First Healthcare Compliance CONNECT- November 2017

®
CONNECT
An Exclusive Monthly Publication for Clients
100 +
Years of Xray
Handle HIPAA
Privacy Concerns
Moving Ahead with MACRA
November 2017
Updates to
QPP

Important Compliance Dates
January
1
January
1
July
1
October
2
November
15
December
1
December
February
1
2017 EHR Stage 2 Medicaid reporting period is a minimum of any
continuous 90 days between January 1 and December 31, 2017.
2017 EHR Stage 3 Medicaid (for all new and returning participants)
reporting period is a minimum of any continuous 90 days between
January 1 and December 31, 2017.
Beginning July 1, 2017, practitioners in 9 states are required to
report claims data on post-operative visits furnished during the
global period of specified procedures using CPT code 99024.
October 2, 2017 is the last possible day to begin collecting MACRA
performance data.
There are 17 Provider types that must comply with the CMS
Emergency Preparedness Rule by November 15, 2017.
Virtual Group submissions due to CMS via email to
MIPS_VirtualGroups@cms.hhs.gov by December 1, 2017.
December 1, 2017 is the new deadline for electronic submission of
OSHA 300/300A Illness and Injury forms for required establishments.
In This Issue:
Important Compliance Dates
A Letter of Thanks
Updates to the Quality Payment Program
Moving Ahead with MACRA
2
First Healthcare Compliance, LLC © 2017

A Letter of Thanks
The entire First Healthcare Compliance team places a high priority on client
relationships. We take great pride in our communication and responsiveness to client
requests. We provide a compliance management solution, but more importantly, we
strive to serve as a trusted resource for all of our clients across the United States.
Thank you for collaborating with us as we develop and enhance our technology and our
educational resources. We’re grateful for your feedback and the opportunity to help you
meet your compliance goals.
Certainly, the healthcare community will continue to face changes and challenges and
we intend to provide support every step of the way. We appreciate your confidence in
us and will work hard to continue to earn the privilege of working with you.
Wishing you a peaceful and happy Thanksgiving!
Sincerely,
Julie Sheppard
President and Founder
7 Steps for Handling a Patient HIPAA Privacy Complaint
100+ Years of Xray
System FAQs
Upcoming Webinar Calendar
Contact Toll Free: 888-54-FIRST 3

By Julie Sheppard, BSN, JD, CHC
On November 16, 2017, the Centers for Medicare and Medicaid
Services (CMS) is expected to publish the final rule to address
updates to the Quality Payment Program (QPP). The new
“Patients Over Paperwork” initiative provides for streamlining
with goals of reducing unnecessary burden, increasing efficiencies,
and improving the beneficiary experience. This effort
emphasizes a commitment to removing regulatory obstacles
that get in the way of providers spending time with patients.
CMS provides updates for the second year of QPP to provide
more flexibility during 2018 and addresses extreme and uncontrollable
circumstances, such as hurricanes and other natural
disasters, for both the transition year and the 2018 MIPS performance
period. Here are some of the most significant changes
for small providers participating in MIPS:
1. More small providers will fall under the exemption category
with an increased threshold. The low volume threshold of
$30,000 in Medicare Part B charges or 100 Medicare Part
B patients will increase to a threshold of $90,000 or less in
Medicare Part B charges or 200 patients annually.
2. New reporting options for hospital based physicians and
solos and small groups. Hospital based doctors will be able
to report on quality and cost in the facilities where they
work. Their individual score will be calculated with the submission
of the facility’s inpatient value-based score.
3. New virtual groups allow solo practitioners and groups with
fewer than 10 eligible providers to combine for a performance
period of a year. Virtual Groups would be composed
of solo practitioners and groups of 10 or fewer eligible clinicians
who come together “virtually” with at least 1 other
such solo practitioner or group to participate in MIPS for a
performance period. Please note: the group would have to
be assessed as a group on all MIPS categories.
4. Meaningful Use is replaced by Advancing Care Information
(ACI) and allowing the 2014 edition of CEHRT for the 2018
calculations. However, a bonus will be issued in the category
of ACI for use of certified 2015 edition EHR.
5. Cost will not be a weighted category for 2018, but it is recommended
to increase efforts in this area as cost scoring
is still a category to be added in the future. For now, quality
will remain the most heavily weighted category at 60% with
more quality measures added.
6. Bonus points will be awarded by CMS for the following
factors: caring for complex patients, and being part of a
practice with fewer than 15 providers
For more helpful information about MACRA and MIPS, please
download our eBook and check out our complimentary webinar.
4
First Healthcare Compliance, LLC © 2017

Get the eBook!
Are you ready for MACRA?
It’s important to understand how MACRA and the final rule published on November
2, 2017, will impact your bottom line when it goes into effect on January 1, 2018.
Get help and determine your best course of action!
®
Moving Ahead
with MACRA
Learn more about getting on
track with MACRA:
• Common Misconceptions
• MIPS Hurdles
• Creating a MIPS Action Plan
By Julie Sheppard, BSN, JD, CHC
Download your copy today!
Contact Toll Free: 888-54-FIRST 5

By Sheba Vine, JD, CPCO
A patient voices a concern of privacy violation because the provider
mistakenly emailed her medical treatment information to unrecognized
email addresses. Your Notice of Privacy Practices correctly informs the
patient of her rights under HIPAA to file a privacy complaint with your
organization’s Privacy Officer and the Office of Civil Rights (OCR). As
the provider, how should you respond? What is your protocol for handling
this patient complaint? Follow these seven steps outlined below
to ensure you cover all your bases.
Step 1: Timely Response to Patient Complaints
Treat all patient complaints of privacy seriously by taking prompt action.
If there is a breach of protected health information (PHI) then the clock
is ticking. Depending on the level of culpability, penalties can be avoided
or reduced if the breach is corrected within 30 days. If the provider is
required to report the breach, it only has 60 days from discovery to
report under the Breach Notification Rule (discussed below). Therefore,
time is of the essence when handling complaints of this nature.
In taking prompt action, the patient should be asked to reduce their
complaint to writing by filing out a complaint form. A sample patient
complaint form is provided below. Be careful to avoid any action that
could be construed as retaliation against the patient for filing the complaint.
Once the patient submits a completed complaint form, the HIPAA
privacy officer, or other designated person(s), must take over to investigate
and determine if a HIPAA breach has occurred.
Step 2: Conduct an Adequate Investigation
Is there a violation of the HIPAA Privacy or Security Rule? If so, you may
be dealing with a HIPAA breach, which is defined as an impermissible
use or disclosure of PHI that compromises security and/or privacy
of PHI. Therefore, fully investigate the complaint by engaging in fact
finding and root cause analysis to understand the depth of the incident
and to determine if you are dealing with a breach situation. Review
internal policies and procedures to determine if there was a violation;
identify any persons who accessed, used or received the PHI, including
interviewing and obtaining statements from staff that were involved in
the incident; and reviewing the nature and extent of the PHI involved. If
your investigation does not substantiate a HIPAA violation then skip to
step 5, otherwise, continue to step 3.
6
First Healthcare Compliance, LLC © 2017

Step 3: Correct and Mitigate Harmful Effects
If the investigation substantiates a breach has occurred, then HIPAA
requires you to mitigate the harmful effects of the breach. This is a
critical step since it factors into the analysis that determines whether
the breach must be reported to individuals, media and/or HHS. In
addition, and as mentioned above, penalties may be avoided or
reduced if the breach is corrected within 30 days.
Start by correcting the breach if possible—stop any further disclosure
or uses of unauthorized PHI. If the damage is already done,
take measures to mitigate the breach. By completing an investigation,
you should understand what caused the breach and determine
ways of preventing similar breaches in the future. Mitigation efforts
may include updating policies and procedures, providing refresher
compliance training for staff, and/or implementing new safeguards
to prevent noncompliance.
Step 4: Determine if there is a Reportable Breach
If the breach at issue involves the use or disclosure of secured PHI
then the breach does not have to be reported. But if the disclosure
or use involves unsecured PHI that is not properly rendered unusable,
unreadable, or indecipherable, then a breach is presumed under the
Breach Notification Rule. And further analysis is necessary to determine
if an exception applies or if there is a low probability that the
PHI has been compromised. Your initial investigation will assist you
with these efforts.
First, determine if the breach fits within one of the three exceptions
of the Breach Notification Rule:
Whether the PHI was actually acquired or viewed; and
The extent to which the risk to the PHI has been mitigated.
If the assessment indicates more than a low probability of PHI compromise,
then the breach must be reported. Breaches affecting less
than 500 individuals require notices to affected individuals within 60
days following the discovery of a breach and notice to Health and
Human Services (HHS) within 60 days of the end of the calendar year.
For bigger sized breaches, affecting 500 or more individuals, notices
to affected individuals, HHS and major media outlets must be sent
within 60 days following the discovery of the breach. In addition to
HIPAA, state breach notifications laws must also be followed
Step 5: Involve HR to Determine Disciplinary Measures
HIPAA requires covered entities to apply appropriate sanctions
against workforce members who violate HIPAA. Work with human
resources to identify the appropriate disciplinary measures to take,
following human resources policies and any progressive disciplinary
measures to be consistent with an employee’s past disciplinary history
and to ensure consistency for similar violations. Disciplinary
action can range from an oral warning, written warning, suspension
and up to termination.
Step 6: Get your Documents in Order
Document and record all your investigative efforts- this includes the
patient complaint, the internal investigation and determination, documents
reviewed and witness statements obtained, actions taken
to mitigate the breach, copies of breach notices or rational for not
reporting, and any disciplinary actions taken.
The unintentional access, use or acquisition of PHI by a workforce
member or person acting under the authority of the provider if done
in good faith and within the scope of authority and does not result in
further use or disclosure that violates HIPAA.
An inadvertent disclosure of PHI by an authorized person to another
authorized person as long as the PHI is not further used or disclosed.
Provider has a good faith belief that the unauthorized person would
not likely retain the PHI that was disclosed.
If an exception does not apply, conduct a risk assessment that considers
the following four factors:
Step 7: Follow up with the Patient
The Privacy Officer or appointed designee should notify the patient of
the findings and resolution of the complaint.
As a final note, take this opportunity to improve your compliance
program so that it promotes prevention, detection and resolution of
unlawful conduct. Click here for a sample HIPAA Privacy Complaint
Form.
The nature and extent of the PHI involved, including the types of identifiers
and the likelihood of re-identification;
The unauthorized person who used the PHI or to whom the disclosure
was made;
Learn more about compliance with our new interactive online course
and companion guidebook covering the fundamentals of healthcare
compliance.
Contact Toll Free: 888-54-FIRST 7

Spotlight
An interview with Kelly Anderson, National Inside Sales
Manager at First Healthcare Compliance.
Kelly, can you start by telling me a little bit about yourself
and your role here?
Thank you for talking with me today, I’m excited to tell you
about our sales team here at First Healthcare Compliance. My
career in sales started many years ago selling solutions to
my customers in the carpet industry while working for the
DuPont Company. Over the years I had different roles in both
sales and marketing management at DuPont and later Koch
Industries when they acquired that business. Those experiences
allowed me to work with many different customers, all
of different sizes and needs. My role here at First Healthcare
Compliance is to ensure our sales team delivers the best
healthcare compliance solutions available in the marketplace
to a wide range of healthcare providers; anywhere from private
practices, hospitals, long term care facilities etc. We
even have solutions specifically for billing companies.
really great selling something that you know solves problems
for these folks and makes their jobs less stressful.
What new things are happening in the sales department,
what can clients expect to see in the future?
As a company, we are always looking to add value to our
solutions to address client’s needs and challenges. We strive
to listen to client’s “pain points” and then address them as
quickly as possible with innovative, yet easy to use and implement
solutions.
We use social media platforms to push our solutions out to
the market: Facebook, YouTube, Twitter etc, so folks can learn
about new initiatives. Go on any of those platforms and you’ll
learn about our new Fundamentals course and book for folks
who are looking for a base fundamentals understanding of
compliance without investing in full on compliance certification
curriculum.
Tell us about the First Healthcare Compliance sales team?
Our sales team is awesome! Although we are all quite different
in personality and background, we all have one important
thing in common, we are problem solvers. I always say that
the clients we engage with are the busiest people I have ever
worked with. I have called on CEO’s that have less stress than
most of these administrators. Healthcare is dynamic, with
different fires to put out everyday and those issues tend to
land on our client’s desks. We know regulatory compliance
is a struggle for many because it has become pretty complex
and it’s always evolving and changing. Our sales team works
with those responsible for compliance in their organization
to identify what areas they are finding challenging and then
educating them on our solutions to ease those burdens. It’s
Listen to the First Healthcare Compliance podcast!
8
First Healthcare Compliance, LLC © 2017

Contact Toll Free: 888-54-FIRST 9

System FAQs
Does HIPAA permit a covered entity or its collection agency to communicate
with parties other than the patient (e.g., spouses or guardians) regarding payment
of a bill?
Yes. The Privacy Rule permits a covered entity, or a business associate acting on behalf
of a covered entity (e.g., a collection agency), to disclose protected health information
as necessary to obtain payment for health care, and does not limit to whom
such a disclosure may be made.
Therefore, a covered entity, or its business associate, may contact persons other than
the individual as necessary to obtain payment for health care services. However, the
Privacy Rule requires a covered entity, or its business associate, to reasonably limit
the amount of information disclosed for such purposes to the minimum necessary, as
well as to abide by any reasonable requests for confidential communications and any
agreed-to restrictions on the use or disclosure of protected health information. See 45
CFR 164.501, 502(b), 506, 514(d), 522.
What is a hybrid entity?
A hybrid entity is an entity that has a mix of both healthcare and other business services.
Examples of hybrid entities include:
• A large corporation that has a self-insured health plan for its employees.
• Grocery store that has a pharmacy.
• A correctional facility with a health care clinic that transmits one or more HIPAAcovered
transactions electronically.
• A data processing center that conducts health care clearinghouse activities as well
as non‐health care data entry.
• A university, which has a medical center.
Explore the FAQs tab in your compliance solution to
get answers to your important compliance questions
or contact our Client Services Team!
888.54.FIRST or clientservices@1sthcc.com
Join us on Social Media!
10
First Healthcare Compliance, LLC © 2017

The most comprehensive healthcare
compliance course yet!
The Fundamentals is a user-friendly, four-module course designed
to help healthcare professionals understand the
essential principles and practices of compliance.
Written by our “dream team” of
healthcare providers and attorneys,
The Fundamentals Course is packed
with useful, easy-to- understand
information that covers HIPAA, OSHA,
employment law and enforcement of
Federal healthcare laws. The course
takes less than four hours to complete.
Visit 1sthcc.com/shop to
register today!
Contact Toll Free: 888-54-FIRST 11

Join Us for Upcoming Webinars and
Earn Complimentary CEU Credits!
November 28th @ 12pm ET
MACRA, MIPS and APMs-
The New Era of Medicine
Tina Colangelo, MHA
Colangelo Consulting
December 5th @ 12pm ET
Private Enforcement of Healthcare
Fraud & Abuse Laws
Nathan Fish, JD, LLM
and Somer Hayes, JD
Greenberg Traurig, LLP
December 12th @ 12pm ET
The Second Victim Conundrum:
Recognition, Intervention, and
Protection of Peer Support
David M. Sommers, MD, JD, LLM
Medsome LLC
Don’t forget about the
First Healthcare Compliance
Referral Program
Refer a friend to receive a special
gift when they sign up!
See more details on the “My Account” page
12
First Healthcare Compliance, LLC © 2017