How to Juggle Medicare and Medicaid Compliance in a Fluid Regulatory Landscape

Do you treat patients insured by Medicaid or Medicare at your hospital? While participation is voluntary for for-profit healthcare systems, accepting Medicaid and Medicare patients is a condition of federal tax exemption for non-profits. Currently, Medicare and Medicaid account for more than 60 percent of care provided by hospitals making it nearly impossible for healthcare systems to forgo these programs.

So, if the stark reality is that you must participate, compliance becomes an issue. And it’s complex. Especially for hospitals that have multiple outpatient locations and inpatient campuses. Under Medicare provider-based rules, it’s not possible to certify just part of the system. When you consider there’s nearly a 500-page certification process, it’s clear that it’s crucial to have effective compliance tracking.

An effective compliance program is multi-faceted and includes monitoring and auditing, legal reviews of procedures and contracts, reporting mechanisms as well as training for employees. Healthcare systems are multi-faceted too with labs, pharmacies, rehabilitation centers, clinics, surgery centers and more. Keeping on top of compliance not only to effectively report but to identify and then prevent misconduct before it balloons into a much bigger problem is anything but easy.

The Centers for Medicare & Medicaid Services has attempted to streamline information into quarterly updates for providers, suppliers and the public. While this helps curate the information and updates to regulations, management and oversight of compliance and putting these regs into practice represents an enormous task for each healthcare system. The distance between knowing and doing can be vast when providers are juggling regulations alongside providing quality patient care. Maintaining oversight of not just the Medicare and Medicaid federal regulations, but compliance with other state and local regulations is required.

The regulatory landscape continues to be muddled with additional requirements to safeguard privacy and to fight fraud and abuse today. Since governing bodies are vigilant about fighting fraud, your compliance process needs to be tight or you’ll risk criminal charges, fines and even the possibility of losing licenses. Every state has its own Medicaid Fraud Control Unit (MFCU), typically as part of the State Attorney General’s office. When your compliance tracking system is thorough, the auditing process and working with your MFCU becomes simpler.

Streamline Compliance Tracking

If your hospital is juggling Medicare and Medicaid payment compliance along with all the other mandates and reporting requirements, it can easily get overwhelming. But, it doesn’t have to be that way. Solutions such as youCompli’s compliance system monitors and translates Medicare and Medicaid regulations for easier understanding. Then, it helps you track and oversee your hospital’s compliance.

If you’re ready to take the headache out of Medicare and Medicaid compliance, it’s time to see what a compliance management system can do for you. Schedule a call today where you can see how our risk management software can support your healthcare system’s compliance program.

Understanding and Managing the HIPAA Security Rule

Protecting the privacy of patients is of paramount concern to healthcare organizations today. Data breaches and/or hacking attempts are happening more frequently. Regulatory requirements are constantly changing. And the pace of technology innovations keeps increasing. The penalties, both financial and reputational, can be disastrous for any organization — and its compliance team — that is not prepared and in the know at all times

For example, recently a healthcare institution mailed hundreds of patient statements, containing names, account numbers and payments due, to wrong addresses. The organization believed that, for most of these statements, this was not a reportable breach, because there was no patient diagnosis, treatment information, or other medical information listed.

This was not correct. And the failure to understand the rule and its nuances resulted in a $2 million settlement.

The HIPAA Security Rule is the hedge against that kind of disaster  —  so grasping its complexity is crucial.

The regulations that comprise the Security Rule are often the most difficult to understand and implement, as every security compliance measure must be carefully monitored and reported. Not only are all healthcare organizations required to meet the standards and legal requirements in the Security Rule, there can also be implementation specifications which include provide detailed instructions and steps needed for compliance.

From an administrative perspective, HIPAA requires a documented framework of policies and procedures. These policies and procedures detail exactly what your organization does to protect key information. For example, policies can outline the requirements for training for all employees, including those who do and do not have direct access to vital patient information.

The documents that outline the policy and procedure framework must be retained for at least six years (although state requirements may mandate longer retention periods). As policies change, so must your accompanying documentation. And to further ensure your compliance, periodic reviews of policies and responses to changes in the electronic patient health information environment are also recommended.

From a security perspective, HIPAA requires a comprehensive evaluation of the security risks your organization faces, as well as the electronic health record technologies your organization uses.  This includes a combination of physical safeguards — such as IT infrastructure, computer systems and security monitoring systems — and technical safeguards — such as risk management software, healthcare management software or regulatory software. These safeguards are designed to both protect patient information and control access to it.

Fortunately, the Security Rule allows for scalability, flexibility and generalization. This means that smaller organizations are given greater latitude in comparison to larger organizations that have significantly more resources. HIPAA’s security requirements are also not linked to specific technologies or products, since both can change rapidly. Instead, requirements focus more on what needs to be done and when, and less on how it should be accomplished.

Managing the complexity of the HIPAA Security Rule can be easier. At youCompli, we help you identify, document and monitor your critical HIPAA information. We understand the time and resource constraints that compliance officers operate under — the need for quickly collecting and accessing quality data and reporting it. Our solutions enable you to remain up-to-date with healthcare regulations — what they mean and how to implement them with precision accuracy in cost-efficient and effective ways. Contact us for more information on how to approach and implement the Security Rule and remain in compliance.

Cybersecurity: The Nightmare That Keeps Me Up At Night

You are preparing for board meeting, but you can’t get into your reporting application.  You log off the computer and then log back in – no good.  You call the helpdesk and hear what you never want to: “The application is offline due to a potential cyber attack.”

Keeping organization data safe from hackers is a real concern for compliance professionals.  When asked what keeps them up at night, most would say it is the fear of finding one of the IT systems or applications was hacked. The nightmare may be recurring for compliance professionals who work in health care where personal, protected health information (PHI) data is stored in electronic health record applications.

To optimize cyber protection and minimize cyber events, it is recommended that compliance departments partner with their organization’s information technology (IT) and risk management departments.  A good place to start collaborating is to write and implement an organization-wide cybersecurity plan (CSP) based on each discipline’s input, this way input is included from each discipline leading to a more robust plan

As required under HIPAA and HITECH, Compliance and IT professionals generally focus on how to prevent both privacy and security breaches respectively, so the CSP should include prevention steps from both of those aspects.  While risk management includes prevention, risk also focuses on loss mitigation and minimizing impact to the organization’s reputation after a cyber event has occurred.

And the CSP must include ongoing staff education.  While there are many commercially available tools or applications which provide cyber protection against email hackers, phishers, malware, spyware, and viruses, these tools are only as good as the end users working on the organization’s computers.  Of course, the CSP should include appropriate fire walls and penetration testing by an outside vendor to assess the organizations privacy and security vulnerabilities; however, the best prevention is education for staff so they can identify emails which may contain malware, spyware or viruses.

Ongoing education should occur with staff at all levels of the organization.  Education should include internal IT generated phishing emails with remediation for those who “take the bait” and click on the bad links.  It should also include cross-departmental table-top exercises where cybersecurity related scenarios are presented and discussed to ensure familiarity with the CSP and to identify and improve upon weaknesses in the plan, staff education, or the applications used.

PRACTICE TIPS:

  1. Schedule a one-hour call with your insurance broker to review your cyber liability insurance policy and reporting requirements in the event of a privacy or security breach.
  2. Ensure you are current with not only federal, but state security and privacy laws.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.


Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  


CMS Does It Again

What an October!  In addition to all the Halloween fun, we processed over 100 new regulatory changes last month.

They covered both state and federal regulators and came in all shapes and sizes, but one stands out.

CMS decided to lump together seemingly unrelated concepts covering everything from multi-hospital QAPI programs and critical access hospitals to long-term care and autopsy services.

(84 FR 51732)

We’re experts at dealing with these large complex regs and I thought I would share a hint on how to deal with them more effectively.

We find it helpful to break the reg into more meaningful chunks. To do this start by analyzing the summary, you’ll usually find it in the preamble to most large regs.  That summary typically lists the different areas the regulator has targeted with a particular change.

Next group the different areas that tend to make sense (grouping should be done based on your organization’s structure)  into one “chunk,” while separating out the disparate areas into their own “chunk”. Breaking down a large regulation this way allows us to:

  1. Pinpoint the individual functional areas of an organization being affected;
  2. Tune in to specific issues involved with each functional area of an organization; and
  3. Ensure an easy-to-understand business requirement is a result.

84 FR 51732 was a real “bear”, it resulted in 10 different business requirements.

If your organization is faced with a similar complex regulation, you too might benefit from breaking it down into smaller projects or “chunks” to ensure it is effectively implemented into your organization’s policies and procedures…or…let us do the work for you!

Click this link and sign-up for a 10-minute demo and see how you can comply without reading regs.

Schedule 10-minute demo

How to Align Physician Satisfaction and Compliance

  Fraud is still a very real issue across the relationships between physicians and hospitals Is it possible to align physician satisfaction and compliance? According to Gail Peace, President of Ludi Inc., “Regardless of the physician being independent or employed by a hospital, there are a myriad of regulations to navigate in these relationships.” She […]

Continue reading

Building a Common Compliance Language

Everyone needs to understand industry terminology to properly communicate.  Imagine a physician referring to a patient as a “customer,” or a lawyer calling a client a “patient;” it feels odd. Even worse, it would create communication challenges. Every business organization has its own language, a specific terminology unique to the profession. Building a common organizational […]

Continue reading

Faster Compliance Using “Command Signals”

You don’t want to waste time on regs that don’t matter to you! Whether it’s a new reg from the Office of Civil Rights (OCR), the Centers for Medicare & Medicaid Services (CMS), or your state’s Health Department, one of the 1st steps required for compliance is gauging the new regs’ relevance to your organization. […]

Continue reading

How To Say NO And Still Feel The LOVE

If you’ve read my previous posts your familiar with what I refer to as the “Compliance Effect”. Often, as compliance professionals, people are not always happy to see us when we walk in the room. They noticeably shrink in their seats just waiting to hear us deliver the news that they can’t do something because […]

Continue reading