De-mystifying HIPAA Requirements on Backing-Up your Information…

By William Palisano, Owner of Lincoln Archives, (Bill@lincolnarchives.com, 716-871-7040, ext 105)

Among other requirements, per “45 CFR 164.308 – Administrative Safeguards”, covered entities MUST perform:

(1) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

(2) Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

(3) Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

(4) Establish (and implement as needed) procedures to restore any loss of data.

(5) Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

(6) Implement procedures for periodic testing and revision of contingency plans.

(7) Perform a periodic technical and nontechnical evaluation.

So, for basic compliance under HIPAA, you have to have a backup & recovery plan, and you must test it, document it, and revise it periodically. Aside from the law, it’s just good business practice, because as you know ‘stuff happens’. I’ve worked with medical practices for 21 years and have seen a lot of different ways it’s been done. Some I do NOT recommend:

(1) Assuming RAID technology is the same as backing up your information. RAID is a system of storing the same data in different places on multiple hard drives within a server or disk storage array. If a hard drive goes down, the system can re-build it exactly, so that drive’s data is not lost (although re-building a drive can be extremely time consuming). This is a very good technology for hardware failure, but it is NOT the same as backup.

(2) Someone (or software, automatically) copying files to an external hard drive that stays right next to the server or primary storage device. The copy needs to be in a different location.

(3) The same scenario, except that someone takes the drive home, to a safe deposit box, etc., but the data WAS NOT ENCRYPTED before being written to the drive and leaving the office: A BIG No-No. Any time data leaves the primary server or storage repository and leaves the protection of the facility, its security, its firewalls, etc., it must be encrypted. Period.

Other scenarios work, are fairly inexpensive and simple, and are low touch.

(1) You can buy an external tape drive, automatic backup software, and tapes for a few hundred dollars. (Tapes cost less than external hard drives, so multiple generations of backups will cost less than buying multiple external hard drives.) If you go this route: MAKE SURE YOUR SOFTWARE ENCRYPTS YOUR DATA before it is written. Also, keep a minimum of five (5) full backups (four of them off-site, one in the tape drive, and ROTATE).

(2) A better strategy includes adding weekly, monthly and annual backups. Repeat: encrypt, then get the backups off-site. Bank vaults/safe deposit boxes are “OK”, but try to get tapes out after hours: not likely. There are companies that are very good at providing backup tape rotation and storage services, and some scenarios can be very cost effective (Google: “backup tape vaulting Buffalo”).

And then, there’s ‘the cloud’. There are plenty of local providers (Google: “cloud backup buffalo, ny”). These scenarios can be fully automatic, low touch, highly secure and cost effective. Some require only installed software (no hardware necessary), which encrypts the data and then streams it off-site to the provider’s secured vault for true Disaster Recovery protection. Some use a backup appliance attached to your network (pre-configured, and it does all the work). These systems can be quickly deployed, installed, configured, and up and running. If the provider is good, he/she will assist in creating a backup and recovery strategy (selecting critical data to protect, how many generations of each file, scheduling the backups, creating a retention program), and he/she will test the backups (and, more importantly, test the restores). He/she can also document the tests, which meets the HIPAA requirement. Another benefit is that these solutions are typically scalable (as your data needs grow, the solution accommodates it; primarily non-appliance solutions). Many charge only based on the amount of data protected or stored. Hence, there is no up-front cost (Cap-Ex), but rather a pay-as-you-go model (Op-Ex). You can change your strategy on the fly and increase or decrease your protection (and costs). Very flexible.

Btw: if your data is hosted somewhere else, it doesn’t mean it’s backed up to another off-site location. It’s just not at YOUR site and is still subject to risk. You need to ask your provider that question – it is critical (even Amazon, Google, Yahoo go down, lose data and have to restore from backups). A good cloud backup provider can actually back up your data from your hosted site (and restore to an alternative site), just in case… So, regardless of which way you protect your data, just make sure you do. Test it, and document it. An ounce of prevention…
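The three habits the article insists on (encrypt before the copy leaves the office, test the restore, document the test) fit in one short script. This is an added example, not code from the article or from any backup product; it assumes OpenSSL 1.1.1 or later, tar and sha256sum, uses `openssl enc` as a stand-in for your backup software's encryption, and all function names, paths and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; not from the original article or any backup product.
# Assumes OpenSSL 1.1.1+ (-pbkdf2), tar with gzip support, and sha256sum.
# "openssl enc" stands in for the encryption step of your backup software.

# backup_encrypt SRC_DIR OUT_FILE KEY_FILE MANIFEST
# Records a SHA-256 manifest of SRC_DIR, then writes OUT_FILE as an
# AES-256 encrypted tar.gz. Only OUT_FILE is meant to leave the building;
# the manifest and key file stay behind (the key also needs its own
# protected copy, or the backup can never be restored).
backup_encrypt() (
    src=$1; out=$2; key=$3; manifest=$4
    ( cd "$src" && find . -type f -exec sha256sum {} + ) > "$manifest" || exit 1
    tmp=$(mktemp) || exit 1
    if tar -czf "$tmp" -C "$src" . &&
       openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$key" \
           -in "$tmp" -out "$out"
    then rc=0; else rc=1; fi
    rm -f "$tmp"    # the plaintext archive never leaves the server
    exit "$rc"
)

# restore_test ARCHIVE KEY_FILE MANIFEST LOG_FILE
# Decrypts ARCHIVE into a scratch directory, checks every restored file
# against the manifest, appends a dated PASS/FAIL line to LOG_FILE (the
# documented evidence of the test), and returns 0 only on PASS.
restore_test() (
    archive=$1; key=$2; manifest=$3; log=$4
    scratch=$(mktemp -d) || exit 1
    result=FAIL
    if openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$key" \
           -in "$archive" -out "$scratch/restore.tgz" 2>/dev/null &&
       mkdir "$scratch/data" &&
       tar -xzf "$scratch/restore.tgz" -C "$scratch/data" 2>/dev/null &&
       ( cd "$scratch/data" && sha256sum -c >/dev/null 2>&1 ) < "$manifest"
    then
        result=PASS
    fi
    printf '%s restore-test archive=%s files=%s result=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$archive" \
        "$(grep -c '' "$manifest")" "$result" >> "$log"
    rm -rf "$scratch"
    [ "$result" = PASS ]
)

# Demonstration on constructed sample data (not real patient records).
demo() (
    work=$(mktemp -d) || exit 1
    mkdir "$work/ephi"
    printf 'constructed chart 0001\n' > "$work/ephi/chart-0001.txt"
    printf 'constructed chart 0002\n' > "$work/ephi/chart-0002.txt"
    printf 'constructed-passphrase-for-demo-only\n' > "$work/key"
    backup_encrypt "$work/ephi" "$work/offsite.enc" "$work/key" \
        "$work/manifest" &&
        restore_test "$work/offsite.enc" "$work/key" "$work/manifest" \
            "$work/restore-tests.log"
    rc=$?
    cat "$work/restore-tests.log"
    rm -rf "$work"
    exit "$rc"
)

demo
```

A restore attempted with the wrong key, or from a damaged archive, is logged as FAIL, which is exactly the condition a periodic test is meant to surface before a real emergency.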

Posted in Newsletters and Blogs | Leave a comment

The Federal Government Reports Health Care Fraud Recoveries

By Liz Wilson, RHIT, CCS, CPC, CEMC, CPMA, CPCO
Director of Coding and Auditing
Compliance Officer

Despite the soaring costs of healthcare reform, the federal government has been very successful in recouping funds that would have otherwise been counted as a loss to healthcare fraud. Although the investment to maintain agencies that combat fraud, abuse, and waste has proven to be costly—the payoff has been alarmingly profitable. The Department of Justice (DOJ) and the Department of Health and Human Services (HHS) have reported that the figures prove that the feds have recovered $8.10 for every $1.00 spent on this crusade.

Attorney General Eric Holder disclosed (in his February 2014 report) that the previous five years in health care fraud prevention and enforcement have recouped $19.2 billion dollars—twice as much as the previous five-year period where only $9.4 billion were recovered. The Health Care Fraud and Abuse Control Program (HCFAC) began in 1997 and has since recovered $26 billion dollars from healthcare providers and organizations that were forced to pay penalties and to refund payments for which they were not entitled.


Provider Enrollment: What to Expect and How to Help When Adding a New Provider to your Practice

By Teresa Kroll, MS, Healthcare Solutions WNY, LLC

As practice administrators you have all asked the question – We have a new provider joining our group – how long will it take to enroll him or her with the insurance plans so we can bill for services? As a credentialing professional, it is never an easy answer, and inevitably there is frustration on both parts of how long the process takes.

It is often a logistical nightmare when adding a new provider to your group. If he/she is not participating with insurance plans, scheduling is difficult because staff can’t consider all patients for the new provider’s schedule, not to mention lost revenue if you cannot bill for services.

When a practice is adding a new provider, you need to start the credentialing process far in advance — sometimes six to nine months before the provider plans to see patients. The amount of time is slightly less for the provider who has practiced locally before joining your group. It is never safe to assume that the provider has participated with the same plans your group does. Even if he/she has, new contracts are often needed with the new tax identification information. You need to plan ahead for providers who have practiced locally as well.

Consummating health plan contracts can take time. Billing for your non-credentialed physician will result in denied claims to government health programs and either denials or out of network claims payment by commercial plans resulting in an out of pocket expense by the patient.


Ordering/Referring Enrollment and Claims Editing Implementation for Fee-For-Service Medicaid

By Teresa Kroll, Healthcare Solutions WNY, LLC

There is a new Federal law effective January 1, 2014 that is a bit confusing and affects Medicaid Fee-for-Service (FFS) patients. The credentialing staff at Healthcare Solutions WNY dealt with this issue this past week and gained a better understanding of what is required of the physician/provider community which we would like to share with our readers.

The law impacts patients enrolled in FFS Medicaid and does not impact patients enrolled in a Managed Care Plan. A physician or other healthcare provider that orders, prescribes, refers or attends to Medicaid FFS patients must be Medicaid-enrolled for Medicaid to reimburse for prescription drugs and the other services that were ordered/referred. If the ordering professional is not enrolled, under federal law Medicaid must deny the claim for the ordered service.

If a provider is currently enrolled in the Medicaid program you do not need to do anything. If you are not enrolled and see a Medicaid FFS patient in the hospital as an inpatient, emergency room, nursing home, etc. and write a prescription, refer the patient for a test or consultation, etc., then a provider must be enrolled in Medicaid as Ordering/Prescribing/Referring/Attending (OPRA) provider in order for the service to be reimbursed. If a provider is not sure whether he/she is enrolled, you can check here: https://www.emedny.org/info/opra.aspx

There are now two applications for enrolling in the Medicaid program –

Option 1 – enroll as an Individual billing Medicaid (also includes if a provider is attached to a group and bills through the group) OR

Option 2 – Order/Prescribe/Refer/Attend ONLY.

In simplistic terms, the easiest way to understand this is if you do not want to participate with the Medicaid program but have instances where you may see a FFS Medicaid patient, for example on service at the hospital, then you need to enroll in Option 2. Typically, physician practices are able to supervise the appointment making process in a private office setting so that they may schedule patients covered by insurance plans he/she participates with. This is often not the case when in a different setting such as hospital, nursing home, or urgent care facilities. Therefore, the opportunity is greater that you may see a Medicaid patient and need to order a service. If a provider enrolls as an OPRA provider only, this does not mean you will need to accept Medicaid patients in your practice/group.

The application can be obtained online at www.emedny.org as well as a Medicaid Update Newsletter explaining the new requirement: https://www.emedny.org/Notice/DEC2013_MEDUPDATE-OPRA.pdf


New Interprofessional Consultation Services for Consulting Providers in 2014

By Liz Wilson, CCS, RHIT, CEMC, CPMA, CPCO
Director of Coding and Auditing
Compliance Officer

The New Year will ring in with new Evaluation and Management codes. Four of these were developed to capture the service between two qualified healthcare providers who are engaged in a consultation between each other: generally, the attending or primary care physician and the specialist whose opinion is being requested by the attending or PCP. Providers have time constraints as it is and any service not requiring face-to-face time is an advantage. Clinicians have been performing consultative services over the internet and phone for years. Only now has the American Medical Association (AMA) recognized a need for a code to capture potential revenue and to identify a service for data collection purposes.

99446 — Interprofessional telephone/Internet assessment and management service provided by a consultative physician including a verbal and written report to the patient’s treating/requesting physician or other qualified health care professional; 5-10 minutes of medical consultative discussion and review

99447 … 11-20 minutes of medical consultative discussion and review

99448 … 21-30 minutes of medical consultative discussion and review

99449 … 31 minutes or more of medical consultative discussion and review

These new codes ranging from CPT 99446 to 99449 are intended for the consulting provider to assign and bill for—not for the attending or PCP.

The rules regarding the definition and requirement of a consultation service have not changed. A request for a consultation must be documented by the consultant in the written report, the service of providing the consultation must be documented in the report, and a copy of the written consultation report must be sent to the requesting provider.

The only additional requirements with these special non face-to-face services are that:

1) the consulting provider will also have to communicate with the requesting provider for a discussion and review, either via telephone or via internet, and;

2) the verbal (telephone/internet) discussion must be documented in minutes. Each of the four codes is defined by a range of time spent in the verbal discussion. A verbal discussion of less than 5 minutes does not meet the code requirements. It is important to note that while the requesting provider (attending, PCP) is not allowed to assign these codes for his/her portion of the consultation discussion, if the consultation discussion exceeded 30 minutes beyond the typical time for an E/M performed on the premises for the patient still present, the attending or PCP may be eligible to assign the appropriate prolonged service code.

It is not yet confirmed whether payors will honor these services. We will eagerly await feedback from Medicare and commercial carriers for more information by the end of 2013.


Employers Beware! The CAARA Bill Intends to Protect Your Whistle-Blower Employees

By Liz Wilson, CCS, RHIT, CEMC, CPMA, CPCO
Director of Coding and Auditing
Compliance Officer
Healthcare Solutions WNY, LLC

On January 21st a bill was sponsored (by Senator Leahy of Vermont) to promote transparency and accountability across many government and private organizations and to further discourage acts of misconduct and fraud. As of November 4, 2013, the U.S. Senate has unanimously passed this bill with an amendment and sent it on to the House of Representatives, where it is currently awaiting a vote.

Senate Bill 42, or S.42, titled the “Criminal Antitrust Anti-Retaliation Act of 2013” (CAARA), may be signed into law as early as 2014. It will serve to protect employees, contractors, subcontractors, and agents of the employer from retaliatory actions. This proposed law would not, however, protect the “whistle-blower” if he/she had initiated the fraudulent act that he/she accuses the employer of, or in the event that this individual obstructs the Department of Justice (DOJ) investigation. Aside from the advantage of protection against employer termination, the “whistle-blower” would also receive reinstatement, back pay with interest and would be compensated for any cost or fees incurred during the 180 day-period starting with the date of the reported violation. A clear definition for identifying all that are protected by this Bill may soon be further revised.

To view the seven page bill as it was originally introduced on January 21, 2013: http://www.gpo.gov/fdsys/pkg/BILLS-113s42is/pdf/BILLS-113s42is.pdf

The following is a summary of the Criminal Antitrust Anti-Retaliation Act of 2013 (S.42):

I. Prohibits discharging or in any other manner discriminating against a whistleblower in terms and conditions of employment because:

A. the whistleblower provided information to the employer or the federal government concerning a violation of antitrust law or another criminal law committed in conjunction with a potential violation of antitrust law; or

B. the whistleblower participated in, or otherwise assisted, an investigation relating to such a violation.

II. The CAAR Act would allow a whistleblower who alleges discharge or other discrimination to seek relief:

A. by filing a complaint with the Secretary of Labor; or

B. if the Secretary has not issued a final decision within 180 days of filing such complaint, to bring an action at law or equity, and;

C. entitles a whistleblower who prevails in any such action to all relief necessary to make such whistleblower whole.

Disgruntled workers may initiate alleged reports of misconduct or fraud, but any ensuing investigation would stand little chance if your business practices mirror your organization’s Standard Operating Procedure manual, Human Resource Employee Policies/handbook, and Compliance Plan. Prevention is the best defense. Proper and accurate documentation of your periodic compliance duties, their outcomes, including adverse events and corrective action taken is what is recommended. Furthermore, when an employee violates any company rules, administration should complete and file documentation of such events. A well-documented paper trail of verbal and written counseling for any employee misconduct will also assist in defending your company against the accusation of unjust, whistle-blower retaliation.


FAQ: How Obamacare Affects Employers And How They’re Responding

Reprinted from NPR website

This is one of several explainers to help consumers navigate their health insurance choices under the Affordable Care Act, or as some call it, Obamacare.

Do employers have to do anything different under the Affordable Care Act?
Not right away. The only thing required of employers at the start is that they notify workers that the new health insurance exchanges have opened. You may have received a letter from your employer to this effect — you probably don’t need to do anything.

Starting in 2015, large employers with 50 or more workers have a responsibility — but no mandate — to offer employees health coverage. If they don’t, they may face fines, but only if their workers go to health insurance exchanges and have earnings low enough to qualify for federal subsidies. Stores and restaurants — less likely to offer health insurance in the past — may be most affected. The coverage rule doesn’t affect workers who put in less than 30 hours a week.

There are no responsibilities for small employers with fewer than 50 workers. If they want to buy coverage for their employees, the insurance exchanges represent a new option for them in terms of where to shop. Certain employers with fewer than 25 workers are eligible for federal tax credits. To qualify, the company has to cover at least half of the premium for all of its employees, and also have average wages of less than $50,000. For details on these tax credits, see this answer sheet from the IRS.

Will my employer cut back on my insurance coverage?
A number of employers have been overhauling the health benefits they offer employees, citing rising costs.

There are two themes to what they are doing. In trying to control their own spending, employers often are shifting health costs to employees. So the average annual deductible for an individual — what consumers pay before insurance kicks in — nearly doubled in the past seven years, from $584 in 2006 to $1,135 this year, according to the Kaiser Family Foundation.

But employers aren’t just making workers pay more. They’re trying to make them think more about health-related expenses and behavior.

Companies such as grocer Kroger Co. pay only a fixed amount for particular drugs or procedures, giving patients incentive to shop around for the best price. IBM started giving rebates to workers who adopt healthy lifestyles. Penalizing smokers with surcharges is one of the few discriminatory measures the health act allows.

What about part-time workers?
Nothing in the Affordable Care Act says that employers have to cover part-time workers. The law defines part time as someone who works less than 30 hours a week.

Some employers that have offered part-time workers minimal coverage, such as Trader Joe’s and Home Depot, have dropped it on the grounds that those workers can now find coverage through the insurance exchanges. Most workers in this situation will be pleased with the outcome. They’ll likely find better coverage than what they had for less money. Although depending on the situation, some people may see their premiums go up.

Are employers reducing their workforce as a result of the Affordable Care Act?
There have been reports of employers holding back on hiring in order to stay under the 50-employee threshold that triggers health insurance responsibilities. There also have been reports of employers cutting workers’ hours to below 30 per week so that they don’t count as full-time. While there is anecdotal evidence of both things happening, there’s no evidence that those cases have added up to a broader drag on the economy as a whole.

Will my company stop offering coverage to my spouse and dependents?
Some companies, including UPS, have decided to stop covering working spouses if they have access to coverage at their own jobs. The health law does not require employers to cover spouses, but surveys show that only a minority of companies have implemented a “spousal exclusion.”

However, employers increasingly offer incentives to get spouses off their plans. They may charge workers extra if a covered spouse has access to other insurance, or they may pay bonuses when spouses are not on the company policy.

The health law requires employers who offer coverage to employees to also offer coverage to dependent children, or pay a penalty.


The Impact on Hospitals and Patients of the “Two Midnight Rule”.

Earlier this year, the Centers for Medicare and Medicaid Services (CMS) announced a new standard for determining whether a patient is admitted to a hospital or there for observation: the two midnight rule. Medicare patients must spend at least two continuous midnights in a hospital to be classified as inpatient, a status which comes with the highest reimbursement rates. Patients that spend less than two midnights will be automatically considered outpatients or under observation status.

Patients, however, may not know whether their status is inpatient or observation, because they receive the same services in the same hospital beds. However, the cost to the patient is widely different, with Medicare picking up almost all the cost of a hospital inpatient stay, but only picking up parts of the cost of an observation stay, requiring the patient to pay co-pays for tests and pharmaceuticals.

Local hospitals will surely feel the impact as well. Joseph Koessler, CFO at Kaleida Health was recently quoted in Business First stating “once you admit a patient, they consume the same resources as an inpatient would, so all they’re doing is cutting reimbursements. We probably have 1,000-1,300 cases that would fall into this category”.

Federal officials have indicated that hospitals will not face government audits for at least 90 days on the new rule (October 1 – December 31, 2013), but that does not delay its implementation.

Dr. Michael Edbauer, Catholic Health’s vice president of medical affairs was also quoted in Business First indicating “the rule change will mean an even greater level of detail in documentation by the physicians and other members of the healthcare team to describe and prove the level of complexity of each patients’ medical condition. Sometimes there is a gap between what is needed for the patient and the documentation describing that, and that’s been a challenge for us across the health-care system”.

Even though the rule went into effect as planned, hospitals will be spending the next 90 days addressing their processes and documentation before they are subject to reduction in reimbursement.


Update on CMS Newly Published Proposed Rules

By Liz Wilson, CCS, RHIT, CEMC, CPMA, CPCO
Director of Coding and Auditing
Compliance Officer
Healthcare Solutions WNY, LLC

The medical community had been concerned upon hearing rumors that non-facility physician fees would be slashed by nearly 25% in 2014. This 24.4% reduction estimate was made by Medicare back in March 2013.

Medicare has recently published an overview fact sheet on the Proposed Rule CMS-1600-P that is found in the DHHS Federal Register (published July 19, 2013), 42 CFR Parts 405, 410, 411, 414, 423, and 425, titled “Revisions to Payment Policies Under the Physician Fee Schedule and Other Revisions to Medicare Part B for CY 2014”. The Centers for Medicare and Medicaid Services (CMS) recognized a flaw in calculating fees with a Sustainable Growth Rate (SGR) factor, and has decided not to address this in the new proposal.

Furthermore, CMS has not included provisions on the Physician Fee Schedule update in this proposed rule because the fee schedule and SGR are determined under a prescriptive statutory formula that cannot be changed by CMS. The percent change to the physician fee schedule conversion factor may end up being very different than the March 2013 update because of various required budget neutrality adjustments described in this newly proposed rule.


Effective Compliance Plans

By Liz Wilson, CCS, RHIT, CEMC, CPMA, CPCO
Director of Coding and Auditing
Compliance Officer
Healthcare Solutions WNY, LLC

The regulators have long supported that physicians develop and implement a written and active plan that would serve as the organization’s guidance with regards to policies, communication, coding and billing, internal auditing and self-disclosures. The Office of the Inspector General (OIG) has developed several official guidelines since 1998, two of which are most relevant to private medicine:

1) Compliance Program Guidance for Individual and Small Group Physician Practices (65 Fed. Reg. 59434; October 5, 2000), and;

2) Compliance Program Guidance for Third-Party Medical Billing Companies (63 Fed. Reg. 70138; December 18, 1998)

The OIG has recognized the financial hardship that would be imposed on small physician groups in launching a full scale program and states that the compliance plan should be developed “step-by-step”. The OIG has also stated that this guidance is neither mandatory, nor all-inclusive, but rather is intended to serve as a starting point in creating a customized voluntary plan that is appropriate–given the physician office or group operations.

What was once presented as voluntary guidance is currently being forged into a mandatory practice. The increased funding spent last year to hire more government auditors, investigators, law enforcement and specialized legal counselors was only outnumbered by the funds recovered in 2012 by the Department of Justice—a staggering $4 billion. In the current environment of an astronomical federal deficit, any means of reducing cost and recuperating funds is critical to maintaining federal and state operations.

The business of reporting, investigating, and prosecuting physicians has become a lucrative industry for government agencies and public citizens, practically overnight. In April 2013, the Department of Health and Human Services released their proposed rule which would increase the reward to “whistle-blowers”. Their effort to increase public awareness of the potential rewards (ranging from $1,000 and limited to $10 million) created an instant frenzy where physicians became a public target.

In addition, the Patient Protection and Affordable Care Act now includes provisions that will predictably turn this optional participation into a mandate by the end of 2014. If your practice has any intention to develop a Compliance Plan before it becomes a requirement—now is the time.

The OIG Work Plan outlines seven general guidelines for compliance plan development and implementation:

1. Conduct internal monitoring and auditing through the performance of periodic audits. This can be overseen by a designated member of your staff; however, all official coding and billing audits should be performed by certified and experienced medical auditors in the best interest of the organization.

2. Implementing compliance and practice standards. This includes establishing policies and procedures that include an examination of risk areas specific to your practice, such as those relating to coding and billing; reasonable and necessary services; documentation; and improper inducements, kickbacks, and self-referrals.

3. Designating a compliance officer or contact. As a key part of operations, the organization must designate a compliance officer or contact to monitor compliance efforts and enforce practice standards. This individual or group of individuals will orchestrate initiatives and manage the plan actively.

4. Conducting appropriate training and education on practice standards and procedures. Training is the most important portion on a company-wide scale. Education, particularly in regard to coding and billing, is vital in preventing incidents of misconduct and abuse that will lead to costly repayments at best.

5. Responding appropriately to detected offenses and developing corrective action. The appropriate response to any investigated and detected violations is a must, and includes disclosing any such incidents to the appropriate government agencies and in developing the corrective action initiatives.

6. Developing open lines of communication. This will ensure that issues do not arise from a lack of knowledge or guidance. This can be easily and effectively met as a result of having discussions at staff meetings or conspicuously posting information on community bulletin boards on the premises. Having a method in which staff report incidents without retaliation is strongly recommended.

7. Enforcing disciplinary standards through well-publicized guidelines. These operating standards and procedures will help reduce the prospect of erroneous claims and fraudulent activity by identifying risk areas for the practice and establishing tighter internal controls to counter those risks, while also helping to identify any aberrant coding and billing practices.

But what should a physician practice do in the event that regulators have begun an investigation before a plan is developed and rolled out?

The compliance community advises physicians to have legal counsel available before any other individual is contacted. All communications related to the investigation must be maintained as highly confidential and under the “attorney-client” privilege. Once an attorney is retained or already employed, the attention should be turned to selecting key members of the organization who must be trained to respond appropriately to protect the interest of the organization. While it is necessary to cooperate with government agents and enforcers, it is prudent that any employee not designated a key member with responsibilities, duties, or official position related to any aspect of operations being investigated, not be present in the building or on the premises throughout the search or formal interviewing process. All employees must be strongly advised to not text or email any messages that if intercepted could be misconstrued and later presented as damaging information.

In the wake of such a situation, there is little time to prepare and control the situation. The best advice I can offer is to advise a practice to develop a plan now and to invest the time needed to properly implement the plan and to educate your employees. Healthcare Solutions WNY is available to assist in making this transition effortlessly and affordably. Contact us for more information on how we can develop your customized and effective compliance plan.
