Wednesday, May 30, 2012

HIPAA: The Cost of Non-Compliance

By Cynthia Ransburg-Brown

In April, Phoenix Cardiac Surgery, P.C. (“Phoenix”), a private physician medical practice comprised of five physicians, entered a one-year Corrective Action Plan (“CAP”) with the Office of Civil Rights (“OCR”) and agreed to pay $100,000 for alleged violations of the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  The CAP and payment are significant because Phoenix is the first physician group practice to enter a Resolution Agreement and agree to a monetary settlement under the increased HIPAA penalties made available via the American Recovery and Reinvestment Act of 2009, which increased the maximum HIPAA penalty to $1.5 million from $250,000.   
An OCR Press Release leaves no doubt as to the significance of the Phoenix case, which ended a multi-year investigation of the practice’s overall HIPAA compliance efforts.  According to the Director of OCR, Leon Rodriguez, the government’s investigation revealed a “continuing failure on the part of [Phoenix] to comply with the requirements of the Privacy and Security Rules.”  Rodriguez noted that “health care providers should pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and the OCR expects full compliance no matter the size of a covered entity.” 
Phoenix’s troubles began when a patient filed a complaint citing a violation of the HIPAA Security Rule, triggering the OCR’s multi-year investigation.  Phoenix used an Internet-based calendaring system.  According to the Resolution Agreement, the calendaring system was active from July 2007 through December 2009, when the OCR contacted Phoenix about the HIPAA complaint.  While the calendaring system was active, Phoenix “posted over 1,000 separate entries of electronic protected health information (“ePHI”) on the publicly accessible, Internet-based calendar.” The calendar was on a “public” setting rather than a “private setting” thus allowing anyone to access confidential patient information.  Phoenix had not “clicked” the system’s “private” setting and had failed to enter a Business Associate Agreement with the computer company providing the Internet-based service.
Among other things, the OCR’s investigation revealed the following conduct:
a. Phoenix did not provide and document training of each of its employees on the HIPAA Privacy and Security Rules;
b. Phoenix failed to implement policies and procedures to appropriately safeguard patient information;
c. Phoenix failed to identify a HIPAA security official and failed to conduct an accurate and thorough risk assessment of the potential risks to the confidentiality, integrity, and availability of ePHI; and
d. Phoenix failed to obtain business associate agreements with its Internet-based email and calendar service providers.
As the OCR notes, no covered entity is too small.  Medical practices, therefore, should view the OCR’s actions as a clear warning of future government action.  Even though the settlement Phoenix agreed to pay may seem small in comparison to the $1.5 million settlement the OCR reached with BlueCross and BlueShield of Tennessee to resolve claims of HIPAA Privacy and Security violations, a $100,000 settlement is significant and can be financially crippling for a physician practice.
In addition, the OCR has released early results from a new HIPAA Privacy and Security Audit Program. Under the pilot program, the OCR intends to gauge overall HIPAA compliance through the use of random audits of covered entities.  Providers should be aware, however, that the program, while still in its early stages, could result in government investigations, resolution agreements, and fines similar to those discussed above.  According to the OCR, the “audits present an opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s established complaint investigations and compliance reviews.”  Early audit reports reveal a wide gap in HIPAA compliance with some covered entities failing to complete basic HIPAA tasks such as entering business associate agreements, failing to perform risk assessments, or failing to issue a notice of privacy practices.  In other audits, however, the auditors found no major compliance issues, supporting the OCR’s position that the random audits are “primarily a compliance improvement activity.”

These enforcement activities and others indicate the government’s renewed focus on HIPAA compliance.  HIPAA has been around for many years, and the government has worked diligently with covered entities to improve and ensure compliance.  However, if the Phoenix case is any indication, the government’s tolerance for non-compliance is fading fast.  HIPAA is often relegated to the “last item on the agenda,” but its importance should not be so cavalierly dismissed.  Given the government’s recent enforcement efforts, medical practices, both large and small, should take a serious look at overall HIPAA compliance because the cost of non-compliance can be staggering.  Practices should begin with re-training employees and documenting the training; updating HIPAA policies and procedures to address breach notification, electronic medical records and portable electronic devices; and ensuring that business associates are aware of their HIPAA obligations through the use of an updated business associate agreement consistent with the requirements of the HIPAA Privacy and Security Rule.
Cynthia Ransburg-Brown, Esq.
Partner, Sirote & Permutt, P.C.’s Health Care Consulting Group 
Phoenix Resolution Agreement:

HHS settles case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards, April 17, 2012,

HIPAA Privacy & Security Audit Program:

Jeff Drummond & John Christiansen, Pervasive HIPAA Failings Net Surgeons the First OCR Sanctions Against Physicians, Report on Patient Privacy, May 2012, at 1.

Tuesday, May 22, 2012

Medical Missions: One Practice’s Experience

By Nathan M. Ross, MD
OB-GYN South, P.C.
2006 Brookwood Medical Center Drive, Suite 402
Birmingham, AL 35209

For several years now I have had the pleasure of traveling to West Africa, where I've been able to help provide medical care to the people of Ghana. Although I'm trained as an OB/GYN, I had the opportunity to serve in the role of a primary care provider to both men and women as well as children. I definitely had to reach back into my memory banks from medical school but managed to recall enough to make it through my time there.  This year I'll have the opportunity to use my training in a mission teaching hospital in Kenya.

The first few times I went, there was definitely some nervousness about being able to handle the illnesses that are unique to Africa and a third world country. But my experience was that, although there are unique illnesses there that I had only read about, the majority of patients just needed basic medical care and medications that are readily available here over the counter. I learned that the people are so very appreciative of whatever they receive.

I still have much to learn regarding how to best address and minister to the needs that I see in Africa. But the first step for me was to just go.  To take that first leap and get on a plane and go. There's a price to pay for taking time away from your practice, to traveling far away, and to living and working in challenging situations. But the rewards are so much greater. It's worth the price.

Thursday, May 17, 2012

Are you Maximizing Patient Collections in your practice?

By Marchelle Cagle, CPC, CPC-I, PCS

In today’s world of healthcare, it is estimated that $1 out of every $4 comes from patients, based on the 2010 MGMA research survey printed in the Connexion April 2010.
This is startling considering the economic ups and downs we have faced as a nation the past several years. Insurance payers have increased the out of pocket expenses for the patients significantly through office copays and deductibles. It wasn’t too long ago that patients paid a small office copay, then the insurance was billed and the balance was taken care of. The days of $15.00 copays that we as consumers complained about now seem like a dream.
That said, there is hope for collecting patient monies up front and increasing your patient collection revenue without harming your patient relationships. In this climate of healthcare no one can afford to leave money on the table, especially money that is already owed to the physician practice in the first place. Some physicians do not realize how many copays or deductibles they have not even pursued in the past because of fear of losing patients or not having well trained staff to point them in the right direction. This is where an attentive administrator can help, while our physicians continue to treat patients without worries of financial burdens.
There are some simple and inexpensive processes to put into place that patients and staff can live with.  
1. Training, training and more training for the staff responsible for collecting patient past due balances, copays, or deductibles prior to seeing the physician.
2. Most of the time patients will pay their uncollected monies just by having good information readily available stating when and why they have a balance, especially after they have paid a previous copay. Remember that patients also get a copy of the insurance carrier’s “Explanation of Benefits” that details their responsibility if a balance is left for the patient to pay.
3. Easy to read patient financial responsibility policies given at the very start of the physician/patient relationship so there are no surprises for the patients.
4. Technology can be your best friend with online payment software for check or credit card transactions. It is a must to offer different options for patients to pay their bills, whether in person, by mail, or online.
5. Strong tracking systems in whatever practice management software is used in your practice to keep this process timely and current. Try to keep your A/R days at 35 days or less so that it is much easier to collect patient monies in a timely fashion.
6. Give patients options when they have fallen on hard times; for instance, give discounts for paying the majority of their bill by credit card over the telephone.
Respect, courtesy and honesty go a long way when handling these matters with your patients.  Your physicians won’t be disappointed either when their patient collection revenue increases.

Monday, May 14, 2012

What Happens If The Supreme Court Strikes Down The Affordable Healthcare Act?

By Bill Cockrell

There’s an old saying: “Be careful what you wish for.”  This month, I will have been in healthcare management for 31 years.  During that period I have seen us pass from the days of payments based on UCR (usual, customary and reasonable) to the participating provider fee for service model, the comings and goings of HMOs (still a preferred model in some markets), medical management companies rising and falling, and a myriad of other delivery system changes.  Now we have the Accountable Care Act (ACA), or “Obamacare”, as the Act has become known, and there are many who are wishing for its demise.
While its goal of making sure quality, affordable healthcare is available to all is hard to fault, the Act itself is fraught with problems ranging from its complexity to its legality.  There’s not enough space here to go into all the details but the Supreme Court is now considering four issues.  These are:
1. Whether the Anti-Injunction Act bars challenges to the requirement for individuals to obtain insurance (the individual mandate) until the mandate is implemented in 2014,
2. The constitutionality of the individual mandate,
3. Whether the individual mandate, if found constitutional, is severable from the rest of the ACA, and
4. The constitutionality of the Medicaid eligibility expansion to a new segment of the population.
If the Supreme Court strikes down any one of these provisions, that action will have a significant impact on the whole Act.  While there are plenty of experts who are making predictions as to which way the Court will rule, the fact is, we won’t know until sometime this summer.  That means plans for Insurance Exchanges, Healthcare Co-ops, and the many other methods on the drawing board for the implementation of the Act must move forward while not being sure if they will be able to operate under some legal structure.  Of course, for physicians used to the annual SGR cliff concerns, individual third party payer rules and increased scrutiny of quality issues, this uncertainty is just another unknown to have to deal with.
The issue now is, going back to my opening statement, what happens if the Act goes away.  Do we go back to the “good old days” of four years ago?  And were the “good old days” really that good?  We still had the SGR issues, there were concerns about Medicare insolvency, more control of the healthcare delivery process by payers through benefit management programs and wide variations in the availability of diagnostic services.
So now, if the Act goes away (and rest assured I am not a proponent of all of it) what takes its place?  We probably will be dealing with some or all of the following:
Medicare funding will continue to dry up if the current fee for service model continues.
Wide variations in access to care will continue.
Payers will continue to be forced to reduce payments because their customers, industry purchasers of benefit plans, will demand it because their costs will be too high for their pocket books.
Reporting on the cost of healthcare to payers and patients will expand.  (Check out the Aetna out of pocket cost tool which, interestingly, has no mention of quality measures.)
There will continue to be efforts to find some national guidelines for care (despite wide socio-economic variations).
In essence, if the ACA goes away, we still face the same issues.
So, what do we do to deal with the future?
We continue the push to implement more technology (EMRs, better links to transmit patient information, more accurate testing, etc.) to save money by being more efficient.  The EMR train has already left the station so, if you are not on board, it’s time to start running.
We try to control operating costs by purchasing more efficiently.  That means standardizing and negotiating prices, something that we historically have not done well on the provider side.
We try to improve on quality to control costs.  This means finding ways to measure quality and the willingness to address issues.
We, as providers, will need to work together to find ways to improve quality and accessibility so we can accomplish all of the above.
So, while the ACA is the plan many of us love to hate, we still have to deal with many of the same issues no matter what happens.  Ultimately, we have to avoid “throwing the baby out with the bath water”.  We have to be the drivers of improvement, meaning we have to communicate and deal with uncomfortable subjects (quality, utilization rates, etc.).  I was recently on a call with a national medical specialty organization discussing the availability of cost and quality information when some on the call expressed concern over presenting the information because the information is “sensitive”.  That’s despite the fact that (unrelated to the ACA) in 2013 Medicare will make the same information available to the general public through its Physician Compare website.  The fact is the information in question is based on claims and documentation data submitted by providers and has some inherent problems based on things such as patient demographics, coding expertise and other reporting issues.  Wouldn’t we be better served by improving that information instead of arguing about the sensitivity?
The reality is we have to find ways to work together.  Forget the ACA, health plans, payers and other influencers.  Providers have to figure this out themselves or accept what is handed to them.

Thursday, May 10, 2012

BMN Blog Coming Monday

The Birmingham Medical News blog will have our first guest writer this coming Monday, May 14. Bill Cockrell will be writing about how health care might look if the Supreme Court strikes down all or part of Obamacare.