The COVID-19 pandemic has resulted in more people on Medicaid. It’s more important than ever before for the healthcare industry to do its part to ensure compliance with privacy and security regulations.
By Nan Sloan, Vice President of Compliance, Medecision
In the ever-expanding world of Medicaid, there are unfortunately still a lot of gaps related to the sharing of private healthcare data. The HIPAA privacy and security rule establishes national standards to ensure that privacy and security are in place around a patient or member, and to provide tools that assist with compliance. When looking at an individual’s medical records, we need to know who, what, when and why (where isn’t such a concern).
The compliance gap can be particularly pronounced in the government realm, where programs tend to focus on managing members from the perspective of case management, appeals or utilization review. These programs generally don’t use big electronic health record systems (EHRs) to share and secure data. The increasing shift to telehealth and video chats demands an additional layer of security, especially with COVID-19 in the picture and as more and more mental health patients are pushed to Medicaid.
We can’t just throw the word compliance around. We have to really delve into it and make sure we understand what we’re talking about. In the Medicaid Certification Toolkit for Medicaid certification, the Centers for Medicare & Medicaid Services (CMS) stresses the importance of privacy and security, which must take precedence over other important goals, such as interoperability.
The CMS interoperability and patient access rule from last year, like the information blocking rule from the Office of the National Coordinator for Health Information Technology (ONC), is very specific in how to secure data through proven, structured formats or infrastructure. When a payer or provider sends information to a patient or member, that data must be encrypted, with the receiver getting a key to decrypt it, so it stays secure.
Because we, as members and patients, own our data, we have to take some responsibility for keeping it secure. That means we must become educated. To correctly educate people, you have to paint the overall picture. The only way to do that is by sharing information throughout the continuum of care and allowing it to be presented in a single point of view that’s understandable for members or patients at their level, and not in the big words we as healthcare professionals like to use.
People must be educated in their terms—whether that be at a fifth-grade level or in Vietnamese—about how their privacy is being secured and how they can securely access their medical information. That’s a challenge for every payer, provider and healthcare system in the country, because the information being disseminated to patients and members includes codes such as ICD-10 (International Classification of Diseases, Tenth Revision) and HCPCS (Healthcare Common Procedure Coding System). A code, which could be notifying someone that he or she has cancer, must also be understandable in that person’s preferred language.
Other Challenges to Compliance
At its most basic level, of course, all of this comes down to information exchange: between payer and payer, payer and provider, payer and hospital, payer and nursing home, and across the care continuum. One of the biggest hang-ups in our healthcare system has been the tendency of payers or providers to worry about network “leakage” and someone stealing their members. “I don’t have to share that data,” some of them say. But that simply is not true.
Penalties for noncompliance can be severe, including the loss of accreditation or certification, which for a provider in the Medicaid population means loss of contract. Another possible penalty is a dropped reimbursement rate—which, in what is already a bare-bones, dollar-for-dollar system, effectively means you won’t be able to do anything as Medicaid moves to a fee-for-service model.
Differences from state to state or region to region can further complicate our efforts to ensure compliance, as can the inevitable changes that come with a new presidential administration. Meanwhile, the Medicaid population is growing, but the dollars are limited. In general, states do make an effort to follow the minimum standards put out by the government, but where they run into trouble is deciding where to spend the money. While Medicare tells states where and how to spend their dollars, Medicaid gives states flexibility based on their makeup. So states with large homeless populations, such as Texas, Florida and California, often must decide whether to put their Medicaid dollars into those populations, into their Children’s Health Insurance Program or nursing home programs. And COVID-19 has resulted in more people on Medicaid and a need for more government assistance.
As states grapple with these hard decisions, it becomes increasingly important for every player in the healthcare industry to do its part to ensure compliance with privacy and security regulations. With the right processes, software and other tools, we can do a better job of meeting these goals.