Browsing articles from "May, 2012"

Payment Issues: Avoid Delays in Treatment

Hotline, Patient Issues, Practice Issues // No Comments

Hans Bruhn, MHS, OMIC Senior Risk Management Specialist

Digest, Winter 2011

By the time a patient is referred and examined by an ophthalmic specialist, he probably has already been seen by a primary care physician and a general ophthalmologist. Most health insurers require patients to go through a referral process before they can be seen by a specialist. This can be problematic if the patient’s eye condition requires rapid diagnosis and treatment by the specialist. Critical care can also be delayed when patients do not have health insurance and cannot pay out of pocket for these services. When delays in critical care result in less than desired or poor outcomes, some patients will file a claim against the specialist and all referring health care providers, alleging failure to provide timely treatment.

Q Can I withhold care because of a patient’s inability to pay (including co-pays)?

A This is always a tricky situation. Ophthalmologists may be required to collect co-pays or deductibles by third party insurers. If emergent care is needed, we recommend separating payment issues from decisions about care. Proceed with providing as much care as possible and sort out the financial issues after the patient is stable. This will avoid delays in treatment and reduce the risk of a claim. Notify the insurance company of the urgent care situation and the patient’s inability to pay the co- payment. The insurance company may allow you to waive the co-payment; however, waiving fees without first checking with the insurer can jeopardize your provider contract. You should make a reasonable effort to work out a payment plan with the patient; document your efforts and the results.

You may have less control over the situation in a surgical facility or hospital setting that requires payment up front as a condition of admission. But before you send the patient elsewhere, act as the patient’s advocate. Explain to the facility the urgent nature of the required treatment and ask if it will work out a payment plan with the patient. If not, promptly refer the patient to another facility that may be willing to do so. If all attempts fail, it may be necessary to refer the patient to the local emergency room, where federal law mandates that treatment be provided. Throughout this process, keep the patient informed about your efforts on his behalf. This will help reduce the likelihood that you will be perceived by the patient as withholding care. Document carefully.

Q During follow-up, I noted that a patient I first saw in the ER needed surgery. Since I am not part of her HMO, I promptly called her primary care physician to secure a referral to a participating ophthalmologist, but the PCP was out of town. What action should I take?

A Advise the patient about the situation (PCP is not available; surgery is needed and you are not in her insurance provider network). If the patient elects to pay out of pocket, get that in writing and proceed with care. If not, help the patient find another provider to assume care. Contact her HMO directly and request a referral to another ophthalmologist. Once another provider is identified, contact that new physician and facilitate transfer of care along with patient authorization and your recommendation for surgery. Advise the patient of your actions and document accordingly.

Q A patient that I have been treating since June 2008 has developed a serious corneal ulcer (OS), possibly fungal. I prescribed Natamycin drops, but the patient has not gotten the drops and has canceled follow-up appointments because of the cost. The patient is blind in his right eye, and now his left eye is compromised with this serious condition. Am I obligated to continuing seeing him?

A Contact the patient and tell him of your concern. Explain that many patients are having trouble affording care and ask if his financial situation is keeping him from getting the care he needs. Advise him of the seriousness of his eye condition, including the consequences of not using the drops you prescribed and not coming in for exams. Given the urgency of the situation in this functionally monocular patient, encourage him to come in to see you so you can conduct an exam and provide care, including drops, if possible. If the patient is still reluctant to see you, ask if there are any relatives to assist him. Offer to set up a payment plan for incurred medical expenses. As a last resort, advise the patient to go to the nearest emergency room for care. If the patient refuses, document your discussion and send a letter reiterating your recommendations and explaining again the consequences of not getting care. If the patient does not respond to your discussions and letter, consider sending OMIC’s “noncompliance” letter, which gives the patient one last chance to come in for care before the physician-patient relationship is terminated.

Contact OMIC’s Risk Management department for assistance or visit our web site, www.omic.com, for our recommendation “Discontinuing Treatment for Financial Reasons and Noncompliance Guidelines.”

Message from the Chairman

Articles // No Comments

My biggest concern as a physician,

and one shared by most clinicians, is that a decision made or a procedure performed results in harm to a patient, leading to pain and suffering, and perhaps adversely affecting quality or length of life. Most patients understand and accept the reality that events occur in the practice

of medicine that fail to salvage vision or restore function. However, patients do not give consent to procedures expecting that they will result in loss of sight, loss of the eye, or injury. Fortunately, such events are rare. After experiencing an adverse outcome, an honest surgeon will ask himself or herself privately, “Did I do something to cause this? Was this my fault? Did I make a mistake? What if I had done things differently?”

Patients who have been harmed, their friends, and family members ask the same questions. Their assessment and answers to those questions are the basis of medical liability claims. It is left to the courts and juries to determine if the complication results from “malpractice” as defined by the courts. All too often, an acceptable complication that occurs in the normal conduct of medical practice results in a claim, particularly when there is observable physical damage, pain and suffering, or financial loss. Physicians may feel cheated if a settlement is paid out when they are certain that everything was done correctly and within acceptable standards of care. However, one can’t escape the reality that a patient lost an eye or vision, suffered a stroke, or passed away in the course of treatment. Even when an adverse outcome is the result of maloccurrence, not malpractice, juries often take the approach that someone has to pay. That “someone” is usually the professional medical liability insurance carrier, which provides protection for physicians both when there is clear evidence of wrongdoing and when there is a settlement in the absence of malpractice. This coverage provides a safety net for patients who have been harmed and protection for the physician’s assets.

When a claim comes in to OMIC, investigation and defense of the claim falls to the claims department headed by Mary Kasher, MSN, JD. Insureds are familiar with OMIC’s outstanding claims history: average indemnity 18% lower than average ophthalmology indemnity reported by other carriers; 79% of cases closed with no indemnity payment; expense per closed claim 30% below industry average; 85% win rate at trial. This remarkable record reflects Mary’s experience and direction and the dedication and skill of senior litigation analysts Ryan Bucsi, Richard Isom, Stacey Meyer, and Randy Morris. This team of claims specialists serves as the intermediary between the attorney and doctor, supervising each claim in their respective geographic jurisdiction and leading each ophthalmologist through the litigation process from beginning to end.

Mary’s biggest challenge has been finding outstanding attorneys in each of the 49 states where OMIC insures ophthalmologists and educating them about the specialty so they could knowledgeably and skillfully defend insureds.

Mary’s approach to claims defense is shared by the OMIC Board and senior leadership: If a doctor is not negligent, provide the best defense possible, and settle those cases that need to be settled early and fairly.

John W. Shore, MD Chairman of the Board

Message from the Chair/CEO

Message from the Chair // No Comments

John Shore, MD

This summer I was flying on Southwest Airlines and picked up the June issue of Spirit, the magazine published by the carrier. It contained several articles celebrating the airline’s 40th anniversary. The lead article, “40 Lessons to Learn from Southwest,” intrigued me. Each lesson was a vignette on an aspect of the company that senior management felt was important to its success. As I was reading, I realized that several lessons could be applied to OMIC’s success.

Target the overcharged and underserved. OMIC helped lower malpractice premiums in many states where ophthalmologists were subsidizing higher risk specialties.
The Web ain’t cool, it’s a tool. OMIC was an early adapter of web technology as a vehicle to disseminate risk management documents to a nationwide audience of policyholders. Every year, thousands of risk management documents are accessed through OMIC.com.

See your business as a cause. Not only does OMIC provide liability insurance, it partners with the American Academy of Ophthalmology and other ophthalmic organizations to improve quality of care for ROP, LASIK, and other eye care services ophthalmologists provide.

Beware of imitators but take them as a compliment. Many other insurance carriers have adopted OMIC’s underwriting guidelines and use our risk management information for their insured ophthalmologists.

In 2012, OMIC will celebrate its 25th year of providing professional liability insurance for members of the American Academy of Ophthalmology and risk management education for ophthalmologists worldwide. OMIC has enjoyed phenomenal growth and success during its 25-year history that parallels Southwest Airlines in certain respects.

Of course, OMIC doesn’t compare in size and capitalization to Southwest Airlines, yet there are similarities worth mentioning. Both companies were started in response to unfavorable market forces and a desire to provide an alternative to existing providers in their industry. Both companies struggled in the beginning to overcome tremendous roadblocks to success. Both companies stuck to their core principles and goals and grew the company from within under the direction of dedicated leaders and the support of loyal employees. Both companies had strong, intuitive, and tenacious executive leadership. In the case of Southwest, it was Herb Kelleher and Rollin King who directed its early growth and established its corporate branding. In OMIC’s case, Bruce Spivey, MD, and Reggie Stambaugh, MD, were the glue that held the company together through the early years. They established the corporate structure that would blend the company’s board of directors and staff into a successful team.

Southwest Airlines and OMIC have earned the respect and loyalty of a growing customer base and, as a result, both companies have cornered substantial market share within their respective industries. With growth and success comes the responsibility of living up to one’s reputation. And this, I believe, is another goal both companies share.

Finally, Please view my good friend and colleague, Tamara Fountain in this new video by the Academy. A true star indeed!

John W. Shore, MD Chairman of the Board

RAC Audit. Cyber/eMD Breach. Who Ya Gonna Call?

Articles, Landing Page Main Post // No Comments

Robert Widi, VP Sales

The Obama Administration continues to focus energy on fighting fraud & abuse within healthcare under the “Campaign to Cut Waste” established nearly three years ago. By some estimates, the government has recovered $7 in fraudulent payments for every $1 spent on the program so far. The Department of Justice recovered over $2.8 billion in healthcare fraud in 2011 and began prosecutions for more than $1 billion in newly identified fraudulent claims.

The focus on healthcare fraud is no surprise given the government estimate of $90 billion in fraudulent payments of CMS’s funds each year. Until recently, however, most claims activity has targeted large hospital networks and facilities rather than smaller private ophthalmic practices. But this is changing.

To date, OMIC has recorded approximately 300 claims against our insureds for Medicare/Medicaid and Commercial Payor billing errors (“fraud and abuse”) allegations.

OMIC was one of the first malpractice carriers in the United States to include regulatory coverage within its malpractice policy. Called BRP (Broad Regulatory Protection) and eMD (Cyber Liability and Patient Notification Protection), policyholders are provided with a benefit sublimit that covers billing errors allegations as well as many other regulatory and electronic data liabilities.

Billing allegations covered:

Billing for services not performed
Upcoding of services
Inadequate documentation to support the services provided
Use of incorrect CPT codes
Unbundling or fragmentation of services
Providing medically unnecessary services

Other covered perils under BRP:

HIPAA Privacy laws
EMTALA
DEA
Stark Act
Red Flag
HITECH
Gramm-Leach-Bliley regulations
FTC and Fair Credit Reporting Act
eMD Network Security
Patient Notification and Credit Monitoring
Data Interference
Data Recovery

Coverage limit: $50,000

For more information on the OMIC BRP and eMD coverage benefits go here.

HIPAA-proofing Your Smart Phone or Mobile Device

Articles, Landing Page Main Post // No Comments

In recent months OMIC has noted a surge in regulatory and HIPAA Privacy claims, especially involving malicious acts by disgruntled employees and unhappy patients.

In one case, a physician’s smart phone was compromised and more than 30 unauthorized breaches were recorded in one four hour period, requiring the practice to notify hundreds of patients of a potential release of their medical information. They also were required to report the incident to government authorities in order to comply with HIPAA requirements.

See here for HIPAA Security Rule.

While some of the costs associated with data breaches may be covered by your insurance (See here for information on OMIC’s BRP and eMD policy benefits) the damage to your reputation would be difficult to measure not to mention the time you and your staff must devote to addressing the issue.

Interestingly, a leading security firm recently “lost” 50 phones to track the behavior of those who found the phones. Of the 50% of the phones that were actually returned, 43% attempted to gain access to a banking app, often attempting to “guess” the login code based on other data accessable on the phone and 80% tried to access folders titled “HR Salaries” “HR Cases” and “saved passwords.”

Unauthorized access to sensitive information on your device would be considered a HIPAA Privacy violation. And while a data breach or HIPAA violation could be the result of a deliberate act of a person intentionally trying to harm you or your practice, it may also simply arise from the loss or theft of your mobile device.

Steps you can take to HIPAA-proof your smart phone:

1. Activate Phone Passcode. Choose a four-digit passcode that would be difficult to easily guess. Don’t use birthdates, street address numbers or anything else that would be obvious if a person was able to identify you and guess basic “expected” codes from an internet search. Your phone will often have a setting that, when turned on, will wipe all information from the phone if the wrong code is entered more than a set number of times. (I have my iPhone set to 10 wrong codes triggers phone data wipe-out). Turn this setting on.

2. Don’t Use Email. Regular email communications are rarely encrypted and should never be used for transfer of HIPAA protected information. Email accounts are easily breached and would almost never provide defensible protections for sensitive medical data or attachments if a HIPAA Privacy claim were filed against you or your practice. If you are sending sensitive information unencrypted, stop now, and use a cloud-based encryption service or VPN only.

3. Set “Required Login” for Apps. Some applications will save your information so that after you log in once on your smartphone you will no longer have to enter the login information for subsequent visits. Although convenient, this would make it easy for anyone gaining access to your phone to also potentially gain access to HIPAA protected information. Make sure that for any app that delivers sensitive data to your device, the settings require physical login credentials each time you enter the app.

4. Download an Encryption App. There are many cloud-based applications you can use to encrypt the data that is being transferred to and from your device but you also need to protect information that is downloaded or resides on your device itself. Therefore if you will download any sensitive information to the device itself, use this type of app. Encryption apps generally run from a buck or two to over $50. There is even a call encryption app for $1,600 that meets FBI standards! (You probably don’t need that one). These apps are available for both Apple and Android phones and they are of varying quality so research online and read app reviews for more information. Simply search for “encryption” in the app store. Your HIPAA-related texts, messages, and images that are downloaded to your device will be encrypted again, requiring another password. This is important since any previous encryption during transfer from a cloud server to your device would most likely not protect the data once it is downloaded to your phone. These apps can be configured to encrypt all data or only certain selectively identified folders, images, or documents.

CLOUD 101:

First, go here to learn about encryption.

“Off-the-Shelf” Cloud Apps: Cloud technology uses the same security as your bank to encrypt and protect data. Search for one that is HIPAA compliant or certified. OMIC does not endorse third-party products, however one popular app is Citrix Sharefile. There may be other HIPAA compliant (or certified) applications that are comparable or superior to Sharefile so do a thorough search before deciding on which service to use. Information sits behind a cloud-protected server. If you wish to share information with another physician, you can send them an invitation and they would receive an email with a link to the cloud-based confidential information.

Personal VPCs and VPNs: If you have installed electronic medical records (EMR) software, your vendor may already have a cloud-enabled HIPAA compliant encryption solution for you such as a VPN (Virtual Private Network) or a VPC (Virtual Private Cloud) and you may not need to search for separate software. They most likely will have discussed this with you during implementation of your EMR system. If not, ask them to describe in detail how sensitive information is protected. VPNs are basically protected private “intranet” networks within the internet that are set up to securely access your practice’s networked computer system. See this HHS article about EMR remote access liability.

Cloud vs. VPN?

There may be reasons you do not want to ever send HIPAA-protected data electronically, however that is becoming almost impossible in today’s web-based world. Many legal and health experts agree that if data is to be transferred, encryption within VPN or VPC would be preferable to completely unprotected email or text communications.

A VPN enables you to extend your own network across one that isn’t necessarily secure (i.e. the internet). You would use VPN for access to your practice’s internal network from your home or when traveling and you would use it to transfer information securely from one computer to another, maintaining confidentiality of data and identity.

Cloud computing (VPC) enables you to send data into the cloud, often using VPN encryption technology as a foundation. Clouds have enhanced capabilities that may not be available in a simple VPN environment however data security in a cloud context depends on who manages the cloud, how easily you can access data, whether the cloud is HIPAA compliant, and who else might have access to it.

ONE MORE TIP: Don’t let your judgment be clouded. You should not assume that “clouds” protect information sent to your device. While the transfer of information may be encrypted, information does “sit” on your phone temporarily. In addition to enacting the “required login” for cloud apps, you should also immediately exit these apps when you are not actively viewing them.

As outlined above, your efforts to limit access for your sensitive data including the passcode for the phone itself, encryption apps for sensitive documents, and protection during access to cloud-based apps or VPNs are all part of a “layered” approach that will help defend your practice against allegations of insufficient HIPAA-related data protocols.

Although a serious “hacker” may be able to penetrate many or all of the individual protections you employ, the more walls you build the more likely a person with a electronic forensic background would simply choose to move on to the next “unprotected” device. Similar to a steering wheel lock or house alarm, the technology is not the primary issue here, but rather a few simple steps that may make a potential criminal feel their time would be better spent moving on to next device.