Welcome to the March module of HIPAA MMM. As you complete each activity, please print and place the completed documents in your HIPAA Manual in a location you will remember and be able to easily locate if needed.
Instructions for the routine repeated monthly QUICK CHECK review audit
It is advised that every month you do this same QUICK CHECK audit by using the following audit tool and place any written updates in your HIPAA manual – make sure to review the QUICK CHECK every month as items are added periodically based on changes in focus and enforcement activities within the federal government.
Below are the instructions to correspond with each item on the Monthly Audit List;
1. If yes, perform a risk analysis for that device, as you did for the devices when you prepared your original risk analysis from the Do It Yourself Kit or by copying the format for the risk analysis used in the Silver or Gold program originally provided for you (you can also use your Do It Yourself Kit as a reference/templates) Add this newly prepared document to your HIPAA manual.
2. If yes, then remember to document what you did to assure that the device had no patient health information /electronic data remaining on it (i.e. had a service clean the hard drive, destroyed the hard drive, shredded information –if paper etc., at the time of disposition).
3. If yes, remember to have them sign an employee confidentiality form and assure that you perform a full HIPAA training within 45 days of hire. (Remember there is an audio training in the Do It Yourself KIT that can be paired with giving your new employee a copy of your office HIPAA policies and having them sign off that they agree to read, understand and abide by those policies to satisfy this training — remember to document this in your HIPAA manual.)
4. Regardless of the specific customized evaluation/review/audit you will perform THIS month, due to the increase in ransomware, it is advised to assure and document that all patches, updates, firewalls, antivirus, malware etc. are current and installed on at least a monthly basis.
5. Again, especially due to ransomware, the required HIPAA contingency plan, most especially focused on the area of data recovery, has become a major center of attention. One of the key components is that your backups are readily available and your data can be restored in the event of an attack on your patient data that shuts down your main computers etc.
Monthly security reminder
This months’ reminder will likely require modifications to fit the circumstances in your specific office. While you may need to eliminate some items, as they do not apply to your particular office, there may also be items to add.
Activity for this month:
Download the document provided below to complete your Security Audit Activity
BONUS OIG Quarterly Training & Video:
Due to popular demand and specific challenges relative to Medicare reimbursement and audits, we have now upgraded our MMM program to include OIG updates for those offices accepting Medicare patients. Below is your quarterly OIG Training Audit and Video Link.
As you know, if you see even ONE Medicare patient or Medicare eligible patient per year you are required, BY LAW, to have and keep current a Medicare OIG (Office of the Inspector General) compliance program.
Since OIG compliance is not as ‘cumbersome’ as HIPAA, the relevant OIG updates occur approximately every three months vs. HIPAA task updates that occur monthly, with this program.
Therefore, depending on which MMM module you are presently completing, there may or may not be an OIG compliance task or training video in this particular month or there may be some duplication in the following IMMEDIATE ACTION recommendation for new members of MMM, below:
IF THIS IS YOUR FIRST MONTH ON THE MMM PROGRAM WE RECOMMEND THE FOLLOWING;
We are frequently asked, ‘What is the best thing I can do RIGHT NOW to be protected from Medicare enforcement activities?’
The short answer is to realize the MMM program is to KEEP YOUR EXISTING OIG program current, this means you have implemented your FREE OIG program, that came with the purchase of your original HIPAA INSTALL program (DIY Kit, Silver, or Supercharge Silver). It is impossible to keep something current that was never implemented to start.
So, if you did not implement the program, we recommend you do so now!
This is the way to be the safest. In the event you HAVE implemented your OIG program and want to do a quick ‘safety check’— regardless of what may appear as a task within this months’ module – this is what we recommend:
Do a baseline claims submission audit to help determine what areas of your billing, coding and documentation are, or are not, in compliance and come into compliance on any issues that are exposed during the audit. A five to ten-patient chart audit is usually adequate and should take minimal time to perform.
Information regarding audit tools and how to perform such are in your initial program.
Specific areas to address in audits are determined by current governmental payer initiatives and current billing data that may be outside “normal” parameters. The baseline audits also assist clinics with noting trends in the practice that might fall outside a bell curve (outliers), which alert doctors to the possibility of services billed that might not be medically necessary, and can be creating “flags” on your profile.
- Look back over the history of claims that were not paid. Learn from issues that occurred in the past and monitor to make sure the issues are resolved (i.e. does the diagnosis support the service?).
- Check managed care contracts. Most payers also have coverage and payment policies available on their website. Make sure the services you are performing and billing for, are not on the carrier’s “exclusion” list.