Use CMS’ General Principles to Improve Documentation

By Renee Dustman
Apr 1st, 2015

Brevity is an effective approach to letting providers know documentation must support services.

Valerie Milot, BS, CPC, CCS

Last November, the Centers for Medicare & Medicaid Services (CMS) released its revised Evaluation and Management Services Guide. In reviewing the document, I was reminded of how easy it is for any of us to get so caught up in our busy, day-to-day schedules that we overlook opportunities to help providers improve their documentation.

For example: How often do you see, “Patient is here for follow up?”

Now begins a scavenger hunt for information: Follow up for what? What is the chief complaint?

Many of us “work around” these notes, instead of having a quick conversation with the provider to explain that the chief complaint must be clearly documented for each encounter. But that five-minute conversation can save a lot of time down the road.

Start with the Basics

In the Evaluation and Management Services Guide, CMS stipulates two general principles for medical record documentation:

1. The documentation of each patient encounter should include:

  • Reason for the encounter [chief complaint] and relevant history, physical examination findings, and prior diagnostic test results;
  • Assessment, clinical impression, or diagnosis;
  • Medical plan of care; and
  • Date and legible identity of the observer.

2. The diagnosis and treatment codes reported on the health insurance claim form or billing statement should [must] be supported by the documentation in the medical record.

The guide lists several other principles, but providers seem to overlook the above two most often. Use these guidelines when you need to have a conversation with a provider. Show the provider the document from CMS or reference the AMA’s specific guidelines found in the CPT® codebook. The provider will see that you are asking him or her to follow legitimate regulatory guidelines and requirements to ensure the practice is paid appropriately for services rendered.

Keep Advice Brief

Researchers have repeatedly shown that people in general scan content rather than read it word for word. And the average attention span is only eight seconds, according to Statistic Brain. To improve comprehension, keep your advice brief. For example, when training providers and new staff, I often refer to the “five Ws:”

  • Why are you seeing the patient?
  • Where is the problem located?
  • What have you done?
  • What tests are you going to order?
  • What are you going to do to help this patient?

Here’s an example of how a catch phrase can aid comprehension:

A provider with whom I worked continued to under-bill his visits, to the point that the organization chose to audit all of his charts. The provider’s established patients routinely had a minimum of three chronic problems managed per visit. I explained to the provider that if he is treating three or more chronic conditions, and possibly ordering labs or other diagnostic tests and updating medications, the visit likely would qualify as a level four, established patient visit. The physician learned this as the “three for four” rule.

After a month of daily meetings, the physician would say to me as we passed in the hall, “Three for four, Valerie. Three for four!” As his results improved, the percentage of his claims audited was lowered. After 90 days without an audit, a follow-up audit showed his E/M leveling accuracy to be 92 percent — up from less than 50 percent prior to education.

The bottom line: If a provider’s documentation isn’t supporting the services he or she is billing, speak up! But remember to tailor your advice to be as efficient (and, therefore, effective) as possible.




Valerie Milot, BS, CPC, CCS, is an ICD-10-CM/PCS trainer, a coding consultant and auditor, and director of Physician Services at MRS. She is a member of the Manchester, New Hampshire, local chapter.

Building a HIPAA Toolbox: Part 5

By Renee Dustman
Apr 1st, 2015

The core of an effective compliance program is managing risk assessment.

By Stacy Harper, JD, MHSA, CPC

The purpose of Office of Inspector General (OIG) compliance guidance is to encourage use of internal controls to efficiently monitor adherence to applicable statutes, regulations, and program requirements (65 FR 59434, October 5, 2000). HIPAA implements regulations that similarly encourage internal controls for organizations to maintain the privacy and security of protected health information (PHI) (45 C.F.R. §§ 164.530, 164.306). While both OIG guidance and HIPAA regulations provide the basic structure for implementation of compliance programs, HIPAA provides additional details regarding specific safeguards. Although clearly appropriate for PHI confidentiality and security, some of these safeguards are beneficial in developing an effective corporate compliance program.

Risk Assessment and Management Take Focus

Compliance risk assessment and management is a focal point for Office for Civil Rights (OCR) HIPAA investigations, and is a frequently cited deficiency in HIPAA settlement agreements and enforcement actions. Although not as clearly labeled as in the HIPAA regulations, OIG compliance guidance similarly recommends consideration of fraud and abuse topics that need to be addressed, based on your organization’s specific needs (65 FR 59434, 59438, October 5, 2000). Ultimately, whether for fraud and abuse or privacy and security, your organization’s compliance program will not be fully effective without a risk assessment and management process.

Risk assessment is the process of identifying, estimating, and prioritizing information related to organizational risks (NIST Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments, section 2.3, September 2012). There is no one method that is endorsed by regulators for performing a risk assessment. Every organization may vary in the process to reflect its structure or particular documentation methods; however, an effective risk assessment and management process should include, at least, the following steps:

  1. Inventory
  2. Flow
  3. Scope
  4. Threats/vulnerabilities
  5. Likelihood
  6. Impact
  7. Risk
  8. Response

Take Inventory 

The first step in the risk assessment process is to take an inventory of your organization. For HIPAA compliance, the inventory should focus on identifying all of the locations where PHI is stored or transmitted. This usually begins with the servers storing electronic health records (EHRs) or practice management software. It should expand to include all other ancillary storage of PHI, such as email systems, Microsoft Office®, backup drives, and laptop computers.

For a corporate compliance program, inventory begins with identifying service lines. Within each service line, inventory should include CPT®, HCPCS Level II codes, ICD-9-CM codes, and modifiers used on claims. Inventory should also include the volumes of each code for each provider.

Diagram Information Flow

The risk assessment should next diagram the flow of information through your organization. For HIPAA compliance, this flow should track the movement of PHI in and out of your organization. For a corporate compliance program, it should track the information relevant for billing from the patient visit through the entire collections process.

Define the Scope

The first two steps assume a comprehensive risk assessment is being performed. Not every risk assessment must be comprehensive. A risk assessment may focus on HIPAA implications related to EHR implementation or other sections of your organization’s information systems. A compliance risk assessment may focus on a specific department or service line. Where the risk assessment is narrower in scope, it should be clearly defined and communicated in the documentation.

Identify Threats/Vulnerabilities

A threat is the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. A vulnerability is a flaw or weakness in system procedures, design, implementation, or internal controls that could be exercised and result in a breach or a violation (NIST Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments, section 2.3.1, September 2012). This step creates the greatest variance between organizational risk assessments. To determine potential threats and vulnerabilities, your organization might consider information such as:

  • Transmittals, alerts, or relevant guidance from regulatory agencies or payers
  • Recent audit results or compliance investigations
  • Coding or regulatory changes
  • Other industry guidance

The more specific your organization is in identifying threats and vulnerabilities, the more specific the risk assessment will be.

Assess Risk

The end product of any risk assessment is determining the risk level associated with each threat and vulnerability and the overall risk for your organization. A risk is the extent to which your organization is threatened by a particular event considering:

  • The probability that a particular threat will exercise a particular vulnerability; and
  • The resulting impact, if this occurs.

There are a number of different methodologies for calculating risk level. As part of the process, your organization should document the methodology used. What factors were considered in determining the likelihood and probability? What matrix was used to convert the likelihood and probability combination into a risk?


Much of the industry guidance available focuses on performing and documenting the risk assessment. For the process to be complete, your organization must also respond to identified risks and document the responses.

For each identified risk, document the potential options evaluated for response, the option selected, the reason that option was determined to be appropriate, and the plan for implementation. You can then integrate the risk management plan into future assessments to evaluate the effectiveness of each response.

Make It a Driving Force

The risk assessment and management process is the driving force behind an effective compliance program, regardless of whether it’s protecting confidentiality and security of information, or reducing fraud and abuse. If implemented as a continual process within your organization, it can provide the structure necessary for your compliance program to evolve and respond to industry changes.


Stacy Harper, JD, MHSA, CPC, is a healthcare attorney with Lathrop & Gage, LLP. She serves on the National Advisory Board and Legal Advisory Board for AAPC. Harper works with healthcare providers around the country to navigate regulatory requirements such as HIPAA, data privacy and security, Stark, Anti-kickback, state licensure, and Medicare conditions of payment and participation. She is a member of the Kansas City, Missouri, local chapter.

VAD Interrogation and Programming

By John Verhovshek
Apr 1st, 2015

Patients with a previously implanted ventricular assist device (VAD) require periodic interrogation of the device, as reported with 93750 Interrogation of ventricular assist device (VAD), in person, with physician analysis of device parameters (e.g. drivelines, alarms, power surges), review of device function (e.g. flow and volume status, septum status, recovery), with programming, if performed, and report. This code includes the physician analysis, review, and report. It also includes device programming, if performed.

Code 93750 is NOT reported with any of the surgical implantation codes (33975, 33976, 33979, 33981-33983), but typically is reported with an E/M visit. VAD management is considered to be a diagnostic service, which must be performed in person, and includes a face-to-face assessment of all device functions. Components that must be evaluated include:

  • Device parameters (e.g., alarms, drivelines, clots, infection, overall assessment of augmenting cardiac output, and power surges)
  • A review of the device function (flow/volume status, septum status, and recovery)

All of the above must be stated in detail, either in its own procedure note (if management is part of the daily rounding) entry or in its own paragraph (separate from the rounding note, if performed during rounding). Adjustments may not be needed each day, but each entry must support assessing the potential need.

A patient on VAD often has numerous issues being managed: One such scenario is where a patient remains on VAD but has failure to thrive (FTT) along with acute on chronic CHF and is awaiting transplant. When this occurs, you may bill an E/M with modifier 25 Significant, separately identifiable evaluation and management service by the same physician or other qualified health care professional on the same day of the procedure or other service and report 93750 with cardiomyopathy (425.4) and VAD status (V43.21).

If the VAD management documentation is limited, report only an E/M service. For example, a patient who continues to use the VAD device may remain in the ICU. If the patient has been an in-patient for some time, the note may state, “The VAD setting remain appropriate and unchanged.” With such limited documentation, do not report 93750; instead, claim only subsequent critical care or the subsequent in-patient level of service.

CMS Answers: Add-on to What?

By John Verhovshek
Apr 1st, 2015

Add-on codes describe procedures or services that are always provided “in addition to” other, related services or procedures. A persistent problem with add-on codes is identifying which code(s) may be reported as primary with a particular add-on. The Centers for Medicare & Medicaid Services (CMS) Manual System provides a handy reference to allow you to identify quickly if your add-on/primary code pair is allowable.

CMS Transmittal 2636 classifies add-on codes into one of three types:

  • Type I – This type of add-on code has a limited number of identifiable primary procedure codes.
  • Type II – These add-on codes do not have a specific list of primary procedure codes. CMS encourages claims processing contractors to develop their own lists of primary procedure codes for this type of add-on codes.
  • Type III – The third type of add-on code has some, but not all, specific primary procedure codes identified in the CPT® manual. CMS advises claims processing contractors that the primary procedure codes in the CPT® manual are not exclusive, and encourages contractors to develop their own lists of additional primary procedure codes.

The transmittal lists each add-on CPT® code, identifies it as either a Type I, Type II, or Type III, and—for those add-ons identified as Type I—lists their acceptable primary procedure codes. Because the majority of add-on codes are classified as Type I, the transmittal provides a quick reference to find which add-on codes and which primary procedure codes go together. For the small number of Type II and Type III codes, you’ll have to rely on your individual payer for guidance.

Code pairings in Transmittal 2636 are based on Medicare (rather than AMA) guidelines. CMS instructions usually match those in the CPT® manual, but there are exceptions.

Meeting Requirements for Medical Direction of Anesthesia

By John Verhovshek
Apr 1st, 2015

Medical direction rules apply when an anesthesiologist works with one to four other qualified providers in overlapping cases. The American Society of Anesthesiologists and Medicare have agreed on seven elements that the anesthesiologist must personally document to bill his or her medical direction services:

  1. The anesthesiologist must personally perform an exam and evaluation prior to the anesthetic session.
  2. The anesthesiologist must personally decide on the appropriate anesthetic for the procedure (e.g., general anesthesia, regional block, monitored anesthesia care (MAC), etc.), and must document that decision.
  3. The anesthesiologist must be in the room and must participate in induction and emergence where those are elements of the service provided.
  4. A qualified individual must perform any procedures in the anesthesia plan that the anesthesiologist does not perform him- or herself.
  5. Although it is not necessary for the anesthesiologist to be in the room for the entire case, he or she must provide appropriate monitoring throughout the case.
  6. The anesthesiologist must remain physically present for all key and critical portions of the procedure, and be available for immediate diagnosis and treatment of emergencies.
  7. The anesthesiologist remains responsible for the patient until the care of the patient is transferred to another caregiver. The anesthesiologist should document any services performed during post-anesthesia time, especially if the patient requires more care due to adverse reactions.

The sixth rule, above, seems to trip up anesthesiologists most often. If the physician leaves the immediate area of the operating suite for other than short durations, or devotes extensive time to an emergency case or is otherwise not available to respond to the immediate needs of the surgical patients, the physician’s services to the surgical patients are supervisory in nature and are not billable as Medical Direction. There are a limited number of services that can be performed without breaking the medical direction rule to remain present and available during the case, including:

  • Address an emergency of short duration in the immediate area
  • Administer an epidural or caudal anesthetic to ease labor pain
  • Periodically (rather than continuously) monitor an obstetrical patient
  • Receive patients entering the operating suite for the next surgery
  • Check on or discharge patients in the recovery room
  • Handle scheduling matters
