More Stresses In The Practice of Medicine and Cyber Security


Oct. 1, 2015. To the non-healthcare business-minded professional, it’ll just be another Thursday. It could just be another day in the healthcare setting; or oceans could boil as providers begin to use ICD-10 coding sets for the first time. Maybe it’ll be somewhere in between. However, most of the surveys have shown that most physician practices are still not ready for the new coding system.

To help remedy the disruption, the American Health Information Management Association (AHIMA) will begin offering a code-checking service, AHIMA Code-Check, beginning Oct. 12.

In AHIMA’s statement, noted features include:

  • Interpretation and guidance on pathways for code assignment;
  • Nomenclature and terminology relationships;
  • Guidelines for when to query for necessary documentation; and
  • Identification of patient care variables that affect CPT and HCPCS codes.

In addition, beginning in 2016, AHIMA will develop annual white papers with analysis and answers to some of the most commonly asked and challenging questions posed to AHIMA. They will be featured on AHIMA’s website.

There are a number of deadlines coming up in our practicing lives and those of your physicians. For example, I just pointed out the conversion from ICD-9 to ICD-10 codes. The 10th revision of the International Classification of Diseases (ICD-10) takes effect October 1, as I mentioned. The transition from ICD-9 to ICD-10 expands the selection of diagnosis codes that surgeons and their coding staffs may use to 68,000 from a relatively small pool of 13,000 codes. In addition, the inpatient procedure code set has evolved, bringing the entire set of new codes to a total of 141,000.

Because most of the information that coders use comes from medical records, accurate and thorough documentation is crucial to ensuring a smooth transition. The American College of Surgeons (ACS) has created a Webpage to help surgeons ease into this transition. Included on this Webpage is an ICD-9-CM to ICD-10-CM crosswalk of the most frequently reported general surgery diagnosis codes, which may be used to help determine what a particular ICD-9 code will translate to in ICD-10 and as a resource to assist in the billing process.

The Centers for Medicare & Medicaid Services (CMS) released guidance in early July that will allow for flexibility in the claims auditing and quality reporting process as the medical community gains experience using the new ICD-10 code set. Specifically, under a one-year grace period, CMS contractors may not deny physician or health care practitioner Medicare Part B claims billed through either automated medical review or complex medical record review solely based on the specificity of the ICD-10 diagnosis code, as long as the claim uses a valid code from the right family. CMS has established an ICD-10 ombudsman to help triage physician and provider issues. In certain circumstances, CMS may also make advance payments to providers if challenges arise in the grace period.

To further help surgeons with the move to ICD-10, the American College of Surgeons’ General Surgery Coding and Reimbursement Committee is sponsoring a Panel Session, Avoiding Reimbursement Pitfalls: ICD-10 and Audits, at Clinical Congress 2015, 2:30-4:00 pm Tuesday, October 6, in McCormick Place West, W375C. Find more information about ICD-10 implementation on the ACS website or

Also consider the Meaningful Use ruling.

The Centers for Medicare & Medicaid Services (CMS) is expected to release a final rule soon on implementation of the Meaningful Use (MU) requirements for the Medicare Electronic Health Record (EHR) Incentive Program. The American College of Surgeons (ACS) is asking Fellows to urge their members of Congress to delay implementation of Stage 3 MU requirements, asserting that implementation of Stage 3 is premature, especially because many surgeons are struggling to comply with existing Stage 2 requirements. Only 19 percent of health care professionals and 48 percent of hospitals have successfully met Stage 2 requirements.

Reps. Renee Ellmers (R-NC); Tom Price, MD, FACS (R-GA); and David Scott (D-GA) are circulating a congressional sign-on letter asking U.S. Department of Health and Human Services Secretary Sylvia Burwell to delay implementation of Stage 3 requirements. The College is urging Fellows to contact their representatives and ask them to add their signatures to this letter. Go to SurgeonsVoice today to learn more and urge your representative to sign the letter. It will take a strong bipartisan showing to effect a delay. For more information, e-mail or call 202-337-2701.

These are deadlines that will affect our practices as doctors as well as our referring, consulting and our personal physicians.

I came up with some suggestions for the doctors who have continued to delay, thinking that somehow the deadline of October 1, 2015 will again be extended. However, even though Medicare has lightened the load, the other insurance companies have said that come October 1, ICD-10 will be the rule of the land.

With regard to ICD-10 and your anxiety, here are some additional suggestions that I have been giving to my clients who have delayed the inevitable:
1. Sit down with your staff, review the impact areas and modify the process: where in your practice the codes are used and which organizations you exchange information with.
2. Pick 20 of the more used ICD-9 codes and have your staff do the transformations even if your software does it for you. This will allow you and your staff to “get to know” the basic set of codes needed “to survive”.
3. Touch base with your software company and see if they have any suggestions regarding use and modifications.
4. If you are in a group practice, improve your and your partners’ clinical documentation. Assess and identify potential gaps that will prevent your coder, whether in office or outside billing system, from selecting the appropriate ICD-10 code.
5. Create a budget to include education, software and hardware upgrades as well as needed temporary staffing, additional time for documentation review, and cost of lost clinical and revenue cycle staff productivity.
6. And prepare for the contingencies by setting up a line of credit or short-term loan to get it all covered.
7. Contact your insurance plans and clearing houses to find out their preparedness and their revised coverage and payment, and whether they have “client help” sites or test claims that you can review. Prepare your staff. Have them participate in on-site or off-site training or webinars on the ICD-10 codes.

Most hospitals and insurance companies or medical societies have free instructional courses. Also, include your staff in building the implementation, review and communication team.
8. Touch base with your software vendors about necessary upgrades, compatibility issues, crosswalk or translation programs (are they included in the upgrades and will they be able to list both ICD-9 and ICD-10 codes) and the cost of each and all.
9. Test the system that you have. This is a good strategy if one or all of your insurance companies have test claims sites.
10. Prepare for the worst, including decreased staff productivity and the possibility of other financial challenges. Again, I go back to setting up a line of credit or setting aside some cash reserves to get you through. Physicians and hospitals, clinics and ancillary delivery services should anticipate a loss of revenue and plan ahead.
The pros are suggesting that a practice will take as long as 3-6 months to get comfortable with the new system. Canada reported a 50% decrease in productivity when their health care system changed to ICD-10.

Other sites for assistance in the process of conversion to the ICD-10 system are and, Precyseuniversity ICD-10 Doc Guide APP and
Just some suggestions to my fellow care givers.
Now consider-

Also, consider that the government stored sensitive personal information on millions of health insurance customers in a computer system with basic security flaws, according to an official audit that uncovered slipshod practices.

The Obama administration said it acted quickly to fix all the problems identified by the Health and Human Services inspector general’s office. But the episode raises questions about the government’s ability to protect a vast new database at a time when cyberattacks are becoming bolder.

Known as MIDAS, the $110-million system is the central electronic storehouse for information collected under President Barack Obama’s health care law.

It doesn’t handle medical records, but it does include names, Social Security numbers, birthdates, addresses, phone numbers, passport numbers, employment status and financial accounts of customers on and state insurance marketplaces.

“It sounds like a gold mine for ID thieves,” said Jeremy Gillula, staff technologist for the Electronic Frontier Foundation, a civil liberties group focused on technology. “I’m kind of surprised that this information was never compromised.”

The flaws uncovered by auditors included issues of security policy — where mistakes can have bigger consequences — as well as 135 database vulnerabilities, of which nearly two dozen were classified as potentially severe or catastrophic.

Among the policy mistakes: User sessions were not encrypted, contrary to standard practice on financial websites. “Not doing so is inexcusable for such sensitive data,” said Michelle De Mooy, deputy director for consumer privacy at the Center for Democracy & Technology, an Internet rights group.

MIDAS is an internal system operated by the federal Centers for Medicare and Medicaid Services, the agency that administers the health care law. The acronym stands for Multidimensional Insurance Data Analytics System. Officials say it’s an electronic backbone, essential to the smooth operation of the health care law’s insurance markets.

Currently about 10 million people are covered through and state marketplaces offering taxpayer-subsidized private policies. But MIDAS also keeps information on many others, including former customers. Their data is retained for years.

Before went live in 2013, Obama administration officials assured Congress and the public that individuals’ information would be used mainly to determine eligibility for coverage, and that the government intended to store the minimum amount of personal data possible. Things don’t seem to have turned out that way.

Among the technical problems uncovered by the audit:

–Using a shared read-only account for access to the database that contained individuals’ personal information. Gillula said such a shared account creates a serious vulnerability because if data is stolen, it’s much more difficult to tell who was looking at what information, and when.

–Failure to disable “generic accounts” used for maintenance or other special access during testing, an oversight that can foster complacency about security practices when a system becomes operational.

–Failure to conduct certain automated vulnerability scans that mimic known cyberattacks and could reveal weaknesses in MIDAS and the systems supporting it.

–Database weaknesses. A total of 135 such vulnerabilities — oftentimes software bugs — were discovered by the inspector general’s vulnerability scans. Of these, 22 were classified as high risk, meaning they could have potentially severe or catastrophic fallout, and 62 as medium risk.

“MIDAS collects, generates and stores a high volume of sensitive consumer information, and it is critical that it be properly secured,” the inspector general’s report reads. A summary omitting specific details of the vulnerabilities was posted on the IG’s website this week.

In a written response to the audit, Medicare administrator Andy Slavitt said that “the privacy and security of consumers’ personally identifiable information are a top priority” for his agency. Slavitt said all of the high vulnerabilities were addressed within a week of being identified, and that all of the IG’s recommendations have been fully implemented.

The Medicare agency is conducting weekly vulnerability assessments of MIDAS, and an annual security review, Slavitt said.

However, the episode indicates how some technical and security issues from the program’s chaotic rollout in 2013 may still linger. Back then, the consumer-facing side of went live without a completed security certification.

Gillula, the technology expert, said he doesn’t question the administration’s intentions. “I’m sure they wanted to do the right thing,” he said. “But regardless of what they wanted, did they accomplish it? There certainly were some gaps.”

Can we trust the CMS and the government to keep our sensitive data secure???

Think carefully and consider the future of our system, your caregivers and all the patients out there.
