Health Care Coding Can We Talk?
Compliance:
HIPAA
OSHA/CDC
HR
AUDITS
Joe W. DeLoach, OD, FAAO
Bj Avery
Optometric Business Solutions
Disclaimer
We both work for Optometric
Business Solutions. We believe the
products mentioned here are some
of the smartest uses of your hard
earned money and genuinely hope
you will feel the same.
We are also not attorneys and do not
offer legal advice.
Who Is Optometric Business Solutions?
A team of “road warriors” with
combined 160 years of experience in
optometric management services
Friends helping Friends
Services BY optometrists FOR
optometrists
Over 1850 clients in first year of
business
A company that has donated over
$65,000 in one year to promote
optometry
A company endorsed by over two
dozen State Optometric Associations
(including the Minnesota Optometric
Association) and major optometric
groups including: Vision Source, TSO,
Todays Vision, SNAPP and others
(there is a reason!)
What We Offer
Compliance manuals customized to your
profession, your office and the laws of your State –
HIPAA, Human Resources, OSHA/CDC
Training audits
Remote billing services
Continuing education services
Extensive training and compliance package for
ICD10 conversion – customized to YOUR
profession
Nothing like OBS on the market!!!
This is VERY fast paced.
For complete training for you,
your staff and everything you
need to be compliant, refer to
your order sheet
Welcome to the Age of
Compliance
Let’s get one thing out there right up front
We HATE all this stuff
What we hate worse is seeing
optometrist’s hard earned money being
taken away by the government,
insurance companies and other
regulatory agencies because evidently
you don’t know any better!
You have plenty of “experts”
trying to tell you how to MAKE
more money.
Optometric Business Solutions is
about KEEPING your hard
earned money
The Evils Around You
Human Resources – way more than meets
the eye
OSHA/CDC – the bite is definitely worse
than the bark
HIPAA – an absolute monster
THE AGE OF AUDITS – this is the biggest
monster of all
HR
Can’t I just expect them to do
their job and not worry about
all this employee stuff?
Actually, you cannot!
There are 15+ agencies and laws that regulate
your relationship with your employees. Not
playing right with ANY of them can land you in
serious trouble, legally and financially
State Employment Commission
State Commission on Human Rights
State Communicable Disease Prevention and Control Act
State Workers Compensation Act
Equal Employment Opportunity Commission
Americans with Disabilities Act
Department of Labor
Wage and Hours Act
Family Medical Leave Act
Fair Labor Standards Act
Occupational Safety and Health Administration
Centers for Disease Control and Prevention
Federal Privacy Act
Immigration Reform and Control Act
Sorry, but…
If you think that because you’re “just an optometrist”
and have a “small business” you don’t have to
worry about all this, you are so, so wrong.
Not complying with state and federal
employee regulations can cost you a
lot of mental anguish, your reputation,
time you don’t have to waste on this,
and, most importantly, A LOT OF
MONEY!
Let’s look at just a very
few select HR issues
(and they vary by state law, this is
specific to Minnesota)
Things You Cannot Ask In An
Application Or During An Interview
Take a breath:
race, color, creed, sex, age, national origin,
disability history or status, military history or
status including discharge conditions, marital
status, availability of transportation*, dependents,
if they speak other languages*, birthplace,
residence, relationship to person they name as
emergency contact, arrest record*, criminal
conviction record*, workman’s compensation
status or history, citizenship status
* but… sometimes an exception
Your Most Important and
Essential Employee Tool
Without a doubt….
Your Employee Manual
More Than Important – It Is
Essential
Usually, rules are designed to protect the good
from the bad. No doubt true of an employee
manual!
An Employee Manual is NOT a contract of
employment – and yours should state that
Without an employee manual, you are
defenseless against workman’s comp claims,
unemployment claims, discrimination claims,
harassment claims and about anything else
your disgruntled employee wants to make up
Your Employee Manual is Your
Employee Insurance Policy
Would you practice without Professional
Liability Insurance? Drive without auto
insurance? Not have insurance on your
home and belongings?
Not having an Employee Manual is living
your practice life without insurance!
Are you a gambler?
So You Have a New Hire.
What Next - Technicalities?
Have them read your employee manual
and sign that they understand all your
policies
Conduct HIPAA and Hazard training
Watch out imposing non-competes –
Minnesota courts strongly rule in favor of
the employee unless the non-compete
conditions are VERY reasonable in
geographic and temporal scope
Interesting Minnesota law – if you hire
someone who is under a valid non-compete from a
prior employer, you can face civil liability
(mostly if you knew it and did it anyway!)
You must report your new hire to the state:
Minnesota New Hire Reporting Center
www.mn-newhire.com
Report employee name, employee address, employee
SS#, date of hire, employer name, employer address,
employer FEIN. (Some payroll companies do this for
you!). Must report within 20 days of hire!
$25 penalty PER DAY you do not report
Allowed in Minnesota
Conducting a credit check on applicant or
employee – but only with their permission
Drug testing – but only with their permission
and only after “reasonable” notice
Medical examination prior to hire – but
results cannot influence your decision to hire
Mandated wear of uniforms
Mandated work with AIDS patients
NOT Allowed in Minnesota
Background checks, if they influence your
decision to hire (good luck with that!)
Polygraph testing – pre or post employment
Surveillance – without permission of
employee
How Do We Treat Our Employees?
Minnesota Parenting Leave Act
This is a complex law that applies to any employer with
21 or more employees. It mandates benefits similar to
the federal Family Leave Act. In general, it mandates:
Up to six weeks time off for birth or adoption of a child if
employee has worked the previous 12 months
Must allow employee to use employer granted sick time
to care for adult child, minor child, spouse, sibling,
parent, stepparent or grandparent
If you have questions about this law, consult
a health care attorney
Discrimination
You cannot discriminate based on race,
color, creed, sex, national origin, disability
status or history, military service status or
history – but in reality it is dangerous to
discriminate on basis of ANYTHING
Discrimination applies to hiring,
promotion, compensation, benefits, days
off, training, approved education or social
activities
What Requirements Exist?
Infectious Disease / Substance Abuse
Infectious Disease Control
As we said earlier - you are legally required to
protect your employees
CDC and OSHA require you to maintain a Hazard
Manual (see OBS CDC/OSHA Compliance
Manual)
Substance Abuse
You may require drug or alcohol testing for any
current employee
You are not required to provide any treatment or
rehabilitative benefits
What Requirements Exist?
Family Medical Leave Act / Unemployment
Family Medical Leave Act
This law does not apply to employers with fewer than
50 employees. If it applies to you, consider
consulting with a health care attorney
Unemployment Compensation
They can file if they want to…get over it
Can only file if involuntarily terminated
Document, document, document
Don’t keep employees past probationary period
Always fight the unemployment claim
What Requirements Exist
Americans With Disabilities Act
This law only applies to employers with 15 or more
employees (combination of FT AND PT)
Cannot discriminate against any protected employee
who meets the knowledge, experience, skill and
education necessary to perform the job with or without
reasonable accommodations
Protected employees include anyone who has a physical
or mental impairment that limits one of life’s major
functions; has a record of an impairment; is perceived
as having an impairment; or has an association or known
relationship with a disabled person
Violating this law can cost you DEARLY!
What Requirements Exist
Harassment
The issue of employee
harassment is possibly THE most
dangerous human resource issue,
with absolutely the most
damaging financial penalties and
effects on an employee’s
reputation
What Requirements Exist
Harassment – IT’S NOT JUST SEXUAL
There are two forms of harassment:
1. “quid pro quo” (this for that) –
usually sexual
2. Hostile Environment –
usually not sexual
Harassment
quid pro quo
Unwelcome sexual advances, requests for sexual
favors or other verbal or physical conduct of a
sexual nature constitute quid pro quo sexual
harassment when:
submission to such conduct is, explicitly or
implicitly, made a term or condition of
employment
submission to or rejection of such conduct by an
individual is used as a basis for any aspect of
their employment (raises, benefits, advances,
etc)
Harassment
Hostile Environment
Sexual conduct and other verbal or physical
conduct constitutes hostile environment when
such conduct has the effect of unreasonably
interfering with an individual’s work
performance or creating an intimidating,
hostile or offensive work environment
CAUTION: This definition is VERY loosely
interpreted in court
What About Those Posters
There are significant fines for not displaying the
required posters – ready?
$7,500.00!
DO NOT fall prey to the “poster companies”
high prices and lies
Go to www.dol.gov/elaws/posters.htm. Answer
the series of questions that will tell you which
posters you need by State. Then download them
for FREE. Laminate them for preservation.
Terminating Employees
Before we get to the details, every
employer should make it a principal
goal to end an employment relationship
on as positive a note as possible.
Disgruntled or “wronged” employees
have or can find MANY ways to hurt a
prior employer
Terminating Employees
Why
Personnel and Policy Manual should contain a list
of employee conduct and performance violations
and the range of action that may be taken against
the employee for violating this policy
Gross conduct violations should include (at a
minimum):
Gross misconduct
Criminal or malfeasance acts
Job abandonment
Violations of patient privacy policies
Terminating Employees
Legal Issues
Understand the likelihood that the case will go
before the state workforce commission
Does the punishment fit the crime? (you must
eliminate personal bias)
Have other employees with similar “bad” issues
been treated in the same manner? (you must
be consistent and fair)
Is your action in line with the written policy in
your employee manual?
Except in gross misconduct, did you follow
progressive discipline as outlined in your
employee manual?
Terminating Employees
How
Always in person
If you have documented and progressively
disciplined, you will not need to state the reason
for a termination. The employee should be
expecting it. Do not avoid telling them why unless
you are hiding the real reason (Ex. You suspect
them of theft)
Do not “sugarcoat” the reason or the process – be
firm and try to eliminate feelings from the situation
Do not be argumentative or insulting
Terminating Employees
How
Be ready to provide accrued pay and/or benefits if
applicable – voluntary termination at the next pay
period and involuntary within 24 hours
Rarely keep a terminated employee around
IMMEDIATELY delete usernames and passwords
Vacation is deemed a contractual benefit and the
employer is free to place restrictions on the manner
in which it is accrued or paid (EMPLOYEE
MANUAL!)
Main Ways to Avoid
Employee “Issues”
Know what the law says
Have written policy – Employee
Manuals are designed to protect the
GOOD employees
Be fair
Be consistent
Document, document, document
Bottom Line
OBS vs. the competition
EASE OF USE – OBS: YES
CUSTOMIZED TO YOUR OFFICE – OBS: YES
CUSTOMIZED TO OPTOMETRY
CUSTOMIZED TO YOUR STATE LAWS – OBS: YES
SEARCH AND INSERT – OBS: YES
TRAINING MODULES, DOCTOR & STAFF
PRICE – OBS: YES, $399
COMPETITION: ?
OSHA/CDC
(also called Hazard)
The Players
Centers for Disease Control and Prevention (CDC)
Occupational Safety and Health
Administration (OSHA)
Clinical Laboratory Improvements
Amendments (CLIA)
Really? Optometrists have to
worry about this stuff???
Do you perform ANY surgical procedures –
even minor? THEY APPLY
Do you perform any laboratory tests in your
office? THEY APPLY
Getting ready to tune out???
Do you have employees and see
patients? THEY STILL APPLY
CDC
The CDC’s main focus is prevention of the
spread of blood borne disease to patients
and employees
Specific regulations standardize the way you
handle wastes, sterilize/disinfect instruments
and work areas, exposure incident plans
Must keep manuals, records and train your
staff
Non-compliance – up to $10K per violation
PER DAY
For CDC compliance,
you must have policies
(written ones!)
addressing CDC’s
Universal Precautions
CDC Universal Precautions
1. Decontaminate (disinfect) work
surfaces
2. Prohibit eating, drinking or smoking in
any patient exam or treatment room
3. Provide adequate availability for
frequent hand cleansing
4. Proper sterilization / disinfection
of instruments
5. Use gloves when any potential
contact with body fluids (required for
blood exposure)
6. Wear lab coats during potential
exposure and have them professionally
cleaned
7. Provide protective eyewear when
indicated and facial masks when there is a risk
of exposure to airborne pathogens or
splashes
8. Use sharps containers
9. Minimize handling of patient tissue by
using surgical spears, Q-tips, or gloves
10. Assure proper disposal of potential
infectious waste
OSHA
OSHA’s main focus is creating a safe
environment for employees and patients
Significant overlap with CDC
Also requires documentation of protocols
and procedures related to cleaning,
dangerous chemicals, etc. (FYI – Windex is
a dangerous chemical under OSHA!!)
OSHA has significant powers and authority
– penalties include significant fines and
ability to close you down
Complying with OSHA
Assure safety in your workplace
Establish standards for infection control
Establish standards for waste disposal
Establish standards for use of hazardous
chemicals in the workplace
If applicable (more than 10 employees),
establish a written emergency plan for
your office
Train your staff
Specific to Minnesota
Minnesota statute requires all employers with
more than 10 employees to keep an illness
and injury log. There is no specified format for this,
but it generally should include the following:
Employee involved
Date of injury/illness
Any consequence of injury/illness
In general, “illness” would include any
communicable disease
Communicable Diseases per
Minnesota Department of Health
More common ones: AIDS, MRSA,
chickenpox, chlamydia, conjunctivitis, flu,
herpes, streptococcus infection, hepatitis, lice,
Lyme Disease, molluscum, mumps,
pneumococcal infection, salmonella,
tuberculosis, toxoplasmosis, viral
gastroenteritis, vaginitis
Complete list at:
www.health.state.mn.us
CLIA
Objective is to ensure quality laboratory
testing / results
If you perform laboratory tests for the
purpose of diagnosing, preventing or
treating a condition – even if provided at no
charge – CLIA applies to you
This includes tear film testing, genetic
testing, rapid pathogen testing, glucose
testing (even finger stick), cultures, smears
Have to register and pay fees – if you
perform any of these tests
CLIA Categories
CLIA categorizes tests based on their
complexity
Waived (most we use)
Moderate – also called Provider Performed
Microscopy (PPM – cultures and smears)
Complex
Most of what we do is “Waived” – but
you still have to register
Waived Tests
Blood glucose (83037QW)
A1cNOW (83037QW)
CardioChek (83721QW)
ThyroChex (84443QW)
Tear Analysis (83861QW)
Rapid Pathogen Screening (87809QW)
Complete list at www.cliawaived.net
Your Hazard Communication Program
(manual) must be designed to align
you with compliance with all safety
requirements of CDC, OSHA and
CLIA
This requires time (your time –
lots of it) or money (outsource)
OBS MAKES IT EASY!
HIPAA
Write it backwards on your forehead…
“Non-compliance with HIPAA
regulations may be the most
serious financial mistake you
make in your professional career”
Joe W. DeLoach, OD, FAAO
Let’s start with a review of the
HIPAA laws
1. The Privacy Rules – in effect
since 2004
2. The Security Rules – in effect
since 2006
3. HiTech amendment – 2010
4. Omnibus amendment - 2013
Already feeling “out of date”???
How Most (I repeat…MOST) Doctors
Have Handled HIPAA Compliance
Really? There are HIPAA Violation
Convictions???
[Bar chart: HIPAA violation convictions by year, 2005 through 2012; vertical axis 0 to 20,000]
What Changed in 2010 to Make
This a Truly Scary Problem
Hi-Tech Amendments 2010
Prior to 2010, enforcement power lay with the Office of
Civil Rights – it changed to the OIG and State Attorney
General Offices – THIS WAS A BIGGIE!!!
Fines increased – many States levied additional
state fines
Allowed for “unrestricted” civil penalties
Whistleblower Act
Elimination of the “ignorance” excuse – “has
reason to know” changed to “should know”
But, most importantly…
The HIPAA Audit Project
Proved that finding HIPAA NON-compliance was going
to be easy and massively profitable
for the Feds and the States
The HIPAA Audit Project
Authorized by Section 13411 of the HiTech Act – an
outside agency was hired (“hired gun”) to conduct
random audits of HIPAA compliance
Initial results completed, and guess what???
Less than 17% of covered entities were likely to be
compliant with Privacy and Security Rules!!!
Optometry is doing a bit better but some if
not many of you in this room are still
playing risky games with your finances
Scared? You Should Be!
Smart Data Collective: 2013
“The average fine for a HIPAA
breach has increased from $400K
in 2010 to $1.4 MILLION in 2013”
Why? Because they can!!!
Most Common Causes of
Violations
Lost or stolen laptops
Lost office backup tapes / drives
Loose mouths
Server “hacks”
True criminal activity
Stupid Violation of Month
By the way….
Federal and Minnesota law allow both the
Office of Civil Rights and the “harmed”
individual to BOTH file suit against the
individual “violator”. The “violator” can be
the doctor but can also be the staff member.
To date, most all HIPAA penalties have
resulted from the actions of staff – most
likely not trained well by their employer!
Ways You Are Most Likely
Going to Have a Date With the
HIPAA Police
Taking patient information out of the office
Unhappy patient
Litigious patient who is up on world events
(the “Nut Principle”)
“Concerned” patient who reads too much
Unhappy current or former employee
So, I ask you…
Everyone who has never had an unhappy
patient, raise your hand
Now, everyone who has never had to deal
with an unhappy employee, keep your
hand up
Those of you with your hand still up: Santa Claus,
the Easter Bunny, the Tooth Fairy and World Peace
are likely also on your list of beliefs
Has OBS been tested?
YES!!! TWO TIMES in Texas Alone
OBS manuals have gone through a
COMPLETE investigation by the HIPAA
Police and given a Gold Star!!
If you want to know just how
sleepless nights can get, talk to
your Texas colleagues Tony Bass or Kevin Katz
How About Examples from
Minnesota?
Bunches…
Allina Hospital – “peeking” violation (undisclosed
settlement)
Accretive Health – employee lost (reported stolen)
laptop. $2.5 million fine – under appeal
Park Nicollet – “peeking” violation, employee
suspended, undisclosed settlement
University of Minnesota Health Department –
researcher accessed wife’s file, undisclosed
settlement
Many more – and MANY more under
investigation!
Not “skeered” yet?
How about 113 attorneys in
Minnesota who have HIPAA
litigation as one of their areas of
service?
Think they know something you
don’t?
REALLY JOE? What is my likelihood of
getting in trouble?
ANSWER: Not real high – but more than the risk of a
malpractice suit, and everyone seems worried about that
What am I looking at if I do get in
trouble?
Low end - $25,000
High end – Over $1 million
What does it cost to protect my practice?
Depending on company you choose, anywhere
from $300 to $5000 plus varying amounts of your
time (from not much to massive amount)
So how much of a gambler are you?
And If I Do NOTHING?
$250,000.00
So how much of a
gambler are you?
Hopefully now you
understand why we
urge you to become
HIPAA SMART…so
let’s get on with it
First, let’s talk
about what has
been in place for
over a decade
(Not just September 23, 2013)
Privacy is both a State
and Federal Issue
When applicable, we will compare the
Federal mandates and how or if that
affects Minnesota privacy laws on the
books. Our HIPAA Manual details any
areas where Federal and Minnesota
law are not in agreement.
What HIPAA charged us to do.
There are four main parts of the
Administrative Simplification Rules
I. National Identifier Rules
II. Transaction and Code Sets
III. Privacy Rule
IV. Security Rule
The Privacy Rules
Privacy is all about disclosure…
Two types of disclosure
Routine disclosure – this is what most of us
do on a day to day basis (talking to patients,
medical records, FAX, email, lab orders, etc) and
what we are concentrating on today
Non-traditional disclosure – anything not
routine (legal issues, possibly research
information, etc)
Do the Privacy Rules Regarding CONSENT
Apply To Routine Uses and Disclosures of
Health Information?
YES, but…consent of the patient to allow the provider
to release or disclose health care information is not
required (is implied) as long as the release or
disclosure is related to:
Treatment of the patient
Payment issues
Healthcare/business operations
We call this “TPO”
BUT…
EVERYTHING IS NOT
TPO – EVEN TPO
MAY NOT BE TPO
In General, What Must We Do To Comply
with the Privacy Rules? SIX STEPS: 1-3
Designate a Privacy Officer and a
Public Information Officer
Develop policies and procedures on
how medical records are handled in the
office and transmitted by any means
(Privacy Manual, Privacy Notice, etc)
Meet all documentation guidelines
In General, What Must We Do To Comply
with the Privacy Rules? SIX STEPS: 4-6
Provide initial, updated, DOCUMENTED
training to all employees
Establish systems to handle any break
in privacy and establish sanctions for
employees who violate policy
EDUCATE YOUR PATIENTS! (thank you
government, may I have another please….)
How Must We Inform Patients Of
Their Privacy Rights?
1. It is the responsibility of each provider to
formulate a written Privacy Manual and a
Notice of Privacy Practices (NPP)
2. The NPP must be posted in the office in a
visible and accessible location and you
must have copies available to any patient
who requests one (only if they request it!).
3. The provider must attempt to get
verification that the patient understands
the office policies – this is called an
Acknowledgement of Notice Of Privacy
Practices (ANPP)
How Are Patients Informed Of
Their Privacy Issues (cont’d)?
4. The ANPP must inform the patient of
their right to view your Notice of
Privacy Practices (NPP)
YOU ARE LEGALLY OBLIGATED TO
COMPLETE ALL THESE STEPS AND
ANSWER YOUR PATIENT’S
QUESTIONS ABOUT ALL THEIR
RIGHTS
(There are more? Oh yeah….more coming!)
What Specific Rights Does The Patient
Have Regarding Your Privacy Policies ?
The patient may refuse to verify and
agree to the ANPP/NPP and seek care
from another provider
The patient may inspect and/or ask for a
copy of their health care information
The patient may request amendments to
their health care information
The patient may make a reasonable
request for individual confidentiality
accommodations
More Patient Rights
The patient has a right to an accounting of
all disclosures by the provider (only nontraditional disclosures and only once a year)
The patient who feels their privacy has
been violated may file a complaint with your
Privacy Official, the Office of Civil Rights, or
now the Minnesota Attorney General’s
office (NEW!!)
The patient has the right to be notified if
your policies substantially (NEW!) change
Laundry List of Other Privacy Issues
Authorizations
Marketing
Minimum Necessary Rule
Incidental Disclosure Rule
Business Associates
HIPAA Breach
Medical records review
Medical records request
Request to change medical records
Requests for disclosure documentation
Individual privacy accommodations requests
You and your staff must understand all of these issues
and they must be addressed in your Privacy Manual
CAN YOU DO ALL THIS YOURSELF? SURE,
YOU CAN READ ALL ABOUT IT – 1192 PAGES
OF FEDERAL LAW
Some HIPAA Issues - Quick Answers
Patient wants a copy of their medical record
Just give it to them
Patient wants to view their medical record
Just let them
Patient refuses to sign your ANPP
Just say no
Patient wants to amend their medical record
As a rule, just say no
Patient wants special privacy accommodations
Just say no
Unique to Minnesota
In Minnesota, if the patient cannot
understand what is in their medical
record or what it means, you are
obligated to provide them with a
written summary in language they
can understand.
What About Minors?
In Minnesota, an adult is any individual at
least 18 years old; is living away from
parents and controlling their own finances; is
married; or, has children
In Minnesota, a minor may, without parental
knowledge or approval, consent to
evaluation and treatment for any sexually
transmitted disease (includes chlamydia),
pregnancy or alcohol or drug abuse. The
provider makes the decision regarding
notification of the parents or allowing the
records to be released to the parents.
What Has A Patient NOT
Consented To?
Anything that is not TPO – not directly
related to their care in your practice.
To release that information, the
patient must sign an
Authorization
What Is An Authorization?
Authorizations are required when the release or
disclosure of health care information is for nontraditional purposes, including but not limited to:
Pre-employment physicals
Drivers license forms (debated – probably OK)
School vision screening forms (debated – probably
OK)
Information for life insurance
Information for employment eligibility
Marketing purposes - MUCH more later
Psychotherapy notes (again, special rules)
ANY other reason the patient feels is a nontraditional disclosure
Unique to Minnesota
Minnesota law requires documentation on the
Authorization form that exceeds HIPAA
requirements. Authorizations must include:
Description of the information disclosed
Specific individual information is disclosed to
Anyone else the disclosure applies to
Expiration date
A statement of the patient’s right to revoke the
authorization
Signature, time and date
Now, Privacy’s
Evil Twin…
The Security Rules
Security Rules
Security Rule Requirements
Appoint a Security Officer
Conduct a risk analysis and risk management plan
to determine threats or risks in your operational
systems
Complete the Organizational Requirements
Documented policies and procedures for all
applicable Security Standards – Security Manual
And that is how involved? Another
1,000 pages of legal mumbo jumbo
Risk Analysis Plan
This is an eight step process – eight questions you
need to answer related to your individual office
operations, location and type of hardware/software
environment you have in operation
Unlike some propose, it need not be a novel. It is
simple, concise answers to the eight questions that
serve as the main basis for how you will develop
your Risk Management Plan, which is for the most
part your compliance with the Security standards.
It must be followed by a Risk Management Plan
that addresses each risk identified
Security Rules
The Security Standards do not prescribe a
specific policy, software or other course
of action. They operate on the premise
of “Flexibility of Approach” and “scalability”,
giving the formation of security policies a very
individual format.
Individual decisions on meeting required
security standards are based totally on a
unique risk analysis conducted by the
covered entity.
Be very careful about
paying attention to those
who tell you that you
HAVE to do certain things
to meet the Security
Standards under HIPAA
THEN…you must complete the remaining
42 Security Standards
Measure: Total Number – Required or Addressable
Organizational Requirements: 4 – All Required
Administrative Safeguards: 23 – 11 Required, 12 Addressable
Physical Safeguards: 10 – 5 Required, 5 Addressable
Technical Safeguards: 9 – 4 Required, 5 Addressable
What Do Security
Standards Look Like?
Administrative Safeguards
Information Access Management
Access Establishment and Modification
Implement policies and procedures to review
and follow the access and authorization
process granted to workforce members.
Questions
1. Is a policy in place to routinely monitor the
procedures for granting access to PHI?
2. Who is responsible for monitoring this
process?
3. Are workforce member roles routinely
reviewed to see who does and does not
have access granted?
Physical Safeguards
Device and Media Controls
Media Re-Use (R)
Implement procedures for removal of PHI
from electronic media before it is re-used
Questions
1. What procedures are in place for
removing PHI from any media used in the
practice before it is re-used for the same
or different function?
2. What information must be purged?
Are we having fun
yet?
That is all OLD news, Most is
VERY old now
What’s new?
ONLY ANOTHER 712 PAGES OF
FEDERAL LEGISLATION!!!
GIFTS FROM D.C.!
Omnibus Rule 2013
Actually, this is just final implementation of the
provisions set forth in the HITECH legislation
under the American Recovery and
Reinvestment Act of 2009 (fancy name for a
bunch of nonsense!)
Described by head of Office of Civil Rights as
“the most sweeping changes to the HIPAA
Privacy and Security Rules since they were
first implemented”
Not much of an exaggeration….
Federal Changes
(all went into effect September 23, 2013)
Breaches
Business Associates
Requests for medical records
Restricted disclosures to health plans
Marketing communication exceptions
Established violation penalty “tiers”
Other minor issues
Federal Changes - Breaches
Bottom line on a breach has
not changed.
If one occurs, contact Jeff
Drummond at
[email protected]
(our recommended HIPAA attorney)
Federal Changes – Business
Associates
Business Associates now include any entity
“sub-contracted” by the main Business Associate. But
compliance of the sub-contractor is the
responsibility of the main Business Associate
Entities are NOT liable for the actions of a
Business Associate as long as they are an
independent contractor
Business Associates defined to include health
information organizations (ex. e-prescribing
gateways and health information organizations)
Federal Changes
Release of Medical Records
Patients may request their medical records be
provided in “electronic format” (flash drive, email,
EHI, laptop, Ipad, Dropbox, etc). Physician is not
REQUIRED to comply if they feel the introduction of
an outside drive could compromise the security of
their network. BUT – law further states that hard
copies are permitted “only when the individual
rejects all readily reproducible e-formats”. OBS
recommends you restrict release only to secured
email, registered EHIs and media you supply to the
patient – but your decision.
Federal Changes – Restricted
Disclosure to Health Plans
At the patient’s request, physicians may not
disclose PHI to the health plan when the care is for
services the patient has paid for entirely out of pocket.
This applies only to the encounters related to the
care the patient wants restricted (and paid for).
A big issue here is that when releasing medical
records to that plan at any point in the future, this
information must be removed
Federal Changes
Marketing Communications
Oh you’re gonna love this….
New law further restricts a physician providing
marketing communications to patients when it
involves a third party product.
To provide this communication, the physician
must have a signed authorization from the
patient and the communication must have an
“opt-out” clause.
There are exceptions….
Federal Changes
Marketing Communications
Exceptions:
When the physician receives no compensation of
any kind for the communication
The promotion provides general health
information without mention of a specific third
party product
The communication involves government or
government sponsored programs
Federal Changes
Marketing Communications
Exceptions:
The communication is face-to-face
The communication involves a drug the patient is
currently being prescribed and any payment for
the communication is limited to only the actual
costs of the communication. BUT…be very
careful as this could VERY EASILY
violate other privacy standards
Let’s Boil It Down
Three questions….
1. Does the communication contain patient
information?
2. Does the communication contain
information about a third party product?
3. Did you receive compensation of any
kind for the communication?
If yes to all three…VIOLATION
VERY complex…
Here are a few
examples of what you
“for sure” CANNOT do
(and some not so sure!)
Examples
A company funds your recall or newsletter
that is mailed to the patient – they pay for
the notices or pay you money to advertise
on it. The communication has information
about their new contact lens, frame line,
treatment…etc.
VIOLATION
Examples
You send out recall notices or newsletters
that are mailed to the patient – a company
pays part or all the costs of this mailing. The
communication has information about their
new contact lens, frame line, treatment…etc.
VIOLATION
Examples
A company provides your recall or newsletter
that is mailed to the patient – they provide you
a discount on their services, free or reduced
fee products in return for this work. The
communication has information about their new
contact lens, frame line, treatment…etc.
VERY SHAKY
HIPAA provides some exception for “in kind”
reimbursement but doesn’t define what that is.
Our attorney says slippery ground.
Examples
A data mining company sends out an
information piece containing information
about a new contact lens, medication, etc.
They are paid by the company that makes
that contact lens, medication, etc.
VIOLATION
(per my attorney, some of theirs disagree)
Examples
A company that makes a product or service
assists you directly or indirectly in designing
your website in return for advertising their
product(s)
NOT A VIOLATION
(as long as recipient list is “de-identified”)
Who Needs a Drink???
Federal Changes - Marketing
Bottom line – marketing can
be tricky.
If you aren’t sure, contact
OBS or Jeff Drummond at
[email protected]
(our recommended HIPAA attorney)
Federal Changes
Misc Actions
Fees for hard copy of medical records may
now include reasonable labor costs
associated with producing the records –
assuming the state does not impose a lower
fee
Allows physicians to disclose a deceased
patient’s PHI to family or friends who were
involved in providing, or paying for, the
deceased patient’s care.
Limits protection of a deceased patient’s PHI to
50 years after death (previously it was indefinite).
Bottom line…
Most all of this is total
nonsense…but non-compliance
with HIPAA is just like practicing
without professional liability, driving
without insurance, etc…. – but the
odds of losing in the HIPAA game
are MUCH higher
OBS can make this as easy as
possible for you.
Easier than any other
compliance company in the
business
Bottom Line
Comparison of HIPAA compliance products
Products compared: HIPAATRAINING.NET (online only), AOA, OBS, MYHIPAATRAINING.COM (online only)
Criteria compared: ease of use; customized to your state laws; customized to your office; customized to optometry; search and insert; training modules for doctor and staff; sample letters; price
Ratings as extracted from the slide (row and column order not recoverable):
Somewhat / No / NO / YES
No / No / Somewhat / YES
NO / NO / NO! / NO / NO / NO / YES
NO / NO / Somewhat / YES
YES / NO / NO / YES / NO / YES / NO / YES
Prices: $1,299 / $1,125 / $270 / $499
Back to you
Joe
Audits
The Age of Audits
Is this the Golden Age of audits?
YES!
So, you’re broke, you need money, your system is
under scrutiny because it loses more and more
money – you are presented with an investment
opportunity with a historical 50:1 return on
investment.
What would you do???
The Age of Audits
Optometry has never been “targeted” – has
that changed?
If you are
filing claims,
you are a
target!
The Age of Audits
What Has Changed?
First and foremost – if you hadn’t heard, the
government is broke and looking for money!
Health care reform – major emphasis on fraud,
abuse and WASTE
Change in False Claim Statute language from
“knows or has reason to know” to “knows or should
know” (Ignorance is no longer bliss!)
Qui Tam – The Whistleblower Act
Recovery Audit Contractors – the witch hunt is ON!
The Age of Audits
General Statistics – Medicare Alone
Estimation of improper payment from all
sources in 2010 - $48 billion
Recovery efforts total in 2008 – just over $8
billion. 2010 – $12.5 billion
Therefore….lots of low hanging fruit left!
And Medicaid has a higher improper
payment amount than Medicare!
And Optometry Not A Problem:
RIGHT?
Estimated 2012 audit repayments from
optometry – all payors
$28.5 MILLION
Whether you know it or not, believe it or
not – most of you in this room are next
in line over the next three years!
In order, the culprits:
1. Medicare
2. Aetna
3. VSP
4. BCBS
5. EyeMed
What Did OBS Training Audits
in 2013 Reveal
After THOUSANDS of patient encounters
Average payback on “mini” audit
(25 records) - $1,911.00
Average 5-year recoupment
penalty
$397,650.00
Take home message…
Auditing is VERY
good business!
“Auditing has become one of our
most profitable lines of business”
Medical Director, Aetna 2012
The Age of Audits
What Triggers an Audit
Specialization
Success (The “Ladder Principle”)
Repetition
High utilization of single codes
Billing codes not commonly used by the majority
of your colleagues
Billing codes at a higher percentage rate than
the majority of your colleagues
None inherently wrong, but…
Normal Intraprofessional Utilization
Curve - Service Items
[Figure: bell curve of a service item’s utilization across colleagues; the low tail is labelled “Expect a Malpractice Claim”, the centre “SAFETY”, and the high tail “Suspect Zone – Expect a Call!!”]
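One way to see the “suspect zone” idea in code, as an added example that is not part of the original slides or of OBS’s materials: compute a provider’s share of claims for each billing code, compare it with a peer group’s mean and standard deviation, and flag codes that sit well above (or well below) the colleagues’ curve. The peer counts, the provider counts, the CPT codes used and the two-standard-deviation cut-off are all constructed assumptions for the demonstration.

```python
"""Peer-comparison check for billing-code utilization.

Added example (not from the original slides). Mirrors the utilization
curve: where does each of your codes sit against your colleagues?
All counts below are constructed sample data; the 2.0 z-score cut-off
for the "high" (suspect) and "low" zones is an assumption.
"""
from statistics import mean, pstdev

# Constructed sample: number of claims per code, per peer provider.
PEERS = {
    "peer_1": {"92004": 120, "92014": 310, "92015": 280, "92250": 40, "92083": 15},
    "peer_2": {"92004": 95,  "92014": 260, "92015": 240, "92250": 30, "92083": 10},
    "peer_3": {"92004": 140, "92014": 330, "92015": 300, "92250": 55, "92083": 20},
    "peer_4": {"92004": 110, "92014": 290, "92015": 270, "92250": 35, "92083": 12},
    "peer_5": {"92004": 100, "92014": 300, "92015": 250, "92250": 45, "92083": 18},
}
# Constructed provider under review: 92250 and 92083 billed far more
# often than the peer group.
PROVIDER = {"92004": 105, "92014": 295, "92015": 260, "92250": 210, "92083": 90}
# Constructed provider whose mix tracks the peer group.
CLEAN = {"92004": 115, "92014": 300, "92015": 275, "92250": 42, "92083": 16}

Z_CUTOFF = 2.0  # assumed boundary of the safety zone, in peer std deviations


def shares(counts):
    """Fraction of a provider's claims carried by each code."""
    total = sum(counts.values())
    return {code: n / total for code, n in counts.items()}


def peer_stats(peers):
    """Per-code (mean share, population std dev) across the peer group."""
    by_code = {}
    for counts in peers.values():
        for code, share in shares(counts).items():
            by_code.setdefault(code, []).append(share)
    return {code: (mean(v), pstdev(v)) for code, v in by_code.items()}


def utilization_report(provider, peers, z_cutoff=Z_CUTOFF):
    """Return {code: (provider_share, z_score, zone)} with zone in
    {"low", "safety", "high"}. A code the peers never bill has no
    z-score and is placed in the "high" zone outright."""
    stats = peer_stats(peers)
    report = {}
    for code, share in shares(provider).items():
        if code not in stats:
            report[code] = (share, None, "high")
            continue
        mu, sigma = stats[code]
        if sigma > 0:
            z = (share - mu) / sigma
        else:  # peers are identical; any difference is unbounded
            z = 0.0 if share == mu else float("inf") * (1 if share > mu else -1)
        zone = "high" if z >= z_cutoff else "low" if z <= -z_cutoff else "safety"
        report[code] = (share, z, zone)
    return report


def flagged_codes(provider, peers, zone, z_cutoff=Z_CUTOFF):
    """Sorted list of codes that fall in the requested zone."""
    rep = utilization_report(provider, peers, z_cutoff)
    return sorted(code for code, (_, _, zn) in rep.items() if zn == zone)


if __name__ == "__main__":
    for code, (share, z, zone) in sorted(utilization_report(PROVIDER, PEERS).items()):
        ztxt = "n/a" if z is None else f"{z:+.1f}"
        print(f"{code}: {share:.1%} of claims, z={ztxt}, zone={zone}")
```

Running it flags 92250 and 92083 as “high” for the sample provider, which is the payor’s view of the right-hand tail. Note the side effect: because shares must sum to one, heavy billing of two codes pushes the provider’s shares of 92004, 92014 and 92015 into the “low” zone even though those counts are ordinary. When you do this for real, compare rates per patient visit (or per beneficiary) rather than raw shares so that one inflated code does not make every other code look under-used.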
Audits and Payors
The breadth of this topic is far too big for
this course.
WITHOUT A DOUBT, almost every payor
has stepped up their audit/recovery game
The bottom line is you need to familiarize
yourself with the records documentation
requirements and the audit procedures of
every payor you do business with.
Audit Defense
The best defense is always a great
offense!
Keep exquisite medical records
Know your payor rules and policies
(remember they are REGIONAL!!)
Keep updated by signing up for payor
website listservs and newsletters
Audit Defense
Two New Tools
“Training” audits by a professional
company
If you do not have exquisite
expertise in billing, coding and
payor rules, consider outsourcing
billing services to professionals
www.optometricbusinesssolutions.com
Thank you for your attention
QUESTIONS??