Nine Risk Management Tips for Medical Practices

October 3, 2013

Here are tips for managing three medical practice risk areas: HIPAA breaches, Medicare audits, and EHR liability issues.

The fear of a HIPAA breach, the possibility of a Medicare audit, and the threat of a malpractice lawsuit are three of the biggest stressors physicians face.

Each could place your reputation, your career, your finances, and your patients' physical and emotional well-being in jeopardy.

While there's no way to completely eliminate the stress associated with each of these risks, ensuring your practice is doing all it can to mitigate them can help set your mind at ease.

To help, Physicians Practice asked three experts to share their tips. Each will be presenting at this year's Medical Group Management Association (MGMA) 2013 Annual Conference in San Diego.

Risk Area #1: A HIPAA Breach
Risk Area #2: A Medicare Audit
Risk Area #3: A Liability Issue Due to Poor EHR Use

Risk Area #1: A HIPAA Breach.  Practices are potentially facing greater consequences due to HIPAA breaches. The Health Information Technology for Economic and Clinical Health Act, which was signed into law in 2009 and established the EHR incentive program, enhanced HIPAA privacy and security enforcement provisions and increased penalties associated with a breach.

"The government agency that oversees this, The Office for Civil Rights,
has a lot of additional leeway in terms of the actions they can take against a
practice if there is a problem," Robert Tennant, a senior policy adviser for MGMA government affairs, told Physicians Practice. "The fines are much higher. Willful neglect is not an excuse. You can't say, 'Oh I didn't know I had to do that.'"

Tennant is scheduled to co-present a session entitled "Get Ready for the New HIPAA Privacy and Security Changes: An Action Plan for Medical Groups" at MGMA13.

A breach also takes a heavy toll on a practice's patients, and on a practice's reputation. If a breach compromises the protected health information of more than 500 patients, for instance, practices will need to report it to the local media. "If you're in a small town that might be the lead headline," said Tennant. "That could impact the patients wanting to come to your practice; it could impact your referrals; so the business impact of loss of data is very, very important."

To ensure your practice is doing all it can to prevent a breach or HIPAA violation, Tennant shared three of his biggest tips:

1. Encrypt your data. "One of the things that the breach rule is very clear about, is that if the data is encrypted and it is stolen or lost, it is not considered a breach," said Tennant. "It's essentially your 'get out of jail free card.'"

2. Rethink policies and procedures. Many practices developed privacy policies when the original HIPAA Privacy Rule went into effect, but have not updated them since. "That's 10 years ago, and I think many practices have moved to a very different level of technology," said Tennant. " ... If you've moved to an EHR, if you have remote access by your clinicians, you need to be thinking about how to modify not only your policies and procedures, but your staff training as well."

3. Get acquainted with changes. The HIPAA Omnibus Final Rule, which went into effect September 23, includes tougher privacy and security provisions. Make sure you are aware of them and are in compliance.

Risk Area #2: A Medicare Audit. As CMS steps up its efforts to ensure practices are submitting proper claims, it is asking Recovery Audit Contractors (RACs) to audit Medicare claims and determine i

f there is an opportunity to recover incorrect payments.

These auditors "have been very assertive in recent years in finding technical violations and disallowing of payment after the fact," Andrew Wachler, an attorney, owner,and principal at Wachler & Associates PC, scheduled to present a session
entitled "Medicare Audits: AuditRisk Areas, Successful Appeal Strategies, and Compliance," told Physicians Practice. "The authority of the contractors varies
but it includes withholding moneys for claims thatthey feel were paid
incorrectly, and in the projected amounts this can be multiple six figure dollars."

But monetary losses are not the only problems practices could face. Medicare's Zone Program Integrity Contractors (ZPICs) are charged with identifying fraud and abuse. "If you have a pattern of services where you knew or should have known that they would not be appropriate, that can be civil fraud," said Wachler. "If you miss a publication that directs you under what circumstances you can bill for a service, then the ZPICs can come in, and they could place you on a prepayment review, they could refer you for an investigation, they can withhold your money, and they can even ask CMS to suspend your Medicare payments."

To reduce the likelihood your practice will experience an audit, here are three of Wachler's biggest tips:

1. Know where you stand. To identify practices that should be audited, RACs may look for statistical variations or aberrations in billing and coding between practices. If you exceed the "general parameters" you could be audited, said Wachler. Comparative Billing Reports released by CMS can help you determine if you exceed your peers in certain areas. "It puts you on notice that they’re looking at those areas and you should be making sure that your utilization is appropriate and that your documentation complies with the documentation guidelines," he said.

2. Know the requirements. Consider your most highly utilized CPT codes and ensure you understand the requirements to get paid for these services and the limitations associated with them, such as local coverage decisions, said Wachler, adding that practices should pay close attention to reports released by payers regarding coding requirements. "There may be a publication CMS may put out that says, 'We only pay a particular code under certain circumstances.'"

3. Conduct periodic evaluations. At least annually, conduct an internal audit to evaluate whether you are complying with all the billing and coding requirements, said Wachler.

Risk Area #3: A Liability Issue Due to Poor EHR Use. As more practices implement EHRs, they take on risks that are unique to the new technology. If you fail to use the EHR appropriately, you could set yourself up for a successful malpractice lawsuit against your practice.

One of the key risks occurs when practices fail to adjust work flows to accommodate

the new technology, Nancy Babbitt, a consultant with Babbitt & Associates, told Physicians Practice.

Babbitt is scheduled to present "Best Practice EHR Risk Management and Customer
Service: A Winning Proposition" at MGMA13.

"Any time you're doing hand offs, whether it's lab results or transferring care from one clinician [to another] within the practice or outside of the practice, it's really important in those transition areas to look at your work flow design," she said, adding that work flow problems could lead to missed lab or test results and other issues.

Another key risk area practices should look out for: Poor use of templates, said Babbitt. For instance, if a physician fails to use a template appropriately, the text may be unsearchable. "It won't help you when you have clinical decision support tools set up within your EHR," she said.

Here are three ways Babbitt said practices can mitigate some of the risks associated with EHR use:

1. Redesign templates appropriately. "I go into a lot of practices where they just kind of slap together templates, or they'll be using form templates," said Babbitt. Instead, practices should ensure that templates are appropriate for their specialty, that they are easy for physicians to use, and that they make it easy to view significant findings.

2. Cut down on the number of templates. Often practices use too many templates, said Babbitt. "I see more and more errors when they use hundreds of templates and don't control that."

3. Encourage input. Staff often identifies problems with EHR use. Make sure they are comfortable voicing their concerns so that you can correct issues as soon as they are identified, said Babbitt. "Create a culture to make your staff feel empowered to speak up."