1

Introducing a New HIPAA Privacy Notice for Patients and Practices

HIPAA Notice of Privacy Practices

September 23, 2013 is the date that medical practices and other covered healthcare entities will roll out a new Notice of Privacy Practices to patients to be compliant with the HIPAA Omnibus rule enacted in March 2013.

What Does This Mean For Patients?

Patients should be aware that after September 23rd, their healthcare providers will have a new Notice of Privacy Practices (NPP) available. The new NPP should be posted in each office, on the website if one exists, and should be available as a handout for any patient requesting it.

The new notice will include:

    • Reasons that your Protected Health Information (PHI) can and cannot be disclosed to others.
    • Information for opting-out of communication related to fundraising activities, if your healthcare provider does any fundraising.
    • The ability to restrict your PHI from payer disclosure when you pay in cash instead of having the charges filed with your insurance plan.
    • Information about being contacted if there is a breach of your PHI due to unsecured records.

What Does This Mean For Practices?

    • A new Notice of Privacy Practices that is specialized to your practice must be developed.
    • The new NPP must be posted in your practice, on your website and available as a handout for any established patients who request them.
    • All new patients must be offered a copy of the new NPP and must sign an acknowledgement that they received it. (They may turn a copy of the NPP down, however.)
    • Policies that address the disclosure of information/records and notification of a breach, should one occur must be developed.
    • Old and new versions of the NPP should be on file in the practice, and patient acknowledgements should also be kept as long as the medical record is retained.

What else is required for compliance with HIPAA Omnibus?

One of our good friends, Steve Spearman at Health Security Solutions has posted great information on his site about the other requirements of the HIPAA Omnibus rule. His excellent posts help readers understand and comply with the new HIPAA guidelines in the following areas:

    • Business Associates Agreement (BAA) Update
    • Downstream Subcontractors Needing BAAs
    • New Breach Notification and Reporting Protocol
    • School Immunization Records Protocol
    • Electronic Fulfillment of PHI Request
    • Medical Record Protocols for Cash Payments

At Manage My Practice, we’ve offering a free sample Notice of Privacy Practices for your practice use. Please read the sample notice carefully, make changes specific to your practice and add your practice name. Note that language related to fundraising is NOT included, as it will not apply to most private practices. Insert fundraising language as follows if appropriate for your practice.

Fundraising Activities: We may use PHI to contact you to raise money. If  you wish to opt out these contacts, or if you wish to opt back in to these contacts, please contact our Privacy Officer.

Likewise, if your practice has a research function, insert relevant language:

Research: We may use and share your health information for certain kinds of research, however, all research projects are subject to a special approval process.

Check your state laws.

Your state law may require authorizations for certain uses and disclosures of PHI beyond those outlined in the sample notice. Be sure to amend your NPP to reflect any state-specific laws (resource hererelated to release of medical records. Remember to post your new NPP on your website and in your practice, and begin giving it to new patients September 23, 2013.

The new Notice of Privacy Practices is not required until September 23rd, but you can start using it as soon as you have yours ready.

For more on HIPAA, read my post “Three Big HIPAA Myths.”




(Photo Credit: hyku via Compfightcc)




Need a New Employee? Ask Yourself These Three Questions

Adding an employee to any business takes some serious consideration.

Help-WantedRegardless of whether you are replacing someone who left the company or you are adding an entirely new position, adding an employee is a serious commitment. At the point that you are ready to make an offer to a candidate, you have already invested labor and resources.

In healthcare, most employees (excluding Mid-level Providers and Technologists) do not generate revenue. Sometimes they are hired to accommodate increased patient volume as with the addition of a new physician, but they often are hired because it takes more administrative manpower to garner the same or less reimbursement from payers. In particular, there are more phone calls inbound and outbound, more pre-authorizations, more denials, more audits and more hoops to jump through to document, justify and confirm payment.

Before you add a position that will not generate more revenue, that is, one that is not related to more customers/patients needing more services for which they will pay, ask yourself these three questions.

#1 Is there enough for a full-time person to do?

I must admit, I have been guilty of “rounding up” a position to make it full-time. It’s not that I didn’t have enough work for a full-time position, but I let one specific part-time need bloom into one full-time person. In most workplaces, especially in in healthcare, there is always more work than can be done in one day, however, just because there is always work to do does not mean a practice can afford an additional full-time person.

#2 Will the new person come on board with the requisite skills or will they have to be trained?

There is always a push-pull between hiring someone with lots of experience (more money) and hiring someone with less experience but who can be trained in the duties needed (less money.) The more experienced person will probably hire in at more than you allocated for the position, but the less-experienced person will take time to ramp up and will not be immediately productive.

#3  Will you have to allocate workspace and outfit the new employee with a desk, chair, phone and computer?

When the decision is made to add an employee, do you list the hard and soft costs of adding an employee to the practice? Just like you construct a pro forma to consider adding a new provider or a new ancillary service, you should construct a pro forma to truly understand the cost to the practice of adding an employee. List what you spend to recruit, salary, all benefits including paid time off, anything the practice pays based on the number of employees such as unemployment, perks such as parties and gifts, bonuses,uniforms, parking, dues, memberships, licenses, continuing education (whether guaranteed or not), plus desk, chair, phone, computer and workspace.

If you don’t have the work for another FT person, if you’re not sure if you can afford an experienced person, and if your investment will be significant, it’s time to do some creative thinking about getting what your business needs without adding an additional employee.

Some Other Options for Your Workforce

Remote Employee

Get what you need by hiring someone to work from their home. Obviously only some jobs can be done remotely, but there are more possibilities than you might think. Most Practice Management and Electronic Medical Record (PM/EMR) software have built-in communications so staff can email or instant message each other instead of walking through the clinic to have a conversation. You should be using this functionality even if all your employees are onsite. Develop a Remote Employee Policy that spells out the expectations of a remote employee and clearly discusses security and privacy as it relates to the home office of a healthcare employee. Remote employees can be part-time or full-time. They can also be remote four days a week and come onsite one day a week to give another employee an opportunity to work from home one day a week.

Contract Help

Don’t want to hire an employee? How about paying someone on a contract basis? Make sure you are following the guidelines for employees vs contractors and that the contractor understands the terms of the work. Make sure you have a contract, or at least a written agreement that you’ve both signed, as well as a Business Associates Agreement, required of all healthcare contractors who have access to PHI (Protected Health Information.)

Student Help

Do you have your full-time employees doing a lot of work that could be offloaded to someone with a different skill set? Think about hiring a part-time high school or college student to scan and index records, enter pre-registration data, scan non-medical record paperwork to be stored in the cloud, correct simple claims issues, etc. Spend some time observing employees or have them write down every little job they are doing so you can assess what they may be doing that you could transition to someone else.

Volunteer Help

Most people think that volunteers are only appropriate for hospitals. Think again. There are many, many people trying to break into the healthcare field that would love to volunteer some of their time at your facility. There are also people who have retired from healthcare who would love to spend a few hours a week staying involved in their former career. I’ve written before about using retired people for greeters in the reception area, or for teaching others how to use your patient portal or the Personal Health Record (PHR) you offer your patients.

Outsourced Help

You might be surprised that companies now offer more services than you could previously get. What about phone pre-registration, nurse triage, appointment scheduling, collection calls, appointment reminders, credentialing, phone answering 24/7, medical record scanning & indexing, release of information (ROI), no-show follow-up, recall follow-up or remote scribing of the office visit.

Recruit from All 50 States

Don’t forget that you are no longer restricted to hiring from your local area. Whether you are talking about an employee, a contractor, or a company, as long as you both agree on the terms, it doesn’t matter where they are working, it only matters how well they are meeting your company’s needs.




mHealth Gives Home Health a Whole New Meaning

a picture of a mobile phone with a red cross on its screen

One of the most exciting trends in modern healthcare can be found at the intersection of two larger societal changes: the shifting demographics of an aging Baby-Boomer population, and the fast adoption of smart mobile devices and mobile application platforms. As robust, secure and intuitive mHealth applications are adopted, patients are more empowered to monitor and share their health data outside of a traditional medical office or hospital setting. As healthcare delivery system already short on providers becomes even more taxed, mHealth applications will allow the system as a whole (patients, caregivers, loved ones, and payers) to navigate health decisions in a more efficient and informed way.

This quote from the Deloitte Center for Health Solutions 2010 Survey of Health Care Consumers says it all:

“Boomers view tech-enabled health products as a way to foster control and ongoing independence for themselves, especially in light of the rise in incidence in chronic disease with aging, and their desire to reduce costs. Nearly 56% of boomers show a high willingness to use in-home health monitoring devices in tandem with care of their primary physician.”

What are the advantages of pushing home health medical data from the source to the care provider?

  • Minimum lag time between data collection and the clinician’s ability to review it.
  • Reduction in errors associated with human intervention in data entry.
  • Intuitive and simple interfaces promote active patient involvement and caregiver communication in healthcare management.
  • Secure sharing of PHI (Protected Health Information) with patient, family members, and approved internal and external stakeholders in health.

Here are just a few of the companies and products available now (or in the near future) that might change your mind about where and how health data is captured and shared. Each of these products automates the capture of health data and the transfer of the data in a usable format to an Electronic Health Record.

Near Field Communications

NFC (Near Field Communications) is a wireless technology that allows for quick transfer of data between two sensors that are fairly close (an inch or two) together. The secure transfer allows for seamless data tracking inside caregivers’ workflow. For example: medical supplies, drugs, injectables and fluids can be fitted with low cost sensors that are swiped past a patient’s sensor to indicate they will be administered to the patient, and then again past the provider’s sensor to indicate a finished procedure, capturing time of administration, dosage, and patient information without slowing down the care to enter this critical data by writing them down, typing them in, or just resolving to remember them for later entry.

Gentag makes the data sensors and applications that manufacturers can use to send data via cell phone to the hospital or physician for seamless inclusion in the electronic medical record (EMR). Monitoring of blood pressure, fever, weight management and urinalysis are just a few of the ways Gentag has improved data capture in healthcare.

iMPak Health makes a cholesterol monitor the size of a credit card that accepts a small blood sample to process for triglyceride levels. The data is uploaded wirelessly to a cell phone that transmits it to a health provider.

Smart Fabrics and Wearable Monitors

Researchers at the Universidad Carlos III de Madrid in Spain developed a fascinating concept for an “Intelligent T-Shirt” that uses sensors woven into a washable fabric to create a hospital garment that does more than preserve the patient’s modesty. The sensors in the fabric can detect and record temperature, bioelectric impulses (for ECG monitoring), as well as the patients location, current resting position, and level of physical activity.

Copenhagen Institute of Interaction Design graduate Pedro Nakazato Andrade has designed a dynamic cast called Bones that collects muscle activity data around a fracture area by using electromyographic (EMG) sensors to report the patient’s progress to physicians automatically. This could reduce the need for follow-up visits and imaging, or change the specifics of rehabilitation.

The Basis Band is a wristwatch-type accessory that monitors heart rate by directing light into the skin to image blood flow. It also uses a heat sensor for skin temperature changes, an accelerometer for recording movement and activity, and sensors for galvanic skin response. The band also gives customers access to a free, web-based health dashboard to oversee the data the device collects and transmits.

There are still some considerable hurdles to full adoption of mobile home health monitoring. Very few patients use only one medical device, so not only do monitoring devices need to work with networked EHR technologies, they have to be integrated with each other to present a comprehensive picture of health to providers and Health Information Exchanges (HIEs). Also, as patients navigate the system of generalists, specialists, and emergency care providers, the possibility of encountering multiple software and hardware platforms will require flexible, integrated solutions that can run on any device. As with any networked application of sensitive data, security and availability are major factors in a success deployment. Unless patients can count on the privacy of their data, and providers can count on the uptime of their software, healthcare systems won’t be able to realize the full benefit of mHealth installations. On top of that, more monitoring of patient health means that there will be even more data to be collected on each patient, and on the population as a whole. While more data means more opportunity for large scale research and analysis for the public benefit, it also means more data has to be secured and protected as a part of the health record, requiring even more security and storage resources. And finally, the Food and Drug Administration will have a large say in the future of mHealth application development through industry regulation. Device makers and application developers will certainly have to work within a governmental framework which will have a large say in the time-to-market of many possible products.

With all that being said, the opportunity to meet the demographic challenges of an already stressed healthcare system with mobile home health monitoring and Electronic Health Records will be one of the major themes of the future of both the heath and technology industries.




50 Places Your Rejuvenated Practice Brochure Should Be and Yes! You Still Need a Practice Brochure

Brochure rack

I admit to being a great fan of electronic media for healthcare. My fandom, however, does not mean that I believe all paper and ink informational and marketing mediums are dead.

Because most practices have some portion of their patient population depending on paper for information and may also market to that population (whether patients or referrers), my opinion is that the practice brochure remains a viable and important piece of paper. You might want to give yours an update, though, to make it more usable and meaningful to everyone.

Using your brochure for your patients – new, established and future

 

  • ABOUT – a brief sentence or two making it clear what ages, genders and types of problems your practice works with. You might also want to note if you do not see your patients in the hospital.  A Mission Statement is a waste here – the reader wants facts. A history of the practice is also a waste here – save this for your website. You don’t even really need to itemize your providers here.  Think of someone who knows nothing at all about you. Their first question is “Is this a practice I need and want?”

Your ABOUT could even be on the front of the brochure, so the patient doesn’t have to spend time reading the entire brochure if they are not a fit for your practice.  Here’s an About Example: Main Street Urology helps men and women ages 18 and older with problems such as urinary infections, kidney stones and prostate problems. We see patients in our two offices, as well as at XXX and XXX hospitals.

 

  • NEW & ESTABLISHED PATIENTS – Answer the second most common question next, which is “How do I get services?” Try to make this brochure as applicable to as many people as possible, so do not assume that the person reading the brochure has already signed on as a new patient. Consider the person that knows nothing about you and briefly describe all ways people can contact you to become a patient.
    • Your website – do people complete their registration electronically and you call them to set the appointment or do they request an appointment and you email a response? How is it done?
    • Your phone number – hopefully you are in step with the modern world and know that people don’t always think about establishing or following up on medical care during office hours. Do you have a way besides your website for patients to request appointments that are not urgent? Can they call and leave a message or do they get your answering service asking them to call back during office hours?
    • Stop by the office – largely discouraged by most offices, patients in the rural communities I’ve worked in know that stopping by the office is the quickest way to get service. Do you welcome that “interruption”?
    • Walk-in hours, work-ins, or same-day sick visits – what is appropriate for a same-day visit? When should patients go to the emergency room or call 911?

 

  • PRESCRIPTIONS – The third most-common question is about getting new prescriptions and refills. With most people hoping to get a prescription without an office visit charge (who doesn’t want to save that co-pay?), requests for prescriptions are one of the primary reasons most specialties are struggling to keep the phones answered (read my post on phones here.) If you are not going to prescribe a new medication without an office visit, put it in writing. If all refills are obtained by calling the pharmacy, say so, and state how long it typically takes to get an existing prescription refilled.  If you require a visit every 6 months for chronic illness medications, and a visit every month for chronic pain medications, say so. For practices with large numbers of chronic pain patients, spell out your terms including pain medication contracts and periodic laboratory tests.

 

  • PAYMENTS – Now is a good time to state your payment policy. What is due at time of service? What kinds of payments do you accept? Do you require a credit card on file? Do you collect deductibles and co-insurance? Surgery or procedure deposit? Fee for no-shows? Fee for forms completion? Fee for NSF checks? Do you give discounts for self-pay patients? Do you have a sliding scale for financial need patients? Do you send statements? One of my big management philosophies is: Don’t Surprise The Patient. Don’t think it indelicate to discuss money before the visit. It is a business transaction and it is only fair to let the one paying the bill know and understand your policy upfront before the service has been rendered. Read my post on developing your financial policy here.

 

  • COMMUNICATION -This is where most misunderstandings take place. How can you provide as many straightforward means of communication between the practice and the patient as efficiently and productively as possible?
    • Main practice number – should get the patient to a real person during office hours and give an alternative after hours. Malpractice companies will tell you that patients should not be able to leave a message on the main practice number as they may assume it is monitored and your practice may have liability. For routine questions, let your answering service take a message to be passed along on the next business day, or have voice mail box for the answering service to utilize.
    • Automated attendant number – some patients will prefer the automated attendant, especially if your options are published on the website or in the practice brochure and patients can call any time to leave a message.
    • Website – should have detailed information about contacting the practice during and after office hours. If you allow or encourage non-medical emails from patients, let the writer know how and when a response will come. Make clear what types of questions are appropriate in non-encrypted email and use a secure portal or encrypted email for emails with protected health information (PHI.)

More tips for your brochure

  • To be as inclusive as possible, do not use medical terminology, abbreviations or jargon and aim for a readability level of 6th grade. Use the active voice and simple, short declarative sentences, a font of 12 or more and use as few multi-syllabic words as possible. If you wonder how your brochure readability stacks up, you can paste your text here for a free analysis. Microsoft Word 2007 and newer has a function you can turn on for a readability score at the conclusion of your spelling and grammar check.
  • Use as little text in paragraphs and use as many headings and bullets as possible.
  • Don’t cram the brochure with every little detail you can think of – keep it simple with plenty of white space.
  • A map is always a good idea.
  • Your practice name, website, phone numbers and office hours should appear at least twice – maybe on the inside and the outside. Having the basics on both sides is helpful to patients who place your brochure on their refrigerator or tape it inside the kitchen cupboard for easy reference.
  • This article assumes a tri-fold brochure, but your brochure could be bigger or smaller. A tri-fold is not only easy to fold in half and stick in a pocket or a purse, it is also feasible to produce yourself.
  • A digital copy should be available on your website for patients to print out, either in the tri-fold style, or on standard 8 1/2″ x 11″.

Using your brochure as a marketing tool

Make your practice brochures do double duty by providing them to:

  1. The Welcome Wagon
  2. The Chamber of Commerce
  3. Real Estate offices
  4. Rental Agency offices
  5. Hotels
  6. Any location with a display of brochures of local events and services
  7. Libraries and Museums
  8. Hospitals
  9. Urgent Cares
  10. Campgrounds, RV sites, theme parks
  11. Sporting event locations
  12. Spas
  13. Hairdressers and nail salons
  14. Malls and shopping centers
  15. Daycares
  16. Continuing Care Communities
  17. School nurses
  18. Gyms and sports clubs
  19. Parish Nurses
  20. Churches
  21. Any place you give a talk or program
  22. Correspondence you send welcoming a new business to the area
  23. Chiropractors
  24. Complementary Care Practitioners (accupuncture, meditation, etc.)
  25. Convention Centers
  26. The Health Department
  27. Employers
  28. The State Welcome Center
  29. State Rest Stops
  30. Service Clubs (Rotary, Kiwanis, Jaycees)
  31. Medical office programs in local schools (high schools, technical schools, vocational schools, community colleges)
  32. Nursing programs
  33. Other medical offices in your building or medical park
  34. Medical employment agencies
  35. Home Health agencies
  36. The Red Cross
  37. Durable Medical Equipment and Supply Stores
  38. Dentists
  39. Community Centers
  40. Afterschool programs
  41. Pharmacists and Pharmacy Technicians
  42. Physical Therapists
  43. Massage Therapists
  44. Parks and Recreation Centers
  45. Airports
  46. Train stations
  47. Bus stations
  48. Rental car agencies
  49. Any business or individual you buy goods or services from
  50. Radio and television stations

Bonus #51: Give them to your new staff so they understand the fundamentals about your practice very quickly.

Image by S.C. Asher via Flickr

Enhanced by Zemanta



ARRA Changes Rules for HIPAA – Did You Miss These Three February Deadlines?

With so much going on in healthcare, it would not surprise me if a lot of practices missed the February 2010 deadline for three expanded HIPAA rules.  This expansion was dictated by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed by Congress in February 2009.

If you haven’t already, get started now with the new requirements.

  1. New obligations for business associates (BA) – February 17, 2010 Remember that a BA is a person or organization outside of your entity with whom you share protected health information (PHI) so they may provide services to you.  Good examples are your billing service, collection agency, attorney, consultant, computer vendors, attorneys and providers of documentation abstracting or coding services.  Under HITECH, BA have the same responsibilities for breaches as the healthcare entity does, but it is the healthcare organization’s responsibility to have an updated, signed BA agreement in place that describes this new responsibility.  Here is an excellent example of a BA agreement (first link under Publications) that you can download and tweak for your practice.
  2. New disclosure agreement provision – February 18, 2010 This is a big one! Patients now may waive their right to have you file their medical insurance, pay for your services themselves and request that their medical information NOT be disclosed to their insurance plan or any other entity.  In other words, patients may elect to become “self-insured”.  I recommend that you create a new financial class for these patients so they neither fall into the standard self-pay/financial assistance class or into their actual insurance class.  These patients, if you have any, will need to be identified according to their wishes, which could mean that they want you to file insurance for some services and not for others.  This means their record must be tagged for what records can be released and what records cannot.  There could be an argument made either way for whether or not these patients should receive self-pay discounts that you have in place for your non-insured patients.  I would be interested to know how different groups have decided to handle this.  There are sample forms for PHI disclosure accounting and for patients to request an accounting of PHI disclosures in the Manage My Practice Library under Operations.
  3. Information breach notification – February 22, 2010
    We’ve heard a lot about this one as the media (along with HHS) must now be notified if a PHI breach involves 500 people or more.  Breaches are being reported weekly as non-encrypted laptops are stolen or repurposed, and as copier hard drives (story here) go unnoticed as a security risk.  If a breach involves 500 people or less, each individual must receive written notice with details of the breach, the information disclosed, and the steps being taken by the practice or entity to avoid any future breaches, as well as explaining the rights of the patient(s) in protecting their private healthcare information.  Several of my employees have received notification letters from health plans and they have been horrified that this could happen.  Note that entities that secure health information through encryption or destruction don’t have to provide notification in the event of a breach!

Enforcement is also beefed up.
Criminal penalties will apply to covered entities that violate privacy rules AND to those organizations’ individual employees (can you track who accesses whose records when?)  Civil penalties have been increased and harmed individuals may share in the booty.  Probably most importantly, HITECH gives state attorneys general the power to enforce HIPAA rules.

Other resources:

HHS FAQ on HIPAA Privacy

AMA HIPAA Resources

Healthcare Blog Listing