Credentialing & Peer Review Legal Insider, October 2016

Interstate Medical Licensure Compact Commission proposes licensure process

The medical licensing tool aimed at expediting the process through which physicians can obtain licenses to practice in multiple states is one step closer to becoming a reality as more details of the process come into focus. Once it’s up and running, the Interstate Medical Licensure Compact will allow physicians licensed in one participating state to gain licensure in other participating states without having to repeat the entire licensing process in each state.

The Interstate Medical Licensure Compact Commission, which is responsible for the compact’s governing rules and administration, recently released a proposed process for expedited licensure through the compact and opened the period for public comments. The commission will consider the proposed rule at its meeting in early October.

 

The expedited licensure process

The basic process is the same as the one outlined in model legislation released two years ago, says Ian Marquand, chair of the Interstate Medical Licensure Compact Commission. Under the newly proposed process, a physician applies for expedited licensure via the compact through the state where he or she claims principal licensure. The state of principal licensure is where the physician resides, practices, is employed, or files a federal tax return.

"The physician will have to provide some information so that we can make sure that state is legitimately the state of principal license. A physician can’t willy-nilly pick a state in the compact," Marquand says. The applying physician will also have to pay the commission a service fee and submit to a criminal background check through a law enforcement agency, including providing fingerprints or other biometric data.

"There are no heavy applications at this point. The point of this is to make it much easier for a physician to get licensed in additional states and for much less time and energy expended," he says.

The principal licensure state would then review the applicant’s qualifications to determine if he or she is eligible for expedited licensure, perform a criminal background check, and issue a letter to the applicant and the compact commission verifying or denying the physician’s eligibility. Once the applicant receives that letter, he or she can then select from which member states to request expedited licensure and pay those states’ licensure fees. The relevant member boards would then issue full and unrestricted licenses to the applicant. Those licenses would be valid for as long as any other full and unrestricted license normally issued by that state board.

 

Application turnaround time

There is not a set amount of time to process the application for licensure through the compact due to several variables, Marquand says. These variables include how quickly the physician goes to a law enforcement agency to get fingerprinted, the amount of time necessary to complete the criminal background check and deliver the results to the medical board at the state of principal licensure, and how long it takes that state of principal licensure to review the criminal background check and the applicant’s other details (e.g., board certification and medical education).

A few test runs of the process have been performed in Marquand’s home state of Montana. "We find that it only really takes a matter of hours but it’s not the only thing our people have to do. So where it falls in the queue depends on how long it’s going to take for our people to actually get to do the work. That’s a variable. The communication between a state of principal license to compact commission and then compact commission to receiving state, I don’t think those should take very long at all."

In contrast, the applicant’s responsiveness will be a factor in the turnaround time. Marquand provides a hypothetical scenario to illustrate this point: Dr. Smith, whose state of principal licensure is Montana, applies for licensure in three additional states through the commission. He is prompt about providing his fingerprints and submitting to the criminal background check, which allows the staff in Montana to process his application fairly quickly. In a matter of days Dr. Smith is certified by the commission but then puts off paying the licensure fees.

"We can’t do anything until the fees have been paid. So if the physician is slow about paying fees, that’s on them, not on us," Marquand says. "But once the fees are paid and delivered to the receiving states, we don’t expect [the states] to take very long in issuing the license."

To help motivate physicians to stay on track with their applications, the proposed rule sets a 60-day limit for the applicant to submit all requested materials.

"With every application in the professional licensing world, there’s an expiration date on the application. It doesn’t sit there forever waiting for you to finish. If you don’t get it done, it expires. Putting a 60-day limit on that seems pretty reasonable to me," he says.

Returning to the example of Dr. Smith, Marquand says if the physician applies through the compact commission, pays the initial processing fee but then doesn’t have his fingerprints taken and is unresponsive to the commission’s requests for information for more than 60 days, the application is withdrawn.

"It put some onus on the physician to take some action. But will it take 60 days for processing? No, that’s just the time we give the physician to get any information that we need. But I can’t imagine that happening very often, if at all," Marquand says.

Once a physician is certified through the commission, that certification is valid for one year. This means that if Dr. Smith initially selects one compact state for licensure, such as Wyoming, and then decides six months later that he wants a license for Idaho as well, he will not have to reapply, Marquand says. Dr. Smith will simply need to inform his state of principal licensure, Montana, that he’d like to practice in Idaho. The board in Montana will notify the commission and then Idaho will issue the license fairly quickly.

"The only thing that would preclude that would be if Dr. Smith gets in trouble with either the Montana or the Wyoming board and his license is suspended. Then his compact eligibility goes out the window," he says.

When a physician’s license is suspended, it is the responsibility of the member state in which the disciplinary action occurred to notify the commission, which in turn, would notify all the states in the compact. At that point, it would be up to each individual state to decide what to do.

"It’s presumed that reciprocal discipline will happen very quickly. So if Dr. Smith gets in trouble in Wyoming, Wyoming reports him to the commission and Montana would probably take very swift action to suspend his license there," Marquand says. "And if he’s licensed anywhere else in the compact, those states would have the option of doing the same. We want to at least make it possible for very swift action in all the states."

He adds that there are circumstances where reciprocal discipline is automatic, such as when a license from a state of principal licensure is revoked, suspended, or surrendered. In such cases, states can change that automatic action to something else, if they choose. So while states would have some discretion, it may come after an initial action.

Physicians who retain clean records and maintain their qualifications would be able to obtain licenses in as many compact states as they want within a year of achieving certification from the commission, as long as they’re willing to pay the fees.

 

Work to be done

Some details of this process have yet to be finalized. For example, the amount of the commission’s processing fee has yet to be determined. The commission will likely take up this issue by the end of the year.

"Each individual state within the compact also needs to have its own discussion of whether it wants to charge an application fee to cover the cost of reviewing the physician’s qualifications," Marquand says. In Montana there is a proposal put forth for a $100 fee. That proposal still needs to go through a public comment period and receive final approval from the state medical board.

After considering the provisions of the proposed rule, the commission will have several options: Adopt the rule as-is, adopt it with amendments, send it back to the committee for more work, or scrap it completely.

"I’m certainly optimistic that the commission will adopt these. And whether there are any changes suggested to them through comments, we’ll deal with them. I think the commission is anxious to get these rules in place and move on to the next topic," Marquand says.

If the commission decides that the proposal requires significant changes, the rule could be brought back to the commission as early as December.

Work on the application portal for expedited licensure is also underway but an open date has not been announced, Marquand says. However, the commission has set January 2017 as the target date for the first licenses to be issued by a member state using the compact process.

To assist with all the work that remains to be done, the U.S. Health Resources and Services Administration (HRSA) recently announced a $250,000 annual grant for three years to help the commission get up and running. The grant, which was requested by the Federation of State Medical Boards, underwrites the cost of the commission.

"That takes a huge load off on us as commissioners. We know that through that grant there will be money available to cover technical costs, meeting costs, and maybe even staff costs for the next three years," Marquand says. He forecasts that after the three years, the commission should be able to stand on its own financially and operate on the service fees it collects.

 

Telemedicine

Often the Interstate Medical Licensure Compact is discussed in the same breath as telemedicine but Marquand emphasizes the distinction between the two. The compact relates exclusively to licensing and therefore does not provide any rules, regulations, or even any guidelines on the use of telemedicine. Although physicians or health organizations may want to use it to allow their own practice or corporate practice to expand into more states, they will still need to follow the regulations of those states once licensed.

"I understand that there may be benefits of the compact for physicians who want to do telemedicine in more places, but that’s not specifically why the compact exists. The compact exists for licensed physicians to get licenses in other states quickly and efficiently, regardless of what kind of practice they want to do," Marquand says.

He recalls this topic came up at a press event in Washington, D.C., designed to promote the compact to members of Congress and major healthcare organizations. When the question was posed of who would be the major user of the compact (large healthcare organizations that want to use telemedicine, or individual physicians who want to expand a practice across state lines either in person or by telemedicine), the answer that came back was it would likely be both.

"Here’s how I look at this: Think of two parallel highways. On one, there are physicians using telemedicine. The compact is on the other, with ramps between them," he explains. "The folks on the telemedicine highway may take a ramp over to the compact highway to get additional licensure, but then they’ll get back on the telemedicine highway."

 

Moving forward

As this issue of CPRLI went to print, 17 states have enacted compact legislation and nine others have introduced it. Marquand is optimistic more will adopt legislation.

"There are a couple that haven’t quite got to the finish line and we understand there are going to be states that are on the sidelines, waiting to see what the commission does and see how the compact really works," he says.

That’s why Marquand says the work the commission is doing to get the compact up and running is so important. The successful operation of the compact will be the commission’s biggest promotional tool for convincing additional states to participate. The hope is to bolster the case for joining once the commission has concrete figures on time frames and the number of licenses issued.

Protecting your facility from successful plaintiff litigation

Identifying red flags within credentialing applications can be the first step to protecting yourself and your facility from a successful plaintiff litigation. In the on-demand webcast, Negligent Credentialing: Best Practices to Prevent Successful Plaintiff Litigation, expert Mark A. Smith, MD, MBA, FACS, discusses ways to recognize issues within a credentialing application that require immediate action or additional questioning. Smith also provides best practices an organization should adopt to prevent credentialing-based lawsuits.

At the end of this on-demand program, participants will be able to:

Identify at least three red flags in credentialing applications that require action or explanation

Know what a negligent credentialing claim entails

Assemble the necessary documentation to help combat negligent credentialing

 

For more information or to order this webcast on demand, visit http://hcmarketplace.com/negligent-credentialing-best-practices-to-prevent-successful-plaintiff-litigation.

 

 

OCR ramps up HIPAA enforcement efforts

The Office for Civil Rights (OCR) stepped up HIPAA enforcement in a big way this year. The agency handed down more than $5 million in HIPAA settlement fines in one week in March, and in July reached a HIPAA violation settlement with Advocate Health Care in Illinois that carried a $5.55 million payment. OCR kicked off phase two of its HIPAA Audit Program and will likely complete desk audits of covered entities (CE) and business associates (BA) by the end of the year. Comprehensive on-site audits may occur early in 2017.

However, breaches continue to come at a relentless pace and questions have arisen about OCR’s handling of HIPAA violations, particularly repeat HIPAA offenders. And a truly permanent HIPAA audit program may not yet be in sight: OCR states that phase two audits will help the agency plan for a permanent audit program but doesn’t state when that might launch.

In a September 2015 report (https://oig.hhs.gov/oei/reports/oei-09-10-00510.pdf), the Office of Inspector General (OIG) said OCR, and the U.S. Department of Health and Human Services (HHS) as a whole, should strengthen its oversight of CEs and be proactive rather than reactive in its approach to HIPAA enforcement. The report found that in 26% of closed privacy cases, OCR did not have complete documentation of corrective actions taken by CEs. In addition, OCR’s case tracking system has significant limitations and makes it difficult for the agency’s staff to check if a CE under investigation has been the subject of previous investigations.

All of this may make some CEs and BAs feel that HIPAA compliance is merely optional, and that leads to a weaker privacy and security culture throughout the industry. Although OCR does take action to make its presence felt, it could do more, Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona, says.

"I do believe that OCR is trying to let people know that it considers HIPAA compliance an important objective," he says. "With its guidance and ongoing alerts about the occasional enforcement actions here and there, I see OCR’s enforcement a small step above being a paper tiger in terms of how seriously people take it."

The waiting game

The OIG’s September 2015 report wasn’t the first time that agency has found fault with HHS and OCR’s methods, Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts, says.

"OIG has published a number of reports over the years, identifying problems with HHS’ oversight and enforcement of these HIPAA rules," she says. "I know of no one in the profession who reads the OIG reports and disagrees."

But HHS and OCR have been slow to take action. More than five years passed between the end of phase one of the HIPAA Audit Program and the announcement of phase two, and OCR still has obligations it’s failed to fulfill. The agency’s slow pace may lead some to take it, and HIPAA, less seriously.

"Since the latest round of rule changes back in 2010, over six years ago, there are still outstanding rules and unmet commitments by HHS and OCR," Ruelas says. "In the end, it not only erodes credibility but also questions just how seriously is OCR taking its enforcement duties."

 

Another day, another fine

HHS and OCR regularly announce breach settlements, but 2016 saw a flurry of high-profile and costly settlements. OCR took the opportunity to make examples of a number of CEs and BAs in its statements, calling attention to the particular violations that tipped the settlements into the hundreds of thousands, or even millions, of dollars.

Although the settlements grab attention and headlines, it may be difficult to determine their positive impact. Some of the HIPAA violations in question date back years. Staff who worked at the organization, and may have been involved in the breach, are likely gone. Even administrators, executive leaders, and owners may change in that time. Some organizations may see OCR’s enforcement actions as too little, too late, Mac McMillan, FHIMSS, CISSM, cofounder and CEO of CynergisTek, Inc., in Austin, Texas, says.

"We all want the same thing: to see our industry do better," he says. "This is just more of the same old, same old. Same issues, different players."

A HIPAA settlement fine might be a crushing blow to a physician practice or small home health or physical therapy organization, but even the largest fines might not make an appreciable impact on larger organizations, McMillan says.

"To be really impactful, there will probably need to be more, they will need to happen closer to the actual event they’re related to, and possibly the fines will need to be bigger," he says. "The fines levied were really not substantial fiscally, and there was no accountability for those responsible for making security decisions, so they pay and move on."

Borten agrees that the long period of time between when a breach is reported and when OCR takes action lessens the impact. "The response or punishment must rapidly follow the event to have a significant impact on future behavior," she says.

Although some find California’s short breach notification timelines and black and white faxing rules burdensome, these measures have caused CEs and BAs to change their behavior and improved privacy and security, McMillan says.

Some CEs and BAs may be willing to take the chance they won’t be caught, Ruelas says. "I truly think that people see enforcement a lot like getting hit by lightning. However, if it does occur, it tends to be a game changer and does make for an interesting day."

But whether the change is meaningful or widespread may be difficult to determine, and any alteration to OCR’s HIPAA enforcement practices would likely be an improvement, he adds.

 

Learning from others’ mistakes

However, CEs and BAs can get something out of HIPAA settlements. Conscientious entities will fulfill the terms of the corrective action plan and even improve on it. And other CEs and BAs can take valuable lessons from OCR’s breach announcements. The agency often draws attention to specific issues that led to the breach, levies a pricey fine, and points out how the organization could have avoided the problem in the first place.

"HIPAA enforcement actions are important teaching tools," Borten says. "Workforce members can be asked if the same problem could arise in their organization, and how individuals can avoid the same fate."

Many privacy or security failures that lead to breaches are the result of human error and are still relevant regardless of when the breach occurred, she adds.

Although the security landscape has expanded beyond missing laptops and smartphones, Ruelas says there’s still a lot CEs and BAs can learn from these enforcement actions. Organizations may see ransomware, phishing, and privacy and security breaches on social media as the biggest threats, and rightly so. Yet many breaches still come down to 10-year-old HIPAA basics: misdirected faxes, incorrectly addressed emails, or handing the wrong documents to a patient.

 

While human error is still a concern, McMillan is most worried about the increasing number of breaches due to hacking, particularly the greater loss of data due to hacking and the effects such breaches have on the industry. "Human errors are still an issue, but the relative impact of those incidents compared to the impacts we see from hacking recently pales in comparison. Many of those attacks were the result of misconfigured or poor administration of systems resulting in serious outages and millions of lost records," McMillan says. "This is where OCR needs to focus attention."

 

Phase two

The launch of phase two of the HIPAA Audit Program may promise some positive change. The audits are intended to help the agency improve HIPAA guidance and tools and pinpoint common problems and challenges CEs and BAs face. Desk audits of CEs began in July, with BAs scheduled to follow in the fall. However, it may take 90 days after submitting documents for CEs to receive a draft audit report. Until then, it will be difficult to predict what OCR’s response to the audits might be.

The audit reports will not be made public, although OCR representatives indicated they will likely be available through a Freedom of Information Act request. Sharing some data might help CEs and BAs.

"I do think that if audit results can somehow be summarized and shared, just by their detailed nature, the audits can be wonderful sources of information for the HIPAA community," Ruelas says.

It took three years for the agency to update the audit protocols to reflect changes made by the HIPAA omnibus rule, he adds. It’s too soon to tell how long it might take the agency to revise or refocus its guidance based on the results of the phase two audits, but it would no doubt be beneficial for all CEs and BAs to see results sooner rather than later.

Establishing a permanent audit program is one of OCR’s responsibilities under HIPAA, and the agency’s failure to develop one has drawn criticism from the industry and from other regulatory agencies such as the OIG. OCR agreed with the OIG’s latest call for a permanent audit program. Phase two is an encouraging step in that direction, but still not quite enough.

"It has been very vocal on its commitment to establishing an effective and permanent auditing program," Ruelas says. "Let’s see if it really is going to walk the talk."

 

Legal and regulatory news roundup

Find out what’s happening in the world of federal healthcare regulations by reviewing some recent headlines from across the country.

 

EMTALA violations declining

The number of U.S. hospitals cited for violating the Emergency Medical Treatment and Active Labor Act (EMTALA) has decreased over a 10-year period, according to a study published in the Annals of Emergency Medicine. Researchers analyzed a list from CMS of EMTALA investigations conducted from 2005 to 2014 and found that the percentage of U.S. hospitals cited for violations decreased from 5.3% to 3.2%. The percentage of hospitals investigated also declined during this period from 10.8% to 7.2%.

EMTALA aims to prevent the practice of discharging or transferring patients to other hospitals before stabilizing treatment is provided for emergency medical conditions. It requires hospital emergency departments to provide medical screening examinations to patients seeking medical treatment regardless of their ability to pay, citizenship, or legal status.

 

Stark Law, EMTALA violation penalty amounts increase

Due to several years of inflation, the U.S. Department of Health and Human Services recently issued an interim final rule that calls for steeper maximum penalties for violating federal regulations, including EMTALA and the Stark Law.

For hospitals with more than 100 beds, the maximum penalty for an EMTALA violation is $103,139, up from the previous maximum of $50,000 set in 1987. For hospitals with less than 100 beds, the maximum penalty is $51,570, up from $25,000.

Circumventing the Stark Law’s self-referral restriction can now result in a maximum penalty of more than $159,000, up from the previous maximum of $100,000 set in 1994. Submitting claims in violation of the Stark Law can result in a penalty of nearly $24,000, up from $15,000.

 

Home health agency owner sentenced for healthcare fraud, kickbacks

Khaled Elbeblawy, the former owner and manager of three home health agencies in the Miami area, will spend 20 years in prison for his role in a scheme that fraudulently billed Medicare for millions of dollars.

Elbeblawy was sentenced to prison and ordered to pay more than $36 million in restitution following his conviction in January of one count of conspiracy to commit healthcare fraud and wire fraud and one count of conspiracy to defraud the United States and pay healthcare kickbacks. According to evidence presented at trial, from 2006 to 2013, Elbeblawy and his co-conspirators claimed to have provided medically necessary home health services to Medicare beneficiaries through the three agencies: Willsand Home Health Agency Inc., JEM Home Health Care LLC, and Healthy Choice Home Services Inc. In reality, those services were either medically unnecessary or never provided. The conspirators also paid kickbacks to physicians, patient recruiters, and staffing groups for referrals of beneficiaries.

In all, Elbeblawy and his co-conspirators submitted $57 million in false or fraudulent claims and received approximately $40 million in payments. In 2012, Eulises Escalona, a former owner of Willsand and JEM, pled guilty to one count of conspiracy to commit healthcare fraud and was sentenced to 10 years in prison. Cynthia Vilches, former co-owner of Healthy Choice, also pled guilty to one count of conspiracy to commit healthcare fraud and is awaiting sentencing.

Healthcare system calls for dismissal of antitrust lawsuit

Carolinas HealthCare System (CHS) has argued that the joint antitrust lawsuit filed against it by the U.S. Justice Department and the North Carolina Attorney General’s office has no basis. According to the Charlotte Observer, the lawsuit alleges CHS uses its size to drive up prices to prevent competition. CHS operates 10 hospitals in the Charlotte area. Its closest competitor, Novant Health, operates five.

The lawsuit alleges CHS uses its clout to encourage health insurers to steer patients away from other lower-priced hospitals and toward CHS hospitals.

In asking for a dismissal, CHS has said the lawsuit has failed to allege any actual competitive harm to the marketplace.

Exciting updates: More content, tools, and news at your fingertips!

The challenges healthcare professionals tackle each day don’t wait for solutions, and neither should you. That’s why Credentialing & Peer Review Legal Insider (CPRLI) is transitioning to a more frequent and robust publishing model this fall by combining with the Credentialing Resource Center (CRC)’s flagship publication, Credentialing Resource Center Journal (CRCJ), to create a single source for all your credentialing, privileging, peer review, and legal news, tools, and best practice strategies.

Your updated member benefits gain you access to expanded content and tools on CRC, with new resources added weekly to the website (www.credentialingresourcecenter.com). Plus, as a CRC member you gain instant access to over 300 clinical privilege white papers, core privileging forms, Medical Staff Talk, and Credentialing Resource Center Daily (CRCD), CRC’s daily e-newsletter for medical staff leaders and MSPs. If you are already a CRC member, you will continue to receive the news and analysis you’ve come to rely on, plus expanded member benefits this fall.

To help readers keep tabs on available content, we will announce new articles in CRCD. At the end of each month, we’ll roll the corresponding weekly articles into a digital issue of the newly expanded 16-page CRCJ that mirrors the current digital format.

As a member of CRC, you can continue to download and print high-quality PDFs of the current issue, as well as several years of back issues of CRCJ and CPRLI, directly from CRC’s website. We’re looking forward to delivering your peer review and credentialing guidance in a timelier, efficient, and more convenient manner.

Stay tuned for additional details as we near implementation. In the meantime, feel free to contact Editor Son Hoang at [email protected] with any questions.

 

HCPro.com – Credentialing and Peer Review Legal Insider

Credentialing & Peer Review Legal Insider, September 2016

Avoid HIPAA breaches from ransomware attacks

Although ransomware is not a new phenomenon, a recent increase in reported attacks along with several well-publicized cases have raised the public’s awareness of the threat it poses. Ransomware, a variety of malware, can be incredibly damaging because it is designed to infect a system, find and encrypt the system’s data, and lock out users until they pay a ransom, typically in an anonymous electronic currency like bitcoin, to regain access through a decryption key.

According to a U.S. government interagency report, there have been approximately 4,000 ransomware attacks each day since the beginning of the year, up from the 1,000 daily attacks reported last year. Further, a recent analysis by managed security services provider Solutionary found that 88% of ransomware attacks during the second quarter of this year targeted healthcare entities.

"Hospitals rely on data systems not only for the survival of their business, but the survival of their patients. Because of this, the perceived value of the data becomes much greater, meaning the criminals can charge premium ransoms against their victims," says Travis Smith, senior security research engineer at Tripwire, a Portland, Oregon-based cybersecurity firm.

The variants of ransomware that exist can complicate a hospital or other healthcare provider’s response, says Doron S. Goldstein, partner and co-head of privacy, data, and cybersecurity practice at Katten Muchin Rosenman, LLP, in New York City. In addition to the typical form of ransomware that infiltrates systems and locks users out of their data unless they make some form of payment, some types can also exfiltrate a copy of the locked data to the hacker, or delete the data but make it seem as though it’s encrypted and still present, tricking the user into paying for data that is actually gone.

"In each scenario, you don’t know if there is intention to release the data if you pay or not. You may pay and still get nothing. Or you may get it back. There is no certainty to it. Some victims have gotten access back; others have not," says Goldstein, a former software developer and network administrator. "The general guidance from law enforcement, such as the FBI, is not to pay ransom. But if everything you have is locked out, you may not feel like you have a choice."

HHS guidance

In light of the increased prevalence of ransomware threats, the U.S. Department of Health and Human Services (HHS) recently released guidance to help covered entities understand the risks associated with these types of attacks and how complying with HIPAA can help identify, prevent, and recover from ransomware.

"The HHS is just reacting to what is happening in the marketplace. The sustained increase in the number of successful ransomware attacks is proof that the ransomware problem is going to get worse before it gets better. Issuing guidance is raising awareness of the issue at hand," Smith says.

The HHS guidance states that healthcare entities can better protect against ransomware by implementing security measures required by the HIPAA Security Rule. According to the guidance, these measures include limiting access to electronic protected health information (PHI) to personnel and software that require it, and conducting risk analyses to identify threats and vulnerabilities to PHI.

"You have to do the risk analysis. Ransomware is just another form of malware; it’s particularly insidious, but they all require doing the risk analysis," says Goldstein.

A big takeaway from the HHS guidance is the importance of taking appropriate actions beforehand to mitigate the potential of damage caused by ransomware, he adds. Unlike malware that simply transfers PHI without authorization, ransomware makes the PHI unavailable or destroys it altogether.

"For a healthcare provider in particular, having data exfiltrated means there’s damage to the patients, but likely not to their immediate health. Being locked out of your health data or your patients’ health data is a potential threat to the life and health of patients," he says.

 

HIPAA breaches

The guidance provides clarification on whether a ransomware infection constitutes a HIPAA breach. A breach under HIPAA is any acquisition, access, use, or disclosure of PHI in a manner that is not permitted under the HIPAA Privacy Rule and that compromises the PHI’s security or privacy.

Prior to the release of the HHS guidance, instances of data exposure that revealed individuals’ PHI would be considered a HIPAA breach, says Justin Jett, director of compliance and auditing at Plixer International, a Kennebunk, Maine-based security analytics company. However, at that point, one could have made the argument that ransomware wouldn’t technically be considered a breach since it encrypts data rather than exposing it.

Now, according to the new guidance, if a ransomware infection encrypts electronic PHI that was not encrypted prior to the incident, a breach has occurred. The guidance reasons that the PHI has been "acquired" because hackers have taken control or possession of it. In these cases, the hospital must then undertake a risk analysis and, when applicable, comply with the breach notification requirements and notify individuals affected, HHS, and the media.

However, if the hospital had previously (prior to the ransomware attack) encrypted the PHI in a manner that would render it unusable, unreadable, or undecipherable to an unauthorized individual, there is a possibility the ransomware attack wouldn’t be considered a breach.

"I interpret this guidance as removing the loophole of ransomware not actually looking at the data. Since malware changes over time, it’s within the realm of possibility that ransomware will target [PHI] and exfiltrate the data once found. The new guidance states that if the ransomware is unable to actually see the protected healthcare information in cleartext (not encrypted), then it is not a reportable breach," Smith says.

Even in these cases, the guidance says additional analysis would be required to determine if the PHI was sufficiently encrypted prior to the attack. Goldstein says this emphasizes the need for a risk analysis whenever there is a security incident. He further noted that HHS may have included this guidance so covered entities could not view the ransomware’s own encryption of the data as protection against that data being compromised.

"In those cases, the data is technically encrypted by virtue of the ransomware, but it’s not encrypted by the covered entity; it’s encrypted by someone else who controls that encryption. It shouldn’t be viewed as encryption for the purposes of your risk analysis," Goldstein says.

 

Prevention and recovery

To better prevent ransomware, Jett says all staff should be appropriately trained on email and web security as most malware and ransomware comes from those sources. Additionally, companies should invest in heightened email security solutions, like anti-spam firewalls, which will help prevent the most obvious attacks from getting to employees’ inboxes.

The HHS guidance suggests that since HIPAA requires the workforces of covered entities to receive security training on detecting and reporting malware, employees can assist with early detection of ransomware by spotting indicators of an attack. These warning signs could include unusually high activity in a computer’s CPU as the ransomware encrypts and removes files, or an inability to access files that have been encrypted, deleted, or relocated.

Even if hospitals are vigilant, ransomware attacks may still occur. Again, the guidance suggests that HIPAA compliance may help hospitals recover from ransomware attacks due to HIPAA’s mandate for frequent backups of data.

Goldstein warns, however, that some variants of ransomware can lie dormant for a period of time in order to migrate across systems, including into data backups. Many hospitals and companies keep hot backups as part of their disaster recovery plan. These backups can be automatically or manually switched on if a system goes down. If ransomware has infiltrated a backup, the backup’s data could also become compromised and encrypted by the ransomware as soon as it’s activated.

"The important thing about dealing with the impact of ransomware is that it may require additional or different protections compared to what other malware requires to avoid or mitigate its ill effects," he says.

 

Recent ransomware attacks

All types of malicious software attacks are on the rise, but ransomware has recently received more high-profile media coverage, says Doron S. Goldstein, partner and co-head of privacy, data, and cybersecurity practice at Katten Muchin Rosenman, LLP, in New York City. "Ransomware has certainly gotten more coverage lately because of the potential damage, and the sophistication of some of these attacks has increased," he says.

The following are a few of the recent ransomware attacks that made headlines:

Hollywood Presbyterian Medical Center: In February, this Los Angeles hospital paid hackers the equivalent of $17,000 in bitcoins to regain access to its computer system, according to the Los Angeles Times. The malware prevented hospital staff from accessing their system for 10 days by encrypting its files; once the hospital paid the ransom, it was given a decryption key to unlock the files. In a statement, CEO Allen Stefanek said paying the ransom was the quickest way to restore the hospital’s systems.

Chino Valley Medical Center and Desert Valley Hospital: In March, hackers targeted these southern California hospitals by infiltrating their computer systems with ransomware. A spokesman for the two hospitals, which are part of Prime Healthcare Services, Inc., said technology specialists were able to limit the attacks so both hospitals remained operational, no data was compromised, and no ransom was paid.

MedStar Health: Also in March, this Columbia, Maryland-based system was targeted with ransomware that encrypted the system’s data. According to the Baltimore Sun, the hackers demanded that MedStar pay three bitcoins, worth approximately $1,250, to unlock a single computer, or 45 bitcoins, the equivalent of about $18,500, to unlock all of its computers. MedStar refused to pay the ransom, and staff at its 10 hospitals and more than 250 outpatient centers resorted to using paper records while system access was restored.

Kansas Heart Hospital: In May, hackers infected the network system of this Wichita hospital with ransomware. According to local CBS affiliate KWCH12, the hospital paid an undisclosed portion of the ransom demanded but the hackers refused to return full access and demanded a second payment. The hospital announced that it had refused to make the second payment and would work with its IT team and external security experts to restore access to the rest of the system.

 

Exciting updates: More content, tools, and news at your fingertips!

The challenges healthcare professionals tackle each day don’t wait for solutions, and neither should you. That’s why Credentialing & Peer Review Legal Insider (CPRLI) is transitioning to a more frequent and robust publishing model this fall by combining with the Credentialing Resource Center (CRC)’s flagship publication, Credentialing Resource Center Journal (CRCJ), to create a single source for all your credentialing, privileging, peer review, and legal news, tools, and best practice strategies.

Your updated member benefits gain you access to expanded content and tools on CRC, with new resources added weekly to the website (www.credentialingresourcecenter.com). Plus, as a CRC member you gain instant access to over 300 clinical privilege white papers, core privileging forms, Medical Staff Talk, and Credentialing Resource Center Daily (CRCD), CRC’s daily e-newsletter for medical staff leaders and MSPs. If you are already a CRC member, you will continue to receive the news and analysis you’ve come to rely on, plus expanded member benefits this fall.

To help readers keep tabs on available content, we will announce new articles in CRCD. At the end of each month, we’ll roll the corresponding weekly articles into a digital issue of the newly expanded 16-page CRCJ that mirrors the current digital format. As a member of CRC, you can continue to download and print high-quality PDFs of the current issue, as well as several years of back issues of CRCJ and CPRLI, directly from CRC’s website. We’re looking forward to delivering your peer review and credentialing guidance in a timelier, more efficient, and more convenient manner.

Stay tuned for additional details as we near implementation. In the meantime, feel free to contact Editor Son Hoang at [email protected] with any questions.

 

Case summary

Maine supreme court upholds immunity for CVO questionnaire

The Supreme Judicial Court of Maine (the "Court") upheld a superior court’s ruling granting immunity to two physicians who provided negative comments regarding a third physician when they responded to a questionnaire from a credentials verification organization (CVO).

The decision stems from a dispute where Kevin F. Strong, MD, sought damages from Rebecca M. Brakeley, MD, and Jonathan M. Bausman, MD, alleging defamation and tortious interference with his business relationship with St. Mary’s Regional Medical Center in Lewiston, Maine.

In 2013, Strong applied for staff privileges at St. Mary’s, which reached out to its contracted CVO, Synernet, to collect, verify, and dispense Strong’s credentialing information. Synernet sent professional reference questionnaires to Brakeley and Bausman, who completed and returned them. Synernet forwarded the responses to St. Mary’s, which ultimately chose to deny staff privileges to Strong. Strong subsequently filed his complaint in the superior court against Brakeley and Bausman, claiming the denial was a result of negative comments in their questionnaires.

In court, Brakeley and Bausman argued that their statements were entitled to absolute immunity pursuant to Section 2511 of the Maine Health Security Act and filed a motion for summary judgment. The superior court granted the motion, and Strong appealed.

Strong made several arguments for why Brakeley and Bausman’s statements didn’t meet the criteria for immunity, but the Court rejected his interpretation of the statute.

In its decision to affirm the superior court’s summary judgment, the Court discussed the language of Section 2511 and its three subsections, which outline the circumstances when a physician is afforded immunity from civil liability, and why Strong’s interpretation was incorrect.

Central to Strong’s argument was Subsection 3 of the statute, which states that physicians "assisting the board, authority, or committee in carrying out any of its duties or functions provided by the law" are afforded immunity. Strong argued that Synernet was not a board, authority, or committee and therefore Brakeley and Bausman were not immune. However, the Court interpreted that subsection to include professional competence committees, which the Maine Health Security Act defines to include "[e]ntities and persons, including contractors, consultants, attorneys and staff, who assist in performing professional competence review activities."

Since St. Mary’s contracted with Synernet to collect, verify, and dispense credentialing information for its competence review process, the Court concluded Synernet qualified as a professional competence committee and therefore was a board, authority, or committee pursuant to the statute.

Strong also interpreted the language of Subsection 3 to mean that it only provided protection to a physician if he or she was a member of the board, authority, or committee. The Court found this interpretation illogical as it twisted the meaning of the subsection from protecting the acts of the physician providing assistance to instead protecting the committee receiving the assistance.

 

Source:

Strong v. Brakeley, Docket No. And-15-260 (Me. Apr. 21, 2016).

 

HCPro.com – Credentialing and Peer Review Legal Insider

NP in Credentialing Process

Can anyone give me some advice on if we are in compliance by allowing our NP who is in the process of being credentialed (apps already submitted) to see the patients on her own without the provider going in the rooms with her but who is readily available to answer any questions she may have, provider at the end of the day reads over her chart notes and signs off himself and then it’s billed as incident-to. We want to make sure that we are staying in compliance and doing everything by the books, any advice?

Medical Billing and Coding Forum

Credentialing question

We have had some issues getting credentialed with Medicare. Our group effective date is 7/31/17, but our provider (we only have 1) is not assigned to the group effective until 10/1/17. Does anyone know of a way to get the claims from 7/31/17 to 9/30/17 processed without the provider’s name on the claim? My knowledge tells me there needs to be a rendering provider’s name on the claim, but I just would like to be sure before writing off these claims.

Thanks in advance!

-Sheryl M.

Medical Billing and Coding Forum

Contract Billing and Credentialing from Home

Certified Coder and experienced billing and credentialing from home. Current knowledge of navigating current, complicated billing procedures and guidelines. Would love to talk to small, independent practice. If in the Dallas area, would be available to meet regularly in the office.

Medical Billing and Coding Forum

How Medical Credentialing Can Reduce Healthcare Costs

We all know that there are a lot of extra costs that go into healthcare besides just what we pay for insurance. Medical malpractice is a huge issue, whether there was malpractice or not. So what are hospitals doing these days to help with all of these extra costs in healthcare?

One big step that a lot of hospitals have taken is medical staff credentialing. If you’ve never heard of credentialing, here’s the basic idea: before a doctor or physician can perform a procedure in a hospital they have to have the credentials to do so. So basically it’s a way that the hospital can make sure the doctor is really qualified to do what they are trying to do.

So how does this help the healthcare system? Well, there are a couple of ways this helps:

First, it cuts down on patient injury by real malpractice. Credentialing keeps unqualified doctors from doing a procedure they shouldn’t be doing. If you don’t have the credentials, you don’t do the procedure.

Secondly, it saves on time and expense of investigations. There is a lot of money lost by taking the time of healthcare professionals to track down what happened and why. If there are fewer incidents, there is less cost.

There are other reasons as well, but these are some of the main reasons why credentialing is a good idea. If any hospitals are not currently using this type of system, they really should.

The other great thing for hospitals is that there are companies that have developed software that will help them to track the credentials that a doctor has. This way they don’t have to run to the filing cabinet and waste time, they can pull the file up immediately and know whether a doctor is qualified or not.

While medical staff credentialing is not the one thing that will fix the extra costs in our healthcare system, it can definitely help. With costs going up every year, anything hospitals can do to reduce the cost of malpractice is a good thing.

Medical staff credentialing is a great way for hospitals to reduce malpractice costs and make sure that your staff is qualified and competent to do what they are supposed to be doing. All hospitals should have a medical credentialing system in place!