HCCA June Recap
The Health Care Compliance Association (HCCA) hosts regional conferences across the United States each month. They aim to educate and update members on the latest in health care news and resources. If you did not attend any of the HCCA Regional Conferences in June, here is an overview of the three hot topics.
Why Prepare For ICD-10?
In Philadelphia, Betty Bibbins, Founder and CEO of DocuComp LLC, gave a presentation on what compliance officers should do to prepare for the implementation of ICD-10 and why it matters. Although there will be no change in the practice of medicine, Bibbins assured attendees that the improvements lie in the reporting of the practice of medicine.
Many organizations have yet to begin taking steps toward the implementation of ICD-10, but Bibbins reminded conference goers why ICD-10 “really is a big deal.” Here are just a few of the benefits organizations will see once they begin their implementation:
- ICD-10 gives more detailed information than ICD-9.
- More accurate and complete reporting will improve patient care.
- ICD-10 allows providers to get a clearer picture of a physician’s clinical judgement.
- Recording more detailed information will shift the focus to better communication of patient care.
- More specific clinical assessments will help support the intensity of the patient evaluation, or treatment, and improve medical decision making.
- Identifying fraud, abuse, and any inappropriate payments will be made simpler with better documentation.
Even though the “real” timeline may have passed, Bibbins encourages organizations to begin planning their ICD-10 implementation approach by moving ahead in confidence.
Incident Response Plan
In Seattle, Chris Apgar of Apgar & Associates discussed the differences between an actual breach and a security incident as well as the importance of having an incident response plan.
According to Apgar, most security incidents are not breaches. Incidents may include attempts to hack a firewall, a lost encrypted laptop, or the theft of prescription medications from a locked medicine cabinet. For an incident to be considered a breach, Protected Health Information (PHI) would have to be compromised. The National Institute of Standards and Technology (NIST) defines “compromised” as a “disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.”
Having an incident response plan is not only encouraged but is a part of the HIPAA Security Rule requirements and has been since 2005. An incident response plan is the best way to manage risks, address vulnerabilities when they first arise, and prevent breaches before they happen. The use of a governance, risk and compliance (GRC) tool can help simplify this process and also act as a central repository for all your audit efforts.
Three Components of a Risk Assessment
In Santa Ana, California, Dwight Claustre of Aegis Compliance & Ethics Center, and Shirley Komoto of Moss Adams, defined risk and explained the three main components of a risk assessment process.
According to Claustre and Komoto, a risk is defined as a factor or thing involving uncertain dangers, while a risk assessment is the identification, measurement and prioritization of risks. The management of your organization’s risks is a continuous process and is recommended by the Office of Inspector General, the American Health Lawyers Association, and the Centers for Medicare & Medicaid Services, just to name a few.
Here is a breakdown of the three key components:
- Identify risks based on experiences, regulations, current trends, the OIG work plan, and past audits. Involve all stakeholders including but not limited to: Compliance, Board of Representatives, C-suite, Human Resources and Legal.
- Assess and prioritize risks based on the probability an adverse event will occur and the impact it would have. Developing a ranking system that allows you to plot your risks on a heat map is a great way to visualize all your organizational risks so you can begin remediation.
- Respond to each risk by either accepting, avoiding, or mitigating based on management’s discretion. This is where your mitigation and remediation plans will be put in place, depending on the individual risk.
Risk assessments can be a daunting task if your organization is still utilizing manual processes or outdated tools. A GRC tool can help by sending out bulk assessments to your entire enterprise so you can get a full picture of what is keeping each department up at night. With a tool such as Keylight, you will also be able to link data to each individual risk, giving you the contextual information you need to begin remediating risks.
For more information on future HCCA conferences, please visit: HCCA Events