Physicians including anesthesiologists are fleeing private practice and there are now two more reasons why this trend is likely to continue or even accelerate: Governmental audits and breaches of protected health information (PHI). Audits and PHI are on the rise in physician’s practices which are threatening revenue streams at levels never seen before due to fines and penalties.
Audits are on the rise in regards to governmental and other third party payers, pre-payment reviews by Medicare Administrative Contractors (MACs) are the dominant activity in practices thus far. The second audit risk comes from Recovery Area Contractors (RACs) who are ramping up their presence for anesthesia practices especially in the hospital setting. While both threaten the anesthesia practice revenue stream, the MACs pose a greater revenue cycle issue. MACs pend claims upon submission. Reimbursement to the practice is held while the case is reviewed. MACs also have no limit to the number of cases they can audit, whereas RACs have a legally mandated limit.
There are two “best” practices for dealing with all audits. The first is an automated tracking system that manages timelines and status of all audits. Most practices are either handling this manually or in an Excel spreadsheet. The second best practice is to bolster clinical documentation improvement efforts. Improving documentation minimizes auditor red flags and provides quick justification for medical necessity and payment.
The cost of a PHI breach is going up. Statistically, breaches of PHI are going to happen to every practice. However the risk of breach shows considerable variance due to some practices have the technology, policy and procedures and education to mitigate their risk while others pay lip service to the issue. The enforcement of breach reporting with fines and disclosure notification is becoming much more onerous with the possibility of up to $1.5 million fines per incident. Most breaches are caused by human error through staff carelessness and forgetfulness. Best practice is full encryption at the drive level-not the file level. If electronic PHI is lost or stolen in an encrypted format, it is not considered a reportable breach. Encryption is just part of the full policy and procedure program that practices must train their staffs to implement. This is not a situation where practices can write policy and procedure manuals and keep them on the shelf collecting dust. They must be living documents, which are regularly updated and presented to staff in an educational setting. The costs of breaches also include patient notification, potential bill write-off, credit monitoring/identity theft monitoring and legal fees, as well as time and effort of staff and management.
If there is a breach and practices can demonstrate they took the necessary steps to prevent disclosures, the penalty can be mitigated-perhaps even avoided. Efforts should include:
1)Detailed policy and procedures
2)Regular staff training
3)Ongoing internal audits
4)A plan for response to incidents
5)Detailed risk assessments
6)Detail record kept of the facts surrounding disclosures, particularly dates of events
As audits and breaches increase they will become a much great thereat to the practice’s profitability.
Staff and resources should be bolstered now before the auditors and attorneys come knocking.