Copyright 2014. Medical Group Management Association® (MGMA®). All rights reserved.
Survive and Thrive in the New HIT Environment Indiana MGMA
May 16, 2014
Today’s Agenda
• Administrative Simplification
• HIPAA transactions, ACA rules
– EFT/ERA
• Meaningful Use Update
• Key HIPAA Privacy and Security Requirements
• On the horizon
Administrative Simplification
ACA-Providers Wish List (§ 1104)
Required
– Operating Rules
o Eligibility verification and claim status
o All the other HIPAA transactions and EFT
– EFT standards
– Health Plan Identifier
– Claims attachments
– Plan certification
Patient Eligibility Verification
• Practices typically:
– Pick up the phone and attempt to verify
eligibility
– Log on a proprietary plan website
– Employ the “submit claim and cross fingers”
technique
– Play “chase the patient” for the outstanding
balances
Patient Eligibility Verification
Operating Rules
• With new operating rules, practices will receive:
– Health plan name and coverage dates
– Static financials (co-pay, co-insurance, base deductibles)
– Benefit-specific and base deductible for individual/family
– In/out of network variances
– Remaining deductible amounts
– All within 20 seconds
– Next morning if sent in batch mode
– Challenge: insurance exchange product 90-day “grace period”
Electronic Funds Transfer /
Electronic Remittance Advice
EFT – Significant Potential for Efficiency
• Estimates are that:
– Businesses save between 50 cents and $1.25 per
payment for direct deposit. The savings associated with
EFT could even be greater
– Providers could save ~$3 per claim settled electronically
• According to data from the US Healthcare Efficiency Index
approximately $11 billion would be saved if EFT were
adopted.
• Jan 2012-HHS adopts final standards rule for EFT
• Plan compliance, Jan. 1, 2014
• Watch out for high fees and “virtual credit cards”!
Operating Rules
• Automates the reassociation of EFTs and
ERAs:
– Requires the health plan to release the EFT
payment and ERA within a reasonable
timeframe (e.g. 3 days or less) if the provider
has enrolled for both transactions
– You receive the key data elements (“trace
numbers”) in the two transactions necessary
for successful reassociation
• Standardizes enrollment
MGMA EFT/ERA Guide (mgma.org)
Meaningful Use
Meaningful Use-Positives
• CMS offers significant provider resources:
– Toolkits
– Webinars
– Tip sheets
• RECs have proven valuable partners to small
practices
• Without MU dollars, highly doubtful we would
have seen the significant uptake in EHR adoption
Meaningful Use-The Success Story
EP Stage 1 Challenges
• Challenging current environment for EPs and vendors
(HIX, ICD-10, Admin Simp, HPID, Privacy, SGR, etc)
• Redundant requirements (i.e., security risk
assessment-already required since 2005)
• Reporting same data multiple ways for multiple
programs
• MU criteria weighted toward primary care (i.e.,
smoking status, referrals, reminders)
• “All or nothing” approach to reporting
• All year reporting
[Figure: Ambulatory CEHRT vendors (N = 956), grouped by the editions to which the vendor has certified any product (2011 only, N = 178; 2014 only, N = 82; 2011 and 2014, N = 163) and by whether the vendor’s products were used to attest in 2011-2013]
245 Ambulatory EHR vendors had 2014 Edition certified products as of April 2014-HITPC (May 6)
The Headline from May 6
“Few hospitals, docs at Stage 2
meaningful use, CMS official says”
-4 Hospitals
-50 EPs
(From CMS official Beth Myers-speaking to HITPC)
If you’re reporting in Stage 1 in 2014…
• 2014 Stage 1 measures and EHR certification criteria:
– 13 core measures
– 5 of 9 menu measures
– 9 of 64 clinical quality measures
• New changes to Stage 1 measures and exclusions made in Stage 2 final
rule: CMS tip sheets
Retired measures for 2014:
– Core measure: provide patients with an electronic copy of their health information upon request.
– Menu measure: Provide patients with timely electronic access to their health information within 4 business days of the information being available to the EP.
New measure/objective for 2014:
– New objective: Provide patients the ability to view online, download and transmit their health information within 4 business days of the information being available to the EP.
– New core measure: More than 50% of all unique patients seen by the EP during the EHR reporting period are provided timely (within 4 business days after the information is available to the EP) online access to their health information subject to the EP's discretion to withhold certain information.
How to avoid the 2015 Meaningful Use Penalty
• 2015 meaningful use penalty: -1.0%
• Three ways to avoid the penalty:
– Meaningful user in 2013: demonstrated MU and attested by March 31
– New meaningful user in 2014: demonstrate MU for 90 days and attest
by Oct. 1
– Apply for a hardship exception by July 1
• Infrastructure
• New eligible professionals
• Unforeseen circumstances
• Lack of face-to-face or telemedicine interactions and follow-up visits with patients
• EPs who practice at multiple locations and lack control over availability of the CEHRT for
>50% of patient encounters
• Software issues (new EPs in 2014 only)
*Anesthesiology, radiology, and pathology are excluded from penalties
and do not have to apply for a hardship exception
MGMA Concerns
• Reliance on patient actions to meet a
measure (i.e., portals, secure messaging)
• Reliance on expensive technology (i.e.,
portals)
• New criteria must not act as a disincentive
to participate (i.e., of the $44k total: $38k for
Stage 1…$6k for Stages 2/3)
• Insufficient time for software developers
and EPs to move from one stage to another
MU Tips
• Review closely your current or potential vendor
contract for upgrade schedule
• Carefully review ROI (cost/penalties vs incentives)
• Pick the right software for your practice, not
necessarily the cheapest, or even one that meets MU
• Design workflow to manage challenging criteria
• Be mindful of HIPAA security assessment—leading
cause of failed MU audits
• www.mgma.org/meaningfuluse
HIPAA Security and Privacy
The “Omnibus Rule”
• Most HITECH Act privacy and security provisions
• Increased patient rights
• Breach Notification rule modified
• Enforcement expansion
• General compliance date: September 23, 2013
INCREASED PATIENT RIGHTS
Electronic Copy of PHI
• Practice must now provide an individual with a copy of
their PHI that is maintained by the practice electronically,
in the electronic form and format requested by the
individual if such format is readily producible
• If the requested format is not readily producible, practice
must offer at least one readable electronic format
• If patient/practice can’t agree on format, a readable hard
copy must be provided
• Fees (paper or e-copy) are limited to state law and
reasonable costs
Restriction for Out-of-Pocket Payments
• Practice must agree to individual’s request to
restrict PHI disclosure to payer if the individual
(or 3rd party) pays out-of-pocket and in full
– For payment or health care operations
– Unless disclosure is required by law
– No requirement to monitor downstream providers (e.g.,
pharmacies)
• If payment dishonored, practices must make a
reasonable effort to contact patient and obtain
payment prior to disclosing PHI to health plan
• Practices will need to flag restricted PHI or note
in the record that the PHI has been restricted
NOTICE OF PRIVACY
PRACTICES
Changes to Notice of Privacy
Practices
• Prohibition on sale of PHI
• Duty to notify affected individuals of a breach of unsecured PHI
• Right to opt out of fundraising (if applicable)
• Right to restrict disclosure of PHI when paid out of pocket
Notice of Privacy Practices: To Do
• Review current notice and identify required changes
• NPP to all new patients/current patients who request one
• Post new notice in prominent public area of the practice
and on your website
• Good opportunity to revise your notice to include any
practice changes (e.g., EHR, PHR, HIE) and write in “plain
language”
• Review MGMA sample NPP www.mgma.org/hipaa
• OCR templates for your office to use
– http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
BREACH NOTIFICATION RULE
New “Compromise Standard”
• Previous approach:
– “Significant risk of financial, reputational, or other
harm”
• New approach:
– Presumption of reportable breach, unless low
probability the PHI has been compromised
after risk assessment
Breach Risk Assessment Factors
• Nature and extent of PHI involved
• The unauthorized person who used
the PHI or to whom the disclosure
was made
• Whether the PHI actually was
acquired or viewed
• The extent to which the risk to the
PHI has been mitigated
Breach Notification: To Do
• Avoidance (always your best option!)
– Creation of internal “security team”
– Conduct a thorough security risk analysis
– Identify and address gaps with new or revised
policies and procedures
– Pay particular attention to highly vulnerable areas
(strongly consider encryption):
• Mobile technology (laptops, tablets, smart
phones)
• Remote access to EHR / transmission of PHI
Breach Notification: To Do
• Implement/revise breach response plan
– Identification of potential breaches
– Internal reporting of potential breaches
– Assess potential breaches (risk assessment with
four factors)
– Report breaches to individuals, annually to HHS
– If 500+ patients, HHS asap and local media
• Integrate state law requirements
• Train staff
Enforcement from OCR in the Last
Few Weeks
• Stolen laptops lead to important HIPAA settlements
– Two entities have paid the U.S. Department of Health and
Human Services Office for Civil Rights (OCR) $1,975,220
collectively to resolve potential violations…
• HIPAA breach (6k+ patients) leads to fines
– New York and Presbyterian Hospital has agreed to pay OCR
$3,300,000 to settle potential violations and will adopt a
corrective action plan to evidence their remediation of these
findings.
– Its affiliated Columbia University has agreed to a $1,500,000
monetary settlement to settle potential violations and will adopt a
corrective action plan to address deficiencies in its HIPAA
compliance program.
The Near Future for Practices
Patient ID Cards
Practice Management Systems
“Smart” Cards
Practice Management System
Software
• PM Problems:
– Software very expensive
– Requires significant staff training and
change in workflow
– Doesn’t always allow practice to take
advantage of the new standards
– Brochures and salesmen are all we
have to go on
PM Accreditation
In Summary
• Significant opportunities to automate your practice
• Focus on eligibility and EFT as “low-hanging fruit”
• Talk to your vendors and CHs about opportunities,
plans about compliance
• MU Stage 2 will be tricky-talk to your colleagues
• Privacy and Security still important
• Keep one eye on tomorrow’s opportunities
• Look to MGMA as your trusted partner!
Thank you!
Robert Tennant
202.293.3450
General Steps to HIPAA
Compliance
Steps to HIPAA Compliance
1. Begin with a thorough risk assessment
2. Review all current policies and procedures
(gap analysis)
3. Identify all locations with PHI
4. Determine whether encryption is warranted,
and to what extent
5. Review your medical record retention and
destruction policies to confirm that data is
being destroyed properly
Steps to HIPAA Compliance
6. Create a cost-effective plan to mitigate top risks
(i.e., physician laptops)
7. Ensure BA contracts are modified
8. Update policies and procedures
9. Train impacted staff
10. Take a cross-functional approach to compliance
11. This is a good opportunity to do a HIPAA house-cleaning!
12. “HIPAATIZE” your staff!!
Recent MGMA Member-Benefit Resources December 2013 – April 2014
• MGMA/AMA 2014 ACA Exchange Checklist
• EFT and ERA Guide
• Requesting payment via EFT sample letter
• Final 2014 Medicare Physician Fee Schedule Analysis
• General Medicare Update for 2014 webinar on-demand
• Updated MGMA/AMA Ordering/Referring Fact Sheet
• Meaningful Use: Top Member Questions
• HIPAA Security Toolkit
• More to Come!
Get the latest in regulatory and legislative news straight from the nation’s capital through the Washington Connection, published weekly
by our Government Affairs team.
Visit our website for full pricing information
and to explore all of our membership options,
including special rates for group memberships.
Use the code “GAMEM” to waive the application fee
when you sign up for an annual membership today!
Resources
• MGMA: www.mgma.com/hipaa
– HIMSS-MGMA Toolkit
– Sample BAA, sample NPP, Security Risk Analysis
toolkit
– NEW Risk Assessment Toolkit
– NIST resources (risk assessment tool, guidance)
• Office for Civil Rights:
http://www.hhs.gov/ocr/office/index.html
– Rules, regulations, guidance
– Audit and enforcement actions