Category Archives: HIPAA

Aetna draws criticism for automatic down-codes for office visits

Posted on by Posted in Health Insurance Industry, Health System, HIPAA, Hospital, Hospital Industry, Medical Record Coding, Medical Records, Rev Cycle Management Leave a comment

https://www.beckershospitalreview.com/finance/aetna-draws-criticism-for-automatic-down-codes-for-office-visits.html?utm_medium=email

Image result for health insurance downcoding

Providers are concerned a new national policy from Aetna involving evaluation and management services will result in inappropriate down-codes.

Under the policy, Aetna will automatically down-code claims submitted for office visits or certain modifiers when the the insurer finds an “apparent overcode rate of 50 percent or higher.” The policy concerns office visits with the 99000 series of evaluation and management codes and the 92000 series of ophthalmologic examination codes, as well as modifiers 25 and 59, the American Optometric Association said in an advocacy post.

AOA said Aetna didn’t explain how an overcoding determination is made under the insurer’s algorithm, whether with or without medical record reviews.

“The AOA believes it is inappropriate to downcode such claims without first reviewing actual medical records and questions whether it complies with HIPAA; a variety of state laws related to fair, accurate and timely processing of claims; and Aetna’s contracts with patients and physicians alike,” the association said on its advocacy page.

Physicians can appeal down-coded claims through Aetna’s internal process.

In a statement to Becker’s Hospital Review, Aetna explained why it implemented the policy:

“We periodically review our claims data for correct coding and to implement programs that support nationally recognized and accepted coding policies and practices. Through a recent review, we identified healthcare providers across several specialties who are significant outliers with respect to coding practices. While we recognize that healthcare providers undoubtedly may have complex medical cases that are unique to their practice, this result is much higher than the average for physicians across most specialties.

“For this small, targeted group of healthcare providers, we will review their claims against [American Medical Association] and CMS coding guidelines. Based on that review, we may potentially adjust their payments if the information on the claim is not supported by the level of service documented in the medical record.”

 

Healthcare’s number one financial issue is cybersecurity

Posted on by Posted in Cybersecurity, Dark Web, Data Breaches, Data Ownership, Data Sharing, Dept of Health and Human Services (HHS), Federal Bureau of Investigations (FBI), Health Insurance Industry, Health System, HIPAA, Hospital, Hospital Industry, Information Technology, Population Health, Privacy, Risk Assessment, Risk Management Leave a comment

https://www.healthcarefinancenews.com/node/139027?mkt_tok=eyJpIjoiTURRMk1tVTFaVE15TkRjMiIsInQiOiJPNUYydDU5cFVodjB4bnlnb2M0eVhDNjg2YU53NDl6MWFRQlVpUEpmTzV5cEcrVVZMWldhd1AzbHNlckIwUWJHczlhOVRMZUxxSngyWk02VVhXTktXRjN1OE9mbkQ2V2FhQlBqVFIzOWpMS0pNUEdCYWh0SUQyZWZHRmpBQjRFWiJ9

Image result for hospital cybersecurity

The cost of a healthcare breach is about $408 per patient record and that doesn’t include the loss of business, productivity and reputation.

Cyber attacks affect the finances of every hospital and insurer like no other.

“I’ve seen estimates of over $5 billion in costs to the healthcare industry annually,” said Lisa Rivera, a partner at Bass, Berry and Sims who focuses on healthcare security. “That’s enormous and is not going away.”

Beyond the cost to find a solution to fix breaches and to settle any civil complaints are fines from the Department of Health and Human Services Office of Civil Rights. In 2018, OCR issued 10 resolutions that totalled $28 million.

The HHS Office of Civil Rights is stepping up breach enforcement of private health information, according to Rivera, who is a former assistant U.S. Attorney and federal prosecutor handling civil and criminal investigations for the Department of Justice.

What officials want to see is that the hospital or insurer has taken reasonable efforts to avoid a breach.

“There is no perfect cybersecurity,” Rivera said. “They say it’s not perfection, it’s reasonable efforts. That’s going to require an investment up-front to see where data is located, and educating the workforce on phishing incidents.”

Also, hospital finance professionals who are relying more on contractors for revenue cycle management and analytics should take note on the security issues involved in sharing this information.

“Every sector of business has attacks, but healthcare is experiencing the largest growth of cyber attacks because of the nature of its information,” Rivera said. “It’s more valuable on the dark web.”

It’s also not easily fixed.

If an individual’s credit card is stolen, the consumer can cancel his or her credit card. But in health records, the damage is permanent.

THE IMPACT

Despite the number of breaches, healthcare has been behind other sectors in taking security measures. Four to seven percent of a health system’s IT budget is in cybersecurity, compared to about 15% for other sectors such as the financial industry, according to Rivera.

Hospitals are behind because first, it’s a challenge to keep up with the move to more information being in electronic form.

“There’s no hospital that doesn’t have mobile EHR information,” Rivera said. “Then there was this transition with incentives from the government to go to electronic medical records. There were vast routes to doing that without a lot of experience involved in doing it. The push to become electronic began happening with this enormous uptick in cyber attacks.”

Also, the focus of healthcare has always been patient care. The population health explosion also involves the sharing of information.

And consolidation across the healthcare industry can potentially make covered entities more vulnerable to lapses in security during the transition and integration phases.

RECOMMENDATIONS

The number one way to cut costs is to prevent a breach. Once one has happened, hospitals must be able to identify it as soon as possible and then be able to respond to it.

Hospitals should be able to determine where certain data goes off the rail, Rivera said. For instance, large systems doing research have outcome information that may not be within the system of protection.

“You don’t want to learn about a data breach because the FBI saw it on the dark web,” Rivera said. And some hospitals have.

It’s a constant battle of software updates and checks. Criminals are pinging systems thousands of times a day. It’s like locking down doors and windows.

The first thing that’s needed for systems large and small is a risk assessment. This is the first thing the OCR wants to see, she said. Many hospitals use an outside vendor to do the job.

Prices for other cybersecurity measures vary from a software purchase that could be in the millions, to having vendor monitoring.

But the cost of a healthcare breach is about $408 per patient record and that doesn’t include the loss of business, productivity, reputation and the service disruption.

Hospitals can also purchase cyber insurance, which varies in cost and coverage. Some obtain it for purposes of class action lawsuits.

THE LARGER TREND

OCR enforcement activity during 2018 demonstrates the agency’s continued emphasis on enforcing violations of the security risk assessment and risk management requirements, Rivera said.

Covered entities and business associates are required to: conduct a thorough assessment of the threats and vulnerabilities across the enterprise;    implement measures to reduce known threats and vulnerabilities to a reasonable and appropriate level; and ensure that any vendor or other organization accessing or storing private health information is security compliant.
The OCR concluded 2018 with an all-time record year for HIPAA enforcement  activity. The OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This surpassed the previous record of $23.5 million from 2016.

In addition, OCR also achieved the single largest individual HIPAA settlement  of $16 million with Anthem, representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016. Anthem was held responsible for cyber attacks that stole the protected health information of close to 79 million people.

 

What your hospital knows about you

Posted on by Posted in Data Breaches, Health Policy, HIPAA, Personal Information Leave a comment

https://www.axios.com/hospitals-doctors-privacy-records-hacks-data-5cb5d8c1-27de-4cc1-94d8-634015efc04a.html

Illustration of a neon sign in the shape of a health plus with an information "i" in the center.

Every trip to a doctor’s office or hospital adds more information to a deep, comprehensive record of who you are — physically, emotionally and even financially, Axios’ Bob Herman reports.

Why it matters: Health care data breaches are more common than ever, putting our most sensitive personal information at risk of exposure and misuse.

How it works: Although electronic health records have pitfalls, they can help patients and the health care system overall.

Yes, but: “No one truly understands there’s no such thing as deleting information from a health care file,” said Pam Dixon, executive director of the World Privacy Forum. “You cannot push the rewind button.”

The medical details: Health records contain all the obvious stuff, such as height, weight and age; every appointment, vital sign, allergy, test, surgery, procedure and scan; and any prescription drugs you take, or have taken in the past.

  • But everything divulged to doctors also gets recorded. That could include describing your drinking habits, admitting responsibility in a car accident, sharing marital problems or even sending a Christmas card.

The financial details: Insurance and contact information are always on file.

  • Hospitals’ billing departments also have more personal financial information — like debit and credit card numbers — because insurance plans keep requiring patients to pay more out of pocket.

But that’s not all: Uninsured or low-income patients can apply for hospitals’ financial-assistance programs, but they have to prove they qualify.

  • That usually means handing over tax returns, pay stubs, bank statements or other relevant financial information.

The bottom line: All of this information can be exposed in data breaches, but also in medical malpractice lawsuits, workers’ compensation lawsuits or custody disputes.

Go deeper: Learn what other companies know about you