How To Use An Ehr

Transcription

1 Compliance Considerations in the World of an EHR Jackie Smith, CHC, CHPC Network Privacy & Compliance Officer Community Health Network April 8, 2014 Community Health Network 7 Hospitals, 12 Outpatient Pavilions, Home Health, Hospice, DME, Inpatient Psych Pavilion, outpatient behavioral health facilities 500+ employed physicians; 100+ sites 11,000+ employees 53,000+ admissions, 240,000+ ER visits, 7,000+ births Epic Journey Late 2011 Validation sessions April July 2012 Physicians go live August hospitals go live November hospitals go live Jan/Feb 2013 Home Health, Hospice, DME, Outpatient Behavioral Health go live 1

2 Benefits of an EHR Improved care coordination Improved accuracy Improved efficiency Improved quality Convenient access for providers, patients, payers Enhanced, real-time alerts, tools, guidance Challenges of an EHR Access Documentation Correction of errors You have more data now what? Where is the information going? 2

3 DHHS and DOJ View Letter from DHHS and DOJ to 5 hospital trade associations expressed concerns in 2012 Indication that providers were gaming the system and receiving payments to which they re not entitles cloning Using EHR to facilitate upcoding DHHS, DOJ and FBI are monitoring these activities and doing some data mining and will take action if fraud is identified. Access Who should get access? Everyone wants it! Must be role-based; how many roles do you have in your organization? An RN is an RN is an RN, right? Wrong! What about payers, IOPO, nursing homes, auditors? Access Users sharing logons and passwords Falsified medical record Potential to practice outside the scope of his/her license Possible false claim User is accountable for what happens under his/her logon, including inappropriate access 3

4 Access What level of access should users have? Who can sign orders? Who can see sensitive notes and mental health records? Can users initiate documentation for a physician? Access Access by non-employees Does your agreement with the vendor allow access by non-employees? Does the vendor require an affiliation agreement between vendor and the nonemployee users? How is that process managed prior to providing access? Access How do you manage changes in access? Users who leave the organization Users who change roles Non-employed users Staff in a physician office IOPO, payers, nursing homes, consultants, auditors Want vsneed 4

5 Documentation 2014 OIG Work Plan Evaluation and management services Inappropriate payments We will determine the extent to which selected payments for evaluation and management (E/M) services were inappropriate. We will also review multiple E/M services associated with the same providers and beneficiaries to determine the extent to which electronic or paper medical records had documentation vulnerabilities. Context Medicare contractors have noted an increased frequency of medical records with identical documentation across services. Medicare requires providers to select the billing code for the service on the basis of the content of the service and to have documentation to support the level of service reported. Documentation Copy/Paste Will you allow physicians and other clinicians to copy/paste? If so, whatwill you allow them to copy/paste? Their own documents? Another provider s notes? How will you ensure that documentation that s copied and pasted is appropriate for the visit? Documentation Templates Make sure they are appropriately customized for the provider so that documentation will accurately support the services provided Medical records that are identical from patient to patient or from visit to visit raise red flags with payers Ensure they do not prompt overdocumentation resulting in overbilling 5

6 Documentation Co-signing of documents Whose documentation is required to be cosigned? Resident PA, PA student Med Student, scribe, fellow CRNA NP -independent, NP -incident to, NP student pharmacy students rounding staff RN, LPN, MA CNM, perfusionists, Registered Radiology Assistant Documentation Credentials How will you make sure the user s credentials are accurate? What is your primary source verification? How will you know if a user s license has expired or been revoked? LCSW vsmsw vssocial Worker If it s wrong, how will you correct it? Accuracy of Patient Identification Not accurately identifying the patient can cause many issues: Patient safety issues (blood type, allergies) Medical record will need to be corrected Bill may have been sent to wrong payer Bill may be sent to wrong patient, resulting in HIPAA breach HIPAA breach may require notification to the patient and the OCR 6

7 Correction of Errors Chart Correction If a caregiver charts on the wrong patient s chart, how do you correct it? What if other caregivers relied on that information in their decision making? What if the test was charted on the wrong encounter? What if charges are automated? How do you protect your organization if there s future litigation regarding that chart? Correction of Errors Downstream impact Where does the information flow to? Patient portal Independent providers Payers IHIE Who do you need to notify and how do you do that? More Data Now What? What do you want to monitor? Who will monitor? Additional resources needed to monitor and follow-up? Ex: Break the glass reports Access by independent providers Audit trails on documentation Timely chart completion 7

8 Where Does the Info Go? From a HIPAA perspective, is it appropriate? Do independent providers who have access to the EHR only access the appropriate information? New HITECH restrictions -patient pays for services in full/requests no disclosures to payer Separate, but affiliated entities, want more data Is information sent to IHIE appropriate? Where Does the Info Go? Patient Portals How do you manage this process to make sure only authorized individuals have access? Proxy access for parents of minors: How do you handle minors who are able to consent to their own treatment? Where Does the Info Go? With the convenience of electronic records and remote access, PHI goes everywhere! Lost unencrypted USB drive cost dermatology practice $150k in Dec and required a corrective action plan and 3 years of oversight by the OCR 8

9 Bon Secours reports EHR data breach The 7-hospital Bon Secours Health System in Virginia announced that 5,000 former patients had their PHI compromised following an EHR data breach. The breach occurred after two members of the patient care team accessed patients' medical records in a "manner that was inconsistent with their job functions and hospitals procedures and inconstant with the training they received regarding appropriate access of patient medical records". The "potentially unlawful behavior" was discovered during an April 2013 audit. Patients' names in addition to treatment information, SSNs, DOBs, medications and providers may have been accessed.(june 2013) Headlines Allina Health System reports internal EHR data breach 3,800 patients affected (October 2013) EMR vendor at fault in patient data breach 2 patients affected (Mar 2013) UPMC Alerts Patients to Privacy Concern 1300 patients affected (Nov 2013) Four-year EHR breach raises eyebrows 919 patients affected (Dec 2013) Key Messages There are lots of decisions to make leading up to implementation as well as postimplementation. Get key stakeholders (including compliance and legal) involved in decision-making and policy setting. 9

10 Contact Information Jackie Smith Network Privacy & Compliance Officer Community Health Network (317) Questions? 10