2015 ACEP Reimbursement, Las Vegas, January 14, 2015

Hot Topics in ED Coding and Billing: The Heat is On

Ed Gaines, JD, CCP, Chief Compliance Officer, Zotec-MMP, [email protected]


The Caveats . . . from my legal advisors…Do-we, Cheat-em and Howe, in honor of Tom Magliozzi

1st: these are my opinions—not those of any organization I’m a part of.

2d: seek and obtain experienced professional advice in legal and/or accounting matters—and I will try to flag areas that such advice is warranted.

3d: “Information contained within this document is for general information only and should not be construed as legal advice. It is neither an offer to represent you, nor is it intended to create an attorney-client relationship. Please consult with an attorney for specific legal advice pertaining to your circumstances.”

And you may have been expecting one of my favorite lawyer caricatures ….

“Judge: Mr. Cirroc, are you ready to give your summation? Cirroc: [ stepping out] It's just "Cirroc", your Honor.. and, yes, I'm ready. [ approaches the jury box ] Ladies and gentlemen of the jury, I'm just a caveman. I fell on some ice and later got thawed out by some of your scientists. Your world frightens and confuses me! Sometimes the honking horns of your traffic make me want to get out of my BMW.. and run off into the hills, or wherever.. Sometimes when I get a message on my fax machine, I wonder: "Did little demons get inside and type it?" I don't know! My primitive mind can't grasp these concepts. But there is one thing I do know - when a man like my client slips and falls on a sidewalk in front of a public library, then he is entitled to no less than two million in compensatory damages, and two million in punitive damages. Thank you.”


The importance of setting expectations for this talk ….


Goals and Objectives:

Describe the basics of an effective compliance program, “compliance folklore” and hidden traps for the unwary

Identify pre-billing (e.g. coding) and post billing (e.g. refunds) risks and pitfalls

HIPAA “Omnibus Rule” implications

Analyze compliance risk management strategies

Overview of Federal & State Gov’t Agencies and Key Compliance Issues.

Volume was up pre-ACA (impact).

Why would gov’t and private payors care that much about the EDs from a compliance & regulatory standpoint?

Used to be that you could have a list of acronyms and a glossary, but that was then and this is now: http://www.cms.gov/apps/acronyms/

Key Terms and Concepts in Compliance talk to be addressed:

Forward looking risk assessment.

Pre-billing, e.g. coding including modifiers.

Post-billing, e.g. refunds, credit balances.

Upcoding/undercoding, e.g. both can be issues.

Unbundling, e.g. abuse of the -25 or -59 modifiers

Corrective action plans/programs (CAPs).

Compliance—with what or whom?

Key Agencies/Players in compliance and fraud and abuse (F&A)

Executive Branch:

Secretary of Health and Human Services (HHS)

The Centers for Medicare & Medicaid Services (CMS)

HHS Office of The Inspector General (OIG)

US Attorney General

The US Attorney’s Office (USA)

Medicare Administrative Contractors (MACs)

F&A recovers $7 for every $1.

Fraud and Abuse defined in the context of healthcare: not what you may think

In general, fraud is defined as “knowingly” making false statements or representations of material facts to obtain some benefit or payment for which no entitlement would otherwise exist.

In healthcare, “Knowing” includes intentional acts but also deliberate ignorance or reckless disregard of the truth or falsity of the claim

Examples could include:

1. Knowingly billing a higher level of service, or billing when the documentation does not support the claim submitted.

2. Knowingly adding modifiers to claims without supporting documentation for the modifier to obtain payment.

3. Knowingly failing to repay refunds or overpayments that are identified as such and retaining government funds.

Fraud and Abuse defined:

Abuse is defined as practices that are inconsistent with sound medical, business or fiscal practices; or actions when there is no legal entitlement to payment; or acts in which the intent to submit false information cannot be proven. Examples:

Unknowingly billing a charge for a service that was recently bundled into the primary procedure.

Re-billing claims w/out legitimate basis.

Physician obligations for coding/billing.


OIG’s 2015 Work Plan Highlights:

Provider-Based Svs: OIG is reviewing CMS’ current criteria. 2015 CMS Final Physician Fee Schedule Rule changes to POS 22.

Physician Place of Service (POS) coding errors.

“New vs. Established” E/M Svs.—Urgent Care Clinic issue and office based POS, e.g. “moonlighters” (Part B News 9/15/14).

Medicaid credit balances (C/Bs) & refunds.

OIG Report on Improper Payments for E/M, June 2014: random sample of 657 records from a universe of 369 million Part B claims for 2010. 21% E/M error rate, or $6.7 billion paid in error. 42% of E/Ms were incorrectly coded, and 19% had insufficient documentation.

OIG excluded important documentation issues.

Top 1% (“high coding physicians”): 56% errors; 99% of E/M errors for this cohort were over-coding. https://oig.hhs.gov/oei/reports/oei-04-10-00181.asp

CMS has new Medicare billing revocation authority per final rule published 12/5/14.

Medicare privileges may be revoked for a pattern or practice of non-compliant billing (as opposed to sporadic or occasional denials).

Factors include:

1. % of claims submitted that were denied.

2. Total # of denials.

3. Reasons for denials.

4. Time period for the pattern of denials.

5. Provider’s Hx of “final adverse actions”.

6. Length of time the provider has been enrolled.

https://s3.amazonaws.com/public-inspection.federalregister.gov/2014-28505.pdf

Stat sampling & extrapolation to prove FCA liability vs. FCA damages, Life Care Centers of America (USDC ED Tenn. 9/29/14).

Extrapolation defined.

Here: feds used 400 inpatient records to extrapolate FCA liability to the universe of 54,396 Pt. admissions/154,621 claims.

Hypothetical: say 1% of the 400 records were found to be coded and billed w/ > “mere negligence”

If 1% of the universe meets the “deliberate ignorance” or “reckless disregard” standards, then FCA penalties range from $8.5 million ($5,500 per claim min.) to $17 million ($11,000 per claim max.).

http://www.beckershospitalreview.com/legal-regulatory-issues/sampling-extrapolation-to-prove-fca-liability-approved-by-district-court.html

Strategy for CCP requirement for compliance policies: pre-billing controversial issues.

Examples of areas for policy/procedure development:

1. CC charts—request for time statement or not?

2. Deficient hx, ex or MDM documentation—request add’l information or not?

3. What is “additional work up planned”?

4. What is “prescription drug management”?

5. How does the individual EDP’s acuity analysis look versus Medicare data, his/her group or similar practices?

“So what? Why do I need a culture of compliance and ethics in my group/company?”

The Federal False Claims Act (FCA)

Sources of liability,

Whistleblowers and Qui Tam Relators.

FCA: All Federal Payors: Medicare (MCA), Medicaid (MCD), Tricare and FEHBP. Governmental payors defined: MCA, MCD, Tricare and the Federal Employees Health Benefit Plan (FEHBP). Exchange plans??? DHHS says no.

FCA liability may be found in any one of the following as “knowing” or “knowingly” submitting false claims:

Knowingly allows or encourages falsity. Deliberate ignorance of the truth or falsity. Reckless disregard of truth or falsity.

The FCA does not require specific intent to defraud.


$5,500 minimum/$11,000 max penalty per CMS 1500 claim form (federal penalties), plus treble damages (overpayment). State False Claims Acts may be in addition to the federal liability. Relators = Qui Tam provisions of the FCA: 15-30% of the FCA recovery + attorney’s fees.

FCA (cont.)

FCA Penalties v. Overpayment Liabilities—who’s liable and for what? FCA penalties ($5,500 min. per claim) apply if 1 or more of the 3 standards are met.

“knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval” 31 USC Section 3729

So FCA penalties apply jointly/severally to the Physician Group AND to the Billing Company (B/C)

Distinguish the “overpayment” liability (damages), over-coded Level IV to Level V.

Remittance of MCA reimbursement to the group’s lock box.

Phys. Group is liable for the difference in Level V and Level IV: $57.00 (2015 RVUs).


Mitigation Strategy: ED Groups

Request billing company or hospital errors and omissions insurance information.

Understand the scope and limitations of coverage, e.g. no B/C coverage for overpayments?

“Fraud” & “Intentional Acts” exclusions.

Deductibles and AM Best Rating of the E&O Carrier: A++, A+ (Superior); A, A- (Excellent); B++, B+ (Good).

Hot Topics Round 1: Electronic medical (health) records (EMR/EHRs), OIG Studies and Strategies to Address Issues.

The January 2014 OIG Report: Study #2

Report cites two documentation practices that can be used to commit fraud: Copy and paste or cloning, and Over-documentation.


Tips and Strategies re: EMR risks, from the physician perspective:

“CUT AND PASTE: can be considered fraudulent misrepresentation if importing into YOUR medical record information generated by OTHERS without appropriate attribution.

MACROS: may be compliant if the information they shortcut into the medical record is tailored to specifically reflect the PATIENT-SPECIFIC findings, and that all the QUESTIONS/FINDINGS that the macro incorporates were, in fact, ASKED/FOUND by the provider.”


EMR/EHR 5 Strategies for risk mitigation:

1st: track the problematic functionality, e.g. cut & paste or pre-population of notes w/ default narratives,

2d: Looking for similarities in structured fields, e.g. whether same pain scales were found across diags. (Report on Medicare Compliance 11/17/14)

3d: prohibit pre-population of notes w/ default narratives, e.g. particularly w/ the HPI for Medicare.


What to do? Strategies Re: EMR compliance issues from legal perspective.

4th: Conduct independent coding audits re: cut/paste and overdocumentation: check the actual chart output/printed against Medicare MAC guidance for TP/residents and NPPs.

5th: Establish & audit clearly defined “electronic signatures” for orders at shift change and “standing orders” w/ hospital and staff. Palmetto GBA Medicare MAC: the physician’s name and date appearing in the chart w/ log in and password is an electronic signature. (MPIM Chapter 3)

Hot Topics Round 2: Issues in Short Stay Admissions v. Observation and Emergency Dept. Physician (EDP) Newly Announced Qui Tam settlements & cases.

Two ED physicians file a Qui Tam against HMA alleging kickbacks offered for admissions.

http://www.beckershospitalreview.com/legal-regulatory-issues/former-ed-directors-claim-hma-offered-kickbacks-to-admit-medicare-patients.html

Two separate sets of allegations against two separate HMA hospitals and HMA corp.

Allegation that HMA required “50% admit rate for MCA pts.”

DOJ has joined the case.

HMA denies allegations.


According to the Charlotte Observer Jan. 3, 2014:

http://www.charlotteobserver.com/2014/01/02/4583725/doctors-allege-for-proft-owner.html#.VI9BrDHF-4I


Short-stay Admissions vs. Observation continues to be a hot topic

Allegations and outstanding litigation remain against HMA on related issues.

CMS announced in Jan. 2011 that Interqual or Milliman criteria are no guarantee that the admission will pass audit review.

http://www.cms.gov/MLNMattersArticles/Downloads/SE1037.pdf

Highly unlikely that the Feds will endorse “software driven” decision making for admit criteria—yet a role to be played for objective criteria.

http://www.modernhealthcare.com/article/20140804/NEWS/308049939/


MedPac Weighs in on the short stay/Obs. Issues.


MedPac is intent on addressing multi-layered issues w/ Obs and short stay IPs

Options:

1. Qualify Obs. toward SNF coverage;

2. Reduce $ differences for 1 day IP vs. Obs

3. Permit hospitals to waive charges for self administered drugs for Pts in Obs.


Documentation, coding and pre-billing issues and risk areas.

CMS Signature Requirements (CMS MLN MM6698, March 16, 2010)

Requirements Met:

Legible full signature

Legible first initial & last name

Illegible signature over typed/printed name

Initials over typed or printed name

Requirements NOT Met:

Initials alone

Unsigned typed note with provider’s typed name

Unsigned handwritten note

“signature on file”

Illegible full or partial signature

Stamp signatures

“If the sig. requirements are not met, the reviewer will conduct the review without considering the documentation with the missing signature.”

WPS Medicare MAC, J5 Part B: Definition of electronic signatures for EMRs and Orders. http://www.wpsmedicare.com/j5macpartb/departments/cert/signature-guidance.shtml

Risk Areas: Teaching Physicians (TP), Residents and Students. CMS Transmittal 1780: TP linkage statement and key portion note.

CMS Transmittal 811: EMR “macro” statements may not be sufficient.

Students – MD, PA or NP – not licensed practitioners!

Students CANNOT document the Chief Complaint, HPI, perform the Exam or participate in the Decision-Making = NONBILLABLE.

Attending physicians’ Macros: Medicare Transmittal 811


Consult with coding and billing gurus on specific areas of risk in the TP settings:

Critical care documentation by the resident critical time for the TP.

Major and minor procedure requirements for TP presence and documentation.

Check for specific MAC guidance on the specificity of the TP statement.

Errors and Omissions Insurance required of your coding and billing company.


Non-Physician Practitioners (NPPs)

Definition of Shared Service

"A split/shared E/M visit is defined by Medicare Part B payment policy as a medically necessary encounter with a patient where the physician and a qualified NPP each personally perform a substantive portion of an E/M visit face-to-face with the same patient on the same date of service. A substantive portion of an E/M visit involves all or some portion of the history, exam or medical decision making key components of an E/M service." CMS Transmittal 1776 (emphasis added)


Limitations of “shared visit billing” for NPPs

The physician/NPP shared service concept applies ONLY to E/Ms—not procedures performed by NPPs.

NPPs must be enrolled with Medicare and procedures billed under their NPIs, not the EDP’s. Check practice mgmt. systems for separate NPP tracking and enrollment.

Health plans are increasingly trying to adopt Medicare’s 85% reimbursement.

Shared Visit or “Face to Face” Concepts

From CMS IOM Publication 100-04, Chapter 12, Section 30.6.1(B) and Section 30.6.13 (H) and CMS Transmittal 1776:

Physician and NPP must be from same group practice.

Both must personally perform “face to face” encounter of the E/M.

Both must document the part(s) they perform


“Leased employment” structures for NPPs (diagram):

General Hospital EIN/Tax ID; MDs are W2s of XYZ ED Group or Faculty Practice Plan; NPPs are W2 employees of General Hospital.

1. Hospital permits XYZ to bill for NPPs—effectively a subsidy.

2. Three way leased employment contract w/ hospital, NPPs and XYZ.

3. ED NPPs are supervised by ED MDs.

4. NPPs retain hospital benefits & stability.

Documentation requirements for shared visits—CGS Part B MAC (OH & KY)

“In all cases documentation must substantiate the medical necessity of the shared/split visit … & the medical record should contain enough detail to allow a reviewer to:

• Identify both providers

• Link the physician notes to those of the NPP

• Include legible signatures from both providers

• Confirm that the physician and the NPP both saw the Pt face-to-face

• Include legible/electronic signature”


CGS—what is a “face to face encounter”?

CGS provides 2 examples. Example #1: “I have personally performed a face to face diagnostic evaluation on this Pt. My findings are as follows: Pt presents w/ abscess, onset 3 days ago. Has tried warm compress & hot shower for relief. Exam shows right gluteal abscess 3cm warm, tender and fluctuant. Incision & drainage not indicated, started on MRSA antibiotic coverage.” /s/ by supervising physician

http://www.cgsmedicare.com/partb/pubs/news/2013/1113/cope23908.html

CGS’ acceptable “face-to-face” documentation, Example #2: “I have personally performed a face to face diagnostic evaluation on this Pt. I have reviewed and agree w/ the care plan. Hx and Ex by me shows: abdomen was tender to touch, no rebound. Labs/CT scan negative. IM Toradol given for pain. Pt discharged home.” Signed by supervising physician

WPS, J8 MAC (MI & IN): Examples of Unacceptable Documentation for Shared E/M Visits.

“‘I have personally seen and examined the patient independently, reviewed the PA’s Hx, exam and MDM and agree with the assessment and plan as written’ signed by the physician.”

“Documentation by the NPP stating ‘The patient was seen and examined by myself and Dr. X., who agrees with the plan’ with a co-sign of the note by Dr. X.”

http://www.wpsmedicare.com/j8macpartb/resources/provider_types/inpatientsplitem.shtml

Hidden Traps for The Unwary in Pursuing Self Pay (Self Responsible) Balances: Waiving Cost Sharing, TCPA & FDCPA

Definitions:

“Guarantor”: one responsible for payment (which may be the Pt. or not)

Co-insurance and/or deductibles that are the Pt.’s responsibility have been renamed “cost sharing”.

Distinguish Pt. Self-Responsible vs. Pt. self-responsible after insurance.


What is Balance Billing?

In-network Provider: the healthcare provider has negotiated a rate with the insurance plan and agreed to accept that rate as payment in full (there is no “balance”). The Guarantor is responsible for the deductible, co-pay, co-insurance, and non-covered charges (“cost sharing”). This is not balance billing.

Out-of-network Provider: the insurance company and provider have not agreed to a rate; thus, no contract has been signed. The Guarantor is responsible for the difference between full billed charges and what insurance pays. In other words, there is usually a balance. If the Guarantor gets a bill for the balance, it’s balance billing.

What is “balance billing” in the OON context?

The difference between: 1. the out-of-network provider’s charge and 2. the amount paid by the insurance plan for the out-of-network service.

Billed Charge: $500. Insurance “Allowable”: $300. Balance (difference between Allowable & Charge) billed to the “guarantor”: $200.

Medical debt is skyrocketing and shows no signs of lessening: nearly a 4-fold increase in Pts. w/ deductibles of $1K or more since 2006, per the Kaiser Family Foundation (http://www.cnbc.com/id/102070499).

Bronze plans (60% of actuarial value [AV]) are high deductible health plans (HDHPs)—little to no first dollar coverage for physician services. Some limits to cost sharing up to 250% of federal poverty levels (FPL).

Silver plans (70% of AV) may have better 1st $ coverage but similar limits on cost sharing up to 250% of FPL.

20 yrs. ago: 2 Pt statements + “pre-collect” letter.

Today’s challenge: software, systems and process in place to repeatedly and lawfully contact the patient regarding payment. Telephone Consumer Protection Act (TCPA) and Fair Debt Collection Practices Act (FDCPA).

“Insurance only” & discounting based on financial need: OIG

1st: OIG Fraud Alert: Routine Waiver of Co-payments or Deductibles, 12/19/94. Waivers may implicate the federal anti-kickback statute if one purpose is to generate more patient volume.

2d: OIG Guidance Feb. 2, 2004: there is no prohibition on discounting services based on financial need. Factors: 1. local cost of living, 2. patient income and expenses, 3. family size and 4. extent of the patient’s bill.

BCBS of Alabama’s Provision: waivers are ok for professional courtesy or financial need; otherwise, waiver=breach of contract.

Tips for “prompt pay discount” plans:

Written plan w/ counsel input as state law may control.

Offered to both Pts. & health plans that pay w/in X days, consistent application & communication.

Apply the discount to “usual and customary charges” on the front end.

Discount amount tied to savings of billing/collection costs, e.g. 20-30%

http://www.texmed.org/template.aspx?id=25341


Strategies for Avoiding Traps and Enhancing Pt. Responsible Balances:

Telephone Consumer Protection Act (TCPA) 1991.

Federal law prohibits automated dialers to cell phones (any # where the called party is charged a fee) w/out the Pt’s prior express consent.

Purpose: to regulate overly aggressive telemarketing/automated “robo-calls” & permit consumers to “opt out”, e.g. “Do Not Call List”

Today: estimated > than 1 of 3 households are mobile-only


Here’s where you/your hospital need legal counsel’s advice (see Appendix example):


Limitations and restrictions on TCPA Consent.


Hidden Trap #3: be careful w/ language in Pt. statements, “pre-collect letters” & phone calls:

Fair Debt Collection Practices Act (FDCPA) strictly regulates collection agencies when/where/how Pts are contacted.

Intent: prohibit abusive debt collection practices, and false, deceptive or misleading representations to collect a debt.

Mandatory notification statements to debtors (known as the “mini-Miranda” statements).

Strict liability statute w/ Attorney Fees and Class Action potential.

67

Be careful in Pt. statement language & phone calls

FDCPA: the definition of “debt collector” excludes creditors (physician groups) and those who act for creditors (B/Cs), AND the FDCPA applies only to debts that are “in default” (15 USC Section 1692a(6)(F)(iii)).

Exception: One federal circuit court of appeals has held that a mortgage servicer who treated a mortgage loan as if it was in default (when it was not actually in default) will be considered a debt collector; see Bridge v. Ocwen Federal Bank, FSB, __ F.3d __, 1470148 (6th Cir. 2012). (MI, OH, KY and TN are all in the 6th Circuit.)

Refunds and credit balances and unclaimed property– areas of compliance that have nothing to do with coding and billing.

CREDIT BALANCES

Definitions:

Credit balance – a balance on a patient account or encounter that is less than $0.00.

Small credit balance – a non-governmental credit balance less than a maximum of -$10.00.

Recoupment – the process of a payor recovering a claim overpayment from a future remittance. This is often referred to as a “take-back”, set-off or voucher deduction.

Governmental payors include Medicare (including Medicare Advantage/HMO), Medicaid FFS and HMOs, Tricare/CHAMPUS and the Federal Employees Health Benefit Program (FEHBP) (administered by Blue Shield [Federal Blue] and several other health plans).

Unclaimed property: small credit balances or returned refund checks that remain unclaimed for an extended period of time.

Fraud Enforcement and Recovery Act of 2009 (FERA), Enacted 5/20/09

FERA removed any doubt that the failure to refund gov’t payor credit balances is a potential False Claims Act issue

Whistleblowers, attorney’s fees and potentially the US DOJ

FERA created the so-called “reverse” False Claims.


Post billing Issues: New obligations for provider overpayment refunds under PPACA.

PPACA now requires that “overpayments” are identified after “reconciliation” and must be repaid within 60 days. Gov’t payors = Medicare (MCA), Medicaid (MCD), TriCare (TC) and Fed. Employees Health Benefit Plan (FEHBP). A “written explanation” must be provided, per section 6402. CMS’ proposed rule is that the look-back period should be 10 years. http://www.hbma.org/news/public-news/n_a-look-at-cms-proposed-rule-on-reporting-and-returning-overpayments

REGULATIONS AND STATUTES

CMS issued Proposed Rules 2/13/12. The 60 day clock runs when the overpayment is identified; “identified” means that the person has had the opportunity to undertake “reasonable inquiry” AND that the person has actual knowledge of the overpayment OR is deliberately ignorant of the overpayment.

CMS’ Examples of “identification” of overpayments:

Examples per CMS where the “identification” standard has been met even though the exact amount of the overpayment may not be known:

A provider or supplier reviews billing or payment records and learns that it incorrectly coded and/or billed certain services, resulting in increased reimbursement.

A provider or supplier learns that services were provided by an unlicensed or excluded individual on its behalf.

A provider or supplier performs an internal audit and discovers that overpayments exist.

Through these examples, CMS suggests that “actual knowledge” is present if the provider knows of an overpayment issue, even if the provider has not determined the amount of the overpayment.

Recoupments And Credit Balance Procedures

W/ governmental payers, BCs should refund governmental payers and not defer to the recoupment process.

The only time the recoupment process should be relied on for governmental payers is if it is known they will not accept and/or return refund checks.

Relying on the recoupment process can lead to unanticipated risk:

Recoupment does not occur.

No recoupment taken w/in the 60 day period.

Additional monitoring of the accounts by staff.

Pre-billing and post-billing risk areas: HIPAA on steroids, a/k/a The HITECH Act and the Omnibus Final Rule.

The HITECH Act of 2009 took HIPAA to the next level. PHI is individually identifiable health information maintained or transmitted in any form: electronic, paper-based, verbally, other formats (PHI elements are listed in appendix).

Health Information Technology for Clinical & Economic Health (HITECH) Act, Feb. 2009. HHS Guidance Issued April 2009: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechrfi.pdf. Omnibus HITECH Final Rule effective 9/23/2013.

The HITECH Act of 2009: Congress and DHHS are Raising the Bar on ePHI.

Section 13402 of HITECH requires “notification” by the covered entity following “breach” of “unsecured PHI.”

“Unsecured PHI”= paper that is not “unusable, unreadable or indecipherable.”

PHI “at rest” (paper or electronic).

PHI “in motion”: electronic demographic SSLs and/or transfers via email of ePHI, e.g. Excel or PDFs files of patient specific ePHI.


The HITECH Act of 2009 (cont.)

PHI is not “unsecured” if ePHI has been “encrypted”.

Encryption standard is a technical standard—need to understand the standard.

ePHI “in motion” (e.g. emailed files) must be per VPN standards in guidance.

So what? If an unencrypted laptop is stolen or ePHI files on a USB drive are lost, there may be a “notification event” for the physician group.

The HITECH Act of 2009 (cont.): what if ePHI is “unsecured” and “breached”?

“Breach” = unauthorized acquisition, access, or use + compromises information. The Omnibus rule of Sept. 2013 had a major impact on “breach”.

Covered entity (CE) must notify patients within 60 calendar days of discovery of breach: notice to patients via US Mail and posting on the website of the CE; notice to “prominent media outlets” if ≥ 500 patients; notice on the DHHS website required if ≥ 500 patients.

If this doesn’t keep your HIPAA security officer up at night nothing will.

http://www.modernhealthcare.com/article/20140818/NEWS/308189946

Omnibus Final Security Rule, general compliance effective date of Sept. 23, 2013

Expansion of HIPAA security obligations & potential liabilities from prior Interim Final Rule in ‘09.

Business associates (BAs), e.g. billing and collection companies, and IT vendors, who create, receive, maintain or transmit PHI in order to perform a function on behalf of a Covered Entity (CE), e.g. physician group and/or hospital, are regulated directly by HIPAA & directly liable for HIPAA violations.

Each BAA sub-contractor in the chain is also potentially liable.

Omnibus Rule expands HIPAA security obligations and potential liabilities for CEs/BAs.

Rule creates the “presumption” of HIPAA “breach”

The acquisition, access, use, or disclosure of unsecured PHI is not permitted under the Privacy Rule, unless a CE or BA demonstrates a low probability that the PHI has been compromised based on a risk assessment considering at least 4 factors:

1. The nature and extent of PHI involved, including types of identifiers and likelihood of re-identification.

2. The unauthorized person who used PHI or to whom disclosure was made.

3. Whether PHI was actually acquired or viewed.

4. The extent to which the risk to PHI has been mitigated.

HHS Bulletin: HIPAA Privacy in Emergency Situations, Nov. 2014 After Ebola Cases:

PHI may be shared w/out Pt. authorization:

1. For “treatment”, e.g. care coordination, management of Pt., consults & referrals, and w/ family/care givers;

2. To public healthcare authorities to prevent or control disease, injury or disability, and sharing Ebola info. w/ CDC is specifically cited; and

3. To prevent or reduce serious or imminent threat to health or safety of the public.

HIPAA Privacy & Security apply to CEs (hospital/group/EM Doc) and BAs (B/C). http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/hipaa-privacy-emergency-situations.pdf

Tips and strategies to mitigate HITECH risks:

“We love encryption, and those who use encryption love it, too,” Leon Rodriguez, Director of the Office for Civil Rights, 1/5/2013.

Encryption assures that the information is unreadable, unusable or undecipherable, and qualifies the entity for the “safe harbor” under the breach notification rule.

Encryption should cover any stationary data in your environment: desktops and laptops, backup tapes, USB drives (thumb and portable), servers, mobile devices. All laptops and desktops that contain ePHI should be encrypted. Flash drives that hold ePHI should be encrypted. All mobile devices (iOS and Android) should have secure transmission software/appliance. Encryption must be in line with NIST standards.

Cyber Liability Policies or Rider to existing Errors & Omissions Policy.

Compliance Summary:

Effective programs constantly perform risk assessment and analysis, perform vigorous Q/A, provide training and education and take corrective action.

Zero tolerance for retaliation or hostile environments to questioning.

“Worry about the questions that you are not asking—not about the ones that you are asking.”

Contact information:

Ed Gaines, JD, CCP

Chief Compliance Officer

Zotec Partners

Greensboro, NC

[email protected]

877-271-2506

Follow me on Twitter: @EdGainesIII

http://twitter.com/EdGainesIII


Appendix: Distinctions between professional courtesy and waiving cost sharing:

http://www.thehealthlawfirm.com/blog/posts/no-good-deed-goes-unpunished-for-physicians-who-extend-professional-courtesy-or-waive-co-pays-medicare-prohibits-waiver-of-co-pays-and-deductibles.html


Appendix: Gaining Consent for TCPA

“[I/patient/other identifier] acknowledge and agree that [insert company name], or any of [your/its] affiliates, including any bill collection or debt collection companies may contact me by telephone or by text message to any telephone number I provide to you, or at any other telephone number associated with my account, including wireless telephone numbers, which I understand could result in charges. I further agree that you may use any method of contact to any of these telephone numbers, including prerecorded or artificial voice messages, text messages and automatic dialing devices. You may also contact me via electronic mail using any email address I have provided to you for use. I acknowledge the contact information provided to you is private to me and I take sole responsibility for maintaining the privacy of any of the information I provide to you. I further understand that in order to revoke my consent to be contacted, I must send a written revocation of my consent to [insert company name] or to the affiliate contacting me on behalf of [insert company name].” (emphasis added)

© Frost-Arnett Company, All Rights Reserved


The HHS “Wall of Shame” for breaches of ≥ 500. Direct costs of notification and offering credit monitoring may exceed $30/patient.

Legal fees related to federal and state privacy + costs of litigation in state court w/ possible class action status.

Indirect costs w/ loss of reputation w/ patients and providers.

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Appendix: What is PHI?

Data are “individually identifiable” if they include any of the 18 types of identifiers for an individual or for the individual’s employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual:

18 Types of Identifiers:

1. Name

2. Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)

3. All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)

4. Telephone numbers

5. Fax number

6. Email address

7. Social Security number

8. Medical record number

9. Health plan beneficiary number

10. Account number

11. Certificate/license number

12. Any vehicle or other device serial number

13. Device identifiers or serial numbers

14. Web URL

15. Internet Protocol (IP) address numbers

16. Finger or voice prints

17. Photographic images

18. Any other characteristic that could uniquely identify the individual

Appendix: The HITECH Act: can you say “nuclear winter?”

Featured Health Business Daily Story, Nov. 15, 2011

When Protecting PHI, Don’t Forget Ubiquitous But Risky Back-up Tapes

Reprinted from REPORT ON PATIENT PRIVACY, the industry's #1 source of timely news and business strategies for safeguarding patient privacy and data security.

(November 2011, Volume 11 and Issue 11 )

“It wasn’t a sophisticated hacker from a rogue nation or a failure of fancy technology that caused the largest health care data breach on record. The recent loss of data on 4.9 million TRICARE patients happened when a thief made off with back-up tapes left in a worker’s car.

Tapes that were not encrypted but were apparently en route to be encrypted. Tapes that, despite advances in data storage over the last decade, are still in use in perhaps a majority of hospitals today.

Until now, back-up tapes haven’t gotten much attention. That should change given they are at the center of this unprecedented breach, now the focus of a $4.9 billion proposed class-action lawsuit and investigation by the Office for Civil Rights.”


Appendix: The full text of the Palmetto Statement regarding teaching physician documentation and EMRs.

Appendix: Resources, References and Links:

HHS Office of Inspector General (OIG): http://oig.hhs.gov/compliance/compliance-guidance/index.asp

OIG’s compliance guidance to third-party billing agencies (Dec. 1998)

OIG’s compliance guidance to individual physicians and small group practices (Sept. 2000)

ACEP’s Fraud, Compliance, and Emergency Medicine (Aug. 2004), on the ACEP Practice Resources Website at www.acep.org

Scribe Article: http://aishealth.com/archive/rmc050911-01

Appendix: Additional Physician Compliance Resources

OIG Advisory Opinions & training slides: http://oig.hhs.gov/fraud/advisoryopinions.asp

http://oig.hhs.gov/compliance/provider-compliance-training/files/Provider-Compliance-Training-Presentationv2.pdf