o Novitas Presenters – Pete Lawson, Manager, Provider Audit, Hunt Valley, MD – Barb Shadle, Lead Auditor, Provider Audit, Mechanicsburg, PA
o Your Questions for Novitas Solutions (slides 2-3)
o Other Audit Issues (slides 4-7)
o Encryption of Sensitive Information in Email (slides 8-17)
o Novatisphere Portal Overview (slides 18-53, time permitting)
1
Novitas Agenda – NJHFMA Education Session 09/13/2016, 1:10-2:15pm
GuideWell Source | Encryption of Sensitive Information in Email
o 2005 Final Settlement Issuances (no updates available from CMS)
o Update on Allina Health issue from CMS (no update available from CMS)
o 3. The audit process – for example, why are audits being done for KNOWN issues such as bad PS&R (i.e. Model 1 Issue)… the provider will have to file for a reopening. (Clarify - Model 1 PS&R was fixed 10/28/15)
o 4. Wage Index Audit Process (see next slide)
o 5. How does Novitas plan on auditing the S-10 Worksheet? Similar process as the Wage Index Audits? (awaiting instructions from CMS)
o 6. When the auditors send out their proposed and/or final adjustments; can Novitas auditors make it a common practice to also send the HFS Medicare Auditor file? This way the providers can easily import the adjustments to quickly determine the impact of any given entry without having to manually enter all the adjustments. Other MACs are providing this file. (discuss)
2
Questions for Novitas Solutions
GuideWell Source | Encryption of Sensitive Information in Email
Proprietary and Confidential
Wage Index Time Table – FFY 2018 All important deadlines
1. 09/02/16 Deadline for Hospitals to submit revisions
2. 10/24/16 Deadline for MACS to complete assigned Hofc WI reviews.
3. 11/4/16 Deadline for MACS to notify State Hospital Assoc about non responsive providers
4. 11/15/16 Deadline for MACS to submit wage files to CMS
5. 01/30/17 First revised PUF filed issued by CMS
6. 02/17/17 Deadline for Hospitals to request changes to PUF issued 1/30/17
7. 03/24/17 Deadline for MACS to submit revised files to CMS (make sure to send adj to providers, CMS mentions this in timeline)
8. 04/05/17 Deadline for Hospitals to appeal MAC determinations
9. 04/28/17 Final revised PUF issued by CMS
10. 05/30/17 Deadline for Hospital to request corrections due to errors only
11. 08/01/17 Final Rule PUF issued by CMS
GuideWell Source | Presentation Title | 3
o SSI update – what’s being settled, and when; - 2014 SSI, for 12/31/14 cost reports 07/15/16 – CMS issued SSI% and allowed it for use in cost report settlements; 09/08/16 – CMS issued a notice for MACS to stop settling cost reports that utilize the 2014
SSI% (indefinitely), due to the provider’s having the option to submit amended w/s S-10 (until 09/30/16).
- 2013 SSI, Novitas JL has settled 176 out of 178 cost reports - 2012 SSI, Novitas JL has settled 202 out of 206 cost reports - Other reasons for holding settlements take precedence, such as RAC PIP, outlier
hold, or material negative charges
o CMS quality initiatives – MAC workpapers under close scrutiny – Bed days available for IME; – NAHE, legal operator;
4
Audit Issues
GuideWell Source | Encryption of Sensitive Information in Email
o Cost report reopenings for HiTech data elements – CMS compared the settled hospital’s worksheet S Hitech settlement to
the FISS payment screens, any discrepancies need to be resolved by MACS by September 30.
– Some potential issues: • A cost report includes Hitech elements, but is not used for Hitech
settlement - reopening required • FISS screen does not match the final settled cost report – fiss
update required; • FISS screen is correct but does not have the “F” indicator for final
payment – fiss update required;
See the following two slides for examples . . .
5
Audit Issues
GuideWell Source | Encryption of Sensitive Information in Email
6
Cost report Worksheet S
GuideWell Source | Presentation Title |
7
FISS Hitech payment screen
GuideWell Source | Presentation Title |
ENCRYPTION OF SENSITIVE INFORMATION IN EMAIL Centers for Medicare & Medicaid Requirements September 8, 2016
o CMS Sensitive Information includes: – Personally Identifiable Information (PII) – Protected Health Information (PHI) – Federal Tax Information (FTI) – Information system component information
o The following elements are not required to be sent in encrypted attachments unless they are combined with other elements above:
– Provider Name – Provider Address – Provider Telephone Number – Provider Email Address – Provider Transaction Access Number (PTAN) – National Provider Identifier (NPI)
9
CMS Sensitive Information
GuideWell Source | Encryption of Sensitive Information in Email
o PHI must be in an encrypted attachment when sent by email – PHI is individually identifiable health information related to past, present or future
physical or mental health or condition of an individual; provision of health care to an individual; or past, present or future payment for provision of health care to an individual
10
Protected Health Information (PHI)
GuideWell Source | Encryption of Sensitive Information in Email
Protected Health Information (PHI) includes all of the following information:
• Name • Dates – birth date, admission date, discharge date, date of death
• Device identifier and serial numbers
• Address • Medical record numbers • Web Universal Resource Locators (URLs)
• Telephone Numbers
• Health plan beneficiary numbers
• Internet Protocol (IP) address numbers
• Fax Numbers • Account numbers • Biometric identifiers, including finger and voice prints
• Email Address • Certificate/license numbers • Full face photographic images and any comparable images
• Social Security Numbers
• Vehicle identifiers and serial numbers, including license plate
• Any other unique identifying number, characteristic or code
CMS Information Security Acceptable Risk Safeguards (ARS) 2.0 SC-CMS-1 – Electronic Mail (High)
o Control Controls shall be implemented to protect sensitive information that is sent via email.
o Implementation Standard(s) 1. Prior to sending an email, place all sensitive information in an encrypted
attachment.
CIO Directive 16-01 CMS Encryption of Sensitive Information in Email
o Must use encryption that meets Federal Information Processing Standard (FIPS) 140-2 requirements (e.g., SecureZIP)
o Encryption/decryption password/passphrase can no longer be communicated by email effective 7/15/2016
11
CMS Requirements for Sending Sensitive Information by Email
GuideWell Source | Encryption of Sensitive Information in Email
o SecureZIP must be used to CMS Sensitive Information in an encrypted attachment when sending an external email
– External includes emails sent outside of the GuideWell Source, First Coast and Novitas domains
– Must check options for ZIP and Encrypt attachments
12
SecureZIP
GuideWell Source | Encryption of Sensitive Information in Email
o Password/passphrase must: – Include at least eight characters – Contain at least one (1) upper case letter, one (1) lower case letter, one (1)
number and one (1) special character
o Never include the password/passphrase in the same email as the encrypted attachment
o Effective July 15, 2016, the password/passphrase cannot be sent by email when sending CMS Sensitive Information in encrypted attachments
13
Password/Passphrase Requirements
GuideWell Source | Encryption of Sensitive Information in Email
o Faxination – This is the preferred method to send a password/passphrase. – Refer to Faxination Instructions
o Fax – When using a physical fax machine, verify that you entered the correct phone
number before sending the fax.
o Phone call – The password cannot be left on voice message. – If you do not reach the individual your first time calling, you may leave them a
message to call you back so that they may retrieve their decryption password/passphrase.
Note: If using any method other than Faxination, record the password on a log to ensure that the encrypted attachments can be opened if necessary when required for company or legal purposes
– Log can be in a spreadsheet, database, or application – Refer to department specific procedures
14
Approved Methods to Share Password/Passphrase
GuideWell Source | Encryption of Sensitive Information in Email
o Standard password/passphrase may be used and shared using one of the approved methods
o A standard passphrase can be used for no longer than 365 days with an external organization
o Password should be different for each organization
o Guidelines for routine emails that involve multiple organizations – If there is a group email that always goes to the same set of individuals at
differing organizations each time, then these organizations can share the same password.
– If the group email does not go to the same individuals at differing organizations each time, then separate emails should be sent to the different organizations. The password for each organization would need to be different.
o Emails sent to a group distribution list within the same organization – Single password could need to be shared to the entire distribution list.
15
Standard Password/Passphrase
GuideWell Source | Encryption of Sensitive Information in Email
o If recipient cannot open email with the SecureZIP encrypted attachment, send the troubleshooting tips to the recipient using these links:
– First Coast – First Coast Spanish version – Novitas JH – Novitas JL
o If recipient continues to experience issues with SecureZIP, open a ticket with the IT Service Desk by calling x18737, option 1, option 4, option 2
o Ironport can only be used after receiving approval by System Security. – Approval is on a case-by-case basis and must be requested each time or for a
specific period of time (e.g., for the completion of an audit). There is no one time approval.
– Once approved by System Security, type the word ‘Secure’ in the Subject line to encrypt an email. This will encrypt the message, and a link will be emailed to the recipient so they can access the email at a secure, external site.
16
SecureZIP Troubleshooting Tips
GuideWell Source | Encryption of Sensitive Information in Email
o Recipient cannot open the SecureZIP® file – SecureZIP® files must be opened with ZIP Reader by PKWARE. This software is
free and can be downloaded from www.zipreader.com.
o Recipient receives an error message that the password is not correct
– File may be opening using the standard Windows compressed/zipped function.
• Make sure that ZIP Reader by PKWARE is installed. • Ensure that the file association for *.zip is set to open using ZIP Reader by PKWARE.
o The recipient’s IT support may need to be contacted if the recipient does not have the ability to install software or access file associations (Control Panel).
17
Most Common SecureZIP Issues
GuideWell Source | Encryption of Sensitive Information in Email
Novitas Solutions Medicare Part A Presents:
Novitasphere Portal Overview
Today’s Presentation
Agenda: • General Novitasphere Screens • Eligibility, Secure Message and MailBox
Features • Helpful Resources
Objectives:
• Examine how to access Novitasphere • Explore Novitasphere’s features • Provide helpful resources
What is Novitasphere?
Free web-based Portal
Part A users will have access to obtain patient Eligibility, submit Medical Review Records
and Provider Audit & Reimbursement Cost Reports
For demonstrations and more information on Novitasphere visit:
• JH Providers: http://www.novitas-solutions.com/webcenter/portal/Novitasphere_JH/
• JL Providers: http://www.novitas-solutions.com/webcenter/portal/Novitasphere_JL/
Eligibility, Secure Message and MailBox Features
Novitasphere Disclaimer
Users with Roles with Multiple Organizations –Switch Org
Users with Roles with Multiple Providers –Switch Provider
Benefits & Eligibility
Benefits & Eligibility Results
Eligibility Information
Eligibility
• Part A Eligibility Effective and Termination Dates • Part B Eligibility Effective and Termination Dates • Inactive Periods • End Stage Renal Disease (ESRD) dates and
information
•Deductible
Part B Total Deductible Remaining for Calendar year Occupational, Physical and Speech Therapy amounts
applied to the capitation limits Rehabilitation Session counts
Medicare Advantage Plan (MAP)
• Contract Name and Number • Type of Medicare Advantage Plan • The Bill Option code of the Plan type • Effective and Termination Dates • Plan Address and Telephone Number
Medicare Secondary Payer (MSP)
• The reason Medicare is secondary • Effective and Termination Dates • Name of Insurance Company and Address
Hospice/Home Health • Certification codes and dates • Home Health Eligibility History • Insurer Name and Address • Home Health Episode Start and End Dates • Home Health Episode termination date • Provider NPI Number of the Home Health Facility
Preventive Services • Number of Smoking Sessions remaining for the
beneficiary • Next Available Smoking Cessation Date • Preventive Service Procedure Code • Preventive Technical and Professional Dates • Calendar Year • Deductible Applied for the Calendar Year • Deductible Remaining for the Calendar Year • Coinsurance Remaining for the Calendar Year
Inpatient • Date of earliest and latest billing activity for the
spell of illness • Hospital Information • Skilled Nursing Facility Information
Secure Message Medical Review Record Submission
Medical Review Record Submission Confirmation
Secure Message Provider Audit and Reimbursement Form
Submit an Initial or Amended Cost Report
Initial or Amended Cost Report Form
Initial or Amended Cost Report Form – Sub Document Type Descriptions
Completed Initial or Amended Cost Report Form
Cost Report Submission Acknowledgement
Submit a Low or No Medicare Utilization Cost Report
Low or No Utilization Report Form
Submit Additional Documentation
Miscellaneous Documentation Submission
• Cost Report Reopening: • Used for Submission of reopening
Requests for a cost report after it has been settled
• Cost Report Appeals: • Used for the submission of supporting
documents for cost reposts that are under appeal
• SSI Realignment Request (DSH): • Used to request an update to a provider’s
disproportionate share statistics • Provider-Based Determination:
• Used to request initial setup or change in a unit’s provider-based status
• Wage Index/Occupational Mix Submissions:
• Used to upload documentation for the yearly wage index and occupational mix audits
• Desk Review/Audit Additional Documentation:
• Used to upload documentation requested by the Novitas audit staff during the time of a desk review and/or audit
• Submit FOIA Request: • Used to submit a Freedom of Information
Act request for Medicare cost reports • Submit PS&R Request:
• Used to submit a Provider Statistical & Reimbursement report request for fiscal years not covered on the CMS PS&R online system. Providers may utilize this selection if they are currently experiencing PS&R access issues as well
• General Correspondence: • Used to submit documentation for items
not covered in the above-mentioned table selections; such items include: Request for Interim Rate Change Request for Tentative Settlement Change TEFRA Exception Request SCH Low Volume Request Request for Change in Statistical Basis CMS Tie-In-Notice Bankruptcy Other Supporting Documentation 50%Reduction Request
Submit Miscellaneous Documentation
Miscellaneous Documentation Form
Secure Message Submission History – Search by Date Range
Secure Message Submission History – Search by Confirmation ID
Secure Message Submission History – Medical Review Submission Results
Secure Message Submission History – Audit & Reimbursement Submission Results
MailBox Secure Message Communications
Secure Message PDF
MailBox Medicare Communications
Reference
Contact Us
Live Chat
Helpful Resources
Novitasphere References
Novitasphere Part A User Manual: http://www.novitas-
solutions.com/webcenter/content/conn/UCM_Repository/uuid/dDocName:00126973
Part A Novitasphere Frequently Asked Questions: http://www.novitas-
solutions.com/webcenter/content/conn/UCM_Repository/uuid/dDocName:00126974
Eligibility Guide: http://www.novitas-
solutions.com/webcenter/content/conn/UCM_Repository/uuid/dDocName:00098576
Cost Report Submission Quick Steps: http://www.novitas-
solutions.com/webcenter/content/conn/UCM_Repository/uuid/dDocName:00134848