Earlier this year, the U.S. Department of Health and Human Services (HHS) announced the final rule that strengthens the HIPAA laws and regulations and puts in place many conditions of the HITECH Act. Obviously, it’s been every medical provider’s goal to be compliant to the HIPAA rules from the very beginning; so why the panic over the HIPAA compliance deadline of Monday, September 23rd? Simply put: It’s overwhelming.
Physicians and their office managers are trying to get up-to-speed, but they do not have the time or manpower to dedicate the hours needed to achieve compliance. The hospitals and larger private practices usually have a compliance officer on their team to get these things done, but the small or mid-sized practices cannot afford that luxury. So it’s up to office managers and administrators to get the practice in line with the new regulations. But even if the office has done its part and implemented all the correct policies and procedures, HHS can still come in and audit the practice and potentially find problems. The fines and penalties associated with HIPAA are significantly higher with the new rule: Up to $1.5 million!
As a healthcare provider, how do you manage the risks of government regulations?
- Have a risk analysis done by an outside contractor: This is the first step in identifying areas that need to be addressed. One of the Meaningful Use requirements is this type of assessment as well. You can purchase DIY programs to help you conduct an analysis on your own, but an outside firm that specializes in HIPAA will be much more efficient and save you a great deal of time. Time = Money!
- Ask your attorney to review policies and procedures: Chances are that your privacy policies and procedures need to be revised. Many practices haven’t updated forms since the late 1990s or early 2000s. To be sure you are using up-to-date, legal documents, get an attorney involved and make sure it’s right. Sure it costs money, but it could save you thousands in the long run if you are audited by the government.
- Protect your practice with insurance: Believe it or not the new rules have spawned a whole new category of insurance products. You can buy a policy that covers the practice in the event of fines or penalties related to government regulations such as, HIPAA & HITECH violations, RAC audits, billing errors, Medicare and Medicaid fraud, and data breaches including private health information or financial information. Of course we’d like to help you with this part of the process! Contact eQuoteMD for a free, no-hassle quote.
So what risks have been created by healthcare reform?
The risks to healthcare providers created by the new reforms fall into 2 categories:
- Regulatory Violations
- Cyber Liability
As we’ve already mentioned, the main regulatory violations you need to know about are related to HIPAA. The deadline for compliance to the new rules is Monday, September 23rd, and it is possible that the government could start random audits after that. Up until now they have only been acting on complaints. In fact, since HIPAA was enacted in the 1990s HHS has investigated almost 80,000 complaints and approximately 20,000 of those investigations resulted in settlements, penalties, or corrective action. Experts agree that HHS will get a lot more aggressive in initiating audits as they try to find increased streams of revenue.
Another area of risk is related to Recovery Audit Contractors, commonly known as RAC audits. For several years now the government has contracted with private firms to conduct audits of medical practices in search of Medicare and Medicaid billing errors. The amount of overpayments found and recovered since the program began is in the billions of dollars. The auditors get paid a percentage of what they recover, so there is incentive to find errors. A recent article states that 56,620 providers audited in 2011 appealed the overpayment claims and 43% of them won. That shows you the overzealous nature of the auditors involved.
Other regulatory violations include:
- Zone Program Integrity Contractors (ZPIC) – Medicare/Medicaid fraud
- Emergency Medical Treatment and Labor Act (EMTALA)
- Stark Laws
The second category of risk for healthcare providers is Cyber Liability. You hear this term thrown around quite a bit these days, but most people don’t really know what it’s all about. This type of risk is not really unique to healthcare. Any business entity that uses and stores sensitive data is at risk. There are privacy and security issues when you have personal or financial information from patients or customers. The problems fall into several broad categories:
- Privacy Breach – when patients’ personal information (names, birthdates, social security numbers, credit card numbers, bank account numbers, etc.) is distributed to an unauthorized group or individual. The breach could be the result of computer hackers or maybe due to a lost or stolen computer or mobile device. The costs involved in a privacy breach can be astronomical. You must notify all patients involved in a timely manner, and you may have to pay legal expenses, set up credit monitoring, and provide identity theft controls. Not to mention the public relations problems associated with the event.
- Loss of Data – when electronic data is compromised, damaged, erased, or corrupted due to a virus, an accident, computer crash, or crime. Costs add up quickly when attempting to recover lost data. Most cases require an IT company to do forensic work. And then there may be a need to replace hardware as well. In addition, if you are unable to continue seeing patients through the process there will be loss of revenue due to the interruption.
- Cyber Extortion & Terrorism – although it sounds like something out of a James Bond movie, this type of crime is real and is on the rise. Hackers are on the prowl looking to steal information they can use for identity theft, to clean out bank accounts, or to use as leverage for political reasons. Many of these attacks come from outside the U.S. Again the costs can be incredible because of the steps required in correcting the problem.
The bottom line is that because things are constantly changing in the world of technology lawmakers are trying to keep up by enacting rules and regulations that help protect all of us. Because of the amount of patient information used and stored, healthcare providers have a responsibility to keep that information secure and private. Physicians and their practice managers need to do everything possible to achieve compliance and to protect their patients’ private health information and personal financial information. During that process, if you have any questions about eQuoteMD’s insurance products, let us know.