Valerie Milot, BS, CPC, CCS
Last November, the Centers for Medicare & Medicaid Services (CMS) released its revised Evaluation and Management Services Guide. In reviewing the document, I was reminded of how easy it is for any of us to get so caught up in our busy, day-to-day schedules that we overlook opportunities to help providers improve their documentation.
For example: How often do you see, “Patient is here for follow up?”
Now begins a scavenger hunt for information: Follow up for what? What is the chief complaint?
Many of us “work around” these notes, instead of having a quick conversation with the provider to explain that the chief complaint must be clearly documented for each encounter. But that five-minute conversation can save a lot of time down the road.
Start with the Basics
CMS stipulates in the Evaluation and Management Services Guide for medical record documentation to have two general principles:
1. The documentation of each patient encounter should include:
2. The diagnosis and treatment codes reported on the health insurance claim form or billing statement should [must] be supported by the documentation in the medical record.
The guide lists several other principles, but providers seem to overlook the above two most often. Use these guidelines when you need to have a conversation with a provider. Show the provider the document from CMS or reference the AMA’s specific guidelines found in the CPT® codebook. The provider will see that you are asking him or her to follow legitimate regulatory guidelines and requirements to ensure the practice is paid appropriately for services rendered.
Keep Advice Brief
Researchers have repeatedly shown that people in general scan content rather than read it word for word. And the average attention span is only eight seconds, according to Statistic Brain (www.statisticbrain.com). To improve comprehension, keep your advice brief. For example, when training providers and new staff, I often refer to the “five Ws:”
Here’s an example of how a catch phrase can aid comprehension:
A provider with whom I worked continued to under-bill his visits, to the point that the organization chose to audit all of his charts. The provider’s established patients routinely had a minimum of three chronic problems managed per visit. I explained to the provider that if he is treating three or more chronic conditions, and possibly ordering labs or other diagnostic tests and updating medications, the visit likely would qualify as a level four, established patient visit. The physician learned this as the “three for four” rule.
After a month of daily meetings, the physician would say to me as we passed in the hall, “Three for four, Valerie. Three for four!” As his results improved, the percentage of his claims audited was lowered. After 90 days without an audit, a follow-up audit showed his E/M leveling accuracy to be 92 percent — up from less than 50 percent prior to education.
The bottom line: If a provider’s documentation isn’t supporting the services he or she is billing, speak up! But remember to tailor your advice to be as efficient (and, therefore, effective) as possible.
Evaluation and Management Services Guide:
Valerie Milot, BS, CPC, CCS, is an ICD-10-CM/PCS trainer, a coding consultant and auditor, and director of Physician Services at MRS. She is a member of the Manchester, New Hampshire, local chapter.
By Stacy Harper, JD, MHSA, CPC
The purpose of Office of Inspector General (OIG) compliance guidance is to encourage use of internal controls to efficiently monitor adherence to applicable statutes, regulations, and program requirements (65 FR 59434, October 5, 2000). HIPAA implements regulations that similarly encourage internal controls for organizations to maintain the privacy and security of protected health information (PHI) (45 C.F.R. §§ 164.530, 164.306). While both OIG guidance and HIPAA regulations provide the basic structure for implementation of compliance programs, HIPAA provides additional details regarding specific safeguards. Although clearly appropriate for PHI confidentiality and security, some of these safeguards are beneficial in developing an effective corporate compliance program.
Risk Assessment and Management Take Focus
Compliance risk assessment and management is a focal point for Office for Civil Rights (OCR) HIPAA investigations, and is a frequently cited deficiency in HIPAA settlement agreements and enforcement actions. Although not as clearly labeled as in the HIPAA regulations, OIG compliance guidance similarly recommends consideration of fraud and abuse topics that need to be addressed, based on your organization’s specific needs (65 FR 59434, 59438, October 5, 2000). Ultimately, whether for fraud and abuse or privacy and security, your organization’s compliance program will not be fully effective without a risk assessment and management process.
Risk assessment is the process of identifying, estimating, and prioritizing information related to organizational risks (NIST Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments, section 2.3, September 2012). There is no one method that is endorsed by regulators for performing a risk assessment. Every organization may vary in the process to reflect its structure or particular documentation methods; however, an effective risk assessment and management process should include, at least, the following steps:
The first step in the risk assessment process is to take an inventory of your organization. For HIPAA compliance, the inventory should focus on identifying all of the locations where PHI is stored or transmitted. This usually begins with the servers storing store electronic health records (EHRs) or practice management software. It should expand to include all other ancillary storage of PHI, such as email systems, Microsoft Office®, backup drives, and laptop computers.
For a corporate compliance program, inventory begins with identifying service lines. Within each service line, inventory should include CPT®, HCPCS Level II codes, ICD-9-CM codes, and modifiers used on claims. Inventory should also include the volumes of each code for each provider.
Diagram Information Flow
The risk assessment should next diagram the flow of information through your organization. For HIPAA compliance, this flow should track the movement of PHI in and out of your organization. For a corporate compliance program, it should track the information relevant for billing from the patient visit through the entire collections process.
Define the Scope
The first two steps assume a comprehensive risk assessment is being performed. Not every risk assessment must be comprehensive. A risk assessment may focus on HIPAA implications related to EHR implementation or other sections of your organization’s information systems. A compliance risk assessment may focus on a specific department or service line. Where the risk assessment is narrower in scope, it should be clearly defined and communicated in the documentation.
A threat is the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. A vulnerability is a flaw or weakness in system procedures, design, implementation, or internal controls that could be exercised and result in a breach or a violation (NIST Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments, section 2.3.1, September 2012). This step creates the greatest variance between organizational risk assessments. To determine potential threats and vulnerabilities, your organization might consider information such as:
The more specific your organization is in identifying threats and vulnerabilities, the more specific the risk assessment will be.
The end product of any risk assessment is determining the risk level associated with each threat and vulnerability and the overall risk for your organization. A risk is the extent to which your organization is threatened by a particular event considering:
There are a number of different methodologies for calculating risk level. As part of the process, your organization should document the methodology used. What factors were considered in determining the likelihood and probability? What matrix was used to convert the likelihood and probability combination into a risk?
Much of the industry guidance available focuses on performing and documenting the risk assessment. For the process to be complete, your organization must also respond to identified risks and document the responses.
For each identified risk, document the potential options evaluated for response, the option selected, the reason that option was determined to be appropriate, and the plan for implementation. You can then integrate the risk management plan into future assessments to evaluate the effectiveness of each response.
Make It a Driving Force
The risk assessment and management process is the driving force behind an effective compliance program, regardless of whether it’s protecting confidentiality and security of information, or reducing fraud and abuse. If implemented as a continual process within your organization, it can provide the structure necessary for your compliance program to evolve and respond to industry changes.
Stacy Harper, JD, MHSA, CPC, is healthcare attorney with Lathrop & Gage, LLP. She serves on the National Advisory Board and Legal Advisory Board for AAPC. Harper works with healthcare providers around the country to navigate regulatory requirements such as HIPAA, data privacy and security, Stark, Anti-kickback, state licensure, and Medicare conditions of payment and participation. She is a member of the Kansas City, Missouri, local chapter.