Rx for practice management

Transcription

1 Rx for practice management Summer 2015 How to avoid data breaches in your practice Going boutique? How concierge services can work for your practice Paths to practice success in a value-based market Exploring the ins and outs of outsourcing the billing function Mount Arlington Office Newton Office

2 How to avoid data breaches in your practice id you know that the three most common ways that a data breach occurs D are theft (29% of all breaches), hacking (23%), and accidental public access or distribution (20%)? Over half of all data breaches occur in health care entities. Health data is more valuable to thieves than credit card information because it can be used to access bank accounts and obtain prescriptions for controlled substances. 2 Minimizing the threat The steps for minimizing, or preventing entirely, breaches of patient data are well established. They start with identifying all areas of potential vulnerability. This includes overall security for the practice s premises, records and equipment. Computers must be protected by adequate electronic security for protected health information (PHI). Devices that carry PHI must be encrypted, including desktops, laptops, tablets, smartphones, memory sticks and centralized servers. Loss or theft of such devices is one of the most common breach risks, and encryption is the best defense. The best practices already have many defensive measures in place. Still, breaches can sneak through and it s prudent to plan in advance how the practice will respond. So, how can you ensure your practice is safe? First, you need to train all practice staff on how to protect PHI, using HIPAA-compliant policies. That means restricting open discussion of patient PHI among staff members. Your practice should also audit or test physical, electronic, and procedural security policies regularly including the steps that will be taken if a breach occurs. Last, insure your practice against the high costs that can flow from a breach. The best practices already have most of these defensive measures in place. Despite them, breaches can sneak through and it s prudent to plan in advance how the practice will respond. Act quickly if a breach occurs The actions taken in the first 24 hours after a breach is recognized can influence how the government and your patients view you. It s critical to minimize the damage. The first step is to keep the situation from getting worse. If the practice is found guilty of willful neglect, it will face higher civil money penalties. If an employee appears to be mishandling patient data or inappropriately distributing it, that person may have to be suspended or denied access to the data. If the breach involves criminal activity, the police must be notified. If the protected information has been placed on the Internet, it must be removed. In addition, failing to respond promptly to a breach by one of your business associates may be attributed to the practice.

3 After the initial damage has been contained, assess the gravity of the breach. Contact an attorney experienced in advising health entities and their HIPAA obligations. Together, you will carry out the four-part risk assessment described in the HIPAA Breach Notification Rule to determine whether PHI was truly compromised. The four elements of that assessment are 1) the nature and extent of the PHI involved, 2) the person or party to whom the PHI was exposed, 3) whether the PHI was actually acquired or viewed, and 4) the extent to which the risk has been mitigated. If you conclude that PHI was compromised, numerous others must be notified of the fact. Federal law requires it, and many states have data breach laws that impose additional requirements. If more than 500 patient records have been breached, you must inform the HHS and be prepared to notify local media, as required by the HIPAA Security Rule. Notifying patients The greatest challenge is likely to be breaking the news to patients. The basic message should be candid. State what happened, what steps already have been taken, and what steps will be taken in the future. Quickly notify all staff and business associates of the breach, and prepare them for the questions they ll receive from patients in the coming weeks by phone, and in person. The questions will be in response to a letter sent to all patients whose PHI was compromised. Legally, you have 60 days to send this letter. But it s best to send it within 10 days. Train staff on how to address patient questions Start by appointing certain staff to answer questions. Train them on how to handle calls, helping them with a list of answers to frequently asked questions. Next, implement new security measures to patch the holes that allowed the breach to occur. The HHS will want to know what s being done to prevent it from happening again. This Ouch! Breaches can be expensive In 2012, Phoenix Cardiac Surgery was required to pay the HHS a $100,000 settlement after it posted clinical and surgical appointments on a publicly accessible, Internet-based calendar. The investigation into the practice also found that it had few procedures to comply with HIPAA, limited protections for patients electronic health information, no documentation of staff training on security policies and procedures, no conduct of a risk analysis, and no appropriate agreements with business associates. The practice was required to implement a corrective action plan that included a review of recently developed policies and other actions it would take to come into legal compliance. likely will involve new policies and physical and electronic controls, as well as privacy and security training for employees. Document all actions Next, prepare for an investigation by the Office for Civil Rights. This process can take as long as a year. And document all actions taken and new preventive changes introduced. Be sure to keep a copy of your risk assessment. Looking ahead Once you ve gone through the entire process, draw up a plan for future incidents. Based on lessons learned from the current breach, designate who will be responsible for monitoring possible breaches in the future. Finally, contact your health care advisor. He or she can help you work through the red tape. x 3

4 Going boutique? How concierge services can work for your practice oncierge services provide physicians with C the time to truly know their patients and treat each one individually. It s a great way to personalize a patient s care, and it allows doctors to get away from the daily grind of medicine and get more in touch with their patients. So, it s no wonder that boutique services continue to pop up. Offering premium services In a concierge practice, patients pay an annual retainer or subscription fee of between $1,500 to $5,000 (for an individual) and $3,500 to $8,000 (for a couple), depending on the services received. Those services might include immediate and 24/7 access to physicians via phone, or personal visits. They can also sport same- or next-day appointments, and an emphasis on wellness, prevention and health counseling. Beyond that, the practice can offer whatever premium services its patients desire and are willing to pay for: spa-like amenities and décor, house calls and out-of-office care, and telephone or consultations, for example. There s a caveat, however. The concierge fee doesn t and can t apply to clinical services for which third-party reimbursement may be sought from Medicare or private payers. The practice can either: 1) continue to perform the third-party billing function for its patients, or 2) forgo that responsibility entirely, leaving it up to patients to deal with their insurers. There are risks to the concierge model. Once patients remit their annual fees, be aware that they ll have virtually unlimited access to you and your physicians at any time. A substantial investment may be necessary to get started. You ll likely want a redesigned office space, for instance, along with staff retraining for greater customer sensitivity and new EMR capabilities for enhanced follow-up. Because your practice will want to get the word out about its concierge services, you ll also incur some marketing expenses. It can take one or two years to build up the patient volume to turn a significant profit. The benefits for your practice Once a concierge practice becomes fully operational with satisfactory patient flow, several benefits could begin to emerge. You may be able to downsize your existing coding and billing staff, potentially cutting payroll expenses. And with a smaller daily patient volume, you may need fewer front desk staff. Plus, moving to the concierge model often lets physicians focus on areas of medicine about which they re truly passionate. 4

5 new practice format will continue to bill third-party payers or operate as a totally direct-pay operation. In addition, research patient demographics and the local market to see if there s sufficient demand with the necessary financial resources to participate. Next, determine which noninsured services and amenities you ll offer and whether you ll need additional training for staff and physicians. You ll also need to calculate the monthly or annual fee/ retainer that you ll charge patients to cover costs for the new services. Of course, there are risks to the concierge model. Once patients remit their annual fees, be aware that they ll have virtually unlimited access to you and your physicians at any time. Above all, you ll be solely accountable for the fiscal welfare of the practice. How to transition to a concierge practice If the notion of a concierge practice interests you, do your homework before making the switch. For example, ask your physicians whether they re willing to adapt to a more interactive relationship with patients. You ll also need to decide whether the Be prepared Make sure you set a timetable for initiation and phase-in of the new format. And communicate with patients about the transition via letters, s, phone calls, office visits or focus groups. Also, ascertain how to handle existing patients who won t convert to the new practice model. Finally, create marketing materials and launch a campaign. Work with your advisors Your health care advisor can help you with the entire process. So make sure you get him or her on your team. x Paths to practice success in a value-based market t s no secret that health care reimbursement I is moving from a volume-based model to a value-based paradigm. Unfortunately, this is a transformational change for which most practices aren t prepared. The goal of value-based care Value-based care incorporates an array of clinical initiatives, delivery models, and provider payment methodologies involving bonuses and penalties. The goal is to align cost, quality and outcome measures. Participating successfully in these initiatives and models requires different capabilities and resource commitments. Supporting value-based care The recent 2014 Survey of U.S. Physicians by Deloitte Center for Health Solutions asked physicians to rank the most important work-related resources and capabilities they needed to support value-based care. The top results were: x Expanded clinical support capability, x Information technology tools, 5

6 x Access to nonphysician staff, x Access to the latest medical equipment and facilities, x Ability to negotiate third-party payer contracts, x Access to more patients, and x Access to capital. It s true that physician practices don t have control over all these elements. But, it is possible to narrow them down to a handful of critical success factors. Success factors Physicians need clinical and technical support to take a balanced, end-to-end approach to delivering quality care while also competing on value. This typically takes the form of care coordination, care pathways, registry access and patient engagement tools that often are available from partners, such as hospitals, health systems and health plans. Physicians need clinical and technical support to take a balanced, end-to-end approach to delivering quality care while also competing on value. Integrated health information technology (HIT) can enable physicians to more effectively treat patients and manage risk. Using EHR data and analytics, high-risk patients can be identified and actively managed. Physicians can test which actions/interventions best improve quality, cost, and health outcomes. HIT also allows them to communicate, share, coordinate and engage seamlessly with multiple clinicians for improved care management. In a value-based care environment, physicians benefit from enhanced business management and organizational skills that facilitate evaluating contracts, leading care coordination activities and managing partner relationships. These can be learned through formal courses and on-the-job training. Financial and clinical risks Transparent governance structures with trusted decision-making procedures help allocate financial and clinical risks among all parties involved. If accountability standards are set for caregivers at each stage of care, physicians will feel confident of receiving credit for their contributions. Giving physicians influence over setting performance goals may help address their concerns over fairness. Payment models As physicians prepare to practice more value-focused medicine, they can expect to encounter variations of four types of payment models: 1. Shared savings arrangements where a physician is rewarded if patients have better-than-average quality/cost outcomes, and penalized if they don t, 2. Per-patient-per-month capitation payments covering physician-related services, or global capitation payments covering costs of pharmacy, hospital, and other services, as well as physicianrelated services, 3. Bundled payments consisting of a single payment for all the services around a particular patient s treatment or episode of care paid to a physician, physician group, or hospital for redistribution to individual clinicians, and 4. Fee-for-service payments combined with a monthly care coordination fee. The bottom line Work with your advisors to take a balanced, end-to-end approach to delivering quality care while also competing on value. x 6

7 Practice notes Exploring the ins and outs of outsourcing the billing function hysician practices wrestle frequently with P the decision about whether to outsource their billing processes. It can be hard to balance the pros and cons. What s good for one practice might not work for another. So, whether you want to improve the billing practices within your practice or are looking for a vendor who can raise the output of your revenue cycle management, the answers to certain questions can lead to a better decision about outsourcing those functions. Key questions How does your practice billing and collection metrics compare with industry standards? Do you believe your billing and collection procedures and systems would benefit from upgrades? Have you accepted the need for more investment in your revenue cycle technology but lack the necessary capital? Do you know where to allocate your limited resources to maximize net revenue? Are your billing and collection operations keeping up with the practice s growth? Reimbursement models and payer requirements are evolving constantly. So be sure your revenue cycle processes and technology are up to the challenge. For example, is your practice able to keep up with changing compliance and payer policies? Have you had difficulty recruiting and retaining qualified billing and collections staff? Do staff members spend too much time trying to resolve denied claims? And last, do you have any concerns about misappropriation of funds or fraudulent billing? If the answers to many of these questions are affirmative, consider subcontracting billing and collection functions to an outside vendor. Third-party billing This function should offer several flexible, valuebased contracting options in which payments are tied to the practice revenue results achieved. In addition, the services it offers should be tailored to the practice s structure and requirements. Solutions in the vendor s package should function seamlessly with each other across the practice s revenue cycle. Look for a vendor that employs a full staff with experience in all phases of revenue cycle management, as well as the related technology. Its services should comply with HIPAA and support both ICD-10 and Meaningful Use in all stages. The vendor s operations should include the ability to electronically process the submission of claims and remittances, and the use of credit cards. As an added feature, the arrangement should allow the practice access to all its billing data, up-to-date reporting and analytics competencies. Finally, through the outsourcing contract, the vendor should assume responsibility for resolving claims denials. It s worth the effort Finding a billing vendor that meets these criteria will be worth the effort when it pays off in reduced costs and improved revenue cycle performance. x This publication is distributed with the understanding that the author, publisher and distributor are not rendering legal, accounting or other professional advice or opinions on specific facts or matters, and, accordingly, assume no liability whatsoever in connection with its use RXsu15 7

8