DISCLOSURE
Claudia Murray is a principal and CEO of CMC Consulting, LLC, a firm that specializes in regulatory compliance, Medicare billing rules and coding audits.
Neither Claudia Murray nor her immediate family members have a financial relationship with a commercial organization that may have a direct or indirect interest in the content of this presentation.
NO COMMERCIAL INTEREST TO DISCLOSE
AGENDA
2013 HIPAA Privacy, Security, Breach Notification and Enforcement Rules
PCI DSS Compliance
ICD-9 Coding for Original, Resubmitted and Appealed Claims
Place of Service
Site of Service
2013 HIPAA PRIVACY, SECURITY, BREACH NOTIFICATION AND ENFORCEMENT RULES
On January 17, 2013, the Department of Health and Human Services issued the long-awaited revisions to the HIPAA rules
The rules made a number of changes to the current HIPAA privacy, security, breach notification and enforcement requirements
The new rules modify the patient authorization and other requirements related to use and disclosure of PHI for research
Consistent with the provisions of the HITECH Act, the new rules expand patients’ rights to receive electronic copies of their PHI and restrict disclosures of PHI to health plans concerning treatment for which the patient paid out of pocket in full
The new rules provide more flexibility with respect to allowing access to decedent PHI to family members and others
Consistent with the Genetic Information Nondiscrimination Act, the new rules prohibit most health plans from using or disclosing genetic information for underwriting purposes
The new rules impose additional restrictions on the use and disclosure of PHI for marketing by requiring written patient authorization for all communications where the CE receives remuneration for communicating with a company whose product or service is being marketed
The definition of the term “business associate” has been expanded in the new rules to include vendors who maintain PHI, even if they do not view the PHI, and subcontractors of business associates
This change to the rules will likely result in many new vendors being considered business associates
The new rules detail that business associates, as well as their subcontractors, are directly liable for compliance with the HIPAA security rules and certain requirements of the HIPAA privacy rules
Business Associate Agreements that were already revised for compliance with the HITECH Act may require amendment but not a significant overhaul
The new rules change the notification requirements for breaches of unsecured protected health information (“PHI”)
They replace the current “risk of harm to the affected patients” standard with a more objective standard to be used in determining whether a breach has occurred and whether notice of the breach must be provided to patients, the government and the media
Under the new rules, every improper use or disclosure of PHI is presumed to be a breach unless it is demonstrated that there is low probability that the PHI was compromised as a result of the incident
This change is significant and could result in an increase in the number of breaches requiring notice
The new rules adopt an increased, tiered civil money penalty structure for HIPAA violations provided by the HITECH Act
They also give the Office of Civil Rights discretion to impose penalties on covered entities and business associates in cases of violations due to willful neglect without first attempting to resolve the matter through informal means
Penalties for HIPAA violations are significant
Specifically, penalties for violations caused by willful neglect, which are corrected, range from $10,000 to $50,000 per violation
The minimum penalty for an uncorrected HIPAA violation caused by willful neglect is $50,000 per violation
The penalties are capped at $1.5 million for all violations of an identical requirement in a calendar year
Violation Category – Section 1176(a)(1) | Each Violation | All Violations of an Identical Provision in a Calendar Year
(A) Did Not Know | $100 - $50,000 | $1,500,000
(B) Reasonable Cause | $1,000 - $50,000 | $1,500,000
(C)(i) Willful Neglect-Corrected | $10,000 - $50,000 | $1,500,000
(C)(ii) Willful Neglect-Not Corrected | $50,000 | $1,500,000
The new rules provide that each covered entity must revise its notice of privacy practices to address the new HIPAA requirements
Covered entities and business associates generally must comply with the new HIPAA requirements by September 23, 2013
Compliance with the new requirements will also require changes to HIPAA policies and procedures
PCI DATA SECURITY STANDARDS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment
Essentially any merchant that has a Merchant ID (MID)
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process
The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB)
It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council
WHO MUST COMPLY WITH PCI?
PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data
Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply
The Standard can be found on the PCI SSC's Website: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
DEFINITIONS
Cardholder data is any personally identifiable data associated with a cardholder
This could be an account number, expiration date, name, address, social security number, etc.
All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data
For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services
Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers
For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers
COMPLIANCE DATE
All merchants that store, process or transmit cardholder data must be compliant now
However, if you are a Level 4 merchant, you will have to refer to your merchant bank for their specific validation requirements and deadlines
All deadline enforcement will come from your merchant bank
You may also find more information on Visa’s Website: http://usa.visa.com/download/merchants/payment_application_security_mandates.pdf
PCI COMPLIANCE LEVELS
All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period
Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’)
In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level
If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level
MERCHANT LEVEL DESCRIPTION
Merchant Level | Description
1 | Any merchant -- regardless of acceptance channel -- processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
2 | Any merchant -- regardless of acceptance channel -- processing 1M to 6M Visa transactions per year.
3 | Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M Visa transactions per year.
MEETING THE REQUIREMENTS
To satisfy the requirements of PCI, a merchant must complete the following steps:
Identify your Validation Type as defined by PCI DSS – this is used to determine which Self Assessment Questionnaire is appropriate for your business
Complete the Self-Assessment Questionnaire according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines
Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV)
Note scanning does not apply to all merchants
It is required for Validation Type 4 and 5 – those merchants with external facing IP addresses
Basically if you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required
Complete the relevant Attestation of Compliance in its entirety
Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer
Control Objectives PCI DSS Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
YOU MIGHT ASK…
Q: I’m a small merchant with very few card transactions; do I need to be compliant with PCI DSS?
A: All merchants, small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data.
Q: If I only accept credit cards over the phone, does PCI still apply to me?
A: Yes. All businesses that store, process or transmit payment cardholder data must be PCI Compliant.
Q: Do organizations using third-party processors have to be PCI compliant?
A: Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI.
Q: My business has multiple locations, is each location required to validate PCI Compliance?
A: If your business locations process under the same Tax ID, then typically you are only required to validate once annually for all locations, and submit quarterly passing network scans by a PCI SSC Approved Scanning Vendor (ASV), if applicable.
Q: Are debit card transactions in scope for PCI?
A: In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC - American Express, Discover, JCB, MasterCard, and Visa International.
SSL CERTIFICATION
SSL certificates do not secure a Web server from malicious attacks or intrusions
High assurance SSL certificates provide the first tier of customer security and reassurance but there are other steps to achieve PCI Compliance
A secure connection between the customer's browser and the web server
Validation that the Website operators are a legitimate, legally accountable organization
PENALTIES
The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations
The banks will most likely pass this fine on downstream till it eventually hits the merchant
Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees
Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business
It is important to be familiar with your merchant account agreement, which should outline your exposure
BREACH NOTIFICATION
See the procedures outlined in Visa’s “What to Do If Compromised Visa Fraud Control and Investigations Procedures” document
http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf
There are at least 39 states that have breach notification laws in place
See www.privacyrights.org for more detail on state laws
ICD-9, NOT ICD-10???
We’re going to discuss:
Coding from the report
Is there a difference between specificity and certainty?
Assigning a diagnosis code based on the other information, documentation or medical records
Late entries and amendments
Resubmissions and appeals
10.1 - ICD-9-CM CODING FOR DIAGNOSTIC TESTS
The CMS instructs physicians to report diagnoses based on test results, if available
Contractors, physicians, hospitals, and other health care providers must comply with the following instructions in determining the appropriate ICD-9-CM diagnosis code for diagnostic test results
10.1.1 - DETERMINING THE APPROPRIATE PRIMARY ICD-9-CM DIAGNOSIS CODE FOR DIAGNOSTIC TESTS ORDERED DUE TO SIGNS AND/OR SYMPTOMS
For patients receiving diagnostic services, code the condition(s), symptom(s), and diagnosis to the highest degree of certainty for that visit, such as describing symptoms, signs, abnormal test results, or other reasons for the visit
Report additional codes that describe any current coexisting conditions
Do not code diagnoses documented as probable, suspected, questionable or rule out
A. CONFIRMED DIAGNOSIS BASED ON RESULTS OF TEST
If the physician has confirmed a diagnosis based on the results of the diagnostic test, the physician interpreting the test should code that diagnosis
The signs and/or symptoms that prompted ordering the test may be reported as additional diagnoses if they are not fully explained or related to the confirmed diagnosis
B. SIGNS OR SYMPTOMS
If the diagnostic test did not provide a diagnosis or was normal, the interpreting physician should code the sign(s) or symptom(s) that prompted the treating physician to order the study
C. DIAGNOSIS PRECEDED BY WORDS THAT INDICATE UNCERTAINTY
If the results of the diagnostic test are normal or nondiagnostic and the referring physician records a diagnosis preceded by words that indicate uncertainty (e.g., probably, suspected, questionable, rule out, or working), then the interpreting physician should not code the referring diagnosis
Rather the interpreting physician should report the sign(s) or symptom(s) that prompted the study
Diagnoses labeled as uncertain are considered by the ICD-9-CM Coding Guidelines as unconfirmed and should not be reported
This is consistent with the requirement to code the diagnosis to the highest degree of certainty
10.1.2 - INSTRUCTIONS TO DETERMINE THE REASON FOR THE TEST
The Balanced Budget Act (BBA) §4317(b) requires referring physicians to provide diagnostic information to the testing entity at the time the test is ordered
As further indicated in 42 CFR 410.32 all diagnostic tests “must be ordered by the physician who is treating the beneficiary”
An “order” is a communication from the treating physician/practitioner requesting that a diagnostic test be performed for a beneficiary
10.1.3 - INCIDENTAL FINDINGS
Incidental findings should never be listed as primary diagnoses
If reported, incidental findings may be reported as secondary diagnoses by the physician interpreting the diagnostic test
10.1.4 - UNRELATED COEXISTING CONDITIONS/DIAGNOSES
Unrelated and coexisting conditions/diagnoses may be reported as additional diagnoses by the physician interpreting the diagnostic test
10.1.5 - DIAGNOSTIC TESTS ORDERED IN THE ABSENCE OF SIGNS AND/OR SYMPTOMS
When a diagnostic test is ordered in the absence of signs/symptoms or other evidence of illness or injury, the testing facility or the physician interpreting the diagnostic test should report the screening code as the primary diagnosis code
Any condition discovered during the screening should be reported as a secondary diagnosis
10.1.6 - USE OF ICD-9-CM TO THE GREATEST DEGREE OF ACCURACY AND COMPLETENESS
The following longstanding coding guidelines are part of Official ICD-9-CM Guidelines for Coding and Reporting
The testing facility or the interpreting physician should code the ICD-9-CM code that provides the highest degree of accuracy and completeness (certainty) for the diagnosis resulting from the test, or for the sign(s)/symptom(s) that prompted the ordering of the test
The “highest degree of specificity” means assigning the most precise ICD-9-CM code that most fully explains the narrative description in the medical chart of the symptom or diagnosis
WHY AM I TELLING YOU THIS?
RAC auditors have been taking a harder stance on accepting diagnosis information from sources other than the radiology report
MAC denials for medical necessity often lead to resubmissions or appeals with additional diagnosis information
Recent publications detail Medicare’s viewpoint on ancillary documentation, late medical record entries and amendments
MEDICARE HAS STATED…
Every note stands alone, i.e., the performed services and necessary signatures must be documented at the outset
Delayed written explanations will be considered for purposes of clarification only
They cannot be used to add and authenticate services billed and not documented at the time of service or to retrospectively substantiate medical necessity
For that, the medical record must stand on its own with the original entry corroborating that the service was rendered and was medically necessary
Published by CGS, a multi-state MAC
AMENDED MEDICAL RECORDS
Late entries, addendums, or corrections to a medical record are legitimate occurrences in documentation of clinical services
A late entry, an addendum, or a correction to the medical record, bears the current date of that entry and is signed by the person making the addition or change
Published by Noridian Administrative Services, a multi-state MAC
A late entry supplies additional information that was omitted from the original entry
The late entry bears the current date, is added as soon as possible and written only if the person documenting has total recall of the omitted information
A late entry following treatment of multiple trauma might add: “The left foot was noted to be abraded laterally.”
An addendum is used to provide information that was not available at the time of the original entry
The addendum should also be timely and bear the current date and reason for the addition or clarification of information being added to the medical record
An addendum could note: “The chest x-ray report was reviewed and showed an enlarged cardiac silhouette.”
When making a correction to the medical record, never write over, or otherwise obliterate the passage when an entry to a medical record is made in error
Draw a single line through the erroneous information, keeping the original entry legible
Sign and date the deletion, stating the reason for correction above or in the margin
Document the correct information on the next line or space with the current date and time, making reference back to the original entry
Correction of electronic records should follow the same principles of tracking both the original entry and the correction with the current date, time and reason for the change
When a hard copy is generated from an electronic record, both records must be corrected
Any corrected record submitted must make clear the specific change made, the date of the change, and the identity of the person making that entry
AMENDED MEDICAL RECORDS/FALSIFIED DOCUMENTATION
Providers are reminded that deliberate falsification of medical records is a felony offense and is viewed seriously when encountered
Examples of falsifying records include:
Creation of new records when records are requested
Back-dating entries
Post-dating entries
Pre-dating entries
Writing over, or
Adding to existing documentation (except as described in late entries, addendums and corrections)
Corrections to the medical record legally amended prior to claims submission and/or medical review will be considered in determining the validity of services billed
If these changes appear in the record following payment determination based on medical review, only the original record will be reviewed in determining payment of services billed to Medicare
Appeal of claims denied on the basis of an incomplete record may result in a reversal of the original denial if the information supplied includes pages or components that were part of the original medical record, but were not submitted on the initial review
CMS OPEN DOOR FORUM ON DECEMBER 2, 2011
Melanie Combs-Dyer/Deputy Director for the Provider Compliance Group at CMS in the Office of Financial Management stated:
“…we have instructions in our program integrity manual that says if it is more than a few days, you know, if you're talking about months after the facts, the delayed documents of late entries made to the medical record, we instruct our contractors to refer those to the fraud department”
TRANSMITTAL 2407
Previously the CMS had instructed physicians to use the POS code where s/he interpreted the service
The transmittal was put on hold in January 2010
The CMS provided new POS guidance in Transmittal 2407 with an effective date of April 1, 2012
CMS rescinded Transmittal 2407 in late March stating that they would reissue the transmittal with a new effective date
Transmittal 2435 was issued with an effective date of October 1, 2012
TRANSMITTAL 2561
On September 28th Transmittal 2561 replaced Transmittal 2435 without significant changes but with an effective date of April 1, 2013
Under the Medicare Physician Fee Schedule (MPFS), some procedures have separate rates for physicians’ services provided in facility and nonfacility settings
Medicare considers the place of service a key element in claims processing when the correct payment is determined by the POS code
POS FOR DIAGNOSTIC TESTS
General instructions in Transmittal 2561 state that the POS code should reflect the actual place where the patient received the face-to-face encounter to determine whether the facility or nonfacility payment rate is paid
But, instructions for diagnostic radiology services differ since payment is not solely determined by the POS code but most often by modifier
Additionally, Medicare recognizes that the PC and TC are often furnished in different settings
PLACE OF SERVICE CODES (POS) AND BILLING INTEGRATED SERVICES
In a freestanding imaging setting, POS 11 was standardly billed for the professional and the technical components
In a provider-based setting, the TC belongs to the hospital and is billed by the hospital
In a provider-based setting, there are multiple POS code possibilities for the pro fee and there are new instructions from Medicare regarding the POS to be billed
In almost all cases, the POS code assigned to the physician billing for the PC will be the POS where the patient received the TC
For the professional component (PC) of diagnostic tests, the facility and nonfacility payment rates are the same because modifier 26 actually determines the payment – not the POS code on the claim
For a service rendered to a patient who is a hospital inpatient or outpatient, only the PC can be billed because the service must be rendered “Under Arrangements”
POS FOR RADIOLOGY INTERPRETATIONS
The appropriate POS code for the interpretation is the setting where the patient received the TC service
If the interpretation was performed in the physician’s office and the patient received the TC service in the outpatient hospital setting, the physician assigns POS 22 on the claim for the PC
Additionally, the name, address, and ZIP code of the office location must be entered in Item 32 of the CMS 1500 claim form (or its electronic equivalent)
This may lead one to believe that sending the correctly completed claim form to the usual MAC is sufficient for payment
POS & SITE OF SERVICE (SOS)
Transmittal 2561 further addressed SOS and the carrier jurisdiction issue
In Interpretation Provided Under Arrangement – To A Hospital (Section C) an example shows that:
The place of service reflects the patient’s hospital status (POS 21, 22 or 23), and
The physical location of the radiologist interpreting the study (entered in Block 32 of the CMS-1500 form)
POS, SOS & JURISDICTION
Transmittal 2561 added Determination of Payment Locality (Section E), which states:
The payment locality is determined based on the location where a specific service code was furnished
Subsection E Global Service Code states:
To bill for a global diagnostic service the same physician or supplier entity must furnish both the TC and the PC and must furnish them within the same MPFS payment locality
Subsection E Separate Billing of Professional Component goes on to say:
If the same physician or entity does not furnish both the TC and PC, or if the professional interpretation was furnished in a different payment locality, the professional interpretation must be separately billed with modifier -26 and the address and ZIP code of the interpreting physician’s location must be reported on the claim form
CMS INSTRUCTIONS TO MAC FOR RECEIPT OF SERVICES IN ANOTHER MAC AREA
“When you receive a request for Medicare payment for services furnished outside of your payment jurisdiction, return assigned services as unprocessable, and deny unassigned services. Pay services correctly submitted to you.
Use the following messages:
Remittance Advice (RA) - Claim adjustment reason code 109 – Claim not covered by this payer/contractor. You must send the claim to the correct payer/contractor.
Remark code N104 - This claim/service is not payable under our claims jurisdiction area. You can identify the correct Medicare contractor to process this claim/service through the CMS Web site at www.cms.hhs.gov.”
POS CODING INSTRUCTIONS ACR-RMBA GUIDANCE Q&A
Q: If a practice has office locations in two payment localities in which the doctors practice regularly, and if the PC and TC were performed separately (although by the same practice group) in those two different payment localities, would the PC be billed separately (-26 modifier) from the TC and would the payment amount follow the payment amount in effect for each respective locality?
A: Yes, if the PC and TC were performed separately in two different payment localities, the PC and TC would be billed separately.
Since the PC and TC are in separate payment localities, global billing is prohibited by transmittal 2563 and the components would have to be reported separately.
Additionally, if the PC and TC were performed in separate MAC jurisdictions (e.g., across state lines), then the practice would have to be enrolled in each MAC jurisdiction where the services were performed and payment would be based on each MAC’s payment schedule.
Q: If a radiologist reads a study performed at a hospital at one of the practice’s imaging centers or offices, what POS code should I use?
A: The POS code is determined by where the patient had the study (TC).
In this instance, even though the study was read at the radiologist’s office, if the patient was an outpatient, POS code 22 (outpatient hospital) would be reported in Box 24B; if the patient was an inpatient, POS code 21 (inpatient hospital) would be reported in Box 24B; and, if the patient were an ER patient, POS code 23 (emergency room hospital) would be reported in Box 24B.
However, in all instances, the radiologist’s office ZIP code and address would go into Box 32 because that is where the interpretation was performed.
Q: What if a radiologist reads studies from their home?
A: CMS requires physicians to submit the address where the physician was when they performed the interpretation.
The only exception to this is when the interpretation was performed in an “unusual and infrequent” location, such as a hotel.
Therefore, if the radiologist frequently interprets studies from home, their home address and ZIP code would go in Box 32.
However, based on CMS’ transmittal language, if the radiologist interprets from home only infrequently, then the “Medicare enrolled location where the interpreting physician most commonly practices” can be listed.
QUESTIONS?
Claudia A. Murray, RCC
CMC Consulting, LLC
P.O. Box 653
Fallston, Maryland 21047
410-538-5891
Thanks!