HCPro.com - Compliance Monitor

This month in Briefings on Coding Compliance Strategies

Wed, 08 Feb 2012 14:54:00 GMT

Every month, Compliance Monitor provides a sneak peek at Briefings on Coding Compliance Strategies, a monthly print and electronic newsletter that offers information and strategies for effectively and efficiently following inpatient coding documentation and billing rules.

The February issue examines:

CMS’ rebilling and prepayment demonstrations
Three-day payment window requirements
ICD-9-CM guidelines for coding pain

Visit HCMarketplace for more information or to subscribe to this newsletter.

HIPAA Q&A: Flu shot requirement for hospital employees

Wed, 08 Feb 2012 14:53:00 GMT

Q: Our healthcare facility is requiring employees to get the flu shot or they will have to wear a mask when within 6 feet of patients. Is this not a violation of employee or patient privacy?

A. The Privacy Rule only protects the privacy of patient, not employees. Requiring non-vaccinated employees to wear a respiratory mask to protect the health of patients does not violate the patient’s privacy and may prevent the spread of infection.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of HIM at Scott & White Healthcare in Temple, TX answered this question in the February issue of Briefings on HIPAA. Brandt is a nationally recognized expert on patient privacy, information security, and regulatory compliance, and her publications provided some of the basis for HIPAA’s privacy regulations.

Tip: Perform your own internal investigation prior to government audit

Wed, 08 Feb 2012 14:49:00 GMT

If the government is paying your facility a visit, you'd better understand what they're looking for and figure out whether your organization did something wrong, says Lawrence Vernaglia, a partner in the Boston office of Foley & Lardner, LLP. "I think the goal is always to conduct your own analysis," he says. "You want to understand what the rules are and what is billable and not billable.” This investigation is not necessarily something you want to share with investigators unless you are specifically requested to do so.

One problem organizations may run into when they try to investigate a problem is the tight turnaround time they face as a result of the government's new 60-day rule. The Patient Protection and Affordable Care Act now requires all organizations that participate in Medicare and Medicaid to self-report and return overpayments within 60 days after the organization discovers the problem, says Vernaglia. This doesn't give the compliance officer a lot of time to evaluate the situation before responding, he says.

"This has caused a virtual panic among compliance officers. When they have their first sniff of an overpayment, they have an urge to whip out their checkbook," says Vernaglia. While they're right to worry about meeting the new deadline, they shouldn't let the deadline threat force them to forgo internal investigation efforts. If you pay up without looking into the issue, you may actually be negligent in your duties to the organization you represent, he says.

Editor’s note: This tip has been adapted from an article originally published in the February issue of HCPro’s 12-page newsletter Strategies for Health Care Compliance.

HHS task force: Consider privacy, security with text messages

Wed, 08 Feb 2012 14:46:00 GMT

An HHS task force recommends that if the government encourages and helps develop health text messaging and mobile health programs, it better look into privacy and security concerns.

The task force Jan. 26 recommends that HHS conduct “further research” into the privacy and security risks associated with text messaging of health information and establish guidelines for managing such privacy/security issues.

“The exchange of health information via text messages raises privacy and security issues specific to this medium,” the task force wrote in an HHS release. “Text messaging programs may be subject to numerous privacy and security laws, including [HIPAA's] privacy and security rules.”

Read more on the HIPAA Update blog.

HIPAA 5010 deadline extended, but threat remains, says AMA

Wed, 08 Feb 2012 14:43:00 GMT

CMS' Office of E-Health Standards and Services (OESS) has announced a 90-day period of "enforcement discretion" for compliance with the 5010 HIPAA transaction standards, but leading professional organizations say that is not enough, according to a February 6 HealthLeaders Media article.

Expressing serious concerns about the ability of physician practices and payers to make the conversion to the 5010 electronic transaction standards and ICD-10 (a new code set for medical diagnoses) in time, both MGMA and the AMA are calling for change. The two agencies say that the government needs to form a comprehensive contingency plan permitting health plans to adjudicate claims that may not have all the required data content; or the government needs to call an outright halt to the transition.

CMS has extended the 5010 compliance deadline to March 31, 2012. OESS announced that it is delaying compliance enforcement in order to allow more physician practices the opportunity to implement the new billing coding standard without incurring penalties. The 90-day delay did not affect the implementation date for the coding systems, which took effect January 1, 2012 (January 1, 2013, for small health plans).

Read more on the HealthLeaders Media website.

Survey: Do you have a plan for incorporating the Medicaid Recovery Audit Program into your existing Medicare Recovery Audit Program?

Wed, 01 Feb 2012 17:12:00 GMT

Survey: Do you have a plan for incorporating the Medicaid Recovery Audit Program into your existing Medicare Recovery Audit Program?

Yes, we have procedures already in place
Not yet, but we are working on developing complementary policies
No, we plan to develop a separate system for the Medicaid Recovery Audit Program
We have not begun developing procedures at this time

Submit your response by selecting “Quick Poll” at HCPro’s Corporate Compliance website.

HIPAA Q&A: HIPAA-compliant phone messages

Wed, 01 Feb 2012 17:05:00 GMT

Q: What do you recommend for HIPAA-compliant phone messages regarding copay due at time of service and time of surgery change?

A: Since there is no way to know who may listen to voice mail messages left for a patient, always follow the “minimum necessary” rule. Teach your staff to leave the least amount of information needed to accomplish the purpose. If more information is needed, ask the patient to return the call.

Here are some good practice examples:

“This is Karen at the ABC Clinic calling for Mr. Smith. This is a reminder about your appointment on Tuesday, January 10, at 10:30a.m. There is a copayment of $30 due at the time of the visit. If you have any questions, please call us at 999-9999.”

“This is Karen at the ABC Clinic calling for Mr. Smith. We have changed the time for your procedure on Tuesday, January 10. Please report at 1:30 instead of 1p.m. Please call us at 999-9999 if you have any questions. Thank you.”

Note the minimal information left in the messages. There is no information regarding the name of the physician Mr. Smith will see, what services will be provided, or the type of surgery to be done.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, originally answered this question in the February 2012 issue of the HCPro, Inc. newsletter, Briefings on HIPAA. Brandt is vice president of HIM at Scott & White Healthcare in Temple, TX and a nationally recognized expert on patient privacy, information security, and regulatory compliance. Her publications provided some of the basis for HIPAA’s privacy regulations.

Dealing with data breaches

Wed, 01 Feb 2012 17:02:00 GMT

The following is adapted from an article authored by Greg Freeman that originally appeared in the January 2012 issue of HealthLeaders magazine.

You pick up the phone and someone tells you that a laptop containing thousands of patient files was left behind on the morning train. Or you learn that your own employees have been snooping into sensitive patient records for fun and profit. Or you discover that, for some odd reason, patient records have been posted on a completely unrelated public website for anyone to see, and they’ve been there for nearly a year.

Each of these scenarios has played out for some unfortunate healthcare executive, and they hold lessons in how to avoid such disasters, plus the best way to respond to such a crisis. Some of the most notorious HIPAA violations occurred within the UCLA Health System at the UCLA Medical Center, where singer Britney Spears was hospitalized in early 2008. After the Los Angeles Times reported that employees had been caught perusing Spears’ records with no legitimate reason, the hospital confirmed the HIPAA violations, fired 13 employees, and took disciplinary action against others. It also suspended six physicians.

Read more on the HIPAA Update blog.

Nurse pleads guilty to Medicare fraud

Wed, 01 Feb 2012 16:59:00 GMT

Jorge Pineiro, a registered nurse in Miami who worked for ABC Home Health Care Inc. and Florida Home Health Care Providers, Inc., pleaded guilty to one count of conspiracy to commit healthcare fraud, according to a January 24 Department of Justice press release.

Court documents indicate that between June 2008 and March 2009, Pineiro submitted nursing notes with non-existent symptoms such as tremors, impaired vision, and inability to walk without assistance for Medicare beneficiaries. Pineiro was aware that these beneficiaries did not have these symptoms and did not receive the bill for services. Medicare was billed approximately $118,000 as a direct result of these filed claims.

Pineiro is scheduled for sentencing in April and faces a maximum prison sentence of 10 years in addition to fines and supervised release.

Read more on the OIG website.

Physician referral patterns ripe for scrutiny

Wed, 01 Feb 2012 16:55:00 GMT

When is a general practitioner's referral of a patient to a specialist an appropriate one that will likely lead to better outcomes, and when is it a categorical waste of money? Even worse, when is it something that provokes an unnecessarily harmful intervention involving more radiation, more specialists, false positives, or even useless surgery?

According to a January 26 HealthLeaders Media article, these questions surround the latest quality issue emerging from the dramatic increase in referrals to specialists, highlighted by Harvard Medical School researchers. In a study, they pose even more questions about whether and when a generalist should recommend a patient see another doctor.

The report, by Michael Barnett, MD, Zirui Song, and Bruce Landon, MD, and published in the Archives of Internal Medicine, looks at a sample of data from nearly one million ambulatory visits to primary care providers collected by two respected surveys. They found the number of referrals to a specialist doubled from 1999 to 2009, while during the decade before, rates were stable.

"That fact alone has significant implications for the cost of care and care patterns, because the referral isn't a single visit to a specialist," Landon explains in an interview with HealthLeaders Media. "It potentially opens up a whole cascade of testing and treatments and hospitalizations and procedures, and additional referrals.

Read more on the HealthLeaders Media website.

HIPAA Q&A: Maintenance of medical records after physician death

Wed, 25 Jan 2012 20:13:00 GMT

Q: If a sole family practice physician suddenly dies, what should happen to the patients’ medical records? The practice was simply closed after the physician’s death. Do the records need to be stored, and, if so, by whom? Should patients be notified by mail? Can notices be posted in the local paper with expiration dates on when the records will be available? Can the records simply be shredded?

A: Patient records must be maintained for the minimum time period required by state law, even if the physician who created them retires or dies. In addition, the records must be accessible to patients and their personal representatives for as long as they are maintained.

The law in many states outlines specific requirements for handling patient records in the event of the provider’s retirement or death. If state law does not provide specific requirements for maintaining patient records, they should be kept for at least one year past the statute of limitations for filing a lawsuit. In the event of a physician’s death, the executor of the estate must make arrangements for preserving the records of the physician’s practice. Patients should be notified by mail or through print media so they know how to obtain copies of their records.

Editor’s note: Mary D. Briant, MBA, RHIA, CHE, CHPS, originally answered this question in the February 2012 issue of the HCPro, Inc. newsletter, Briefings on HIPAA. Brandt is vice president of HIM at Scott & White Healthcare in Temple, TX and a nationally recognized expert on patient privacy, information security, and regulatory compliance. Her publications provided some of the basis for HIPAA’s privacy regulations.

Atlanta man gets jail time for stealing PHI

Wed, 25 Jan 2012 20:08:00 GMT

A federal judge sentenced an Atlanta man to 13 months in prison January 10 for intentionally accessing a competing medical practice’s computer without authorization in order to send marketing materials to patients, according to a U.S. Attorney’s office release.

Eric McNeal, a 38-year-old IT specialist, accessed the computer owned by A.P.A, a perinatal medical practice in Atlanta and his old employer, according to United States Attorney for the Northern District of Georgia Sally Quillian Yates. After leaving A.P.A. in November 2009, McNeal joined a competing practice located in the same building.

McNeal downloaded the names, telephone numbers, and addresses of A.P.A.’s patients, and then deleted all the patient information from A.P.A.’s system in April 2010. McNeal then targeted those patients with a direct-mail marketing campaign for his new employer, according to federal officials.

Read more on the Department of Justice website.

Ten arrested for Medicare fraud in Puerto Rico

Wed, 25 Jan 2012 20:05:00 GMT

A federal grand jury in the District of Puerto Rico indicted 10 individuals on 39 counts of conspiracy to commit healthcare fraud for nearly $2 million, according to a January 19 OIG press release. Among those indicted were Gilberto Gómez, president of Monte Mar Health Corporation, PROMEDS Medical Inc., and Quality Care Medical Supply, and his wife Yolanda García-Rodríguez, president of PROMEDS, secretary/treasurer of Monte Mar, and official at Quality.

Court documents indicate that between November 2008 and May 2010, Monte Mar Health Corporation submitted approximately 1,518 fraudulent claims for durable medical equipment (DME) resulting in a total of $1,440,597.65 in Medicare payments.

Gómez purchased PROMEDS in March 2010 and submitted approximately 359 in fraudulent claims to Medicare for DME which resulted in payments from Medicare totaling $335,493.12.

Lastly, Gomez purchased Quality and from October 2010 to May 2011 submitted false claims to Medicare and received $180, 657.77 in payments. Ultimately, Medicare paid a total of $1,956,750.54 to the three companies.

The defendants could face up to 10 years in prison for the healthcare fraud and a fine of up to $250,000.

Cape Fear Valley Medical Center averts Medicare defunding

Wed, 25 Jan 2012 20:00:00 GMT

Cape Fear Valley Medical Center (CFVMC) in Fayetteville, NC has entered into a systems improvement agreement with CMS that will allow the 485-bed safety-net hospital to retain its Medicare funding, according to a January 20 HealthLeaders Media article. As part of the agreement, CFVMC must take action to correct deficiencies that have resulted in three immediate jeopardy status reports since October 2011.

CMS confirmed that until reaching the "rare agreement" with CFVMC, it had intended to publish a public notice that "the Medicare provider agreement between Cape Fear Valley Medical Center (CFVMC) and the Secretary of Health and Human Services (HHS) would be terminated effective January 19, 2012."

Read more on the HealthLeaders Media website.

Survey: RAC audit trending

Wed, 18 Jan 2012 16:21:00 GMT

Does your facility have a system in place for studying RAC trends?

Yes
We are in the process of developing such a system
No

Submit your response by selecting “Quick Poll” at HCPro’s Corporate Compliance website.

Compliance Q&A: Annual log of data breaches

Wed, 18 Jan 2012 16:19:00 GMT

Q: I would like some direction on the annual log of breaches affecting fewer than 500 individuals to be sent annually to HHS. What information is needed on this log? To exactly whom do we send it? Is there a government form we need to use? Any help would be appreciated.

A: The breach notification rule requires covered entities to provide the Secretary of HHS with notice of breaches of unsecured PHI (45 CFR 164.408). The appropriate forms can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.

You must report breaches involving fewer than 500 individuals by March 1 of each year at the latest. This can be done all at once or as breaches occur; it is up to you.

For breaches involving 500 or more individuals, notification must be made without "unreasonable delay" and no later than 60 days after the discovery of the breach.

Editor’s note: Chris Simons, RHIA, originally answered this question in the January 2012 issue of the HCPro, Inc. newsletter, Medical Records Briefing. Simons is the director of utilization management and HIM, and privacy officer at Spring Harbor Hospital in Westbrook, ME.

Study: HIPAA breaches on the rise

Wed, 18 Jan 2012 16:11:00 GMT

Patient information data breaches climbed 32% in 2011, according to the Ponemon Institute’s “2011 Benchmark Study on Patient Privacy and Data Security” report, released in December 2011.

Breaches cost the healthcare industry about $6.5 billion each year, according to report from the Traverse City, MI,-based institute, which conducts independent research on privacy, data protection, and information security policy.

Sloppy mistakes by staff members and unsecured mobile devices cause many of the breaches, according to the study.

Read the rest of this post and more on HCPro’s HIPAA Update blog.

Louisiana DME owner and patient recruiter sentenced to prison for Medicare fraud

Wed, 18 Jan 2012 16:09:00 GMT

A patient recruiter and a DME company owner were sentenced to federal prison for soliciting prescriptions for power wheelchairs for Medicare beneficiaries who did not qualify for the services, according to a January 12 Department of Justice press release.

U.S. District Judge James J. Brady of the Middle District of Louisiana sentenced Unique Medical Solutions owner Nnanta Ngari to five years in prison while Ernest Payne received a prison sentence of four years and seven months.

Court documents indicate Ngari submitted $4.7 million in Medicare claims between 2003 and 2009 for services federal officials said never happened. Medicare made approximately $2.5 million in payments to Ngari over the six year period. From this, Ngari paid kickbacks to Payne and others for their involvement in the scheme.

Read more on the Department of Justice website.

Third immediate jeopardy for Cape Fear Valley Medical Center

Wed, 18 Jan 2012 16:06:00 GMT

Cape Fear Valley Medical Center (CFVMC) in Fayetteville, NC has received notification from the CMS Atlanta office that it faces its third immediate jeopardy status in as many months, according to a January 13 HealthLeaders Media article.

The 485-bed medical center, which is a safety-net hospital, must submit a corrective action plan (CAP) to CMS by Jan. 19. Another survey will be performed to confirm that the CAP has been implemented and is successful.

Although the exact nature of the new problem is unknown, CMS applies the immediate jeopardy designation to situations that represent an immediate and serious threat to patient health and safety. In an e-mail statement, Vince Benbenek, a CFVMC spokesperson, referenced a telemetry problem. "The deficiency found in the Dec. 22 survey relates to our policy for telemetry. Our practice was consistent with national guidelines. Our policy however, was not in line with our practice. Therefore we have updated our policy to match our practice."

Read more on the HealthLeaders Media website.

Tip: Use nontechnical controls to assess individuals who may pose a risk

Wed, 11 Jan 2012 19:10:00 GMT

Editor’s note: Insiders with malicious intent can cause a lot of damage to healthcare organizations. By taking a look at the crimes insiders commit, healthcare organizations can learn how to help prevent these threats. This is the first in a series of tips from the HCPro, Inc. newsletter Briefings on HIPAA to help fight threats from the inside.

Organizations need to use a mix of technical and nontechnical controls to handle insider threats, said Randall F. Trzeciak, technical team lead of the Insider Threat Research Group, which is part of the federally funded Software Engineering Institute CERT® program at Carnegie Mellon University in Pittsburgh.

The same technical controls-multifactor authorization, dual controls, and separation of duties-that help stop threats from outside your organization can stop insiders.

However, you can't solve the problem of inside threats with technical controls alone, said Trzeciak, who spoke at the Fifth HIPAA Summit West in September 2011 in San Francisco. You should have those controls in place, but keep in mind that insiders are trusted individuals. Insiders in your IT department know where your controls are and know ways around them, he said.

Read the rest of this blog post on implementing nontechnical controls on HCPro, Inc.’s HIPAA Update blog.