The BridgeBlog

The Centers for Medicare and Medicaid Services (CMS) recently announced it will provide a 90-day grace period for enforcement of HIPAA 5010. This doesn’t mean providers don’t have to comply with the requirement.

CMS will accept complaints about non-compliance with the rule and could require Covered Entities to show evidence of a good-faith effort to comply. In addition, any claim or bill submitted after January 1, 2012 not in HIPAA 5010 will still get rejected, but this delay will allow for resubmitting in the appropriate format without penalty.

Below are four tips to ensure reimbursement continues to occur at your organization after January 1, 2012:

1. With HIPAA 5010, the 837 transaction set now requires anesthesia services to be reported in minutes instead of units.

2. With the start of HIPAA 5010, the 835 transaction set offers new data elements; these will provide payers the ability to allow direct billing by a Medicaid agency to other health plans.

3. For Version 5010, the 837 transaction set provides for a present-on-admission indicator related to each diagnosis code.

4. The 270/271 transaction sets, with Version 5010, clarify instructions for patient hierarchy, such as when a subscriber is a patient and when a dependent is a patient.

For more HIPAA 5010 tips and information, sign-up for our monthly tips handout.

By Kent Lane

You get the OCR audit notification letter and the panic begins. You are one of the ‘unlucky’ providers or health plans to be audited as part of the OCR’s HIPAA HITECH audit program; what do you do first?

During & After the Audit

On the OCR website, it details each step of the new HITECH audit program, including a timeline of events. Below are five critical steps:

1. Required documentation of your privacy and security compliance efforts (see below for more information)
2. Interviews with key personnel on site, and observe processes and operations to help determine compliance
3. Following the site visit, auditors will develop and share with the entity a draft report
4. Prior to finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified
5. The final report submitted to OCR will incorporate the steps the entity has taken to resolve any compliance issues identified by the audit, as well as describe any best practices of the entity

Documentation Must Include Policies, Procedures & Training

In accordance with HIPAA regulations, all Covered Entities and Business Associates must institute and document its policies, procedures, and practices—which includes initial and refresher staff training—to improve the privacy and security of protected health information (PHI).

Your training must address privacy and security regulations:

• Privacy training must include all elements of the federal, state and organization privacy regulations
• Security training should cover topics such as, the use of virus protection software to prevent or lessen the threat of malicious software; login and password management; and how to respond to security incidents
• The training should also include your organizational security policies and procedures

BridgeFront HIPAA Online Training

We offer simple to use, cost effective online training and guides. Training is easily modified to include your policies and procedures. We guarantee our training and guides will pass your audit.

For more information on our HIPAA training and education, visit us at www.bridgefront.com or contact us directly. Send an email to info@bridgefront.com or call (866) 447-2211.

By Kent Lane

Over the past 10 years of visiting clinics and hospitals, for business or personal reasons, it’s hard for our consultants not to observe HIPAA compliance; and most of the time they’re surprised at what they see. The question on their mind is, “who will be the next data breach victim?” Below are some common HIPAA violations scenarios from our experience and from a recent Physicians Practice article.

Lack of new hire and refresher staff education

The first violation noted is usually lack of staff education. Current HIPAA Privacy and Security regulations require this:

• Everyone in your organization be trained on HIPAA
• Annual, refresher training be provided
• Training is documented
• Your Business Associates are trained

We see everything from “no training” to “word of mouth training.” Education is the first thing auditors will look for when conducting compliance audits.

Bulletin boards identifying patient information

Upon walking into a clinic, Judy Norman was greeted by a beautiful bulletin board that welcomed new patients to the practice, identifying the patient by their full name and town. Patient names and addresses are protected health information under HIPAA and may not be shared in this manner without authorization from the patient.

Announcing patient names

In most practices, patients are called up in the waiting room by their full names in front of everyone. Using first only is recommended. Also, refrain from conversations in the lobby such as, “How is your knee feeling?”

The check-in process

The check-in process for patients often leaves much to be desired in terms of privacy. Consider this common interaction at a doctor’s office:

Staff: What’s your birth date?
Me: March 5, 1990
Staff: Is your name Ericka Adler?
Me: Yes
Staff: Is your address still ___________?
Me: Yes
Staff: Are you still with Blue Cross Blue Shield?
Me: Yes

In this one conversation, overheard by everyone, information is revealed that is protected health information under HIPAA and which could be used for identity theft. This is an interaction that is unnecessary and inappropriate. Patients should be spaced out so they cannot be overheard with the reception staff. In addition, the amount of information reviewed verbally should be minimized. Consider asking if anything has changed or request the patient review private information on a computer screen to confirm its accuracy.

Patient charts in plain view

Pete Johnson is sitting in a room waiting for his physician. He sees another patient’s chart sitting on the desk in plain view. Then, as he is paying his bill at the receptionist’s desk after his visit, he sees additional charts in plain view that identify a patient’s name, address and other information without the need to even open the chart.

Jennifer Cortez brings her daughter to a practice for a procedure and in the procedure room a large mounted screen identifies the scheduled procedures for the day: every patient’s full name and birthday, the time of the procedure, the assigned physician, and the service being provided. This is a blatant disclosure of protected health information.

Patient names and addresses are protected health information under HIPAA and should not be readily accessible or in plain view of other patients.

Protected health information and social media

An OB/GYN practice client ran into trouble when its receptionist recognized a woman from her neighborhood who came in for STD testing. The receptionist promptly posted a gleeful message on Facebook regarding the patient’s medical issue after tracking down the test results, and common acquaintances on Facebook became privy to this confidential information.

Improper access to patient information by office staff and dissemination of these details using social media are significant challenges that must be addressed.

Use these scenarios as part of your next group discussion

Since you’re reading this, you probably understand the importance of patient privacy and security and the consequences when violations occur. However, does your organization share your expertise? Consider sharing these scenarios in your next staff meeting or group discussion. This activity and annual training will enable them to gain expertise and competency on HIPAA privacy and security, keeping your organization safe from violations and penalties.

For more information on HIPAA training and education, visit us at www.bridgefront.com or contact us directly. Send an email to info@bridgefront.com or call (866) 447-2211.

In a recent poll and study on the ICD-10 transition, 75% of healthcare professionals indicated deep concern over the conversion, while another 50% expect a loss of revenue. Respondents are concerned about staff training, understanding the new ICD codes, and increasing denials. Nearly half of all financial leaders who contributed to the study by HealthLeaders Media, ICD-10 Puts Revenue at Risk, anticipate a revenue loss of some kind from ICD-10. Even more significant, is that they anticipate losing margin over the next few years. The Importance of Education In the ICD-10 Puts Revenue at Risk study, Albert Oriol, the VP and CIO of Rady Children’s Hospital and Health Center in San Diego comments on the amount of learning that must take place prior to the conversion.

He says, “Many have compared ICD-10 to Y2K, [but] ICD-10 is more complex. It requires staff along the care continuum to learn and use a new order of magnitude of diagnostic and procedure codes—from the scheduler, to the physician, HIM professional and the biller. Unquestionably, ICD-10 introduces an added layer of complexity to the multitude of challenges already at hand.”

BridgeFront case studies can prove that revenue cycle staff education can improve employee productivity and increase accuracy; well-trained employees also have fewer denials, rejections, and re-bills. Staff education can clearly reduce the negative impact healthcare providers are expecting after the transition to ICD-10.

Informational Web Portal

BridgeFront recently announced its ICD-10 and HIPAA 5010 informational portal, located at www.icd10-education.com. Healthcare professionals can visit the website for complimentary resources on the conversions to ICD-10 and HIPAA 5010. Visitors can sign-up for a free on-demand webinar and a monthly preparation email newsletter.

ICD-10 and HIPAA 5010 Education by BridgeFront

BridgeFront also announces its ICD-10 and HIPAA 5010 online education. For more information, complete this form or contact us directly. Send an email to info@bridgefront.com or call 1-866-447-2211.

There are two new ‘HIPAA sheriffs’ in town…both ready to monitor and audit your HIPAA compliance practices. Recently, the OCR granted the authority to assess healthcare’s HIPAA compliance practices to State Attorney Generals (AGs) and the firm KPMG under the 2009 HITECH Act.

Steps to Survive a HIPAA Audit

In preparing for a visit from your State AG or a HITECH auditor, BridgeFront and the OCR recommend these steps:

1. Implement an annual employee training program
2. Ensure you’ve documented patient information safeguards
3. Review privacy and security policies and procedures
4. Vigilant implementation of policies and procedures
5. Regular internal audits and risk assessments
6. A prompt action plan to respond to data breach incidents

OCR Announces State Attorney General HIPAA Authority

This spring, the OCR announced its new HIPAA training program for State Attorney Generals (AGs). Under the 2009 HITECH Act, AGs now have the authority to bring civil actions on behalf of state residents for HIPAA violations.

“Most state AGs are elected into office…which means there is more pressure to pursue HIPAA violations, particularly if there’s a ‘good story’ behind the data breach. They want to be seen as protecting the little guy,” says Jeff Drummond, health law partner in the Dallas office of Jackson Walker, LLP.

HITECH Auditors Set to Begin

Last week, the Department of Health and Human Services (HHS) awarded a $9.2 million contract to the consulting firm KPMG to launch its HIPAA audit program as mandated by the HITECH Act. The HHS will work with KPMG to roll out the program in three phases, says Susan McAndrew, OCR’s deputy director for health information privacy…starting later this year.

“This is just another opportunity for covered entities to take a moment for a self-assessment,” McAndrew says. “This will help them down the road in terms of building their own capacity for a robust compliance program…”

In a recent BridgeFront compliance study more than 60% of participants indicated they use online education as part of their compliance program.

BridgeFront is the leading provider of compliance online education. Visit us on the web for a free course trial at www.bridgefront.com/trial or contact us directly. Send an email to info@bridgefront.com or call (866) 447-2211.

By Nancy Friedman, Telephone Doctor Customer Service Training

It never fails. When management is asked to name one characteristic they’d like to see in an employee, overwhelmingly it’s always OWNERSHIP; to take responsibility.

Certainly, there are other traits they’d like to see, but without fail OWNERSHIP wins. When we talk about “what does ownership mean to you” there are several answers. To make it easy, we’ve taken the word OWNERSHIP and labeled a thought to each letter.

O
Operate as though it’s your business. Take responsibility. There’s no, “It’s not my job” in ownership. There’s only, “I will help you.”

W
Walk in the customer’s shoes. That’s the best way to be sure you understand what’s going on and to help. Pretend it’s you calling in and needing the assistance. What if this happened to you?

N
Never say “NO.” That’s right; even when you’re not able to help or even when the situation is hopeless (and let’s hope it never gets to that). The word NO is offensive, abrupt, unfriendly, overused and tired. There are dozens of positive alternatives we can use to let the customer down gently. To offer a few: “I wish we could” or “Let me double check on that” or “I’m going to take some time and see if we can work this out.” Bottom line, offering NO at the top of your conversation is useless.

E
Empowerment is strength. Having employees empowered to assist by themselves is a strong motivation to do well. The worst they can do is make one mistake; normally, easily corrected and move forward. Empower your employees!

R
Resolution. Sticking with the issue until it is solved. No matter how many phone calls, how many times we re-check something; it’s not over till it’s fixed. Resolved! The mentality needs to be, “Your issues are our issues.”

S
Sending confirmation of the resolution. This is so important. If something gets fixed or resolved and the customer isn’t made aware of it, they can still be upset. The other day we were to have been issued a credit from an airline. We never heard from them. After a third call from my husband to the airline, we were told, “Oh, that credit was on your bill a few months ago.” But, no one bothered to let us know it was coming or that it had been done. Send confirmation or call! Then close the issue.

H
Happiness is key. Happy people love to help. That’s a fact. Your customers love to be helped by happy people. That’s another fact. They can even make the bitter better. (Say that three times fast!) Walk into your job HAPPY.

I
Integrity. This is non-negotiable. Having integrity is a huge part of ownership. Do what is right ALL the time. And remember, having the right to do it doesn’t always ‘make it right.’ Integrity!

P
Personal commitment. Each and every person helping a customer needs to make their own personal commitment that they will take ownership. No more, “It’s not my job.” No more, “I wasn’t here when it happened.” No more, “I don’t know anything about it.”

What does ownership mean to you? Let us know by commenting on this article or send a message on Twitter to @bridgefront.

For more customer service tips, explore BridgeFront’s Customer Communications online education. Visit our website at www.bridgefront.com, send an email to info@bridgefront.com or call 1-866-447-2211.

Reprinted with permission of Telephone Doctor Customer Service Training, St. Louis, MO. Nancy Friedman, president, is a featured speaker at association and corporate meetings. She has appeared on OPRAH, The Today Show, CNN, FOX News, Good Morning America, CBS This Morning and many others and has written articles for USA Today and the Wall Street Journal. For more information, log on to www.telephonedoctor.com or call 314-291-1012.

By Lorraine Schnelle, Co-Founder and EVP of BridgeFront

Remember sitting or standing in a circle and whispering something into the ear of the kid next to you…then watching the faces as your message was passed from person to person. The looks on each face ranged from confusion, surprise, and laughter as you all played the “telephone game.”

This picture popped into my head as I was thinking about a survey question I asked participants in a recent online webinar. The webinar was on educational tools and techniques. The attendees were primarily healthcare finance professionals—many of whom are responsible for managing one or more areas of the revenue cycle.

The survey question was, “What educational activity do you rely on most when delivering staff education?” The top two answers were on the job (OTJ) and one-on-one instruction.

Sounds to me like it could easily turn into the “telephone game” played out in our everyday work world. Don’t get me wrong, the National Training Laboratory found the average retention rate of students participating in “practice by doing” educational activities is 75%. Their study re-enforces the value of OTJ training.

However a word of caution, don’t rely on OTJ or verbal instruction as the main ‘source of truth.’ Because this same study found that only about 5% of what a student hears is retained.

Ensure you have additional educational activities and materials that are and will be used by your staff to support and re-enforce key learning concepts. This material can be in form of online courses, written procedures, video demonstration, work flow diagrams, user manuals, screen shot job aid, etc.

—————————————————————————————————————————————————————-

For more information about BridgeFront’s online education, go to www.bridgefront.com or contact us directly. Call 1-866-447-2211 or send an email to info@bridgefront.com.

Next week we are flying to sunny Orlando for the 2011 Healthcare Compliance Association’s (HCCA) Compliance Institute—that takes place April 10-13. We’re excited about our debut appearance at the conference in booth number 109. Here are three reasons you should be excited too:

#1 Live Demonstrations of Our New Mobile Learning Platform

Did you know that 2011 was dubbed ‘the year of mobile?’ Mobile learning is catching on like wildfire and BridgeFront is one of the first e-learning providers to offer it. Don’t miss a glimpse at the future of e-learning by joining us for a 5-minute demonstration of the new mobile learning platform. Learn first-hand about the evolving world of e-learning.

#2 Chance to Win a SmartPen

Stop by and enter our drawing for a chance to win a SmartPen—this product is a great learning tool which converts written notes and audio into text, right on your own computer. This tool is ideal for seminars, conference sessions, workplace meetings, and much more.

#3 Meet BridgeFront Face-to-Face

BridgeFront team members Tamara Wanamaker and Chelsey Slack will be in booth number 109 ready to meet you and answer your questions. We are also attending the afternoon “speed networking” session on Sunday, April 10—it’s like speed dating, but for attendees and exhibitors to network.

The 2011 HCCA Compliance Institute, the nation’s largest compliance conference, is expecting more than 2,000 attendees. Here are some of the topics covered in the educational sessions: long-term care, privacy and security, physician compliance, legal and regulatory, auditing and monitoring, and quality of care. Learn more about the conference by visiting www.compliance-institute.org.

BridgeFront offers compliance online education, written compliance guides, template policies and procedures, and risk assessment services. Since 2002, BridgeFront has served more than 10,000 organizations with its educational services. Learn more about BridgeFront’s compliance education by visiting www.bridgefront.com.

By Nancy Friedman, the Telephone Doctor

When you take the “friendly” out of “Business Friendly” all you have left is business – business as usual; now, we all know that’s just not good enough.

Being “Business Friendly” is for all touch points of customer service. Any way you touch or reach out to your customers on the phone, in person, by email, voicemail, fax or snail mail, we need to be Business Friendly.

You may be asking yourself, “What the heck is Business Friendly’?” Well, it’s the middle ground between being too cold, impersonal, and uncaring, and the other extreme of being too overly familiar. We’ve all experienced both I’m sure.

Here are the five points in delivering Business Friendly customer service.

#1 Every Call is Unique – Don’t Become Desensitized

The customer transaction you have at the end of the day needs to be as upbeat and helpful as the first one of the day. Often times we get the same questions over and over, and it’s easy to become desensitized. We need to remember that to the customer, their question is new to them; and it’s the first time for them, no matter the time of day.

#2 Solve the Problem – Don’t Argue

You know the old saying: “the customer is always right.” Well, at Telephone Doctor we’ve changed that around to “the customer thinks they’re always right” and that’s the perception we need to deal with. There are indeed times when the customer is wrong and we as service specialists know and realize it. What value is it to tell them: “Oh Mr. Jones, you are WRONG.” None is there? So focus on the problem; don’t worry about whose fault it is. There is zero value in arguing with a customer. You will lose every  time. Focus on solving the problem.

#3 Show Empathy – Don’t Ignore What The Customer Says

The other day, I called a company and explained that a product they sold me wasn’t operating properly. The answer from the company representative? “Oh, OK.” AGGGGGG. That drives me crazy. First of all, it’s NOT OK that the product wasn’t working right. And secondly, where was the empathy? Where was some sort of acknowledgement that they indeed heard what I was calling about. You can have empathy in happy and good things, too. Empathy isn’t only for disasters and bad times. You can join in when someone mentions a birthday, a vacation, a wedding, or anything that is happy. Point is, don’t ignore what they say. COMMENT on it.

#4 Smile

Yup, the customer can hear it. We all know that. And since we all know that, we all need to do it. And by the way, smiling is showing your teeth. If your teeth aren’t showing, you’re only grinning – not smiling. Grins can’t be heard!

#5 Avoid Emotional Leakage

What? Okay, what’s emotional leakage, Nancy? Well, that’s getting mad at Peter and taking it out on Paul. Not right, not fun and not fair. It is wrong to take a negative thought or emotion about one person and transfer it to another. Here’s how to avoid emotional leakage immediately:

1. Take a deep breath

2. Regain your professional composure

3. Smile (Even if it’s phony)

4. Then start the transaction

Being Business Friendly will make a huge difference in customer satisfaction. Don’t be cool and aloof and don’t get too familiar; be the middle ground and deliver Business Friendly customer service.

Reprinted with permission of Telephone Doctor Customer Service Training, St. Louis, MO. Nancy Friedman, president, is a featured speaker at association and corporate meetings. She has appeared on OPRAH, The Today Show, CNN, FOX News, Good Morning America, CBS This Morning and many others and has written articles for USA Today and the Wall Street Journal. For more information, log on to www.telephonedoctor.com or call 314-291-1012.

For more customer service tips, explore BridgeFront’s Communication Skills e-learning. Visit our website at www.bridgefront.com, send an email to info@bridgefront.com or call 1-866-447-2211.

By Peter N. Cizik, CEO of BridgeFront

If you don’t know what you don’t know – then what? How’s that for a little riddle at this beginning of the New Year?

We’ve been working with several Regional Extension Centers across the country trying to decipher how to structure our new Meaningful Use education in a way that is most helpful for providers. One area that’s obvious is education on how to perform a HIPAA risk assessment, since that is one of the core measures of the Meaningful Use criteria.  OK – go ahead and roll your eyes – here we go again! Many provider practices hear this and say: “We’re fine!” “We already did this years ago.” “My Office Manager took care of it.”

However, if someone walked into to your office today and said, “Show me written evidence of a risk assessment,” could you do it? You may be just fine, but if you can’t show it and show that it’s relatively current, then you don’t meet the test of HIPAA compliance. By the way – insert Business Associate anywhere I refer to providers – all these rules apply to you as well!

Here’s the real reason you should care – a proper risk assessment will do several things:

1. Validate that any controls that have been implemented are actually working.

2. Identify areas that lack controls that should have something implemented.

3. Provide an audit trail documenting that each area of risk identified within the HIPAA regulations has been analyzed and addressed.

You now know what you don’t know – and can do something about it.

Things can still go haywire and result in a breach, but with written evidence of a risk assessment you can show that you’ve applied “reasonable” effort to prevent it. That is the goal. BridgeFront is developing a course to help organizations perform their own risk assessment. We hope this will demystify the whole process for those who’ve never formally completed one or those that should do it again. Now, this is not a “one off” event. You need to periodically refresh the assessment to make sure what you thought you knew… is still accurate.

Happy New Year everyone!