Record Number of Major Healthcare Data Breaches in 2021

Amid the global COVID-19 pandemic, the federal tally shows that a record number of major health data breaches were reported in the U.S. in 2021. The overwhelming majority of them involved hacking/IT incidents.

As of January 17, the Department of Health and Human Services’ HIPAA Breach Reporting Tool website shows 713 major health data breaches affecting more than 45.7 million individuals posted for 2021.

4 Common Data Breaches

  • Hacking/IT incidents were the most dominant type of health data breach. Hacking/IT incidents were involved in 73% of all 2021 breaches posted to the HHS website so far, but those incidents were responsible for about 94% of individuals affected.
  • Some 147 “unauthorized access/disclosure” breaches affected more than 2.2 million individuals in 2021. That’s about 20% of total breaches and about 4.8% of those individuals involved in 2021.
  • Only 16 loss/theft breaches involving unencrypted computing devices – such as laptops and mobile storage gear – were posted to the HHS website in 2021. Those incidents, which were the primary source of significant health data breaches in years past, affected fewer than 100,000 individuals in 2021.
  • Business associates were reported as being involved in 251 breaches affecting 21.3 million individuals in 2021. That means vendors and other business associates handling protected health information were involved in about 35% of major HIPAA breaches in 2021. Those business associate incidents affected about 46% of all individuals affected by major health data breaches last year.

Driving Forces Behind Cyberattacks

“Breaches will increase as businesses continue to automate more. Data is the new currency in the cyber world,” says Tom Walsh, founder of privacy and security consultancy tw-Security.

But that is not just a healthcare sector problem, some professionals note. “I assume the number of breaches across industries has risen. [This] goes along with the worldwide nature of cyber business and security and crime. And the pandemic exacerbates it all,” says Kate Borten, president of privacy and security consultancy The Marblehead Group.

Hacking incidents, in particular, will continue to plague the healthcare sector, Walsh says. “Hackers have stepped up their efforts. With new tools available, it’s even easier for someone with basic experience to launch a more sophisticated attack,” he says.

Walsh says hackers had to be technically skilled in operating systems and software to launch an attack successfully. But now, software-as-a-service tools and tools using artificial intelligence are making it easier for novice hackers.

Source: https://www.govinfosecurity.com/record-number-major-health-data-breaches-in-2021-a-18327

Medicare was scheduled to set large physician cuts in motion at the beginning of 2022. As of December 9th, 2021, Congress has passed legislation that prevents those cuts from taking place. This legislation lessens the severity of the -3.75% impact that Medicare was planning to make by 3%. This mitigation expressed by Congress has to do with the previously delayed 2021 budget neutrality adjustments that were set to affect the physician fee schedule in 2022.

This legislation invalidates the required 4% pay-as-you-go sequester that was a result of the American Rescue Plan Act for 2022, as well as delaying reinstatement of Medicare’s current 2% sequester until March of 2022. Plans are to phase in a 1% sequester through June of 2022. “Sequestration is the automatic reduction (i.e., cancellation) of certain federal spending, generally by a uniform percentage. The sequester is a budget enforcement tool that was established by Congress in the Balanced Budget and Emergency Deficit Control Act of 1985 (BBEDCA, also known as the Gramm-Rudman-Hollings Act; P.L. 99-177, as amended) and was intended to encourage compromise and action, rather than actually being implemented (also known as triggered). Generally, this budget enforcement tool has been incorporated into laws to either discourage or encourage certain budget objectives or goals. When these goals are not met, either through the enactment of a law or the lack thereof, a sequester is triggered and certain federal spending is reduced,” (Congressional Research Service, 2021).

Further delays have been brought into motion due to this legislation being passed; cuts to physician office laboratories and the next round of data reporting are only just a few. Congress has expressed their gratitude for the thousands of letters sent by MGMA members that prevented Medicare from subjecting physician offices to payment reductions. They are still calling upon Congress to reform current policies that allow such things (such as the Medicare sequester) to take place unless a movement is made by MGMA, Congress, etc.

Sources:
Medicare and Budget Sequestration. https://sgp.fas.org/crs/misc/R45106.pdf
“Medical Group Management Association.” MGMA, https://www.mgma.com/

Unexpectedly, the United States Department of Health and Human Services has reopened the Provider Relief Fund portal as of December 13th at 9:00 AM ET. This grants more time to those providers and offices that did not get a chance to complete and submit reports for the first reporting period. The portal will be open for submissions from December 13th 2021 to December 20th 2021 at 11:59 PM ET.

Medical practices and providers that have already submitted a report for the first reporting period can access their report if there are errors that need to be corrected. Please contact the provider support line at (866) 569-3522 to be granted access to your submission. Take into account that the second reporting period will begin at the first of the new year on January 1st, 2022.

To access the portal, please follow the link above or visit https://prfreporting.hrsa.gov/

Starting January 1st 2022, changes within Medicare’s physician fee schedule will take effect. These changes that were issued on November 2nd, 2021, will update policies for Medicare payments. “The calendar year (CY) 2022 PFS final rule is one of several rules that reflect a broader Administration-wide strategy to create a health care system that results in better accessibility, quality, affordability, empowerment, and innovation,” (CMS, 2021).

Previously, for a majority of services that were performed in the office setting, Medicare made their payments on a single rate based on the resources involved in performing the service. Starting in 2022, CMS released a series of proposals that include standard rate-setting refinements. With these changes starting January 1st 2022, CMS is authorizing Medicare to make direct payments to physician assistants for services they perform under Medicare part B. As it stands right now, Medicare can only make payments to the employer or independent contractor. “The 2022 Physician Fee Schedule proposed regulatory changes would align policies with the Federal statute of the Consolidated Appropriations Act of 2021 [section 403]. The act amends the Social Security Act and removes the requirement that payment for services performed by PAs be made to their employer and allow payment to be made directly to a PA,” (DePalma).

Along with the changes to the PA PFS, these proposals “revise telehealth services under the Consolidated Appropriations Act, 2021, which allows use of audio-only communications technology when furnishing mental health services in certain circumstances. It also finalizes recent changes to Evaluation and Management (E/M) visit codes, such as policies for split (or shared) E/M visits, critical care services, and services furnished by teaching physicians. Modifications are also being made to payments for therapy services furnished in whole or in part by a Physical Therapist Assistant or Occupational Therapy Assistant. Updates to payment regulation for Medical Nutrition Therapy services are similarly being added as well as finalization for vaccine administration services,” (CMS, 2021).

Please follow this link for the original article pertaining to the above information.

Sources:

“Fact Sheet Calendar Year (CY) 2022 Medicare Physician Fee Schedule Final Rule.” CMS, https://www.cms.gov/newsroom/fact-sheets/calendar-year-cy-2022-medicare-physician-fee

“Physician Fee Schedule.” CMS, https://www.cms.gov/Medicare/Medicare-Fee-for-Service-Payment/PhysicianFeeSched.

“Physician Assistants Will Benefit with Direct Pay under CMS Proposed Rule.” Healio, https://www.healio.com/news/nephrology/20210812/physician-assistants-will-benefit-with-direct-pay-under-cms-proposed-rule.

The Department of Health and Human Services has extended the PHE (public health emergency) for Covid-19; this newest order went into effect on October 18, 2021. For another 90 days, all “telehealth waivers and other flexibilities pursuant to the PHE determination” will continue. This pushes the most current PHE declaration to end on January 16, 2022. The Biden Administration has indicated that it intends to give the healthcare community 60 days’ notice before allowing the PHE to lapse, in order to give them time for preparation. You can view the full renewal here.

This renewal will be the 8th order revolving around Covid-19 nationally. The initial order, titled “Determination that a Public Health Emergency Exists Nationwide as the Result of the 2019 Novel Coronavirus,” was put into effect on January 31, 2020. On April 21, 2020, this PHE was extended, which is also when the disease received the name by which we now know it, “Coronavirus; Covid-19.” According to the CDC, “an outbreak is called an epidemic when there is a sudden increase in cases. As COVID-19 began spreading in Wuhan, China, it became an epidemic. Because the disease then spread across several countries and affected a large number of people, it was classified as a pandemic.”

Sources:

https://www.phe.gov/emergency/news/healthactions/phe/Pages/default.aspx

https://www.phe.gov/emergency/news/healthactions/phe/Pages/COVDI-15Oct21.aspx

A new surprise billing rule that “establishes dispute resolution process for patients, providers, and plans,” was released recently in September of this year. The Department of Health and Human Services released an addition to the rules that outlines the “No Surprises Act.” The No Surprises Act “prohibits balance billing in the case of surprise medical bills — those for non-emergency services furnished by out-of-network providers during a visit by the patient at an in-network facility — unless the law’s notice and consent requirements are met,” (National Law Review, Cummings). This act was first introduced as a part of the Consolidated Appropriations Act, which was enacted in December of 2020.

“A surprise bill is an unexpected bill from a health care provider or facility. This can happen when a person with health insurance unknowingly gets medical care from a provider, facility, or provider of air ambulance services outside their health plan’s network. Surprise billing happens in both emergency and non-emergency care settings,” (CMS, 2021). In an emergency, the patient will be treated by the facility nearest them; this can result in care being performed by those not in-network with the patient’s insurance. In non-emergency cases, patients may have chosen a facility and/or physician that is in-network with their insurance, however, someone behind the scenes of their care, for example a radiologist or an anesthesiologist, may not be in-network. This can cause an outstanding bill for the patient that they were not expecting, which is where this No Surprises Act comes into play.

This new rule continues to protect patients against surprise medical bills by following through with out-of-pocket limits, and requiring patient consent before performing any medical procedures or examinations. Along with following previous procedures and ideals for this rule, MDHHS has included a new process and guidelines for independent dispute resolution (IDR). This allows patients to dispute a surprise medical bill when the care provided was not discussed and approved beforehand. Patients will also be granted good faith estimates for uninsured (or self-pay) individuals. Patient-provider dispute resolution processes are outlined in this new rule, allowing patients to discuss these matters directly with their medical provider with expanded rights to external review. The process that agencies will use to evaluate the IDR disputes is outlined as well. IDR will be implemented starting at the first of the year in 2022. The Federal Register released the second interim final rule on their website.

Please visit the new CMS Surprise Billing Page for all of the latest updates. “The Departments and OPM intend to post additional information over the next several months, including information about how to initiate an independent dispute resolution process in the federal portal, and plan to highlight different provisions as they become more relevant to different stakeholders and audiences,” (CMS, 2021).

Sources:

https://www.natlawreview.com/article/federal-agencies-release-interim-final-rule-to-implement-no-surprises-act

https://www.cms.gov/newsroom/fact-sheets/requirements-related-surprise-billing-part-ii-interim-final-rule-comment-period?mkt_tok=MTQ0LUFNSi02MzkAAAF_-Z7Rq4t6LtH4XO94aNvLgdrMXckHFlUzYOiYaVuXSMXmvgJdLUnk_PULrga7oyfT7u170ig8dhBRxugMCmGOYffSsmAvCIfj2gy-qSGO

Article Updated September 30, 2021

Starting September 29, 2021, health care providers will be able to apply for $25.5 billion in relief funds that includes $8.5 billion in American Rescue Plan (ARP) resources for providers who serve rural Medicaid, Children’s Health Insurance Program (CHIP), or Medicare patients. Additionally, $17 billion is available for Provider Relief Fund (PRF) Phase 4 for a broad range of providers who can document revenue loss and changes in expenses associated with the pandemic.

Those providers that can provide documentation of significant losses due to the pandemic from July 1, 2020, to March 31, 2021, may be eligible for funding. The providers’ most recent tax documents and financial statements for the second half of calendar year (CY) 2020 and the first quarter of CY 2021, may be used as supporting documentation.

The application will be open for four weeks. Providers must submit their completed application by the deadline of October 26 at 11:59 p.m. ET.

To ensure equity and to support healthcare providers with the most need, HRSA will reimburse a higher percentage for those providers that are considered smaller than others. They will also provide extra payments to providers based on the amount of services rendered to Medicaid, CHIP, and Medicare patients.

For those providers that render services to those patients that live in Federal Office of Rural Health Policy-defined rural areas, $8.5 billion will be distributed based on the number of services provided. Price payments will be at the higher Medicare rates for Medicaid and CHIP patients.

Sources:

“Future Payments.” Official Web Site of the U.S. Health Resources & Services Administration, 10 Sept. 2021, www.hrsa.gov/provider-relief/future-payments.

“Rural Health Grants Eligibility Analyzer.” Rural Health Grants Eligibility Analyzer, data.hrsa.gov/tools/rural-health?tab=Address.

“Provider Relief Fund Reporting Requirements and Auditing.” Official Web Site of the U.S. Health Resources & Services Administration, 10 Sept. 2021, www.hrsa.gov/provider-relief/reporting-auditing.

“The Centers for Medicare & Medicaid Services has established code pairs that identify procedure codes that are either mutually exclusive or incidental to one another, or that shouldn’t be reported together due to an overlap in services. [They] currently use the National Correct Coding Initiative, or NCCI, list as published by CMS,” (BCBS, 2021). When in line with Medicare Plus Blue claims, BCBS will begin editing claims that have a 59-modifier attached. The list from NCCI establishes whether or not a 59-modifier can be applied to allow two opposing codes to be billed together and accepted. Along with changes for Medicare Plus Blue claims, changes surrounding the 59-modifier will impact Medicare Advantage PPO claims as well. These changes will promote appropriate use of this modifier to prevent any inaccuracy when billing. Modifier 59 is used when services are performed on the same day that aren’t normally reported together. This code separates the two services as two billable codes. Please see the attached articles for more information and specific scenarios, as well as guidelines to follow when billing in the future.

https://www.bcbsm.com/content/dam/microsites/corpcomm/provider/the_record/2021/sep/Record_0921v.shtml

https://www.bcbsm.com/content/dam/microsites/corpcomm/provider/the_record/2021/aug/Record_0821r.shtml

Sources:

“Claim Editing Update for Modifier 59 Coming Later This Year to MEDICARE PLUS Blue Claims.” The Record, www.bcbsm.com/content/dam/microsites/corpcomm/provider/the_record/2021/sep/Record_0921v.shtml.

“Claim Editing Update Coming This Year to Medicare Advantage Ppo Claims with Modifier 59.” The Record, www.bcbsm.com/content/dam/microsites/corpcomm/provider/the_record/2021/aug/Record_0821r.shtml.

“Starting in November 2021, Blue Cross Blue Shield of Michigan will begin working with Optum, a data, analytics and consulting group, for enhanced prospective claim editing for services provided to our commercial members. We anticipate that this change will help promote correct coding and support payment accuracy,” (BCBS, 2021). In a recent article from BCBS, they explained to surgical providers that coding will need to be changed starting in November of 2021. However, it is highly recommended to start this process sooner, rather than later. In addition to normal CPT codes for surgical procedures, there will need to be an anatomical code attached to let insurance companies know the part of the body in which the surgery was performed.

BCBS will begin performing enhanced prepayment claim reviews; these reviews will help monitor the usage of codes and if they are being overutilized – in addition, they will prevent unnecessary costs. As a result of these reviews, providers may be asked to provide medical records to back these codes. When asked to submit medical records, there will be complete instructions on each request letter as to how to do that. Forewarning, there is limited allotted time to get the medical records submitted, otherwise providers will see denials on their claims until Optum gets the requested information.

Please follow the links below for more information, and to know which CPT code range needs these enhancements.

https://www.bcbsm.com/content/dam/microsites/corpcomm/provider/the_record/2021/sep/Record_0921w.shtml

https://www.bcbsm.com/content/dam/microsites/corpcomm/provider/the_record/2021/aug/Record_0821q.shtml

Sources:

“Claim Editing Enhancements Coming to Blue CROSS Commercial Claims.” The Record, www.bcbsm.com/content/dam/microsites/corpcomm/provider/the_record/2021/sep/Record_0921w.shtml.

“Optum to Provide ENHANCED Prospective CLAIM Editing for Blue CROSS Commercial Claims.” The Record, www.bcbsm.com/content/dam/microsites/corpcomm/provider/the_record/2021/aug/Record_0821q.shtml.

The Covid-19 National Public Health Emergency has been extended as of July 19th, 2021 to October 17th, 2021; this will affect the temporary provisions that have already been in place for testing and patient visits that are Covid related. The temporary provisions were expected to be just that, temporary. The PHE was scheduled to end July 19th, however, due to the new Delta variant of the virus, new precautions have been put into effect and the emergency has been extended.

Continuing from February of 2020, United Healthcare will continue to waive cost-sharing for in and out-of-network Covid-19 testing and Covid related patient visits, including telehealth visits and antibody testing. This does not include routine or surveillance testing (i.e. testing in order to return to the workplace, travel, or entertainment purposes). Cost-sharing only applies to tests that are physician, or licensed health care professional, ordered and administered. Covid-19 testing that has been purchased over the counter that will not have been ordered or administered by a healthcare professional will not be covered by the member’s insurance plan, however, the patient may choose to use their health savings account (HSA). If an over the counter test has been ordered, the patient may submit a claim for reimbursement. Some services that are outside of the Covid-19 scope can continue to be done through telehealth, however, there are no cost-sharing waivers in effect at this time and will continue to be the member’s responsibility. Please reference the links below for more information on what services still fall under the umbrella of cost-sharing waivers.

During the Public Health Emergency, United Healthcare will not require a referral for an emergency for those with a Medicare Advantage plan, as well as others. Again, please follow your state’s specific guidelines as they may vary from state-to-state. In regards to credentialing and recredentialing, “these are consistent with National Council on Quality Assurance (NCQA) standards, as well as any specific state and federal regulations for participation in Medicare and Medicaid programs. Some states may have additional requirements as part of the credentialing and recredentialing process,” (United Healthcare Services, Inc.). Any radiology services that are performed related to potential Covid-19 exposure or symptoms do not require prior-authorization, but providers are asked to submit particular CPT codes when billing. Please reference the Covid-19 Temporary Provisions link for more information, specifically page 6, 12, 13, and 18.

Please refer to your state’s specific Covid-19 website or hotline for more information on Medicaid variations state-by-state.

For more information, please follow the links below. 

Covid-19 Information and Resources | Covid-19 Temporary Provisions 

Sources:

“Covid-19 Information and Resources.” UnitedHealthcare Provider, United Healthcare Services, Inc., 19 July 2021, www.uhcprovider.com/en/resource-library/news/Novel-Coronavirus-COVID-19.html.

“Covid-19 Temporary Provisions.” Uhcprovider.com, United Healthcare Services, Inc., 19 July 2021, www.uhcprovider.com/content/dam/provider/docs/public/resources/news/2020/covid19/COVID-19-Date-Provision-Guide.pdf?cid=em-providernews-PCA12102634-jul21.

Recently, the Centers for Medicare and Medicaid Services released a new proposal of the Medicare physician fee schedule for 2022; this may mean big changes to all requirements for 2022. The final ruling is expected to be set by November 1st of this year. This new proposal is expected to make a more easily accessible and inclusive health care system.

This proposal includes changes to the Merit-based Incentive Payment System, more commonly known as MIPS. MIPS is a program that allows eligible clinicians to receive a bonus in payments, or a penalty on their payments, based on their performance score. The performance model’s threshold will be set at 75 points, while the threshold for exceptional performance will be placed at 89 points. Changes proposed may also include the options for participation for the Alternative Payment Model, APM for short. APM is a way to incentivize affordable quality care. There could be potential changes in payment rates using a conversion factor, that would decrease just under 4% from 2021 rates.

Another change to note would be the delay of the payment penalty phase of the Appropriate Use Criteria (AUC) until 2023, or until the end of COVID-19 health emergency – whichever comes later. AUC is a criterion in which procedures can be determined if they are suitable for the patient or not, expecting that the medical gains significantly outweigh the medical risks. With reference to COVID-19, these changes will allow the continuation of audio-only visits for mental health services. This proposal is hoping to extend the CMS web interface in order to allow collections and submissions.

One final topic to note is the setting of 2023 as the first year that will follow the new MIPS Value Pathways (MVPs). MVPs are predetermined measures and activities that allow eligible clinicians to meet the MIPS requirements with guidance. With this change, in 2023, it will allow more to participate in the program; i.e. clinical social workers and certified nurse midwives. The list continues as they plan to include these select clinical topics: rheumatology, stroke care and prevention, heart disease, chronic disease management, emergency medicine, lower extremity joint repair, and anesthesia. As of now there is no policy in place on how to remove activities that raise possible safety concerns for patients, so in addition to adding to the list of approved activities, this proposal allows some to be removed. There is already a program in place to reweight to MIPS eligible clinicians, and along with allowing more clinicians to register for the program, they plan to apply automatic reweighting for them as well. Currently, smaller practices with 15 or fewer eligible clinicians, can apply for an exemption for hardship, that way the reweighting can be applied to a different performance category.

Changes to quality reporting are going to continuously grow in ways that allow more medical affiliates to report. Currently, Care Compare allows quality reporting to be displayed for hospital affiliations, which then links the corresponding office to that report. Moving forward, this proposal expects to add more facility types, including but not limited to: inpatient rehab centers, hospice, and skilled nursing facilities. In addition to those joining the program, there are also reporting requirement additions to note. Reports under the foundational layer will need to include population health measures and promotions of the interoperability performance category. Under the quality performance category, MVP participants will need to select 4 quality measures, which would have to include an outcome measure; this can be measured by CMS through administrative claims (if available). Additionally, the improvement activities performance category requires participants to choose 2 medium-weighted improvement activities, or one high-weighted activity of the same nature. Furthermore, another area of reporting comes from the cost performance category. CMS calculates a facility’s performance solely on the cost measures that are a part of the MVP administrative claims data. For specifics on how CMS will score these categories, please follow the link below. For a quick look at reporting requirements, registration deadlines, and the information required when registering, please read over the tables below provided by CMS.

View Table 1 | View Table 2 | View Table 3

For more information regarding this proposal, please direct your attention to the following links.

QPP Fact Sheet | PFS Fact Sheet | Proposal Article

“Medicare Proposes 2022 Payment and Quality Reporting Changes.” MGMA, pages.mgma.com/index.php/email/emailWebview?md_id=6605.

The Occupational Safety and Health Administration (OSHA) issued a COVID-19 emergency temporary standard (ETS) with which healthcare employers will be required to comply. This ETS includes an outline and description for an effective COVID-19 plan designed to reduce injuries and illnesses in healthcare workplaces. A COVID-19 plan is essential to responding to COVID-19 hazards in an effective manner. These safety and health programs must proactively and constantly identify and mitigate hazards before employees develop illness or injury in order to be truly effective. In the case of COVID-19 hazards in healthcare settings, this includes identifying employees at risk of exposure to the virus and developing ways to protect them. This type of approach helps employers meet their obligation to provide a safe workplace under the OSH Act. The ETS requires a COVID-19 plan that contains the main components of this kind of safety and health program. According to the ETS OSHA released, there are studies showing that these programs are positively impacting the safety, health, and performance of healthcare workers.

OSHA has identified seven core elements of a successful safety and health program. These are:

  1. Management Leadership – establish a safety plan, communicate it to all employees and assign a coordinator to track the progress.
  2. Worker Participation – train employees to recognize hazards and develop open communication to use their expertise and insight to identify and address hazards. This is the most important.
  3. Hazard Identification & Assessment – use a team approach to identify hazards. Observe work habits and evaluate employee input from surveys or meetings to determine if, where, and how workers could be exposed and if there are safeguards in place to reduce those risks.
  4. Hazard Prevention & Controls – assess if hazards can be eliminated (e.g. work from home) and when they cannot be, consider how the risks may be reduced (e.g. disinfecting, social distancing, physical barriers, ventilation).
  5. Evaluation and Improvement – evaluate regularly to make sure the plan is implemented as intended, continue to identify new hazards, and make improvements where necessary.
  6. Coordination & Communication at Multi-Employer Sites – in some settings, employees may travel from one site to another, possibly exposing employees of a different location. Communicate with all affiliated employers to review your plans and to share information on reported hazards and illness.
  7. Education & Training – ensure that all employees are able to recognize hazards and know the procedures for addressing them. Establish ways for employees to contribute to the safety and health plan.

In addition to the COVID-19 plan, the ETS also requires that covered employers:

  • Clean and disinfect the workplace.
  • Screen employees for symptoms of COVID-19 and follow requirements for removing potential infected employees from the workplace.
  • Ensure social distancing.
  • Screen patients upon arrival.
  • Report COVID-19 hospitalizations and fatalities.
  • Provide reasonable time off and paid leave for COVID-19 vaccinations.

View the full ETS document here. Here is a list of Frequently Asked Questions.

Works Cited
Occupational Exposure to COVID-19; Emergency Temporary Standard, 29 C.F.R. §1910.502. (June 21, 2021).

On June 11, 2021, the U.S. Department of Health and Human Services (HHS) released a revision to the reporting requirements for practices that received Provider Relief Fund (PRF) payments. This revision supersedes the previous update from January of this year. The deadlines for spending the PRF money and for reporting the spending have been extended to relieve some of the burden experienced by smaller practices. The PRF Reporting Portal will be open on July 1, 2021 for providers to begin submitting information. Providers can register for PRF Reporting Portal accounts now.

The revisions apply to those providers who received one or more payments of over $10,000 during a single Payment Received Period (including General, Targeted, Skilled Nursing Facility, and Nursing Home Infection Control distributions). These reporting requirements do not apply to Rural Health Clinic COVID-19 Testing Program, HRSA COVID-19 Uninsured Program or the HRSA COVID-19 Coverage Assistance Fund. Rather than require all payments be used by June 30, 2021, the availability of the funds is dependent on the date the payment was received. The funds received must only be used for expenses within the period of availability. Practices that received one or more payments over, in total, $10,000 must report for each applicable Payment Received Period (rather than $10,000 total across all PRF payment periods). The previous 30-day reporting period has been extended to 90 days. Practices must complete the reporting by the last day of the reporting period or be subject to recoupment. The table below outlines specific dates for both spending and reporting in each period.

| Payment Received Period | Deadline to Use Funds | Reporting Time Period |
| --- | --- | --- |
| Period 1: April 10, 2020 – June 30, 2020 | June 30, 2021 | July 1 – September 30, 2021 |
| Period 2: July 1, 2020 – December 31, 2020 | December 31, 2021 | January 1 – March 31, 2022 |
| Period 3: January 1, 2021 – June 30, 2021 | June 30, 2022 | July 1 – September 30, 2022 |
| Period 4: July 1, 2021 – December 31, 2021 | December 31, 2022 | January 1 – March 31, 2023 |

According to the HHS notice, the Reporting Entity is that which registers its Tax Identification Number (TIN) and reports on the payments received by that TIN and/or its subsidiaries. The following table outlines types of PRF recipients.

| Type of PRF Recipient | Definition |
| --- | --- |
| General Distribution recipient that received payment in Phase 1 only | Entity that received Phase 1 General Distribution payment totaling more than $10,000 in a Payment Received Period |
| General Distribution recipient with no parent organization or subsidiaries except PRF recipients that received Phase 1 General Distribution only | Entity (TIN level) that received one or more General Distribution payments totaling more than $10,000 in a Payment Received Period |
| General Distribution recipient with one or more subsidiaries that received payments in Phase 1 to 3 | Entity that meets these 3 criteria: (1) Is the parent of one or more subsidiary billing TINs that received General Distribution payments in Phase 1 to 3; (2) Has associated providers that were providing diagnoses, testing, or treatment for individuals with possible or actual cases of COVID-19 on or after January 31, 2020; (3) Can otherwise attest to the Terms and Conditions |
| Targeted Distribution recipient (including Nursing Home Infection Control Distribution) | Entity (TIN level) that received Targeted Distribution payments totaling more than $10,000 in a Payment Received Period |

Parent entities can report on their subsidiaries’ General Distribution payments whether the subsidiaries received the payments directly or the money was transferred to them by the parent company. The parent entity can report on the General Distribution payments no matter which entity, the parent or subsidiary, agreed to the Terms and Conditions. However, for Targeted Distribution payments, the original recipient is always the Reporting Entity. Parent entities may not report on their subsidiaries’ Targeted Distribution payments regardless of whether the original recipient transferred the payment. A subsidiary Reporting Entity must note the amount of the Targeted Distributions received that were transferred to or by the parent entity. Transferred Targeted Distribution payments are more likely to be audited by HRSA.

For more information regarding the steps for reporting on the use of the PRF payments, see pages 4 through 11 of the HHS publication, “Provider Relief Fund General and Targeted Distribution Post-Payment Notice of Reporting Requirements,” linked here.

Works Cited

“HHS Issues Revised Notice of Reporting Requirements and Reporting Timeline for Recipients of Provider Relief Fund Payments.” HHS.gov, U.S. Department of Health & Human Services, 11 June 2021, www.hhs.gov/about/news/2021/06/11/hhs-issues-revised-reporting-requirements-timeline-for-provider-relief-fund-recipients.html.

According to a recent alert issued by Blue Cross Blue Shield, value-based reimbursement will be applied to the new codes for COVID-19 vaccine administration. This change is effective July 1, 2021 and applies to primary care providers (PCPs) and specialists receiving value-based reimbursement. Currently, value-based reimbursement for PCPs is applied to select E&M, preventative health, telehealth, and care management codes. The procedure codes that will now receive value-based reimbursement under this change are:

  • *0001A
  • *0021A
  • *0002A
  • *0022A
  • *0011A
  • *0031A
  • *0012A
 

Additionally, value-based reimbursement for PCPs will be applied to six other vaccine administration codes, effective July 1, 2021. These codes are:

  • *90460
  • *90472
  • *90461
  • *90473
  • *90471
  • *90474

Works Cited
“We’re Applying Value‑Based Reimbursement to Procedure Codes for COVID‑19 Vaccine, Other Immunizations.” The Record, Blue Cross Blue Shield of Michigan, May 2021, www.bcbsm.com/content/dam/microsites/corpcomm/provider/the_record/2021/may/Record_0521i.shtml.

Yeo & Yeo Medical Billing & Consulting is pleased to announce that Denise Garrett has earned the Certified Outpatient Clinical Appeals Specialist (COCAS℠) credential. The COCAS credential formally recognizes Garrett’s expertise in medical insurance claims, denials and appeals.

“I continue to stay current with new developments in medical billing and gain knowledge in all areas of revenue cycle management, so I am armed with the tools necessary to help our healthcare clients,” Garrett said. “When it comes to medical insurance appeals, if the documentation supports the billing and the insurance company policy, I will fight to ensure that the practice’s denied claims are paid.”

To earn the credential, Garrett passed the American Institute of Healthcare Compliance’s COCAS exam, which encompasses four main topics:

  1. Appeals and revenue cycle management
  2. Auditing before the appeal and understanding medical necessity
  3. Medicare and ERISA appeals processes
  4. How to create an effective appeals program to avoid unnecessary investigations and probes

Garrett is an account manager with more than 20 years of medical billing and coding experience. She is a Certified Healthcare Auditor (CHA), Certified Professional Coder (CPC), Certified Physician Practice Manager (CPPM®), Certified Professional Compliance Officer (CPCO™), Certified Professional Medical Auditor (CPMA®), and a Certified Foot & Ankle Surgical Coder (CFASC), with expertise in the coding of diagnoses, services, and procedures for physician practices. Garrett serves on the national board of directors of the American Academy of Professional Coders Chapter Association (AAPCCA). She is also a member of the American Medical Billers Association and the American Institute of Healthcare Compliance.

Since 2012, Medicare payments to medical practices have been subject to a -2% sequestration in an effort by Congress to address the debt ceiling crisis. The Coronavirus Aid, Relief, and Economic Security (CARES) Act temporarily suspended that sequestration in May of 2020, meaning that physicians have seen a 2% increase in their payments on Medicare claims. The expiration of this suspension – previously extended from December 21, 2020 to March 31, 2021 – has again been extended through the end of 2021. On April 13, 2021, Congress passed legislation approving this extension and President Biden is expected to sign the bill into law soon.

Back at the end of March, the Centers for Medicare & Medicaid Services (CMS) instructed Medicare Administrative Contractors (MACs) to hold claims with dates of service on or after April 1 without affecting the practitioners’ cash flow. They recommended this hold until this legislation was passed to avoid having to reprocess the claims. Now that the legislation is passed, these claims will be processed. The expense of this suspension is expected to be recouped by extending the sequester through the end of the 2030 budget year.

Works Cited
Coronavirus Aid, Relief, and Economic Security Act of 2020, Pub. L. 116-136, §3709, 134 Stat. 421 (2020).
To prevent across-the-board direct spending cuts, and for other purposes., Pub. L. 117-7, §1 (2021).

The Medicare Accelerated and Advance Payment Program (AAP) was expanded on March 28, 2020. The Centers for Medicare & Medicaid Services (CMS) made the program available to most Medicare physicians and group practices. The AAP provided loans to medical practices suffering financial distress or disruption due to COVID-19. The loans were determined based on the practice’s history of Medicare billing. Originally, providers were to begin payments on these loans in August of 2020. However, the repayment was delayed until one year after the payment was issued to the practice. This means that repayment could begin as early as April 2021 for some providers.

Group practices that have received AAP loans have two repayment options: automatic claims recoupment and lump sum repayment. Automatic claims recoupment is the default method and involves automatically reducing the Medicare payments owed to providers to gradually recoup the amount of the loan. Beginning one year after the loan disbursement, Medicare Administrative Contractors (MACs) will reduce the payments owed to the provider by 25% for 11 months. If the loan has not been paid in full after the 11-month period, the Medicare payments will be reduced by 50% for 6 more months. Any balance remaining after that is due within 30 days or it will accrue 4% interest until it is paid off. Loans paid off before this time will not accrue interest. Providers may also repay their AAP loans by making one or more lump sum payments to their MAC. Group practices interested in making lump sum payments should consult their MAC for details and forms to accompany the payments.

The CMS has not issued further details on the repayment process. They have not yet stated exactly when recoupment will begin. Questions should be directed to providers’ MACs at this time. 

Works Cited:  Continuing Appropriations Act, 2021 & Other Extensions Act, 5 U.S.C. §2501 (2020).

Due to the COVID-19 public health emergency, the Centers for Medicare & Medicaid Services (CMS) will be applying the MIPS extreme and uncontrollable circumstances (EUC) policy automatically for all eligible clinicians for the 2020 performance period. This policy applies to providers that are unable to submit sufficient MIPS data for the 2020 reporting year during the submission period. MIPS eligible individual providers will not be required to submit an application to reweight the MIPS performance categories.

However, the enforcement of the EUC policy does not automatically apply to groups or virtual groups. Groups, virtual groups, and Alternative Payment Model entities wishing to request reweighting of any or all of the MIPS performance categories due to COVID-19 must submit an EUC exception application by the extended deadline of March 31, 2021. Groups that do not apply for EUC will be scored by the existing MIPS scoring policies. The individual clinicians in the group will receive the payment adjustment associated with the group’s final score unless their individual participation score is higher. Virtual groups will be scored according to the existing MIPS scoring policies regardless of data submission and the eligible clinicians in the group will receive the payment adjustment associated with the group’s final score.

The four MIPS performance categories are Quality, Promoting Interoperability, Improvement Activities, and Cost. The MIPS Cost category is calculated automatically based on data from claims and does not require reporting. There are concerns, however, that COVID-19 will have significant effects on the cost measures. For that reason, the Cost category will be weighted at zero percent under the automatic EUC policy even if data is submitted for any or all of the other performance categories. If a practice covered under the EUC policy does not submit data for any of the other three categories, it will receive a neutral or no payment adjustment for the 2020 MIPS performance year (the 2022 MIPS payment year). If data is submitted for only one of the three categories, that category will be weighted at 100% of the score and the practice will receive a neutral or no payment adjustment under the EUC policy. If data is submitted for two or more of the three performance categories, each category will be weighted according to the table (Appendix A) published by the CMS and a positive, negative, or neutral payment adjustment will be issued for the 2022 MIPS payment year.

If you believe that you qualified for the automatic EUC policy and it does not appear to be reflected in your performance feedback, you can submit a targeted review within 60 days following the release of your 2020 performance feedback. 

Works Cited: Scoring, 42 C.F.R. §414.1380. (2021). 

According to Alissa Knight, a former hacker, personal health information (PHI) is the most highly valued data on the dark web. She states that a single PHI record is worth 10 times the price of a credit card number. Knight partnered with Approov, a mobile security company, to test mobile health apps by hacking them through their application programming interfaces (APIs). They tested 30 apps this way to identify threats to the apps and the PHI they contain. Their findings were then published in a report, “All That We Let In.”

Knight and Approov discovered that all 30 of the apps they tested were vulnerable to API attacks. Some even allowed them to access electronic health records such as x-rays, pathology reports, prescriptions, mental health services, etc. Upwards of 20 million mobile health users are exposed to potential attacks by these tested apps alone. The vast majority of the tested apps had hardcoded API keys. As Approov CEO David Stewart explains it, APIs are channels of communication between an app and a server or hospital infrastructure. Essentially, they are the keys to a deeper wealth of information. If these API keys are hardcoded into the mobile app, hackers can dig through the programming and find the API keys, thus gaining access to PHI and more. The report by Approov also states that a small percentage of the tested apps had hardcoded usernames and passwords.

Knight hacked a hospital system as part of the test and was able to access health records and additional registration information for a patient’s family members by simply changing the EHR value by one digit. She used a tool that made it appear as though the access was coming from a mobile health app. She states, “The traffic looks exactly the same as traffic that’s coming from the actual mobile app, and that gives the hackers so much more flexibility about the things that they can do.” It was also discovered that these apps are susceptible to various other attacks, including Broken Object Level Authorization attacks.

API attacks continue to rise in frequency and are on their way to being the most frequently used attack against mobile applications. The current global health crisis due to COVID-19 has increased the use of mobile health applications and virtual healthcare, which is why Alissa Knight and Approov decided to partner on this study. Though the names of the applications tested are being kept anonymous, Stewart acknowledges that apps from large healthcare systems and mobile health vendors were among those tested and found to have vulnerabilities. These vulnerabilities put large amounts of PHI at risk, which is why it is critical for APIs to be secured.

How to Protect Against API Attacks

Tools such as APIsec are recommended. These tools perform security testing to find vulnerabilities in APIs. Secure mobile and web applications begin with building secure APIs. The controls for these apps should be monitored and adjusted to comply with the Health Insurance Portability and Accountability Act (HIPAA). Additionally, Knight states that security should be implemented from the very beginning when developing and coding new apps because healthcare needs to keep up with the technological advances of the time despite the security threats posed against mobile apps.
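The record-ID tampering described above is what a Broken Object Level Authorization flaw looks like on the server side. The following is an added example, not code from the report or the article, contrasting a lookup that serves any record ID with one that checks ownership on every request and logs denials; the record store, care-team mapping, and all names are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample data: record id -> owning patient and record type.
RECORDS = {
    1001: {"patient_id": "pat-A", "type": "pathology report"},
    1002: {"patient_id": "pat-B", "type": "x-ray"},
    1003: {"patient_id": "pat-C", "type": "prescription"},
}
# Constructed care-team mapping: clinician -> patients they may read.
CARE_TEAM = {"dr-1": {"pat-B"}}


@dataclass(frozen=True)
class Principal:
    """Caller identity, assumed to come from a server-verified session.

    An API key shipped inside the app identifies the app build, not the
    user, so it must never stand in for this.
    """
    subject: str  # e.g. "pat-A" or "dr-1"
    role: str     # "patient" or "clinician"


class NotFound(Exception):
    """Raised for both missing records and records the caller may not read."""


def get_record_vulnerable(principal, record_id):
    """Flawed pattern: the caller is authenticated, but any id is served."""
    return RECORDS[record_id]


def may_read(principal, record):
    """Object-level rule: patients read their own records, clinicians
    read records of patients on their care team."""
    if principal.role == "patient":
        return record["patient_id"] == principal.subject
    if principal.role == "clinician":
        return record["patient_id"] in CARE_TEAM.get(principal.subject, set())
    return False


def get_record(principal, record_id, audit_log):
    """Hardened lookup: check ownership on every request and log the result."""
    record = RECORDS.get(record_id)
    # Identical error for "missing" and "not yours" so ids cannot be probed.
    if record is None or not may_read(principal, record):
        audit_log.append(("DENY", principal.subject, record_id))
        raise NotFound(record_id)
    audit_log.append(("ALLOW", principal.subject, record_id))
    return record


def flag_enumeration(audit_log, threshold=3):
    """Return subjects with at least `threshold` denied lookups."""
    denials = Counter(s for outcome, s, _ in audit_log if outcome == "DENY")
    return sorted(s for s, n in denials.items() if n >= threshold)
```

Because requests from a tool can look identical to requests from the real app, the check has to key on the verified user and the requested object, not on anything the client claims about itself.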

Works Cited:
Horowitz, Brian T. “Mobile Health Apps Leak Sensitive Data through APIs, Report Finds.” FierceHealthcare, Questex, 24 Feb. 2021.

Due to the current COVID-19 health emergency, healthcare providers need to schedule vast numbers of appointments for individuals to receive COVID-19 vaccinations. In the interest of ease and efficiency for all parties, they may use apps and other digital scheduling tools to do so.

Covered providers will not be penalized for potential violations of the Health Insurance Portability and Accountability Act (HIPAA) related to use of online scheduling applications for COVID-19 vaccinations. The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services announced that it will not enforce fines against healthcare providers for use of such apps that may not be fully HIPAA compliant.

This discretion of HIPAA enforcement applies to covered healthcare providers and their associates, including web-based scheduling applications vendors (WBSAs), when these vendors are a) used in good faith and b) limited to the scheduling of COVID-19 vaccination appointments during the nationwide health emergency. This enforcement discretion is retroactively effective to Dec. 11, 2020 and will remain in effect until it is deemed that the public health emergency has ended.

WBSAs offer online or web-based apps that are non-public facing for the purpose of scheduling appointments for COVID-related services on a large scale. According to the OCR, “non-public facing” means that these apps only allow the patient and intended health care provider(s) to access the data created, received, maintained, or transmitted by the app. The OCR encourages the reasonable use of safeguards to protect the privacy and security of patients’ protected health information (PHI). These safeguards include using only the minimum data necessary to complete the scheduling, using encryption technology, and enabling all available privacy settings.

Healthcare providers are encouraged to use vendors that state that their WBSAs support HIPAA compliance when seeking additional privacy protection for PHI. Additionally, they can look for vendors that will enter into a business agreement in connection with use of their WBSAs.

Works Cited
Notification of Enforcement Discretion, 45 C.F.R. §§ 160, 164. (2021).