The State of Security in Today s Hospital



Similar documents
EHR Client Bulletin: Answers to Your Most Frequently Asked Condition Code 44 Questions

Fraud and Abuse. Current Trends and Enforcement Activities

SUBJECT: FRAUD AND ABUSE POLICY: CP 6018

Care Management Can We Do It Better?

Communications Set the Pace for Patient Flow

Somansa Data Security and Regulatory Compliance for Healthcare

The Impact of HIPAA and HITECH

UPDATED. Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs

COMPLIANCE WITH LAWS AND REGULATIONS (CLR)

Data Breach, Electronic Health Records and Healthcare Reform

Inpatient or Outpatient Only: Why Observation Has Lost Its Status

Regulatory Compliance Tools from Strategic Management Services March 27, 2012

Compliance Plan Required for ACO Participation

Securing Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use

HPC Healthcare, Inc. Administrative/Operational Policy and Procedure Manual

NOTICE OF PRIVACY PRACTICES

Deploying DLP and Encryption

Presented by: Anne B Mattson, RN, MSN. Teresa Mack. Director Regulatory and Compliance. Director Revenue Cycle Management

Sendmail and PostX: Simplifying HIPAA Compliance. Providing healthcare organizations with secure outbound, inbound and internal

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP

Library Guide: HIPAA

Deloitte Center for Regulatory Strategies. Balancing act Can hospital CFOs square their medical necessity risks with revenue goals? Here s how.

MEDICARE ENROLLMENT APPLICATION

HIPAA NOTICE OF PRIVACY PRACTICES

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

MEDICARE COMPLIANCE TRAINING EMPLOYEES & FDR S Revised

IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014

Health Management Annual Compliance Training

Agenda. OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2. Linda Sanches, MPH Senior Advisor, Health Information Privacy 4/1/2014

Identity Theft Prevention and Security Breach Notification Policy. Purpose:

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Page 2 State Medicaid Director

Unit 1 Core Care Management Activities

AppleCare General Compliance Training

WELCOME TO PCCMA. We look forward to being of service to you and helping you to be healthier in the future.

The Third National Medicare RAC Summit

MEDICAL AUDITS: TOP TEN TIPS FOR PHYSICIANS TO ANTICIPATE, RESPOND AND PROTECT THEIR PRACTICES

COMPLIANCE ALERT 10-12

1. Clarification regarding whether an admission order must be completed before any therapy evaluations are initiated.

HIPAA Audits and Compliance: What To Expect From Regulators and How to Comply

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

acknowledgment of health center privacy policy, privacy practices, and privacy procedures PATIENT PRIVACY

Managing the Insider Threat: Real-time Monitoring of Access Patterns to ephi

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

Symantec DLP Overview. Jonathan Jesse ITS Partners

Medicare Advantage and Part D Fraud, Waste, and Abuse Training. October 2010

Utah Medicaid Hospice Care Provider Training

This form may not be modified without prior approval from the Department of Justice.

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

Best Practices for DLP Implementation in Healthcare Organizations

Nursing Home Facility Implementation Overview

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

Member, Executive Committee, Health Law Section, State Bar of Georgia,

FirstCarolinaCare Insurance Company Business Associate Agreement

Joe Dylewski President, ATMP Solutions

Navigating Compliance Landmines in Electronic Health Record (EHR) Documentation

University Healthcare Physicians Compliance and Privacy Policy

Dissecting New HIPAA Rules and What Compliance Means For You

2/9/ HIPAA Privacy and Security Audit Readiness. Table of contents

HIPAA Overview and updates since HITECH and PPACA

Preparing for Medicare s Recovery Audit Contractor (RAC) Permanent Program: Are you ready?

Compliance Training for Medicare Programs Version 1.0 2/22/2013

Compliance, Risk Management, and Quality Assurance How to Play in the Same Sandbox

Regulatory Compliance Policy No. COMP-RCC 4.07 Title:

Qtr Provider Update Bulletin

Reviewing Hospital Claims for Patient Status: Admissions On or After October 1, 2013 (Last Updated: 11/27/13)

6/8/2012. Cloning and Other Compliance Risks in Electronic Medical Records

SHERIDAN MEMORIAL HOSPITAL SPECIAL BOARD OF TRUSTEES MEETING MINUTES Tuesday, March 15, :00 p.m.

New Patient Information Form

Transcription:

The State of Security in Today s Hospital HCCA Annual Compliance Institute Pre-Conference Session P13 Florentine III/IV 2:00-5:00pm Sunday, April 26th, 2009 1 Agenda Introduction to AHA and AHA Solutions Operational Alignment of Compliance and IT Panel Discussion Healthcare Compliance Scenarios Q&A and Wrap-up 2 2 1

Presenters Brad Hunter, Director, and Moderator AHA Solutions, Inc. Stefan Keller, President Certiphi Endorsed for Background Investigation & Drug Testing Services Sean Tippett, Product Manager Cisco IronPort Endorsed for Secure Email Messaging Joseph Zebrowitz, MD, Executive Vice President Executive Health Resources (EHR) Endorsed for Clinical Revenue Cycle Management 3 3 AHA Solutions, Inc. Overview 4 2

Principle Areas of Focus AHA has 100+ year history 5,000 member hospitals, health care systems, networks, other providers of care 38,000 individual members 5 About AHA Solutions AHA Solutions, Inc. is a resource to hospitals pursuing operational excellence. As an American Hospital Association (AHA) member service, AHA Solutions collaborates with hospital leaders and market consultants to conduct product due diligence and identify solutions to hospital challenges in the areas of finance, human resources, patient flow and technology. AHA Solutions provides related marketplace analytics and education to support product decision-making. As a subsidiary of the AHA, the organization convenes people with like interests for knowledge sharing centered on timely information and research. AHA Solutions is proud to reinvest its profits in the AHA mission: creating healthier communities. 6 6 3

Solutions to Enable Growth & Improve Governance Board of Directors Corporate Governance and Due Diligence Business Drivers Right Sizing & Growth Mergers, Acquisitions, and Divestiture Support Activities Intellectual Property & NPI Protection Client Information, Partner Connections, and Joint Development Collaboration Compliance Cost Reduction Preparation & Remediation 7 7 Healthcare Industry Expert Panel Compliance Scenarios Stefan Keller, President, Certiphi Sean Tippett, Product Manager, Cisco IronPort Joseph Zebrowitz, MD, Executive Vice President, EHR 8 4

Compliance Scenario 1 A hospital has a billing clerk from a temporary staffing agency working in their accounting department. The clerk is taking the personal information of critically ill patients and emailing it to a relative who uses the information to open credit cards in the patients names. The clerk is eventually caught and it is learned their name is on the OIG excluded parties list from a previous billing scam. 9 Compliance Scenario 1 - Recommendations Know what your contract staffing companies and temporary firms are doing in terms of screening. Specific background searches such as OIG exclusions and federal criminal records (for Medicare/Medicaid fraud) are not standard outside of healthcare Assess what data is available to what groups. Adjust access controls on a need-to-know basis. Monitor or restrict communications to detect potential abuses Be aware of data breach laws and have a response plan in place 10 5

Compliance Scenario 2 You review your PEPPER report and find you are in the 90th percentile for 1- day stays and Chest Pain, but in the 20th percentile for Congestive Heart Failure. You audit observation admissions and 1-day stays and find significant errors in each (observation that should be inpatient, inpatient that should be observation) The next day, your CFO invites you to a meeting to help establish a reserve for the RAC program. What do you do? 11 Compliance Scenario 2 - Recommendations Problem: Your Admission Review Process is Broken Solution: Implement process as per CFR 411.406(e) Case Management applies strict admission criteria to 100% of medical cases placed in a hospital bed and documents this review in an auditable format ALL cases that do not pass criteria (regardless of admission order status) are referred to a Physician Advisor who is an expert in CMS rules and regulations and clinical standards of care (Easily adopts variations of ACMP) Physician Advisor reviews case, speaks with admitting physician when needed, renders final decision based upon UR Standards and documents decision in auditable format on chart or in UR documentation Attending physician changes order as appropriate Must run 7 days a week/365 days a year 12 6

Compliance Scenario 3 A lot more organizations under HIPAA or HIPAA-like Legislation Requirements now Nevada Hospital sends employee-specific information to Benefits Company Examples HITECH is a HIPAA-boost and requires a lot more companies to comply to HIPAA New State Privacy Laws have HIPAA-like requirements Nevada, Massachusetts, New York, Connecticut 13 Compliance Scenario 3 - Recommendations Scan outgoing email for different personal identifiers SSN, Credit Card Numbers (automated methods exists e.g. DLP) Look to see if violations are from business-process gaps or education gaps Business-acceptable reasons to partners establish business to business encryption links Talk to IT and see what your options are Automatic encryption to your trusted business partners is a lot easier on the users and reduces corporate risk Reach out to other organizations with respect to compliance Be a source of compliance best-practices Learn how others are attacking the problems 14 7

Compliance Scenario 4 In hiring employees, a hospital verifies the employment and education information listed on the employment application, but does not keep records of how, when or by whom the verification was conducted. An audit determines that the hospital is not in compliance with the Joint Commission Standard HR.1.20, which says hospitals must verify and document that the applicant has the education and experience required by the job responsibilities. 15 Compliance Scenario 4 - Recommendations To comply with the Joint Commission standard, hospitals should verify an applicant s education, employment and professional licensure When conducting that verification by phone, write and file when the call was placed, to whom the hospital s HR representative spoke, the information given by the source and, if applicable, the applicant s license number and expiration date When conducting verification via the Internet, print out the information found online and ensure it is time and date stamped. File the printed documentation 16 8

Compliance Scenario 5 As part of the CERT program, your MAC denies 24 elective Inpatient PCI s. You review the process of assignment of status and find some doctors make all PCI inpatient, some make all outpatient. You know that the RAC s are also auditing Cardiac Procedures. You get a letter from the DOJ requesting 100 Kyphoplasty Admissions for audit. Is this the same issue? How did this happen what do you do? 17 Compliance Scenario 5 - Recommendations IP/OP Procedural setting is RAC and DOJ target Use IP only list but recognize its limitations Buy or Build evidence based content to allow for risk stratification of high risk targets Begin Concurrent UR process for Cardiac Procedures, Kyphoplasty going forward Determine from a data analysis is this an error or something more? Determine whether a repayment strategy or self disclosure is appropriate Audit charts using trained Physician Advisors (who understand both clinical and regulatory guidance pertaining to these procedures) Use audits to set reserves, make paybacks, extrapolate etc. Ironically, a proactive process and cooperation with the MAC may save you a lot of headaches down the road 18 9

Compliance Scenario 6 A physician asks a physician s assistant to send some of her patients EMRs to her home email so she can complete her work at home or at her clinic. The part time nurse complies and sends the PHI-laden information via email. 19 Compliance Scenario 6 - Recommendations Self Policing with Little Technology If a user sends an email with attachments to a web mail account (yahoo, gmail, etc.) have an auto-filter send a reminder to the sender about HIPAA compliance Advanced Policing with Policy-Based Scans Use a Data Loss Solution to scan for PHI lexicons Quarantine Violations Active Compliance Incident investigation 20 10

Compliance Scenario 7 A patient, who lost their job and insurance this past year, comes into a hospital using a family members insurance card and registers under that family member s name. The patient is treated as though they are the family member and the information is entered into the EMR of the family member. 21 Compliance Scenario 7 - Recommendations The floor is open for discussion! 22 11

Interesting General Sessions Running Successful Hospital Exercises: Planning, Execution, and Assessment Tuesday April 28, 11:00am-12:00pm; Session 512; Capri Room Mitch Saruwatari, VP Quality and Compliance, LiveProcess; Michael Bowers, Director of Facilities & Engineering, Riverside County Regional Medical Center Where s That Policy? Solving the Pitfalls of Paper-Based and Internally Built Policy & Procedure Systems Tuesday April 28, 3:00pm-4:00pm; Session 711; Genoa Room Robert Tietjen, President/CEO, Policy Technologies International, Inc.; Wayne Soo Hoo, Director, Quality Management & Patient Safety, Mercy San Juan Medical Center 23 Plans Monday Night? Join Us for Dinner, Networking & Learning When: Monday, April 27 th 7:00-9:00pm Where: The Palm Restaurant (in the Forum Shops at Caesar s Palace) 24 12

AHA Solutions Signature Learning Series - Upcoming Events Powerful Results in Heart Failure Care through Patient Engagement; 4/30 Medicare & Medicaid Integrity Contractors (MACs, RACs, MIPs): Making Sense of the Alphabet Soup!; 5/13 State Security Regulations & HITECH Complying with Increased Mandates for Privacy and Security; 5/21 Optimizing Patient Placement at Presbyterian Intercommunity Hospital; 6/3 All events are 1:00-2:00pm EDT 25 Question & Answer Session and Thank you! To our Expert Panel Stefan Keller, President, Certiphi Sean Tippett, Product Manager, Cisco IronPort Joseph Zebrowitz, MD, Executive Vice President, EHR (Executive Health Resources) Visit AHA Solutions at Booth #407 Visit AHA-Endorsed Solution Provider Booths too! Certiphi; Booth #206 EHR; Booth #109/111 PolicyTech; Booth #711 26 26 13

Contact Information Brad Hunter, Director AHA Solutions bhunter@aha.org / 312.895.2527 Stefan Keller, President Certiphi skeller@certiphi.com Sean Tippett, Product Manager Cisco IronPort setippet@ironport.com Joseph Zebrowitz, MD, Executive Vice President EHR drjoe@ehrdocs.com 27 27 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information