Prescriptives from the Consulting Cabinet 2012, Vol. 6
Do you see black clouds but not recognize the storm?
On a recent trip to Disney World I was amazed at the number of people who were caught off guard by a rain storm. My amazement was based upon the following observations:
• It had been raining all week.
• The forecast had called for a 90 percent chance of rain.
• The clouds were black and menacing all day.
So why were the people caught off guard when they heard the rumble of thunder and the rain began? All of the warning signs were there. Did they just choose to ignore them?
Over the past several months I have seen various practices deal with risk management issues. As I assist with resolving these issues, I wanted to address the detection and prevention of risk. In this volume of Prescriptives from the Consulting Cabinet, I will provide you with five steps to help keep risk in your sights.
Also, please engage with me on Twitter at irabedenbaugh or on LinkedIn. Through these channels, I routinely share additional thoughts on healthcare and leadership.
-Ira
Five Steps to Keep Risk in Your Sights
#1 – Compliance Program: The phrase “compliance program” might cause some of you distress. However, a well-developed compliance program need not be overwhelming or complex; it only needs to address the issues facing your practice. In 2005, the Centers for Medicare and Medicaid Services issued guidance for “fee for service” contractors to assist in developing a compliance program. If you do not have a compliance program in place, this document will be a good starting place in helping you to understand the key components.
#2 – Privacy and Security Officer: HIPAA requires that each covered entity have a privacy and security officer. While the responsibilities of each officer differ, the end goal of each is to reduce the covered entity’s HIPAA risk exposure. If you do not have either a privacy or security officer, the US Department of Health and Human Services has a website that would be a good resource.
#3 – Assessments: If you are struggling to “get your arms around” your practice’s risk exposure, having a risk assessment performed is a great way to get started. This assessment can be performed by a third party and will assess your practice’s compliance with specific regulations.
Recently, Elliott Davis has provided IT risk assessments for several covered entities as part of their compliance program with the security rule of HIPAA. Upon completion of the assessment, the covered entity was able to identify their risk exposure and properly allocate resources to reduce or mitigate their risk.
#4 – Training: I know I have written about training in prior Prescriptives, but I cannot stress its importance enough. As the old saying goes, “you do not know what you do not know.” If you have never educated your staff about risk and your position on risk, they will be unable to recognize risk. To read my previous newsletter in which I identify “Five Ways to Improve Your Training Program,” click here.
#5 – Awareness: The last component is to be aware of ongoing risk management issues. I have found that an easy way for me to stay updated is to subscribe to various e-mail alerts or mailing lists. While they will not educate you on the topic, they will make you aware and redirect you to additional educational material should it be appropriate for your entity.
Q&A from Prescriptives Volume 5
Click here to read Prescriptives Volume 5, Five Ways to Improve Your Training Program
Q: Should we notify all of our insurance payers after we make revisions to our Business Associate Agreements or just common vendors?
A: First, it is important to understand the difference between a business associate and a covered entity. A business associate is a person or entity that requires protected health information (PHI) to provide a service to your organization. A covered entity is a healthcare provider, health plan, or healthcare clearinghouse, and their use of PHI is directly related to treatment, payment, or management of care. Business Associate Agreements are useful to obtain assurance that PHI will be appropriately safeguarded; however, in this case insurance payers would fall in the category of a covered entity. Business Associate Agreements are needed with anyone or any organization to which you disclose PHI that is not a covered entity. All business associates with whom you have a Business Associate Agreement should be immediately notified of revisions to that contract.
About Ira
Ira Bedenbaugh: As chair of Elliott Davis’ Medical Consulting Practice, Ira assists physician practices and hospitals with their strategic initiatives, daily financial management and operational needs. A frequent speaker with more than 13 years of experience in the medical consulting field and 10 years in practice administration, he understands the inner workings, external pressures, challenges and opportunities that practices face.
Phone: 864.552.4715 | Email: ibedenbaugh@elliottdavis.com