Medicare Compliance & Reimbursement

HIPAA:

Be Safe and Allocate Funds for Implementing HIPAA

When you outline your office budget, put cash aside for compliance planning.

It’s safe to say that avoiding fraudulent claims has always been a best practice, but increases to CMPs serve to drive that point home. And, if you think that small practices are exempt, you’re wrong. It’s no surprise why the feds continue to go after HIPAA offenders with a vengeance — breaches cause havoc to the business of healthcare, to patients’ privacy and safety, and destroy the integrity of the industry.

Don’t Gamble on Risk

The breach at Children’s Medical Center of Dallas highlights how just one lost phone and one unsecured laptop can lead to staggering financial losses. The lack of encryption, combined with the low priority the hospital gave HIPAA compliance, is what garnered the organization a $3.2 million fine.

“The high impact cases OCR moves forward with are intended to send a message to the industry,” says Kathleen D. Kenney, Esq, of Polsinelli LLP in Chicago, Illinois. “With that in mind, I advise our clients to use these cases as learning opportunities.”

Kenney recommends that practices investigate the corrective actions of these large-scale breaches and learn from the mistakes. “Ask ‘could this happen to my organization?’,” she says, “And, if the answer is ‘yes,’ use it as an opportunity to voluntarily take corrective measures.”

Stiffer penalties. The Department of Justice’s (DOJ) interim final rule adjusting CMPs for inflation was published last June in the Federal Register. Annual adjustments for inflation are mandated by the Bipartisan Budget Act of 2015 and are in effect for fines assessed beginning in August 2016 and are applicable to violations occurring after November 2, 2015.

Here’s the maximum amount each HIPAA violation will cost you under the new CMP adjustment:

  • $55,010 per HIPAA violation
  • $1,650,300 annual cap

The adjusted CMP is an increase from $50,000 per HIPAA violation with a past annual cap of $1,500,000.

Could This Happen to You?

Two recent incidents involving the loss of Protected Health Information (PHI), both within the past week, spotlight how a small practice might run into trouble.

  • Fax the station. On Feb. 13, 2017, WFAA News 8 in Ft. Worth, Texas reported that it had received faxes containing the PHI of 28 individuals from seven different medical practices. After investigating, the news team discovered that the station had a fax number one digit off that of a local surgical center, which was the intended recipient of the patients’ information. More information about the Ft. Worth newsroom breach is here: http://www.wfaa.com/news/local/misdirected-medical-documents-reveals-patient-privacy-issue/408034200.
  • Return to sender. At TriHealth in Cincinnati, Ohio, a software issue caused bills to be mailed to patients’ former addresses in a breach that affected the PHI of 1,162 individuals. The information included on the bills was mainly financial in nature and related to adjustments and services.

Budget for HIPAA or Pay the Price

If your small practice struggles with HIPAA, you may need to consider updating your compliance protocols, especially with the onset of quality-backed initiatives under MACRA. As the priority in healthcare is now clearly focused on the patient, putting his or her privacy and security first will be paramount.

Money matters. The upkeep and implementation of a HIPAA plan can be costly, but pushing it to the last line item on your budget is a mistake.

“For a long time, and still today, many compliance officers struggle to get the budget they need from upper management/executives to invest in their privacy and security program,” observes Kenney. However, she maintains that investing upfront is essential and can be “night and day” if the OCR should come knocking.

Once you’ve set aside funds for compliance, Kenney suggests you follow these steps when setting up a HIPAA compliance plan:

  • Review your HIPAA policies and procedures
  • Update your risk analysis to ensure all ePHI is captured
  • Implement encryption where reasonable and appropriate
  • Ensure comparable controls are in place (and documented) where you are not encrypting PHI

Reminder: Preparation is the key to success in life, and in compliance as well. “With precautionary measures in place,” she adds, “I do think (based on my experience at OCR and on the other side of the table now), you can catch potential breach incidents before they happen or demonstrate to OCR that although a breach did occur, your organization had a plan in place and does not have a systemic issue when it comes to HIPAA compliance.”