Insurance Exchanges Pivotal to Reform Law

Posted on April 25, 2012 by Kathleen Rand

The success of the reform law could depend largely on how effective state exchanges are in determining eligibility and enrolling and retaining members. There is an idea of a ‘no-wrong-door’ enrollment system through which millions of people will go and have their eligibility determined in real-time and have a top-notch customer experience. In fact, in various states, members of the state exchange board are working with state and county agencies to redefine the eligibility and enrollment processes.

Some don’t believe that the exchanges will have an impact on coverage costs – there is an expectation that rates will come down once insurance exchanges are operational. That remains to be seen. And along with ensuring that the exchange directs people to the most appropriate coverage, exchanges also need to ensure continuity of care.

Fluctuating income could cause some people to shift between Medicaid and subsidized coverage. There does not seem to be much clarity as to the insurance exchange could ensure that someone who is in the middle of treatment doesn’t have to switch health care providers.

Some safety net providers, such as free clinics, community health centers and various grant-funded programs, will need to study commercial insurance because some of their Medicaid patients will gain coverage through the exchange.

As insurers strive to build these exchanges, providers will continue to focus on developing accountable care organizations and patient-centered medical health homes. How they will integrate in the marketplace will be interesting to watch as it unfolds.

Employers Are Anxious about Reform Mandates

Posted on April 17, 2012 by Kathleen Rand

Healthcare Compliance concern for employers

Most employers but especially those with numerous lower-paid employees are getting worried about the combined effect of upcoming healthcare reform law provisions that they fear would hurt their competitive position. While these employers do not seem to be planning to drop employee health coverage completely they are exploring strategies that could reduce the impact of the changes on them — and affect health insurers in the process.

Another concern for employers relates to the provisions requiring auto-enrollment in coverage for full-time workers. Both the administrative aspects and the reaction from employees who are having deductions taken from their pay without authorizing them is a viable source of apprehension. Furthermore, employers cite worry about both the requirement that plans must pay at least 60% of actuarial value for covered services and that all employees working more than 30 hours per week must be eligible for health coverage.

Consequently, employers may change their work-force strategy so that they have fewer employees working more than 30 hours per week and therefore requiring health coverage while others might consider making part-time workers eligible for the health plans of full-time employees. Generally employers don’t want to reduce health coverage, but they are prepared to lower the value if competitor employers do. 32% of employers plan to reduce spending on dependent health coverage.

Under the Affordable Care Act, employers have financial liabilities if their coverage is deemed not affordable or not meeting the minimum value. However, one problem the employers are facing in preparing for this is that the affordability and minimum-value concepts have not yet been adequately defined. Health coverage is deemed unaffordable if it costs more than 9.5% of household income. Employers of low-wage workers are concerned that if they made coverage affordable to workers under the 9.5% requirement, it might not be affordable to the employers. Additionally, employers fear that their employees may decide not to buy health coverage costing 9.5% of their income.

Again, in general, employers are not looking to drop coverage, but are very concerned with such requirements as coverage for part-time workers. Many of them are interested in developing a new insurance product for those workers that both is affordable and in compliance with the healthcare reform law’s requirements.

But small employers also now know that these employer mandates apply only to those with more than 50 workers – hence, employers may think long and hard before they hire that 51st worker.

Many Compliance Officers Struggle in their Growing Roles

Posted on March 1, 2012 by Kathleen Rand

Compliance officers struggle with balance as role grows.

The Affordable Care Act is an overwhelming, enormous piece of legislation with so many moving parts it can be intimidating to even breathe the word compliance without creating anxiety. And it is only going to get worse. Compliance officers are doing more work than ever and their stress levels are intensifying. Some even want (in a way) a Medicare audit at their organizations because their organizations will have little choice but to provide the resources necessary to get a tough job done. While there are varying degrees of opinions as to whether organizations are supportive of the needs of compliance officers, the common denominator is that the job is difficult and becoming more so.

And there are not enough people in compliance and operations to really respond to all of the potential agencies able to audit an organization. Plus there is no clear line where a compliance officer’s role begins and where it ends. Compliance officers have to plunge themselves in departments to help them interpret regulations, solve problems and respond to audits. However, these same compliance officers must simultaneously remain objective and autonomous.

This lack of clarity engenders a great deal of stress for compliance officers. It would be helpful if employees understand that everyone in the organization should be accountable for compliance but that can be troublesome as well. Managers may not believe that a corrective action plan needs to be implemented while the compliance officer knows that it does but is reluctant to report it to the person over the manager’s head. The importance of transparency has never been better illustrated – once compliance plans have a transparent aspect to them, then managers know that their actions are visible to all and subject to explanation and accountability as to why things are not being done.

But there is a fine line to walk: Compliance officers struggle with being taken seriously and not attaining buy-in; they face an innate questioning of internal opinions, i.e., very often external sources are viewed as more credible; and these compliance officers can be perceived as less objective and more and more willing to overstep their boundaries, which allows distrust to grow and spread.

Hence it has never been more essential to solicit the help of people in operations, human resources, audit, legal, risk management and other departments. No one person can audit and monitor billing, physician relationships, privacy, and quality of care as well as conducting compliance-program effectiveness reviews. The development of checklists or audit tools for various departments to administer can be a viable alternative to leaving the onus on one person or one department.

Unfortunately, this is not the easiest task to pull off; executives and board members may not understand the role of compliance officers and compliance programs and large the task actually can be which can leave the compliance department on their own. Additionally, there is an unspoken concern about bringing issues to the compliance officers – a fear of retaliation or worries about losing positions or power, creating a vacuum of little support and no enforcement.

Ironically, the federal government under healthcare reform is holding board members accountable for their organization’s compliance. So the buy-in should be unequivocal. Many compliance officers believe the only event that would affect the current climate is a big audit or an enforcement action. Forcing healthcare organizations to act seems to be the surest way for compliance departments to be validated. Until then compliance officers will continue to push for the adoption of regulatory requirements and ethical standards while proving that their programs positively affects outcomes and reduces risk overall.

Compliance and Employee Buy-In

Posted on January 24, 2012 by Kathleen Rand

Healthcare Compliance is daunting but necessary

Under the Affordable Care Act, compliance programs have become mandatory. To have an effective compliance and ethics program, according to the ACA, an organization “shall (1) exercise due diligence to prevent and detect criminal conduct; and (2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Compliance officers are stepping up their efforts to evaluate compliance effectiveness in light of the health reform law’s mandate, which will make programs a condition of Medicare and Medicaid participation, and the HHS Office of Inspector General’s Medicare compliance reviews, which include hospital compliance programs.

With the government looking over their shoulders, theses compliance officers are trying to find the best ways to reduce risk in their organizations through processes, and to demonstrate that risk has been reduced through outcomes. An effective compliance program encompasses seven fundamental components: policies and procedures; management oversight; education and training; and reporting; enforcement and discipline; auditing and monitoring; and remedy and corrective action. However, the pivotal factor in any program is employee buy-in and behavior.

Compliance programs can have solid structure and well-defined process which covers the principles of acceptable compliance such as discrimination and harassment, confidentiality, reporting illegal or unethical behavior, and licensing and professional credentialing. Yet, even mature compliance programs have a long way to go in the effectiveness-evaluation department, according to compliance officers, who are starting to look outside the box for ways to determine their impact on the organization.

Design is good, but organizations need to know what difference is being made, and if an impact is being made on employee behavior and the organization’s culture. A compliance program should have full integration, not just focus on specific areas. Additionally, another step would be valuable in the compliance model: a measurement of the change created.

For example, an error is identified and fixed, and a corrective action plan is implemented and reported to the board. But did it change anyone’s behavior? Is anyone monitoring the corrective action plan? If the error recurs, is a root cause analysis conducted to find out why behavior didn’t change? Most people in the compliance world do auditing/monitoring and corrective action plans, but accountability regarding the change mage would go a long way in strengthening compliance programs.

Furthermore, employee behavior is a significant indicator of buy-in and overall compliance program effectiveness. The goal is for employees to call the compliance office before there’s a problem, for their awareness to increase. Culturally, it is so important for compliance to permeate as a value.

HIPAA Security Explored

Posted on January 21, 2012 by Kathleen Rand

A significant provision of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. To date, the implementation of HIPAA standards has increased the use of electronic data interchange. The Affordable Care Act of 2010 will further these increases and include requirements that will be necessary to adopt. In addition, health plans will be required to certify their compliance. The Act provides for substantial penalties for failures to certify or comply with the new standards and operating rules.

Given the above stipulations, we are going to explore the some issues pertaining to HIPAA computer and technology security.

One of the first steps is to understand why computer security in healthcare is so important. It seems rather rhetorical: the answer is because everyone cares about the privacy and integrity of their health information. In most cases, the point of computer security is to prevent personal health information from falling into the wrong hands or being inadvertently altered or destroyed.

The HIPAA security standards apply to protected health information (PHI) that is either stored or transmitted electronically. PHI is health information in any form that personally identifies a patient.

Computers have made the issue of identity much more problematic. People have always been able to use someone else’s identity for criminal purposes, but the problem is aggravated when we can’t use physical means to confirm their identity. How do you know the person whose name is attached to an electronic health record (EHR) entry really made it? It’s difficult. The bottom line is this: Computer security is needed to protect the privacy of those whose information that is stored and managed. It is also needed to protect an organization from the risk of penalty and legal liability if private information is used or released.

The HIPAA security standards require healthcare organizations to have written security policies and procedures, including those that cover personnel training and sanctions for security policy violations. Your office staff and colleagues must truly understand basic security logic and take their role in protecting patients’ privacy very seriously.

The HIPAA security standards require your practice to appoint someone as the security manager, so you might want to assign these tasks to that person. Furthermore, an organization must also understand what encryption will do and when it is necessary. Contrary to what many people are saying, the HIPAA security standards do not require e-mails, or any other transmission from a doctor’s office, to be encrypted. The standards do require your practice to assess whether its unencrypted transmissions of health information are at risk of being accessed by unauthorized entities.

Encryption is the transformation of a message from plain text into nonsensical cipher text before the message is sent. Anyone who steals the cipher text message will not be able to understand it. Only those who have the code used to encrypt the message can convert it back from cipher to plain text and reveal its meaning.

For several reasons, encryption is generally not employed for information stored on a computer’s hard disk or transferred within an office’s local area network. First, the risk of disclosure to unauthorized parties is small in the closed environment. Second, encrypting data is costly. Third, encryption generally slows down the movement of information within software applications and databases.

The HIPAA security standards require an organization to obtain assurances from business associates that they will implement the necessary safeguards to protect the confidentiality, integrity and availability of the electronic health information they create, maintain or transmit on behalf of the organization.

Remember that there is no one-size-fits-all approach for computer security. What counts is being “reasonable and appropriate” when matching security measures with the level of risk that pertains to an organization’s situation.

Ten HIPAA Questions Answered

Posted on January 18, 2012 by Kathleen Rand

In this blog, we will review ten questions about the Health Insurance Portability and Accountability Act, or HIPAA. The legislation can seem overwhelming; sometimes breaking it down can make it much easier to digest.

Of course to ensure that your organization is prepared to overcome any compliance roadblock, please consult BHM regarding our HIPAA Compliance analysis: click here for more information

HIPAA ensures a 'lock' on privacy.

1. What is HIPAA?

The Health Insurance Portability and Accountability Act, or HIPAA, was passed by the federal government in 1996. The original intention of HIPAA

was to help guarantee the continuation of health insurance coverage when an individual left his or her job. Additionally, HIPAA was expanded to include a number of provisions in order to simplify and lower the costs of processing health information. A number of these provisions deal with the standardization of electronic transactions, particularly regarding security and privacy issues.

2. What is the HIPAA Security Rule?

HIPAA requires the implementation of security standards to help protect health information. Yet, it does not spell out any specific security requirements. HIPAA simply necessitates administrative, technical and physical safeguards to make sure that the integrity of health information remains confidential. These requirements have been defined and published in the HIPAA Security Rule by the Department of Health and Human Services.

4. What type of information is protected by HIPAA?

Health information is defined as any information, whether spoken or recorded in any form, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse. This information can be related to the past, present or future physical or mental health condition of an individual, the delivery of health care to an individual, or the past, present or future payment for the provision of healthcare to an individual.

5. Who must comply with the HIPAA Security Rule?

Any Health Plan, Health Care Clearinghouse or a Health Care Provider who transmits health information in electronic form must comply with the HIPAA Security Rule. A Health Plan is defined as an individual or group plan that provides or pays the cost of medical care. A Health Care Clearinghouse is defined as a public or private entity, including a billing service, re-pricing company, community health management information system or community health information system that does either of the following functions: (1) Processes health information received from another entity in a nonstandard format; or (2) Receives a standard transaction from another entity and processes health information into nonstandard format for the receiving entity. A Health Care Provider is defined as a provider of services, a provider of medical or health services and any other person or organization who delivers, bills or is paid for health care in the normal course of business.

6. What are the repercussions of non-compliance with HIPAA?

Failure to comply with HIPAA requirements could result in significant financial loss through civil penalties, not to mention damage to an organization’s reputation. HIPAA states that civil penalties up to $100 per day per person can be issued for non-compliance. While this does not seem like a large sum, it can quickly add up. For instance, if student health information was exposed for 1000 students over the course of 30 days, the fines could reach $3,000,000.

7. May a physician or hospital “fax” a patient’s medical information to other physicians or to an insurer?

Yes. The Privacy Rules do not prohibit a “covered entity” from faxing protected health information. A physician should be sure, however, to comply with the Privacy Rules’ requirements for disclosures generally. For example, the physician should check whether the “minimum necessary” rule applies and, if it does, limit the information in the fax to the minimum necessary information.

Also, a physician should be sure to have appropriate security safeguards in place that are administrative, technical, and physical in nature. For example, the physician should use policies and procedures that require office staff to verify the recipient’s fax number and use a cover sheet that does not include protected health information.

8. What is the “minimum necessary” standard?

HIPAA requires a physician to make reasonable efforts to limit the amount of protected health information that the physician uses or discloses to the minimum amount that is necessary to accomplish the purpose of the use or disclosure.

Importantly, this requirement does not apply when a physician discloses information to another provider for treatment purposes or when a physician requests information from another provider for treatment purposes. Accordingly, the minimum necessary standard should not interfere with a physician’s ability to provide appropriate treatment to patients.

9. May a physician discuss information about a patient’s treatment with other physicians using e-mail or fax?

Yes. Physicians may use any method of communication — including e-mail, oral conversations, written letters, or other methods (including sending facsimiles) — so long as the physician uses “reasonable and appropriate safeguards” to protect the communication. HIPAA does not prohibit a covered entity from emailing or faxing protected health information to a physician.

If a covered entity refers to the Privacy Rules as the reason the individual will not fax information to a physician, the physician may direct the covered entity to the Department of Health and Human Services’ Frequently Asked Questions at: http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html. The physician may also assure the individual that appropriate safeguards are in place to receive the fax securely.

10. If a patient’s family members call to ask how their loved one is doing, what can the treating physician disclose?

HIPAA allows a physician to share a patient’s information with the patient’s family member or friend if the information is limited to what is directly relevant to that person’s involvement in the patient’s care. For example, a physician may tell a person living with the patient that the patient needs plenty of rest and lots of fluids or that the patient needs to take a prescribed medication twice daily with food. The physician should not share more information than the person needs to assist with the patient’s care.

A physician should not share a patient’s information with the patient’s family or friends if the patient has asked the physician not to, or if the physician believes, in his/her professional judgment, a disclosure would be inappropriate.

Fraud and Abuse-False Claims Act in Healthcare

Posted on September 16, 2011 by Danyell Jones

The False Claims Act, as we discussed in our prior post, encompasses any government spending program. Our focus will be on the FCA as it specifically relates to healthcare fraud and abuse.

The FCA was amended again in 1993. Within that amendment the Attorney General announced that pursuing health care fraud and abuse would be a top priority for the Department of Justice. Through the use of this law, the government has obtained huge health care fraud settlements in recent years, and has paid sizable payments to private individuals who have sued on behalf of the government.

The government has used the False Claims Act to investigate a wide range of health care providers, from managed care organizations, pharmaceutical companies, and chains of hospitals, to physician practices, home health agencies and durable medical equipment suppliers. The government has also pursued the entities that assist plans and providers with health care transactions, such as billing companies, Medicare carriers, and fiscal intermediaries.

The False Claims Act has been applied in a wide variety of situations involving knowing, false claims, including by not limited to the following:

1. Claims for “medically unnecessary” health care.

2. Double-billing by one provider.

3. Duplication of billing by two providers: for instance, a physician who bills for an analysis of X-rays when a radiologist has already performed and billed the federal program for the analysis.

4. Billing for patients not eligible to receive a benefit such as home health or hospice.

5. “Un-bundling” of services required by Medicare rules to be “bundled.”

7. Improper administration of federal programs by fiscal intermediaries and carriers, including failure to process claims and correspondence in accordance with program agency guidelines.

8. Billing for ghost patients and other care not provided at all.

9. Allocating costs that should be covered by private insurers to a federal health program.

10. Refusal to provide medically necessary care covered under capitated fee arrangements. In other words, a provider indirectly represents that it is providing the services covered by a relevant contract or regulatory provisions when it knows that it is not. This conduct is also known as knowing “under utilization.” It often involves denial of authorization for care, failure to authorize care in a timely fashion, and causing network providers to deny care through the use of financial or other pressure.

The key to survival for many organizations in this current economic climate is to attempt to prevent fraud. Knowing the likely areas in which most fraud is committed and a financial analysis are two effective means to safeguard organizations and to enable them stay competitive and profitable

The Cost of Healthcare Fraud and Abuse

Posted on September 6, 2011 by Danyell Jones

With a tight economy, budgetary cutbacks, and lawmakers looking for ever increasing ways to recoup money, healthcare fraud and abuse has become an issue of singular focus lately.

Back in 2010 CNN ran an excellent article on the cost of fraud and abuse (for article click here). Little has changed since then and healthcare fraud and abuse is still having a staggering impact on the country’s bottom line. In the upcoming week we will take a look at some of the key healthcare fraud related issues including;

The Qui Tam provisions of the False Claims Act
Reverse false claims and Medicare RAC audits
The Billion dollar cost of Fraud
What fraud initiatives are on the horizon

Here is a video from NBC Nightly News…..this story focuses on Florida, a state identified as one of the most egregious offenders when it comes to Medicaid/Medicare fraud.

Visit msnbc.com for breaking news, world news, and news about the economy

USA Today Predicts Fraud Prosecutions to Rise by 85%

Posted on September 1, 2011 by Danyell Jones

Kelly Kennedy a reporter for USA Today recently wrote a story about healthcare fraud and abuse, and shared a staggering statistic, according to government statistics “federal health care fraud prosecution in the first eight months of 2011 are on pace to rise 85% over last year”

To read the full article please click here

What is causing this dramatic increase? The Obama administrations ramped up fraud enforcement and economic recoupment efforts which are being banked on as a way to pay for Obamas proposed Health Care Reform plans.

According to the article, statistics which were harvested and released by the Transactional Records Access Clearinghouse (TRAC) show that prosecutions went from 731 people in 2010 to 903 people so far in 2011. Furthermore “prosecutions have gone up 71% from five years ago, according to TRAC.”

With such an emphasis on recoupment from both a fraud and abuse perspective, and a RAC audit perspective it will become more important than ever that organizations are aware of all of the new laws and regulations which are being released, and that they have a healthcare compliance program in place to mitigate any risk to their organization.

The key is preparation…..so make sure that your organization is ready. If you are not sure if you have a solid healthcare compliance program, BHM can help. Just give us a call at 1-888-831-1171 to set up your free initial consultation.

From Reform to Fraud and Abuse Prevention

Posted on August 29, 2011 by Danyell Jones

We would like to thank everyone who has visited our blog this month and joined us for our online series about some of the more particular aspects of healthcare reform, particularly our HIPAA 5010 posts.

We understand that this topic is extremely expansive, and will come back to visit it again in the future through some of our other posts. Indeed healthcare reform has already began to impact the industry, and will continue to do so in the future. Compliance in healthcare will be impacted, relationships with payers will be affected, and, as we have shown previously, there will be more of an emphasis on fraud and abuse prevention. September is just around the corner and has been designated by the Centers for Medicare and Medicaid Services(CMS) as Healthcare Fraud Prevention and Awareness Month. We think that this is an excellent time to shift gears and look at the topic of fraud and abuse prevention and awareness. We hope that you will join us again this week as we continue to explore relevant healthcare topics, and engage in conversations with you, our viewers.

In the meantime please feel free to check out this video to become acquainted with the basics of what healthcare fraud is: What is Healthcare Fraud

And watch this campaign for fraud and abuse prevention for some interesting statistics on how fraud is impacting healthcare costs:

Until next time!