Health Information Compliance Alert

Published on Wed Sep 07, 2011 PDF

Despite the fact that HIPAA requirements have been around for several years now, it can still be difficult to keep patients' protected health information (PHI) secure, one hospital recently found.

Stanford Hospital in Palo Alto, Calif., recently learned this lesson the hard way when it was discovered that the names and diagnosis codes of 20,000 emergency room patients were posted on a commercial Website for nearly a year, the New York Times reported on Sept. 8.

The detailed spreadsheet that contained PHI was posted by a billing contractor to a Web site that allowed students to solicit help with schoolwork, along with a question asking how to convert the data into a bar graph. The attachment, which included six months worth of patient data from 2009, remained on the site for nearly a year until a patient discovered it and reported it to the hospital, which then removed the post and reported the breach.

To read the original Times article, visit www.nytimes.com/2011/09/09/us/09breach.html.

The HIPAA fines and settlements you've seen may be just the tip of the iceberg. HHS Secretary Kathleen Sebelius has appointed a former Department of Justice official as the new Director of the Office for Civil Rights. HHS OCR is responsible for HIPAA enforcement.

New head Leon Rodriguez "will be dedicated to ensuring consumers' health information is kept private and secure," HHS says in a release.

"Consumers need to know that private and secure access to their health information is a given," Rodriguez says in the release.

Don't waste your time with an extra face-to-face visit when you don't have to. That's the takeaway from a recent question-and-answer issued by Medicare Administrative Contractor NHIC. "If a home health patient is admitted twice within the same 90-day period for the same reason, can the first face-to-face encounter documentation be used for both admissions?" asked a home health agency in NHIC's Aug. 3 Ask the Contractor Teleconference.

"In this instance, the same face-to-face encounter could be utilized for both home health admissions," NHIC replies in the ACT summary. But home health agencies may not like another of NHIC's answers to a F2F question quite as much. "If a home health patient was scheduled to have the face-to-face encounter on day 10, but transferred to hospice on day eight, and is now refusing to go to the doctor for the home health face-to-face encounter, would this be considered an exceptional circumstance?" a provider asked in the conference.

"The face-to-face encounter is a requirement for payment," NHIC says. "The home health services could not be billed if it does not occur." NHIC also reminds providers that they must have the signed F2F documentation in hand before billing Medicare for an episode. "You cannot bill Medicare until you have the signed documentation," NHIC explains. "The face-to-face encounter is part of the re-certification."

Resource: The four-page ACT summary is online at www.medicarenhic.com/RHHI/billing/J14%20HHH%20ACT8311QAs.pdf.