Do you have a reportable data breach?


Concerned that you have a data breach?

Not everything that looks like a data breach is, in fact, a reportable data breach. Before you report a data disclosure to the US Department of Health and Human Services Office for Civil Rights (OCR), confirm that the incident you are concerned about is, in fact, a HIPAA breach.

A HIPAA breach is defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under HIPAA that compromises the security or privacy of the data. 

Not every disclosure of PHI is a breach. There are three important exceptions.

Three data disclosures that are not considered a reportable breach:

  • Unintentional Access:

An employee unintentionally accesses PHI but does not further disclose the PHI in a manner that is not permitted under the HIPAA regulations. For example, a clinician wishes to enter information in the chart for patient “John Smith”. The clinician opens the chart for the patient John Smith living on Bay Ridge Street instead of the patient John Smith living on Reed Street. The clinician closes the chart as soon as the mistake is identified.

  • Inadvertent Disclosure to Authorized Person:

An individual who is authorized to see the PHI inadvertently shares the PHI with another person in the organization. That second person does not further disclose the information in a manner that is not permitted per HIPAA regulations. For example, a technician sends lab results for the wrong patient to a physician. The physician deletes the results.

  • Inability to Retain the PHI:

PHI is inadvertently disclosed to someone unauthorized to have access to the information but that person would not be reasonably expected to retain the information. For example, a clinician’s young child is on the phone while the clinician is discussing patient PHI.

Is every disclosure that does not fall into one of these three exception categories considered a reportable breach?

The regulations allow for a four-factor analysis to assess the overall level of risk of compromise, to discover the extent of the data breach, and to determine whether or not notification is required. Only after this four-factor analysis is completed does the hospice agency determine whether or not a breach occurred and the level of risk.

The following are the four factors:

  • Factor 1: Nature and Extent of PHI Involved

What information is involved? Can the patients be identified? What personal or health information is included?

  • Factor 2: Who Accessed the Data / to Whom was the Data Disclosed

Was the data disclosed to a person in the organization, or in another HIPAA-covered organization, who is required to follow data privacy rules? In either of these cases the risk is reduced, as both of these types of persons are trained in HIPAA regulations.

  • Factor 3: Was PHI Actually Acquired or Viewed

Was the PHI actually viewed or acquired? For example, an encrypted device with PHI is stolen but based upon forensic analysis it is determined that no one accessed the PHI. In this case, there was a risk of data breach but analysis determined that PHI was not actually acquired or viewed.

  • Factor 4: To What Extent have you Mitigated the Risk

What actions have been taken to reduce the risk of PHI access? For example, has the PHI been returned to you? Have you taken steps to track down the device that was not returned by the former employee?

What should I do if a breach has occurred?

If, upon completion of the four factor analysis, it is determined that a breach has occurred, then notification is required. 

Affected persons must be notified, and the media and the state may be required to be notified as well.

If fewer than 500 persons are involved, the OCR must be notified at the end of the calendar year. Otherwise, the OCR must be notified within 60 days.

Take appropriate action

Not every disclosure of data is a breach. An investigation must be conducted to determine whether the disclosure constitutes a reportable data breach. If the disclosure is a data breach, then appropriate actions must be taken to report the breach to all relevant parties within the required time frames. Note that required actions may vary by state.

Where can you get more information?

Accounts Receivable by Payer


Who are Hospice Agency Payers?

A payer is the company or government agency that pays the provider, i.e., the hospice agency, for the medical service that is administered to the patient.

For most hospice agencies, Medicare is the primary payer for hospice services. See, for example, this study published by Bazell et al., 2019, https://bit.ly/3RS805r.  The characteristics of payment vary by payer. As such, an agency should understand the distribution of its revenues and receivables across different payers.  In addition to understanding the breakdown of total receivables, the agency should look at distribution of receivables by payer – further broken down by aging bucket.

Expected time to be paid on a claim varies by payer. For example, payment for a Medicare claim is usually received within 14 days of the date the claim is submitted.  A claim submitted to a commercial payer will take longer and further varies by the commercial payer. It is important to monitor time until payment is received for each payer.  Delay in payment is an opportunity to quickly identify if there is a billing error that needs to be corrected.  Or, there may be an opportunity to improve the billing and collection process that will result in an increase in speed of collections.

It is also useful to compare your agency’s metrics to industry standards. Metrics that are worse than industry standards could point to areas of the collections process that could benefit from process improvement. 

Aging Accounts Receivables for Medicare and Commercial Payers

The following graph shows aging accounts receivable for the Medicare payer. As we see from the graph, over 90% of the receivables are less than two months old.

In contrast, here we can see the distribution of aging accounts receivable for commercial payers for the same hospice agency. 

In contrast to the Medicare accounts receivables, here only 43% of the receivables are less than two months old. 25% of the receivables are between four and eight months old. More significantly, more than 25% of the outstanding receivables are more than 12 months old – a sign that there may be a high number of receivables that may have to be written off.

What is the key takeaway?

Different payers have different payment patterns and different rules for timely submission of claims. Hospice agencies need to have a good understanding of the distribution of their claims and the distribution of their outstanding accounts receivable to reduce the likelihood of write-offs.

Aging Accounts Receivable


What is Aging Accounts Receivable?

The age of accounts receivable (AR) is the time that has elapsed from the time the agency delivered the service to the patient until current date. Aging AR is typically grouped into monthly buckets (e.g., 0-30 days, 31-60 days, etc.). Total dollar value of outstanding (aging) AR should be monitored each month, grouped by monthly buckets. 

Consider the aging AR in the graph above.  The horizontal axis shows different buckets of AR, where Medicare is the payer. “Current” represents dollars outstanding for services rendered within the most recent 30 days.  “1 month” is dollars outstanding for services rendered in the most recent 31-60 days, etc.  The vertical axis represents the percentage of the total Medicare dollar amounts of AR in each of the aging buckets.

How is the Accounts Receivable Distributed over Aging Buckets?

The high dollar amounts in the first AR bucket followed by a drastic drop in outstanding AR is typical for the Medicare payer. Most agencies bill on a regular cycle (biweekly or monthly), so the large volume of outstanding AR in the “Current” bucket is mostly comprised of services that have not yet been billed out or have just been billed out to Medicare.

The outstanding AR drops but remains elevated in the “1 month” bucket. The agency is waiting to collect on services for which it has billed. It takes approximately 14 days to receive payment from Medicare. Aging AR is low in all remaining aging buckets. This is because the agency has billed and collected for most of its Medicare AR services.

What is Medicare Timely Filing?

Medicare claims must be filed no later than 12 months from the date services were provided. This includes resubmitting corrected claims that were unable to be processed. Again considering the aging AR in the graph above, note the volume of AR in the 10 month and 11 month aging buckets. AR in these aging buckets may be approaching Medicare’s timely filing deadline. Any claims in these buckets that have not yet been billed to Medicare will not be able to be billed due to timely filing. The agency should quickly investigate the AR in these buckets.
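As an added example (not from the original article), the aging and per-payer breakdown described in this section and in the "Accounts Receivable by Payer" section, written in Python: it assigns constructed sample claims to 30-day aging buckets ("Current", "1 month", ...), reports the share of a payer's outstanding AR dollars in each bucket, and flags unbilled Medicare claims in the 10 and 11 month buckets that are approaching the 12-month timely filing deadline. The sample claims, the `as_of` date, the `bucket_index` helper and the two-bucket warning window are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample claims (not real agency data): (payer, service_date, amount, billed)
CLAIMS = [
    ("Medicare", date(2024, 6, 20), 5200.00, False),   # Current bucket, not yet billed
    ("Medicare", date(2024, 6, 2), 3100.00, True),     # Current bucket, just billed
    ("Medicare", date(2024, 5, 10), 2400.00, True),    # 1 month, awaiting payment
    ("Medicare", date(2023, 8, 15), 900.00, False),    # 10 month, unbilled: timely filing risk
    ("Medicare", date(2023, 7, 20), 400.00, True),     # 11 month, billed
    ("Commercial", date(2024, 2, 15), 1800.00, True),  # 4 month
    ("Commercial", date(2023, 5, 1), 2200.00, True),   # 14 month, likely write-off
]
AS_OF = date(2024, 6, 30)                 # assumed reporting date
MEDICARE_TIMELY_FILING_MONTHS = 12        # claims must be filed within 12 months of service


def bucket_index(service_date, as_of):
    """0 = 'Current' (0-30 days), 1 = '1 month' (31-60 days), and so on in 30-day steps."""
    days = (as_of - service_date).days
    return max(days, 0) // 30


def bucket_label(i):
    return "Current" if i == 0 else f"{i} month"


def aging_distribution(claims, payer, as_of):
    """Percentage of the payer's outstanding AR dollars that sits in each aging bucket."""
    totals = defaultdict(float)
    for p, svc, amt, _billed in claims:
        if p == payer:
            totals[bucket_index(svc, as_of)] += amt
    grand = sum(totals.values())
    return {bucket_label(i): round(100 * totals[i] / grand, 1) for i in sorted(totals)}


def timely_filing_risk(claims, as_of, window_months=2):
    """Unbilled Medicare claims within `window_months` buckets of the 12-month filing deadline."""
    risky = []
    for p, svc, amt, billed in claims:
        if p != "Medicare" or billed:
            continue
        i = bucket_index(svc, as_of)
        if MEDICARE_TIMELY_FILING_MONTHS - window_months <= i < MEDICARE_TIMELY_FILING_MONTHS:
            risky.append((svc.isoformat(), amt, bucket_label(i)))
    return risky


if __name__ == "__main__":
    print("Medicare:", aging_distribution(CLAIMS, "Medicare", AS_OF))
    print("Commercial:", aging_distribution(CLAIMS, "Commercial", AS_OF))
    print("Timely filing risk:", timely_filing_risk(CLAIMS, AS_OF))
```

Claims in the flagged list should be worked first, since once they cross into the 12 month bucket they can no longer be billed to Medicare.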

Most agencies have a greater than 99% collection rate for Medicare AR. There should not be significant Medicare AR that is uncollectible.

In addition to monitoring total dollar value of aging AR, there are other useful classifications and breakdowns of aging AR that should be monitored on a monthly or even weekly basis.