Posts Tagged hipaa
By Robert A. Pelaia, Esq., CPC, CPCO
It’s foolish to ignore the signs that set off Office of Inspector (OIG) radar. Look around your work environment. If an OIG investigator walked into your office right now, what would he or she see (or not see) that shows compliance is not taken seriously in your practice?
Here are 10 telltale signs, in no particular order, to show investigators that they should take a second look at your compliance activities:
1. Patient Records are in Plain Sight: This is a big Health Insurance Portability and Accountability Act (HIPAA), red flag. It shows that you have no regards for confidentiality of patient information.
2. You Have No Compliance Contact: Your office should designate someone to be in charge of compliance activities. Whether you have an individual or group of individuals responsible for compliance, it’s important to have a “go-to” person for compliance issues.
3. Coding Books Are Outdated: Coders must keep on top of all the newest coding changes and if coders are using outdated coding books or software, that’s a compliance risk. It’s good to keep old coding books around as a historical reference; however, never code from outdated books.
4. Free Limousine Transportation Offered to Medicaid Patients: Section 1128A(a)(5) of the Social Security Act, enacted as part of HIPAA, imposes significant civil money penalties on providers who offer free gifts or services to Medicare or Medicaid beneficiaries that can influence the beneficiary to order items or services from the provider.
5. Coder “Cheat Sheets” Are Posted: It’s alright for coders to have code lists to help work more efficiently; however, an OIG investigator might have a significant problem if the “cheat sheet” only reflects high level codes. For example, if you are listing new patient evaluation and management (E/M) codes on your “cheat sheet,” make sure you list all five levels of new patient E/M codes, not just ones that pay the most money.
6. Memos Posted Instructing Coders to Change Diagnosis Codes: It’s okay to have a list of “covered” diagnoses, but it is not appropriate for the coder to change the diagnosis to one not supported in the medical record. Posted memos telling coders to use particular codes only when submitted with certain “covered” diagnoses and to change to another code if the “wrong” diagnosis is submitted is a red flag to OIG investigators.
7. Coders Get Bonuses when Revenue Increases: The government will closely scrutinize a bonus structure paid to a coder based on increases in revenue because the arrangement might be an incentive for an unscrupulous coder to “up-code.” Coding is complex enough without muddying the water with bonus structures tied to revenue. The less risky route is to base the incentive on productivity, timeliness, or accuracy, rather than revenue.
8. Dusty Compliance Manual: A compliance manual should not sit on the bookshelf, as it should be a useful and comprehensive reference tool used often and updated periodically.
9. Employee Complaints with No Follow-up: An organization that receives complaints or uncovers evidence of improper billing must demonstrate it responded appropriately to the situation, including taking necessary steps to prevent further similar offenses. If the organization’s management personnel fail to investigate employee complaints promptly, this questions the effectiveness of the program.
10. Not Employing “Certified” Coders: You can tell a lot about a health care employer by the company it keeps—it is true that you get what you pay for. Employers who hire certified coders are employers who maintain higher standards, value integrity, and understand that compliance activities are a requirement.
Disclaimer: Information published in this article is the personal views of the author and is not intended to be, nor should it be considered, legal advice. Readers should consult with an attorney to discuss specific situations in further detail.
April 16th, 2013
By Barbara J. Cobuzzi, MBA, CPC, CENTC, CPC-H, CPC-P, CPC-I, CHCC
Many practices enjoy the benefits of outsourcing their billing functions, which allows them to concentrate on providing patient care. Choose the wrong billing company, however, and you may end up with even greater distractions and financial frustration.
February 25th, 2013
Dramatic modifications to the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy, Security, Enforcement, and Breach Notification Rules that will impact your practice are finalized and begin to take effect next month.
The omnibus final rule, developed to help implement HITECH regulations in the American Recovery and Reinvestment Act and shore up electronic privacy rules in the 17-year-old act, includes changes to how providers and payers must protect personal health information (PHI) and the focus of enforcement from voluntary to punitive. The rule also makes business associates (BA) more accountable for breaches of PHI, with the risk of financial penalties.
The Centers for Medicare & Medicaid Services (CMS) maintains the changes provide the public with increased protection as penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the HITECH breach notification requirements by clarifying when breaches of unsecured health information must be reported to HHS. These changes broaden who is responsible and extends consequences to more parties, including small practice, payers, and BAs like billing services or clearing houses.
CMS says the new rule expands individual rights. For example, patients can request a copy of their electronic medical records in electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individuals’ health information without their permission.
The rule also streamlines individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and BAs up to one year after the 180-day compliance date to modify contracts to comply with the rule, the health agency says.
- The new rule increases liability for noncompliance for practices. Tiered penalties range from $100 to $50,000 per violation, depending on culpability. Under the new rule, HHS can impose monetary penalties without exhausting informal options.
- The new rule imposes direct liability for BAs and subcontractors, a change that puts billing services and their clients more at risk because a practice is now liable for what its billing service does.
- The rule introduces an objective test of whether PHI has been compromised and requires notification. The four elements are:
- Nature and extent of PHI in the incident
- Recipient of the PHI
- Acquisition or viewing status of PHI
- Mitigation of the risk after disclosure
- The new rule requires patient authorization for all communication of PHI for marketing purposes, closing a loophole that allowed health care organizations, drug companies, and others to use PHI for direct marketing to patients without permission.
- The new rule better defines what a BA is, clarifying how much interaction with PHI an entity can have before it becomes a BA, and establishing additional accountability for those entities.
- The rule loosens what can be used for fund-raising communications, allowing demographic information, dates of service, department, physician, outcome, and payer status for fund-raising and related BAs. Patient authorization is required.
- The rule makes it easier for your patients to authorize PHI to be used for more than one research effort, allowing a patient to designate PHI can be used for multiple and future research efforts at once.
Overall, the new rule clarifies the definition of a covered entity or BA, the responsibilities that each carry, and punishments associated with a lack of compliance. It doesn’t change the basics; an entity or BA must still have a plan, a designated compliance officer, education, analysis of gaps, and privacy notices for patients and their family members. Under the rule’s changes to definition of compliance, culpability, and correction, however, practices need to reassess efforts this year to avoid unexpected fines or punishment.
February 22nd, 2013
Most health care facilities have safeguards in place to keep transmission of patients’ protected health information (PHI) private between health care employees and business associates. Being compliant with Health Insurance Portability and Accountability Act (HIPAA) privacy laws shouldn’t stop there, however. It’s also wise to review your volunteer policies and procedures before PHI becomes public information.
For example, there was a case featured in the article, “Identify Theft Ring Results in Smartphone Ban at Health System,” (January 2013, Report on Patient Privacy (RPP), volume 13, issue 1) where a 21-year-old volunteer’s misuse of a cell phone at Jackson Memorial North hospital landed him in jail and caused a ban for future volunteers. The March 2012 incident involved 556 patients.
Although the volunteer, Loverson Gelmine, didn’t have access to the hospital computer, he still managed to steal PHI containing Social Security numbers by photographing paper records in the emergency room using his smartphone. Gelmine’s theft ring came out in the open when three men were found in a McDonald’s parking lot, trying to file fraudulent tax returns via the restaurant’s free WiFi connection. They were using the Social Security numbers Gelmine had sold them.
Prevent Smartphone Misuse in Your Facility
To prevent this from happening to other hospitals, Elizabeth Litten, a partner with Fox Rothschild LLP in Princeton, N.J., explained in the RPP identity theft article tips to better manage volunteers, visitors, or other onsite workers:
- Reassess the use of volunteers on campus and whether they should be used in units where information is sensitive (mental health ward) or not closely watched (emergency department).
- Conduct background checks and take the same precautionary steps you would when hiring potential employees.
- Make sure to clearly identify volunteers with obvious nametags or special clothing to set them apart easily from staff.
- Show all staff where volunteers are allowed and not allowed to go in the hospital and get all personnel on board to enforce it. Keep volunteers away from patient care areas.
- If a volunteer needs access to PHI to perform his or her duties, limit its visibility. Try to remove Social Security numbers from patient documents and don’t give them access to complete patient files.
- For paper records, place red sheets of paper between pages containing PHI. The red sheets will be like red flags that can be easily seen if a volunteer is searching through private information.
- For electronic PHI, have computer screens that can’t be viewed from the side, only straight on.
Since the incident, Jackson Memorial has new policies and procedures to help prevent future HIPAA breaches:
- There is a thorough orientation for volunteers; and a privacy rule form must now be signed.
- Volunteers are banned from smartphone use in patient-care areas. Volunteers are immediately dismissed if seen with a smartphone in these areas.
- Nursing leaders in every unit give volunteers documentation explaining responsibilities and permitted duties. Both the nurse leader and volunteer must sign this.
February 15th, 2013
With so many Health Insurance Portability and Accountability Act (HIPAA) changes coming down the pike, it’s a great time to look at how privacy and security laws may impact your practice and compliance plan.
In a recent U.S. Department of Health & Human Services (HHS) press release, HIPAA expands the individual rights of patients to their health information. According to the press release, “The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.”
This means patients can ask for copies of their electronic health records (EHRs). And when it comes to billing, it also means a patient who wants to pay cash can instruct the provider to not share treatment information with his or her health plan.
Keep Billers Compliant
According to Michael D. Miscoe, JD, CPC, CASCC, CUC, CCPC, CPCO, CHCC, here is why it is important to not bill insurance when a patient pays out-of-pocket:
“Although HITECH does not address billing directly, when a patient pays for a service out-of-pocket and instructs (through an appropriate ‘Restrictions on Uses and Disclosures Form’) that you may not disclose PHI associated with that service for payment or health care operations, you are prevented from submitting a claim since by doing so you would be disclosing PHI. If you chose to bill the service anyway, it would be an unauthorized disclosure constituting a breach. This may subject the provider to a penalty, which could be quite substantial if OCR determines the conduct was reckless (usually due to incomplete or non-compliant HIPAA privacy and security policies). Therefore, when the patient makes such a request, HITECH trumps any perceived contractual duty to file a claim because it can’t be done without violating a federal law. A contractual provision that requires you to violate a law is generally unenforceable.
Usually, the patient is paying cash because the service is non-covered. Most provider contracts as well as the Medicare statute do not require submission of claims for non-covered services on behalf of the beneficiary in any event.”
Under the pre-HITECH regulations, you could ignore the patient’s request not to file the claim. Under HITECH, you cannot.
If a patient pays in full out-of-pocket and does not want to bill insurance, according to Miscoe, here are the best steps to take to stay compliant with HITECH:
- Have the patient sign a request that information relative to self-paid services not be disclosed (usually called a Restrictions on Uses and Disclosures Form). Note that self-paid services do not include circumstance where the patient ultimately pays the entire value of the service because of a deductible. The patient’s signed restriction on such disclosures absolutely precludes the provider from submitting a claim for those services. As noted above, the provider is protected from any allegation regarding provider contract breach for not billing by the patient or the carrier, even assuming such an obligation existed.
- Flag these records somehow so they are not disclosed to the health plan should the health plan make a request. The easiest way is to keep them in a separate file. If that’s not an option, clearly mark the record as “Not for Disclosure for Payment or Health Care Operations.”
- If you are sending the records to another provider (which is permissible), make sure the provider knows the records cannot be sent to the health plan due to the patient’s request. A big red stamp or other notation saying the records may not be disclosed in response to a carrier’s payment or health care operations request should suffice.
« Older Entries