A Medley of Compliance Questions
By Mary R. Daulong, PT, CHC, CHP
Q: Does Medicare require all outpatient therapists, billing Part B, to be enrolled in Medicare and to have a Medicare Provider Transaction Access Number (PTAN)?
A: Yes, I believe that Medicare mandates that a physical therapist be enrolled in the Federal Program when billing Part B Medicare. The rationale for my “yes” is based on the following regulations:
Therapist refers only to a qualified physical therapist, occupational therapist, or speech-language pathologist. TPP refers to therapists in private practice (qualified physical therapists, occupational therapists, and speech-language pathologists).
To qualify to bill Medicare directly as a therapist, each individual must be enrolled as a private practitioner and employed in one of the following practice types: an unincorporated solo practice, unincorporated partnership, unincorporated group practice, physician/NPP group or groups that are not professional corporations if allowed by state and local law. Physician/NPP group practices may employ TPP if state and local law permits this employee relationship.1
For purposes of this provision, a physician/NPP group, practice is defined as one or more physicians/NPPs enrolled with Medicare who may bill as one entity. For further details on issues concerning enrollment, see the provider enrollment Website at www.cms.hhs.gov/MedicareProviderSupEnroll and Pub. 100-08, Medicare Program Integrity Manual, chapter15, section 126.96.36.199.
This CMS Program Integrity Manual specifies the resources and procedures Medicare fee-for-service contractors must use to establish and maintain provider and supplier enrollment in the Medicare program. These procedures apply to carriers, fiscal intermediaries, Medicare administrative contractors, and the National Supplier Clearinghouse (NSC), unless contract specifications state otherwise.
No provider or supplier shall receive payment for services furnished to a Medicare beneficiary unless the provider or supplier is enrolled in the Medicare program. Further, it is essential that each provider and supplier enroll with the appropriate Medicare fee-for-service contractor.2
Q: Is it true that Medicare is using a Fraud Prevention System (FPS) to identify aberrant billing by providers and suppliers? If so, how do I know what they consider aberrant?
A: Yes, Medicare introduced this system about three years ago, and it has been very successful. The system allows Medicare to identify atypical or aberrant billing behavior. This predictive analytic technology is used to identify the highest risk claims for fraud, waste, and abuse in real time; and it stopped, prevented, or identified $115 million in payments, resulting in an estimated $3 for every $1 spent in its very first year.
A few examples of aberrant billing that would could be identified by the FPS for therapists are:
- Redundant coding (e.g., using the same code sets for each date of service and/or for all patients regardless of their diagnosis)
- Excessive use of the therapy cap exceptions (exceeding the peer average with no evidence of co-morbidities or complexities to justify the coding behavior)
- Billing up to the therapy cap and never attesting to a therapy cap exception need
- Abnormally high units of service under one National Provider Idenitifier (NPI)
- Abnormally high billing with Advanced Beneficiary Notices (ABNs) noting “not medically necessary or statutorily non-covered services”
- Disregard of Local Coverage Determination requirements and/or restrictions
Q: I know one of the seven recommended elements of a Compliance Program is monitoring and auditing. What should I be monitoring and auditing?
A: You are very prudent to be concerned about the “monitoring and auditing” element of a Compliance Program as this is how you prove its effectiveness. Compliance Programs are dynamic and require regular monitoring to determine if a policy, procedure, or process is current and reflects present day regulations. Many practitioners use a question process which, while revealing, can be less than comprehensive. Questions such as:
- Is there a risk of internal fraud or theft?
- Is there a risk of a protected health information (PHI) breach?
- Is there a risk of hiring a person who is excluded from providing services to federal beneficiaries?
- Is there a risk of exposing an employee to Bloodborne Pathogens?
- Is there a risk of filling inaccurate or fraudulent claims?
- Is there a risk of non-compliance with federal and/or state supervisory requirements?
- Is there a risk of a patient abandonment claim?
- Is there a risk of patient and/or staff harm due to a fire in the facility?
A risk assessment is a more thorough method to monitor effectiveness. The risk assessment is often divided into regulatory categories so it can be managed in separate time frames. These categories, typically, have many subsections which identify specific requirements or risk areas associated with the regulations; the detail of this method assists in the monitoring or auditing process. An example of some regulatory categories would be:
- Fraud & Abuse
- Office of the Inspector General List of Excluded Individuals & Entities
- Payor Regulations
- Human Resources/Labor Law
Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health Act (HITECH)
- Occupational Safety and Health Administration
- Americans with Disabilities Act
- State Practice Act
- Town, City & Municipality Ordinances
In addition, I recommend using a compliance calendar to provide guidance regarding the timing of required activities mandated by payers, agencies, and other regulators. The use of a compliance tracking system is, also very helpful in verifying the status of functions completed, as well as corrective action plans.
Q: What is the difference between a HIPAA security incident and a HIPAA security breach?
A: HIPAA security standards define a “security incident” as an attempted or successful access, use, disclosure, modification, or destruction of information on a system without appropriate authorization. The incident need not involve “protected health information” to qualify as a security incident, as many security incidents occur because they compromise the security of the system and are attempts to bypass security controls.
Some examples of security incidents that would be germane and/or of potential risk are:
- Shared passwords
- Unlocked screens and/or extended log-off times
- Worm, virus, and/or malware infections
- Access and/or attempts to access applications or the Internet without authorization
- Social browsing (employees/students without E-PHI access rights)
- Unauthorized software downloads (e.g., screen savers)
- Saving data to the local drive verses the server
- Unprotected laptops used in or in transit to remote sites
On the other hand, a “security breach” is any impermissible use or disclosure of PHI that is presumed to be a breach, with a subsequent requirement to provide a breach notification, unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised. Importantly, the covered entity or business associate, as applicable, has the burden of demonstrating that all notifications were provided or that an impermissible use or disclosure did not constitute a breach, and they must maintain documentation sufficient to meet that burden of proof.
In determining whether notice of a breach is required, a covered entity or business associate must consider at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
Q: What audits that should be performed to comply with HIPAA/HITECH/Affordable Care Act Security Regulations?
A: Some of the typical security audits that you should conduct to be proactive are:
- Network or Local Drive Audits (e.g., patches and ports)
- Baseline Security Analyzer Audits (e.g., Security Update Status)
- Back Up Logs or Reports (verify reproducibility)
- Electronic Medical Records Access Audits
- Practice Management Program Access Audits
- Web Access Audits
- Company and Personal Device Password Compliance
- Remote User Security Measures (e.g., firewalls, antivirus software).
Mary R. Daulong, PT , CHC, CHP, is a PPS member and the owner of Business & Clinical Management Services, Inc., a consulting firm specializing in outpatient therapy compliance, including documentation, coding and billing, enrollment and credentialing, and Health Insurance Portability and Accountability Act and Occupational Safety and Health Administration regulation education. She is also the author of both The Private Practice Compliance Manual and The Third-Party Biller Compliance Manual. She can be reached at firstname.lastname@example.org.
1. CMS Benefits Policy Manual, Chapter 15 Section 230.4, Services Furnished by a Therapist in Private Practice (TPP),(Rev. 179, Issued: 01-14-14, Effective: 01-07-14, Implementation: 01-07-14).
2. CMS Program Integrity Manual, Chapter 15 Section 15.1, Introduction to Provider Enrollment, (Rev. 347, Issued: 07-15-10, Effective: 07-30-10, Implementation: 07-30-10).