In a concerted effort to move healthcare payments to a system of "quality over quantity," CMS finalized policies that greatly expanded packaging for outpatient providers in the 2015 OPPS final rule (www.gpo.gov/fdsys/pkg/FR-2014-11-10/pdf/2014-26146.pdf). It also introduced complexity adjustments with comprehensive ambulatory payment classifications (C-APCs).
The ICD-10 delay forced many healthcare organizations to rethink their ICD-10 staffing and implementation plans. Baptist Health System in Birmingham, Alabama, devised a plan to prepare for the one-year delay of ICD-10 by revising its budget and relying on new graduates to fill coder positions.
Q: As part of the audit controls policy at my organization, we hired an external security vendor to collect and review logs from several critical servers. The vendor creates tickets for our IT staff when a potential incident is discovered during the daily log review. This supplements our own activity reviews of internally generated reports, and the vendor then uses them for its own review. Our internal staff never sees the reports the vendor uses for its review. Do the reports the vendor uses fall under the HIPAA requirement for retaining logs for six years? Should we compel the vendor to retain these reports?
There are many misconceptions about HIPAA throughout the healthcare industry. In particular, business associates (BA) who provide cloud services to covered entities (CE) often have the misconception that they do not need to be concerned with HIPAA if they are compliant with the Payment Card Industry Data Security Standard (PCI-DSS). BAs with this school of thought should be prepared to get their checkbooks out when the Office for Civil Rights (OCR) comes calling.
The Office for Civil Rights (OCR) announced December 8, 2014 that it fined an Alaska behavioral health service $150,000 for potential HIPAA violations. OCR entered into a resolution agreement with Anchorage Community Mental Health Services (ACMHS), a nonprofit behavioral healthcare service, per the announcement (see www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/acmhs/amchs-capsettle...).
