What You Need to Know About Healthcare Risk

When it comes to healthcare risk, the stakes can be extremely high. Whether a data breach results in paying millions of dollars in fines or an incorrect medical code results in a claim denial, ignoring risk can have severe consequences.

Though there are many types of healthcare risk, the three main areas are coding, billing, and data security.

Coding

Coding risk is the potential application of incorrect medical codes to medical diagnoses or to procedures that have been performed. Coding errors can occur a number of ways, from a programming error in the electronic medical record (EMR) system to a medical practitioner or back-office staff member coding a patient’s medical records incorrectly.

Used to identify medical conditions and procedures, the ICD-10 coding classification system introduced nearly eight times as many codes as in ICD-9-CM and changed the codes to alphanumeric instead of numeric only. This transition was happening at the same time that many medical practices and hospitals were switching from paper records to EMR systems or upgrading legacy EMR systems to ones compliant with healthcare regulations. With so many variables changing at once, the potential for coding mistakes increases.

Here are a few categories of possible coding errors:

• Miscoding: Assigning a generic code when there is a more specific and accurate code available.
• Unbundling: Coding a bundled procedure as two or more separate procedures when there is a single code available that covers the procedure. This separation typically results in a higher reimbursement rate and is considered fraudulent by the Centers for Medicare and Medicaid Services (CMS).
• Upcoding: Submitting codes for a more expensive diagnosis or procedure than was actually performed, which is illegal.

Catching coding errors usage early on is crucial because many coding errors lead to billing errors, which can have larger ramifications. In fact, of the fee-for-service improper payments in 2017, just over 13 percent of them were due to incorrect coding. Too many claims with incorrect coding lead to denials, claim reviews, and billing audits.

Preventing coding errors will take an investment in continual training and education to ensure all team members are knowledgeable about best practices. Internal audits – of systems and of coding processes – can help uncover EMR system and procedural weaknesses before they turn into large-scale issues.

Billing

Billing risk involves the potential for errors on medical bills that are submitted to Medicare, insurance providers, or patients, often resulting in improper payment. As mentioned previously, incorrect medical bills often begin with medical coding errors, but billing errors can also result from computer glitches or incorrect clinical diagnostic information. Evolving healthcare regulations and Medicare reimbursement requirements can also be a source of billing errors as providers try to keep current and compliant.

The effects of billing errors can be wide-reaching. Incorrect or incomplete submissions to insurance companies or to Medicare may result in the rejection of the claim. Appealing the claim requires more administrative effort and lengthens the time it takes for providers to receive payment.

Billing errors in Medicare reimbursement requests often lead to improper payments; when they are caught, the provider will be asked to repay the amount along with interest. In extreme cases, repayment may also include penalties, including suspension from the Medicare program or the establishment of a corporate integrity agreement, where the government monitors the provider to ensure they are establishing a compliant framework. Frequent medical billing mistakes can trigger investigations and billing audits that can be damaging both financially and to a practice’s reputation.

One way to prevent medical billing errors is through a revenue cycle assessment. A third-party consultant can often serve as a fresh set of eyes to issues that can be overlooked by those who are engrained in the processes. A revenue cycle assessment takes a comprehensive view of the entire process, analyzing the start of a claim, claim submission, claim management, accounts receivable management, and follow-up. This holistic approach helps ensure that all areas of potential billing exposure are addressed.

Utilizing practice data, benchmarking, and insights from key stakeholders, consultants will identify specific areas for deeper review. Since revenue cycle processes and management vary from practice to practice, there is no one-size-fits-all solution. But by having an outside consultant conduct a regular review of revenue cycle workflows and systems, organizations can help ensure they are addressing weaknesses that could adversely affect their business.

Data Security

Data security risk is the potential exposure of protected health information (PHI). Exposure in the form of network and computer-based attacks and malicious software may be most familiar given their prevalence in the news. But data exposure can also happen from natural threats, such as floods or tornadoes, or from weaknesses in physical security, including leaving confidential information on a printer or even holding the door for someone who then gains unauthorized entry.

The time and expense associated with data security remediation is significant. According to the Health Insurance Portability and Accountability Act (HIPAA) Journal, the average cost of a data breach across industries has increased to $3.86 million, but healthcare data breach resolution costs are the highest at $408 per record, almost double that of the next highest sector. There are potential fines to be levied by the U.S. Department of Health and Human Services as well as from the state attorney general.

Data breaches are not only financially costly, they can damage a healthcare organization’s brand and cause a loss of patients as they question whether their personal information is safe.

HIPAA mandates that all PHI and electronic PHI (ePHI) that an organization creates, receives, maintains, or transmits must be protected. The HIPAA Security Rule requires them to conduct an annual risk assessment, identifying where information is at risk, where it is uncontrolled, or where additional security measures are needed. All too often, however, a risk assessment is seen simply as a check-the-box exercise, leaving organizations vulnerable.

The number one mistake most organizations make is in the assumption that one is enough.  Effective risk management is not a point-in-time assessment of a certain technology or organization element; it is comprehensive in scope and is regularly conducted.

As new tools, processes, and vendors are added to the environment, the risk and required mitigating controls must continuously be assessed. As an example, failing to update the risk register when new internet-connected medical devices are incorporated into the network could expose the organization to additional risks that would not be accounted for in the original risk assessment. In the event of a HIPAA audit or breach, the failure to properly update the risk register and conduct a comprehensive risk assessment could lead to financial penalties.

Conducting a risk assessment does not have to be a cumbersome and expensive process. It can also be used to allow leadership to understand the organization’s current risk posture better, and strategically plan for improvements and enhancements.