Click here for more sample CPC practice exam questions with Full Rationale Answers

Practice Exam

Click here for more sample CPC practice exam questions and answers with full rationale

Practice Exam

CPC Practice Exam and Study Guide Package

Practice Exam

What makes a good CPC Practice Exam? Questions and Answers with Full Rationale

CPC Exam Review Video

Laureen shows you her proprietary “Bubbling and Highlighting Technique”

Download your Free copy of my "Medical Coding From Home Ebook" at the top left corner of this page

Practice Exam

2016 CPC Practice Exam Answer Key 150 Questions With Full Rationale (HCPCS, ICD-9-CM, ICD-10, CPT Codes) Click here for more sample CPC practice exam questions with Full Rationale Answers

Practice Exam

Click here for more sample CPC practice exam questions and answers with full rationale

Tag Archives: data

New Proposed Rule to Reduce EHR Data Reporting

A new CMS proposed rule contains two provisions intended to reduce hospital eCQM reporting requirements in response to feedback calling for less aggressive EHR data reporting policies.

A couple provisions in a new Hospital Inpatient Quality Reporting (IQR) Program rule proposal outline modifications to electronic clinical quality measure (eCQM) reporting requirements and validation processes.

In a public document in the Federal Register, CMS proposed reductions to hospital eCQM reporting policies. In the 2017 calendar year reporting period (and 2019 fiscal year payment determination), hospitals would be required to choose six available eCQMs listed in the Hospital IQR Program measure set and offer two chosen calendar year quarters of data…


Continue reading this article


The post New Proposed Rule to Reduce EHR Data Reporting appeared first on Outsource Management Group, LLC..

General Info – Outsource Management Group, LLC.

The cost of a data breach

Data breaches

The cost of a data breach

Complicated Medicare, Medicaid, and private insurer reimbursement rules can easily throw a hospital for a loop and leave it running dangerously low on revenue. An organization’s leaders know they must work better and smarter and make strategic investments that will pay off in savings, while privacy and security officers may sometimes struggle to make the connection between their concerns and those of leadership.

But sound information security programs act as a kind of insurance: money spent up front to protect against an even greater financial loss down the road. Getting that message across can be challenging, but may transform the way an organization approaches information security.

Getting the numbers

Prevention is better than a cure, but privacy and security officers will be expected to back up conventional wisdom with hard numbers. So just how much does a data breach cost on average? The answer depends on the industry, according to the Ponemon Institute’s 2016 Cost of Data Breach Study: Global Analysis ( The study, sponsored by IBM Security, tracks and analyzes data breach costs and mitigation factors in industries around the world. The average per record cost of a data breach is $ 158 in the U.S., but in the healthcare industry that cost is more than double that at $ 355 per record. That can add up quickly if an organization experiences multiple breaches a year.

Several factors play into the higher costs seen in the healthcare industry, Diana Kelley, executive security advisor at IBM Security, says. Highly regulated industries such as healthcare typically see higher costs for breaches in a combination of fines and administrative costs.

"Whenever there’s a fine coming into play, that could lift up the total cost of recovery post-breach because in addition to all of the work you have to do to eradicate the threat, help your customers, and deal with the cleanup and recovery, you have to pay these fines," she says.

A surprising factor driving breach costs is the cost of breach notification. At more than half a million dollars, the U.S. has higher breach notification costs than any of the other countries in the 2016 Ponemon survey. The U.S. has strong data breach notification laws, Kelley says, and there are both federal and state breach notification laws that organizations must comply with.

What drives that cost? Simply the price of first class postage can quickly add up when breach notification letters must be mailed to hundreds or even thousands of affected patients, Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts, says. In fact, the rising cost of postage is one way state and federal governments hope to encourage organizations to spend money on prevention rather than remediation.

"The threat of such costs is intended to be a deterrent to lax security and to spur healthcare organizations to do their best to avoid breaches," Borten says. "Some breaches are not avoidable, but many or most are with better, yet still reasonable, security."

Some organizations may only look at fines when calculating how much a breach could cost, but by overlooking the seemingly smaller costs of a breach they may be missing the bigger picture. Breach notification is only one of the smaller individual and indirect costs of a breach that can add up to significant losses. Legal fees, security forensics, and any necessary security replacements or upgrades are only some of the indirect costs. Indirect costs may not be immediately apparent but they hit an organization’s bottom line all the same, Borten says.

"The indirect costs of a breach are probably not well understood by many healthcare organizations, especially smaller organizations that don’t have a good grasp of the Breach Notification Rule and a comprehensive incident response program," she says.


The value of a medical record

Information security may not be a traditionally strong point for some healthcare organizations. Previously, financial and retail organizations were hot targets for hackers after identity and financial information, but healthcare is quickly overtaking those industries. In comparison to the financial industry, healthcare isn’t known for strong security, Borten says.

"One reason is that organizations have been slow to recognize the value of their data. After all, it’s not like money in a bank account or credit card details that can be used for financial identity theft," she says. "Ironically, healthcare data now has a much higher street value than credit card information."

Healthcare organizations are in a unique position because of the amount of data they hold. A retail organization like Target, which experienced a massive data breach in 2013, likely only stores payment card information and mailing addresses, but most healthcare organizations also store insurance information along with sensitive details of an individual’s health. A 2015 survey by the Ponemon Institute and the Medical Identity Fraud Alliance (MIFA), the Fifth Annual Study on Medical Identity Theft, found that more than two million adults were the victim of medical identity theft and fraud in 2014 and according to Ann Patterson, senior vice president and program director of MIFA, that number will only go up.

That prediction may be supported by some of the biggest breaches this year. In July, a hacker offered millions of patient records for sale and posted samples of the records, showing names, contact information, and Social Security numbers, so interested buyers could verify the records. Other incidents this year have seen hackers offering similar teasers. Some of that data is bound to fall into the wrong hands and be used for financial and medical identity theft. Medical identity theft can cost an individual more than $ 13,000 on average, according to the 2015 MIFA/Ponemon survey, but healthcare organizations inevitably wind up absorbing some of the cost in bad debt. (For more on medical identity theft, see the July and August issues of BOH.)


Timing and teamwork saves money

The 2016 Ponemon study drew a link between the cost of a data breach and the time and manner in which an organization responds to the breach. The longer it takes an organization to detect a breach, the more it costs—approximately $ 1 million more per incident, the survey shows. The average overall cost of a breach that took a mean time to identify of less than 100 days was $ 3.2 million, while those that took more than 100 days to be identified cost an average of $ 4.38 million. The time it takes an organization to contain a breach also impacts the overall cost, according to the study.

Having a security incident response team in place lowered the costs. An organized, planned team can act quickly to identify, contain, and remediate breaches, key factors in keeping breach costs down, Kelley says. And that can give a clear picture of the actual return on investment for security in terms that the C-suite will easily understand. "If you’re trying to argue for incident response and building out the incident response plan or growing that team, here’s some real dollar value that you could tie to what the return on investment could be," she says.

Participation in threat sharing also showed a clear win for organizations. Threat sharing can give organizations a heads up on the latest and most common threats and help them make smart security investments and strategic threat reduction measures.

"This is becoming very important in healthcare as it is in all industries," Kelley says. "The attackers are very organized and collaborative: they’re sharing data, they’re sharing their tips and tricks with each other so they can get data more effectively."

If information sharing is winning for the bad guys, it can do the same for the good guys, she adds. Cyber threats shift quickly, making real-time or near-real-time information crucial. Organizations can share information on threats, like suspicious websites and server addresses that launch phishing attacks, and tips on shutting them down. But some may hesitate to engage in information sharing out of concern that it may expose sensitive business and security information.

An IBM study released in February looked at the C-suite’s attitudes and actions on cybersecurity ( More than half (53%) of respondents agreed that information sharing between organizations is important for cybersecurity, yet 68% said they were unwilling to do so. It’s not surprising that chief executive officers would be uncomfortable sharing information with rival organizations but it can be done without disclosing sensitive data, Kelley says.

"Nobody wants to give away the keys to the kingdom, and if you’ve been breached you don’t want to show everybody where you went wrong and how you went wrong," she says. "That’s not the kind of information sharing that we need to do to succeed. What we really need to share is what the bad guys are doing."

An organization doesn’t need to discuss its intellectual property, specific security controls, or other corporate secrets. The information an organization should share could be the general content of a phishing email, the IP address it was sent from, and the type of malware attached. This allows cybersecurity researchers and experts to create protections and update anti-malware and anti-virus software.

And as stakeholders and the Office of the National Coordinator of Health IT continue to push for interoperability, doing your part to ensure other organizations steer clear of hackers and malware could become even more important. "I think the more we tie systems together and we share with our partners, there are a couple things we can do. One of those is sharing information about threats," Kelley says.


Customer cost

No one likes to hear that their personal data has been breached, but how that dissatisfaction plays into the cost of a breach isn’t clear. According to the 2016 Ponemon study, the healthcare industry is the second most vulnerable to what it calls "churn"—a sharp drop in customers following a data breach. This may surprise those who assume healthcare is relatively immune to consumer pressure, but it’s supported by other trends that see healthcare becoming consumer-driven. It might also offer a clue as to how strongly some patients feel about breaches of PHI. It’s relatively simple to change banks, but changing healthcare insurers or providers is a more complicated process that takes more motivation, Kelley says.

"What’s it cost you to go from one bank to another bank if you don’t like their practices or they suffered a major breach?" she says. "Healthcare, it’s a little bit more difficult, but there’s still a level of choice and healthcare is very personal for people."

But privacy and security officers might want to rely on something other than consumer pressure to make the case for better security, Borten says. Often, patients simply have no better alternative and can’t switch providers or insurers if they’re unhappy over a data breach. And those who do switch may find themselves back in the same system after a few years.

"The reality is more complicated," she says. "As seen in some of the big retail breaches, after some initial falloff, customers come back in full force. In healthcare, some patients may not have other options: they may be locked in to a given provider by their health plan, or they may stay with an organization after a breach because they have long-established relationships they do not want to give up."


Cost conscious

Another recent study on the cost of data breaches by RAND raises questions about how the cost of a breach measures up against other financial risks organizations face. The RAND study, published in the Journal of Cybersecurity (, found that the average cost of a data breach is roughly equal to an organization’s average IT budget, which is itself only 0.04% of an organization’s estimated revenue. The study authors suggest that public concerns about data breaches don’t match up with the relatively modest financial impact on organizations. Organizations, like individuals, are often motivated by self-interest and will not spend on risks that don’t have a significant impact on them; expecting them to act otherwise is not realistic, the study argues.

While that may in fact be the attitude of some executives when faced with competing demands and costs, the study leaves some significant questions unanswered. Bad debt is identified by the RAND study as the top financial risk for healthcare organizations, but data breaches can add to that cost. Victims of medical identity theft may be hit with thousands of dollars in medical expenses someone else racked up under their name. These fraudulent bills often wind up adding to an organization’s bad debt. Bad debt may often be a problem an organization can’t control, but by reducing data breaches, an organization can cut its risk of bad debt caused by medical identity theft. – Briefings on HIPAA

Health Plan Data Unlocks Population Health Improvements

Health Leaders Media

Please add this newsletter to your Safe Sender list
View this email as a Web page | Manage Account

  January 27, 2016 Follow us on FacebookFollow us on TwitterJoin us on LinkedInRSS feed

Health Plan Data Unlocks Population Health Improvements

Rene Letourneau, Senior Editor for HealthLeaders Media

By analyzing claims data, Milwaukee-based Children’s Hospital has measurably increased immunization rates and boosted care delivery and outcomes for some of the city’s most vulnerable citizens. >>>


Editor’s Picks

3 Ways Telemedicine is Changing Healthcare

From increasing access to influencing better patient outcomes, health systems are recognizing the benefits of virtual patient visits and remote monitoring—and finding ways to mitigate the costs. >>>

Population Health Really Does Work

At self-insured Houston Methodist, a population health pilot designed for staff members saw 50% of high-risk participants move into the low-risk pool within the first six months. >>>

Workarounds in Hospitals Raise Ethical Questions

A disconnect between how an organization imagines work is happening and what staff feel they must do puts healthcare workers on potentially ethically shaky ground. >>>

Postacute Strategies Vary Widely, Lack Standards

Two studies point to the need for a more thoughtful approach to postacute care strategies because readmission rates are simply not improving for some patients. >>>

How Public / Private Accelerators are Fostering eHealth Innovation

It is no surprise that a growing number of healthcare institutions are seeking partnerships to fund and nourish innovative startups. Massachusetts and New York are at the forefront of fostering such relationships. >>>

Readmission-reducing RED Protocol Adoption Lagging

The creators of the 12-step Re-Engineered Discharge protocol say it saves money, but hasn’t yet been widely or fully adopted. Follow-up studies have shown that problems arise when RED is diluted. >>>

Bringing the Healthcare Quality Message to the Masses

A documentary film honoring the AHRQ and the late John Eisenberg, a health systems research pioneer, also aims to promote health policy and patient safety, says his son, the filmmaker. From MedPage Today. >>>

Intelligence Report

Intelligence Report: The Outpatient Opportunity—Expanding Access, Relationships, and Revenue

In this HealthLeaders Media research report, the reasons behind ambulatory and outpatient care expansion may originate from different strategic points of view, but the tactics and objectives have much in common.
Order Today >>>

News Headlines

Trump calls for Medicare to negotiate drug prices

The Hill, January 27, 2016

Has Obamacare’s Medicaid expansion reached a tipping point?

CNBC, January 27, 2016

Medica, Blue Cross notch big growth in public insurance

Star Tribune, January 27, 2016

Health insurer Centene missing data drives with client information

Reuters, January 26, 2016

CBO lowers estimated Obamacare sign-ups by 40%

The Hill, January 26, 2016

Fidelity moves deeper into healthcare space with new exchange

Boston Business Journal, January 26, 2016

Deficiencies found at Theranos lab

The Wall Street Journal, January 25, 2016

Drug shortages in American ERs have increased more than 400%

Chicago Tribune, January 25, 2016

Law keeps ID health insurance CEO’s salaries secret / Associated Press, January 25, 2016

Broward Health CEO kills himself, sheriff’s office says

Sun Sentinel, January 25, 2016

Stay Connected to HealthLeaders

Don’t Miss the News You Want.

Spam filters exist for a reason, but not for the news you need. Make sure you aren’t missing your daily and/or weekly industry coverage. Add our address — — to your address book or e-mail whitelist to keep the news you need in your inbox.

Is All of Your Leadership Team In The Know?

Our award-winning Daily News & Analysis e-newsletter can keep your leadership team abreast of relevant breaking news, and with in-depth industry coverage through 10 weekly e-newsletters that hit every pillar of healthcare, we’ve got your whole leadership team covered. Subscribe to any — or all — of our e-newsletters.


Webcast: Building Reputation, Managing Risk—ProMedica’s Model

Date: February 9, 2016, 1:00–2:00 p.m. ET
In this expert webcast, learn how establishing a proactive program to build reputation capital, manage reputational risk, and create a collaborative connection will better prepare providers for dealing with crises in the future.
Register Today >>>

From HealthLeaders Magazine

Big Ideas

What big ideas have you enacted? What big opportunities await your organization? >>>


Ups and Downs of High Volume


Remaking the Board

Sponsor this Newsletter

For advertising opportunities in this or other HealthLeaders Media email newsletters, please contact or call 800.639.7477.

  MAGAZINE | NEWS | TERMS OF SERVICE | PRIVACY POLICY | ADVERTISE Follow us on FacebookFollow us on TwitterJoin us on LinkedInRSS feed

©2016 HealthLeaders Media

If you prefer not to receive this email newsletter, let us know.
HealthLeaders Media Health Plan Insider is a division of Fortis Business Media
100 Winners Circle, Brentwood, TN 37027
Serving the business information needs of healthcare executives and professionals. – Health Plan Insider

data points for review of mri report

If my physician says in his documentation that he personally reviewed the IMAGES of the patients mri scan and also reviewed the report from the radiologist, can he get three points in the data section of medical decision making? So, in other words, he did not just read the radiologist report but actually looked at the scan himself. It states, "independent visualization of image, tracing or specimen itself (not simply review of report), which he did an independent visualization. Does he have to give his own interpretation to get the two points and if so, does it have to be a "formal" report? Can he also get the one data point for review and/or order of tests in the radiology section of CPT as well since he states that he reviewed the report? I wasn’t sure if getting three points would be considered "double dipping". Any comments would be appreciated!

Medical Billing and Coding | AAPC Forum