Part 2 Remains Intact

The hopes of HIM professionals, HIPAA Privacy Officers and some SUD program administrators were dashed with the decision by Congress that the bicameral version of the pending opioid legislation will not include provisions to align 42 CFR Part 2 with HIPAA in respect to the Treatment, Payment, and Operations (TPO) exclusions. As health systems increasingly diversify offerings to include services meeting the definition of a Part 2 program, the complexity of managing consents, authorizations, and routine exchange of clinical information for continuity of care will not be eased as was hoped by the stakeholders managing the intersection of HIPAA and Part 2 compliance.

Not all stakeholders are disappointed. The Legal Action Center (LAC) released a celebratory notice, stating in part, “In the midst of the nation’s worst addiction epidemic in history, we must ensure that our policies encourage people to seek the care they need to get and stay well.”

Liquid Gold & Lincoln Law Violations: The Saga Continues

There has been lots of focus in compliance circles lately on the urine toxicology laboratory sector and widespread allegations of fraud, waste, and abuse. In the rush to throw every resource at managing the opioid addiction crisis, a formerly staid and boring sector of the laboratory services industry is having a moment in the spotlight. Unfortunately, the liquid gold rush is turning into a bust featuring False Claims Act investigations and settlements.

The latest DOJ settlement comes from the Eastern District of Kentucky against a laboratory in Woburn, Massachusetts. Calloway Laboratories, Inc. has been ordered to pay $1.3 million to settle False Claims Act and Anti-Kickback violations. According to the DOJ announcement, “As part of the settlement agreement, Calloway acknowledged that it provided free testing supplies to physicians for the purpose of inducing or rewarding referrals of urine drug testing to Calloway.  Calloway then submitted claims to Medicare and TRICARE seeking payment for the testing referred by these physicians.”

All-payer Claims Databases: Are the promises to lower costs real? or just wishful thinking?

All-payer claims databases are touted as one key to reducing overall healthcare costs. The notion is that the transparency associated with these tools will lead outlier providers to change their behavior, and that patients will use the associated tools to make better decisions about how they spend their healthcare dollars. So far? Not so much.

It’s tempting to view healthcare as a rational market where the customers (patients) make data-driven decisions, but as Bannow (2018, September 15) points out, “Despite the rise in high-deductible health plans, the majority of Americans still are “very insulated” from the actual cost of healthcare…That's one thing that dampens the use of the tools resulting from all-payer claims databases.” The other factor is the emotion, belief systems, and non-rational thought that play a role in healthcare decisions. If only we had a database to solve for that!

Beware. Wearables and the data transmitted are not subject to HIPAA protections... yet.

The average patient may not be super health literate on their individual chronic conditions, how their health plans work, or how to comparison shop using the emerging price transparency tools, but they do know one healthcare acronym: HIPAA.

According to Donovan (2018, September 11) in an interview with Andrew Boyd, Assistant Professor in the Masters of Health Informatics program at the University of Illinois,

“Health data collected by Fitbit, for example, is not governed by the HIPAA Privacy Rule. It is governed by contract law and the licensing agreement with your software provider,” Boyd noted.

“When it becomes part of the health record, that is when the security protection gets added on. But right now it appears that, for all of the patient health data generated, these devices are not governed by healthcare law,” Boyd said.

“Do people realize that the data collected by wearables is not necessarily protected by the HIPAA Privacy and Security Rules?”

While it’s probably pretty natural and expected that those on the leading edge of technical innovation might not think about something as staid and boring as HIPAA, until the healthcare industry and regulators catch up, perhaps at the very least these devices should come with appropriate warnings regarding data security and privacy?

HHS/OCR Cybersecurity Newsletter: Considerations for Securing Electronic Media and Devices

In addition to enforcing compliance with the Privacy and Security Rules, the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services issues guidance for HIPAA covered entities in the form of newsletters. The August 2018 Cybersecurity Newsletter may have gotten lost in the end-of-summer vacation and Labor Day shuffle, but given the near daily stories of data breaches resulting from internal staff errors, hackers and technical failures, the physical safeguard vulnerabilities of portable media and devices merit review.

In the newsletter, the OCR concedes healthcare organizations deploy myriad electronic devices, including hardware such as desktop workstations, laptops, smartphones, and tablets; as well as electronic media storage devices, like hard drives, USB/thumb drives, CDs/DVDs, tapes and memory cards. With the possible exception of larger hardware like servers and desktops, theft or loss is a risk. The PHI contained on devices and media can also be compromised by improper disposal. The newsletter also offers suggestions on questions covered entities should ask internally when developing policies and procedures to reduce risks of loss, theft, and/or breach of PHI through appropriate Physical Safeguards and device/media tracking.

The Issue Behind the Headline: Is Long-Term Care a Right?

For revenue cycle consultants in New England, the September 5th headline in McKnight's Long-Term Care News begs clicking to learn more: "MassHealth found to be in violation of federal regulations."

The article describes a June 2018 Suffolk County Superior Court ruling against MassHealth for "violation of federal Medicaid regulations by issuing “standardized” eligibility denial notices in long-term care coverage cases for excess countable assets held in a trust." Seems pretty esoteric, but the impact on SNF/Nursing Home residents as described in the article, as well as on the facilities caring for the residents, appears significant. The generic notices left the elder and their family (if they have family that is involved) without specific information to track down support to refute the determination, and the facilities are left without reimbursement because the law prohibits discharging the resident for non-payment.

Increasingly, individuals and advocacy groups refer to healthcare as a right. Our laws implicitly support this view to the extent healthcare providers and hospitals accepting Medicare or Medicaid must provide emergency care without regard to ability to pay, cannot balance bill patients covered by government programs, and in states like Massachusetts, cannot evict a long-term care facility resident for lack of ability to pay in situations detailed in the McKnight's article. Healthcare delivery has also evolved into a big business. Arguably, a business unlike any other due to the aforementioned laws and more.

As the silver wave crests and the ranks of the 'oldest old' swell, long-term care demand may outstrip supply. We'll need to collectively address the question the article begs: is long-term care a right?

Vulnerable medical devices putting patients at risk

Due to the cost of replacing expensive medical devices such as infusion pumps or network connected MRIs, healthcare organizations typically keep equipment until it no longer works. Unfortunately, this means that these devices remain vulnerable and a possible opening for malicious attackers.

The fear is that, beyond freezing systems or hijacking medical records as they did during WannaCry, hackers could also actively manipulate medical equipment to harm patients by, say, administering a lethal dose of medication via an infusion pump. While newer devices aren’t ironclad, they are typically built with more robust security features.

Under a proposed new program "health-care providers would be compensated for junking old equipment, and could use the rebates toward the purchase of new devices." And, in April 2018, the FDA took steps towards incorporating a security review into any new device's premarket review with the Medical Device Safety Action Plan.

VantagePoint's Take: Physician Fee Schedule Proposed Rule Listening Session

VantagePoint HealthCare Advisors consultants have been monitoring the various CMS announcements, propaganda, and industry reactions to CMS's proposed changes to Evaluation & Management (E/M) documentation standards, coding and reimbursement since they were first announced in late Spring by CMS Administrator Seema Verma.

On Wednesday, August 22, 2018, the CMS Administrator opened up the Physician Fee Schedule Proposed Rule: Understanding 3 Key Topics Listening Session with much of the same ballyhoo that has accompanied the rollout of the Patients Over Paperwork initiative, and then CMS staffers got down to explaining the details to the industry audience on the call. CMS promotes the E/M and related fee schedule changes as "focused on reducing administrative burden while improving care coordination, health outcomes and patients’ ability to make decisions about their own care" and as addressing the concerns of physicians who "struggle with excessive regulatory requirements and unnecessary paperwork that steal time from patient care" (Medicare Learning Network Listening Session Handout, 8/22/2018).

Two concerns stand out, among many, regarding the CMS proposal. Firstly, in one breath the CMS presenters stated that clear and concise medical record documentation is critical to providing quality care and is required for reimbursement, and in the next they suggested a minimum documentation standard that arguably will not promote the use of the patient medical record for substantiating quality, let alone tell the patient story. While VantagePoint consultants concur that the 1995 and 1997 documentation guidelines for E/M visits bear some updating, we also know from our experience auditing client records that more robust and detailed documentation is needed to tell the patient story, not less.

The other concern, shared by VantagePoint, is one that seemed to dominate the comments and questions from those selected to speak during the listening session - the fee schedule and new add-on codes. In the proposed fee schedule world, providers who currently provide the majority of their services at E/M level 1 - 3 might win, and those with high numbers of complex patients on their panels or E/M level visits of 4-5 will lose or need to justify the gamut of add-on codes to get up to the same par level. Our quick math using the charts provided in the handouts, including the various (and confusing) add-on payments, including the murky multiple procedure payment adjustment, did little to change the opinion of some of our consultants that the initiative is more about wrapping up a fee reduction in a patient-friendly wrapper than reducing provider stress.

The transcript of the listening session should be available online in a week to ten days and there is still time for stakeholders to submit formal comments, but not much time. The deadline is September 10, 2018.

VantagePoint Presenting at CtHIMA Annual Meeting in Mystic, CT

Calling all Health Information Management professionals in New England! VantagePoint HealthCare Advisors consultants Regina Alexander, FACHE, CHC, HCS-H and Cheryl Krusch, LPN, CPC, CPMA, COC, ICDCT-CM are presenting "Making the Case for HIM Professionals in Home Health, Hospice, and Long-term care" at the CtHIMA Annual Conference on September 16, 2018.

The further you venture along the continuum of care away from the acute care setting, the less awareness there is regarding the value of HIM, CDI, and Coding expertise. Utilizing real-world scenarios and observations based on their experience performing revenue cycle assessments, as well as claim and clinical documentation reviews ‘beyond hospital walls’, Ms. Krusch and Ms. Alexander will explore industry and regulatory changes in Home Health, Hospice, and Long-Term Care that may open the door of opportunity for HIM professionals to venture "beyond hospital walls".

State of Maryland fails OIG security audit, Medicaid data at risk

OIG performed a vulnerability assessment scan to determine if there were existing vulnerabilities on the MMIS (Medicaid Management Information System) network, devices, websites and database. And while OIG officials found the state adopted a security program for the system, there were “significant system vulnerabilities.”

Officials did not disclose details of the vulnerabilities found, but said that they were significant enough to "have allowed unauthorized access and exposed Medicaid data and the disruption of critical Medicaid operations.”

The State said there was no evidence of a breach or unauthorized access. And, while a security program was in place, the controls were not sufficient to keep the systems protected. Recommendations were made to the state to update the security program and systems to meet federal requirements.

Updates to the OIG Work Plan: August 2018 Highlights

VantagePoint monitors the monthly updates to the Office of Inspector General (OIG) work plan. The month of August is proving to be somewhat light in comparison to July with only one item posted to the Recently Updated items page (linked to the title of this post).

The sole August 2018 update relates to the OIG's planned review focusing on the "care and well-being of all children residing in ORR-funded facilities, including the subset of children who were separated and deemed ineligible for reunification." The OIG also plans to focus on the effectiveness of the Office of Refugee Resettlement efforts to unify separated children with their parents.

CMS Finalizes Hospital Price Transparency Rule

CMS has finalized the rule requiring hospitals to post a list of their standard charges online. The list must be provided in a machine-readable format and updated as often as necessary to keep the list current (minimum once per year).

The healthcare industry has traditionally struggled with operationalizing price transparency. The reasons for the struggle are myriad. From the maze of contracts with health plans that dictate different terms of payment, to the general discomfort with quoting a firm price for a procedure sight unseen due to the variability of potential patient outcomes, to the variability in physician preferences and prescribing patterns for inpatients, coming up with a firm price has been a moving target. The CMS final rule requiring hospitals to post a list of standard charges is a necessary shove in the right direction but there will be pain associated with making this information available to a patient population that experiences the price of care as a co-pay or deductible and has limited perspective on the actual cost of the care they receive.

Trojan Horse? The Patients Over Paperwork Initiative

The allusion of the Trojan Horse is often used (and maybe overused) to describe situations in business or politics in which the true motivation of an initiative or proposal is wrapped in something positive or innocuous. The "Patients Over Paperwork" initiative promoted by the Centers for Medicare and Medicaid (CMS) has all the hallmarks of that mythical wooden vessel the Greeks used to gain entry into the city of Troy.

Direct-care providers [physicians, nurse practitioners, physician assistants] are understandably vulnerable to buying into the arguments that reducing documentation requirements and updating guidelines for evaluation and management services (E&M) is a benefit to patient care because, ostensibly, providers will have more time to spend with patients. Fair enough. The promise of efficiency that was supposed to be inherent once a practice implements an EHR has not been fully realized and many providers are spending more time than ever on their documentation obligations. Furthermore, accurately coding E&M services can be tricky and even trickier to defend upon audit. It is pretty tempting to accept this initiative on its face and 'open the gates' to the idea that lessening the requirements for documentation will liberate time for patients.

Revising documentation requirements and E&M guidelines is a great idea, but shouldn't be construed as merely a patient-centric effort. CMS is also proposing to eliminate the higher level fees associated with the highest level of E&M visit care. Does this incentivize providers to spend more time with the patient and less on paperwork? Or does this incentivize providers to increase the volume of patients they see, rather than the quality of time spent with current patients while reducing the quality of documentation? The CMS site devoted to this initiative states the program is meant to, among other things, improve the beneficiary experience.

What is the real goal of this proposal? Eliminating the higher level of reimbursement for level 4 and 5 visits, reimbursement levels designed to compensate providers for the time and work effort associated with the most complex patients, certainly feels more like an effort to reduce Medicare expenditures than a patient-centric initiative.

Electronic Health Records & Ransomware: To Pay or Not to Pay - Is that the right question?

The most recent ransomware attack to impact a healthcare organization comes from Cass Regional Medical Center in Harrisonville, Missouri. The organization experienced a ransomware attack on July 9, 2018. The attack targeted the organization's communication system and prevented staff from logging onto Meditech, the facility's electronic health record (EHR) system.

Healthcare organizations must consider the risk of a ransomware attack in their annual security risk assessments (SRA) and make plans regarding how they will respond. Whether to pay the ransom is something that should be considered in advance. In the moment, with access to the EHR and other systems locked down and patient data inaccessible, the panic of the situation and lack of prior planning may lead to a rash decision to pay, which is not necessarily the best choice.


Updates to the OIG Work Plan: July 2018 Highlights

Back in June 2017, the Office of the Inspector General (OIG) announced they would begin posting monthly updates to their work plan. Keeping tabs on the OIG Work Plan is a best practice for compliance and revenue cycle professionals. The items may at times appear esoteric, but the appearance of a new initiative is akin to the proverbial canary in a coal mine.

The additions posted in July 2018 include:

  • New review of CMS payment policy in respect to 3-D radiation therapy planning services. Medicare policy prohibits payments for separately billed radiation planning services when the services are billed on a different date of service. The review by the OIG is designed to determine if the prohibition had been extended to 3-D radiation therapy.
  • The HHS OIG will perform a series of audits to assess cybersecurity vulnerabilities at HHS.
  • OIG will assess the effectiveness of the Health Resources and Services Administration (HRSA) oversight of the Access Increases in Mental Health and Substance Abuse Services (AIMS) grants.
  • OIG is working on a report describing the impact of additional Medicare outlier payments in balancing the reduction in DRG, DSH, and IME payments of transfer claims. This is one for hospital revenue cycle compliance folks to watch!
  • Another CMS focused audit by the OIG was added in respect to post-operative services provided in the global surgery payment period and whether global surgery fees reflected the actual number of post-operative services provided.
  • The final item added in July is a series of audits of the Substance Abuse and Mental Health Services Administration's process and oversight in respect to SAMHSA-approved accrediting bodies that have accredited Opioid Treatment Programs (OTP).

Patients Over Paperwork? Or just part of an agenda to reduce costs?

The Center for Medicare and Medicaid Services (CMS) has started the annual roll-out of proposed changes to the physician and other fee schedules. Wrapped up in the 2019 proposals, and opened for comment from the public and stakeholders, is a proposal regarding evaluation and management codes (E&M). The proposal is shrouded in the idea that it puts patients over paperwork by reducing the clinical visit documentation requirements for physicians, but ignores the reasons why there is a higher standard of documentation associated with the E&M codes that are reimbursed at higher levels because of the time and effort required to treat and evaluate the patient.

Under the proposal, all E&M visits (i.e., most outpatient office visits) will be reimbursed at the same dollar amount, regardless of the level assigned to the visit and without needing to meet the current documentation standards for the level; however, providers must still code the level of the visit accurately. Beyond the concerns that we are taking a step backwards as an industry in respect to encouraging quality, detailed patient care documentation that truly tells the patient story, and that lowering documentation standards does little to support value-based care initiatives, physicians treating complex patients are financially penalized under this proposal.

Fresh Tactics - Getting new providers to supply information required for credentialing and enrollment

On Wednesday, June 20, 2018, VantagePoint HealthCare Advisors President and COO Susan Prior, CHC and Senior Consultant Regina K. Alexander, FACHE, CHC presented a live webinar, The Unknown-Unknowns of Credentialing, Privileging, and Enrollment for the Health Care Compliance Association (HCCA). The webinar drew a diverse audience, including attendees from hospitals, health systems, health plans, post-acute care, law and consulting firms. During the Q&A portion of the event, we responded to many questions; however, time ran out with questions still pending in the queue. HCCA has provided VantagePoint with the list of unanswered questions. We'll base some of our upcoming posts on these questions.

Our first unanswered question from the webinar centers on tactics to gather the data and documents necessary to credential and enroll new providers. The attendee queried, "Do you think a robust credentialing process is as manageable as we would like it? Despite changing around the wording of my welcome letters for providers they tend to miss many data points I need to properly credential and to pass along this info to eventually enroll with health plans."

Yeah. This one is tough! The questioner has already attempted to streamline his/her process by revising the welcome letter sent to new providers. While revising the letter is an approach that is absolutely on VantagePoint's to-do list, and electronic applications are available to help with tracking, we'd suggest taking another look at the letter and considering the following:

  • How long is the letter? This is the time to be succinct to avoid losing the new provider's attention or muddling the message.
  • Avoid over-explaining. The letter should open with a welcoming sentence followed by a statement regarding items required to credential/enroll. Consider a polite, yet to the point sentence explaining the most compelling reason for timely and complete submissions of the information requested.
  • Consider an even shorter letter per the previous bullet point with a checklist attached. People generally like the feeling they get from checking items off a long to-do list, so this may motivate the provider toward completion. The checklist should include all items needed to complete the credentialing & enrollment process, perhaps a brief description or specific requirements statement for each item if potentially confusing, include a box to check-off the items (like a shopping list), a box for the provider to write comments and a place for the provider to sign-off/date that all items requested are enclosed.
  • Provide an email address and phone number for questions. Welcome questions from providers during the process and be ready to answer the 'why do we need all this stuff' type of questions.

One step closer to aligning 42 CFR Part 2 with HIPAA

The Overdose Prevention and Patient Safety Act was passed by the U.S. House of Representatives and is on its way to consideration by the U.S. Senate. Among other provisions, H.R. 6082 allows the health records of substance abuse disorder patients to be disclosed without specific written consent from patients for the purposes of treatment, payment, and healthcare operations (TPO). Currently, the only exception to the specific consent requirement of Part 2 is a bona fide medical emergency. If passed by the Senate and signed into law, the one sticking point for most medical providers who are either Part 2 programs or lawful holders of Part 2 protected information will be unstuck because of the alignment with the HIPAA Privacy Rule.

When it comes to claims and compliance, be payer agnostic

On Wednesday, June 20, 2018, VantagePoint HealthCare Advisors President and COO Susan Prior, CHC and Senior Consultant Regina K. Alexander, FACHE, CHC presented a live webinar, The Unknown-Unknowns of Credentialing, Privileging, and Enrollment for the Health Care Compliance Association (HCCA). The webinar drew a diverse audience, including attendees from hospitals, health systems, health plans, post-acute care, law and consulting firms. During the Q&A portion of the event, Susan and Regina responded to questions about use of locums, primary source verification for allied health professionals, and multiple questions regarding submitting claims when services have been rendered by a provider not yet enrolled.

A memorable question that bears follow-up and focus pertained to what was allowable when filing claims with commercial payers. The attendee acknowledged understanding it would not be allowable to substitute the name and NPI of a participating, enrolled provider in the 'rendering provider' box on the claim for a non-participating (or not yet enrolled) provider in respect to a claim submission to a government payer, and then asked if the same scenario is allowable with a private payer. The short answer provided on the webinar was a 'no', but the question itself reveals a more universal misunderstanding that healthcare providers can play by a different set of rules in their approach to private, commercial payers.

When it comes to claims and compliance, healthcare organizations should be payer agnostic in their attitude and approach to the basics, like the information reported on claim forms. While it's true that the Lincoln Law (False Claims Act) is enforced in respect to Medicare and Medicaid claims, the Health Care Fraud Statute (18 U.S.C. § 1347) applies to obtaining payment under false pretenses from both government AND private payers. Another consideration ancillary to submitting accurate claims is the claim as a secondary medical record. Medical records are legal documents and purposely altering the content of a claim in a manner that does not reflect the services as documented in the primary medical record could have implications under state laws. Lastly, commercial health plans build benefit structures to consider specific member cost-sharing in respect to out-of-network care. Provider groups and healthcare organizations can not only run afoul of contractual obligations by misrepresenting non-par provider services as rendered by a participating provider; if the plan is employer-sponsored, enforcement remedies are also available under the Employee Retirement Income Security Act of 1974 (ERISA).


99% of Physicians Seeking APM Bonuses in 2017 Qualified

Healthcare Financial Management Association (HFMA) reported that 99% of physicians who sought advanced alternative payment model (APM) bonuses in the first year (2017) did qualify. This is not surprising due to the relatively low thresholds and the fact that those who do apply do so knowing it is attainable for their group. Forthcoming changes to MACRA include the launch of an all-payer combination option, which allows clinicians to be eligible for the 5 percent APM bonus if they see patients in both Medicare and qualifying payment models offered by Medicaid managed care plans and Medicare Advantage plans. Moving forward, clinicians should continuously review their eligibility and their strategy to qualify or join models of care that offer such incentives.