Email and Protected Health Information

Business Email Compromise (BEC) is a type of attack on company email systems where the hacker’s goal is to gain access to an email system and search for data that can be used to commit fraud.

In the healthcare industry, fraudsters are committing BEC to steal protected health information (PHI). Why? Because PHI has many use cases, unlike credit card and account data, which are only useful until the victim cancels the credit cards and accounts. PHI such as a “Face Sheet” typically contains a treasure trove of information that can be used to commit medical services theft, Medicare/Medicaid fraud, fraudulent insurance billing, and income tax fraud, to name a few.

Healthcare companies and their employees are required by HIPAA to protect PHI. You can do your part to protect PHI from BEC by taking the following actions:
• deleting emails containing PHI as soon as they are no longer necessary to retain,
• never sharing your password with anyone,
• changing your password regularly using strong passwords, and
• before clicking any link – STOP. LOOK. THINK.

Ten Simple HIPAA Tips

  1. Discuss PHI (protected health information) only where you cannot be easily overheard.
  2. ePHI should not be saved on unencrypted devices such as laptops, desktops, servers, USB drives, etc.
  3. When leaving your workstation unattended, log off or manually lock your workstation.
  4. Computer equipment should not be left unsecured such as in an unattended vehicle or hotel room.
  5. PHI should not be left on a copier or scanner unattended.
  6. Paper PHI should be disposed of properly by shredding.
  7. Keep passwords safe. Do not write down or share your password.
  8. Double check fax numbers and email addresses to ensure you have the correct information before faxing or emailing PHI.
  9. Patient photos or stories require a signed authorization prior to taking or using. Authorization forms can be obtained on the Reliant portal.  
  10. Report suspected HIPAA violations to your supervisor or the company privacy officer.  Reliant employees may contact their Privacy and Information Security Officer at privacy@reliant-rehab.com.

HIPAA Happenings: Holiday Phishing

Cyber criminals take advantage of the holidays to disguise their phishing campaigns and malware as seasonally accepted email. Requests for donations to fraudulent organizations, bogus holiday advertisements, and emails posing as package delivery services are common this time of year.
Click here to view a real example of a phishing email impersonating Federal Express.

What to Do If You Suspect You Are a Victim of Phishing:

  • Change your password immediately.
  • Contact your IT Department.
  • For Reliant employees, contact support@reliant-rehab.com or call 225-767-7670.

CMS’ FY 2020 SNF PPS Final Rule Released

Yesterday, the Centers for Medicare and Medicaid Services (CMS) issued the FY 2020 Skilled Nursing Facility (SNF) Prospective Payment System (PPS) Final Rule, which will take effect on October 1, 2019. 

This final rule updates the payment rates used under the prospective payment system (PPS) for skilled nursing facilities (SNFs) for fiscal year (FY) 2020. CMS has also made minor revisions to the regulation text to reflect the revised assessment schedule under the Patient Driven Payment Model (PDPM). Additionally, CMS revised the definition of group therapy under the SNF PPS, and implemented a subregulatory process for updating the ICD-10 code lists used under PDPM. Finally, the final rule updated requirements for the SNF Quality Reporting Program (QRP) and the SNF Value-Based Purchasing (VBP) Program.

Below are a few highlights from the final rule: 

  • The federal rates in this final rule reflect an update to the rates that CMS published in the FY 2019 SNF PPS final rule, which reflects the SNF market basket update, as adjusted by the multifactor productivity (MFP) adjustment, for FY 2020.
  • The SNF market basket percentage is 2.4 percent for FY 2020, which is an increase in payments of $851 million compared to FY 2019. This estimated increase is attributable to a 2.8 percent market basket increase factor with a 0.4 percentage point reduction for the multifactor productivity adjustment. This is a decrease from the proposed update of 2.5 percent and $887 million.
  • Effective October 1, 2019, group therapy will be defined as “a qualified rehabilitation therapist or therapy assistant treating two to six patients at the same time who are performing the same or similar activities.”
  • CMS is not finalizing its proposal to expand data collection for SNF QRP quality measures to all SNF residents, regardless of their payer. 
  • CMS is finalizing as proposed, without modification, the process for updating the ICD-10 code mappings and lists associated with PDPM. As proposed, the subregulatory process for updating the ICD-10 codes used under PDPM will take effect beginning with the updates for FY 2020.   
  • The Final Rule updates requirements for the SNF QRP, including the adoption of two Transfer of Health Information quality measures and standardized patient assessment data elements that SNFs would be required to begin reporting with respect to admissions and discharges that occur on or after October 1, 2020. 
  • CMS is finalizing its proposal to exclude baseline nursing home residents from the Discharge to Community Measure.
  • CMS is finalizing its proposal to publicly display the quality measure, Drug Regimen Review Conducted with Follow-Up for Identified Issues, under the SNF Quality Reporting Program.
  • CMS is replacing the terminology for the “5-Day Assessment” with “Initial Medicare Assessment”.

Common HIPAA Violations Employees May Not Realize

Have you ever emailed, or do you routinely email, Protected Health Information (PHI) to your personal email account so you can catch up on work outside of the facility? With the many demands of the job to get the work done, it can be tempting. This commonly results in a HIPAA violation as the information is not properly protected and more easily breached! Although your intentions may be good, this is not an appropriate practice. Your company may have a policy directly relating to PHI. Reliant employees should refer to Policy 8.3 – Use of E-Mail and Text Messaging for full policy information.

The same caution applies to taking paper patient information outside of the facility.   Removing protected health information from a healthcare facility places that information at risk of exposure.  Without appropriate measures in place to safeguard this information in transport and outside of the facility, it is in violation of HIPAA Rules.  Reliant employees should refer to Policy 3.14 – IT Equipment Protection & Physical Access Controls for full policy information.

CMS Improvements to Recovery Audit Process

The size of the Medicare program is astronomical – the system processes over one billion claims a year. CMS uses several types of contractors to verify that Medicare Fee for Service (FFS) claims are paid based on Medicare requirements. One type of contractor is a Recovery Audit Contractor (RAC). The Medicare FFS RAC Program is one of many tools used to prevent and reduce improper payments. RACs identify and correct overpayments made on claims for health care services provided to beneficiaries, identify underpayments to providers, and provide information that allows CMS to prevent future improper payments.

However, in the past there were numerous complaints about the RAC program. Providers found the audits time-consuming, necessitating high administrative expenses, and often requiring lengthy appeals. CMS listened to what providers were telling them and made meaningful changes. That input informed their thinking as they re-examined all aspects of the RAC process. They identified areas where they could reduce provider burden and appeals, and increase program transparency, while enhancing program oversight and effectiveness.

On May 3rd, CMS Administrator Seema Verma outlined the key improvements and enhancements that were made to the program, including:

  • Better Oversight of RACs:
    • Accountable for maintaining a 95% accuracy score.
    • Maintain an overturn rate of less than 10%.
    • Contingency fee will be delayed until after the second level of appeal is exhausted.
  • Reducing Provider Burden and Appeals:
    • Must audit proportionally to the types of claims a provider submits.
    • Conduct fewer audits for providers with low claims denial rates.
    • Allow more time to submit additional documentation before needing to repay a claim.
  • Increasing Program Transparency:
    • Regularly seeking public comment on proposed RAC areas for review.
    • Required enhancements to provider portals for claim status understanding.

While the audits can become cumbersome and overwhelming at times, ensuring that the care being provided is the most appropriate for each individual patient will only continue to assist in getting the health system where it needs to be. The improvements outlined above have helped and will continue to help make patient care, not paperwork compliance, the main focus of providers.

CMS’ blog regarding recovery audit improvements:

https://www.cms.gov/blog/recovery-audits-improvements-protect-taxpayer-dollars-and-put-patients-over-paperwork

More information on the Medicare FFS Recovery Audit Program can be found at: https://www.cms.gov/Research-Statistics-Data-and-Systems/Monitoring-Programs/Medicare-FFS-Compliance-Programs/Recovery-Audit-Program/

Indictment of Anthem Breach Hackers

Do you remember hearing about the Anthem breach in 2015? Hackers infiltrated Anthem’s network and breached the personal health information of 78.8 million patients. This was one of the worst data breaches in US history if not the worst. There is some good news being reported. The Department of Justice has indicted two China-based hackers for the Anthem hack and breach.

How did the hackers do it?

The hackers allegedly used methods including spear-phishing emails with embedded links sent to employees. After an employee clicked on the link, malware was installed to infect and compromise the system. Once inside the system, the hackers installed what is called a “backdoor”, which in this case went undetected by the infected organization. This “backdoor” allowed the hackers to come and go as they pleased. Although the hack was discovered in 2015, it began in 2014 with the hackers coming through the back door and conducting reconnaissance to identify information of interest.

What is the Lesson Learned?

Be on the lookout for “phishy” emails. Here are a few tips to assist in identifying Phishing emails.

  1. Does the email invoke a sense of urgency, fear, or curiosity?
  2. Does it ask you to click a link, open an attachment, or provide your user ID/password or other sensitive information?
  3. Do you know the person that sent the message and were you expecting it? Hackers can “spoof” messages meaning they make it look like it is coming from a known sender when it is not. If you know the sender but were not expecting it, contact the sender by a means other than email to confirm.

What to do when you suspect a phishing email?

For Reliant employees who use Reliant’s email, a “Phish Alert Button” was recently implemented within the email system. This button is easily accessible within the user’s email and allows the suspicious email to be reported at the click of a button. After clicking this button, it alerts the Reliant support team and allows security measures to be quickly added to prevent others from clicking on similar malicious e-mails.

Customers who don’t have a similar “Phish Alert Button” in place should report suspicious emails to their support team through established reporting processes.

March 2019 Healthcare Data Breaches

The Health and Human Services Office of Civil Rights (OCR) is responsible for enforcing civil rights laws. Covered Entities such as Skilled Nursing Facilities and Business Associates must comply with HIPAA regulations, which include reporting breaches of Protected Health Information (PHI). Breaches affecting 500 or more individuals are posted by OCR on a public website. Breaches affecting fewer than 500 individuals are also required to be reported but are not posted for public viewing.

To give you an idea of the information available on the public site, using March 2019 data: 32 breaches affecting 500 or more individuals were reported, involving 951,252 individuals. Of these 32 breaches, there were 22 Healthcare Providers, 4 Health Plans, and 6 Business Associates involved.

The types of breaches consisted of:

  • 20 – Hacking/IT Incidents
  • 8 – Unauthorized Access/Disclosure
  • 4 – Thefts

Breaches involving email and network servers accounted for 893,502 of the impacted individuals (see chart below). This is why security awareness training, good password management practices, and virus protection are so important.

For a list of the names of companies impacted and other information, visit the OCR portal at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

FY2020 Skilled Nursing Facility (SNF) PPS Proposed Rule

On Friday, April 19, 2019, CMS released the FY2020 skilled nursing facility (SNF) proposed rule for public inspection and comment.

There is estimated to be a 2.5% market basket increase for FY2020 aggregate payments as calculated through a 3.0% market basket increase and a 0.5% multifactor productivity adjustment resulting in an $887 million annual increase.

The proposed rule includes three proposed changes related to the Patient Driven Payment Model (PDPM). First, CMS proposes changing the definition of group therapy in a SNF setting to match the definition in the IRF setting. Specifically, CMS proposes defining group therapy in the SNF Part A setting as “a qualified rehabilitation therapist or therapy assistant treating two to six patients at the same time who are performing the same or similar activities.”

Second, CMS proposes using a subregulatory process to provide non-substantive updates to ICD-10 codes used in PDPM through the PDPM website, while substantive changes will still be made through the traditional notice and rulemaking process. Non-substantive updates are those made to maintain consistency with the most recent ICD-10 code set. CMS is proposing that this take effect with the start of PDPM on October 1, 2019.

The third and final proposed change is to update the regulation text to reflect changes in the assessment schedule under PDPM which were already finalized in the FY2019 final rule. These changes are to reflect the policy taking effect under PDPM on October 1, 2019. For the initial patient assessment, the proposed regulation changes would state that “the assessment schedule must include performance of an initial patient assessment no later than the 8th day of post-hospital SNF care.” Additional proposed changes to regulation text would reflect the optional interim payment assessment.

SNF Quality Reporting Program

This rule proposes to update the SNF QRP effective October 1, 2020 to include:

  • Expansion of data collection for the SNF QRP quality measures to all skilled nursing facility residents, regardless of their payer.
  • The addition of two Transfer of Health Information quality measures.
  • Exclusion of baseline nursing home residents from the Discharge to Community Measure.
  • Public display of the quality measure, Drug Regimen Review Conducted with Follow-Up for Identified Issues.

Request for information (RFI) on the importance, relevance, appropriateness, and applicability measures of standardized patient assessment data elements (SPADEs) for future years in the SNF QRP.

SNF Value Based Purchasing Program

The SNF VBP Program is proposing to change the name of the program’s measure to the “Skilled Nursing Facility Potentially Preventable Readmissions after Hospital Discharge” measure. The measure will retain its previous abbreviation (SNFPPR).

The proposed rule also includes an update to the public reporting requirements to ensure that CMS publishes accurate performance information for low-volume SNFs.

CMS encourages comments from stakeholders. The comment period is open until June 18, 2019.

Download the proposed rule from the Federal Register. Download the CMS fact sheet.

To learn more about Reliant’s preparedness for PDPM, visit our website today.

Changes to Nursing Home Compare in April 2019

The Centers for Medicare & Medicaid Services (CMS) has announced updates coming next month to Nursing Home Compare and the Five-Star Quality Rating System including:

  • Lifting the “freeze” on the health inspection star ratings
  • Automatically giving one-star staffing ratings to nursing facilities that have four or more days per quarter with no registered nurse (RN) on site, down from the current threshold of seven or more.
  • Establishing separate quality ratings for short-stay and long-stay residents and revising the rating thresholds to better identify the differences in quality among nursing homes making it easier for consumers to find the right information needed to make decisions.

Read on for more information or visit the CMS Nursing Home Compare site.

Guidance Issued Regarding Immediate Jeopardy Situations

Earlier this month, Seema Verma, Administrator for CMS, posted a blog entitled “Protecting the Health and Safety of All Americans”. In this blog, Seema states guidance is needed to address violations of health and safety regulations that cause serious harm or death to a patient and require immediate action to prevent further serious harm (immediate jeopardy).

In turn, CMS has issued guidance which clarifies what information is needed to identify immediate jeopardy cases across all healthcare provider types, which they believe will result in quickly identifying and ultimately preventing these situations. This new guidance can be found in Appendix Q of the State Operations Manual that federal and state inspectors use.

Access to CMS training

Revised Guidance Tools

Read the full memorandum

SNF Provider Threshold Report (PTR) Now Available

The new Skilled Nursing Facility (SNF) Provider Threshold Report (PTR) is now available. This PTR is a user-requested, on demand report which enables users to obtain the status of their data submission completeness related to the compliance threshold required for the SNF Quality Reporting Program (QRP). For more information, click here.

SNF QRP Provider In-Person Training

The Centers for Medicare & Medicaid Services (CMS) will be hosting a 2-day Skilled Nursing Facility (SNF) Quality Reporting Program (QRP) in-person ‘Train the Trainer’ event for providers on May 7 and 8, 2019. This event will be open to all SNF providers, associations, and organizations. Access more information here.

Guide to Personally Identifiable Information (PII)

Whether at work, at home, or on the go, data that is often the top target of
cybercriminals is all around us. Protecting that data isn’t a highly technical process, but
rather one that requires common sense and a strong commitment to privacy in every
aspect of our lives!


What is PII?
PII, or personally identifiable information, is sensitive data that
could be used to identify, contact, or locate an individual.


What are some examples of PII?
PII includes (but is not limited to) home addresses, personal email addresses,
national ID numbers, credit card numbers, and personal phone numbers.


What are some examples of non-PII?
Info such as business phone numbers and email addresses, race, religion,
gender, workplace, and job titles are typically not considered PII. But they
should still be treated as sensitive, linkable info because they could identify
an individual when combined with other data.


Why is PII so important?
On a personal level, our PII is necessary to acquire some goods and services, such
as medical care and utilities. But in the wrong hands, PII leads to identity theft
and other forms of fraud. On a professional level, you may store PII of customers,
clients, vendors, contractors, employees, and partners. If left unprotected, your
organization could face steep fines and your reputation could be severely damaged.


How do you protect PII at work?
Protecting PII begins and ends with following your organization’s security
policies, which were created to ensure that the data remains
private. Treat all requests for sensitive info with a high degree of scrutiny, stay
alert, think before you click, and if you have any questions, ask them!


How do you protect PII at home?
Develop a home security policy similar to those at work, which calls for common
sense practices, such as not clicking on random links and attachments, guarding
personal info online and in real life, destroying sensitive documents beyond
recognition and setting social media profiles to fully private.

The Customer Connect Webinar Series: A Collaborative Approach to Quality Outcomes

Every month on the third Thursday, Reliant’s Clinical Services offers a webinar to our partners on relevant topics within our industry.

March’s training, Restoring Your Restorative Nursing Program, provided participants with information regarding the importance of restorative nursing programs, reviewed the criteria for these programs, and identified strategies for successful implementation.

Join us in April for:
A Deep Dive into the PT and OT Components of the
Patient Driven Payment Model (PDPM)

Skilled Nursing Facility Open Door Forum Call

CMS held the first skilled nursing facility (SNF) open door forum (ODF) call for this year on February 14, 2019. The call included updates on CMS’ PDPM website, the SNF Quality Reporting Program (QRP), and Payroll-Based Journaling (PBJ).

SNF QRP Update:

  • CMS announced they are contracting with RTI International to develop and maintain additional SNF QRP quality measures.
  • RTI is convening a Technical Expert Panel (TEP) to inform the direction and development of a claims-based measure of healthcare-associated infections in SNF. For information on this project and nomination steps visit the SNF QRP website.

PBJ Update:

  • Fourth quarter (10/1/18-12/31/18) PBJ staffing data will be considered timely if it was submitted by 2/14/19 and will be posted on Nursing Home Compare.

CMS provided separate emails for questions concerning technical aspects and policy related issues.

Skilled Nursing Facility Provider Preview Reports

Skilled Nursing Facility (SNF) Provider Preview Reports have been updated and are now available. Providers have until March 4, 2019 to review their performance data prior to the April 2019 Nursing Home Compare site refresh, during which this data will be publicly displayed. Corrections to the underlying data will not be permitted during this time; however, providers can request CMS review of their data during the preview period if they believe the quality measure scores that are displayed within their Preview Reports are inaccurate. 

To view the full memo and data contained within the report click here.

Program for Evaluating Payment Patterns Electronic Report (PEPPER)

Clinical Appeals Corner

PEPPER is an educational tool that summarizes provider-specific data statistics for Medicare services that may be at risk for improper payments. Providers can use the data to support internal auditing and monitoring activities. PEPPER provides resources for using the report, including user’s guides, recorded web-based training sessions and a sample PEPPER.

The PEPPER team has recently updated the maps that display the PEPPER retrieval rates by state. See how you compare and download yours today! Visit PEPPER site.

“Protect” Protected Health Information (PHI)

Phishing attacks are non-stop year-round, and attackers take advantage of holidays and other seasonal events, like tax time, to trick you into clicking links to provide User IDs and passwords. When a phishing attempt is successful, the “Bad Actor” obtains your email login information, and can use your email account to obtain data. Do you have resident information such as face sheets in your emails? If so, there is a wealth of PHI that criminals can use to commit fraud and identity theft. Stay vigilant with these tips.