[ Thursday, January 15, 2004 ]
Random HIPAA news:
I have subscribed to get emails from Medical News Wire, including its HIPAA Wire and Hospital Compliance wire, and often get very good information from them. You too can subscribe by going here
Anyway, there are a few interesting articles from them over the past few days which I thought I'd share:
Understanding Security Incidents:
What is a security incident, and what do you need to do when one occurs? You have obligations under HIPAA to document when they happen and your response. Three key elements to successfully doing so are (i) tracking the incidents, (ii) looking for patterns and trends to help you anticipate (and prevent) the next one or otherwise cure vulnerabilities, and (iii) creating security awareness. If you've heard me speak on HIPAA, you've probably heard me say that getting started with HIPAA compliance is the best way to make HIPAA compliance happen. In many ways, HIPAA is a corporate cultural issue, and the best way to make HIPAA awareness a part of your corporate culture is to engage in high-visibility activities that turn HIPAA compliance into a self-fulfilling prophecy. Just as you can leverage your staff into doing the HIPAA heavy lifting just by getting them to think about it (hey, an army of consultants will know less about your practice's particular HIPAA vulnerabilities than your staff does), an active security program, led by security incident reporting and analysis, will keep your staff focused on HIPAA security.
Speedbumps, not Roadblocks.
Most providers view HIPAA hassles as temporary aggravations that, once overcome, will result in better, safer care, rather than as permanent problems that will prevent the delivery of care. That's good, since delivering care is what providers do. According to the Long Island Business News, the biggest problem for providers facing HIPAA compliance issues is interpreting the regulations and finding out what is reasonable. You don't need to buy a $50,000 shredder, but you also can't just throw records in the trash. Balance is the key, and once providers (and other covered entities) get a handle on that, they'll be able to navigate the HIPAA speedbumps better.
Lack of Information in Data Fields Leads to Denied Claims:
According to physician consulting firm MedSynergies, physician practices are seeing a growing number of claims rejected by payors for failure to include information in all required data fields. Often, it is hard for the practice to determine what information is missing and what is needed, which makes it difficult for practices to meet filing timeframes. Should this be happening, since HIPAA should have standardized all fields? Perhaps, but HIPAA did allow payors to ask for additional information in particular fields, and not all payors are using strict X-12 formats. Of course, even understanding the X-12 form 837 (the standard claims submission form) is almost impossible if you don't understand computer code (which I, as a proud liberal arts major, don't, at all).
One thing is clear, whether under HIPAA requirements, managed care or payor contracts, Medicare/Medicaid, or state Prompt Claims laws: providers need to keep on top of their billing and coding processes to make sure that they are providing the right information to get paid and doing so in a timely fashion. Failure to provide the right information, OR failure to provide it within the required time frames, can result in rejected claims which just might be lost forever (or at least fall outside the "prompt pay" law requirements that give providers some leverage over payors).
Jeff [12:06 PM]
Blogger: HIPAA Blog - Edit your Template