Survive and Thrive in the New HIT Environment - Indiana MGMA · 2014-08-18 · Jan 2012-HHS adopts final standards rule for EFT ... MGMA 2013-2014 PowerPoint template 1 Author: Zehra

Copyright 2014. Medical Group Management Association® (MGMA®). All rights reserved.

Survive and Thrive in the New HIT Environment Indiana MGMA

May 16, 2014


Today’s Agenda

• Administrative Simplification

• HIPAA transactions, ACA rules

– EFT/ERA

• Meaningful Use Update

• Key HIPAA Privacy and Security Requirements

• On the horizon


Administrative Simplification


ACA-Providers Wish List (§ 1104)

Required

–Operating Rules

oEligibility verification and claim status

oAll the other HIPAA transactions and

EFT

–EFT standards

–Health Plan Identifier

–Claims attachments

–Plan certification


Patient Eligibility Verification

• Practices typically:

– Pick up the phone and attempt to verify

eligibility

– Log on a proprietary plan website

– Employ the “submit claim and cross fingers”

technique

– Play “chase the patient” for the outstanding

balances


Patient Eligibility Verification

Operating Rules • With new operating rules practices will receive:

– Health plan name and coverage dates

– Static financials (co-pay, co-insurance, base deductibles)

– Benefit-specific and base deductible for individual/family

– In/out of network variances

– Remaining deductible amounts

– All within 20 seconds

– Next morning if sent in batch mode

– Challenge: insurance exchange product 90-

day “grace period”


Electronic Funds Transfer /

Electronic Remittance Advice


EFT – Significant Potential for Efficiency

• Estimates are that:

Businesses save between 50 cents and $1.25 per

payment for direct deposit. The savings associated with

EFT could even be greater

Providers could save ~$3 per claim settled electronically

• According to data from the US Healthcare Efficiency Index

approximately $11 billion would be saved if EFT were

adopted.

• Jan 2012-HHS adopts final standards rule for EFT

• Plan compliance, Jan. 1, 2014

• Watch out for high fees and “virtual credit cards”!


Operating Rules

• Automates the reassociation of EFTs and

ERAs:

– Requires the health plan to release the EFT

payment and ERA within a reasonable

timeframe (e.g. 3 days or less) if the provider

has enrolled for both transactions

– You receive the key data elements (“trace

numbers”) in the two transactions necessary

for successful reassociation

• Standardizes enrollment


MGMA EFT/ERA Guide (mgma.org)


Meaningful Use


Meaningful Use-Positives

• CMS offers significant provider resources:

– Toolkits

– Webinars

– Tip sheets

• RECs have proven valuable partners to small

practices

• Without MU dollars, highly doubtful we would

have seen the significant uptake in EHR adoption


Meaningful Use-The Success Story



EP Stage 1 Challenges

• Challenging current environment for EPs and vendors

(HIX, ICD-10, Admin Simp, HPID, Privacy, SGR, etc)

• Redundant requirements (i.e., security risk

assessment-already required since 2005)

• Reporting same data multiple ways for multiple

programs

• MU criteria weighted toward primary care (i.e.,

smoking status, referrals, reminders)

• “All or nothing” approach to reporting

• All year reporting


16

327 384 108 55 82 Ambulatory

CEHRT Vendors (N = 956)

2011 only (N = 178)

2014 only (N = 82)

To which editions has vendor certified any product(s)?

Were vendor’s product(s) used to attest in 2011-2013?

2011 and 2014 (N = 163)

Not used to attest in 2011-2013

Not used to attest in 2011-2013

Used to attest in 2011-2013

245 Ambulatory EHR vendors had 2014 Edition certified products as of April 2014-HITPC (May 6)

Never used to attest in 2011-2013, not yet certified to 2014 Edition

Used to attest in 2011-2013, not yet certified to 2014 Edition

Used to attest in 2011-2013, certified to 2014 Edition

Never used to attest in 2011-2013, certified to 2014 Edition

New vendor (no 2011 Edition product), certified to 2014 Edition


The Headline from May 6

“Few hospitals, docs at Stage 2

meaningful use, CMS official says”

-4 Hospitals

-50 EPs

(From CMS official Beth Myers-speaking to HITPC)


If you’re reporting in Stage 1 in 2014…

• 2014 Stage 1 measures and EHR certification criteria: – 13 core measures

– 5 of 9 menu measures

– 9 of 64 clinical quality measures

• New changes to Stage 1 measures and exclusions made in Stage 2 final

rule: CMS tip sheets

Retired measures for 2014: New measure/objective for 2014:

Core measure: provide patients with an

electronic copy of their health information

upon request.

New objective: Provide patients the ability to view

online, download and transmit their health

information within 4 business days of the information

being available to the EP.

Menu measure: Provide patients with

timely electronic access to their health

Information within 4 business days of the

information being available to the EP.

New core measure: More than 50% of all unique

patients seen by the EP during the EHR reporting

period are provided timely (within 4 business days

after the information is available to the EP) online

access to their health information subject to the EP's

discretion to withhold certain information.

http://www.healthit.gov/sites/default/files/meaningfulusetablesseries1_110112.pdf

http://www.healthit.gov/sites/default/files/meaningfulusetablesseries1_110112.pdf

http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/2014_EP_MeasuresTable_June2013.pdf

http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/2014_EP_MeasuresTable_June2013.pdf

http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/Stage1ChangesTipsheet.pdf




How to avoid the 2015 Meaningful Use

Penalty • 2015 meaningful use penalty: -1.0%

• Three ways to avoid the penalty:

– Meaningful user in 2013: demonstrated MU and attested by March 31

– New meaningful user in 2014: demonstrate MU for 90 days and attest

by Oct. 1

– Apply for a hardship exception by July 1 • Infrastructure

• New eligible professionals

• Unforeseen circumstances

• Lack of face-to-face or telemedicine interactions and follow-up visits with patients

• EPs who practice at multiple locations and lack control over availability of the CEHRT for

>50% of patient encounters

• Software issues (new EPs in 2014 only)

*Anesthesiology, radiology, and pathology are excluded from penalties

and do not have to apply for a hardship exception

http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/HardshipException_EP_Application.pdf


MGMA Concerns

• Reliance on patient actions to meet a

measure (i.e., portals, secure messaging)

• Reliance on expensive technology (i.e.,

portals)

• New criteria must not act as a disincentive

to participate (i.e., of the $44k total: $38k for

Stage 1…$6k for Stages 2/3)

• Insufficient time for software developers

and EPs to move from one stage to another


MU Tips

• Review closely your current or potential vendor

contract for upgrade schedule

• Carefully review ROI (cost/penalties vs incentives)

• Pick the right software for your practice, not

necessarily the cheapest, or even one that meets MU

• Design workflow to manage challenging criteria

• Be mindful of HIPAA security assessment—leading

cause of failed MU audits

• www.mgma.org/meaningfuluse

http://www.mgma.org/meaningfuluse


HIPAA Security and Privacy


The “Omnibus Rule”

• Most HITECH Act privacy and security provisions

• Increased patient rights

• Breach Notification rule modified

• Enforcement expansion

• General compliance date: September 23, 2013


INCREASED PATIENT RIGHTS


Electronic Copy of PHI

• Practice must now provide an individual with a copy of

their PHI that is maintained by the practice electronically,

in the electronic form and format requested by the

individual if such format is readily producible

• If the requested format is not readily producible, practice

must offer at least one readable electronic format

• If patient/practice can’t agree on format, a readable hard

copy must be provided

• Fees (paper or e-copy) are limited to state law and

reasonable costs


Restriction for Out-of-Pocket

Payments • Practice must agree to individual’s request to

restrict PHI disclosure to payer if the individual

(or 3rd party) pays out-of-pocket and in full For payment or health care operations

Unless disclosure is required by law

No requirement to monitor downstream providers (e.g.,

pharmacies)

• If payment dishonored, practices must make a

reasonable effort to contact patient and obtain

payment prior to disclosing PHI to health plan

• Practices will need to flag restricted PHI or note

in the record that the PHI has been restricted


NOTICE OF PRIVACY

PRACTICES


Changes to Notice of Privacy

Practices

• Prohibition on sale of PHI

• Duty to notify affected individuals of a breach of unsecured PHI

• Right to opt out of fundraising (if applicable)

• Right to restrict disclosure of PHI when paid out of pocket


Notice of Privacy Practices: To Do

• Review current notice and identify required changes

• NPP to all new patients/current patients who request one

• Post new notice in prominent public area of the practice

and on your website

• Good opportunity to revise your notice to include any

practice changes (e.g., EHR, PHR, HIE) and write in “plain

language”

• Review MGMA sample NPP www.mgma.org/hipaa

• OCR templates for your office to use

– http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html

http://www.mgma.org/hipaa

http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html


BREACH NOTIFICATION RULE


New “Compromise Standard”

• Previous approach:

– “Significant risk of financial, reputational, or other

harm”

• New approach:

– Presumption of reportable breach, unless low

probability the PHI has been compromised

after risk assessment


Breach Risk Assessment Factors

• Nature and extent of PHI involved

• The unauthorized person who used

the PHI or to whom the disclosure

was made

• Whether the PHI actually was

acquired or viewed

• The extent to which the risk to the

PHI has been mitigated


Breach Notification: To Do

• Avoidance (always your best option!)

– Creation of internal “security team”

– Conduct a thorough security risk analysis

– Identify and address gaps with new or revised

policies and procedures

– Pay particular attention to highly vulnerable areas

(strongly consider encryption):

• Mobile technology (laptops, tablets, smart

phones)

• Remote access to EHR / transmission of PHI


Breach Notification: To Do

• Implement/revise breach response plan

– Identification of potential breaches

– Internal reporting of potential breaches

– Assess potential breaches (risk assessment with

four factors)

– Report breaches to individuals, annually to HHS

– If 500+ patients, HHS asap and local media

• Integrate state law requirements

• Train staff


Enforcement from OCR in the Last

Few Weeks

• Stolen laptops lead to important HIPAA settlements

– Two entities have paid the U.S. Department of Health and

Human Services Office for Civil Rights (OCR) $1,975,220

collectively to resolve potential violations…

• HIPAA Breach (6k+ patients) lead to fines

– New York and Presbyterian Hospital has agreed to pay OCR

$3,300,000 to settle potential violations and will adopt a

corrective action plan to evidence their remediation of these

findings.

– Its affiliated Columbia University has agreed to a $1,500,000

monetary settlement to settle potential violations and will adopt a

corrective action plan to address deficiencies in its HIPAA

compliance program.


The Near Future for Practices


Patient ID Cards

Practice Management Systems


“Smart” Cards


Practice Management System

Software

• PM Problems:

– Software very expensive

– Requires significant staff training and

change in workflow

– Doesn’t always allow practice to take

advantage of the new standards

– Brochures and salesmen are all we

have to go on


PM Accreditation


In Summary

• Significant opportunities to automate your practice

• Focus on eligibility and EFT as “low-hanging fruit”

• Talk to your vendors and CHs about opportunities,

plans about compliance

• MU Stage 2 will be tricky-talk to your colleagues

• Privacy and Security still important

• Keep one eye on tomorrow’s opportunities

• Look to MGMA as your trusted partner!


Thank you!

Robert Tennant

202.293.3450

[email protected]

mailto:[email protected]


General Steps to HIPAA

Compliance


Steps to HIPAA Compliance

1. Begin with a thorough risk assessment

2. Review all current policies and procedures

(gap analysis)

3. Identify all locations with PHI

4. Determine whether encryption is warranted,

and to what extent

5. Review your medical record retention and

destruction policies to confirm that data is

being destroyed properly


Steps to HIPAA Compliance

6. Create a cost-effective plan to mitigate top risks

(i.e., physician laptops)

7. Ensure BA contracts are modified

8. Update policies and procedures

9. Train impacted staff

10.Take a cross-functional approach to compliance

11.This is a good opportunity to do a HIPAA house-

cleaning!

12.“HIPAATIZE” your staff!!


Recent MGMA Member-Benefit Resources December 2013 – April 2014

• MGMA/AMA 2014 ACA Exchange Checklist

• EFT and ERA Guide

• Requesting payment via EFT sample letter

• Final 2014 Medicare Physician Fee Schedule Analysis

• General Medicare Update for 2014 webinar on-demand

• Updated MGMA/AMA Ordering/Referring Fact Sheet

• Meaningful Use: Top Member Questions

• HIPAA Security Toolkit

• More to Come!

Get the latest in regulatory and legislative news straight from the nation’s capital through the Washington Connection, published weekly

by our Government Affairs team.

http://www.mgma.com/government-affairs/issues-overview/aca/mgma-ama-medical-practice-checklist-for-2014-aca-exchange-implementation

http://www.mgma.com/government-affairs/issues-overview/health-information-technology/administrative-simplification/mgma-eft-and-era-guide

http://www.mgma.com/government-affairs/issues-overview/health-information-technology/administrative-simplification/sample-letter-to-request-payment-via-eft

http://www.mgma.com/government-affairs/issues-overview/medicare-payment-policies/medicare-physician-reimbursement/final-2014-medicare-physician-fee-schedule-analysis

http://www.mgma.com/store/education/online/webinars-on-demand/general-medicare-update-for-2014-on-demand

http://www.mgma.com/government-affairs/issues-overview/medicare-payment-policies/medicare-provider-enrollment/mgma-ama-ordering-referring-fact-sheet-updated

http://www.mgma.com/government-affairs/issues-overview/federal-quality-reporting-programs/what-mgma-members-are-asking-about-meaningful-use

http://www.mgma.com/government-affairs/issues-overview/federal-quality-reporting-programs/what-mgma-members-are-asking-about-meaningful-use

http://www.mgma.org/hipaa

http://www.mgma.com/Washington


Visit our website for full pricing information

and to explore all of our membership options,

including special rates for group memberships.

Use the code “GAMEM” to wave the application fee

when you sign up for an annual membership today!

http://www.mgma.com/membership/not-a-member/become-a-member-of-mgma-today

http://www.mgma.com/membership/not-a-member/mgma-group-membership


Resources

• MGMA: www.mgma.com/hipaa

– HIMSS-MGMA Toolkit

– Sample BAA, sample NPP, Security Risk Analysis

toolkit

– NEW Risk Assessment Toolkit

– NIST resources (risk assessment tool, guidance)

• Office for Civil Rights:

http://www.hhs.gov/ocr/office/index.html

– Rules, regulations, guidance

– Audit and enforcement actions

http://www.mgma.com/hipaa

http://www.hhs.gov/ocr/office/index.html

Documents

Survive and Thrive in the New HIT Environment - Indiana MGMA · 2014-08-18 · Jan 2012-HHS adopts final standards rule for EFT ... MGMA 2013-2014 PowerPoint template 1 Author: Zehra