August 17, 2009
Ushering in Change — ARRA Adds New Challenges to ROI Requests
By Elizabeth S. Roop
For The Record
Vol. 21 No. 16 P. 10
Making sure your organization meets federal requirements is about to get more complicated.
The HITECH Act will do more than incentivize HIT adoption. Contained within this key section of the American Recovery and Reinvestment Act (ARRA) of 2009 are HIPAA changes that broaden privacy rights and add teeth to penalty and enforcement provisions—all of which will add new layers of complexity to the release-of-information (ROI) process.
“People are still trying to get their arms around the whole ARRA initiative in terms of how to deal with these new provisions,” says Stephen Hynes, president and chief operating officer (COO) of MRO Corp, which provides shared services, ROI, and audit-tracking technologies. “Some details are obvious, while others are buried in the provisions, and the industry is still trying to dig them out.”
Accounting for PHI Disclosures
HITECH’s most obvious changes to HIPAA relate to the disclosure of protected health information by covered entities and/or their business associates. But even the obvious changes at this point come with more questions than answers.
Under the HITECH Act, patients will have the right to receive a full accounting of PHI disclosures made through an EHR. Previously, payers, providers, and other covered entities were not required to account for disclosures made for treatment, payment, and operations.
“Accounting is one of the patient’s rights, so this is really directed at expanding those rights,” says Julie Roth, RHIA, a health law attorney with Lathrop & Gage LLP. “Your software or EHR product should have an audit function so that you can go back and look at all the disclosures for a particular patient record. It reinforces the importance of having a good audit function, one that is capable of capturing disclosure and making sure that you can easily produce an audit report that is user friendly.”
For some, concerns with the expanded accounting of disclosure requirements are more logistical than technical. Is every disclosure required to be reported, even things such as internal access by staff or reporting information to a registry?
Taking it a step further, how will this impact the volume of requests that must be processed? If the assumption is that all providers have EHRs, will the revisions mean that ROI requests must be processed in real time? Finally, does this expansion impact facilities’ and vendors’ ability to charge fees to cover the costs of ROI since the EHR was funded in part by government funds?
“At this time, the regulations that apply to the bill are being defined, so that’s up in the air,” says Rose T. Dunn, RHIA, CPA, FACHE, COO of First Class Solutions, Inc, a healthcare consulting firm. “As the details unroll, we may be seeing the clarification document stating that if you received stimulus incentive payments for EHR … when patients request copies from the system, you can’t charge for them. That will have a huge impact on the ROI industry and internal ROI services as well.”
However, it is not the expansion of accounting of disclosures, workflow concerns, or even the potential for real-time ROI that causes the most consternation among those responsible for managing ROI. Rather, it is the requirement that they abide by a patient’s request to restrict disclosure of PHI related to treatments or other services for which an individual has paid out of pocket.
Previously, HIPAA allowed covered entities to decline a patient’s request to restrict disclosure of information related to self-pay services. Now, however, if a patient pays for a procedure or testing rather than filing an insurance claim, they have the right to restrict disclosure of any information related to those services.
For ROI professionals, the challenge will be effectively segregating information that can be disclosed from that which cannot.
“If a patient wanted to not disclose portions of care rendered during an inpatient admission, how do you do that? How do you report the portion that the patient does want to go on to a payer and not be bordering on an accusation of fraud?” asks Dan Rode, MBA, CHPS, FHFMA, vice president of policy and government relations for the AHIMA. “The fact is that there is such a huge potential mix of services [in a hospital setting]. Which are aligned with the request? Working out this process is doable, but it’s going to be one that will really cause a lot of discussion on how to process it within an organization. A lot of requirements have yet to be defined. Hopefully, when it’s all over, we’ll have a clear picture. But today, we don’t have a clear picture, and there are some interesting options.”
Compliance with the patient’s right to restrict access may perhaps be an even greater challenge for ROI outsourcing firms, which are often dependent on the client facility to dictate extenuating circumstances and specific patient authorizations.
“If a patient has paid for a certain procedure or encounter out of pocket and not filed a claim with their insurance company, the insurance company has no right to that record. We are supposed to automatically know that. Of course, that is procedurally impossible unless the hospital tells us. If a request comes in and says ‘any and all records,’ we can only rely on what the provider has given us,” says Jan McDavid, general counsel and compliance officer with HealthPort, an outsourced ROI and technology provider.
Finally, the HITECH Act also requires covered entities that utilize EHRs to provide the means by which ROI requests can be submitted and received in an electronic format if the requester so desires. While that seems reasonable on the surface, it raises the question about what to do in a hybrid environment.
Some expect that only those portions of the record that are already digitized will have to be provided electronically, but, as with much of the HITECH Act, clarification is necessary.
“Is it only the electronic portion of the record that has been digitized, or will [providers] have to scan [paper portions]? Will it look like anything that can be understood? Those are the questions that will have to be answered because of the hybrid mode,” says Rode.
Enhanced Enforcement and Penalties
In addition to expanding patient privacy rights and accounting of disclosures, provisions within the HITECH Act add bite to enforcement of and penalties for HIPAA violations.
Previously, under HIPAA’s privacy and security standards, the maximum civil penalty was $100 per violation and up to $25,000 for all similar violations in a calendar year. Some wrongful disclosures were also subject to criminal prosecution by the Department of Justice and carried the potential of fines of up to $250,000 and up to 10 years in prison.
However, under the HITECH Act, there will be four levels of penalties:
• If the violation was not willful or occurred without the violator’s knowledge, the fine is $100 per violation up to $25,000 for the calendar year.
• If the violation was due to reasonable cause but not willful neglect, the fine is $1,000 per violation up to $100,000 for the calendar year.
• When the violation is due to willful neglect but was corrected by the organization, the fine is a minimum of $10,000 per violation up to $250,000 per year for all identical violations.
• When the violation is intentional and not corrected by the organization, the fine is a minimum of $50,000 per violation not to exceed $1.5 million for the calendar year.
Criminal penalties are also extended to apply not only to the covered entity but also to individual employees. Also, harmed individuals will have the right to share in damages resulting from civil actions.
The power the HITECH Act extends to states is also cause for concern. “Under the new rules, every state attorney general will be vested with the power to sue over breaches,” says McDavid. “Where we see this as being a problem [is that] it brings politicians into the process. If someone is running for office as attorney general and they have residents who have complained about a breach of confidentiality, instead of having the government investigate first, they can simply sue. If they are successful, the court may waive the cost to the state; so there is very little downside for them.”
Laws governing notification in the event of a breach of unsecured PHI have also been enhanced under HITECH. Whereas previously, covered entities were not required to notify individuals of a breach, they now must do so within 60 days of the discovery.
The new laws also impact business associates, who will be required to notify the covered entity when a breach is discovered. They are also subject to direct compliance with privacy and security standards and penalties for violations.
The breach notification requirements, which are expected to take effect in September, are “definitely going to increase the importance of safeguards in the ROI process. It will increase the importance of maintaining integrity,” says Roth. “It increases the importance for the people involved in the ROI process to be diligent about making sure that they are releasing the correct information to the correct people or entity and that they have the correct authorization to do so. Otherwise, they’re looking at the potential for having to issue breach notifications.”
Preparing for the Inevitable
Though many questions remain to be answered, healthcare organizations and their ROI outsourcing partners should be working now to ensure that they are ready for the HITECH Act’s inevitable impact—starting with understanding the new laws.
“If they haven’t read the regulations yet, they absolutely need to do it,” says Dunn. “I know that every HIM director has mounds of paperwork they are dealing with and fires they’re fighting, but they need to set aside a few hours to make sure they have a good understanding of the regulations [and] then assess what it means for their organization.”
Dunn suggests taking advantage of the many audio conferences and Webinars various organizations are holding to educate attendees on the HITECH Act. While there may be some conflicting information and interpretations, “Wherever there is common information, you’ll know it’s likely factual,” she says.
Organizations can also evaluate existing business associate agreements to determine if and how they should be updated to comply with the new laws.
In addition to breach notifications, business associates will now be directly regulated by HIPAA, required to comply with security requirements, and subject to the same penalties for violations as covered entities. As such, it is more likely than not that business associate agreements will require modification to ensure compliance.
“People are taking a wait-and-see approach because they don’t want to memorialize in an agreement something that wasn’t what the government intended, [but] this is something that I would advise them to start thinking about now,” says McDavid.
Finally, organizations should be preparing to provide those who manage the ROI process with proper training, both as a refresher on current compliance requirements and on any new mandates once they have been finalized and clarified.
“If I were a privacy officer, I’d be getting out all the HIPAA privacy and security policies and looking at the new requirements for HITECH to figure out where it will fit into existing policies … and to look at revamping the training program,” says Roth. “They have expanded penalties significantly, so organizations are going to want to make sure that their employees understand that this is not something they can take lightly.”
— Elizabeth S. Roop is a Tampa, Fla.-based freelance writer specializing in healthcare and HIT.
In the next issue of For The Record, writer Elizabeth S. Roop examines how the HITECH Act changes HIPAA strategy throughout the hospital. How will the new provisions affect enforcement, breach notification, business associates, and encryption?
Ramping Up for RAC
Though the pending regulatory changes under the HITECH Act are consuming much of the industry’s attention, healthcare organizations are also bracing themselves for the national rollout of the Recovery Audit Contractor (RAC) program. Specifically, release-of-information (ROI) professionals are gearing up to manage the expected spike in record requests.
“While there are a lot of unknowns in the RAC process, from the ROI perspective, it’s straightforward. The industry is prepared to deal with it. The only question is how big it will be,” says Stephen Hynes, president and chief operating officer (COO) of MRO Corp. “Will there be a significant percentage increase in volume or a small increase? That’s going to vary from hospital to hospital based on what the RACs are looking at and from region to region based on the mix of cases and a whole range of other factors. But strictly from a release perspective, we’re not reinventing the wheel.”
According to Lori Brocato, revenue cycle product manager with HealthPort, RACs can request up to 200 records per national provider identifier every 45 days from hospitals. Depending on practice size, anywhere from 10 to 50 records per group national provider identifier can be requested every 45 days from physician practices. Providers then have 45 calendar days to provide the records or request an extension.
The problem is that it is difficult to gauge the exact volume of requests with any consistency. For example, a 20-physician practice with four locations that has issued a different group national provider identifier for each location could be on the receiving end of requests for 100 records every 45 days.
“If they know they’re at risk for certain things, they could see how many cases they’ve had in the past years and they could technically come up with some kind of calculation,” says Brocato.
Facilities that handle ROI internally are likely to be hardest hit by RAC requests. Those organizations would benefit from an evaluation of existing processes and technologies to ensure they are adequate not only to handle the increase in requests but also to track RAC requests so that compliance can be demonstrated.
Hynes notes that there are new software and service models that can help, and hospitals that are not already doing so may benefit from outsourcing some portion of their ROI as a way to manage the overflow in response to RAC. That may be in the form of shared or even remote services to free up internal staff.
“For those that outsource ROI, it’s going to be the responsibility of their outsourcing vendor to handle the additional workflow,” he says. “Hospitals that handle ROI in house will have to absorb [the added volume] on their own. They might want to look at their processes and tweak them, and part of that might be finding a company that can provide them with some level of assistance to handle some portions of their release process.”
Finally, oversight of the process is critical, even when it is outsourced to a service provider. As such, HIM directors should clearly define the response process down to the orientation and location from which each document in a paper, electronic, and/or hybrid record should be printed.
It is imperative that the records provided in response to the initial request are complete. This includes ensuring that any paper-based record content is copied and submitted along with the electronic content, both for the initial response and any appeals. Further, if the legal record captures the physician’s signature on paper rather than electronically, the paper version should be submitted rather than any transcribed reports that may be stored electronically without the signature.
“Even if a healthcare facility has contracted with an ROI service provider, this is not an activity for which HIM management oversight is not required,” says Rose T. Dunn, RHIA, CPA, FACHE, COO of First Class Solutions, Inc. “You absolutely do need oversight here. You get the one shot to submit the information. If you have a hybrid [record] and you forget to copy the paper or print the electronic portion, you’ll be on the losing end. Your ROI people have to be overly cautious, compulsive to the point that they’ve touched all the places where that information may be stored.”