• Home
    • » e-Newsletters

Radiology Administrator's Compliance & Reimbursement Insider, March 2006

Radiology Administrator's Compliance and Reimbursement Insider, March 1, 2006


Medicare eliminates the use of surrogate UPINs for radiology

Clearing up the confusion: CPT codes 76376 and 76377

Enhancing understanding of ultrasound coding

Prepare now for upcoming HIPAA changes in 2006

Keep HIPAA awareness high with security solutions

Overcome NPI billing and compliance obstacles


Medicare eliminates the use of surrogate UPINs for radiology

Once upon a time, when an ordering physician did not have a unique physician identification number (UPIN), the radiologist could use a substitute—UPIN OTH000—and moved on with his or her busy agenda.

But that time will end in April.

The use of surrogate UPINs reached 10 million claims, an excess that points to apparent abuse, according to CMS.

In the past, suppliers, physicians, and nonphysician practitioners billed for diagnostic, radiology, consultation services, and equipment with a surrogate UPIN if needed. But CMS intended such use only as a last resort, according to a November 2005 Medlearn Matters article.

After studying the surrogate UPINs' use, a Medicare program safeguard contractor identified an excessive number of claims submitted even in cases in which a UPIN was assigned.

The end of surrogate UPINs means radiologists must pay additional attention to detail when billing, says RACRI advisor Thomas W. Greeson, Esq., of Reed Smith, LLP, in Falls Church, VA.

Radiologists must provide a UPIN for the ordering doctor when submitting claims. If the doctor doesn't have a UPIN, radiologists currently use a surrogate. But with this recent ruling, they will be out of luck in this situation, says Greeson.

"It's another case of being penalized for what the doc didn't do," Greeson says.

Insider source

Thomas W. Greeson, Esq., Reed Smith, LLP, Falls Church, VA; tgreeson@reedsmith.com.



Coding corner

Clearing up the confusion: CPT codes 76376 and 76377

by Stacie L. Buck

If determining whether to bill for two-dimensional (2D) or three-dimensional (3D) reconstructions wasn't confusing enough, the American Medical Association (AMA) deleted code 76375 and introduced two new codes to describe 3D rendering in 2006.

The new codes are

  • 76376 —3D rendering with interpretation and reporting of CT, magnetic resonance imaging (MRI), ultrasound, or other tomographic modality; not requiring image postprocessing on an independent workstation
  • 76377 —3D rendering with interpretation and reporting of CT, MRI, ultrasound, or other tomographic modality; requiring image postprocessing on an independent workstation

    The deleted code 76375 was used for coronal, sagittal, multiplanar, oblique, three-dimensional, or holographic reconstruction of CT, MRI, or other tomographic modality.

    AMA implemented the new codes because changes in technology code 76375 no longer adequately represent current methods of reformatting images. In addition, the new codes came as a result of the overuse of code 76375.

    With the deletion of code 76375, reimbursement for 2D reconstructions will be bundled with the base procedure code as of January 1.

    Although CPT provides instruction about how to use these codes through the parenthetical notes that follow them, questions still remain.

    Method of reformatting

    Reformatting the images is done either on the acquisition scanner software or at a separate, independent workstation.

    Note: The key to correct code selection is determining the method of obtaining reformatted images. Typically, the technologist performs reformatting work on the acquisition scanner and the physician either performs reformatting on the independent workstation or supervises a technologist who is specially trained to do so.

    Concurrent physician supervision

    Both codes 76376 and 76377 require concurrent physician supervision of image postprocessing 3D manipulation of volumetric data set and image rendering.

    So what constitutes concurrent physician supervision? For those providers paid under Medicare Physician Fee Schedule (MPFS), the MPFS physician supervision indicators provide clarification (see the related chart on p. 8 of the PDF of this issue).

    Levels of supervision defined in 42 CFR 410.32 are as follows:

  • General supervision means a procedure guided by the physician's overall direction and control, although the physician need not attend the procedure. Under general supervision, physicians retain the continuing responsibility for the training of the nonphysician personnel who perform the diagnostic procedure and maintenance of the necessary equipment and supplies.
  • Personal supervision means a physician must be in the room during the procedure.

    Note: These supervision levels do not apply to hospitals.

    Report codes 76376 and 76377 in addition to the base imaging procedure. However, CPT specifically states that you should not report 76376 and 76377 in conjunction with the following codes: 70496, 70498, 70544-70549, 71275, 71555, 72159, 72191, 72198, 73206, 73225, 73706, 73725, 74175, 74185, 75635, 78814-78816, 0066T, 0067T. Further, do not report these codes in conjunction with nuclear medicine codes or the Category III cardiac CT and CTA codes.

    The CPT Assistant plans to publish this in a future article.

    Documentation required for billing

    The American College of Radiology (ACR) Practice Guideline for Communication recommends that the radiology report include "a description of the studies and/or procedures performed."

    If 3D images are produced, whether on the acquisition scanner or an independent workstation, clearly document the rendering and interpretation of the images in the report, the ACR says.

    As for whether a test order is required to code and bill for these procedures, a recent issue of the ACR Radiology Coding Source provided the following clarification:

    "In the past, the ACR maintained that an order for 2D and 3D reconstruction imaging was not necessary as this was covered under the ordering of diagnostic tests rule test design exception. However, based on the exponential rise in the use of 76375 and in the number of practice investigations evolving out of overutilization (i.e., routine use), the ACR strongly encourages radiology practices to obtain an order from the referring physician in the nonhospital setting. In the hospital setting, radiologists may generate their own order, but are strongly encouraged to justify medical necessity for the use of 3D rendering in a separate dictation.

    The 3D rendering should be done at the request of or in consultation with the referring physician when there is medical necessity. Reserve codes for additional imaging needed for surgical planning or for complete depiction of an abnormality from the two-dimensional study.

    Practices that routinely provide 3D rendering may prompt an investigation by the Office of Inspector General.

    Insider source

    Stacie L. Buck, RHIA, LHRM, Southeast Radiology Management Corp., 512 St. Lucie Crescent Stuart, FL 34994; stacie@southeastrad.com.



    Enhancing understanding of ultrasound coding

    Q: We were told that when performing a lower extremity arterial duplex (93975) we can also bill a bilateral iliac artery duplex (93978) because we look at both common, internal, and external iliac arteries. Can you confirm this?

    A: Per charge contrasting imaging edits consider 93978 a component of 93975. The -59 modifier is not allowed with this particular code pair.

    Q: We are often asked to perform an Advanced Baseline Image (ABI) assessment with the Locally Equivalent Alternative (LEA) Duplex (93975). Can we perform a limited physiological assessment with the Duplex study and also include code 93922? If so, will Medicare only reimburse us for the lower rate and deny the other if the ABI is normal?

    A: There are no edits in place that preclude billing both of these codes together. However, Medicare does not reimburse the ABI separately when performed in conjunction with another service. So if you only perform the ABI for 93922, I would not code for it; however, other payers may allow it.

    Q: When performing a soft tissue ultrasound on a superficial nodule anywhere on the torso (e.g., the chest, abdomen, or pelvis), which CPT code is most appropriate?

    A: Assign the code which best describes the location of the nodule. This may be an unlisted code (e.g., 76999).

    Q: When performing an abdominal aorta ultrasound, which codes are more appropriate: 93978 or the combination of 76775 and 93976? We are looking at the kidneys and the abdominal aorta as well as checking blood flow with spectral Doppler. We were also told that during the second option is acceptable and a common practice.

    A: First, code based on the original order. Assuming that the order requested all exams, code each of them if you perform and document each. Bill codes 76775 and 93976 together with a -59 modifier attached to 76775. However, do not bill 93978 with 93976.

    Insider source:

    Stacie L. Buck, RHIA, LHRM, Southeast Radiology Management Corp., 512 St. Lucie Crescent, Stuart, FL 34994; stacie@southeastrad.com.

    Stacy Gregory, RCC, CPC, Gregory Medical Consulting Services, 4653 North Bristol St., Tacoma, WA 9840; stacygregory@wamail.net.



    Prepare now for upcoming HIPAA changes in 2006

    If you thought your Health Insurance Portability and Accountability Act of 1996 (HIPAA) worries were over, think again, says Patricia Kroken, FACMPE, of Healthcare Resource Providers, LLC.

    Several government initiatives on the horizon in 2006 should keep compliance officers and radiology managers searching for HIPAA enlightenment.

    "Is it over yet? No. Not by a long shot," Kroken told the audience during the 2005 Radiology Society of North America (RSNA) annual conference in Chicago in December 2005.

    Claims attachment standards, national provider identifiers (NPI), new security standards, vendor compliance concerns, and audit preparations represent a few of the HIPAA thoughts necessary for radiologists, Kroken said.

    Compliance with such rules could make a big difference in your bottom line, said RACRI advisor Claudia A. Murray, of Provider Practice Analysis, LLC, in Baldwin, MD. Murray also spoke during the RSNA conference.

    "Fraud control equals HIPAA," she said.

    With nearly $6 billion recovered in healthcare fraud since the late '90s, Murray said HIPAA and associated healthcare regulations helped spur "an entire industry of compliance and regulatory study [comprised] of healthcare lawyers and consulting firms."

    HIPAA issues should be a priority for radiology administrators and all healthcare providers, says RACRI advisor Michael F. Schaff, Esq., of Wilentz, Goldman & Spitzer in Woodbridge, NJ. "Consider these issues in your practice."

    HIPAA history

    In the early 1990s, healthcare industry leaders brainstormed ideas to reduce healthcare costs. They found the essential answer in electronic systems.

    With personal information speeding along the information superhighway, public concern for privacy and security of personal health data grew. However, for such an electronic health system to work, the healthcare industry needed new privacy and reporting standards across the board. In response to these concerns, Congress passed HIPAA in 1996.

    "So, how did we get HIPAA? We asked for it. We wanted to move to electronic records. We wanted to improve the system," Kroken said.

    Writing privacy rules fell to the U.S. Department of Health and Human Services (HHS). Staff training, the appointment of a privacy officer, and the establishment of formal safeguards became priorities under the HIPAA Privacy Rule. HHS required compliance from all agencies, providers, plans, and clearinghouses by April 2004.

    Once organizations put these pieces in place, many believed they'd completed their HIPAA puzzle.

    But, as Kroken told the RSNA Chicago crowd, HIPAA is a process—it is not simply completed "so it can sit on a shelf somewhere."

    New initiatives coupled with ongoing requirements means that "there's a lot for radiologists to be aware of," Kroken said.

    Claims attachment standards

    Formalizing electronic records processes for billing and basic patient information may seem like a no-brainer, but what happens when physicians attach labs, x-rays, or CT scans to documents and send them over the Internet?

    The Federal Register published a proposal to standardize such electronic attachments last year. Comments on the proposal closed in November 2005.

    The claims attachment rules work in tandem with the HIPAA Privacy Rule. They affect healthcare providers who electronically transmit information in connection with transactions normally covered by HIPAA.

    The proposed standards include the use of certain transactions, messaging standards, and a new code set when electronically requesting additional information—and when providing information in response to the request.

    "These HIPAA provisions make processing claims and other healthcare transactions much more efficient and in the long run [will help] save millions of dollars," HHS Secretary Mike Leavitt said in a September 2005 press release.

    Embracing the NPI change

    Today, healthcare providers find themselves with different identifier codes assigned by different health plans—and sometimes within the same health plan.

    Throughout the healthcare industry providers based their identification numbers on location and type of practice. In the world of instantaneous access to information, such encrypted detail potentially reveals a wealth of knowledge to nefarious users.

    In addition, incorrect provider identifiers often lead to inaccurate payments and improper billing practices, costing the healthcare industry millions of dollars.

    As the sun sets on legacy identification numbers to classify physicians and practices, the dawn of NPIs rises.

    Section 1173 of the HIPAA Administrative Simplification calls for "a standard unique health identifier for each individual, employer, health plan, and health care provider for use in the healthcare system."

    NPIs ensure that each provider owns one unique identifier for transactions with all health plans. Each provider must apply for a NPI number by visiting https://nppes.cms.hhs.gov/NPPES/.

    "This is one of those things where the government tells you it's going to be easy, relatively painless," said Kroken, "And this really is. Go do it."

    If you have a new NPI, don't ditch your old legacy number yet. Providers and other organizations must update their legacy information systems, administrative processes, reference files, and forms to ensure continuity between old provider identifiers and the new NPIs.

    Some systems will require major overhauls to accommodate the new standard. Health plans, clearinghouses, and software vendors may have to perform software conversions to meet the requirements.

    Vendor compliance concerns

    Radiology facilities must ensure their own compliance with HIPAA regulations as well as the HIPAA compliance of vendors with whom they contract. "This can be a very cumbersome process," says Schaff.

    For example, if a radiology facility contracts with a billing agency, that facility must have a business associate (BA) agreement with the billing agency. The BA agreement must require the billing agency to protect the radiology facility's patient health information by abiding by specific restrictions on the use and disclosure of such information.

    The agreement must also require that any subcontractor of the billing agency agree to the same restrictions on the use and disclosure of patient health information to which the billing agency has agreed.

    Generally, the radiology facility is not required to monitor or oversee how their business associates and their subcontractors protect the privacy of patient health information. However, if the radiology facility discovers a violation of the BA agreement, it must take reasonable steps to cure the breach.

    Depending upon the nature and scope of the breach, corrective action may require termination of the arrangement with the billing agency. Failure by the radiology facility to cure such breaches could subject it to severe penalties and litigation.

    "You need to make sure all the parties are complying with their respective obligations to ensure that the patient health information is protected," Schaff says.

    Security standards

    Keeping health records—electronic or otherwise—secure remains a challenge for radiology professionals and industry leaders across the healthcare continuum.

    Many administrators expressed concern about proposals for an electronic signature standard.

    Several forms of electronic signatures exist today, ranging from biometric devices to digital signature, according to the Federal Register. However, to satisfy the legal and time-tested characteristics of a written signature, an electronic signature must

  • identify the signatory individual,
  • ensure the integrity of a document's content
  • provide for nonrepudiation (i.e., strong and substantial evidence that will make it difficult for the signer to claim that the electronic representation is not valid)

    Currently, only the digital signature meets those criteria.

    HHS postponed final ruling on electronic signatures and additional details are pending. For more information regarding the pending security standards, visit http://new.cms.hhs.gov/SecurityStandard/Downloads/securityproposedrule.pdf.

    Audit preparations

    Keeping up with HIPAA audits may seem like just another task, but Kroken says it's important to keep your HIPAA policies up to date and your staff trained about the HIPAA changes.

    "Things creep around in an office. You want to make sure they are where they say they are," Kroken said.

    Insider sources

    Patricia Kroken, former president of Radiology Business Managers Association and principal of Healthcare Resource Providers, LLC, Albuquerque, NM; pkroken@comcast.net.

    Claudia A. Murray, Provider Practice Analysis, LLC, Maryland; ClaudiaAMurray@aol.com.

    Michael F. Schaff, Esq., Wilentz, Goldman & Spitzer, New Jersey; ClaudiaAMurray@aol.com.



    Keep HIPAA awareness high with security solutions

    by Kate Borten, CISSP, CISM

    Many healthcare organizations acknowledge that they are not yet compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security rule. Further, many seem to have lost the will to implement a full-fledged information security program. This attitude heightens the risk to organizations and patients and poses a serious challenge for information security officers (ISO).

    Q: Staff at my organization say they have moved on from HIPAA. No one wants to hear about it—they say they're "HIPAAed out." As the security officer, I'm concerned that we're not fully in compliance with the security rule. We may even be backsliding. What's your advice?

    A: Many ISOs express this valid concern. No one ever said security was easy. In particular, ISOs in provider organizations often struggle with a lack of resources and support.

    Following are eight strategies for healthcare security programs for 2006:

    1. Think beyond HIPAA. Make your security program mission and your job description comprehensive and not just focused on HIPAA. In today's networked world, all connected devices constitute risk—not just those that contain protected health information.

    2. Focus on the big picture. Avoid losing sight of the major security issues and getting sidetracked. That means you must be organized and always have a good grasp of your organization's overall security risks and controls.

    3. Prioritize. You can't address every security issue. There will always be issues left at the end of the day. Step back regularly and look at whether you spend your time on efforts that offer the most payback. Payback comes from heightened awareness and reduced risk.

    4. Offload to others. Not only can't you handle every single security risk by yourself, you shouldn't. Hand off as much responsibility as possible to others, such as midlevel managers. This not only lets you achieve more, but it also engages others in security activities that are rightfully theirs.

    Don't let managers turn their backs on security. Culture change and broad support for security initiatives can only happen with commitment from leadership.

    Document managers' new responsibilities and then provide training.

    For example, make them aware of which procedure to follow for prompt notification of termination and how to conduct a walk-around audit. Only when you spell out responsibilities in this way can you hold managers accountable and apply the sanctions in your policy.

    5. Obtain training. Carnegie Mellon's Computer Emergency Response Team reports that 97% of Internet attacks exploit known vulnerabilities. As with preventable deaths in healthcare, we know how to stop these Internet incidents, so there is no excuse for not doing so.

    System administrators and other technology staff responsible for security duties must be trained about good security practices. Further, many ISOs in healthcare organizations are undertrained.

    Obtain the training you need, use the security resources available, and keep up with security trends. Lack of knowledge won't protect your organization during a lawsuit.

    6. Focus on development and awareness of processes. This entails a lot of work up-front, but it will result in a stronger and more robust security environment.

    Don't underestimate the amount of time you need to spend selling security to all levels of your organization. Be a visible goodwill ambassador for security and cultivate security champions to help you transmit the security mission.

    7. Control security technology. To preserve your time and budget, put the brakes on glitzy technology that often appeals to information technology staff. Invest in security technology only when you identify the need, not simply whenever a vendor comes calling.

    Make sure the solution addresses your problem, keeping in mind that even though there are plenty of risks, not all risks are of equal importance in your setting.

    8. Avoid backsliding. By setting up formal, documented processes (e.g., applying patches, managing server and software change, and providing work force training), you help ensure that security controls are continuous and not one-time or random events.

    Once processes are in place, monitor them periodically and adjust them as needed.

    Editor's note: Borten is author of the HCPro, Inc., books HIPAA Security Made Simple and Guide to HIPAA Security Risk Analysis and founder of The Marblehead Group, Inc., in Marblehead, MA. This article first appeared in the HCPro, Inc., newsletter Briefings on HIPAA . Contact her at kborten@marbleheadgroup.com .



    Overcome NPI billing and compliance obstacles

    Be on the lookout for two of the most problematic areas facing your organization's transition from legacy identification (ID) to national provider identifiers (NPI) that are also at the heart of your bottom line and legal concerns: billing and compliance.

    To overcome the obstacles NPIs pose in these areas, negotiate with your payers or providers early in the process, said Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, who spoke about this topic during the November 15, 2005, HCPro audioconference "National Provider Identifier: Know how changes will affect your business." (Visit www.hcmarketplace.com for more information or to order.)

    NPIs offer business benefits (e.g., the portability to go with you when you move beyond state lines). But expect some headaches because NPIs differ fundamentally from legacy IDs. One particular hardship stems from the struggle to replace the logical information embedded in legacy ID.

    "[Many] legacy IDs have identifiers within the number that say, 'Okay, this was issued to this provider, who is in this city, doing this type of practice,' " Apgar explained.

    NPIs do not contain this information. Instead, to pay and be paid properly for services, providers and payers must find a place for this lost information somewhere on their claims forms.

    Conduct an analysis, replace what is lost

    A sole NPI cannot communicate different payment rates by treatment location, multiple contracts with the same provider at different rates of payment, and differentials within a provider group based on specialty.

    Account for these situations by using an NPI as the core of a smooth business transition. To start this process, Apgar suggests taking stock of your current billing process.

    Analyze how you use your legacy ID to convey information. For example, the ID may tell your payers that you bill from a certain location and at a different pay rate from other locations. Obtain input for this analysis from your information technology staff, those involved in switching your organization over to HIPAA transactions, and people within the claims processing or billing departments, Apgar said.

    After you determine your legacy ID's role in the billing process—and what you'll lose as a result of the switch to NPI—consider alternative ways of communicating location, contract, and specialty information to payers. Apgar suggested the following two alternative avenues:

    1. Multiple NPIs. "There's no specific guidance on how to determine what is necessary in the way of more than one NPI, but you do need to obtain more than one if you're a large organization so you can make sure you're being billed correctly," he said.

    Consider obtaining subpart NPIs to differentiate between treatment locations or specialties within the same organization, depending on with what your payment rates correlate.

    However, an organization with multiple NPIs has no easy way to show that all of the NPIs relate to the same organization because each NPI is location-specific. This can create problems for payers conducting research.

    2. Space on the claims form. This could include the comments field or lie at the claim-line level. The addition of a street address, ZIP code, or other relevant information in these areas may help to ensure that you are paid properly.

    Regardless of which solution you choose, negotiate it with your payer. The payer must understand how you identify your organization and the relevant information. If you add information at the claim-line level, your payer needs to know.

    As part of the negotiations, address the following:

  • Dual reporting during implementation. Dual reporting means using both legacy ID and an NPI during the transition period to ensure that you send enough information to be paid correctly.

    "[The transition] is a long process, and the earlier you can get started on actually obtaining an NPI and testing that with your payers, the better," said Apgar.

  • Secondary identifier needs. NPIs may only get you so far, and they do not take the place of other important IDs (e.g., your taxpayer ID number), Apgar said.

    Look at what you need from the NPI and what you need from secondary identifiers to accurately reflect the services provided and receive correct payments, he explained.

  • Paper claims. The NPI mandate does not extend to paper claims, but from an administrative standpoint, you may be better off making the switch now to standardize everything, Apgar said. Although forms such as the UB-92 and CMS 1500 cannot currently accommodate an NPI, CMS may soon make room for the new identifier.

    Bring vendors up to speed

    Equally important to being paid properly is complying with the NPI mandate in the first place. Unfortunately, compliance may be more difficult to tackle, especially regarding vendors that must make sure that their products can transmit and receive NPIs.

    Although providers and payers both have a vested interest in making sure a particular service is reimbursed correctly, vendors have no direct stake in NPI transition.

    "Vendors are not HIPAA [Health Insurance Portability and Accountability Act of 1996] covered entities and are not necessarily engaged," said Apgar. "One of the biggest lessons we learned rolling out [the initial HIPAA transactions] is that the vendors were lagging behind and in fact still are lagging behind in some areas."

    Because vendors may be out of the loop, let them know what you need. It may come down to saying, "If your software can't use NPI, we can't do business with you," Apgar said.

    Allow enough lead time for the vendor to address problems before you make the permanent NPI switch.

    Editor's note: This article first appeared in Health Information Compliance Insider , published by HCPro, Inc.

    Insider source

    Chris Apgar, CISSP, president, Apgar & Associates, LLC, 10730 SW 62nd Place, Portland, OR 97219, 503/977-9432; capgar@easystreet.com.