The Power of Care Planning

The person-centered care plan has always been the guide with which successful facilities provide quality care to their residents. Updates to the Quality Reporting Program, implementation of the Patient-Driven Payment Model (PDPM) in October, and phase three of the Requirements of Participation (RoP) scheduled for implementation November 28th ensure the person-centered care plan will remain in the spotlight.

Care planning involves assessing the resident’s needs, health status, personal preferences, religious and cultural beliefs and discharge destination in order to provide the best possible individualized care. Trauma-informed care focuses on reducing triggers and re-traumatization. The goal of care planning is to develop a comprehensive plan that the interdisciplinary team (IDT) can then implement. Ensuring receipt of all relevant medical records is vital in determining how to best care for the individual. Additionally, the IDT members must be involved early in the process to identify areas of risk and interventions that are specific to their discipline or department and enhance quality of care for the individual. The goal is for each team member to bring those elements to the table for the IDT meeting in order to determine service provision under the PDPM and to accurately care plan person-centered, trauma-informed services for seamless implementation.

Therapists are uniquely qualified to assess the needs of the resident and identify individualized intervention strategies specific to their discipline; therefore, in most cases, therapy should highly influence the care planning process so that patients and facilities experience successful outcomes. Notification of admission, staff scheduling, and medical record availability are imperative to gathering accurate information for the MDS, baseline care plans and IDT education. Providing trauma-informed care is yet another aspect of care planning that is vital to patient success. Ensure processes are in place to promote IDT collaboration to determine the best approaches for each individual.

This month take opportunities to assess and refine these processes. Ensure all team members have influence at the IDT table as each person’s input is invaluable to identification of service provision under the PDPM and person-centered treatment strategies for the care planning process in order to safeguard positive patient outcomes and satisfaction.


Texting and Protected Health Information

Did you know basic text messaging of Protected Health Information (PHI), including texting pictures of patients, is not HIPAA compliant?  People sometimes think the main reason texting is not compliant is because texts are sent without any encryption.  However, the biggest reason is we cannot guarantee or prove who will be accessing this information. 

HIPAA also mandates other technical safeguards when it comes to the electronic transmission of PHI¹. Here are some other reasons why text messaging is not compliant:

  • Access to PHI should be limited to authorized users who require the information to do their jobs.  With text messaging, we cannot guarantee who is accessing this information.
  • A system should be implemented to monitor the activity of authorized users when accessing PHI.  Cell phones do not provide the capability of logging all activity, especially when it comes to inappropriate access. 
  • Those with authorization to access PHI should authenticate their identities with a unique, centrally issued username and PIN.  Personal cell phones can be set without a PIN to access them, and, when utilized, PIN numbers do not indicate which user was using the phone.
  • Policies and procedures should be introduced to prevent PHI from being inappropriately altered or destroyed based on regulations.  Text messages can be altered or deleted, preventing the ability for retrieval.
  • Data transmitted beyond an organization’s internal firewall should be encrypted to make it unusable if it is intercepted in transit.  Simple Messaging Services (SMS) is the normal text messaging service and it transmits unencrypted, making it easy for others to gain access to this information.

It is very important not to use text messaging to discuss any patient care, especially in providing PHI or pictures of patients. 

Reliant’s Use of E-mail and Text Messaging Policy (3.8) provides guidance to employees, contractors, volunteers, and trainees in proper use and safeguarding of electronic communications.

1 https://www.hipaajournal.com/texting-violation-hipaa/

Measurement of Success

October 1st ushered in the Patient-Driven Payment Model (PDPM).  Now that the transition has occurred and we are familiar with the day-to-day implementation, the question is: How do we measure success? Patient outcomes are the answer! They always have been and continue to be the mark by which success is measured in quality healthcare.

Success starts with interprofessional team collaborative care, which collectively includes the facility and therapy.  Therapy plans of care and facility care plans should correlate with an overarching focus on patient-centered goals and the discharge destination of choice.  Compare and contrast these plans to identify areas of improvement within the collaborative process to ensure positive patient outcomes.  A collaborative review of section GG for accurate coding and a unified approach toward identified goals is paramount.  

Other areas to closely monitor are quality measures and quality indicators for skilled nursing.  These measures impact all SNF residents.  Review reports and identify areas of strength and risk within your facility. While all measures are impacted by care in the facility, a few stand out as potential targets for CMS monitoring post PDPM:

  • Needs increased help with ADLs
  • Changes in mobility
  • Functional progress toward goals
  • New or worsened pressure ulcers
  • Experienced a fall
  • Discharges to the community
  • Readmit to the hospital within 30 days of discharge

As we continue to strive for success, our processes of collaboration will become more finely tuned.  Sometimes small adjustments make huge differences in the end results.  As we analyze and streamline processes, a maintained focus on the patient, quality of care, and the ultimate goal of improved outcomes will achieve success. 

September Breaches in the Healthcare Industry

The healthcare industry continues to be a target for hackers because patient information is highly valuable.  On February 14, 2019, CBS This Morning reported social security numbers sell for $1, credit card numbers sell for up to $110 and full medical records sell for up to $1000 as reported by Experian.   

According to an article in the HIPAA Journal on October 21, 2019, 1,957,168 healthcare records were compromised in a total of 36 breaches of more than 500 records. The breakdown of the causes of the breaches is below.

  • 24 – Hacking/IT incidents
  • 9 – Unauthorized Access/Disclosures
  • 2 – Theft
  • 1 – Loss

Almost half of all the national breaches in September involved phishing attacks.  Ransomware attacks are also troublesome for the healthcare industry.  One ransomware attack in September resulted in 528,188 records reported as potentially breached in an attack on an OB-GYN provider in Jacksonville, Florida. 

Avoid phishing attacks by:

  • limiting the amount of personal information you make public through sites such as LinkedIn, Facebook, etc.,
  • implementing multiple layers of approval for major transactions such as requiring two people to sign off on wire transfers,
  • taking part in your organization’s security awareness program,
  • exercising healthy skepticism,
  • verifying identity and not assuming someone is who they say they are,
  • deleting emails containing PHI as soon as they are no longer necessary to retain,
  • never sharing your password with anyone,
  • changing your password regularly, using strong passwords, and
  • before clicking any link – STOP. LOOK. THINK.

What Isn’t Changing Under PDPM: Skilled Care Requirements

The technical requirements for Medicare Part A coverage have not changed.

Physician Certification and Recertifications

The physician must certify that the skilled care is needed on a continuing basis because of the resident’s need for skilled nursing or rehabilitative care. 

Certifications must be obtained at the time of admission or as soon thereafter as is practical. The first recertification must be on or before day 14 of the Medicare stay, and each recertification after that must be at intervals not exceeding 30 days from the last recertification. The timing of 30 days is based on the physician’s signature for the designated recertification beyond the 14th day.

If a resident is admitted (or readmitted) directly to the SNF from a qualifying hospital stay, the resident can be considered to meet the level of care requirements, up to and including the ARD for the five-day assessment, when correctly assigned to one of the designated case-mix groups. Although the case-mix groups have been updated for PDPM, this provision remains in place.

In conclusion, if questions remain as to whether your new admission or readmission qualifies for skilled care, please reference the Medicare Benefit Policy Manual, Chapter 8, section 30.2.

Technical Requirements

  • The prospective resident must have Medicare Part A coverage with days available in their benefit period.
  • The individual must have been an inpatient of a hospital for a medically necessary stay for at least three consecutive calendar days (midnights). Days in observation or the emergency room do not count.
  • The beneficiary must be admitted to a Medicare-certified bed within 30 days of the qualifying Part A stay. The transfer and admission to the SNF can be from the beneficiary’s home, assisted living facility, or a non-skilled stay in a nursing facility. The day of discharge from the hospital is not counted in the 30 days.
  • The beneficiary must require skilled care for a condition that was treated during the qualifying hospital stay, or for a condition that arose while in the SNF for treatment of a condition for which the beneficiary previously was treated in the hospital. Remember that the applicable hospital condition need not have been the principal diagnosis that precipitated the hospital admission, but any condition present during the qualifying hospital stay.

Additional factors needed to establish eligibility for skilled coverage remain in place. These include:

  • Services must be ordered by the physician;
  • The resident requires daily skilled services:
    • Five days or greater per week for rehabilitation services;
    • Seven days per week for nursing services; or
    • Six days per week for skilled restorative programming (with a word of caution that, when skilled services are based on a skilled restorative program, medical evidence documentation must justify the services, which generally are only a few weeks in duration);
  • The daily skilled services must be provided as an inpatient in a SNF; and
  • The services delivered must be reasonable and necessary for treatment of the resident’s illness or injury.

Email and Protected Health Information

Business Email Compromise (BEC) is a type of attack on company email systems where the hacker’s goal is to gain access to an email system and search for data that can be used to commit fraud.

In the healthcare industry, fraudsters are committing BEC to steal protected health information (PHI). Why? Because PHI has many use cases, unlike credit card and account data, which is only useful until the victim cancels the credit cards and accounts. PHI such as a “Face Sheet” typically contains a treasure trove of information that can be used to commit medical services theft, Medicare/Medicaid fraud, fraudulent insurance billing, and income tax fraud, to name a few.

Healthcare companies and their employees are required by HIPAA to protect PHI. You can do your part to protect PHI from BEC by taking the following actions:

  • deleting emails containing PHI as soon as they are no longer necessary to retain,
  • never sharing your password with anyone,
  • changing your password regularly using strong passwords, and
  • before clicking any link – STOP. LOOK. THINK.

A Hard Stop and Fast Go: RUGs-IV to PDPM Transition

September is here, which means October 1st is less than 30 days away. Transitioning the patients receiving care under Medicare Part A to the PDPM September 30th to October 1st will require the planning and attention of the interdisciplinary team (IDT). Here are some IDT considerations for all Medicare A patients admitted prior to October 1st:

  • Payment for the month of September, regardless of admit date, must be transmitted using the RUGs IV classification system.
  • To receive payment for October 1st and beyond, a Transitional Interim Payment Assessment (IPA) must be completed and have an ARD set no later than October 7, 2019.
  • The facility has the normal transmission time frame of 14 days to submit the transitional IPA. Use this time and plan appropriately!
  • Remember! The patient’s care needs and plans do not change on October 1st. Only payment is changing. A therapy recertification or re-evaluation is not necessary, and the facility care plan is still active.
  • Therapy and nursing will need to complete interim Section GG scoring for the 10 Section GG items that produce the PDPM Function Score.
  • Discuss current caseload and any new admissions to identify all necessary comorbidities, clinical conditions and services, restorative nursing needs, primary reason for skilled admission, and surgical interventions during the most recent hospital stay.
  • Ensure timely communication of admissions for screening and/or completion of a holistic evaluation by therapy.
  • Plan for discharge destination and goals upon admission to allow for predictive length of stay and to identify patient specific education and resource needs.
  • Continue to coordinate care between therapy, nursing, and facility support staff to foster outstanding functional outcomes and safe transitions to the next level of care!

Your partners at Reliant Rehabilitation are here to help with the transition to the PDPM.  The Director of Rehabilitation at your facility has been provided extensive training and is equipped to facilitate therapy and collaborate with the facility through the October 1st transition.  Feel free to reach out to your Reliant partners with any questions or to help you problem solve.  Together, we can make this a smooth transition.

Return to Provider Codes and the Patient Driven Payment Model

ICD-10 Codes and PDPM Mapping

The Centers for Medicare and Medicaid Services (CMS) have identified, categorized, and mapped medical conditions through ICD-10 coding which predict payment for physical therapy, occupational therapy, speech therapy, nursing, and non-therapy ancillary needs.

Physical therapy, occupational therapy, and speech therapy will be categorized based on the primary diagnosis for the SNF stay as coded in item I0020B. This single primary diagnosis will then map to 1 of 10 PDPM clinical categories which directly impacts reimbursement.

Are “return to provider” codes allowed?

Certain codes entered in I0020B (primary reason for skilled stay) will map to “return to provider”. If a “return to provider” code is used in I0020B of the MDS, the claim will be returned for revision of the code entered in I0020B.

The “return to provider” codes include symptom codes that may be used by physical, occupational, and speech therapists as treatment diagnoses on their plans of care.

Examples include but are not limited to: M25.561 pain in right knee, M62.81 muscle weakness (generalized), R13.11 dysphagia – oral phase, R27.9 unspecified lack of coordination, R26.81 unsteadiness on feet, and R41.841 cognitive communication deficit.

Symptom codes do not represent the primary reason for the SNF stay; therefore, they are not appropriate for I0020B. However, they do support the highly specified and individualized treatment provided to the patient by therapy and must be coded by therapy as treatment diagnoses and reflected on the UB04 and other areas of the MDS. This coding ensures a full clinical picture of the patient’s clinical characteristics is provided and ensures the claim is supported in the event additional review is requested.

Ten Simple HIPAA Tips

  1. Ensure discussion of PHI (protected health information) is where you cannot be easily overheard. 
  2. ePHI should not be saved on unencrypted devices such as laptops, desktops, servers, USB drives, etc.
  3. When leaving your workstation unattended, log off or manually lock your workstation.
  4. Computer equipment should not be left unsecured such as in an unattended vehicle or hotel room.
  5. PHI should not be left on a copier or scanner unattended.
  6. Paper PHI should be disposed of properly by shredding.
  7. Keep passwords safe. Do not write down or share your password.
  8. Double check fax numbers and email addresses to ensure you have the correct information before faxing or emailing PHI.
  9. Patient photos or stories require a signed authorization prior to taking or using. Authorization forms can be obtained on the Reliant portal.  
  10. Report suspected HIPAA violations to your supervisor or the company privacy officer.  Reliant employees may contact their Privacy and Information Security Officer at privacy@reliant-rehab.com.

HIPAA Happenings: Holiday Phishing

Cyber criminals take advantage of the holidays to disguise their phishing campaigns and malware as seasonally accepted email. Requests for donations to fraudulent organizations, bogus holiday advertisements, and posing as package delivery services are common this time of year.

What to Do If You Suspect You Are a Victim of Phishing:

  • Change your password immediately.
  • Contact your IT Department.
  • For Reliant employees contact support@reliant-rehab.com or call 225-767-7670.

CMS’ FY 2020 SNF PPS Final Rule Released

Yesterday, the Centers for Medicare and Medicaid Services (CMS) issued the FY 2020 Skilled Nursing Facility (SNF) Prospective Payment System (PPS) Final Rule, which will take effect on October 1, 2019. 

This final rule updates the payment rates used under the prospective payment system (PPS) for skilled nursing facilities (SNFs) for fiscal year (FY) 2020. CMS has also made minor revisions to the regulation text to reflect the revised assessment schedule under the Patient Driven Payment Model (PDPM). Additionally, CMS revised the definition of group therapy under the SNF PPS, and implemented a subregulatory process for updating the ICD-10 code lists used under PDPM. Finally, the final rule updated requirements for the SNF Quality Reporting Program (QRP) and the SNF Value-Based Purchasing (VBP) Program.

Below are a few highlights from the final rule: 

  • The federal rates in this final rule reflect an update to the rates that CMS published in the FY 2019 SNF PPS final rule, which reflects the SNF market basket update, as adjusted by the multifactor productivity (MFP) adjustment, for FY 2020.
  • The SNF market basket percentage is 2.4 percent for FY 2020, which is an increase in payments of $851 million compared to FY 2019. This estimated increase is attributable to a 2.8 percent market basket increase factor with a 0.4 percentage point reduction for the multifactor productivity adjustment. This is a decrease from the proposed update of 2.5 percent and $887 million.
  • Effective October 1, 2019, group therapy will be defined as “a qualified rehabilitation therapist or therapy assistant treating two to six patients at the same time who are performing the same or similar activities.”
  • CMS is not finalizing its proposal to expand data collection for SNF QRP quality measures to all SNF residents, regardless of their payer. 
  • CMS is finalizing as proposed, without modification, the process for updating the ICD-10 code mappings and lists associated with PDPM. As proposed, the subregulatory process for updating the ICD-10 codes used under PDPM will take effect beginning with the updates for FY 2020.   
  • The Final Rule updates requirements for the SNF QRP, including the adoption of two Transfer of Health Information quality measures and standardized patient assessment data elements that SNFs would be required to begin reporting with respect to admissions and discharges that occur on or after October 1, 2020. 
  • CMS is finalizing its proposal to exclude baseline nursing home residents from the Discharge to Community Measure.
  • CMS is finalizing its proposal to publicly display the quality measure, Drug Regimen Review Conducted with Follow-Up for Identified Issues, under the SNF Quality Reporting Program.
  • CMS is replacing the terminology for the “5-Day Assessment” with “Initial Medicare Assessment”.

Password Hygiene

Do you have good password hygiene?  Good password hygiene helps keep your work and personal information safe. 

You have healthy password hygiene if you:

  1. Create strong passwords that are at least 8 characters in length and contain upper case, lower case, and symbols. A password of more than 8 characters is even better because more guesses will be needed by hackers to get it right. Even with frequent warnings regarding cyber security, the two most common passwords people use are “password” and “12345678”!
  2. Use a different password for every account or online profile. Should the system you are using be compromised, that password could be published for the world to see. There are almost 2.7 billion rows of data in the “Have I Been Pwned?” website of account information that has been compromised in data breaches. This is a respected site that aggregates data breaches in order to make it easy for people to find out if they have been impacted by a breach. You can check it yourself by going to https://haveibeenpwned.com.
  3. Use two-factor authentication (2FA) whenever available. This requires a second code be entered that will be provided through text, email or token in addition to your User ID and Password.
  4. Never write down your User ID or password and particularly never write it down and post it to your computer.

Maintain healthy security by maintaining healthy password hygiene.

Initiating Conversations Beyond the Facility

Ninety-five days, three months, or one quarter to go until the hard transition from RUG-IV to PDPM. However you prefer to frame it, there’s no denying the next few weeks will demonstrate a shift from theoretical planning of the facility processes to practical application. Within the current planning process Reliant has been privileged to be included in many of your conversations regarding facility education opportunities, interdepartmental communication strategies, and service delivery execution under PDPM.

The preparation and planning strategies have circulated around accurate MDS coding to ensure appropriate resource provision for the patient’s care needs while a resident in our facilities. We are actively educating all levels of nursing staff, therapy staff, administration, and admissions coordinators in expected conversation changes, but have we considered education needs beyond the facility? 

Under PDPM, facilities will be asking more detailed questions of the hospital discharge coordinators and specialists’ offices. We’ll be seeking clarification, coding specificity, and asking probing questions to ensure the patient’s assessment reflects all active comorbidities and conditions. As such, our community partners may begin to ask, “Where is this coming from?” Providing these partners with a big picture snapshot of PDPM and potential conversation changes will help to ease questions and prepare our partners for their own best practice referral strategy.

Team work and collaboration should start before a resident’s admission to the SNF and continue throughout the entire stay.  If you haven’t already, now is the time to reach out to your partners to initiate conversations regarding any process changes required for this transition.  By working together and proactively engaging our referral sources, we can identify education targets now, and avoid pitfalls in the future. 

Common HIPAA Violations Employees May Not Realize

Have you ever or do you routinely email Protected Health Information (PHI) to your personal email account so you can catch up on work outside of the facility?  With the many demands of the job to get the work done, it can be tempting.  This commonly results in a HIPAA violation as the information is not properly protected and more easily breached!  Although your intentions may be good, this is not an appropriate practice. Your company may have a policy directly relating to PHI. Reliant employees should refer to Policy 8.3 – Use of E-Mail and Text Messaging for full policy information.

The same caution applies to taking paper patient information outside of the facility.   Removing protected health information from a healthcare facility places that information at risk of exposure.  Without appropriate measures in place to safeguard this information in transport and outside of the facility, it is in violation of HIPAA Rules.  Reliant employees should refer to Policy 3.14 – IT Equipment Protection & Physical Access Controls for full policy information.

PDPM Part 9: The Role of Therapy in the Nursing and Non-Therapy Ancillary (NTA) Components

In less than 6 months, the long-awaited transition to the Patient Driven Payment Model (PDPM) will occur. By now you’ve probably participated in multiple webinars and on-site meetings regarding the shift to this new payment model. One of the most consistent themes in these trainings is the use of the interdisciplinary team to ensure accuracy with coding on the MDS. While it may be obvious why the therapy team needs to contribute information for the physical therapy, occupational therapy, and speech language pathology components of PDPM, it may be less obvious why their input is crucial to the nursing and non-therapy ancillary components.

The nursing component within PDPM employs the familiar hierarchical classification method for case mix qualification. The most significant change from RUG IV is the removal of Section G and the ADL score from the classification and the introduction of the Section GG function score. The nursing, PT and OT function scores factor in seven of the same GG late loss items. Unlike RUG IV, there is no direct correlation between the function score and the case mix index (CMI). Therefore, a lower function score does not necessarily mean a higher CMI. However, subtle changes in reimbursement for nursing services provided are reflected in PDPM, as seen in the use of restorative programming, extensive services, present condition, and physical function.

The non-therapy ancillary component consists of fifty conditions, each assigned a weighted value of 1-8. The weighted value is in direct proportion to pharmaceutical costs associated with that condition. These point values are summed to determine the comorbidity score for the patient. The higher the comorbidity score, the higher the CMI and reimbursement. Additionally, PDPM accounts for higher pharmaceutical costs early in the stay by front loading this CMI at 300% for the first 3 days of the stay. A thorough review of the medical record, full body assessments, and reconciliation of prescriptions to conditions must be completed to ensure all possible comorbidities are captured on the MDS.

The rehabilitation team plays a critical role in identification and accurate coding of clinical characteristics for the resident in relation to the nursing and NTA components. By establishing a foundation of understanding in relation to therapy’s role for each component, as well as fostering clinical skills to conduct holistic, full system evaluations, the therapy team will aid in ensuring comorbidities are accurately coded and help identify the appropriateness of restorative programming. The conversations occurring at the interdisciplinary table regarding each new resident will shift from the projected amount of therapy to review of clinical conditions and care to allow for appropriate resources for the projected needs of the resident.

PDPM is in many ways more of a prospective payment system than RUG-IV has ever been. Therefore, with the transition to PDPM, it is more important than ever for administration, nursing, MDS coordinators, and therapy to coordinate together for accurate coding on the MDS. If one piece of the interdisciplinary team is missing, important patient information may fall through the cracks.

While an interim payment assessment is always an option, capturing an accurate picture during the initial assessment ensures the full intention of the PDPM reimbursement methodology is captured for each component including the NTA’s variable per diem rate.

CMS Improvements to Recovery Audit Process

The size of the Medicare program is astronomical – the system processes over one billion claims a year. CMS uses several types of contractors to verify that Medicare Fee for Service (FFS) claims are paid based on Medicare requirements. One type of contractor is a Recovery Audit Contractor (RAC). The Medicare FFS RAC Program is one of many tools used to prevent and reduce improper payments. RACs identify and correct overpayments made on claims for health care services provided to beneficiaries, identify underpayments to providers, and provide information that allows CMS to prevent future improper payments.

However, in the past there were numerous complaints about the RAC program. Providers found the audits time-consuming, necessitating high administrative expenses, and often requiring lengthy appeals. CMS listened to what providers were telling them and made meaningful changes. That input informed their thinking as they re-examined all aspects of the RAC process. They identified areas where they could reduce provider burden and appeals, and increase program transparency, while enhancing program oversight and effectiveness.

On May 3rd, CMS Administrator Seema Verma outlined the key improvements and enhancements that were made to the program, including:

  • Better Oversight of RACs:
    • Accountable for maintaining a 95% accuracy score.
    • Maintain an overturn rate of less than 10%.
    • Contingency fee will be delayed until after the second level of appeal is exhausted.
  • Reducing Provider Burden and Appeals:
    • Must audit proportionally to the types of claims a provider submits.
    • Conduct fewer audits for providers with low claims denial rates.
    • Allow more time to submit additional documentation before needing to repay a claim.
  • Increasing Program Transparency:
    • Regularly seeking public comment on proposed RAC areas for review.
    • Required enhancements to provider portals for claim status understanding.

While the audits can become cumbersome and overwhelming at times, ensuring that the care being provided is the most appropriate for each individual patient will only continue to assist in getting the health system where it needs to be. The improvements outlined above have helped and will continue to help make patient care, not paperwork compliance, the main focus of providers.

CMS’ blog regarding recovery audit improvements:

https://www.cms.gov/blog/recovery-audits-improvements-protect-taxpayer-dollars-and-put-patients-over-paperwork

More information on the Medicare FFS Recovery Audit Program can be found at: https://www.cms.gov/Research-Statistics-Data-and-Systems/Monitoring-Programs/Medicare-FFS-Compliance-Programs/Recovery-Audit-Program/

Indictment of Anthem Breach Hackers

Do you remember hearing about the Anthem breach in 2015? Hackers infiltrated Anthem’s network and breached the personal health information of 78.8 million patients. This was one of the worst data breaches in US history, if not the worst. There is some good news being reported: the Department of Justice has indicted two China-based hackers for the Anthem hack and breach.

How did the hackers do it?

The hackers allegedly used methods including spear-phishing emails, sent to employees, with links embedded in them. After an employee clicked on the link, malware was installed to infect and compromise the system. Once inside the system, the hackers installed what is called a “backdoor,” which in this case went undetected by the infected organization. A backdoor allows hackers to come and go as they please. Although the hack was discovered in 2015, it began in 2014, with the hackers coming through the backdoor and conducting reconnaissance to identify information of interest.

What is the Lesson Learned?

Be on the lookout for “phishy” emails. Here are a few tips to assist in identifying phishing emails.

  1. Does the email invoke a sense of urgency, fear, or curiosity?
  2. Does it ask you to click a link, open an attachment, or provide your user ID/password or other sensitive information?
  3. Do you know the person that sent the message, and were you expecting it? Hackers can “spoof” messages, meaning they make a message look like it is coming from a known sender when it is not. If you know the sender but were not expecting the message, contact the sender by a means other than email to confirm.

What to do when you suspect a phishing email?

For Reliant employees who use Reliant’s email, a “Phish Alert Button” was recently implemented within the email system. This button is easily accessible within the user’s email and allows a suspicious email to be reported at the click of a button. Clicking this button alerts the Reliant support team and allows security measures to be quickly added to prevent others from clicking on similar malicious emails.

Customers who don’t have a similar “Phish Alert Button” in place should report suspicious emails to their support team through established reporting processes.

March 2019 Healthcare Data Breaches

The Health and Human Services Office for Civil Rights (OCR) is responsible for enforcing civil rights laws. Covered Entities, such as Skilled Nursing Facilities, and Business Associates must comply with HIPAA regulations, which include reporting breaches of Protected Health Information (PHI). Breaches affecting 500 or more individuals are posted by OCR on a public website. Breaches affecting fewer than 500 individuals are also required to be reported but are not posted for public viewing.

To give you an idea of the information available on the public site, using March 2019 data: there were 32 reported breaches affecting 500 or more individuals, involving 951,252 individuals. Of these 32 breaches, there were 22 Healthcare Providers, 4 Health Plans, and 6 Business Associates involved.

The types of breaches consisted of:

  • 20 – Hacking/IT Incidents
  • 8 – Unauthorized Access/Disclosure
  • 4 – Thefts

Breaches involving email and network servers accounted for 893,502 of the impacted individuals (see chart below). This is why security awareness training, good password management practices, and virus protection are so important.

For a list of the names of companies impacted and other information, visit the OCR portal at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

FY2020 Skilled Nursing Facility (SNF) PPS Proposed Rule

On Friday, April 19, 2019, CMS released the FY2020 skilled nursing facility (SNF) proposed rule for public inspection and comment.

There is estimated to be a 2.5% market basket increase for FY2020 aggregate payments, calculated from a 3.0% market basket increase and a 0.5% multifactor productivity adjustment, resulting in an $887 million annual increase.

The proposed rule includes three proposed changes related to the Patient Driven Payment Model (PDPM). First, CMS proposes changing the definition of group therapy in a SNF setting to match the definition in the IRF setting. Specifically, CMS proposes defining group therapy in the SNF Part A setting as “a qualified rehabilitation therapist or therapy assistant treating two to six patients at the same time who are performing the same or similar activities.”

Second, CMS proposes using a subregulatory process to provide non-substantive updates to ICD-10 codes used in PDPM through the PDPM website, while substantive changes will still be made through the traditional notice and rulemaking process. Non-substantive updates are those made to maintain consistency with the most recent ICD-10 code set. CMS is proposing that this take effect with the start of PDPM on October 1, 2019.

The third and final proposed change is to update the regulation text to reflect changes in the assessment schedule under PDPM which were already finalized in the FY2019 final rule. These changes are to reflect the policy taking effect under PDPM on October 1, 2019. For the initial patient assessment, the proposed regulation changes would state that “the assessment schedule must include performance of an initial patient assessment no later than the 8th day of post-hospital SNF care.” Additional proposed changes to regulation text would reflect the optional interim payment assessment.

SNF Quality Reporting Program

This rule proposes to update the SNF QRP effective October 1, 2020 to include:

  • Expansion of data collection for the SNF QRP quality measures to all skilled nursing facility residents, regardless of their payer.
  • The addition of two Transfer of Health Information quality measures.
  • Exclusion of baseline nursing home residents from the Discharge to Community Measure.
  • Public display of the quality measure, Drug Regimen Review Conducted with Follow-Up for Identified Issues.

The proposed rule also includes a request for information (RFI) on the importance, relevance, appropriateness, and applicability measures of standardized patient assessment data elements (SPADEs) for future years in the SNF QRP.

SNF Value Based Purchasing Program

The SNF VBP Program is proposing to change the name of the program’s measure to the “Skilled Nursing Facility Potentially Preventable Readmissions after Hospital Discharge” measure. The measure will retain its previous abbreviation (SNFPPR).

The proposed rule also includes an update to the public reporting requirements to ensure that CMS publishes accurate performance information for low-volume SNFs.

CMS encourages comments from stakeholders. The comment period is open until June 18, 2019.

Download the proposed rule from the Federal Register. Download the CMS fact sheet.

To learn more about Reliant’s preparedness for PDPM, visit our website today.

PDPM Part 7: Changes in the Interdisciplinary Team Conversation

From an active diagnosis of endocarditis to an aphasia comorbidity, it is evident more than ever that physical therapists, occupational therapists, and speech language pathologists need to thoroughly review full body systems during evaluation for identification of the patient’s underlying conditions and comorbidities.

Under PDPM these holistic assessments extend beyond the impaired system and will allow the clinicians to bring relevant, meaningful clinical information to the interdisciplinary table. This information will contribute directly to the identification of SLP related comorbidities and the non-therapy ancillary comorbidity score to ensure the patient’s clinical classification is accurate and representative of the potential resource use needs during their stay.

A breakdown in this interdisciplinary collaboration may lead to missed opportunities for proper reimbursement. However, with extensive therapy evaluations and interdisciplinary collaboration, these opportunities won’t slip through the cracks.

Begin exploring how team conversations will change under PDPM and identify areas to improve interdisciplinary communication. Be on the lookout for Reliant resources relevant to interdisciplinary team success.