HCPro.com - Corporate Compliance - DO NOT USE Top Stories

Providers report first RAC denials in Florida, South Carolina

Tue, 17 Nov 2009 05:00:00 GMT

Healthcare providers in several states received their first RAC denials. Connolly Healthcare, the Region C RAC for Florida, South Carolina, and several other states, has been behind many of them.

One hospital in South Carolina reports having three claims denied. However, learning of those denials did not go smoothly. The hospital received a call in late October from Connolly regarding a denial letter the hospital never received. The RAC sent the original denial letter in early August, and although it was addressed to the hospital, it apparently had no specific contact person listed, and the hospital never received it. The hospital had provided Connolly with the name of the contact person for their facility months prior via the form Connolly provided on its Web site, according to a hospital employee.

“Connolly acknowledged that the absence of a contact person on the letter was their error and they are working to correct it,” she said.

In the meantime, the RAC faxed a copy of the denial letter to the hospital. The total take back was less than $200, but it has given the hospital a chance to test its RAC tracking system, which is reportedly working well thus far.

Another small contract rehab company that contracts with facilities across seven states, mainly in the southeast, also reported receiving RAC denials. Three of its facilities, all skilled nursing facilities averaging 120 beds, have now received demand letters, according to the Florida-based provider.

“A majority of what we are seeing is recoupment of service-based codes billed in error more than once per day, mainly speech therapy (ST) service-based codes,” according to a provider employee. “We have also received two that included recoupment for the ST codes of 92610 and 92526 billed on the same day, which we have disputed and reported this issue to the American Speech-Language-Hearing Association.”

The provider is appealing the denials where the RAC is seeking recoupment of the ST codes 92610 and 92526 billed on the same day.

“We have a dedicated denials and appeals department and we have been handling these very efficiently and effectively,” she said. The provider has had no problems so far with the appeals it has submitted.

The provider also noticed that the demand letters seem to be taking approximately two weeks to arrive, so timing is of the essence, particularly if the provider is going to respond with appeals.

The provider also notes that it has used the denials as a guide for its internal auditing. Staff members are now going back to look for trends or patterns related to those denials.

Note: More on deductibles and coinsurance

Tue, 17 Nov 2009 05:00:00 GMT

Editor’s note: Judith Kares, JD, CPC, regulatory specialist for HCPro, Inc., is the author of this week’s note from the instructor.

CMS recently published the Part A deductible and coinsurance and Part B deductible amounts for CY 2010. For most covered inpatient stays, as well as covered outpatient services, Medicare does not pay the entire Medicare allowable for those stays or outpatient services. Beneficiaries generally are responsible for a portion of the Medicare allowable in the form of deductibles and/or coinsurance.

Under Part A, Medicare beneficiaries are entitled to 90 regular benefit days per benefit period. Regular benefit days renew whenever a new benefit period begins. That is, a patient once again has 90 covered inpatient days every time a new benefit period begins. Medicare beneficiaries are also entitled to 60 lifetime reserve days, which may be used after regular benefit days for that benefit period have been exhausted. Lifetime reserve days do not renew. Once used, they are gone forever.

Click over to the MedicareMentor Blog to read more.

HealthDataInsights posts several new RAC DME claim issues

Thu, 12 Nov 2009 05:00:00 GMT

HealthDataInsights (HDI) has added multiple new RAC issues to their CMS-approved list in late October and early November. The new issues are approved for RAC audits in Region D for DME claims.

According to the HDI Web site, the new issues and their descriptions are as follows:

PEN supplies more than one time a day. The description or the billing guidelines state parenteral/enteral nutrition codes are allowed once a day.
Infusion pump denied/Accessories and drug codes should be denied. When the infusion pump is denied, then the infusion accessories and infusion drug codes are also denied.

To stay on top of the latest RAC-approved issues in your state, visit the “Tools” section of the Revenue Cycle Institute Web site and download the updated chart at the top of the page.

Note: Signature for Laboratory Tests, Clarification in the MPFS Final Rule

Tue, 10 Nov 2009 05:00:00 GMT

This week, I would like to review a “clarification” regarding physician signatures on orders for clinical diagnostic testing that came out in the Final Rule for Payment Policies under the Physician Fee Schedule and Other Revisions to Part B for 2010. Although this publication is hospital-directed and we do not normally report on physician fee schedule issues, this “clarification” could affect hospital policies on obtaining signatures for the laboratory services they provide.

Click over to the MedicareMentor Blog to read more.

Guidance on HIPAA implications of H1N1

Mon, 09 Nov 2009 19:16:00 GMT

Following the recent declaration for H1N1 flu as a national health emergency, the government posted a number of documents that have HIPAA implications, says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal, HIPAA Boot Camp, in Casa Grande, AZ.

Ruelas points to this document on the CDC Web site that summarizes other related documents online.

“Many of these documents help clear up questions on whether the subsequent 1135 waivers suspend HIPAA, the time frame related to these waivers, and those provisions of the HIPAA privacy rule where the Secretary of HHS may waive sanctions and penalties,” Ruelas says.

Red Flags Rule enforcement delayed to June 1

Mon, 09 Nov 2009 19:13:00 GMT

The Federal Trade Commission is delaying enforcement of its identity theft Red Flags Rule for a fourth time, pushing back the November 1 deadline to June 1, 2010.

The latest delay comes at the request from Congress, which is considering exempting entities with fewer than 20 employees from the identity theft rule.

The House of Representatives passed the bill late last month. The Senate is now considering the bill.

The previous delay announcement—from August 1 enforcement to November 1—came in July. The House Appropriations Committee requested the additional three months to educate small businesses about Red Flags Rule compliance. The delay also allowed financial institutions and creditors more time to implement written identity theft prevention programs, according to the FTC.

Red Flags requires creditors and financial institutions to have in place identify theft prevention, detection, and response systems. The rule is mandated by the Fair and Accurate Credit Transactions Act of 2003.

Red Flags was initially supposed to go into effect November 1, 2008, but was pushed back to May 1, 2009, then to August 1, 2009, then to November 1, 2009, and now to June 1, 2010.

New HIPAA whitepaper!

Mon, 09 Nov 2009 19:10:00 GMT

Download a free copy of our new white HIPAA whitepaper, “HHS breach notification interim final rule: Form your incident response team, set policies and procedures to comply with new federal HIPAA Regulations. November, 2009.”

Small healthcare entities need Red Flags the most

Wed, 04 Nov 2009 19:29:00 GMT

Small healthcare entities are more likely to have patients who are victims of identity theft. So why exclude them from complying with a mandatory identity theft prevention program?

Randy Berry, B.A., C.P.A., financial leader and Red Flags Rule compliance expert with Columbus Healthcare & Safety Consultants in Columbus, OH, asks that very question.

“The biggest concern that I have is … the smaller the practice, the less internal controls they have and the more apt the smaller practices are to have identity theft," says Berry, author of the Red Flag Manual and Training CD Package. "The most critical thing is protecting patients' identity. It's not about the doctor. It's about the patients' financial identity. The lobbyists forgot that this is not about practices; it's about patients and their customer's financial information."

The House of Representatives unanimously passed a bill October 22 that would exempt a healthcare practice with 20 or fewer employees from the FTC's identity theft Red Flags Rule requirement. The Senate is now considering the bill.

The Red Flags Rule, which will be enforced starting June 1, 2010, requires healthcare entities considered to be "creditors" to implement an identity theft prevention program.

Texas Hospital group pays U.S. $27.5 million in false claims settlement

Wed, 04 Nov 2009 05:00:00 GMT

A Texas hospital group will pay the United States $27.5 million to resolve allegations that it violated the False Claims Act, the Anti-Kickback Statute, and the Physician Self-Referral Law (Stark Law) between 1999 and 2006, according to a Department of Justice (DOJ) press release.

McAllen Hospitals L.P., doing business as South Texas Health System, subsidiary of Universal Health Services Inc., violated all three regulations by paying illegal compensation to physicians in order to persuade them to refer patients within the hospital group.

Under the Stark Law, Medicare providers are prohibited from billing Medicare for referrals from doctors with whom the providers have a financial relationship. The hospital group distributed payments to the physicians through a series of sham contracts, including medical directorships and lease agreements.

The federal government will receive approximately $25.2 million of the settlement and the Texas Medicaid program will receive $2.3 million for the false claims submitted to the program. Bruce Moilan, a former employee of the defendants, raised the case using the False Claims Act’s qui tam provision. Moilan will receive a $5.5 million share of the settlement.

Note: CMS issues 2010 final rule for ambulatory surgery centers and most hospital outpatient departments

Tue, 03 Nov 2009 05:00:00 GMT

Editor’s note: Judith Kares, JD, CPC, regulatory specialist for HCPro, Inc., is the author of this week’s note from the instructor.

CMS has released a display copy of the outpatient prospective payment system (OPPS) final rule for 2010, which also includes the 2010 changes to the rules for ambulatory surgery centers (ASCs). This final rule will be published in the Federal Register on November 20. In terms of reimbursement, OPPS hospitals that meet quality indicator reporting requirements for 2010 are entitled to the “full update,” which will result in a 2.1% increase in their payments for 2010. Those OPPS hospitals that do not meet their quality indicator reporting requirements will be subject to a reduced update of 0.1% in 2010. ASCs, on the other hand, will receive a 1.2% inflation update beginning January 1, 2010.

Among the most anticipated changes in the OPPS final rule are the so-called “incident to” a physician’s services requirements. Most nonphysician outpatient therapeutic services that are provided by hospitals or critical access hospitals (CAHs) are only covered if they are provided “incident to” the services of a physician or another specified nonphysician practitioner.

Click over to the MedicareMentor Blog to read more.

HIPAA Q&A: Red Flags Rule

Mon, 02 Nov 2009 19:42:00 GMT

Q. How does the HIPAA privacy rule coincide with the new Red Flags Rule, which requires providers with covered accounts to contact law enforcement if the provider suspects identity theft? May providers release PHI or discuss the patient’s case with law enforcement officials?

A. The Red Flags Rule does not require you to notify law enforcement officials of suspected identify theft. Instead, the rule permits you to do so. Most states' identity theft protection laws allow this as well. Informing law enforcement officials about a PHI breach and its nature does not violate HIPAA. Patient authorization is necessary before you disclose any specific identifiable information to law enforcement officials. Absent specific authorization, release of PHI to law enforcement would violate the HIPAA privacy rule.

Advising patients to contact law enforcement is the best course of action. If warranted, notify law enforcement of the breach and provide the perpetrator’s name if known, but don’t provide a list of affected patients.

Editor’s note: Chris Apgar, CISSP, answered this question. This is not legal advice. Consult your attorney regarding legal matters.

BA contract addendum

Mon, 02 Nov 2009 19:40:00 GMT

This HIPAA Update blog post has generated some conversation in the last week. Check out the question that got the most people talking:

Does anyone have a sample of an addendum that can be added to our BA agreement that puts us into compliance with the HITECH-HIPAA or do we need to re-write and retain all new BAs to include the requirements for HIPAA?

Go to the HIPAA Update post and weigh in.

Small healthcare entities need Red Flags the most

Mon, 02 Nov 2009 19:36:00 GMT

Small healthcare entities are more likely to have patients who are victims of identity theft. So why exclude them from complying with a mandatory identity theft prevention program?

Randy Berry, B.A., C.P.A., financial leader and Red Flags Rule compliance expert with Columbus Healthcare & Safety Consultants in Columbus, OH, asks that very question.

“The biggest concern that I have is … the smaller the practice, the less internal controls they have and the more apt the smaller practices are to have identity theft," says Berry, author of the Red Flag Manual and Training CD Package. "The most critical thing is protecting patients' identity. It's not about the doctor. It's about the patients' financial identity. The lobbyists forgot that this is not about practices; it's about patients and their customer's financial information."

The House of Representatives unanimously passed a bill October 22 that would exempt a healthcare practice with 20 or fewer employees from the FTC's identity theft Red Flags Rule requirement. The Senate is now considering the bill.

The Red Flags Rule, which was enforced starting November 1, requires healthcare entities considered to be "creditors" to implement an identity theft prevention program.

Enforcement interim final rule published in FR

Mon, 02 Nov 2009 19:30:00 GMT

HHS published in the Federal Register today the HITECH Act enforcement interim final rule as part of the provisions in the February 17, 2009 HITECH Act, according to an OCR press release.

The rule includes no amendments to the enforcement provisions in HITECH, according to the OCR release.

The interim final rule becomes effective November 30. HHS has invited public comments on the interim final rule, which will be considered if received by December 29.

Region B and D RACs post new issues, all states now approved for audits

Thu, 29 Oct 2009 05:00:00 GMT

CGI, the RAC for Region B, has posted three new issues for review in Illinois, Indiana, Kentucky, Michigan, Minnesota, Ohio and Wisconsin. This means CMS has now approved issues for RAC auditing in all states.

The new issues approved for physician and outpatient hospital claim review in these states are:

For more information on these and other issues approved for Region B states, visit the CGI Web site.

In addition, CMS has approved a new issue for DME provider audits in Region D—Knee orthotic bundling. “There are Knee orthotic addition codes that cannot be billed separately due to the fact that they are bundled with the base knee orthotic code or that the addition code is not medically necessary when billed in conjunction with a specific knee orthotic base code,” according to HDI, the Region D RAC.

For more information, visit the HDI Web site.

Three pharmacies and their employees indicted on Medicaid fraud charges

Wed, 28 Oct 2009 05:00:00 GMT

New Jersey Attorney General Anne Milgram announced the indictments of four pharmacists, three pharmacy technicians, and three pharmacies on charges to conspiracy to defraud Medicaid of over $2.3 million, according to an Attorney General’s Office press release.

The three Newark area pharmacies, their owners, and employees allegedly paid cash to any patient who agreed not to take their medicine. Those prescriptions were then used to fraudulently bill Medicaid for thousands of dollars, the AG said. In other instances, medicines were dispensed to patients, then sold back to the pharmacy for a share of the Medicaid reimbursement, according to the AG.

All 10 defendants are charged with conspiracy, healthcare claims fraud, and Medicaid fraud.

Note: CMS Announces the 2010 Medicare Premiums and Deductibles

Tue, 27 Oct 2009 05:06:00 GMT

Editor’s note: Debbie Mackaman, RHIA, CHCO, regulatory specialist for HCPro, Inc., is the author of this week’s note from the instructor.

CMS recently announced the CY2010 Medicare Part A deductible for inpatient hospital services. When a patient is admitted as an inpatient, the deductible will increase from $1,068 in 2009 to $1,100 in 2010. In addition, beneficiaries will pay an additional daily coinsurance of $275 for days 61 through 90 and $550 for lifetime reserve days. For 2009, the corresponding amounts are $267 and $534, respectively.

Click over to the MedicareMentor Blog to read more.

Ask these questions in your harm threshold risk assessment

Mon, 26 Oct 2009 16:35:00 GMT

HHS’ interim final rule on breach notification includes a “harm threshold” provision that provides covered entities (CEs) an avenue to avoid reporting a breach to HHS. If the incident involves encrypted data compliant with HHS guidelines or if a risk assessment shows that the disclosure does not pose a significant risk to the affected individual, there is no breach.

But CEs and business associates (BAs) must follow systematic steps to reach that “no harm, no foul” conclusion. They must document their findings and have them readily available if an auditor requests them. Facilities should always conduct an informal or formal risk assessment regardless of whether the disclosure appears innocent.

John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, says your risk assessment should answer the following questions:

Who was involved? How many patients’ information was breached?
Did the perpetrator copy the information, transfer it, change it, or simply look at it?
When did it happen? (This is important because the 60-day breach reporting window to HHS starts when you first learn of it.)
Is there a financial risk to the victim, a personal risk, or both?
Was the motive for the breach nefarious or casual?
Is the risk for further harm still there?
What can the organization do right now to ensure no further damage occurs?
What has the organization learned from the disclosure?
How can the organization prevent this in the future?

Editor’s note: This is an excerpt from the November issue of Briefings on HIPAA, the 12-page HCPro, Inc. newsletter.

Experts: exemption from Red Flags Rule not necessary

Mon, 26 Oct 2009 16:30:00 GMT

Some industry experts do not think small healthcare entities need to be exempt from complying with the FTC’s Red Flags Rule.

The House of Representatives filed a bill October 8 that would exempt a healthcare practice with 20 or fewer employees from the FTC’s Red Flags Rule requirement.

The Red Flags Rule, which will be enforced beginning November 1, requires healthcare entities considered to be creditors to implement an identity theft prevention program.

Chris Apgar, CISSP, president, Apgar & Associates LLC, in Portland, OR, says healthcare entities should already have an identity theft prevention program in place.

Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal, HIPAA Boot Camp, in Casa Grande, AZ, says the exemption does not make sense because it affects a great number of physician offices. (He cited this data)

“This was most concerning because in isolation, it may sound like it makes sense to base exclusions on the number of employees in a particular healthcare practice,” Ruelas says. “But with a bit more analysis, this exclusion has a sweeping effect on an industry level when speaking of primacy care physicians where most people receive their medical care.”

Read more on our HIPAA Update blog.