Risks You Take Every Day That Will Cost You

Risks You Take Every Day That Will Cost You

RISK

MANAGEMENT

Brandy Brimhall CPC

CMCO, CCCPC, CPCO, CPMA

Have you ever thought about the types and value of patient information your practice creates, maintains, and uses to communicate with third parties when seeking reimbursement? For example, consider that practices have personal contact information, social security numbers, payer ID and group numbers, medical history, treatment information, etc.

In the “old days,” our risk of having information stolen was mainly limited to whoever had access to our written patient files or, in the event of a break-in, how much information that person could pick up and carry out of your practice.

Now, we have the World Wide Web that contains most, if not all, of this protected and vulnerable information. This, of course, compounds the risk of protected information being accessed, disclosed, or otherwise compromised. Should this protected information end up in the wrong hands, a practice’s entire patient database may be vulnerable to things such as identity theft and medical identity theft. Further, protected information is much more accessible and at risk than ever before.

The blessings of technology have enabled practices to expedite time spent on claims preparation, claims submission, and improved the wait time for receiving payment for claims. Technology has also been beneficial to practices in respect to

achieving appropriate levels of documentation in order to meet guidelines and better support billing clahns. Workforce members are saving time in printing, filing, and organization by having software in place that stores this information.

With the benefits of technology come responsibilities that practices must make a priority. The cost of not appropriately managing these responsibilities not only poses a significant risk to the finances and reputation of the practice, but also to all of the patients. For a moment, consider your own personal information that is created, stored, and maintained by healthcare providers. Think of the potential impact on your personal finances, credit, and even healthcare diagnosis, treatment, etc., should your information be obtained in an unauthorized manner.

Compliance-related investigations are actively being conducted and when these occur, both stressful and financial burdens impact the practice. Much of the time, strictly adhering to a sound compliance plan may prevent the obstacle altogether. Let’s evaluate just a few common errors made by practices that may be minimized or avoided completely if appropriate compliance policies and procedures were already in place:

• Unauthorized access to patient files or information systems resulting in the access, use, or disclosure of protected information.

• Inappropriate and/or identifying posts made to social media sites.

• Lost or stolen portable devices with ePHI access (iPads, smartphones, laptops, etc.) resulting in a potential data breach.

• Insufficient backup protocols resulting in loss of data and inability to recover information.

• Insufficient definition of systems and procedures leading to various errors and strained workforce member relationships. (Note that many whistleblower suits or privacy-related complaints reported to the Office of Civil Rights are made by workforce members)

• Improper disposal of records.

• Improper methods of preventing malware and viruses from accessing information systems, resulting in hacked ePHI.

• E-mail or other online communications among workforce members and/or workforce members with patients where protected data is compromised.

• And the list goes on...

Importantly, die items noted in the previous bullet points all have the possibility of impacting the practice in various ways. This not only includes financial penalties and other compliancerelated investigations and penalties, but also damage to practice/ patient relationships. Such errors can also hinder a practice’s good reputation within the community and make it difficult to retain workforce members, among others.

The only solution is for practices to make compliance implementation a priority. A well-trained workforce that strictly adheres to a folly implemented compliance plan preserves the integrity of your practice in many ways. What has been described through the content of this article is only paid of the reason diat compliance implementation and maintenance is critically necessary for practices to have in place. Compliance policies and procedures serve as paid of the foundation of your practice. A solid and reliable structure can be more effectively built upon a solid foundation. Just imagine hying to build a house without a blueprint.

Further, to minimize the risk of these types of incidents, and therefore protect the practice as well as the patients, it is essential for practices to define written protocol that meets the needs of your practice, as well as governing guidelines.

For example, to briefly address just one of the bullet point obstacles as previously described, let’s look at the very common issue of inappropriate posting of identifying information on social media sites. First, your practice must evaluate your social media use to determine what guidance and policy among your workforce must be implemented and enforced to best protect patient identity and prevent a costly and damaging error to your practice. You must document the social media sites utilized by your practice and it should be clear why you are using social media (such as for marketing, reminders of upcoming events, etc.). Next, you must define your policy and

procedure for permitting use of social media. You may elect to prohibit the posting of photos that may identify a patient, or you may incorporate policy that requires appropriate patient authorization to be obtained prior to social media use. Of course, when obtaining authorization from patients, it must be in writing and also must clearly provide details to the patients as to where their photos may be posted, including reminding patients that these photos may be “shared” and/or saved by your followers or other viewers. It is important for patients providing this authorization to understand that once a social media post is made, there is no guarantee that it can ever be completely removed. Patients must also be aware that they have the right to change any permissions granted to your practice at any time they wish, and they may request the removal of their photos (which would be done to the best of the practice’s ability in areas where the practice has control of the posting and removal of photos, but cannot be guaranteed elsewhere).

Additionally, there are other important considerations to make as you define this policy and procedure for your practice. It must be clear who has access to your social media for posting and how these posts may be reviewed, edited, and removed if needed. This may include posting guidance, such as frequency, and limiting those with social media permissions to only access business social media during business hours. Sanctions must be in place for the misuse of social media as well. Policy and procedure must also define the difference between business and personal social media. Businesses may not dictate to

workforce members how they manage personal social media, but they can offer general guidance, such as to not seek out patients as “friends” and that PHI-related posts are prohibited on all personal pages. Practices must also provide training of this policy and procedure to workforce members for their understanding and awareness.

With the brief but detailed example previously mentioned, it is easy to see how practices can benefit in many ways by having documented guidance. Not only is this type of guidance a required element for practices today, but it also serves as significant risk management to practices, workforce members, and patients. Most errors that occur in practices can be limited or avoided completely with clear and consistent communication, which is what compliance programs are all about.

Compliance implementation can be efficiently accomplished by any type and size of practice, though you must have the appropriate guidance. Like our homes, vehicles, and just about everything else in our lives, compliance policies and procedures require evaluation and maintenance to ensure that they continue to be appropriate, efficient, and are properly functioning.

Brandy Brimhall, CPC, CMCO, CCCPC, CPCO, CPMA, Director of Education, Director of Compliance Services, ChiroCode Institute, Chiropractic Compliance Solutions, Her website is www.ChiroCode.com or www.compliantchiro.com