HIPAA and Medicare for Chiropractors
Disclaimer None of the CCS employees are healthcare attorneys. All advice given by CCS is for educational purposes only and should not be considered a legal opinion. The information that follows has been obtained from the Federal Register and other associated government documents. Now on with the show
Dr. Jeff Sandquist, Chiropractor and Consultant, Director of Program Development for CCS, Certified Chiropractic Professional Coder (CCPC), Certified Professional Compliance Officer (CPCO)
How Do We Cross the Chasm?
"The successful person has the habit of doing things failures don't like to do. They don't like doing them either necessarily. But their disliking is subordinated to the strength of their purpose." Albert Gray
What is HIPAA? https://www.youtube.com/watch?v=1yjqtn0on8g

HIPAA History
- Objective: improve efficiency and effectiveness of health care by standardizing electronic exchange of administrative, financial and clinical data
- Encompasses transaction standards, electronic signatures, unique identifiers (NPI), privacy, security, breach notification, coding, and more

HIPAA History
- Developed by the US Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR)
- Health Insurance Portability and Accountability Act of 1996
- HIPAA Administrative Simplification in 2006 (HIPAA II)
- Mandated national standards for electronic health care transactions, required national identifiers for providers (NPI number), mandated security and privacy of health data

HIPAA History
- Updated in 2009 with the HITECH Act
- Finalized in 2013 with the Omnibus Final Rule
- The original HIPAA law consisted of less than 20 pages
- The HIPAA Omnibus Final Rule consisted of over 500 pages, NOT including the HITECH Act!!!

HITECH
- Health Information Technology for Economic and Clinical Health Act
- Part of the American Recovery and Reinvestment Act (ARRA) stimulus package of 2009
- Focused on leveraging INFORMATION (technology) to achieve better health care outcomes

HITECH
- Promoted adoption of EHR technology
- Expanded existing Privacy and Security standards
- Business Associates (BAs) subject to direct enforcement of the Security and Privacy Rules
- New breach notification requirements
- Enhanced enforcement: increased penalties, proactive audits, etc.
- Gave HIPAA teeth

Omnibus Final Rule
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights announces a final rule that implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

What Changed?
"The changes in the final rulemaking provide the public with increased protection and control of personal health information." HHS News Release, January 17, 2013

What Changed?
- Finalized/implemented many changes from the HITECH Act
- Business Associate and subcontractor liability
- Breach Notification requirements
- Notice of Privacy Practices requirements
- Increased penalties for noncompliance
- Use and disclosure of Protected Health Information (PHI)
- Expanded individuals' rights

New HIPAA Deadlines
- Jan 25, 2013: published in the Federal Register
- Mar 26, 2013: effective date
- Sept 23, 2013: compliance date

HIPAA Compliance
- Privacy Rule since 2003
- Security Rule since 2005
- HITECH Interim Rule 2009
- Meaningful Use in 2011 (Security Risk Analysis)
- HIPAA Omnibus Final Rule September 23, 2013

Penalty Factors
- Nature and extent of the violation: number affected, time period
- Nature and extent of harm resulting from the violation
- History of prior noncompliance
- Financial condition of the covered entity
- Other factors

HIPAA Compliance
- HIPAA compliance is MANDATORY even if you do NOT utilize EHR
- HIPAA laws do NOT fall under Obamacare (can't blame that)
- Can blame HIPAA (in part) for ICD-10

HIPAA Compliance
- REQUIRED for all Covered Entities (YOU!)
- Been around but rarely enforced until NOW!

HIPAA Noncompliance
...agreeing to a $150,000 payment. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

HIPAA Noncompliance
The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.

HIPAA Noncompliance
"As we say in health care, an ounce of prevention is worth a pound of cure," said OCR Director Leon Rodriguez. "That is what a good risk management process is all about: identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information." In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring APDerm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.

ACTIVE Compliance PROCESS: 8 HIPAA Compliance Elements

HIPAA Compliance Elements
1. Develop and implement WRITTEN policies and procedures, including changes and updates as necessary: NPP, BAA, Use and Disclosure, Privacy and Security, etc.
2. Designate a Privacy and Security Officer (Compliance Officer)

HIPAA Compliance Elements
3. Workforce training for ALL employees: who, what, when (at least annually and ASAP when hired)
4. Maintain reasonable and appropriate administrative, technical and physical safeguards to prevent intentional or unintentional use or disclosure of PHI; Security Rule = ELECTRONIC PHI (ePHI); perform a Risk Analysis and Risk Management (SRA Tool)

HIPAA Compliance Elements
5. Mitigate harmful effects of use or disclosure of PHI by staff or Business Associates in violation of policies and procedures: breach, sanctions, etc.
6. Privacy complaint procedures contained in the Notice of Privacy Practices, identifying how and to whom to make complaints

HIPAA Compliance Elements
7. NEVER retaliate against staff or patients for exercising their rights, for assisting in an investigation, or for opposing an act or practice that the person believes violates the Privacy Rule
8. Record retention of HIPAA-related items for 6 YEARS after their effective date

Privacy Rule: What is it? How to comply with it?

Privacy Rule
The HIPAA Privacy Rule provides federal protection for individually identifiable health information held by covered entities. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes.

Privacy Rule
- Portion of the HIPAA law that pertains to interaction between the patient and health care professionals and other entities
- Final rule effective as of April 2003

Protected Health Information (PHI)
All individually identifiable health information that is held or transmitted by a covered entity or its business associates, in any form, whether electronic, paper, or oral.

Individually Identifiable Health Information
Information, including demographic data, that relates to the individual's past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual (e.g., name, address, birth date, social security number).

PHI
- Contains health information that identifies the individual, including but not limited to demographic information
- Relates to the individual's health or the provision of, or payment for, health care

PHI Excludes
- Educational records covered by the Family Educational Rights and Privacy Act (FERPA)
- Employment records held by a covered entity in its role as an employer
- Persons deceased for more than 50 years

PHI De-Identification
Health information that does not identify an individual, and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual, is not individually identifiable health information. The following identifiers of the individual, relatives, employers or household members are REMOVED:
PHI De-Identification
- Names
- All geographic subdivisions smaller than state
- All elements of dates (except year, unless 89 years old and over)
- Phone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device numbers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers (finger and voice prints)
- Full face photos and comparable images
- Any other unique identifying number, characteristic, or code
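As an added illustration (not part of the original slides), a Python script that applies the identifier list above to a constructed patient record: it drops the listed identifier fields and sub-state geography, keeps only the year of dates, collapses ages over 89 into a single "90+" category, and scrubs obvious identifiers out of free-text notes. The record, field names and patterns are assumptions of this example; the free-text scrubbing is best-effort and does not replace a human review of the record.

```python
"""Safe Harbor de-identification of a constructed patient record.

Drops the slide's identifier fields and sub-state geography, keeps only the
year of dates, collapses ages over 89 into "90+", and scrubs free text.
"""
import re
from datetime import date

# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "address": "123 Main St",
    "city": "Springfield",
    "zip": "62704",
    "state": "IL",
    "date_of_birth": "1921-05-14",
    "visit_date": "2013-09-23",
    "phone": "217-555-0100",
    "email": "jane.sample@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-000042",
    "health_plan_id": "HP-7788",
    "device_serial": "SN-55AA",
    "url": "https://example.com/jane",
    "ip": "192.0.2.10",
    "photo": "face.jpg",
    "diagnosis": "M54.5",  # clinical content is not an identifier; it stays
    "notes": "Patient Jane called from 217-555-0100; follow up 2013-10-01.",
}

# Direct identifiers from the slide's list: dropped outright.
REMOVE_FIELDS = {"name", "phone", "fax", "email", "ssn", "mrn",
                 "health_plan_id", "account_number", "license_number",
                 "vin", "device_serial", "url", "ip", "biometric_id", "photo"}
# "All geographic subdivisions smaller than state": the state itself stays.
GEO_REMOVE = {"address", "city", "zip"}
# "All elements of dates (except year)".
DATE_FIELDS = {"date_of_birth", "visit_date"}

# Best-effort patterns for identifiers that leak into free text.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]


def age_on(dob: date, ref: date) -> int:
    """Completed years between dob and ref."""
    years = ref.year - dob.year
    if (ref.month, ref.day) < (dob.month, dob.day):
        years -= 1
    return years


def name_tokens(full_name: str) -> list[str]:
    """Name parts worth scrubbing from free text (single initials skipped)."""
    return [t for t in re.findall(r"[A-Za-z]+", full_name) if len(t) > 1]


def scrub_text(text: str, names: list[str]) -> str:
    """Replace identifier-shaped substrings and known name tokens."""
    for pattern, label in TEXT_PATTERNS:
        text = pattern.sub(label, text)
    for token in names:
        text = re.sub(rf"\b{re.escape(token)}\b", "[NAME]", text, flags=re.I)
    return text


def deidentify(record: dict) -> dict:
    """Return a Safe Harbor de-identified copy of record."""
    dob = date.fromisoformat(record["date_of_birth"])
    ref = date.fromisoformat(record["visit_date"])
    age = age_on(dob, ref)
    over_89 = age > 89
    names = name_tokens(record["name"])
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS or key in GEO_REMOVE:
            continue
        if key in DATE_FIELDS:
            # A birth year would reveal an age over 89, so it goes too.
            if key == "date_of_birth" and over_89:
                continue
            out[key + "_year"] = value[:4]
            continue
        out[key] = scrub_text(value, names) if isinstance(value, str) else value
    # Ages over 89 are aggregated into a single category.
    out["age"] = "90+" if over_89 else age
    return out


def find_identifiers(record: dict) -> list[tuple[str, str]]:
    """Audit check: fields whose text still matches an identifier pattern."""
    return [(key, label) for key, value in record.items()
            if isinstance(value, str)
            for pattern, label in TEXT_PATTERNS if pattern.search(value)]
```

Running `find_identifiers` over the output is a cheap sanity check before a de-identified extract leaves the practice; an empty result means none of the pattern-shaped identifiers survived.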
Use
The sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information, i.e., information used INSIDE your practice.

Disclosure
The release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information, i.e., information you share OUTSIDE with others.

Authorization
A covered entity must obtain the individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.

Authorization Requirements
- Description of the information to be used or disclosed
- Name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure
- Name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure
- A description of each purpose of the requested use or disclosure
- An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure
- Signature of the individual and date
- If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided

Authorization Requirements: REQUIRED STATEMENTS
- The individual's right to revoke the authorization in writing, and either: the exceptions to the right to revoke and a description of how the individual may revoke the authorization; or a reference to the covered entity's notice
- The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either: that the covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization, when the prohibition on conditioning of authorizations applies; or the consequences to the individual of a refusal to sign the authorization, when the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization

Authorization Requirements
- The potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer be protected by this subpart
- Plain language requirement: the authorization must be written in plain language
- Copy to the individual: if a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization

Minimum Necessary
A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.

Minimum Necessary Does NOT Apply
- To or by a health care provider for treatment
- To the individual
- With a valid authorization
- To the Secretary, and as required by law

Monday Morning Action Steps
- Address understanding and implementation of Use and Disclosure
- PHI and de-identified PHI
- Minimum necessary
- Determine if a valid authorization is in use

Security Rule: What is it? How to comply with it?

Security Rule
The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information.

Security Rule
- Specific to ELECTRONIC protected health information, AKA ePHI
- Requires a specific Risk Analysis to determine security
- Administrative Safeguards: training/management
- Physical Safeguards: facility access/security
- Technical Safeguards: access/transmission security

Security Measures
Take into consideration:
- Size, complexity, capabilities
- Technical, hardware and software infrastructure
- Cost of security measures
- Likelihood/possible impact of potential risks to ePHI

Required vs. Addressable
- Required = must be implemented
- Addressable = does NOT mean optional: determine if reasonable and appropriate, OR adopt an alternative measure to achieve the purpose of the standard if reasonable and appropriate, OR DOCUMENT why it was NOT implemented

Risk Analysis
Forms the FOUNDATION upon which an entity's necessary security activities are built.

Risk Analysis
- Part of the Administrative Safeguards
- The Security Rule requires you to implement policies and procedures to prevent, detect, contain, and correct security violations

Threat
The potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
- Natural threats: floods, earthquakes, tornadoes, etc.
- Human threats: intentional (unauthorized access, theft) or unintentional (incidental)
- Environmental threats: power failure, water, fire, etc.

Vulnerability
A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy. Can be technical (technology) OR non-technical (administrative, physical, policies and procedures, staff, etc.).

Threats and Vulnerabilities
- ePHI = chickens
- Threat = fox, wolf, coyote, hawk, etc.
- Vulnerability = hole in the fence, tunnel under the fence, gate left open, improper shelter, etc.

Risk
A function of the likelihood of a given threat triggering or exploiting a particular vulnerability and the resulting impact on the organization: Threat + Vulnerability + Likelihood + Impact.

Risk Analysis Overview
- Evaluate likelihood and impact of potential risks to ePHI
- Implement appropriate security measures to address the risks identified
- Document chosen security measures and rationale
- Maintain continuous, reasonable and appropriate security protections
- ONGOING PROCESS: update annually and with major changes

Administrative Safeguards
Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the CE's workforce in relation to the protection of that information.

Administrative Safeguards
- Security management process, including Security Officer designation and implementing various policies and procedures
- Information access management policies and procedures
- Workforce training and management, including sanctions
- Periodic evaluation

In Other Words
- What are the threats, vulnerabilities and risks to ePHI, and how are they managed?
- Who is in charge (CO) and involved (TEAM)?
- Who has access to ePHI?
- Is there authorization, supervision and training?
- Are there periodic evaluations and assessments?

Physical Safeguards
Physical measures, policies and procedures, to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

Physical Safeguards
- Facility access and control
- Workstation and device security
- Policies and procedures for use of and access to workstations and electronic media
- Policies and procedures regarding transfer, removal, disposal, reuse and protection of electronic media

In Other Words
- Where are the facilities?
- Who has access to the facilities?
- How is access to the facilities granted/controlled?
- What is the security of workstations and technology?
- How are transfer, removal, disposal and re-use handled?

Technical Safeguards
The technology, and the policies and procedures for its use, that protect ePHI and control access to it.

Technical Safeguards
- Policies and procedures that allow access to authorized users only
- Hardware, software and procedures to record and examine access
- Policies and procedures to ensure ePHI is not improperly altered or destroyed
- Technical security to guard against unauthorized access to ePHI being transmitted

In Other Words
- Do ONLY authorized personnel have access to ePHI?
- Are there audit controls to track and evaluate ePHI access/use?
- What's in place to assure proper destruction and prevent improper destruction or alteration of ePHI?
- What's in place to secure transmission of ePHI?

Unsecured PHI
PHI that is NOT rendered unusable, unreadable or indecipherable to unauthorized individuals according to NIST (National Institute of Standards and Technology) guidelines or by physical destruction.

Encryption
- Method of converting the original message of regular text into encoded text
- Encrypted by means of an algorithm (formula)
- Done according to National Institute of Standards and Technology (NIST) guidelines

Encryption and Destruction
- PHI at Rest: NIST 800-111
- PHI in Motion: NIST 800-52, 800-77, 800-113
- PHI Disposed: physical media shredded or destroyed so it cannot be read or reconstructed; electronic media per NIST 800-88
- PHI in Use: no specific guidelines other than standard access control technologies (and common sense)

PHI at Rest (NIST 800-111)
STORED PHI in some capacity (e.g. desktop, laptop, phone, flash drive, memory card, external hard drive, CDs, DVDs, etc.)

PHI in Motion (NIST 800-52)
- PHI MOVING across the wire (i.e. internet or intranet)
- Transport Layer Security (TLS) recommended
- Provides authentication, confidentiality, data integrity

PHI Disposed (NIST 800-88)
- Sanitized PHI
- Use approved techniques/methods
- Not easily retrieved and reconstructed
- Track and document sanitization and destruction actions

Sanitization/Destruction Methods
- Clearing: cannot simply delete; overwrite technology
- Purging: degaussing
- Destroying: the ULTIMATE form; disintegration, incineration, pulverizing, shredding, melting, etc.

Disaster Plan
- LONG-term recovery plan to get you back to where you were before the disaster
- HIPAA REQUIRES access and security of data in the event of a disaster

Contingency Plan (AKA Business Continuity Plan)
- SHORT-term temporary resumption of critical business operations; helps the business survive during Disaster Recovery
- HIPAA REQUIRES access and security of data

Contingency Plan
- Disaster Risk Analysis
- Access to critical contact info
- Info about the facility (water, gas, electrical shut-offs)
- Planned steps for various applicable disasters (natural disasters, equipment failure, power failure, communications failure, burst water pipe, loss of key employee, loss of facility access, etc.)

Risk Management
REQUIRED under the Administrative Safeguards: implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Security Rule.

Where is YOUR ePHI? At the office? At home? In your pocket? Another office?

Monday Morning Action Steps
- Perform a Risk Analysis to determine vulnerabilities, threats, and risks
- Address Administrative, Physical, and Technical Safeguards
- Perform Risk Management to implement, revise and monitor
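As an added example (not from the original slides), a small Python risk register that ties together the Risk, Required vs. Addressable, Risk Analysis Overview and Risk Management slides above: each threat/vulnerability pair gets a likelihood x impact score (an assumed 3x3 scheme), the register is ranked, and a check flags any required measure that is not implemented and any addressable measure left unimplemented without a documented rationale. The assets, risks and required/addressable labels are constructed for illustration; confirm each specification's status against the Security Rule text before relying on it.

```python
"""Security Rule risk analysis worksheet for a constructed small practice.

Each threat/vulnerability pair is scored on likelihood and impact, the
register is ranked, and the Required vs. Addressable rule is checked: a
required measure must be implemented; an addressable one that is not
implemented as written needs a documented rationale.
"""
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskEntry:
    asset: str          # where the ePHI lives
    threat: str
    vulnerability: str
    likelihood: str     # low / medium / high
    impact: str         # low / medium / high
    measure: str        # safeguard that addresses this risk
    spec: str           # "required" or "addressable" (illustrative labels)
    decision: str       # implemented / alternative / not implemented
    rationale: str = ""  # needed when an addressable measure is not implemented

    def score(self) -> int:
        """Likelihood x impact on a 1..9 scale (an assumed scoring scheme)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def level(self) -> str:
        s = self.score()
        return "high" if s >= 6 else "medium" if s >= 3 else "low"


# Constructed register for a hypothetical chiropractic office.
REGISTER = [
    RiskEntry("billing laptop", "theft (human, intentional)",
              "disk not encrypted", "medium", "high",
              "encryption and decryption", "addressable", "implemented"),
    RiskEntry("front-desk workstation", "shoulder surfing (human)",
              "screen faces the waiting room", "high", "medium",
              "workstation security", "required", "implemented"),
    RiskEntry("EHR server", "flood or fire (environmental)",
              "no off-site backup", "low", "high",
              "data backup plan", "required", "not implemented"),
    RiskEntry("staff email", "phishing (human, intentional)",
              "staff never briefed on security", "high", "high",
              "security reminders", "addressable", "alternative",
              "quarterly in-person briefing by the security officer"),
    RiskEntry("home remote access", "eavesdropping on the wire",
              "EHR reached over plain HTTP", "medium", "medium",
              "transmission encryption", "addressable", "not implemented"),
]


def ranked(register: list[RiskEntry]) -> list[RiskEntry]:
    """Highest risk first, so remediation effort goes where it matters."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def documentation_gaps(register: list[RiskEntry]) -> list[str]:
    """Entries that fail the Required vs. Addressable rule."""
    gaps = []
    for r in register:
        if r.spec == "required" and r.decision != "implemented":
            gaps.append(f"{r.measure}: required but {r.decision}")
        elif (r.spec == "addressable" and r.decision != "implemented"
              and not r.rationale.strip()):
            gaps.append(f"{r.measure}: {r.decision} without documented rationale")
    return gaps


if __name__ == "__main__":
    for r in ranked(REGISTER):
        print(f"{r.level():<6} {r.score()}  {r.asset}: {r.threat} / {r.vulnerability}")
    for gap in documentation_gaps(REGISTER):
        print("GAP:", gap)
```

Re-running the script after each annual update (or major change) gives the dated, ranked record with rationale that the "document chosen security measures and rationale" step asks for.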
Business Associates: Who is involved? What changed? What are the requirements?

Covered Entity
A health care provider who transmits any health information in electronic form. YOU!!! (Also includes health care clearinghouses and health plans.)

Business Associate
A person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.

Workforce
Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.

Business Associate
An entity that creates, receives, maintains, or transmits protected health information on behalf of a covered entity (YOU).

Subcontractor
An entity that creates, receives, maintains, or transmits protected health information on behalf of another business associate, i.e. your BA's business associate.

Business Associate Examples
- Billing services
- EHR vendor
- Accounting
- Consulting
- Practice management
- Transcriptionist
- Collection agency
- Administrative
- Financial*
- Accreditation
- Attorneys
- Data aggregation
- Computer repair/technician
- Cloud storage*
Business Associate Exceptions
- Other health care providers
- Health insurance carriers
- Financial institutions for care payment
- Conduits (USPS, FedEx, UPS, ISP, etc.)
- Janitor, electrician, office repair, cleaning service, etc. (NEVER a Business Associate)
Business Associate or Not? Role or activity based Do they create, receive, maintain or transmit PHI on your behalf? Do they have access to PHI as part of their role or activity? Even if not routinely; need only be POTENTIALLY
What Changed? Revised deginition of a Business Associate Added entities that fall under BA deginition Increased liability and compliance requirements for BA and subcontractors NEW/UPDATED BA Agreements REQUIRED
BA Liability DIRECTLY liable for violations of HIPAA Contractually liable However, liable whether or not they have agreement in place with CE Liable for actions of subcontractors
Business Associate Agreement Contract between you and each of your BA outlining the following: NOTE: Do NOT need BAA w/ subcontractors Permitted uses of PHI Restricted uses of PHI Appropriate safeguards Breach procedures Terms and termination
BAA Requirements Establish permitted/required uses/ disclosures of PHI BA will not use/disclose PHI other than permitted/required BA will implement appropriate safeguards consistent with HIPAA security rule
BAA Requirements BA will report to CE any uses or disclosures not covered in contract, including breaches BA will make PHI available for individuals requests, amendments and accountings BA will comply with applicable HIPAA Privacy Rule requirements
BAA Requirements BA will make available internal practices/ books/records to HHS Termination requires BA to destroy/return PHI received/created BA ensures subcontractors agree to same requirements; may be more but NOT less strict Authorize termination by CE if BA violates terms
Monday Morning Action Steps Make a list of all Business Associates Get an updated and signed Business Associate Agreement from all BAs
Notice of Privacy Practices What is it? Who gets it? Where does it go?
What is in the NPP? Describes how medical information about patient may be used and disclosed and how patients can get access to this information Patient Rights Patient Choices Uses and disclosures
State vs. Federal Usually Federal Laws are more strict HIPAA takes precedence HOWEVER if State Laws are more strict State Law takes precedence
OK Records Request
Patient Rights Receive electronic OR paper copy of medical records Ask to correct medical records Request congidential or alternative communications Ask to limit what we use or share Ex. Insurance carriers for care paid for out of pocket
Patient Rights Get list of those with whom we ve shared info Get copy of this privacy notice Choose someone to act for you File a complaint if you feel your rights are violated WITHOUT fear of retaliation
Patient Choices In these cases, you have both the right and choice to tell us to: Share info with your family, close friends, or others involved in your care
Patient Choices In these cases we NEVER share your info UNLESS you give us WRITTEN permission: Marketing purposes* Sale of your information
Marketing REQUIRES written signed authorization To make a communication about a product or service that encourage the recipient of the communication to purchase or use the product or service.
Marketing An arrangement between a covered entity and any other entity whereby the covered entity discloses PHI to the other entity in exchange for REMUNERATION, for the other entity or its af=iliate to make communication about its own product or service that encourage recipients of the communication to purchase or use that product or service. Financial remuneration means direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an individual.
Marketing EXCEPTIONS Face- to- face communications Promotional gift of nominal value* UNLESS Ginancial REMUNERATION takes place Treatment of patient (i.e. case management, care coordination, alternative treatments, therapies, providers or settings) Health- related products or services as part of a plan of benegits (health care provider/plan network) Case management or care coordination, treatment alternatives that do NOT fall under treatment deginition
Uses and Disclosures Allowed or required to share patient info Treatment Bill for patient services and receive payments Run your organization (practice) Public health and safety issues Conduct research Comply with law
Treatment Provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.
Payment Encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to ful=ill their coverage responsibilities and provide bene=its under the plan, and to obtain or provide reimbursement for the provision of health care.
Health Care Operations Certain administrative, =inancial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support core functions of treatment and payment.
Uses and Disclosures Allowed or required to share patient info Respond to organ and tissue donation requests Work with medical examiner or funeral director Address workers compensation, law enforcement and other government request Respond to lawsuits and legal actions (against you)
Decedents NOT PHI 50 years following death of person CAN disclose to decedents family members and others involved in care or payment for care prior to death
Provider Responsibilities Required by law to maintain privacy and security of PHI Inform patient promptly if a breach occurs that may compromise the privacy or security of the patient PHI Follow the duties and privacy practices in the NPP and give a copy to the patient Not to use or share info other than described in NPP unless told in writing; can be revoked in writing as well
Who Gets the NPP? ALL NEW patients during initial paperwork Obtain written acknowledgment Placed in patient Gile Anyone else who asks for it (NOT likely)
Where to Post the NPP? Post in, clear and prominent location and have copies of the NPP at the delivery sight for individuals to request to take with them. May post a summary, as long as the full notice is IMMEDIATELY available. (i.e. should NOT have to ask for full notice) Full notice posted on the ofgice website
Monday Morning Action Steps Update NPP Give to all new patients Post in prominent location Post on website
Breach NotiGications What is a Breach? What Changed? What is a Breach NotiGication?
What is a Breach? Acquisition, access, use or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information. Basically someone has PHI who should NOT have it (NOT authorized or allowed)
Guilty Until Proven Innocent Harm standard REMOVED PRESUMED to be a breach UNLESS covered entity demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors
4 Risk Assessment Factors 1. Nature and extent of PHI involved, types of identigiers, likelihood of re- identigication 2. Unauthorized person who used PHI or who the disclosure was made to 3. Whether PHI was actually acquired or viewed 4. Extent to which risk to PHI was mitigated
Breach NotiGications Treated as discovered on FIRST day it was known or should have been known Notify EACH individual affected SpeciGic requirements of info included Have 60 days from discovery to do so Business Associates have obligation to notify the Covered Entity (YOU!) about a breach
Individual Breach NotiGications Brief description of what happened Including date of breach and date of discovery Description of types of unsecured PHI involved Steps individual should take to protect themselves Brief description of what you are doing to investigate and mitigate harm and protect in the future Contact procedures Including toll- free number, email address, website or postal address
Breach NotiGications NotiGication to media More than 500 individuals affected NotiGication to Secretary More than 500 individuals affected within 60 days Less than 500 individuals affected by end of year
http://ocrnotigications.hhs.gov
Safe Harbor Encryption according to NIST guidelines NO breach notigication required for PHI encrypted in accordance to NIST guidelines
Monday Morning Action Steps HIPAA policies and procedures up to date Understand breach requirements and notigications Encryption for safe harbor?
HIPPA in the Digital World Email, Cloud Storage, Social Media
Email Standard email (gmail, hotmail, yahoo, etc.) NOT HIPAA compliant Requires Business Associate Agreement Utilizes NIST Standards and encryption?
Email CAN email to patient s unsecure email IF you let them know of the risk But MUST be HIPAA compliant on YOUR end HIPAA compliant email is available through various companies and IT professionals
Cloud Storage Standard cloud storage (e.g. google drive, dropbox, amazon, etc.) NOT HIPAA compliant Requires Business Associate Agreement Utilizes NIST Standards and encryption? HIPAA compliant cloud storage is available through various companies and IT professionals
Text Messaging Standard text messaging (including instant messaging) is NOT HIPAA compliant Like texting and driving just don t do it Requires Business Associate Agreement HIPAA compliant messaging is available through various companies and IT professionals
Social Media What happens on the internet STAYS on the internet Information can spread FAST (go VIRAL) Little to no control over who sees and what s shared NOTHING on the internet is 100% private/ secure
Social Media Taken out of context and misinterpreted Damage to reputation and public trust Unprofessionalism and boundary issues Feelings of anonymity, invisibility, dis- inhibition ConGidentiality, Privacy and Security issues (HIPAA)
Pictures and Testimonials Requires WRITTEN patient authorization Verbal OK from patient is NOT good enough Get it in writing, keep a copy and give a copy Use Girst name and last initial Know your state laws for testimonials Patient can ALWAYS revoke authorization
Doctor-Patient Relationship Exists online TOO! Relationships online should be the SAME as they are in real life Giving advice/recommendations ONLINE may also establish a Doctor-patient relationship
Ask Yourself Would I want my parents to see this? Would I want this on the front page of the local newspaper? Would I share this information in my lobby/waiting room? Could this easily be taken out of context or misinterpreted? How would this affect my friends, family, patients, practice, etc.? Am I violating someone's confidentiality and privacy? Does this REALLY need to be said, written, recorded, etc.?
Best Practices Don't friend your patients Direct them to your professional social media account Set and monitor your privacy settings Don't discuss PHI through social media Even if the patient initiates the conversation Follow the SAME professional, ethical, privacy and security standards online as you would in real life
Best Practices Avoid person-specific advice/recommendations Do not talk ABOUT patients over social media Talk to your family members about this Monitor each other (within reason) Report, REMOVE and remedy any potential issues ASAP
Monday Morning Action Steps HIPAA compliant email, cloud storage, etc. Determine your online presence Create and implement a social media policy Authorizations for testimonials, photos, etc.
Medicare and Chiropractic Basics ONLY covers SPINAL adjustments 98940, 98941, 98942 (NOT 98943) (MAY cover E&M in the future, maybe) Subluxation demonstrated by x-ray OR exam X-ray 12 months prior or 3 months following start Greater than 12 months for some chronic conditions Adjustment by hand or device (won't pay extra)
Participating Provider vs. Non-Participating Provider What are your options? What's the difference?
Participating Provider (Par) Accepts assignment Charge the Medicare Allowed Amount Depends on your location and MAC Collect applicable deductible and coinsurance 2014 Deductible = $147 Patient coinsurance = 20%
Participating Provider Medicare will pay 5% more than non-par Listed in Provider Directory No restrictions on appeal rights Claims automatically forwarded to secondary insurance carrier
Non-Participating Provider (Nonpar) Does not accept assignment (usually) Paid at the time of service by patient Charge up to Medicare Limiting Amount Charging over the Limiting Amount = hefty fines Medicare pays 95% of Allowed Amount to patient Gives up appeal rights to the patient
Changing Participation Status Once per year, mid November to Dec 31st NonPar to Par = CMS 460 Form Par to NonPar = write MAC Stay the same = do nothing
Opting Out of Medicare There is a provision in the law that allows physicians to opt out of Medicare BUT Chiropractors are NOT considered physicians under that rule.
CHIROPRACTORS CANNOT OPT OUT OF MEDICARE!
If You See Medicare Patients You MUST be enrolled with Medicare You MUST send in their claims You MUST play by Medicare rules You can NOT have the patient sign a waiver to NOT submit to Medicare and pay cash
Gifting and Inducement Can NOT legally offer discounted or free services to federal beneficiaries (Medicare, Medicaid, etc.) CMS considers this inducement of federal funds Violations = up to $10,000 per occurrence
Exceptions Gifting and Inducement True financial hardship (exception NOT the rule) Gift up to $10 FAIR MARKET VALUE (retail value) No more than $50 total per year per patient
Medical Necessity What is it? How do I prove and support it?
Chiropractic vs. Medical Necessity Chiropractic necessity: Proactive; Health and wellness; Care for all ages; No pain doesn't mean the problem is fixed; Patient focused. Medical necessity: Reactive; Neck and back pain; Depends on condition; No pain means the problem is fixed; Bottom line focused
Follow the Leader Medicare often sets the standard Other insurance carriers follow
Medical Necessity
Medical Necessity Vertebral pinching of spinal nerves may cause headaches, arm, shoulder, and hand problems as well as leg and foot pains and numbness. Rib and rib/chest pains are also recognized symptoms, but in general other symptoms must relate to the spine as such.
Medical Necessity The subluxation must be CAUSAL, i.e., the symptoms must be related to the level of subluxation that has been cited. A statement on a claim that there is pain is insufficient. The location of pain must be described and whether the particular vertebra listed is capable of producing pain in the area determined.
Acute Subluxation A patient's condition is considered acute when the patient is being treated for a new injury, identified by x-ray or physical exam as specified above. The result of chiropractic manipulation is expected to be an improvement in, or arrest of progression of, the patient's condition.
Chronic Subluxation A patient's condition is considered chronic when it is not expected to significantly improve or be resolved with further treatment (as is the case with an acute condition), but where the continued therapy can be expected to result in some functional improvement. Once a clinical status has remained stable for a given condition, without expectation of additional objective clinical improvements, further manipulative treatment is considered maintenance therapy and is not covered.
Maintenance Care
Maintenance Care A treatment plan that seeks to prevent disease, promote health, and prolong and enhance the quality of life; or therapy that is performed to maintain or prevent deterioration of a chronic condition.
Determination of Medical Necessity 1. Clinical Documentation 2. CMS 1500 (ANSI 5010)
CMS 1500 Form Version 02/12 Uniform, standardized, universal billing form used by all healthcare practitioners to bill payers for professional services
Box 14
Medicare Box 14 Date For chiropractic services, enter a 6-digit (MM/DD/YY) or 8-digit (MM/DD/YYYY) date of the initiation of the course of treatment. Date of patient's FIRST visit for that specific treatment plan Document actual DOI in patient history NOTE: Box 14 is ACTUAL DOI for everyone else Do NOT use Qualifier 431 for Medicare
When Does Box 14 Change? Significant new injury, condition, complaint that requires a NEW treatment plan Significant exacerbation that causes a CHANGE in treatment plan Recurrence of previous injury/condition
Box 21 - Diagnosis Identify which version of ICD codes reported: 9 = ICD-9, 0 = ICD-10 Up to 12 diagnoses (A-L) Removed periods
Box 21 - Diagnosis
Box 24E Diagnosis Pointer Line letter (A-L) from Box 21 that relates to reason service(s) was performed STILL only 4 diagnosis pointers Be SPECIFIC!
Medicare Diagnosis What s different?
Primary Diagnosis Subluxation is REQUIRED as PRIMARY Dx
Secondary Diagnosis Supports the primary subluxation diagnosis List of approved secondary Dx found in LCD 3 Categories Short-term treatment Moderate-term treatment Long-term treatment
Medicare Diagnosis Hierarchy 1. Subluxation 2. Supporting secondary Dx 3. Subluxation (if one exists) 4. Supporting secondary Dx 5. Subluxation (if one exists) 6. Supporting secondary Dx
Medicare Documentation Initial Visit vs. Subsequent Visits PART Examination Daily SOAAP Note
Medical Necessity Determined By Chief complaint and other conditions Patient history (subjective findings) Patient examination (objective findings) Functional deficiencies (OATS) Patient progress (30% improvement) Frequency and duration of care DOCUMENTATION!!!
What are OATS? Outcome Assessment Tools Revised Oswestry LBP Disability Questionnaire, Neck Pain Index, Headache Disability Index, Upper and Lower Extremity Disability Index, Shoulder Pain and Disability Index, etc.
Purpose of OATS? Document functional deficiencies Create SPECIFIC treatment goals/care plan Track patient progress and improvement Prove and support medical necessity
Revised Oswestry
Specific Goal Example Initial visit Section 7 Sleeping = 4. Because of my pain my normal night's sleep is reduced by less than three-quarters. Short term goal for 2 weeks Section 7 Sleeping = 3. Because of my pain my normal night's sleep is reduced by less than one-half. Patient is able to sleep without pain for more than half of their normal night's sleep.
When to Use OATS? Initial new patient exam 2 weeks after initial new patient exam 1st progress exam (30 days after initial exam) Subsequent progress exams (every 30 days) New injury/complaint, recurrences, exacerbations, reactivation, etc.
What to Do with OATS Scores? Create/update treatment goals and care plan Compare to previous OATS 30% improvement between OATS Prove and support medical necessity < 30% improvement between two consecutive OATS = maintenance/supportive care
Medicare PART Examination REQUIRED for documenting subluxation and medical necessity for treatment and payment Documented on EVERY visit, in EVERY area of the spine being adjusted/billed that visit
Medicare PART Examination Pain/tenderness evaluated in terms of location, quality, and intensity Asymmetry/misalignment identified on a sectional or segmental level Range of motion abnormality in terms of changes in active, passive, and accessory joint movements resulting in an increase or a decrease of sectional or segmental mobility Tissue/tone changes in the characteristics of contiguous, or associated soft tissues, including skin, fascia, muscle and ligament
PART Exam Requirements TWO of the four criteria are REQUIRED ONE of which MUST be Asymmetry/misalignment OR Range of motion abnormality
End Note Did the patient tolerate the treatment well? Patient tolerated the treatment well, and without incident. If NOT document what happened, what you did about it, and what was the outcome
98940 vs. 98941 vs. 98942 Subjective + objective = medical necessity Bill ONLY what is medically necessary Medical necessity is DIFFERENT than Chiropractic necessity NEVER 98942 (asking to be audited)*
Documentation MUST Include SUBJECTIVE patient complaint(s) in ALL regions being adjusted (DIRECT relationship to level of subluxation) OBJECTIVE findings to support medical necessity of adjustment in ALL regions Diagnosis for EACH condition being treated Documentation that adjustment was performed in ALL regions
Documentation Warning Signs Illegible records Records in pencil Erasure marks or white-out Writer's own code for records Missing dates and/or signatures Incomplete information such as referrals, exercises, home care, special instructions, etc.
Documentation Warning Signs Notes written MORE than 24 hours after care was provided Failure to document patient noncompliance or displeasure No documentation of phone conversation Documenting only abnormal or positive findings Tests recommended WITHOUT follow up comments Travel Cards Blank spaces
Documentation Warning Signs Exaggerated language Egotistical remarks No change in notes ("cookie cutter") Missing patient name on pages Different color pens on same day's notes Notes AFTER receiving subpoena for records
10 Rules for Documentation 1. Use black or blue pens, NO red or other colors or pencil 2. NEVER use correction fluid or erase 3. Correct errors by putting a SINGLE line through it, write your correction, initial and date the change NEVER add or clarify notes after receiving a subpoena for records You have 24 HOURS after care was provided to document Use an addendum: a document that you write, date and then reference a previous day's treatment notes and make the change
10 Rules for Documentation 4. Be concise in measurements and data 5. Be original, in the patient's own words 6. Be case SPECIFIC EVERY patient, EVERY visit NO cookie cutter notes
10 Rules for Documentation 7. Use only standard abbreviations OR include a key 8. Write LEGIBLY 9. Patient's name on ALL pages 10. Doctor's signature on ALL notes NO stamps or initials Legible OR must have a signature log
Signature Log LEGIBLE printed name Signature and Initials Date signed Keep original, make a copy and send with records requests
Signature Attestation Statement Must be signed and dated by the author of the medical record entry and must contain sufficient information to identify the beneficiary "I, (print full name of practitioner), hereby attest that the medical record entry for (date of service) accurately reflects signatures/notations that I made in my capacity as (insert provider credentials, e.g. DC) when I treated/diagnosed the above listed Medicare beneficiary. I do hereby attest that this information is true, accurate and complete to the best of my knowledge and I understand that any falsification, omission, or concealment of material fact may subject me to administrative, civil, or criminal liability."
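A pre-submission self-audit that applies the deck's documentation rules to a visit note (PART two-of-four with A or R in every region billed, subjective complaint and documented adjustment per region, subluxation as primary diagnosis, and the under-30% OATS rule for maintenance care, which drops the AT modifier and needs an ABN). This is an added example, not code from the presentation or from CCS; the region counts behind 98940/98941/98942 (1-2, 3-4, 5 regions) are the CPT definitions, the Oswestry-style "lower score is better" scoring is an assumption, and the visit records in the test are constructed.

```python
"""Self-audit of a Medicare chiropractic visit note against the deck's rules.

Added example; not the presentation's or CCS's own code.
"""
from dataclasses import dataclass

# CPT definition: 98940 = 1-2 spinal regions, 98941 = 3-4, 98942 = 5.
CMT_BY_REGIONS = {1: "98940", 2: "98940", 3: "98941", 4: "98941", 5: "98942"}
MIN_IMPROVEMENT = 0.30  # deck: <30% improvement between two OATS = maintenance


@dataclass
class Region:
    name: str
    part: set               # documented PART findings, subset of {"P","A","R","T"}
    subjective: str = ""    # patient complaint tied to this level
    adjusted: bool = False  # note states the adjustment was performed here


@dataclass
class Visit:
    regions: list
    diagnoses: list           # ordered Dx list; entries "subluxation" or "secondary"
    oats_prior: float = None  # previous OATS score (assumed: lower = less disability)
    oats_now: float = None
    abn_on_file: bool = False


def part_documented(region):
    """Two of the four PART criteria, one of which is Asymmetry or Range of motion."""
    found = region.part & {"P", "A", "R", "T"}
    return len(found) >= 2 and bool(found & {"A", "R"})


def oats_improvement(prior, now):
    """Fractional improvement between consecutive OATS; None when no prior score."""
    if prior in (None, 0) or now is None:
        return None
    return (prior - now) / prior


def audit_visit(v):
    """Return CPT code, modifiers, care status and a list of audit findings."""
    findings = []
    for r in v.regions:
        if not r.subjective:
            findings.append(f"{r.name}: no subjective complaint documented")
        if not part_documented(r):
            findings.append(f"{r.name}: PART exam does not meet 2-of-4 with A or R")
        if not r.adjusted:
            findings.append(f"{r.name}: adjustment not documented")
    if not v.diagnoses or v.diagnoses[0] != "subluxation":
        findings.append("primary diagnosis is not a subluxation")
    n = len(v.regions)
    cpt = CMT_BY_REGIONS.get(n)
    if cpt is None:
        findings.append(f"{n} regions: no CMT code applies")
    elif cpt == "98942":
        findings.append("98942 billed: deck flags this as an audit trigger")
    impr = oats_improvement(v.oats_prior, v.oats_now)
    # First OATS (no prior) is the baseline of a new plan, treated as active.
    status = "active" if impr is None or impr >= MIN_IMPROVEMENT else "maintenance"
    if status == "active":
        modifiers = ["AT"]
    elif v.abn_on_file:
        modifiers = ["GA"]  # signed ABN on file; removing AT signals maintenance
    else:
        modifiers = []
        findings.append("maintenance care without a signed ABN on file")
    return {"cpt": cpt, "modifiers": modifiers, "status": status,
            "improvement": impr, "findings": findings}
```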
OIG Compliance
Office of Inspector General Mission To protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. Carried out through audits, investigations, and inspections
OIG Compliance Program Office of Inspector General Polices CMS/Medicare Was voluntary but NOW REQUIRED for ALL healthcare providers as part of Patient Protection and Affordable Care Act (PPACA/ACA/Obamacare) Currently NO effective date for implementation Coming sooner than later and is a mitigating factor
Purpose Prevent submission of erroneous claims (inappropriate payments) Prevent engaging in unlawful conduct involving Federal health care programs Create INTERNAL controls and monitoring
Benefits Speed and optimize proper payment of claims Minimize billing mistakes Reduce chances of an audit by CMS or OIG Avoid conflicts with self-referral (Stark law) and anti-kickback statutes
Benefits Shows good faith efforts Practicing preventative medicine for practice; prevent future problems Create culture of compliance in practice Protect you, practice, employees, patients
7 Elements of OIG Compliance 1. Conduct internal monitoring and auditing 2. Implement compliance and practice standards 3. Designate a compliance officer or contact 4. Conduct appropriate training and education 5. Respond appropriately to detected offenses and develop corrective action 6. Develop open lines of communication with employees 7. Enforce disciplinary standards through well-publicized guidelines
1. Auditing and Monitoring ONGOING evaluation process Current and accurate practices, standards, policies and procedures Regular and ongoing INTERNAL audits Billing, coding, documentation, medical necessity, etc. Training, document and update as needed
2. Standards and Procedures Method to deal with risk areas WRITTEN policies and procedures manual Update forms and manual as needed Documented training for ALL in practice
Potential Risk Areas Coding and billing Reasonable and necessary services Documentation Improper inducements, kickbacks, and self-referrals
3. Designate Compliance Officer One (or more) person responsible for spearheading compliance in the practice Compliance is a TEAM responsibility
CO Responsibilities Oversee and monitor implementation of compliance program Establish periodic audits Periodically revise compliance program Develop training for practice (regular and documented) Check HHS-OIG Exclusions List (http://exclusions.oig.hhs.gov) Investigate any reports/allegations and monitor corrective actions
4. Training and Education Who needs training? EVERYONE! What type of training? When, how often, how much? Explains the WHY behind the what General compliance, billing and coding training
5. Responding and Corrective Action Referral or disclosure to appropriate authority Repayment of overpayment Disciplinary actions Review and modify compliance program
6. Open Lines of Communication Open door policy Required reporting by employees Disciplinary actions for nonreporting No retribution for good faith efforts
7. Disciplinary Standards Procedures for enforcing standards and discipline Consistent and appropriate sanctions Training and well publicized in manual Documented non-compliant conduct and follow-up
2006 OIG Review Medicare paid estimated $178 million of $466 million reviewed (almost 40%!) for medically unnecessary, incorrectly coded, or undocumented Chiropractic services
2010-2011 OIG Review Medicare paid approximately $1.4 BILLION for Chiropractic services Selected multiple top providers, including a Chiropractor (among top 5 Chiropractors) Determine if services billed were allowable
Diep Chiropractic Wellness Received Medicare payments of $879,658 for 23,714 Chiropractic services 2010-2011
Diep Chiropractic Wellness Estimated 80% of total services paid by Medicare was UNALLOWABLE for reimbursement These overpayments occurred because Diep Chiropractic did not have adequate policies and procedures to ensure that chiropractic services billed to Medicare were medically necessary, correctly coded, and adequately documented.
Diep Chiropractic Wellness
Diep Chiropractic Wellness ALL services billed with AT modifier Majority of services billed as 98942
Diep Chiropractic Wellness
Diep Chiropractic Wellness Of 100 sampled services, 7 were allowable 70 medically unnecessary, 11 incorrectly coded, 9 undocumented, 3 insufficiently documented Subluxation of spine not present and/or not treated (56 services) Maintenance therapy and/or not appropriate for treatment of patient's condition (67 services) Chiropractic treatment would not be expected to result in improvement within reasonable time (69 services)
OIG Recommendations Refund $708,022 to the Federal Government; and Establish adequate policies and procedures to ensure that Chiropractic services billed to Medicare are medically necessary, correctly coded, and adequately documented
OIG Work Plan 2014 Summarizes new and ongoing reviews and activities that OIG plans to pursue with respect to HHS programs and operations during the current fiscal year (FY) and beyond. Includes protecting CMS and its beneficiaries by detecting and preventing fraud, waste, and abuse, as well as holding those accountable that don't meet program requirements or violate Federal law
OIG Work Plan 2014 1. Chiropractic services Portfolio report on Medicare Part B payments (NEW) 2. Chiropractic services Part B payments for noncovered services (old) 3. Chiropractic services Questionable billing and maintenance therapy (NEW)
Portfolio Report (NEW) We will compile the results of prior OIG audits, evaluations, and investigations of chiropractic services paid by Medicare to identify trends in payment, compliance, and fraud vulnerabilities and offer recommendations to improve detected vulnerabilities.
Noncovered Services (old) We will review Medicare Part B payments for chiropractic services to determine whether such payments were claimed in accordance with Medicare requirements.
Questionable Billing (NEW) We will determine the extent of questionable billing for chiropractic services. We will also identify trends suggestive of maintenance therapy billing.
Understanding the ABN What is it? When to use it? How to use it?
Mandatory ABN Advance Beneficiary Notice of Noncoverage Form CMS-R-131 (03/11) Use ONLY OFFICIAL form Print on SINGLE page Used ONLY for Chiropractic Maintenance/Wellness Care
Voluntary ABN Used for Chiropractic Non-Covered Services Do NOT have the patient choose an option or sign CCS RECOMMENDS Make your own voluntary ABN for non-covered services in your office Have patient sign and date
Filling Out the ABN A. Name, address, phone number B. Patient name as appears on Medicare card C. Optional, do NOT use Medicare number or SSN D. List non-covered service E. Reason Medicare may not pay F. Estimated cost H. Frequency of care I. Signature J. Date
When to Fill Out the ABN? After the patient has reached maximum degree of improvement subjectively, objectively, AND most importantly functionally, they need to be RELEASED from care OR converted from an Active Treatment status to MAINTENANCE or Supportive Care status When Medicare is expected to DENY the claim EACH time the patient transitions from Active Treatment to Maintenance or Supportive Care ONCE per year IF the patient REMAINS on Maintenance or Supportive Care without going back on Active Treatment EACH visit IF the patient is on a PRN care plan that does not meet Active Treatment criteria
ABN Rules VERBALLY review with the beneficiary PRIOR to receiving services Delivered far enough in advance that beneficiary or representative has time to consider the options and make an informed choice You can NOT decide for the beneficiary which of the 3 options A copy must be GIVEN to the beneficiary and the ORIGINAL placed in the patient's file (electronic copy can be scanned into EHR and original copy destroyed as long as backed up)
AT Modifier (Active Treatment) Used with the CMT code (98940, 98941) in ALL acute and chronic (NON-maintenance) spinal cases If the AT modifier is NOT listed with the CMT code it will be considered MAINTENANCE ONLY used for active or corrective treatment NOT used with maintenance or supportive care
GA Modifier ("Got ABN") Used to indicate that a current signed and dated waiver of liability statement (ABN Form) is on file for the patient Used when provider believes a normally covered service (i.e. CMT 98940, 98941) is likely to be DENIED by Medicare as NOT reasonable or medically necessary Does NOT indicate maintenance care to Medicare; REMOVAL of AT modifier does
GY Modifier Used when service is statutorily excluded or does NOT meet definition of any Medicare benefit Automatically signals Medicare to DENY any service that is linked to it May be submitted so the charge can be denied and sent to secondary insurer
S8990 Physical or manipulative therapy performed for MAINTENANCE rather than restoration NEVER used for Medicare Continue to use 9894X for Medicare maintenance care Used for third party payers (with an ANN)
ANN Advanced Notice of Noncoverage Like an ABN but for third party payers Allows you to charge your normal rates and not have to submit claims Check your provider agreement
Monday Morning Action Steps Do you use the ABN? Are you using it correctly? www.compliantchiro.com/trial-signup Do you use OATS? Are you using them correctly? Review and compare your documentation Do you use the PART exam? Does your documentation prove/support medical necessity? Conduct a Box 14 audit
The Time is NOW!!! There has NEVER been a time when you've been MORE NEEDED!!! There has NEVER been a more important time where you need to be PREPARED!!!
"The successful person has the habit of doing things failures don't like to do. They don't like doing them either necessarily. But their disliking is subordinated to the strength of their purpose." Albert Gray
Problems or Purpose?
Contact, Like, Follow www.compliantchiro.com info@compliantchiro.com 952-405-6700 www.facebook.com/compliantchiro @CompliantChiro on Twitter