In spite of recent rumors, CMS has no intention of delaying the implementation of ICD-10 beyond the Oct. 1, 2013 date. That means every physician group should be taking steps toward the transition of ICD-9 coding to ICD-10 medical coding.

Know Penalties for Nonparticipation

Question: What are the penalties for entities that are covered under HIPAA who decide not to use ICD-10 codes as of Oct. 1, 2013?

Answer: Your claims will be denied — and you technically could face fines since using the ICD-10 codes falls under the HIPAA transaction code set regulations.

From a practical viewpoint, as of service dates of Oct. 1, 2013, in case you still use ICD-9 codes and don’t use ICD-10 codes, most probably your claims will be returned and will be asked to transition to ICD-10.

The penalties are the similar penalties that any HIPAA entity would be subject to. Most of you are acquainted with the ongoing HIPAA transaction code set penalty that calls for a maximum of $25,000 per covered entity per year, however the HITECH legislation of last year in fact upped those transaction and code set penalties, and they can be as much as $1.5 million per entity per year. So evidently it behooves everybody — Medicare and Medicaid inclusive — to ensure you are compliant with these ICD-10 codes by the Oct. 1, 2013 date.

LCD Updates Could Come Later

Question: The Medicare local coverage decisions (LCDs) presently list the payable ICD-9 codes that match up to all Medicare-payable procedures. Will contractors issue updated LCDs to the public before the Oct. 1, 2013 implementation date to demonstrate the payable ICD-10 codes for the procedures?

Answer: The answer to that isn’t that clear yet. The LCDs will be translated as they will need to be translated, [but] as it relates to having them accessible to the public before the implementation date, that is not certain yet, as CMS is working fast and furious on all of its ICD-10 implementation efforts.

Shape Down Your Code List

Question: What can your practice do to get ready for the ICD-10 conversion?

Answer: One thing you won’t need to do is keep in mind a bunch of new codes. In fact, most practitioners perhaps don’t know many ICD9 codes by heart, so they won’t be expected to memorize ICD-10 codes either.

Strategy: You must use your list of the top diagnoses that your practice gets to find the corresponding ICD-10 codes , and you’ve got your cheat sheet. Then, make certain that your coders are trained, that your claims are form 5010 compliant, and that your claim submission system supplier is ICD-10-ready. Besides, in case you have an electronic medical record or you plan to get one, make sure it can handle ICD-10. In case you’re starting to bring in an EMR, you want to convert to ICD-10 first, not bring one in under ICD9 coding and then convert.

Clues abound as to what the feds will consider an adequate relationship.

ICD9 Codes

Compliance officers, how often do you report to your board of directors?
A) All the time; I love those guys.
B) A few times a year.
C) When something goes wrong.
D) Who?

If your answer is C or D, you are not alone, according to a recent survey by the Health Care Compliance Association, but that will be cold comfort should your organization become the target of an investigation.

“[B]oards and even CEOs have less contact with [chief ethics and compliance officers] than recent legislation would suggest is necessary,” notes the HCCA. The U.S. Sentencing Commission recently proposed amendments to the Federal Sentencing Guidelines that allow mitigating points to lessen fines if there is a direct reporting relationship.

Only 55 percent of the 481 respondents in the HCCA survey, “The Relationship Between the Board of Directors and the Compliance and Ethics Officer,” said that in their company the compliance officer reports directly to the board. That number varied significantly depending on the profit structure of the company: COs report to the board in 59 percent of non-profits but in only 41 percent of public companies.

The health care industry, which is dominated by non-profits, fared better than other sectors, according to the survey. In health care, 58 percent of companies confirmed a direct reporting relationship, while in non-health care companies, only 48 percent said their CO reported to their boards.

Another problem raised by the survey is the screening or editing of reports, which is more of a problem in publicly traded companies as well. “There are two concerns about submitting a report to the board,” says HCCA CEO Roy Snell: “that it doesn’t have unsubstantiated accusations, and that it doesn’t excessively water down issues. A good compliance professional substantiates and prioritizes and doesn’t get lost in the weeds. He or she shares the appropriate things with the CEO and the board.”

A recent case involving Pfizer, in which the company accepted a $2.3 billion settlement and a corporate integrity agreement that basically forbids the CO from reporting to the GC, doesn’t seem to have fully sunk in, Snell agrees. Thirty-six percent of public companies said that CO reports are always screened and substantively edited by the company’s general counsel or others, while only 12 percent of non-profits said that was true. In 38 percent of public companies and 62 percent of non-profits, the reports are never screened or edited.

The Pfizer CIA mandates quarterly reports by the chief CO to the company’s audit committee, a direct report to the CEO, and a “divorce” between the general counsel and the CO: “The Chief Compliance Officer shall not be, or be subordinate to, the General Counsel or Chief Financial Officer,” says the CIA.

Another clue to what the feds will consider a direct reporting relationship lies in the U.S. Sentencing Commission’s commentary to its proposed amendments. There, “direct reporting obligations” are defined as a CO having “express authority to communicate personally to the governing authority [or subgroup]… (A) promptly on any matter involving criminal conduct or potential criminal conduct, and (B) no less than annually on the implementation and effectiveness of the compliance and ethics program.”

There is money to be given out to medical practices for using EMRs. AUDIO: Medical Coding 101: The Need-to-Know for CEOs.

Health insurance organizations caught in the middle in suggestions by HHS and DOL.

Self-insured employers should keep young adults up to age 26 on their parents’ health insurance plans before the September 23, 2010 deadline in the Affordable Care Act (or the PPACA) – even if they’re not required to, HHS secretary Kathleen Sebelius said recently in a news conference.

While the feds have issued regulations that require health insurers to cover young adults by the end of the deadline, self-insured employers may delay until January 1, 2011, or the beginning of the next health plan year.

HHS and the Department of Labor describe the move as cost-effective, as insurers will save the administrative costs that would have added up as they dropped people before the deadline only to have to re-enroll them in September. In addition, tax exemptions for employer health benefits will apply to all the young adults who choose to stay on their parents’ plans.

Officials are currently in discussion with large employer groups, “asking them to look at an opportunity to open the plans earlier than mandated and make this coverage available,” Sebelius told Kaiser Health News.

The response they’ve gotten, she said, is tremendous. “So far, every major insurance company — more than 65 in total — and several major self-insured organizations have said they will provide continuous coverage for young adults this summer. That’s great news for graduating seniors and their families who will get added security in exchange for premiums that are only expected to rise by 0.7 percent,” she explained.

The initiative to keep young adults in the fold is long overdue, Sebelius wrote on The White House Blog. “For years, getting a diploma also meant losing your health insurance. And whether you went on to college or not, it was often hard as a young person to find affordable coverage. Overall, Americans in their twenties were twice as likely to go without health insurance as older Americans,” she noted.

A fact sheet and Q&A on the regulations are available from The White House’s website.

There is money to be given out to medical practices for using EMRs. AUDIO: Medical Coding 101: The Need-to-Know for CEOs.

© Canadian Bar Assn.

Use these strategies to update your compliance plan before an auditor strikes if you can.

Although an audit is a routine function that the OIG and payers must perform, it can strike fear into the hearts of medical practices everywhere. If you get word that your practice will soon be audited, follow these basic tips to help put your best foot forward.

1. Prepare Far in Advance. Don’t wait until the OIG or your MAC alerts you that an audit is imminent before you get a handle on where you stand from a compliance standpoint, says Patricia Trites, MPA, CHBC, CPC, CEMC, CHCC, CHCO, CHP, CMP(H), CHAP, vice president of Healthcare Compliance Resources, LLC in Sherman, TX.

“Internal audits are the best way to prepare for an external audit,” Trites advises. “This process allows the practice to find errors and patterns of errors before someone else does.”

“The second step to internal auditing is just as important – education,” she says. “If the providers don’t know or don’t understand why something is incorrect or why another way is better, then the errors are never corrected going forward.”

2. Train Staff When Prepping for Auditor’s Visit. Once you know that an auditor will be paying you a visit, sit down with your staffers to fill them in on the details. Although it may be tempting to keep the audit a secret so you don’t make anyone nervous, it’s in your best interest to keep everyone apprised of the situation.

“I really do believe it is important that affected staff is trained before the auditor comes onsite or even if records are being requested for audit through the mail,” Trites advises. “Staff that knows what is going on are less likely to start rumors or listen to rumors.”

Let staffers know that they should be polite and respectful to the auditor, “and to always, always, always tell the truth,” Trites says. “There are so many types of audits that could be undertaken within a health care practice today it is hard to cover all the bases of what-ifs, but I suggest that staff understand that an audit does not mean that the organization or any of the providers have done anything wrong.”

Remember that many audits are conducted to determine if the carriers/MACs are doing their jobs correctly. Does that mean if they find something the practice has done incorrectly, they will get a pass? “No,” Trites says. “That is why it is important that each person understand their responsibility and liability in performing services, documenting those services, and then billing the services to the various payers.”

3. Follow a Pre-Audit Checklist. If your practice has never performed a self-audit, but you get word that you’ll soon be audited, Trites offers these four tips on how to prepare.

• Don’t panic! Auditors aren’t necessarily on a witch-hunt.
• Pull all encounters that have been selected for audit with all of the accompanying documentation.
• If you believe there may be a problem with your claims or how they were billed, contact an attorney to help you through the audit process.
• Perform an internal audit of the claims and if necessary, hire an external auditor to also review the claims. “It’s best to let the practice attorney engage the external auditor to protect the reports under attorney work product,” Trites notes.

If the attorney hires the consultant, the work performed during the audit falls under the attorney-client privilege, says Michael F. Schaff, a lawyer with Wilentz, Goldman and Spitzer in Woodbridge, NJ.

And remember: If you find a problem, do not alter documentation, alter billing records, destroy records, or in any other way compromise the information, Trites says.

Excerpted from Medicare Compliance & Reimbursement.

There is money to be given out to medical practices for using EMRs. AUDIO: Medical Coding 101: The Need-to-Know for CEOs.

1,250 medical statements contained plethora of identity information.

Medical theft identity is on the rise. Is your organization prepared for a possible mishap?

ICD-9 Codes

Take note of the latest possible casualty: After Rochester, NY-based Strong Memorial Hospital mailed about 1,250 medical bills to the wrong patients in April 2010, the hospital issued a warning of possible misuse of information.

Strong discovered its blunder through patients calling in to report that they’ve received the wrong bills, according to a report in local paper Democrat and Chronicle. An automatic folding machine that also stuffed bills into windowed envelopes broke down, hospital spokeswoman Teri D’Agostino reportedly said, adding that the machine picked up multiple statements, so that patients got their own hospital bills as well as bills of other patients. D’Agostino is assuring patients that important data such as their insurance and social security numbers and dates of birth were unlikely to be used inappropriately.

However, an expert on identity theft thought otherwise. The story quotes John Sileo, who notes that Strong’s statements had more than the average amount of medical identity information that could be stolen. He recommended two precautionary measures that a patient could take to protect the information, including freezing credit and monitoring medical records very closely.

Hospitals and medical facilities can prevent identity theft by taking information security more seriously, according to a recent Ponemon Institute survey, which advises organizations to:

• Educate staff members about the threat of medical ID theft
• Create comprehensive risk management programs
• Designate someone to enforce security policies
• Assess the security policies of business associates

In March 2010, a study by Pleasanton, CA-based market research firm Javelin Strategy & Research revealed that 275,000 cases of medical information theft occurred in the United States last year. Fraud resulting from exposure of health data rose from 3 percent in 2008 to 7 percent in 2009 (a 112 percent increase).

There is money to be given out to medical practices for using EMRs. AUDIO: Medical Coding 101: The Need-to-Know for CEOs.

Compliance officers could see their programs turned into financial footballs.

Health care reform may seem like yesterday’s news. However, now is when the real work begins for many of the major players in the health care industry in the face of the major changes wrought by PPACA.

Provider groups, insurers and of course employers are bracing for new rounds of regulations from HHS and other agencies. Is your compliance program ready to adapt?

When it comes to rule-making HHS is already the third most active federal agency, after the EPA and the DOT, according to the Office of Information and Regulatory Affairs, which reviews draft proposed and final regulations and analyzes their costs and benefits.

Health plans in particular are concerned about how new regulations will affect their bottom lines.

Insurance companies, according to a recent New York Times article, are directing their efforts towards making sure that when rules concerning minimum loss ratios are promulgated, insurers have as many opportunities as possible to classify expenses as going toward “activities that improve health care quality,” which will allow them to avoid paying rebates to subscribers – a PPACA requirement that kicks in Jan. 1, 2011 if insurers don’t meet the MLR standards.

The article quotes Aetna’s chief actuary and VP Michael Fedyna as claiming that no other aspect of PPACA would be so “influential in shaping the future of the health care marketplace in the United States.”

Here’s where compliance programs come in: Insurers want to include in this category “spending on health information technology, nurse hot lines and efforts to prevent fraud,” according to the article. “They also want to include the cost of reviewing care by doctors and hospitals, to determine if it was appropriate and followed clinical protocols.”

Compliance officers will certainly see more attention paid to their programs if those programs are seen as ways to improve quality.

Other PPACA requirements are keeping CEOs of health plans up at night. Another recent article, this one in the Washington Post, notes that since “existing health plans” will be exempt from many of PPACA’s provisions, regulators will have to determine how much a plan can change without giving up that exemption.

Plans that are subject to PPACA will be subject to new rules and will need more attention paid to their compliance programs to make sure they stay within rules concerning coverage of preventive services without co-pays, limits on annual out-of-pocket expenses for members, new internal an external appeals processes, and new reporting requirements.

“For example, if corporate health plans lose grandfathered status,” according to the Post, “their coverage of preventive services could be dictated by the federal government and thereby politicized, as a battle over breast cancer screenings last year illustrated.”

So, again: Compliance officers might have already felt like their programs were subject to every internal politic imaginable. But it’s about to get a lot more interesting.

There is money to be given out to medical practices for using EMRs – Don’t let your coding suffer. AUDIO: Medical Coding 101: The Need-to-Know for CEOs.

Follow these 3 tips when handling patient privacy concerns at your organization.

Compliance officers may think that they’ve dotted all of their i’s and crossed all of their t’s, but if they miss even a small piece of the privacy puzzle, they can compromise their entire system. Take a look at these three reminders concerning protected health information (PHI) to ensure that your privacy program is on track:

1. Don’t Let Paper Get Lost in the Shuffle. You may think of patient privacy exclusively in terms of protecting electronic patient data, but paper files are just as likely to be compromised. “With the advent of the HITECH changes, breaches occurring with paper records will be treated the same way as electronic data,” says Gregory Michaels, manager of security and compliance solutions at BluePrint Healthcare IT in Cranbury, N.J.

“Doctors may take paper records home as opposed to USB keys, or they may take paper records in their car with them to the office or hospital, and obviously those things have the same value in terms of the information contained in them,” Michaels advises.

Even in facilities where paper records are stored securely, there’s still a chance that the information on them might be exposed. “In some hospitals, the main medical record area is very well secured, but other departments may have access to records, take them from the room, and store them temporarily while using them, and may not be keeping them secure,” he says.

“Even if we can move to 50 or 60 percent of medical practices being fully electronic in the next few years, we’re still looking at a long time before paper is eliminated, so make sure any PHI stored on paper in your office is secure.”

2. Know That Patients Are Aware. You’ve asked patients to sign a HIPAA privacy form, now they’re content, right? Not necessarily. “The HITECH Act imposed an affirmative obligation on the government agency overseeing the HIPAA program to investigate compliance breaches,” says Michelle Wilcox DeBarge, a lawyer with Wiggin and Dana LLP in Hartford, CT. “Previously it was driven by complaints only, but they now have an obligation to affirmatively audit and monitor.”

In addition, the government has been hiring people to ensure compliance and will be providing education programs to the public, “and we’re expecting a lot of awareness, and for patients to be asking more questions about the use of their private health information going forward,” says Peter Courtway, chief information officer for Danbury Health Systems in Connecticut.

“There is also a provision under HITECH that will allow individuals who have been harmed by a breach to have a share in the proceeds of the penalties,” DeBarge says. “We don’t have the details yet, but this is another reason that patients will have incentive to pay attention.”

3. Don’t Forget the Front Lines. You may be compromising patient data in other ways besides electronic and paper breaches. Perform a walkthrough in your practice or organization to ensure that no other leaks exist.

According to one HIPAA expert, a compliance officer walked through her practice and was pleased to see that computer monitors at the front desk had been turned so that patients in the waiting area could not see the screens. However, upon going to the elevators, she realized that the monitors were viewable through the glass entryway, and that anyone in the building’s lobby could see the data.

Excerpted from Health Information Compliance Alert.

There is money to be given out to medical practices for using EMRs – Don’t let your coding suffer. AUDIO: Medical Coding 101: The Need-to-Know for CEOs.

Off-label marketing of food and drugs remains in feds’ crosshairs.

Giant drugmakers aren’t the only ones getting busted for off-label marketing: Look out for bad apples whose strange (and criminal) behavior could get themselves and the facility or practice where they work (or shop) into hot water.

That’s the lesson from the latest off-label marketing case out of Colorado.

A U.S. Magistrate judge sentenced Jason Eric Kay, 38, to two years of probation, and ordered him to pay a $1,000 fine for adulteration and removal of a label of food while held for sale, the U.S. Attorney’s Office in Colorado and the Food and Drug Administration Office of Criminal Investigations recently announced.

In 2009, Pfizer, Inc. was sentenced to pay $1.3 billion in criminal fines and revenue forfeiture for promoting four drugs, including the painkiller Bextra, for unapproved uses. Off-label marketing involves the act of routinely marketing and prescribing drugs for health conditions for which they have never even been studied. Drug companies have been accused of conspiring with doctors to carry out off-label marketing and engaging them in huge kickback payments.

According to court documents in the Kay case, beginning in January 2010, Kay made at least 11 separate purchases of various Gatorade products from Safeway and King Soopers stores, removing the labels from those products and replacing them with new ones that he manufactured or produced on his own. He then took the products back to the stores, placing it back on shelves for sale to consumers.

Kay made labels for Gatorade A.M. Tropical-Mango flavored products, but placed the labels on bottles that were not those products, but were, in fact, Gatorade Thirst Quencher Orange flavor. Further, these labels said the product contained vitamin C, when, in fact, Gatorade Thirst Quencher Orange does not contain vitamin C.

“The public needs to be confident that the product they purchase from a retailer is the same as when it left the manufacturer,” United States Attorney David Gaouette said, praising the agents involved in Kay’s arrest. He added that the case should serve as a warning to others who are contemplating jeopardizing the public or the public’s health by misbranding food and drugs.

Collect what your practice really deserves. AUDIO: You Can Use the Appeals Process Like a Pro.

Straight from the horse’s mouth: A former physician turned CO tells all.

Every compliance program needs provider buy-in, which can be tough to secure. Doctors are busy, but they have concerns that you can play into – patient care, quality and safety, to name a few.

Read on to find out how to leverage those concerns into better compliance.

“Candidly, obtaining physician buy-in is always a challenge and begins with educating your compliance staff about how to communicate with physicians,” said Dr. Robert H. Ossoff, assistant vice-chancellor for compliance and corporate integrity at Vanderbuilt University Medical Center in Nashville, TN, who was interviewed by HCCA in its April 2010 issue of Compliance Today.

Ossoff was formerly a practicing surgeon, so he knows what gets doctors going about compliance – and what shuts them down. “Compliance staff should understand that patient care, quality, and safety represent the main areas of focus for most physicians,” he noted.

As every compliance officer knows, documentation is a huge issue in this area, one of the largest risk areas for physicians, and certainly one that is likely to make their eyes glaze over when you bring it up. But “we can get their attention by equating opportunities for improving documentation with improved quality of care, patient safety, and patient satisfaction,” Ossoff said.

“[T]he average physician is out do the right thing, because they are typically perfectionists and are highly competitive in nature,” Ossoff observed, and you can use that competitive streak to encourage physician buy-in: “Explain not only the issues and activities that are causing non-compliance, but also explain, when possible, where they stand when compared to their peers,” he recommended.

But do your research first: Use benchmarking data for your physicians’ local, regional, and national peers to back yourself up.

Another communication tip Ossoff shared concerns how you communicate with your physicians. “[F]ocus on building bridges…rather than burning them,” he said. “A great example of this relates to how not to start a conversation with a physician.” He recommended against starting off with “The OIG says…” or “Per CMS Billing Manual citation…” This approach is sure to put the physician on the defensive and immediately cause her to “block you out,” Ossoff said.

Instead, he said compliance officers should start the conversation on a positive note: “The compliance office has identified an opportunity you can use to improve patient care and patient satisfaction,” or “To ensure your documentation reflects the excellent care that you provide to your patients…”

“Physicians, in general, want to be acknowledged for what they do and what they care about,” Ossoff said. “Use that to your advantage and you will have a much easier time getting your message across.”

Your organization’s patient-satisfaction-data will be posted on the Internet early in 2011 – what will it say about you? What can you do to be sure your patients are satisfied? AUDIO: HH CAHPS How To: The Agency’s Role in HH CAHPS