Plan While You Still Can

In our work with hundreds of medical practices, and in our Firm’s medical practice manager roundtable meetings, a common issue among medical practitioners is the uncertainty about the economic future of their medical practices.

Reimbursement levels may drop, many patients may choose medical coverage offered by a state-sponsored exchange, and the burden of changing technology is felt in many areas of practice. Since so many aspects of a medical practice are beyond the control of physicians, it is essential that doctors in private practice exercise intentional control over the areas where they still can. This strategic planning is less daunting than many think, and can produce a more dynamic practice than you have experienced in years.

The process of strategic planning begins with an honest assessment of your practice’s current situation. Each physician’s candid opinions must be sought and considered in the development of an agenda for the group meeting. Since candor may be difficult to elicit among even the most collegial doctors in a given practice, consider having an outside facilitator conduct these interviews. Based on the content of each doctor’s concerns, build an agenda for the planning meeting. It is recommended that these meetings be held at a neutral site outside the office, but they can be held in the practice conference room as long as no physician is permitted to exert his or her authority by sitting in a “power” chair or heavy-handedly controlling the agenda.

Prior to the actual retreat, the administrator and facilitator must assemble background information and construct schedules necessary to answer as many fact‐based questions as possible. The goal of these schedules is to lessen the likelihood that a decision is postponed for want of additional data or a projection of the impact of the decision. Physicians are among the worst at group decision making. Some are so accommodating of their partners that they permit everyone to have “veto power” over any issue. Others let one member of the group require that the matter be tabled until every conceivable question can be addressed. Some groups apply their appropriately cautious medical decision-making processes to business decisions, which are not nearly as lethal or consequential. Whatever the reason, these result in what we refer to as Decision Deficit Disorder in medical practices. This too is a reason to have an outside facilitator.

With an agenda built on the issues of concern to all members of the group and background material developed for each point, the meeting is a time to make strategic decisions and assign tactical responsibilities. Select one of the easier matters for first on the agenda to establish a quick tempo, gain a positive perspective and promote participation by the entire group. If painful issues must be addressed, these should be handled privately unless that avenue has been tried and failed.

A sufficient agenda would contain five to seven decisions, depending on the magnitude of the topics. We have been involved in planning processes where more than ten issues were resolved, but a recent strategic process resolved five matters. In that instance, the group decided where to open a satellite office, determined to recruit two new physicians, renewed their commitment to reach out to referring physicians, decided to hire a marketing director for the practice and affirmed a plan to make their clinic days more accessible to patients. This proves that major things can happen when doctors focus on their own business needs.

 

Article contributed by Sae Evans, Maddox Casey and Jim Stroud, Members, Warren Averett Healthcare Consulting Group. Warren Averett is an official partner with the Medical Association.

Posted in: Leadership

Before You Lock the Door and Turn Out the Lights . . .

Necessary Steps When Closing a Physician Practice

The Gilberto Sanchez Story [1]

Shortly after a group of DEA agents and other law enforcement personnel sporting tactical gear arrived in the parking lot with search and arrest warrants on a Tuesday early in August, Dr. Gilberto Sanchez was hauled away from his medical practice in the 4100 block of Atlanta Highway in Montgomery, Ala. Dr. Sanchez had been indicted for operating a medical clinic that dispensed controlled substances inappropriately, unlawfully, and for non-medical reasons. Since his arrest, Sanchez has pled not guilty and been released on bond.

The unfortunate saga of Dr. Sanchez highlights a difficult issue for both physicians and patients — who takes care of a physician’s patients when his or her practice closes shop, whether voluntarily or otherwise? Montgomery news sources reported on a patient of Dr. Sanchez who encountered this exact struggle. After Sanchez was arrested, the patient and his wife (also a patient of Sanchez) began the arduous search for another physician. They also encountered trouble getting their medical records from Sanchez’s office, reporting that they received no answers beyond a voicemail box too full to receive additional messages.

Dr. Sanchez’s story is unique in many regards, but it highlights the need for an effective transition plan upon the closing of a physician practice. Doctors sell practices, retire, die, seek the protection of the United States bankruptcy laws, and generally quit practicing medicine all the time. Whether you’re packing up to hit the links or being packed up and hauled to jail like Dr. Sanchez (let’s hope it’s not the latter), here are a few things to think about in order to wind up your practice’s affairs in accordance with applicable legal and ethical considerations.

A Few Things Before You Leave

A number of factors come into play when you decide to close your practice. Below we consider legal and ethical requirements regarding continuity of patient care and access to records from the Alabama Board of Medical Examiners (“BME”) and the American Medical Association (“AMA”), notification requirements for various government and third-party payors, and miscellaneous corporate formalities that must be undertaken when dissolving a business.

Board of Medical Examiners Requirements and AMA Ethical Considerations

Perhaps the most important part of closing down your practice (maybe for you, but certainly for your patients) is making sure that your patients have adequate notice and opportunity to find a new doctor, as well as access to their medical records. These notice and access considerations are addressed on the state level by the BME in accordance with ethical opinions issued by the AMA.

Consider the following items when closing your practice. Take note of whether each is a suggested best practice or a mandatory requirement.[2]

  1. Notify the BME. You need to advise the BME of any change in your status (closing practice, retiring, etc.) and of your new address, if applicable, and you are required to notify the Medical Licensure Commission within 15 days of a change in your address.[3] You may also submit a request for the removal and disposal of unused medications, especially controlled substances.
  2. Notify Your Patients. To ensure continuity of care for your patients, they have to receive a reasonable notification that your practice is closing and an opportunity to arrange for the transfer of their medical records.[4] The BME recommends that (i) each active patient of the practice receive a direct mail notification of the practice’s closing at their last known address and that (ii) the practice issue a public advertisement (e.g. in the local newspaper) about the closing of the practice to notify the public more generally. All notices (public or direct notice to active patients) should indicate the expected date the practice will close, and the direct notice to active patients should specifically identify instructions for how patients can access or transfer their medical records, and, if the medical practice is being assumed by another physician or practice, the name, address, and telephone number of that physician or practice.[5]
  3. Notify the Drug Enforcement Administration (“DEA”). Notify the DEA of the closing of your practice. This notification can be especially important as you plan for the appropriate disposition of unused medications, including controlled substances.
  4. Post a Written Notice at the Practice. After you actually close your practice, you should consider posting a written notice of its closing on the door or other visible areas of the office/building where your practice is located. The notice should contain instructions for patients to transfer or obtain copies of their medical records, as well as the current location of such records. These instructions must be made available to leasing agents, new tenants, or new owners of the building where the practice is located.
  5. Records Management. As mentioned briefly in the description of notices above, you have to maintain and provide access to patient medical records for a period of time after you close your practice. The BME generally recommends maintaining such records for a period of 10 years after your practice closes. However, some types of medical records (e.g., pediatric records and immunization records) may have different retention requirements, and records associated with anticipated litigation should be kept until the litigation is resolved, even if such resolution does not occur until after the regular record retention period. In addition, BME regulations and AMA ethics opinions require that you make records available to a patient’s succeeding physician, to third parties as requested by your patients or their authorized representatives, and as otherwise required by law.[6]

These record maintenance practices serve multiple purposes: (i) you can satisfy your ethical obligation to provide access to medical records for your patients so they can obtain copies or transfer copies of their medical records to their new physician; and (ii) you fulfill applicable recordkeeping requirements for government and other third party payors in the event of an audit.

  6. Provide Access to Patient Records. Your patients have a right to access their medical records, or at least a copy of them. This right extends to any person who has a properly executed authorization from the patient to access such records.[7] According to state law and regulations, when providing copies of patient records, you may charge up to $1.00 per page for the first 25 pages, up to $.50 for each page after that, and up to $5.00 as a search fee.[8] The costs of mailing the medical records to the requestor or their designee may also be included in the copying charges. However, state regulations (and in some cases HIPAA) require physicians to consider the needs of their patients and waive the fees where appropriate.[9]

Notify Government and Third Party Payors

There are several parties in addition to your patients who want to know if you close your practice. Medicare, Medicaid, and private insurers will want to know when you close your practice in order to terminate your provider agreement. There are likely requirements in your provider agreement with each payor regarding what you should do when closing your practice. However, generally you need to take the following steps for each payor below:

  1. Medicare. File a form 855B within 30 days of a change of ownership or practice location and within 90 days of other changes in enrollment, as required by 42 CFR § 424.516.
  2. Medicaid. There are no general requirements for closing a physician practice in the Medicaid Administrative Code or the Medicaid Provider Billing Manual. However, providers should notify HPE/DXC (Medicaid’s fiscal agent) on the provider disenrollment form.[10]
  3. Private Insurers. Frequently, insurance payors require notices prior to termination. For private insurers, such as Blue Cross Blue Shield of Alabama, check your provider agreement for the applicable notice requirements, if any.

The “Business” Side of Things

As if the steps listed above were not enough, you still have to think about what you want to do with the business entity from which you operated your practice. Unless you sold your practice, your name is probably still in a partnership, limited liability company, or professional corporation somewhere. To fully dissolve the business entity that formed your practice, you have to file articles of dissolution (or their comparable form for other types of business entities).[11] Be sure to file a copy of the articles of dissolution (or their comparable form) with the BME within 30 days of the effective date of dissolution.[12] In addition, you may be required to file notices with applicable federal and state taxing authorities, local governmental entities, and other agencies, as well as known creditors.

In addition to the above, there are several other nuances that must be explored when dissolving your practice. These nuances can be different based on the type of entity you chose to form your practice and may very well be different between two practices formed of the same type of entity. Consult counsel to look at the relevant provisions in the applicable statutes and the governing documents for your practice.

Lights Out, Lock the Door

As you can see, closing a physician practice is not as simple as turning off the lights and locking the door when you leave. There are a number of legal, ethical, and practical considerations you have to be aware of as you close or transition away from your practice. It may seem like a daunting task at first, but it has to be done in order to provide continuity of care for your patients and to provide for the orderly winding down of your practice’s affairs. To accomplish these objectives, be sure to plan ahead, consult counsel in the planning and implementation process, and don’t leave any stone unturned. It could be the one that trips you up unexpectedly.

For additional inquiries regarding this article or the steps to close a medical practice, please contact Christopher Richard or Gregg Everett at:

Christopher Richard, Esquire
Gilpin Givhan, PC
P.O. Drawer 4540 (36103-4540)
2660 EastChase Lane, Suite 300
Montgomery, Alabama  36117
Telephone: (334) 244-1111
Direct Dial: (334) 409-2233
Fax: (334) 244-1969
E-mail: crichard@GilpinGivhan.com

 

Gregg B. Everett, Esquire
Gilpin Givhan, PC
Lakeview Center, Suite 300
2660 EastChase Lane
Montgomery, Alabama  36117
Telephone: (334) 244-1111
Direct Dial: (334) 409-2228
Fax: (334) 244-1969
E-mail: geverett@GilpinGivhan.com

Article contributed by Christopher Richard, an attorney at Gilpin Givhan. Gilpin Givhan is a Bronze Partner with the Medical Association.

 

REFERENCES

[1] Jennifer Horton, Alleged AL pill mill doc’s patients lined walls, sat on floor, U.S. attorney says, WSFA12 News (August 1, 2017), http://www.wsfa.com/story/36021670/alleged-al-pill-mill-docs-patients-lined-walls-sat-on-floor-us-attorney-says; Samantha Day, Patient of alleged Montgomery pill mill doctor speaks out, WSFA12 News (August 4, 2017), http://www.wsfa.com/story/36066718/patient-of-alleged-pill-mill-doctor-speaks-out.

[2] These action items come from a publication by the Alabama State Board of Medical Examiners, available on the BME website. Recommended Procedure in Closing/Discontinuing a Medical Practice, Alabama State Board of Medical Examiners, available at http://www.albme.org/closeprac.html (last visited September 5, 2017).

[3] Ala. Code § 32-24-338 (1975).

[4] Ala. Admin. Code r. 540-X-9-.10(3). See also AMA Code of Medical Ethics, Opinion 1.1.3: Patient Rights (stating the patient’s right to continuity of care, as well as sufficient notice and reasonable assistance in making alternative arrangements for care prior to a physician discontinuing care); AMA Code of Medical Ethics, Opinion 1.1.5: Terminating a Patient-Physician Relationship (requiring physicians to notify the patient or an authorized decision maker sufficiently in advance to permit the patient to secure another physician and to facilitate transfer of care where appropriate).

[5] Ala. Admin. Code r. 540-X-9-.10(3); AMA Code of Medical Ethics, Opinion 3.3.1: Management of Medical Records.

[6] Id. With regard to disclosure as required by law, check the record management requirements in your provider agreements with Medicare, Medicaid, and private third party payors, as applicable, to confirm the minimum length of time you should preserve records and make them available for inspection. However, in most cases, the 10 years recommended by the BME should suffice.

[7] See Ala. Admin. Code r. 540-X-9-.10(2); Ala. Admin. Code r. 545-X-4-.06 (including in the definition of “unprofessional conduct” any refusal to comply, within a reasonable time, with a request from another physician for medical records or information when such request is accompanied by a properly executed authorization from the patient).

[8] Ala. Code § 12-21-6.1 (1975); Ala. Admin. Code r. 540-X-9-.10(2).

[9] Ala. Admin. Code r. 540-X-9-.10(2); AMA Code of Medical Ethics, Opinion 3.3.1: Management of Medical Records(d)-(e).

[10] http://medicaid.alabama.gov/content/9.0_Resources/9.4_Forms_Library/9.4.16_Provider_Enrollment_Forms.aspx. The form contains additional instructions regarding the disenrollment process.

[11] As a practical matter, your business will be “dissolved” once the articles of dissolution are approved, but the entity will continue to exist for a period of time for purposes of winding down its affairs by paying off creditors and distributing remaining assets to the owners, among other things.

[12] Ala. Admin. Code r. 540-X-9-.01(5).

Posted in: Legal Watch

CMS Proposes 2018 Payment and Policy Updates for the Physician Fee Schedule

The Centers for Medicare & Medicaid Services issued a proposed rule that would update Medicare payment and policies for doctors and other clinicians who treat Medicare patients in the calendar year 2018. The proposed rule is one of several Medicare payment rules for CY 2018 that reflect a broader strategy to relieve regulatory burdens for providers; support the patient-doctor relationship in health care; and promote transparency, flexibility, and innovation in the delivery of care.

The Physician Fee Schedule is updated annually to include changes to payment policies, payment rates, and quality provisions for services furnished to Medicare beneficiaries. In addition to physicians, a variety of medical professionals, including nurse practitioners, physician assistants, and physical therapists, as well as radiation therapy centers and independent diagnostic testing facilities, are paid under the Physician Fee Schedule.

This proposed rule would provide greater potential for payment system modernization and seeks public comment on reducing administrative burdens for providing patient care, including visits, care management, and telehealth services. The rule takes steps to better align incentives and provide clinicians with a smoother transition to the new Merit-based Incentive Payment System under the Quality Payment Program (QPP). The rule encourages fairer competition between hospitals and physician practices by promoting greater payment alignment, and it would improve the payment for office-based behavioral health services that are often the therapy and counseling services used to treat opioid addiction and other substance use disorders. In addition, the proposed rule makes additional proposals to implement the Center for Medicare and Medicaid Innovation’s Medicare Diabetes Prevention Program expanded model starting in 2018.

These updates would help reduce regulatory burdens and allow practitioners to improve outcomes based on the unique needs of their patients. In addition to the proposed rule, CMS is releasing a Request for Information to welcome continued feedback on the Medicare program. CMS is committed to maintaining flexibility and efficiency throughout Medicare. Through transparency, flexibility, program simplification, and innovation, CMS aims to transform the Medicare program and promote the availability of high-value and efficiently-provided care for its beneficiaries. This will inform the discussion on future regulatory action related to the Physician Fee Schedule.

Posted in: CMS

Just a Guy with a Ladder with Lee Irvin, M.D.

MOBILE – You probably don’t know Lee Irvin, M.D., of Mobile, and he’s fine with that. He’s the kind of gentleman you’d love to hang out with and have a drink or dinner with…swap stories with. But it’s easy to see that his medical mission over the last couple of years wears heavy on his heart.

Dr. Irvin is a pain physician. Yes, a pain physician. He said he has no problem with introducing himself that way, even though there is a bit of a stigma associated with the treatment of pain, especially in Mobile following the arrest and conviction in February 2017 of Mobile physicians Xiulu Ruan and John Patrick Couch. Couch and Ruan were convicted in federal court for operating their clinics as pill mills, raking in millions of dollars by overprescribing potent, and deadly, narcotic pain medications to patients.

“It was like driving down the road, seeing a house on fire, and you’re the guy with a ladder,” Dr. Irvin said. “I was the guy with the ladder. Of course, I was going to help those patients.”

Dr. Irvin was the first physician in Mobile to treat patients with pain pumps more than 30 years ago, so he was the first physician to step up and render aid to the patients Couch and Ruan left behind who were on pain pumps. Dr. Irvin said he had about 35 of his own patients on pain pumps at that time, but there was an influx of nearly 350 pain pump patients from the now-closed practice in need of immediate care, some exhibiting signs of withdrawal by the time he intervened.

“Unfortunately, there were another reported 7,000 to 8,000 medication-managed patients from that practice that needed assistance,” Dr. Irvin said. “There was no way I could take on all of them, but in that year and a half, I took on another several hundred more. We were on a clock. It took almost a year to get those patients weaned off that medication. So, when you ask whether I had to do this, yeah…I did.”

One huge problem Dr. Irvin noted was the lack of resources for patients who have addiction issues, resources on the local and state levels that have left patients in need of specialized care falling through the proverbial cracks.

“We are in dire need of addiction specialists, social workers, mental health professionals – resources these patients need to get better. How can there be this tremendous need, yet we still do not have these resources to help our patients?” Dr. Irvin questioned.

Dr. Irvin continues to work closely with investigators with the Alabama Board of Medical Examiners to ensure the safety and health of the patients. As he puts it, “Doctors are supposed to help,” but he said he feels the reputation of most pain physicians has been tarnished by those who have put money above the welfare of their patients.

“When someone asks me now what my specialty is, I have no trouble saying I’m in pain management. I started in anesthesiology, but for the last 10 years or so, pain physicians have had such a bad reputation because of those bad physicians mistreating this profession and endangering the lives of their patients. We don’t want to write a bunch of narcotics to cover up an underlying disease. I have an old-fashioned idea that as a physician you should sit down with your patient and talk, get a complete history…and listen. It’s amazing how much information you can get from your patients if you just listen. I haven’t done anything amazing. I just listen and take care of my patients,” Dr. Irvin explained.

It may be an old-fashioned idea, according to Dr. Irvin, but his decision to make pain management his life’s work is actually deeply rooted in the illness of a family friend.

“I had a personal reason for specializing in pain,” Dr. Irvin said. “There was a fellow I grew up next door to who was like my second father. He was my hunting and fishing buddy. There were some kids out shooting while he was quail hunting, and he caught a .22 round in the hip. His doctors kept telling him it would do more harm than good to take that round out, but it was really a red herring. There was something else going on causing his pain.”

It was about 18 months later when Dr. Irvin’s old friend was told he had prostate cancer with mets. His pain wasn’t being managed very well, and one of the last times he visited with him, he had been warned that he might not recognize him…but he did.

“I wasn’t expecting that. He was in a lot of pain, sitting on a sack of medicine, and basically not knowing where he was, but he still recognized me. I couldn’t help but think there has got to be a better way. That was my moment. That was my reason for choosing pain medicine,” Dr. Irvin said.

Posted in: Physicians Giving Back

Keep Calm & Carry On… Insight for Changes in Post-Election Uncertainty

The year 2017 is going to be a year of change like we have not seen for a very long time. For some, it’s a welcomed change. For others, it’s not. The uncertainty of the details/extent of the changes makes planning difficult, if not impossible. As a business owner, you want to be prepared. So how do you get ready when faced with so much uncertainty? We think the best way is to stay the course — Keep Calm & Carry On. In other words, make decisions based on what you know and keep moving forward until you have more certainty.

President Trump promised a lot, especially in his first 100 days in office. The timeline below can help you stay calm and focused when the media begins reporting on the new President’s 100 Day Plan in the coming months.

January 3
Congress returns to Washington

January 20
Inauguration of President-elect Trump

January 23
IRS accepts e-filing of returns. This is the official start of 2017 Tax Season.

January 31
Due date for W-2s and 1099s; new deadline for this year for Forms 1094 and 1095s to employees

February 28
Due date for paper-filed Forms 1094-C and 1095-C to IRS

March 15
Due date for corporate business returns and new this year, partnership/LLC returns

March 31
Due date for e-filed Forms 1094-C and 1095-C to IRS

April 18
Due date for individual tax returns and first quarter estimated tax payment. Due date extended by Federal law through the weekend because of Washington, D.C. holiday on Friday, April 15.

April 30
End of President Trump’s first 100 days

Tax season officially started January 23. The first date e-filed returns will be accepted by the IRS marks the opening of tax season. However, get your tax information ready early and send to your tax preparer. This is going to be a very busy tax season with several new early due dates. As news comes from Washington during the first 100 days, your tax preparer will be bombarded with questions about how the changes impact taxes. President Trump’s tax reform changes will require additional planning by you and your tax preparer. The sooner you get your information to your tax preparer, the better.

Extension for tax return. Additional time may be needed to make decisions for accounting methods that defer income or accelerate deductions. An extension gives certain individuals additional time to make retirement plan contributions or recharacterize contributions to a Roth IRA.

New tax due dates for partnerships and LLCs. Historically, Partnerships and LLCs had a due date of April 15. Starting in 2017, this due date will be March 15. This shortened filing period means a compression of time for filing these returns on the same date as corporation returns. Schedule K-1s are required to be provided to the entity’s partners. LLPs and general partnerships must file their tax returns by March 15 or file extensions.

Affordable Care Act Repeal. As of the writing of this article, the Senate has voted to move ahead with the fiscal 2017 budget resolution that would include reconciliation instructions repealing Obamacare. Both the Senate and House hope to see the budget resolution adopted by January 20. Repeal could come quickly but changes, including ACA’s tax provisions, may not be in place until 2018 or later. Predictions from various members of Congress indicate no changes in 2017.

Mandated penalties. In 2016, ACA penalties increase to $695 per adult or 2.5 percent of income, with a family maximum of $2,085 per person. This is a significant increase from the 2015 penalty of $285 per adult or 2 percent of income above the filing limit. Even with repeal of Obamacare contemplated, this penalty will apply for 2016 tax returns.

Form 1094 and 1095 Reporting. These forms are prepared by employers to report the health insurance coverage offered by employers and accepted by employees. The sole purpose of the form is to assess penalties under the individual mandate penalty and the applicable large employer penalty. Until the law is repealed, employers should continue to follow the law regarding offering of qualified health insurance and file the returns required. Starting with the 2016 reporting year, employers with 50 or more full-time employees must file these forms. The due date of these forms changed in 2017, and the forms are required to be furnished to employees by January 31. An automatic extension was provided by the IRS pushing this date to March 2, 2017. No other extension will be approved for furnishing these forms to employees. However, it’s important to remember the forms are required to be filed with the IRS by February 28 if filing on paper or March 31 if filing electronically. An extension of time can be obtained for filing with the IRS.

MACRA and MIPS. There is no indication that these requirements will be repealed along with the repeal of Obamacare. Opinion from leading experts is that these payment programs will stay in place. What you do in 2017 will determine your MIPS payment adjustment in 2019. It is very important that you not wait but get on board. Penalties start at 4 percent in 2019, 5 percent in 2020, 7 percent in 2021 and 9 percent in 2022 and forward. In the MACRA final rule, CMS added several ways for doctors to participate. They call the various options Pick Your Pace. With Pick Your Pace, hardly anyone will be penalized – but you must choose how much you will participate in MIPS in 2017 to benefit from the new options.

Delayed Refunds. The IRS expects to issue most refunds in less than 21 days. However, the PATH act of 2015 mandates the IRS hold refunds on tax returns claiming the Earned Income Tax Credit (EITC) or the Additional Child Tax Credit (ACTC) until February 15.

Article contributed by Patti G. Perdue, CPA.CITP, Jackson Thornton CPAs and Consultants. Jackson Thornton is a Bronze Partner with the Medical Association. The information in this article is not intended as tax or legal advice. Please consult your tax advisor for specific information regarding your individual situation.

Posted in: Management

Managing Your Practice: Is Your Practice Cyber Secure?

With the increased use of technology in health care comes the increased risk of cyber attacks and cyber liability, as well as regulatory investigations, fines and penalties. Anything created, stored or transmitted electronically is at risk of being compromised by an innocent mistake or – worse yet – maliciously stolen by a criminal.

According to a compilation of data breach statistics, there were 1,673 reported data security breach incidents worldwide in 2015, and 1,222 of those occurred in the United States. Of that total, 374 – approximately 22 percent – were breaches of medical or health care information. This equated to more than 134 million individual health care data records being accessed or stolen by cyberattacks in calendar year 2015 alone. [1]

Many people don’t believe — or understand why — medical information is valuable or at risk.

Medical records are targeted because they contain a wide variety of a patient’s personal information: social security number, financial, health, demographic and family information. This gives criminals many potential uses for the stolen information, including identity theft and applying for credit cards, store accounts, or other lines of credit. But they also use the information to purchase medical equipment and pharmaceuticals that can be resold, or to fraudulently bill health insurers or the government for fictitious medical care by masquerading as health care providers. One cybersecurity expert estimates that a medical record can fetch up to $50 on the black market, while a credit card number may go for as little as $5. [2]

Big or small, all health care organizations are at risk.

Large health care systems, hospitals, group practices and individual health care providers have all been attacked, but the size of the entity is no clear indication of the size of the breach. One need only reference the HIPAA data breach “wall of shame” to bear out the truth of this assertion. Data breach incidents at very large organizations have exposed anywhere from several hundred to several million patient records. Likewise, cyber attacks on small solo practices — though frequently in the range of several hundred to several thousand — have exposed tens of thousands of patient records with a single breach.

Transition to EHRs, dated systems, and weak security measures pave the way for cyberattacks.

The transition to electronic health records has given criminal hackers more opportunities to steal medical records. The chief information officer for a hospital system in Utah estimates his hospital’s EHR system fends off thousands of attempts to penetrate its network each week. [3]

Another reason is ease of access. Many hospitals and physician practices are using EHR systems that have not been updated in more than 10 years. While hospitals and physician practices grappled with more urgent matters like ICD-10 implementation and Meaningful Use, robust cybersecurity measures fell down the priority list. Once a hacker penetrates whatever security the system does have, the exposed information is there for the taking. [4]

Cyberattacks on EHR systems take many forms.

In addition to outright theft of medical information, emerging cyber threats also include various forms of cyber terrorism and cyber extortion. Recent reports of ransomware attacks are particularly troublesome. Sophisticated hackers launch malicious code (typically via entry through email) that crawls through a target’s computer system, encrypting and locking up data files, and then demand payment (ransom) in exchange for providing the decryption key. Cybersecurity experts believe health care providers make good targets for ransomware attacks because they do not typically have the advanced backup systems and other resilience measures in place that are typical of other types of organizations. [5]

What can you do to safeguard EHRs and protect patient information?

Patient trust in your practice’s ability to protect medical information is critical. To maintain that trust, it is important to have safeguards in place that help prevent data breaches. When implementing or updating an EHR system for your practice, talk to your vendor about cybersecurity. Ask whether the stored information is encrypted. It is also a good idea to determine if or when the vendor will provide security updates for your EHR software.

You may need to invest more resources in shoring up the walls around your electronically stored and transmitted data. Cybersecurity is a highly specialized area that requires a certain degree of expertise and experience. Your EHR vendor may be able to provide some assistance in this area, but remember their expertise is more about creation and functionality and less about security. Hiring an in-house cybersecurity expert or contracting with a cybersecurity firm specializing in this area may be the best option to protect your practice and your patients.

ProAssurance also helps protect you against cyber liability threats.

ProAssurance is also committed to helping you reduce uncertainty and increase the control you have over cybersecurity — it’s only fair. That’s why we partnered with NAS Insurance Services to provide coverage for certain types of cyber liability risk exposures. This coverage, called CyberAssurance Plus®, is now embedded in your existing ProAssurance professional liability insurance policy and is provided at no cost to you. Through CyberAssurance Plus® you have coverage for Network Asset Protection, Privacy Breach Response Costs and Patient Notification Expenses, Patient Support and Credit Monitoring Expenses, Privacy and Security Liability, as well as coverage for Regulatory Defense Costs and certain Fines and Penalties. This embedded coverage was recently enhanced to also include coverage for Multimedia Liability, Cyber Extortion and Cyber Terrorism, PCI DSS Assessments, and a unique coverage feature called BrandGuard® for lost revenue as a result of an adverse media report or customer notification of a security or privacy breach. Your CyberAssurance Plus® coverage is limited to $50,000 per claim and subject to an annual aggregate limit (determined by group size) for all claims in a single policy year. You may, however, purchase higher coverage limits for cyber liability threats through ProSecure®, which is a co-branded insurance program with NAS Insurance Services that is exclusive to ProAssurance insureds. Through ProSecure® you can purchase an additional $1 million in cyber liability coverage that is designed to work seamlessly with CyberAssurance Plus® coverage already embedded in your ProAssurance policy.

As a ProAssurance insured, you and your staff also have access to webinars, toolkits, bulletins, posters, FAQs, and online training programs to help you address cyber liability risks. For example, you can access:

  • Summaries of major changes to the HIPAA/HITECH Rules (effective September 2013), including required changes to your Notice of Privacy Practices; the expanded definition of Business Associates (with updated sample Business Associate and Vendor Agreements); and patients’ ability to request medical records in electronic form
  • Webinars, tool kits, and sample documents, including basic data privacy/security, encryption, and destruction practices; sample HIPAA Privacy/Security Rule policies and procedures; social media training tools; sample mobile and personal device user policies, procedures, and agreements; and how to implement a data security plan
  • Breach notification requirements under federal and state laws (where applicable); sample HIPAA Breach/Risk Assessment Worksheets; examples of incidents to report, how to report data security incidents, and more

You can access these resources from NAS Insurance Services’ Data Security Risk Resource Website through your proassurance.com account. Please Note: Content on the NAS Insurance Services’ Data Security Risk Resource Website is provided by third party sources. ProAssurance is not responsible for the content and does not consider it to be legal advice.

For more information about cyber liability, cybersecurity, risk management, CyberAssurance Plus® and ProSecure®, contact your ProAssurance representative. Article by ProAssurance, a Platinum Partner with the Association. ProAssurance insured physicians and their practice managers may contact Risk Resource for prompt answers to liability questions by calling (844) 223-9648 or email riskadvisor@proassurance.com.

SOURCES

1. 2015 The Year Data Breaches Got Personal: Findings from the 2015 Breach Level Index. Gemalto website. http://www.gemalto.com/press/Pages/Gemalto-releases-findings-of-2015-Breach-Level-Index.aspx. February 23, 2016. Accessed September 8, 2016.

2. Murphy T., Bailey B. Hackers mine for gold in medical records. The Boston Globe website. https://www.bostonglobe.com/business/2015/02/06/why-hackers-are-targeting-medical-sector/xxjFN6G3cFJZ8Fh3mF3XhN/story.html. February 6, 2015. Accessed September 1, 2016.

3. Humer C., Finkle J. Your medical record is worth more to hackers than your credit card. Reuters website. http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924. September 24, 2014. Accessed September 1, 2016.

4. Radcliffe S. Patients beware: hackers are targeting your medical information. Healthline News website. http://www.healthline.com/health-news/hackers-are-targeting-your-medical-information-010715#1. January 7, 2015. Accessed September 1, 2016.

5. Conn J. Hospital pays hackers $17,000 to unlock EHRs frozen in ‘ransomware’ attack. Modern Healthcare website. http://www.modernhealthcare.com/article/20160217/NEWS/160219920. February 18, 2016. Accessed September 1, 2016.

Posted in: Management


RCO Implementation Changes and Service Delivery Network Timelines


The Alabama Medicaid Agency is working with Centers for Medicare and Medicaid Services to amend the approved 1115 waiver to allow for an Oct. 1, 2017, start date for the Regional Care Organization program.

The deadline for probationary RCOs to demonstrate the existence of an adequate service delivery network by submitting to Medicaid signed contracts from their network providers is Jan. 10, 2017. As probationary RCOs work to meet this service delivery network adequacy deadline, providers may be contacted by probationary RCOs with whom they are not currently contracted.

Information about RCOs, implementation or other aspects of this managed care program may be found on the Agency’s RCO webpage.

Posted in: Medicaid
