Category: Compliance, Privacy & Security

This category explores the intersection of legal and technical considerations surrounding data protection and cybersecurity. The topics aim to provide valuable insights for businesses, IT professionals, and individuals on navigating the evolving landscape of compliance, privacy, and security.

Are You Ready for the new Medicare Beneficiary Identifier?

Posted on

Latest Update 12/19/19:  Commencing January 1, 2020, Providers must submit claims to Medicare with the Medicare Beneficiary Identifier (MBI) regardless of the date of service.

Beginning January 1, 2020:

  • Medicare will reject claims submitted with the old Health Insurance Claim Numbers (HICNs) with several exceptions.*
  • Medicare will reject all eligibility transactions submitted with HICNs.
  • Customer service representatives on the phone will not be able to identify patients using the HICN.
  • Since the MBI has more alpha characters than the HICN, CGS suggests using their tool to convert the MBI into characters to use on the telephone number pad for IVR inquiries before calling.  The tool can be located here.
    • Other MACS have a conversion tool, too.
  • The MBI will not be on the Medicare Summary Advice or 835 if the HICN was submitted on the claim and the claim denies for submitting the claim with the HICN.

If you do not use MBIs on claims on and after January 1, 2020 you will receive:

  • Electronic claims reject codes: Claims Status Category Code of A7 (acknowledgment rejected for invalid information), a Claims Status Code of 164 (entity’s contract/member number), and an Entity Code of IL (subscriber)
  • Paper claim denial codes: Claim Adjustment Reason Code (CARC) 16 “Claim/service lacks information or has submission/billing error(s)” and Remittance Advice Remark Code (RARC) N382 “Missing/incomplete/invalid patient identifier”

Railroad Medicare beneficiaries will have the same format of numbers and will not be identifiable by their MBI.  The patient cards will have a Railroad Retirement Board logo on them.

Medicare Advantage plans have their own subscriber identification numbers which are not MBIs.

Quadax EDI has updated several existing edits to accommodate the MBI and edit the HICN for the submission date of January 1, 2020 and after.

*For more information, see the MLN Matters Article.

Updated 6/8/2018

The Medicare Access and CHIP Reauthorization Act (MACRA) of 2015 mandates that the Centers for Medicare & Medicaid Services (CMS) remove Social Security Numbers (SSNs) from all Medicare cards by April 2019. All Medicare accounts will be updated with a new Medicare Beneficiary Identifier (MBI) beginning in April 2018, which will replace the SSN-based Health Insurance Claim Identifier (HICN). From April 1, 2018, through December 31, 2019, a transition period will be in place, during which both the MBI and HICN are accepted for Medicare transactions.

Quadax Medicare Beneficiary Identifier Timeline

To prepare for this change, Quadax will be updating several elements of our software by April 1, 2018. These updates will ensure that Quadax’s suite of Revenue Cycle Management products can seamlessly make the switch to the new MBI.

This page will be a resource for information on Quadax’s efforts to help our clients with the shift to MBIs.

UPDATES:

  • The MLN Fact Sheet, “Transition to New Medicare Numbers and Cards” published by CMS October 2017 answers a number of questions about using the new identifier, and gives information about the format for the MBI, which will be 11 alpha-numeric characters.
  • To assist in communicating the change to patients, CMS created a one minute video to explain when and how patients will receive their new card. Consider playing the New Medicare Cards Are Coming video in your waiting room.
  • 6/18/2018: MBI Lookup Tool Now Available through Your MAC All Medicare Beneficiary Identifier (MBI) lookup tools are ready for use on Medicare Administrative Contractor (MAC) secure portals. If you don’t already have access, sign up for your MAC’s portal to use the tool. Submit four data elements about your patient through the tool, and it will return the MBI if the new Medicare card has already been mailed.
  • Medicare is mailing new cards in phases by geographic location. For more information about the MBI, read the MLN Matters® Special Edition Article. Medicare is currently mailing new cards to people who:
    • Live in Alaska, American Samoa, California, Delaware, District of Columbia, Guam, Hawaii, Maryland, Northern Mariana Islands, Oregon, Pennsylvania, Virginia, and West Virginia
    • Get Railroad Retirement Board benefits
    • Are newly entitled to Medicare

Don’t Have a Meltdown! Practice Cyber Hygiene to Mitigate Risk

Posted on

In the pursuit of speed, processors have been built to feature speculative execution, which has now been found to introduce vulnerabilities by allowing unauthorized viewing of cached content potentially containing passwords, encryption keys, and other sensitive data. Detected by independent researchers, the chip vulnerabilities have been dubbed Meltdown and Spectre. These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.

Advisory and Mitigation Information

The Meltdown and Spectre Side-Channel Vulnerability Guidance issued by the United States Computer Emergency Readiness Team (US-CERT) encourages users and administrators to refer to their hardware and software vendors for the most recent information and is maintaining a table that contains links to vendor advisories and software patches. A current concern with the available operating system patches is that they may slow computer performance; impact on performance may vary based on workload volume and type of processing.

Healthcare industry resources advise healthcare organizations to exercise appropriate caution and test operating software patches carefully before implementing on high-value assets including systems which handle PHI and PII. Please refer to the following:

New vulnerabilities like these continue to be revealed on a regular basis and as a normal course of business, Quadax regularly patches systems to proactively eliminate known vulnerabilities. Because of the widespread nature of these specific vulnerabilities and the potential performance impact with the patches, Quadax has organized a committee of experts to focus on Meltdown and Spectre developments and remediation. This committee is monitoring patches, testing patches prior to release, analyzing the potential performance impact, interfacing with third-parties and working together to provide a smooth path to remediation.

Cyber Hygiene – A good defense remains the best protection

Practicing preemptive cybersecurity hygiene can help prevent adversaries from accessing your systems and is an important first line of defense. An enterprise-wide cybersecurity awarenessprogram can strengthen your organization’s security strategy by alerting employees of current security threats and providing them a set of best practices. Using employee security awareness in combination with installing the recommended operating software patches can help to mitigate risk during this time of widespread processor vulnerability.

Reach out to vendors as well. Learn what they are doing to mitigate processor vulnerabilities. The Quadax security team continues to monitor the situation and guard against cyber threats. We also engaged our first line of defense, reminding all employees to exercise cyber hygiene.

Achieving 100% participation in our 2017 enterprise-wide employee security awareness program, Quadax remains fully compliant with security awareness training requirements.  Recognizing that employee security awareness is a continuous process and an integral part of our on-going security strategy, Quadax is proud to be a 2018 Data Privacy Day Champion Data Privacy Day, celebrated January 28th, is an international effort to empower individuals and encourage businesses to respect privacy, safeguard data and enable trust.

Thwart Cyber Threats – Employee Security Awareness & Training

Posted on

Healthcare is under cyber attack. As one of the top five most targeted industry sectors, healthcare organizations are finding that it is often an organization’s own employees who open the door to theft, malware, ransomware, and a host of other security issues. Enterprise-wide cybersecurity awareness training can strengthen your frontline defense.

The best defense is a good offense.

Employee security awareness has been cited as the source of greatest concern regarding threat exposure. The 2017 HIMSS Cybersecurity Survey found that 87% of respondents conduct security awareness training classes for their staff at least once a year. What is your organization’s security strategy and does it include employee security awareness and training?

Risk prevention starts with an informed workforce.

HIPAA’s Security Rule requires covered entities and business associates to “implement a security awareness and training program for all members of its workforce (including management)”. In the OCR July 2017 Cyber Awareness Newsletter, the U.S. Department of Health and Human Services (HHS) provides further guidance and interpretation on this topic. When structuring your employee security awareness strategy, consider a multi-communication approach—training, updates, and alerts.

  • Regularly scheduled training
    Educate workforce members on your security policies, practices, and protocols. As new cyber threats are identified, be sure your educational strategy is flexible enough to keep materials current and up-to-date. Select an annual, semi-annual, or quarterly training program based on the security needs of your organization as determined by your risks analyses. Given the size of your organization, computer-based training may provide the most flexible format and allow for online scoring techniques that can document ongoing enterprise-wide participation and level of engagement. Make sure all new hires receive security training as part of their initial onboarding.

 

  • Periodic security news updates
    Issue periodic security updates and reminders. For many companies, a monthly newsletter is emailed to all employees providing timely, relevant content about new, emerging threats and how employees should respond to them. Frequency and content is based on the security needs of your organization as determined by your risks analyses.

 

  • Immediate security alerts
    Quickly communicate immediate security threats to employees. Predetermine the alert messaging format and channel of distribution. Consider the security needs of your organization as determined by your risks analyses.

 

Your organization is as secure as your employees (and vendors) are aware. That is why at Quadax we engage in on-going, enterprise-wide security awareness training for all-employees, coupled with monthly security news updates and timely alerts. We make employee awareness and training an integral part of our security strategy.

For more information on cybersecurity, check out the 15th Annual Information Security Summit located in Cleveland, OH at the Cleveland I-X Center. Quadax Senior Manager, Information Security, Patrick Duffy, will be presenting Security Awareness Training for the Reluctant Many on Friday, November 3, 2017. If attending the Summit, add Patrick’s session to your agenda to learn more about security awareness training for your employees.

Business Continuity for Your Revenue Cycle – Are You Prepared?

Posted on

Witnessing the aftermath of Hurricane Harvey, businesses are reminded that disaster can strike at any time. Being prepared is critical. For healthcare organizations, the rigors of contingency planning are on-going. Whether a catastrophic event or a localized outage, an interruption in your organization’s operations can be costly, compromising performance, productivity, and cash flow.

Achieving a state of preparedness, business continuity planning considers contingencies to create the options and ensure their reliable availability during and after an event. Effective healthcare IT business continuity planning protects against the inability to access critical data, an interruption in communications, or technology downtime due to an infrastructure failure. Consider all possible risks—natural disaster, power outage, hardware or network failure—analyzing the likelihood of occurrence and its impact on your operations. Determine, document, and regularly test your mitigation strategy and recovery procedures.

To help you get started, The Office of the National Coordinator for Health Information Technology has published the Safety Assurance Factors for EHR Resilience (SAFER) guide complete with self-assessment contingency planning checklists, recommended practice worksheets, and additional resources and references.

Business continuity planning in healthcare is more than just good business, it’s the law. Mandatory under the Health Insurance Portability and Accountability Act (HIPAA), The Department of Health and Human Services (HHS) requires that organizations have a “comprehensive testing and monitoring strategy in place to prevent and manage downtime events.” This mandate, as part of HIPAA’s Security Rule, requires technology and protocols to back up data, be able to rapidly restore data and continue operating in “emergency mode” after an event. For more information, visit Summary of the HIPAA Security Rule and Guidance on Risk Analysis on the HHS website.

When developing and testing your business continuity plan, be sure to assess the preparedness of your service and software vendors, including RCM systems and support in your assessment. Your cash flow is critical to your organization and should not be overlooked.

At Quadax, we are committed to security, privacy and compliance; investing heavily to protect our clients’ data as well as our own, with infrastructure designed for optimal business continuity, risk mitigation, disaster recovery, and HIPAA and HITECH compliance. With robust data centers, we have the redundancy to supply our clients a high level of uptime. To further enhance our effectiveness, Quadax recently installed a 500-kilowatt, 850-gallon diesel-powered generator at our main office. The generator, capable of supplying full power to maintain 100% of our operations at Quadax’s main office, provides our staff with reliable uptime so they can deliver dependable service and support to our clients. Learn more about RCM solutions powered by Quadax.

RAC Audits and What They Mean for Healthcare Providers

Posted on

A legacy of the Medicare Modernization Act of 2003 and mandated by the Tax Relief and Health Care Act of 2006, the Recovery Audit Contractor (RAC) program recovers hundreds of millions of dollars for the Medicare Trust. Designed to identify and correct improper Medicare payments made to providers, RAC audits can cost healthcare providers time and money.

In their 2016 annual report, the Medicare Trust predicted the fund behind Medicare Part A, at the current rate of spending, is due for depletion in 2028.* Concern about this potential insolvency combined with RACs increasing ability to harness the power of big data has led to an enormous increase in RAC audits and their subsequent appeals during the last several years.

The Government Accountability Office (GAO) issued a report in June 2016 stating that there had been a 936% increase in appeals at CMS (Centers for Medicare & Medicaid), which ultimately led to a severe backlog in the appeals process and mounting criticism. In a recent court order, Health and Human Services (HHS) has been mandated to fix the Medicare appeals backlog by the end of 2020 and to meet annual backlog reduction goals during the interim.* While efforts to reduce the case backlog are underway, the RAC program continues to generate new RAC audits. RAC audits are not going away. *Since publication, the appellate court on Friday, August 11, 2017 overturned the recent district court ruling which ordered HHS to clear the Medicare reimbursement appeals backlog by 2020 stating that the order was “an error of law” and “an abuse of discretion.”

How do RAC audits play out for providers?

First, the provider gets a hardcopy letter notifying them of the audit. The contractor will then carry out one of two types of reviews: complex or automated. Complex audits must be done manually and typically involve a Manual Records Request / ADR letter. Automated RAC claim reviews do not require manual input, using powerful algorithms that can potentially land any given provider with fee-for-service Medicare claims in a stressful situation.

A big audit has the potential to cause a lot of damage, especially to smaller providers that may not have the cash to pay the amount indicated by the audit before appealing it. If a provider doesn’t pay the amount right away, it will start gaining interest at a very high percentage (ca. 10-12%). If that provider neglects to pay with the intent to appeal, and then loses the appeal, they will have to pay for the owed amount revealed in the audit as well as the interest accrued. On the other hand, if a provider pays right away, appeals the audit, then wins the appeal, CMS will reimburse the amount with interest. However, considering the current state of CMS’s appeals backlog, this decision is not always an easy one to make.

What can providers do to stay vigilant regarding RAC audits?

Fortunately, there are many steps providers can take to ensure that potential RAC audits don’t lead to any unpleasant surprises.

Stay informed

The CMS website is a good place to start along with the CMS’s three official auditing partners: Performant Recovery, Inc. (Region 1 and 5), Cotiviti, LLC (Region 2 and 3), and HMS Federal Solutions (Region 4). Each of these organizations offers information aimed at preparing providers for a RAC audit.

In addition to Medicare-sponsored resources, there are plenty of industry publications that regularly report on RAC audits and offer RAC-focused articles, blog posts, webinars, and other useful content. To name a few: Becker’s Hospital Review, RACmonitor, HME Business, For the Record Magazine, the American Medical Association, the American Hospital Association, and more.

Make sure your RCM partner uses RAC-specific edits

The best protection is prevention. Healthcare providers of considerable size often elect to partner with Revenue Cycle Management (RCM) organizations to manage everything from claim scrubbing, to bill collection, to appeals management. The best solutions out there will help you stay a step ahead of potential audits by automatically scrubbing your Medicare claims to make sure they are CMS-compliant before you send them.

Take advantage of AHA’s RACTrac Survey with a compatible vendor.

Though RAC audits put providers on the defense, providers do have a voice in negotiations with lobbyists, lawmakers and RAC contractors: the American Hospital Association (AHA). One of the AHA’s initiatives is the RACTrac Survey, which collects data submitted by participating providers and compiles quarterly reports meant to “assess the impact [of] the Medicare Recovery Audit Contractor (RAC) program on providers”.

The survey can be time consuming. But if done with the help of an RCM vendor certified by the AHA to be compatible with the RACTrac survey, your claim data can be automatically imported in a matter of seconds.

As the frequency of RAC audits continues to increase, so does the likelihood that your company will one day face one. They can seem daunting. But with the proper preparation, even a RAC audit can be surprisingly doable.

(*) source: 2016 Annual Report of the Boards of Trustees of The Federal Hospital Insurance and Federal Supplementary Medical Insurance Trust Funds, Actuarial Analysis of Present Value, page 71.

FASB New Standard on Revenue Recognition – Are You Ready for ASC 606?

Posted on

With effective dates looming, ASC 606 implementation readiness is top of list for many executives. All entities that enter into contracts with customers will need to be prepared. Effective dates are set to begin after December 15, 2017 for public entities and after December 15, 2018 for nonpublic entities. The intent of the new Accounting Standards Update (ASU) No. 2014-09 is to establish a core principle for revenue recognition across all industries, both domestically and internationally, with converged guidance from the Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB).

Revenue, as a measure of performance, is used in comparative analysis, risk assessment, and other business venture due diligence. By making revenue recognition consistent, the new standards will help users of financial statements understand the nature, amount, timing, and uncertainty of revenue and cash flows arising from contracts with customers.

Health care providers should understand not only what rules are changing, but also how the updated standards may impact financial modeling and reporting. Detailed attention should be given to the rules’ impact on net patient service revenue given the variety of contractual arrangements present in this revenue stream. For help understanding ASC 606 unique impact on healthcare, The American Institute of CPAs (AICPA) Health care Entities Revenue Recognition Task Force is one of 16 industry task forces created to identify potential implementation issues and provide guidance.

By way of an overview of the New Standard on Revenue Recognition, please reference FASB ASC Topic 606 Fast Facts below. Another excellent resource for Healthcare Financial Management Association members is the article, Healthcare Revenue Recognition 5 Steps for Net Revenue Modeling and Reporting Considerations, published January 2017.

FASB ASC Topic 606 FAST FACTS
Who All entities that enter into contracts with customers.
What Financial Accounting Standards Board (FASB) New Standard on Revenue Recognition

Accounting Standards Codification (ASC) Topic 606 (ASU 2014-09): Revenue from Contracts with Customers

Core principle: recognize revenue to depict the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services.
When On 8/12/15, FASB decided to defer the effective date by one year.

Public organizations should apply the new revenue standard to annual reporting periods beginning after December 15, 2017. Nonpublic organizations should apply the new revenue standard to annual reporting periods beginning after December 15, 2018.
Where To help identify WHERE implementation challenges may be greatest for healthcare providers, please visit AICPA’s Health Care Entities Revenue Recognition Task Force landing page for implementation issue updates and guidance.
Why Objective: Establish the principles to report useful information to users of financial statements about the nature, timing, and uncertainty of revenue from contracts with customers.
How FASB ASC Topic 606 outlines for organizations the five steps to use to determine HOW to recognize revenue from customers.

RR-Graph.png

 

Given healthcare’s variety of contractual arrangements with customers to provide services and goods (performance obligations), the numerous ways that entities are paid may make implementation a challenge. Add to that the industry’s transition to value-based reimbursement, and healthcare providers find themselves facing additional complexity when executing revenue recognition step #3, determining the transaction price.

Companies will need to choose which method they will use to comply with the new FASB standard. There are two transition methods: Full Retrospective and Modified Retrospective. Some companies may opt to restate sales for the required number of prior years, while other companies may choose the modified compliance approach, applying the new rules only to existing and future contracts as of the effective date. Regardless of which method chosen, a significant amount of dual reporting will be required—reporting both under the old Generally Accepted Accounting Principles (GAAP) and the new incorporating FASB ASC Topic 606.

Whether public or nonpublic, affected companies should begin preparing now for the adoption of the new requirements. Inventorying revenue streams—developing reporting formulas for every class or type of contract—and evaluating how revenue will be affected by the new rules is a great place start. ASC 606 countdown has begun!

Don’t Misplace Your Trust, Choose a SOC 2 Certified Service Provider

Posted on

A breach, crash, or targeted attack can be devastating to an organization, so it’s no surprise that IT-based service providers have a vested interest in having qualified third-party auditors certify the security and availability of their organizational systems. Both service providers and their clients have a lot riding on the security of their data as well as the dependability of their organizational controls.

By choosing to work with a SOC (Service Organization Controls) 2® compliant vendor, you can be sure that your vendor’s organizational controls, particularly regarding security, are in place and functioning up to industry standards. This is of focused importance in several industries, including healthcare IT, where patient data is subject to stringent HIPAA compliance regulations for privacy and security.

Scope of SOC 2

To obtain SOC 2 compliance, an independent auditor performs an examination of a service provider’s internal controls for a specified period. The auditor examines the suitability of the design and operating effectiveness of the internal controls to meet the criteria set forth in the Trust Service Principles (TSPs) as defined by the American Institute of CPAs: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Depending on the nature of the business, the organization will designate any number of those five SOC 2 (TSPs) on which to be audited. For the revenue cycle industry, for example, security and availability are particularly relevant areas to examine.

The Criteria Categories provide the framework of the examination of each TSP; they include organization and management, communications, risk management and design and implementation of controls, monitoring of controls, system operations, change management and availability.

During each annual SOC 2 audit, which can consume thousands of hours depending on the size of an organization and the scope of the audit, the independent auditor will go on site and perform a comprehensive examination of the vendor’s organizational controls. After careful scrutiny and analysis, a detailed report of the audit is provided to the vendor, and is also available to its clients.

What’s the value of partnering with a SOC 2 compliant vendor?

Today, thanks to a heightened degree of competition, complexity of environment, and increasingly diverse economy, outsourcing some business functions to an external service provider has become vital to the success of many organizations. By placing your trust in an external service provider to perform an essential function of your business, you inevitably expose yourself to risk factors beyond your control. You can gain control and confidence, however, by requesting that your vendors are SOC 2 audited and can present the report to prove it. After a qualified party meticulously audits and tests your service provider, you can be assured they have all of the important security controls in place and your data is safe.

As an added benefit, it is often the case that a vendor’s SOC 2 compliant status implies that they also insist that their own vendors and partners are SOC 2 audited. This consistently high standard of integrity leads to a more cohesive and transparent security strategy in a given network of partners.

Passing a SOC 2 audit results in more than just a stamp of approval. Your vendor’s SOC 2 audit will give you a framework with which you can carefully study the organization’s security controls. This helps organizations’ management teams make strategic decisions about the security and organizational standards of their future service partners.