Simply Put: Simplify

A bit over a year ago, a couple of weeks after the death of my mother, I received an email from a blog entitled ‘Becoming Minimalist.’ I don’t know why I received it; I do not remember expressing interest in the topic of removing possessions as the driving force in my life. I like to think that someone who knows me sent it to me because they knew I need it.

I read the post and created a folder called ‘Simplify’ to save the ones I liked. I have not even developed the habit of reading the posts when they arrive in my mailbox each week, but I know that I have that as a goal and have them there whenever I am ready to dig in. Just seeing the email arrive reminds me that I also have as a goal to simplify my life.

When I received today’s post, I was reminded again of something I learned a long time ago but seem to need regular lessons in. The lifestyle I live often gets in the way of the lifestyle I think I want to live. As I once learned in a Twelve Step program, I behave as if I am a human doing rather than a human being. Part of the reason for that is that I have placed so much importance on success in my job and the ownership of nice things. I think I must be constantly doing in order to maintain what I have and get more of the same. That is not really all I want in life, but it is how I behave.

When I was a child, I learned that developing different patterns of behavior took a constant focus on that new pattern and practice of it. As a psychologist, I taught clients how to do that. In my daily life, I forget that over and over again. It is as if I never learned how to change one habit and create a new one. Had I read the post I received last Friday, I would have been reminded again that there is a science to change and we can all accomplish it.

Part of the reason for my ongoing re-learning of these lessons is that I usually focus outside myself rather than inside. While I have always experienced an internal locus of control (for all you psychology-types), I have for some reason spent my energy on behaving to a certain effect in the world rather than on regularly re-confirming a commitment to a certain way of being and developing the patterns of behavior which accomplish that.

I did better when I was a therapist; helping others learn to decide what they want to be and to behave in that direction helped me do the same for myself.  What do you do; what circumstances do you create that allow you to become more of the person you want to be each day? Your comments and suggestions are welcome.

 

Performance-Based Compensation: What is your plan?

If you are a solo provider of mental health services in private practice, you entire income is based on your performance as a psychotherapist or diagnostician or prescriber. There is really nothing between you and your patients. You see them; they are satisfied and continue coming to see you, or they are not and do not return. That is ‘performance based compensation’ of the most basic sort. I have often wondered precisely what others mean by that term.

Earlier this week, I read an article by Sarah Threnhauser of Open Minds that very much enlightened me. Making Performance-Based Comp Plans Work is an excellent look at the compensation plan of Manatee Glens, a specialty hospital and outpatient program in Bradenton, Florida. The article discusses the criteria they use for measuring performance as well as the steps they follow to measure each clinician’s functioning relative to the criteria. One of their measures is number of client no-shows; another is clinician completion of concurrent documentation with the client. Surpassing the criteria results in additional pay to the clinician.

Does your organization use any sort of performance-based compensation? How have you made it fit the personality and structure of your practice or agency? What kinds of functions do you measure? What criteria do you use?

Please share your comments and responses in the comment section below. We would love to have our discussion here on this blog site!

 

Government Entities are not sheltered from HIPAA requirements

For the first time, the Office of Civil Rights (OCR) has levied a fine against a government entity for a possible HIPAA breach.

Skagit County, WA, a small county (118,000) in the northwest part of the state, was fined $215,000 for its failure to protect patient information controlled by the county Health Department. Even after a data breach in 2011 that the county reported to OCR, the county failed to implement adequate policies and procedures to prevent future breaches.

In its report about this incident, FierceHealthIT also cited the compromise of information for 169,000 clients served by the Los Angeles County Department of Health Services. A third party billing vendor, Sutherland Healthcare Solutions, was the victim of theft of unencrypted computers containing the not-so-protected PHI of these clients.

If you think that being small or a government entity or a not-for-profit might protect you from being penalized for the exposure of the data of your clients, best that you think again. We are all responsible for assuring that PHI is protected, whether the people involved are our own clients, or in the case of SOS, the clients of our customers who are Covered Entities. This is not an area in which you should skimp on effort made to protect information.

Please share with us and your colleagues some of the steps you have taken to assure the protection of the PHI of your clients. Do you feel that your written policies and implemented procedures are known and understood by your employees? Do they take these procedures seriously? What do you do when you learn that they are not practicing what they have been taught? When was the last time you had training on HIPAA issues? You do have training, right?

Please comment below.

Sharing Mental Health Information: HIPAA Privacy Rule Guidance

Those of us trained as providers of mental health services have been indoctrinated about the need to maintain the privacy of our patients. Unfortunately, changes in law and in rules mean that the way in which we were trained may no longer fit the realities on the ground. It is essential that you stay up-to-date on the requirements of your state (especially if those requirements are more stringent than HIPAA) and on the requirements of HIPAA for protecting the privacy of your patients.

The Office of Civil Rights (OCR) and Health and Human Services (HHS) has issued Guidance regarding the HIPAA Privacy Rule and Mental Health information. This is information you will want to read. The Department specifically addressed issues that are directly pertinent to behavioral health providers of every ilk.

In this guidance, we address some of the more frequently asked questions about when it is appropriate under the Privacy Rule for a health care provider to share the protected health information of a patient who is being treated for a mental health condition. We clarify when HIPAA permits health care providers to:

  • Communicate with a patient’s family members, friends, or others involved in the patient’s care;
  • Communicate with family members when the patient is an adult;
  • Communicate with the parent of a patient who is a minor;
  • Consider the patient’s capacity to agree or object to the sharing of their information;
  • Involve a patient’s family members, friends, or others in dealing with patient failures to adhere to medication or other therapy;
  • Listen to family members about their loved ones receiving mental health treatment;
  • Communicate with family member, law enforcement, or others when the patient presents a serious and imminent threat of harm to self or others; and
  • Communicate to law enforcement about the release of a patient brought in for an emergency psychiatric hold.

The Question & Answer format is a helpful way to quickly review the relevant information. You might take particular note of the section on the protection of psychotherapy notes. Some providers have chosen to believe that any note they write about the psychotherapy provided is protected and that they do not have to release such information when it is requested. This Guidance spells out what this does NOT mean. In other words, it specifies all the information that is not a ‘psychotherapy note’ for the purposes of the rule. You might be surprised to find, for instance, that symptoms, prognosis and progress to date cannot be considered part of the psychotherapy note.

Psychotherapy notes do not include any information about medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, or results of clinical tests; nor do they include summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date. Psychotherapy notes also do not include any information that is maintained in a patient’s medical record.

Reading this new Guidance is the easiest way for you to quickly review just what your responsibilities are under HIPAA and HITECH for maintaining patient privacy. Do take a look when you get a chance, and feel free to share your comments below. 

Smartphone Apps for Behavioral Health: Are you connected?

I read a newsletter yesterday that got me thinking. Mercom Market Intelligence Report on Healthcare IT for January 27, 2014 talked about the boom in patient at-home monitoring. I wondered what kind of apps might be around for behavioral health and whether they might be useful as supports in therapy.

When I worked as a psychologist, I practiced Cognitive Behavioral Therapy (CBT), as taught by Aaron Beck and his colleagues. The biggest struggle my patients had was to remember to do their homework, self-monitoring that almost always involved daily recording of activities, thoughts and reactions. I always provided them with a pocket-sized notebook to record things (this was 20 years ago, after all). Now, I would be more likely to find a higher tech way to assist them.

And so I began my quick review. I started with a Google search for ‘behavioral health self monitoring apps.’ I was somewhat surprised at the pages of links and articles that appeared. This has clearly become a hot area. Some of the apps are aimed at young people and children; many are aimed at adults.

I have not reviewed any of these apps. I am going to give you lots of articles and links so you can explore for yourself.

There are some more formal articles and research reports on the subject.

The American Psychological Association is offering some continuing education on the subject.

And multiple organizations list smart phone apps among a variety of self-help resources.

I was surprised at the broad array of resources available. Certainly each clinician will need to review these and determine if there any that fit well with their practice and modalities and might be beneficial to their clients. Perhaps some of you have already done that.

Please share any smartphone apps you use in your practice or organization to facilitate therapy progress. We would love to know what you have found useful.

Information Explosion

Do you ever feel like your head is going to explode from all the new pieces of information you are trying to cram into it?

‘No,’ you say. You never let yourself get overwhelmed by too much information – TMI. Please teach me how you do that!

I am constantly presented with new things that I think I should know more about, so I try to organize my life so I can learn it. Perhaps I spent too much of life as a student to let such a circumstance pass me by. If someone even vaguely implies that I should be informed about something, and they tell me where I can get the information, I feel compelled to go there and gain that knowledge. I have referred to myself as a sucker for learning something new. It is one of my greatest of joys; it is also one of my heaviest of burdens, especially as my aging brain resists assimilating more data.

The arena in which I am currently trying to become more informed is website analytics and email tracking. I know about Google Analytics. We have had an account for many years, since the days when it was fairly straightforward and simple. Have you looked at it lately?  This service has become so sophisticated that just clicking onto our Dashboard makes me feel like I need to start this only when my brain is at its sharpest.

For the last several years I have used an alternative service that has served up a lot of this analytic information in bite-sized portions for those like me with limited time to do it themselves. This has been a great tool, but that company has grown beyond my ability to keep up with their services. As a result, I am looking to bring some of that tracking and analysis in-house and share it with another staff person. We want to be able to use the tools that will help us and leave the rest behind….kind of a *KISS* approach.

So what is a person to do? Well, Google it, of course!

I started by doing this search: “google analytics learning” and found many places I can go for training. Of course, I will start with the Google Analytics Guide. Hopefully, this will get me started before I move on to ‘Get Started’ at the Google Analytics Training and Certification site. Or maybe I will start with Get Started….hmmm? But then, it seems that I need to learn something about this ‘regular expressions‘ stuff so I don’t get too lost. It looks like I can pay lynda.com to teach me about this and everything else technical; or I can let Eugen Oprea at Udemy teach me for free. Or maybe it would be even better to go to this YouTube Google Analytics channel. Undoubtedly, this article from KISSmetrics, 50 Resources for Getting the Most Out of Google Analytics, will do it for me. After all, it is using that *KISS* notion, right?

You see what I mean about TMI? Maybe you have discovered a simpler way that does not include hiring a marketing firm. After all, we are in the behavioral health community and do not have lots of resources to spend on fancy stuff. How do you handle analytics for your website. Any insights for the likes of me?

Thanks for reading and for your comments.

ICD-10 Challenges Behavioral Health Providers

I have had a difficult time getting started with blogging this year. I have been struggling with finding a topic that I really wanted to address. So I have been actively avoiding the reminder in my calendar to ‘write blog’, sticking my head in the sand just a bit.

Trust our customers to come to the rescue.

I was told by both Seth and Trish that several customers have called this week with questions about what we are doing about the transition to the ICD-10. That is in spite of the fact that our last two newsletters have been filled with information about just that topic.

Synergistic Update | December 2013 is primarily about the ICD-10 transition, while in Synergistic Update | September 2013, the ICD-10 is our lead story. 

Perhaps I am not alone in my ostrich-like tendency!

What worries me most about the fact that some of our customers have not noticed these stories is that it is possible that the cash flow of provider organizations will be affected by this move to ICD-10 codes, at least initially. While the process of implementing the codes is not likely to be a very difficult thing for behavioral health organizations, it is definitely a huge matter for 3rd party payers of every stripe. You may need to be prepared with a short-term loan or line of credit in case your payers really bungle the transition!

So, please inform yourselves about this migration, how it will impact you, and what you need to do to get your organization ready for the change. You can view a webinar that was provided by the National Council in late January: Transitioning to ICD-10: Why It’s Important to Behavioral Health Providers and How to Prepare. You can attend (online or in person) CMS’ eHealth Summit on ICD-10 on February 14. Or, you can read the volumes of material provided by CMS at their website. Feel free to access some of the links in our newsletter stories as well as previous blog articles.

We may not always be successful, but we do make an effort to communicate early and often about matters that affect the practices of those we serve and their ability to obtain reimbursement for their services. Please take advantage of some of the many resources available to learn about and help you prepare for this transition. If you do not use our software, communicate with your own software vendor to learn about how this affects you. If you do use our software, read the articles in our newsletters so you will be ready when the transition begins!

Please feel free to share how you and your organization are preparing for the move to ICD-10.

 

 

 

A Model to Follow

Sometimes when I start looking for a topic for this blog, I struggle a bit. I find myself searching without finding a topic that feels useful and satisfying. When that happens, I go to newsletters I receive from a variety of sources to help me come up with ideas.

Today, I did not even go looking. A newsletter from one of our customers appeared, and I was reminded that some behavioral health organizations do this newsletter/blog/public information activity just right.

Southeast Psych of Charlotte, North Carolina sends me their newsletters regularly. They also send Southeast Psych’s Hotsheet, a summary of the videos and blogs and programs they have presented during the month. If you think your organization ought to be doing more public education and reaching out to your clients and to your community, you would be hard pressed to come up with a better model for doing so.

Take a look at some of their offerings and get an idea about how a behavioral health practice or agency can use the internet and social media to develop a significant influence in their community. Then get posting!

If your organization does something similar, please let me know so we can see many examples of how behavioral health providers can establish a community presence using electronic media.

 

 

CMS Notices on ICD-10 Transition Become More Concerned

The Centers for Medicare and Medicaid Services (CMS) has been sending out a newsletter on ICD-10 transition for over a year. The tone of that newsletter is beginning to change as we move into a countdown that is less than one year long.

What could possibly be the big deal? This is a question that many have asked, but until you assess your own practice or organization, you will not know. It is crucial that you begin to do this if you have not already done so. The impact in your organization may be minimal; on the other hand, it may be huge.

Here’s where to start. CMS has a large quantity of Provider Resources. This document is an Introduction to ICD-10: A Guide for Providers. Medscape has provided A Roadmap for Small Clinical Practices as well as a Small Practice Guide to a Smooth Transition. Both of these are continuing education programs aimed at small practices across many specialties.

If these resources do not appeal to you, or you think there is nothing for you to be concerned about in this transition, think about what happened earlier this year when we transitioned to a few new ICD codes that included compound codes for the first time for many types of providers. Did you experience an interruption in your cash flow? Now think about all the payers with whom you deal. How many of them will be completely ready to receive your claims with the new codes? How will you know whether to use the old or new codes? Can you count on your clearinghouse? your software vendor?

My take on this transition is that you must count on yourself. You must be prepared. No one else can do this for you. If you have not yet begun, now is the time to start.

Please share what your organization has done to begin the process of transition to the ICD-10.

Two Quick Notes: On Parity and HIPAA for Business Associates

Parity

On November 8, the Administration announced a final rule on Parity of mental health and substance abuse benefits with physical health benefits. The Departments of Health and Human Services along with Labor and the Treasury issued this final rule that

…implements the Paul Wellstone and Pete Domenici Mental Health Parity and Addiction Equity Act, and ensures that health plans features like co-pays, deductibles and visit limits are generally not more restrictive for mental health/substance abuse disorders benefits than they are for medical/surgical benefits.

While health insurers have claimed to be supportive of Parity, their implementation in the absence of a Final Rule has been spotty and challenged by providers. We will now get to see what changes, if any, emerge.

HIPAA for Business Associates

You are a behavioral health provider, right? You have Business Associates, right? You even have Business Associate Agreements with those Business Associates, right? But do your Business Associates really have any idea what HIPAA is all about and what responsibilities and liabilities they have under the law?

You can make sure they have at least been exposed to some information in order to protect yourself, your patients, and their protected health information (PHI) a bit better. Send them the link to this free webinar happening on Tuesday, November 19 and ask them to attend. ID Experts is a fine provider of education and consultation and tools focused on privacy and security. HIPAA Compliance for Business Associates: Ignorance is Not Bliss should be a very instructive event, especially for Business Associates who really do not know their responsibilities.

________________________________________

Please share any information you have obtained about the Parity Final Rule or about training for Business Associates. We would love to be sure this information is well-circulated.

 

Do You Own Your Patient Records?

I just re-read an email newsletter by Monica Oss of Open Minds asking the question: “Who Owns Patient Records?“. The answer to this question varies from state to state, with some locales not having clear statutory requirements. In Florida, the provider owns the record but must provide a copy of it if the patient requests it. In fact, the HIPAA privacy standards make it very clear that the provider is responsible for sharing records with a patient (making copies) if a patient so requests. One of the major exceptions to this requirement is psychotherapy notes, which the behavioral health provider is not responsible to share with the patient and must not share with anyone else (like an insurance company) without the patient’s specific permission.

This matter is complicated when a provider uses an Electronic Medical Record (EMR) that is hosted by a software company. Why should that matter, you ask. Well, in the case of the hosted product, the software resides on the company’s servers, not on the provider’s computer. The provider pays to use the software; they don’t own anything. Unless the provider prints everything out, they do not really have possession of a record; the software company does.

What happens when they decide to go to another software program? The first company may be willing to provide them with reports and printouts of their records, but getting that into a new program can be a challenge. And if the old company is willing to work with the new one to transfer the data, the process can be very time-consuming and costly…and some companies won’t even do it.

And if the EMR is free, the provider may be agreeing to share some of the data they enter so the software company can sell it to other companies…all within the confines of their role as a Business Associate, of course. You do have a BAA with the software company, right? And of course, you have a good contract that you have read and understood before you signed it, right?

Hmmm…..this ownership question is complicated.

Please share your comments below.

Heathcare.gov Struggles in First Weeks

I don’t know about you, but I have been reading everywhere I turn about the shortcomings and failures of healthcare.gov, the website created by HHS to serve as the health insurance exchanges for over half the states. The site was overwhelmed by the number of people who attempted to access it in the first days. The method of requiring the potential customer to create an account before they could even look at prices in their state, and the bottleneck that requirement caused meant that people could not get anywhere. Each time they tried anew, they were required to re-enter their information and still got nowhere. Many people were very frustrated.

President Obama has called for a ‘tech surge‘ including the assistance of heavy hitters from government and private sources. And now members of Congress are calling for investigations into who in the administration is to blame. The strong undercurrent in each of the articles I have read is that here we have yet another example of government ineptitude.

But is that what we have? After all, this entire project was contracted to a huge private corporation who had an open-ended contract to provide a mission-critical product for HHS. They failed, and now they are being paid even more money to fix their mess. Here’s one more example of private corporations fleecing the American taxpayer.

But wait, aren’t private corporations by definition more effective and efficient than the government? That is a story we have all been sold for the past forty years. Privatize! Private companies can always do it better…by definition!

According to Joshua Holland and Moyers & Company, that is anything but the case. Government has been so downsized since Reagan, Bush, Clinton and Bush, that it does not have the resources to even oversee these huge contracts; so when they go awry, there is no one there to get them back on track.

I don’t think large government is our problem; I think out of control private contractors and their cronies in the administration and in Congress are.

 

 

Medical Identity Theft: Fastest growing type of fraud

You know all that work you have been doing to make your organization HIPAA compliant? You have been tuning up your privacy and security practices in order to keep safe the protected health information (PHI) of your clients.

Good job…but not good enough!

In spite of the efforts of healthcare organizations and providers of all stripes to secure the PHI of their patients, Medical Identity Theft and resulting fraud is dramatically on the rise. According to ID Experts’ Data Breach Examiner,

In the last year, medical identity theft has affected 1.84 million Americans, costing victims an estimated $12.3 billion in out-of-pocket expenses. . . . Medical identity fraud is estimated to cost the healthcare industry almost $40 billion annually, driving up the cost of healthcare for everyone.

Do you know someone who has allowed another person to use their Health Insurance card and ID? Maybe your friend who has insurance let her sister who did not use her card. Or possibly, your wallet was stolen and you noticed an EOB on your payer’s web site that was for services you never received.

Breaches are not the only way data finds its way into the hands of someone who does not own it. According to ID Experts, its all in the family.

 More than half the survey respondents said they would find another provider if they knew their healthcare organization could not safeguard their medical records. Yet 30 percent of those surveyed also reported that they knowingly allowed a family member to use their personal identification to obtain medical treatment, healthcare products, or pharmaceuticals, and more than 20 percent couldn’t even remember how many times they had shared their healthcare credentials. Even in cases where medical identity was stolen, 48 percent said they knew the thief (typically a family member) and didn’t want to report him or her.

Not only does this cost money, it also contaminates the medical record of the individual increasing the danger of misdiagnosis and improper prescriptions.

Perhaps you have never experienced this in your behavioral health organization. Perhaps you have and have many stories to tell. I know I was certainly asked to do some fraudulent insurance activities when I was in private practice.

Have you or your organization experienced someone falsely using another person’s medical identity? How did you handle it? Please share your comments below.

 

HIPAA Omnibus Final Rule Now in Effect

On September 23, 2013, the HIPAA Omnibus Rules became effective. You can read the detail of the process and get huge amounts of information from the HHS web site; you can read the entire Rule as published in the Federal Register. But if you are strapped for time and you want to be sure you and your organization have done everything you need to do to meet the requirements of the rule, you can take a look at an excellent summary published by the Godfrey Kahn Law Firm of Wisconsin that was published in March. There are many such summaries around and you definitely should take a look at one of them if you are the Privacy Officer for your organization. I know that many organizations have not done even the basics of updating their Notice of Privacy Practices or updating their Business Associate Agreement (BAA) . . . you do have those, right?

Keeping the protected health information (PHI) of your clients secure and private is a significant responsibility, especially the sensitive information of behavioral health clients. I hope you have taken these changes seriously.

Please share your comments below.

Telehealth: Is this a legitimate way to provide treatment?

My first article on telehealth services in mental health was in February 2009. Since that time, I have written about this subject on multiple occasions. It has seemed natural to many of us that some mental health services could be appropriately provided using services like Skype.

This area is very much open for debate, but in Oklahoma, a doctor has been sanctioned for mental health services he provided remotely. Investigative Reporter Andrew Knittle reported on NewsOK that Dr. Thomas Trow was disciplined because he prescribed controlled substances for a patient he had never met face-to-face (his nurse was with the patient and present during the remote session), the patient overdosed multiple times, and the patient ultimately died. Joseph Kvedar, M.D. re-reported this story and his comments in the cHealth Blog after he was invited to comment in WBUR’s Common Health blog. Dr. Kvedar wrote the following as part of his contribution:

The Medical Board of the state of Oklahoma recently sanctioned a physician for using Skype to conduct patient visits. A number of other factors add color to the board’s action, including that the physician was prescribing controlled substances as a result of these visits and that one of his patients died. This situation brings up several challenges of telehealth — that is, using technology to care for patients when doctor and patient are not face-to-face.

• Legal/regulatory: On the legal side, physicians are bound by medical regulations set by each state. It appears that the use of Skype is not permitted for patient care in Oklahoma.

• Privacy/security: Skype says its technology is encrypted, which means that you should not be able to eavesdrop on a Skype call. That would seem to protect patient privacy.

At Partners HealthCare, we ask patients to sign consent before participating in a ‘virtual video’ visit. Because this is a new way of providing care, we feel it’s best to inform our patients of the very small risk that their video-based call could be intercepted. I don’t know if the Oklahoma physician was using informed consent or not.

But the most interesting aspects of this case involve the question of quality of care. Can a Skype call substitute for an in-person visit? Under what circumstances?

While Dr. Kvedar brings up additional interesting points in his discussion, I think the three listed above are crucial.

  1. What is the state law where you are working? If the patient is in another state, what is the law in that state? Which state’s laws govern the interaction?
  2. Is the method you are using for your session secure? Does the patient understand that it might not be so?
  3. Can you provide quality care remotely? Is this a new patient you have never met face-to-face or is this follow-up care with an already established patient?

Has your organization begun using remote sessions to provide behavioral health services? How do you do this? How do you handle the privacy/security issues? How do you assure that the quality of the patient’s care remains high?

Please share your comments below.

 

HHS Releases Model Notice of Privacy Practices

Yesterday I had the experience of going into an outpatient surgery center for a procedure. I was presented with a form to sign indicating that I had seen the Notice of Privacy Practices (NPP), but when I asked to see it they had to go searching. When I was presented with the document 15 minutes later, I was saddened to see that it was dated 2003. The notice indicated that it was posted on the wall of the office (it was not) and that it was distributed to each patient on admission (obviously, it was not). I was distressed to see how little energy even an organization the size of an outpatient surgery center has given to implementing HIPAA. I certainly fear for the security and privacy of my data.

A couple of weeks ago, I posted about the amount of time providers have spent implementing the new HIPAA Omnibus Rule that goes into effect on Monday, September 23, 2013. The Notice of Privacy Practices is the most time consuming part of this implementation.

On September 16, 2013, the Office of the National Coordinator (ONC) and HHS Office of Civil Rights released sample NPPs that you can customize and use in your own organization. Please note that these models are templates that are meant for you to edit. Please DO NOT just print them out as they are. You can also use them as models for an NPP that you create from scratch.

You should also know that HHS OCR maintains detailed background information about HIPAA NPPs, implementation of HIPAA, and anything else you can think of related to it. If you have never visited this web site, you should be sure to do so.

Please tell us where you are in implementing the HIPAA Omnibus Rule. Have you updated your NPP? Do you have BAAs with all your business partners who might have access to your PHI? What have you done to include the changes in your procedures and educate your staff? Please share your comments below.

 

 

New CMS-1500 Forms Required Soon

CMS has announced deadline dates for use of the new CMS-1500 form that will be ICD-10 compatible. CMS will begin accepting the new paper form (for those who have a special exemption to send paper Medicare claims) on January 6, 2014. Starting April 1, 2014, Medicare will accept only the new form. The information and links below are from an email notification we received on September 5, 2013.

CMS-1500 Claim Form Updates: Medicare to Accept Revised Form Starting January 2014

The CMS-1500 Claim Form has been recently revised with changes including those to more adequately support the use of the ICD-10 diagnosis code set. The revised CMS-1500 form (version 02/12) will replace version 08/05. The revised form will give providers the ability to indicate whether they are using ICD-9 or ICD-10 diagnosis codes, which is important as the October 1, 2014, transition approaches. ICD-9 codes must be used for services provided before October 1, 2014, while ICD-10 codes should be used for services provided on or after October 1, 2014. The revised form also allows for additional diagnosis codes, expanding from 4 possible codes to 12. 

Only providers who qualify for exemptions from electronic submission may submit the CMS-1500 Claim Form to Medicare. For those providers who use service vendors, CMS encourages them to check with their service vendors to determine when they will switch to the new form.

Medicare will begin accepting the revised form on January 6, 2014. Starting April 1, 2014, Medicare will accept only the revised version of the form.

As you know, other insurers will follow CMS’ lead on use of the new form; you will need to find out from them when they will require the new form. SOS, like most other software vendors, will provide the new format for customers with current support agreements. But you will need to purchase the forms and use them…unless you have wisely moved to electronic claim filing!

 

HIPAA Omnibus Rule: How much time have you spent?

FierceHealthIT, one of the newsletters I monitor, just reported that the department of Health and Human Services Office for Civil Rights estimates that all healthcare organizations in total will spend 32.8 million hours implementing the new aspects of the HIPAA omnibus rule.

The bulk of that time–30.65 million hours–involves the dissemination and acknowledgement of privacy practices at provider offices, a notice published in the Federal Register reveals.

I recently went into a physicians office and needed to sign an acknowledgement that I had received their notice. Of course, I had not. I looked around to see if one was posted, as some offices do to make it a bit easier. When I did not spot one, I asked to see a copy. After a bit of rummaging in a desk drawer, I was graciously provided with a copy. It was a very nice, plain language policy that could easily have been framed and hung on the wall, or copied and included in the packet of materials I needed to sign. But it was not. I had to ask for it. In my humble opinion, that is not a dissemination of the privacy practices.

How does your organization handle this sharing of privacy practices? Do you provide a copy for every new patient when they arrive at your offices and complete your intake paperwork? Do your staff know exactly where it is located and just what it means in case they are asked? Have you forgotten all about this requirement that HIPAA places upon your organization?

I think this is especially important in behavioral health organizations where people are seen for sensitive reasons. Please share your strategies for disseminating your privacy practices. I would love to know how you handle this. Just enter your comments below.

Contractor vs. Employee: How does your organization decide?

This week I received an email from the Florida Department of Revenue about classification of workers for tax purposes. With Labor Day upon us, I find myself wondering how your organizations make the decision about whether to treat their workers as W-2 employees or as 1099 independent contractors.

In behavioral health organizations there is often a mix of kinds of workers including licensed professionals, salaried and hourly workers. I am often confused when I hear a customer say that they have 14 counselors and two back office staff, and that they are all independent contractors. That does not fit with my understanding of what an employee and an independent contractor is.

I was surprised to learn that Florida (and many other states) have their own definitions of employee and contractor that are separate from the IRS definitions (additional IRS articles). There appear to be significant overlaps, but the email I received indicated that businesses should review their employment practices to make this determination. If someone believes they were your employee and files for Unemployment Compensation (Reemployment Assistance here in Florida) after you let them go, and you have not been paying those taxes because you have them classified as an independent contractor, you may find yourself with some explaining to do.

How does your behavioral health organization handle the employee vs independent contractor issue? Please share your comments below.

HIPAA Breach Fines Grow

Remember that CBS Evening News report back in 2010 that got everyone panicked about patient data that might be stored on the hard drives of copy machines and other multipurpose machines like combination printer/fax/copy machines?

Well, it turns out there is good reason that any health-related practice that uses such a machine (one that has a hard drive) should panic; in fact there are 1,215,780 such reasons. That is the amount Affinity Health Plan was fined by OCR this month for the potential breach of PHI that was reported in this incident.

I know, this could never happen to you. But are you sure of that? Does your organization own or lease a copy machine? Do you have one or multiple printers that are also copy and fax machines as well as a scanner? What is your organization’s policy for the hard drives in those machines? What about the hard drive in that computer you are using to read this? What is your policy for removing any PHI that might be on it?

If you do not know the answers to these questions, you may not have been properly trained in your organization’s HIPAA policies and procedures. Or you may not even have such policies and procedures. Or the practice you work for did all this before you were hired and you have never been informed. These excuses do not fly when it comes to OCR enforcement.

The Federal Trade Commission (FTC) has guidance on handling copier data. NIST, the National Institute of Standards and Technology, has recommendations on how to sanitize electronic media. And Medscape, among others, offers lots of training on HIPAA security. (You might need to register for Medscape before you can access their materials.)

When was your organization’s last HIPAA training? What did you learn? Please share how you address these issues.