Looking Ahead: Meaningful Use Stage 3 Requirements

By Jose Lopez, Senior Consultant, The Verden Group

As discussed in my recent blog on the proposed changes to Meaningful Use 2 requirements, CMS recognized the barriers providers were facing in meeting the Meaningful Use Stage 2 requirements and proposed a rule to simplify the Measures and Objectives for 2015 and beyond. CMS clearly heard the complaints from providers that meeting the measures was creating workflow issues. The Verden Group applauds these changes and hopes they are approved in their entirety.

Let’s look forward now to what lies beyond meeting the revised Stage 2 requirements in 2015 and 2016, to Stage 3. Following a proposed “optional” year in 2017, all providers will report on the same streamlined definition of Meaningful Use at the Stage 3 level in 2018, regardless of prior participation.

CMS has come out with 8 tentative advanced use objectives for Stage 3 designed to align with national healthcare quality improvement efforts, and to promote interoperability and health information exchange which will focus on the triple aim of reducing costs, improving access and improving quality:

  1. Protect electronic health information
  2. e-Prescribing
  3. Clinical decision support
  4. Computerized provider order entry
  5. Patient electronic access to their data
  6. Coordination of care through patient engagement
  7. Health information exchange
  8. Public health reporting

The specific measures for each objective have yet to be defined but if you think the objectives look like Stage 2, then you would be correct. And as with Stage 2, the most challenging objectives appear to be those where the provider does not have direct control over their outcomes: patient engagement (patient use of portals and e-messaging), health information exchange (by states or other entities), and public health reporting (by states or other entities).

While CMS came under fire in 2014 following the fallout of providers being unable to meet Stage 2 requirements, it is vital that practices continue to advance their use of electronic health information. As Medicare and private payers continue their evolution from fee-for-service to pay-for-performance, data is being used to report on quality outcomes and to differentiate high performing practices to patients.

In closing, it is crucial that providers and provider associations provide feedback when CMS proposes rules for Stage 3 to ensure the data being required isn’t arbitrary (as was the case with Stage 2), but that it meets the intent of the HITECH Act to begin with: reducing costs, improving access, and improving quality.

In our next blog on Meaningful Use, we’ll discuss proper Meaningful Use Attestation documentation and the ugly truth no one wants to hear: CMS plans to audit one in every 20 meaningful use attesters.

CMS Forgoes Direct Supervision Requirement to Encourage Use of Chronic Care Services

By Sumita Saxena, Senior Consultant, The Verden Group

Medicare will start paying physician practices for chronic care management beginning January 1st, and has carved out an exception to the direct supervision requirement for incident-to billing, which is often considered difficult to comply with. This change is intended to encourage the effective use of the services, according to the 2015 Medicare physician fee schedule regulation published on November 13th. There are conditions surrounding this new move, including the documentation of a care plan for patients with two or more chronic conditions and the use of interoperable electronic health records.

The American Medical Association (AMA) created new CPT codes for chronic care management in 2013, but CMS instead proposed using a HCPCS “G” code. CMS has reconsidered its initial position and will pay physicians for CPT 99490 (chronic care management services, at least 20 minutes of staff time directed by a physician or other qualified health professional, per calendar month). The code is billable for patients who have two or more chronic conditions expected to last at least 12 months or until the death of the patient, if the conditions place the patient at significant risk of death, acute exacerbation/decompensation, or functional decline, and “a comprehensive care plan is established, implemented, revised or monitored,” per the regulation.

The new code is both a revenue opportunity and a compliance risk for providers and CMS will be paying attention to how this develops. CMS declined to cover CPT 99487, another chronic care management code, because it doesn’t include face-to-face time with the patient.


To avoid imposing yet another new set of standards for billing management of chronic conditions, CMS stated “it decided to emphasize that certain requirements are inherent in the elements of the existing scope of service for CCM services, and clarify that these must be met in order to bill for CCM services.” They include:

  • Giving patients access to clinicians 24/7 if they have urgent chronic care needs.
  • Managing chronic conditions, including assessment of medical, psychosocial and functional needs, medication reconciliation and review of patient management of medication.
  • Ensuring continuity of care by having patients see the same clinician at successive appointments.
  • Satisfying various documentation requirements. For instance, patients must agree in writing to receive chronic care management services and authorize electronic communication of their medical information with other providers to facilitate care coordination.  Providers must give patients a copy of their care plan and document they received it, and inform patients they can quit receiving chronic care management services at any time.

CMS also eased a regulatory requirement that otherwise could be an obstacle to chronic care management. These services will often be provided by nonphysician practitioners incident-to a physician’s services, which means they can be billed to Medicare under the physician’s provider number at 100% of the fee schedule if they meet certain requirements. Typically, incident-to services have to be provided under the direct supervision of the physician. “Direct supervision” means the physician “must be present in the office suite and be immediately available to provide assistance and direction throughout the service (but does not mean that the supervising physician must be present in the room where the service is furnished),” according to CMS.

That is not always practical in the chronic care management context. With CMS requiring 24/7 patient access to the clinician, CMS recognizes that the physician may not always be available to supervise. CMS created an exception to the incident-to rule, and will require general supervision for chronic care management. General supervision means the services are performed under the physician’s overall control, but he or she doesn’t have to be in the office.


The supervision exception for incident-to billing should reduce noncompliance with the incident-to billing rule. CMS extended the supervision exception to incident-to billing for the non-face-to-face portion of transitional care management services, which are hospital oriented. On January 1, 2014, Medicare began paying for two new CPT codes:

  • 99495: Transitional care management including communication (direct contact, telephone, electronic) with the patient and/or caregiver within 2 business days of discharge; medical decision making of at least moderate complexity; and face-to-face visit within 14 days of discharge.
  • 99496: Communication (direct contact, telephone, electronic) with the patient and/or caregiver within 2 business days of discharge; medical decision making of high complexity; and a face-to-face visit within 7 days of discharge.

The codes for transitional care management are designed to encourage primary care physicians to arrange a visit with patients almost immediately after discharge from the hospital with the intent of improving quality of care and reducing readmissions.

Although physicians can bill Medicare for chronic care management incident to the physician’s services, there are still constraints imposed by state scope-of-practice laws. State laws will preempt Medicare rules if they require direct supervision.

Providers should not bill Medicare for chronic care management if the care plan is unchanged or requires only minimal change, for example medication adjustment. And while chronic care management can be reported on the same day as an evaluation and management service, clinical staff time cannot be attributed to both visits.

The coverage of chronic care management is also tied to meaningful use compliance. To get paid for chronic care management services in 2015, physicians and nonphysician practitioners must use “EHR technology certified to either the 2011 or 2014 edition(s) of certification criteria to meet the final core capabilities for CCM and to fulfill the CCM scope of service requirements whenever the requirements reference a health or medical record,” per the regulation.

For more information please visit:


HIPAA Patient Privacy Update

by Jason Lopata

Patient privacy concerns continue to be in the headlines as more and more opportunities for possible breaches exist in our electronic, and ever more interconnected, world. Importantly for private practices and hospitals alike, a recent hospital survey (published by Press Ganey Associates, Inc., a patient-satisfaction measurement firm) suggested that patients are viewing privacy concerns as an increasingly important component of patient satisfaction. This suggests that practices must guard against breaches of personal health information (PHI) not only for HIPAA compliance purposes, but also to avoid the loss of patients or a potential marketing disaster. HITECH now requires disclosure of any privacy or information breach not only to a practice’s patient list; if the breach affects more than 500 patients, the local media must also be notified. Clearly this is an occurrence that could affect a practice’s reputation and, in turn, its financial bottom line.

As reported by HHS officials in November of this year, the number one source of health data breaches is the theft of a laptop computer. Practices must put safeguards in place and enforce proper protocols for all employees who may be using laptop computers that contain any form of PHI. For those practices that use laptops, proper encryption of data remains the best safeguard against unfettered access to the data contained in a laptop, should it fall into the wrong hands. While there is a cost to enabling such security measures, it pales in comparison to the potential damage that could be done to your practice without them.

Not all security or privacy breaches involve laptops or “hacker”-like behavior tapping into an otherwise secure computer system.   Rather, as you can see from recent headlines, they come in all forms, such as these recent incidents:

  • A Mesa, AZ medical center lost data cards that contained information on about 2,300 patients. Memory cards from endoscopic machines went missing, each of which contained PHI for patients whose procedures took place between 2008 and 2010. Notice was required to all patients, and while no credit information was contained on the memory cards, enough personal information existed on the cards that the medical center offered credit protection and monitoring for one year to all affected patients.
  • An identity theft ring was arrested near Orlando, FL, after stealing nearly 1,500 patient data sheets from an emergency room and associated doctor’s office. The compromised information includes names, addresses, dates of birth, Social Security numbers and brief initial diagnosis descriptions from ER visits, according to the hospital. A press release was issued immediately and credit protection monitoring was offered to those who may have been affected. Interestingly, this did not involve a computer or systems breach, but simply paper data sheets being lifted from the medical facilities. (Goes to show that some security and privacy breaches can be fairly low-tech!)
  • A hospital in Long Beach, CA was hit with a $225,000 fine by the state compliance division after an employee used nine patients’ medical information to set up fake Verizon telephone accounts.  The employee admitted to memorizing personal patient information during a project to purge the hospital’s older ER records.
  • A medical center in Tennessee had to notify approximately 8,000 patients of a possible privacy breach after patient information was thrown in the trash instead of being shredded.

So what are the lessons to be learned from these occurrences? Never stop being on guard for how patient health information can get into the wrong hands or be mishandled. Constantly review policies for the handling of such data, and make sure that both physician and non-physician staff are keenly aware of the proper protocol and properly trained on how to deal with the necessary handling, transfer, and, if needed, disposal of PHI. Keep this information secure, and avoid making headlines for all the wrong reasons.

From A-B-C to C-A-B

by Tiffany Lauria

‘Look, Listen and Feel’ is a thing of the past….

After years of drilling ‘Look, Listen and Feel’ into first responders’ heads as step one of the basic CPR process, the American Heart Association has released its 2010 guidelines, which change the sequence of CPR steps from Airway-Breathing-Chest Compressions (ABC) to Chest Compressions-Airway-Breathing (CAB)[1] to emphasize the importance of minimizing delay in starting the chest compressions component of care. Included among the other 2010 recommendations is the total elimination of ‘Look, Listen and Feel’ from the steps. Interestingly, the AHA states that rescuers often find it difficult to open the airway and begin delivering breaths, so the change in sequence is expected to encourage more people to begin CPR immediately without hesitation.

This is actually quite a big change, considering the scope of re-training that needs to be accomplished across a spectrum of populations. From babysitters and school teachers to flight attendants and lifeguards, numerous people in varying professions will now need to be educated and certified on the 2010 changes.  Most importantly, of course, are the healthcare providers that perform this procedure, or stand ready to perform this procedure, routinely as part of their daily tasks. And don’t just think doctors and nurses, there are midwives and radiology technicians and physical therapists, etc. The list goes on.

The American Heart Association has always done a great job in reaching the public to broadcast a message of the importance of CPR training for lay people as well as healthcare workers. Everyone- moms, waitresses, bank tellers, construction workers- everyone may at one point be faced with a life or death crisis that affords them the opportunity to try and help. Still, most people today have never been educated on CPR outside of possibly a high school health class (where the thought of giving mouth-to-mouth to the dorky kid next to you was not much of an enticement to learning). The number of professions that are now requiring CPR training, and the numerous regulations regarding the presence of Automatic External Defibrillators, is an encouraging sign that the AHA is reaching the right sectors with timely information and vital instruction.

There are two steps that you and your facility should take now to prepare for the implementation of the new CPR recommendations.

Step one: Make sure your staff have heard of the changes

Believe it or not, as busy as healthcare workers are on the job, they are just as busy in their personal lives! Many of your staff may not have had a chance in the last week or two to jump online for a news fix or to read a newspaper or journal that updates on important industry topics. But what they don’t know can hurt them and their patients, so include information on the updated regulations in your next facility newsletter or scheduled staff meeting. Also, be sure to assign department heads or managers the responsibility of informing all staff that changes have occurred and that they will need to be re-trained and certified. You may want to include information on the scientific rationale behind the new recommendations, adjusted for use by clinical, administrative or ancillary staff.

Step two: Construct your training plan to implement the new recommendations

This step is actually a staircase that encompasses:

  • Working with human resources to determine which departments and staff require certification and training and the dates when all personnel are due for training based on their past certifications (The AHA has not released guidelines or recommendations yet on whether previous certifications will be revoked early)
  • Working with your facility’s education department, local Red Cross or other corporate instructional agency to determine training options, such as on-site or off-site training, scheduling and learning materials
  • Project a reasonable budget, allowing for staff overtime and any scheduling changes that will be needed to allow staff to participate in training, and any program and material costs
  • Begin cycling all needed personnel through the selected training programs, updating their personnel files accordingly to reflect up-to-date certification. Prioritize training according to need: clinical staff, then administrative, and so on
  • It may be necessary to revise facility or practice clinical protocols or other protocols related to emergency procedures. Always keep your practice, facility and department Operating Procedures and Clinical Protocols up-to-date


How can you assist in the efforts to inform the public about the importance of CPR training while making it worthwhile to your practice? Keep current brochures from the local Red Cross or continuing education providers handy in your office and share them with patients and parents and caregivers of patients, especially caregivers of young children and older patients. During routine well exams or care appointments for chronic conditions, make it routine to ask if anyone in the household has been CPR certified and talk to them about the importance of CPR education in their personal lives. Consider reaching out to community instructors and offering them use of your waiting room or conference area for holding classes. This allows you to advertise the courses to the public, maximizing your exposure while bringing potential patients into the practice.

The AHA has scheduled instructor training sessions for November 2010, so while instructors are gearing up to teach the new recommendations to the masses, use your time wisely and start planning now on how to best educate and train your staff in an organized and efficient way.

[1] The sequence has not changed for newborns. To review the full 2010 recommendations, visit:

Telemedicine & Licensure – Will the Law Allow Changes to the Way Medicine is Practiced in the 21st Century?

By Jason E. Lopata, Esq.

There can be no question that the internet has changed the way most of society operates, from our homes and offices to the smartphone located in each person’s pocket or purse. Medicine is not immune from the use and development of technologies to bridge the gap in physical distance between two non-electronic parties. We may soon have to get used to the idea of a physician on one end of teleconferencing or video technology, and a patient on the other end. Whether that physician is at a video screen at his office desk or holding a handheld device while vacationing in another part of the country, a physician’s office can be boundless in today’s world.

But how does a physician know that he is properly licensed to practice medicine by way of these new technologies? Does the location of the doctor or the patient (or both) dictate what jurisdiction is relevant to any licensure questions? While telemedicine has the potential to overcome barriers of distance and improve access to needed health care services, the current state-by-state licensure laws pose an obstacle to achieving this goal. Requiring licensure in each state where patients may receive care is a disincentive to utilize the new technology and provide specialty care to rural and underserved areas of the country. As a physician, you must stay informed of your jurisdiction’s regulations, as well as those of any neighboring states where your patients may be traveling to receive your care and treatment.

With limited exceptions, most states still require full in-state licensure for out-of-state telemedicine providers. But in New York, like many other jurisdictions that do not specifically address the practice of telemedicine, there are some exceptions that allow out-of-state practice. These may be applied to telemedicine, such as a physician who (1) is licensed in a bordering state and who resides near a border of this state, provided such practice is limited in this state to the vicinity of such border and provided such physician does not maintain an office or place to meet patients or receive calls within this state, or (2) is licensed in another state or country and who is meeting a physician licensed in this state, for purposes of consultation, provided such practice is limited to such consultation. Most current regulations allow for this doctor-to-doctor contact, but do not address doctor-to-patient relationships in the consultation or specialty realm.

On the other hand, states such as Illinois, Mississippi, and Texas all have regulations that deal specifically with the practice of telemedicine, giving specific guidance as to what constitutes telemedicine. An example is Illinois’ definition that “telemedicine” means the “rendering written or oral opinions concerning diagnosis or treatment of a patient in Illinois by a person located outside the State of Illinois as a result of transmission of individual patient data by telephonic, electronic, or other means of communication from within this State.” When regulations exist, specific requirements are spelled out for out-of-state physicians to treat their in-state population. Physicians who practice telemedicine “without a license” risk criminal and civil penalties, state disciplinary proceedings, and denial of coverage under medical malpractice insurance policies, which generally require licensure as a condition of coverage. This occurs despite the fact that most state licensure procedures have become fairly uniform from jurisdiction to jurisdiction.

The American Bar Association (ABA), in an August 2008 report on telemedicine, believes that the most straightforward method to reduce such barriers to telemedicine is to institute a system of mutual licensure recognition whereby a physician with a current, valid and unencumbered license in any state could file a single application which would permit the physician to practice telemedicine in some or all other states. The physician would be subject to continuing compliance with those states’ licensure fees, discipline, and other applicable laws and regulations, and adherence to professional standards of medical care. The ABA further recommends any federal legislation set a uniform definition of “out-of-state telemedicine practice” (e.g., that the physician does not set up an office, appoint a place for meeting patients, or routinely receive calls within the state), the requisite procedures for telemedical licensure, and a requirement that the telemedicine provider must agree to the jurisdiction of the patient’s home state for medical malpractice actions. But even amidst all the federal legislation affecting the health care industry, uniform telemedicine licensure issues have not yet been proposed.

While a good idea, I don’t yet see a federal standard evolving, as states are going to maintain their regulatory control of the industry. So as a physician, you must still be prepared for these licensure and liability questions to emerge as you start to adopt technologies that widen the scope and “footprint” of your practice. Physicians should consult an attorney with any questions about whether borders are being “virtually” or literally crossed for purposes of their licensure.

Hospital Gone Mad?

by Tiffany Lauria

In a recent court document[1], filed against Dimensions Health Corporation, Joseph and Felicia Ann Wheeler allege that while recovering from auto accident injuries at Prince George’s Hospital Center, Mr. Wheeler was misidentified as a female cancer patient 13 years his junior who was scheduled for chest tumor surgery. Mr. Wheeler’s complaint over the disturbing events that ensued includes physical assault and battery, false imprisonment and infliction of emotional distress.

While the egregious complaint cannot be stated as fact until the matter is settled, a read through the actual complaint brings up multiple areas in which hospitals, indeed all facilities, could benefit by reviewing their operating procedures and, more importantly, the extent to which these procedures are followed. Two obvious areas of risk highlighted by the complaint are as follows:

1. Patient Identification Protocols: From his first contact with clinical staff, right down to his interactions with hospital security, not only did staff neglect to check Mr. Wheeler’s ID bracelet, but upon checking and finding a female name, a nurse failed to exhibit common sense and flag concern over the patient’s identity. A physician brought in to answer the patient’s questions was apparently upset over Mr. Wheeler’s ignorance of the surgical procedure and, as a previous nurse did, failed to check Mr. Wheeler’s ID bracelet. The next time Mr. Wheeler states someone at the hospital checked his ID bracelet was following a period of alleged battery at the hands of hospital security.

Some things to consider when reviewing your organizational policies:

– Does your protocol contain enough checks and balances to ensure that the right identification bracelet is placed on the correct patient from the beginning?

– Are there mandatory sign off sheets or tick screens for clinical staff to mark identity checks completed with each interaction?

– Does your protocol also include physicians, obliging them to check patient identification with every patient interaction?

A proper identification protocol will include each of the aforementioned, as well as stated consequences for staff and physicians not performing up to task, the dates of training sessions completed on the importance of correct identification procedures, and proper procedures for following up on any concerns or deviations.

Remind your staff that common sense should always prevail, and the hospital would rather conduct an investigation into correct identity, than defend itself against allegations of misconduct or malpractice. Make that part of your organizational culture – safety comes first.

2. Incident Response Protocols:

Mr. Wheeler indicates that as soon as he walked out of his exam room to leave the hospital, nursing staff began to argue with him and call for security. The two officers that responded, according to the allegations, immediately unleashed a barrage of physical abuse and verbal expletives in their attempt to hold the patient against his will in the hospital. This abuse subsequently continued through an interaction with the ranking Lieutenant, the apparent wrestling of a cell phone out of Mr. Wheeler’s hands as he attempted to call 911, and culminated in a hospital administrator begging Mr. Wheeler to stay and promising to provide Mr. Wheeler with a private room and any medications or pain killers that he requested.

One has to wonder about the sensitivity training provided to the security staff in dealing with patients, whether they are leaving against medical advice or truly combative. Regardless of whether your facility contracts out for security or hires in-house, it ultimately falls to you to ensure that all personnel have undergone extensive background checks and targeted training on dealing with your patients and their family members. At one point during the alleged physical abuse, Mrs. Wheeler was prohibited from being with her husband and told she could not enter into an elevator with her husband and the two security officers.

Incident training encompasses much more than security, however. Your Incident Response Manual must be reviewed and updated annually, with revised versions of protocols and documentation logs, and emergency contact information for management and legal staff. A well-done manual is not only written with legal assistance; all revisions must also receive final approval from an attorney familiar with healthcare law. Staff training should include all clinical, administrative and ancillary personnel, and it is highly recommended that drills be conducted for various situations.

Oh, and regarding the administrator offering patients any drugs or pain killers they want? One word: Don’t.

As Mr. Wheeler’s complaints play out in the judicial system, there will likely be some more points to be gleaned on how not to run hospital operations. In the end, it would benefit all facilities to take a good, hard look at what you have down on paper, and what really happens when things go awry.


Fraud & Abuse News for Your Practice

By Jason E. Lopata, Esq.

Received a take-back letter recently or had a claims audit by an RAC?  Amid the changes found with health care reform laws passed earlier this year are new fraud enforcement powers that have the potential for impacting all medical practices, big and small.  Recently, President Obama took steps to target Medicare and Medicaid fraud and cut down on wasteful healthcare spending.  On August 26, 2010, his administration outlined new federal enforcement efforts to combat healthcare fraud, stating that fraudulent conduct is costing taxpayers billions of dollars each year.  During a healthcare fraud summit in California, Attorney General Eric Holder Jr. and Health and Human Services Secretary Kathleen Sebelius said their agencies were jointly targeting fraud in the federal Medicare and Medicaid programs.

The government initiative, originally launched in May 2009, had so far produced more than 580 criminal convictions and recovered more than $2.5 billion in fraudulent proceeds.  However, while $835 million in questionable Medicare payments were identified by private contractors in 2007, the government managed to recover only $55 million (7 percent) according to a recent report from the Office of the Inspector General.  Congressional investigators found that the average investigation lasted 178 days, long enough for many cases to go cold, making it hard to identify the individuals involved or recover money owed taxpayers.  The Obama administration said it is now reorganizing contracts with private investigators and trying to help them coordinate better with claims processors and law enforcement.

As part of the recent efforts, the Centers for Medicare and Medicaid Services (CMS) expects to transition from some previously used private investigators to zone program integrity contractors (ZPICs) to solve many of the over-spending problems identified. Two ZPICs became fully operational in February 2009, and all program safeguarding work will be transitioned to the remaining five by the end of 2010. The goal is to consolidate all Part A, B, C and D fraud-fighting activities under the ZPICs. With the transition to more ZPIC enforcement, and the increased use of Recovery Audit Contractors (RACs), CMS is taking multiple avenues toward combating fraud and abuse.

But you’re a good doctor – not engaged in any fraudulent conduct. How might this still affect your practice? According to the new legislation, government overpayments must be reported and returned within 60 days of identification. So constant monitoring for overpayment situations in your office is a must. Further, since all government payments can be suspended by CMS pending a “credible allegation of fraud,” make certain that you are taking steps to not let the appearance of impropriety arise. Lastly, HHS’ Office of the Inspector General now has greater and broader subpoena power in the event of a government audit, where failure to timely reply to requests for information could be penalized up to $15,000 per day. So should CMS request supporting documentation from your office in the event of an audit, take immediate measures to collect the data and submit it in a timely fashion.

Other steps your practice can take to prevent fraud include understanding and complying with all state and federal laws.  It sounds simple enough, but make sure that you are staying on top of all regulatory changes that may take place in your jurisdiction.  Also, create a culture of compliance in your office, making it a part of all partnership and staff meetings that take place, as well as employee training and education.  Part of that culture allows for the self-disclosure of any overpayments that are received from Medicare or Medicaid.  Another benefit of such an environment is that your practice does not have to fear “whistleblowers,” since disclosure of misconduct is encouraged and addressed properly.  Practices that self-disclose overpayments of government proceeds have more success working with CMS in resolving payment problems.

Protect Your Practice with a Sound Compliance Program

by Jason E. Lopata, Esq.

On an unsuspecting day, you arrive at your practice to discover your nursing manager wants to discuss a matter she overheard discussed in the billing department.  She states that one of the billers is posting out charges for services with modifiers that result in payment, but her colleague found a coding policy that considers that practice ‘unbundling’ of services, and therefore could prompt an audit and potential penalties if found to be the case. The billing employee brushed it off and stated that this is what she was told to do by one of the senior partners in order to make sure the claims got paid. Maybe it was an honest billing mistake, or perhaps something more sinister is occurring – but what do you do now?  Where do you turn for guidance as to how to investigate and properly handle these alleged fraudulent transactions that may be occurring in your practice?   The answer lies in a well-designed compliance program.

The healthcare industry is currently undergoing increased scrutiny of its billing practices, facility-physician relationships, and even treatment protocols, so it is vital that practices arm themselves with a competent compliance program.  Having policies in place shows an organizational commitment to compliance with state and federal regulations, regardless of the specialty or size of the group. A good compliance program should improve the efficiency of claims payments, minimize billing mistakes and improve the documentation of patient medical records.  Another benefit of such a program is a reduction in the chances that an audit will be conducted by CMS, OIG, and commercial Payers, and at the very least, would give your practice the benefit of the doubt should an audit occur.  The increased use of Recovery Audit Contractors (RACs) shows that government agencies are expanding their budgets to actively review all payments made and pursue those practices receiving reimbursements that appear to be outliers on set algorithms, regardless of the reasons for that.

So what is involved in a proper compliance program? Implementing proper, practice-wide procedures is a means to developing a code of conduct and establishing written policies to enforce it.  Key areas that should be addressed include coding and billing, proper documentation of medically necessary services, improper inducements or self-referrals, and record retention.

First, assign compliance monitoring to a compliance officer in the practice. This could be a senior physician, or your office manager.  As you build out the program, employee training should always be kept in mind, so that practice ethics and the policies and procedures established are followed and understood by your staff.  A good program will help your practice develop effective lines of communication.

Second, and most importantly, establish a protocol for responding to detected offenses and give your practice the ability to take immediate corrective action.  Consider the use of a ‘non-compliance’ report for placement in an employee’s file, conducting additional training to address the non-compliant behavior, and regular reviews of the practice’s procedures to ensure that there is guidance as to how to handle the situation should it arise within the practice again.

The top recommendation for all practices is to make compliance part of every staff meeting, by discussing issues that have come up within the practice or in the news, and make compliance adherence a part of every employee evaluation too. Every employee review should contain a rating on compliance and all training on compliance should be fully documented.  Employees must not only receive training on how to perform their jobs in compliance with the standards of the practice, but each employee must understand that compliance is a condition of continued employment.

While the task may seem daunting to integrate internal monitoring, implement compliance protocols, appropriately train employees, and enforce disciplinary standards – making the effort within your practice is necessary should that suspected misconduct or audit ever occur.  And if it doesn’t (and there is no way to guarantee such a thing), your practice should still find efficiencies and sound protocols that will positively affect the bottom line. And in the event of an audit, the totality of all of the documentation evidencing the continual reinforcement of compliance policies and procedures could support your practice’s argument that when a billing or claims mistake was made, it was just an “innocent” mistake, rather than an assumption that some type of fraud was being attempted within your practice.

Practice tip:  Don’t wait for an audit to happen, perform one yourself and make the necessary adjustments now. Select 50 files per physician and see if there is a pattern of high level or modified codes that might raise red flags with Medicare or Medicaid.  With those high complexity codes, is there always supporting documentation in the form of diagnostic results and physician notes or reports to support the submitted claims?  If the answer is no, adjustments need to be made in chart documentation policies and coding training at the provider level.  Think about conducting an “in-process audit,” which uses files for claims that have not yet been submitted for payment.  This provides the added benefit of allowing you to correct any mistakes before they are submitted.

Red Flag What Now?

by Tiffany Lauria

Ask any of the physician practices that were scrambling to meet the June 1st deadline for implementing the ‘Red Flags Rule’ about the decision to delay through December 31st and you are sure to be greeted with a chorus of ‘whew’ and  ‘thank goodness’.

To further ease the pain of their efforts, the AMA just recently posted that FTC Chairman Jon Leibowitz is in agreement that physicians should not be required to comply with the hotly debated rule. There have been no changes to the regulation, so practices still have to be prepared for a January 1, 2011 start; however this recent development bodes well for thinking that practices may be legally exempted at some point in the near future.

Speaking at the AMA annual meeting on June 14th, Mr. Leibowitz declared, “We feel your pain on red flags, and we want to fix it”.[1] From a practice management standpoint, why is this rule, which is intended to help identify, prevent and mitigate identity theft, such a hot button issue in the physician practice world? Simply put, more rules and regulations mean more work and expense on the part of the practice.

The ‘Red Flags Rule’, which stems from the Fair and Accurate Credit Transactions Act of 2003, lists a number of steps that must be undertaken by those entities that apparently meet the criteria for needing to comply with the regulation. Included among these steps are the determination of policies and procedures in the physician practice to identify red flags, or warning signs of identity theft, detect and respond to any of these flags, continually update these policies to keep up with changes or new flags that may be identified over time, get these policies reviewed and approved by practice management and finally, train practice staff on these policies and (here’s the kicker) actually implement and follow through with them.

Certainly, no one is debating the need for increased security of personal and financial information, and rightly so, the regulation is designed to put consumer interests first and foremost; however, physician practices are fighting a daily battle just to survive. Decreased payments, increased regulations, revolving payer policies, new technologies and, in the case of smaller practices, large entities eating up the business all combine to make keeping the doors to the practice open more difficult each day.

Add to this, the federal government declaring that your practice must spend a chunk of time identifying and preparing these policies and the loss of productivity of managers and staff during repeated training sessions and this equals a cumbersome requirement to an already overburdened practice. Further, implementing these policies may require a complete overhaul of practice administrative procedures, and may necessitate new technologies in the practice, a difficult thing to accomplish when there is a contested debate on whether physician practices truly meet the criteria for complying with the rule.

So what should a practice be doing right now to help protect patients from the potential for identity theft? A good place to start is by reviewing your current administrative and information storage procedures with an eye on how well your practice does on keeping patient information confidential.

– Are your billing staff dealing with patients at the front desk area or is there a private area where they can discuss patient items such as credit card numbers and balances?
– If your receptionists need to ask patients for a social security number or date of birth, do they provide them with a pen and paper to write the information down or is it relayed to them verbally while other patients wait in the area to be checked in?
– Are shredders or a document shredding service utilized and do staff know which documents and information must be destroyed?

Also, review your staff usernames and passwords policies, making sure that staff understand the consequences of sharing usernames and passwords, use usernames and passwords that are more complex than just first and last names, and if possible, restrict access to certain program areas to staff members that truly have a need for access (e.g. if your medical assistants never do billing functions, restrict their access to patient credit card numbers on file).

There are a number of ways in which practices can minimize the potential for identity theft and exceed HIPAA expectations for privacy and protection, regardless of whether it is determined that physician practices must comply with the ‘Red Flags Rule’ starting in 2011.

Take a look now at what your practice is doing to educate staff and protect patients, and consider having an outside expert do a quick assist in identifying areas for improvement or implementing policies that may increase efficiencies without increasing cost. While practices may be overburdened in many areas, doing things right the first time will always be faster and cheaper in the long run.

[1] Stagg Elliot, Victoria and amednews staff. (2010, posted June 28). AMA meeting: Physicians should not fall under “red flags” rule, FTC chair says. American Medical News. Retrieved from

For more information on FTC Chairman Jon Leibowitz’s comments at the AMA Annual Meeting, visit:

Living in a Facebook World – How is Your Practice Going to Use Social Media?

by Jason E. Lopata, Esq.

Facebook and other social networking websites are posing new ethical issues for physicians.  Virtually every industry feels the impact of social media platforms like Facebook and Twitter, and healthcare is no exception.  As physicians and providers discover the benefits of online marketing and learn to guard against the risks, practices must establish clear guidelines and procedures in how to use these new media.  With questions such as “should I ‘friend’ my doctor on Facebook?” or “is it proper for a doctor to include information obtained online in a patient’s medical record?” there is much ambiguity as these new forms of communication and interaction become more widely used.

While many physicians may be using the technology like the rest of us, for keeping in touch with friends and family, the recent trend has shown that doctors are starting to use social media to reach out to consumers.  Practices can introduce staff, highlight press coverage of the practice, offer general health advice, and share interesting links from around the web, all in an effort to interact with current patients and attract new ones.  However, some doctors are also using the new media, such as Twitter, to bring patients’ families and the general public into the physician’s offices, sometimes providing operating room statuses and sharing step-by-step medical procedures.  They may “tweet” real-time updates and videos as a way to reduce the fear factor of surgeries and educate people about the realities of certain procedures.

Yet, this raises major privacy concerns for the patient.  Even with physicians making efforts not to release personal health information (PHI) through these social media (by not including full names of patients, only initials), questions arise as to the appropriateness of certain public broadcast of medical information.  And with more patients having technology such as cell phone cameras and webcams, protecting privacy can be more challenging than ever before.  The posting of unauthorized pictures or detailing embarrassing treatment stories are possible consequences of allowing Facebook “friends” to post on your practice’s “wall.”  Therefore, practices must develop and implement safeguards across the entire practice – and this extends to the use of social media.  A social media policy should be instituted by your practice so both physicians and staff understand what is acceptable use and communication.

So what does a practice need to be aware of before jumping into the social media deep end?  In short, HIPAA, and its stated purpose of limiting the use of PHI to just treatment, payment, and relevant healthcare operations.  Merely removing names and addresses from patient data will not suffice if such PHI is otherwise broadcast online.  Instead, de-identified data (HIPAA specifies 18 “identifiers” that must be removed before PHI can be considered non-personal data) and limited data sets would better ensure confidentiality and the integrity of patients’ PHI.  In light of the further restrictions to PHI found in the HITECH Act of 2009, practices face stiffer penalties, up to $50,000 for each violation, and must safeguard against unauthorized PHI disclosures in their use of social media.

Your best bet – DON’T use social media to tell about patients or their stories.  Instead, keep posts limited to new information about your practice (such as new staff personnel, office hours, or changes to insurance requirements), articles and reading materials that your patients might find useful, and general information about specific ailments and their treatment.