Your compliance questions answered
A: Often it is because we have tried to help someone out that we find ourselves in trouble. If a patient does not have insurance coverage, they are responsible for paying your full fee schedule unless they qualify for your financial hardship policy. In a situation where a patient has little to no insurance coverage, often the best solution is to use a Discount Medical Plan Organization like ChiroHealthUSA. This allows you to set up a discounted fee schedule, and once your patient joins ChiroHealthUSA, they would have access to that discounted schedule.
A: Anytime you provide services for less than your actual fee schedule amount, there must either be a contractual fee schedule in place or a specific policy in your compliance program to support the discount. When providing services for other chiropractors, your professional courtesy policy would apply. Certain third-party payers have rules when it comes to treating family members. You must abide by those carriers’ rules. Otherwise you would default to your professional courtesy policy for family members as well.
A: A brand-new employee should be completely trained on HIPAA Privacy and Security before they ever answer the phone or view a patient record. Once trained, an employee should receive the HIPAA privacy and security training at least annually.
A: The Office of Inspector General has set a precedent by allowing a 5 to 15% discount when services are paid upfront at the time of service. However, when a third-party payer is involved, this discount must also be passed on to the third-party payer. Because this is often done incorrectly, it can be an unnecessary source of risk in your practice.
A: A security risk assessment or analysis is required by the Department of Health and Human Services. It is a detailed internal evaluation of all of the systems you may use to store or exchange electronic protected health information. This analysis requires you to evaluate and document the level of risk for each device or application used to store or handle patients’ health information. It also requires you to document the steps you have taken to correct any weaknesses or vulnerabilities you discovered.
A: Regardless of whether you do your billing on paper or with electronic claims, you are responsible for your patients’ confidential health information and therefore must have an up-to-date HIPAA compliance program active in your office. We recommend that you reach out to a KMC University Specialist to complete a HIPAA Risk Assessment in order to determine what areas need consideration or improvement when it comes to HIPAA compliance.
A: HHS doesn't consider cleaning people to be business associates since they aren't accessing, using, inputting, transmitting, or doing anything with ePHI. Signing a Business Associate Agreement doesn't make much sense.
However, you're responsible for ensuring that appropriate safeguards are in place so that ePHI is not accessible (cabinets locked, unnecessary identifying information shredded, computers shut down or logged out of, etc.).
If you want to protect yourself thoroughly, you might want to draw up a short contract with your janitorial service stating that the practice has made a reasonable effort to safeguard protected patient information (including computers, laptops, tablets, copiers, scanners, fax machines, etc.), but that in the event something is visible to cleaning staff, the review or disclosure of that information is prohibited and sanctions will be assessed (such sanctions to include dismissing the janitorial service and, in the event of an extreme data breach, possibly bringing in the authorities).
A: You’re required to provide a PHI Use and Disclosure Authorization form to your patients so that they can exercise their rights as noted in your Notice of Privacy Practices. Within your acknowledgment, include a way the patient can indicate to whom they want to disclose or restrict information. Be sure to include a process for noting any requested restrictions in your practice management software.
A: You certainly can set all of your fees the same for each of the CMT codes. The idea is to make sure that your fees are set according to relative value units (RVUs) and other factors while making sure that no dual-fee scenarios are in play. If you charge, for example, $40 for 98940, 98941, and 98942, nothing stops you from doing so. Just make sure that this “actual” fee is the same fee charged to everyone.
A: HIPAA requires that you have a policy and procedure in place for how you will handle data breach notification (i.e., telling patients) if necessary. A breach could open you to lawsuits or unexpected expenses. Start by checking with your malpractice carrier to be certain breach coverage is included in your policy. If not, you may want to investigate separate coverage. Since we're not attorneys, we can't give legal advice, but liability coverage is a good business choice.
A: Let's start with a few questions:
Was your billing CA properly trained to do the job that is expected of her?
How was she trained: webinars, via the policies and procedures in your office compliance program, or by the person leaving the position?
Did your billing CA sign off on the training so you know that she received it properly?
Ask yourself if you performed your job properly, as the business owner, by doing periodic audits or having your office manager provide you with the results of audits he/she performed regarding team members' job duties.
What we're saying is that if the office has a broken system, our best recommendation is to get that fixed first, and then see how your billing CA performs with clear training and instruction. If she has received proper training and this is the first time she has been “audited,” it may simply deserve a conversation or a “write-up” with an allotted amount of time to improve. That is certainly your decision to make. Refer to your policy on proper handling of reimbursements. If you find that the office could use a tune-up to get your policies and compliance in place, give us a call!
A: Coupons, exam specials, or other similar discounts should not exceed $15 individually or $75 annually per patient. Most likely, your exam is not going to fall into this $10 range, and if it does, we have a lot more to work on!
More information: http://oig.hhs.gov/fraud/docs/alertsandbulletins/SABGiftsandInducements.pdf
A: Not at all. As the owner of your practice, you are ultimately responsible for any PHI disclosure in your office. You can add a policy to your employee manual that states that no smartphones may be used in the office, or at least that no pictures can be taken. State in your policy that the reason for this is to protect patient privacy, for which you are responsible. Do a quick training and have your staff sign off that they understand the new policy. Insist that phones be put away when at work and you should be able to practice with less fear of repercussions of PHI exposure.
A: No. When you agreed to a patient’s request for non-disclosure of PHI, you committed yourself to honoring that request for every service rendered within the time frame for which the non-disclosure was active. This means that you can terminate the agreement and send in claims from the termination date forward, since you will have made her aware in writing that it has been terminated. You MAY NOT send in her information from the date you agreed to non-disclosure through the date the agreement was terminated.
A: HIPAA does not require that the notice of privacy practices be signed, but don’t take that to mean you can ignore this policy! HIPAA does require that the patient receive the notice and that you make a meaningful effort to get the acknowledgment signed. To cover yourself, if a patient refuses to sign, note the date, time, and reason (if given). This will show that the effort was made.
A: No, as long as the patient does not object to these communications. With the Privacy Rule you are permitted to share necessary information with family, friends, or anyone else a patient has identified as involved in his/her care. You are also permitted to share the appropriate information even when the patient is incapacitated (if doing so is in the best interest of the patient).
A: Gifting discounts to patients, especially Medicare/Medicaid (federally funded) patients, is considered an inducement. Federal guidelines allow you to give any item or service to a Medicare patient that does not exceed a value of $15 with a $75 annual limit per Medicare patient. You should check with your state regulatory board about gifting as well. Many states have also ruled such gifts as inducements.
A: The HIPAA Privacy Rule requires an authorization for uses or disclosures of protected health information for all marketing communications, except in two circumstances:
1) When the communication occurs in a face-to-face encounter between the covered entity and the individual; or
2) The communication involves a promotional gift of nominal value.
If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.
A: Patients should usually receive notice at their first appointment. In an emergency, you could provide notice as soon as possible after the emergency. The notice must also be posted in a clear and easy-to-find location where patients are able to see it, and a copy must be provided to anyone who asks for one. If you attempt to provide the notice and the patient declines to accept it, be sure you have the acknowledgment of receipt signed for their file. If you have a website, the NPP must also be posted there.
I want to thank you for your expertise and time spent educating and assisting our company, Harmony Healthcare, Ltd., with regard to becoming more HIPAA compliant so that we can better serve our clientele. In our current times, the safety and protection of personal information is of high importance and concern, and we are blessed to have KMC be our expert guide. We appreciate you and your team!