Chiropractic Compliance FAQ

Compliance Basics FAQ

Q: Patients come in and ask for discounts because they don’t have insurance coverage. I have been trying to help them out in the past. Will this get me into trouble?

A: Often it is because we have tried to help someone out that we find ourselves in trouble. If a patient does not have insurance coverage, they are responsible for paying your full fee schedule unless they qualify for your financial hardship policy. In a situation where a patient has little to no insurance coverage, the best solution is often using a Discount Medical Plan Organization like ChiroHealthUSA. This allows you to set up a discounted fee schedule, and once your patient joins ChiroHealthUSA, then they would have access to that discounted schedule.

Q: I want to treat other chiropractors or family members for free. Is this OK?

A: Any time you provide services for less than your actual fee schedule amount, there must either be a contractual fee schedule in place or a specific policy in your compliance program to support the discount. When providing services for other chiropractors, your professional courtesy policy would apply. Certain third-party payers have rules when it comes to treating family members, and you must abide by those carriers’ rules. Otherwise, you would default to your professional courtesy policy for family members as well.

Q: How often do I need to train my employees on HIPAA?

A: A brand-new employee should be completely trained on HIPAA Privacy and Security before they ever answer the phone or view a patient record. Once trained, an employee should receive the HIPAA privacy and security training at least annually.

Q: Can I give a time-of-service discount to my patients?

A: The Office of Inspector General has set a precedent by allowing a 5 to 15% discount when services are paid upfront at the time of service. However, when a third-party payer is involved, this discount must also be passed on to that third-party payer. Because this is often done incorrectly, it can be an unnecessary source of risk in your practice.

Q: I keep hearing about Security Risk Assessment or Risk Analysis. Is this a requirement, and if so, what is it?

A: A security risk assessment or analysis is required by the Department of Health and Human Services. It is a detailed internal evaluation of all of the systems you may use to store or exchange electronic protected health information (ePHI). The analysis requires you to evaluate and document the level of risk for each device or application used for patients’ health information, and to document the steps you have taken to correct any weaknesses or vulnerabilities you discovered.

Q: I still do billing on paper. Do I need to be HIPAA compliant?

A: Regardless of whether you do your billing on paper or with electronic claims, you are responsible for your patients’ confidential health information and therefore must have an up-to-date HIPAA compliance program active in your office. We recommend that you reach out to a KMC University Specialist to complete a HIPAA Risk Assessment in order to determine what areas need consideration or improvement when it comes to HIPAA compliance.

Q: Do I need to have cleaning people sign a Business Associate Agreement?

A: HHS doesn't consider cleaning people to be business associates, since they aren't accessing, using, inputting, transmitting, or doing anything else with ePHI, so signing a Business Associate Agreement doesn't make much sense.

However, you're responsible for ensuring that appropriate safeguards are met to ensure ePHI is not accessible (cabinets locked, unnecessary identifying info shredded, computers shut down or logged out of, etc).

If you want to protect yourself thoroughly, you might want to draw up a short contract with your janitorial service stating that the practice has made a reasonable effort to safeguard protected patient information (including computers, laptops, tablets, copiers, scanners, fax machines, etc.), but that in the event something is visible to cleaning staff, the review or disclosure of that information is prohibited and sanctions will be assessed (such sanctions to include dismissing the janitorial service and, in the event of an extreme data breach, possibly bringing in authorities).

Q: We often treat spouses and partners. Does HIPAA allow us to tell a patient when their spouse/partner’s next appointment is or schedule/reschedule with them?

A: You’re required to provide a PHI Use and Disclosure Authorization form to your patients so that they can exercise their rights as noted in your Notice of Privacy Practices. Within your acknowledgement, include a way the patient can indicate to whom they want to disclose or restrict information. Be sure to include a process for noting any requested restrictions in your practice management software.

Q: I am a par provider with Medicare. If I set my 98940 and 98941 fees to be the same, is that OK? I realize that it won’t change anything except on the self-pay side.

A: You certainly can set all of your fees the same for each of the CMT codes. The idea is to make sure that your fees are set according to relative value units (RVUs) and other factors while making sure that no dual-fee scenarios are in play. If you charge, for example, $40 for 98940, 98941, and 98942, nothing stops you from doing so. Just make sure that this “actual” fee is the same fee charged to everyone.

Q: We received an unsolicited quote from our insurance company for data breach liability coverage. Do we need this?

A: HIPAA requires that you have a policy and procedure in place for how you will handle data breach notification (i.e., telling patients) if necessary. A breach could open you to lawsuits or unexpected expenses. Start by checking with your malpractice carrier to be certain breach coverage is included in your policy. If not, you may want to investigate separate coverage. Since we're not attorneys, we can't give legal advice, but liability coverage is a good business choice.

Q: After receiving patient complaints, I found my billing CA has processed several EOBs incorrectly. I looked further, and I'm afraid this may be a bigger problem than I thought. Is this cause for termination?

A: Let's start with a few questions:

  • Was your billing CA properly trained to do the job that is expected of her?
  • How was she trained: webinars, the policies and procedures in your office compliance program, or the person leaving the position?
  • Did your billing CA sign off on the training so you know that she received it properly?

Ask yourself whether you performed your job as the business owner properly by doing periodic audits, or by having your office manager provide you with the results of the audits he/she is expected to perform of team members’ job duties.

What we're saying is that if the office has a broken system, our best recommendation is to get that fixed first, and then see how your billing CA performs with clear training and instruction. If she has received proper training and this is the first time she has been “audited,” it may simply deserve a conversation or a “write-up” with an allotted amount of time to improve. That is certainly your decision to make. Refer to your policy on proper handling of reimbursements. If you find that the office could use a tune-up to get your policies and compliance in place, give us a call!

Q: What can I give away or discount to my Medicare patients?

A: Coupons, exam specials, or other similar discounts should not exceed $15 individually or $75 annually per patient. Most likely, your exam is not going to fall into this $10 range, and if it does, we have a lot more to work on!

Q: I am becoming concerned about my staff’s use of smartphones in the office. On break they sometimes snap pictures of each other and post to Facebook, etc. I fear that some PHI may inadvertently be in a picture at some point. Am I being a worrywart?

A: Not at all. As the owner of your practice, you are ultimately responsible for any PHI disclosure in your office. You can add a policy to your employee manual stating that no smartphones may be used in the office, or at least that no pictures may be taken. State in your policy that the reason for this is to protect patient privacy, for which you are responsible. Do a quick training and have your staff sign off that they understand the new policy. Insist that phones be put away while at work, and you should be able to practice with less fear of the repercussions of PHI exposure.

Q: A patient requested I not disclose her PHI to her health insurance company. Now she is in arrears and I don’t think she is going to pay. I know I can terminate the agreement to not disclose her PHI, but can I then send it in to her health insurance to get the money due to me?

A: No. When you agreed to a patient’s request for non-disclosure of PHI, you committed yourself to honoring that request for every service rendered within the time frame during which the non-disclosure was active. This means that you can terminate the agreement and send in claims from the termination date forward, since you will have made her aware in writing that it has been terminated. You MAY NOT send in her information for services from the date you agreed to non-disclosure through the date the agreement was terminated.

Q: I've noticed more patients refusing to sign the acknowledgement of receipt of Patient Privacy Practices. Can I get in trouble for not having this in the patient chart? Does this have to be signed before treatment?

A: HIPAA does not require that the notice of privacy practices be signed, but don’t take that to mean you can ignore this policy! HIPAA does require that the patient receive the notice, and that you make a meaningful effort to get the acknowledgement signed. To cover yourself, if a patient refuses to sign, note the date, time, and reason (if given). This will show that the effort was made.

Q: Does the HIPAA Privacy Rule cut off all communication between us as a covered entity and the families and friends of our patients?

A: No, as long as the patient does not object to these communications. Under the Privacy Rule you are permitted to share necessary information with family, friends, or anyone else the patient has identified as involved in his/her care. You are also permitted to share the appropriate information even when the patient is incapacitated, if doing so is in the best interest of the patient.

Q: We currently extend a birthday gift of $25 off out-of-pocket fees for a birthday visit. If that is the only discount we offer, one time/year, is that legal?

A: Gifting discounts to patients, especially Medicare/Medicaid (federally funded) patients, is considered an inducement. Federal guidelines allow you to give a Medicare patient only an item or service that does not exceed a value of $15, with a $75 annual limit per Medicare patient. You should check with your state regulatory board about gifting as well; many states have also ruled such gifts to be inducements.

Q: When do I need authorization from the patient before I can market to him/her?

A: The HIPAA Privacy Rule requires an authorization for uses or disclosures of protected health information for all marketing communications, except in two circumstances:

  1. When the communication occurs in a face-to-face encounter between the covered entity and the individual; or
  2. When the communication involves a promotional gift of nominal value.

If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.