2018 Audit Update: What Can We Expect . page 6 - SPRING 2018 OPGA Member Magazine
SPRING 2018
OPGA Member Magazine

2018 Audit Update: What Can We Expect?
Cybercrime: Small Business Owners Beware
Tips for Creating a Secure Culture
Managing HIPAA Compliance and Risk in 2018
NEWS from the President

A Battle Won, but the War Continues

In early February, Congress passed and the president signed a continuing resolution bill that included recognition of the prosthetist’s and orthotist’s clinical notes as part of the Medicare patient’s record for purposes of determining the medical necessity of O&P care. This is a battle that we have been fighting for several years now and is a HUGE win for the O&P profession and the patients we serve. However, the war continues, and we all must remain diligent and dedicated not to “save” the profession, but to ADVANCE THE PROFESSION!

Key sections of the Medicare O&P Improvement Act need continued advocacy efforts around them. Specifically, Section 7, which provides clarification regarding the definition of minimal self-adjustment as it relates to off-the-shelf orthotics and Section 8, which would direct CMS to finally implement BIPA 427, which links billing Medicare for custom orthotics and prosthetics with practitioner credentials.

You have OPGA’s continued commitment to advance the O&P profession and advocate for these important measures. We ask that YOU stay in the fight by remaining, or becoming, active with your representatives at both the federal and state levels. If you need help and/or resources to do this, please contact us, we are here to assist!

At your service,

Todd Eagen
President, OPGA
Table of Contents

Letter from OPGA President Todd Eagen
O&P1
PEL
Balancing the Costs and Benefits of Prosthetics (From PEL)
2018 Audit Update: What Can We Expect? (By Kelly Grahovac, The van Halem Group)
Upcoming OPGA Webinars
OPGA Attends Policy Forum in Washington
Staples
OTS Announces New "You Have a Choice" Guide
GAITRite Basic System
Off The Shelf Marketing
GAITRite
Guardian Rehabilitator™ LSO (By John Kenney, BOCO)
Breg
Cybercrime: Small Business Owners Beware (By Carol Albaugh, Secure Tech Solutions)
Secure Tech Solutions
Nymbl Systems
Martin Bionics
OPGA Woman of the Year
Össur®
FLO-TECH®
Tips for Creating a Secure Culture (By Megan Kraft, VGM Education)
VGM Education
DIA-FOOT®
Drew Shoes
Trulife
Managing HIPAA Compliance and Risk in 2018 (By VGM Insurance Services and the van Halem Group)
VGM Insurance Services
Cintas
Comfort Products
Coyote Design
VGM Market Data
KNIT-Rite
2018 Audit Update: What Can We Expect?

Kelly Grahovac, Senior Consultant, The van Halem Group

It is an interesting time in the DMEPOS industry. CMS and its contractors have indicated that they are taking a more “provider-friendly” approach to DMEPOS claims. “Provider-friendly” can most likely be equated to CMS making efforts to reduce the appeals backlog at the ALJ level, which as of June 2017 was 607,402 pending appeals and a current estimated wait time of three years for an appeal to be processed by an Administrative Law Judge. DMEPOS claims account for 51% of all pending hearings, which means intervention is imperative.

CMS’ new approach has included less burdensome documentation requirements and, most recently, changes in legislation that positively impact the O&P world. In February 2018, legislation was passed that allows orthotist and prosthetist notes to be considered part of the medical record to establish medical necessity. This was a huge win, as practitioners have struggled with physicians to appropriately document for these items.

Another indication that CMS and its contractors are adopting the “provider-friendly” approach is in the slow-moving audit activity of the national DMEPOS, home health, and hospice recovery audit contractor, Performant Recovery. Performant was awarded the national recovery audit contract in late 2016 but has audited less than 9,000 claims as of September 2017. This is a drastically low volume of audits in comparison to the first round of RAC audits of years past. DME provided while the beneficiary was in an inpatient stay still remains at the top of their audit list, but they did identify both spinal and ankle-foot/knee-ankle-foot orthoses as CMS approved issues to be audited for complex review. What’s missing on their audit list are lower limb prostheses, which had a huge negative impact on many practices during the first round, and many of those claims are still pending at ALJ. The RAC can go back three years from the claims paid date, and while they do have the authority, they are currently not including extrapolated overpayments as part of their audit program.

While I cannot say for sure that the RAC has taken a slow approach to their audit plan to assist in keeping the appeals backlog down, it certainly seems to be the case. The real question is, how long will this respite last? CMS will eventually look to Performant to provide a return on their investment. And to provide that return, audit activity will need to increase. Given they have already been granted approval to review spinal and AFO/KAFO orthoses, you can expect that this is where they will start.

While the RAC may be quietly treading water, the ZPICs and soon to be UPICs are making a huge splash when it comes to O&P audits. These contractors, responsible for identifying and preventing fraud, waste, and abuse, have been increasingly active, identifying large extrapolated overpayments, implementing payment suspensions, and enacting 100% prepayment reviews. In some instances, these actions are taken against entities for issues that, in the past, would have experienced a very different outcome.

These contractors are turning up the heat on orthotics. In particular, back, knee, ankle, shoulder, and wrist orthoses are under heavy scrutiny. It may be that the increase in mail order orthotics and use of telemedicine visits have resulted in this surge of orthotic audits. However, mail order suppliers are not the only ones impacted. In fact, many of these audits are triggered by HCPCS codes, which means if you provide these items to your patients in person, you may be susceptible to an audit.

And if extrapolated overpayments, payment suspensions, and prepayment audits are not enough, these contractors have also begun including language in their correspondence that gives them authority to revoke billing privileges if they determine that “the provider or supplier has a pattern or practice of submitting claims that fail to meet Medicare requirements.” This pattern or practice can be established in failed rounds of audits. This includes claims denying for medical necessity, but also for technical issues such as invalid proof of delivery or incomplete detailed written order. Crossing T’s and dotting I’s is more important than ever before.

The OIG has not left O&P completely off its list for 2018 either. In fact, in January of this year, the OIG announced that it would examine factors associated with questionable billing for the three orthotic devices (L0648, L0650, and L1833) and describe the billing trends for these devices from 2014-2016. Specifically, the plan is to evaluate the extent to which Medicare beneficiaries are being supplied these orthotic devices without an encounter with the referring physician within 12 months prior to their orthotic claim and will analyze billing trends on a nationwide scale. This seems to validate my hypothesis that the increase in mail order orthotics and telemedicine visits is not popular with CMS and further emphasizes the need for good supporting documentation and an even larger emphasis on the care originating with the patient’s primary care physician.
Audit activity is also increasing from Medicare HMOs, state Medicaid plans, and private payers. It is essential that providers pay attention to payer policies and effective dates for these policies to ensure they are obtaining appropriate documentation for the orthotics and prosthetics provided. Many of these plans have prior authorizations for most equipment; however, in situations that prior authorization does not apply, it is imperative that providers implement documentation principles.

The “provider-friendly” approach that CMS has adopted may have extended to the RAC and even the DME MACs, but the UPICs are on a very different mission. Combined with the new auditing efforts of non-FFS Medicare payers, having good documentation from both the patient’s physician as well as from you, the practitioner, help to ensure medical necessity is established and claims are paid.

If you fall under audit scrutiny or want to be sure you are better prepared in the face of an audit, we can help! The van Halem Group provides audit assistance, clinical reviews of your files, and education to ensure that your practice is compliant with payer policies and billing requirements. Don’t wait until you are under the audit microscope to get help. Our proactive services will help identify any issues and form corrective actions so that you can rest easy knowing you are running efficiently and compliantly. For more information visit www.vanhalemgroup.com.
OPGA Attends Policy Forum in Washington

Orthotics and prosthetics practitioners gathered in Washington, D.C., at the beginning of March for the 2018 Policy Forum to meet with their elected officials on Capitol Hill. This is OPGA’s 11th consecutive year attending the forum to represent and advocate for access to quality patient care and choice as well as preserve veteran’s access to where they receive their care.

OPGA met with more than a dozen congressional offices to discuss O&P legislative priorities to encourage enforcement of quality standards in the Medicare O&P Improvement Act among other provisions, which must be enacted. Earlier this year, sections of the Medicare O&P Improvement Act were included into the Medicare Part B Improvement Act, which was included in a continuing resolution signed by President Trump in February.

The group also discussed the Injured and Amputee Veteran’s Bill of Rights bill, which would ensure that veterans have the ability to choose the practitioner that best meets their needs and receive timely care. This bill is especially important as a proposal by the Department of Veteran’s Affairs, which would give the department the authority to determine where the veteran would receive care.

OPGA and VGM’s Government Relations team will continue to advocate for independent practitioners to ensure that they have the tools necessary to provide the highest quality of care to the patients they serve.

(From left to right) VGM’s Collin Brecher, Tom Powers, and OPGA President Todd Eagen meet with Sen. Joni Ernst (R-Iowa).

Josie Villanueva (third from left), legislative assistant to Sen. Tammy Duckworth (D-Ill.), meets with (from left) Collin Brecher from VGM, OPGA President Todd Eagen, two Alabama O&P students, Glenn Crumpton from the Alabama Artificial Limb & Orthopedic Service, and VGM’s Tom Powers.
Have You Seen Our Newest Edition?

Mary Avenanti, VGM Off-the-Shelf Marketing

I would like to take this opportunity to make you aware of the newest edition of our guide to orthotic and prosthetic solutions, “You Have a Choice.” Since its inception seven years ago, it has become one of the most highly effective patient education resources available to our members. More than 120,000 of the guides have been used by members to build awareness with both consumers and referral sources about the innovative products and services available.

“You Have a Choice” is a professional representation of what your practice offers your community–not from a product standpoint, but from a “Quality of Care” perspective. This comprehensive educational tool is a great way to educate your local physicians and other referral sources on the value you bring to your patients and caregivers on a daily basis. It is designed as an educational resource and a highly targeted marketing tool that can be used to strengthen your referral base.

By now you should have received a sample copy and special promotion in the mail. I encourage you to take some time to look over our newest edition, and pay close attention to new and diverse product images and the comprehensive content.

In today’s competitive O&P marketplace, this is one resource that can help you separate yourself significantly from the competition. We invite you to take advantage of the EXCLUSIVE introductory savings on this remarkable edition and GROW YOUR BUSINESS!

For more information, contact OTS Marketing, 888-875-7707, mary.avenanti@vgm.com

GAITRITE

The GAITRite® Basic System

The GAITRite® Basic system automates measuring temporal and spatial gait parameters via an electronic walkway connected to the USB port of a Windows® laptop, while collecting video of the walk from up to two cameras. The GAITRite Basic is a 12’ electronic walkway containing six sensor pads encapsulated in a rollup carpet to produce an active area 24 inches (61cm) wide and 144 inches (366cm) long. In this arrangement, the active area is a grid, 48 sensors by 288 sensors, placed on .5 inch (1.27 cm) centers, totaling 13,824 sensors. The walkway is portable, can be laid over any flat surface, requires minimal setup and test time, and requires no placement of any devices on the patient.

How does GAITRite Basic work?

As the patient ambulates across the walkway, the system captures the geometry and relative arrangement of each footfall as a function of time. The application software controls the functionality of the walkway, processes the raw data into footfall patterns, and computes the temporal and spatial parameters. The software’s relational database stores tests individually under each patient and supports a variety of reports and analyses. Testing can be done for patients with or without shoes, including those patients using assistive devices and ambulatory aids such as crutches, walkers, or canes. In addition, testing patients pre- and post-treatment is quickly and easily performed when utilizing this versatile and ingenious measurement tool.

Contact phone: (973) 209-0711
Contact email: sales@gaitrite.Com
Website: http://www.Gaitrite.Com
Guardian Rehabilitator™ Lumbar Sacral Orthosis (LSO)

By John Kenney, BOCO

In a recent blinded, randomized, clinical trial for the evaluation of lumbosacral orthoses (LSOs) in the management of lower back pain, researchers (Morrisette, D., Logan, S, & McGowan, S., 2014) found a significant statistical difference between patients who received standard back care (physical therapy), standard back care (SC), and an inextensible LSO (iLSO), and standard back care and an extensible LSO. Patients who received standard back care and an inextensible LSO had 4.7 times higher odds of achieving a 50% or greater improvement in Oswestry Disability Index (ODI) scores compared to those who received standard care. The iLSO group yielded greater improvement in clinical outcomes compared to SC on the ODI, whereas the extensible LSO group did not differ from the standard care group.

The ODI is a low back pain questionnaire used by clinicians and researchers to quantify the level of disability from low back pain. Inextensible lumbar sacral orthoses are lower back braces that reduce trunk motion and increase trunk stiffness utilizing rigid anterior and posterior panels and a strapping system that increases intracavitary pressure to reduce the load on the intervertebral discs. Extensible LSOs do not generally use rigid anterior and posterior panels and do not incorporate a pulley strapping system to increase intercavitary pressure. By their design, extensible LSOs are not as effective as inextensible LSOs in increasing trunk stiffness.

The researchers surmised that the added trunk stiffness provided by the inextensible LSO added to trunk stiffness and motion limitation, reducing trunk muscle activation. The inextensible LSO is believed to reduce pain and improve function by reducing activity of the spinal muscles that are over active to produce intrinsic compensatory stiffness in the spine (Morrisette, Logan, & McGowan, 2014). The researchers concluded the LSO study by stating that the study demonstrated substantially better patient outcomes when an inextensible LSO was used in addition to standard care alone for the treatment of low back pain.

Back brace manufacturers have made significant progress over the past decade in improving inextensible LSO designs. Both comfort and brace effectiveness in providing intracavitary pressure to reduce the load on the intervertebral discs have been greatly improved. LSO pulley strapping systems, either single pull or double pull, can effectively increase inter-abdominal cavity pressure to assist in unloading the spine. The benefit of the pulley strapping system is the adjustable support depending on activity and need provided to the patient.

The Guardian Rehabilitator™ LSO is Ongoing Care Solution’s newest product offering. The Rehabilitator LSO provides excellent sagittal plane support and is indicated for the effective treatment of lower back pain. The Rehabilitator LSO is an inextensible LSO design with anterior and posterior panels. A dual pull compression system provides adjustable and consistent lower back support. The LSO is lightweight, breathable, and extremely comfortable. The LSO is available in small, medium, large, X large, and XX large sizes.

Photo: The Guardian Rehabilitator™ LSO
Cybercrime: Small Business Owners Beware

Carol Albaugh, Secure Tech Solutions

There’s nothing “small” about the small-business sector. According to the U.S. Small Business Administration, the 28 million small businesses in America account for 54% of all U.S. sales. Small businesses provide 55% of all jobs and 66% of all net new jobs since the 1970s.¹

Although your data is critical to your success, many small businesses let cybersecurity slip through the cracks. There is no shortage of negative news about business data breaches, and it isn’t just the large corporations. The data breach costs for small- and medium-sized businesses are high, too. According to a Kaspersky Lab survey, just one cybersecurity incident can cost small- and medium-sized businesses an average of $86,500.²

Small businesses often lack the budget, staff, and sophistication to assemble strong defenses, making them an easy target where the chances of thieves getting caught are much lower. Making sure your business is adequately protected can seem like an overwhelming undertaking. Here is a list of the top things small businesses can do to help you get started.

Safeguard Your Important Data

Securing IT infrastructure is often an afterthought for small businesses, but it shouldn’t be. According to Security Magazine, only 31% of small businesses take active measures to guard themselves against security breaches. Additionally, 41% of small businesses are unaware of the risks they face. This unpreparedness makes SMBs great targets for cybercriminals.³

Update and Patch Software.

Most hacks are not done using the tactics that were discovered today; they use tactics that were several months if not a year old. Many of the nationally recognized hacks such as Equifax and the city of Atlanta were likely a result of outdated software that had a patch or update available, and the IT staff did not take the time to do proper backups.

Strong Passwords and Two-factor Authentication

There are three common password mistakes putting people at risk. People frequently use the same password for several accounts, making it easy for cybercriminals to hack victims on multiple accounts. Weak passwords that are easy to crack and storing passwords insecurely put users at great risk. To keep your business safe, you and your employees should consider the following:

1. Use a unique password for each account.
2. Change passwords often, and use a mix of letters, numbers, and symbols, or better yet use a password phrase.
3. Avoid the use of personal information.
4. Use a password manager to keep them secure and only have to remember one password.
5. Use two-factor authentication.

Your Employees Are Your First Line of Defense

1. Cyber threats to your business are usually blamed on outsiders, but sometimes the threat actually originates from within. Small-business employees usually wear many hats and often perform multiple roles.
2. Ensure your employees know the potential impact a cyber incident may have on business operations, and have specific rules for email, web browsing, mobile devices, and social networks.
3. Include cybersecurity training during onboarding activities for new employees.
4. Make training useful, relevant, and responsive to real-world examples during regular intervals throughout the year.
Smart Firewall

These are often referred to as next generation firewalls. Most insurance companies will require you have this in place. One way to determine if you have a smart firewall is if it has a monthly fee associated with updating it. Smart firewalls are a great tool as they are updated several times per day and will protect you from attacks as hackers find new tactics to use.

Third Party Review

One of the best defenses is to find out where your current exposure points are. If you hire a third party to launch an attack on your network, they will find exactly what a hacker would find and allow you to reduce your vulnerabilities before a hacker can find them.

Access Control

When considering user access, organizations should take the following items into account.

• Determine the access control capability of all information systems with EPHI.
• Ensure that system activity can be traced to a specific user.
• Establish a formal policy for access control that will guide the development of procedures.

Protect Your Mobile Devices

Not only are your employees on the move, but it is a safe bet they’re bringing lots of mobile devices with them. Whether they carry smartphones or tablets, it’s inevitable that your corporate data will end up on a device that can be easily lost or stolen. Complicating matters is the fact that many mobile devices have weak security, making them an attractive target for cybercriminals. If they gain access to a device, not only is the data on that device wide open to a breach but so is all the data on that network. Mobile security is no longer an optional item for small business cybersecurity. Small businesses need to take it just as seriously as security for their servers and endpoints.

Use Encryption to Protect Your Patient Data

It may seem like overkill at first, but as soon as you start processing and storing payment or other confidential information of your customers, encryption is vital. Encryption is just as important for your business as it is for your customers. If a computer or device containing protected health information (PHI) or personally identifiable information (PII) is stolen, your company can be sued if the information is leaked or shared.

¹ Small Business Trends, SBA.gov, U.S. Small Business Administration
² Kaspersky Lab Press Releases, Kaspersky Lab Survey
³ Security Magazine, The Costs and Risks of a Security Breach for Small Businesses, July 2016
Tips for Creating a Secure Culture

By Megan Kraft, VGM Education Sales and Service Manager

The biggest mistake companies make with cybersecurity is thinking that good cyber defenses can be accomplished through technology alone. Technology and software should be a big part of the defense, but hackers are no longer hacking technology; they hack people. So, organizations need to make a serious investment in their employees if they truly want to be secure, and that means creating a secure culture. Here are three tips on how you can help create a culture of cyber security:

TIP #1
A Security Culture Should be Very Much like TSA Culture.

If you see something, say something. That is something that we see and hear over and over again when we are traveling through an airport. There are security awareness messages everywhere from the time you check in all the way through the terminal via posters and overhead speaker announcements. Those messages have been ingrained in our head to the point that right when people get to an airport, they have become security focused.

That is the culture we must create when it comes to cybersecurity in the workplace. If you see something, say something. If you get a suspicious email, report it to your IT department. Chances are you are not the only one who has received it. Keep your employees in the loop on the latest scams, phishing, and ransomware attacks that have been happening. The more your employees know, the better defense they will be. Educate, educate, and re-educate.

TIP #2
Invest in Employee Awareness Training

Most of the time, the threat actually originates from within the organization, when employees’ ignorance and/or negligence opens the door for cybercriminals. So, incorporating a cybersecurity awareness program for your employees is critical. It is the most effective way to combat poor password practices, successful phishing attempts, and other cyberthreats that put your business at risk.

Given that 91% of data breaches start with a phishing attack, if your employees are not prepared to identify and avoid these attacks, your risk of a breach or malware attack, such as ransomware, is greatly increased. In addition, many regulations and cyber insurance policies require awareness training. It’s important to train employees before you have a data breach. Don’t wait to react after the fact.

TIP #3
Remember that Management are Employees, Too!

Companies can put in extensive effort and expend valuable resources in strengthening their security culture, but they will fail if there is not a strong and consistent tone delivered from the top. It is very important for a company’s senior leadership to be an enthusiastic advocate of security goals and objectives. Management also is often a target for hackers because they have access to more company information, which means that the hacker can do more damage and the financial payoff can be much larger. So, if management doesn’t take cybersecurity seriously, there is a good chance the rest of the company will not take it seriously, which opens the door for a breach.

In conclusion, organizational cybersecurity culture depends not solely on the work of one person but instead on the contributions of all employees. By communicating security basics, having employees engage in interactive security awareness training, and executives providing a consistent pro-security tone, you can create a well-rounded cybersecurity culture in which everyone has a stake. For more information on creating a secure culture and starting a security awareness program for your company, contact VGM Education at 866-227-8171 or email www.vgmeducation@vgm.com.
Managing HIPAA Compliance and Risk in 2018

By Bill Wilson and Kelly Grahovac

Brought to you by VGM Insurance Services in conjunction with The van Halem Group.

There are a number of good reasons to get and keep your O&P business on track toward HIPAA compliance in 2018. For one, throughout 2017, the Office of Civil Rights (OCR) issued more than $19 million in fines related to HIPAA violations. Compare that to fines in 2015 totaling approximately $6 million, and it becomes clear that businesses responsible for handling patient health information (PHI) need to be more diligent than ever.

Common HIPAA Violations

Do a quick search of recent HIPAA violations, and you’ll find headlines proclaiming multi-million dollar settlements for breaches resulting in the loss of hundreds, thousands, or even millions of patient records.

Yes, it’s true that the health care industry is the number one target for cyberattacks, and you should use the technology and resources available to you in order to secure your patients’ data. However, there are four other common violations that fail to make the headlines but are potentially as devastating as experiencing a cyberattack.

1. Mishandled Medical Records

With all the talk of cyberattacks, one might think that keeping all patient records as hard copy could limit exposure. It’s important to remember how easy it is to misplace a document and how difficult it can be to pin down who has accessed it. Don’t leave medical records out in the open. Ensure that they are filed and locked away to prevent records from falling into the wrong hands.

At some point, you will have a need to dispose of some records, either because they are outdated or you’re transitioning to digital storage. Proper steps should be taken to ensure PHI is disposed of properly. Consider working with a secure document shredding company. To learn about proper disposal methods, you can visit the U.S. Department of Health and Human Services website at www.hhs.gov.

2. Social Media

Social media is thoroughly ingrained in everyday life. Many of us take pictures and post regularly as part of our default setting, not considering the content making its way onto the internet. But, when it comes to HIPAA, there are some precautions that must be taken. Never post a photo of a patient without written consent. Without proper documented consent, you’re compromising that patient’s protection. One of the best and simplest ways to prevent this is to ensure all employees are aware of the HIPAA policies in place to prevent the sharing of PHI.

3. Employees Disclosing Information

Violations aren’t limited to what gets posted on the internet, however. Employees should be mindful of where they’re discussing topics about patients and who they’re discussing it with, even around the watercooler at work. Keep these conversations with friends and family to a minimum as well to avoid sharing PHI.

This can be easier said than done in close-knit communities, but asking a medical professional about a friend can lead to a breach as well. If you find yourself in this situation, be sure to have a canned response ready that explains you cannot disclose any information about a patient.

4. Accessing Patient Information on Home Computers

Information security officers dislike this as well, referring to “Bring Your Own Device,” or BYOD. However, sometimes you have to take your work home with you. Your computer should never be left alone or without password protection when it handles PHI. Exposing it to family members or having it shared to the wrong online channels can lead to significant fines.
Steps You Can Take in 2018

It’s never a bad time to plan and re-assess your compliance and risk. Below are five steps you can take to help get you started.

1. Select or Hire a Compliance and Security Officer

Having someone on staff dedicated to ensuring compliance along with training and updating other employees can help mitigate any non-compliance risks. If the budget allows, start looking to hire or educate a compliance officer. Remember, if you don’t have someone designated to be leading compliance efforts, you’re not in compliance.

2. Develop a Risk Assessment

This is a way of identifying potential risks, vulnerabilities, availability, and integrity of PHI. This includes the information your organization creates, maintains, receives, and transmits, and having a risk assessment in place is critical to being compliant. Because entities can now be fined for not identifying potential risks, this should be the next step after identifying your compliance officer.

3. Create HIPAA Privacy and Security Policies

These lay the groundwork when developing the rest of your compliance strategy. The goal in this step is to develop a plan on how your organization will protect PHI.

The work doesn’t stop with the creation of these policies, though. Review them with staff on a regular basis and update, at minimum, on an annual basis.

4. Educate your Employees

This step may come last in this section, but it certainly is not least. When it comes to breaches, whether by a cyberattack or the common violations discussed earlier, employee education is one of the most important ways to minimize the risk to patient records. Employees should receive annual education on all the policies and procedures in place, and accurate documentation of that education should be kept in case of an audit.

5. Purchase Cyber Liability Insurance

Finally, providers should consider purchasing a Cyber Liability insurance policy as an additional layer of protection for their business. Cyber policies can cover a business’s financial liability for a data breach.

Stay the Course

It may seem like a tall order, but don’t lose sight of your HIPAA compliance goals. When it comes to protecting your patients’ data, the stakes are simply too high.

If you do need a little help working through these steps, though, The van Halem Group has more advice to offer on their blog, as well as their HIPAAwise complete compliance program. Visit them at www.vanhalemgroup.com to learn more about what they can do to help get you on the path toward compliance.

For more information about Cyber Liability insurance and managing your business’s risk, talk to the experts at VGM Insurance by calling 800-362-3363 or emailing info@vgminsurance.com. Also, be sure to check out their website www.vgminsurance.com for risk management tips and downloadable resources.
1111 W. San Marnan Dr. PO Box 1467 Waterloo, IA 50704 800-214-6742 A Division of www.opga.com VGM Group, Inc. www.pointhca.com