Performing regular HIPAA risk assessments is an important part of protecting your practice and your patients, but security problems and loss of patient data are more than violations of government regulations. They affect business continuity and the safety of your patients’ health information.

While HIPAA has required physician practices to conduct comprehensive security risk assessments since 2005, the new HIPAA omnibus rule, finalized earlier this year, now requires practice professionals to take additional steps if protected health information (PHI) is breached. And the process is onerous and expensive, says Robert Tennant, MA, MGMA Government Affairs senior policy advisor. Eligible professionals (EPs) are also required to conduct risk assessments to achieve meaningful use. Lacking a comprehensive risk analysis is one of the primary reasons EPs fail meaningful use audits Tennant says.

It’s not enough to recognize that a risk exists,” he adds. “You have to find a way to address the problem.”

Tennant suggests practice professionals ask critical “what if” questions to ensure they identify potential threats and develop a plan to mitigate possible problems. Here are three common “what if” scenarios facing practices.

What if a provider loses his or her mobile device?

Laptops, phones and tablets are particularly vulnerable to loss because of their portability, and misplacing them is one of the most common causes of a privacy breach, Tennant says.

If PHI lives on a mobile device— rather than in a cloud-based system — and it is lost or stolen, that is considered a breach, which triggers the notification requirements. Requiring a username and password to use the device is not enough. If you have PHI on the equipment, it is best to encrypt the data, Tennant says.

It’s important to remember that according to the government, it is not considered a privacy breach if a physician loses a mobile device that contains encrypted PHI but you will need to notify patients and others if unencrypted PHI has been lost or stolen.

The reporting process following a privacy breach is daunting — identifying and correcting the breach, providing written notification to all impacted patients, the government, and in breaches involving more than 500 individuals, local media Risk assessment and mitigation can help prevent that type of disruption. When you’re performing this type of assessment, determine whether you could use mobile devices simply as conduits to the remote records database instead of storing PHI on them, Tennant adds.

What if your computer screens are visible to patients or visitors?

Your providers may leave laptops on and open in exam rooms or patient areas, or your EHR may be set up on desktop computers throughout the practice. This provides an opportunity for patients or visitors to access PHI if you don’t have the proper safeguards in place.

In the 2005 HIPAA Security Rule, the government provides three sets of security standards for the protection of PHI under the HIPAA security rule: Administrative, physical and technical safeguards. For protecting computers in the office, these safeguards include using robust passwords that are discreetly recorded (this means not using “password” as a password and not writing password information on a Post-It next to the computer), establishing a unique username and password for each staff member and ensuring administrators have access to all staff members’ log-in information.

You should also set up your devices with an automatic log-off setting in case a staff member leaves a workstation unattended.

What if your server goes down?

HIPAA requires practice professionals to establish contingency plans that outline policies and procedures for responding to an emergency or other occurrence, such as a server crash, that compromises systems containing PHI. Protections should include a data back-up plan, disaster recovery plan and an emergency mode operation plan.

Tennant recommends consulting with your EHR and practice management system (PMS) vendors to confirm appropriate data back-up plans on their end. Ask about frequency of back-ups and whether companies offer electronic PHI storage off-site to protect the practice in case of fire or other calamity. It’s also important to know whether you can receive immediate assistance if you lose power or your server goes down. Can you call your software vendor or have you contracted with a third-party information technology company that will send representatives to the practice at a moment’s notice for repairs? Consider making that a part of your practice’s business continuity plan.

Tennant also encourages professionals to consider an alternative documentation approach if they aren’t able restore access to an EHR or PMS. You may have to temporarily use paper records and re-enter the information into your systems once the server is restored.

White Paper Contents:

Executive Summary
ICD-10 History
ICD-9-CM Limitations
ICD-10 Specifics
ICD-10 Documentation
Impact of ICD-10
Successful ICD-10 Transition

WHITE PAPER

It is not a secret that January 1, 2012 will usher in a huge change to healthcare. Once HIPAA Version 5010 is fully enacted throughout the industry, practices will need to ensure their claims are delivered to payers based on the new transaction standards—or risk losing proper reimbursement for services rendered. Although a majority of the necessary changes associated with HIPAA 5010 will be handled by technology vendors, a few major updates to claims submission must be handled directly by each medical practice in the nation. Specifically, practices will have to ensure they are prepared for the new billing provider address and zip code requirements.

As the deadline for 5010 looms near, more and more medical practices are beginning to review exactly what these two changes mean to their claims submission processes. Here is a clarification, plus some suggestions to help practices prepare: 

• Billing Provider Address: Once HIPAA 5010 is implemented with a payer, each medical practice must report a physical street address in the Provider Billing address field. Medical practices that wish to have payments delivered to a PO Box (or any address other than the Provider Billing address) can report that address in the Pay-To address field. While a PO Box address cannot be used as the practice’s street address, the PO Box may still be used for other claim addresses, such as a payer or patient address.

• Nine-Digit Zip Codes: Once HIPAA 5010 is implemented, a nine-digit zip code must be reported in the practice’s Billing Provider and Service Facility Location address fields. You can continue to use a five-digit zip code for the practice’s Pay-To Address, the Subscriber, the Patient, the Payer and all other addresses on the claim. To be prepared, review the zip code values you currently have set up for your practice street and all service facility addresses to be sure they are valid nine-digit zip codes. If you are unsure what your nine-digit zip is, verify with the USPS at www.usps.com.

Although there are a number of changes that will occur with the transition, these two will impact most medical practices and cannot be handled exclusively by technology vendors. Don’t leave your revenue to chance – make sure your practice prepares for these changes long before HIPAA 5010 is enacted. 

Editor's note: The comments section on this blog have been disabled due to spam attacks. MGMA is working on a solution to this problem and hopes to enable the comment function soon. Thank you for your patience.

By Ken Bradley, Vice President of Strategic Planning, Navicure in Atlanta

An important step in preparing for the transition to HIPAA Version 5010 is understanding the purpose behind the new standard. For years, the healthcare industry has engaged in claims filing, payment posting, eligibility verification and other vital revenue-cycle management functions with a less-than-perfect standard “language” of communication. This has yielded inefficient processes and a lack of consistency among healthcare organizations. Version 5010 offers an improved standard language with the intent of supporting effective and efficient communication among healthcare entities.

Before the benefits of this improved standardization can be realized, however, the entire healthcare industry —including payers and providers — must adopt the new standard on Jan. 1, 2012. While the journey to Version 5010 implementation will be different for every practice, there are some common activities in which all practices should engage in to support an effective transition:

• Creating an implementation planWorking with health information technology (HIT) vendors, billing services and clearinghouses to determine what steps need to be taken to make the transition to Version 5010
• Obtaining testing schedules from all HIT vendors and devoting staff time and resources to testing efforts
• Updating all necessary HIT software to recognize Version 5010
• Training staff on the transition to Version 5010, with special emphasis on billing staff
• Testing internal procedures and troubleshooting
• Communicating with major payers directly about their Version 5010 plans
• Testing your Version 5010 transactions with Medicare and your other major payers
• Monitoring operational data files to ensure solutions are working properly

A key component on this checklist is ensuring that your practice management and billing system software will be Version 5010 compliant by the implementation date. Practices that do not do this could experience claim rejections and significant disruptions in their cash flow. Practices can verify that their HIT vendors are prepared for the transition by asking:

• When will you be ready to transition to Version 5010?
• Will you be able to handle both Version 4010 and Version 5010 transactions?
• Will there be any software updates? If so, will there be a cost associated with them?
• When can my practice participate in testing with clearinghouses and payors?
• What tools and services will you offer to ensure no interruption to cash flow during the transition period?

In addition to increased standardization, Version 5010 also serves as a critical step in preparing for the transition to ICD-10, which is scheduled to occur in October 2013. Without a successful Version 5010 conversion, practices will not be able to move to ICD-10 because Version 4010 will not support the new codes. This underscores the importance of a systematic Version 5010 preparation process that involves both HIT vendors and payers.

Note: MGMA does not endorse any solutions put forth in this column. We encourage readers to explore all Version 5010/ICD-10 requirements and recommendations.

AAP’s Practice Management Online (membership required)
http://practice.aap.org/

Kentucky Chapter of the AAP
http://www.kyaap.org/joomla/index.php

Ohio Chapter of the AAP
http://ohioaap.org

Indiana Chapter of the AAP
http://inaap.org