, Technical, and Physical Safeguards.

What is the BEST Risk Assessment Tool?


OPTIONS

• Online electronic Risk Assessment Tools

• Professional Compliance Specialist Services

• A customized, downloadable risk assessment worksheet

KMC’s Risk Assessment Workbook

Electronic Security Risk Assessment

The SRA Tool, available at HealthIT.gov, takes you through each HIPAA requirement by presenting a question about your organization’s activities.

Your “yes” or “no” answer is an indication of whether you need to take corrective action for that particular item.

What Information Will You Need?

• Practice Demographics

• List of Business Associates (BAs)

• List of IT Assets

• List of Assignees

Document the Results- REQUIRED

•Create a report using the SRA Tool.

•Review the Results

• Identify areas that need attention.

•Address these in the order of risk level of high, medium and low.

Document the Results with KMCU’s Resource



Create an Action Plan

5 Components

1. Administrative Safeguards

2. Physical Safeguards

3. Technical Safeguards

4. Organizational Standards

5. Policies And Procedures

$$$ Affordable $$$ Safeguards

• Say “no” to staff requests to take laptops containing unencrypted ePHI home.

• Remove/destroy hard drives before disposing of old computers.

• Do not email ePHI unless you know the data is encrypted.

• Server room should be locked/accessible to authorized staff only.

• Stress that passwords are not to be shared and are not easy to guess.

• Notify staff that you are required to monitor access randomly.

• Maintain a working fire extinguisher in case of fire.

• Check your EHR server often for viruses and malware.

Administrative Safeguards

Administrative Issues

•No designated security officer

•Assessment and reassessment are not performed

•Workforce is not trained and is unaware of security policies

Safeguard Actions

•Designated Security Officer

•Security risk analysis is performed periodically; changes made as needed

•Workforce training begins at hire and is conducted on a regular and frequent basis

Physical Safeguards

ISSUES

• Computer equipment is easily accessible to the public.

• Portable devices are not tracked and/or are not locked when not in use

SAFEGUARDS

• Offices are locked. Screens are shielded from secondary viewers.

• Log created for all devices.

• Encryption installed on all devices. Laptop locks applied.

Technical Safeguards

ISSUES

• No measures in place to keep electronic patient data from improper changes

• Electronic exchanges of patient information are not encrypted or otherwise secured

SAFEGUARDS

• Secure user IDs, passwords, and appropriate role-based access are used.

• Routine audits of access and changes to EHR are conducted

• Data is encrypted

Organizational Safeguards

ISSUES

• No breach notification and associated policies exist

• Business Associate (BA) agreements have not been updated in several years

SAFEGUARDS

• Create a Breach Notification process

• Conduct regular reviews of agreements and update as necessary


Policy & Procedure Safeguard

ISSUE

• Generic template policies and procedures were purchased but not followed

SAFEGUARD

• Written and tailored policies and procedures are implemented and staff is trained

Policy & Procedures

• Contractor Access (IT tech, other outside contractors)

• Electronic Communication, E-Mail, Internet Usage

• Screen Lock

• Audit of Login ID’s

• User Lockout

• Password Length, Change, and Reuse

• Antivirus Software & Updates

• Security System, Secure Doors, Motion Detectors, Security Cameras

• Provide Equipment Security (mobile devices, laptops)

• Record Retention

• Sanction Policy

Breach Notification

• BREACH – impermissible use or disclosure, under the Privacy Rule, that compromises the security or privacy of protected health information.

• NOTIFICATION – must provide notification of the breach to affected individuals, the Secretary, and, in some cases, to the media. In addition, Business Associates (BA) must notify covered entities if the breach was caused by the BA.

3 EXCEPTIONS To Reporting a Breach

• Unintentional access by a workforce member; in good faith and within scope of authority

• Inadvertent disclosure by one authorized person to another authorized person

• Good faith belief that the unauthorized person would not be able to retain the information

Train Your Workforce

Staff Needs to:

•Know how to safeguard patient information in the practice

•Know the procedures & processes used to monitor security and steps for breach notifications

•Possess a copy of the practice’s policies and procedures for easy reference

Monitor Security

• Does each workforce member have a unique user identifier?

• Is the automatic logoff feature activated on all workstations with access to EPHI?

• Are role-based access settings active on all software?
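The following is an added example, not from the presentation or from KMC University, that ties the Minimum Necessary role-based access slides to the Audit Controls and Monitor Security items above: it runs a role-based review over constructed EHR access-log lines, flagging accesses outside a role's documented minimum, accesses by roles that have no documented access at all, and logins under shared or generic user IDs. The role names are taken from the slides; the PHI categories, the log line layout, the user names and the GENERIC_USER_IDS list are assumptions made for illustration.

```python
"""Added example: a minimum-necessary (role-based) access review run over
constructed EHR access-log lines. The role names come from the slides; the
PHI categories, the log layout and the user names are assumptions made for
illustration, not any real EHR vendor's configuration or log format."""
from dataclasses import dataclass

# Hypothetical minimum-necessary matrix: the PHI categories each role needs
# to do its job (an assumption; a real practice documents its own).
ROLE_ACCESS = {
    "front_desk": {"demographics", "schedule"},
    "back_office": {"demographics", "schedule", "clinical_notes"},
    "billing": {"demographics", "insurance", "claims"},
    "provider": {"demographics", "schedule", "clinical_notes", "insurance", "claims"},
}

# Generic logins that defeat the "unique user identification" requirement:
# a shared account cannot tell the auditor who actually viewed the record.
GENERIC_USER_IDS = {"frontdesk", "admin", "shared", "office"}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    user: str
    role: str
    action: str
    category: str
    patient: str


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed log line, e.g.
    '2017-08-14T09:02:11 user=jane role=front_desk action=view category=schedule patient=P1001'."""
    timestamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return AccessEvent(timestamp, fields["user"], fields["role"], fields["action"],
                       fields["category"], fields["patient"])


def audit(lines):
    """Classify each event; returns lists of events per finding type."""
    findings = {"outside_role": [], "unknown_role": [], "generic_user": []}
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if event.user.lower() in GENERIC_USER_IDS:
            findings["generic_user"].append(event)
        allowed = ROLE_ACCESS.get(event.role)
        if allowed is None:
            # Role not in the documented matrix (e.g. an outside contractor
            # with no documented access level on file).
            findings["unknown_role"].append(event)
        elif event.category not in allowed:
            findings["outside_role"].append(event)
    return findings


def summarize(findings):
    """Counts per finding type, the numbers a monthly compliance meeting would review."""
    return {kind: len(events) for kind, events in findings.items()}


def users_to_review(findings):
    """Sorted list of user IDs that appear in any finding (spot-check candidates)."""
    return sorted({event.user for events in findings.values() for event in events})


# Constructed sample log (not real data).
SAMPLE_LOG = """\
2017-08-14T09:02:11 user=jane role=front_desk action=view category=schedule patient=P1001
2017-08-14T09:05:40 user=jane role=front_desk action=view category=clinical_notes patient=P1001
2017-08-14T09:10:03 user=frontdesk role=front_desk action=view category=demographics patient=P1002
2017-08-14T10:15:22 user=mark role=billing action=view category=claims patient=P1003
2017-08-14T10:16:05 user=mark role=billing action=view category=clinical_notes patient=P1003
2017-08-14T11:00:00 user=drlee role=provider action=update category=clinical_notes patient=P1001
2017-08-14T12:30:45 user=temp1 role=contractor action=view category=demographics patient=P1004
"""

if __name__ == "__main__":
    results = audit(SAMPLE_LOG.splitlines())
    print(summarize(results))        # {'outside_role': 2, 'unknown_role': 1, 'generic_user': 1}
    print(users_to_review(results))  # ['frontdesk', 'jane', 'mark', 'temp1']
    for kind, events in results.items():
        for event in events:
            print(f"{kind}: {event.timestamp} {event.user} ({event.role}) "
                  f"{event.action} {event.category} on {event.patient}")
```

Run as a script, the block prints the counts per finding type and the user IDs worth spot checking. The design point is that the role matrix is written down once (the policy) and the log is checked against it (the monitoring); a deviation is a finding to investigate and document, which may turn out to be a legitimate need that the matrix should be updated to reflect.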


Perform Regular Audits

•Password changes

• Incident Identification and Response

•Procedure to maintain retrievable exact copies of ePHI

Check out HHS.GOV Audit Protocol for a detailed list.

Update Policies and Procedures

Compliance is not a “once done, I’m done!” task. Continue to:

ASSESS, MAKE CHANGES, DOCUMENT, TRAIN

Ongoing Staff Training

• Schedule Regular Meetings to REMIND Staff of your Security Policies.

• Share examples of tactics being used to gain Unauthorized Access to ePHI.

Don’t be a HIPAA-crit!

• Think about your patients!

• Commit to providing the protection they deserve!

Take The Time

An active HIPAA Security Program is worth the effort!


Need Help? info@kmcuniversity.com