HIPAA and Protecting Patient Information

by Michelle Hennen RHIA, CPC, RMC, CMM

Privacy is…

• the patient’s expectation
• the patient’s right
• the foundation of trust between the healthcare organization and the patient; as well as preserving the health of the organization

Top Hit List for Incidents

• Inappropriate release of PHI
• Inappropriate access of PHI
• Inappropriate emailing of PHI
• Use of portable electronic devices

Why is our information important?

The value of the data itself is relatively low, but the impact of what criminals can do with the data is extremely high.  Some examples are:

• Insurance Fraud/False Medical Claims
• Identity Theft
• Tax Fraud

The impact to the healthcare organization losing PHI is:

• Trust in the healthcare organization
• Costs for the organization
• The average cost per stolen record is $363 which includes the cost of patient notification, media notification, and HHS notification (this does not include any costs with a government audit or remediation efforts)

How much is our PHI worth on the black market?
Our PHI is bought and sold just like merchandise on the internet.  The information most valuable is:

• Credit card information
• Mother’s maiden name
• Date of birth
• Social security number
• Patient medical record

In a cited a case last year one patient learned that his records at a major hospital chain were compromised after he started receiving bills related to a heart procedure he had not undergone. The man’s credentials were also used to buy a mobility scooter and several pieces of medical equipment, racking up tens of thousands of dollars in total fraud.  Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number.

Here is suggestion for healthcare organizations to implement to safeguards PHI.

1. Protect email accounts. Healthcare providers should use a tool that scans incoming email messages in real time in order to spot suspicious messages and filter them out before someone clicks a phishing link. On top of that, every employee should be aware of suspicious emails. If something seems a little “off,” they should know how to report it right away.
2. Every organization needs some sort of security software or service in place. This is something that can be outsourced to a company or handled with healthcare security software.
3. Back up your data regularly. This is one of the most important parts of a good cyber security strategy. If an organization has good back-up data, they don’t have to shell out millions to decrypt information and get that data back.
4. Keep an eye on mobile devices and their use.  If staff members will be accessing data on a mobile device, healthcare organizations should consider restricting access to critical data and systems. At the very least, they should invest in a centrally-controlled system so mobile devices can be wiped clean if they are stolen or compromised.

References
https://www.darkreading.com/cloud/stolen-medical-data-is-now-a-hot-commodity--/a/d-id/1316598
https://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924

ASK HIM: What are the Key Performance Indicators of Director of HIM?

Question: What are the Key Performance Indicators of Director of HIM?

Answer: We put your question to the OHIMA Board of Directors – many of which are managers and directors of HIM in hospitals and other healthcare facilities. Below are the examples of key performance indicators (KPIs) they shared. 

-  Release of Information requests at below turn-around time

- Chart Completion/Chart Analysis performed within 24 hours of discharge 

- Delinquency Rate is less than 50%

-  Duplicate Medical Record Number percentage 

- Coding/ DNFC/DNB (below national benchmarks)

- Percentage of claims denied (along with the reasons)

- Gap between date of service and date billed

- Productivity Reports

- Outstanding Accounts Receivable

- Aged Accounts

- Customer satisfaction surveys

- EMR utilization

- H&P compliance is at 100%

KPIs depend on the focus assigned to the particular HIM Director and/or what the facility has elected to track and trend.  

What are some of the KPIs for your role and facility?
  

Do you have a question??  Ask an HIM expert!  We will do our best to answer questions on any topic ranging from HIM, management, beginning your HIM career, CEUs, OHIMA, AHIMA, etc.!  Submit your question HERE.

Documentation Improvement-A Strategy for Denials Avoidance

by Glenn Krauss - Director of Healthcare Solutions, Casa Healthcare

One major way organizations can reduce claims denials is to truly focus upon root cause analysis, take a hard look at avoidable unnecessary denials, develop a management action plan and engage in process improvement that holds stakeholders accountable.

Case in point, bring into the fold CDI specialists and hospitalists who in some respects to medical necessity & clinical validation denials as well as DRG downcodes. Examine and validate to what extent do hospitalist contribute to these denials due to poor documentation practices, incomplete H & Ps failing to show and describe the true clinical picture as evident in the ER documentation, cut/paste progress notes that say virtually nothing about patient progress or clinical status, problems with progress note situational awareness, rabbit out of the hat diagnostic assessments, discharge summaries that don't "discharge" the patient, inconsistent documentation throughout the chart. As for CDI programs, and correlate with the increasing number of clinical validation denials and DRG downcodes. Are we feeding back this information to CDI specialists in the interest of CQI and process improvement? Are the queries clinically valid and is the clinical information and facts of the case supportive of the diagnosis? Are the CDI specialists operating in a vacuum with their blinders on, thinking the query response rate and agreement response rate are right on target for benchmark measurement, not realizing their performance is failing achieving alignment and integration with the revenue cycle? One can make an argument CDI can potentially be negating the effectiveness of the hospital's revenue cycle operations.

It's time to engage in transforming repetitive denials management to a more effective efficient approach of denials avoidance. A reasonable starting point in process improvement is to hold physicians and CDI accountable for relevant denials they have contributed to, requiring a wholesale change to thought processes of documentation and principles of documentation improvement. Denials avoidance requires the awareness and realization that maintaining the status quo is not an acceptable business practice. Process improvement entails investing sufficient resources in root cause analysis and taking the necessary steps to develop a reasonable approach to process improvement that facilitates accountability that is valid, reliable and measurable. KPIs in today's CDI programs are not conducive to supporting and achieving a true denials avoidance culture as relates to affecting positive change in patterns of physician documentation.

http://www.beckershospitalreview.com/finance/4-ways-healthcare-organizations-can-reduce-claim-denials.html

This article was originally featured on Glenn's Physician Documentation Improvement-A New Paradigm LinkedIn page on May 24, 2017 and reprinted with permission.

ICD-11

ICD-11! ……Wait ….. what?

The World Health Organization (WHO) began development on ICD-11 in 2007 and is set to be finalized in 2018.  What does this mean for the U.S.?  At this point it is estimated that “11” will be implemented by 2023 or after.  I think I just heard a collective sigh of relief.  I know what you are thinking so I’ll give you a moment to “do the math” and see if your retirement supersedes this timeframe; if it does not -read on.

What needs to happen to “11” before we adopt? 

ICD-11 will need to be evaluated and customized to meet the U.S. needs for formal updating as required by Congress and U.S. stakeholders.  A procedural coding system will need to be developed and as part of HIPAA regulations “11” will need to undergo a rulemaking process before adoption.  Now, historically speaking, it took 8 years to modify “10” and 19 years to implement.  I personally do not feel “11” will take that long as “10” has already started us on the path to computerization; but rest assured it will take an estimated 10 years or more before we see “11” in the states.  For all of you reading this with sweaty palms and racing heartbeats – you may breathe now.

What does ‘11” look like?  For all you coding geeks out there, me included, I know you’re anxious for a taste.  ICD-11 has 26 chapters, 4-digit categories and the ability to build “code-strings” through something called Post-Coordination.  ICD-11 has also split chapter 3 (Diseases of the blood and blood forming organs and certain disorders involving the immune mechanism) into 2. Chapter 3: Diseases of blood and blood forming organs and Chapter 4: Disorders of the immune system.  There are 4 brand new chapters: Chapter 6 Conditions related to sexual health, Chapter 8 Sleep-wake disorders, Chapter 26 Extension codes, and Chapter 27 Traditional medicine.

Here is a sample diagnosis and codes:     

Hypertensive Chronic Renal Disease, Stage 4

BA02     Hypertensive renal disease

GC11.5  Chronic kidney disease stage 4

For those of you wishing to poke around a little more go to:  

www.who.int/classifications/icd/revision/en/

Do keep in mind that the above comparisons are between ICD-10-CM as it is modified for the U.S. and the World Health’s ICD-11 version which is not modified. One thing is for sure; ICD-11-CM will be designed to better communicate with computers as the objective of “11” is to form a modern terminology optimized for clinical information systems.  This is so it may be easily utilized by electronic health applications.  Some features of “10” will be preserved but “11” will have some similarities with SNOMED-CT (a computer-friendly terminology).

Blogger opinion:  What does this mean for me? A coding lifer?  My personal thoughts:  The “bar” for coders has continually been raised since the 80’s when codes were required for reimbursement through DRG’s and CPT codes for outpatient procedures.  Then along came Present on Admission (POA) indicators and an increased importance of coding severity of illness (SOI) and risk of mortality (ROM).  More recently coders are working with clinical documentation improvement (CDI) efforts and computerized assisted coding applications (CAC).  The traditional role of a coder will become more automated and the coder will once again be elevated to the higher level - that being a coding auditor.  We have rolled with the punches before and we will continue to do so.  My advice is to embrace the challenge and seek ways to insert yourself into the future.

In summary, the adoption of “11” will be a massive undertaking for the U.S. and will require system designers, implementers and users who have expertise in SNOMED-CT, ICD-10, and the unique features of ICD-11.  The traditional role of an HIM professional will be impacted by this change.  AHIMA is gently steering members through “HIM re-imagined” so we have a place at the table in the future.  Of course, OHIMA is here to assist our membership through educational opportunities so no one gets left behind.  

Thank you for listening.

 

About the Author

Dee Mandley, RHIT, CCS, CCS-P is the president and owner of D.Mandley and Associates, LLC.  She currently serves as as the OHIMA 2017-18 Board President.