De-mystifying HIPAA Requirements on Backing-Up your Information…

By William Palisano, Owner of Lincoln Archives (716-871-7040, ext 105)

Among other requirements, per “45CFR 164.308 – Administrative Safeguards” covered entities MUST perform:

(1) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

(2) Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

(3) Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

(4) Establish (and implement as needed) procedures to restore any loss of data.

(5) Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

(6) Implement procedures for periodic testing and revision of contingency plans.

(7) Perform a periodic technical and nontechnical evaluation.

So, for basic compliance under HIPAA, you have to have a backup & recovery plan, and you must test it, document it, and revise it periodically. Aside from the law, it’s just good business practice, because as you know ‘stuff happens’. I’ve worked with medical practices for 21 years and have seen a lot of different ways it’s been done. Some I do NOT recommend:

(1) Assuming RAID technology is the same as backing up your information. RAID is a system of storing the same data in different places on multiple hard drives within a server or disk storage array. If a hard drive goes down, the system can rebuild it exactly, so that drive’s data is not lost (although rebuilding a drive can be extremely time consuming). This is a very good technology for hardware failure, but it is NOT the same as backup. (2) Someone (or software, automatically) copying files to an external hard drive that stays right next to the server or primary storage device (it needs to be in a different location). (3) The same scenario, but someone takes the drive home, to a safe deposit box, etc., and the data WAS NOT ENCRYPTED before being written to the drive and leaving the office: a BIG no-no. Any time data leaves the primary server or storage repository and leaves the protection of the facility, its security, its firewalls, etc., it must be encrypted. Period.

Other scenarios work, are fairly inexpensive and simple, and are low touch. (1) You can buy an external tape drive, automatic backup software, and tapes for a few hundred dollars (tapes cost less than external hard drives, so multiple generations of backups will cost less than buying multiple external hard drives). If you go this route: MAKE SURE YOUR SOFTWARE ENCRYPTS YOUR DATA before it is written. Also, keep a minimum of five (5) full backups (four of them off-site; 1 in the tape drive, and ROTATE). (2) A better strategy includes adding weekly, monthly and annual backups. Repeat: encrypt, then get backups off-site. Bank vaults/safe deposit boxes are “OK”, but try to get tapes out after hours: not likely. There are companies that are very good at providing backup tape rotation and storage services, and some scenarios can be very cost effective (Google: “backup tape vaulting Buffalo”).

And then, there’s ‘the cloud’. There are plenty of local providers (Google: “cloud backup buffalo, ny”). These scenarios can be fully automatic, low touch, highly secure and cost effective. Some require only installed software (no hardware necessary), which encrypts the data and then streams it off-site to the provider’s secured vault for true Disaster Recovery protection. Some use a backup appliance (pre-configured to do all the work) attached to your network. These systems can be quickly deployed, installed, configured, and up and running. If the provider is good, he/she will assist in creating a backup and recovery strategy (selecting critical data to protect, how many generations of each file, scheduling the backups, creating a retention program), and he/she will test the backups (and, more importantly, test the restores). He/she can also document the tests (which meets the HIPAA requirement). Another benefit is that these solutions are typically scalable (as your data needs grow, the solution accommodates it; primarily non-appliance solutions). Many charge only based on the amount of data protected or stored. Hence, there is no up-front cost (Cap-Ex), rather, a pay-as-you-go model (Op-Ex). You can change your strategy on the fly; increase or decrease your protection (and costs). Very flexible.

Btw: if your data is hosted somewhere else, it doesn’t mean it’s backed up to another off-site location. It’s just not at YOUR site and is still subject to risk. You need to ask your provider that question – it is critical (even Amazon, Google, Yahoo go down, lose data and have to restore from backups). A good cloud backup provider can actually back up your data from your hosted site (and restore to an alternative site, just in case…). So, regardless of which way you protect your data, just make sure you do. Test it, and document it. An ounce of prevention…
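As an added illustration of the three habits stressed above (encrypt before the backup leaves the building, test the restore, document the test), here is a short shell sketch. It is example code, not from the author or any backup product. It assumes a Unix-like system with tar, openssl (1.1.1 or later) and sha256sum, and the function names, paths and passphrase file are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: tar, openssl >= 1.1.1 and sha256sum are installed;
# all paths and the passphrase file are placeholders chosen for illustration.

# backup_encrypt SRC_DIR OUT_FILE PASSFILE
# Archives SRC_DIR and encrypts it in one pipeline, so no plaintext
# copy of the archive is ever written to the external drive or tape.
backup_encrypt() {
    src=$1; out=$2; passfile=$3
    tar -C "$src" -cf - . |
        openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$passfile" -out "$out"
}

# manifest DIR
# Prints a sorted list of SHA-256 hashes and relative paths for every file in DIR.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort )
}

# restore_test ENC_FILE PASSFILE SRC_DIR LOGFILE
# Decrypts the backup into a scratch directory, compares every file hash
# with the live data, and appends a dated PASS/FAIL line to LOGFILE so the
# test is documented. Returns 0 only on PASS.
restore_test() {
    enc=$1; passfile=$2; src=$3; log=$4
    scratch=$(mktemp -d) || return 2
    result=FAIL
    if openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$passfile" -in "$enc" 2>/dev/null |
           tar -C "$scratch" -xf - 2>/dev/null; then
        want=$(manifest "$src")
        got=$(manifest "$scratch")
        # An empty manifest means nothing was restored: treat that as a failure.
        if [ -n "$want" ] && [ "$want" = "$got" ]; then
            result=PASS
        fi
    fi
    rm -rf "$scratch"
    printf '%s restore-test %s %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$enc" "$result" >> "$log"
    [ "$result" = PASS ]
}

# Typical use (placeholder paths):
#   backup_encrypt /srv/practice-data /mnt/external/backup.enc /root/backup.pass
#   restore_test /mnt/external/backup.enc /root/backup.pass /srv/practice-data /var/log/restore-tests.log
```

Run the restore test right after the backup is written, before the live data changes, and keep the passphrase file somewhere other than the drive that leaves the office; the log file is the dated record of each test.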


The Federal Government Reports Health Care Fraud Recoveries

Director of Coding and Auditing
Compliance Officer

Despite the soaring costs of healthcare reform, the federal government has been very successful in recovering funds that would have otherwise been counted as a loss to healthcare fraud. Although the investment to maintain agencies that combat fraud, abuse, and waste has proven to be costly, the payoff has been alarmingly profitable. The Department of Justice (DOJ) and the Department of Health and Human Services (HHS) have reported that the figures prove that the feds have recovered $8.10 for every $1.00 spent on this crusade.

Attorney General Eric Holder disclosed (in his February 2014 report) that the previous five years in health care fraud prevention and enforcement have recouped $19.2 billion dollars—twice as much as the previous five year period where only $9.4 billion were recovered. The Health Care Fraud and Abuse Control Program (HCFAC) began in 1997 and has since recovered $26 billion dollars from healthcare providers and organizations that were forced to pay penalties and to refund payments for which they were not entitled.


Provider Enrollment: What to Expect and How to Help When Adding a New Provider to your Practice

By Teresa Kroll, MS, Healthcare Solutions WNY, LLC

As practice administrators you have all asked the question – We have a new provider joining our group – how long will it take to enroll him or her with the insurance plans so we can bill for services? As a credentialing professional, it is never an easy answer, and inevitably there is frustration on both sides over how long the process takes.

It is often a logistical nightmare when adding a new provider to your group. If he/she is not participating with insurance plans, scheduling is difficult because staff can’t consider all patients for the new provider’s schedule, not to mention lost revenue if you cannot bill for services.

When a practice is adding a new provider, you need to start the credentialing process far in advance — sometimes six to nine months before the provider plans to see patients. The amount of time is slightly less for the provider who has practiced locally before joining your group. It is never safe to assume that the provider has participated with the same plans your group does. Even if he/she has, new contracts are often needed with the new tax identification information. You need to plan ahead for providers who have practiced locally as well.

Consummating health plan contracts can take time. Billing for your non-credentialed physician will result in denied claims to government health programs and either denials or out of network claims payment by commercial plans resulting in an out of pocket expense by the patient.


Ordering/Referring Enrollment and Claims Editing Implementation for Fee-For-Service Medicaid

By Teresa Kroll, Healthcare Solutions WNY, LLC

There is a new Federal law effective January 1, 2014 that is a bit confusing and affects Medicaid Fee-for-Service (FFS) patients. The credentialing staff at Healthcare Solutions WNY dealt with this issue this past week and gained a better understanding of what is required of the physician/provider community which we would like to share with our readers.

The law impacts patients enrolled in FFS Medicaid and does not impact patients enrolled in a Managed Care Plan. A physician or other healthcare provider that orders, prescribes, refers or attends to Medicaid FFS patients must be Medicaid-enrolled for Medicaid to reimburse for prescription drugs and the other services that were ordered/referred. If the ordering professional is not enrolled, under federal law Medicaid must deny the claim for the ordered service.

If a provider is currently enrolled in the Medicaid program you do not need to do anything. If you are not enrolled and see a Medicaid FFS patient in the hospital as an inpatient, emergency room, nursing home, etc. and write a prescription, refer the patient for a test or consultation, etc., then a provider must be enrolled in Medicaid as Ordering/Prescribing/Referring/Attending (OPRA) provider in order for the service to be reimbursed. If a provider is not sure if he/she is enrolled you can check here

There are now two applications for enrolling in the Medicaid program –

Option 1 – enroll as an Individual billing Medicaid (also includes if a provider is attached to a group and bills through the group) OR

Option 2 – Order/Prescribe/Refer/Attend ONLY.

In simplistic terms, the easiest way to understand this is if you do not want to participate with the Medicaid program but have instances where you may see a FFS Medicaid patient, for example on service at the hospital, then you need to enroll in Option 2. Typically, physician practices are able to supervise the appointment making process in a private office setting so that they may schedule patients covered by insurance plans he/she participates with. This is often not the case when in a different setting such as hospital, nursing home, or urgent care facilities. Therefore, the opportunity is greater that you may see a Medicaid patient and need to order a service. If a provider enrolls as an OPRA provider only, this does not mean you will need to accept Medicaid patients in your practice/group.

The application can be obtained online at as well as a Medicaid Update Newsletter explaining the new requirement:


New Interprofessional Consultation Services for Consulting Providers in 2014

Director of Coding and Auditing
Compliance Officer

The New Year will ring in with new Evaluation and Management codes. Four of these were developed to capture the service between two qualified healthcare providers who are engaged in a consultation between each other: generally, the attending or primary care physician and the specialist whose opinion is being requested by the attending or PCP. Providers have time constraints as it is and any service not requiring face-to-face time is an advantage. Clinicians have been performing consultative services over the internet and phone for years. Only now has the American Medical Association (AMA) recognized a need for a code to capture potential revenue and to identify a service for data collection purposes.

99446 — Interprofessional telephone/Internet assessment and management service provided by a consultative physician including a verbal and written report to the patient’s treating/requesting physician or other qualified health care professional; 5-10 minutes of medical consultative discussion and review

99447 … 11-20 minutes of medical consultative discussion and review

99448 … 21-30 minutes of medical consultative discussion and review

99449 … 31 minutes or more of medical consultative discussion and review

These new codes ranging from CPT 99446 to 99449 are intended for the consulting provider to assign and bill for—not for the attending or PCP.

The rules regarding the definition and requirement of a consultation service have not changed. A request for a consultation must be documented by the consultant in the written report, the service of providing the consultation must be documented in the report, and a copy of the written consultation report must be sent to the requesting provider.

The only additional requirements with these special non face-to-face services are that:

1) the consulting provider will also have to communicate with the requesting provider for a discussion and review, either via telephone or via internet, and;

2) the verbal (telephone/internet) discussion must be documented in minutes. Each of the four codes is defined by a range of time spent in the verbal discussion. A verbal discussion of less than 5 minutes does not meet the code requirements. It is important to note that while the requesting provider (attending, PCP) is not allowed to assign these codes for his/her portion of the consultation discussion, if the consultation discussion exceeded 30 minutes beyond the typical time for an E/M performed on the premises for the patient still present, the attending or PCP may be eligible to assign the appropriate prolonged service code.

It is not yet confirmed whether payors will honor these services. We will eagerly await feedback from Medicare and commercial carriers for more information by the end of 2013.


Employers Beware! The CAARA Bill Intends to Protect Your Whistle-Blower Employees

Director of Coding and Auditing
Compliance Officer
Healthcare Solutions WNY, LLC

On January 21st a bill was sponsored (by Senator Leahy of Vermont) to promote transparency and accountability across many government and private organizations and to further discourage acts of misconduct and fraud. As of November 4, 2013, the U.S. Senate has unanimously passed this bill with an amendment onto the House of Representatives where it is currently awaiting their vote.

Senate Bill 42, or S.42, titled the “Criminal Antitrust Anti-Retaliation Act of 2013” (CAARA), may be signed into law as early as 2014. It will serve to protect employees, contractors, subcontractors, and agents of the employer from retaliatory actions. This proposed law would not, however, protect the “whistle-blower” if he/she had initiated the fraudulent act that he/she accuses the employer of, or in the event that this individual obstructs the Department of Justice (DOJ) investigation. Aside from the advantage of protection against employer termination, the “whistle-blower” would also receive reinstatement, back pay with interest and would be compensated for any cost or fees incurred during the 180 day-period starting with the date of the reported violation. A clear definition for identifying all that are protected by this Bill may soon be further revised.

To view the seven page bill as it was originally introduced on January 21, 2013:

The following is a summary of the Criminal Antitrust Anti-Retaliation Act of 2013 (S.42):

I. Prohibits discharging or in any other manner discriminating against a whistleblower in terms and conditions of employment because:

A. the whistleblower provided information to the employer or the federal government concerning a violation of antitrust law or another criminal law committed in conjunction with a potential violation of antitrust law; or

B. the whistleblower participated in, or otherwise assisted, an investigation relating to such a violation.

II. The CAAR Act would allow a whistleblower who alleges discharge or other discrimination to seek relief:

A. by filing a complaint with the Secretary of Labor; or

B. if the Secretary has not issued a final decision within 180 days of filing such complaint, to bring an action at law or equity, and;

C. entitles a whistleblower who prevails in any such action to all relief necessary to make such whistleblower whole.

Disgruntled workers may initiate alleged reports of misconduct or fraud, but any ensuing investigation would stand little chance if your business practices mirror your organization’s Standard Operating Procedure manual, Human Resource Employee Policies/handbook, and Compliance Plan. Prevention is the best defense. Proper and accurate documentation of your periodic compliance duties, their outcomes, including adverse events and corrective action taken is what is recommended. Furthermore, when an employee violates any company rules, administration should complete and file documentation of such events. A well-documented paper trail of verbal and written counseling for any employee misconduct will also assist in defending your company against the accusation of unjust, whistle-blower retaliation.


FAQ: How Obamacare Affects Employers And How They’re Responding

Reprinted from NPR website

This is one of several explainers to help consumers navigate their health insurance choices under the Affordable Care Act, or as some call it, Obamacare.

Do employers have to do anything different under the Affordable Care Act?
Not right away. The only thing required of employers at the start is that they notify workers that the new health insurance exchanges have opened. You may have received a letter from your employer to this effect — you probably don’t need to do anything.

Starting in 2015, large employers with 50 or more workers have a responsibility — but no mandate — to offer employees health coverage. If they don’t, they may face fines, but only if their workers go to health insurance exchanges and have earnings low enough to qualify for federal subsidies. Stores and restaurants — less likely to offer health insurance in the past — may be most affected. The coverage rule doesn’t affect workers who put in less than 30 hours a week.

There are no responsibilities for small employers with fewer than 50 workers. If they want to buy coverage for their employees, the insurance exchanges represent a new option for them in terms of where to shop. Certain employers with fewer than 25 workers are eligible for federal tax credits. To qualify, the company has to cover at least half of the premium for all of its employees, and also have average wages of less than $50,000. For details on these tax credits, see this answer sheet from the IRS.

Will my employer cut back on my insurance coverage?
A number of employers have been overhauling the health benefits they offer employees, citing rising costs.

There are two themes to what they are doing. In trying to control their own spending, employers often are shifting health costs to employees. So the average annual deductible for an individual — what consumers pay before insurance kicks in — nearly doubled in the past seven years, from $584 in 2006 to $1,135 this year, according to the Kaiser Family Foundation.

But employers aren’t just making workers pay more. They’re trying to make them think more about health-related expenses and behavior.

Companies such as grocer Kroger Co. pay only a fixed amount for particular drugs or procedures, giving patients incentive to shop around for the best price. IBM started giving rebates to workers who adopt healthy lifestyles. Penalizing smokers with surcharges is one of the few discriminatory measures the health act allows.

What about part-time workers?
Nothing in the Affordable Care Act says that employers have to cover part-time workers. The law defines part time as someone who works less than 30 hours a week.

Some employers that have offered part-time workers minimal coverage, such as Trader Joe’s and Home Depot, have dropped it on the grounds that those workers can now find coverage through the insurance exchanges. Most workers in this situation will be pleased with the outcome. They’ll likely find better coverage than what they had for less money. Although depending on the situation, some people may see their premiums go up.

Are employers reducing their workforce as a result of the Affordable Care Act?
There have been reports of employers holding back on hiring in order to stay under the 50-employee threshold that triggers health insurance responsibilities. There also have been reports of employers cutting workers’ hours to below 30 per week so that they don’t count as full-time. While there is anecdotal evidence of both things happening, there’s no evidence that those cases have added up to a broader drag on the economy as a whole.

Will my company stop offering coverage to my spouse and dependents?
Some companies, including UPS, have decided to stop covering working spouses if they have access to coverage at their own jobs. The health law does not require employers to cover spouses, but surveys show that only a minority of companies have implemented a “spousal exclusion.”

However, employers increasingly offer incentives to get spouses off their plans. They may charge workers extra if a covered spouse has access to other insurance, or they may pay bonuses when spouses are not on the company policy.

The health law requires employers who offer coverage to employees to also offer coverage to dependent children, or pay a penalty.
