RMBAA, Birmingham, Alabama, Wednesday, February 20, 2013

Slide 1
RMBAA, Birmingham, Alabama, Wednesday, February 20, 2013

Slide 2
Claudia Murray is a principal and CEO of CMC Consulting, LLC, a firm that specializes in regulatory compliance, Medicare billing rules and coding audits. Neither Claudia Murray nor her immediate family members have a financial relationship with a commercial organization that may have a direct or indirect interest in the content of this presentation.
NO COMMERCIAL INTEREST TO DISCLOSE

Slide 3
- 2013 HIPAA Privacy, Security, Breach Notification and Enforcement Rules
- PCI DSS Compliance
- ICD-9 Coding for Original, Resubmitted and Appealed Claims
- Place of Service
- Site of Service

Slide 4
Privacy, Security, Breach Notification and Enforcement Rules

Slide 5
- On January 17, 2013, the Department of Health and Human Services issued the long-awaited revisions to the HIPAA rules
- The rules made a number of changes to the current HIPAA privacy, security, breach notification and enforcement requirements
- The new rules modify the patient authorization and other requirements related to use and disclosure of PHI for research

Slide 6
- Consistent with the provisions of the HITECH Act, the new rules expand patients' rights to receive electronic copies of their PHI and restrict disclosures of PHI to health plans concerning treatment for which the patient paid out of pocket in full
- The new rules provide more flexibility with respect to allowing access to decedent PHI to family members and others

Slide 7
- Consistent with the Genetic Information Nondiscrimination Act, the new rules prohibit most health plans from using or disclosing genetic information for underwriting purposes
- The new rules impose additional restrictions on the use and disclosure of PHI for marketing by requiring written patient authorization for all communications where the CE receives remuneration for communicating with a company whose product or service is being marketed

Slide 8
- The definition of the term "business associate" has been expanded in the new rules to include vendors who maintain PHI, even if they do not view the PHI, and subcontractors of business associates
- This change to the rules will likely result in many new vendors being considered business associates

Slide 9
- The new rules detail that business associates, as well as their subcontractors, are directly liable for compliance with the HIPAA security rules and certain requirements of the HIPAA privacy rules
- Business Associate Agreements that were already revised for compliance with the HITECH Act may require amendment but not a significant overhaul

Slide 10
- The new rules change the notification requirements for breaches of unsecured protected health information ("PHI")
- They replace the current "risk of harm to the affected patients" standard with a more objective standard to be used in determining whether a breach has occurred and whether notice of the breach must be provided to patients, the government and the media

Slide 11
- Under the new rules, every improper use or disclosure of PHI is presumed to be a breach unless it is demonstrated that there is a low probability that the PHI was compromised as a result of the incident
- This change is significant and could result in an increase in the number of breaches requiring notice

Slide 12
- The new rules adopt the increased, tiered civil money penalty structure for HIPAA violations provided by the HITECH Act
- They also give the Office of Civil Rights discretion to impose penalties on covered entities and business associates in cases of violations due to willful neglect without first attempting to resolve the matter through informal means

Slide 13
- Penalties for HIPAA violations are significant
- Specifically, penalties for violations caused by willful neglect, which are corrected, range from $10,000 to $50,000 per violation
- The minimum penalty for an uncorrected HIPAA violation caused by willful neglect is $50,000 per violation
- The penalties are capped at $1.5 million for all violations of an identical requirement in a calendar year

Slide 14
Violation Category (Section 1176(a)(1)): penalty for each violation / cap for all violations of an identical provision in a calendar year
- (A) Did Not Know: $100 - $50,000 per violation / $1,500,000 per calendar year
- (B) Reasonable Cause: $1,000 - $50,000 per violation / $1,500,000 per calendar year
- (C)(i) Willful Neglect - Corrected: $10,000 - $50,000 per violation / $1,500,000 per calendar year
- (C)(ii) Willful Neglect - Not Corrected: $50,000 per violation / $1,500,000 per calendar year

Slide 15
- The new rules provide that each covered entity must revise its notice of privacy practices to address the new HIPAA requirements
- Covered entities and business associates generally must comply with the new HIPAA requirements by September 23, 2013
- Compliance with the new requirements will also require changes to HIPAA policies and procedures

Slide 16
Does this apply to you?

Slide 17
- The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially, this means any merchant that has a Merchant ID (MID)
- The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process

Slide 18
- The PCI DSS is administered and managed by the PCI SSC, an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB)
- It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council

Slide 19
- PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data
- Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply
- The Standard can be found on the PCI SSC's Website: ty_standards/pci_dss.shtml

Slide 20
- Cardholder data is any personally identifiable data associated with a cardholder
- This could be an account number, expiration date, name, address, social security number, etc.
- All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data

Slide 21
- For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services
- Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but is also a service provider if it hosts merchants as customers

Slide 22
- All merchants that store, process or transmit cardholder data must be compliant now
- However, if you are a Level 4 merchant, you will have to refer to your merchant bank for their specific validation requirements and deadlines
- All deadline enforcement will come from your merchant bank
- You may also find more information on Visa's Website: ayment_application_security_mandates.pdf

Slide 23
- All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period
- Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ('DBA')

Slide 24
- In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level
- If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA's individual transaction volume to determine the validation level

Slide 25
Merchant Level / Description
- Level 1: Any merchant, regardless of acceptance channel, processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
- Level 2: Any merchant, regardless of acceptance channel, processing 1M to 6M Visa transactions per year.
- Level 3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
- Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year.

Slide 26
To satisfy the requirements of PCI, a merchant must complete the following steps:
- Identify your Validation Type as defined by PCI DSS; this is used to determine which Self-Assessment Questionnaire is appropriate for your business
- Complete the Self-Assessment Questionnaire according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines

Slide 27
- Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV)
- Note that scanning does not apply to all merchants
- It is required for Validation Types 4 and 5, i.e. those merchants with external-facing IP addresses
- Basically, if you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required
- Complete the relevant Attestation of Compliance in its entirety
- Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer

Slide 28
Control Objectives / PCI DSS Requirements
Build and Maintain a Secure Network
- 1. Install and maintain a firewall configuration to protect cardholder data
- 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- 3. Protect stored cardholder data
- 4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- 5. Use and regularly update anti-virus software on all systems commonly affected by malware
- 6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- 7. Restrict access to cardholder data by business need-to-know
- 8. Assign a unique ID to each person with computer access
- 9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- 10. Track and monitor all access to network resources and cardholder data
- 11. Regularly test security systems and processes
Maintain an Information Security Policy
- 12. Maintain a policy that addresses information security

Slide 29
Q: I'm a small merchant with very few card transactions; do I need to be compliant with PCI DSS?
A: All merchants, small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data.
Q: If I only accept credit cards over the phone, does PCI still apply to me?
A: Yes. All businesses that store, process or transmit payment cardholder data must be PCI compliant.

Slide 30
Q: Do organizations using third-party processors have to be PCI compliant?
A: Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI.

Slide 31
Q: My business has multiple locations; is each location required to validate PCI compliance?
A: If your business locations process under the same Tax ID, then typically you are only required to validate once annually for all locations, and submit quarterly passing network scans by a PCI SSC Approved Scanning Vendor (ASV), if applicable.
Q: Are debit card transactions in scope for PCI?
A: In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC: American Express, Discover, JCB, MasterCard, and Visa International.

Slide 32
- SSL certificates do not secure a Web server from malicious attacks or intrusions
- High assurance SSL certificates provide the first tier of customer security and reassurance, but there are other steps to achieve PCI compliance
- A secure connection between the customer's browser and the web server
- Validation that the Website operators are a legitimate, legally accountable organization

Slide 33
- The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations
- The banks will most likely pass this fine on downstream until it eventually hits the merchant
- Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees
- Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business
- It is important to be familiar with your merchant account agreement, which should outline your exposure

Slide 34
- See the procedures outlined in Visa's "What to Do If Compromised: Visa Fraud Control and Investigations Procedures" document: what_to_do_if_compromised.pdf
- There are at least 39 states that have breach notification laws in place
- See for more detail on state

Slide 35
Revisiting an old rule

Slide 36
We're going to discuss:
- Coding from the report
- Is there a difference between specificity and certainty?
- Assigning a diagnosis code based on the other information, documentation or medical records
- Late entries and amendments
- Resubmissions and appeals

Slide 37
- CMS instructs physicians to report diagnoses based on test results, if available
- Contractors, physicians, hospitals, and other health care providers must comply with the following instructions in determining the appropriate ICD-9-CM diagnosis code for diagnostic test results

Slide 38
- For patients receiving diagnostic services, code the condition(s), symptom(s), and diagnosis to the highest degree of certainty for that visit, such as describing symptoms, signs, abnormal test results, or other reasons for the visit
- Report additional codes that describe any current coexisting conditions
- Do not code diagnoses documented as probable, suspected, questionable or rule out

Slide 39
- If the physician has confirmed a diagnosis based on the results of the diagnostic test, the physician interpreting the test should code that diagnosis
- The signs and/or symptoms that prompted ordering the test may be reported as additional diagnoses if they are not fully explained by or related to the confirmed diagnosis

Slide 40
- If the diagnostic test did not provide a diagnosis or was normal, the interpreting physician should code the sign(s) or symptom(s) that prompted the treating physician to order the study

Slide 41
- If the results of the diagnostic test are normal or nondiagnostic and the referring physician records a diagnosis preceded by words that indicate uncertainty (e.g., probably, suspected, questionable, rule out, or working), then the interpreting physician should not code the referring diagnosis
- Rather, the interpreting physician should report the sign(s) or symptom(s) that prompted the study

Slide 42
- Diagnoses labeled as uncertain are considered by the ICD-9-CM Coding Guidelines as unconfirmed and should not be reported
- This is consistent with the requirement to code the diagnosis to the highest degree of certainty

Slide 43
- The Balanced Budget Act (BBA) §4317(b) requires referring physicians to provide diagnostic information to the testing entity at the time the test is ordered
- As further indicated in 42 CFR, all diagnostic tests "must be ordered by the physician who is treating the beneficiary"
- An "order" is a communication from the treating physician/practitioner requesting that a diagnostic test be performed for a beneficiary

Slide 44
- Incidental findings should never be listed as primary diagnoses
- If reported, incidental findings may be reported as secondary diagnoses by the physician interpreting the diagnostic test

Slide 45
- Unrelated and coexisting conditions/diagnoses may be reported as additional diagnoses by the physician interpreting the diagnostic test

Slide 46
- When a diagnostic test is ordered in the absence of signs/symptoms or other evidence of illness or injury, the testing facility or the physician interpreting the diagnostic test should report the screening code as the primary diagnosis code
- Any condition discovered during the screening should be reported as a secondary diagnosis

Slide 47
- The following longstanding coding guidelines are part of the Official ICD-9-CM Guidelines for Coding and Reporting
- The testing facility or the interpreting physician should code the ICD-9-CM code that provides the highest degree of accuracy and completeness (certainty) for the diagnosis resulting from the test, or for the sign(s)/symptom(s) that prompted the ordering of the test
- The "highest degree of specificity" means assigning the most precise ICD-9-CM code that most fully explains the narrative description in the medical chart of the symptom or diagnosis

Slide 48
- RAC auditors have been taking a harder stance on accepting diagnosis information from sources other than the radiology report
- MAC denials for medical necessity often lead to resubmissions or appeals with additional diagnosis information
- Recent publications detail Medicare's viewpoint on ancillary documentation, late medical record entries and amendments

Slide 49
- Every note stands alone, i.e., the performed services and necessary signatures must be documented at the outset
- Delayed written explanations will be considered for purposes of clarification only
- They cannot be used to add and authenticate services billed and not documented at the time of service, or to retrospectively substantiate medical necessity
- For that, the medical record must stand on its own, with the original entry corroborating that the service was rendered and was medically necessary
Published by CGS, a multi-state MAC

Slide 50
- Late entries, addendums, or corrections to a medical record are legitimate occurrences in documentation of clinical services
- A late entry, an addendum, or a correction to the medical record bears the current date of that entry and is signed by the person making the addition or change
Published by Noridian Administrative Services, a multi-state MAC

Slide 51
- A late entry supplies additional information that was omitted from the original entry
- The late entry bears the current date, is added as soon as possible, and is written only if the person documenting has total recall of the omitted information
A late entry following treatment of multiple trauma might add: "The left foot was noted to be abraded laterally."

Slide 52
- An addendum is used to provide information that was not available at the time of the original entry
- The addendum should also be timely and bear the current date and reason for the addition or clarification of information being added to the medical record
An addendum could note: "The chest x-ray report was reviewed and showed an enlarged cardiac silhouette."

Slide 53
- When making a correction to the medical record, never write over or otherwise obliterate the passage when an entry to a medical record is made in error
- Draw a single line through the erroneous information, keeping the original entry legible
- Sign and date the deletion, stating the reason for correction above or in the margin
- Document the correct information on the next line or space with the current date and time, making reference back to the original entry

Slide 54
- Correction of electronic records should follow the same principles of tracking both the original entry and the correction with the current date, time and reason for the change
- When a hard copy is generated from an electronic record, both records must be corrected
- Any corrected record submitted must make clear the specific change made, the date of the change, and the identity of the person making that entry

Slide 55
- Providers are reminded that deliberate falsification of medical records is a felony offense and is viewed seriously when encountered
- Examples of falsifying records include:
  - Creation of new records when records are requested
  - Back-dating entries
  - Post-dating entries
  - Pre-dating entries
  - Writing over, or
  - Adding to existing documentation (except as described in late entries, addendums and corrections)

Slide 56
- Corrections to the medical record legally amended prior to claims submission and/or medical review will be considered in determining the validity of services billed
- If these changes appear in the record following a payment determination based on medical review, only the original record will be reviewed in determining payment of services billed to Medicare
- Appeal of claims denied on the basis of an incomplete record may result in a reversal of the original denial if the information supplied includes pages or components that were part of the original medical record but were not submitted on the initial review

Slide 57
- Melanie Combs-Dyer, Deputy Director for the Provider Compliance Group at CMS in the Office of Financial Management, stated:
- "…we have instructions in our program integrity manual that says if it is more than a few days, you know, if you're talking about months after the facts, the delayed documents of late entries made to the medical record, we instruct our contractors to refer those to the fraud department"

Slide 58
More after the Webinar…

Slide 59
- Previously CMS had instructed physicians to use the POS code where s/he interpreted the service
- The transmittal was put on hold in January 2010
- CMS provided new POS guidance in Transmittal 2407 with an effective date of April 1, 2012
- CMS rescinded Transmittal 2407 in late March, stating that they would reissue the transmittal with a new effective date
- Transmittal 2435 was issued with an effective date of October 1,

Slide 60
- On September 28th, Transmittal 2561 replaced Transmittal 2435 without significant changes but with an effective date of April 1, 2013
- Under the Medicare Physician Fee Schedule (MPFS), some procedures have separate rates for physicians' services provided in facility and nonfacility settings
- Medicare considers the place of service a key element in claims processing when the correct payment is determined by the POS code

Slide 61
- General instructions in Transmittal 2561 state that the POS code should reflect the actual place where the patient received the face-to-face encounter, to determine whether the facility or nonfacility payment rate is paid
- But instructions for diagnostic radiology services differ, since payment is not solely determined by the POS code but most often by modifier
- Additionally, Medicare recognizes that the PC and TC are often furnished in different settings

Slide 62
- In a freestanding imaging setting, POS 11 was standardly billed for the professional and the technical components
- In a provider-based setting, the TC belongs to the hospital and is billed by the hospital
- In a provider-based setting, there are multiple POS code possibilities for the pro fee, and there are new instructions from Medicare regarding the POS to be billed

Slide 63
- In almost all cases, the POS code assigned to the physician billing for the PC will be the POS where the patient received the TC
- For the professional component (PC) of diagnostic tests, the facility and nonfacility payment rates are the same because modifier 26 actually determines the payment, not the POS code on the claim
- For a service rendered to a patient who is a hospital inpatient or outpatient, only the PC can be billed because the service must be rendered "Under Arrangements"

Slide 64
- The appropriate POS code for the interpretation is the setting where the patient received the TC service
- If the interpretation was performed in the physician's office and the patient received the TC service in the outpatient hospital setting, the physician assigns POS 22 on the claim for the PC
- Additionally, the name, address, and ZIP code of the office location must be entered in Item 32 of the CMS 1500 claim form (or its electronic equivalent)
- This may lead one to believe that sending the correctly completed claim form to the usual MAC is sufficient for payment

Slide 65
- Transmittal 2561 further addressed SOS and the carrier jurisdiction issue
- In Interpretation Provided Under Arrangement – To A Hospital (Section C), an example shows that:
  - The place of service reflects the patient's hospital status (POS 21, 22 or 23), and
  - The physical location of the radiologist interpreting the study is entered in Block 32 of the CMS-1500 form

Slide 66
- Transmittal 2561 added Determination of Payment Locality (Section E), which states:
  - The payment locality is determined based on the location where a specific service code was furnished
- Subsection E, Global Service Code, states:
  - To bill for a global diagnostic service, the same physician or supplier entity must furnish both the TC and the PC and must furnish them within the same MPFS payment locality

Slide 67
- Subsection E, Separate Billing of Professional Component, goes on to say:
  - If the same physician or entity does not furnish both the TC and PC, or if the professional interpretation was furnished in a different payment locality, the professional interpretation must be separately billed with modifier -26, and the address and ZIP code of the interpreting physician's location must be reported on the claim form

Slide 68
- "When you receive a request for Medicare payment for services furnished outside of your payment jurisdiction, return assigned services as unprocessable, and deny unassigned services. Pay services correctly submitted to you.
- Use the following messages:
  - Remittance Advice (RA) - Claim adjustment reason code 109 – Claim not covered by this payer/contractor. You must send the claim to the correct payer/contractor.
  - Remark code N104 - This claim/service is not payable under our claims jurisdiction area. You can identify the correct Medicare contractor to process this claim/service through the CMS Web site at"

Slide 69
Q: If a practice has office locations in two payment localities in which the doctors practice regularly, and if the PC and TC were performed separately (although by the same practice group) in those two different payment localities, would the PC be billed separately (-26 modifier) from the TC, and would the payment amount follow the payment amount in effect for each respective locality?

Slide 70
A: Yes, if the PC and TC were performed separately in two different payment localities, the PC and TC would be billed separately. Since the PC and TC are in separate payment localities, global billing is prohibited by transmittal 2563 and the components would have to be reported separately. Additionally, if the PC and TC were performed in separate MAC jurisdictions (e.g., across state lines), then the practice would have to be enrolled in each MAC jurisdiction where the services were performed, and payment would be based on each MAC's payment schedule.

Slide 71
Q: If a radiologist reads a study performed at a hospital at one of the practice's imaging centers or offices, what POS code should I use?

Slide 72
A: The POS code is determined by where the patient had the study (TC). In this instance, even though the study was read at the radiologist's office, if the patient was an outpatient, POS code 22 (outpatient hospital) would be reported in Box 24B; if the patient was an inpatient, POS code 21 (inpatient hospital) would be reported in Box 24B; and if the patient were an ER patient, POS code 23 (emergency room hospital) would be reported in Box 24B. However, in all instances, the radiologist's office ZIP code and address would go into Box 32 because that is where the interpretation was performed.

Slide 73
Q: What if a radiologist reads studies from their home?

Slide 74
A: CMS requires physicians to submit the address where the physician was when they performed the interpretation. The only exception to this is when the interpretation was performed in an "unusual and infrequent" location, such as a hotel. Therefore, if the radiologist frequently interprets studies from home, their home address and ZIP code would go in Box 32. However, based on CMS' transmittal language, if the radiologist interprets from home only infrequently, then the "Medicare enrolled location where the interpreting physician most commonly practices" can be listed.

Slide 75
Claudia A. Murray, RCC
CMC Consulting, LLC
P.O. Box 653
Fallston, Maryland
Thanks!
