aapc rose b. moore, cpc, cpc-i, cpc-h, cpma, cemc, cmco...
TRANSCRIPT
COMPLIANCE;
It’s Not an Option
AAPC
April 17, 2013
Rose B. Moore, CPC, CPC-I, CPC-H, CPMA,
CEMC, CMCO, CCP, CEC, PCS, CMC, CMOM,
CMIS, CERT, CMA-ophth
President/CEO
Medical Consultant Concepts, LLC
Copyright 2013 www.medicalconsultantconcepts.com
OIG Five Point Strategy
The OIG is committed to preventing health care fraud, waste and abuse. In 1990, the OIG published five principles for an effective integrity strategy to eliminate health care fraud, waste and abuse.
• Enrollment: Scrutinize individuals and entities that want to participate as providers and suppliers prior to their enrollment or re-enrollment in the health care programs.
• Payment: Establish payment methodologies that are reasonable and responsive to changes in the marketplace and medical practice
• Compliance: Assist health care providers
and suppliers in adopting practices that
promote compliance with program
requirements.
• Oversight: Vigilantly monitor the programs
for evidence of fraud, waste and abuse.
• Response: Respond swiftly to detected
fraud, impose sufficient punishment to
deter others and promptly remedy program
vulnerabilities.
OIG Compliance Program
• Conduct internal monitoring and auditing
• Implementing compliance and practice standards
• Designating a compliance officer or contact(s) to monitor compliance
• Conducting appropriate training and education
• Responding appropriately to detected violations
• Developing open lines of communication
• Enforcing disciplinary standards through well publicized guidelines
Specific Risk Areas
• Prevent erroneous and fraudulent
conduct in the following areas:
◦ Coding and billing
◦ Reasonable and necessary services
◦ Documentation
◦ Improper inducements, kickbacks and
self-referrals
A well designed compliance program can:
• Speed and optimize proper payment of
claims • Minimize billing mistakes • Help protect patient privacy • Reduce the chances that an audit will
be conducted by CMS or the OIG • Avoid conflicts of interest and help
comply with the self-referral and anti-kickback statutes
Key Enforcement Laws
• Civil Monetary Penalties - $50,000 per violation
• The Health Reform Act requires providers to refund an overpayment to Medicare within 60 days of “identifying” it and provides that an overpayment retained beyond that deadline is an “obligation” under the False Claims Act.
• Exclusion Provisions – exclusion from government programs is a key provision and penalty in the CMP. Penalties can be up to $11,000 per claim plus treble damages for amount claimed for each item or service.
False Claims Act The false claims act imposes civil liability on
persons who knowingly submit a false or fraudulent claim or engage in various types of misconduct involving federal government money or property. These activities include:
• Billing for services not rendered
• Billing for unnecessary medical services
• Double billing for the same service or equipment
• Billing for services at a higher rate than provided (upcoding)
Penalties under the False Claims Act include treble damages plus a penalty of $5,500 - $11,000 for each false claim filed.
Anti-Kickback Statute It is a felony to knowingly and willfully offer,
pay, solicit, or receive anything of value (remuneration) in return for a referral or to induce generation of business reimbursable under a federal health care program. The statute prohibits both the offer or payment of remuneration for patient referrals and the offer or payment of anything of value in return for purchasing, leasing, ordering, arranging for, or recommending the purchase, lease, or ordering of any item or service that is reimbursable by a federal health care program.
Penalties may include a fine of up to $25,000, imprisonment of up to five years and exclusion from participation in federal health care programs for up to one year.
HIPAA
The Privacy Rule defines and limits the circumstances in which an individual’s protected health information (PHI) may be used or disclosed by “covered entities”.
PHI may be used either:
• As permitted by the patient or patient representative in writing
Or
• To the HHS during an investigation or action.
PHI Disclosures without Patient
Authorization
• Treatment, Payment, Health Care Operations.
• Emergencies and Informal Disclosures • Incidental Use and Disclosure • Public Interest and Benefit Activities
Authorization must be written in plain
language with specific terms and can allow the disclosure of PHI by the entity seeking authorization. The authorization should have an expiration and right to revoke.
Privacy Practices Notice
Patients must receive a notice of privacy practices that contains certain elements, including:
• The way PHI may be used and disclosed • The provider’s duties to protect PHI • The patient’s rights to complain to HHS
of a violation • A point of contact for further information
and complaints • Specific distribution requirements for
providers and plans
Minimum Necessary
Minimum necessary means to use or disclose the minimum amount of PHI needed for the intended purpose.
90% of privacy violations are committed by employees.
There should be a policy and attempt to mitigate any harmful effect of a disclosure of PHI. Adopt reasonable and appropriate administrative, technical and physical safeguards to prevent intentional or unintentional use or disclosure of PHI.
Administrative Safeguards
Administrative safeguards are administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect ePHI and to manage the conduct of the covered entitity’s workforce in relation to the protection of the ePHI.
• Security Management Process
• Sanction Policy
• Workforce Security
• Security Awareness and Training
• Contingency Plans
• Business Associate Contracts and other Arrangements
Physical Safeguards
Defined as the “physical measures, policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.”
• Facility Access Controls
• Maintenance Records
• Device and Media Control
Technical Safeguards
These provisions are defined as the
“technology and the policy and
procedures that protect electronic
protected health information and control
access to it.
• Access Control
• Automatic Logoff
• Person or Entity Authentication
• Transmission Security
Breach Notification
Requirements If there is a breach and PHI is provided
in an unauthorized way, there are several notification requirements. Business associates must also notify covered entities (such as providers) when there has been a breach.
• Individual Notice • Media Notice • Notice to the Secretary • Notification by a Business Associate
HIPAA – Key Components
• Help ensure the privacy of protected health information
• Give patients more control over their health information
• Establish appropriate safeguards that health care providers and others must achieve to protect the privacy of health information
• Hold violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights
• Strike a balance when public responsibility supports disclosure of some forms of data (to protect public health)
• Enable patients to find out how their information may be used and about certain disclosures of their information that have been made
• Limit release of information to the minimum reasonably needed for the purpose of the disclosure
• Give patients the right to examine and obtain a copy of their own health records and request corrections
• Empower individuals to control certain uses and disclosures of their health information
OSHA
Occupational Safety and Health
Administration Key issues in a medical setting are blood
borne pathogens, radiation, chemicals and biohazardous waste. Employers have the following responsibilities under OSHA’s General Duty clause:
• Provide a place of employment that is free from recognized hazards that are causing or likely to cause death or serious physical harm.
• Comply with the occupational safety and health standards developed by OSHA.
• Comply with the OSHA rules, regulations and orders.
OSHA
• Exposure Control Plan • Hepatitis B Vaccines and Tuberculosis • Injury Log and Procedure • Employee Training • Engineering Controls • Hazard Communication • Ionizing Radiation Standard • Exit Routes Standards • Electrical Standards • OSHA Poster • Regulated Waste
RAC Recovery Audit Contractors
RACs are paid on a contingency fee basis, receiving a percentage of the improper overpayments and underpayments they collect from providers.
RACs may review the last three years of provider claims for the following types of services: hospital inpatient and outpatient, skilled nursing facility, physician, ambulance and laboratory and durable medical equipment.
• Automated reviews
• Complex reviews
ZPIC Zone Program Integrity Contractors
ZPICs are responsible for preventing, detecting and deterring Medicare fraud.
• Prevents fraud by identifying program vulnerabilities
• Proactively identifies incidents of potential fraud that exist within its service area, and takes appropriate action on each case.
• Investigates (determines the factual basis of) allegations of fraud made by beneficiaries, providers, CMS, OIG and other sources.
• Explores all available sources of fraud leads in its jurisdiction.
• Initiates appropriate administrative actions to deny or suspend payments that should not be made to providers where there is reliable evidence of fraud.
• Refers cases to the Office of Inspector General (OIG)/Office of Investigations for consideration of civil and criminal prosecution and/or application of administrative sanctions.
• Refer any necessary provider and beneficiary outreach to the Provider Outreach and Education (POE) staff at the Affliated Contractors (AC) or MAC
ZPIC
ZPICs are responsible for ensuring the
integrity of all Medicare-related claims
under Parts A and B, Part C, Part D
and coordination of Medicare-
Medicaid data matches.
Unlike RACs, ZPICs are paid on a
contract basis – not a percentage of
what they recover.
MICs
Medicaid Integrity Contractors
CMS contracts with MICs to perform
audits of Medicaid providers. Providers
are selected based on data analysis
done by the other contractors or referred
by state agencies. The audits are
intended to identify overpayments and
inappropriate Medicaid claims. The
auditors will looks to see if the services
were covered by Medicaid and billed and
documented correctly.
RESOURCES
• Current CPT (current procedural terminology) manual
• Current ICD-9 (International Classification of Diseases)
• Current HCPCS (Healthcare Common Procedure
• Carrier Contracts
• 1995/1997 Documentation Guidelines ◦ www.cms.hhs.gov/mlnproducts/downloads/1995dg.pdf
◦ www.cms.hhs.gov/mlnproducts/downloads/Master1.pdf
• Medicare Claims Processing Manual (Pub. 100-4) ◦ www.cms.hhs.gov/Manuals/
Medical Record
Documentation Payers may require reasonable
documentation that services are consistent with the insurance coverage provided in order to validate:
• The site of service
• The medical necessity and appropriateness of the diagnostic and/or therapeutic services provided
• That services furnished have been accurately reported
Medical Record
Documentation To ensure that medical record documentation is
accurate, the following principles should be followed:
• Complete and legible
The documentation of each patient encounter should include:
• Reason for the encounter and relevant history, physical examination findings and prior diagnostic test results
• Assessment, clinical impression or diagnosis
• Medical plan of care
• Date and legible identity of the observer
Audit Triggers
• Consistently using one level of E/M service or routinely using higher level codes
• Ordering excessive tests • Billing Medicare or another government
program for care not provided • Unbundling procedures • Waiving coinsurance and deductibles in
absence of financial hardship • Changing codes to get paid • Coding based only on reimbursement
and not medically necessary services • Practitioner’s profile (utilization pattern)
does not meet the standards of the industry
Top Billing Errors
1. Duplicate claims submitted 2. Place of Service Code is incorrect 3. Facility information not included on
claim 4. Patient not eligible for Medicare 5. Service deemed not medically
necessary 6. Service bundled into payment for
other services 7. Medicare is secondary payer 8. Service not covered by Medicare 9. Provider/Group NPI number missing
or invalid 10. Incorrect modifier used
FINAL WORD
“If it is not documented – it can not be
billed!”
“If it doesn’t belong to you, give it
back.”
THANK YOU
QUESTIONS????
Contact information
Rose B. Moore, CPC, CPC-I, CPC-H, CPMA, CEMC, CMCO, CCP, CEC, PCS, CMC, CMOM, CMIS, CERT, CMA-ophth
President/CEO
Medical Consultant Concepts, LLC
www.medicalconsultantconcepts.com
(804)240-3074