
Physician revenue at risk

By Lori Brocato and Jan McDavid

In the July/August issue of Healthcare Finance News there was an article titled ‘Physicians Fleeing Private Practice.’ To add insult to injury, there are two more reasons why this trend is likely to continue or even accelerate: governmental audits and breaches of protected health information (PHI).

Audits and PHI breaches are on the rise in physician practices and groups, and the resulting fines and penalties threaten revenue streams at levels never seen before. These problems have received considerable attention from the press and the market, but that attention has, for the most part, related to the hospital setting.

As the government ramps up its audit function and gets much tougher on PHI breaches, physician practices and groups will see greater audit activity.

Audits on the Rise

With regard to governmental and other third-party payers, pre-payment reviews by Medicare Administrative Contractors (MACs) are the dominant activity in practices thus far. The second audit risk comes from Recovery Area Contractors (RACs), who are slowly ramping up their presence in ambulatory settings.

While both threaten the practice revenue stream, the MACs pose a greater revenue cycle issue. MACs pend claims upon submission. Reimbursement to the practice is held while the case is reviewed. MACs also have no limit to the number of cases they can audit, whereas RACs have a legally mandated limit.

The best practice for dealing with all audits is an automated tracking system that manages timelines and status of all audits. Most practices and groups are either handling this process manually or in a Microsoft Excel spreadsheet. As volumes increase, the revenue risk associated with these recovery audits is too high to be left to part-time, manual attention.

Another best practice is to bolster clinical documentation improvement (CDI) efforts. Improving documentation minimizes auditor red flags and provides quick justification for medical necessity and payment.

The Cost of a Breach

Statistically, breaches of PHI are going to happen to every practice. However, the risk of breach in physician practices shows considerable variance. Some practices have the technology, policy and procedures, and education to mitigate their risk while others pay lip service to the issue.

The enforcement of breach reporting through fines and disclosure notification is becoming much more onerous, with the possibility of fines of up to $1.5 million per incident. Most breaches are caused by human error through staff carelessness and forgetfulness. Many practice breaches occur when medical records leave the office. Physician and staff laptop computers pose another major risk.

Best practice is full encryption at the drive level – not at the file level. If electronic PHI is lost or stolen in an encrypted format, it is not considered a reportable breach. Encryption is just part of the full policy and procedure program that practices must train their staffs to implement.

This is not a situation where practices or groups can write policy and procedure manuals and keep them on the shelf collecting dust. They must be living documents, which are regularly updated and presented to staff in an educational setting.

The costs of breaches also include patient notification, potential bill write-off, credit monitoring/identity theft monitoring, and legal fees, as well as time and effort of staff and management. Perhaps more onerous is the potential loss of market share.

Patients can move to different physician practices more easily than they can change hospitals. The rate of patient churn in healthcare is higher than the average customer churn in other industries, indicating a willingness on the part of patients to move to different providers.

Resources and New Risks

Physician practices in the U.S. are already overwhelmed with administrative costs. Adding human and technological resources to manage audits and prevent information breach may dramatically increase this figure. However, proof that the practice tried to prevent a breach is critical.

If there is a breach and practices can demonstrate they took the necessary steps to prevent disclosures, the penalty can be mitigated—perhaps even avoided. Efforts should include:

 

· Detailed policy and procedures
· Regular staff training
· Ongoing internal audits
· A plan for response to incidents
· Detailed risk assessments
· Detailed records kept of the facts surrounding disclosures, particularly dates of events

 

As audits and breaches increase in physician practices and groups, they will become a much greater threat to profitability. Prevention will cost much less in the long run than dealing with each issue as a “one off.” Staffs and resources should be bolstered now – before auditors and attorneys come knocking.

 

Lori Brocato is Audit Product Manager at HealthPort and Jan McDavid is General Counsel at HealthPort.
