• E-mail
• Print
• RSS

* Can a human resources employee serve as our privacy officer?
* How can our lab get proper documentation from a physician?
* Pay-per-view article: Managed care: Determine whether you are complying with state prompt-pay regulations

Compliance Monitor, March 13, 2003

Want to receive articles like this one in your inbox? Subscribe to Compliance Monitor!

Can a human resources employee serve as our privacy officer?

Q: Do hospitals or other covered entities under the Health Insurance Portability and Accountability Act (HIPAA) have to create an organizational policy that designates a privacy officer? Or, can we simply choose someone from our human resources department? If we have someone from our human resources department assume that role, I'm concerned that our workforce will not know about our privacy policies beyond the initial required privacy training.

A: Each covered entity must designate a "Privacy Official" responsible for the development and implementation of your organization's policies and procedures.

That said, if your human resources job description meets that definition, you should be in compliance.

"The [entire] regulation outlines the tasks of the privacy official, by specifying the policies and procedures required, and explaining the duties of covered entities," according to guidance from the Department of Health and Human Services. "Your privacy policies and procedures will define many roles and responsibilities of your privacy officer."

The government refers to privacy officers as a "single focal point." We can best interpret this to mean that you should always appoint a single privacy officer, even if you have a department or committee devoted to privacy efforts. The privacy officer may, however, be someone in the organization who has other duties, such as an office manager in a private practice, or a compliance officer in a larger organization.

The most important thing your workforce needs to know is when to refer special situations to the privacy officer. For instance, your policies and procedures might require referral when patients request access, amendment, or an accounting of their information disclosures, or if a law enforcement official demands access. Use formal and informal training to help your workforce know under which circumstances to refer issues to the privacy officer. Training also gives you an opportunity to help workers learn about the privacy officer's other roles and duties.

Your workforce needs to know that the privacy officer has the authority to set and enforce privacy policies and procedures, and that these apply to every worker. This is best communicated from the top-not through a written job description, rather through the words, actions, and attitudes of your organization's leaders.

This question was answered by Marion Neal, President, HIPAASimple.com.

Managed care: Determine whether you are complying with state prompt-pay regulations

State regulators are closely monitoring whether payers are paying claims within required time frames and, if not, whether they are paying the required interest. Managed care organizations (MCO) are facing steep penalties for noncompliance, and those penalties may get even worse as providers and beneficiaries team up to advocate prompt payments.

Go to "Managed care: Determine whether you are complying with state prompt-pay regulations" for the rest of this article. The cost is $10. Subscribers to the online version of Health Care Auditing Strategies have free access to this article. Subscribers to the print edition can find it in their February issues.

A $30 steal!

You can read this article-and much more-in the entire February issue of Health Care Auditing Strategies. Your cost: Four stories for only $30! You'll learn how to validate your compliance program's effectiveness through auditing, and tips for auditing inpatient bad debt. Choose between a PDF and HTML version for just $30. Online subscribers have free access to this issue; print newsletter subscribers can find it in their mailboxes.

Q: A physician is refusing to provide our laboratory with any form of diagnostic information, even though we have told her we cannot bill without an ICD-9 code. We've also explained the liabilities. I hope you can provide me or direct me to Medicare rules regarding the provision of diagnostic information that I can cite for her.

A: The Centers for Medicare & Medicaid Services (CMS) sent a Program Memorandum (Transmittal AB-03-021) to all Part B Medicare Carriers on February 14, 2003-and it addressed this common problem. The name of this memorandum is "Additional Documentation Requests (ADR) Requirements for Ordering Providers of Laboratory Services."

It provides guidance for carriers about when claims have been denied due to lack of documentation. It also outlines instructions for how a laboratory may submit appropriate documentation to support denied services. In addition, it states that a carrier may request supporting documentation directly from a referring physician.

According to CMS, if carriers find that documentation does not meet medical necessity requirements, they must allow the performing provider and the ordering provider to submit the appropriate documentation in order to get the claims paid. If the referring physician does not provide the appropriate ICD-9 and CPT codes that your laboratory needs, carriers are then required to provide both the performing provider (the lab) and the referring provider (the treating physician) an opportunity to send proper documentation.

With that explanation in mind, it becomes clear that your referring physicians must give your laboratory the appropriate documentation in order for you to collect proper payment, if the service meets medical necessity. If referring physicians do not provide that information, then they will be required to provide it to the carrier directly. The information should include

1. why the laboratory test was ordered
2. whether the services of the referring physician were also warranted, including those portions of the services that were associated with the ordered lab work, such as collection of sample, etc.

This question was answered by Rick Oliver, JD, CHCO, CPC, MT (ASCP), director of compliance at AmeriPath, Inc.

Want to receive articles like this one in your inbox? Subscribe to Compliance Monitor!

• E-mail to a Colleague
• Print
• RSS
• Archive