Free Webinar: Grow Your Medical Billing Service

Lea Chatham July 3rd, 2014


3 Ways to Grow Your Medical Billing Service
Thursday, July 10, 2014
10:00 AM PT, 1:00 PM ET

There has never been a better time to grow your billing service. According to the 2014 Black Book Survey, many practices see outsourcing their revenue cycle management as one of the keys that can help them stay independent. In fact, 42% of small physician practices with employed billing staff hope to move billing out-of-house to an outsourcer in the next twelve months.

In this webinar, billing service and marketing experts will help you understand what you need to do to take advantage of this growth in outsourcing. You’ll learn how to:

  • Improve your marketing and online reputation
  • Close more deals
  • Use resources from Kareo to strengthen your business offerings

There are many tools that you can add to your arsenal to grow your business and revenue. Kareo can help.

Who should attend?
Billing service managers and staff who are interested in finding ways to grow the business and meet the increasing demand from physician practices.

Register now to learn how to grow your medical billing service


4 Steps to Assess a Possible HIPAA Data Breach

Lea Chatham July 1st, 2014


By Ron Sterling

The HIPAA Omnibus Rules dramatically elevated your risk of data breaches. From lowering the breach standard to requiring documentation on why you think that you didn’t commit a breach, your practice needs to diligently work to avoid problems and properly handle a breach.

An event that compromises the security or privacy of Protected Health Information (PHI) is considered an impermissible use or disclosure of PHI. Impermissible use or disclosure is a breach unless you can show that there was a low probability that the PHI was compromised. This is not an academic discussion since you are required to properly notify patients and the Department of Health and Human Services (HHS) about breaches, and you are subject to fines for breaches. For example, mailing patient information to the wrong party and unauthorized access to your electronically stored patient records are breaches unless you can show that there is a low probability that PHI was compromised.

There are three exceptions to the breach trigger: unintentional acquisition, access, or use of PHI while employees are performing their jobs; inadvertent disclosure to someone authorized to access PHI; and situations where you have a good faith belief that the recipient will not be able to retain the information. For example, a fleeting view of some PHI on a computer screen may not be considered a relevant incident.

Using a “good faith evaluation” and “reasonable conclusion”, you evaluate the incident based on four factors:

  1. PHI Nature and Extent: The sensitivity of the information and ability to identify the patient as well as presentation options are factors in determining the probability. Deidentifying PHI is not easy or straightforward. In addition to name and phone numbers, a picture of a face or a free form text note about the patient could easily lead to identifying the patient. For example, a list of dated deidentified lab results with a separate list of patient appointments for the day of the lab would not present a low probability of compromise. On the other hand, loss of electronically stored diagnostic data that requires special software from the device manufacturer may present a low probability of compromise. This answer would be different if the lost information was PHI contained in an unsecured PDF file.
  2. Unauthorized Person Received or Used PHI: The status of the recipient of the PHI may offer a reasonable way to avoid a breach. For example, sending the patient report to the wrong doctor may lead to a low probability of compromise since the receiving doctor has been properly trained in HIPAA Privacy and Security.
  3. Actual Acquisition or Viewing of PHI: If your organization quickly uncovered the incident, you may be able to prevent the viewing or even possession of the PHI. For example, contacting the receiving party and recovering the information before anyone there opens it may present a low probability of compromise. Similarly, if an envelope with PHI was lost, but upon recovery, you determine that the envelope was never opened, you may have a low probability of disclosure or use.
  4. Mitigation Factors: In the final step of your evaluation, you can determine if there were mitigating issues that lead you to a good faith and reasonable conclusion that the information was not disclosed. For example, a thumb drive containing PHI on a patient lost in a healthcare facility but recovered in a nonpublic area may present a mitigating factor.

If you determine that the probability of compromised PHI is low, you do not have a problem. Otherwise, you have a breach and have to respond according to the breach notification requirements.

If you have encountered a breach, within 60 days of discovery of the breach, you have to:

  • Contact the Patients: You have to mail a letter to the last known address of the affected patients. If you cannot contact more than 10 patients, a notice with an 800 number should be publicly presented on your website or in public media for 90 days.
  • Inform HHS: You have to maintain a log of breaches to send to HHS annually. If a breach involves over 500 patients, you have to directly contact the Office of Civil Rights.

With the lower “bar” for a breach and the documentation standards, your practice needs to maintain appropriate procedures, train employees, and enforce your policies to minimize the risk of impermissible uses and disclosures. In order to monitor evolving issues and avoid future problems:

  • Review each data breach to determine if changes to policies and procedures need to be made as well as remedial training to avoid future breaches.
  • On a periodic basis, review the impermissible uses and disclosures for trends and issues that may require adjustments to your HIPAA compliance strategy. Indeed, continuing incidents that are not breaches could indicate a serious weakness that could lead to a breach. For example, continuing loss and recovery of EHR backups could indicate the need to change the backup procedures or strategy.

Breaches can cost you money and undermine the confidence of your patients in the confidentiality of their PHI. With the lower breach trigger and the documentation requirement for your analysis to determine if a breach has occurred, you need to work to avoid breaches as well as impermissible uses and disclosures.

About Ron Sterling

Ron Sterling is a nationally recognized thought leader on the implementation and use of electronic health records (EHR). He authored the HIMSS Book of the Year, Keys to EMR/EHR Success: Selecting and Implementing an Electronic Medical Record. Ron has worked with a wide array of practices on EHR decisions and issues, and has reviewed products from over 150 vendors.





Welcome to Getting Paid, a weblog by Kareo offering ideas, news and opinions about medical billing and practice management with the goal of making medical billing easier and yes, getting you paid. Visit the Product Blog for more information on our products.
