Perfecting cybersecurity through better training and testing

Various types of training and testing of health care professionals and staff can be used by health care entities to perfect their cybersecurity programs, according to a Health Care Compliance Association (HCCA) webinar presented by Steve Snyder of Smith Moore Leatherwood, LLP.

Snyder believes that perfecting cybersecurity training and testing is made especially challenging due to the uniqueness of the cybersecurity threat. Snyder listed the primary factors making cybersecurity unique, including:

  • the people trying to penetrate are adversarial and usually off-shore;
  • cyberattacks are evolving rapidly, with attacks designed to respond to new defenses;
  • cybersecurity involves highly technical concepts, which make staff hesitant to embrace safeguards; and
  • cybersecurity is outside the core competency for most of the staff to be trained and tested.

Training

Snyder believes that cybersecurity training must take a long-term view, be about learning and reminding, have the objective of conditioning behavior, and evolve over time as circumstances and threats change.

Opportunities for training, according to Snyder, could be when new job functions are created, when introducing new procedures, or when reinforcing integral work functions. He listed the possible training scenarios and their pros and cons as:

  • External programs offered by third parties. These programs offer specialized knowledge and instruction but can be costly, rely on the competency of others, and may suffer from the lack of familiarity of the third-party with the organization.
  • Internal learning management systems (LMS). These internal systems, relying on online or classroom training, can develop custom content and make tracking compliance easy. However, they require internal expertise and can create a record of noncompliance for government investigators.
  • This method can be particularly effective for conveying best practices to staff members in a new role. However, it requires competent mentors and is not ideal for new and evolving issues that the mentor is unfamiliar with.
  • Passive measures (e-mail reminders, etc.). This method is easy, cheap, and agile enough to address emerging issues. However, it is easy for staff to ignore, and therefore it is hard to assess its effectiveness.

Training tips. Snyder’s cybersecurity training tips included the following:
  • Start with objectives (such as increasing reporting of possible cyber incidents) and work back to prevention methods.
  • Try to find objective metrics (such as the rate of reporting vs. known incidents).
  • Make it digestible by staff (we live in a sound bite society).
  • Show a tangible purpose (clicks = malware = detriment to business).
  • Use varying approaches as people learn differently.
  • Make it interesting by using gamification, simulations, scoring, ranking, competitions, etc.

Testing

Snyder believes that testing should be focused on existing knowledge and established procedures. He favors a testing program with a narrow focus and recurring elements. The goals of testing, according to Snyder, should be to ensure that cybersecurity procedures are known, understood, and effective; to guarantee compliance; and to identify gaps in policies and procedures.

Snyder listed several types of cybersecurity testing:

  • Penetration testing (looking for breach of security from the outside).
  • Vulnerability testing from the inside (looking for known bugs, unpatched software, or legacy systems that can be exploited).
  • Simulated testing (using drills and tabletop exercises).
  • Pop quizzes (discrete staff testing).
  • Final comprehensive exams.

Final takeaway

Snyder wrapped up his presentation by stressing that in training and testing for cybersecurity, an organization should: (1) be contemplative in designing its programs, (2) use a mix of internal and external resources, and (3) assess and revisit the programs often.

What compliance professionals should know about auditing physician compensation arrangements

In an environment of increasing integration and financial relationships with physicians, a rigid and technical regulatory framework, aggressive government enforcement, and disproportionate penalties and enterprise risk under the Stark Law (42 U.S.C. §1395nn), it is incumbent on health care organizations to have an audit plan and process for physician compensation arrangements to ensure such arrangements comply with Stark Law requirements. In a webinar presented by the Health Care Compliance Association (HCCA), Curtis H. Bernstein, Principal, Pinnacle Healthcare Consulting, and Joseph N. Wolfe (Hall, Render, Killian, Heath & Lyman, P.C.) provided insight into considerations for managing risks, an overview of the Stark Law and its exceptions, and tips for planning an audit and the audit process.

Managing the risk

Wolfe stressed the importance of ensuring that compensation arrangements with referring physicians are defensible. When it comes to compensation arrangements, organizations should ask, “How will the organization defend itself?” Wolfe recommended that the organization focus on the Stark Law’s technical requirements, which were updated in 2016, and the three tenets of defensibility: (1) fair market value, (2) commercial reasonableness, and (3) not taking into account the value or volume of referrals. Wolfe emphasized the need for health care providers that enter into physician arrangements to ensure that individuals involved in the process have an in-depth understanding of the Stark regulations and their exceptions.

The plan and the process

Bernstein explained that the scope of the audit depends on the size and complexity of the company, prior experience with the process under audit, recent changes in the company or company’s operations, and previously recognized deficiencies, as well as circumstances that may arise during the audit. The audit process involves several steps.

  • A list of currently executed physician contracts must be compiled.
  • Compliance personnel must interview individuals commonly involved in physician relationships. The individuals conducting the audit should understand interview processes, including strategy, documentation, approval, and selection of interviewees.
  • The interviews must be reconciled to currently executed physician contracts. Common issues arising in reconciliation include the use of space, office equipment, and other items by physicians for professional or personal use, and payment for services not provided.
  • Time sheets or other attestation forms must be reviewed for completeness and accuracy.
  • Fair market value and commercial reasonableness must be documented for each agreement. Consider:
    • Who is providing the service?
    • Why are the services required?
    • When are the services performed?
    • How are the services provided?
  • All other terms of agreement and necessary steps must be performed in executing agreements and verified.

Bernstein noted that other items to consider during the process include the compensation structure, the length of a fair market value opinion versus the length of the contract, whether the compensation was set in advance, if the agreements were executed, and whether the agreements expired.

The compliance component

While the basic elements of an effective compliance program apply to physician arrangements, Wolfe explained that as compliance applies specifically to physician arrangements, it should be compensation focused and documentation and governance should support defensibility. He recommended that organizations adopt a compensation philosophy, have a written compensation plan, establish parameters for monitoring compensation, and form a compensation committee. In addition, organizations should (1) ensure that policies align with the new Stark technical requirements; (2) establish a consistent process for obtaining third party valuation opinions; and (3) periodically audit physician compensation arrangements. Finally, organizations should continue to monitor the enforcement climate.

Revised Common Rule strengthened human-subject protections, simplified IRB oversight

In January 2017, the regulations for the ethical conduct of human research, known as the Federal Policy for the Protection of Human Subjects and referred to as the Common Rule, were updated to better protect human subjects involved in research while facilitating valuable research and reducing burden, delay, and ambiguity for investigators (82 FR 7149, January 19, 2017). In addition, the revisions modernize and simplify the current system of institutional review board (IRB) oversight. The changes to the Common Rule, which was originally adopted in 1991, become effective January 19, 2018. At a Health Care Compliance Association (HCCA) webinar, Laura Odwazny, Senior Attorney, HHS Office of the General Counsel, provided the background of, and insight into, the main changes made to the Common Rule.

The Common Rule

The Common Rule, which currently applies to 18 federal departments and agencies, outlines the basic provisions for prior approval of human subjects research by IRBs, informed consent of participants, and institutional assurances of compliance with the regulations. Some agencies have adopted regulatory protections for human subjects in addition to the Common Rule.

Organizations whose researchers receive federal funding to conduct human research must have a Federalwide Assurance (FWA), a written commitment to comply with federal regulations related to human research protections, on file with the Office for Human Research Protections (OHRP). According to Odwazny, under the current regulations, if a research institution voluntarily extends its FWA to all research regardless of the funding source, OHRP can extend its oversight to the activities of privately funded research; however, the preamble of the Final rule includes a plan to eliminate the voluntary extension of the FWA.

Major changes

Odwazny identified three major changes adopted in the Final rule: (1) single-IRB review for multi-institutional research in the U.S.; (2) extended compliance oversight jurisdiction to independent IRBs; and (3) improved informed consent, as well as allowing broad consent for unspecified future research use of already collected information and biospecimens.

The following areas were specifically addressed:

  • consent forms;
  • carve outs;
  • definitions of identifiable private information (IPI) and identifiable biospecimens;
  • concepts of broad consent;
  • limited IRB review; and
  • exemptions for secondary use research of IPI or identifiable biospecimens.

Streamlining IRB oversight

Odwazny explained that under the revised Common Rule, agencies have the authority to enforce compliance directly against IRBs not operated under the Federalwide Assurance. Under this change, compliance actions can be directed against an independent IRB responsible for regulatory noncompliance rather than against the institution working with the independent IRB. In addition, U.S. institutions engaged in cooperative research, which involves more than one institution, must rely on a single IRB approval for the portion of research conducted in the U.S. (the effective date for this provision is January 20, 2020). The single IRB must be identified by the federal department or agency supporting or conducting the research or by the lead institution subject to the acceptance of the federal department or agency supporting the research. The Final rule also provided exceptions to the mandated single IRB review, exceptions for continuing review, and changes to IRB recordkeeping requiring documentation related to these new exceptions.

How to avoid coding pitfalls for ambulatory services billing

Ambulatory services documentation presents compliance challenges as complex as those of inpatient services documentation, and providers need to be aware of them to avoid compliance risks when documenting for billing. Ellis Knight, M.D., Senior Vice President/Chief Medical Officer of the Coker Group, focused on ambulatory coding in an HCCA webinar titled “Clinical Documentation for Compliant Coding—It’s No Longer Just an Inpatient Issue.”

Clinical documentation improvement

Knight noted that coders “speak” a different language than clinicians, and therefore clinical documentation improvement (CDI) has mainly been a translational process. Specifically in relation to medical diagnoses, CDI translates what a clinician writes in the clinical note into how the coder interprets that note for billing purposes. Historically the focus has been on inpatient documentation, especially documentation to justify diagnosis-related group (DRG) assignment and the capture of major complications and comorbidities (MCCs) and complications and comorbidities (CCs). As a result, the “problem” is that reimbursement occurs with parties arriving at the same diagnosis with different billing codes.

Ambulatory documentation

Ambulatory documentation is just as complex as the inpatient documentation arena, involving thousands of codes. A major complicating factor is that the time frame and volume of patient encounters make ambulatory CDI a much different work process than inpatient CDI. Knight noted that, among the many compliance risks associated with ambulatory CDI, documentation must support: (1) medical necessity of services rendered (CPT codes); (2) specific services and level of care provided to the patient (CPT and HCPCS codes); (3) diagnoses (ICD-10); (4) severity of illness and clinical complexity (hierarchical condition categories, HCCs); and (5) quality of care rendered (HEDIS).

For medical necessity, the clinical documentation must justify the ordering of tests, performance of procedures, referrals to specialists or consultants, prescribing of medications, and other activities that payers must cover. It must document the services and level of services performed, as errors leave practitioners at risk of overbilling the carrier, which could result in treble damages under the False Claims Act. Moreover, Knight stressed that it is not enough to just document. HCCs must be documented on an annual basis and addressed, i.e., monitored, evaluated, assessed, or treated, in order to be captured. With regard to quality of care, the clinical documentation must include the provision of certain quality-of-care measures, e.g., immunizations, tobacco use, smoking cessation counseling, BMI measurement, obesity counseling, and preventive care (colonoscopy, mammography).