Harry and Louise, the fictional suburban couple featured in a series of national television spots sponsored by the health insurance industry in 1993 and 1994, stoked fears that helped doom a government-created health plan promoted by President Bill Clinton. Now, the same actors are back in a new campaign, this time to support a government overhaul of the medical system promoted by a President Barack Obama.
One month after the American Medical Association came out strongly against a public health insurance plan as part of national healthcare reform legislation, the nation's largest and most influential physicians organization today switched course dramatically by publicly endorsing HR 3200, the House legislation that includes the public plan as a centerpiece provision.
"The status quo is unacceptable," says J. James Rohack, MD, who took over as AMA president in June. "We support passage of H.R. 3200, and we look forward to additional constructive dialogue as the long process of passing a health reform bill continues. This is an important step, but one of many steps in the process."
Rohack says the AMA is working with Congress and the Obama administration to construct a workable healthcare reform package. "We are committed to passing health reform this year consistent with principles of pluralism, freedom of choice, freedom of practice, and universal access for patients," he says.
This spring, AMA had complained to the Senate Finance Committee that a public health insurance plan "threatens to restrict patient choice by driving out private insurers."
But, today, the complaints had turned to compliments. "This legislation includes a broad range of provisions that are key to effective, comprehensive health system reform," says Rohack in a statement issued to the media. "We urge the House committees of jurisdiction to pass the bill for consideration by the full House."
Supporters of the public plan–including President Barack Obama—say providing benchmark competition is the only way to keep private insurance companies honest and control costs. Opponents say the public plan is the first step in a march toward government-controlled, single-payer healthcare.
Obama tried to assuage the concerns of physicians last month in a speech before the 158th annual meeting of the AMA in Chicago, when he told a room full of physicians that the public plan "is not your enemy. It is your friend."
The AMA says H.R. 3200 includes provisions key to effective, comprehensive health reform, including:
Coverage to all Americans through health insurance market reforms
A choice of plans through a health insurance exchange
An end to coverage denials based on pre-existing conditions
Fundamental Medicare reform, including repeal of the flawed sustainable growth rate formula
Additional funding for primary care services, without reductions on specialty care
Individual responsibility for health insurance, including premium assistance to those who need it
Prevention and wellness initiatives to help keep Americans healthy
Initiatives to address physician workforce concerns
For the second time in two months, Kaiser Permanente Bellflower Hospital in Los Angeles County has been slapped with a six-figure fine for failing to secure electronic patient records from snooping employees.
Investigators say one of the eight employees caught in the latest security breach in April was also involved in the earlier breach in mid-March that involved Nadia Suleman, aka the Octomom.
The California Department of Public Health today issued an "administrative penalty" of $187,500 after determining that KP Bellflower failed to prevent unauthorized access to confidential patient medical information. The hospital was also hit with a $250,000 fine on May 15 for violations that occurred in mid-March, when KP Bellflower notified the state that employees snooped through on medical records belonging to Suleman, whose eight children were born at the hospital on Jan. 27.
Citing patient confidentiality laws, California Department of Public Health spokesman Ken August declined to say if the latest breaches also involve Suleman. The penalties were issued under a new California law that uses heavy fines and bad publicity to incentivize hospitals to protect patient confidentiality.
KP Bellflower officials say they are preparing to release a statement on the latest breach.
Four patients and eight employees were involved in the April, investigators say. One patient's records were examined by six employees. August says there is no indication that the employees were acting out of anything more sinister than curiosity. After the first breach, KP Bellflower notified Suleman and state investigators, fired 14 employees, and reprimanded eight employees.
In an unrelated matter, but also taking place in the Golden State, letters have been sent to about 30,000 patients at the University of California San Diego's Moores Cancer Center after a hacker accessed patients' personal files, the center says. UCSD officials say the hacker accessed personal data, including names, birth dates, and medical records numbers, but that personal medical record information, Social Security numbers, and driver's license and financial information were not breached. The breach occurred in late June, and the letters were sent out last week.
The hospital blamed the Internet-based attack on "highly skilled individuals living overseas."
The Centers for Medicare and Medicaid Services (CMS) released this month first-time data in its Hospital Compare Web site that reports if patients returned to an individual hospital within 30 days after being discharged for three conditions: heart attacks, heart failure, or pneumonia.
Hospital Compare data show that on average for patients admitted to a hospital for heart attack treatment, 19.9% of them will return to the hospital within 30 days, 24.5% of patients admitted for heart failure will return to the hospital within 30 days, and 18.2% of patients admitted for pneumonia will return to the hospital within 30 days.
More than 4,000 hospitals—including almost all acute care hospitals—have voluntarily submitted quality information to share with the public through the Web site. Hospitals were placed in one of three categories based on their readmission rate—compared with the national readmission rate: "no different than the U.S. national rate," "better than the U.S. national rate," or "worse than the U.S. national rate."
So what does this data mean? Is a hospital in trouble if it is ranked "worse" than the national rate? Well, not quite. Even in its own explanation, CMS urges consumers not to view any one process or outcome measure on Hospital Compare as a tool to "shop" for a hospital.
But it's important for hospitals to understand how this current year's data is obtained. First, the data used in the Web site looks at data averaged over a three-year period of time.
"So where improvements have been made in the last year—that's not necessarily going to show up in data right now," said Jayne Hart Chambers, Senior Vice President for Strategic Policy and Corporate Secretary with the Federation of American Hospitals (FAH). FAH is a member of the Hospital Quality Alliance, which has collaborated with CMS on the development of its public quality reporting efforts.
"The other thing to understand about this particular measure is that readmission to a hospital within 30 days . . . is not necessarily related to the underlying condition that [the patient was] originally discharged," Chambers said.
For instance, if a patient was discharged after being admitted for heart failure and then returned to a hospital within 30 days because of a broken leg, that would be considered a readmission. "I've seen a couple of stories that have said a fifth of heart failure patients come back to a hospital—implying that they've come for their heart failure. That's not an accurate interpretation of this data," Chambers said.
Ongoing research, though, has indicated that patients may return to a hospital within several days when problems may arise with their discharge—perhaps they didn't understand their discharge directions or questions arose over prescriptions. A number of hospital-based programs around the country have found that using their own data and improving communications during discharge can make a difference in lowering readmissions.
"It's the care coordination aspect of it," Chambers said. "In my view, this is sort of the gross measure of an area that needs to be addressed. There's clearly a lot of public interest in it, and the tools that we have to address it right now are sort of sledgehammer kind of tools."
As recent legislation on Capitol Hill has shown, the issue of readmission within 30 days is not going to go away. It's become a well-known target within current healthcare reform legislation.
But it is going to take some time and work for all hospitals to address. While the data may not be truly reflective of why readmissions are taking place, they may serve as a wake-up for hospitals—and their leaders—to ask what is happening within its walls, and if there indeed is more room for improvement.
Note: You cansign up to receive QualityLeaders, a free weekly e-newsletter that provides strategic information on the business of healthcare management from around the globe.
Nearly 500 Medicaid audits are under way in 17 states, and the program will roll out to the entire country through the end of the year, according to CMS representatives who spoke on the Medicaid Integrity Program Special Open Door Forum on Wednesday.
CMS hopes to identify additional contractors by the end of the week. These contractors, known as Medicaid Integrity Contractors, are firms CMS has chosen to carry out the following Medicaid Integrity Program goals:
Review provider actions to determine whether fraud, waste, or abuse may have occurred
Audit provider claims
Identify overpayments
Educate those involved in Medicaid administration, providers, managed care entities, beneficiaries, and others with respect to payment integrity and quality of care
There are three types of contractors: Review, audit, and education MICs. The review MICs analyze data and identify issues to pass on to audit MICs to pursue, according to CMS. Education MICs will provide education to providers and others on Medicaid payment integrity and quality of care.
CMS acknowledged on the call that it could do a better job of provider outreach, and it is taking measures to increase educational efforts, now that it has finished building the Medicaid Integrity Program organization and developing the audit process.
Fortunately, additional resources will soon become available for providers. CMS plans to soon release FAQs, a procurement timeline, background on the program, and its goals, as well as other information on the Medicaid Integrity Program Web site. CMS also plans to release Web-based training currently in development for pharmacies.
Hospitals aren't the only providers that need to prepare: 44% of the current audits focus on hospitals, but 29% are on long-term care facilities, 21% of audits are on pharmacies, and the remaining 6% are on physicians, labs, transportation, and other types of providers, according to CMS.
RACs vs. MICs
MICs have been termed "RACs for Medicaid," but there are certainly differences between the programs. For example, the RAC lookback period is three years, but MICs base the length of time on individual state lookback guidelines. Similarly, the number of days a provider has to produce medical record copies for MICs is dependant on state rules, unlike with RACs, where providers have 45 days regardless of their location.
In addition, MICs have no set medical request limits, while RACs max out at 200. Also, CMS will not reimburse providers for the cost of copying records, which is also different from the RAC program.
And unlike RACs, MICs are not paid by contingency fee, but rather through a sort of fee-for-service model. The dollars MICs recover aren't tied to their compensation, according to CMS, although they will be eligible for bonuses based on how "effective and efficient" they are. Finally, in some cases MICs will do desk audits, and in other instances, auditors will come on-site to do the reviews.
MICs will also attempt to coordinate with RACs so as not to audit the same facilities simultaneously, CMS Medicaid Integrity Program field director Robb Miller said on the call.
Your business associates (BAs) must comply with the HIPAA Security Rule beginning February 18, 2010.
That mandate is part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law by President on Obama February 17, 2009.
If complying with the HIPAA Security Rule sounds like a large task for, say, a small billing and coding company, well, that's because it is.
Encryption. Destruction. Firewall protection. There's a lot to it.
And their problem is your problem. After all, it's your patients' information at stake.
If your BA is good, you're good. If they're bad, well…just picture the front page of your local newspaper with your facility's name next to the word "breach" in a headline.
So where do your BAs begin? Hopefully, they've already started.
Here are eight tips you can share with your BAs to get them ahead of the HIPAA compliance deadline next February:
1. Perform a risk assessment.
Determine your primary vulnerabilities. "Find what your biggest threats to the security of your PHI are," says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, privacy, security, and compliance consultant at Rebecca Herold & Associates, LLC, in Des Moines, IA. "You need to know where you are before you begin to form your policies and procedures. Check on the last time you had a security assessment, if ever, and start from there."
2. Make your own way.
As a BA, you must understand that you are responsible for your own compliance program, regardless of contract terms with a covered entity, says John R. Christiansen, an information technology lawyer at Seattle's Christiansen IT Law.
"You need to be responsible for your own security program with HIPAA," says Christiansen, chair of the newly formed HITECH Business Associates Task Force of the American Bar Association's Health Law Section and the HITRUST Business Associates Working Group of the Health Information Trust Alliance.
Do not simply accept what is thrown your way, he says. "Your program should be built based upon your organization's own unique risks," says Herold. "That's what your risk assessment will reveal."
3. Run a gap analysis on covered entity contracts.
HITECH is new, and existing contracts will probably leave gaps. "We haven't been in this world before," Christiansen says. "Find your gaps and what you will do about them."
You may want to wait for further regulations before you finalize your contracts. However, start by consulting your legal team. You may need to provide a contract in the future, but the onus now is only on the covered entity, according to current law.
4. Don't rewrite the entire contract.
"The changes to the BA contracts should be minimal," says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR. Apgar suggests including a new short statement or paragraph indicating that the BA must now comply with the HIPAA security rule and the use and disclosure provisions of the privacy rule.
5. Add breach notification language to BA contracts.
The language should require the BA to notify the covered entity within five days of a breach, Apgar says. This aligns with the new California breach notification requirement regarding the notification to the state that a breach has occurred and addresses the issue of when the 60-day notification clock starts.
"Also, I would recommend adding language requiring that the BA pay the cost of notification, which could get rather expensive if the breach includes a significant number of individuals," Apgar says.
6. Add language about the Red Flags Rule.
Covered entities (primarily providers) should consider adding additional language to the BA contract requiring that certain BAs implement identity theft management programs, Apgar says. The Red Flags Rule requires covered entities considered to be creditors by FTC standards to adopt an identity theft prevention program by August 1.
7. Build your breach notification processes.
This is perhaps the biggest change for BAs. Christiansen says BAs must put a policy in writing per the HITECH Act. "You need to be able to coordinate this by fall [of 2009] at the latest," he says. "This is going to be a big issue for a lot of BAs."
8. Train, train, train.
Herold says she's seen horrible training in the BA community. "Make sure your policies document the need for regular training, along with ongoing awareness communications," she says. "Then use effective training content. Just throwing words in front of your personnel is not training."
Get your hands on HIPAA resources, such as training books, e-learning courses, and webinars. Check with your covered entities to see what they have done.
Editor's note: These tips were taken from the HCPro, Inc. white paper, Business Associates and HIPAA What BAs need to know to comply with HIPAA privacy and security rules. Download a free copy of the full white paper.
Sign up for HCPro, Inc.'s July 29 audio conference, Business Associates and Covered Entities: Adapt Contracts to Comply With New HIPAA Law.
Insurance company recommendations can actually carry equal weight to mandates from entities such as The Joint Commission or local fire departments.
In some ways, insurance companies act as authorities having jurisdiction, meaning they can enforce codes and regulations, says Mike Widdekind, a property healthcare practice leader at Zurich North American, a carrier in Schaumburg, IL.
For example, insurance representatives often look over architectural blueprints and shop drawings for fire protection systems, much like a local building inspector would.
It is common for insurance carriers to monitor the following life safety aspects in healthcare facilities, as described by Widdekind:
Fire protection system performance
Preventive maintenance activities
Life safety assessments conducted as part of The Joint Commission's Statement of Conditions
Plans for improvement filed as part of the Statement of Conditions
Many insurance inspectors will go through the individual elements of performance noted by The Joint Commission under EC.02.03.05, which covers fire protection equipment testing and maintenance, Widdekind says. Complying with Joint Commission standards can be a step in the right direction with insurance carriers too.
Insurance firms may also try to gauge whether a hospital considers the carrier a partner in fire protection or just a source of risk coverage, says Scott Henderson, PE, CFPS, Northeast region engineering manager for Fireman's Fund Insurance Companies based in Novato, CA.
Facilities simply looking to cover potential fire losses are taking the wrong approach, Henderson says. By comparison, one hospital he works with won't proceed with any major construction or fire alarm work without first contacting him, which Henderson says is a positive mindset.
One area that insurance representatives expect hospitals to stay on top of is smoke barrier protection. Joint Commission surveyors frequently check for unsealed penetrations in barriers—particularly above suspended ceilings—and insurance representatives are also on the lookout for such problems.
"If we see a lot of [penetration] issues . . . we'll go down to facilities management and find out if there's a gap in the preventive maintenance program," says Widdekind.
He recommends that hospitals establish and enforce an above-ceiling permit program if they have histories of penetration problems, he says. Such programs allow facility managers to more accurately monitor barrier penetrations and catch any unsealed holes before the employee or contractor leaves the worksite.
The White House is circulating draft legislation spelling out President Barack Obama's proposal that Congress surrender much of its authority over payment rates for Medicare to a new executive agency. The proposed five-member Independent Medicare Advisory Council would be charged with making two annual reports dictating updated rates for Medicare providers including physicians, hospitals, skilled nursing facilities, home health, and durable medical equipment.
The House healthcare reform bill introduced this week includes a public option, and it would pay hospitals and physicians at rates 5% higher than Medicare. Rates for hospitals and others would be the same as Medicare under the bill. The public plan would have premiums on average around 10% lower than private plans because of factors including the lower rates it would pay to doctors and hospitals, according to the Congressional Budget Office.
"Retailish" is the word Red Gillen, senior analyst at Celent, a New York–based consulting firm, uses to describe the change that is occurring in physician practices' attitude toward self-pay collections.
"There are some major shifts in the healthcare marketplace that are the drivers behind the need to become more, as we call it, retailish," Gillen says. "Part of that shift is happening because healthcare costs are being gradually shifted away from being paid by insurers to being paid by consumers."
The most important step in adopting a retail approach to self-pay collections is to set accurate expectations for patients. "What providers need to do is move the payment collection earlier in the process," Gillen says.
There are three options that practices can put in place to set patient expectations:
1. Supply a highly accurate estimate, then discount it. Some practices have begun using software that calculates a close estimate for patients based on historical claims data, Gillen says. Some practices have staff members inform patients of this estimate during their visit and tell them they will receive a small discount for paying up front, he explains.
"Depending on their ability to glean data from payers regarding eligibility and benefit coverage verification, providers are trying to estimate patients' financial responsibility," Gillen writes. "Whereas relatively advanced providers offer cost estimates at the point of patient registration, cutting-edge providers will provide estimates to the patient prior to an office visit."
Estimates can sometimes be made without using software programs, adds Penny Noyes, president and CEO of Health Business Navigators in Bowling Green, KY. "Practices have to get in touch with the payer and say they have patients coming in for this [who] want to know if they've met their deductible and what their insurance will cover," she says. "Sometimes, the payer will give a practice the approximate amount due, but usually the practice has to calculate it."
Gillen says he doesn't think this solution will work well in the long term. "The problem with discounts is you're starting to set expectations that you'll always get a discount," he says. "It can get really complicated to maintain and rationalize after a while."
2. Employ right-time adjudication. Gillen compares right-time adjudication to a common payment policy used at hotels: The front desk holds guests' credit card information for a time past their checkout date in case they incur any delayed charges, such as room service or any damages. This is a practice physicians can use also—charging patients for their estimated costs and keeping their payment information in case it winds up costing more than expected, with a promise not to charge over a certain amount without consent.
"In that it leverages account card on file processes, 'right time' adjudication is not at all a new concept," Gillen writes. "For many years, providers have asked their patients to preauthorize the use of a selected payment method (e.g., a credit card) for future, post-claim adjudication payments. Newer, 'right time' adjudication functionalities only serve to automate an existing process."
3. Employ real-time adjudication. Real-time adjudication is the most high-tech option and the most difficult to use today, Gillen says. In theory, a physician practice would tabulate the claim, send it electronically to the patient's insurance company, and receive the deductible amount back electronically—all while the patient is getting dressed into his or her street clothes.
"Although these solutions are offered to healthcare providers today and they work, the issue is many of the insurance companies don't have the real-time claims systems to support an incoming message," Gillen says. "They can take the message, but they can't process it in real time."
But it's not just the insurance companies that are slowing real-time adjudication down, he says. Most healthcare providers can't submit a claim quickly because many practices still rely on paper records.
Although there are several options for physician practices to take a step in the retail environment, Gillen notes that the healthcare industry is not quite there yet.
"It's starting to feel like a retail environment," he says. "I won't go as far as saying there is a retail environment, because you do have the third party in there—the insurance company—paying for a part of it. It's not completely retail, but it's retailish."
This article was adapted from one that originally ran in the July 2009 issue of The Doctor's Office, a HealthLeaders Media publication.
