- Number of slides: 69
Georgia Chiropractic Association October 20, 2017 Chiropractic Recordkeeping, ICD-10, Medicare and HIPAA Compliance Dr. Marty Kotlar, President, Target Coding
No Audio or Video Taping Allowed. Any Unauthorized Reproduction, Dispensing, Forwarding or Copying of this Target Coding Presentation is illegal.
DISCLAIMER & LEGAL NOTICE: The information contained in this presentation is for educational purposes and is not intended to be and is not legal advice. The laws, rules and regulations regarding the establishment and operation of a healthcare facility vary greatly and are constantly changing. Target Coding does not engage in providing legal services. If legal services are required, the services of a healthcare attorney should be obtained. The information in this presentation is for educational purposes only and should not be construed as written policy for any organization. No part of this presentation covered by the copyright herein may be reproduced, transmitted, transcribed, stored in a retrieval system or translated into any language in any form by any means (graphics, electronic, mechanical, including photocopying, recording, taping or otherwise) without the expressed written permission of Target Coding. Target Coding assumes no liability for data contained or not contained in this presentation and assumes no responsibility for the consequences attributable to or related to any use or interpretation of any information or views contained in or not contained in this presentation. CPT® is a registered trademark of the AMA. The AMA does not directly or indirectly assume any liability for data contained or not contained in this presentation. This presentation provides information in regard to the subject matter covered. Every attempt has been made to make certain that the information in this presentation is 100% accurate; however, it is not guaranteed.
Marty Kotlar, DC, CPCO, CBCS, President, Target Coding
• Certified in CPT Coding (CBCS)
• Certified Professional Compliance Officer (CPCO)
• CPT & ICD-10 coding, Medicare, HIPAA compliance
• Chiropractic recordkeeping, treatment plans, compliant cash plans
• Author of 10 compliance & documentation training manuals
• Writer for Chiropractic Economics & Dynamic Chiropractic
• Guest speaker at many state association conferences
HIPAA Basics Key Points:
• HIPAA became law on August 21, 1996.
• Its main purpose is to protect patient health information, also known as PHI (protected health information).
• HIPAA applies to all Covered Entities.
• Covered entities include healthcare providers, insurance companies and clearinghouses.
• Are you a Covered Entity?
Are You a Covered Entity?
Are You a Covered Entity? Question #1: Do you bill or receive payment from insurance companies?
YES = Covered Entity
NO = Not a Covered Entity
Are You a Covered Entity? Question #2: Do you submit claims electronically?
YES = Covered Entity
NO = Not a Covered Entity
Are You a Covered Entity? Key Points:
• What about all-cash practices?
• I use a billing company.
• Everything is in the cloud.
• Most of my practice is personal injury.
• I do not use a computer.
• I still use handwritten notes and forms.
• I do not have any employees.
Having a few HIPAA forms signed or using a certified software company DOES NOT mean you’re HIPAA compliant.
Are You a Covered Entity? Key Points:
• Can you opt out?
• Most DCs are covered entities = HIPAA is mandatory.
• You may not have to implement a formal HIPAA program, although some state requirements may be stricter than federal.
• Better safe than sorry.
• Having a HIPAA program in your practice is like buying homeowners insurance: you feel better knowing you have it in case of emergency.
HIPAA Compliance Key Points:
• Sign-in sheets.
• Place paper files/records face down.
• Face computer screens away from public view.
• Log out when taking breaks and at the end of the day.
• Speak quietly in open therapy rooms and at the front desk about PHI.
• Speak loudly about chiropractic.
HIPAA Compliance Security Rule
• Relates to the protection of electronic PHI (ePHI).
• This includes ePHI at rest or in transit.
• 3 Safeguards: Administrative, Physical and Technical.
• Administrative: implementation of employee termination procedures, a recovery plan for power failures, backup procedures.
• Physical: ensure servers are in a safe place, limit access to servers, implement a workstation use policy, install privacy screens, define who has authorized access to servers, anti-virus software and firewalls. Do you have an IT person?
Firewall: blocks or stops unauthorized access through certain ports/networks (http, ftp). Example: Linksys.
Anti-virus: protects against malicious software (trojans, worms). Scans computer files and quarantines viruses/malware. Examples: Norton, McAfee.
HIPAA Compliance Security Rule
• Technical: Only open emails from trusted sources.
• Keep passwords confidential.
• Do not use a password that can be easily guessed.
• Do not share your password with anyone.
• Change the default password.
• Automatic lock after 3 failed attempts.
• Encryption is very important.
• Keep software up to date.
• Do not use “unsupported” software (for example, older Windows versions).
HIPAA Compliance Email
• Can you email patients? The Security Rule does not prohibit communication via e-mail or other electronic means. Information can be sent over the internet as long as it is adequately protected.
• In general, e-mailing information such as appointment reminders is allowable as a part of treatment and does not require authorization under the Privacy Rule.
• Providers should make sure that the e-mail contains the minimum amount of information needed, should verify the email address and confirm that the patient wants to receive e-mails.
HIPAA Compliance Email
• If your email does not contain protected health information (PHI), then it does not need to be encrypted; for example, an email newsletter about health and fitness or even an appointment reminder.
• If you want to communicate with patients via email that contains PHI, then this should be done through a patient portal that automatically encrypts the information; most software includes this feature.
• You can also encrypt your email without a patient portal; check with your IT person.
HIPAA Compliance Officer
• A compliance officer is an employee of your organization whose responsibilities include ensuring that the company complies with federal and state regulatory requirements and internal policies.
• A compliance officer may also design or update internal policies to mitigate the risk of the company breaking laws and regulations, as well as lead internal audits of procedures.
• If a staff member is not qualified to be a compliance officer, it is appropriate for the doctor to name him/herself the office compliance officer.
HIPAA Compliance Officer
• The compliance officer must have an excellent and thorough understanding of the business and have skills and human qualities which allow him/her to advise, train and raise awareness amongst company staff on the significance of business ethics and compliance.
• The compliance officer should organize and supervise training sessions either through meetings or e-learning.
• Compliance officers are expected to provide an objective view of company policies and be on the alert for potential areas of vulnerability or risk.
HIPAA Basics Common Business Associates:
• Billing companies
• Software companies
• Clearinghouses
• Attorneys
• IT consultants
• Collection agencies
• Transcription services
• Cloud service vendors
• ICs (independent contractors) accessing your system from an outside location
• Who is not an employee that can access PHI?
Social Media & HIPAA
HIPAA Basics Social Media:
• Do not recommend conversations regarding PHI on any social media platform (Snapchat, FB Live).
• No selfies or posting without written authorization.
• Breach violations can occur easily and inadvertently.
• Discourage staff members from “friending” patients.
HIPAA Basics Did ESPN Violate HIPAA?
• Jason Pierre-Paul (NY Giants).
• Hospital chart shows right index finger amputated.
• Employee of hospital gave information to ESPN.
• HHS could fine hospital.
• Pierre-Paul could sue hospital for negligence.
HIPAA Compliance Online Reviews
• Even the best providers have patients that may not agree with your approach.
• Reviews could be “minor,” such as long wait times or unfriendly staff.
• Most patient complaints are about bedside manner.
• Take time before responding.
• If a review is fake or misleading, contact the review site, explain the situation and provide evidence.
HIPAA Compliance Online Reviews
• Respond to negative reviews (if possible) professionally; try to defuse all situations.
• If a patient is very unhappy, respond privately; show sincerity and compassion.
• Suing patients is probably a bad idea; doctors rarely win.
HIPAA Policies & Procedures
HIPAA Compliance SRA (Security Risk Assessment)
• All covered entities must perform an SRA.
• The purpose of an SRA is to identify where ePHI is located, the threats to ePHI, the risks to ePHI, and to determine safeguards to better protect ePHI.
HIPAA Compliance SRA (Security Risk Assessment)
• Sample Risk Assessment questions:
Do you have a disaster recovery procedure in place? The HIPAA Security Rule requires that a policy be in place and staff trained in case of fire, vandalism, system failure, and natural disaster that damages systems that contain electronic protected health information. A disaster recovery plan and procedure is required to restore any loss of data.
HIPAA Compliance SRA (Security Risk Assessment)
• Sample Risk Analysis questions:
Are workforce members aware of workstation use policies that prohibit online activities such as email, social networks, etc.? The HIPAA Security Rule states that all workforce members should be made aware of proper workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
HIPAA Compliance SRA (Security Risk Assessment)
• Sample Risk Assessment questions:
Is anti-malware (anti-virus and anti-spyware) installed and updated on each of the organization's workstations and servers? Malware (computer viruses and spyware) is one of the leading causes of data being stolen or breached. It is critical to have anti-malware installed on all systems including workstations, laptops, servers, etc. The anti-malware should be automatically updated with new definition files.
Do workforce members with laptops take the system home, or out of the office? One of the leading causes of ePHI data breaches is lost laptops and portable media. Laptops that contain ePHI should be tracked and only authorized workforce members should be allowed to remove them from an organization's offices.
HIPAA Compliance SRA (Security Risk Assessment)
• Sample Risk Assessment questions:
Are all the office’s laptops encrypted to protect the data stored on them? One of the leading causes of ePHI data breaches is lost laptops and portable media. Laptops that contain ePHI should be encrypted to prevent access to ePHI in the event a laptop is lost or stolen.
Are workforce members required to change their passwords periodically? Requiring workforce members to change passwords every 30, 60 or 90 days will help secure their user accounts. Password changes prevent breached accounts from being accessed over a long period of time.
HIPAA Compliance SRA (Security Risk Assessment)
• Sample Risk Assessment questions:
Does the office have a procedure for the disposal of electronic media that stores ePHI? Media that contains ePHI must be properly disposed of. All ePHI must be removed prior to disposal. Simply deleting the ePHI from the media is not enough to safeguard the data. Special programs that totally eliminate the data from the media must be used. The HIPAA Security Rule states: Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
HIPAA Basics Key Points:
• Start with a security risk assessment.
• Designate a compliance officer.
• Create written policies & procedures.
• Identify your BAs & update your BAAs.
• Have formal staff trainings.
• Log trainings and actions in a procedure manual.
HIPAA Basics HIPAA vs Medicare Compliance:
• The main purpose of HIPAA compliance is to protect PHI.
• The main purpose of Medicare/OIG compliance is to prevent billing and coding errors.
• How do you provide proof that you make formal efforts to prevent billing and coding errors (fraud and abuse)?
• A Medicare/OIG policy & procedure manual can provide the “proof.”
Medicare Policies & Procedures
HIPAA Compliance Office of Inspector General (OIG):
• The mission of the OIG is to protect the integrity of the Department of Health & Human Services (HHS) programs as well as the health and welfare of program beneficiaries.
• Chiropractic is a covered service in the Medicare program.
• There have been 9 OIG reports on chiropractic.
Can you treat Medicare patients without being enrolled in the Medicare program?
Can you collect cash from Medicare patients without billing Medicare?
Have you re-validated your Medicare organization profile within the last 3 years?
Can DCs opt out of Medicare? Opt out is a private contract; DCs are not on the list of providers that can opt out. MDs can opt out.
Can DCs opt out of HIPAA?
Why Have a Billing & Coding Policy Manual?
For Your Staff: Your staff members want organization and leadership. They want to work in an ethical and trustworthy atmosphere. A billing & coding policy manual creates a culture of compliance and is an extension of your mission and values. Also, if you have a staff member that is accusing you of wrongdoing, a policy manual is your ammunition to defend any alleged misconduct.
For Insurance Companies/State Boards/Malpractice: A billing & coding policy and procedure manual can prevent audits. And if audited, it can mitigate fines and penalties. You look bad and unprofessional if you cannot prove to an investigator, state board or patient what your billing & coding policies are. They must be formal... that means in writing and kept track of in training logs.
For The Doctor: A billing & coding policy manual is a custom-made document for your particular type of practice. For example, do you have a policy on full-spine adjusting when you only bill 98940? A billing & coding compliance manual allows you to tell "your story" in a professional manner. It will definitely help you S.W.A.N. (Sleep Well At Night).
Chart Audit Tool (slide image not reproduced in this text)
HIPAA Compliance Action Steps to Prevent Problems:
• Read your local Medicare LCDs, read the chiropractic policies from the health plans you bill, review with staff and log the training into your office policy & procedure manual.
• Attend seminars, webinars, watch videos and read books.
• Review your patient notes with a certified coder that specializes in chiropractic.
• Medicare Policy & Procedure Manual: can prevent audits, help you sleep better, plus it may improve office efficiency.
HIPAA Compliance Summary:
• Start with a security risk assessment.
• Designate a compliance officer.
• Create written policies & procedures.
• Identify your BAs & update your BAAs.
• Have formal staff trainings.
• Log trainings and actions in a procedure manual.
Useful Links: HIPAA for Healthcare Professionals: https://www.hhs.gov/hipaa/for-professionals/index.html
Useful Links: Do-it-yourself Security Risk Assessment: https://www.healthit.gov/providers-professionals/security-risk-assessment-tool
The ABN Form Advanced Beneficiary Notice of Non-Coverage
www.cms.gov/Regulations-and-Guidance/Manuals/Downloads/clm104c30.pdf
• The ABN form has ten (10) customizable areas labeled (A) through (J).
• Areas (A)–(F): complete prior to giving to the patient.
• Area (G): MUST be completed (check an option box) by the patient (or his/her representative).
• Area (I): MUST be signed by the patient or his/her representative (cursive signature).
• Area (J): patient enters the date the form was signed.
Non-covered services: http://www.cms.gov/Regulations-and-Guidance/Manuals/downloads/clm104c01.pdf
From: Medicare Claims Processing Manual (chap. 1), Payment Condition 1.
There is no required notice if beneficiaries elect to receive services that are excluded from Medicare by statute. This is understood as:
• not being part of a Medicare benefit, or
• not covered for another reason that a provider can define, but that would not relate to potential denials under §§ 1879 or 1862(a) of the Act (listed above in 60.1).
If written notification of potential liability for statutory exclusions is desired to aid beneficiaries, even though not required by Medicare, the ABN may be used for such voluntary notification purposes. Explanation of this use can be found at the Centers for Medicare and Medicaid Services (CMS) Web site:
• www.cms.hhs.gov/medicare/bni/
Any other situations in which a patient is informed a service is not covered should also be documented in patient records, making clear the specific reason a beneficiary was told a service would be billed as noncovered.
Closing Comments: You must check with all the carriers you bill prior to submitting claims based on the information provided in this presentation to ensure that it is compliant. Target Coding does not guarantee that the information provided in this presentation will guarantee payment from any insurance carrier or patient. Target Coding is not responsible for any insurance carrier or managed care organization laws, rules and guidelines that may change following this presentation. Please understand that insurance carrier rules, laws, guidelines and regulations change, so it’s important to do your best to stay on top of any changes that may occur by attending seminars, webinars and joining your National and State Professional Associations.
Thank You For Attending!
Contact Info:
• E: [email protected]
• W: TargetCoding.com
• T: 1-800-270-7044
• F: 1-844-831-2347