By: Shawn M. Frier, CPA, CFE, CMPE Director
The focus of protected health information (PHI) privacy has increased a great deal due to the rise in data breaches. In the last two years at least one case of PHI data breach has been noticed in almost 94% of healthcare practices. The magnitude and frequency of the breaches has increased to such an alarming rate that if this trend continues, the average annual cost to healthcare industries could reach $7 billion dollars.
PHI breaches can happen easily if you’re not aware of the risks that exist, both inside and outside of the practice. Encrypting data helps protect patient data and can help you avoid costly breaches. These breaches, while costly, are usually due to simple human error. For example, an employee might walk away briefly to fetch paperwork, mistakenly leaving a laptop with patient data open. It only takes a glance or a second to download or retrieve that data. Smartphone’s are another high concentrated area for data breaches. Unfortunately, multi-tasking is a necessity and many physicians and staff use Smartphone’s to conduct business due to their easy accessibility. But smartphones are just as easily accessible to a data breach. A report published 2012 by a South Florida Institute; found that 50% of breaches in 2011 were from laptops or mobile devices. 80% of organizations surveyed stated that they allowed employees to use their own mobile device, and had not taken steps to ensure data security for personal devices.
Determine what needs to be encrypted
Assess which technology poses the highest risk of being stolen or accessed by an unauthorized user. The most popular devices usually include phones, laptops, tablets and any portable hard or flash drive. You should put both physical and technical safeguards in place to minimize the amount of confidential data stored on encrypted devices. Steps healthcare providers can take to physically safeguard devices are:
- Keeping an inventory of personal mobile devices used by healthcare professionals to access and transmit PHI,
- Storing mobile devices in locked offices or lockers,
- Installing radio frequency identification (“RFID”) tags on mobile devices to help locate a lost or stolen mobile device and,
- Using remote shutdown tools to prevent data breaches by remotely locking mobile devices.
You can use technical safeguards such as accessing data on servers using remote access connection rather than downloading the data to a device. Other safeguards include:
- Installing and regularly updating anti-malicious software (also called malware) on mobile devices,
- Installing firewalls where appropriate,
- Applying encryption to PHI,
- Installing IT backup capabilities, such as off-site data centers and/or private clouds, to provide redundancy,
- Putting into place biometric authentication tools to verify the person using the mobile device is authorized to access the PHI and,
- Ensuring mobile devices use secure, encrypted Hypertext Transfer Protocol Secure (“HTTP”) similar to those used in banking and financial transactions.
Administrative safeguards are another reasonable approach when putting a plan together to secure data on mobile devices. For example, conducting periodic risk assessments of mobile device use, including an assessment of whether personal mobile devices are being used to exchange PHI and whether proper authentication, encryption and physical protections are in place to secure the exchange of PHI. Also establish an electronic process to ensure the PHI is not destroyed or altered by an unauthorized third party. These are just a few steps that administrators can take to help prevent or reduce data breaches within their practice.
If you have questions or concerns contact us here or give us a call at 716-847-2651.
By: Freed Maxick Healthcare: Carol Cassell, Barbara Losi, Sandra DeSimone
As part of the Affordable Care Act, the IRS has released proposed regulations, in addition to section 501 (r), that provide updated guidance to charitable hospitals on the Community Health Needs Assessment (CHNA.) Requirements under the Affordable Care Act include reporting requirements and the consequences of noncompliance. The regulations loosen the CHNA-related penalties and grant some waivers for minor infractions, among other things. Hospitals can rely on the proposed regulations for guidance until the final rules are released. Hospitals, such as duel status government hospitals, that can’t file form 990 are still required to comply with section 50 (r).
Understanding the requirements
Tax-exempt facilities must conduct, document, and implement a CHNA at least every three years. They also need to gather input from people “representing the broad interests of the community served” by the hospital, including those with special knowledge or expertise in public health. The facility’s authorized body must then adopt an implementation strategy that will meet the community health needs identified through the assessment. In addition, a CHNA must be made widely available to the public. This requirement can be met when the tax exempt hospital puts its CHNA on its website.
IRS Notice 2011-52 provided previous guidance on compliance with the CHNA requirements. The proposed regulations make some important changes to that guidance. Take note that CHNAs and related implementation strategies completed after Oct. 5, 2013, may no longer rely on Notice 2011-52.
Understand the changes
Facilities should be aware of the following changes from previous IRS guidance, per IRS bulletin 2013-21:
Definition of “medically underserved”- Previous guidance required facilities to get input from “medically underserved populations” but failed to define the term. The proposed regulations define it as populations experiencing health disparities or at risk of not receiving adequate medical care as a result of being underinsured or uninsured or because of financial, geographic, language or other barriers.
Relevant community health needs- Under the proposed regulations, facilities now must identify, prioritize and then address all “significant” community health needs, as opposed to every community health need. Hospitals have some flexibility in determining whether a health need is significant, and the regulations don’t require a specific method for prioritizing significant health needs (although examples of the criteria are provided). Facilities are simply advised to identify and prioritize needs based on all the relevant facts and circumstances in the community. The hospital will, however, need to explain their processes and criteria in the CHNA.
Implementing the strategy- Under the proposed regulations, the implementation plan describing how a facility will meet significant community health needs (and, for those it doesn’t intend to address, why) must provide a lot more detail than previously. For example, the hospital must describe:
· Any actions the facility plans to take,
· Any programs and resources the hospital plans to commit to address those actions, and
· Any plans to evaluate the effects.
The good news in all of this is this; the regulations extend the deadline for a hospital’s first implementation strategy. In general, it must be adopted by the end of the same taxable year in which the CHNA was conducted, but the regulations allow more time for the first strategy.
Reporting requirements- The proposed regulations require a facility to attach their most recent implementation strategy to its Form 990 each and every year. It must also describe any actions taken during the taxable year to address the significant health needs. If no actions were taken, the hospital must provide reasons why. The IRS has also added questions to Form 990 to reflect the new reporting requirements.
Safe harbors- The proposed regulations include two “safe harbors” that will protect a facility in violation of the requirements from any negative consequences. Some minor and inadvertent errors or omissions of reasonable cause aren’t considered failures, so long as they’re corrected promptly. And certain non-willful or non-egregious failures will be “forgiven” if hospitals correct them promptly and disclose them.
Watch out for the penalties
The Affordable Care Act calls for a $50,000 excise tax per facility per taxable year of noncompliance with the CHNA requirements. The tax should be disclosed on Form 990. If a charitable hospital is liable for the excise tax, it must file a return on Form 4720.
Any hospital that doesn’t comply may also lose its tax-exempt status. If only a single facility within a health organization doesn’t comply, the organization and its other hospitals will keep their status, but the noncompliant facility may be subject to taxation.
Work with your financial and healthcare advisors
While the proposed regulations don’t carry the weight of law, they do provide valuable protections to those facilities that adhere to them. The regulations also give a pretty reliable preview of the final rules. The bottom line is- make sure you talk to your financial and health care advisors about CHNA compliance.
Sidebar: What if you want to collaborate?
The proposed regulations regarding CHNA allow facilities to collaborate on both the implementation strategies and the reports themselves in some circumstances. Previous guidance required every hospital to create its own CHNA and implementation strategy. Now, a joint CHNA is allowed if:
· The facilities conduct a joint CHNA process,
· They use the same definition of “community,”
· The joint report is identified as applying to each hospital, and an authorized body from each hospital adopts the report. (An “authorized body” is a facility’s governing body or a committee or individual authorized by the governing body.)
A facility can also develop joint implementation strategies if certain conditions are satisfied. But, each hospital must document its own strategy in a separate written plan that takes into account its specific resources and programs, or provide the URL(s) of the web pages where it has made each implementation strategy on Form 990.
Freed Maxick’s Healthcare Practice is the leader in Upstate New York; providing comprehensive assurance and advisory related services to the healthcare provider industry. We assist a broad spectrum of clients including large multi-state integrated healthcare delivery systems, free standing acute care hospitals, skilled nursing facilities, long-term care facilities, home healthcare agencies, physician practices, senior housing facilities, mental health clinics, hospice and more.
Our services include traditional assurance services (financial statement, cost report and A-133 compliance audits) as well as a wide range of innovative advisory services that range from regulatory compliance matters to strategic planning and operations improvement. Our Upstate New York Healthcare practice of over 20 full time professionals is augmented by our national resource capabilities.
2013 NYS Bones Annual Conference
The 6th Annual NYS Bones Conference will be held Thursday and Friday, October 17-18, 2013 in Albany, New York.
This year organizers are expecting a much larger attendance with earlier promotion and a growing member base. The program is being finalized with presentations suggested by membership, including Worker's Comp and legislative updates and a open panel discussion with recognized experts in accounting, legal, HR and finance.
The conference is open to all orthopedic practice managers and key staff, both members and non-members of NYS Bones, from New York and New Jersey. The organization is working closely with NYSSOS to encourage physicians to be sure their office staff take advantage of the educational opportunities offered.
The conference designed to provide focused topics on key issues facing practices and three separate open sessions for discussion of the myriad questions we all face as practice managers. This format is based on the feedback from previous conferences which indicated that most want the opportunity to raise common problems and learn from each other’s ideas, and solutions. This is also an opportunity to develop ongoing working relationships with others. In addition there are over 30 exhibitors who provide products and services to New York orthopedic practices.
Make sure to check out the 10:30 AM – 1:00 PM, FRIDAY, OCTOBER 18, 2013 “Panel Discussion with Legal, Financial, and HR Experts” featuring Shawn M. Frier, CPA, CPE, CMPE, Director, Freed Maxick, Buffalo, NY
A unique opportunity to ask experts about those burning questions we face in our day-to-day practice lives. The session will begin with panel introductions and their perspectives in the challenges facing healthcare and orthopaedic practices. This will follow with an extended time for Q&A with the audience. Bring your questions for a broad perspective of opinion from the experts. Moderator: Megan O’Connor, President, NYS Bones, Practice Manager, Robert Moriatry, M.D., PC, Huntington, NY
Thomson Reuters- President Obama’s signature on the Health Care and Education Reconciliation Act of 2010 completed a massive overhaul of the U.S. health care system that was started with the enactment of the Patient Protection and Affordable Care Act, which contained the bulk of the health reform law. The sweeping changes in these two new laws affect nearly all taxpayers, many employers, and many elements of the health care industry.
The centerpiece of the health care reform legislation is the mandate for most residents of the U.S. to obtain health insurance. This mandate carries with it a host of new tax rules, such as new penalties for individuals who choose to remain uninsured, tax credits, and other sweeteners for participating in new insurance coverage, and new penalties for larger employers that don’t provide insurance (or provide coverage deemed inadequate or unaffordable).
Get the Special Report HERE
You can also check out our recent webinar for more information.
Topics that were covered include:
Which employers are affected?
Which employees are considered?
How is the tax calculated, assessed, and reported?
What are the salient aspects of the tax and health insurance to address?
If you would like to watch the webinar please click the link HERE.
Applying Six Sigma Principles to Your Hospital’s Operations and Management
Author: Jack SieberEven though “lean management” has been around for years, many hospitals are still reluctant to embrace the system. Lean management may not be the cure for everything that challenges your facility, but lean concepts are definitely worth considering.
Cut the waste
Lean management got its start from a Toyota automobile production system. The process involves removing waste and improving workflow. Lean management is sometimes coupled with Six Sigma principles. These use statistical analysis to minimize variations in process execution that can lead to waste.
Now, lean management is being adopted in health care settings. And for hospitals, the functions that typically benefit most from lean principles include admissions, discharge, radiology, purchasing and billing, and the ER.
Practically every organization, including hospitals, operates using a series of processes or sequences of actions that are designed to create value for their customers (or, in this case, patients). With lean management, you can distinguish value-adding process steps from non-value-adding steps, thus allowing you to cut any wasteful steps.
Not a one-time project
Employing lean activities doesn’t mean you can simply assign a handful of employees to do this as a one-time project. If your hospital decides to fully embrace going lean, every staff member will need to learn the system’s principles. Why? Because eventually they will all be called on to help streamline workflow and identify wasteful steps.
Being fully committed to lean practices means you’ll need to identify key processes in your hospital’s value stream. Perhaps it’s an inpatient stay, an office visit or a trip to the ER. You’ll also want to look at both internal processes (supporting primary processes) and primary processes (serving patients and their families) to determine the value that each one aims to create.
The next step is to conduct a kaizen (continuous, incremental self-improvement) event. It’s a three- to five-day session that not only analyzes the hospital’s processes, but also implements changes. Participants must map out how each process functions and then document and quantify the value that was created by each step — as well as the waste in steps or between steps.
Moreover, a conversion to lean may require you to employ the mnemonic PDSA (Plan-Do-Study-Act) system. PDSA describes the steps in changing a process:
- Devise small tests of a change (Plan),
- Conduct the tests on a small scale (Do),
- Measure results against the present state and consider how it could be further improved (Study), and
- Implement changes hospitalwide, monitoring the process for at least 90 days to ensure stability and sustainability (Act).
An exemplary use
Many hospitals use lean management in processes such as moving patients through OR procedures from beginning to end and preparing claims for submission to a payor.
The Exempla Lutheran Medical Center in Colorado provides a detailed case study. The Center wanted to address foot traffic going in and out of the OR during surgical procedures because excessive, unnecessary entry and exit can produce airflow disruptions that can increase the risk of nosocomial infections. Plus, such movement can become a distraction for the OR team, resulting in medical errors.
So the facility conducted a “rapid improvement cycle,” via a four-day kaizen event. They pulled together physicians and frontline staff to analyze the current state of OR work processes and determined how often, when and why someone left or re-entered the OR.
Once they found that the leading cause was the need to retrieve missing instruments, supplies and equipment, the kaizen team redesigned processes to improve equipment and supply availability in the OR. After the changes were made, total OR foot traffic actually dropped by 32% and surgical site infections fell by 14%. Another benefit: 7.9 hours of staff time per day were freed up.
Not for the fainthearted
If going lean sounds good to you, be prepared for a few bumps in the road. Why? Because it requires getting all staff members to buy into the system. Plus, it will likely consume a great amount of time and resources as you look at your hospital’s processes. The end results, however, will be worth it.
If you have any questions about lean management or any other healthcare issue, give us a call at 716.847.2651, or you may contact us here.
New Rule Includes Core Objectives for Hospitals
CMS has, at long last, released its final rule regarding Stage 2 of the Electronic Health Record (EHR) Incentive Program. These final regs address several key areas you should be aware of.
The final rule requires all hospitals to satisfy some 16 “core objectives” and three of six “menu objectives.” The new regs also replace and add other objectives. In Stage 1, for example, hospitals were required to fulfill 14 core objectives and five of 10 menu objectives. Some Stage 1 objectives were either eliminated or combined, but most of them have been finalized. Many require meaningful use by higher thresholds of the patient population, however.
Core objectives of “capability to exchange key clinical information” and “provide patients with an electronic copy of their health information” have now been replaced. The respective replacements are “transitions of care” (which requires the provision of a summary of care record for each referral or transition) and “electronic/online access” to patients’ health information within 36 hours of being discharged.
The final rule also adds a new core objective that requires that facilities “automatically track medications from order to administration using assistive technologies in conjunction with an electronic medication administration record (eMAR).”
And the rule adds these five new menu objectives:
- Record electronic notes in patient records.
- Offer access to imaging results available through Certified EHR Technology (CEHRT).
- Record patient family health history as structured data.
- Generate and transmit permissible discharge prescriptions electronically.
- Provide structured electronic lab results to ambulatory providers.
The sixth menu objective — which is to record whether a patient 65 years old or older has an advance directive — is a holdover from Stage 1.
Hospitals and CQMs
While the final rule removes clinical quality measure (CQM) reporting as a core objective, facilities must still report on CQMs to demonstrate meaningful use. And specifically, all facilities must report on 16 out of 29 CQMs, beginning in 2014.
Moreover, hospitals must select CQMs from at least three of six key health care policy domains as identified in the Department of Health and Human Services’ National Quality Strategy. The domains include:
- Patient and family engagement,
- Patient safety,
- Care coordination,
- Population and public health,
- Efficient use of health care resources, and
- Clinical processes/effectiveness.
Beginning in 2014, Medicare providers that are beyond the first year of demonstrating meaningful use must electronically report CQM data to CMS. Hospitals will provide reporting through the EHR Reporting Pilot infrastructure for hospitals or electronic submission of aggregate data through a CMS Portal.
Medicare payment adjustments are supposed to take effect in fiscal year 2015 (Oct. 1, 2014). Medicare hospitals that demonstrate meaningful use this year will avoid a 25% payment reduction that applies to the percentage increase to the inpatient prospective payment system (IPPS) reimbursement amount in 2015. A Medicare hospital that first demonstrates meaningful use in 2014 will avoid that penalty by registering and attesting to meaningful use by July 1, 2014. If the increase in the IPPS amount in 2015 is 2%, for example, a hospital failing to meet meaningful use would only receive a 1.5% increase (1 – 25% reduction = 75%; 75% × 2% IPPS increase = 1.5% increase for nonconforming hospital).
The final rule also lists three categories of hardship exceptions that facilities may apply for to avoid any payment adjustments: infrastructure, new eligible hospitals and unforeseen circumstances. In the first category, hospitals must demonstrate that they’re in an area without sufficient Internet access or face insurmountable barriers to obtaining infrastructure (for example, the lack of broadband).
The second category allows hospitals with new CMS Certification Numbers that would not have had time to become meaningful users to apply for a limited exception for one full-year cost reporting period. And the third category regards unforeseen circumstances, such as natural disasters.
Getting a jump on the deadline
The Stage 2 rule offers providers more time to meet the Stage 2 criteria than was originally laid out in the Stage 1 regs. Now, the earliest that hospitals must meet Stage 2 criteria is in fiscal year 2014. But savvy hospitals will likely take steps to get a jump on the deadline to avoid 2015 Medicare payment adjustments.
If you have any questions about the Stage 2 rule or any other issue pertaining to the rule change, give us a call at 716.847.2651, or you may contact us here.
Acquiring Physician Practices Brings Risk Along with Benefits
The number of hospitals pursuing acquisitions of physician practices is on the rise. Why? Because they hope it will help improve care, cut costs and boost profits. However, such transactions aren’t without risk and they require comprehensive due diligence. On the financial side, a hospital should perform due diligence in these areas in particular.
The sustainability of the practice’s revenues is key to its value as well as the eventual success of the transaction. But revenues can be inflated because of overdependence on either a limited number of referral sources that could dry up, or a small number of providers who might depart.
Moreover, trends in reimbursement rates may also distort revenue. If rates for one of the practice’s primary services are dropping, the services might bring in less revenue down the road.
Practice revenues and the distribution of procedure codes both should be compared to appropriate benchmarks to determine reasonableness. The facility should also determine each physician’s age and estimate how long he or she might remain with the practice.
Another area to scrutinize is the revenue cycle. Ask yourself how long it should take to convert a procedure into revenue. Also consider the patient flow process, collections and denials, and billing and documentation practices.
Understanding expenses and capital requirements
Do you anticipate any major expenses on the horizon, such as increased rent for more space, supplies or costly equipment? If so, prepare a list of all incurred but unpaid accounts payable and accrued expenses as of your balance sheet date. Next, compare operating expenses, overall and by category, with appropriate benchmarks.
It’s likely that physician compensation is the source of any substantial jumps in expenses. Make sure you review every physician’s employment agreement and compare their compensation with benchmarks. If you find any significant discrepancies, get further explanation.
You should also think about the practice’s future capital requirements. For instance, will significant investment be necessary to implement needed technology upgrades for electronic health records (EHRs)?
Consider other financial obligations
Your facility should gather copies of all outstanding debt agreements and summarize the relevant terms, including covenants, repayment terms and assets pledged as security. Also confirm that no loans are in default.
Some hospitals decline to assume a practice’s debt as part of the transaction. But there may be similar obligations lurking out there in the form of commitments or contingencies that don’t appear on the balance sheet. Your hospital should be aware of any change-in-control payments that could be triggered by a transaction, for example. And a self-insured practice might have incurred, but never reported, a medical malpractice claim that may come back to haunt the hospital.
Do your due diligence
Comprehensive due diligence requires all hospitals to consider many other areas that will affect both the practice’s value and the success of the transaction.
Make sure you engage legal and consulting advisors who are experienced with hospital purchases of physician practices. They can help you navigate all of the compliance, legal, and transition matters that must be addressed.
If you have any questions about due diligence or any other issue pertaining to hospitals, give us a call at 716.847.2651, or you may contact us here.