I N S I D E T H I S I S S U E :

CONNECT WITH US!

www.rmcinc.org

OIG Work Plan:

An Overview and

Auditing Priorities

for 2017

2

Ransomware 3

Significant Coding

Clinic Changes 3-4

...with Diabetes 4-5

RMC News 6-7

Vol.7 Issue 1 1st Quarter 2017

Documentation Improvement in the Clinic By Chris Breithoff, CPC, CPCO, CRC &

Monique Vanderhoof RHIT, CPC, CCA, CRC

You have probably heard the sayings “If you think it, ink it” or “If you didn’t write it down, it didn’t

happen”. Perhaps you have even used them yourself! As cliché as they might be, these sayings are

very important for providers to understand.

These days we find that documentation is becoming easier for providers to be more thorough thanks

to the rapid adoption of EHRs. Most EHRs can be customized to a provider’s preferences,

specialties, etc. making it easier to document more sufficiently than they did with pen and paper. The

catch is that as more clinics continue to adopt EHRs we are now seeing some new areas of concern

with documentation that providers need to be weary of, so as not to find themselves in hot water.

The sooner we can catch these issues and train providers the right from the wrong, the less difficult it

will be to change habits.

Some of the most common issues being seen with EHR documentation are copy/paste, conflicting

documentation, missing signatures/attestations, and upcoding.

Copy/Paste or Cloned notes: This becomes a problem when a provider copies a previous note

into the current visit and fails to confirm and update the information included in the note so that it

reflects the current visit. If the information contained in the documentation does not accurately

represent the current condition/visit, the provider is at risk for incorrect billings. Worse yet, in an

audit situation if a note(s) appear to be cloned, they are considered unacceptable and insurance com-

panies will recoup any money paid; often plus interest.

Conflicting Documentation: Another issue that we see frequently when notes have been copied

and pasted from previous encounters is that there is conflicting documentation. A provider pulls

information from a previous note and doesn’t edit the information to fit the current situation but

instead adds new information to it. This can leave us with conflicting documentation because part of

the note says one thing and then later also says the opposite. Conflicting documentation renders itself

invalid in the case of an audit because it cannot be deciphered what really happened for that specific

date of service. Documentation MUST reflect only what was done at the time of the visit and not

include information copied from previous visits.

Templated Notes: EHRs give us many options to customize and simplify our work; using

templates is one of those options. Templates allow providers to select predefined text and structured

text boxes, etc. so that completing a note is a much easier process. The problem with templates and

cloned notes comes when all notes appear similar or identical. Documentation must show differences

in the level of services being provided at each visit. For example, you might have fairly lengthy

documentation for a patient presenting with multiple new problems, but you wouldn’t have the same

lengthy documentation with multiple body areas examined for a straightforward condition such as an

ear infection.

Missing Signatures/Attestation: We frequently see documentation in the EHR with no

signatures or attestations attached. Just as a provider would sign a paper note, they must sign an

electronic note for it to be valid for billing purposes. Every note must be signed and dated by the

provider of service. Documentation left in draft form in the EHR is not valid because it can be

changed by anyone at any time; therefore providers must be sure to finalize their documentation with

the appropriate procedure so that a signature and date are attached to the document and it is locked

from editing.

Code Creep/Upcoding: When a provider overuses checkboxes, drop down lists, etc. to create

unnecessarily lengthy documentation this creates a situation called code creep or upcoding. The

increased documentation makes the services billable at a higher level, thus payable for more $$,

when in reality a straightforward visit was all that needed to be performed. CMS states “even if a

Continued...

complete note is generated, only the medically reasonable and necessary services for the condition present at the time of the encounter as

documented can be considered when selecting the appropriate level of an E/M service.” Therefore, regardless of the large amount of

documentation, if the medical necessity for the documentation isn’t proven, it cannot be used for billing purposes.

Moral of our story: While EHR systems have many benefits, caution must be used so that the functions of the EHR are not abused.

Providers should include only information that is pertinent to the medical decision making necessary for the current diagnoses. Be sure to

capture personal, family and social history as it pertains to the current state of the patient. The documentation a provider creates must paint a

clear and concise picture of how sick the patient is at the time of the visit.

Last month I presented a webinar on the OIG Work Plan for 2017. Although we’re almost halfway through the fiscal year 2017, this

presentation provided some key points on how you can incorporate the current plan and future plans into your organization’s auditing and

monitoring functions. Paying attention to what the Office of Inspector General (OIG) for Health and Human Services (HHS) plans to audit and

monitor during the upcoming fiscal year should be a one of the key drivers in developing your own annual audit plan.

As a reminder, auditing and monitoring is one of seven key elements of an effective compliance program. Auditing and monitoring program

functions can help an organization identify risks to business, assists with preventing real or potential risks from escalating and shows a good

faith effort that you are truly looking at your own processes and controls.

This year, the OIG has cleaned up its annual work plan by deleting old items, and adding new items it plans to audit this fiscal year. Although

the plan is specific to what the OIG plans to audit in respect to HHS programs, it provides a plan of the audits that organizations may

experience as well. The annual plan covers Medicare, Medicaid, FDA, Substance Abuse/Mental Health, Public Health, Indian Health Services

and Other.

For the purposes of the presentation and my own experiences in developing an annual audit plan, the items can be grouped into categories: 1)

FYI only, 2) Monitor and 3) Audit. Auditing and compliance staff may then work with operational director to categorize each item somewhat

quickly before taking a deeper look at each item that may be placed on the organization’s work plan.

The remainder of the presentation focused on specific 2017 OIG Work Plan items and how organizations may add them to their own audit

work plan or share them as FYI only items with leadership. For example, organizations that perform Hyperbaric Oxygen Services, could

benefit from conducting a probe audit or sample of claims to ensure that the treatments were for covered conditions and that the medical

documentation adequately supported the treatments.

Perhaps more of an FYI item for those who already have a good understanding of their Provider-based Clinics, this item may prompt

organizations to review their own clinics or simply provide an educational opportunity to alert leadership that the OIG has included an item on

the topic. This may be the case for the Two-Midnight Rule item as well. If an organization has not already, now is a good time to review the

number of outpatient and inpatient services in relation to the changed interpretation to ensure the organization is following the most up-to-date

CMS guidance.

Other notable items for 2017 include items related to inpatient rehab hospitals, skilled nursing facilities and hospice medical documentation

reviews. If an organization provides these services, these may be key items to add to an organization’s audit plan.

No matter the time an organization reviews the OIG Work Plan, this resource is important in creating an annual audit plan and educating

leadership on OIG activities.

“Documentation Improvement” continued...

Page 2 C O M P L I A N C E C O N N E C T I O N S

OIG Work Plan: An Overview and Auditing Priorities for 2017 By Aurae Beidler, MHA, RHIA, CHC, CHPS

Monique Vanderhoof, RHIT, CPC, CCA, CRC is Director of Coding Services at RMC. In this role she is directly responsible for a hospital and professional fee coding project at a large psychiatric hospital. Monique and her Team of coders are well versed in behavioral health cod-

ing. Additionally, Monique is heavily involved in HCC/Risk Adjustment Coding, coder education for clients and internal RMC coders, as well as

education for providers. Monique has over 20 years of experience in the clinic and hospital settings as well as consulting. Monique is also an

AHIMA Trainer in ICD-10-CM.

Aurae Beidler, MHA, RHIA, CHC, CHPS has worked in the health care industry since 2002, for health systems and outpatient clinics including behavioral and dental health, with an emphasis in compliance operations and program implementation, training, auditing and privacy

and security of health records. Aurae has experience with coding and billing issues, risk assessments, regulatory interpretations, internal

investigations, responding to external audits and investigations, writing appeals for denied claims, policy and procedure creation, provider education and training, risk management and provider malpractice insurance and determining clinical billing risk by performing audits and

investigations. She has overseen and assisted with the implementation of a privacy and security program for outpatient clinics and developed an

institutional compliance program. She has also published several articles in Compliance Today and the Journal of AHIMA, and serves on AHIMA’s Privacy and Security Practice Council. Aurae earned a Master’s degree in Healthcare Administration (MHA) from Pacific University in 2010, a

graduate certificate in biomedical informatics from Oregon Health and Sciences University and a B.A. in Journalism from University of Oregon in 2002.

Aurae is currently credentialed as a CHC, certified in healthcare compliance, RHIA, registered health information administrator and CHPS, Certified in

Healthcare Privacy and Security.

Chris Breithoff, CPC, CPCO, CRC is the Director of Physician Coding Services at RMC.. She has worked in the medical arena since 1985 with an emphasis on coding & compliance for over 20 years. Her background includes managing large private practices, as well as managing a

physician coding department for a large teaching hospital. Chris’ areas of expertise are E/M, Critical Care, ER, GI, Pulmonary, Cardiology,

Behavioral Health and Sleep Medicine. Additionally, Chris is heavily involved in education for clients coders and internal RMC coders as well as

provider education.

Ransomware By Chris Apgar, CISSP

Ransomware is not new but it’s ever increasing use to blackmail healthcare organizations should place ransomware attacks as a definite

possibility and a risk that needs to be mitigated. It’s critical for healthcare organizations to prepare for such malicious attacks. Preventing and

quickly responding to malicious attacks should be a part of any healthcare organization’s risk management strategy.

The first place to start is with staff education. Phishing and spear phishing can and are leading to more than ransomware attacks. It can lead to

network compromise, breach and an inability to address critical patient care. Staff need to know how to spot malicious links and email and

what is and isn’t safe to click on. Training is one of the key steps in addressing ransomware.

As part of the training, healthcare organizations should run mock phishing exercises. A mock phishing exercise is a form of social engineering

and it can be used to determine how many staff click on malicious links without harming the organization. This exercise helps identify staff

who may need remedial training and it makes it real for staff. This should not be a onetime exercise. Ongoing training and social engineering

exercises keep the threat of phishing in the forefront of staff’s minds.

It’s important to implement a solid backup plan. A backup plan should cover all critical applications and data and backups of data should occur

on a daily basis. Backup media should be stored offline or a better way to say it is the media should not be accessible from the Internet to

avoid malicious access to the media. Backup media should be stored offsite and encrypted. If the media is stored offsite at a secure location, it

is less likely that the media is accessible to unauthorized individuals.

All healthcare organizations need to develop and implement a formal security incident response plan. The time to plan is not when the ransom-

ware attack occurs. A formal incident response team needs to be appointed and trained. A lot can go wrong in the event of a ransomware

attack if a plan isn’t in place and a team has not been formally trained. The FBI stated healthcare organizations should not pay the ransom and

should engage law enforcement if an attack occurs. That’s good advice but healthcare organizations need to know at what point the ransom

needs to be paid to protect patients and provide needed patient care. You don’t know what that point is if you don’t have a plan and you don’t

test the plan before a malicious attack occurs.

Developing a sound disaster recovery and business continuity plan is another step healthcare organizations can take to reduce the impact of a

ransomware attack. Ideally healthcare organizations will maintain what is called a hot site – an alternate location that can be switched over to

in the event of a ransomware attack. That is not always feasible especially for smaller healthcare organizations because of the cost. Alternate-

ly, a sound and tested plan can be used to identity critical assets such as EHRs and what steps need to be taken to continue the business of

healthcare while the data is inaccessible and how to recover. Plans include such things as what vendors need to be contacted for replacement

servers and other assets and what steps will be taken to rebuild a network and hardware to eradicate the malicious code.

In the end, it is key to make sure staff is trained, phishing tests run and that plans are in place to address malicious attacks before they happen.

It’s more than a regulatory requirement. It is just sound business practice and is needed to provide patient care before, during and after a

malicious attack. This is not a onetime event. The types of risk change over time resulting in the need to periodically test and update plans.

People are the most significant risk hence ongoing training is also required.

2016 proved to be a challenging year for many of us working in ICD-10-CM and ICD-10-PCS. Personally, I felt like I had a good grip on

what was coming down the line with the I-10 go live, but as soon as I thought I knew what I was doing, along would come a scenario which I

struggled with. Coding Clinic did a great job in 2016 clarifying a lot of questions/scenarios that were submitted. This is going to be a brief

summary of some of the clarifications that I felt were important to be reiterated, but remember that there are a lot more that you should read

and take note of.

Heart failure can now be coded with documentation of “HFpEF” (heart failure with preserved ejection fraction) as diastolic heart failure,

and “HFrEF” (heart failure with reduced ejection fraction) as systolic heart failure. No more queries when this documentation or wording

is available! (CC 1Q 16, pg 10)

Following the Coding Conventions, Instructional Notes, and Coding Guidelines when there is documentation of a condition and the words

“with” in the index. Assume a link when the index provides one, unless the provider specifically states the condition is due to another

cause. (CC 1Q 2016, pg 11)

Chris Apgar, founder of Apgar & Associates is a Certified Information systems Security Professional (CISSP). He is one of

the country’s foremost experts and spokespersons on healthcare privacy, security, regulatory arriafs, state and federal

compliance and secure and efficient electronic health information exchange. Chris has more than 19 years of experience in

regulatory compliance and is a leader of regional and national privacy, security and health information exchange forums. As

a member of Workgroup for Electronic Data Interchange, and serving on the Board of Directors since 2006, Chris is an

honest, reliable, trustworthy expert in the field of privacy and security.

Email capgar@apgarandassoc.com for more details.

Page 3 C O M P L I A N C E C O N N E C T I O N S

Continued...

Significant Coding Clinic Changes by Jennifer Jones, CCS

Page 4 C O M P L I A N C E C O N N E C T I O N S

Bleeding associated with a drug as part of anticoagulation therapy should be coded to D68.32, hemorrhagic disorder due to extrinsic

circulating anticoagulants or drug-induced hemorrhagic disorder. (CC 1Q 2016, pg 14)

Hepatic encephalopathy is not synonymous with hepatic coma. Do not code this as “with coma” unless coma is documented in the

record. (CC 2Q 2016, pg 35)

Bronchoalveolar washings and brushings are coded to the root operation of “excision”, while bronchoalveolar lavage is coded to the root

operation of “drainage”. (CC 1Q 16, pg 26)

When a lesion/plaque is an extension and goes from one body part to another, this is considered a continuation of a single lesion. When

surgery is performed on an overlapping lesion in a tubular body part, assign the furthest anatomical site from the point of entry as the

body part when coding endarterectomy, with the root operation of “extirpation”. (CC 1Q 16, pg 31)

Decompressive laminectomy/foraminotomy is coded to the root operation of “release” for the condition of foraminal stenosis, and

discectomy is coded to the root operation of “excision” for the condition of disc herniation. These are separate and distinct diagnoses that

are both treated with separate and distinct procedures. (CC 2Q 2016, pg 16)

When coding arterial catheter placement, if the most distal placement of the catheter tip is not documented, the default body part value is

based on the documentation of the site of catheter placement. If the body part is documented where the catheter tip lies (for example,

superior vena cava), code to that most distal location.

Again, this just touches on a few of the Coding Clinic advices given for first and second quarter of 2016, so make sure you read the entire

documents to keep yourself up to date.

Diabetes has always been a challenge to code since there are many conditions that are related to it. Coders would always have to search for a

documented link between certain conditions and the diabetes. For example, when a patient would have chronic kidney disease and diabetes,

the provider would have to document “chronic kidney disease due to diabetes” or “diabetic chronic kidney disease”. Coders would hope that

the provider would provide this link between the two, and in many instances, have to query to get the documentation needed.

As of 2nd quarter 2016, however, Coding Clinic has clarified that there no longer has to be a link documented between certain conditions and

diabetes. Since the Coding Guideline I.A.15 states that word “with” is interpreted to mean “due to” or “associated with” when it appears in

the Index or code title, this means that a causal relationship can now be presumed. (Unless it is specifically documented that the condition and

diabetes are unrelated or due to another cause).

So what conditions does this pertain to? If you look in the ICD 10-CM Index under diabetes, here are the conditions where you can assume a

relationship:

Betes, diabetic (mellitus) (sugar) E11.9

With

Amyotrophy E11.44

Arthropathy NEC E11.618

Autonomic (poly) neuropathy E11.43

Cataract E11.36

Charcot’s joints E11.610

Chronic kidney disease E11.22

Circulatory complication NEC E11.59

Complication E11.8

Specified NEC E11.69

Dermatitis E11.620

Foot ulcer E11.621

Gangrene E11.52

Gastroparalysis E11.43

Gastroparesis E11.43

Glomerulonephrosis, intracapillary E11.21

Jennifer Jones, CCS has 26 years of experience in the Health Information Management field. She has been a Certified

Coding Specialist for 13 years, but has also worked as a Clinical Documentation Specialist, Manager of Coding Services,

Medical Transcriptionist, Medical Assistant, Medical Biller, and Medical Receptionist. She has worked in hospitals ranging

from a 25-bed Critical Access Hospital in Oregon to a 400-bed Community Hospital in Florida, and physician offices through-

out Oregon, Washington and California. She has been pursuing education in the nursing field to help further her coding skills,

and is working towards her RHIT. Jennifer joined RMC in 2009 and currently is the Manager of Coding Services for RMC.

...with Diabetes By Mary Chelucci

“Coding Clinic Changes” continued...

Continued...

Glomerulosclerosis, intercapillary E11.21

Hyperglycemia E11.65

Hyperosmolarity E11.00

With coma E11.01

Hypoglycemia E11.649

With coma E11.641

Kidney complications NEC E11.29

Kimmelsteil-Wilson disease E11.21

Loss of protective sensation (LOPS) - see Diabetes, by type, with neuropathy

Mononeuropathy E11.41

Myasthenia E11.44

Necrobiosis lipoidica E11.620

Nephropathy E11.21

Neuralgia E11.42

Neurologic complication NEC E11.49

Neuropathic arthropathy E11.610

Neuropathy E11.40

Ophthalmic complication NEC E11.39

Oral complication NEC E11.638

Osteomyelitis E11.69

Periodontal disease E11.630

Peripheral angiopathy E11.51

With gangrene E11.52

Polyneuropathy E11.42

Renal complication NEC E11.29

Renal tubular degeneration E11.29

Retinopathy E11.319

With macular edema E11.311

Resolved following treatment E11.37

Nonproliferative E11.329

With macular edema E11.321

Mild E11.329

With macular edema E11.321

Moderate E11.339

With macular edema E11.331

Severe E11.349

With macular edema E11.341

Proliferative E11.359

With

Combined traction retinal detachment and rhegmatogenous retinal detachment E11.354

Macular edema E11.351

Stable proliferative diabetic retinopathy E11.355

Traction retinal detachment involving the macula E11.352

Traction retinal detachment not involving the macula E11.353

Skin complication NEC E11.628

Skin ulcer NEC E11.622

As you can see this list is quite extensive! So many conditions to remember! It may be in the interest of a Coder to have this list handy when

coding since it is quite a lot to commit to memory. Coders will want to be accurate in their work and be sure to link the condition when

diabetes is documented.

Page 5 C O M P L I A N C E C O N N E C T I O N S

Mary Chelucci, RHIA, CCS, has been in HIM for over 30 years. Mary is currently working as a Project Manager for RMC.

Prior to RMC, she has worked as a Coder, Trauma Registrar, Medical Records Supervisor and Medical Records Coordinator for

acute care hospitals and one outpatient clinic. Mary is an AHIMA approved ICD-10-CM and ICD-10-PCS Train the Trainer,

and has been with RMC since December of 2013.

“...with Diabetes” Continued...

Page 6 C O M P L I A N C E C O N N E C T I O N S

Yep. You read that right. Totally free.

Visit our website: www.rmcinc.org to submit your questions today!

Our new website features a “Coding Questions” button. Submit your question, and one of our

RMC coding experts will reply.

*Also - don’t forget to follow RMC on Facebook, LinkedIn and Twitter. We post coding tips, reminders and updates weekly!

REIMBURSEMENT MANAGEMENT CONSULTANTS, INC. Offering Comprehensive Compliance Review & Coding Services. Nationwide.

Hospital Reviews

Clinic Reviews

Specialized Reviews

Coding Support

Compliance Programs

Education & Training

Contact us today for more information: 800-538-5007

Page 7 C O M P L I A N C E C O N N E C T I O N S

Camille Walker: cwalker@rmcinc.org or Kristin Gibson: kristin@rmcinc.org