Tuesday, November 24, 2015

Why HIPAA Compliance is Lacking in Smaller Practices and Where to Begin

Why Compliance and Security Are Still Lacking

A number of healthcare data breaches have made the news of late, particularly involving large insurance companies and data clearinghouses. As the media portrays the situation, our private health information is leaking to the outside world at an alarming rate. Based on Bitsite's recently-released Third Annual Industry Benchmark Report, we should not be surprised. Based on the Bitsight report, the healthcare industry is near worst in overall security, with only education below them.

The data available prompts one big question – why is the security of our most personal data so poor? By comparison, security in the financial industry (best in the Bitsight report) is well addressed, with significant guidance and oversight being provided by PCI, GLBA and other bodies of regulations. The healthcare world has HIPAA, which admittedly, as security standards go, is fairly weak. That being said, it does not appear that it is being followed well. 

In her article Why are healthcare data breaches so common?, author Stephanie Tayengco suggests 5 reasons why 91 percent of healthcare organizations reported at least one breach over the last year: 
  1. Systems are old and complex
  2. Health IT is 95 percent manual work
  3. Disjointed monitoring
  4. "We’re already HIPAA compliant”
  5. Health data is valuable 
I tend to work with smaller healthcare organizations, the front lines of the healthcare cyberwar. They have less data than the big guys, but are usually much easier to hack. While Tayengco's list is quite appropriate for the industry as a whole, I see a somewhat different story in the niche I work with:

Transition to EMR without considering security 
Many smaller practices are adopting electronic medical record (EMR) systems. This is prompted partly by financial incentives available under the HITECH Act, and partly because an EMR system is seen as a pathway to HIPAA compliance. In most cases, practices are selecting “HIPAA compliant software,” thinking that the selection constitutes their compliance and as a result resolves their security issues. Sadly, this is a myth often spread by software companies as a sales tool. Compliance impacts the totality of a practice, not just the software used. 
Buy something that says “HIPAA,” and you are covered 
HIPAA is a complex standard, and not documented in a way that folks in medical practices can easily comprehend the requirements. As such, I have observed that a practice will buy something that claims HIPAA compliance, be it a secure email system, an encrypted storage system, etc, and assume that the purchase makes them compliant, and therefore secure. Again, HIPAA applies to the totality of a practice. It cannot be met by the purchase of a single product, no matter what the sales person said. 

No monitoring 
Tayengco is exactly correct in her point about disjointed monitoring, but again, that applies to the larger organizations. What I see in smaller practices is the complete lack of monitoring. These folks generally have no idea how to even open a log file, let alone review it. They often assume that their IT provider is handling it for them, which is usually not the case. Their network may be under attack, and they don’t even know it. 

Ignoring paper records 
While adoption of EMR by smaller practices has been strong, paper records almost always remain. This may result from the decision not to add archival paper records to the EMR system, or because they serve as a bit of a security blanket. Whatever the reason, they often sit in unlocked file cabinets with no controls in place, leaving them open to insider threats

Lack of basic network protection 
In my experience, smaller practices are not much different from small business in general with their adoption of basic security controls like firewalls, strong wireless systems and data encryption. I rarely see these practices properly adopted in any small business, medical or otherwise. 

No training or policies 
Have you ever tried to put together a bike for one of your kids at Christmas without the instructions? Unless you happen to be an engineer, attempting this will result in a string of expletives, and a disappointed kid. In the HIPAA world, we seem to expect staff members to fill their roles in the compliance effort without understanding what they are, or having the necessary basic training or skills to pull it off. We would not think of putting a medical office employee with a patient without the necessary technical training, so why is compliance different? 

I am just too small for anyone to mess with 
This may be the most common excuse I hear in small practices, and small businesses in general. Those in smaller groups consider themselves invisible as compared to Anthem, Blue Cross, or a large hospital. They miss the fact that they are usually easy to breach, and readily found on the Internet. If they use Comcast as their internet provider for example, their business information is likely on the Comcast website as a public hot spot
Unfortunately, while data breaches involving the big players usually become known reasonably quickly, patient data may be leaking from the smaller practices without anyone ever knowing. Once patient data hits the black market, we may never know its source. This makes the lack of security at smaller practices very dangerous. 

Addressing compliance and security
If you are reading this as a member of such a practice, here are the steps you should begin to take immediately to address compliance and security: 
  • Understand HIPAA requirements, and formulate a compliance plan
  • Implement essential security practices on your network
  • Training your employees, and give them policies and procedures to follow
  • Monitor your systems and logs for evidence of issues 
If the above seems a bit overwhelming, there are many organization's available to help. If you are reluctant to spend the money for such help, keep in mind that you would never consider fixing your X-Ray machine yourself. If you don't have the time or expertise for HIPAA/security, hire someone who does. 

Bottom line – as a small practice, you are not invisible. Rather, you are the front line of the battle. Recognize that you are at war with those who would steal patient data, and begin fighting back.

For more information on this and other healthcare compliance topics related to HIPAA, OSHA, Medicare and HR, simply email your questions to support@hcsiinc.com
visit our website at http://www.hcsiinc.com or post a question on our LinkedIn group at: http://bit.ly/1FWmtq6

To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Friday, November 13, 2015

140 Reasons You Should Be Concerned About the 2016 HIPAA Audits

Health care organizations and the 140 areas that could be checked during a HIPAA audit

Beginning early 2016, the Office of Civil Rights (OCR) will begin auditing health care organizations to check their HIPAA compliance situation. This is a new effort by OCR, with increased funding, to hold health care organizations accountable to the HIPAA Compliance Rules and Standards.

When a health care organization is audited by OCR, they will need to have documentation of their compliance in more than 140 areas of the HIPAA Compliance Rules. These areas of accountability include:

  • HIPAA Security Rule (Required and Addressable): 66 individual requirements
Health and Human Services web site describes the difference between required and addressable:
If an implementation specification is described as “required,” the specification must be implemented. The concept of "addressable implementation specifications" was developed to provide covered entities additional flexibility with respect to compliance with the security standards. In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification:
(a) implement the addressable implementation specifications;
(b) implement one or more alternative security measures to accomplish the same purpose;
(c) not implement either an addressable implementation specification or an alternative.
The covered entity’s choice must be documented. The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework.

  • HIPAA Privacy Rule: 67 individual requirements
Requirements for compliance with the HIPAA Privacy Rules.
  • HIPAA Breach Rule: 10 individual requirements
Requirements for self-reporting when a HIPAA breach occurs.

HIPAA audits are going to happen and they are real. If your organization is not prepared to account for the 140 individual areas of accountability, then move forward and become compliant! Your organization will be held accountable for any areas of non-compliance.

It looks like OCR is beginning to take HIPAA compliance a lot more seriously and so should you. For your organization, HIPAA is an irritating nuisance, but for the individual, whose personal and private health information you have, it means so much more.

For more information on this topic, please feel free to email support@hcsiinc.com

Read more about upcoming HIPAA audits: http://bit.ly/1OiU2Wf

Learn more about conducting your own in-house HIPAA Security risk analysis: http://bit.ly/1Mkg0CE

Understand HIPAA Security workforce: http://bit.ly/1kwnH1g

To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Thursday, November 12, 2015

Medicare Advantage Fraud: Temptation, Consequence, and Protection

Knowing the law and keeping careful records may head off fraud and significant legal expenses.

Medicare Advantage delivers Medicare Parts A and B coverage through a private insurer. To encourage companies to participate in Medicare Advantage, CMS uses risk scores to determine how much a sponsor will be paid for each member of a plan. Risk scores assign a value to determine how much a plan member may cost the plan. For example, an individual whose family has a history of cancer would have a higher risk score than an identical individual without a family history. The higher the risk score of a plan member, the more the company is paid for that member’s plan.
Federal government payments to Medicare Advantage plans are based solely on the number of members enrolled at each risk score—not on the services received by the beneficiaries. That payment arrangement creates two temptations: to inflate risk scores and to sign up as many members as possible.
Recently, several whistleblower suits have shown that people do succumb to these temptations. One of those lawsuits revealed the existence of a memo­randum allegedly sent to physician practices encouraging doctors to bring in elderly patients to sign up for Medicare Advantage by promising the patients complimentary parking and waiving their copayments. Justice Department officials ultimately determined that there was no wrongdoing and didn’t intervene. But this case and others like it show that Medicare Advantage is coming under heightened scrutiny, and health plans need to be ready for it.

Legal consequences 

Medicare Advantage fraud enforcement comes in two basic flavors: CMS enforcement actions and whistleblower lawsuits. CMS initiates an enforcement action when officials decide a plan sponsor is in substantial or repeated noncompliance with its contract with the agency. Enforcement actions range from civil monetary penalties to terminating the plan’s contract. Intermediate sanctions may include suspended plan payments or the removal of the company’s ability to enroll new beneficiaries into its Medicare Advantage programs. Because Medicare Advantage has been under heightened scrutiny from Congress and the media, CMS may step up the number and severity of its enforcement actions.
Whistleblowers may bring actions under the False Claims Act on behalf of the government if they find evidence of fraud. As more sealed cases are made public, more whistleblowers could come forward with greater confidence that they will not suffer retaliation. Whistleblower lawsuits can mean millions of dollars in litigation costs, even when the lawsuit proves to be frivolous or off-base.

Four protective steps

What can health plan executives do to head off any problems with fraud? First and most fundamentally, know the law and abide by it. It is impossible for a plan sponsor that does not know what is legal and illegal to administer its plan legally. The leaders at a health plan must ensure that all employees of the company understand what constitutes fraudulent activity and how to prevent any such activity. They should avail themselves of any available resources to help them understand the requirements by which they must abide. That could mean discussions with an attorney or using free publicly available resources, such as the guidances posted on the HHS website.
Second, confirm that all required information, including billing information, is correct and complete. If an issue arises, accurate records will be key to demonstrating the legality of the provider’s policies. Third, implement a compliance program to ensure that the plan sponsor is fulfilling the required competencies for Medicare Advantage providers. Finally, report any violations promptly. All Medicare Advantage plan sponsors are required to have a mechanism to report abuses. No one may retaliate against an employee for making a report. Finding and actively resolving any violations could save millions of dollars in litigation costs years in the future.
Help fight Medicare fraud
Medicare fraud wastes a lot of money each year and results in higher health care costs and taxes for everyone. Examples of Medicare fraud include:
  • A healthcare provider billing Medicare for services you never got
  • A supplier billing Medicare for equipment you never got
  • Someone using your Medicare card to get medical care, supplies, or equipment
  • A company using false information to mislead you into joining a Medicare plan
You’re the first line of defense against Medicare fraud. You can help by guarding your Medicare number --- treat it like a credit card.

More ways to protect yourself, your loved ones, and Medicare from fraud:

Sources: Merle DeLancey & Lyndsay Gorton @ http://www.managedcaremag.com/https://www.cms.gov/
For more information on this and other healthcare topics related to HIPAA, OSHA, Medicare and HR compliance please email support@hcsiinc.com or visit our website at http://www.hcsiinc.com 
Join our LinkedIn group at: http://bit.ly/1FWmtq6

To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Economic Growth Fuels High Employee Turnover

With the economy on the upturn, talent retention is coming to the forefront for employers

A New York Times article cites the 2015 Deloitte survey of more than 3,300 business and HR leaders in 106 countries that found retaining talent was seen as the most important challenge, edging out developing leadership, which has been a long-time top concern.
Also, a study from Spherion of 225 HR managers mentioned in the Times article said far fewer employers were concerned about employee costs in 2015 compared to 2014. One-third of managers, however, said that after finding skilled workers, which is the #1 concern, came turnover and retention. Last year, only 25% had the same concern.
“It’s the No. 1 issue for H.R. professionals,” Chason Hecht, president of Retensa, an employee retention consulting firm, told the Times. Hecht said the problem was “pervasive across industries, but some are hit harder than others”, like healthcare. For healthcare, the main challenge is sourcing and keeping workers to serve an increasingly aging population, who have more health-related issues.
“In my experience, doing this for 15 years, this is the first time it has scored this high,” Josh Bersin, founder of the research firm Bersin by Deloitte and one of the report’s authors, told the Times.
Hayes MacArthur, an HR executive from EisnerAmper, an accounting firm with a workforce of more than 1,300, told the Times that apart from strategies such as reinventing performance reviews and doing exit interviews, one effective strategy is following up with departed talent months later to try to see if they will return to the fold. “When someone returns, it sends a great message to the rest of the firm,” he told the Times.

To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Wednesday, November 11, 2015

Understanding Business Associates

To be compliant with HIPAA, you must understand the Business Associate aspect of the law.

Business Associates of covered entities must comply directly with the HIPAA Security and Privacy Rules, according to the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Security Rule, which complements the HIPAA Privacy Rule, includes safeguards for protecting patients’ electronic protected health information (PHI), based on three components:

• Administrative: Organizations must have procedures that show how they will comply with the security rule
• Physical: Organizations must control how patients’ records are physically accessed and prevent inappropriate access
• Technical: Organizations must have a system to control computer access and monitor and protect communication that flows electronically over open networks.

Section 13401 of the HITECH Act includes the new BA requirements. The act also states that civil and criminal penalties for violations of the HIPAA and compliance audits apply directly to BAs. Covered entities must incorporate these additional requirements in their agreements with BAs, according to the new law.

A covered entity may disclose PHI to a business associate for purposes agreed to by contract.
HHS’ definition of a Business Associate:

• A business associate is a person or entity who provides certain functions, activities, or services on behalf of a covered entity involving the use and/or disclosure of PHI.
• A business associate is not a member of the health care provider’s workforce.
• A health care provider or other covered entity can also be a business associate to another covered entity.
• Covered entities who disclose PHI to providers for treatment are not business associates. An insurance company is not a business associate. They do not perform a function on behalf of a covered entity.

The provider’s office must document by means of a written contract or other written agreement the satisfactory assurances that the business associate will appropriately safeguard the information disclosed to them for their use.

Examples of a business associate are:

• A billing company
• A clearinghouse
• An answering service
• IT personnel who have access to computers containing PHI
• A document shredding company
• A collection agency
• An attorney
• Couriers

The contract with business associates covers a set of contractual obligations. Their function is to protect information generally and help the covered entity comply with the entity’s obligations under HIPAA.

HHS has stressed that PHI may be disclosed to a business associate only to help the providers and plans carry out their health care functions - not for independent use by the business associate.
To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Tuesday, November 10, 2015

OSHA and the Red Cross renew focus on protecting the safety of health care workers

OSHA and the American Red Cross renew alliance focused on protecting the safety and health of volunteers, employees

The Occupational Safety and Health Administration and the American Red Cross on 11/9/2015 renewed their alliance to continue efforts to reduce workplace incidents and protect workers from hazardous exposures. During this five-year alliance, OSHA and the Red Cross will focus on providing workers and employers with information and training resources on emergency preparedness, disease prevention education and first aid.
“Our alliance with the Red Cross over the past 10 years has allowed us to share safety and health information with workers, particularly those most vulnerable to workplace hazards,” said Assistant Secretary of Labor for Occupational Safety and Health Dr. David Michaels. “We look forward to continuing this partnership to provide workers with the resources necessary to stay safe and healthy on the job.”
The Red Cross has been helpful in sharing information on updates to OSHA’s injury reporting requirements and also hosted a webinar on bloodborne pathogens and prevention of disease transmission in the workplace.
“This alliance reaffirms our commitment to training and preparation to help save lives,” said Dominick Tolli, Vice President, Preparedness and Health and Safety Services at the Red Cross. “Knowing the correct steps to take in those critical first moments of an emergency can mean the difference between life and death.”
Founded in 1881, the Red Cross helps communities through disaster preparedness and service. Volunteers and staff provide care to people affected by disasters in the United States and support members of the military and their families.  The Red Cross also facilitates blood collection and distribution, health and safety education and training, and international relief and development.
Through its Alliance Program, OSHA works with unions, consulates, trade and professional organizations, faith- and community-based organizations, businesses and educational institutions to prevent workplace fatalities, injuries and illnesses. The purpose of each alliance is to develop compliance assistance tools and resources and to educate workers and employers about their rights and responsibilities. Alliance Program participants do not receive exemptions from OSHA inspections or any other enforcement benefits.
Under the Occupational Safety and Health Act of 1970, employers are responsible for providing safe and healthful workplaces for their employees. OSHA’s role is to ensure these conditions for America’s working men and women by setting and enforcing standards, and providing training, education and assistance. For more information, visit www.osha.gov.

All health care providers are required to complete training anally in OSHA rules and compliance. In busy medical practice settings this can easily be put on the back burner but it is vital that your staff maintain their training requirementsOSHA compliance training is not only required and for the safety of your staff but also for the protection of your patients and visitors to your practice.
To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Leaches in the Workplace: Discrimination

Discrimination within a workforce, sucks the lifeblood out of the organization

Discrimination: the practice of unfairly treating a person or group of people differently from other people or groups of people

Leaches: bloodsucking parasites

Dan was excited about his new job. However, that excitement quickly dissipated as he experienced some situations that made him feel like he was being treated differently. It was not only how some people talked to him, but also how they looked at him, gave extra space while walking around him, and at times, made an effort to avoid him all together. Dan decided to put all of this aside and earn his way through the company using his talents, experience, and amazing work ethic. His quality of work was at a high level, but the strange treatment remained the same. No matter what he did, Dan felt that his hard work and determination would never pay-off. Less than a year after starting this new job with excitement and enthusiasm, Dan resigned. The company has now lost a valuable and contributing member of its organization. A little more information about Dan; he is a war veteran of African descent who had lost his arm fighting in Iraq.

Discrimination comes in many forms including, age, disability, gender, race, national origin, religious, pregnancy, sexual orientation, and weight. When discrimination is part of a workforce, it sucks the lifeblood out of that organization and all of the people who are a part of it. Productivity is less, morale is lower, and there is an increase in turnover. On many occasions, companies loose valuable members of their workforce who have greatly contributed to its success. Discrimination is a behavior that has a negative effect on everyone involved.

Here are some signs that discrimination may be a part of your workplace:

Odd hiring practices – Failing to hire or refusing to hire a potential employee based on one of the discrimination classifications. Typically, an organization is not even aware that this is happening, because the recruiters have complete control over the initial screening process.

Missed promotions – Promotions are wonderful opportunities for employees to move their careers ahead, but sometimes the most qualified employee is not the one who receives the promotion. When a company promotes an employees, there should be extensive documentation that justifies that promotion. Employees know who the most qualified person is for a promotion, and when that person gets looked over, everybody takes notice and remembers.

Unequal pay – All employees should be paid based on the value that individual brings to the organization in a particular position. Paying people differently for doing the same job is a slippery slope. If employees have similar experience, education, and skills and they are doing a similar job, then their pay should reflect that.

Unequal discipline – It is vital for an organization to have documented discipline procedures and to follow those procedures. Disciplining employees differently could be a demonstration of favoritism or discrimination.

In order to help avoid these unfair practices, organizations need to teach employees what their expectations are in the area of discrimination. They need to be clear, blunt, and they need to teach by example by quickly handling any discrimination practices or situations that may arise. Leading by example begins with management. Companies must demonstrate the type of behavior they expect from their employees. Discrimination will suck the lifeblood out of any organization. Eliminating discrimination will help your employees be more productive, increase morale, and reduce turnover. Discrimination has no place within the workforce of an organization.
To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Monday, November 9, 2015

HIPAA Security Risk Analysis

Risk analysis involves identifying risks and vulnerabilities in your information systems. 

It is a required implementation specification within the Security Management Process. It requires you to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by your office. It calls for you to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

Perform a Risk Analysis

A risk analysis is a process that you should carry out in your practice in a step-by-step manner. Following is a suggested method of performing your risk analysis:

Inventory – You should begin by conducting a detailed inventory of your ePHI and your information systems that contain ePHI. Information systems can be complex. The inventory should seek to identify all inter-dependencies among these items.
• Information system hardware and software
• Identify the primary users of the information systems and ePHI
• Function and purpose of the ePHI and information system
• Technical controls (hardware or software access control mechanisms)
• Non-technical controls (security policies, employee training)
Threat identification – You should next identify all potential threats to your ePHI and your related information systems.
• Natural – floods, earthquakes, tornadoes, hurricanes, etc.
• Human – Unintentional (incorrect data entry or accidental deletion of data)- or - Intentional (installing malicious hardware, refusing service)
• Environmental – Power failures, hazardous material spill, etc.

Vulnerability Identification – Identify the vulnerabilities of your ePHI and related information systems. A vulnerability is a flaw or weakness in a system’s implementation, security, procedures, design, or internal controls that can be exploited by a threat and result in misuse or abuse of ePHI.
Examine your vulnerable sources by reviewing:
• Information systems
• Audit reports
• Information system test
• Evaluation reports
Security control analysis – You should next analyze the security controls that have you put into place to protect ePHI. There are two types of security controls that need to be assessed:
1. Preventative controls are designed to prevent or restrict the exploitation of vulnerabilities.
• Access control
• Authentication
2. Detective controls detect and report when violations occur.
• Audit trail
• Alarm
Determine risk likelihood – Three determining factors should be considered:
1.) Threat motivation and capability;
2.) Type of vulnerability; and
3.) Existence and availability of security controls.

Below are three risk likelihood levels and their definitions that may be used as examples:
• High likelihood - Threat is highly capable, motivated, or likely and current security controls are ineffective.
• Medium likelihood - Threat is capable, motivated or likely, but there are security controls in place that may prevent the exploitation of the vulnerabilities.
• Low likelihood – Threat is not capable, motivated or likely, or current security controls will likely prevent exploitation of the vulnerabilities.
Analyze the impact –Next, determine the impact that would result if a perceived threat were to actually take place in your practice. You should determine the impact in the following areas (define the impacts as high, medium, or low):
• Confidentiality - ePHI is disclosed or accessed in an unauthorized manner
• Integrity - ePHI is improperly modified
• Availability – ePHI is unavailable to authorized users

Determine the risk - For each vulnerability and its associated possible threat, you should make a risk determination based on:
• The likelihood that a threat will happen or attempt to happen.
• The level of impact to your practice in the event that the threat happens.
• The adequacy of the existing or planned security controls to protect your ePHI.
• High risk – Security controls should be implemented or improved as soon as possible.
• Medium risk – Security controls should be implemented or improved in a reasonable amount of time.
• Low risk – The security controls that are currently in place are probably adequate or the risk is acceptable.

Recommendations for Security Control – By using all of the above information, you should be able to conclude your Security Risk Analysis by implementing security controls that can mitigate or eliminate the unacceptable risks that you have identified. These controls should reduce the level of risk to your ePHI and your related electronic information systems to an acceptable level.
Documentation Requirements – Good documentation generally supports any situation in which an action is called into question. We often hear, “If is not documented, it was not done.” This is also true with security.

No documentation or poor documentation does not mean that you do not have a security risk. In fact, the better the documentation, the more likely it is for an external investigator to believe that an undocumented risk did not previously exist. Your diligence in documenting risks and your decisions relative to them can demonstrate that you made the effort to identify as many risks as reasonable and practical. If one is overlooked, you are much less likely than if your documentation is poor or nonexistent and you attempt to.

This type of Security Risk Analysis should be conducted on an annual basis. Be sure to document the specifics of your audit and its findings.
To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Friday, November 6, 2015

7 Signs an Employee is About to Quit

It is important to be proactive when you believe an employee is going to quit.

Jack has worked at his current position for more than five years. Today, Jack walked into his supervisor’s office and gave his notice that he will be leaving his current position in two weeks. His supervisor was very surprised at the news. Jack is an important part of what the company does and his leaving is going to affect the company in a negative way. Jack’s supervisor knows that it will take some time to replace him and then even longer to train the new hire. This will have a negative impact on the company for the next few months . . . at least! Unfortunately, Jack’s supervisor did not recognize the warning signs of Jack’s intent to find a new job. If he had, this situation could have been averted or prepared for.

Employee retention is an ongoing effort of every organization. They want to keep the best talent and the brightest employees. However, companies do recognize that they are not going to be able to keep everybody. When an employee does intend to leave, there are some signs that could give a company some awareness of that intention, before the employee actually quits.

  1. Sloppy Work Habits – the best employees’ are consistent and complete high quality work on time. An occasional slip-up could mean nothing, but the company should begin to have concerns when prolonged lapses in quality or efficiency begin to happen. This could be an indication that the employee has grown tired of their work and has become disengaged from the company.
  2. Attendance – Employees typically maintain the same schedule when they arrive to work and when they leave. If an employee begins to arrive to work earlier than usual or leave earlier than usual on a regular basis and begin taking random days off, this could be a warning sign that they are taking time out of their day to attend interviews. Taking random days off could also be a sign that the employee is trying to use up any remaining paid-time-off before quitting.
  3. Appearance – Employees will usually wear the same type of clothes to work every day. If the organization does not require employees to wear a tie and an employee suddenly begins to wear one, then the employee should take notice. Does the day the employee upgraded their wardrobe also coincide with a day they slightly adjusted their schedule?
  4. Isolation – You don’t want to jump to conclusions, but an employee who takes frequent trips away from his or her desk to seek solitude might be a sign that they are fielding calls from potential employers. It could also be a sign that they are dealing with a personal issue that is conflicting with work.
  5. Life Changes – Birth of a child, loss of a loved one, marriage, divorce, sudden illness requiring on-going medical treatment are all life changes that could alter and employees’ career. These changes offer an opportunity to the employer to have a meeting with the employee to discuss future work plans. Failing to do so could end in the company scrambling to fill a big and unexpected vacancy.
  6. Out-of-Character Complaining – Happy workers usually don’t make their negative feelings known to other workers. If an employee develops a surly personality and begins complaining about other co-workers or processes, this could be a hint that something is not right. This shows that the employee has become disenchanted with his or her work and the grumblings could have an effect on other employees’ attitudes.
  7. Distancing – If an employee appears to separating or distancing him or herself from co-workers, this could be an indication that the employee has begun disconnecting from fellow co-workers in anticipation of their imminent leave. This type of behavior is also noticeable during meetings where the employee appears disengaged.

In order for a company to keep the best talent and brightest employees, its supervisors need to be able to recognize when an employee is preparing to quit. If a supervisor has cause to think a valuable employee might be on their way out, the correct course of action would be to have a meeting with the employee to discuss the supervisor’s concerns. If the employee does intend to leave, then the company can begin the hiring process. This meeting might also be an opportunity for the company to make some changes in pay, benefits, work schedule, etc. in order to keep the valued employee.

If this article was helpful, you may also want to read about employee burnout at: http://bit.ly/1PCFgd7

To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Thursday, November 5, 2015

CMS issues Final Rule

CMS Issues Final Rule & Changes to the Two-Midnight Rule

On October 30, 2015, CMS issued its final rule with comment period (Final Rule) for the Medicare hospital outpatient prospective payment system (OPPS) and the Medicare ambulatory surgical center (ASC) payment system for calendar year 2016, as well as updates to the requirements for the Hospital Outpatient Quality Reporting (OQR) Program and the ASC Quality Reporting (ASCQR) Program.  The Final Rule also finalized certain policies relating to the hospital inpatient prospective payment system (IPPS), including changes to the two-midnight rule.
CMS estimates that based on the Final Rule, total payments for CY 2016 to the estimated 4,000 facilities paid under the OPPS will decrease by a projected $133 million (0.4 percent) compared to CY 2015.  This impact is greater than the proposed rule’s estimated $43 million (0.2 percent) decrease in total OPPS payments.  Additionally, although the proposed rule estimated a payment increase to ASCs of 1.1 percent, under the Final Rule, CMS estimates that total payments to ASCs for CY 2016 will be approximately $4.221 billion, an increase of only 0.3 percent, or approximately $128 million, as compared to estimated CY 2015 Medicare payments. 
In the Final Rule, CMS has finalized a number of changes for CY 2016, including the following changes to OPPS and the ASC payment system:
  • An Outpatient Department (OPD) fee schedule increase factor of 1.7 percent (which is based on the final estimated hospital IPPS market basket percentage increase of 2.4 percent, less the final 0.5 percentage point multifactor productivity (MFP) adjustment, and less an additional 0.2 percentage point adjustment mandated by the Affordable Care Act);   
  • Reducing the CY 2016 conversion factor by 2.0 percent to account for an approximately $1 billion inflation in CY 2014 OPPS payments that resulted from excess packaged payment for laboratory tests that were projected to be packaged into OPPS payment rates, but continued to be paid separately in CY 2014; 
  • Requiring that laboratory tests be conditionally packaged  on a claim with an OPD service that is assigned a certain status indicator, irrespective of the date(s) of service, unless an exception applies or the laboratory test is “unrelated” to the other OPD service(s) on the claim;  
  • Setting a statutory default of average sales price plus 6 percent for payment for the acquisition and pharmacy overhead costs of separately payable drugs and biologicals that do not have pass-through status; 
  • Expanding the set of conditionally packaged ancillary services to include three new ambulatory payment classifications; 
  • Establishing for the Hospital OQR Program for the CY 2017 payment determination and subsequent years, the following requirements, among other changes: (1) removing the OP-15: Use of Brain Computed Tomography (CT) in the Emergency Department for Atraumatic Headache measure, effective January 1, 2016; (2) revising from November 1 to August 31 the deadline for withdrawing from the Hospital OQR Program; (3) shifting to a new payment determination timeframe that will use only three quarters of data for the CY 2017 payment determination; (4) changing the timeframe in which data may be submitted for measures submitted via the CMS QualityNet website to January 1 through May 15; and (5) changing the deadline for submitting a reconsideration request to the first business day on or after March 17 of the payment year at issue;
  • Establishing for the Hospital OQR Program for the CY 2018 payment determination and subsequent years the following  requirements, among others:  (1) adding a new measure: OP-33: External Beam Radiotherapy (EBRT) for Bone Metastases (NQF #1822) with a modification to the proposed manner of data submission; and (2) shifting the quarters on which CMS bases payment determinations to again include four quarters of data;
  • Increasing payment rates under the ASC payment system by 0.3 percent for ASCs that meet the quality reporting requirements under the ASCQR Program; 
  • Establishing a revised process of assigning ASC payment indicators for new and revised Category I and III CPT codes that would be effective January 1; and
  • Setting the final ASC conversion factor of $44.177 for ASCs that meet the quality reporting requirements, based on the product of the CY 2015 conversion factor of $44.058 multiplied by the wage index budget neutrality adjustment of 0.9997 and the MFP-adjusted CPI–U payment update of 0.3 percent.
Under the Final Rule, CMS has also modified its prior “exceptions” policy under the two-midnight benchmark, which previously was limited to cases involving services designated by CMS as inpatient-only and those other exceptions published on the CMS website or in other sub-regulatory guidance.  CMS will now allow exceptions to the two-midnight benchmark to be determined on a case-by-case basis by the beneficiary’s responsible physician, subject to medical review.  CMS is careful to note that it expects that stays less than 24 hours would rarely fall into an exception. 
The Final Rule also finalized certain proposed changes from the FY 2015 IPPS Proposed Rule to the Medicare regulations governing provider administrative appeals and judicial review relating to appropriate claims in provider cost reports.  Specifically, CMS has finalized revisions to the cost reporting rules requiring providers to include an appropriate claim for a specific item on their cost reports—either by affirmatively claiming reimbursement or expressly self-disallowing the cost by filing a cost report item under protest—in order to be eligible to potentially receive Medicare reimbursement and/or to be eligible to appeal their reimbursement (or lack thereof) to the Provider Reimbursement Review Board.  CMS has eliminated the duplicative requirement to do the same in order to meet the “dissatisfaction” requirement for Board jurisdiction.  CMS has also specified procedures for Board review of whether a provider’s cost report meets this substantive reimbursement requirement of an appropriate cost report claim for a specific item.
Any comments on the payment classifications assigned to HCPCS codes identified in Addenda B, AA, and BB with the “NI” comment indicator and on other areas indicated in the Final Rule must be received no later than 5 p.m. EST on December 29, 2015.
The CMS Fact Sheet on the Final Rule is available here.  An additional Fact Sheet on the Two-Midnight Rule is available here.  The Final Rule is scheduled to be published in the Federal Register on November 13, 2015.  Our Health Headlines article summarizing the proposed rule is available here.

For more information on this and other healthcare topics related to HIPAA, OSHA, Medicare and HR compliance please email support@hcsiinc.com or visit our website at http://www.hcsiinc.com 
Join our LinkedIn group at: http://bit.ly/1FWmtq6

To subscribe to this blog, enter your email address:

Delivered by FeedBurner