Bulletproof Your Documentation, Coding and Compliance in 2017…


www.KMCuniversity.com 11/19/2017

(855) 832-6562

Risk Management for Medicare, Billing, and Reimbursement

Kathy Mills Chang, MCS-P, CCPC, CCCA

KMC University

Who is This KMC Person?

• 33 years of chiropractic experience

• Practical guidance

• Founder and CEO of KMC University

• Nationally recognized consultant to major chiropractic industries

• Doubly certified in compliance, coding, and reimbursement

Do You Feel Like This?

Or This?

Learn the Basics to Reduce Your Risk

• Many DCs don’t know what they don’t know when it comes to compliance in healthcare today!

• OIG Compliance is that rule book that many don’t know they must follow

Let's be clear

• None of this is new

• Compliance has been around for decades

• The difference now is that auditors, insurance companies and the government are bothering to look!

• Now for some “Risk Management”


Seems like we’re always waiting for the other shoe to drop…

IT FINALLY HAPPENED!

AFTER WARNING CHIROPRACTORS FOR OVER 3 DECADES, MACRA MAKES IT LAW

WHAT HAPPENED?

$359 million

The Collection Coach

Visit numbers increased… Medical Necessity Decreased

Should Chiropractic Visits Be Limited?


Lack of Medical Necessity

-Incorrect Coding

-Insufficient Documentation


$359 million

OIG: 82% Error Rate

OIG: 105 claims

CMS: 51.7% Error Rate

CMS: 451 claims

STATISTICALLY VALID, RANDOM SAMPLE?

❖ Statistics can be made to prove anything…

“Say you were standing with one foot in the oven and one foot in an ice bucket. According to the percentage people, you should be perfectly comfortable.” ~Bobby Bragan, 1963

KEEP PERSPECTIVE

$6.7 billion

THE AGE OLD QUESTION

1895 Modern Chiropractic is Born

1897 Palmer School of Chiropractic

D. D. Palmer

1902 1st Grad Class

1906 DD Jailed, Practicing Without a license

CHIROPRACTIC GAINS MOMENTUM

1913 Kansas legalizes Chiropractic

EARLY 1960 – AMA CONCERNED ABOUT MEMBERS COOPERATING WITH CHIROPRACTORS

1960 AMA goal to eliminate chiropractic

Chiros were “stealing money” from MDs.

1963 AMA organizes the Committee on Quackery

MEDICARE DOES NOT INCLUDE CHIROPRACTIC

1966 Medicare begins, does NOT include Chiropractic

1966 AMA forbids MDs: associate, refer, labs or x-ray or teach chiropractors

1969 AMA publishes official anti-chiropractic opinion and began to widen its base of chiro haters to include other health related groups.

1970’S CONTINUED THE FIGHT WITH AMA

1972 chiropractic gets included in Medicare. Limited coverage.

1973 AMA strong-arms hospitals with “Standard X” which threatened revocation of accreditation if associated with chiros.

THE MID 1970’S CONTINUED THE FIGHT WITH AMA

1974 Chiropractic is licensed in all 50 states and reimbursable MC, MD and MM

1976 Wilk V AMA

SHERMAN ANTI TRUST ACT

1. Restraint of trade

2. Prohibit Monopoly

WILK CASE DRUDGES FOR MANY YEARS…

1978 AMA Res. 14: “Duty to expose Unscientific practitioners”

1979 AMA Report UU: “Chiropractic may be a valid healthcare field, BUT, the AMA knows of no scientific Evidence to support spinal manipulation…”

1980’S WAR ON CHIROPRACTIC

1980 AMA reverses position on chiropractic

“Nothing has changed!”

CHIROPRACTIC STRUGGLES IN THE 1980’S

1983 Wilk loses!

1986 OIG Report

MC EXPANSION OF CHIROPRACTIC?

1. Straights vs. mixers

2. Legal battle: AMA vs. chiropractic cont’d

3. The x-ray requirement was to limit chiropractic

MC EXPANSION OF CHIROPRACTIC?

4. Serious problems with record keeping

NO X-rays

No Complaints

5. The soft cap review after 12 visits was not working/costly

THE OUTCOME?

01 HCFA should vigorously oppose any movement to expand chiropractic coverage.

02 Should IMPOSE a 12 visit yearly cap on chiropractic service.

WILK V AMA – THE CONCLUSION

1987 Wilk WINS!

1998 OIG Report

1997 Balanced Budget Act Adds Utilization Guideline

CONTROLS USED BY MC AND OTHER PAYERS

1. Most common mechanisms of control

2. Utilization caps are the most successful

3. Fail to prevent payments for Maintenance care

THE OUTCOME?

01 Use of modifier to identify active care

02 Frequency edits to identify maintenance

UTILIZATION LIMITS FOR CHIROPRACTIC

1999 Limit chiropractic visits to 12 per year!

PAYMENT VULNERABILITY ANALYSIS

2005 Limit chiropractic visits to 12 per year

INAPPROPRIATE MEDICARE PAYMENTS FOR CHIROPRACTIC SERVICES

2009 Withhold payments and reform prepayment review for chiropractors that repeatedly fail documentation requirements.

HIGH ERRORS AND POOR DOCUMENTATION

1. New modifier to distinguish episodes of care

2. Allow caps of chiropractic services

3. Withhold payments & review repeat offenders

THE OUTLIERS ARE AUDITED AND MADE EXAMPLE

2013 2014 2015 2015

“Establish adequate policies and procedures to ensure that chiropractic services billed to Medicare are medically necessary, correctly coded and adequately documented.”

AUGUST 2015 – BUSY YEAR!

• CERT shows a decrease in improper payments for the last 5 years,

• Chiropractic improper payments went up!

WHAT THEY FOUND


High visit #

Maintenance

High potential up coding

Beneficiary sharing

Unlikely # of services

Fraud


RECOMMENDATIONS

1. Establish more reliable controls for chiropractic care

Date of Initial Treatment

RECOMMENDATIONS

2. Develop and use measures to identify questionable payments

FPS – Fraud Prevention System

RECOMMENDATIONS

3. Make sure MACs are using the Diagnosis Control

Subluxation Diagnosis

RECOMMENDATIONS

4. Use the pre and post payment reviews to enforce visit caps under MACRA

12 VISIT CAP

AUGUST 2016

“Establish adequate policies and procedures to ensure that chiropractic services billed to Medicare are medically necessary, correctly coded and adequately documented.”

OCTOBER 2016

$359 million

WHAT THEY RECOMMENDED

• Determine a reasonable number of chiropractic services that are necessary to actively treat spinal subluxation and implement a system edit to identify services for review in excess of that number.

WHAT THEY RECOMMENDED

• Determine whether there should be a limit for the number of chiropractic services that Medicare will reimburse; if so, take appropriate action to put that limit into effect, and implement a system edit to disallow services in excess of that limit.

WHAT THEY RECOMMENDED

• Improve education of chiropractors on Medicare coverage requirements for chiropractic services and the proper use of the AT modifier to ensure that only medically necessary chiropractic services are billed to Medicare.

WHAT THEY RECOMMENDED

• Specifically identify significant obstacles to developing a more reliable control for identifying maintenance therapy and work to establish such a control. (For example, CMS could determine a reasonable length for a chiropractic treatment episode and implement a system edit to identify services for review when the number of days between the date of initial treatment and the date of service exceeds that length.)

HOW DID CMS RESPOND?

• Regarding our first recommendation, CMS stated that the Medicare Access and CHIP Reauthorization Act of 2015 requires prior authorization for specified chiropractic services furnished on or after January 1, 2017, by a chiropractor whose pattern of billing is aberrant and for episodes of treatment that included more than 12 services. CMS stated that it will monitor the results of this effort and determine whether further action is warranted.

MACRA: PRE-PAY REVIEW

01 Pattern of billing is aberrant compared to peers; and

02 Services denial percentage in the 85th percentile or greater

03 Can obtain approval for multiple services at one time

ENDING PRE-PAY REVIEW

1. If the secretary determines that the chiropractor has a low denial rate under prior authorization

2. May reapply prior authorization medical review if aberrant billing and denial rate returns

WHAT DO YOU THINK?

STATISTICS BEING MANIPULATED?

PROBLEM WITHIN CHIROPRACTIC?

CONTINUATION OF AMA CONSPIRACY

IS CHIROPRACTIC ITS OWN WORST ENEMY?

The Gospel According to KMC…

• “It’s ridiculous to think that in 2017 you can run the business of healthcare without a mandatory compliance program. It’s tantamount to thinking that you can adjust without going to chiropractic school.”

Good Documentation Tells a Story

Is All Care Medically Necessary?

Clinically Appropriate Care

• Maintenance care

• Supportive care

• Palliative care

• Life enhancing and wellness care

• Symptom relieving only

• Care that doesn’t have as its goal improved function and correction

Medically Necessary Care

• Acute problems

• Care that can provide measurable functional improvement

• Chronic care with expected functional improvement

• Often defined by the carrier’s medical policy

Medical Necessity: Per Medicare

Acute and Chronic Subluxation

The patient must have a significant health problem in the form of a neuromusculoskeletal condition necessitating treatment, and the manipulative services rendered must have a direct therapeutic relationship to the patient’s condition and provide reasonable expectation of recovery or improvement of function.

The patient must have a subluxation of the spine as demonstrated by x-ray or physical examination (PART)

Case Management is the Ticket

• When a payer is considering a service for reimbursement, they want to be sure SOMEONE is managing the patient’s care

• Is the condition “fixable”?

• Is there any more improvement to be expected?

Quarterly Review-Railroad

Please Respond When Asked

Under the Magnifying Glass

AUGUST 2016

“Establish adequate policies and procedures to ensure that chiropractic services billed to Medicare are medically necessary, correctly coded and adequately documented.”

MN: Chiropractic Per CMS

Acute and Chronic Subluxation

The patient must have a significant health problem in the form of a neuromusculoskeletal condition necessitating treatment, and the manipulative services rendered must have a direct therapeutic relationship to the patient’s condition and provide reasonable expectation of recovery or improvement of function.

The patient must have a subluxation of the spine as demonstrated by x-ray or physical examination (PART)

If above not met or exceeded = Not Medically Necessary!


Is this visit AT or GA worthy?

• If the visit is inside a Treatment Plan/Active Episode of Care = AT

• If the visit is outside a Treatment Plan/Active Episode of Care = GA (and requires use of ABN form)

AT vs. GA Modifier

•Has to be a Doctor Decision

•Needs to be clarified in the Assessment

•Patient needs to understand the difference

•Definitely Gray Areas

You Must Decide!

• It is up to the office, not the patient, to determine whether the visit is medically necessary or not

• It’s a clinical decision

• It’s not a money decision

Not Medicare Only…

The concepts of medical necessity, active episodes of care, and maintenance care are the same for any type of third-party pay situation

Let’s Follow the Simple “YES” Path

Let’s Follow Alt. 1 “YES” Path

Let’s Follow Alt. 2 “YES” Path

I know they need care…now what?

This is the $64,000 Question

DCs Must Answer with Certainty!

If No….

If YES…it’s time to plan…

HINT: Setting internal treatment protocols keeps you from reinventing the wheel with each new condition

Incident Protocols

• Documentation within CMT

• May not be necessary to provide E/M

• Keep up your PQRS

• Beware of incidents that happen once a month like clockwork

Burst may be the most commonly used

The Foundational Visit of the Episode

Typical Episode of Care

• Likely to require at least one re-evaluation

• Chronic diagnosis and significant lack of function

Meanwhile, back on the other side… It has to be one or the other…

HINT: All team members should understand what it means to be “in an active episode of care” in order to assist with in-processing

Let’s Go Down the “YES” Path

Let’s Go Down the “NO” Path

Let’s Go Down the True Non-AT (GA) Path Part One

Let’s Go Down the True Non-AT Path “Part Two” No Thank You

Improper ABN Usage

GA Modifier

Analyze the ABN Forms for…

• Are all the “D” categories filled in properly?

• What fees are included on the ABN?

• Was the appropriate option selected with the appropriate outcome? Billing?

• Does it include services excluded by Medicare?

• Stay tuned!

Your new patient call procedure should be followed for any type of patient. We recommend the KMC University NP Phone Call Flow Sheet

Determine Ways to Know This…

Best practices include having a system for determining this on a call. Collect updated data before the patient goes in to see the doctor.

Even if it should not have been a routine visit appointment, the DC can determine if more time is needed after checking the patient

Meanwhile, on the other side…

Clarify Once and For All…

Hint: ABN forms are mandatory when a CMT service may not be medically necessary

Routine use of the ABN form is strictly forbidden. If you use it incorrectly, you could invalidate all of your ABN forms.

It is up to the doctor to direct the team member on when the visit may be considered maintenance rather than active treatment (AT)

As with the previous discussion, it has to be ONE or the OTHER!

Let’s Follow the “YES” Track

All team members should understand when a CMT may not be considered medically necessary…therefore maintenance care that is the responsibility of the patient

ABN discussions with the patient should be clear, concise and in plain language.

Keep in mind that not every patient will agree to pay for GA care

The Illusive Voluntary ABN

Voluntary Use = “MAY I?”

ABN for Voluntary Use

Although not required, good office and financial policy includes making sure patients understand their financial responsibility… preferably in writing

GY Modifier

www.patientmedia.com/medicare

Auditing-Medicare Initial Visit Checklist


Keep in Mind…

• Any “no” answered means not enough documentation to support the guidelines

• Any spinal area not indicated in each of the subsections indicates not enough documentation to support the episode

History and Examination Prompts

Assessment and TX Plan Prompts

General Considerations and Scoring

Medicare Documentation Guidelines

Initial Visit

• History

• Description of Present Illness - including functional deficit(s)

• Proof of Subluxation

• PART or X-ray

• Physical Exam (PART)

• Assessment & Diagnosis

• 1° Subluxation

• 2nd Condition

• Treatment Plan

• Date of initial treatment

Subsequent Visits

• History

• Review of chief complaint

• Physical Exam (PART)

• Document daily treatment

• Progress related to treatment goals/plan (Assessment)

History 1


History 2 History 3


Examination 1

Exam 2


PART = What Does Medicare Require

Each visit must document subluxation/segmental dysfunction

• To Document Subluxation

• P - Pain and Tenderness

• A - Asymmetry/Misalignment

• R - Range of Motion

• T - Tissue tone changes

•Two (2) of PART are required

•One (1) must be either A or R

Noridian Requirement


Assessment = Dr. Thinking

Assessment = Diagnosis Noridian Oddity

Assessment = Case Management

Initial Assessment

• Interpret the facts – don’t add new facts

• The assessment is the place to record your professional opinions and judgments as to the patient’s diagnosis, their progress, and prognosis

Initial Assessment

• Use this area to really make your case to the reviewer or adjuster

• Your assessment must use the patient reporting, measurements, complicating and co-morbidity factors, test results, and any unusual circumstances to paint the clearest picture

Document More “Thinking”

• Easier and more fun to examine, test, and treat than to explain your thoughts

•Time to put on the metaphorical white coat

•Real Doctoring

•Why you went to school

Bad Assessment Examples

An Assessment is Not a DX

Assessment and Plan Contradict

Assessment Gets Lost in the Sauce

What is a Good Assessment

•More than Diagnosis

•Case management factors

•Consideration of co-morbidities

•Explaining why you think they need treatment


Diagnosis Is Supported by a Thorough History and Physical Examination

• Examination is needed to substantiate Hx findings and to quantify condition w/ objective data

• Use exam to prove your Dx from history

Positive Hx components become ortho/neuro/palpation exams

• Physical exam quantifies how right you were with your working Dx

• Exclusion may also contribute to diagnosis


Treatment Plan

•CMS requires a written treatment plan for all LCD’s

•Your treatment plan is the written road map expected to be followed for all MN care

Meet the Requirements

• Frequency and duration

• Treatment goals for each region/treatment to include long term goal

• An evaluation of treatment effectiveness measurement

• Date of the plan

13 Points

22 Points + 13 Points = 35 Points

35/50 = 70% Disability

70% = Crippled

Use for Evaluation of Treatment Effectiveness

Beginning Score: 70% Disabled

Goal Score: 10% or Better

Review Items with Highest Disability

•Walking, sitting, standing, sleeping, traveling, and pain intensity all = 4 points

•Choose one or more that are easily measured to set as functional goals for treatment

Use Tools to Help with Your Goal Writing

• Use OATs to assist with identifying functional limitations

• Use mnemonics as cues to assist with including all necessary elements

• Goals should ALWAYS be functional in nature

Standing and Sleeping

• Standing and sleeping most greatly affect patient’s ADLs

• Easily measured on a daily basis

• Easily tracked through treatment

• Easy for the patient to manage and report on

Treatment Plan Components

Date of Initial Treatment

• Relates to beginning of this treatment episode

•First date provider evaluated patient

•Submitted in Box 14 on the CMS-1500 form

•Referred to in subsequent visit documentation


S + O = A → P and PART

• SOAP

• Documentation system for patient encounters

• Best for daily visits

• PART

• Required documentation for subluxation/segmental dysfunction

• Many providers believe that PART is enough

How do each of these fit into our daily documentation?

S (P) + O (ART) = A → P

Subsequent Visit - History

•Review chief complaint

•Changes since last visit

•ROS if relevant

Subjective - P=Pain or Tenderness

• Observed facial expressions of pain or discomfort

• Antalgic postures and movements

• Grooming deficiencies that could be due to limitations caused by pain

• Mood

• Overt pain behaviors

• Pain scales/Pain diagrams and drawings

• Functional questionnaires

• Pain resulting from static palpation

• Pain resulting from motion palpation

• Pain reported during regional and/or segmental range of motion tests

• Pain reported during physical, orthopedic, neurological and/or chiropractic examination procedures

• Algometry

Subjective = Pain and Tenderness

Subsequent Visit – Physical Exam

• Examine area(s) of spine

• They want to see PART

• How has the PART changed due to treatment

• Presence or absence of subluxation (PART)

• PART documentation on EVERY visit!

Objective = ART

•Quantifies the Subjective

•Daily physical exam

•Gathers data for treatment

A= Asymmetry or Misalignment

• Observable region asymmetry (posture or scoliosis screening)

• Observed local asymmetry (static palpation)

• Antalgic posture

• Gait abnormalities

• Functional or anatomical leg length discrepancies

• Muscle atrophy and asymmetry.

R= Range of Motion Abnormality

• Active ROM (observed and estimated)

• Passive ROM

• Resisted ROM

• Segmental motion palpation

• Joint fixation (hypomobility)

• Joint laxity (hypermobility)

• Joint crepitus

• ROM measurements


T=Tissue Tone Changes

• Observable hypertonicity, spasm, hypotonicity, and atrophy

• Fasciculations

• Edema

• Bruising, discoloration

• Heat

• Muscle-tendon crepitus

• Muscle weakness

• Heat measuring instruments

Objective

Subsequent Visit - Assessment

Documentation needs to show what the doctor is thinking:

• Treatment effectiveness

• Assessment of change since last visit

• How and Why

• What is the progress towards the functional goals?

Assessment

S (P) + O (ART) = A

•How has the patient responded to treatment?

•Why do they need more care?

•Are they meeting goals?

N/C, Guarded, Improving is not enough!

Assessment Progress Toward Goals

•Can be unchanged

•Must be quantitative

•Function is the key


Plan

S (P) + O (ART) = A → P

Treatment is a result of

•S+O findings

•Your assessment that TX will help condition

Subsequent Visit - Treatment

•CMT

• List spinal/vertebral areas adjusted that are MN

• Include secondary areas of compensation that were treated

• Include technique

•Manual manipulation

• Can include handheld device with manual force

•How did patient handle the treatment

•Passive/Active therapies

•Document what was done, why it was done, and how it affected the patient

Plan ROV-1

ROV-2


Getting Started with OIG Compliance

OIG Report Facts

•The OIG is not “out to get us all”

•There is enough “low hanging fruit” to take care of the federal budget deficit

•Be aware of the specific errors pointed out in the reports like this

A Warning that Should be Heeded

Another Recent Decision

Why Implement a Compliance Program?

Integrate policies and procedures into the physician’s practice that are necessary to promote adherence to federal and state laws, and statutes and regulations applicable to the delivery of healthcare services


Is it Mandatory?

•Came out of the sentencing guidelines

•Affordable Care Act: Mandatory Compliance Plans Included thanks to Obama Care PPACA

•CMS has NOT finalized the requirements

•CMS will advance specific proposals at some point in the future

Your Office Compliance Program

• Customized to your individual practice

• No two are the same because no two practices are exactly the same

• Provides a mechanism to ensure office compliance with all applicable laws, rules, and regulations

Parts of an Effective Office Compliance Program

• CMS/Medicare

• OIG compliance

• HIPAA

• OSHA

• CLIA

• Anti-Kickback Laws

• Stark Laws

• State laws

• Employment Laws

Federal Register Vol. 81, No. 29 February 12, 2016

• (pg. 7661) We believe that undertaking no or minimal compliance activities to monitor the accuracy and appropriateness of a provider or supplier’s Medicare claims would expose a provider or supplier to liability under the identified standard articulated in this rule based on the failure to exercise reasonable diligence if the provider or supplier received an overpayment.

•We also recognize that compliance programs are not uniform in size and scope and that compliance activities in a smaller setting, such as a solo practitioner’s office, may look very different than those in larger setting, such as a multi-specialty group.

Can We Say Mitigating Factor Boys and Girls?


A “Program” is not a “Manual”

• Each practice will customize a program to their needs.

• Don’t do muscle work? Your policies won’t include those referring to your muscle work coding!


Step 1- Implement Policies and Procedures

Why You Need Both

•Policy: This is how and why we do things here

•Procedure: Standard Operating Procedure (SOP)—It’s how we implement the policy we’ve decided upon.

Know and Apply These Two Important Concepts

•A clear knowledge of both policy and procedure ensures a proper compliance program.

•Every issue may not need both

•Less is not more in this instance!

• It’s a journey, not a destination.

Step 2- Compliance Officer or Contact

Step 3- Employ Comprehensive Education and Training


Step 4- Enforce Disciplinary Standards

Step 5- Respond Swiftly to Detected Offenses

Step 6- Internal Audits and Monitoring

All Kinds of Auditing

•Initial baseline audit

•Periodic E/M audits

•Periodic medical necessity audits

•Coding audits

•EOB audits


Step 7- Open Lines of Communication

Install Your Program

•Create materials yourself

•Train on the concepts and then document your decision making

•Create policy

•Create or refresh procedure

•Train everyone on policy

•Sign off


Can take 2-12 months depending on what you start with

Maintain Your Program

•1-3 hours per month

•Go-to resource

•Got a question? Is there a policy for that?

•Create more policy and procedure as you go

•Keep to a compliance calendar


Daily, Weekly, Monthly Duties

Daily: Ongoing monitoring

Weekly: Team meeting training; review recommended concerns

Monthly: Compliance meeting with doctor; spot check 1-4 notes per provider; random EOB review; EOB denial review

Annual Duties

• Complete baseline audit of 5-10 charts per provider

• Conduct coding audit

• Review provider contracts

• Review all existing policy and procedure and update as necessary

• Annual compliance meeting with team

• Renew the Code of Conduct

• Confirm key team members completed annual training

• Conduct formal compliance training with the entire team

As Needed Duties

•Initial compliance training for new team members, within 10 to 90 days of employment

•Ongoing and remedial training based on audit findings or spot check findings

•Ongoing case work for compliance incidents


Fascinating Fee Schedule Facts

Fees, Wonderful Fees!

• One of the most common areas of non-compliance

• Providers are often not aware of the danger and penalties associated with non-compliance

• We’ll clear all of that up for a win-win!

Oversight


Actual Fees

Actual Fees: $21,275.49

Who Pays Actual Fees?

• What you bill is what you expect to collect

• Personal Injury Claims

• Cash Patients

• Out-of-Network Patients

Personal Injury Patients


• What you charge may not be what you collect

– PIP Fee Schedule

– Contracted Rates

– Inappropriate reductions

– Attorney requests for adjustments

Cash Patients

• You should be charging your actual fee

• 5-15% discount guidance from the Feds

• Three states have rules on the books for TOS allowances

• Your fee is your fee is your fee

Out of Network Patients

• If you represent full fee to the insurer, the patient must pay full fee

• What you bill is what you expect to collect, outside of any agreements/contracts

• Charge correctly, bill correctly, collect according to your office policy

Evaluate Actual Fees Annually

Contracted Fees


Initial Visit

Exam: $120

X-Rays: $130

CMT: $65

97014: $35

Total: $350

Routine Visit

CMT $65

97110: $50

97014: $35

97012: $35

Total: $185

Initial Visit

Exam: $95

X-Rays: $75

CMT: $35

97014: $15

Total: $220

Routine Visit

CMT $35

97110: $30

97014: $15

97012: $15

Total: $95

98940: $25.15

98941: $34.86

98942: $42.75

100% Poverty: 75% Discount

125% Poverty: 50% Discount

150% Poverty: 25% Discount

Actual Fees: $21,275.49/Insurance Paid: $2052.95

Contracted Fees Are Not a Violation

• By contract, you agree to the fee schedule

• The write-off happens automatically by agreement

• Not a dual-fee schedule by definition

Contracted Fees in Software

• Setting up fee schedules within software is a best practice

• Patients are attached to the appropriate fee to keep your ledger clean

• Pay close attention to updates to the fee schedule by the carrier


Hardship Fees

Clear Understanding of Hardship Fees

• Do you need a hardship fee schedule?

• Your hardship agreement can co-exist with other fee schedules

• You must set the standard up front, have qualifying factors, and verify eligibility.

• Utilize a standardized form and system

Mistakes and Blunders

• What may NOT be financial hardship?

– No insurance

– High deductible

– I don’t wanna pay that much

– My other doctor didn’t charge my copays

– Pulse and a spine

• Don’t confuse it with what a general discount is!! That’s what CHUSA is for!


Co-Pay or Deductible Waivers for Hardship

• The waiver is not offered as part of any advertisement or solicitation;

• Waivers are not routinely offered to patients;

• The waiver occurs after determining in good faith that the individual is in financial need;

• The waiver occurs after reasonable collection efforts have failed.

Managing Hardship Fees in Software

• Set a fee schedule

• Keep actual fee and then use “hardship write-off” entries

• Assign patients as necessary to that fee schedule

• If working with copay/deductible, use write off sparingly

Professional Courtesy


What About Professional Courtesy?

• Who do you offer courtesy to?

• Staff?

• Other DCs? Clergy? Military?

• What about when insurance is involved?

• Is it in writing?

Define Your Policy

Define Your Policy


Getting Started with HIPAA Privacy and Security

What is HIPAA?

•HIPAA = Health Insurance Portability and Accountability Act

•Or…Helping Increase Paperwork Across America

Should You Bother With Compliance?

Cardiac Practice Fined for Failing to Shield Patient Information

Should You Bother With Compliance?

The Federal government fined a Phoenix cardiac medical practice $100,000 for posting patient appointment information online

Should You Bother With Compliance?

The practice agreed to pay the penalty to settle HIPAA violations


Should You Bother With Compliance?

HHS investigation could find no policies and/or procedures and few safeguards to protect PHI

There was no documentation showing employee training, no risk analysis was conducted, and there was no designated privacy or security official

Should You Bother With Compliance?

HIPAA Privacy

•Protection for the privacy of Protected Health Information (PHI)

•Sets the standard for how to maintain privacy for personal information and focuses on confidentiality

What’s Permitted?

•Disclosure to the person that is the subject of the information

•TPO: Treatment, Payment, Healthcare Operations

•OK for care coordination

•Billing & collections activities

•Business management, admin, QC, audits, training

Uses and Disclosures for Treatment, Payment, and Health Care Operations

•To avoid interfering with an individual’s access to quality health care or the efficient payment for such health care, the Privacy Rule permits a covered entity to use and disclose protected health information—with certain limits and protections—for treatment, payment, and health care operations activities.

What’s Treatment?

“Treatment” generally means the provision, coordination, or management of health care and related services among health care providers; by a health care provider with a third party; consultation between health care providers regarding a patient; or the referral of a patient from one health care provider to another.


What’s Payment?

• “Payment” encompasses the various activities of providers to obtain payment or be reimbursed for services

• The Privacy Rule provides examples of common payment activities

• Determining eligibility or coverage under a plan and adjudicating claims

• Billing and collection activities

• Reviewing health care services for medical necessity, coverage, justification of charges, etc.

• Utilization review activities

• Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).

What are Healthcare Ops?

• “Health care operations” are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.

• Reviewing the competence or qualifications of health care professionals, evaluating provider performance, training health care and non-health care professionals, or credentialing activities

• Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection, and compliance programs

• Business management and general administrative activities, resolution of internal grievances, sale or transfer of assets, creating de-identified health information

7 Steps to Achieve Privacy Compliance

1. Install a Privacy Officer

2. Define Minimum Necessary for Your Office

3. Write HIPAA Privacy Policies and Procedures

4. Customize Your NPP (Notice of Privacy Practices)

5. Train Your Team Members

6. Monitor Your Active Privacy Program

7. Initiate Business Associate Agreements

It’s the Rule!

•Assigning a Privacy Officer (PO) is part of HIPAA law

•Someone has to be in charge

•Better when the PO is someone other than the doctor

•The buck must stop with someone

What Makes a Good Privacy Officer (PO)?

Competencies

•Project Management

•Communication Proficiency

•Change Agent

•Ethical Conduct

•Learning Orientation

•Technical Capacity

•Thoroughness

Install a Privacy Officer

Choose someone able to:

•Understand the intricate rules and guidelines that govern HIPAA

•Apply updated guidance and new HIPAA rules and regulations

•Comfortably work alongside practice leadership


Minimum Necessary

• Develop policies and procedures that reasonably limit disclosures of, and requests for, protected health information for payment and health care operations to the minimum necessary.

• Develop role-based access policies and procedures that limit which members of the workforce may have access to PHI for TPO based on those who need access to the information to do their jobs.

• Not required to apply the minimum necessary standard to disclosures to or requests by a health care provider for treatment purposes.

What is the Minimum Necessary Standard?

•According to HHS, this is a “reasonableness standard” to limit unnecessary sharing of medical information.

• The standard is developed by each individual practice; it is based on best practices and guidelines already used by many providers.

First Step- What is the Minimum?

•What PHI access does your Front Desk staff need in order to carry out their job duties?

•What PHI access does your Back Office Assistant need to accomplish his/her responsibilities?

•What PHI access does your Billing Manager currently have, and how does that access help him/her carry out the job duties associated with the position?

What is Necessary?

•Develop Role-Based Access to PHI

•Document Access Privileges and Restrictions

•Communicate or Set restrictions in Practice Management Software and EHR programs


General Privacy Rules

•Designated record set

•Minimum necessary defined

•Notice of Privacy Practices

•Safeguarding and storing PHI

•Emailing and Faxing PHI

•Business Associates

Patient Rights

•Access to PHI

•Accounting of PHI disclosures

•Amending PHI

•Filing complaints

•Restrictions of permitted PHI use


Write HIPAA Policies & Procedures Incidental Uses and Disclosures

•Unintentional

•Overheard phone conversations at the front desk.

•A patient passing a room where treatment is taking place

•Everyday operations

Write HIPAA Policies & Procedures Accidental Disclosures

•Faxing or emailing PHI to the wrong destination

•Disclosing PHI to an unauthorized person

•If harmful, must be disclosed to the patient

•Always included in non-TPO disclosure log

Write HIPAA Policies & Procedures Sample for Faxes

PRIVILEGED AND CONFIDENTIAL: This document and the information contained herein are confidential and protected from disclosure pursuant to federal law. This message is intended only for the use of the Addressee(s) and may contain information that is PRIVILEGED AND CONFIDENTIAL. If you are not the intended recipient, you are hereby notified that the use, dissemination, or copying of the information is strictly prohibited. If you have received this communication in error, please erase all copies of the message and its attachments and notify the sender immediately.

Write HIPAA Policies & Procedures Sample for Emails

This email, including any attachments, may include PRIVILEGED AND CONFIDENTIAL information and may be used only by the person or entity to whom it is addressed. If the reader of this email is not the intended recipient, or his or her authorized agent, the reader is hereby notified that any dissemination, distribution, or copying of this email is prohibited. If you have received this email in error, please notify the sender by replying to this message, and delete this email immediately.

Write HIPAA Policies & Procedures EOB’s and COB’s

•When coordinating benefits, blacken any other patient’s PHI on EOB

•Remove anything that does not apply to the claim

•Otherwise it is in violation of HIPAA law.

Write HIPAA Policies & Procedures Marketing

It is ok to:

•Encourage the purchase of products or services that are not for treatment purposes

•Use part of a treatment plan (e.g., information about asthma if that is the DX on file)

•Speak face to face about a Product of the Month


Write HIPAA Policies & Procedures Use of Photographs

•Permitted but must be out of the public view

•As part of a testimonial or other marketing effort but you must have authorization

•Can include them in electronic or paper form

Write HIPAA Policies & Procedures What’s OK?

•Sign in sheets: with minimal information—name, time, etc.

•Verification of Callers: PHI over phone—Password, SSN, DOB, Zip, Maiden Name, etc.

•Social Security Number: use sparingly, or, better yet, use the last four digits only

Write HIPAA Policies & Procedures Phone Messages/ Appt. Reminders

•Reminders are good

•Postcards are ok

•Answering machines are ok

•Do not leave PHI or test results on a machine

•OK to say that this is to remind the patient of an appointment & give the date/time

• Include what was said in the NPP

Write HIPAA Policies & Procedures More Common Sense

•You are NOT required to have:

•Private rooms

•Sound-proof rooms

•Wireless encryption

•Encrypted telephones

• It’s GOOD to have:

• Patients wait a few steps back from the front desk

• Curtains or screens

•Quiet voices

• Files turned backward

• Folders marked “Confidential”

•All faxes/email containing PHI marked “Confidential”

• Fax machines placed in secure locations

Business Associates and Breach Notification

•A breach is: Generally speaking, impermissible use or disclosure that compromises the security or privacy of PHI under the Privacy Rule

•Following a breach of unsecured PHI: covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media.


Getting Started with HIPAA Security

A KMC University Rapid Tutorial

Get the Basics First!

STOP!

Notice of Privacy Practices

HIPAA Privacy

Business Associates

What is HIPAA Security?

The Health Insurance Portability and Accountability Act (HIPAA) sets Security Standards for the Protection of Electronic Protected Health Information or ePHI.

These standards are also known as the Security Rule.

Security Rule vs. Privacy Rule

Security Rule:

•Access Control

•Audit Controls

• Integrity Controls

• Transmission Security

•Workstation and device security

Privacy Rule:

•Minimum Necessary Standard

•Access Permissions

•Who can change PHI?

•Use and Disclosure for TPO

•Workstation and device privacy

What is ePHI?

ePHI is “individually identifiable” “protected health information” sent or stored electronically

• An individual’s past, present, or future physical or mental health or condition

•The past, present, or future provisioning of health care to an individual

•The past, present, or future payment-related information for the provisioning of health care to an individual

Examples of PHI

• Name and address

• Any date, including birth date

• Telephone or fax #

• Account Number

• Photographic Image

• IP Address

• Email addresses

• SSN

• Medical Record Number

• Health Plan ID #


What is “Individually Identifiable”?

Email address is:

[email protected]

✓The patient’s name is not included in the email

✓There are no identifying numbers or information

So it’s not identifiable, right?

NO!

The description of ePHI states that “all email addresses, no matter what, are identifiable”; because someone, somewhere, by some means has the ability to link this back to the individual.

Yes, we have completed our EHR Incentive Program and it covers all the Security issues. Right?

Thinking of skipping Security Compliance?

Think again...

EHR Incentive Program and the Security Rule (SR) are the Same, Right?

SR “requires you to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the electronic Protected Health Information (ePHI) that an organization creates, receives, maintains, or transmits — not just the ePHI maintained in Certified EHR Technology (CEHRT)…all forms of electronic media, such as hard drives, floppy disks, compact discs (CDs), digital video discs (DVDs), smart cards or other storage devices, personal digital assistants, i-Phones, tablets, transmission media, or other portable electronic media.”

Should You Bother With Security Compliance?

Cardiac Practice Fined for not having policies and procedures to safeguard patient information.

What is the Purpose?

•To protect health information that is held or transferred in electronic form, also known as ePHI

•The Security Rule “operationalizes the protections” contained in the Privacy Rule by addressing technical and non-technical safeguards

What was Missing?

They did not have a Security Officer; did not conduct a Risk Analysis; didn’t document staff training.

RESULT: $100,000 Fine


Security Self Assessment

General Security Rules

• Ensure the confidentiality, integrity, and availability of all e-PHI created, received, maintained or transmitted

• Identify and protect against reasonably anticipated threats to the security or the integrity of the information

• Protect against reasonably anticipated, impermissible uses or disclosures

• Ensure workforce compliance through documented training.

Security Terms

•Confidentiality- ePHI should not be available or disclosed to unauthorized persons (this supports the Privacy Rule)

• Integrity- ePHI is not altered or destroyed in an unauthorized manner

•Availability- ePHI is accessible and useable on demand by authorized person(s)

HIPAA Security Acronyms

• EHR Electronic Health Record

• ePHI Electronic Protected Health Information

• HHS U.S. Department of Health and Human Services

• HITECH Health Information Technology for Economic and Clinical Health Act

• NIST National Institute of Standards and Technology

• OCR The Office for Civil Rights within HHS

• ONC The Office of the National Coordinator for Health Information Technology within HHS

• OS Operating System

• PDF Portable Document Format

• PHI Protected Health Information

• SRA Tool Security Risk Assessment Tool

HIPAA Security General Rules

The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards to protect e-PHI.

HIPAA Security Safeguards

Administrative

✓ Assigned Security Personnel

✓ Security Management Process

✓ Information Access Management

✓ Workforce Training and Management

✓ Contingency Plan

✓ Evaluation

✓ Security Awareness and Training

✓ Security Incident Procedures

✓ Business Associate Agreements

Physical

✓ Facility Access and Control

✓ Workstation and Device Security

Technical

✓ Access Control

✓ Audit Controls

✓ Integrity Controls

✓ Authentication

✓ Transmission Security


Is the Security Rule Optional? It says “addressable”

Addressable – The concept of "addressable implementation specifications" was developed to provide covered entities additional flexibility as it applies to compliance with the security standards.

Required – If an implementation specification is described as “required,” the specification must be implemented.

Required Security Items

•Unique User Identification – no shared passwords allowed

• Risk Analysis – Most HIPAA fines are based on a missing, old, or incomplete Risk Analysis

•Risk Management – HIPAA Security Rule requires you to document the actions you are going to take to reduce risks

•Disaster Plan – procedure to restore data access

More Required Security Items

•Business Associate Agreements – 2013 HIPAA Omnibus Final Rule requires updated Business Agreements with more of the liability falling on covered entities (your practice)

•Audit Controls – find out where ePHI is located, viewed, and transmitted, and by whom; Access Logs must be created and stored for six (6) years

Addressable Items (optional)

•Encryption (data at rest) – a device with encrypted data that is lost or stolen is not reportable as a breach. On the other hand, unencrypted data (on thumb drives, laptops) can lead to severe fines.

•Automatic Logoff/Lockout – It is worth the inconvenience!

Is it Unreasonable or Inappropriate to..?

•Protect Access to PHI by using passwords

•Require Business Associate Agreements prior to allowing PHI access

• Lock down or encrypt portable devices and laptops

•Train staff on how to handle emails and other business postings online

7 Steps to Achieving Security Compliance

1. Assign a Security Officer

2. Perform an Initial Risk Assessment

3. Develop an Action Plan for Compliance

4. Implement Safeguards

5. Write HIPAA Security Policies and Procedures

6. Train Your Team Members to Prevent Breaches

7. Monitor, Audit, and Update Security on an Ongoing Basis


Install a Qualified Security Officer

•Knowledge of technology and various business applications

•Understanding of HIPAA laws and regulations in regard to the Security Rule

•Excellent organizational skills; able to create and implement policies and procedures

•Solid leadership skills; able to perform risk analyses and train staff.

Refresh Your Knowledge

•Review the HIPAA Privacy Rules

•Check with your State Association for any local laws that relate to HIPAA Security

Get to Know Your EHR

Schedule a meeting with the EHR vendor and ask about:

• What are the current Security Settings?

• How do you configure Settings to align with your Policies and Procedures?

• What is the process to correct security-setting deficiencies found by you or your staff?

• Is training for staff on the security features of the software offered?

Assess Your Safeguards

Does your practice have:

• A training program that makes each individual with access to ePHI aware of security measures?

• Policies and procedures for providing a unique identifier for each authorized user?

• Policies and procedures for the physical protection of facilities and equipment?

• Inventory and location records for workstation devices, regularly reviewed to see where they are vulnerable to unauthorized use, theft, or viewing?

• A documented initial risk assessment and action plan?

Quick Assessment

Great Starting Point

What is a Risk Assessment?

•HIPAA Security Rule REQUIRES all Covered Entities (your practice) to conduct a risk assessment.

•This requirement involves answering specific questions concerning access and storage of ePHI in your practice.

•The goal is to reveal any potential risks within your practice and document the findings for your compliance plan.

Assessment or Analysis?

• A risk assessment involves evaluating existing security and controls and assessing their adequacy relative to the potential threats to the organization.

• A risk analysis involves identifying the most probable threats to an organization and analyzing the organization’s related vulnerabilities to these threats.

Find ePHI in Your Clinic

Assess the Threats and Vulnerabilities

Assessment turns into Analysis

In order to analyze the vulnerabilities of your security, you need to answer questions related to Administrative, Technical, and Physical Safeguards.

What is the BEST Risk Assessment Tool?

OPTIONS

• Online electronic Risk Assessment Tools

• Professional Compliance Specialist Services

• A customized, downloadable risk assessment worksheet

KMC’s Risk Assessment Workbook

Electronic Security Risk Assessment

The SRA Tool, available at HealthIT.gov, takes you through each HIPAA requirement by presenting a question about your organization’s activities.

Your “yes” or “no” answer is an indication of whether you need to take corrective action for that particular item.

What Information Will You Need?

• Practice Demographics

• List of Business Associates (BAs)

• List of IT Assets

• List of Assignees

Document the Results - REQUIRED

•Create a report using the SRA Tool.

•Review the Results

• Identify areas that need attention.

•Address these in the order of risk level of high, medium and low.

Create an Action Plan

5 Components

1. Administrative Safeguards

2. Physical Safeguards

3. Technical Safeguards

4. Organizational Standards

5. Policies And Procedures

$$$ Affordable $$$ Safeguards

• Say “no” to staff requests to take laptops containing unencrypted ePHI home.

• Remove/destroy hard drives before disposing of old computers.

• Do not email ePHI unless you know the data is encrypted.

• Server room should be locked/accessible to authorized staff only

• Stress that passwords are not to be shared and are not to be easy to guess.

• Notify staff that you are required to monitor access randomly.

• Maintain a working fire extinguisher in case of fire.

• Check your EHR server often for viruses and malware.

Administrative Safeguards

Administrative Issues

•No designated security officer

•Assessment and reassessment are not performed

•Workforce is not trained and is unaware of security policies

Safeguard Actions

•Designated Security Officer

•Security risk analysis is performed periodically; changes made as needed

•Workforce training begins at hire and is conducted on a regular and frequent basis

Physical Safeguards

ISSUES

• Computer equipment is easily accessible to the public.

• Portable devices are not tracked and/or are not locked when not in use

SAFEGUARDS

• Offices are locked. Screens are shielded from secondary viewers.

• Log created for all devices.

• Encryption installed on all devices. Laptop locks applied.

Technical Safeguards

ISSUES

• No measures in place to keep electronic patient data from improper changes

• Electronic exchanges of patient information are not encrypted or otherwise secured

SAFEGUARDS

• Secure user IDs, passwords, and appropriate role-based access are used.

• Routine audits of access and changes to EHR are conducted

• Data is encrypted

Organizational Safeguards

ISSUES

• No breach notification and associated policies exist

• Business Associate (BA) agreements have not been updated in several years

SAFEGUARDS

• Create a Breach Notification process

• Conduct regular reviews of agreements and update as necessary

Policy & Procedure Safeguard

ISSUE

• Generic template policies and procedures were purchased but not followed

SAFEGUARD

• Written and tailored policies and procedures are implemented and staff is trained

Policy & Procedures

• Contractor Access (IT tech, other outside contractors)

• Electronic Communication, E-Mail, Internet Usage

• Screen Lock

• Audit of Login IDs

• User Lockout

• Password Length, Change, and Reuse

• Antivirus Software & Updates

• Security System, Secure Doors, Motion Detectors, Security Cameras

• Provide Equipment Security (mobile devices, laptops)

• Record Retention

• Sanction Policy

Breach Notification

• BREACH – impermissible use or disclosure, under the Privacy Rule, that compromises the security or privacy of protected health information.

• NOTIFICATION – must provide notification of the breach to affected individuals, the Secretary, and, in some cases, to the media. In addition, Business Associates (BA) must notify covered entities if the breach was caused by the BA.

3 EXCEPTIONS To Reporting a Breach

• Unintentional access by a workforce member; in good faith and within scope of authority

• Inadvertent disclosure by one authorized person to another authorized person

• Good faith belief that the unauthorized person would not be able to retain the information

Train Your Workforce

Staff Needs to:

•Know how to safeguard patient information in the practice

•Know the procedures & processes used to monitor security and steps for breach notifications

•Possess a copy of the practice’s policies and procedures for easy reference

Importance of Training Employees

ISSUE: Hacker accessed email accounts through phishing incident

RESULT: 3200 individuals’ ePHI obtained

PENALTY: MCPN fined $400,000 FOR NOT HAVING a Risk Management plan that included employee training and Risk Analysis

Monitor Security

• Does each workforce member have a unique user identifier?

• Is the automatic logoff feature activated on all workstations with access to ePHI?

• Are role-based access settings active on all software?

Perform Regular Audits

•Password changes

• Incident Identification and Response

•Procedure to maintain retrievable exact copies of ePHI

Check out HHS.GOV Audit Protocol for a detailed list.

Update Policies and Procedures

Compliance is not a “once done, I’m done!” task. Continue to:

ASSESS, MAKE CHANGES, DOCUMENT, TRAIN

Ongoing Staff Training

• Schedule Regular Meetings to REMIND Staff of your Security Policies.

• Share examples of tactics being used to gain Unauthorized Access to ePHI.

Don’t be a HIPAA-crit!

• Think about your patients!

• Commit to providing the protection they deserve!

Take The Time

An active HIPAA Security Program is worth the effort!
