First Healthcare Compliance CONNECT- November 2017
CONNECT
An Exclusive Monthly Publication for Clients
November 2017

100+ Years of Xray
Handle HIPAA Privacy Concerns
Moving Ahead with MACRA
Updates to QPP

Important Compliance Dates
• 2017 EHR Stage 2 Medicaid reporting period is a minimum of any continuous 90 days between January 1 and December 31, 2017.
• 2017 EHR Stage 3 Medicaid (for all new and returning participants) reporting period is a minimum of any continuous 90 days between January 1 and December 31, 2017.
• Beginning July 1, 2017, practitioners in 9 states are required to report claims data on post-operative visits furnished during the global period of specified procedures using CPT code 99024.
• October 2, 2017 is the last possible day to begin collecting MACRA performance data.
• There are 17 Provider types that must comply with the CMS Emergency Preparedness Rule by November 15, 2017.
• Virtual Group submissions due to CMS via email to MIPS_VirtualGroups@cms.hhs.gov by December 1, 2017.
• December 1, 2017 is the new deadline for electronic submission of OSHA 300/300A Illness and Injury forms for required establishments.

In This Issue:
• Important Compliance Dates
• A Letter of Thanks
• Updates to the Quality Payment Program
• Moving Ahead with MACRA
• 7 Steps for Handling a Patient HIPAA Privacy Complaint
• 100+ Years of Xray
• System FAQs
• Upcoming Webinar Calendar

First Healthcare Compliance, LLC © 2017
Contact Toll Free: 888-54-FIRST

A Letter of Thanks
The entire First Healthcare Compliance team places a high priority on client relationships. We take great pride in our communication and responsiveness to client requests. We provide a compliance management solution, but more importantly, we strive to serve as a trusted resource for all of our clients across the United States.
Thank you for collaborating with us as we develop and enhance our technology and our educational resources. We’re grateful for your feedback and the opportunity to help you meet your compliance goals.
Certainly, the healthcare community will continue to face changes and challenges and we intend to provide support every step of the way. We appreciate your confidence in us and will work hard to continue to earn the privilege of working with you.
Wishing you a peaceful and happy Thanksgiving!
Sincerely,
Julie Sheppard
President and Founder

Updates to the Quality Payment Program
By Julie Sheppard, BSN, JD, CHC
On November 16, 2017, the Centers for Medicare and Medicaid Services (CMS) is expected to publish the final rule to address updates to the Quality Payment Program (QPP). The new “Patients Over Paperwork” initiative provides for streamlining with goals of reducing unnecessary burden, increasing efficiencies, and improving the beneficiary experience. This effort emphasizes a commitment to removing regulatory obstacles that get in the way of providers spending time with patients.
CMS provides updates for the second year of QPP to provide more flexibility during 2018 and addresses extreme and uncontrollable circumstances, such as hurricanes and other natural disasters, for both the transition year and the 2018 MIPS performance period. Here are some of the most significant changes for small providers participating in MIPS:
1. More small providers will fall under the exemption category with an increased threshold. The low-volume threshold of $30,000 in Medicare Part B charges or 100 Medicare Part B patients will increase to a threshold of $90,000 or less in Medicare Part B charges or 200 patients annually.
2. New reporting options for hospital-based physicians and solos and small groups. Hospital-based doctors will be able to report on quality and cost in the facilities where they work. Their individual score will be calculated with the submission of the facility’s inpatient value-based score.
3. New virtual groups allow solo practitioners and groups with fewer than 10 eligible providers to combine for a performance period of a year. Virtual Groups would be composed of solo practitioners and groups of 10 or fewer eligible clinicians who come together “virtually” with at least 1 other such solo practitioner or group to participate in MIPS for a performance period. Please note: the group would have to be assessed as a group on all MIPS categories.
4. Meaningful Use is replaced by Advancing Care Information (ACI), and the 2014 edition of CEHRT is allowed for the 2018 calculations. However, a bonus will be issued in the category of ACI for use of certified 2015 edition EHR.
5. Cost will not be a weighted category for 2018, but it is recommended to increase efforts in this area as cost scoring is still a category to be added in the future. For now, quality will remain the most heavily weighted category at 60% with more quality measures added.
6. Bonus points will be awarded by CMS for the following factors: caring for complex patients, and being part of a practice with fewer than 15 providers.
For more helpful information about MACRA and MIPS, please download our eBook and check out our complimentary webinar.

Get the eBook!
Are you ready for MACRA?
It’s important to understand how MACRA and the final rule published on November 2, 2017, will impact your bottom line when it goes into effect on January 1, 2018. Get help and determine your best course of action!
Moving Ahead with MACRA
By Julie Sheppard, BSN, JD, CHC
Learn more about getting on track with MACRA:
• Common Misconceptions
• MIPS Hurdles
• Creating a MIPS Action Plan
Download your copy today!

7 Steps for Handling a Patient HIPAA Privacy Complaint
By Sheba Vine, JD, CPCO
A patient voices a concern of privacy violation because the provider mistakenly emailed her medical treatment information to unrecognized email addresses. Your Notice of Privacy Practices correctly informs the patient of her rights under HIPAA to file a privacy complaint with your organization’s Privacy Officer and the Office of Civil Rights (OCR). As the provider, how should you respond? What is your protocol for handling this patient complaint? Follow the seven steps outlined below to ensure you cover all your bases.

Step 1: Timely Response to Patient Complaints
Treat all patient complaints of privacy seriously by taking prompt action. If there is a breach of protected health information (PHI) then the clock is ticking. Depending on the level of culpability, penalties can be avoided or reduced if the breach is corrected within 30 days. If the provider is required to report the breach, it only has 60 days from discovery to report under the Breach Notification Rule (discussed below). Therefore, time is of the essence when handling complaints of this nature.
In taking prompt action, the patient should be asked to reduce their complaint to writing by filling out a complaint form. A sample patient complaint form is provided below. Be careful to avoid any action that could be construed as retaliation against the patient for filing the complaint. Once the patient submits a completed complaint form, the HIPAA privacy officer, or other designated person(s), must take over to investigate and determine if a HIPAA breach has occurred.

Step 2: Conduct an Adequate Investigation
Is there a violation of the HIPAA Privacy or Security Rule? If so, you may be dealing with a HIPAA breach, which is defined as an impermissible use or disclosure of PHI that compromises security and/or privacy of PHI. Therefore, fully investigate the complaint by engaging in fact finding and root cause analysis to understand the depth of the incident and to determine if you are dealing with a breach situation. Review internal policies and procedures to determine if there was a violation; identify any persons who accessed, used or received the PHI, including interviewing and obtaining statements from staff that were involved in the incident; and review the nature and extent of the PHI involved. If your investigation does not substantiate a HIPAA violation then skip to step 5; otherwise, continue to step 3.

Step 3: Correct and Mitigate Harmful Effects
If the investigation substantiates a breach has occurred, then HIPAA requires you to mitigate the harmful effects of the breach. This is a critical step since it factors into the analysis that determines whether the breach must be reported to individuals, media and/or HHS. In addition, and as mentioned above, penalties may be avoided or reduced if the breach is corrected within 30 days.
Start by correcting the breach if possible—stop any further disclosure or uses of unauthorized PHI. If the damage is already done, take measures to mitigate the breach. By completing an investigation, you should understand what caused the breach and determine ways of preventing similar breaches in the future. Mitigation efforts may include updating policies and procedures, providing refresher compliance training for staff, and/or implementing new safeguards to prevent noncompliance.

Step 4: Determine if there is a Reportable Breach
If the breach at issue involves the use or disclosure of secured PHI then the breach does not have to be reported. But if the disclosure or use involves unsecured PHI that is not properly rendered unusable, unreadable, or indecipherable, then a breach is presumed under the Breach Notification Rule, and further analysis is necessary to determine if an exception applies or if there is a low probability that the PHI has been compromised. Your initial investigation will assist you with these efforts.
First, determine if the breach fits within one of the three exceptions of the Breach Notification Rule:
• The unintentional access, use or acquisition of PHI by a workforce member or person acting under the authority of the provider if done in good faith and within the scope of authority and does not result in further use or disclosure that violates HIPAA.
• An inadvertent disclosure of PHI by an authorized person to another authorized person as long as the PHI is not further used or disclosed.
• Provider has a good faith belief that the unauthorized person would not likely retain the PHI that was disclosed.
If an exception does not apply, conduct a risk assessment that considers the following four factors:
• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
• The unauthorized person who used the PHI or to whom the disclosure was made;
• Whether the PHI was actually acquired or viewed; and
• The extent to which the risk to the PHI has been mitigated.
If the assessment indicates more than a low probability of PHI compromise, then the breach must be reported. Breaches affecting fewer than 500 individuals require notices to affected individuals within 60 days following the discovery of a breach and notice to Health and Human Services (HHS) within 60 days of the end of the calendar year. For larger breaches, affecting 500 or more individuals, notices to affected individuals, HHS and major media outlets must be sent within 60 days following the discovery of the breach. In addition to HIPAA, state breach notification laws must also be followed.

Step 5: Involve HR to Determine Disciplinary Measures
HIPAA requires covered entities to apply appropriate sanctions against workforce members who violate HIPAA. Work with human resources to identify the appropriate disciplinary measures to take, following human resources policies and any progressive disciplinary measures to be consistent with an employee’s past disciplinary history and to ensure consistency for similar violations. Disciplinary action can range from an oral warning, written warning, suspension and up to termination.

Step 6: Get your Documents in Order
Document and record all your investigative efforts: this includes the patient complaint, the internal investigation and determination, documents reviewed and witness statements obtained, actions taken to mitigate the breach, copies of breach notices or rationale for not reporting, and any disciplinary actions taken.

Step 7: Follow up with the Patient
The Privacy Officer or appointed designee should notify the patient of the findings and resolution of the complaint.
As a final note, take this opportunity to improve your compliance program so that it promotes prevention, detection and resolution of unlawful conduct. Click here for a sample HIPAA Privacy Complaint Form.

Learn more about compliance with our new interactive online course and companion guidebook covering the fundamentals of healthcare compliance.

Spotlight
An interview with Kelly Anderson, National Inside Sales Manager at First Healthcare Compliance.

Kelly, can you start by telling me a little bit about yourself and your role here?
Thank you for talking with me today, I’m excited to tell you about our sales team here at First Healthcare Compliance. My career in sales started many years ago selling solutions to my customers in the carpet industry while working for the DuPont Company. Over the years I had different roles in both sales and marketing management at DuPont and later Koch Industries when they acquired that business. Those experiences allowed me to work with many different customers, all of different sizes and needs. My role here at First Healthcare Compliance is to ensure our sales team delivers the best healthcare compliance solutions available in the marketplace to a wide range of healthcare providers; anywhere from private practices, hospitals, long term care facilities, etc. We even have solutions specifically for billing companies.

Tell us about the First Healthcare Compliance sales team?
Our sales team is awesome! Although we are all quite different in personality and background, we all have one important thing in common, we are problem solvers. I always say that the clients we engage with are the busiest people I have ever worked with. I have called on CEOs that have less stress than most of these administrators. Healthcare is dynamic, with different fires to put out every day and those issues tend to land on our clients’ desks. We know regulatory compliance is a struggle for many because it has become pretty complex and it’s always evolving and changing. Our sales team works with those responsible for compliance in their organization to identify what areas they are finding challenging and then educating them on our solutions to ease those burdens. It’s really great selling something that you know solves problems for these folks and makes their jobs less stressful.

What new things are happening in the sales department, what can clients expect to see in the future?
As a company, we are always looking to add value to our solutions to address clients’ needs and challenges. We strive to listen to clients’ “pain points” and then address them as quickly as possible with innovative, yet easy to use and implement solutions.
We use social media platforms to push our solutions out to the market: Facebook, YouTube, Twitter, etc., so folks can learn about new initiatives. Go on any of those platforms and you’ll learn about our new Fundamentals course and book for folks who are looking for a base fundamentals understanding of compliance without investing in full on compliance certification curriculum.

Listen to the First Healthcare Compliance podcast!

System FAQs

Does HIPAA permit a covered entity or its collection agency to communicate with parties other than the patient (e.g., spouses or guardians) regarding payment of a bill?
Yes. The Privacy Rule permits a covered entity, or a business associate acting on behalf of a covered entity (e.g., a collection agency), to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made.
Therefore, a covered entity, or its business associate, may contact persons other than the individual as necessary to obtain payment for health care services. However, the Privacy Rule requires a covered entity, or its business associate, to reasonably limit the amount of information disclosed for such purposes to the minimum necessary, as well as to abide by any reasonable requests for confidential communications and any agreed-to restrictions on the use or disclosure of protected health information. See 45 CFR 164.501, 502(b), 506, 514(d), 522.

What is a hybrid entity?
A hybrid entity is an entity that has a mix of both healthcare and other business services. Examples of hybrid entities include:
• A large corporation that has a self-insured health plan for its employees.
• A grocery store that has a pharmacy.
• A correctional facility with a health care clinic that transmits one or more HIPAA-covered transactions electronically.
• A data processing center that conducts health care clearinghouse activities as well as non-health care data entry.
• A university, which has a medical center.

Explore the FAQs tab in your compliance solution to get answers to your important compliance questions or contact our Client Services Team!
888.54.FIRST or clientservices@1sthcc.com
Join us on Social Media!

The most comprehensive healthcare compliance course yet!
The Fundamentals is a user-friendly, four-module course designed to help healthcare professionals understand the essential principles and practices of compliance.
Written by our “dream team” of healthcare providers and attorneys, The Fundamentals Course is packed with useful, easy-to-understand information that covers HIPAA, OSHA, employment law and enforcement of Federal healthcare laws. The course takes less than four hours to complete.
Visit 1sthcc.com/shop to register today!

Join Us for Upcoming Webinars and Earn Complimentary CEU Credits!
• November 28th @ 12pm ET: MACRA, MIPS and APMs - The New Era of Medicine. Tina Colangelo, MHA, Colangelo Consulting
• December 5th @ 12pm ET: Private Enforcement of Healthcare Fraud & Abuse Laws. Nathan Fish, JD, LLM and Somer Hayes, JD, Greenberg Traurig, LLP
• December 12th @ 12pm ET: The Second Victim Conundrum: Recognition, Intervention, and Protection of Peer Support. David M. Sommers, MD, JD, LLM, Medsome LLC

Don’t forget about the First Healthcare Compliance Referral Program
Refer a friend to receive a special gift when they sign up!
See more details on the “My Account” page