EHR

Go-Live

: A milestone, not the destination

Read this if your company is considering outsourced information technology services.

For management, it’s the perennial question: Keep things in-house or outsource?

For management, it’s the perennial question: Keep things in-house or outsource? Most companies or organizations have outsourcing opportunities, from revenue cycle to payment processing to IT security. When deciding whether to outsource, you weigh the trade-offs and benefits by considering variables such as cost, internal expertise, cross coverage, and organizational risk.

In IT services, outsourcing may win out as technology becomes more complex. Maintaining expertise and depth for all the IT components in an environment can be resource-intensive.

Outsourced solutions allow IT teams to shift some of their focus from maintaining infrastructure to getting more value out of existing systems, increasing data analytics, and better linking technology to business objectives. The same can be applied to revenue cycle outsourcing, shifting the focus from getting clean bills out and cash coming in, to looking at the financial health of the organization, analyzing service lines, patient experience, or advancing projects.  

Once you’ve decided, there’s another question you need to ask
Lost sometimes in the discussion of whether to use outsourced services is how. Even after you’ve done your due diligence and chosen a great vendor, you need to stay involved. It can be easy to think, “Vendor XYZ is monitoring our servers or our days in AR, so we should be all set. I can stop worrying at night about our system reliability or our cash flow.” Not true.

You may be outsourcing a component of your technology environment or collections, but you are not outsourcing the accountability for it—from an internal administrative standpoint or (in many cases) from a legal standpoint.

Beware of a false state of confidence
No matter how clear the expectations and rules of engagement with your vendor at the onset of a partnership, circumstances can change—regulatory updates, technology advancements, and old-fashioned vendor neglect. In hiring the vendor, you are accountable for oversight of the partnership. Be actively engaged in the ongoing execution of the services. Also, periodically revisit the contract, make sure the vendor is following all terms, and confirm (with an outside audit, when appropriate) that you are getting the services you need.

Take, for example, server monitoring, which applies to every organization or company, large or small, with data on a server. When a managed service vendor wants to contract with you to provide monitoring services, the vendor’s salesperson will likely assure you that you need not worry about the stability of your server infrastructure, that the monitoring will catch issues before they occur, and that any issues that do arise will be resolved before the end user is impacted. Ideally, this is true, but you need to confirm.

Here’s how to stay involved with your vendor
Ask lots of questions. There’s never a question too small. Here are samples of how precisely you should drill down:

• What metrics will be monitored, specifically?
• Why do the metrics being monitored matter to our own business objectives?
• What thresholds must be met to notify us or produce an alert?
• What does exceeding a threshold mean to our business?
• Who on our team will be notified if an alert is warranted?
• What corrective action will be taken?

Ask uncomfortable questions
Being willing to ask challenging questions of your vendors, even when you are not an expert, is critical. You may feel uncomfortable but asking vendors to explain something to you in terms you understand is very reasonable. They’re the experts; you’re not expected to already understand every detail or you wouldn’t have needed to hire them. It’s their job to explain it to you. Without asking these questions, you may end up with a fairly generic solution that does produce a service or monitor something, but not necessarily all the things you need.

Ask obvious questions
You don’t want anything to slip by simply because you or the vendor took it for granted. It is common to assume that more is being done by a vendor than actually is. By asking even obvious questions, you can avoid this trap. All too often we conduct an IT assessment and are told that a vendor is providing a service, only to discover that the tasks are not happening as expected.

You are accountable for your whole team—in-house and outsourced members
An outsourced solution is an extension of your team. Taking an active and engaged role in an outsourcing partnership remains consistent with your management responsibilities. At the end of the day, management is responsible for achieving business objectives and mission. Regularly check in to make sure that the vendor stays focused on that same mission.

Read this is if you are at a healthcare organization and considering telehealth options. 

Given the COVID-19 emergency declaration, telehealth service regulations have been greatly modified to provide flexibility and payment. The guidance on telehealth is very dispersed and can be difficult to navigate. Here are some FAQs based on the many questions we have received. If you have questions related to your specific situation, please contact us. We're here to help.

UPDATED: Are RHCs and FQHCs now eligible as distant site providers for telehealth services? If so, how will they be paid by Medicare?
Yes, the CARES Act includes RHCs and FQHCs as distant sites during the COVID-19 Public Health Emergency (PHE). Distant site telehealth services can be provided by any health care practitioner of the RHC or FQHC within their scope of practice. The practitioners can provide any distant site telehealth service that is approved as a distant site telehealth service under the Physician Fee Schedule (PFS) and from any location, including from the practitioner’s home. CMS has approved an interim payment rate of $92 for RHCs and FQHCs for these services. The rate is based on the average payment for all PFS telehealth services, weighted by the volume of those services paid under the PFS. This rate will apply for services furnished between January 27, 2020 and June 30, 2020. Modifier “95” must be included on the claim. In July 2020, these claims will be automatically reprocessed and be paid at the RHC all-inclusive rate (AIR) and the FQHC prospective payment system (PPS) rate. Reprocessing will begin when the Medicare claims processing system is updated for the new payment rate.

For telehealth distant site services furnished between July 1, 2020 and the end of the COVID-19 PHE, RHCs and FQHCs will need to use RHC/FQHC specific G code, G2025, for services provided via telehealth. These claims will be paid at the $92 rate, not the AIR or PPS rates. If the COVID-19 PHE continues beyond December 31, 2020, the $92 will be updated based on the 2021 PFS average payment rate for these services, again weighted by the volume of those services.

For services in which the coinsurance is waived, RHCs and FQHCs must put the “CS” modifier on the service line. RHC and FQHC claims with the “CS” modifier will be paid with the coinsurance applied, and the Medicare Administrative Contractor (MAC) will automatically reprocess these claims beginning on July 1. Coinsurance should not be collected from beneficiaries if the coinsurance is waived.

UPDATED: Will telehealth visits of any kind affect my FQHC or RHC encounter rate?
Costs associated with telehealth will not affect the prospective payment system rate for FQHCs or the all-inclusive rate calculation for RHCs, but the costs will need to be reported on the cost report. Costs of originating and distant site telehealth services will be reported as follows:

• Form CMS-222-17 on line 79 (Cost Other Than RHC Services) of Worksheet A for RHCs
• Form CMS-224-14 on line 66 (Other FQHC Services) of Worksheet A for FQHCs.

What is telehealth versus telemedicine?
Telemedicine refers to a remote clinical service while telehealth is a broader term that embodies a consumer-based approach to medical care, incorporating both delivery of care and education of patients.

UPDATED: What types of service levels are available?
There are three main types of Medicare virtual services with different payment levels. Here are the key things to know for each type:

Telehealth visits

1. These are considered the same as in-person visits and paid at the same PFS rates as regular, in-person visits.
2. Pre-existing patient relationship requirements have been waived.
3. The patient originating site can be any healthcare facility or the patient’s home.

Virtual check-ins

1. These are brief communications in a variety of technology-based manners.
2. They do require the patient to initiate and consent to the check-in.
3. It cannot be preceded by a medical visit within the previous 7 days and cannot lead to a medical visit within the next 24 hours. 
4. A pre-existing relationship with the patient is required.
5. Common billing codes include HCPCS code G2012 (telephone) and G2010 (captured video or images).

E-visits:

1. These also need to be initiated by the patient in order to be billable and would be conducted using online patient portals (no face-to-face), for example.
2. A pre-existing relationship with the patient is required.
3. Common billing codes include CPT codes 99421-99423 and HCPCS codes G2061-G2063. 

The payment rate for these services will be $24.76 beginning March 1, 2020, through the end of the PHE, instead of the CY 2020 rate of $13.53, and should be billed using code G0071. MACs will automatically reprocess any claims with G00771 furnished on or after March 1, 2020, that were not paid at the new rate.

What codes can be billed as telehealth services?
Here is the listing effective as of March 1, 2020. 

Since this time, 85 additional codes have been added. Click here for the list. 

Do we need to request an 1135 waiver or are these changes covered by a blanket waiver from CMS?
A blanket waiver is in effect, retroactive to March 1, 2020 though the end of the emergency declaration. 

Is patient consent required?
Yes, patients must verbally consent to services. This includes brief telecommunications (which currently have a cost share for Medicare). We recommend it for all payers as a best practice.

Is there additional information expected from Medicare?
Yes, Medicare, Medicaid, and other payers are continually updating their guidance. 

What can we bill for telehealth services for Medicaid and insurance carriers?
This is the most problematic to track as it is continually evolving and every state and carrier is different. Providers must understand each payor’s requirements around audio and video, allowable CPT/HCPCS codes, modifiers, and place of service codes. As you have questions, please reach out to us so we can be sure to provide the most current answer.

Resources
Given how quickly information related to telehealth is changing, please feel free to contact us for the latest resources. 

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

1. People: Create and maintain a vigilant workforce
   Ask yourself, “How prepared is our workforce when it comes to security threats and protecting our data? How likely would it be for one of our team members to click on a link or open an attachment that appear to be from our CFO? Would our team members look closely enough at the email address and notice that the organization name is different by one letter?”
    

   According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

   Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.
   
   So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.

2. Plan: Implement a disaster recovery and incident response plan 
   Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand – and harder for leadership – to assist with.
   
   It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
    
   1. How will we communicate internally with our staff about the incident?
   2. How will we communicate with our clients? Our patients? Our community?
   3. When should we call our insurance company? Our attorney?
   4. Is reception prepared to describe what is going on if someone visits our office?
   5. Do we have the technical expertise to diagnose the issue?
   6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
   7. When the press gets wind of the situation, who will communicate with them and what will we share?
   8. If our telephone system and network is taken offline, how we will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not be, for a cyber-attack when it comes.

3. Practice: Prepare your team with table top exercises  
   Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.
   
   A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.
   
   Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps that are lacking in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.

As you know, there are many different threats and risks facing organizations. Some are from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, in both preventing issues from occurring and then responding quickly and appropriately when they do. Remember focus on your People, Your Plan, and Your Practice.

Editor’s note: read this if you are a hospital or senior living facility administrator, CFO, finance director or manager, patient financial services staff, or revenue team member. 

Unless you own a working crystal ball, no one knows the true impact COVID-19 will have on our communities and our healthcare ecosystem. The very nature of being a healthcare provider demands being prepared for emergencies, crises, and pandemics. This particular pandemic highlights how critical yet fragile the healthcare system is in our country—and across the globe.

Despite differences in payment mechanisms, terminology, and cultural expectations, registration is a critical function shared with all developed health systems across the globe and must be considered when preparing for COVID-19 and other community disasters. This function is responsible for correctly identifying patients, managing where they are in the systems (arrivals, bed management, scheduling, and other functions), and accurately identifying financial responsibility for services provided.  

Insurance verification is important during crisis, but the other functions are more important, as they ensure providers have access to timely and correct medical information and can document each patient's course of treatment and transfer care to other providers. Delays and inaccuracy in upfront functions can lead to decreased patient throughput and possibly impede patient care if access to medical records is delayed.

Preparation for successful patient care

Now is a great time to assess if your system’s patient access teams are properly staffed and trained, and you have contingency plans in place for emergencies and pandemics. Many systems continue to staff their registration functions with entry level/inexperienced staff. Are they dependable and able to handle the high stress that can accompany a crisis in your community? Systems must have contingency plans and training in place before it is needed.

Patient access staffpeople are at the front end of care and we must ensure they have the training, equipment, and tools to protect themselves from sick patients (this is true every day). If there is a health emergency in your community, a high likelihood exists that your patient access staff will be impacted. What is your plan for decreased patient access staff during times of increased/unprecedented demand? Many options exist and preparation prior to a crisis is important to successfully care for patients during the crisis. Here are some options to consider:

• Cross-train billing and coding staff to register patients
  Cross-train revenue cycle staff to improve the strength of your revenue cycle. Billers and coders that fully understand registration can problem solve and collaborate quickly during a crisis, saving valuable time and improving efficiency.
• Develop mass registration processes
  Create forms and/or have mobile laptops and technology ready to register patients in conference rooms and other non-traditional access points. This eliminates bottlenecks at ED and other high-demand registration points, speeding up treatment.
• Continue to invest in self-service and telehealth tools
  Telehealth and self-service registration tools can alleviate staff demands, prevent non-emergency patients from coming to the facility, and improve patient satisfaction.

Patient access assessments

Patient access has been and will continue to be the foundation of the revenue cycle. This is true during normal operations and even more so during emergency and crisis situations. When is the last time you assessed your system’s patient access emergency plans and overall performance of your patient access department?  

BerryDunn’s patient access consultants can assist in ensuring your front-end functions are performing at best-practice levels, based on registration related denials and rework, processes flows, point-of-service collections, authorizations, and other metrics. The assessment will identify financial and revenue cycle improvement opportunities dependent on your people, processes, and technology. Assessments will also review the department’s preparedness for emergencies and provide recommendations to support the needs of the community during normal operations and during a crisis.

For more information, or if you have questions or comments about your specific situation, we're here to help. Please contact our revenue cycle consultants.

Texting has become a simple, convenient, and entrenched component of our everyday lives. We use it with family, friends, coworkers—and clients. My wife and I text to coordinate day care pickup and drop off of our kids every day. It is a quick and easy alternative to our large, and sometimes overwhelming, volume of email.

And with that convenience comes the temptation for clinicians, care teams, and healthcare providers to communicate sensitive content via text in the workplace. The ability to take a photograph of a wound and share with a colleague for a consult is convenient and effective. The number of patients who want to text a non-urgent question to their providers is also growing, particularly with younger patient populations. Population health teams who want to better engage patients may see texting as an easy format to achieve that.

The problem? Texting is not a secure communication method. The native SMS (short message service) used by many phones, including iPhones (at times), is not encrypted, and messages are sent in plain text over cellular networks. SMS messages are vulnerable to “man-in-the-middle” attacks, in which a third-party eavesdrops or potentially manipulates a conversation. The native message format of iPhones has security risks, too. And when a text message contains protected patient information or images, these risks become significant.

On December 28, 2017 CMS released clarification on text messaging. The highlights:

• Texting is permissible between care team members if accomplished through a secure platform.

• Texting of orders: prohibited.

• Computerized Physician Order Entry (CPOE) is the preferred method of provider order entry.

The first bullet allows some consideration of text messaging but with an important caveat: you must use a secure platform. The last two bullets steer providers to using their EHR systems.

What should you do if you find yourself in a position where text messaging has crept into your culture?

• Establish a policy to govern the use of text messaging and update your mobile device policy.

• Determine whether you will implement (and allow your care team to use) a secure texting platform or prohibit texting all together.

• Consider how secure texting impacts your policies and procedures related to data retention, discovery, and the legal health record. 

• Educate your patients about secure messaging available on your patient portal.

• Assess your organization’s usage and level of risk.

• Stop using unsecure text messaging for patient related communications.

For more information, contact me.

Related content:

Watch our video on adopting technology for success. 
Read Dan's article on soft cybersecurity skills.

Do you know what would happen to your company if your CEO suddenly had to resign immediately for personal reasons? Or got seriously ill? Or worse, died? These scenarios, while rare, do happen, and many companies are not prepared. In fact, 45% of US companies do not have a contingency plan for CEO succession, according to a 2020 Harvard Business Review study.  

Do you have a plan for CEO succession? As a business owner, you may have an exit strategy in place for your company, but do you have a plan to bridge the leadership gap for you and each member of your leadership team? Does the plan include the kind of crises listed above? What would you do if your next-in-line left suddenly? 

Whether yours is a family-owned business, a company of equity partners, or a private company with a governing body, here are things to consider when you’re faced with a situation where your CEO has abruptly departed or has decided to step down.  

1. Get a plan in place. First, assess the situation and figure out your priorities. If there is already a plan for these types of circumstances, evaluate how much of it is applicable to this particular circumstance. For example, if the plan is for the stepping down or announced retirement of your CEO, but some other catastrophic event occurs, you may need to adjust key components and focus on immediate messaging rather than future positioning. If there is no plan, assign a small team to create one immediately. 

Make sure management, team leaders, and employees are aware and informed of your progress; this will help keep you organized and streamline communications. Management needs to take the lead and select a point person to document the process. Management also needs to take the lead in demeanor. Model your actions so employees can see the situation is being handled with care. Once a strategy is identified based on your priorities, draft a plan that includes what happens now, in the immediate future, and beyond. Include timetables so people know when decisions will be made.  

2. Communicate clearly, and often. In times of uncertainty, your employees will need as much specific information as you can give them. Knowing when they will hear from you, even if it is “we have nothing new to report” builds trust and keeps them vested and involved. By letting them know what your plan is, when they’ll receive another update, what to tell clients, and even what specifics you can give them (e.g., who will take over which CEO responsibility and for how long), you make them feel that they are important stakeholders, and not just bystanders. Stakeholders are more likely to be strong supporters during and after any transition that needs to take place. 

3. Pull in professional help. Depending on your resources, we recommend bringing in a professional to help you handle the situation at hand. At the very least, call in an objective opinion. You’ll need someone who can help you make decisions when emotions are running high. Bringing someone on board that can help you decipher what you have to work with and what your legal and other obligations may be, help rally your team, deal with the media, and manage emotions can be invaluable during a challenging time. Even if it’s temporary. 

4. Develop a timeline. Figure out how much time you have for the transition. For example, if your CEO is ill and will be stepping down in six months, you have time to update any existing exit strategy or succession plan you have in place. Things to include in the timeline: 

• Who is taking over what responsibilities? 
• How and what will be communicated to your company and stakeholders? 
• How and what will be communicated to the market? 
• How will you bring in the CEO's replacement, while helping the current CEO transition out of the organization? 

If you are in a crisis situation (e.g., your CEO has been suddenly forced out or asked to leave without a public explanation), you won’t have the luxury of time.  

Find out what other arrangements have been made in the past and update them as needed. Work with your PR firm to help with your change management and do the right things for all involved to salvage the company’s reputation. When handled correctly, crises don’t have to have a lasting negative impact on your business.   

5. Manage change effectively. When you’re under the gun to quickly make significant changes at the top, you need to understand how the changes may affect various parts of your company. While instinct may tell you to focus externally, don’t neglect your employees. Be as transparent as you possibly can be, present an action plan, ask for support, and get them involved in keeping the environment positive. Whether you bring in professionals or not, make sure you allow for questions, feedback, and even discord if challenging information is being revealed.  

6. Handle the media. Crisis rule #1 is making it clear who can, and who cannot, speak to the media. Assign a point person for all external inquiries and instruct employees to refer all reporter requests for comment to that point person. You absolutely do not want employees leaking sensitive information to the media. 
 
With your employees on board with the change management action plan, you can now focus on external communications and how you will present what is happening to the media. This is not completely under your control. Technology and social media changed the game in terms of speed and access to information to the public and transparency when it comes to corporate leadership. Present a message to the media quickly that coincides with your values as a company. If you are dealing with a scandal where public trust is involved and your CEO is stepping down, handling this effectively will take tact and most likely a team of professionals to help. 

Exit strategies are planning tools. Uncontrollable events occur and we don’t always get to follow our plan as we would have liked. Your organization can still be prepared and know what to do in an emergency situation or sudden crisis.  Executives move out of their roles every day, but how companies respond to these changes is reflective of the strategy in place to handle unexpected situations. Be as prepared as possible. Own your challenges. Stay accountable. 

BerryDunn can help whether you need extra assistance in your office during peak times or interim leadership support during periods of transition. We offer the expertise of a fully staffed accounting department for short-term assignments or long-term engagements―so you can focus on your business. Meet our interim assistance experts.