In case you haven’t heard, several deadlines have been detoured lately – some pushed back, some here, some coming who knows when…. Here they are, followed by some commentary:
On November 17, 2011, the CMS (Medicare) Office of E-Health Standards and Services (OESS) announced that it will not initiate enforcement action over compliance with the HIPAA 5010 transaction standards until March 31, 2012.
Before you get too giddy about the prospect of your office not having to undergo conversion to the 5010 format for electronic claims submission, think again.
I’ve got three news updates for you today: one positive, one negative, and one that could go either way.
Today I’m going to speak to you about a mandatory format conversion for your electronic billing that you must complete by January 1, 2012, or you will not be paid! If 2012 sounds like a long way off, you should know that testing for the 5010 conversion starts now, in April 2011!
Specifically, this format conversion is called 5010, and you may have heard of it as the HIPAA 5010 format conversion or “mandatory claims reformatting.” Lots of chiropractors have been emailing me for advice on what to do, where to go for information and exactly what the conversion requires.
First, a reality check. Do NOT be fooled by the term HIPAA! One reason I told you up front that you will not be paid, and didn’t lead with HIPAA, is that I know chiropractors by and large ignore lots of things related to HIPAA. They think, “Well, I’ve never seen a HIPAA policeman,” or “this is just some low-priority compliance item I can handle later.” This is entirely different!
This 5010 conversion is mandatory if you do ANY sort of electronic claims transmission or electronic billing.
Apparently, last week’s blog post on security struck a sore spot with many readers who have experienced security problems, challenges and employee issues within their office.
Interestingly enough, the comments and questions I received were not focused on firewall breaches, corporate bank data compromises or any “high level” security threats that created a cascade of financial and stress-related nightmares for chiropractic offices. Instead, most of your comments could be summarized with two warnings:
1) Beware the low-tech hacks
2) Employees can be incredible liabilities if not managed properly
While most would probably agree that any security issue should be approached with sufficient planning and preventive measures, the stories of just how much trouble these two items caused your fellow chiropractors were both surprising and seemed to warrant additional attention.
Let’s deal with the first topic:
Beware Employee Stupidity and Low Tech Hacks
While the thought of some financial terrorist attempting to transfer an entire bank’s portfolio of accounts to a mysterious bank in Liberia, or of a band of Bulgarian mobsters launching a viral shutdown of your town’s financial institutions, is certainly upsetting, apparently it’s the not-so-flashy stuff on which we should focus our preventive measures. Similarly, while some of you may lose sleep at night for fear of violating the umpteen HIPAA regulations you didn’t know about, it’s the plain common-sense stuff that you can easily prevent.
And apparently, these common, everyday issues are tripping up your fellow DCs.
Last year about this time, big trouble broke out in Tennessee when thousands of medical records, including patient photos, files and Social Security numbers, were found in a Chattanooga recycling center bin. You need not be an expert in all matters HIPAA to determine that dumping your records (old, new or even those of patients you do not like) into a recycling bin is not the proper way to dispose of medical files. Yet it happened, and the news was all over the story. And I am sure the fines weren’t pretty.
What’s worse is that the guy caught dumpster diving for those files (who likely thought he had hit the mother lode of his career) used them to make 1,000 fake IDs, which he then used to rip off other people, stores and banks. And he committed similar crimes throughout California.
I am sure you can also see several problems here:
- This fella was not just looking to be the most popular guy in his high school by making fake IDs for all his friends to get into the local bars. He was stealing your patients’ data as the starting point for his criminal sprees.
- Apparently, banks have poor mechanisms for detecting fake IDs.
- Unlike banks, YOU as the chiropractor are dealing with Protected Health Information (PHI), which means that when someone like this steals your patients’ information, YOU are required to report the breach.
- The process of reporting to Mrs. Melba Johnson that one of your employees (I am assuming it wasn’t you who dumped the files) used poor judgment and put her file in a recycling bin, that some thief came and stole her Social Security number and other personal information, and that by now he has applied for an Abercrombie credit card and a home mortgage and been approved for a $1,500 credit line to buy new wheels for the used Mazda he also purchased courtesy of Mrs. Johnson: this is a conversation that will not go smoothly.
- This conversation will need to be repeated with every patient whose records were breached.
Silence is Golden
Sometimes privacy or security takes the simple form of silence. Unfortunately, according to my mail bag (actually my e-mail inbox, but I always thought it would be fun to open a bag full of fan mail), silence is not so simple. Employees routinely assist you in violating HIPAA privacy rules by openly discussing patient information with…well, anyone!
And while this too may seem like common sense, again, see above. It’s not usually the stuff out of The Matrix that is going to foil you. But when your employee casually mentions in the grocery store that she has seen Mr. Weasley in your office, not knowing that Mrs. Weasley has been trying to chase him down for seven months’ worth of alimony, suddenly you are in the middle of a family squabble AND your employee’s loose lips have sunk your HIPAA ship. Mr. Weasley may be forced to pony up on his alimony, but you will be footing the bill once he turns you in for violating his privacy.
Similarly, it may seem safe to assume that the 16-year-old your tech is about to x-ray is not pregnant, has her parents’ permission, or even has parents who are paying, but none of these assumptions is safe. And when your staff member e-mails the x-ray results to her parents, questions abound that you do not want to answer.
Silence is golden, if you can get it.
Some Employees are Smart, Lazy and Vindictive
Judging from the responses I received regarding employee security threats, not all employees are dumb enough to dump data in dumpsters. In fact, some employees are too smart for their own (or our) good.
They play endless rounds of computer solitaire while claiming they don’t have enough time to do their job. They surf the internet on your time and your dime. Literally: you pay them, and some of them shop for personal items using your credit card. Others make money by selling your patient list to direct mail marketing companies. And when they leave or you fire them (associates or other independent contractors), they attempt to take your patients (and sometimes your records too) with them. Then they try to sit on unemployment for a year and a half (despite the fact that they only worked for you for a week and a half!).
Learn from the multitude of chiropractors who wrote in asking how to prevent these exact situations, which occurred at the hands of wasteful or rogue employees. Protect yourself from unanticipated emergencies (let’s face it, no one is smart enough to predict this type of behavior reliably).
Here are Three Protective Agreements I think can prevent a multitude of the problems many of you are facing or have faced in the past:
1) Establish an Employee Confidentiality Agreement: It might seem basic to have your employees sign something stating that they can’t blab information or dump data, but if a violation occurs, you have at least documented that you did your part, which counts in your favor with HIPAA enforcers and with patients. HIPAA also requires you to train your workforce and to apply sanctions to employees who violate your policies, so having employees sign such an agreement (along with actual training, and a record of it) provides the paper trail of your compliance in this regard.
2) Utilize a Non-Compete Clause for All Associate Doctors: Sure, it may work out. You may even be partially at fault if it doesn’t. But protect your practice and livelihood in case it does not. Some states limit the use of these agreements, but in general, something is better than nothing. And I have witnessed the successful enforcement of non-competes, which served their legally binding purpose along with stiff financial consequences for their violation.
3) Establish Appropriate Technology Policies: I use the word “technology” because you really need written guidelines for proper usage of the internet, computers (and passwords), cell phones, voice mail, email, downloads, instant messaging, etc. The least of your troubles (but the most common) is employees wasting time surfing or emailing for personal reasons. As above, it can get a whole lot uglier than that, so to prevent this, put a policy in place!
Hindsight is 20/20 Wisdom
According to every chiropractor who e-vented (vented via email) their security and/or employee problems, you will undoubtedly and repeatedly kick yourself for future fiascos in this department, especially after reading this blog and being warned! Skip e-mailing me about how ridiculous it is that we have to do this and how deplorable society has become. I agree, and the entities that make these rules don’t care. You just need to protect your asset numero uno.
Here are your options:
Have your attorney draft the Three Protective Agreements for you and sleep soundly knowing you’ve done your part.
Search the internet for these agreements, and make sure they are up to date! Most technology agreements I have seen online, for example, are outdated: they either have no reference to what we do as chiropractors (translation: HIPAA!) or lack clauses covering relatively new “social media” provisions, online download policies, or even instant messaging.
For those who’d like to save time and searching, you can obtain a copy of my Three Protective Agreements that I use with my clients, updated and ready to go. Simply open the Word document, change the names and any relevant info to your clinic, and you are on your way! For those who would like an attorney to review the documents, this will save you the time and money of having them drafted from scratch.
Any way you slice it, be sure to act on this promptly. While both crime and stupidity are unpredictable, the price of planning is not nearly as painful as the headaches and hassles that will follow from neglecting this!
To Your Success!
Tom Necela, DC, CPC, CPMA
Legal Disclaimer: Every reasonable effort has been made to ensure the accuracy of the information and recommendations provided in respect to these Three Protective Agreements. However, due to the nature of changing payer requirements and state regulations, you may wish to seek advice from a local health care attorney to ensure that the use of these agreements is legally valid and compliant with your state laws.
Today’s post is a back-to-basics reminder of something that none of us should need to be reminded of, but…it is likely that most chiropractors could use improvement in this area.
The topic: security.
Specifically, I’d like to say a few words about the security of information, finances and records in your office. Some of this pertains to HIPAA; some of this pertains to good old fashioned common sense. Both are needed.
In case you were not aware, business accounts are the most vulnerable to hacker attacks and the least protected by the law: the consumer protections of Regulation E (which limit a consumer’s liability for unauthorized electronic transfers) do not apply to business accounts, which are governed instead by the commercial rules of UCC Article 4A. This is bad news for all chiropractors who do not keep their money under the mattress, which I suspect is most of us. Here’s why:
Hackers are much more inclined to break into a six-figure business account than a consumer account with a few thousand dollars, according to the article “Could Online Hackers Steal Your Cash?” published on the financial website Bankrate.com. And there’s more bad news: if your bank determines that your money vanished because of something you did (a compromised password or an infected office computer, for example), it may not be liable for your disappearing cash. Sound a bit subjective and risky to you?
With online transactions and banking opportunities increasing daily, chiropractors need to be especially vigilant about protecting their accounts, not only to protect their money but also to take extra steps toward data security in general. A breach in a health care office may not only be financially damaging but also has the potential to cross lines and expose patients’ protected health information, which could lead to HIPAA privacy violations and fines as well.
While all of this may sound like the plot of a new conspiracy thriller, a quick reality check in your own office may reveal that you are either well protected or unnecessarily exposed to such dangers.
Here are a few items that I would recommend for your to-do list so you can sleep a little more soundly:
- Make sure all patient files (and x-rays) are kept in locked storage. This is not only required via HIPAA regulations, but is a good idea to prevent theft.
- Use tougher passwords online. “1234” just won’t cut it. Use a different password for every site, so that one compromised site does not turn into a widespread breach (a password manager makes this painless). Make them long, and mix upper- and lower-case letters, numbers and symbols.
- Protect yourself against malware (viruses, spyware and other online threats). While most computers come with a free trial of security software, many chiropractors let it lapse and/or never upgrade to the full version. Check out the June 2010 issue of Consumer Reports magazine for the latest ratings of effective free and paid security software. The most expensive of their recommended options costs $70, hardly a matter for debate when you consider the time, money and effort that will be expended if something bad happens.
- Pay to have a security system with monitoring installed in your office. In terms of banking, your greatest theft threat may be online. But fire, break-ins and other hassles can effectively be monitored via a security system. I know several DC’s whose offices were destroyed by the elements and many more who suffered break-ins. Even small town DC’s are not immune to crime and certainly not safe from the elements.
- Don’t let employees take laptops home. One of the biggest data breaches in health care history occurred when a Blue Cross employee took a laptop home to do some work. Unfortunately, the laptop was stolen in a parking lot while the employee was busy running errands. So not only did the employee NOT get any work done at home, the employee inadvertently caused a data breach involving over 100,000 physician records, including Social Security numbers and EINs. Certainly, an accident like that would not be of the same magnitude for your office. But how many patients do you want to notify that your employee’s conduct caused their personal information to be stolen? It would certainly not be fun, but it is required under the HIPAA breach notification rules, and failure to do so would result in major fines! One caveat worth knowing: those rules apply to unsecured PHI, and HHS treats PHI encrypted in line with its guidance as secured, so a stolen laptop whose disk was fully encrypted (with the key not kept with it) generally does not trigger patient notification. That is a reason to encrypt every laptop, not a license to let them leave the office.
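The password item above gives three rules (nothing trivial like “1234”, a different password for every site, a mix of character classes) but no way to check an office’s logins against them. The following is an added example, not code from the original post: a small audit that scores each password against those rules and flags any password reused across sites. The credential set, the common-password list and the 12-character minimum are all constructed assumptions for the example; the post gives no numbers.

```python
import re
from collections import defaultdict

# Constructed sample credential set (site -> password). Invented for this
# example; it is not data from the original post.
SAMPLE_CREDENTIALS = {
    "bank.example": "Ch1ro-Bank!2011",
    "clearinghouse.example": "Ch1ro-Bank!2011",  # reused from the bank login
    "payroll.example": "1234",
    "email.example": "Adjustment#Table9",
}

# A handful of entries of the kind found on any leaked-password list (constructed).
COMMON_PASSWORDS = {"1234", "123456", "password", "qwerty", "letmein", "chiropractic"}

MIN_LENGTH = 12  # assumption: the post gives no number; 12 is a reasonable floor


def password_problems(password: str) -> list[str]:
    """Return the policy rules this single password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    classes = {
        "lowercase": re.search(r"[a-z]", password),
        "uppercase": re.search(r"[A-Z]", password),
        "digit": re.search(r"\d", password),
        "symbol": re.search(r"[^A-Za-z0-9]", password),
    }
    missing = [name for name, hit in classes.items() if not hit]
    if len(missing) > 1:  # require at least three of the four classes
        problems.append("missing character classes: " + ", ".join(missing))
    return problems


def reused_passwords(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Map each password that appears on more than one site to the sites sharing it."""
    by_password = defaultdict(list)
    for site, pw in credentials.items():
        by_password[pw].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def audit(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Per-site findings: weak-password rules failed plus any cross-site reuse.

    The report names the other sites sharing a password but never the
    password itself, so it can be handed to the office manager safely.
    """
    reuse = reused_passwords(credentials)
    findings = {}
    for site, pw in credentials.items():
        issues = password_problems(pw)
        if pw in reuse:
            others = [s for s in reuse[pw] if s != site]
            issues.append("reused on: " + ", ".join(others))
        findings[site] = issues
    return findings


if __name__ == "__main__":
    for site, issues in audit(SAMPLE_CREDENTIALS).items():
        print(f"{site}: {'OK' if not issues else '; '.join(issues)}")
```

Run as a script it prints one line per site; on the constructed set the bank and clearinghouse logins are flagged only for sharing a password, the payroll login fails every rule, and the email login passes. In a real office you would feed it the exported entries from a password manager rather than a literal in the file, and the reuse check is the finding that matters most: a strong password that is reused is exactly the “widespread breach” the post warns about.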
Lock up. Protect your business. Sleep well.
Tom Necela, DC, CPC, CPMA
In business and in life, it is helpful to go back and review the basics, to take a look at where you’ve been and where you want to go.
Today’s blog post features three links to our most popular columns of the past, in case you missed them or in case you need “a refresher course.” (Pardon the Fletch reference.)
Here they are (in no apparent order):
Tom Necela, DC, CPC, CPMA
Just in case you were actually focusing on your practice and not glued to the news, HIPAA television and the endless assault of compliance related emails that cross your desk, we had three significant deadlines in February that seem to have rattled a significant number of you.
Even though I may not know you personally, I am going to extend you the grace of assuming that you are not normally paranoid, panicky or otherwise possessed of a peculiar tendency to “snap” when confronted with the politics of change that besets our profession.
So, let me first gently remind you of the deadlines of which you may or may not be aware. And then, I’d like to put your mind at ease over a few items that repeatedly hit my email inbox and drip with panic-driven sweat and media-fueled fear.
- New requirements for “Business Associates” – Deadline: February 17, 2010. HIPAA rules were strengthened by extending responsibility for the protection of PHI to “Business Associates.” Under the new law, Business Associates have the same responsibilities for any breach of protected health information as does the provider of the services. Business Associates include attorneys, consultants, accountants, third-party billing companies, computer vendors or maintenance companies, etc. For a more detailed description of this requirement, see my previous blog entry on “Mandatory HIPAA Updates.”
- Disclosure Agreement Provision – Effective: February 18, 2010
Patients have the right to pay out of pocket in full for a health care service and request that your practice not disclose information about that service to their health plan or another entity, and your practice must comply with the request. Make sure that all your employees are informed about this provision and modify notification or follow-up procedures where applicable. This information must be shared with every employee in the practice who is involved in health information and insurance processing. This one is not likely to come up often, but regardless, you are still required to follow the rules should it occur. Essentially, if a patient who is under- or uninsured pays for services in full (cash, credit card or check), he or she has the right to keep that visit out of the insurer’s hands.
- Information Breach Notification – Effective February 22, 2010
New provision requiring that HIPAA covered entities such as physicians notify patients (and that Business Associates notify the covered entity) of any breach of unsecured protected health information. Every affected individual must receive written notice containing the details of the breach, the information disclosed, the steps being taken by the practice or entity to avoid future breaches, and an explanation of what patients can do to protect themselves. If the breach involves 500 or more persons, the Act also requires that the Department of Health and Human Services be notified without unreasonable delay, along with prominent local media outlets; breaches involving fewer than 500 persons are logged and reported to HHS annually. Hopefully, this one will never happen, but you should be aware that if it does, there are required steps to take.
The Reality of the Situation
Of those three new HIPAA requirements, I do not see any as a reason to hit the panic button. Rather, get your Business Associate Agreements in place and train the staff on the other two, should the need ever arise.
As for other recent news affecting our practice (and for which I received a lot of email), the President did sign into law a bill that delays Medicare fee cuts until March 31, 2010. Hopefully, this delay will be prolonged at least until 2099 or until the government gets its Medicare act together, in which case the 2099 date may happen first. On this item, continue to make your voice known through your state and national associations and hope that we make enough collective noise to stop the feds from cutting our paychecks.
Again, no need for panic, but action may be helpful.
Some FAQs About Chiropractic Compliance Measures
The one interesting byproduct of chiropractors getting their compliance act in gear is that more questions begin popping up over everyday matters. Suddenly, policies and procedures they have used for years become the subject of much questioning, much-needed revision and, in some cases, not-so-needed fear.
To set the record straight, here are a few items that I would like to clarify for you so that you can fully understand your responsibilities and which side of the compliance fence you stand on.
- Q. Our practice confirms patients’ insurance coverage by contacting their health plans the day before their appointments to verify coverage and patients’ financial responsibility. Do we need their consent or authorization to contact their health plan? A. No. Patient consent or authorization is not necessary to disclose PHI for treatment, payment or health care operations, and determining a patient’s eligibility and coverage falls squarely within HIPAA’s definition of “payment” [45 CFR § 164.501]. The same section also defines treatment broadly as “the provision, coordination or management of health care and related services by one or more health care providers, including the coordination or management with a third party…”, so coordinating the patient’s care with the plan is covered as well.
- Q: Are sign-in sheets or calling out the next patient’s name in the waiting room allowed or not? A: Yes, they are allowed. Believe it or not, if you actually sit down and read through the HIPAA regulations (sick and twisted, I know), one of the intentions behind HIPAA that you will repeatedly see mentioned is “administrative simplification.” To the extent these activities result in other people learning a patient’s name or other information, the disclosure would be considered “incidental” to your treatment of the patient, and therefore acceptable under HIPAA (7.6.2001, OCR HIPAA Privacy TA 164.000.001 FAQ). Chiropractors should still take appropriate precautions to limit the amount of information that might be incidentally disclosed in this manner. For example, you may not want to ask patients to list a “reason for visit” on a sign-in sheet. With respect to placing charts outside of your adjusting rooms, you should take precautions such as turning the front of the chart toward the wall so others do not have the opportunity to read the front page while walking past the room.
- Q: What about billing electronically, EMR and all these newly proposed regulations? Am I going to be required to do all of this? A: While it may make sense for many individuals to move as much of their practice as possible to an electronic format, you have two reasons to rest easy. 1) Several proposed requirements for electronic communications are still in the future, so their dates may be delayed or never quite arrive. 2) You may be an exception to the rule anyway. For example, back in 2003, providers were supposed to be required to bill Medicare electronically. However, this requirement does not affect many chiropractors, as there is an exception for physicians with fewer than 10 full-time equivalent employees [42 USC § 1395y(h)].
Keep informed so that you know what you are required to do, but don’t get paranoid. Focus on your practice and your patients. Sleep easy.
Best wishes for continued success!
Tom Necela, DC
The good news is that the new HIPAA requirements aren’t quite as bad as the cartoon above; the bad news is that they are going to require some paperwork on your part. And we know how much all of us chiropractors love paperwork! Here’s the skinny:
Covered entities and Business Associates (BA) are required to amend existing BA contracts or negotiate new contracts. Contracts executed prior to the HITECH Act do not comply with the interim breach notification rule or the new BA-related statutory requirements. The breach notification requirements for BAs became effective September 23, 2009, and many of the other BA-related requirements become effective February 17, 2010.
Are Chiropractors Covered Entities?
The first question most chiropractors will ask is: “Am I a covered entity?” Put simply, if you transmit any health information electronically in connection with a standard HIPAA transaction (a claim, an eligibility inquiry, a claim status request, etc.), whether directly or through a billing service or clearinghouse, you are a covered entity. Merely storing records on a computer does not, by itself, make you one, but most chiropractors bill electronically and so are covered entities. If you are in doubt, see CMS’s Covered Entity Chart to help you determine this.
What is a Business Associate?
In chiropractic, we tend to define an associate as the DC who is an employee and who helps us care for our patients. The HIPAA definition, however, is quite different. A HIPAA Business Associate is a non-employee person or organization that performs a function or service for you that involves the use of, or access to, Protected Health Information (PHI). Common examples of BAs include electronic clearinghouses, billing companies, transcriptionists, accountants, etc. For more information and official definitions of Business Associates, go to the Department of Health & Human Services Business Associate page.
Why New Contracts?
As you may know, there was a changing of the guard last year: the Office for Civil Rights now enforces both the HIPAA Privacy and Security Rules (Security Rule enforcement moved from CMS to OCR in 2009), and the HITECH Act of 2009 also mandates periodic HIPAA audits.
One simple way an organization can see how much monitoring needs to be done is to throw out a new change and see how well we comply. In other words, new contract + monitoring = lots of money generated in fines for the new organization.
Forgive my cynicism, I am sure that there may be other motives. However, in the meantime, you need an updated BA contract by February 17, 2010…or else.
In case you are not motivated by the “or else” threat, here are some details:
What’s Changed in the new HIPAA Business Associate Agreement?
• Establishes criminal and civil penalties for non-compliance
• Now applies privacy & security rules DIRECTLY to BAs
• Establishes mandatory breach reporting for CEs and BAs
The Hit to Your Wallet
If the threat of jail time is not enough for you (hey, I guess some people might appreciate the alone time), here are some threats to your bank account you might not like:
Penalties are determined by the nature and extent of both the violation and the harm resulting from it, so they can be substantial. Civil monetary penalties are tiered to punish offenders progressively; each tier carries a per-violation minimum and a cap on the total for identical violations in a calendar year:
Tier 1: Unintentional or inadvertent violation – At least $100 for each violation, but no more than $25,000 per year for identical violations
Tier 2: Reasonable cause, but no willful neglect – At least $1,000 for each violation, but no more than $100,000 per year for identical violations
Tier 3: Willful neglect, but violation is corrected – At least $10,000 for each violation, but no more than $250,000 per year for identical violations
Tier 4: Willful neglect, violation not corrected – At least $50,000 for each violation, but no more than $1,500,000 per year for identical violations
What is required?
- Make a list of your current business associates and vendors
- Identify the entities with which your practice shares PHI, because these BAs are now subject to the same privacy and security rules as Covered Entities
- Draft new legal agreements with your BAs that comply with the HITECH Act
- Update your HIPAA privacy and security policies and procedures (including creating or modifying your Breach Notification Policies). See the Dept. of HHS Breach Notification page for more info.
The Bottom Line
You will kick yourself for getting fined for this new rule. Save the time in emailing me your angry thoughts, I probably agree with you and you’re screaming at the messenger anyway, which is not terribly productive.
Here are your options:
Have your attorney draft a Business Associate Agreement for you.
Search the internet for an agreement that is up to date (be sure that the agreement mentions the HITECH Act of 2009! Most that I have seen online are outdated and refer only to the HIPAA rules of 2006) and relevant to what we do as chiropractors (I have seen ones that are 23 pages long!).
For those who’d like to save time and searching, you can obtain a copy of my Sample Business Associate Agreement that I use with my clients, updated for the recent HITECH Act changes. Simply open the Word document, change the names and any relevant info to your clinic, and you are on your way! For those who would like an attorney to review the document, this will save you the time and money of having one drafted from scratch.
Any way you slice it, be sure to act on this promptly, as the deadline is approaching!
Tom Necela, DC
Legal Disclaimer: Every reasonable effort has been made to ensure the accuracy of the information and recommendations provided in respect to the Business Associate Agreement. However, due to the nature of changing payer requirements and state regulations, you may wish to seek advice from a local health care attorney to ensure that the use of the Business Associate Agreement is compliant with your state laws.
You are invited as a guest to Join Tom Necela, DC, CPC, CPMA — Certified Professional Coder, Certified Professional Medical Auditor, former Insurance Claims Analyst, and current President of The Strategic Chiropractor — for a special FREE 60 minute Webinar!
Thursday December 17, 2009
– 9 am PST/10 am MST/11 am CST/Noon EST
Bring your TOUGHEST questions on Chiropractic:
- Getting Paid for the Work You Do!
And receive the ANSWERS you need that will help you:
- Maximize your reimbursements
- Decrease denials
- Shorten Payment delays
- Lower Accounts Receivable
- Reduce your risk of audits
We are hosting this seminar as a special “thank you” to all of our blog readers, clients and customers who have made The Strategic Chiropractor the #1 source for teaching chiropractors how to “Work SMARTER, not harder” for increased profits.
As a sign of our appreciation we’d like to offer you a FREE seat for this webinar and the chance to have your question answered “live” during the event.
(If you cannot attend or would like a CD copy of the webinar, see below for details.)
Historically, this is our most popular webinar of the year, so you need to act quickly! Previous editions of this webinar resulted in hundreds more questions than we could physically answer in a limited time format.
Space is limited and ADVANCE REGISTRATION is MANDATORY to submit questions (the earlier you submit them, the better chance they have of being included in the presentation material). So register below, submit your questions and get your front row seat for the biggest bargain on the subject of chiropractic billing, coding and documentation!
Hope to see you there!
Tom Necela, DC, CPC, CPMA
The Strategic Chiropractor