Author: Reliant Communications

Many clinical systems can be accessed via the internet making it convenient to work from your personal computer.  However, there is growing concern regarding HIPAA privacy and security issues with using personal computers.

Reasons for the concerns are:

1. Malware, such as viruses and ransomware, are tools bad actors use to gain access to ePHI and other sensitive information.  Security and compliance minded companies implement anti-malware software and continually update it to detect and eliminate malware. With personal computers there is no guarantee this defense is in place and kept current.
2. Computer devices require an operating system (OS) to manage the various functionalities of the computer.  Windows 10 is an example of an OS.  Bad actors are continually looking for vulnerabilities within the various versions of these systems to attack and access them for ill-gotten gain.  Vendors provide routine updates as vulnerabilities are discovered to remove them and prevent bad actors from accessing.  This requires a vigilant process of routinely updating the OS to eliminate vulnerabilities.  This process is not guaranteed or consistent with personal computers.
3. Encryption of devices is a security feature by which information is encoded such that only authorized individuals can access.  Encryption is a HIPAA-endorsed safe harbor, meaning lost or stolen devices containing ePHI that are encrypted do not constitute a breach.  Configuration of encryption is not guaranteed on personal computers.
4. Remote wipe is a security feature that allows an administrator to issue a command to delete data on a computer.  This is used as a safeguard when equipment is lost or stolen to avoid unencrypted data falling into the hands of a bad actor.  Proper configuration and/or additional software is required to provide this capability, and this is not guaranteed to be implemented on personal computers.
5. Consider, ePHI can be stored on a personal computer such as reports produced by the clinical system containing PHI.  This means individuals, such as others within the household, who have no need to view or access the ePHI have that capability.  This can result in a HIPAA reportable breach.  To heighten the risk, once an employee leaves their current employer, they are no longer authorized to access the ePHI; however, there is no capability for the employer to remove the ePHI from the employee’s personal computer to eliminate access.

Reliant employees are not allowed to use personal computers to access Reliant systems and may refer to Policy 3.14 – IT Equipment Protection & Physical Access Controls. 

While many providers are anxiously anticipating the receipt of their first additional development request (ADR) or denial under the Patient-Driven Payment Model (PDPM), other providers are gradually starting to receive requests. These requests are largely coming from managed care companies (primarily Humana) that also chose to adopt the new payment model on October 1, 2019.  While the documentation requests may look the same, the information being reviewed will differ.  Previously, the requests being received were solely focused on RUG reviews. With RUG levels no longer being the driver of payment, the reviews will shift to elements of support for qualifying hospital stays, medical necessity, and the strength of the skilled documentation supporting the services provided.

Qualifying factors for skilled services have not changed with the PDPM. It is our responsibility to document why skilled therapy is needed. Be mindful that not only does strong documentation affirm medical necessity for skilled therapy, but it also becomes part of the patient’s medical record and will be referred to for validation purposes if needed. Use of discipline specific clinical terminology and documentation of techniques, which can only be performed by a skilled clinician, are paramount to ensuring success.

 The most advantageous thing we can do to prepare for documentation review is to continue to ensure our documentation and coding is held to the highest standard.  By providing thorough documentation, a collaborative team approach, and the best care possible to all beneficiaries, we possess all the tools needed to produce the outcomes that will be necessary to succeed with these audits.

The Greek philosopher, Heraclitus, mused “the only thing that is constant is change.”  In life, change often comes in waves that may be sudden and unexpected, altering our individual existence drastically.  Changes within the post-acute care industry are often cumbersome and occur gradually, but once enacted, the ripple effect is far reaching.  Such is the case with our recent industry shift to the Patient-Driven Payment Model (PDPM) and the annual, regulatory updates of healthcare. Although change is inevitable, the consistency of our mission, vision, and values, which is patient-centered, quality care that reflects successful outcomes, do not change. With this in mind, advocacy becomes paramount to ensuring our patients’ access to quality care.

The industry entered 2020 alert and aware of the need to remain abreast of regulatory updates and to affect change through advocacy. One excellent example includes the NCCI edits that CMS announced on January 1st that precluded clinicians from providing therapeutic activities or group intervention on the same day the patient was evaluated. The immediate effect included lack of patient access to potential treatment approaches at the onset of intervention, preventing the evaluating therapist from assessing patient response in order to develop the most effective, individualized plan of care. Reliant provided education on workable solutions to ensure our patients continued to receive the most individualized and appropriate treatment approaches within this regulatory limitation.  At the same time, we encouraged every avenue of advocacy, and ultimately, the industry prevailed in repeal of these edits imposed on rehabilitation codes.

Current advocacy efforts surround proposed payment reductions impacting rehabilitation directly. Beginning January 1^st, modifiers must be present to denote outpatient therapy services furnished in whole or in part by a PTA or an OTA. This data will be utilized to reflect a payment reduction beginning in 2022. These services will be reimbursed at 85% of the physician fee schedule.  The proposed reimbursement decrease is of significant concern. Daily interventions provided by a licensed PTA or an OTA are of a skill, quality, and caliber that should continue to receive value recognition through reimbursement.  As a result, advocacy should be a priority for all!

An additional area of advocacy opportunity surrounds CMS’ proposed 8% cut to outpatient therapy service reimbursement starting in 2021.  This is in addition to the changes to reimbursement for services provided by a PTA/OTA as noted above. Many details are still needed to better understand why these rehabilitation codes were selected as a pay-for to a physician outpatient evaluation code increase.  Advocacy efforts seek transparency surrounding this selection process, the data used, and continue to point out how this reduction runs counter to CMS’ mandate for patients to have access to accurate and appropriate quality of care. 

Let’s not wait until the next round of regulations are implemented before making our voices heard. Who better to anticipate how regulations may impact our patients’ access to services than the professionals of the industry who provide patient care and have a vested interest in ensuring their outcomes are positive?  May our care for the patients and their needs embolden us to action, to become agents of change. 

Imagine how hard it would be to do your job if you could no longer login to the systems you use every day! What would you do if you couldn’t access your patients’ information? How would you properly care for your patients? That’s what happens when hackers conduct a successful ransomware attack. Data is held hostage until the ransom demand is paid.

In a recent ransomware attack impacting over 100 nursing homes, the ransom demand was $14 million in bitcoin. Very few businesses can afford that large of a ransom and the FBI does not recommend paying ransoms as it only encourages this bad behavior. In this instance, a third party IT vendor called Virtual Care Provider Inc. (VCPI) providing data storage and other IT services for the nursing homes was the target of the attack. 1In an interview with KrebsOnSecurity today, VCPI Chief Executive and Owner Karen Christianson, said the attack had affected virtually all their core offerings, including internet service and email, access to patient records, client billing and phone systems, and even VCPI’s own payroll operations that serve nearly 150 company employees.

Phishing emails are the most common mechanism for the delivery of ransomware. Clicking on a link or opening an attachment within a ransomware phishing email triggers the infection resulting in encryption of data. This is the reason it is so important for anyone using email to be cautious and heed the red flags such as below.

• Be suspicious of unsolicited or unexpected email messages from individuals asking for sensitive information like User IDs and passwords.  Contact the individual by means other than email to confirm the validity of the request.
• Never click on links or open attachments in suspicious emails. (Tip: Hovering your mouse over a link will reveal the destination of where the link would take you.  If that destination is different than what’s shown in the email, do not click it.)
• Never enter your User ID or password on a web page unless you are 100% sure the page is legitimate.
• Pay attention to the URL of a website.  Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

¹ https://blog.knowbe4.com/110-nursing-homes-cut-off-from-health-records-in-ransomware-attack?utm_source=hs_email&utm_medium=email&utm_content=79860342&_hsenc=p2ANqtz-9jWBaMNzZIKqlb8s2ojaqDpKROxTRgP_fcyCUVCI_VOBLpEOiAhl4q6y2ljzvEzYK4oBWCk1JSZXl4Yiij6pCZ_BhiVA&_hsmi=79860342

The person-centered care plan has always been the guide with which successful facilities provide quality care to their residents. Updates to the Quality Reporting Program, implementation of the Patient-Driven Payment Model (PDPM) in October, and phase three of the Requirements of Participation (RoP) scheduled for implementation November 28th, ensure the person-centered care plan will continue its prevalence in the spotlight.

Care planning involves assessing the resident’s needs, health status, personal preferences, religious and cultural beliefs and discharge destination in order provide the best possible individualized care. Trauma-informed care focuses on reducing triggers and re-traumatization. The goal of care planning is to develop a comprehensive plan that the interdisciplinary team (IDT) can then implement. Ensuring receipt of all relevant medical records is vital in determining how to best care for the individual. Additionally, the IDT members must be involved early in the process to identify areas of risk and interventions that are specific to their discipline or department and enhance quality of care for the individual. The goal is for each team member to bring those elements to the table for the IDT meeting in order to determine service provision under the PDPM and to accurately care plan person-centered, trauma-informed services for seamless implementation.

Therapists are uniquely qualified to assess the needs of the resident and identify individualized intervention strategies specific to their discipline; therefore, in most cases, therapy should highly influence the care planning process so that patients and facilities experience successful outcomes. Notification of admission, staff scheduling, and medical record availability is imperative to gathering accurate information for the MDS, baseline care plans and IDT education. Providing trauma-informed care is yet another aspect of care planning that is vital to patient success. Ensure processes are in place to promote IDT collaboration to determine the best approaches for each individual.

This month take opportunities to assess and refine these processes. Ensure all team members have influence at the IDT table as each person’s input is invaluable to identification of service provision under the PDPM and person-centered treatment strategies for the care planning process in order to safeguard positive patient outcomes and satisfaction.

Click here to access the final rule regarding the Requirements of Participation.

Did you know basic text messaging of Protected Health Information (PHI), including texting pictures of patients, is not HIPAA compliant?  People sometimes think the main reason texting is not compliant is because texts are sent without any encryption.  However, the biggest reason is we cannot guarantee or prove who will be accessing this information. 

HIPAA also mandates other technical safeguards when it comes to the electronic transmission of PHI¹.  Here are some other reasons why text messaging is not compliant:

• Access to PHI should be limited to authorized users who require the information to do their jobs.  With text messaging, we cannot guarantee who is accessing this information.

• A system should be implemented to monitor the activity of authorized users when accessing PHI.  Cell phones do not provide the capability of logging all activity, especially when it comes to inappropriate access. 

• Those with authorization to access PHI should authenticate their identities with a unique, centrally issued username and PIN.  Personal cell phones can be set without a PIN to access them, and, when utilized, PIN numbers do not indicate which user was using the phone.

• Policies and procedures should be introduced to prevent PHI from being inappropriately altered or destroyed based on regulations.  Text messages can be altered or deleted, preventing the ability for retrieval.

• Data transmitted beyond an organization´s internal firewall should be encrypted to make it unusable if it is intercepted in transit.  Simple Messaging Services (SMS) is the normal text messaging service and it transmits unencrypted, making it easy for others to gain access to this information. 

It is very important not to use text messaging to discuss any patient care, especially in providing PHI or pictures of patients. 

Reliant’s Use of E-mail and Text Messaging Policy (3.8) provides guidance to employees, contractors, volunteers, and trainees in proper use and safeguarding of electronic communications.

¹ https://www.hipaajournal.com/texting-violation-hipaa/

October 1^st ushered in the Patient-Driven Payment Model (PDPM).  Now that the transition has occurred and we are familiar with the day to day implementation, the question is: How do we measure success? Patient outcomes is the answer! It always has been and continues to be the mark by which success is measured in quality healthcare.

Success starts with interprofessional team collaborative care, which collectively includes the facility and therapy.  Therapy plans of care and facility care plans should correlate with an overarching focus on patient-centered goals and the discharge destination of choice.  Compare and contrast these plans to identify areas of improvement within the collaborative process to ensure positive patient outcomes.  A collaborative review of section GG for accurate coding and a unified approach toward identified goals is paramount.  

Other areas to closely monitor are quality measures and quality indicators for skilled nursing.  These measures impact all SNF residents.  Review reports and identify areas of strength and risk within your facility. While all measures are impacted by care in the facility, a few stand out as potential targets for CMS monitoring post PDPM:

• Needs increased help with ADLs
• Changes in mobility
• Functional progress toward goals
• New or worsened pressure ulcers
• Experienced a fall
• Discharges to the community
• Readmit to the hospital within 30 days of discharge

As we continue to strive for success, our processes of collaboration will become more finely tuned.  Sometimes small adjustments make huge differences in the end results.  As we analyze and streamline processes, a maintained focus on the patient, quality of care, and the ultimate goal of improved outcomes will achieve success. 

The healthcare industry continues to be a target for hackers because patient information is highly valuable.  On February 14, 2019, CBS This Morning reported social security numbers sell for $1, credit card numbers sell for up to $110 and full medical records sell for up to $1000 as reported by Experian.   

In an article in the HIPAA Journal on October 21, 2019, there were 1,957,168 healthcare records compromised in breaches from a total of 36 breaches over 500 records. The breakdown of the causes of the breaches are below.

• 24 – Hacking/IT incidents
•   9 – Unauthorized Access/Disclosures
•   2 – Theft
•   1 – Loss

Almost half of all the national breaches in September involved phishing attacks.  Ransomware attacks are also troublesome for the healthcare industry.  One ransomware attack in September resulted in 528,188 records reported as potentially breached in an attack on an OB-GYN provider in Jacksonville, Florida. 

Avoid phishing attacks by:

• limiting the amount of personal information you make public through sites such as LinkedIn, Facebook, etc.,
• implementing multiple layers of approval for major transactions such as requiring two people to sign off on wire transfers,
• taking part in your organization’s security awareness program,
• exercising healthy skepticism,
• verifying identity and not assuming someone is who they say they are,
• deleting emails containing PHI as soon as they are no longer necessary to retain,
• never sharing your password with anyone,
• changing your password regularly, using strong passwords, and
• before clicking any link – STOP. LOOK. THINK.

The technical requirements for Medicare Part A coverage have not changed.

Physician Certification and Recertifications

The physician must certify that the skilled care is needed on a continuing basis because of the resident’s need for skilled nursing or rehabilitative care. 

Certifications must be obtained at the time of admission or as soon thereafter as is practical. The first recertification must be on or before day 14 of the Medicare stay, and each recertification after that must be at intervals not exceeding 30 days from the last recertification. The timing of 30 days is based on the physician’s signature for the designated recertification beyond the 14th day.

If a resident is admitted (or readmitted) directly to the SNF from a qualifying hospital stay, the resident can be considered to meet the level of care requirements, up to and including the ARD for the five-day assessment, when correctly assigned to one of the designated case-mix groups. Although the case-mix groups have been updated for PDPM, this provision remains in place.

In conclusion, if questions remain as to whether your new admission or readmission qualifies for skilled care, please reference the Medicare Benefit Policy Manual, Chapter 8, section 30.2.

Technical Requirements

• The prospective resident must have Medicare Part A coverage with days available in their benefit period.
• The individual must have been an inpatient of a hospital for a medically necessary stay for at least three consecutive calendar days (midnights). Days in observation or the emergency room do not count.
• The beneficiary must be admitted to a Medicare-certified bed within 30 days of the qualifying Part A stay. The transfer and admission to the SNF can be from the beneficiary’s home, assisted living facility, or a non-skilled stay in a nursing facility. The day of discharge from the hospital is not counted in the 30 days.
• The beneficiary must require skilled care for a condition that was treated during the qualifying hospital stay, or for a condition that arose while in the SNF for treatment of a condition for which the beneficiary previously was treated in the hospital. Remember that the applicable hospital condition need not have been the principal diagnosis that precipitated the hospital admission, but any condition present during the qualifying hospital stay.

Additional factors needed to establish eligibility for skilled coverage remain in place. These include:

• Services must be ordered by the physician;
• The resident requires daily skilled services:
  • Five days or greater per week for rehabilitation services;
  • Seven days per week for nursing services; or
  • Six days per week for skilled restorative programming (with a word of caution that, when skilled services are based on a skilled restorative program, medical evidence documentation must justify the services, which generally are only a few weeks in duration);
• The daily skilled services must be provided as an inpatient in a SNF; and
• The services delivered must be reasonable and necessary for treatment of the resident’s illness or injury.