Author: Reliant Communications

Many clinical systems can be accessed via the internet making it convenient to work from your personal computer.  However, there is growing concern regarding HIPAA privacy and security issues with using personal computers.

Reasons for the concerns are:

1. Malware, such as viruses and ransomware, are tools bad actors use to gain access to ePHI and other sensitive information.  Security and compliance minded companies implement anti-malware software and continually update it to detect and eliminate malware. With personal computers there is no guarantee this defense is in place and kept current.
2. Computer devices require an operating system (OS) to manage the various functionalities of the computer.  Windows 10 is an example of an OS.  Bad actors are continually looking for vulnerabilities within the various versions of these systems to attack and access them for ill-gotten gain.  Vendors provide routine updates as vulnerabilities are discovered to remove them and prevent bad actors from accessing.  This requires a vigilant process of routinely updating the OS to eliminate vulnerabilities.  This process is not guaranteed or consistent with personal computers.
3. Encryption of devices is a security feature by which information is encoded such that only authorized individuals can access.  Encryption is a HIPAA-endorsed safe harbor, meaning lost or stolen devices containing ePHI that are encrypted do not constitute a breach.  Configuration of encryption is not guaranteed on personal computers.
4. Remote wipe is a security feature that allows an administrator to issue a command to delete data on a computer.  This is used as a safeguard when equipment is lost or stolen to avoid unencrypted data falling into the hands of a bad actor.  Proper configuration and/or additional software is required to provide this capability, and this is not guaranteed to be implemented on personal computers.
5. Consider, ePHI can be stored on a personal computer such as reports produced by the clinical system containing PHI.  This means individuals, such as others within the household, who have no need to view or access the ePHI have that capability.  This can result in a HIPAA reportable breach.  To heighten the risk, once an employee leaves their current employer, they are no longer authorized to access the ePHI; however, there is no capability for the employer to remove the ePHI from the employee’s personal computer to eliminate access.

Reliant employees are not allowed to use personal computers to access Reliant systems and may refer to Policy 3.14 – IT Equipment Protection & Physical Access Controls. 

While many providers are anxiously anticipating the receipt of their first additional development request (ADR) or denial under the Patient-Driven Payment Model (PDPM), other providers are gradually starting to receive requests. These requests are largely coming from managed care companies (primarily Humana) that also chose to adopt the new payment model on October 1, 2019.  While the documentation requests may look the same, the information being reviewed will differ.  Previously, the requests being received were solely focused on RUG reviews. With RUG levels no longer being the driver of payment, the reviews will shift to elements of support for qualifying hospital stays, medical necessity, and the strength of the skilled documentation supporting the services provided.

Qualifying factors for skilled services have not changed with the PDPM. It is our responsibility to document why skilled therapy is needed. Be mindful that not only does strong documentation affirm medical necessity for skilled therapy, but it also becomes part of the patient’s medical record and will be referred to for validation purposes if needed. Use of discipline specific clinical terminology and documentation of techniques, which can only be performed by a skilled clinician, are paramount to ensuring success.

 The most advantageous thing we can do to prepare for documentation review is to continue to ensure our documentation and coding is held to the highest standard.  By providing thorough documentation, a collaborative team approach, and the best care possible to all beneficiaries, we possess all the tools needed to produce the outcomes that will be necessary to succeed with these audits.

The Greek philosopher, Heraclitus, mused “the only thing that is constant is change.”  In life, change often comes in waves that may be sudden and unexpected, altering our individual existence drastically.  Changes within the post-acute care industry are often cumbersome and occur gradually, but once enacted, the ripple effect is far reaching.  Such is the case with our recent industry shift to the Patient-Driven Payment Model (PDPM) and the annual, regulatory updates of healthcare. Although change is inevitable, the consistency of our mission, vision, and values, which is patient-centered, quality care that reflects successful outcomes, do not change. With this in mind, advocacy becomes paramount to ensuring our patients’ access to quality care.

The industry entered 2020 alert and aware of the need to remain abreast of regulatory updates and to affect change through advocacy. One excellent example includes the NCCI edits that CMS announced on January 1st that precluded clinicians from providing therapeutic activities or group intervention on the same day the patient was evaluated. The immediate effect included lack of patient access to potential treatment approaches at the onset of intervention, preventing the evaluating therapist from assessing patient response in order to develop the most effective, individualized plan of care. Reliant provided education on workable solutions to ensure our patients continued to receive the most individualized and appropriate treatment approaches within this regulatory limitation.  At the same time, we encouraged every avenue of advocacy, and ultimately, the industry prevailed in repeal of these edits imposed on rehabilitation codes.

Current advocacy efforts surround proposed payment reductions impacting rehabilitation directly. Beginning January 1^st, modifiers must be present to denote outpatient therapy services furnished in whole or in part by a PTA or an OTA. This data will be utilized to reflect a payment reduction beginning in 2022. These services will be reimbursed at 85% of the physician fee schedule.  The proposed reimbursement decrease is of significant concern. Daily interventions provided by a licensed PTA or an OTA are of a skill, quality, and caliber that should continue to receive value recognition through reimbursement.  As a result, advocacy should be a priority for all!

An additional area of advocacy opportunity surrounds CMS’ proposed 8% cut to outpatient therapy service reimbursement starting in 2021.  This is in addition to the changes to reimbursement for services provided by a PTA/OTA as noted above. Many details are still needed to better understand why these rehabilitation codes were selected as a pay-for to a physician outpatient evaluation code increase.  Advocacy efforts seek transparency surrounding this selection process, the data used, and continue to point out how this reduction runs counter to CMS’ mandate for patients to have access to accurate and appropriate quality of care. 

Let’s not wait until the next round of regulations are implemented before making our voices heard. Who better to anticipate how regulations may impact our patients’ access to services than the professionals of the industry who provide patient care and have a vested interest in ensuring their outcomes are positive?  May our care for the patients and their needs embolden us to action, to become agents of change. 

Imagine how hard it would be to do your job if you could no longer login to the systems you use every day! What would you do if you couldn’t access your patients’ information? How would you properly care for your patients? That’s what happens when hackers conduct a successful ransomware attack. Data is held hostage until the ransom demand is paid.

In a recent ransomware attack impacting over 100 nursing homes, the ransom demand was $14 million in bitcoin. Very few businesses can afford that large of a ransom and the FBI does not recommend paying ransoms as it only encourages this bad behavior. In this instance, a third party IT vendor called Virtual Care Provider Inc. (VCPI) providing data storage and other IT services for the nursing homes was the target of the attack. 1In an interview with KrebsOnSecurity today, VCPI Chief Executive and Owner Karen Christianson, said the attack had affected virtually all their core offerings, including internet service and email, access to patient records, client billing and phone systems, and even VCPI’s own payroll operations that serve nearly 150 company employees.

Phishing emails are the most common mechanism for the delivery of ransomware. Clicking on a link or opening an attachment within a ransomware phishing email triggers the infection resulting in encryption of data. This is the reason it is so important for anyone using email to be cautious and heed the red flags such as below.

• Be suspicious of unsolicited or unexpected email messages from individuals asking for sensitive information like User IDs and passwords.  Contact the individual by means other than email to confirm the validity of the request.
• Never click on links or open attachments in suspicious emails. (Tip: Hovering your mouse over a link will reveal the destination of where the link would take you.  If that destination is different than what’s shown in the email, do not click it.)
• Never enter your User ID or password on a web page unless you are 100% sure the page is legitimate.
• Pay attention to the URL of a website.  Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

¹ https://blog.knowbe4.com/110-nursing-homes-cut-off-from-health-records-in-ransomware-attack?utm_source=hs_email&utm_medium=email&utm_content=79860342&_hsenc=p2ANqtz-9jWBaMNzZIKqlb8s2ojaqDpKROxTRgP_fcyCUVCI_VOBLpEOiAhl4q6y2ljzvEzYK4oBWCk1JSZXl4Yiij6pCZ_BhiVA&_hsmi=79860342