HIPAA Compliance and Information Technology

Posted on August 28, 2018 by ncmgm

2018 Alliance sponsor article courtesy of HitsTech

The HIPAA Security Rule, in force since April 21, 2005, established three safeguards:

  • Administrative policies and procedures designed to clearly show how the entity will comply with the act.
  • Physical measures that control access to data storage areas.
  • Technical methods securing “protected health Information” (PHI) that, when transmitted electronically over open networks, is known as ePHI.

The first two safeguards take time and effort but most healthcare providers have staff who can read the manuals, apply the guidelines and develop a compliant infrastructure.

The technical safeguard provision is entirely different!

HIPAA IT skills are not easily mastered. It requires the ability to understand the rules and regulations, envision a network (along with the ePHI flowing through it), and spot vulnerabilities. This must usually be done with a limited budget and with a minimum disruption of provider efficiency.

Deciding how to protect your information is a critical decision. The financial penalties resulting from data breaches along with the colossal costs of issuing breach notifications, providing credit monitoring services, and conducting damage mitigation makes investment in the protection of PHI extraordinarily cost-effective .

If you decide to handle HIPAA technical issues by hiring an in-house IT professional or contract with a Managed Services Provider (MSP) who specializes in healthcare, how do you make the right decision?

Most importantly, your applicant must present a plan that addresses four issues:

    1. The protection of the entire volume of PHI and ePHI you process. This includes:
      • Patient names, pictures, biometric data, addresses, contact numbers, insurance information, and any identifying numbers or data.
      • Health insurance plan beneficiary numbers.
      • Vehicle identifiers and serial numbers including license plates.
      • Device identifiers and serial numbers.
      • Web URLs and Internet protocol (IP) addresses.
    2. The ability to defend against known and anticipated threats. Failure to use current generation OS software and protection and tardiness in the implementation of published fixes and patches makes you 40 times more likely to be hacked.
    3. Compliance by other “Covered entities,” “business associates” and third-party service providers who might access your PHI. This includes items sometimes overlooked such as x-rays, physician appointment schedules, dictated notes, conversations, and information placed in patient portals.
    4. Security network components that are affordable and operationally feasible. The following diagrams identifies these components.2

 

Diagram

2Prevention Data Breaches Diagram used with permission of the HIPAA Journal 2017

There are specific HIPAA standards for servers, hosted environments, cloud utilization VPN architecture, workstations and network components. Your staff or MSP must provide evidence that the components they intend to deploy meet these specifications.

The technical defense you deploy must compensate for common human failings by using:

  • Password best practices. Passwords cannot be used by a group, must not be assigned to a position and must be changed every 90 days. Passwords must be sophisticated using letters, symbols, differing case and numbers.
  • Screen protectors that limit a third party’s ability to view a protected screen. These are commercially available.
  • Automatic controls that close a computer when it is left unattended.
  • Auditing techniques that ensure business associate networks are compliant. Remember you remain responsible for ePHI even when it leaves your network for another.
  • Restricted use of mobile devices such as flash drives that are not encrypted or are left in unprotected locations.
  • Technology that locks misplaced mobile devices.
  • Tracking that identifies attempted hacks and determines if data has been compromised.
  • An automatic restoration protocol that frequently backs up data so that if you are successfully attacked, it will disable the threat and immediately return your network to its last safe status.
  • Disposal procedures that ensure that any device to be disposed of is wiped completely before release from the protected environment.

While I hope this synopsis is helpful, I highly recommend you look at the 2017 edition of the HIPAA Journal’s “HIPAA Compliance Guide”. It provides a detailed analysis of the points made in this paper.

Armed with “Compliance Guide” expertise, explain your goals to your IT staff or MSP and leave the driving to them.

Sandra Loftin
Chief Executive Officer
HitsTech

Filed under: Legislative, News | Tagged: , , , , , , , , , | Leave a comment »

Palmetto GBA E-mail Update: Monday, September 11, 2017

Posted on September 14, 2017 by ncmgm

Email and Faxed Inquiries
CMS requires all providers to utilize the Provider Contact Center (PCC) (855-696-0705) as their point of contact with their Medicare Administrative Contractors. If you submit an unsolicited fax or email inquiry directly to a specific department or individual your inquiry will be routed to the written correspondence area within the PCC for proper logging, tracking, research and response. An escalation process is used for complex issues. Submitting inquires directly to the PCC will assure CMS compliance and allow for the most timely response.

Applies to:

  • JM Home Health and Hospice//General
  • JM Part A//General
  • JM Part B//General

Provider Contact Center (PCC) To Close For Training On September 15
The Provider Contact Center (PCC) will be closed for training on September 15, 2017, from 8 a.m. to 12 p.m. ET. The PCC will reopen at 12 p.m. ET.

Applies to:

  • JM Home Health and Hospice//General
  • JM Part A//General
  • JM Part B//General

2018 Annual Update of Healthcare Common Procedure Coding System (HCPCS) Codes for Skilled Nursing Facility (SNF) Consolidated Billing (CB) Update
CR10262 provides the 2018 annual update of HCPCS Codes for SNF Consolidated Billing (SNF CB) and explains how the updates affect edits in Medicare claims processing systems. By the first week in December 2017, new code files will be posted at http://www.cms.gov/SNFConsolidatedBilling/. Make sure your staff is aware.

Applies to:

  • JM Home Health and Hospice//General
  • JM Part A//General
  • JM Part B//General
  • Railroad Medicare (RRB)//General – Railroad Medicare

Medicare Secondary Payer Inquiry Form
As a reminder, A Medicare Secondary Payer Inquiry Form is available in the Medicare Secondary Payer forms section of our website. To ensure timely processing of your request, this form should be used for any Medicare Secondary Payer (MSP) request pertaining to Primary or Secondary payment of claims. Please share with appropriate staff.

Applies to:

  • JM Home Health and Hospice//General
  • JM Part A//General
  • JM Part B//General
  • Railroad Medicare (RRB)//General – Railroad Medicare

A/B MACs Team Up with DME MACs for External Breast Prostheses and Related Mastectomy Supplies Webinar: October 18
Local A/B MACs and the DME MACs are excited to announce two collaboration webinars coming October 18, 2017. The event will be offered twice in the same day to accommodate national attendees. This webinar will focus on Medicare’s coverage of External Breast Prostheses and related supplies following surgical intervention. The educational representatives hosting the webinar will also spend time reviewing documentation requirements (such as detailed written orders and medical records). There will be plenty of time for questions after the presentation portion of the webinar. Please plan to attend.

Applies to:

  • JM Part A//General
  • JM Part B//General

MACtoberfest Workshop Conference: Innovation Today for Success Tomorrow
Palmetto GBA, the JM A/B MAC, is presenting an informative workshop in Columbia, South Carolina that will provide information related to the most common errors identified through a variety of data analysis and tips to avoid them. This workshop is intended to keep providers apprised of Medicare guidelines as well as using technology for better results. The recommended participants are administrators, billers, nurses and other healthcare professionals that submit claims to Medicare. Topics include: Electronic Data Interchange (EDI), Medicare Updates, Appeals, Medical Affairs, Medical Review, eServices portal, and Provider Enrollment and Revalidations. This is a free event! Please plan to attend.

Applies to:

  • JM Part B//General

September 2017 Medicare Part B Updates, Changes and Reminders: September 20
Palmetto GBA will host the Medicare Administrative Contract Part B September 2017 Quarterly Updates, Changes and Reminders Webcast on September 20, 2017, at 10 am. ET. These updates, changes and reminders include any new billing regulations, hot topics that impact provider billing, and a Q & A segment for questions on covered material. Note: An NPI and PTAN are required to register. You should only enter ‘n/a’ if you do not have an NPI or PTAN. Please share with your staff, and register today.

Applies to:

  • JM Part B//General

Did you know you can view your latest electronic Comparative Billing Report (eCBR) in eServices?
Did you know you can view your latest electronic Comparative Billing Report (eCBR) in eServices? Be sure to check them out today!

Applies to:

  • JM Part B//General
  • JM Part B//Chiropractic
  • JM Part B//Physician
  • JM Part B//Primary Care

eServices makes it easy to monitor the use of your NPI!
eUtilization reports provide rendering providers and ordering and referring providers access to their personal data. Check them out today.

Applies to:

  • JM Part B//General
  • JM Part B//Physician
  • JM Part B//Primary Care

Filed under: Legislative, News | Tagged: , , , , , , , , , , , , , | Leave a comment »

Palmetto GBA E-mail Update: Thursday, November 17, 2016

Posted on November 21, 2016 by ncmgm

Medicare Secondary Payer (MSP) eServices Tab
eServices allows users to identify when a patient has coverage primary to Medicare under the Medicare Secondary Payer (MSP) tab. The HETS 270/271 system we are required to access for eligibility allows date requests up to 27 months in the past. Please share with appropriate staff.

Applies to:

  • JM Home Health and Hospice//General
  • JM Part A//General
  • JM Part B//General
  • Railroad Medicare (RRB)//General – Railroad Medicare

2017 Medicare Physician Fee Schedules Available
Palmetto GBA is pleased to announce that the 2017 Medicare Part B Physician Fee Schedules (MPFS) are now available in our Medicare Physician Fee Schedule tool. The files can also be downloaded in Excel or a CSV format. Make sure your staff is aware.

Applies to:

  • JM Part B//General

Filed under: Legislative, News | Tagged: , , , , , | Leave a comment »

Palmetto GBA E-mail Update: Tuesday, March 29, 2016

Posted on April 1, 2016 by ncmgm

Entering Beneficiary Information: eServices Eligibility Inquiry vs. Claim Submission
This article explains how to enter beneficiary information for each task: obtaining beneficiary eligibility from eServices and submitting a claim. eServices uses CMS’s HETS 270/271 system, as required by CMS, for all eligibility inquiries. To protect the privacy of beneficiary data, all fields entered, including optional fields, must match the beneficiary’s data as it is maintained by CMS’ HIPAA Eligibility Transaction System (HETS); otherwise, eligibility data will not be returned. Please share with appropriate staff.

Applies to:

  • JM Home Health and Hospice//General
  • JM Part A//General
  • JM Part B//General

eServices: Claim Status
To check on a particular claim status, please enter the HICN and other required beneficiary information, as well as the date(s) of service. Should you not know the exact date of service, you are able to enter a span or range of up to 45 days.

Applies to:

  • JM Home Health and Hospice//General
  • JM Part A//General
  • JM Part B//General
  • Railroad Medicare (RRB)//Genera l – Railroad Medicare

eServices: How Often is Patient Eligibility Updated?
The eServices application is required to use CMS’ HETS 270/271 system for all eligibility inquiries. Although eServices pulls data from HETS in real time, the data available in the HETS 270/271 system is only updated at certain times. CMS currently pulls the updated data Tuesday through Saturday during the hours of 6 p.m. and 8 p.m. This data is then uploaded into HETS during the hours of 9 p.m. to 6 a.m. As soon as updated data is available in the HETS 270/271 system, p roviders will be able to view it in eServices.

Applies to:

  • JM Home Health and Hospice//General
  • JM Part A//General
  • JM Part B//General
  • Railroad Medicare (RRB)//General – Railroad Medicare

I do not see the remittance that I am looking for, what should I do?
You will only be able to view remits for the one NPI associated with your eServices user ID. If you have additional NPIs, they will need to be registered separately. The remittance date range will default to the last 30 days. You may also select the option to search by a specific date range. The date range for remittances are listed in eServices by the remittance upload date and not the deposit date, so you may need to search a few days earlier or later in the remit list to find the specific remittance you are looking for. Only remittances for your NPI with a remittance upload date within your date range will display.

Applies to:

  • JM Home Health and Hospice//General
  • JM Part A//General
  • JM Part B//General
  • Railroad Medicare (RRB)//General – Railroad Medicare

Is the eligibility information available through eServices real time?
While eServices pulls eligibility information from CMS’s HETS 270/271 system in real time, the information available in HETS is only updated at certain times. Please read this article to learn more.

Applies to:

  • JM Home Health and Hospice//General
  • JM Part A//General
  • JM Part B//General
  • Railroad Medicare (RRB)//General – Railroad Medicare

Medicare Secondary Payer (MSP) eServices Tab
eServices allows users to identify when a patient has coverage primary to Medicare under the Medicare Sec ondary Payer (MSP) tab. The MSP tab will display active MSP data based on the dates you request if they are within the past 12 months. Please share with appropriate staff.

Applies to:

  • JM Home Health and Hospice//General
  • JM Part A//General
  • JM Part B//General
  • Railroad Medicare (RRB)//General – Railroad Medicare

What should I do if I receive a message that the eligibility system is unavailable?
We are aware that eServices users may experience intermittent performance issues when attempting to use the eligibility look-up func tion. A high volume of transactions may cause processing delays and higher than normal timeouts within CMS’ HIPAA Eligibility Transaction System (HETS), that eServices is required to access for eligibility data. This issue affects all eligibility vendors, clearinghouses, contractors and other third parties that use HETS. CMS works to resolve these issues as soon as they happen. If you receive a message that the system is unavailable, please submit your request again.

Applies to:

  • JM Home Health and Hospice//General
  • JM Part A//General
  • JM Part B//General
  • Railroad Medicare (RRB)//General – Railroad Medicare

When performing a claim status inquiry, why do I receive an error message that there is nothing found to display?
Claim status information is retrieved from CMS standard systems and is as current as the data maintained in those standard systems. You will only be able to view claim status information for the one PTAN/NPI combination associated with your eServices user ID. If you have additional PTANs or NPIs, they will need to be registered separately. Please share with appropriate staff.

Applies to:

  • JM Home Health and Hospice//General
  • JM Part A//General
  • JM Part B//General
  • Railroad Medicare (RRB)//General – Railroad Medicare

When performing an eligibility inquiry, why do I receive an error message that the beneficiary I requested cannot be found?
To protect the privacy of beneficiary data, CMS’ HIPAA Eligibility Transaction System (HETS) 270/271 system, that we are required to use for all eligibility transactions, will not return data when all fields entered do not match the beneficiary’s data as it is maintained in HETS. You may enter data into optional fields, but these fields are not required to receive a valid Medicare beneficiary eligibility benefit response. If data entered into an optional field does not match the beneficiary’s data maintained in CMS’ HETS system, eligibility data will not be returned on the eligibility response tabs. Please share with appropriate staff.

Applies to:

  • JM Home Health and Hospice//General
  • JM Part A//General
  • JM Part B//General
  • Railroad Medicare (RRB)//General – Railroad Medicare

Why am I missing eligibility information?
Palmetto GBA’s eServices uses the CMS HIPAA Eligibility Transaction System (HETS) 270/271 system, which is designed to give you general eligibility checks for claims submission. Only the information that is available through HETS will be displayed in eServices. You may not be seeing information in the eligibility tabs because you are not entering a date range on the inquiry sc reen. To make sure you see all of the information, enter a date range in the inquiry screen. Please share with appropriate staff.

Applies to:

  • JM Home Health and Hospice//General
  • JM Part A//General
  • JM Part B//General
  • Railroad Medicare (RRB)//General – Railroad Medicare

Provider Enrollment Open House: Available the First Tuesday of the Month
Palmetto GBA’s Provider Enrollment Department holds an open house at our Palmetto GBA office located at 17 Technology Circle Columbia, South Carolina 29203, the first Tuesday of each month. This open house is for any of Palmetto GBA’s Part B providers who would like to stop by and receive answers to th eir questions concerning their Medicare provider enrollment applications.

Applies to:

  • JM Part B//General

E/M Weekly Tip: Diagnosis/Management Options
The number of possible diagnoses and/or the number of management options that must be considered is based on the number and types of problems addressed during the encounter, the complexity of establishing a diagnosis and the management decisions that are made by the physician. Please share with appropriate staff.

Applies to:

  • JM Part B//General
  • Railroad Medicare (RRB)//General – Railroad Medicare

A Legible Medical Record Matters
Signatures in the medical record must be clearly visible after each entry. Remember, if you can’t read it, Palmetto GBA can’t read it!

Applies to:

  • Railroad Medicare (RRB)//General – Railroad Medicare
  • JM Part A//General
  • JM Part B//General
  • JM Home Health and Hospice//General

Filed under: Legislative, News | Tagged: , , , , , , | Leave a comment »