WHAT YOU NEED TO KNOW/DO ABOUT RANSOMWARE

By Emilie DiChristina MBA, for PracticeFirst

In the NEWS…RANSOMWARE

Last week, approximately June 28, 2017, major organizations in Europe and the US were attacked by the “Petya” RANSOMWARE. In Pittsburgh, Pennsylvania, Heritage Valley Health System was hit by this malware, impacting the safety and treatment of patients across their hospitals and health centers.

About 6 weeks ago everyone heard of the RANSOMWARE attack on the Erie County Medical Center Corporation, and of course on companies across the world.

Possibly the first RANSOMWARE attack in our immediate area occurred in May 2016, impacting the public, mental and health departments of the Niagara County Health Departments.

SCARY STUFF

Whether you are a provider or a patient, having your records held hostage is scary. The risk of incorrect prescribing, delayed surgeries, unknown allergies and delayed test results and possibly completely lost records cannot be oversold.

Having your records possibly viewed by a hacker is scary. Although the medical information loss is worrisome, the loss of vital identifiers can also be frightening. Your DOB, SS, address, bank account information…shall we go on?

Even scarier, the inability to get the information back, explaining to the government why you were unable to secure your data, and possible lawsuits, penalties and the loss of trust.

GOVERNMENT?

Let’s review what you, as a covered entity, are required to do regarding electronic data…

CMS requirements for Electronic Security apply to any “covered entity,” which means:

  • Any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard
  • Any individual or group plan that provides or pays the cost of health care (e.g., a health insurance issuer and the Medicare and Medicaid programs).
  • Health Care Clearinghouses – A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format, or vice-versa.

Why then, if healthcare providers are following the CMS Electronic Security Rules, are they falling victim to RANSOMWARE attacks, or in fact, any virus?

CMS/HIPAA General Rules for meeting the Security Standard include the following safeguards:

ADMINISTRATIVE – Security Management Process – Assigned Security Responsibility – Workforce Security – Information Access Management – Security Awareness and Training – Security Incident Procedures – Contingency Plan – Evaluation – Business Associate Contracts and Other Arrangements

PHYSICAL – Facility Access Controls – Workstation Use – Workstation Security – Device and Media Controls

TECHNICAL SAFEGUARDS – Access Control – Audit Controls – Integrity – Person or Entity Authentication – Transmission Security

So therefore, if an organization has policies, procedures, and documentation requirements in place to meet the CMS requirements for electronic device and information security, viruses and RANSOMWARE should not be a problem…Right?

Unfortunately, there are 2 major issues (and a host of minor ones) that may put your organization at risk of either violating the EPHI security requirements of CMS, or of suffering a virus or RANSOMWARE attack.

THE THINGS THAT PUT YOUR ORGANIZATION AT RISK

The first MAJOR RISK is that we all use, or are, PEOPLE.

The 2017 Level 3 Healthcare Security Study conducted by HIMSS Analytics and sponsored by Level 3 Communications found that approximately 80% of surveyed health IT executives and professionals report that employee security awareness is their greatest concern regarding healthcare data security.

In large organizations there are large numbers of people, from the big guns of the Administrators and Providers, extending to housekeeping, students, security and Business Associates.

These big entities have people writing HIPAA and E-Security policies, giving inservices, even auditing HIPAA and E-Security. The job of these “people” is specifically to ensure that the rules of CMS are followed, up to and including those regarding E-Security.

So, why have these big entities been hit by viruses and RANSOMWARE?

Unfortunately, the sheer volume of people in these organizations makes security a real issue in physical plant (how to prevent someone claiming slip and fall injury), ID theft (people stealing a patient’s demographic information), HIPAA violations (both inadvertent, such as the lobby conversation, and deliberate, as in reviewing the info of a VIP patient), and of course in E-Security.

E-Security can also be the defining factor in the theft of patient information or HIPAA data breaches as well as malware and viruses entering your IT system. Just think how many people have personal phones or other devices such as iPads, as well as institution-provided electronic devices. How many Medical and Dental residents are coming into these places in July, each getting their own usernames, passwords, and VPN access to all kinds of IT systems and programs?

People are the issue in small and medium sized healthcare businesses as well. In these situations, the problem may be too few people, with not enough expertise to handle IT concerns, or a feeling that as a small business neither CMS nor RANSOMWARE attackers will come after you.

Personnel working in smaller practices may use their personal electronic devices for work, or may, as with any business, plug them into the workstation by USB. Further, people in smaller organizations often travel between offices and take home HIPAA material or electronic devices. Also, more often than not, you begin to think of staff as family members, or you have family members working there, so you cannot conceive of them doing something that could harm your practice.

When you see this screen in smaller organizations, it is likely that data from your PC can be migrated to the personal device, or from the personal device. This is a common source of virus and malware transmission as well as HIPAA breaches and data theft!

 

Bottom line? Unless every person you hire, use as a Business Associate, allow to intern, shadow, contract, clean, etc. for you is completely honest, follows all the rules, never opens personal email or uses personal devices on your system, never uses open Wi-Fi, and always turns off their computer at least once per week (not logging off, turning off) to allow for patches, people put you at risk.

The Identity Theft Resource Center and CyberScout released a survey in 2017 that showed the leading cause of healthcare data breaches was employee error or negligence.

The second MAJOR RISK(s) would be a combo of time, money and fatigue.

The HIMSS Analytics survey listed competing priorities and budget concerns as the top barriers in adopting a comprehensive security program.

While budget concerns may limit the number of people we have monitoring employee behavior, the ability to afford full time IT support, or even whether or not you have purchased licenses for the newest operating systems, the competing priority and fatigue issues may be worse.

In every organization, your specific priority depends on your role in the organization. A CEO or CIO will have different priorities than a clinical provider who just wants to log on, complete a task and get the job done.

The smaller practice is impacted by monetary priority fairly significantly, as they cannot always afford IT personnel or regular updates to computer programs; they are often the entities using older Operating Systems, and many do not even have a written compliance and E-Security plan, let alone constantly remind staff about it. If you are working in a small practice, go to your Administrator or Principal MD and say, “Does our practice have E-security threat intelligence, sandboxing or DDoS mitigation in place?” and watch their eyes glaze over.

And fatigue – One major reality of health care is overall fatigue, mental and physical. It is as real as what we call ICU alarm fatigue – too many things beeping and we tune everything out and miss something important.

We have been bombarded with HIPAA training for about 2 decades. When E-Security was added, we were already so exhausted by HIPAA, we barely listened to the new training.

We have passwords and usernames for so many programs we do the unthinkable, that is to use the same passwords where allowed or to write everything down and stick it near our work station or on our phones, etc.

We also, although trying to remember to log out of programs, or even the PC we are using, often do not turn the actual PC off (the necessary patches and updates to prevent malware can take place when the PC is turned back on). The reason most of us conveniently forget to turn off the PC is the delay we experience when turning the PC back on; the patches and updates can take quite a bit of time if the machine hadn’t been turned off recently.

We are also so focused on getting our jobs done that we forget the exact policy or process related to IT security, for example clicking on an attachment in an email you think is from a colleague, or accessing streaming sites for radio, music, YouTube, or worse, accessing your Facebook from your work computer.

And we allow people to plug their personal USB or USB driven devices into their work stations!! Making it easy for malware to get into our system and for ePHI or Demographic data to be transferred to the personal device!!!

The HIMSS Analytics study also listed clinical workflows, employee awareness and in-house expertise as top security program barriers.

As they say – brown stuff happens, and sometimes it hits the fan!

So, if you have limited time, limited money, conflicting priorities, your best bet to protect your organization against malware, viruses or RANSOMWARE, even in the smallest organization, is to have a thorough and effective E-Security program as required by CMS.

Sounds too simple? Think about this…

RANSOMWARE attacks, virus intrusions, malware all violate the major 3 tenets of HIPAA Security:

Confidentiality – EPHI is accessible only by authorized people and processes (obviously if your system is hacked… someone unauthorized may be looking).

Integrity – EPHI is not altered or destroyed in an unauthorized manner (RANSOMWARE threatens to destroy your data, which would include patient records if you don’t pay up, and even if you don’t pay, some data may still be lost depending on how long ago you backed up data).

Availability – EPHI can be accessed as needed by an authorized person (When a virus or RANSOMWARE locks up your system, and no one can access patient records… well you get the drift).

SUMMARY

  1. Make sure you are following the regulations put forth by CMS, no matter how small your organization may be, and that you have the required policies, enforce those policies and audit staff performance under those policies. This may not stop RANSOMWARE or other malware but it can indeed mitigate some of the financial, penalty and risk fallout after the event.
  2. Update the policies and procedures and have your people sign off on each of them or the entire manual, minimally yearly, when hired and if found to be doing something incorrect.
  3. Have a plan to work without your electronic medical records. How will you cancel patients, move patients, schedule patients? How will you treat those needing immediate care? How will you record your treatment, and then ensure it gets updated into the full EMR later?
  4. Strictly enforce policies against, and punish, use of personal devices, use of personal email, opening of streaming radio, YouTube, Facebook, and any email download without first putting it through a virus check.
  5. Require all staff in small offices, offices where workstations are not shared, etc. to not only log off, but also shut down their PCs and workstations at the end of their work week so IT updates (if you have an active IT provider), operating system patches, and Anti-Virus and Malware program updates can be installed when the computer is turned on again at the beginning of the week.
  6. Make sure that all of your systems, EMR, medical equipment related, billing related, even things like QuickBooks, etc. are updated regularly.

 

 

 

 

COMPLIANCE UPDATES APRIL 2017

By Becky Amann, Compliance Manager

MEDICARE LEARNING NETWORK (MLN)

The Centers for Medicare and Medicaid Services (CMS) has recently reminded providers regarding their MLN publication pertaining to HIPAA Basics for Providers: Privacy, Security and Breach Notification Rules.

PF will be utilizing this document as part of our ongoing employee training regarding HIPAA.

This publication is located at: https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurity.pdf

For Compliance questions, please contact Becky Amann at 716-348-3902 or beckya@pracfirst.com

 

THE SMARTPHONE – POSSIBLE RISK TO YOUR PRACTICE?

By Emilie DiChristina for PracticeFirst

Almost everyone has a smartphone now, but even the old style flip phone can be a risk to your practice.

Patient phones can present a HIPAA problem, a customer service nightmare and a medico-legal/malpractice issue. This shouldn’t be a surprise to you, but may be overlooked due to the ubiquitous nature of the technology. We are used to seeing a cell phone in everyone’s hand, no big deal right?

It can be a big deal from a medico-legal standpoint as the presence of a cell phone in the examination room can mean:

  • Your interaction, or your staff member’s interaction is being recorded – even if the phone is not out in the open, it may be recording the conversation. This could be a positive in that the patient is hoping to not miss any vital instruction. It could also be a negative in that any interaction the patient is unhappy with can wind up on social media, or in the hands of a lawyer.
  • When a second person is in the exam room with the patient, they may appear to be playing a game on their phone but may instead be video-taping the interaction. Now you have the same issues of the interaction ending up on social media, or in the hands of a lawyer, or being a civil rights/HIPAA violation.
  • Also, whether it is an old style flip phone or smart phone, pictures can be taken of charts, records, dirt in the corner of an exam room, over-flowing sharps containers…you get where this is going.

Staff and provider phones can also present HIPAA, customer service and medico-legal/malpractice issues as well as Human Resource issues.

  • Customer service can be impacted when employees or providers are perceived as being too involved with their phones. You may be looking up a PDR notation, but to the patient, you are not looking at them. When phones are seen on the desks of staff, patients will assume the worst as well.
  • Of course, recording or video-taping can also be an issue with employees. There are many stories of HIPAA violations when employees have taken pics of a special tattoo or piercing and posted them on social media, for example. Staff can also take a pic of a patient demographic sheet or computer screen as well, allowing PHI or ID information to leave the practice quite easily.
  • Other examples of HIPAA risk include providers and staff texting any information about a patient without using proper encryption software, losing a phone that has any PHI on it, and…
  • An often forgotten risk – the employee plugging their phone into a computer via USB to recharge. Unless your computers are hardened against intrusion, when the phone is plugged in, it becomes a storage device potentially allowing the download of PHI or ID information such as Social Security #’s, DOB, addresses, etc. directly on to the phone. One requirement of HIPAA/OCR is that you have a plan in place to prevent this because the risk is so significant.
  • For people with access to the financial records of the practice or providers, downloading this data to the phone can be a nice safeguard for potential termination.
  • When phones (and other devices) are plugged into computers used for patient care or practice issues there is also the risk of a virus or malware transferring into the computer and/or network. If insurers and governments can get hacked or be held hostage to data breach, your practice is at risk as well.

And there are HR risks as well. Allowing your staff to have a cell phone readily available to them during hours of operation reduces productivity. Practice costs are high enough, but hearing there is not enough time for your staff to get their work done, when you have seen them with their phone in hand should trigger an alert.

Human resources professionals often recommend that employee phones not be allowed in personnel meetings whether it is a positive or negative meeting. You may be aware of the trend for employees to post reviews of former employers, but if they have audio or video to go with their claims, the problem rises to a recruitment nightmare and possible Labor Board investigation should the recorded meeting be juicy enough.

So what do you do?

  • All phones that are used for texting/emailing PHI need to be owned by the practice, be password protected, be able to be wiped immediately if lost or stolen, and should use proper encryption software. These phones should also not be used for personal purposes by staff.
  • Non-provider staff members should not be allowed to use their personal phones at their work station, nor should they be carrying them on their person (e.g. keep them in locker or purse), and use should be restricted to break time only, and only in a non-patient care area like a break room. Staff members should also be prohibited from charging their personal devices on a practice computer.
  • Providers using their phones in front of patients should explain why/what they are doing so the patient understands that they are not being ignored.
  • Practices should consider requesting that no cell phones be used in examination rooms, even by an accompanying visitor. To make this more palatable, it should be explained that the medical experience is improved when all parties are paying attention to the patient.

BILLING UPDATES – AUGUST 2016


COMPLIANCE UPDATES – APRIL 2016

OCR LAUNCHES PHASE 2 OF HIPAA AUDIT PROGRAM

As part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates.

The audit process begins with verification of an entity’s address and contact information. This is handled through an e-mail sent to covered entities (CE) and business associates (BA) requesting that their contact information be provided to OCR in a timely manner. Once verification has been received, a pre-audit questionnaire will be transmitted to gather data from the CE. OCR will ask that the covered entity identify their business associates. They are encouraging covered entities to prepare a list of each business associate with their contact information, so they are able to respond to this request. The data that is gathered will be used along with other information to create a potential audit subject pool.

If a CE or BA does not respond to OCR’s request for verification or their pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool. Therefore, if no response is received, the entity may still be selected for an audit or be subjected to a compliance review.

Please check your junk or spam e-mail for any e-mails from OCR. As your business associate, please notify Becky Amann at Practicefirst, should you receive any e-mails from the OCR regarding a Phase 2 audit. This will allow us to watch for any e-mails from OCR as well.

Additional information regarding Phase 2 of the HIPAA Audit Program is available at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html

For Compliance questions, please contact Becky Amann at 716-348-3902 or beckya@pracfirst.com

BILLING UPDATES FEBRUARY 2016

By Jacqueline Lucas, Medical Billing Director 

IRS INSURANCE COMPANY PAYMENT SUMMARY

PF will aggregate your IRS Form 1099’s through February 15th.  These forms (1099-Misc) represent all of the payments made to you during calendar year 2015.  The IRS matches the aggregate of all 1099’s to the appropriate line of your entity’s tax return, to make sure recipients properly report their income.  In addition, any interest paid on claims is separately reportable on IRS Form 1099-Int.  This information is also matched and it is critical to properly report this income on the correct line of your tax return to avoid IRS scrutiny for under reporting income.

By law, insurance carriers are required to mail them by January 31st.  However, our past experience indicates that they do not comply with the due date and therefore they are not all generally received until the third week in February.  At that time, we will send them to you by mail or through our courier service. If you have any questions, please feel free to contact us.

INDEPENDENT HEALTH

To align with NYS Medicaid, Independent Health (IHA) will be eliminating coverage for immunization administration code 90461. This code is not covered by Medicaid. Effective April 1, 2016, 90461 will not be covered for IHA’s MediSource, Essential Benefit Plan or Child Health Plus members.

UNIVERA

Univera has announced that Telemedicine services will be available to select members effective March 1, 2016. Telemedicine services will be delivered by MDLive, a nation-wide network of physicians who are board-certified in the state in which the patient is located at the time of service. MDLive physicians will be available by phone or secure video 24 hours a day, seven days a week, including holidays to provide advice and/or treatment for non-emergency medical conditions. If you have any questions regarding Telemedicine services, please contact Univera’s Customer Care Dept. at 866-265-5983.

YOURCARE HEALTH PLAN

In mid-January, YourCare issued duplicate EFT payments. They have been identified in providers’ bank accounts beginning on January 19, 2016. PF has contacted YourCare provider representative, Tina Burns, who indicated they will be reaching out to the various providers requesting a refund check for the duplicate payments.

RAILROAD MEDICARE

Railroad Medicare’s Medical Review unit will begin a service-specific review of Evaluation and Management CPT Code 99214 (office or other outpatient visit of an established patient). This code was selected based on internal data analysis. At the conclusion of the review, they will publish their findings on their website.

For Billing questions, please contact Jackie Lucas at 716-348-3923 or jackiel@pracfirs

COMPLIANCE UPDATES JULY 2015

By Becky Amann, Compliance Manager

Medicare – Exclusions From Coverage

National Government Services (NGS) recently published an article regarding: Charges Imposed by Immediate Relatives of the Patient or Members of Household. NGS has recently identified claims submitted by providers who furnished services to their immediate relatives or to members of their household. Medicare does not pay for these services, since they are ordinarily furnished gratuitously because of the relationship between the Medicare beneficiary and the provider. Immediate relatives are defined as:

  • Husband or wife
  • Natural or adoptive parent, child and sibling
  • Stepparent, stepchild, stepbrother or stepsister
  • Father-in-law, mother-in-law, son-in-law, daughter-in-law, brother-in-law or sister-in-law
  • Grandparent or grandchild
  • Spouse

A step-relationship and an in-law relationship continue to exist even if the marriage upon which the relationship is based terminates through divorce or death of one of the parties.

Members of Household are defined as:

Persons sharing a common abode with the patient as part of a single family unit, including those related by blood, marriage or adoption, domestic employees and others who live together as part of a single family unit. A mere roomer or boarder is not included.

This Medicare exclusion applies whether the provider is a sole proprietor who has a relationship (as identified above) to the patient, or a partnership in which one of the partners is related to the patient.

Please refer to the Medicare Benefit Policy Manual, Chapter 16, Section 130 for further information regarding these exclusions from coverage. The Medicare manuals are located on CMS’s website under their Guidance section at:

http://www.cms.gov/Regulations-and-Guidance/Regulations-and-Guidance.html

*** Please note: These exclusions also pertain to Medicare Advantage Plans ***

Univera – Risk Adjustment Review of Medical Records

Univera has contracted with Verisk Health to retrieve medical record documentation from providers. The record retrieval is a necessary part of their Risk Adjustment Program that is designed to capture the medical complexity of their Medicare Advantage members. CMS requires Medicare Advantage plans to confirm that the diagnosis codes submitted via claims are supported in the medical records. The record review also ensures the documentation properly reflects the clinical conditions of the patient.

Verisk Health will begin contacting selected providers in July to schedule the retrieval of medical records reflecting services rendered from January 1, 2014 to present.

For Compliance questions, please contact Becky Amann at 716-348-3902 or beckya@pracfirst.com

COMPLIANCE UPDATES – MAY 2015

By Becky Amann, Compliance Manager

Practicefirst sent out an Urgent Notice to our clients on April 17th regarding the New York State Surprise Bill Law. The following is a recap of that notification:

NEW YORK STATE LEGISLATION – EMERGENCY SERVICES AND SURPRISE BILL LAW effective 3/31/15

New legislation has been passed by New York State, commonly known as the Emergency Services and Surprise Bill Law.  This new law went into effect on March 31, 2015.

Under the terms of this new law, patients can dispute out-of-network (OON) charges if they did not have, or were not given, the opportunity to avoid OON charges. The law applies to physicians, hospitals, insurance carriers and other facilities.

Below is a brief summary of the new law and how it may affect your practice.

Health Care Professional and Physician Disclosure Requirements:

When scheduling appointments, the following information is required to be disclosed to patients or prospective patients:

  • The names of health insurance plans with which you participate and the names of hospitals with which you are affiliated.
    • These can be provided in writing or through a website before a patient receives non-emergency services and verbally when the appointment is scheduled.
  • Notify patients that the estimated charge for a non-emergency service is available upon request if the physician does not participate with the patient’s health plan (must include disclaimer that actual charges could be higher due to unforeseen medical circumstances).

When referring or coordinating care with another provider, all health care professionals must:

  • Referrals (Coordinating Care): Disclose to patients and prospective patients the names and contact information of the providers to whom they are referring the patient.
  • Concerning scheduled hospital admissions or scheduled outpatient hospital services: Disclose to patients and the hospital the names and contact information of physicians who are scheduled to treat a patient for non-emergency services during a scheduled hospital admission or outpatient hospital services.

Under this new law, patients have been given the right to dispute a “surprise” bill when it has been processed out-of-network. The patient disputes the bill by completing a Surprise Medical Bill Assignment of Benefits Form. A copy of this form is attached. If the patient completes and forwards the Assignment of Benefits form to a provider, the provider cannot hold the patient responsible for the surprise bill in excess of their in-network copay, co-insurance or deductible. The patient’s health plan is required to pay you the billed amount or attempt to negotiate reimbursement with you. If negotiations between the health plan and you fail, either party can submit a dispute to an Independent Dispute Resolution (IDR) entity.

Per the Department of Financial Services’ website, some examples of a surprise bill are:

  • Services rendered by a non-participating physician at a participating hospital or ambulatory surgical center when: a participating physician was unavailable, or a non-participating physician renders services without the patient’s knowledge, or unforeseen medical services arise at the time the health care services are rendered.
  • Services referred by a participating physician to a non-participating provider without the explicit written consent of the patient acknowledging that the services would be out-of-network and result in cost not covered by the patient’s health plan.
  • Consultation services provided by a specialist who does not participate with the insured’s health plan when the following occurs:
    • a patient is admitted to a participating hospital following emergency services
    • a patient is admitted to a participating hospital for a scheduled hospital admission

AND a participating physician is unavailable or a non-participating physician renders services without the insured’s knowledge or unforeseen medical services arise at the time the health care services are rendered.

Conversely, some examples of bills that are not surprise bills include, but are not limited to:

  • An insured’s contract does not require the insured to obtain a referral before obtaining services. A participating physician provides the insured with a list of local laboratories and recommends that the insured make an appointment to have blood work done.
  • An insured requests a referral or authorization to a non-participating provider, the referral or authorization is denied by the health plan, and the insured subsequently obtains the services of the non-participating provider.

Emergency Services

  • The Affordable Care Act requires a health plan to reimburse out-of-network emergency services based on certain criteria.
  • A non-participating physician may dispute the amount that the health plan pays you for emergency services through the Independent Dispute Resolution (IDR) process.
  • The dispute resolution process does not apply to health care services, including emergency services, when physician fees are subject to Workers’ Comp, No Fault, Medicare fee schedules or Medicaid fee-for-service.
  • This new regulation requires insurance carriers to hold harmless the insured for charges in excess of the in-network deductible, co-payments or co-insurance for out-of-network emergency services.

Further information about this new law can be found on the New York State Department of Financial Services’ website at http://www.dfs.ny.gov/insurance/ihealth.htm. Please refer to the Out-of-Network Law Guidance.

This is a complex law; interpreting how it affects your practice can be tricky. We do not provide legal advice, but will attempt to answer any questions you m

BILLING UPDATES – MARCH 2015

By Sarah Howarth, Billing Manager

On March 27, 2015, electronic prescribing of all controlled and non-controlled prescriptions will be mandatory for all prescribers in New York. An E-Prescription is defined as a prescription that is created, recorded and transmitted electronically. E-Prescriptions are transmitted directly from the prescriber to a pharmacy or pharmacist. Prescriptions that are generated on an electronic system and then printed out, and faxed prescriptions, do not meet the requirements of E-Prescribing.

Providers may request a waiver to E-Prescribe if they meet one of the following criteria:

  • Economic hardship
  • Technological limitations that are not reasonably within the control of the practitioner
  • Or other exceptional circumstance demonstrated by the practitioner

Waivers are granted for a time period of one year.  To request a waiver from E-Prescribe contact the New York State Department of Health at 866-811-7957, option 1.

UNIVERA COMMUNITY HEALTH

Currently, Univera Healthcare and Monroe Plan for Medical Care are partners in Univera Community Health.  In July of 2015, Monroe Plan for Medical Care will become the sole owner of Univera Community Health.  A new name for the Community Health product will be released at that time.  Univera Community Health encompasses the PlusMed and Child Health Plus products.  Additional information will be released closer to the transition date.

UNIVERA Medicare Advantage

Effective January 1, 2015, if observation services are required for Univera Medicare Advantage patients, the member cost-sharing for these services will be included in the cost-sharing for hospital outpatient services.  The member will not pay a separate copayment for observation services.  If the patient’s status is changed to inpatient, only an inpatient copayment will be applied.

Independent Health Medicare Advantage

IHA Medicare Advantage is introducing a new “Enhanced Annual Visit” (EAV) for patients seen between January 1 and June 30, 2015.  The visit incorporates many of the services that are already provided during preventive and wellness visits, with an expanded focus on assessment and management of chronic diseases.  The EAV is reimbursed only once per calendar year for Primary Care Practitioners only, using the HCPCS code G8496. Reimbursement for the EAV performed between January 1 and June 30, 2015 is $300.00. Any additional preventative or wellness visits performed during the same calendar year, by the same provider group will be denied.  The EAV will be denied if a preventative and annual wellness visit has already been performed during the same calendar year by the same provider group.

In order to receive payment for the Medicare Advantage Enhanced Annual Visit (EAV), all of the following criteria must be met. Upon record review, if all criteria are not met and well documented the payment may be retracted.

  • Completion of a Health Risk Assessment (Independent Health form or other CMS compliant form).
  • Review the patient’s Health Risk Assessment (HRA) and make it part of your permanent clinical record.
  • Document discussions related to issues noted by the patient on the HRA.
  • Document the status of each and every medical condition (even those identified and managed by specialists), including goals for treatment and management plans for each active problem.
  • Document standard visit elements: vital signs, interval history, past history, family history, medication reconciliation, review of systems, physical examination, update medication, problem and health maintenance lists, impression/assessment, plan and counseling of patient.
  • Provide a summary of the visit to the patient, including when to expect follow-up on test results. Medical and Chronic Condition Management (must be performed by a physician, nurse practitioner or physician assistant).
  • Documentation of the entire visit including the Health Risk Assessment from your medical record must be submitted with the claim.

To assist providers in ensuring all of the requirements of the EAV are met, the Enhanced Annual Visit Program Guide is available on the IHA website.  Please contact Sarah Howarth at 716-348-3923 or sarahh@pracfirst.com for assistance in obtaining these materia

COMPLIANCE UPDATES – AUGUST 2014

By Becky Amann, Compliance Manager

FRAUD, WASTE AND ABUSE TRAINING

As we have mentioned in previous client memos, Medicare Advantage Plans may require Fraud, Waste and Abuse training for their providers. If you are in need of this training, the Medicare Learning Network offers a Web-Based Training Course (WBT). This WBT is designed to provide education on fraud, waste, and abuse in the Medicare Parts C and D programs and general compliance concepts. It includes two parts and can be used to satisfy general compliance training requirements and fulfill the annual fraud, waste and abuse training requirement.  

To access the WBT, go to MLN Products on CMS’s website at: www.cms.gov/MLNProducts.

At the bottom of the web page under Related Links, click on Web Based Training Courses. Under the list of courses, select: Medicare Parts C and D Fraud, Waste and Abuse Training and Medicare Parts C and D General Compliance Training. The course is approximately 60 minutes in length.

For Compliance questions, please contact Becky Amann at 716-348-3902 or beckya@pracfirst.com