Health IT: Should HIPAA Require Encryption?

According to the Associated Press, federal officials are planning to review whether HIPAA should require encryption. The Senate Health, Education, Labor and Pensions Committee said it will take up the matter as part of a bipartisan review of health information security. Recently, information on up to 80 million consumers, including names, birth dates, addresses, email addresses, employment information and Social Security/member identification numbers, was compromised in the attack on Anthem. According to sources, Anthem’s information was not encrypted. However, Anthem has stated that the hacker also had a system administrator’s ID and password, “which would have made encryption a moot point.” Security experts have said that a stolen credential by itself should not be the key to the whole data kingdom and that information should always be encrypted wherever it resides.


NPP Distribution Deadline Approaching Quickly!

The compliance deadline of 9/23/13 for the final omnibus HIPAA/HITECH rule is approaching quickly. Health care providers and health plans must revise their notice of privacy practices (NPP) and make them accessible to all individuals, including those with disabilities. Distribution rules differ for health care providers and health plans.


House Investigates IRS HIPAA Policies

The House Committee on Energy and Commerce has launched a probe of the Internal Revenue Service (IRS), which includes looking into the department’s Health Insurance Portability & Privacy Act (HIPAA) policies and procedures. The investigation is in response to a lawsuit alleging the agency unlawfully seized 60 million medical records.


Preparing For ICD-10: What You Need To Know Now

The ICD-9 code sets used to report medical diagnoses and inpatient procedures will be replaced by ICD-10 code sets on October 1, 2014. Below is an overview of what you need to know to prepare for the transition to ICD-10.

  • What Does ICD-10 Compliance Mean?  ICD-10 compliance means that everyone covered by HIPAA is able to successfully conduct health care transactions using ICD-10 codes.
  • Will ICD-10 Replace Current Procedural Terminology (CPT) Procedure Coding? No. The switch to ICD-10 does not affect CPT coding for outpatient procedures.
  • Who Is Affected By The Transition To ICD-10? Everyone covered by HIPAA must transition to ICD-10. This includes providers and payers who do not deal with Medicare claims.
  • Do State Medicaid Programs Need To Transition To ICD-10? Yes. Like everyone else covered by HIPAA, state Medicaid programs must comply with ICD-10.
  • What Happens If I Don’t Switch To ICD-10? Claims for all services and hospital inpatient procedures performed on or after the compliance deadline must use ICD-10 diagnosis and inpatient procedure codes. Claims that do not use ICD-10 diagnosis and inpatient procedure codes cannot be processed. Note that claims for services and inpatient procedures provided before the compliance date must use ICD-9 codes.
  • Will CMS Process ICD-10 Claims Early? No. CMS and other payers will not be able to process claims using ICD-10 until the compliance date; however, providers should expect ICD-10 testing to take up to 19 months.
  • How Are ICD-10 Codes Different? ICD-10 codes are different from ICD-9 codes and have a completely different structure. Currently, ICD-9 codes are mostly numeric and have 3 to 5 digits. ICD-10 codes are alphanumeric and contain 3 to 7 characters.
  • What Should Payers Do To Prepare? The transition to ICD-10 will involve new coding rules, so it will be important for payers to review payment policies. Payers should ask software vendors about their readiness plans and timelines for product development, testing, availability, and training.
  • What Should Software Vendors, Clearinghouses and Third-Party Billing Services Do To Prepare?  Software vendors, clearinghouses, and third-party billing services should be working with customers to install and test ICD-10 ready products. Take a proactive role in assisting with the transition so your customers can get their claims paid. Products and services will be obsolete if steps are not taken to prepare them.

Preparing For ICD-10: Just The Facts

The U.S. Department of Health and Human Services (HHS) has mandated the use of ICD-10 code sets to report health care diagnoses and procedures effective October 1, 2014. Implementation of ICD-10 code sets will alter the way coding is currently done and will require a significant effort to execute.

The first part of the HMS Healthcare Management Solutions blog series Preparing For ICD-10 provides an overview of ICD-10 in an effort to better prepare providers.

  • The ICD-10 compliance deadline is October 1, 2014.
  • All HIPAA covered entities must use ICD-10 starting October 1, 2014.
  • Claims that do not use ICD-10 diagnosis and inpatient procedure codes after October 1, 2014 cannot be processed.
  • CMS will not be able to process ICD-10 claims until the October 1 compliance date.
  • There are approximately 71,000 ICD-10 code sets compared to 16,000 ICD-9.
  • Procedural coding will require increased knowledge of physiology, anatomy, medical terms, surgical devices and implants, to name a few.
  • Clinical documentation must support new codes.
  • ICD-10 codes were developed with significant clinical input.
  • Coders will need to be certified for ICD-10.
  • Some specialties will have more assigned codes, resulting in greater “drill downs.”

ICD-10 code books are currently available to help prepare for the transition.

Tiptastic Tuesday: Creating Airtight Passwords

Practices are required under the Health Insurance Portability and Accountability Act (HIPAA) and meaningful use rules to perform security assessments. Yet many practices overlook simple things like password security because they are too focused on the big issues, like protecting health information, while overlooking other assets.

A recent report found that 72% of unauthorized online access to health care organizations in 2011 and 2012 was caused by hackers guessing correct passwords. Below are some tips for creating passwords that are meaningful enough not to be forgotten.

  • Make A Phrase: I_love_pizz@ (I love pizza)
  • Create An Acronym: IL2EP_vm (I like to eat pizza very much)
  • Include Shapes: @wdvgy& (letter V, starting with “@” key)
  • Use Emotions: Iam:)2bme (I am happy to be me)

Source: American Medical News

Meaningful Use Monday: EHR Privacy & Security

When adopting an EHR, it’s important to identify any gaps in how your practice fulfills its responsibilities under both the HIPAA Privacy Rule and other applicable laws. Privacy is the focus of the 4-step process, which complements the security risk analysis process emphasized in the 10-step plan for meeting Meaningful Use.

4-Step Privacy Process:

  • HIPAA Privacy Rule: Read about and become familiar with HIPAA Privacy Rule requirements.
  • State Privacy Laws: In many states, state agencies or professional associations have prepared an analysis of the interaction between state privacy law and the HIPAA Privacy Rule. Find out if such an analysis is available in your state.
  • Federal & State Privacy Requirements: Review your practice’s adherence to federal and state privacy requirements. Assess and address any compliance gaps.
  • Patient Privacy Concerns: Anticipate and address privacy concerns patients may have as their health information goes digital.
