Changes Proposed to Medicare Appeals Process

July 13, 2016

Current Process Description – Every year, Medicare Administrative Contractors process an estimated 1.2 billion fee-for-service claims on behalf of the Centers for Medicare & Medicaid Services (CMS) for more than 33.9 million Medicare beneficiaries.  When beneficiaries or providers disagree with a coverage or payment decision made by Medicare, they have the right to appeal and the Social Security Act established five levels to the Medicare appeals process:

  1. Redetermination by a Medicare Administrative Contractor
  • No minimum amount in controversy to appeal
  • 60-day target to complete the process
  1. Reconsideration by a Qualified Independent Contractor (QIC)
  • No minimum amount in controversy to appeal
  • Filing deadline 180 days from issuance of a MAC redetermination
  • 60-day target to complete the process
  1. Hearing Before an Administrative Law Judge at the Office of Medicare Hearings and Appeals (OMHA)
  • Minimum amount in controversy required for a hearing is adjusted annually based on a formula prescribed by the statute; currently $150
  • Filing deadline 60 days from date of receipt of QIC determination
  • 90-day target to complete the process
  1. Medicare Appeals Council Review
  • Minimum amount in controversy required for a hearing is adjusted annually based on a formula prescribed by the statute; currently $150
  • Filing deadline 60 days from date of receipt of OMHA determination
  • 90-day target to complete the process
  1. Judicial Review in U.S. District Court
  • Minimum amount in controversy required for a hearing is adjusted annually based on a formula prescribed by the statute; currently $1,500
  • Filing deadline 60 days from date of receipt of Medicare Appeals Council determination; or a party may request judicial review by the federal court is the Council does not render an action within 90 days of when the appeal is filed with them

Of the 1.2 billion claims filed in 2015, 123 million or about 10 percent, were denied, and 3.7 million of those (about three percent of total claims) were appealed.

Current Backlog

At Levels 1 and 2, CMS is currently meeting its statutory timeframes to process appeals and is not experiencing a backlog.

At Level 3, the OMHA is currently receiving more than a year’s worth of appeals every 18 weeks.  At the end of 2015, the pending workload exceeded 880,000 appeals while annual adjudication capacity with current level of resources was approximately 75,000 appeals.

At Level 4, the Council is currently receiving more than a year’s worth of appeals every 11 weeks.  At the end of 2015, the pending workload exceeded 14,000 appeals while annual adjudication capacity with current level of resources was approximately 2,300 appeals.

HHS has identified four primary drivers of the increase in volume:

  1. Increases in the number of beneficiaries;
  2. Updates and changes to Medicare and Medicaid coverage and payment rules;
  3. Growth in appeals from State Medicaid Agencies; and
  4. National implementation of the Medicare Fee-for Service Recovery Audit Program.

Action Taken

In a report issued on June 9, 2016, the Government Accountability Office (GAO) stated that U.S. Department of Health and Human Services (HHS) should take more steps to improve its oversight of the Medicare fee-for-service appeals process and to reduce the volume of appeals.

On June 28th, the HHS issued a Notice of Proposed Rulemaking (NPRM) proposing changes to the Medicare claims appeal process, and has recently released a Primer on the Medicare Appeals Process that describes its three-pronged strategy to improve the Medicare Appeals process:

  1. Invest new resources at all levels of appeal to increase adjudication capacity and implement new strategies to alleviate the current backlog.
  2. Take administrative actions to reduce the number of pending appeals and encourage resolution of cases earlier in the process.
  3. Propose legislative reforms that provide additional funding and new authorities to address the appeals volume.

The proposed regulatory changes that appear in the NPRM are the latest in a series of administrative actions designed to reduce the number of pending appeals and encourage resolution of cases earlier in the Medicare appeals process.  In the NPRM, HHS is proposing additional administrative action to: expand the pool of available OMHA adjudicators; increase decision making consistency among the levels of appeal; and improve efficiency by streamlining the appeals process so less time is spent by adjudicators and parties on repetitive issues and procedural matters.

In addition to these administrative actions, the FY 2017 President’s Budget requests additional funding to bring capacity for processing and resolving appeals in line with current appeal volume.  The budget request also includes a comprehensive legislative package aimed at both helping HHS process a greater number of appeals and encouraging resolution of appeals earlier in the process before they reach the OMHA and the Medicare Appeals Council.

If the administrative authorities set forth in the NPRM are implemented in conjunction with the proposed funding increases and legislative actions outlined in the FY 2017 President’s Budget, HHS estimates that the backlog of appeals could be eliminated by FY 2021.

The proposed changes will be posted on the Federal Register website and open to comments through August 29th.

{ 0 comments }

Article is a 4-minute read

CMS Becomes Arch Nemesis of Hospitals with Plans for Site-neutral Rates in Outpatient Payment Rule

CMS Witch of the WestTo hospitals, the Centers for Medicaid & Medicare Services (CMS) is acting like the terrible Wicked Witch of the West from the movie the Wizard of Oz because of their proposed plans for site-neutral rate reductions.  The 2017 Hospital Outpatient Prospective Payment System (OPPS) and Ambulatory Surgical Center (ASC) Payment System (CMS-1656-P) proposal changes were submitted on July 6, 2016.  The law provides for payment system policy changes, quality reporting provisions, and reduced pay rates that many hospitals would prefer to douse with water and have them disappear like the Wicked Witch rather than have payments reduced at their off-campus facilities.

CMS is proposing a number of policies they believe will improve the quality of care Medicare patients receive.  A key piece of the 2017 proposed legislation is the implementation of Section 603 of the Bipartisan Budget Act of 2015. This law affects how Medicare pays for certain items and services furnished by certain off-campus outpatient departments.  Also, CMS is proposing to remove the pain management dimension of the Hospital Consumer Assessment of Healthcare Providers and Systems (HCAHPS) survey for purposes of the Hospital Value-Based Purchasing Program (VBP).

The OPPS and ASC proposed rule is one of several slated for 2017 that reflect a broader administration-wide strategy to create a healthcare system that results in better care, smarter spending, and healthier people.

The American Hospital Association (AHA), a not-for-profit association that advocates for provider organizations that include nearly 5,000 hospitals, healthcare systems, networks, other providers of care and 43,000 individual members, disagrees with CMS.  Tom Nickels, the Executive Vice President, Government Relations and Public Policy for the AHA issued a statement on July 6, 2016, expressing its disappointment with CMS’ “short-sighted” proposal.

“Hospitals and health systems and more than half of the House and the Senate requested that CMS provide reasonable flexibility when implementing Section 603 of the Balanced Budget Act of 2015 in order to ensure that patients have continued access to hospital care,” Nickels, with the AHA, said.  “Instead, the agency is proposing to provide no funding support for outpatient departments for the services they provide to patients.  This does not reflect the reality of how hospitals strive to serve the needs of their communities.  Also, CMS’ refusal to continue current reimbursement to hospitals that need to relocate or rebuild their outpatient facilities to provide needed updates and ensure patient access is unreasonable and troubling.”

The AHA is not the only industry group that disagrees with CMS.  America’s Essential Hospitals (AEH), a trade group that represents safety-net providers, said that CMS “appeared to ignore Congress’ intent” to use a different payment system for new hospital-owned outpatient facilities.  “Hospital systems that otherwise would seek to enhance access by establishing new clinics in underserved areas will not do so, as this damaging payment policy makes new outpatient centers economically unsustainable,” the organization said in a statement.  Based on comments to date from providers it appears that CMS will have its work cut out for them as they sift through the public’s feedback.  They will accept comments on the proposed rule until September 6, 2016, and will respond to comments in a final rule.  The rule is available in the Federal Register and can be downloaded at https://www.federalregister.gov/public-inspection.

The fundamental changes in the OPPS, and ASC payment system proposed rule include:

  1. Site-neutral payment provisions for emergency departments
    Under the proposed rule, services provided in a dedicated emergency department would continue to be paid under the OPPS and CMS proposed certain restrictions on off-campus provider-based departments that began billing under the OPPS before November 2, 2015.
  2. Payment update
    CMS has proposed updating the OPPS rates by 1.55 percent in 2017.  CMS arrived at its proposed rate increase through the following updates: a positive 2.8 percent market basket update, a negative 0.5 percent update for a productivity adjustment and a negative 0.75 percent update for cuts under the Affordable Care Act.  After considering all other policy changes included in the proposed rule, CMS estimates OPPS payments would increase by 1.6 percent and ASC payments would increase by 1.2 percent in 2017.
  3. Hospital Value-Based Purchasing Program
    Beginning with the fiscal 2018 program year, CMS has proposed removing the pain management dimension of the HCAHPS survey of the VBP.  It is their belief that leaving the section in the rule puts pressure on hospital staff to prescribe more opioids and that is ill advised.
  4. Electronic Health Record Incentive Program
    To offer greater flexibility in the meaningful use of the Electronic Health Record Incentive Program (EHR), CMS has proposed a 90-day EHR reporting period in 2016 for all eligible professionals and hospitals.  The reporting period would be any continuous period of 90 days between January 1, 2016, and December 31, 2016.   Also, CMS noted that it is not feasible for physicians and hospitals that have not demonstrated meaningful use in a prior year to attest to the Stage 3 objectives and measures in 2017.  Under the proposed rule, these new participants would be required to attest to Modified Stage 2 by October 1, 2017.
  5. Hospital Outpatient Quality Reporting Program
    CMS offers hospitals a financial incentive to report the quality of their services.  The hospital reporting program provides CMS with data to help consumers make more informed decisions about their healthcare.  For 2017, CMS has proposed adding seven measures to the Outpatient Hospital Quality Reporting Program for the 2020 payment determination and subsequent years.  Some of the hospital quality of care information gathered through the program is available to consumers on the Hospital Compare website at: www.hospitalcompare.hhs.gov.

In addition to the changes proposed for site-neutral rates in OPPS and ASC, the 764-page draft rule proposes adjustments to the following:

  • Proposed Comprehensive Ambulatory Payment Classifications (C-APCs) for 2017;
  • Proposed Packaged Services Policy Refinements;
  • Device-Intensive Procedure Policies;
  • Device Pass-Through Applications;
  • Inpatient Only List Paid Under The IPPS;
  • ASC Payment Update;
  • Partial Hospitalization Program (PHP) Rate Setting;
  • Hospital Value-Based Purchasing Program;
  • Organ Transplant Enforcement;
  • EHR Incentive Program; and
  • Ambulatory Surgical Center Quality Reporting Program.

Conclusion

CMS is expecting numerous comments on their rule changing proposals.  I’m sure many stakeholders who are vying to change the proposed OPPS and ASC wished they had the all-knowing Wizard of Oz on their side to help them build a compelling case in their favor.

Based on AHA and AEH’s comments, you would think CMS has become an arch-nemesis flying around on a broomstick trying to do harm to their members.  It is the job of the AHA and AEH to protect its members, so it is no surprise they are stepping up to guard their interests.

Does the proposed rule change make sense?  The law seems to discourage organizations from expanding or duplicating services and this may play a part in reducing healthcare costs.  Perhaps encouraging providers to consolidate services into one location would offer some benefits.  Combining specialties into one place would improve parking and access for the sick and elderly population who otherwise have to navigate their way around large campuses.  Consolidation of services impacts workflow, timeliness, and efficiency and would reduce maintenance and other building costs, and eliminate duplicate staffing.

Unfortunately, many facilities have limited land for contiguous expansion.  They will be forced to build upward to avoid the negative financial repercussions the new law will pose.  Since CMS is actively seeking comments on a number of their proposals; there is a good chance that many items inside of the rule will change.  Will CMS’ site-neutral payments rule save Medicare about $500 million in 2017 as they projected?  Only time will tell.

_________________________

Phil C. Solomon is the publisher of Revenue Cycle News, a healthcare business information blog and serves as the Vice President of Global Services for MiraMed, a revenue cycle outsourcing company.  Phil has over 25 years experience consulting on a broad range of healthcare initiatives for revenue cycle optimization, where he has developed executable strategies for revenue enhancement, expense reduction, and clinical transformation. Previously, he was the CEO of a Fast-Tech 50 healthcare firm, a principal at an INC Magazine’s top 500 Company and he has held various senior leadership positions with national and global business process outsourcing firms. He is an active member of the HFMA Georgia Chapter, has published over 250 articles about revenue cycle optimization and healthcare reform and is a featured speaker at industry educational events. You can reach him at philcsolomon@gmail.com, 404-849-8065 or on Twitter @philcsolomon.

Photo credit: http://www.flickr.com/photos/12836528@N00/8235255566

 

{ 0 comments }

Free Webinar: Uber-Up Your Patient Payment Liability Strategies

When: July 14, 2016 – 2:00 PM to 3 PM EDT

Register: https://attendee.gotowebinar.com/register/1796784893242454788

Sponsored by: The Georgia Chapter of HFMA
__________________

Why Use ThGirl Megaphone Orangee Uber Analogy to Reference Patient Payment Liability Strategies?

Uber is an on-demand transportation service which has revolutionized the transportation industry. Uber’s new strategy reimagined the old taxi model into a $50 billion dollar company.

This free webinar will help you “Think Like Uber” by adjusting the way you pursue collecting rising patient liabilities.  

In this webinar, you will learn about the latest trends and techniques to mitigate the risks of the emerging trend of patient payment liability growth and the strategies required to collect more from patients while maintaining patient advocacy and satisfaction. Leaders who deliver high-performing revenue cycle results have one thing in common… they are continually on the lookout for new cutting edge methods to improve their financial position and bottom line.
Discover new strategies that will help you reduce your risk of the industry’s estimated $200 billion in bad debt write-offs in 2016.

Presenter: Phil C. Solomon – Vice President of Global Services at MiraMed

Phil serves as the Vice President of Global Services for MiraMed, a revenue cycle outsourcing company and is the publisher of Revenue Cycle News. He has over 25 years of experience consulting on a broad range of healthcare initiatives for revenue cycle performance improvement by developing executable strategies for revenue enhancement, expense reduction, and clinical transformation.

Learning Objectives:
▪ Current trends in healthcare
▪ Improve scheduling pre-registration/registration processes to collect more cash
▪ Develop POS strategies that include new payment channels and mobile strategies
▪ Understand the scope and trends of patient payment liability
▪ Improve patient collection response rate by leveraging billing statement psychology
▪ Improve collection recovery while maintaining patient satisfaction
▪ Increase bad debt recovery and improve patient advocacy
▪ Learn about the new strategies for debt purchasing

Register today! Uber-Up Your Patient Payment Liability – July 14, 2016 – 2:00 PM to 3 PM EDT 

Register now! Just click this link to sign up!

________________________________

Phil C. Solomon is the publisher of Revenue Cycle News, a healthcare business information blog and serves as the Vice President of Global Services for MiraMed, a healthcare revenue cycle outsourcing company.  As an executive leader, he is responsible for creating and executing sales and marketing strategies which drive new business opportunities and client engagement. Phil has over 25 years experience consulting on a broad range of healthcare initiatives for revenue cycle optimization, where he has developed executable strategies for revenue enhancement, expense reduction, and clinical transformation.

Previously, he was the CEO of a Fast-Tech 50 healthcare technology firm, a principal executive at an INC Magazine’s top 500 Fastest Growing Private Companies in the U.S. and he has held various senior leadership positions with national and global business process outsourcing firms. He is an active member of the HFMA Georgia Chapter, has published over 250 articles about revenue cycle optimization and healthcare reform and is a featured speaker at industry educational events. You can reach him at philcsolomon@gmail.com, 404-849-8065 or on Twitter @philcsolomon.

 

 

{ 0 comments }

Risk Adjustment and the Hierarchical Condition Categories Methodology

Money DrugsRisk Adjustment (RA) and Hierarchical Condition Category (HCC) coding is a payment model mandated by the Balanced Budget Act of 1997 (BBA) and implemented by the Centers for Medicare and Medicaid Services (CMS). The RA program allows CMS to pay plans for the risk of the beneficiaries they enroll, instead of an average amount for Medicare beneficiaries. By risk adjusting plan payments, CMS can make appropriate and accurate payments for enrollees with differences in expected costs. RA is used to make payments based on the health status and demographic characteristics of an enrollee. Risk scores measure individual beneficiaries’ relative risk, and they are used to adjust payments for each beneficiary’s expected expenditures. By risk adjusting plan bids, CMS can use standardized bids as base payments to plans.

Initiating the Affordable Care Act Risk Adjustment Program

Starting with coverage beginning in 2014, the Affordable Care Act (ACA) established a lasting RA program to minimize the negative effects of serving sick patients and help level the playing field between insurance companies where they are rewarded for providing high-quality, affordable coverage, not for offering plans designed to attract the healthy and avoid the sick.  The RA program is intended to achieve this goal by mitigating the effect of risk selection on premiums by transferring premium revenue from plans with below-average actuarial risk to plans with above-average actuarial risk. Such a transfer mechanism is an essential component of the insurance market reforms implemented by the ACA. These market reforms include:

– Guaranteed issue/renewal. All non-grandfathered insurance coverage offered by health insurance issuers must be offered on a guaranteed issue basis. Health insurance issuers may not refuse to issue or renew coverage to any individual on the basis of their health status or prior use of health services.
– Adjusted community rating. A health insurance issuer may not charge an individual more for non-grandfathered individual or small group market coverage based on that individual’s health status or prior use of health services.
– Single risk pool. The single risk pool requirement directs an issuer to develop its market index rates for non-grandfathered insurance plans in the individual and small group markets based on the pooled essential health benefits claims experience of all of its enrollees in all non-grandfathered health plans in the applicable market in a State.

These three provisions mean that a health plan that enrolls individuals in poor health would not be able to charge higher premiums than one with healthier individuals. Without an RA mechanism, a health plan would gain a competitive advantage if it enrolled the healthy and avoided the sick. This could create an incentive for issuers to avoid offering plan designs that are particularly valuable to sicker individuals, thereby reducing the variety and quality of the coverage consumers have to choose from. The goal of the Affordable Care Act market reforms, and the goal of its risk adjustment

The goal of the Affordable Care Act market reforms and the goal of its risk adjustment program is to create a stable market in which health plan premiums will reflect the value of the coverage offered, including product features such as effective care delivery, and not risk selection.

Health Systems today need to find ways to accurately document and report patient’s entire disease burden. There are negative financial consequences for a lack of accurately tracking a patient’s medical history. When a provider under-reports that means the provider won’t get paid for the full cost it takes to keep patient’s healthy. Therefore, the medical data must tell the entire story of the patient’s encounter.

Under the RA program, providers are required to provide a face-to-face visit with each patient, each year, to identify the patient’s conditions thoroughly and link those to what the provider did to manage, evaluate, assess and/or treat each condition. In order to qualify for HCC reimbursement, the diagnosis must be directly monitored, evaluated, assessed and/or treated by the provider.

Staff Requirements for the Risk Adjustment Program

Most health system staff don’t fully understand the HCC methodology for RA. Traditional Diagnosis-Related Group (DRG) focused documentation programs may not always emphasize the entire disease burden, so physicians, coders, and clinical document improvement personnel may need additional training and updated policies to follow. It is also important to understand the two types of HCCs. They are CMS-HCC and the United States Department of Health and Human Services (HHS) HCCs. The guidelines that differentiate each other are:

the United States Department of Health and Human Services (HHS) HCCs. The guidelines that differentiate each other are:

CMS HCC HHS HCC (Commercial HCC)
§  Developed by CMS for risk adjustment of the Medicare Advantage Program (Medicare Part C) §  Developed by the Department of Health and Human Services (HHS)
§  CMS also developed a CMS RX HCC model for risk adjustment of Medicare Part D population §  Designed for the commercial payer population
§  Based on aged population (over 65) §  HHS-HCCs predict the sum of medical and drug spending
§  Current year data predictive of future year risk §  Includes all ages

 

Under both types of HCCs (CMS and HHS), HCCs are used with the following programs:
Medicare Advantage Plans;
• Medicare Shared Savings ACO (expected cost);
• Value-Based Purchasing (expected cost/efficiency);
• Some Commercial ACOs/Shared Risk arrangements;
• Health Insurance Exchange Plans;
• States Where Medicare/Medicaid Dual Eligible are Managed Care; and
• Population Health/Risk Stratification/Cost Prediction.

The complexity of RA creates confusion for providers. Since approximately 80 percent of patient care occurs in the physician practice, they often have limited documentation of improvement practices as compared to a hospital’s inpatient setting. Doctor’s disparate systems and processes create difficulty for identifying a longitudinal care record that ultimately affects reimbursement.

Health Systems are continually seeking ways to accurately predict operating costs. The provider-sponsored health plans and/or providers with risk-based agreements need to predict costs to remain financially solvent. These providers are looking to risk stratify patient populations to help control costs and maximize reimbursements. This is why the RA scores are so important. The RA score is calculated using an actuarial tool that has been developed to predict the cost of healthcare for covered beneficiaries and enrollees. An RA score is determined by using a combination of demographic information such as the age and gender of the patient and whether it is community-based or institution based and if there is Medicaid disability and with disease information such as the HCC category, based on diagnoses reported, the interaction between certain disease categories and the disability status.

The RA score is calculated using an actuarial tool that has been developed to predict the cost of healthcare for covered beneficiaries and enrollees. An RA score is determined by using a combination of demographic information such as the age and gender of the patient and whether it is community-based or institution based and if there is Medicaid disability and with disease information such as the HCC category, based on diagnoses reported, the interaction between certain disease categories and the disability status.

The approved sources of data used to calculate the RA score diagnoses are from a valid provider (physicians, nurse practitioners and certified registered nurse anesthetist) with proper data collection methods. The data that makes up the HCC Classification System comes from 79 CMS-HCC categories.

Validating the Data Through Risk Adjustment Processing System (RAPS)

In order to evaluate a provider’s data, a risk adjustment model is run to calculate risk scores for all beneficiaries with available qualified data. In order for data to be included in the model run, organizations must meet three submission deadlines each year:

1. Once For Initial Risk Score – First Friday In September
2. Once For The Mid-Year Update – First Friday In March
3. Once For Final Reconciliation – January 31 After The Payment Year

It is important for plans to recognize the connection between the model runs and the dates of service. Plans should keep in mind that the model run timetable includes not only diagnosis information, but all statuses that affect risk adjustment. The Medicare risk adjustment model is prospective, which means that diagnoses reported in the prior year along with the demographic information will “predict” future costs and adjust payments accordingly.

Risk Adjustment Data Flow Process from Submission to Payment

Risk scores measure individual beneficiaries’ relative risk and are used to adjust payments for each beneficiary’s expected expenditures. In order to calculate individual risk scores, plans must submit data to RAPS based on beneficiary diagnoses. Accurate risk-adjusted payments rely on the diagnosis coding derived from the member’s medical record. This is why it is so important to capture the events of the entire patient encounter. The RA process flow is as follows:

• A physician documents a patient’s visit in their medical record;
• The physician’s office or hospital codes the claim from the medical record and submits the data to the payer;
• The payer converts and sends the diagnosis clusters in RAPS format or via direct data entry (DDE) to the Front-End Risk Adjustment System (FERAS) at least quarterly;
• The data goes to FERAS for processing where the file-level data, batch-level data, and first and last detail records are checked; and
• If any data are rejected, then data are reported on the FERAS Response Report.

The final submission of RA data is reconciled and is used to complete the implementation of payments, with CMS calculating final risk adjustment factors and beneficiary status based on complete data. CMS continues to allow a period (approximately 13 months after the data collection year) for submitting final RAPS data for the appropriate data collection period. Data not received or submitted by the initial submission deadline for a data collection period can be submitted by the final submission deadline (reconciliation). In addition to incorporating new RAPS and fee-for-service diagnoses, reconciliation takes into account necessary adjustments to institutional status and demographic data for enrollees.

Note: CMS reconciles risk-adjusted payments for a calendar year only one time. When submitting risk adjustment data for reconciliation, plans may submit corrected data that was previously submitted.

Summary

Providers should continually strive to improve their RA and HCC program processes by developing strategies to mitigate issues affecting accurate reporting. Reporting challenges exist because:

• The majority of patients are only seen in a physician office setting;
• Physician office notes are limited and specificity is not always identified;
• Physicians have to report what is treated, evaluated and monitored and might not be aware of what falls into each category;
• The physician’s report on a 1500 claim form which has space only for four diagnoses–electronically more can be reported; and
• Unspecified and symptom diagnoses are not considered as HCCs.

RA has become a lightning rod topic for ACOs and other providers despite not being a completely new subject. There is plenty of confusion about how RA and HCCs work and providers will uncover many opinions about how best to approach implementing the program. In any case, most data capture solutions that providers are pursuing today still have caveats. To best prepare for increased scrutiny, consider a multi-prong approach while being mindful of acceptable trade-offs. Utilizing a single source bolt-on technology by itself will not offer an overarching solution. The best technology tools will also use claims data rather than relying on electronic medical record data alone. One fact is indisputable: inaction will likely have negative operational and financial consequences for provider organizations.

________________________________

Phil C. Solomon is the publisher of Revenue Cycle News, a healthcare business information blog and serves as the Vice President of Global Services for MiraMed, a healthcare revenue cycle outsourcing company.  As an executive leader, he is responsible for creating and executing sales and marketing strategies which drive new business opportunities and client engagement. Phil has over 25 years experience consulting on a broad range of healthcare initiatives for revenue cycle optimization, where he has developed executable strategies for revenue enhancement, expense reduction, and clinical transformation.

Previously, he was the CEO of a Fast-Tech 50 healthcare technology firm, a principal executive at an INC Magazine’s top 500 Fastest Growing Private Companies in the U.S. and he has held various senior leadership positions with national and global business process outsourcing firms. He is an active member of the HFMA Georgia Chapter, has published over 250 articles about revenue cycle optimization and healthcare reform and is a featured speaker at industry educational events. You can reach him at philcsolomon@gmail.com, 404-849-8065 or on Twitter @philcsolomon.

Also, view on MiraMed Global Service’s website.  

{ 0 comments }

Stop civil rights

OCR Signals its Concern with Business Associates – BAAs

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has lately been broadcasting its increased attention to, and concern about, HIPAA business associates on a monthly basis.

In March, the OCR announced a $1.55 million settlement with North Memorial Health Care of Minnesota that was partially based on a key finding that the hospital failed to enter into a business associate agreement (BAA) with a major contractor. Then in April, OCR began its Phase 2 HIPAA Audit Program which was expanded to include business associates as well as covered entities, and entered into another BAA-related settlement (as discussed here).

Continuing with the recent theme, in May the OCR published a cyber-awareness update entitled “Is Your Business Associate Prepared for a Security Incident?” in which it essentially answered “no.” Thus, now is the time for covered entities and business associates to ensure that they have signed BAAs in place that adequately address security assessment of the business associate, breach notification and breach response.

Date: May 25, 2016
For more information contact:
By: Susan R. Huntington, Attorney at Law | Attorney Bio
Day Pitney, LLC
___________________
Phil C. Solomon is the publisher of Revenue Cycle News, a healthcare business information blog and serves as the Vice President of Global Services for MiraMed, a healthcare revenue cycle outsourcing company.  As an executive leader, he is responsible for creating and executing sales and marketing strategies which drive new business opportunities and client engagement. Phil has over 25 years experience consulting on a broad range of healthcare initiatives for revenue cycle optimization, where he has developed executable strategies for revenue enhancement, expense reduction, and clinical transformation. Previously, he was the CEO of a Fast-Tech 50 healthcare technology firm, a principal executive at an INC Magazine’s top 500 Fastest Growing Private Companies in the U.S. and he has held various senior leadership positions with national and global business process outsourcing firms. He is an active member of the HFMA Georgia Chapter, has published over 250 articles about revenue cycle optimization and healthcare reform and is a featured speaker at industry educational events. You can reach him atphilcsolomon@gmail.com, 404-849-8065 or on Twitter @philcsolomon.

{ 0 comments }

Free Webinar: Demystifying Revenue Cycle Best Practices

To register: Demystifying Revenue Cycle Best Practices – May 12, 2016 11:00am to 12pm EDT https://attendee.gotowebinar.com/register/3489263138740164353

PresenGirl Megaphone Orangeters:

Lyman G. Sornberger – Chief Healthcare Strategy Officer Capio Partners

Presenters:

Lyman Sornberger joined Capio Partners in 2008 as their Chief Healthcare Strategy Officer. Prior to joining Capio and forming LGS
Health Care (2013), Mr. Sornberger was the Executive Director of Revenue Cycle Management at Cleveland Clinic Health Systems.  Mr. Sornberger was also employed at the University of Pittsburgh Medical Center (UPMC) for 22 years in leadership roles for their revenue cycle management groups.

Phil C. Solomon – Vice President of Global Services at MiraMed

Phil is the publisher of Revenue Cycle News and serves as the Vice President of Global Services for MiraMed, a revenue cycle outsourcing company. He has over 25 years’ experience consulting on a broad range of healthcare initiatives for revenue cycle performance improvement by developing executable strategies for revenue enhancement, expense reduction, and clinical transformation.

Learning Objectives:

§  Improve scheduling pre-registration/registration processes

§  Increase revenue from insurance claims with denial resolution strategies

§  Develop POS strategies that include payment channels and mobile strategies

§  Understand the scope and trends of patient payment liability

§  Improve patient response rate by leveraging billing statement psychology

§  Improve collection recovery while maintaining patient satisfaction

§  Increase bad debt recovery: agency management, debt purchasing and patient advocacy

To register: Demystifying Revenue Cycle Best Practices – May 12, 2016 at 11:00 AM EDT https://attendee.gotowebinar.com/register/3489263138740164353

For Questions – Contact: Phil Solomon | phil.solomon@miramedgs.com| 404-849-8065

________________

Phil C. Solomon is the publisher of Revenue Cycle News, a healthcare business information blog and serves as the Vice President of Global Services for MiraMed, a healthcare revenue cycle outsourcing company.  As an executive leader, he is responsible for creating and executing sales and marketing strategies which drive new business opportunities and client engagement. Phil has over 25 years experience consulting on a broad range of healthcare initiatives for revenue cycle optimization, where he has developed executable strategies for revenue enhancement, expense reduction, and clinical transformation. Previously, he was the CEO of a Fast-Tech 50 healthcare technology firm, a principal executive at an INC Magazine’s top 500 Fastest Growing Private Companies in the U.S. and he has held various senior leadership positions with national and global business process outsourcing firms. He is an active member of the HFMA Georgia Chapter, has published over 250 articles about revenue cycle optimization and healthcare reform and is a featured speaker at industry educational events. You can reach him at philcsolomon@gmail.com, 404-849-8065 or on Twitter @philcsolomon.

{ 0 comments }

My colleague, David Johnson wrote this insightful book and I recommend it highly.

Market vs. Medicine: America’s Epic Battle for Better, Affordable Healthcare is a must read for any healthcare business owner- large or small. Get your copy on May 9. Stay tuned for updates. http://bit.ly/1WLuBgw – See more at:

4A_wheel_15_03_30

Learn about 4sight Health:
4sight Health operates at the intersection of healthcare economics, strategy and capital formation. The company’s four-stage analytic (Assess. Align. Adapt. Advance.) reflects the bottom-up, evolutionary character of disruptive, market-driven change and guides 4sight Health’s professional services, which include the following:

 

Regular commentary on market-driven reform
Public speaking
Board education
Strategic advice
Capital formation design and execution
Advancing organizational change
Venture investing: strategic partnerships; capital funding; product/service design
– See more at: http://4sighthealth.com/about/#sthash.Ai1MHooP.dpuf

  • Regular commentary on market-driven reform
  • Public speaking
  • Board education
  • Strategic advice
  • Capital formation design and execution
  • Advancing organizational change
  • Venture investing: strategic partnerships; capital funding; product/service design

– See more at: http://4sighthealth.com/about/#sthash.Ai1MHooP.dpuf

Learn about the author: David W. Johnson, CEO

Dave is the CEO and founder of 4sight Health.  Mr. Johnson is currently writing Market vs. Medicine: America’s Epic Fight for Better, Affordable Healthcare that will publish on May 9, 2016. He is the author-in-residence at the Health Management Academy, writes the widely-read “Market Corner” commentaries each week and contributes regularly to Huron Consulting’s Perspectives. He is an investor and board member for three early-stage healthcare companies: Bienestar, Curate Health and HealthiPass.

During his 28-year investment-banking career, Mr. Johnson managed over $30 billion in healthcare revenue bonds and led significant strategic advisory engagements for his health system clients. Dave specializes in capital formation, asset-liability management, enterprise risk analytics and new business-model development. His expertise encompasses health policy, academic medicine, economics, statistics, behavioral finance, disruptive innovation, organizational change and complexity theory.

Mr. Johnson holds a Bachelors of Arts degree in English Literature from Colgate University and a Master’s degree in Public Policy from Harvard University. Dave was a Peace Corps Volunteer in Liberia, West Africa and a United States Presidential Management Intern. His civic and professional affiliations have included Harvard Medical School (Visiting Committee); the Chicago Council on Global Affairs (Board, Executive and Finance Committees); the University of Chicago (Harris School of Public Policy’s Visiting Committee and Student Engagement Sub-Committee Chair); the Health Management Academy; Harvard School of Public Health; CHRISTUS Health (Audit
Committee); the British-American Project (U.S. Chair); and Terence Cardinal Cooke Health Center (Finance Committee Chair).

Dave enjoys reading, traveling and has run ten marathons.

– See more at: http://4sighthealth.com/about/#sthash.Ai1MHooP.dpuf

Enjoy the book and reach out to David if you have any questions ~ Phil C. Solomon

 

 

{ 0 comments }

MACRA – More Changes Coming to Healthcare Delivery

CMSThe passage of the Medicare Access and Children’s Health Insurance Program (CHIP) Reauthorization Act of 2015 (MACRA)1  has contributed to changes in healthcare delivery by redesigning Medicare’s payment and delivery methods for physicians and other clinicians.

MACRA repealed the highly debated sustainable growth rate (SGR) formula which eliminates the 21 percent across-the-board cut in Medicare’s provider payments.  This legislation supports Medicare’s efforts to move rapidly from the current fee-for-service (FFS) reimbursement model toward value-based payments for physician services.

Healthcare in the United States is in the midst of a financial and clinical overhaul driven by new legislation that attempts to improve outcomes and reduce costs.  Reinventing our healthcare system across the entire care continuum and getting over 16 million healthcare workers2 to follow new rules and regulations is about as complicated as putting a man on the moon.  Luckily we were successful in that endeavor and we expect to be equally successful implementing healthcare’s sweeping changes.

Industry leaders and policymakers have tried countless incremental fixes designed at improving care and reducing costs—but none has had much impact.  In 2010, the catalyst for reform became law with the passage of the Patient Protection and Affordable Care Act also known as the Affordable Care Act (ACA).The law established a Health Insurance Marketplace4 designed to improve consumer access to affordable healthcare through private payers and provided strong financial incentives in publicly financed healthcare programs tying provider payment to quality of care and efficiency.

Building on the principles set by the ACA and the passing of MACRA, the Centers for Medicare and Medicaid Services (CMS) has targeted 30 percent of Medicare payments to be tied to the quality of care or value through alternative payment models by the end of 2016 and 50 percent by the end of 2018.

As our population ages, it is more important than ever to have the appropriate provider incentives in place to care for the almost 60 million Americans that are eligible for Medicare today and the projected 80 million beneficiaries that are estimated by 2030.4

The MACRA Program  

MACRA provides CMS the leverage required to drive quality measure development with the aim of providing patients with better care while spending more intelligently and improving clinical outcomes.   With the passing of MACRA, there are five significant changes to the Medicare payment system:

  1. Ending the sustainable growth rate formula;
  2. Establishing a new framework for rewarding value;
  3. Creating a builtin period of financial stability for providers;
  4. Combining existing quality reporting programs into one system; and
  5. Providing support for physician practice transformation.

The MACRA legislation is intended to advance CMS’s goal for a value-based payment system.  Called by CMS as the “Path to Value”6 from 2015 through 2021 and beyond, MACRA allows healthcare providers to participate in one of two new quality incentive programs:

  1. Merit-Based Incentive Payment System (MIPS)
  2. Alternative Payment Models (APMs)

With MACRA, a new payment framework consisting of annual fee updates and incentives will be implemented for MIPS and APMs. The schedule for the program is:

  • 1/1/2015 through 6/30/2015: 0 percent update
  • 7/1/2015 through 12/21/2015: 0.5 percent update
  • 2016 through 2019: 0.5 percent update each year (subject to MIPS adjustment beginning in 2019)
  • 2020 through 2025: 0 percent update each year (subject to MIPS and APM adjustment)
  • 2026 and beyond: Annual updates during this period consist of:
  1. A “qualifying APM conversion factor” for professionals participating in qualified APMs is set at 0.75 percent; and
  2. A “non-qualifying APM conversion factor” for all other professionals, set at 0.25 percent.

The Merit-Based Incentive Payment System (MIPS)

The MIPS7 is a new program that combines parts of:

The basis of the program has four fundamental attributes:

  1. Quality: Includes existing measures for quality performance programs, in addition to new measures developed through notice and comment rulemaking by CMS, and actions used by qualified clinical data registries and population-based measures;
  2. Resource use: Includes measures utilized in the current VBM program, with additional enhancements based on public input. These refinements must ascertain specific clinical criteria and patient characteristics to include patients in care episode and patient condition groups for resource use measurement purposes.  The process also must develop patient relationship categories and codes that distinguish the relationship with a physician toward a patient at the time of furnishing an item or service;
  3. Clinical practice improvement (CPIA): Reflects professionals’ efforts to improve clinical practice or care delivery resulting in improved outcomes that include at least the following:
  1. Expanded practice access population management;
  2. Care coordination;
  3. Beneficiary engagement; and
  4. Patient safety and practice assessments in an alternative payment model.
  1. Meaningful use (MU): Includes meeting current EHR MU requirements as demonstrated by the utilization of a certified system.

The MIPS program that adjusts payments to providers is entirely voluntary. The fee-for-service8 payment model is still available to those providers who want to follow it.

Beginning in 2017, MIPS will annually measure Medicare Part B providers in four performance categories to derive a “MIPS score” (0 to 100), which can significantly change a provider’s yearly Medicare reimbursement.  The performance categories reflect the following:

MIPS measurements will be updated yearly through public notice, and the results are available on the CMS Physician Compare website.  While it was not the intention of the program, making this data available to consumers is a giant leap in the right direction for more consumer transparency.

Those who are participating in the MIPS program will be eligible for positive, negative or no payment adjustments, plus an opportunity to be awarded additional incentive payment adjustments based on composite performance scores.  Payment adjustment criteria are:

  • Positive adjustments: Eligible professionals whose composite performance scores are above the threshold will receive a positive payment adjustment, with higher performance scores receiving proportionally larger incentive payments.  The magnitude of positive payment adjustments will vary and will maintain budget neutrality considering the amount of negative payment adjustments (except in certain limited circumstances), with a cap of three times the annual cap for negative payment adjustments.
  • Negative adjustments: The maximum negative adjustment will be as follows: four percent in 2019, five percent in 2020, seven percent in 2021, and nothing in 2022 and subsequent years. The maximum negative adjustment will apply to eligible professionals whose composite performance score falls between zero and one-fourth of the performance threshold and smaller negative adjustments will apply to composite performance scores closer to the limit.  Such negative adjustments will fund positive payment adjustments for professionals with composite performance scores above the threshold.
  • Zero adjustments: Composite performance scores at the threshold will receive no MIPS payment adjustment.
  • Additional incentive payment adjustment: An additional adjustment will be available for exceptional performance on a linear distribution basis, with better performers receiving larger incentive payments. The aggregated incentive payments will equal $500 million annually from 2019 through 2024.

The illustration below shows the milestones for payment updates and risk/reward compensation.

Source: Making Way for MACRA: Positioning Your Organization for Payment Reform, http://www.ecgmc.com/thought-leadership/articles/making-way-for-macra-positioning-your-organization-for-payment-reform

The Alternative Payment Models (APM)

MACRA provides incentive payments for EPs participating in certain types of APMs.9  The program is for qualified providers who derive a significant portion of their patients and payments from APMs that include both risk for financial losses and quality measurement.  MACRA requires quality measures used in APMs to be comparable to the quality measures used in MIPS.

Medicare defines any of the following as an APM:

  • An innovative payment model expanded under the Center for Medicare & Medicaid Innovation (CMMI), including Comprehensive Primary Care (CPC) initiative participants;
  • A Medicare Shared Savings Program accountable care organization (ACO);
  • Patient-centered medical homes and bundled payment models; and
  • Medicare Health Care Quality Demonstration Program or Medicare Acute Care Episode Demonstration Program, or another demonstration program required by federal law.

Becoming APM-qualified isn’t easy. Providers must meet additional qualifying principles for APMs.  They require participants to meet all of the following criteria:

  • Uses quality measures comparable to measures under the MIPS;
  • Uses certified electronic health record (EHR) technology;
  • Bears more than minimal financial risk OR is a medical home expanded under the CMMI; and
  • Has increasing percentage of payments linked to value through Medicare or all-payer APMs.

The illustration below shows the timing of updates and revenue requirements for APMs.

Source: Making Way for MACRA: Positioning Your Organization for Payment Reform, http://www.ecgmc.com/thought-leadership/articles/making-way-for-macra-positioning-your-organization-for-payment-reform

If a provider chooses, they can opt to stay in the fee-for-service program until at least 2025.  That said, CMS is encouraging industry stakeholders to move into the APM program because it incentivizes the delivery of value-based care.  The difference between the fee-for-service program and APM model is:

Category one: Fee-for-service payment – no link to quality and value;

Category two: Fee-for-service payment – link to quality and value; and

  1. Foundational payments for infrastructure and operations
  2. Pay for reporting
  3. Rewards for performance
  4. Penalties for performance

Category three: APM built on quality and value fee-for-service architecture; and

  1. APMs with upside gainsharing;
  2. APMs with downside risk

Category four: (future program) Population-based payment

  1. Condition specific population based-payment
  2. Comprehensive population based-payment

MACRA Countdown to Go-live

Many changes must occur before the 2019 go-live date.  The illustration below compares high-level implementation milestones and timeframes of the MIPS and APM programs.

Source: Making Way for MACRA: Positioning Your Organization for Payment Reform, http://www.ecgmc.com/thought-leadership/articles/making-way-for-macra-positioning-your-organization-for-payment-reform

Before the kickoff of MACRA, the completion of many mandated tasks for measurement, development, processes, design and reporting must be in place, including:

  • Policy discussion period for MIPS and APM;
  • Consideration planning and measurement development;
  • Reporting and financial adjustments; and
  • Annual updating of program measures.

The Effects of MACRA for Providers and Healthcare Stakeholders

In his article, Making Way for MACRA: Positioning Your Organization for Payment Reform, Dave Wofford, a senior manager at ECG Healthcare Management Consultants, highlighted six areas that providers should consider between now and when MACRA kicks-off in 2019:

  1. Changes to CMS’s payment methodologies for nonphysician services should be expected as well

CMS’s decision to measure and pay differently for physician resource utilization will affect costs in every setting where physicians provide services.  Real changes in physician behavior regarding ordered services will transform services payment.  We anticipate changes will begin to occur around 2022, once CMS has several years of data from this program.

  1. Understanding the relationship between Medicare Parts A and B will become more complicated

Providers will need to become more sophisticated in understanding how performance under Part B—particularly the resource utilization incentive—will impact reimbursement under Part A.  Therefore, providers must evaluate their Medicare strategy and participation in various programs (e.g., MIPS, APMs, Medicare Advantage) as it may not be effective simply to be a passive participant in Medicare FFS.

  1. Physician practice consolidation and acquisitions will continue

Many smaller physician practices are unlikely to have the internal resources necessary to take full advantage of, and manage their performance against, MIPS or participate in an APM.  This will likely accelerate consolidation into larger freestanding physician practices or integrated delivery systems.  Additionally, given the impact that MIPS’s resource utilization feature will have on hospital reimbursement, health systems may be even more motivated to employ physicians to shape their incentives appropriately.

  1. Physician compensation and service agreements will need to evolve

Physician compensation arrangements, as well as professional services agreements, will need to include physician incentives that reflect those being implemented by CMS.  There will need to be a strategy to address the disparate performances from different physicians; certain physicians will have the potential for much lower or higher reimbursement rates.  The question of who (i.e., the physician or the health system) bears the risk and reaps the reward will be a hot topic, especially considering the cost associated with ramping up technology capabilities for tracking the quality metrics built into MIPS.

While these changes will not happen overnight, they will begin to take place within just a few years.  Therefore, assessing the implications of MACRA upon any long-term physician contracts that are currently in negotiation or up for renegotiation should happen shortly.  If necessary, flexibility should be built into the contract language to accommodate future payment incentives.

  1. Commercial contracts will need to be amended

Many commercial payor contracts contain language that defines reimbursement regarding a percentage of Medicare.  While that has worked well in the traditional FFS world, it will not translate with the introduction of MIPS, and many commercial contracts do not have sufficient flexibility in them to accommodate this new feature.  Therefore, commercial payor contracts should be reviewed to determine their compatibility with MACRA and language should be adjusted as necessary.

  1. Providers can have a voice in shaping the final product

MACRA involves an extraordinary degree of delegation to CMS in fleshing out the details of the plan and it mandates that stakeholder input is considered in developing these finer points. Therefore, providers should take advantage of the opportunity to make their voices heard during the stakeholder comment and review process.

Summary

The passing of MACRA transcends the repealing of the SGR formula and signals the government’s continued desire to evolve payment models that incentivize providers to improve patient care, reduce healthcare costs and make a significant step toward an industry-wide value-based payment system.

Healthcare leaders should stay ahead of the juggernaut of information by monitoring CMS’ release of information detailing how the agency will implement MIPS and the APM incentive payments, including the creation of composite scoring criteria and performance thresholds.

References

  1. R.2 – Medicare Access and CHIP Reauthorization Act of 2015, 114th Congress (2015-2016) https://www.congress.gov/bill/114th-congress/house-bill/2/text
  2. S. Bureau of Labor Statistics states that there are 16 million medical-related jobs, http://www.exploremedicalcareers.com/1-in-8-americans-employed-by-u-s-healthcare-industry/
  3. Patient Protection and Affordable Care Act, https://democrats.senate.gov/pdfs/reform/patient-protection-affordable-care-act-as-passed.pdf
  4. Health Insurance Marketplace, http://obamacarefacts.com/insurance-exchange/health-insurance-marketplace/
  5. The next generation of Medicare beneficiaries, http://www.medpac.gov/documents/reports/chapter-2-the-next-generation-of-medicare-beneficiaries-(june-2015-report).pdf?sfvrsn=0
  6. CMS, Path to Value, https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/Value-Based-Programs/MACRA-MIPS-and-APMs/MACRA-LAN-PPT.pdf
  7. The Merit-Based Incentive Payment System (MIPS), https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/Value-Based-Programs/MACRA-MIPS-and-APMs/MACRA-MIPS-and-APMs.html
  8. CMS fee-for-service payment model, https://www.medicaid.gov/medicaid-chip-program-information/by-topics/delivery-systems/fee-for-service.html
  9. Alternative Payment Models, https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/Value-Based-Programs/MACRA-MIPS-and-APMs/MACRA-MIPS-and-APMs.html
  10. Making Way for MACRA: Positioning Your Organization for Payment Reform, http://www.ecgmc.com/thought-leadership/articles/making-way-for-macra-positioning-your-organization-for-payment-reform

________________

Phil C. Solomon is the publisher of Revenue Cycle News, a healthcare business information blog and serves as the Vice President of Global Services for MiraMed, a healthcare revenue cycle outsourcing company.  As an executive leader, he is responsible for creating and executing sales and marketing strategies which drive new business development and client engagement. Phil has over 25 years’ experience consulting on a broad range of healthcare initiatives for clinical and revenue cycle performance improvement.  He has worked with industry’s largest health systems developing executable strategies for revenue enhancement, expense reduction, and clinical transformation. He can be reached at philcsolomon@gmail.com or on Twitter @philcsolomon.

 

 

 

{ 0 comments }

dollarThe U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) announced the beginning of the 2016 Phase Two Health Insurance Portability and Accountability Act (HIPAA) Audit Program.  This program is designed to evaluate the compliance efforts of covered entities and their business associates (BA) with the HIPAA Privacy, Security and Breach Notification Rules (HPSBNR).

Phase Two audits will act as an additional regulatory compliance evaluation tool that supports OCR’s current enforcement strategies.  The goal of the Phase Two HIPAA audits is to ascertain best practices and proactively find and mitigate risks and vulnerabilities to protected health information (PHI).  These audits will mainly be desk audits and some will be on-site evaluations.

Why are Phase Two HIPAA Audits so Important?

HIPAA security has become a lightning rod issue in the United States (U.S.) because of the growing threat of cyber-crimes that include computer hacking and identity theft.  From October of 2009 through March 2016 the Secretary of HHS’s Breach of Unsecured Protected Health Information Portal documented over 157 million individuals who were affected by PHI breaches.  Section 13402(e)(4) of the Health Information Technology for Economic and Clinical Health (HITECH), requires the Secretary to post a list and description of breaches of unsecured PHI affecting 500 or more individuals.  Initiating Phase Two audits are a proactive measure led by the OCR to evaluate readiness, compliance and develop a strategy to reduce PHI breaches.

According to a Redspin, in their 2015 Healthcare Breach Report of PHI, the sixth annual analysis of the causes of PHI breaches reported to the OCR, Redspin found that PHI breaches have evolved from typical employee error that includes loss or theft of unencrypted portable computing devices to more sophisticated malicious acts.

“2015 was a watershed (or perhaps a ‘washout’) year in healthcare IT security,” notes the report.  “In previous reports, we warned that ‘the threat from malicious outsiders—hackers—has the potential to wreak havoc on the healthcare industry.’  In 2015, havoc was wrought.”

Nine out of 10 breach incidents were the result of criminal hacking.  Those occurrences amounted to 98 percent of all patient records breached in 2015.  Daniel W. Berger, President of Redspin, said, “Healthcare organizations are under attack.  For those entrusted to protect patient data, the security challenges are now much more difficult.”

The report also indicated that 88 percent of all records breached stemmed from the top three cases in 2015.  Anthem led the pack as the largest healthcare breach in U.S. history, involving 79 million patient medical records.

The statistics on healthcare data breaches continues to be a growing concern.  According to the Identity Theft Resource Center, healthcare data breaches accounted for 35.5 percent of all breaches in 2015 which surprisingly was a drop of 8.6 percent from a record high of 44.1 percent in 2014.

However, the healthcare industry is in no position to celebrate.  While financial data has the greatest number of data breaches, a single PHI record is worth roughly 50 times more than a credit card or Social Security number.  Medical records have detailed demographics and other sensitive information, including commercial and government insurance and prescription data.  Unlike credit card numbers or other financial information, when a theft of PHI happens, the data is irrecoverable.

One in 10 Americans have been affected by large health data breaches, and employee negligence is considered the greatest security risk reported in the 2015 Ponemon Institute’s Fifth Annual Benchmark Study (PIABS) on Patient Privacy and Data Security report. Data breaches in healthcare put patient data at risk and are costly.  Based on the results of the PIABS study, the survey found:

  • The cost to the industry is over $6 billion annually;
  • Over 40 percent of the respondents had more than five data breaches over the past two years;
  • The average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million; and
  • The average cost of a data breach to Business Associates’ (BA) is more than $1 million.

Enforcing HIPAA Privacy and Security Rules by OCR is serious business.  On March 16, 2016, the Feinstein Institute for Medical Research in New York entered into an agreement with the OCR to pay $3.9 million to settle violations of HIPAA rules.  In addition to the penalty, Feinstein agreed to initiate a corrective plan to remediate deficiencies that led to the breach.  This action stemmed from a September of 2012 incident when a laptop was stolen containing unencrypted, electronic PHI from a Feinstein employee’s car.  The laptop contained information on approximately 13,000 Feinstein patients and research participants, including names, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications and other medical information regarding subjects’ participation in a research study.  This case demonstrates OCRs commitment to enforcing and penalizing those who violate the HIPAA Privacy and Security Rules.

Despite the potential risk of financial exposure, half of all healthcare organizations surveyed in the PIABS report have little or no confidence in their ability to detect all patient data loss or theft.  This is concerning because, for the first time in history, criminal attacks are the number one cause of data breaches in healthcare.  Hacking healthcare’s technology infrastructure is up 125 percent compared to five years ago.  The illustration below highlights the rise in hacking incidents.

Source:  Identity Theft Resource Center Breach Report Hits Near-Record High in 2015, http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html

A new type of cyber-crime has emerged in the health industry affecting healthcare providers who have their data hijacked and held for ransom.  Methodist Hospital, located in Henderson, Kentucky, has become the third healthcare entity in recent weeks to be victimized by ransomware.  The first was Hollywood Presbyterian Medical Center in Los Angeles California, which paid $17,000 to the hackers to regain access to its electronic medical system, and the second known victim was Ottawa Hospital in Ontario, Canada, which had to wipe the system of the affected computers to regain access to its medical data.  It appears that data held for ransom will continue to increase and will pose a serious business threat for covered entities and BAs.

Based on the rise in security threats, it would make sense that healthcare executives would be acutely focused on data security and make it a top priority, but they haven’t.  According to the American College of Healthcare Executives’ (ACHE) annual survey of top issues confronting hospitals in 2015, Chief Executive Officer’s (CEO) ranked the top ten overarching issues affecting their hospitals, and they identified other specific areas of concern.  There was more than 350 community hospital CEOs who participated in the survey.

Implementation of Phase One and Two HIPAA Audits

Phase One of OCR’s PSBNR Audit Program has concluded.  The program established critical national standards for the privacy and security of PHI and the Health Information Technology for Economic and Clinical Health Act (HITECH) and set breach notification requirements to provide greater transparency for individuals whose information may be at risk.

HITECH requires the OCR office to conduct audits of covered entities and BAs assuring adherence of the HPSBNR.  In 2011 and 2012, OCR implemented the Phase One audit program to assess the controls and processes and conducted an extensive evaluation of the effectiveness of the pilot program.  For more information about Phase One audits, you can view the post: OCR Releases Guidance Regarding Patients’ Access to PHI on MiraMed’s website.

Drawing on that experience and the results of the evaluation, OCR has implemented Phase Two of the program.  According to OCR, Phase Two audits are designed to assess compliance with the HPSBNR for covered entities and their business associates.  These audits will supplement OCR’s other enforcement tools, such as complaint investigations and reviews.  OCR is attempting to identify best practices and proactively uncover and address risks and vulnerabilities to protected PHI.

Speaking at the 24th National HIPAA Summit in the District of Columbia on March 21, 2016, OCR Director Jocelyn Samuels announced the Phase Two launch, saying that the effort will comprise more than 200 desk and on-site audits.  Samuels noted that OCR has also developed an audit-specific portal to enable notified entities to submit requested documentation in digital form.

Desk audits will make up the first two rounds of audits, Samuels said.  The first series of desk audits will focus on covered entities, according to an OCR announcement, while the second round of audits will focus on business associates.  By December 2016, all desk audits be completed.  “We’ll be looking at risk analysis and risk management, notices of privacy practices and access and response to requests for access, and content timeliness of notifications,” Samuels said.  Onsite audits, according to OCR, will focus on “a broader scope of requirements” compared to the desk audits.

The audit program, Samuels continued, will give OCR a way to examine different sectors and geographic regions of the industry, as well as different sized entities, to evaluate some of the risks they may be facing before those risks “ripen” into breaches.

“We don’t necessarily get to see these things through the complaints we receive, and by the time we get a breach report, it’s too late to prevent a problem,” she said.  “We really do look at this as a valuable way for us to get out in front of potential problems and to direct our guidance to the issues that we see occurring in ways that we hope will be more useful to the regulated community.”

OCR’s Phase Two audits will increase industry cognizance of compliance requirements and identify where technical assistance is needed due to issues uncovered through the audits.  The goal of the audit program is to give stakeholders the tools and guidance to improve industry compliance, self-evaluation and the prevention of breaches.

Concurrent with the recent Phase Two audit announcement, OCR has provided a list of 12 frequently asked questions on the HHS website to help covered entities and BAs better understand the program.  They are:

1. When Will the Next Round of Audits Commence?

Phase Two of OCR’s HIPAA audit program is currently underway.  OCR has begun to obtain and verify contact information to identify covered entities and business associates of various types and determine which are appropriate to be included in potential auditee pools.  Communications from OCR will be sent via email and may be incorrectly classified as spam.  If your entity’s spam filtering and virus protection are automatically enabled, we expect you to check your junk or spam email folder for emails from OCR; OSOCRAudit@hhs.gov.

2. Who Will Be Audited?

Every covered entity and business associate is eligible for an audit.  These include covered individual and organizational providers of health services; health plans of all sizes and functions; healthcare clearinghouses; and a range of business associates of these entities.  We expect covered entities and business associates to provide the auditors their full cooperation and support.

3. On What Basis Will Auditees Be Selected?

For this phase of the audit program, OCR is identifying pools of covered entities and business associates that represent a wide range of health care providers, health plans, health care clearinghouses and business associates.  By looking at a broad spectrum of audit candidates, OCR can better assess HIPAA compliance across the industry–factoring in size, types and operations of potential auditees.  Sampling criteria for auditee selection will include size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR.  OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.

4. How Will the Selection Process Work?

Once entity contact information is obtained, a questionnaire designed to gather data about the size, type, and operations of potential auditees will be sent to covered entities and business associates.  As a part of the pre-audit screening questionnaire, OCR is asking that entities identify their business associates.  We encourage covered entities to prepare a list of each business associate with contact information so that they are able to respond to this request.  OCR will conduct a random sample of entities in the audit pool.  Selected auditees will then be notified of their participation.

If a covered entity or business associate fails to respond to information requests, OCR will use publically available information about the entity to create its audit pool.  An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.

5. How Will the Audit Program Work?

OCR plans to conduct desk and onsite audits for both covered entities and their business associates.  The first set of audits will be desk audits of covered entities followed by a second round of desk audits of business associates.  These audits will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules and auditees will be notified of the subject(s) of their audit in a document request letter.  All desk audits in this phase will be completed by the end of December 2016.

The third set of audits will be onsite and will examine a broader scope of requirements from the HIPAA Rules than desk audits.  Some desk auditees may be subject to a subsequent onsite audit.

The audit process will employ common audit techniques.  Entities selected for an audit will be sent an email notification of their selection and will be asked to provide documents and other data in response to a document request letter.  Audited entities will submit documents online via a new secure audit portal on OCR’s website.  There will be fewer in-person visits during these Phase Two audits than in Phase One, but auditees should be prepared for a site visit when OCR deems it appropriate.  Auditors will review documentation and then develop and share draft findings with the entity.  Auditees will have the opportunity to respond to these draft findings; their written responses will be included in the final audit report.  Audit reports generally describe how the audit was conducted, discuss any findings and contain entity responses to the draft findings.

6. What If an Entity Doesn’t Respond to OCR’s Requests for Information?

If an entity does not respond to requests for information from OCR, including address verification, the pre-screening audit questionnaire and the document request of those selected entities, OCR will use publically available information about the entity to create its audit pool.  An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.

7. What is the General Timeline for an Audit?

In the coming months, OCR will notify the selected covered entities in writing through email about their selection for a desk audit.  The OCR notification letter will introduce the audit team, explain the audit process and discuss OCR’s expectations in more detail.  In addition, the letter will include initial requests for documentation.  OCR expects covered entities that are the subject of an audit to submit requested information via OCR’s secure portal within 10 business days of the date on the information request.  All documents are to be in digital form and submitted electronically via the secure online portal.

After these documents are received, the auditor will review the information submitted and provide the auditee with draft findings.  Auditees will have 10 business days to review and return written comments, if any, to the auditor.  The auditor will complete a final audit report for each entity within 30 business days after the auditee’s response.  OCR will share a copy of the final report with the audited entity.

While conducting desk audits of covered entities, OCR will replicate the notification and document request process for initiating desk audits of selected business associates.  OCR will share a copy of the final report with the audited business associate.

Similarly, entities will be notified via email of their selection for an onsite audit.  The auditors will schedule an entrance conference and provide more information about the onsite audit process and expectations for the audit.  Each onsite audit will be conducted over three to five days onsite, depending on the size of the entity.  Onsite audits will be more comprehensive than desk audits and cover a wider range of requirements from the HIPAA Rules.  Like the desk audit, entities will have 10 business days to review the draft findings and provide written comments to the auditor.  The auditor will complete a final audit report for each entity within 30 business days after the auditee’s response.  OCR will share a copy of the final report with the audited entity.

8. What Happens After an Audit?

Audits are primarily a compliance improvement activity.  OCR will review and analyze information from the final reports.  The aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules.  Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful.  Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.

Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate.  OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity.  However, under the Freedom of Information Act (FOIA), OCR may be required to release audit notification letters and other information about these audits upon request by the public.  In the event OCR receives such a request, it will abide by the FOIA regulations.

9. How Will Consumers Be Affected?

The audit program is an important tool to help assure compliance with HIPAA protections, for the benefit of individuals. For example, the audit program may uncover promising practices, or reasons health information breaches are occurring and will help OCR create tools for covered entities and business associates to better protect individually identifiable health information.  Concerns about compliance identified and corrected through an audit will serve to improve the privacy and security of health records.  The technical assistance and promising practices that OCR generates will also assist covered entities and business associates in improving their efforts to keep health records safe and secure.  During the audit process, OCR will continue to accept complaints from individuals and to launch compliance reviews where warranted; covered entities and business associates’ compliance obligations remain in full effect.

10. Will Audits Differ Depending on the Size and Type of Participants?

The audit protocols are designed to work with a broad range of covered entities and business associates, but their application may vary depending on the size and complexity of the entity being audited.

11. Will Auditors Look at State-Specific Privacy and Security Rules in Addition to HIPAA’s Privacy, Security and Breach Notification Rules?

No, the scope of the audit program does not extend beyond the Privacy, Security and Breach Notification Rules.

12. Who is Responsible for Paying the On-Site Auditors?

The Department of Health and Human Services is responsible for the onsite auditors.  Neither covered entities nor their business associates are responsible for the costs of the audit program.

Summary

The Phase Two audit program is a work-in-progress.  OCR has indicated that it will post updated audit protocols to reflect the HIPAA Omnibus Rulemaking and can be used as a tool for organizations to conduct their internal self-audits as part of their HIPAA compliance activities.  OCR plans to develop new tools and guidance to assist the industry in compliance, self-evaluation and breach prevention strategies.  The OCRs goal is to evaluate the results and procedures used in the Phase Two audits to develop a permanent audit program.

In preparation of the Phase Two audits, OCR recommends that covered entities and BAs pay extra attention to areas that represent “heightened risk.”  They are:

  • Risk assessment;
  • Individuals’ right to access their PHI;
  • Authorizations;
  • Minimum necessary use and disclosure;
  • Notice of privacy practices;
  • Breach notification and incident response;
  • Access controls;
  • Encryption; and
  • Logging.

Moreover, if covered entities and BAs focus on the following four primary HIPAA compliance actions, the likelihood of a positive outcome to a Phase Two audit is much greater.  They are:

  1. Ensure the confidentiality, integrity and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits;
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under [the regulations]; and
  4. Ensure compliance with [the regulations] by its workforce. 45 CFR §164.306(a).

Reference
1. 45 CFR § 164.502(e), 164.504(e), 164.532(d) and (e), A Business Associate is any company or person that is exposed to, handles or works with the data in medical records of the medical entities they are contracted with. http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/

______________________

Phil C. Solomon  is the publisher of Revenue Cycle News, a healthcare business information blog and serves as the Vice President of Global Services for MiraMed, a healthcare revenue cycle outsourcing company.  Phil has over 25 years’ experience consulting on a broad range of healthcare initiatives for clinical, financial and revenue cycle performance improvement and has worked with some of the industry’s largest health systems developing executable strategies for revenue enhancement, expense reduction, and clinical transformation. Previously, he was the CEO of a Fast Tech 50, healthcare technology firm, a principal executive at an INC Magazine’s top 500 Fastest Growing Private Companies in the U.S. and he has held various senior leadership positions with national and global business process outsourcing firms. He is an active member of the HFMA Georgia Chapter, has written over 250 articles about revenue cycle optimization and healthcare reform and is often featured as a speaker at industry educational events. You can reach him at philcsolomon@gmail.com, 404-849-8065 or on Twitter @philcsolomon.

{ 0 comments }

Population Health’s Under Developed Capabilities 

Despite remarkable medical advances, Americans are sicker today than ever.  With slow inevitability, individuals and society are accepting responsibility for improving our national health.  Addressing obesity and the chronic disease it spawns (see graphic) is America’s principal health challenge.  A  factsheet by the Partnership to Fight Chronic obDisease details  scope and impact.  133 million Americans have chronic disease.  It accounts for 81% of hospital admissions, 91% of prescriptions and 76% of physician visits.  As chronic disease swells, healthcare spending climbs, national productivity declines and income inequality expands.  Unfortunately, the U.S. system lacks the care management capabilities to fight obesity and diminish chronic disease.  Health companies that develop these capabilities will experience expansive demand for their services.

Population Health Conundrums: Structural; Behavioral and Environmental
Our lifestyle causes unprecedented and increasing levels of disease, disability and medical expenditure. Significant structural, biological, and environmental factors contribute. While daunting, addressing the health system’s structural challenges is easier than overcoming the biological and environmental realities that shape modern living.

Structural: Chronic disease consumes over 70% of U.S. healthcare expenditure. Unfortunately, treatment, not prevention, reigns. There is ample money for amputating feet, but little to manage the diabetes causing the condition. Perverse financial incentives support treatment-centric delivery with the following structural flaws:

• Overtreatment
• Payment for medical activity, not outcomes
• Disproportionate specialty care
• Excessive medical error
• Excessive end-of-life care
• Excessive malpractice insurance and litigation
• Underinvestment in primary care

To their credit, enlightened health systems are attacking the system’s structural flaws by incorporating evidenced-based solutions. They’re making real progress. Unfortunately, it’s not enough. Advancing population health requires modifying deep-seated biologically and environmentally-based behaviors.

Biological: To survive in the Serengeti, humans learned to walk long distances, think on our feet, live in cooperative communities, respond quickly to threats and eat mostly plants. Evolution enabled humans to live off the land and avoid saber-toothed tigers, but did not equip us for office work, abundant food and prolonged stress. Our “modern” lifestyle causes heart disease, cancer, osteoporosis, depression and dementia. Compounding the challenge, America’s growtreatment-centric health system responds to disease, not its sources:

• Inactivity: too much sedentary work and entertainment
• Chronic Stress: “fight or flight” mechanisms trigger prolonged adrenalin and cortisol release that damage immune systems
• Overeating: more die from too much food than too little
• Sugar, Fat, Salt: unhealthy processed foods short-circuit the body’s systems for regulating nutrient consumption
• Sleep Deprivation: impairs decision-making and weakens the immune system
Environmental: Most human behavior is habitual. We respond without thinking to environmental cues carved into our neural circuitry. This works well except when our habits (e.g. afternoon cookies) reinforce unhealthy behaviors. Overcoming bad habits require developing new neural pathways that ignore salient environmental cues and redirect behavior. This is difficult because the old neural pathways don’t disappear. Ask anyone who has tried to quit smoking.

Environmental stresses include:
• Stimulus Overload: constant bombardment of sophisticated emotional messaging
• Isolation: “wired” to live in close-knit, social communities, isolated individuals experience more depression and Food kiddisease.
• Inequality: low-income individuals are disproportionately obese and suffer from chronic disease, stress-related illness and depression. Complex environmental factors relating to food access, economic insecurity and dysfunctional communities drive this pathology.
• Expectations: belief that pharmacological and medical breakthroughs will compensate for unhealthy lifestyle choices.

Population Health’s Four Levels

Population health has four distinct and increasingly complex levels: chronic disease management; predictive analytics; lifestyle management and lifestyle transformation. They interconnect and require different forms of societal, institutional and individual commitment.

I. Chronic Disease Management: Reducing the impact of existing chronic disease on the U.S. health system is imperative. This begins with “hotspotters,” the heaviest users of healthcare users. In a November Harvard Business Review blog , Scott Pingree details Intermountain Healthcare’s program to understand and treat their hotspotters, the five percent of patients consuming 51% percent of care services. Detailed surveys of these high-cost patients reveal inadequate care coordination, poor life quality, care plan misunderstanding, significant mental illness and “self-care” failure. In response, Intermountain has initiated pilot programs to improve its overall adult care strategy and achieve better outcomes for high-cost patients with personalized and holistic solutions that combine coordinated medical treatment with mental health services, monitoring, training and lifestyle coaching. Their goal is to treat chronic disease’s root causes as well as its symptoms.

II. Predictive Analytics: Proactively treating patients for chronic disease (before they become “hotspotters”) prevents hospitalization, lowers costs and improves life quality. Preventive care requires active monitoring and engaged customers. In 2004, UPMC’s Health Plan began using predictive analytics, coaching and wellness programs to improve employee health. They are adept at identifying employees at high-risk of hospital admission and treating their chronic diseases before they require invasive care. In addition to low premium increases (1.1% in 2011), the Health Plan has reduced days lost to illness and injury by 9%. Keeping trained caregivers working improves quality and lowers costs.

III. Lifestyle Management: Given the importance of environmental cues and strong communities in changing habitual behaviors, organizations should promote employee health and wellness. Under Dr. Michael Roizen’s leadership, the Cleveland Clinic inaugurated its Wellness Institute in January 2008 to engage its communities in healthy life choices. Employing “carrot and stick” strategies, the Clinic has introduced active monitoring, eliminated unhealthy meals and snacks, prohibited smoking, promoted fitness, encouraged weight loss, supported stress reduction and rebated health insurance premiums to healthy employees. Early results validate the investment. Employees have lost over 400,000 pounds. Employee utilization of healthcare services has declined – hard evidence that wellness programs can be cost-effective.

IV. Lifestyle Transformation: Overcoming habitual behaviors that trigger chronic disease requires individual lifestyle transformatidron. Most people who try to eat better and exercise more fail. Within two years, 90% of by-pass surgery patients revert to the behaviors that caused their cardiac disease. While difficult, change is not impossible. Dr. Dean Ornish treats chronic cardiac patients with strict diets, meditation and exercise. 80% of his patients still follow the program after three years. His regimen actually reverses heart disease. Ornish achieves this success by teaching good habits, making participants feel better and creating ongoing support networks. Lifestyle transformation occurs individually, but it occurs more often within conducive environments and encouraging communities.

A Good Start

In December, Oxeon Partners published a report on Village Practice Management (“VPM”). VPM is an efficient Houston primary care practice with a big vision: to become the nation’s largest primary care company with physician owners who provide effective care management by aligning productivity and compensation. VPM’s Houston practice has 55% fewer hospital admissions, 45% fewer readmissions and 50% lower costs than comparable practices. Their physicians see 50% more patients per day. VPM’s seasoned leadership team believes their model is scalable and transportable to other markets. Moreover, they’re ready to undertake full risk-based contracting supported by efficient specialty care networks.

Care management companies like VPM will thrive by meeting the care needs of distinct populations. While their efforts are vital, they are not enough. If obesity and chronic disease continue to increase, medical expenditures will skyrocket and our nation’s health will decline. Addressing America’s obesity crisis requires universal participation by individuals, communities, schools, employers, religious/social organizations and governments. Chronic disease management and predictive analytics provide a good start. American society also must tackle lifestyle management and transformation. We cannot afford to fail.

To learn more contact: David Johnson

______________________

Phil C. Solomon  is the publisher of Revenue Cycle News, a healthcare business information blog and serves as the Vice President of Global Services for MiraMed, a healthcare revenue cycle outsourcing company.  Phil has over 25 years’ experience consulting on a broad range of healthcare initiatives for clinical, financial and revenue cycle performance improvement and has worked with some of the industry’s largest health systems developing executable strategies for revenue enhancement, expense reduction, and clinical transformation. Previously, he was the CEO of a Fast Tech 50, healthcare technology firm, a principal executive at an INC Magazine’s top 500 Fastest Growing Private Companies in the U.S. and he has held various senior leadership positions with national and global business process outsourcing firms. He is an active member of the HFMA Georgia Chapter, has written over 250 articles about revenue cycle optimization and healthcare reform and is often featured as a speaker at industry educational events. You can reach him at philcsolomon@gmail.com, 404-849-8065 or on Twitter @philcsolomon.

 

{ 0 comments }