BEI HIT Blog
Healthcare IT News, 11/19/13
BEI Commentary: Many people use Dropbox for file sharing, and we suspect a lot of you do. It’s easy, free in many cases, and convenient. One problem: it is not HIPAA compliant.
Torie Jones, former chief privacy officer at University of Pennsylvania Health System, had an ironclad rule in place for her staff: “No PHI in the cloud until you have a BAA in place.”
For most cloud-based vendors, those who are used to the specific demands of working in healthcare, getting that business associate agreement in place wouldn’t be much of a problem.
But when it comes to using the popular file hosting service Dropbox, that all-important contract isn’t something that’s readily forthcoming. Read More
American Medical Association, September 10, 2013
BEI Commentary: We know that many of you feel like you are being “HIPAA’d” to death, but we get requests about the new HIPAA rules all the time. Here is a link from the AMA website that has some nice resources on the new HIPAA rules, encryption, and even sample Notice of Privacy Practices and Business Associate Agreements.
Upcoming September 23, 2013 HIPAA privacy and security deadline – The U.S. Department of Health & Human Services (HHS) recently adopted new rules which make changes to existing privacy, security and breach notification requirements in what is often referred to as the final “HIPAA Omnibus Rule.” These new rules stem from changes made under the Health Information Technology for Economic and Clinical Health (HITECH) Act which is part of the same law that created the Electronic Health Records (EHRs) Incentive Program under Medicare and Medicaid. Read More
EMR & HIPAA Newsletter, November 5, 2011
According to the 2013 Medicare Final Rule released last week, there are new ways to avoid future payment adjustments under the MIPPA ePrescribing rule for those who have not already taken the necessary steps to avoid them: 1) The exemption request period has been reopened and 2) meaningful use will satisfy the ePrescribing requirements according to specific timetables.
1) CMS is offering a second chance to physicians who missed the June 30 deadline for requesting an exemption to the 2013 ePrescribing penalty (1.5%) under the original 4 categories. Between November 1, 2012 and January 31, 2013, physicians can go to the Quality Reporting Communication Support Page and request an exemption based on one of the following justifications: Read More
New York Times, October 8, 2012
BEI Commentary: A very interesting article about how some physicians are using social media. Obviously there are a lot of issues to work out, but it looks like these technologies can be put to good use in working with patients.
The teenager’s cellphone buzzes. Her doctor, Natasha Burgert, is texting her: “Better morning with this medication?”
Another teenager opens his phone. “Everything is great,” reads Dr. Burgert’s discreet text. “Go ahead with the plan we discussed. Please reply so I know you received.”
And on the morning of college entrance exams, a teenager who suffers from a roiling stomach reads Dr. Burgert’s texted greeting: “Prepared. Focused. Calm. Your body is healthy and well. Good luck today.” Read More
EHR Watch, May 15, 2012
BEI Commentary: If you have an EHR you need an IT support company, or you need internal staff to support your network and hardware. Most ambulatory practices will either partially or totally outsource their IT. It is a good idea to work with a company that understands the healthcare vertical and its rules and regulations (shameless plug: BEI is one such company). Business Associate Agreements are one of the reasons why.
So you’ve been working hard to firm up your IT security protocols and systems, and you’re feeling good about the progress you’ve made.
Now, how about your myriad partners who also have access to your patients’ health information?
As this observer points out, for many providers that’s a different story altogether. He says that “while the HIPAA rules have been around for a while — the Security Rule’s compliance date goes back to 2005 — hospitals and other health care providers have not consistently devoted a significant amount of time to business associate security.” Read More
Health Data Management, April 17, 2012
BEI Commentary: For those of you who think that the HIPAA police are only after hospitals and payers, think again. This article states that an Arizona-based cardiology practice was fined $100,000 for sloppy HIPAA practices related to their IT infrastructure.
Phoenix Cardiac Surgery, P.C., with offices in Phoenix and Prescott, Ariz., will pay a $100,000 fine and implement a corrective action plan under a resolution agreement with the HHS Office for Civil Rights following HIPAA privacy and security rule violations.
OCR began an investigation after learning that the physician practice was posting clinical and surgical appointments on an Internet-based calendar that was publicly accessible, according to an April 17 announcement from the agency. The investigation found that the practice had few policies and procedures to comply with the privacy and security rules.
“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” OCR Director Leon Rodriguez said in the announcement. Read More
MedPage Today, December 7, 2011
BEI Commentary: There are good reasons for Meaningful Use Core Measure 15. According to some experts, stolen health care data can be worth much more than even credit card numbers. Another major difference is that credit card numbers can be cancelled. Health information always remains with the individual.
Medical identity theft has become one of the most lucrative forms of identity theft, according to a panel of cybersecurity specialists.
Stolen patient data – including electronic health records as well as insurance information – is valuable because it can be used to make false or inflated insurance claims, obtain prescription drugs, or receive treatment at the insurance account holder’s expense. Read More
HealthData Management, November 7, 2011
BEI Commentary: This article reflects the whole point of Core Measure 15 – Risk Analysis. You need to make sure that you have put in place reasonable security procedures regarding your IT Infrastructure. Clearly, the practice in this article was caught off-guard.
Earlier this year, Janet Spangler got an object lesson in the tension between data access and security. A new patient at Family Medical Associates of Raleigh (N.C.) toted his own laptop into the exam room, recalls Spangler, administrator at the five-physician group practice. When the physician arrived, the patient, a computer technician, turned his laptop around, revealing he had just gained access into the group’s ostensibly secure wireless network, then admonishing the physician about the need to improve access controls. “We have since modified our wireless system,” Spangler says. “But the experience left us uneasy.”
No sensitive information was exposed during the interlude, but the episode gives insight into why Family Medical Associates takes what Spangler describes as “a conservative approach” to data access. Not only did the group bolster its firewall against unwarranted outside intrusion, it put limits on what its own staff can see on the EHR, an ambulatory system from Greenway Medical Technologies that has been in place for five years. The practice even takes the extraordinary step of maintaining any employee medical records on paper, in a locked cabinet, and not on the EHR. “We can restrict access to our online charts, but you don’t want records inappropriately accessed by other staff,” she explains. “We are all for access if it results in better care. But we are quick to limit access if there’s a risk of a security breach.” Read More
Security becomes a bigger IT issue every day. Security is not just about protecting websites or servers; appropriate security is required for workstations as well. In fact, HIPAA requires it. Here are a few simple things to think about:
- Make sure each individual on your staff has a unique ID/Password for logging into the EHR. This may seem like a simple thing, but we have seen practices where a common ID/PW is used by people with similar roles. Unique ID/PWs are required to determine who has logged into the EHR and what changes they made.
- Passwords should be strong. Require at least 6 characters with at least one character being alphabetic and one being numeric.
- Set a five-minute inactivity timer on each workstation. It is quite easy for someone to walk away from a workstation while forgetting that they are logged in. This gives a patient or other staff the opportunity to access the EHR using someone else’s ID/PW. That would be unauthorized access to ePHI, which is a HIPAA violation.
- Encrypt your hard drives. Some workstations may have ePHI and some may not. Why bother figuring out which is which? If you encrypt the hard drive of each workstation, you will guarantee that you are HIPAA compliant. Encrypting the hard drive should not cost anything. If a workstation is lost, you are not sure whether there is ePHI on the machine, and the machine is not encrypted, that is a HIPAA violation that most likely needs to be reported to the Office for Civil Rights.
- Consider a privacy filter for workstations, especially those in public areas. Privacy filters allow only the user to view what is on the screen. Off angle viewing is blocked. They are very inexpensive and can be purchased for both laptops and desktops.
All of the items above are straightforward and easy to implement. They can go a long way toward protecting the ePHI in your practice!
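Two of the items above (unique IDs and the five-minute inactivity timer) can be checked against an EHR's login audit trail. The script below is an added example, not code from BEI or any EHR vendor; the log format, workstation names and user IDs are constructed for illustration.

```python
"""Review EHR workstation audit events for two items on the checklist above:
one login in use on two workstations at once (a shared ID/PW), and a session
left open past the five-minute inactivity limit. Log format and events are constructed."""
from datetime import datetime

IDLE_LIMIT_SECONDS = 300  # the five-minute inactivity timer from the checklist

# Constructed sample, one event per line: timestamp workstation user event
SAMPLE_LOG = """\
2012-05-15T08:00:00 WS-01 jsmith LOGIN
2012-05-15T08:03:00 WS-02 jsmith LOGIN
2012-05-15T08:10:00 WS-01 jsmith ACTIVITY
2012-05-15T08:15:00 WS-02 jsmith LOGOUT
2012-05-15T08:30:00 WS-01 jsmith LOGOUT
2012-05-15T09:00:00 WS-03 mlee LOGIN
2012-05-15T09:04:00 WS-03 mlee LOCK
2012-05-15T09:20:00 WS-03 mlee LOGOUT
"""

def parse_events(text):
    """Return (timestamp, workstation, user, event) tuples in time order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ws, user, kind = line.split()
            events.append((datetime.fromisoformat(ts), ws, user, kind))
    return sorted(events)

def find_shared_logins(events):
    """Flag a LOGIN while the same user is still logged in elsewhere: (user, old_ws, new_ws, when)."""
    active, findings = {}, []
    for ts, ws, user, kind in events:
        if kind == "LOGIN":
            for other in sorted(active.get(user, set())):
                findings.append((user, other, ws, ts))
            active.setdefault(user, set()).add(ws)
        elif kind == "LOGOUT":
            active.get(user, set()).discard(ws)
    return findings

def find_unattended_sessions(events):
    """Flag gaps over IDLE_LIMIT_SECONDS between consecutive events of one session
    when the screen was not locked before the gap: (user, workstation, idle_seconds)."""
    last, findings = {}, []
    for ts, ws, user, kind in events:
        key = (user, ws)
        if key in last:
            prev_ts, prev_kind = last[key]
            gap = (ts - prev_ts).total_seconds()
            if gap > IDLE_LIMIT_SECONDS and prev_kind != "LOCK":
                findings.append((user, ws, int(gap)))
        last[key] = (ts, kind)
        if kind == "LOGOUT":
            del last[key]
    return findings
```

On the sample, jsmith's login on WS-02 while still active on WS-01 is reported as a shared ID, and the unlocked gaps on both of jsmith's sessions exceed the limit, while mlee's locked workstation is not flagged.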
By Manny Oliverez, CPC
Effective January 1, 2012, HIPAA Version 5010 becomes mandatory. All of us in the healthcare industry need to understand, implement and transition to the new Health Insurance Portability and Accountability Act (HIPAA) version 5010 well before the mandated compliance date. Testing should begin as soon as possible to avoid claim rejections and delays in claims payments.
What is 5010 and how does it affect the Healthcare Industry?
5010 refers to the set of rules implemented and regulated under HIPAA which determines how electronic information is transmitted. The current standard of electronic transactions and designated code sets is the 4010 version (Version 004010 of the ASC X12 transaction implementation guides), which will be phased out and replaced by 5010. 5010 will allow for more efficient and larger-scale information exchange. The 5010 version will also transition the healthcare industry from ICD-9 to ICD-10.
The 5010 code set is expected to save $12 billion, according to the Department of Health and Human Services. Cost savings will come from eliminating inefficient manual processing of transactions. These cost savings are mandated by the Affordable Care Act.
When claims are sent electronically, the information submitted gets translated and put into specific parameters that are then sent by clearinghouses or directly through Practice Management software (PMS) to insurance companies for payment. Not only are electronic transactions required to submit claims, they are also necessary to receive payments, check eligibility, authorizations and get claim status. This is what comprises the 5010 transaction set.
Even though the current standard is 4010, multiple systems are still in use by insurance carriers. The new 5010 rules will now provide greater uniformity in the transmission of information. Any systems not meeting the 5010 transition deadline of January 1, 2012 will no longer be able to communicate with any insurance companies, seriously affecting the bottom line! Any disruption of claims payments will adversely impact any medical practice.
Is there a choice?
NO. Just like the upcoming ICD-10 implementation in 2013, this new 5010 version is required. Payers, clearinghouses and all providers are required to comply with the mandated 5010 requirements. The only exemption is for paper claims filing.
The official guidelines can be found at: https://www.cms.gov/ElectronicBillingEDITrans/18_5010D0.asp and http://www.cms.gov/Versions5010andD0/
What does this mean to the average small medical practice?
The 5010 requirements are parameters that either your Practice Management Software vendor or your electronic clearinghouse will implement. There should be a minimal impact on your practice, as long as you are partnered with a good PM system and/or clearinghouse. Testing should already be happening and your PMS/clearinghouse partners should have already given you their timeline for testing your practice.
In a nutshell, there are four basic items that will affect the information on claims that your office needs to be aware of:
- Provider addresses can no longer be a post office box. An actual street address is now required.
- The provider must be listed as the billing provider. A billing service or clearinghouse is no longer acceptable.
- Rules for reporting providers and NPI have changed.
- Subscribers for the most part are now the patient regardless of who purchases the policy. The only exception is if there is a suffix in the last name.
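The first two items are things a practice can check on its own outgoing claims. The script below is an added example, not from the author or any PM vendor: it parses a constructed X12 837 fragment and reports a billing-provider loop (NM1 entity code 85, per the ASC X12 837 layout) whose N3 address is a post office box or whose NM1 lacks a valid NPI. The NPI check-digit test (Luhn over the number prefixed with 80840) is standard NPI knowledge that the article itself does not describe; the practice name, addresses and NPI are placeholders.

```python
"""Check an X12 837 claim fragment for the 5010 billing-provider rules listed above.
Constructed for this example: claim text, names, addresses and the placeholder NPI."""
import re

PO_BOX = re.compile(r"^\s*(P\.?\s*O\.?|POST\s+OFFICE)\s*BOX\b", re.IGNORECASE)

# Constructed 837 fragment; placeholder NPI 1234567893 passes the check digit.
SAMPLE_CLAIM = (
    "NM1*85*2*EXAMPLE FAMILY PRACTICE*****XX*1234567893~"
    "N3*PO BOX 4410~"                    # 5010 requires a street address here
    "N4*SOUTH RIDING*VA*20152~"
    "NM1*87*2*EXAMPLE BILLING SERVICE~"  # pay-to loop, not checked in this example
    "N3*PO BOX 9000~"
    "N4*SOUTH RIDING*VA*20152~"
)

def parse_segments(claim):  # "~" ends a segment, "*" separates its elements
    return [seg.split("*") for seg in claim.split("~") if seg.strip()]

def entity_loops(segments):
    """Group each NM1 with the segments after it, keyed by entity code (NM101)."""
    loops, current = {}, None
    for seg in segments:
        if seg[0] == "NM1":
            current = seg[1]
            loops[current] = [seg]
        elif current is not None:
            loops[current].append(seg)
    return loops

def npi_is_valid(npi):
    """Luhn check over '80840' + the 10-digit NPI (standard NPI check-digit rule)."""
    if not re.fullmatch(r"\d{10}", npi):
        return False
    total = 0
    for i, ch in enumerate(reversed("80840" + npi)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def billing_provider_findings(claim):
    """Return the 5010 problems found in the billing-provider (NM1*85) loop."""
    billing = entity_loops(parse_segments(claim)).get("85")
    if billing is None:
        return ["no billing provider loop (NM1*85) found"]
    findings, nm1 = [], billing[0]
    if len(nm1) < 10 or nm1[8] != "XX" or not npi_is_valid(nm1[9]):
        findings.append("billing provider NM1 lacks a valid NPI (NM108=XX, NM109=NPI)")
    address = next((s[1] for s in billing if s[0] == "N3" and len(s) > 1), None)
    if address is None:
        findings.append("billing provider has no N3 address segment")
    elif PO_BOX.match(address):
        findings.append(f"billing provider address is a post office box: {address}")
    return findings
```

Replacing the billing provider's N3 line with a street address clears the report; a real claim file would be checked the same way after the PM system or clearinghouse builds it.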
How do you prepare for the 5010 conversion?
There are several ways that you can get started to ensure 5010 compliance. The earlier you start the better.
- Contact your Practice Management Software vendor. Your vendor must be able to upgrade your system to be 5010 compliant.
- Check with your electronic clearinghouse to make sure that testing is underway and find out when you can begin testing your own claims with the clearinghouse for claims submission.
- Review and adjust any data collection that will impact your claims submissions. Your Practice Management Software vendor should take care of this for you.
- Confirm with your payers that they are also testing and implementing 5010. Find out when you can submit claims for testing to payers also.
You can send and receive 5010 transactions as soon as your practice, clearinghouse and payers are ready to accept them. The American Medical Association has provided a free checklist for 5010 compliance and background information:
Manny Oliverez is CEO of Capture Billing, an outsourced medical billing services company located just outside of Washington DC in South Riding, Virginia. Follow his blog on medical billing issues.