The American Psychiatric Association is in the process of revamping its diagnostic and statistical manual of mental disorders. While the new manual (DSM-5) will not be published until 2013, a draft was released on February 10, 2010 and will be displayed for public comment until April 20, 2010 on www.DSM5.org.

A brief review of the site reveals a vast array of conditions, including mood, sexual, personality and your garden-variety personality and psychiatric conditions.

What apparently has labor lawyers in a tizzy is the possibility that these disorders may provide new found freedom for employees and their attorneys, and place unprecedented restrictions on employers-because employees may demand special accommodations because of their disorders-also known as disabilities-which would render them subject to the ADA.

Some of the examples cited by the concerned attorneys are binge eating and excess gambling. However, in reviewing the site it appears that there are many other conditions contemplated as psychiatric disorders that might give labor lawyers pause.

The real fear is that inclusion in the DSM-5 will give attorneys the opportunity to test newly formulated disorders, increasing potential liability for employers in defending these claims with the added risk of a ruling that would open the floodgates for numerous claims.

While the ADA is truly important and protects many people whose rights might otherwise be trampled, the fear is that the proposed disorders will lead to significant abuse of the ADA.

From a medical billing perspective, these disorders coupled with recent legislation that broadens insurance coverage for mental health disorders, causes one to wonder the future conditions that medical billing operators will be keying into their computers.

Over the years, fax machines have become a fixture in virtually every office – including doctors’ offices. With the advent of HIPAA regulations and their HITECH overlay, however, doctors may begin to look at their fax machines in a totally new light.

Let’s face it; if you have sent enough faxes, chances are that you or a member of your staff has sent a fax to the wrong number. Because of this, virtually every fax cover sheet gives instructions as to what to do if the wrong recipient gets the fax.

What happens when protected health information (PHI) is sent to the wrong recipient?

While technically this may not be covered by the new HITECH rules, it would be covered by the general HIPAA regulations and, therefore, depending on the number of patients affected, HHS would either have to be notified immediately or at the end of the year.

This is especially troubling in light of the fact that many doctors’ offices still send their encounter forms or superbills to medical billing companies by fax. In a recent interview, Susan McAndrew, the Deputy Director for Health Information Privacy for OCR (the new sheriff in town to police HIPAA and HITECH violations), reported that the breach numbers for the month of January 2010 are as follows:
      • As of January 2010, there have been 35 reports of breaches affecting 500+ individuals resulting in 712,000 notices, and
    • Most of the reports were E-PHI and contained lost or stolen unencrypted media or portable devices, and
      • There were more than 300 reports of smaller breaches, and
   • Most of the paper records were sent to wrong fax numbers, wrong addresses, and wrong individuals.

It is frightening to think that a misdialed number on a fax machine can begin the process of risk assessments, notifications and fines simply because of an oversight in your medical practice. There has been very little if any proactive enforcement of HIPAA on the part of the government, and because the enforcement and assessment of penalties for HIPAA violations has been virtually non-existent, many holders of protected health information (PHI) have, at some level, grown accustomed to certain practices that have never been questioned or tested. They have, therefore, convinced themselves that they are in compliance with the law.

The rules of the game, however, are rapidly changing and many people are not aware that the government is mandated to and, in fact, intends to police the medical profession and enforce its laws and regulations through “periodic audits.”

Based on a statement from Susan McAndrew, the calendar for when these periodic audits will take place has not yet been established. Essentially, she said that OCR is considering its budgetary means and the most effective methodologies as there are many ways to accomplish these periodic audits.

In future posts to this blog and submissions to our website www.gs3medicalbilling.com, we will have various materials available to keep medical professionals abreast of developments and to point out some of the issues and challenges they may face regarding compliance with HIPAA HITECH.

On February 1, 2010, 49,352 Medi-Cal beneficiaries were mailed information and their social security numbers were on the address mailing labels.

The first question this raises is why the mailing house or mail room had the recipients’ social security numbers in the first place? Assuming we can get past that, should we assess how the government deals with these types of security breaches and act accordingly?

As a curative notion, Medi-Cal advises that it has sent notification letters to the 49,352 beneficiaries alerting them to the security breach. The letter also advised beneficiaries how to protect themselves from identity theft by contacting the three credit reporting agencies and placing a fraud alert on their files.

We can contrast this with the security breach that occurred with HealthNet who offered its beneficiaries two years of credit bureau monitoring for free. In light of the government’s position, was this move by HealthNet excessive?

In fact, HealthNet is not the only organization that has gone to that length when there were breaches of PHI.

Considering that Medi-Cal is a senior program, one can only wonder what benefit the letter containing information as to how to contact the credit reporting agencies is really worth.

At this point, one might think that the breach at HealthNet was more troublesome than the breach at Medi-Cal. I leave it to the readers of this article to decide.

In the case of HealthNet, an optical drive was missing, and while the information was not encrypted, special software would be needed to be able to view it. One might argue that the likelihood of the drive ending up in a landfill and/or in the hands of someone who neither knew what it contained nor had the ability to extract the information was most likely.

In the case of Medi-Cal, the information was apparently front and center on every envelope. Of course Medi-Cal’s position is that because the numbers were not separated by hyphens they were not clearly identifiable as a social security number. I think that the press coverage of this incident may auger in favor of the fact that the masses know what those nine digits represent.

On the other hand, in the case of HealthNet, a single person having possession of the optical drive would have access to many different health records whereas in the case of the Medi-Cal situation, the almost 50,000 letters are spread throughout the state – unless you have access to the mailbox at senior citizens communities.

Should the Medi-Cal mishap serve as guidance to the private sector?

Considering that the government has allowed the covered entities to do their own risk assessments in the case of unauthorized dissemination of PHI, the Medi-Cal case would apparently give a lot of latitude in the risk assessment process.

Which brings us to the basic question; will the government be held to the same standard as the private sector, and on the other hand, should the private sector learn from how the government deals with HIPAA and HITECH breaches?