Author: Sheryl Rosen

HIPAA and the Holidays

The holiday season is here.  Are you sending holiday cards to your coworkers and need their addresses?
READ THIS:

Is it okay to look up a coworker’s address in the electronic medical record to send a holiday card?

No. Do not look up a coworker or any other person in the electronic medical record to obtain an address or telephone number. Accessing the electronic medical record system for purposes other than to do your job is not permitted. Inappropriate access to a patient’s electronic medical record may result in disciplinary action, up to and including termination.

Is it okay to look up a coworker’s address using the patient look-up feature in Epic or axiUm?

No.  Employees are not permitted to use the patient lookup feature in Epic or axiUm for personal reasons, even if you do not view other parts of the patient chart. Although the Patient Lookup feature does not open the patient chart, it is part of the electronic health record and displays Protected Health Information (PHI).

Remember

  • Epic and axiUm are not address books.
  • Accessing a co-worker’s medical record for a non-work purpose (such as sending holiday cards) is not permitted.
  • PHI should only be accessed when necessary for job-related purposes.
  • Searching for a patient by name or other identifier in Patient Lookup or the medical record without a job-related need is snooping and may result in disciplinary action.

Please contact the Office of Healthcare Compliance and Privacy if you have questions.

PEPPER! It’s Not Just Seasoning!

What is a PEPPER report?

PEPPER stands for the Program for Evaluating Payment Patterns Electronic Report. PEPPER reports summarize Medicare claims data for a provider in “target areas” that may be at risk for improper Medicare payments. PEPPER compares a provider’s Medicare claims data statistics with combined Medicare data for the nation, jurisdiction, and the state. PEPPER is an educational tool that is intended to help providers assess their risk for improper Medicare payments. While PEPPER reports started as a report pushed out to providers, it is now the responsibility of the organization to pull the report, which is available on PEPPER Resources.

PEPPER Target Areas

PEPPER target areas are identified as potentially at risk for improper Medicare payments (e.g., coding or billing errors, unnecessary admissions/services).

Coding-Focused Admission-Focused
Simple Pneumonia Total Knee Replacement (Added with the Q3FY20 Release)
Septicemia 30-Day Readmissions to Same Hospital or Elsewhere
Unrelated OR Procedures Two-Day Stays for Medical DRGs
Emergency Department Evaluation and Management Visits One-Day Stays for Medical DRGs

For a complete listing of PEPPER target areas, visit PEPPER Resources.

How can providers take advantage of the data PEPPER reports offer?

  • To assist hospitals with monitoring short stays, several target areas in PEPPER focus on one-and two-day stays. Hospitals should examine their statistics for these target areas to help assess their risk for unnecessary admissions and to monitor changes in admission practices over time.
  • PEPPER does not identify the presence of payment errors, but it can be used as a guide for auditing and monitoring efforts. A hospital can use PEPPER to compare its claims data over time to identify areas of potential concern such as:
    • Significant changes in billing practices
    • Possible over-or under-coding
    • Changes in lengths of stay

PEPPER reports were developed as a compliance tool, but the data provided can also assist in revenue cycle optimization and integrity.

Have questions about the PEPPER report? Contact the Office of Healthcare Compliance and Privacy.

Tips for Emailing Patient Information

October is Cyber Security Awareness Month and the
Office of Healthcare Compliance and Privacy has some
tips for you on sending patient information by email.

Responsibilities of individuals authorized to
email protected health information (PHI):

  • Do not email PHI to your personal email address.
  • Do not email PHI to another UConn Health user’s personal email address.
  • When emailing PHI to another UConn Health user, use the recipient’s UConn Health email address.
  • Do not include PHI in the subject line of an email.
  • Emails containing PHI must include [Secure] in the subject line or the body of the email.
  • Double-check all recipient e-mail addresses before hitting the send button, and watch out for the auto-complete function in Outlook.
  • Do not share your password with anyone, and lock your computer when not in use.

Review our internal policies for more information:

For more information, contact the Office of Healthcare Compliance and Privacy.

2021 Annual Compliance Training

The Office of Healthcare Compliance and Privacy and the Information Security department are gearing up to kick off the 2021 annual training season. Key training information is highlighted below.

Training modules will be assigned to employees in mid-October and must be completed within the Saba Learning Center.

Three (3) training courses will be required. When training is launched, you will receive 3 separate emails from sabacloud@uchc.edu, one for each of the following courses:

    • 2021 Healthcare Compliance Training
    • 2021 HIPAA Privacy Training
    • 2021 Security Awareness Training

You have 90 days from when the courses are assigned to you to complete them. Different deadlines may apply to employees on a leave of absence.

      Compliance training is a key component of the University’s compliance program and is required by law and University policy. Courses are designed to educate the UConn Health community on identifying, preventing and detecting incidents of non-compliance.

      Many training questions can be answered by visiting our Training FAQ’s page. If you have other questions or concerns, please contact the Office of Healthcare Compliance and Privacy.

      Welcome Melissa Walsh

      The Office of Healthcare Compliance and Privacy is pleased to welcome Melissa Walsh to our team as a Compliance Specialist. Melissa is an experienced healthcare professional with expertise in clinical documentation and coding, revenue cycle management and healthcare compliance.

      In her new role, Melissa will be assisting UConn Health’s clinical operations with their compliance inquiries and initiatives. In addition, she will be assisting with the development and implementation of the institution’s annual compliance plan.

      Please join us in extending a warm welcome to Melissa and wishing her success in her new position!

      FairWarning and axiUm

      Effective September 1, 2021, UConn Health will begin monitoring access to axiUm using FairWarning, a privacy monitoring tool that will enhance UConn Health’s ability to detect and respond to potential privacy violations, such as inappropriate access to patient records.

      To help you understand FairWarning, the UConn Health Privacy team has prepared the following educational materials:

      FairWarning FAQs for Managers;

      A reminder about inappropriate “snooping” into patient records; and

      An important reminder about employees accessing their own or a family member’s medical record.

      In addition, please review Snooping and the Patient Lookup Feature in Epic and axiUm. Remember: searching for a patient by name or other identifier in the patient look up field (i.e. Rolodex) without a job-related need is snooping. Although the patient look up field does not open the patient chart, it is part of the electronic health record and displays protected health information (PHI). Please look up patients only when your job requires it.

      If you have questions about FairWarning or UConn Health privacy policies, please contact your supervisor or a member of UConn Health’s Privacy team at privacyoffice@uchc.edu or x7226.

      Thank you for your ongoing commitment to protecting patient privacy at UConn Health!

      What’s the Plan?

      Healthcare providers are encouraged as a best practice to routinely evaluate the OIG Work Plan. However, you might be wondering  –  What is the OIG? What is their Work Plan? Why is it important to evaluate the Work Plan?

      Who are the OIG?
      The Office of Inspector General (OIG) provides independent oversight of the federal agencies under the purview of the U.S. Department of Health and Human Services (HHS). UConn Health receives payments from, and is regulated by, several such agencies including the Centers for Medicare and Medicaid Services (CMS), the Centers for Disease Control (CDC) and the Health Resources and Services Administration (HRSA).

      The OIG continuously audits healthcare providers who receive funding from these and other HHS agencies to assure that providers comply with federal statutory and regulatory requirements.

      What is the OIG Work Plan?
      The OIG issues a Work Plan which identifies areas that the OIG will audit. Areas are selected for audit when mandated by statute or when the OIG determines there is an elevated risk to the financial integrity of a HHS program (such as Medicare).

      The Work Plan is updated monthly as new risk areas are identified, audit scopes are revised or audits are completed.

      Below are two examples of audits that are currently listed in the Work Plan:

      Telehealth Expansion During the COVID-19 Emergency – OIG will determine whether providers complied with Federal and State requirements for telehealth services under the national emergency declaration.”
      “Two Midnight Rule-OIG will review short stay inpatient claims to determine whether they were incorrectly billed as inpatient and should have been billed as outpatient or observation.”

      Why is it important for UConn Health to evaluate the Work Plan?
      Routinely evaluating the OIG Work Plan helps UConn Health:

      • Reduce institutional risk:
        Routinely evaluating the Work Plan allows UConn Health to assess whether its operations comply with legal requirements, and identify and implement any necessary corrective measures.
      • Avoid sanctions:
        The OIG may impose sanctions on healthcare providers found to be out of compliance through an OIG audit. Possible sanctions include financial penalties, civil and/or criminal prosecution, and/or exclusion from participating in federal healthcare programs such as Medicare. In addition, identified overpayments must be refunded to the government.
      • Demonstrate organizational commitment to compliance:
        In determining the severity of sanctions to impose, the OIG may consider the level of organizational commitment to maintaining an effective compliance program. Regular review and assessment of the Work Plan by UConn Health evidences our organization’s commitment to maintaining compliance.
      • Establish a proactive rather than a reactive approach:
        Knowing which areas the OIG considers high risk, assists UConn Health in deciding where to allocate attention and resources before an audit occurs.

      Check out these FY 2020 OIG statistics…

      Statistic Semiannual Reporting Period
      (10/1/2020-3/31/2021)
      Audit Reports Issued   75
      Evaluations Issued  20
      Expected Audit Recoveries $566.46 million
      Potential Savings $919.97 million
      New Audit and Evaluation Recommendations  228
      Recommendations Implemented by HHS OpDivs 228
      Expected Investigative Recoveries 1.37 billion
      Criminal Actions 221
      Civil Actions 272
      Exclusions  1,036

      At UConn Health, operational owners and the Office of Health Care Compliance and Privacy collaborate to review and evaluate the OIG Work Plan on a quarterly basis. It is a significant undertaking, but one well worth the effort.

          Snooping and the Patient Lookup Feature in Epic and axiUm

          At UConn Health, patient medical information is stored in Epic, and patient dental information is stored in axiUm. If your job requires access to Epic or axiUm, you must have a job-related need to access patient information in those systems. This includes using the “Patient Lookup” feature in Epic and axiUm. Searching for a patient by name or other identifier in Patient Lookup without a job-related need is snooping. Snooping, including the use of Patient Lookup without a job-related need, may result in disciplinary action. Although Patient Lookup does not open a patient’s chart, a search in Patient Lookup reveals several patient identifiers (e.g., name, date of birth, medical record number, legal sex and address). This is Protected Health Information (PHI) and should only be accessed when necessary for job-related purposes.

          Searching for a patient by name or other identifier in Patient Lookup without a job-related need is snooping. Although Patient Lookup does not open the patient chart, it is part of the electronic health record and displays PHI. Please use Patient Lookup only when your job requires it.

          Exclusions Checking at UConn Health

          Did you know that UConn Health conducts “exclusion checks” on its employees, contractors, vendors, students, residents, fellows and volunteers to ensure compliance with Federal law?

          Exclusion checking” is UConn Health’s process of verifying that a current or potential employee, contractor, vendor, student, resident, fellow or volunteer has not been excluded or debarred by any Federal agency and certain state agencies. Typically the government excludes or debars individuals who have been convicted of Medicare or Medicaid fraud or a similar offense.

          Federal law generally prohibits UConn Health from employing or contracting with excluded persons. To ensure that we are screening appropriately, our office may reach out to you for additional information about an individual, such as date of birth or previous address.

          Violations of these federal requirements may result in civil monetary penalties (“CMP”). By screening our new and current employees, contractors, vendors, students, residents, fellows and volunteers for exclusion, we avoid CMP liability and ensure compliance with federal law.

          For more information about exclusion checking at UConn Health, check out the FAQs 

           

          Connecticut Telehealth Legislation

          On May 10, 2021, Governor Lamont signed into law Public Act 21-9 which extends until June 30, 2023 certain telehealth provisions that were originally enacted through executive order as a result of the COVID-19 pandemic.

          Some of the major provisions of the law are that it:

          • Continues to allow a broad range of providers to deliver services via telehealth including among others: physicians, physician assistants, advanced practice registered nurses, psychologists, marital and family counselors, licensed clinical social workers, pharmacists, and dentists as long as the providers are in network or enrolled in the Connecticut medical assistance program.
          • Allows audio-only telehealth for providers who are in network and/or enrolled in the Connecticut medical assistance program.
          • Requires telehealth providers to obtain and document in the medical record, patient consent to receiving services via a telehealth platform. Patient consent is required to be obtained at the patient’s initial telehealth encounter.
          • Requires telehealth providers to document in a patient’s medical record if a patient revokes consent to receive services via a telehealth platform.
          • Places parameters around when schedule I, II or III controlled substances may be prescribed through telehealth.
          • Prohibits providers from charging a facility fee for a telehealth service.
          • Prohibits providers from delivering services via telehealth until the provider has determined that the patient’s insurance covers the telehealth services.
          • Prohibits health insurance carriers from reducing the in person reimbursement rate when service delivered via telehealth.

          If you have questions regarding the telehealth law, please contact us.