Tuesday, March 24, 2020

Adverse Effects, Poisonings, Underdosings, and Toxic Effects

This installment of “In the kNOW” will examine the differences in and coding of adverse effects, poisonings, underdosings, and toxic effects.  Let’s begin with a look at adverse effects.  These are conditions that a patient may develop as a result of taking a prescribed medication exactly as directed.  Another term for this would be side effects.   For example, a patient takes Lisinopril and develops angioedema of the tongue.  The appropriate code assignment and sequencing would be:

T78.3XXA  angioneurotic edema, initial

T46.4X5A  adverse effect of angiotensin-converting-enzyme inhibitors, initial

Proper code sequencing is to code first the nature of the adverse effect (angioedema, in this instance) and then the code to identify the drug.  

Poisonings can occur through a variety of different mechanisms such as:

Drug prescription or administration error
Intentional overdose
Nonprescribed drug taken with a properly prescribed and administered drug
Drug and alcohol interaction

In the circumstance of a poisoning, the appropriate poisoning code is sequenced first followed by any manifestations present.  Poisoning codes include the intent (accidental, intentional, self-harm, assault, and undetermined).  The “undetermined” intent should seldom be assigned as it is only to be used if the documentation has specified that the intent cannot be determined.  In instances where the intent is not known or is unspecified, coding professionals are directed to assign an “accidental” intent. 

An example of a poisoning would be a patient who took their prescribed Gabapentin as directed, but also had several glasses of wine, ending up in a coma.  The correct code assignment and sequencing would be:

T42.6X1A  Poisoning by other antiepileptic or sedative-hypnotic drugs, accidental, initial
T51.0X1A  Toxic effect of ethanol, accidental, initial
R40.20       Unspecified coma

In this scenario, there were two different drugs (Gabapentin and alcohol) which were responsible for the poisoning so both were coded.  Assign as many codes as necessary to capture all the drugs, medicinals, or biological substances that are documented.  When more than one code is necessary, assign separate codes, unless the Table of Drugs and Chemicals supplies a combination code.  Remember that when drugs and alcohol are mixed, the condition is considered a poisoning.

Should a patient have substance abuse or dependence related to the reason for the poisoning, an additional code should be assigned for that abuse or dependence.  If, in our scenario above, the patient was also dependent on alcohol, then we would assign a fourth code of F10.20 for alcohol dependence.

Underdosing is a relatively new concept in ICD-10-CM and addresses taking less of a medication than prescribed.  Last year, a change to the Official Coding Guidelines clarified that the definition of underdosing also includes any discontinuation of a prescribed medication without provider instruction.

When coding for underdosings, it is important to remember that the underdosing code itself cannot be the principal or first-listed code.  Coding professionals will also want to assign the appropriate noncompliance codes to identify intent. 

In this scenario, a patient stops taking their Protonix after six months because they are feeling better.  Within a week, they develop severe nausea and go to see their physician, who restarts the medication.

The code and sequencing assignment would be:

R11.0           Nausea
T47.1X6A  Underdosing of other antacids and anti-gastric-secretion drugs, initial
Z91.128     Patient’s intentional underdosing of medication regimen for other reason

Harmful substances that are ingested or come into contact with a person are considered toxic effects.  Just like with poisonings, the codes include the intent associated with the toxic effect, be it accidental, intentional, self-harm, assault, or undetermined. 

A toxic effect scenario would be a person who was intentionally doused with bleach on the left forearm, resulting in a first-degree burn.

The correct sequencing and code assignment are:

T54.93XA  Toxic effect of unspecified corrosive substance, assault, initial
T22.512A  Corrosion of first degree left forearm, initial

A word of caution: always check the Tabular List for codes related to drugs and chemicals.  Do not rely solely on the Table of Drugs and Chemicals for code assignment.

A final point about these conditions concerns the use of the appropriate seventh character.  These seventh characters indicate the phase of treatment: A for initial encounter (active treatment), D for subsequent encounter (healing phase of treatment), or S for sequela (late effect of initial condition).

Now you are In the kNOW!!

About the Author 

Dianna Foley, RHIA, CHPS, CCS  is OHIMA's Coding Education Coordinator. Dianna has been an HIM professional for 20 years. She progressed through the ranks of coder, department supervisor, and department director, to her current role as a coding consultant. 

She recently served as the program director for Medical Coding and HIT at Eastern Gateway Community College. Dianna earned her bachelor's degree from the University of Cincinnati, subsequently achieving her RHIA, CHPS, and CCS certifications. She is an AHIMA Approved ICD-10-CM/PCS Trainer and a presenter at regional HIM meetings and the OHIMA Annual Meeting.

Tuesday, March 3, 2020

Recent OCR Enforcement Actions and Civil Monetary Penalties

by Elizabeth Curtis, MA, RHIA, CHPS, FAHIMA 

This is a new feature of the OHIMA blog entitled "HIPAA NEWS" - watch for these articles quarterly over the next year!

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services continued to be very active in 2019, after a record year in 2018.

In 2019, OCR settled 10 cases totaling $12,274,000 from enforcement actions and civil monetary penalties.  

Here is a summary of actions related to the HIPAA Privacy and Security Rules, from the last half of 2019.  There have been no actions announced yet in 2020.

Ambulance Company Pays $65,000 to Settle Allegations of Longstanding HIPAA Noncompliance
On December 30, 2019, OCR announced West Georgia Ambulance, Inc. (West Georgia) agreed to pay $65,000 to OCR and to adopt a corrective action plan to settle potential violations of the HIPAA Security Rule. West Georgia provides emergency and non-emergency ambulance services.
OCR began its investigation after West Georgia filed a breach report in 2013 concerning the loss of an unencrypted laptop containing the protected health information (PHI) of 500 individuals. OCR’s investigation uncovered long-standing noncompliance with the HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures.
OCR Settles Second Case in HIPAA Right of Access Initiative
On December 21, 2019, OCR announced its second enforcement action and settlement under its HIPAA Right of Access Initiative. OCR announced this initiative earlier in 2019 promising to vigorously enforce the rights of patients to get access to their medical records promptly, without being overcharged, and in the readily producible format of their choice. Korunda Medical, LLC agreed to take corrective actions and pay $85,000 to settle a potential violation of HIPAA's right of access provision. Korunda is a Florida-based company that provides pain management.
In March of 2019, OCR received a complaint concerning a Korunda patient alleging that, despite repeatedly asking, Korunda failed to forward a patient's medical records in electronic format to a third party. Korunda failed to timely provide the records to the third party, failed to provide them in the requested electronic format, and charged more than allowed under HIPAA. OCR provided Korunda with technical assistance on how to correct these matters and closed the complaint. Despite OCR's assistance, Korunda continued to fail to provide the requested records, resulting in another complaint to OCR. As a result of OCR's second intervention, the requested records were provided for free in May 2019, and in the format requested.
OCR Secures $2.175 Million HIPAA Settlement after Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information

In an agreement with the OCR announced November 27, 2019, Sentara Hospitals agreed to take corrective actions and pay $2.175 million to settle potential violations of the HIPAA Breach Notification and Privacy Rules.  Sentara is comprised of 12 acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina.

In April of 2017, HHS received a complaint alleging that Sentara had sent a bill to an individual containing another patient’s PHI. OCR’s investigation determined that Sentara mailed 577 patients’ PHI to wrong addresses that included patient names, account numbers, and dates of services.  Sentara reported this incident as a breach affecting 8 individuals, because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred.  Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR. OCR also determined that Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performed business associate services for Sentara.
OCR Imposes a $1.6 Million Civil Money Penalty against Texas Health and Human Services Commission for HIPAA Violations

OCR announced November 7, 2019 that it imposed a $1,600,000 civil money penalty against the Texas Health and Human Services Commission (TX HHSC), for violations of the HIPAA Privacy and Security Rules between 2013 and 2017. TX HHSC is part of the Texas HHS system. The Department of Aging and Disability Services (DADS) was reorganized into TX HHSC in September 2017.
On June 11, 2015, DADS filed a breach report with OCR stating that the electronic protected health information (ePHI) of 6,617 individuals was viewable over the internet, including names, addresses, social security numbers, and treatment information. The breach occurred when an internal application was moved from a private, secure server to a public server and a flaw in the software code allowed access to ePHI without access credentials. OCR's investigation determined that, in addition to the impermissible disclosure, DADS failed to conduct an enterprise-wide risk analysis, and implement access and audit controls on its information systems and applications as required by the HIPAA Security Rule. Because of inadequate audit controls, DADS was unable to determine how many unauthorized persons accessed individuals' ePHI.
Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement

On November 5, 2019, OCR announced The University of Rochester Medical Center (URMC) agreed to pay $3 million to the OCR and take substantial corrective action to settle potential HIPAA violations.

URMC filed breach reports with OCR in 2013 and 2017 following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively. OCR's investigation revealed that URMC failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so. In 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite the previous OCR investigation, and URMC's own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.
OCR Imposes a $2.15 Million Civil Money Penalty against Jackson Health System for HIPAA Violations

OCR announced on October 23, 2019 it had imposed a civil money penalty of $2,154,000 against Jackson Health System (JHS) for HIPAA violations between 2013 and 2016. JHS is a nonprofit academic medical system based in Miami, Florida.
On August 22, 2013, JHS submitted a breach report to OCR stating that its Health Information Management Department had lost paper records containing the PHI of 756 patients in January 2013. JHS's internal investigation determined that an additional three boxes of patient records were also lost in December 2012; however, JHS did not report the additional loss, or the increase in the number of individuals affected to 1,436, until June 7, 2016.
In July 2015, OCR initiated an investigation following a media report that disclosed the PHI of a JHS patient. A reporter had shared a photograph of a JHS operating room screen containing the patient's medical information on social media. JHS subsequently determined that two employees had accessed this patient's electronic medical record without a job-related purpose.
On February 19, 2016, JHS submitted a breach report to OCR reporting that an employee had been selling patient PHI. The employee had inappropriately accessed over 24,000 patients' records since 2011.
OCR's investigation concluded that JHS failed to provide timely and accurate breach notification to the Secretary of HHS, conduct enterprise-wide risk analyses, manage identified risks to a reasonable and appropriate level, regularly review information system activity records, and restrict authorization of its workforce members' access to patient ePHI to the minimum necessary to accomplish their job duties.

Dental Practice Pays $10,000 to Settle Social Media Disclosures of Patients’ Protected Health Information
Elite Dental Associates, Dallas (“Elite”) agreed to pay $10,000 to the OCR and to adopt a corrective action plan to settle potential violations of the HIPAA Privacy Rule, the OCR announced on October 2, 2019.  Elite is a privately-owned dental practice located in Dallas, Texas.
On June 5, 2016, OCR received a complaint from an Elite patient alleging that Elite had responded to a social media review by disclosing the patient’s last name and details of the patient’s health condition.  OCR’s investigation found that Elite had impermissibly disclosed the protected health information (PHI) of multiple patients in response to patient reviews on the Elite Yelp review page.  Additionally, Elite did not have a policy and procedure regarding disclosures of PHI to ensure that its social media interactions protect the PHI of its patients or a Notice of Privacy Practices that complied with the HIPAA Privacy Rule.  OCR accepted a substantially reduced settlement amount in consideration of Elite’s size, financial circumstances, and cooperation with OCR’s investigation.
OCR Settles First Case in HIPAA Right of Access Initiative
On September 9, 2019, OCR announced its first enforcement action and settlement in its Right of Access Initiative.  Earlier in 2019, OCR announced this initiative promising to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.
Bayfront Health St. Petersburg (Bayfront) paid $85,000 to OCR and has adopted a corrective action plan to settle a potential violation of the right of access provision of the HIPAA Rules after Bayfront failed to provide a mother timely access to records about her unborn child.  Bayfront, based in St. Petersburg, Florida, is a Level II trauma and tertiary care center licensed as a 480-bed hospital.
OCR initiated its investigation based on a complaint from the mother.  As a result, Bayfront directly provided the individual with the requested health information more than nine months after the initial request. HIPAA generally requires covered health care providers to provide medical records within 30 days of the request and providers can only charge a reasonable cost-based fee.  This right to patient records extends to parents who seek medical information about their minor children, and in this case, a mother who sought prenatal health records about her child.
The actions taken by the OCR involved violations in the areas listed below, and provide a reminder to all health information professionals about the topics the OCR investigates.

Access and Audit Controls: Implementation of access and audit controls on information systems and applications, including regularly reviewing information system activity records, and restricting authorization of workforce members' access to patient ePHI to the minimum necessary to accomplish their job duties.

Breach Reporting: Reported accurately and timely.

Business Associate Agreement: Agreements in place with entities that perform business associate services.

Notice of Privacy Practices: Meet requirements as specified in the HIPAA Privacy Rule.

Right of Access: Timely provision of medical records (generally within 30 days), in electronic format (if requested), and charging no more than what is allowable under HIPAA.

Risk Analysis: Conducting an enterprise-wide risk analysis, providing a security awareness and training program, implementing HIPAA Security Rule policies and procedures, and managing identified risks to a reasonable and appropriate level.

Security Measures: Implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilizing device and media controls; and employing a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it is reasonable and appropriate to do so.

Social Media: Policy and procedure regarding disclosures of PHI to ensure social media interactions protect patient PHI.

Additional Information
All HHS press releases, fact sheets and other news materials are available at https://www.hhs.gov/news.