Essential resources for health care providers & attorneys during hurricane season

Hurricane season has arrived and health care providers in affected areas are focusing on providing services to injured individuals and rebuilding damage to facilities, but not necessarily on compliance with Medicare and Medicaid laws and regulations. To assist providers, federal and state agencies are temporarily waiving some regulatory requirements and providing other emergency services. While active hurricane recovery efforts are underway, Health Law Daily will feature links to federal and state resources.

Federal information:

State- and commonwealth-specific information:

How to avoid coding pitfalls for ambulatory services billing

Ambulatory services documentation presents compliance challenges as complex as those of inpatient services documentation, and providers need to be aware of them to avoid compliance risks while documenting for billing. Ellis Knight, M.D., Senior Vice President/Chief Medical Officer of the Coker Group, focused on ambulatory coding in an HCCA webinar titled “Clinical Documentation for Compliant Coding—It’s No Longer Just an Inpatient Issue.”

Clinical documentation improvement

Knight noted that coders “speak” a different language than clinicians and therefore clinical documentation improvement (CDI) has been mainly a translational process. Specifically, in relation to medical diagnoses, it means translating what a clinician may write down in the clinical note versus how the coder interprets the clinical note for billing purposes. Historically the focus has been on inpatient documentation, especially documentation to justify diagnostic related group (DRG) assignment and capture of major complications and co-morbidities (MCCs) and complications and co-morbidities (CCs). As a result, the “problem” is that reimbursement occurs with parties arriving at the same diagnosis with different billing codes.

Ambulatory documentation

As such, ambulatory documentation is as complex as the inpatient documentation arena, involving thousands of codes. A major complicating factor is that the time frame and volume of patient encounters make ambulatory CDI a much different work process than inpatient CDI. Knight noted that among the many compliance risks associated with ambulatory CDI, documentation must support: (1) medical necessity of services rendered (CPT codes); (2) specific services and level of care provided to the patient (CPT and HCPCS codes); (3) diagnoses (ICD-10); (4) severity of illness and clinical complexity (HCCs); and (5) quality of care rendered (HEDIS).

For medical necessity, the clinical documentation must justify the ordering of tests, performance of procedures, referrals to specialists or consultants, prescribing of medications and other activities which payers must cover. It must document services and level of services performed, as errors leave practitioners at risk for overbilling the carrier, which could result in treble damages under the False Claims Act. Moreover, Knight stressed that it is not enough to just document. HCCs must be documented on an annual basis and addressed, i.e., monitored, evaluated, assessed or treated, in order to be captured. With regard to quality of care, the clinical documentation must include provision of certain quality of care measures, e.g., immunizations, tobacco use, smoking cessation counseling, BMI measurement, obesity counseling, preventive care (colonoscopy, mammography).

AMA provides resources to help physicians with MIPS reporting

As part of its effort to improve Medicare Payment Reform, the American Medical Association (AMA) is providing tools for physicians to better understand and meet the reporting requirements under the new Quality Payment Program from CMS. The AMA has created a “One Patient, One Measure, No Penalty” campaign to help physicians understand the reporting requirements and avoid the 4 percent penalty for not reporting under the Merit-Based Incentive Payment System (MIPS) track. Along with this campaign, the AMA has created an interactive MIPS Action Plan that provides deadlines and a step-by-step plan of how to meet the reporting requirement deadlines.

As part of the “One Patient, One Measure, No Penalty” campaign, the AMA has provided a short video that demonstrates how to fill out CMS forms to accurately report a quality measure on a patient encounter. A step-by-step guide is also provided as a supplement to the video, along with a sample form to review. There are also links to other tools, such as the CMS Quality Measure Search tool, so that all of the resources are available in one easy-to-find location.

The MIPS Action Plan is a ten-step plan that begins with a determination of whether MIPS applies to the physician. The AMA provides a detailed breakdown of some of the determining factors, such as whether a physician is considered a hospital-based physician, in a frequently asked questions supplemental resource. The MIPS Action Plan then proceeds to walk through the process of reporting, including deadlines to start reporting, and submitting 2017 MIPS data.

Security management process is the foundation for compliance with HIPAA Security Rule

A security management process can be an organization’s biggest strength or biggest weakness, and most organizations lack one or all of the components that establish a security management process. In a Health Care Compliance Association (HCCA) webinar entitled “Is Your Security Management Process Your Biggest Risk?” presenters Kezai Cook-Robinson and Ahmad M. Sabbarini of Ernst & Young LLP emphasized that a security management process is the foundation for an organization’s compliance with the Health Insurance Portability and Accountability Act’s (HIPAA) (P.L. 104-191) Security Rule.

Under 45 C.F.R. Sec. 164.308(a)(1), a covered entity or business associate is required to implement policies and procedures to prevent, detect, contain, and correct security violations. This process requires covered entities and business associates to implement standards and required implementation specifications and to implement, when appropriate and reasonable, addressable implementation specifications through risk analysis, risk management, sanction policy, and information system activity review.

Risk analysis

Covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. This means, said the presenters, that covered entities and business associates must conduct an enterprise-wide risk analysis and develop a current, comprehensive, and thorough risk analysis of security risks and vulnerabilities to include the electronic personal health information (e-PHI) created, received, maintained, or transmitted by the organizations’ facilities and applications. This should be done periodically (calendar-based) and in response to events (event-based triggers).

As part of the risk analysis, organizations should conduct a comprehensive inventory of e-PHI. Assets can be grouped into a common grouping for purposes of the inventory—for example, if work stations have the same number and type of e-PHI, they can be grouped into one asset category. In addition, to save time and money, organizations should start with lists that have already been created from financial statements and privacy compliance activities.

Risk management

Covered entities and business associates should establish and implement an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis. It should include a process and timeline for an organization’s implementation, evaluation, and revision of its risk remediation activities. The presenters noted that the higher the risk, the more robust the controls that are needed.

Sanctions policy and information system activity review

The security management process also requires covered entities and business associates to apply appropriate sanctions against workforce members who fail to comply with security policies and procedures and to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Documentation

“Document, document, document,” said Cook-Robinson, because “it does not exist unless it’s in writing.” She advised that covered entities and business associates document and keep as records the analyses, decision making, and rationale for overall risk assessments, as well as individual risk analyses for implemented safeguards.

NIST guidelines

Cook-Robinson and Sabbarini also advised organizations to align as necessary with the guidelines and frameworks that HHS leverages, including the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF) and NIST 800-30.