The post ERISA: the Key to Saving Your Company’s Private Healthcare appeared first on Herrin Health Law, P.C..

Potential insureds cannot wait for the waters to calm, and must critically evaluate cybersecurity insurance prices and coverage options. The first and most important of these coverages should be the coverage of costs related to managing breaches, to include expenses related to the investigation, remediation efforts, and patient notification. Other costs that may also be incurred are credit monitoring services, damages associated with identity theft, damages associated with recovery of data, damages incurred due to having to reset EHR systems, and damages to reconstruct or recover websites and other Internet presences. Business continuity expenses (for workarounds or loss of revenue due to a cybersecurity incident) might also need coverage, especially as most standard commercial policies now exclude cyber-related risks from their covered losses. Finally, coverage for rogue employees and insider threats needs to be a part of the insurance discussion and any available coverage needs to be understood.

What coverage a healthcare enterprise can purchase and how much that coverage costs may also change based on how the enterprise addresses these critical aspects of compliance:

• The enterprise should be able to show that it is in compliance with HIPAA, including those provisions that require security and privacy risk assessments and proof of a plan of mitigation and remediation. Insurers likely will not cover losses resulting from a gap in HIPAA compliance, especially because there is a legal obligation on the enterprise to find out what those are.

• Insurers may impose requirements for technology controls (such as encryption, for example) beyond those mandated by HIPAA. Some coverages require more secure and more robust email systems that are more resistant to phishing and spoofing, and other coverages may even require intentional phishing attacks by the insured’s IT department or vendors to gauge compliance with training.

• The training requirements for new employee onboarding and access by non-employee contractors may need to meet certain criteria beyond HIPAA workforce awareness training.

• Insurers may require that contractors providing ‘business associate’ services be separately insured as a first layer of defense against cost, and that those business associate policies explicitly cover the covered entity for losses and damages caused by the business associate.

• The purchased coverage, as with certain types of malpractice insurance, should be based on the ‘date of detection’ as opposed to ‘date of intrusion.’ It is so difficult, even with the best system monitoring tools, to determine when a breach or incident actually first occurred, so the enterprise does not want to be locked into a technical dispute with the insurer about when the hack ‘should have been’ detected.

• The policy should explicitly address whether offshore operations will be covered. Significant risks are associated with outsourcing certain data manipulation and management functions to countries or regions that have stronger privacy and data security rules than the United States.

Finally, and regardless of what specific coverage requirements your policy contains, any policy’s limits need to avoid ‘cannibalizing’ limits, in which the costs of defense reduce the limits available to pay damages or judgments. As with professional malpractice and commercial general liability coverage, the best coverage separates costs of defense from claims expenses.

Barry Herrin (barry.herrin@herrinhealthlaw.com) is an attorney and Fellow of AHIMA. He is admitted to the bar in Florida, Georgia, North Carolina, and the District of Columbia and often speaks at the FHIMA Annual Meeting.

• “Putting It All Together,” The Economist (October 24, 2002)
• Koo, “More Incident Data Needed for Cybersecurity Insurance,” Bloomberg BNA (March 28, 2016)
• Even though there is almost a universal recognition in the law enforcement and security communities that these programs do no good at all, as the sophisticated hacker knows to wait out the 1 to 2 years of service before making use of the stolen data.

As published in the November 2018 FHIMA Monthly Newsletter. Reprinted with permission.

The post Cybersecurity insurance — the basics appeared first on Herrin Health Law, P.C..

• Mary G. Gregg, MD, FACS, MHA, Enterprise Director, CareSource (panelist)
• Raymond Snead, Jr., D.Sc., FHFMA, FACHE, long-time CFO/CEO who recently served as Interim CEO at Grant Memorial Hospital, Petersburg, WV (panelist)
• Glenn Pearson, FACHE, MHA, principal and founder, Pearson Health Tech Insights (moderator)

Here are some highlights from our lively interchange:

• There has been little true progress toward containing healthcare expenditures despite decades of trying various approaches including HMOs, PPOs, DRGs, ACOs, CON, and other efforts.
• For the most part, VBR amounts to transferring risk to providers and does little to truly improve care.
• Each party in the healthcare equation has a different definition of ‘value.’ Patients want the most care for the least amount of money. Payers and employers want to pay providers as little as possible. Providers want to be adequately compensated for the care they deliver.
• By and large, VBR does not allow for variability in patient differences, including the extent to which they follow good health practices and adhere to suggested care guidelines. Chronic illnesses represent a huge part of health status and medical costs. Patients can do more to improve their health and, thereby, help moderate costs through better lifestyle choices and compliance with care guidelines.
• Technology can help identify and address health and, therefore, tamp down coats. However, some organizations merely throw new technology or an app at a problem without adequately defining it or developing a comprehensive plan to address root-cause issues.
• Hospitals must get physician involvement from the very beginning whenever proposing a change in medical practice or adopting new technology. Walking three-quarters of the way through a process and then inviting physicians into the discussion guarantees failure.
• The days of considering data security as an afterthought are over. Ironclad practices must be baked in from Day One.
• We need better analytics for identifying and tracking the 20% of patients who require the greatest level of care.
• Patient mental health issues contribute greatly to total costs but are not being effectively addressed.
• Cost coverage is being relegated to a smaller and smaller percentage of patients with insurance policies that fully cover the cost of care. As the number of plans covering costs dwindles, in order to stay in business, hospitals continue to shift more and more costs to those with more adequate plans. This effectively makes hospitals taxing agencies.
• With increasing pressures from all sides, physicians are burning out faster than ever before.
• Innovation is not being rewarded within the current delivery and payment system.
• Amazon and others outside the traditional healthcare arena may be the source of truly disruptive innovation.

You can see the conversation went well beyond just VBR since all these issues covered interlock. The overall consensus was that the enormous complexities of the healthcare system make it impossible for a single approach like VBR to tame the cost beast.

Reprinted with permission from Pearson Health Tech Insights.

Barry S. Herrin, JD, FAHIMA, FACHE, is the founder of Herrin Health Law, P.C., in Atlanta, Ga. Herrin offers more than 30 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology. Reach him at 404-459-2526 or barry.herrin@herrinhealthlaw.com. 

The post The Shift to Value-based Reimbursement (VBR) | Highlights from Georgia HIMSS 2018 conference appeared first on Herrin Health Law, P.C..

Institutions entering the alternative payment model (APM) landscape for the first time need to have an appreci­ation of what this activity does and does not entail. It does not simply mean that the enterprise can package a reduced fee-for-service pricing structure into a different bag. Neither does it mean that the enterprise can expect “new money” for meeting quality benchmarks that it should already be meet­ing. And, in the words of one hospital executive, it does not mean that “everything can stay the same except I can write the doctors a check.”

A true APM offering creates the kind of clinical and finan­cial integration that can help with federal and state anti­trust compliance as well as with elimination of duplicative or redundant care. APMs can increase positive clinical out­comes and reduce cost, all without denying patients medi­cally necessary services. This paradigm shift brings with it changes in operations, often occurring in parallel with ongoing efforts to stabilize revenues under the “old” way of doing things.

Getting Started with Advanced Payment Models

The biggest initial hurdle for institutions contemplating APM relationships is whether the information technology already within the enterprise is capable of gathering even basic clini­cal outcome data and sorting it within a variety of patient populations. Claims data, if made available by payers, and especially for a care-managed population, can show a va­riety of clinical activities, such as medication compliance (with prescription refill information) and clinical activity outside of the APM enterprise.

Most hospitals and multispecialty physician groups do not include vision, dental, and other types of routine care services.

Integrating this claims data with the enterprise’s electronic health record (EHR) is a critical first step, and many legacy systems (and some modern EHRs) do not have this capability. Interface engines and bridging technology are expensive as well. So, a business decision about whether the cost of new APM-assistive technology is less than the anticipated additional revenue from APM payers should be made.

Additionally, some health information management (HIM) professionals still recoil at the notion of incorporating ex­ternally generated information into the official record of care, regardless of how thoroughly this objection has been debunked, and notwithstanding how the push for interop­erability has expanded the information on which clinicians rely in developing a plan of care. Such external information is critical both to care coordination in a clinically integrated environment and to developing payment models for shared savings and case rates.

The modern HIM professional must be a participant in helping the organization integrate its record of care simulta­neously with its integration of payment for-and the delivery of-that care.

While considering the capability of the EHR to gather and sort clinical data in a helpful way, the enterprise should also analyze its business systems to make sure that, among other things, revenue from care not provided can be linked to patients whose overall care is being managed within the APM framework. Many APMs link the payment of bonuses to decreases in the overall “spend” experienced by individual patients or patient groups; linking these shared savings and other payments to providers who prevented unneeded (and therefore unbilled) patient care thus becomes important. A variety of regulatory schemes require that these savings be paid proportionally to the owners or participants in the APM venture as well, so business systems need to be able to track this and integrate this information into the back-end pay­ments of bonus or savings revenues.

Deciding What to Measure

Once the capabilities of the enterprise’s various data sys­tems have been established, the contract negotiation team, which should include providers as well as business executives, counsel, and other subject matter experts, should convene to discuss which data will be measured within the APM and what monetary value will be assigned to each of these measurable data points.

Clinicians generally do not like being measured on things that don’t matter clinically; yet, “you can’t manage what you don’t measure” is still the order of the day. The unfortunate reality of APM contracting is that once one payer requires a healthcare provider to measure some performance capability, the APM ends up measuring it for all payers on the theory that quality is payer agnostic and the enterprise doesn’t want to discriminate in the quality care it delivers based on payer type. Thus, controlling the number and quality of measurable data points at the outset of an APM relationship is critical to prevent partici­pants from measuring everything and focusing on nothing of clinical significance.

APM participants can’t forget the various legal mandates not to create payment methodologies that incentivize pro­viders to deprive patients of medically necessary care. However, the definition of “medically necessary” may vary depending on which regulatory scheme you apply and what a particular payer thinks about therapeutically equivalent care.

Monitoring compliance with all of the contract’s provi­sions is a necessary step, which is made more difficult by the traditional separation of enterprise oversight and manage­ment into different silos of responsibility. To the extent that a separate business organization has not been formed to deal with APM contracting and payment issues, close collabo­ration between clinical and administrative departments needs to be created and maintained.

For example, physicians may not make critical distinctions between care pathways that have vastly different financial consequences unless they are both included in the conver­sation about developing those pathways and reminded of those pathways when atypical patients present.

Similarly, combining clinical documentation improve­ment (CDI) programs with new clinical and financial measurements helps make the case for both. Compliance doc­trine would indicate that there needs to be valid clinical reasons present when business office or HIM staff request additions to or changes to medical record documentation after discharge (such as hospital-acquired conditions or “present on admission” indicators). Any changes to medical records after discharge typically relate only to changes in fee-for-service reimbursement, which as a motivator typ­ically does not impress physician partners and impresses regulators even less.

However, correcting clinical documentation concur­rently with an admission-or correcting entries in the re­cord after admission that relate to the continuum of care ­in a clinically integrated network has more than a simple “change the document to upcode the care” impact. It affects how all of the participants in the APM structure approach ongoing care and the financial incentives for persons other than the care provider whose record has been supplemented.

Providing Feedback on Benchmarks

Frequent feedback on both clinical and financial bench­marks needs to be provided to all participants. Industry information shows that this “dashboard” information is more effective when presented as a comparison with other partici­pants (on an anonymous basis, of course), as most providers do not want to be viewed as negative outliers. Additionally, the completeness and accuracy of clinical documentation can be dashboarded and compared with industry and com­petitor norms in order to show the effect on care provided ­or not needed-and the corresponding effect of medical spending and enterprise costs. Both are helpful in establishing the proof of clinical and financial integration desired by regulators and payers.

If a separate organization has been established to man­age the APM arrangements, then one compliance-related item of documentation should be a business associate agreement between each APM provider and the manage­ment organization. Unless the manager is a licensed entity under state insurance law, most likely it will be viewed as a “legal stranger” to the flow of “protected health information” (PHI) and will need a business associate agree­ment with each provider. Likewise, the provision of protected health information (PHI) to members of the APM collaborative not involved in direct patient care creates another compliance risk and such information should be “de-identified” before sharing with APM management and membership.

Finally, audits of payments and explanation of benefit forms should be undertaken regularly to make sure that the payer pays in accordance with the APM agreement. For many providers, these payments will be all that they receive for services rendered, and it is not uncommon (un­fortunately) for payers not to pay in accordance with their agreements.

Barry S. Herrin, JD, FAHIMA, FACHE, is the founder of Herrin Health Law, P.C., in Atlanta. Herrin offers more than 30 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology.

The post HIM and Health IT Considerations for Advanced Payment Model Contracts appeared first on Herrin Health Law, P.C..

Abstract

The need for constant availability and integrity of patient data means that many organizations compromise on privacy and security, often to their detriment. This article discusses the current state of healthcare data privacy and security, examines the legal issues requiring attention, discusses risks of the growing use of remote technologies, health and wearable technology, and finally discusses cybersecurity insurance as a way to mitigate the financial costs of breach.

The Current State

Notwithstanding the imperative of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its Privacy and Security Rule,³ the era of interoperability has created a de-emphasis on the confidentiality of medical information while, at the same time, creating a tremendous emphasis on integrity and availability.

Findings from the Health Care Industry Cybersecurity Task Force in its final report of June 2, 2017⁴show that, of the three aims of cybersecurity confidentiality, integrity, availability), availability is the most important. You cannot take care of patients without having availability of information. Having high availability of patient information is especially important with hospitals that operate 24×7 and 365 days a year. Second to availability was integrity of data. The HCIC report specifically stated that integrity of data is important for protecting patient safety, which is directly implicated when it comes to connected medical devices and patients whose health can be directly impacted by the operation of the medical device. However, the report recognizes that the drive to interoperability has resulted in the confidentiality of medical information being de-prioritized and asserts that healthcare data confidentiality must remain top of mind.

A 2017 KLAS survey reports that 41 percent of respondents said their health systems dedicate less than three percent of the IT budget to cybersecurity, primarily because IT leadership has been focused on implementing electronic health record systems and dealing with interoperability challenges.⁵

Task Force Imperative four calls for an increase [in] healthcare industry readiness through improved cybersecurity awareness and education. However, the increase in readiness requires a holistic cybersecurity strategy. Organizations that do not adopt a holistic strategy not only put their data, organizations, and reputation at risk, but also – most importantly – the welfare and safety of their patients.

In the healthcare industry specifically, the financial impact of cybersecurity breaches is grim. One in three Americans were affected by healthcare breaches in 2015, according to a report from Bitglass.⁶ That’s more than 113 million individuals. Each lost or stolen medical record costs a healthcare organization $363 per record on average, per a Ponemon Institute report.⁷ The anecdotal record is not any more pleasant: Hollywood Presbyterian’s information systems were held hostage in Feb. 2016 for $3.6 million in Bitcoin,⁸ and more and more healthcare enterprises are creating reserves for data ransom. A 2016 IBM study quoted by SC Media UK showed that, in the United States, 70 percent of businesses receiving a ransomware demand paid to get their data back, with 50 percent of those paying more than $10,000 and a further 20 percent paying more than $40,000.⁹

No matter the technology used in the healthcare industry today – e-signature software, EHR platforms, wearable devices, smartphones, tablets, or other software or hardware – providers can either work to mitigate risk or watch the organization spiral into potentially uncontrollable vulnerability. Today’s electronic environment leaves little room for laissez-faire security efforts if a healthcare provider wants to remain safe from attack and protected from the financial consequences of the inevitable.

Why HIPAA Still Matters

HIPAA in general, and the Security Rule in particular, imposes specific compliance burdens on healthcare covered entities. Any use or disclosure of electronic protected health information (ePHI) not in compliance with the Privacy and Security Rules or more stringent state law constitutes a violation of HIPAA.¹⁰ The failure of a covered entity to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level is also a violation.¹¹ Likewise, a failure to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of its facility, and the movement of these items within its facility, are violations.¹² And, once a security incident occurs, the failure to timely identify and respond to a known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome are all violations.¹³

At the time of writing, most of the Security Rule fines and penalties assessed by the US Department of Health and Human Services Office for Civil Rights (OCR) relate solely or primarily to either (1) theft of devices containing unsecured ePHI or (2) failure to conduct a security risk assessment that is discovered when another privacy or security breach is investigated. Examples of such traditional enforcement activity in recent times include the August 2015 announcement of a $750,000 settlement against Cancer Care Group, P.C. for the theft of an employee laptop containing ePHI on 55,000 individuals, the December 2013 announcement of a $150,000 settlement against Adult & Pediatric Dermatology, P.C. for the theft of a thumb drive containing ePHI on 2,200 patients, and the announcement of settlements by Idaho State University and University of Washington Medicine for failure to conduct privacy and security risk assessments and failure to adequately adopt security measures. Were this still the level of involvement by OCR in ePHI enforcement, a shrug of the CIO’s shoulders and a promise to encrypt all ePHI data at rest would be the universal response.

However, in recent times the enforcement focus has shifted to more core system security functions and away from the low hanging fruit of lost or stolen data-carrying devices. For example, a $850,000 settlement paid by Lahey Clinic Hospital in 2015 specifically references the failure to assign a unique user name for identifying and tracking user identity with respect to a particular workstation,¹⁴ failure to have a working audit trail capability with respect to workstation activity,¹⁵ and the failure to restrict physical access to workstations generally to authorized personnel. A similar enforcement activity against South Broward Hospital District in February 2017 resulted in a $5,500,00 settlement payment based on improper access to ePHI by over a dozen individuals exposing in excess of 80,000 patient records and the failure of the covered entity to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports¹⁶ and to implement policies and procedures that establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.¹⁷ Several enforcement activities also resulted in settlements for failure to have business associate agreements in place with third-party vendors responsible for storing ePHI.¹⁸ Just as the environment for bad cyber behavior has matured, so has the OCR’s level of understanding of system and enterprise failures of the healthcare community.

The Healthcare Internet of Things

The task of HIPAA compliance and compliance with cybersecurity best practices is being made harder with the proliferation of Internet-connected services in the healthcare industry. As recently as 2012, a Ponemon Institute survey reported that 69 percent of respondents did not even address the security of US Food and Drug Administration (FDA) approved medical devices in their IT security or data protection activities.¹⁹ Since that time, over five billion devices – not including smartphones – have connected to the Internet, and that number is expected to grow to between 25 billion and 50 billion by 2025.²⁰

The healthcare industry has particular patient safety risks associated with these devices, as revealed in a 2012 US Government Accountability Office report on the lack of action by the FDA to expand its consideration of information security for medical devices.²¹ A November 2015 Wired.com survey listed the seven healthcare device types most vulnerable to hacking or other violation which included drug infusion pumps, Bluetooth-enabled defibrillators, blood refrigeration units, and CT scanners – the failure of any of which would create tremendous patient risk. We have grown far beyond the fear of hacking the vice president’s pacemaker.²²

The fact that smartphones are not included in this total is worrisome, as the growth in potential cyber risk due to smartphone use is even more troubling. 84 percent of health applications for smartphones that were approved by the FDA were found to create HIPAA violations and were hackable.²³ Also worrisome is the continued increase in the use of smartphones to transmit and receive unsecured ePHI (primarily by text message) for patient treatment by healthcare professionals, in spite of HIPAA’s requirements and facility rules attempting to limit such activity.²⁴ Most health care enterprises gave up the fight over bring your own device, or BYOD, rules due to provider pressure a long time ago anyway. Although study results vary, as of 2014 upward of 90 percent of healthcare organizations permit employees and clinicians to use their own mobile devices to connect to a
provider’s network or enterprise systems.²⁵

One has to wonder what OCR’s response to all of this would be in light of the settlement agreements mentioned earlier: the decision not to impose device accountability for provider convenience may be fertile ground for future fines and penalties. And there is always the modern privacy paradox: health care consumers voluntarily share endless amounts of personal health information with applications on their smartphones, resulting in data being stored who knows where on the Internet without them thinking if it is convenient for them²⁶; however, these same consumers continue to resist the same sharing activities by their own healthcare providers, even if such activity would result in faster and better health care.²⁷

Cybersecurity Insurance

In October of 2002, The Economist magazine opined²⁸ that total security was impossible and that insurance would be the way that businesses mitigated the financial risk caused by this lack of security. Since that time, both security defenses and security attacks have proliferated, changed, and become more aggressive and complex. However, the cybersecurity insurance market, though maturing, is not developing at as rapid a pace. Some issues that remain to be explored are due to the relative newness of the coverage and the lack of good predictive actuarial models.²⁹

While the market matures, there are various factors that potential insureds should evaluate closely as they shop for and price out cybersecurity insurance. The first and most important of these coverages should be the coverage of costs related to managing breaches, to include expenses related to the investigation, remediation efforts, and patient notification. Other costs that may also be incurred are credit monitoring services,³⁰ damages associated with identity theft, damages associated with recovery of data, damages incurred due to having to reset EHR systems, and damages to reconstruct or recover websites and other Internet presences. Business continuity expenses related to workarounds or loss of revenue due to a cybersecurity incident might also need coverage, especially as most commercial policies of this type are figuring out how to exclude cyber-related risks from their covered losses. Finally, but not least importantly, coverage for rogue employees and insider threats needs to be a part of the insurance package.

The type of coverage a healthcare enterprise can obtain, and the premiums therefor, may be affected by certain underwriting considerations, all of which should inform the enterprise’s compliance efforts:

• The enterprise should be able to show that it is in compliance with HIPAA, including those provisions that require security and privacy risk assessments and proof of a plan of mitigation and remediation. Insurers likely will not cover losses resulting from a gap in HIPAA compliance, especially because there is a legal obligation on the enterprise to find out what those are.
• The potential insured needs to know what the insurer’s requirements are for encryption beyond those mandated by HIPAA. Some coverages require more secure and more robust email systems that are more resistant to phishing and spoofing, and even other coverages may require intentional phishing attacks by the insured’s IT department or vendors to gauge compliance with training.
• The training requirements for new employee onboarding and access by non-employee contractors may need to meet certain criteria beyond HIPAA workforce awareness training.
• Insurers may require that contractors providing business associate services be separately insured as a first layer of defense against cost.
• The potential purchaser needs to be on the lookout for what is referred to in the industry as cannibalizing coverage, in which the costs of defense reduce the limits available to pay damages or judgments. The best coverage separates costs of defense from claims expenses.
• The purchased coverage, as with certain types of malpractice insurance, should be based on the date of detection as opposed to date of intrusion. It is so difficult, even with the best system monitoring tools, to determine when a breach or incident actually first occurred, so the enterprise does not want to be locked into a technical dispute with the insurer about when the hack should have been detected.
• The prospective insured needs to know whether offshore operations will be covered. Significant risks are associated with outsourcing certain data manipulation and management functions to countries or regions that have stronger privacy and data security rules than the United States. In particular, the European Union takes a dim view of American-style discovery and most likely will not permit the compelled return of data from an EU vendor in litigation pending in United States courts.

Conclusions

The growth of connected devices, connected physicians, and connected patients will continue to push healthcare facilities to provide more interoperability for health data than ever before. These same technological pressures will make it easier for cybercriminals and disgruntled employees to compromise the data upon which everyone relies for reliable patient care, because an increase in interoperability in most cases creates an increase in gaps in security. Healthcare systems need to recognize this risk as a direct threat to patient care, and not just to its financial and technology resources. A holistic security approach, combining effective cybersecurity practices, HIPAA training and compliance, and appropriate insurance coverages will be the best way to address this growing area of opportunity and risk in the future.

Barry S. Herrin, JD, FAHIMA, FACHE, is the founder of Herrin Health Law, P.C., in Atlanta. Herrin offers more than 25 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology.

Endnotes

1. Originally published in the September 2017 ISSA Journal, the monthly publication of the Information Systems Security  Association (ISSA)  Developing and Connecting Cybersecurity Leaders Globally  www.issa.org/?page=ISSAJournal. Reprinted with permission.
2. Barry S. Herrin, JD, FAHIMA, FACHE, is the founder of Herrin Health Law P.C. in Atlanta, Georgia. Herrin has over 25 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is both a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association and holds a Certificate in Cyber Security from the Georgia Institute of Technology. He may be reached at https://barry.herrin@herrinhealthlaw.com.
3. 45 CFR Parts 160 and 164; the enabling legislation is found at 42 U.S.C. Section 1320a-7c.
4. Report on Improving Cybersecurity in the Health Care Industry, Health Care Industry Cybersecurity Task Force (June 2017)  https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf.
5. Center for Connected Medicine report, The Internet of Medical Things: Harnessing IoMT for Value-Based Care, July 2017  https://www.connectedmed.com/files/assets/common/downloads/publication.pdf.
6. Bitglass. Bitglass Healthcare Breach Report 2016, Bitglass  https://pages.bitglass.com/BR-Healthcare-Breach-Report-2016_PDF.html.
7. Larry Ponemon, Cost of Data Breaches Rising Globally, Says ‘2015 Cost of a Data Breach Study: Global Analysis,’  Security Intelligence, May 27, 2015  https://securityintelligence.com/costof-a-data-breach-2015.
8. Vincent Lanaria, Hackers Hold Hollywood Hospital’s Computer System Hostage, Demand $3.6 Million As Patients Transferred, Tech Times, 16 February 2016  http://www.techtimes.com/articles/133874/20160216/hackers-hold-hollywood-hospitals-computer-system-hostage-demand-3-6-million-as-patientstransferred.htm. The hospital eventually paid $17,000 in Bitcoin.
9. Max Metzger, Your Money or Your Files: Why Do Ransomware Victims Pay Up? SC Magazine UK, May 25, 2017  https://www.scmagazineuk.com/your-money-or-your-files-why-do-ransomwarevictims-pay-up/article/664211/.
10. 45 C.F.R. §§ 160.103 and 164.502 (a). NOTE: CFR 45, Parts 160 and 164 can be found at US Electronic Code of Federal Regulations: Title 45 Public Welfare, Subchapter C Administrative Data Standards and Related Requirements: 160-164  https://www.ecfr.gov/cgi-bin/text-idx?SID=fbc57ba7be313c69e19aa1e78ac97adf&mc=true&tpl=/ecfrbrowse/Title45/45CsubchapC.tpl
11. 45 C.F.R. §164.308(a)(1)(ii)(B)
12. 45 C.F.R. § 164.310(d)(1)
13. 45 C.F.R. § 164.308(a)(6)(ii)
14. 45 C.F.R. § 164.312(a)(2)(i)
15. 45 C.F.R. § 164.312(b)
16. 45 C.F.R. §164.308(a)(l)(ii)(D)
17. 45 C.F.R. § 164.308(a)(4)(ii)(C)
18. As examples, see the July 18, 2016 Resolution Agreement with Oregon Health & Science University in which $2,7 million was paid and the September 23, 2016 Resolution Agreement with Care New England Health System in which $400,000 was paid.
19. John Glaser, The Risky Business of Information Security: With Growing Threats to Patient Privacy and Increasing Sanctions by Regulators, Make Data Security Central to Your Business, Hospitals & Health Networks, August 12, 2014  http://www.hhnmag.com/articles/4064-the-risky-business-of-informationsecurity.
20. The Florida Bar, 8th Annual FUNdamentals: The Legal Implications of the ‘Internet of Things’, Course 2232R (September 16, 2016)
21. GAO, Report to Congressional Requesters: Medical Devices: FDA Should Expand Its Consideration of Information Security for Certain Types of Devices, United States Government Accountability Office, August 2012  http://www.gao.gov/assets/650/647767.pdf.
22. Lisa Vaas, Doctors Disabled Wireless in Dick Cheney’s Pacemaker to Thwart Hacking, Naked Security, Sophos, 22 Oct 2013 https://nakedsecurity.sophos.com/2013/10/22/doctors-disabled-wireless-indick-cheneys-pacemaker-to-thwart-hacking/.
23. Ibid.
24. Ibid. (citing a 2015 University of Chicago survey finding that over 70 percent of its medical residents improperly sent ePHI by text messages).
25. John Glaser, The Risky Business of Information Security: With Growing Threats to Patient Privacy and Increasing Sanctions by Regulators, Make Data Security Central to Your Business, Hospitals & Health Networks, August 12, 2014  http://www.hhnmag.com/articles/4064-the-risky-business-of-informationsecurity.
26. Shannon Barnet, Millennials and Healthcare: 25 Things to Know, Becker’s Hospital Review, August 04, 2015  http://www.beckershospitalreview.com/hospital-management-administration/millennials-and-healthcare-25-things-to-know.html. 71 percent of Millennials surveyed by Harris would use a mobile app to share health care data with providers. See also Mintel, Sixty Percent of Millennials Willing to Share Personal Info with Brands, Mintel, March 7, 2014  http://www.mintel.com/press-centre/social-andlifestyle/millennials-share-personal-info, in which the study reports that 60% of Millennials would be willing to provide details about their personal preferences and habits to marketers, and, of those that would not initially provide such information, 30% would do so after receiving an incentive offer such as a discount off future purchases.
27. Denver Nicks, Survey: Millennials Care about Privacy (But Not So Much in Japan), Time, Nov. 07, 2013  http://techland.time.com/2013/11/07/survey-millennials-care-about-privacy-but-not-somuch-in-japan/. Only 4% of respondents would be comfortable with data being used for a purpose outside of its original context. The study also says that these preferences vary by economic status, with high-income worried more about data privacy than low-income people.
28. Putting It All Together, The Economist (October 24, 2002)
29. Koo, More Incident Data Needed for Cybersecurity Insurance, Bloomberg BNA (March 28, 2016)
30. Even though there is almost a universal recognition in the law enforcement and security communities that these programs do no good at all, as the sophisticated hacker knows to wait out the 1-2 years of service before making use of the stolen data.

The post Cybersecurity Risk in Health Care appeared first on Herrin Health Law, P.C..

• Renal and urinary tract disorders
• Surgical cardiovascular procedures
• Acute inpatient admissions for neurological disorders
• Outpatient services billed as inpatient encounters.

The application of overpayment recoupment provisions under the Patient Protection and Affordable Care Act as well as Medicare Conditions of Participation provisions were illustrated with specific examples seen in practices. Some reasons for queries include ineffective practices of resulting from having the practice’s utilization review department being absorbed into the case management function, creation of workarounds for physician satisfaction, submission of noncompliant (leading) queries, assumptive actions by coders, and misconceptions of providers.

It is important for CDI professionals to focus on revenue integrity, understanding that the outcome of such an approach may not be an increase in billing, but rather keeping more of what has been billed. Correct coding may mean lower initial reimbursement but more certainty in the revenue picture. To ensure success, revenue integrity initiatives can be initiated, such as creating teams of internal experts, which may include health information management (HIM), case management, nursing, medical staff, billing, and corporate compliance. The continuous training of staff is important and can include teaching physicians the basics of coding and teaching coders about clinical documentation processes. One way to provide this education is by having CDI professionals involved in reviewing health records for content on the floor during episodes of care. Coding is a HIM function, not a business office function. Some postulates that can be beneficial to follow include: just because you have a code doesn’t mean it’s covered, just because you’ve been paid once doesn’t mean you’ll get paid again, and not knowing the rules can land you in jail.

Proceedings of AHIMA’s 2017 Summit on Clinical Documentation Improvement: Advancing the Documentation Journey

The excerpt above describes Barry Herrin’s presentation during the American Health Information Management Association’s annual clinical documentation improvement (CDI) summit July 31 to Aug. 1, 2017.

Barry S. Herrin, JD, FAHIMA, FACHE, is the founder of Herrin Health Law, P.C., in Atlanta. Herrin offers more than 25 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology.

The post Respond to Federal Recoupment Initiatives by Improving Clinical Documentation appeared first on Herrin Health Law, P.C..