Archives for September 15, 2016

Kusserow on Compliance: New HIPAA risk analysis tool released

The HHS Office for Civil Rights (OCR) and Office of the National Coordinator of Health Information Technology (ONC) released a new jointly developed downloadable Security Risk Assessment (SRA) Tool to assist providers and professionals in performing HIPAA compliance risk assessments. It was designed primarily for small and medium-sized covered entities and business associates. The Tool is a self-contained, operating system (OS) independent application that is available at no cost and can be downloaded from Apple’s App Store. It guides users through each HIPAA requirement by presenting questions answerable as “yes” or “no” to indicate whether corrective action is needed for any of the 156 question items. The guidance provides assistance in:

  • Understanding the context of the question
  • Considering the potential impacts to your PHI if the requirement is not met
  • Seeing the actual safeguard language of the HIPAA Security Rule

The Tool can serve as the local repository for the information and does not send your data anywhere else. At any time during the risk assessment process, you can pause to view your current results. The results are available in printable PDF and Excel formats. For details on how to use the tool, download the SRA Tool User Guide. A paper-based version of the tool is also available:

Camella Boateng, an experienced HIPAA consultant, makes the point that “Covered Entities and Business Associates are not mandated to use this tool; however, they are required to conduct regular, organization-wide risk analyses for HIPAA compliance. Much of my work over the last year has been assisting clients in conducting system-wide HIPAA compliance reviews. Using the tool greatly assists in doing this. If you monitor the OCR website, it is clear from the many recent HIPAA enforcement actions that many organizations have not performed such analyses properly.”

Suzanne Castaldo, JD, notes, “OCR can be counted upon to include review of risk analyses of organizations during the Phase 2 HIPAA audits and that results from these reviews will result in many Business Associates being notified of having a desk audit before the end of this year. OCR plans on following up with field audits for both Covered Entities and Business Associates beginning in 2017 that will have twin objectives of learning more about HIPAA compliance in general, as well as having some of the audits finding cases that warrant becoming enforcement investigations of HIPAA violations.”

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance-related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2016 Strategic Management Services, LLC. Published with permission.

QIOs back to reviewing Two-Midnight rule claims

Beneficiary and Family Centered Care quality improvement organizations (BFCC-QIOs) are back to performing initial patient status reviews to determine whether short stays qualify for Medicare Part A payment under the Two-Midnight Rule as of September 12, 2016. In May 2016, CMS put the reviews on hold “to promote consistent application of the medical review policies” concerning short stays and to standardize the review process. BFCC-QIOs will once again review short stays in acute care inpatient hospitals, long-term care hospitals, and inpatient psychiatric facilities.

Pursuant to the Two-Midnight Rule, Medicare Part A will provide coverage for inpatient stays not passing two midnights where, at the time of admission, the admitting practitioner expected the patient to be hospitalized over the span of two midnights or where the practitioner believes that inpatient admission is medically necessary despite an expected stay shorter than two midnights. In both situations, the medical record must support that expectation. During the review hiatus, the BFCC-QIOs underwent retraining on the Two-Midnight Rule and completed re-reviews of claims that had been formally denied. They reached out to providers to discuss claims impacted by the suspension and also to educate them on the Two-Midnight policy. CMS also validated BFCC-QIO peer review activities related to the reviews.

BFCC-QIOs are still expected to follow the CMS guidance entitled, “Reviewing Short Stay Hospital Claims for Patient Status: Admissions On or After January 1, 2016.” CMS will ensure that BFCC-QIOs are complying with requirements by re-reviewing a sample of completed claim reviews on a monthly basis. The agency will also monitor provider education calls and respond to individual provider inquiries and concerns.