Author: Sheryl Rosen

Disposal of PHI and ePHI

Generally, Protected Health Information (PHI) is any type of Individually Identifiable Health Information held or transmitted by UConn Health or its Business Associates, in any form or media. Electronic Protected Health Information (ePHI) is PHI that is received, maintained or transmitted in electronic form. All UConn Health workforce members must safeguard our patients’ PHI, which includes ePHI.

Safeguards include protecting PHI/ePHI in connection with its disposal. For example:

  • Never place paper documents/printed materials containing patient information in trash bins, recycle bins, or other publicly accessible containers.
  • Always use a secure shredder bin. If you do not have a secure shredder bin, contact your supervisor right away!
  • Follow the procedures in the UConn Health Office of Logistics Management (OLM) Property Control Manual related to receipt, removal, storage, re-use and disposal of hardware and electronic media.
  • Destruction of X-ray film is handled by OLM through the use of a Business Associate.
  • Red Bag Waste must be placed in regulated medical waste bins and incinerated using secure methods.
  • Certain documents and other materials containing PHI may be subject to record retention requirements. Generally, copies are not subject to these requirements. Contact the Office of Healthcare Compliance and Privacy (OHCP) or the Office of the General Counsel (OGC) for guidance.

      For more information, please review Policy 2008-01 - Disposal of Protected Health Information (PHI) and Disposal and Re-use of Hardware and Electronic Media Containing Electronic Protected Health Information (ePHI).

      Questions? Contact the Office of Healthcare Compliance and Privacy – we are here to help!

      Defense Against Cyber Attacks and Privacy Breaches

      Cybersecurity attacks are on the rise and healthcare organizations like UConn Health are often targets. Cyberattacks can corrupt devices, disable networks and allow bad actors to access patient and employee information. Quite simply, successful cyberattacks put patient safety and privacy at significant risk. We must all work together to lower this risk for our patients and all of UConn Health.

      “Phishing” is the most common type of cyberattack. In this scheme, bad actors send you an email and “trick” you into opening an attachment or clicking a harmful link, allowing them to embed viruses in your device and gain access to all of the data anywhere in your email account. Some viruses will then send phishing emails that look like they’re from you to other individuals at UConn Health. The cycle repeats and the damage multiplies.

      To help prevent phishing attacks, look for emails that contain:

      • An urgent message that asks for your quick reply
      • A plea for help or financial assistance for a person, cause, campaign, or organization
      • Offers that sound too good to be true
      • Misspelled words and poor grammar
      • Mismatched email address information – look at the email address, not just the sender – make sure the display name matches the email address
      • Generic signature lines – make sure you can verify that the name and contact information are credible
      • Unexpected requests regarding personal information – be wary of clicking links or answering questions from contacts that you didn’t initiate
      • Unsolicited attachments

      Strong security of your work and personal devices can also deter the theft of UConn Health’s data.

      Remember to:

      • Use strong passwords and change them often
      • Create different passwords for different computers
      • Use 2-factor authentication when available
      • Install and update antivirus software frequently, including on personal devices and networks

      If you receive an email that looks suspicious, click the “Report Phish” button in the upper right corner of your screen. Please contact the Help Desk or IT Security for phishing or security questions and the Office of Healthcare Compliance and Privacy for privacy-related questions or guidance.

      Compliance Training Due Tomorrow

      Have you completed the 2021 Annual Compliance Trainings? In consideration of the extraordinary circumstances of the public health crisis and challenges faced by our workforce, the deadline for the training was extended to Tuesday, March 15, 2022.

      The following three (3) trainings are due tomorrow (3/15):

      • 2021 Healthcare Compliance Training
      • 2021 HIPAA Privacy Training
      • 2021 Security Awareness Training

      You can access the training by logging into the Saba Learning Center. Any outstanding training can be found under My Learning.

      Compliance training is a key component of the University’s compliance program and is required by law and University policy. Courses are designed to educate the UConn Health community on identifying, preventing, and detecting incidents of non-compliance.

      Please make every effort to complete any outstanding courses by tomorrow (3/15) to avoid disciplinary action. Thank you for your attention and support of the compliance program at UConn Health.

      Contact the Office of Healthcare Compliance and Privacy with any questions.

      Safeguarding Protected Health Information (PHI)

      The Health Insurance Portability and Accountability Act (HIPAA) requires that UConn Health have appropriate safeguards in place to protect the privacy of protected health information (PHI). Here are some helpful hints for protecting PHI:

      • Don’t leave paper records that contain PHI unattended. Use a shredder bin to dispose of paper PHI.
      • Physically secure electronic devices that contain ePHI when not in use to prevent unauthorized access.
      • Don’t discuss PHI in high traffic areas, such as the cafeteria, elevators, and hallways.
      • The same HIPAA rules apply when you are working at home as they do in the office. Make sure PHI is not visible or heard by others in your home.

      If you have any questions, need guidance, or have a privacy concern, please contact the Office of Healthcare Compliance & Privacy.

      2022 Split/Shared Visit Changes

      Effective January 1, Medicare split/shared visit guidelines were revised. Medicare defines a split/shared visit as an evaluation and management visit in a facility setting performed by a physician and a non-physician practitioner (NPP) who are in the same group (tax ID number). Each practitioner performs components of the visit, but only one practitioner bills Medicare for the service.

      Below is a summary of key changes for 2022:

      • Split/shared may now be utilized for:
        • new patient visits
        • initial visits
        • critical care services
        • prolonged services
      • A split/shared visit must be billed by the provider who performs the substantive portion of the visit. The substantive provider is defined as:
        • Non-Critical Care: the provider who performs one of the three key components in its entirety (history, exam, medical decision making) or who provides more than half of the total visit time
        • Critical Care: the provider who provides more than half of the total visit time

      Because Medicare has different payment rates for physicians and NPPs, it is important to correctly identify and bill under the substantive provider. Otherwise, underpayments or overpayments will occur.

      • The substantive portion can be comprised of time that is with or without a patient face-to-face encounter.
      • One of the providers is required to have face-to-face time with the patient but it does not have to be the provider who bills Medicare.
      • Medicare claims for split/shared visits are now required to have modifier FS. This will allow Medicare to easily identify, monitor and audit provider split/shared visit utilization.

      If you have questions or would like additional split/shared guidance, please contact the Office of Healthcare Compliance and Privacy.

      Information Blocking and Test Results

      The Information Blocking Rule permits clinicians to withhold certain electronic health information from a patient’s MyChart if the clinician determines that doing so will substantially reduce a risk to the life or physical safety of the patient or another person (i.e., an “unreasonable risk of harm”).

      If you withhold a test result from MyChart based on an unreasonable risk of harm, you must promptly release the result after you discuss it with the patient. Once the patient knows the result, there is no longer justification for withholding it based on an unreasonable risk of harm.

      Reminder: Concern that a particular test result will be upsetting or confusing to a patient is not sufficient justification for withholding a test result from MyChart.

      Please see these guidelines for more information, or if you have any questions please contact the Office of Healthcare Compliance and Privacy.

      2022 CPT Code Changes and Coding Updates

      Effective January 1, 2022, the American Medical Association (AMA) made a total of 405 changes to the Current Procedural Terminology (CPT) code set. The codes are used to report medical, surgical, and diagnostic procedures to insurers. This uniform code set provides standardized communication of services performed and determines reimbursement to providers. Below is a breakdown of additions, revisions and deletions. The code sets highlighted are those with the most changes.

      | 2022 Code Set Changes                       | Added | Deleted | Revised |
      |---------------------------------------------|-------|---------|---------|
      | Evaluation and Management                   | 5     | 0       | 10      |
      | Anesthesia                                  | 6     | 2       | 0       |
      | Surgery                                     | 30    | 13      | 25      |
      | Radiology Procedures                        | 4     | 3       | 1       |
      | Pathology and Laboratory Procedures         | 4     | 3       | 1       |
      | Medicine Service and Procedures             | 36    | 11      | 4       |
      | Category II Codes                           | 0     | 0       | 1       |
      | Category III Codes                          | 72    | 26      | 2       |
      | Proprietary Laboratory Analyses (PLA) Codes | 62    | 5       | 2       |
      | Total                                       | 249   | 63      | 93      |

      Source: MSN Healthcare Solutions. 2022. 2022 CPT Updates: New Codes – MSN Healthcare Solutions. [online] Available at: https://msnllc.com/2022-cpt-updates-new-codes/.

      New Subsection of CPT Codes for Principal Care Management

      Chronic Care Management (CCM) and Complex Chronic Care Management (CCCM) require the management of two or more conditions. This left a gap in coding when care management is performed for a single condition. Newly introduced Principal Care Management (PCM) codes are time-based and can be reported once per calendar month.

      99424 (Principal care management services, for a single high-risk disease): A physician or other qualified healthcare professional performs management and care plan services for a patient with a complex chronic condition, expected to last three months, which places the patient at significant risk of hospitalization, acute exacerbation, decompensation, functional decline, or death. Use this code for the first 30 minutes of physician/qualified healthcare professional time.

      +99425: Each additional 30 minutes of physician or other qualified healthcare professional time beyond the first 30 minutes.

      Please contact the Office of Healthcare Compliance and Privacy with any questions or concerns.

      New Year, New Medicare Payment Rules

      January 1 is not only the start of a new calendar year, it is also the date when several Medicare payment rule changes take effect. Two such rules are the Outpatient Prospective Payment System (OPPS) and the Medicare Physician Fee Schedule (MPFS).

      Below is one highlight from each of these rules:

      Medicare OPPS – Inpatient Only List

      Historically, Medicare has maintained a list of approximately 1,700 procedures that are not payable if billed as an outpatient procedure. These procedures are often referred to as the Inpatient Only List. Under last year’s OPPS rule, Medicare announced it would phase out the Inpatient Only List and allowed 298 procedures to be payable as outpatient procedures.

      This year, Medicare reversed this decision and reinstated most of the 298 procedures removed, again designating them as Inpatient Only. As a result, operation workflows (orders, patient status indicators, documentation, etc.) will need to be revised to assure compliance.

      Medicare MPFS – Split/Shared Visits

      Split/shared evaluation and management (E/M) visits are visits provided in a facility setting by a physician and a non-physician practitioner of the same group. Under the regulatory changes for 2022:

      • split/shared visits may be reported for new and established patients and are applicable to initial and subsequent visits
      • the visit may be billed under the physician’s NPI if the physician (1) performed either the history, the exam, or medical decision-making, OR (2) provided more than half of the total time for the visit
      • split/shared visits must be billed with a HCPCS modifier (not specified yet) to indicate split/shared status

      When Should I Contact the Privacy Team?

      You should contact the Privacy team when:

      • You believe an individual’s privacy rights have been violated
      • A document, information system, or anything else containing patient information has been lost, stolen, or compromised
      • You have a privacy-related question or need guidance
      • You would like privacy education

      Some examples include:

      • A patient has a privacy concern or complaint
      • You believe patient information was accessed or disclosed inappropriately
      • You have a question about UConn Health privacy policies or procedures
      • Your department wants guidance on a particular privacy-related regulation or needs a HIPAA refresher

      How Do I Contact the Privacy Team?

      You can contact us by phone or email:

      When in doubt, give us a shout! We are here to help!