Expand

JUN – Meetings/Exams

By Jennifer Robison
Jun 1st, 2015
0 Comments
86 Views

Scheduling Exams
When scheduling exams please correctly identify the number of examinees your site can accommodate. Officers often list the site as accommodating an unlimited number of examinees because the room is very large. Please be aware that every room has a finite number of seats to provide. Do not fall into the trap of agreeing to proctor more examinees than possible. There have been instances where proctors have agreed to proctor more than they should have, and are left scrambling to find additional seats so examinees are not turned away.

penegra paypal
toradol online
novo pharmacy
zovirax pills
levaquin no prescription
metformin generic name
prednisone for dogs for sale australia

JUN – Miscellaneous

By Jennifer Robison
Jun 1st, 2015
0 Comments
76 Views

Hot Sheet for Use at Your May Meeting
Keep your chapter members informed about what is happening at AAPC by sharing this “Hot Sheet” of AAPC events/information at your next chapter meeting. Be sure to contact AAPC for details if you have any questions beforehand.

Earn .5 CEU for Reading this Officer News
Thank you for reading this important information for chapter officers. Now take this quiz and earn half a CEU (0.5). Stay on top of all AAPC updates for officers by visiting the Local Chapter Officer News page often. One new quiz offered each month!

Get to Know Telemedicine Payment Criteria

By Guest Contributor
Jun 1st, 2015
0 Comments
45 Views

By Nancy G. Higgins, CPC, CPC-I, CIRCC, CPMA, CEMC

Telemedicine is a rapidly expanding component of healthcare in the United States. According to statistics provided by the American Telemedicine Association (ATA), over half of all hospitals in this country use some form of telemedicine. It’s viewed as a cost-effective alternative to traditional face-to-face encounters.

The ATA broadly defines telemedicine as “the use of medical information exchanged from one site to another via electronic communications to improve a patient’s clinical health status.” They also indicate the term “telemedicine” is synonymous with the term “telehealth.”

The Centers for Medicare & Medicaid Services (CMS) have set Medicare payment criteria for these services. Some commercial and managed care payers have also set payment guidelines for telemedicine services.

CMS has established the following criteria for Medicare patients.

Patient Must Be at a Qualifying Location

The patient must be present at a qualified originating site. A site is considered “qualified” if it meets two criteria. First, the originating site must be physically located in either:

  • A rural health professional shortage area (HPSA) located either outside of a metropolitan statistical area (MSA) or in a rural census tract, or
  • A county outside of an MSA.

Second, the patient must be at one of the following places of service:

  • The office of a physician or practitioner
  • Hospital
  • Critical access hospital (CAH)
  • Rural health clinic
  • Federally qualified health center
  • Hospital-based or CAH-based renal dialysis center, including satellites
  • Skilled nursing facility
  • Community mental health center

Practitioner Must be Qualified to Receive Payment

Practitioners at the distant site who may provide telehealth services and receive payment for them are:

  • Physicians
  • Nurse practitioners
  • Physician assistants
  • Nurse midwives
  • Clinical nurse specialists
  • Certified registered nurse anesthetists
  • Clinical psychologists and clinical social workers (excluding CPT® codes 90792, 90833, 90836, and 90838)
  • Registered dietitians or nutrition professionals

Use Modifiers GT and GY, as Appropriate

When billing for telehealth services provided from an eligible originating site, append modifier GT Via interactive audio and video telecommunications system to the CPT® or HCPCS Level II code that describes the provided telehealth service.

If a telehealth service is provided for a Medicare patient located at an ineligible originating site, consider appending both modifier GT and modifier GY Item or service statutorily excluded, does not meet the definition of any Medicare benefit or for non-Medicare insurers, is not a contract benefit. Appending both modifiers will allow tracking of telehealth services provided while indicating the payer’s reimbursement criteria have not been met.

Check for Medicare Accepted Telehealth Codes

Medicare provides a list of CPT® and HCPCS Level II codes eligible for reimbursement when provided via telehealth on its website (www.cms.gov/Medicare/Medicare-General-Information/Telehealth/Telehealth-Codes.html).

Individuals can submit a request to CMS for an addition to the approved list, but their submission must meet the CMS criteria to be considered (see www.cms.gov/Medicare/Medicare-General-Information/Telehealth/Criteria.html). Not all payers cover telehealth services.

Fulfill Documentation Requirements

Providers should be aware that documentation requirements for a telehealth service are the same as that required for any face-to-face patient encounter, with the addition of the following:

  • A statement that the service was provided using telemedicine;
  • The location of the patient;
  • The location of the provider; and
  • The names of all persons participating in the telemedicine service and their role in the encounter.

Example: Mrs. Smith, a Medicare patient, was seen by her family practice doctor, Dr. Jones, with complaints of palpitations, shortness of breath, and fatigue. During his examination of Mrs. Smith, Dr. Jones discovered a new heart murmur not identified previously. Because the practice was located in a remote area, far from any cardiology practices, Dr. Jones contacted Dr. Black, a cardiologist, and asked him to evaluate Mrs. Smith via an interactive telecommunications system, and to provide recommendations regarding Mrs. Smith’s care.

Mrs. Smith was taken to a special room at Dr. Jones’s practice that was fully equipped for providing services via telemedicine. Dr. Jones’s nurse used the equipment to contact Dr. Black, and he conducted an evaluation of Mrs. Smith. Dr. Black gathered and documented a detailed patient history. Using a specialized stethoscope, he examined Mrs. Smith’s heart and lungs. Dr. Black performed and documented a detailed exam. Dr. Black ordered an echocardiogram and scheduled an in-person follow-up encounter with Mrs. Smith. His documentation supported moderate complexity decision-making.

Dr. Jones’s practice is located in a qualified rural HSPA outside of an MSA. Because this was his first encounter with this patient, Dr. Black billed the service provided for Mrs. Smith as 99203-GT Office or other outpatient visit for the evaluation and management of a new patient, which requires these 3 key components: A detailed history; A detailed examination; Medical decision making of low complexity-via interactive audio and video telecommunications system.

The American Medical Association (AMA) believes appropriate use of telemedicine could improve access to services and quality of care. In June 2014, the AMA voted to approve a list of guiding principles to ensure appropriate coverage of and payment for telemedicine services. As telemedicine becomes increasingly popular, and CPT® codes are added to the list of approved services, you will need to continually update your understanding of the billing and documentation requirements associated with this innovative type of service.


 

Nancy G. Higgins, CPC, CPC-I, CIRCC, CPMA, CEMC, is a manager in the Carolinas HealthCare System Medical Group Coding and Charge Capture department. She was the 2009 AAPC Coder of the Year and is a past-president of the Charlotte, North Carolina, local chapter.

Coder Assists Physician in DevelopingTCM Tool

By Michelle Dick
Jun 1st, 2015
0 Comments
31 Views

Results turn out to be a win-win for patients, physicians, and coders.

Initially, Phyzit, Inc. co-founders Stephen Canon, MD, and Mike Canon, JD, launched a software tool aimed at improving patient-physician communication via telemedicine and mobile messaging. It turned out to be an opportunity to streamline transitional care management (TCM) and chronic care management (CCM), as well.

After evaluating the market and interviewing customers, they pivoted their strategy to streamline billing workflow and improve TCM reporting.

When creating this app, Stephen Canon consulted Pam Brooks, CPC, COC, coding manager at Wentworth-Douglass Hospital in Dover, New Hampshire, about TCM and CCM services in regards to how they are coded and reimbursed. Brooks said:

“I see the value in such an application … as [practices and facilities] try to navigate the complexities of CCM billing, improve revenue, and decrease patient admissions/re-admissions. Tracking these services along with unplanned admissions, time, bundling issues and payer and CPT® guidelines is a full-time job. And frankly, our organization had to develop this technology within our own EHR system, which was both costly and time consuming. I can see this application being a very cost-effective alternative for providers who don’t have the deep pockets of corporate medicine.”

Here’s How It Works

The TCM process has an interface that saves time for office staff, reduces workflow demands on primary care physicians, and increases revenue. Patients have direct communication with their doctors and can add family members or other caregivers to their health management plan.

The application, Phyzit TCM, “incorporates secure electronic messaging, phone calls, telemedicine video sessions, and SMS text messaging into a cloud-based platform designed to increase patient engagement and aid physicians in keeping patients healthy after hospital discharge,” according to Arkansas Small Business and Technology Development Center.

Takes Clunks Out of TCM Billing

The process of billing TCM services can be clunky, according to Brooks, with areas that can use improvement. “Although CMS is headed in the right direction by reimbursing for TCM to help prevent costly readmissions, the logistics in regards to proper billing and coding is sometimes confusing and time-consuming,” Brooks said. “A tool such as this will go a long way towards simplifying the process.”

When the smartphone app was beta tested last fall, Brad Bibb, MD, a family practice physician in Ash Flat, Arkansas, made an additional

JUN – Meetings/Exams

By Jennifer Robison
Jun 1st, 2015
0 Comments
86 Views

Scheduling Exams
When scheduling exams please correctly identify the number of examinees your site can accommodate. Officers often list the site as accommodating an unlimited number of examinees because the room is very large. Please be aware that every room has a finite number of seats to provide. Do not fall into the trap of agreeing to proctor more examinees than possible. There have been instances where proctors have agreed to proctor more than they should have, and are left scrambling to find additional seats so examinees are not turned away.

JUN – Miscellaneous

By Jennifer Robison
Jun 1st, 2015
0 Comments
76 Views

Hot Sheet for Use at Your May Meeting
Keep your chapter members informed about what is happening at AAPC by sharing this “Hot Sheet” of AAPC events/information at your next chapter meeting. Be sure to contact AAPC for details if you have any questions beforehand.

Earn .5 CEU for Reading this Officer News
Thank you for reading this important information for chapter officers. Now take this quiz and earn half a CEU (0.5). Stay on top of all AAPC updates for officers by visiting the Local Chapter Officer News page often. One new quiz offered each month!

Get to Know Telemedicine Payment Criteria

By Guest Contributor
Jun 1st, 2015
0 Comments
45 Views

By Nancy G. Higgins, CPC, CPC-I, CIRCC, CPMA, CEMC

Telemedicine is a rapidly expanding component of healthcare in the United States. According to statistics provided by the American Telemedicine Association (ATA), over half of all hospitals in this country use some form of telemedicine. It’s viewed as a cost-effective alternative to traditional face-to-face encounters.

The ATA broadly defines telemedicine as “the use of medical information exchanged from one site to another via electronic communications to improve a patient’s clinical health status.” They also indicate the term “telemedicine” is synonymous with the term “telehealth.”

The Centers for Medicare & Medicaid Services (CMS) have set Medicare payment criteria for these services. Some commercial and managed care payers have also set payment guidelines for telemedicine services.

CMS has established the following criteria for Medicare patients.

Patient Must Be at a Qualifying Location

The patient must be present at a qualified originating site. A site is considered “qualified” if it meets two criteria. First, the originating site must be physically located in either:

  • A rural health professional shortage area (HPSA) located either outside of a metropolitan statistical area (MSA) or in a rural census tract, or
  • A county outside of an MSA.

Second, the patient must be at one of the following places of service:

  • The office of a physician or practitioner
  • Hospital
  • Critical access hospital (CAH)
  • Rural health clinic
  • Federally qualified health center
  • Hospital-based or CAH-based renal dialysis center, including satellites
  • Skilled nursing facility
  • Community mental health center

Practitioner Must be Qualified to Receive Payment

Practitioners at the distant site who may provide telehealth services and receive payment for them are:

  • Physicians
  • Nurse practitioners
  • Physician assistants
  • Nurse midwives
  • Clinical nurse specialists
  • Certified registered nurse anesthetists
  • Clinical psychologists and clinical social workers (excluding CPT® codes 90792, 90833, 90836, and 90838)
  • Registered dietitians or nutrition professionals

Use Modifiers GT and GY, as Appropriate

When billing for telehealth services provided from an eligible originating site, append modifier GT Via interactive audio and video telecommunications system to the CPT® or HCPCS Level II code that describes the provided telehealth service.

If a telehealth service is provided for a Medicare patient located at an ineligible originating site, consider appending both modifier GT and modifier GY Item or service statutorily excluded, does not meet the definition of any Medicare benefit or for non-Medicare insurers, is not a contract benefit. Appending both modifiers will allow tracking of telehealth services provided while indicating the payer’s reimbursement criteria have not been met.

Check for Medicare Accepted Telehealth Codes

Medicare provides a list of CPT® and HCPCS Level II codes eligible for reimbursement when provided via telehealth on its website (www.cms.gov/Medicare/Medicare-General-Information/Telehealth/Telehealth-Codes.html).

Individuals can submit a request to CMS for an addition to the approved list, but their submission must meet the CMS criteria to be considered (see www.cms.gov/Medicare/Medicare-General-Information/Telehealth/Criteria.html). Not all payers cover telehealth services.

Fulfill Documentation Requirements

Providers should be aware that documentation requirements for a telehealth service are the same as that required for any face-to-face patient encounter, with the addition of the following:

  • A statement that the service was provided using telemedicine;
  • The location of the patient;
  • The location of the provider; and
  • The names of all persons participating in the telemedicine service and their role in the encounter.

Example: Mrs. Smith, a Medicare patient, was seen by her family practice doctor, Dr. Jones, with complaints of palpitations, shortness of breath, and fatigue. During his examination of Mrs. Smith, Dr. Jones discovered a new heart murmur not identified previously. Because the practice was located in a remote area, far from any cardiology practices, Dr. Jones contacted Dr. Black, a cardiologist, and asked him to evaluate Mrs. Smith via an interactive telecommunications system, and to provide recommendations regarding Mrs. Smith’s care.

Mrs. Smith was taken to a special room at Dr. Jones’s practice that was fully equipped for providing services via telemedicine. Dr. Jones’s nurse used the equipment to contact Dr. Black, and he conducted an evaluation of Mrs. Smith. Dr. Black gathered and documented a detailed patient history. Using a specialized stethoscope, he examined Mrs. Smith’s heart and lungs. Dr. Black performed and documented a detailed exam. Dr. Black ordered an echocardiogram and scheduled an in-person follow-up encounter with Mrs. Smith. His documentation supported moderate complexity decision-making.

Dr. Jones’s practice is located in a qualified rural HSPA outside of an MSA. Because this was his first encounter with this patient, Dr. Black billed the service provided for Mrs. Smith as 99203-GT Office or other outpatient visit for the evaluation and management of a new patient, which requires these 3 key components: A detailed history; A detailed examination; Medical decision making of low complexity-via interactive audio and video telecommunications system.

The American Medical Association (AMA) believes appropriate use of telemedicine could improve access to services and quality of care. In June 2014, the AMA voted to approve a list of guiding principles to ensure appropriate coverage of and payment for telemedicine services. As telemedicine becomes increasingly popular, and CPT® codes are added to the list of approved services, you will need to continually update your understanding of the billing and documentation requirements associated with this innovative type of service.


 

Nancy G. Higgins, CPC, CPC-I, CIRCC, CPMA, CEMC, is a manager in the Carolinas HealthCare System Medical Group Coding and Charge Capture department. She was the 2009 AAPC Coder of the Year and is a past-president of the Charlotte, North Carolina, local chapter.

Coder Assists Physician in DevelopingTCM Tool

By Michelle Dick
Jun 1st, 2015
0 Comments
31 Views

Results turn out to be a win-win for patients, physicians, and coders.

Initially, Phyzit, Inc. co-founders Stephen Canon, MD, and Mike Canon, JD, launched a software tool aimed at improving patient-physician communication via telemedicine and mobile messaging. It turned out to be an opportunity to streamline transitional care management (TCM) and chronic care management (CCM), as well.

After evaluating the market and interviewing customers, they pivoted their strategy to streamline billing workflow and improve TCM reporting.

When creating this app, Stephen Canon consulted Pam Brooks, CPC, COC, coding manager at Wentworth-Douglass Hospital in Dover, New Hampshire, about TCM and CCM services in regards to how they are coded and reimbursed. Brooks said:

“I see the value in such an application … as [practices and facilities] try to navigate the complexities of CCM billing, improve revenue, and decrease patient admissions/re-admissions. Tracking these services along with unplanned admissions, time, bundling issues and payer and CPT® guidelines is a full-time job. And frankly, our organization had to develop this technology within our own EHR system, which was both costly and time consuming. I can see this application being a very cost-effective alternative for providers who don’t have the deep pockets of corporate medicine.”

Here’s How It Works

The TCM process has an interface that saves time for office staff, reduces workflow demands on primary care physicians, and increases revenue. Patients have direct communication with their doctors and can add family members or other caregivers to their health management plan.

The application, Phyzit TCM, “incorporates secure electronic messaging, phone calls, telemedicine video sessions, and SMS text messaging into a cloud-based platform designed to increase patient engagement and aid physicians in keeping patients healthy after hospital discharge,” according to Arkansas Small Business and Technology Development Center.

Takes Clunks Out of TCM Billing

The process of billing TCM services can be clunky, according to Brooks, with areas that can use improvement. “Although CMS is headed in the right direction by reimbursing for TCM to help prevent costly readmissions, the logistics in regards to proper billing and coding is sometimes confusing and time-consuming,” Brooks said. “A tool such as this will go a long way towards simplifying the process.”

When the smartphone app was beta tested last fall, Brad Bibb, MD, a family practice physician in Ash Flat, Arkansas, made an additional $1,400 per month using the app, and his hospital readmissions were cut by 50 percent. Zana Johnson, care manager for Family Clinic of Ashley County in Crossett, Arkansas, also uses the app. “In today’s healthcare, we must utilize all the tools available to be efficient and still maintain the level of care our patients deserve,” Johnson said. “That’s what Phyzit does — it makes my job easier without all the stress, so I can concentrate on patients and their needs.”

CCM is another area that would benefit from this approach to patient management workflow and greater coding and billing efficiency. Phyzit CCM is in the planning stages, and Stephen Canon assures us it will streamline the CCM practice opportunity.

Sources:

http://phyzit.com/

http://asbtdc.org/arkansas-company-phyzit-tackles-transitional-care-management-nationally/


 

Michelle A. Dick is executive editor at AAPC.

Conduct a Security Analysis for Your Practice

By Guest Contributor
Jun 1st, 2015
0 Comments
32 Views

The first step to ensuring your patients’ ePHI is secure is assessing your office’s HIPAA compliance.

By Joette Derricks, MPA, CMPE, CPC, CHC, CSSGB

Prior to the HIPAA Security Rule, a generally accepted set of security standards to govern electronic protected health information (ePHI) didn’t exist. Today, all covered entities, including small health plans, are required to comply with the Security Rule. To ensure compliance with HIPAA security standards, start by assessing how ePHI is handled in your practice.

HIPAA Security Rule Risk Assessment

One major difference between the HIPAA Privacy Rule and the Security Rule is that the Security Rule applies only to ePHI, which includes information that is created, received, maintained, transmitted (e.g., over the Internet), or stored electronically on a computer hard drive or removable disk. The Security Rule does not cover PHI stored on paper or communicated verbally.

The Security Rule requires covered entities (including physician practices) to have in place appropriate administrative, technical, and physical safeguards to protect ePHI against intentional or unintentional use or disclosure.

Meaningful Use Security Assessment

Physician practices are also faced with ensuring ePHI security if participating in either the Medicare or Medicaid Electronic Health Records (EHR) Incentive Program. The meaningful use core objective to which I refer requires participating practices to secure ePHI created or maintained by certified EHR technology through the implementation of appropriate technical capabilities. As part of its risk management process, an organization must conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implement security updates, as necessary, and correct any identified security deficiencies.

The meaningful use requirements are not intended to supersede or substitute compliance required under HIPAA. As a covered entity, you’re still required to comply with the HIPAA Privacy and Security Rules. The section of the Code of Federal Regulations cited in the meaningful use core objective refers back to the HIPAA regulations.

The question then becomes: What action is required to adequately comply with both the HIPAA Security Rule and the meaningful use requirements associated with EHR incentive payments?

In a nutshell: If you are in compliance with the HIPAA Security Rule, you should be able to attest to meeting the meaningful use core objective for security of ePHI.

Risk Assessment Requirements

The Security Rule has detailed instructions for implementing safeguard standards. Each standard may be either required or addressable. (Table 1 shows some of the administrative safeguards standard, with the implementation specifications noted as either (R) Required or (A) Addressable).

security analysis table 1

When a standard is addressable, your practice must assess whether it’s a reasonable and appropriate safeguard in your environment. This involves analyzing the specification in regards to the likelihood of protecting your ePHI from reasonably anticipated threats and hazards. If your practice chooses not to implement an addressable specification based on its assessment, it must document the reason and, if reasonable and appropriate, implement an equivalent alternative measure.

Two required standards in the administrative safeguard section are: (1) conduct a risk analysis; and (2) implement a risk management plan. Together, these two standards form the foundation upon which you build necessary security protections.

A risk assessment helps organizations ensure they are compliant with HIPAA’s administrative, physical, and technical safeguards. The required risk analysis and risk management implementation specifications serve as the foundation for your practice’s overall HIPAA compliance program.

  • Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the organization.
  • Risk Management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply.

The Office of Civil Rights (OCR) has published extensive reports, guides, and tools to help organizations of all sizes comply with the HIPAA Security Rule. They are available on the U.S. Department of Health & Human Services website.

In addition, the Health IT website provides an interactive tool any organization may use to complete a security risk assessment. Although the tool allows the information to be entered online, you may find it easier to download the requirements.

While on the Health IT website, be sure to download a copy of Guide to Privacy and Security of Health Information (www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf). This guide provides an excellent overview of what is required for both the Privacy and Security Rules.

The Cost of Noncompliance

Neither the Security Rule nor meaningful use mandates for physician practices to use a particular tool. The HIPAA Security Rule is clear that the standards are scalable and flexible; however, the penalties for noncompliance are substantial.

Under HIPAA, penalties start at $100, per violation, and can grow to an annual maximum fine of $1.5 million, contingent on the type of the violation and whether the violator acted unknowingly or deliberately. Another factor in the penalty calculation is whether the violator became aware of the violation and implemented corrective action in a timely manner. The penalty under meaningful use is a total payback of any incentive funds received through the program.

Take That First Step to Compliance

Your practice is ultimately responsible for conducting a risk assessment. Although the task may appear overwhelming, it’s obtainable. To tackle it, appoint a team that includes your practice administrator, a physician representative, and one or two staff members (perhaps the billing manager or front desk person). Set aside an hour or two each week to go through the administrative, technical, and physical standards and implementation specifications. Before you know it, the risk assessment will be completed.

Unfortunately, this task is not a “once and done” requirement. Provisions in both meaningful use and the Security Rule require you to perform reviews at least annually, and whenever there has been a change in your practice. Changes that may affect the security assessment and require an update include implementing new technology that accesses PHI, entering into a joint venture or merger with another practice, and moving to a new facility.


 

Joette Derricks, MPA, CMPE, CPC, CHC, CSSGB, has 35 years of healthcare finance, operations, and compliance experience. A national speaker and author, her unique style is to bridge the regulatory requirements with the practical realities of day-to-day operations. Derricks has provided numerous expert reports and testimony regarding Medicare, Medicaid, and third-party payer regulations with an emphasis on coding, billing, and reimbursement rules. She serves as the vice president, regulatory affairs at Anesthesia Business Consultants, and is a member of the Ann Arbor, Michigan, local chapter.

« Older Entries   Newer Entries »

Responsive Menu Clicked Image
,400 per month using the app, and his hospital readmissions were cut by 50 percent. Zana Johnson, care manager for Family Clinic of Ashley County in Crossett, Arkansas, also uses the app. “In today’s healthcare, we must utilize all the tools available to be efficient and still maintain the level of care our patients deserve,” Johnson said. “That’s what Phyzit does — it makes my job easier without all the stress, so I can concentrate on patients and their needs.”

CCM is another area that would benefit from this approach to patient management workflow and greater coding and billing efficiency. Phyzit CCM is in the planning stages, and Stephen Canon assures us it will streamline the CCM practice opportunity.

Sources:

http://phyzit.com/

http://asbtdc.org/arkansas-company-phyzit-tackles-transitional-care-management-nationally/


 

Michelle A. Dick is executive editor at AAPC.

Conduct a Security Analysis for Your Practice

By Guest Contributor
Jun 1st, 2015
0 Comments
32 Views

The first step to ensuring your patients’ ePHI is secure is assessing your office’s HIPAA compliance.

By Joette Derricks, MPA, CMPE, CPC, CHC, CSSGB

Prior to the HIPAA Security Rule, a generally accepted set of security standards to govern electronic protected health information (ePHI) didn’t exist. Today, all covered entities, including small health plans, are required to comply with the Security Rule. To ensure compliance with HIPAA security standards, start by assessing how ePHI is handled in your practice.

HIPAA Security Rule Risk Assessment

One major difference between the HIPAA Privacy Rule and the Security Rule is that the Security Rule applies only to ePHI, which includes information that is created, received, maintained, transmitted (e.g., over the Internet), or stored electronically on a computer hard drive or removable disk. The Security Rule does not cover PHI stored on paper or communicated verbally.

The Security Rule requires covered entities (including physician practices) to have in place appropriate administrative, technical, and physical safeguards to protect ePHI against intentional or unintentional use or disclosure.

Meaningful Use Security Assessment

Physician practices are also faced with ensuring ePHI security if participating in either the Medicare or Medicaid Electronic Health Records (EHR) Incentive Program. The meaningful use core objective to which I refer requires participating practices to secure ePHI created or maintained by certified EHR technology through the implementation of appropriate technical capabilities. As part of its risk management process, an organization must conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implement security updates, as necessary, and correct any identified security deficiencies.

The meaningful use requirements are not intended to supersede or substitute compliance required under HIPAA. As a covered entity, you’re still required to comply with the HIPAA Privacy and Security Rules. The section of the Code of Federal Regulations cited in the meaningful use core objective refers back to the HIPAA regulations.

The question then becomes: What action is required to adequately comply with both the HIPAA Security Rule and the meaningful use requirements associated with EHR incentive payments?

In a nutshell: If you are in compliance with the HIPAA Security Rule, you should be able to attest to meeting the meaningful use core objective for security of ePHI.

Risk Assessment Requirements

The Security Rule has detailed instructions for implementing safeguard standards. Each standard may be either required or addressable. (Table 1 shows some of the administrative safeguards standard, with the implementation specifications noted as either (R) Required or (A) Addressable).

security analysis table 1

When a standard is addressable, your practice must assess whether it’s a reasonable and appropriate safeguard in your environment. This involves analyzing the specification in regards to the likelihood of protecting your ePHI from reasonably anticipated threats and hazards. If your practice chooses not to implement an addressable specification based on its assessment, it must document the reason and, if reasonable and appropriate, implement an equivalent alternative measure.

Two required standards in the administrative safeguard section are: (1) conduct a risk analysis; and (2) implement a risk management plan. Together, these two standards form the foundation upon which you build necessary security protections.

A risk assessment helps organizations ensure they are compliant with HIPAA’s administrative, physical, and technical safeguards. The required risk analysis and risk management implementation specifications serve as the foundation for your practice’s overall HIPAA compliance program.

  • Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the organization.
  • Risk Management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply.

The Office of Civil Rights (OCR) has published extensive reports, guides, and tools to help organizations of all sizes comply with the HIPAA Security Rule. They are available on the U.S. Department of Health & Human Services website.

In addition, the Health IT website provides an interactive tool any organization may use to complete a security risk assessment. Although the tool allows the information to be entered online, you may find it easier to download the requirements.

While on the Health IT website, be sure to download a copy of Guide to Privacy and Security of Health Information (www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf). This guide provides an excellent overview of what is required for both the Privacy and Security Rules.

The Cost of Noncompliance

Neither the Security Rule nor meaningful use mandates for physician practices to use a particular tool. The HIPAA Security Rule is clear that the standards are scalable and flexible; however, the penalties for noncompliance are substantial.

Under HIPAA, penalties start at 0, per violation, and can grow to an annual maximum fine of

JUN – Meetings/Exams

By Jennifer Robison
Jun 1st, 2015
0 Comments
86 Views

Scheduling Exams
When scheduling exams please correctly identify the number of examinees your site can accommodate. Officers often list the site as accommodating an unlimited number of examinees because the room is very large. Please be aware that every room has a finite number of seats to provide. Do not fall into the trap of agreeing to proctor more examinees than possible. There have been instances where proctors have agreed to proctor more than they should have, and are left scrambling to find additional seats so examinees are not turned away.

JUN – Miscellaneous

By Jennifer Robison
Jun 1st, 2015
0 Comments
76 Views

Hot Sheet for Use at Your May Meeting
Keep your chapter members informed about what is happening at AAPC by sharing this “Hot Sheet” of AAPC events/information at your next chapter meeting. Be sure to contact AAPC for details if you have any questions beforehand.

Earn .5 CEU for Reading this Officer News
Thank you for reading this important information for chapter officers. Now take this quiz and earn half a CEU (0.5). Stay on top of all AAPC updates for officers by visiting the Local Chapter Officer News page often. One new quiz offered each month!

Get to Know Telemedicine Payment Criteria

By Guest Contributor
Jun 1st, 2015
0 Comments
45 Views

By Nancy G. Higgins, CPC, CPC-I, CIRCC, CPMA, CEMC

Telemedicine is a rapidly expanding component of healthcare in the United States. According to statistics provided by the American Telemedicine Association (ATA), over half of all hospitals in this country use some form of telemedicine. It’s viewed as a cost-effective alternative to traditional face-to-face encounters.

The ATA broadly defines telemedicine as “the use of medical information exchanged from one site to another via electronic communications to improve a patient’s clinical health status.” They also indicate the term “telemedicine” is synonymous with the term “telehealth.”

The Centers for Medicare & Medicaid Services (CMS) have set Medicare payment criteria for these services. Some commercial and managed care payers have also set payment guidelines for telemedicine services.

CMS has established the following criteria for Medicare patients.

Patient Must Be at a Qualifying Location

The patient must be present at a qualified originating site. A site is considered “qualified” if it meets two criteria. First, the originating site must be physically located in either:

  • A rural health professional shortage area (HPSA) located either outside of a metropolitan statistical area (MSA) or in a rural census tract, or
  • A county outside of an MSA.

Second, the patient must be at one of the following places of service:

  • The office of a physician or practitioner
  • Hospital
  • Critical access hospital (CAH)
  • Rural health clinic
  • Federally qualified health center
  • Hospital-based or CAH-based renal dialysis center, including satellites
  • Skilled nursing facility
  • Community mental health center

Practitioner Must be Qualified to Receive Payment

Practitioners at the distant site who may provide telehealth services and receive payment for them are:

  • Physicians
  • Nurse practitioners
  • Physician assistants
  • Nurse midwives
  • Clinical nurse specialists
  • Certified registered nurse anesthetists
  • Clinical psychologists and clinical social workers (excluding CPT® codes 90792, 90833, 90836, and 90838)
  • Registered dietitians or nutrition professionals

Use Modifiers GT and GY, as Appropriate

When billing for telehealth services provided from an eligible originating site, append modifier GT Via interactive audio and video telecommunications system to the CPT® or HCPCS Level II code that describes the provided telehealth service.

If a telehealth service is provided for a Medicare patient located at an ineligible originating site, consider appending both modifier GT and modifier GY Item or service statutorily excluded, does not meet the definition of any Medicare benefit or for non-Medicare insurers, is not a contract benefit. Appending both modifiers will allow tracking of telehealth services provided while indicating the payer’s reimbursement criteria have not been met.

Check for Medicare Accepted Telehealth Codes

Medicare provides a list of CPT® and HCPCS Level II codes eligible for reimbursement when provided via telehealth on its website (www.cms.gov/Medicare/Medicare-General-Information/Telehealth/Telehealth-Codes.html).

Individuals can submit a request to CMS for an addition to the approved list, but their submission must meet the CMS criteria to be considered (see www.cms.gov/Medicare/Medicare-General-Information/Telehealth/Criteria.html). Not all payers cover telehealth services.

Fulfill Documentation Requirements

Providers should be aware that documentation requirements for a telehealth service are the same as that required for any face-to-face patient encounter, with the addition of the following:

  • A statement that the service was provided using telemedicine;
  • The location of the patient;
  • The location of the provider; and
  • The names of all persons participating in the telemedicine service and their role in the encounter.

Example: Mrs. Smith, a Medicare patient, was seen by her family practice doctor, Dr. Jones, with complaints of palpitations, shortness of breath, and fatigue. During his examination of Mrs. Smith, Dr. Jones discovered a new heart murmur not identified previously. Because the practice was located in a remote area, far from any cardiology practices, Dr. Jones contacted Dr. Black, a cardiologist, and asked him to evaluate Mrs. Smith via an interactive telecommunications system, and to provide recommendations regarding Mrs. Smith’s care.

Mrs. Smith was taken to a special room at Dr. Jones’s practice that was fully equipped for providing services via telemedicine. Dr. Jones’s nurse used the equipment to contact Dr. Black, and he conducted an evaluation of Mrs. Smith. Dr. Black gathered and documented a detailed patient history. Using a specialized stethoscope, he examined Mrs. Smith’s heart and lungs. Dr. Black performed and documented a detailed exam. Dr. Black ordered an echocardiogram and scheduled an in-person follow-up encounter with Mrs. Smith. His documentation supported moderate complexity decision-making.

Dr. Jones’s practice is located in a qualified rural HSPA outside of an MSA. Because this was his first encounter with this patient, Dr. Black billed the service provided for Mrs. Smith as 99203-GT Office or other outpatient visit for the evaluation and management of a new patient, which requires these 3 key components: A detailed history; A detailed examination; Medical decision making of low complexity-via interactive audio and video telecommunications system.

The American Medical Association (AMA) believes appropriate use of telemedicine could improve access to services and quality of care. In June 2014, the AMA voted to approve a list of guiding principles to ensure appropriate coverage of and payment for telemedicine services. As telemedicine becomes increasingly popular, and CPT® codes are added to the list of approved services, you will need to continually update your understanding of the billing and documentation requirements associated with this innovative type of service.


 

Nancy G. Higgins, CPC, CPC-I, CIRCC, CPMA, CEMC, is a manager in the Carolinas HealthCare System Medical Group Coding and Charge Capture department. She was the 2009 AAPC Coder of the Year and is a past-president of the Charlotte, North Carolina, local chapter.

Coder Assists Physician in DevelopingTCM Tool

By Michelle Dick
Jun 1st, 2015
0 Comments
31 Views

Results turn out to be a win-win for patients, physicians, and coders.

Initially, Phyzit, Inc. co-founders Stephen Canon, MD, and Mike Canon, JD, launched a software tool aimed at improving patient-physician communication via telemedicine and mobile messaging. It turned out to be an opportunity to streamline transitional care management (TCM) and chronic care management (CCM), as well.

After evaluating the market and interviewing customers, they pivoted their strategy to streamline billing workflow and improve TCM reporting.

When creating this app, Stephen Canon consulted Pam Brooks, CPC, COC, coding manager at Wentworth-Douglass Hospital in Dover, New Hampshire, about TCM and CCM services in regards to how they are coded and reimbursed. Brooks said:

“I see the value in such an application … as [practices and facilities] try to navigate the complexities of CCM billing, improve revenue, and decrease patient admissions/re-admissions. Tracking these services along with unplanned admissions, time, bundling issues and payer and CPT® guidelines is a full-time job. And frankly, our organization had to develop this technology within our own EHR system, which was both costly and time consuming. I can see this application being a very cost-effective alternative for providers who don’t have the deep pockets of corporate medicine.”

Here’s How It Works

The TCM process has an interface that saves time for office staff, reduces workflow demands on primary care physicians, and increases revenue. Patients have direct communication with their doctors and can add family members or other caregivers to their health management plan.

The application, Phyzit TCM, “incorporates secure electronic messaging, phone calls, telemedicine video sessions, and SMS text messaging into a cloud-based platform designed to increase patient engagement and aid physicians in keeping patients healthy after hospital discharge,” according to Arkansas Small Business and Technology Development Center.

Takes Clunks Out of TCM Billing

The process of billing TCM services can be clunky, according to Brooks, with areas that can use improvement. “Although CMS is headed in the right direction by reimbursing for TCM to help prevent costly readmissions, the logistics in regards to proper billing and coding is sometimes confusing and time-consuming,” Brooks said. “A tool such as this will go a long way towards simplifying the process.”

When the smartphone app was beta tested last fall, Brad Bibb, MD, a family practice physician in Ash Flat, Arkansas, made an additional $1,400 per month using the app, and his hospital readmissions were cut by 50 percent. Zana Johnson, care manager for Family Clinic of Ashley County in Crossett, Arkansas, also uses the app. “In today’s healthcare, we must utilize all the tools available to be efficient and still maintain the level of care our patients deserve,” Johnson said. “That’s what Phyzit does — it makes my job easier without all the stress, so I can concentrate on patients and their needs.”

CCM is another area that would benefit from this approach to patient management workflow and greater coding and billing efficiency. Phyzit CCM is in the planning stages, and Stephen Canon assures us it will streamline the CCM practice opportunity.

Sources:

http://phyzit.com/

http://asbtdc.org/arkansas-company-phyzit-tackles-transitional-care-management-nationally/


 

Michelle A. Dick is executive editor at AAPC.

Conduct a Security Analysis for Your Practice

By Guest Contributor
Jun 1st, 2015
0 Comments
32 Views

The first step to ensuring your patients’ ePHI is secure is assessing your office’s HIPAA compliance.

By Joette Derricks, MPA, CMPE, CPC, CHC, CSSGB

Prior to the HIPAA Security Rule, a generally accepted set of security standards to govern electronic protected health information (ePHI) didn’t exist. Today, all covered entities, including small health plans, are required to comply with the Security Rule. To ensure compliance with HIPAA security standards, start by assessing how ePHI is handled in your practice.

HIPAA Security Rule Risk Assessment

One major difference between the HIPAA Privacy Rule and the Security Rule is that the Security Rule applies only to ePHI, which includes information that is created, received, maintained, transmitted (e.g., over the Internet), or stored electronically on a computer hard drive or removable disk. The Security Rule does not cover PHI stored on paper or communicated verbally.

The Security Rule requires covered entities (including physician practices) to have in place appropriate administrative, technical, and physical safeguards to protect ePHI against intentional or unintentional use or disclosure.

Meaningful Use Security Assessment

Physician practices are also faced with ensuring ePHI security if participating in either the Medicare or Medicaid Electronic Health Records (EHR) Incentive Program. The meaningful use core objective to which I refer requires participating practices to secure ePHI created or maintained by certified EHR technology through the implementation of appropriate technical capabilities. As part of its risk management process, an organization must conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implement security updates, as necessary, and correct any identified security deficiencies.

The meaningful use requirements are not intended to supersede or substitute compliance required under HIPAA. As a covered entity, you’re still required to comply with the HIPAA Privacy and Security Rules. The section of the Code of Federal Regulations cited in the meaningful use core objective refers back to the HIPAA regulations.

The question then becomes: What action is required to adequately comply with both the HIPAA Security Rule and the meaningful use requirements associated with EHR incentive payments?

In a nutshell: If you are in compliance with the HIPAA Security Rule, you should be able to attest to meeting the meaningful use core objective for security of ePHI.

Risk Assessment Requirements

The Security Rule has detailed instructions for implementing safeguard standards. Each standard may be either required or addressable. (Table 1 shows some of the administrative safeguards standard, with the implementation specifications noted as either (R) Required or (A) Addressable).

security analysis table 1

When a standard is addressable, your practice must assess whether it’s a reasonable and appropriate safeguard in your environment. This involves analyzing the specification in regards to the likelihood of protecting your ePHI from reasonably anticipated threats and hazards. If your practice chooses not to implement an addressable specification based on its assessment, it must document the reason and, if reasonable and appropriate, implement an equivalent alternative measure.

Two required standards in the administrative safeguard section are: (1) conduct a risk analysis; and (2) implement a risk management plan. Together, these two standards form the foundation upon which you build necessary security protections.

A risk assessment helps organizations ensure they are compliant with HIPAA’s administrative, physical, and technical safeguards. The required risk analysis and risk management implementation specifications serve as the foundation for your practice’s overall HIPAA compliance program.

  • Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the organization.
  • Risk Management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply.

The Office of Civil Rights (OCR) has published extensive reports, guides, and tools to help organizations of all sizes comply with the HIPAA Security Rule. They are available on the U.S. Department of Health & Human Services website.

In addition, the Health IT website provides an interactive tool any organization may use to complete a security risk assessment. Although the tool allows the information to be entered online, you may find it easier to download the requirements.

While on the Health IT website, be sure to download a copy of Guide to Privacy and Security of Health Information (www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf). This guide provides an excellent overview of what is required for both the Privacy and Security Rules.

The Cost of Noncompliance

Neither the Security Rule nor meaningful use mandates for physician practices to use a particular tool. The HIPAA Security Rule is clear that the standards are scalable and flexible; however, the penalties for noncompliance are substantial.

Under HIPAA, penalties start at $100, per violation, and can grow to an annual maximum fine of $1.5 million, contingent on the type of the violation and whether the violator acted unknowingly or deliberately. Another factor in the penalty calculation is whether the violator became aware of the violation and implemented corrective action in a timely manner. The penalty under meaningful use is a total payback of any incentive funds received through the program.

Take That First Step to Compliance

Your practice is ultimately responsible for conducting a risk assessment. Although the task may appear overwhelming, it’s obtainable. To tackle it, appoint a team that includes your practice administrator, a physician representative, and one or two staff members (perhaps the billing manager or front desk person). Set aside an hour or two each week to go through the administrative, technical, and physical standards and implementation specifications. Before you know it, the risk assessment will be completed.

Unfortunately, this task is not a “once and done” requirement. Provisions in both meaningful use and the Security Rule require you to perform reviews at least annually, and whenever there has been a change in your practice. Changes that may affect the security assessment and require an update include implementing new technology that accesses PHI, entering into a joint venture or merger with another practice, and moving to a new facility.


 

Joette Derricks, MPA, CMPE, CPC, CHC, CSSGB, has 35 years of healthcare finance, operations, and compliance experience. A national speaker and author, her unique style is to bridge the regulatory requirements with the practical realities of day-to-day operations. Derricks has provided numerous expert reports and testimony regarding Medicare, Medicaid, and third-party payer regulations with an emphasis on coding, billing, and reimbursement rules. She serves as the vice president, regulatory affairs at Anesthesia Business Consultants, and is a member of the Ann Arbor, Michigan, local chapter.

« Older Entries   Newer Entries »

Responsive Menu Clicked Image
.5 million, contingent on the type of the violation and whether the violator acted unknowingly or deliberately. Another factor in the penalty calculation is whether the violator became aware of the violation and implemented corrective action in a timely manner. The penalty under meaningful use is a total payback of any incentive funds received through the program.

Take That First Step to Compliance

Your practice is ultimately responsible for conducting a risk assessment. Although the task may appear overwhelming, it’s obtainable. To tackle it, appoint a team that includes your practice administrator, a physician representative, and one or two staff members (perhaps the billing manager or front desk person). Set aside an hour or two each week to go through the administrative, technical, and physical standards and implementation specifications. Before you know it, the risk assessment will be completed.

Unfortunately, this task is not a “once and done” requirement. Provisions in both meaningful use and the Security Rule require you to perform reviews at least annually, and whenever there has been a change in your practice. Changes that may affect the security assessment and require an update include implementing new technology that accesses PHI, entering into a joint venture or merger with another practice, and moving to a new facility.


 

Joette Derricks, MPA, CMPE, CPC, CHC, CSSGB, has 35 years of healthcare finance, operations, and compliance experience. A national speaker and author, her unique style is to bridge the regulatory requirements with the practical realities of day-to-day operations. Derricks has provided numerous expert reports and testimony regarding Medicare, Medicaid, and third-party payer regulations with an emphasis on coding, billing, and reimbursement rules. She serves as the vice president, regulatory affairs at Anesthesia Business Consultants, and is a member of the Ann Arbor, Michigan, local chapter.

« Older Entries   Newer Entries »

Menu Title
Responsive Menu Clicked Image