Monthly Archives: November 2017

Quick Facts about the HITECH and Omnibus Rule

Have you heard the terms HITECH and Omnibus Rule tossed around, but you aren’t entirely sure what they are? You aren’t alone. Here are fast facts about the HITECH and Omnibus Rule.

What are they?

HITECH: This is a provision of the American Recovery and Reinvestment Act of 2009, which provided incentives to physicians and healthcare providers to move to electronic health records.

Omnibus Rule: This was created by the U.S. Department of Health and Human Services as a response to the HITECH rule. It comprises four rules concerning updated privacy protections and new patient rights to their health information, and it gave the government authority to enforce the HIPAA regulations.

How it Works with HIPAA:

HITECH: Even though HITECH and HIPAA aren’t directly related, HITECH states it can’t compromise HIPAA privacy laws. It also requires that providers perform a risk assessment. HITECH established the data breach notification rules, along with the rule making sure business associates are just as accountable for data breaches as providers are.

Omnibus Rule: Made up of four rules regarding HIPAA:

  1. Final updates were made to the HIPAA Privacy, Security and Enforcement Rules.
  2. Changes to the enforcement rule to incorporate a penalty structure created by the HITECH Act.
  3. There were changes made regarding Breach Notifications, also under HITECH.
  4. Modifications were made to the HIPAA Privacy Rule to prohibit health plans from using genetic information for insurance underwriting.

Bottom Line:

HITECH: HITECH established compliance requirements for business associates while also providing clarity to the public about how security and breaches were to be handled by businesses and other entities.

Omnibus Rule: The Omnibus Rule was created to better support HIPAA regulation as technology changes and evolves, especially as the HITECH Act encouraged providers to move to EHR. This rule also requires entities and business associates to abide by HIPAA rules and to be accountable to those rules.

If you have questions concerning HITECH or the Omnibus Rule and how they relate to your business, contact us today.

Codes Changed to E1399 for Cures Act Adjustments

CGS and Noridian DME MAC jurisdictions are processing thousands of claims on a daily basis in accordance with MLN Matters Article MM9968. The jurisdictions reported that they are on track to have all adjustments processed by November 15.

Suppliers with oxygen claims covered under these mass adjustments may see miscellaneous code “E1399CC” on some Medicare Remittance Advice statements. Due to system limitations, the code E1399 is being used when previous oxygen CMNs have been deleted and are no longer on file due to a new CMN superseding the previous CMN. HCPCS code E1399 was used since it will not impact current or future oxygen claims. The “CC” modifier also signifies that the HCPCS was changed during processing.

Further, both CGS and Noridian DME MAC jurisdictions have published that, in order to process the wheelchair accessories claims adjusted by the Cures Act, the DME MAC jurisdictions may in some cases need to change the submitted HCPCS code to E1399 with a “CC” modifier. This step is needed to pay the correct amount. There are various billing and modifier rules that cannot be accommodated with the limitation of four modifiers for pricing and system edits on the submitted wheelchair accessory HCPCS. The best solution is to change the HCPCS to E1399 with a “CC” modifier.

RAC Issues: Approved and Proposed

On November 13, 2017, CMS began posting a list of review topics that have been proposed, but not yet approved, for RACs to review. These topics will be listed, on a monthly basis, on the Provider Resources page. So far there is only one topic proposed for RAC review affecting DMEPOS suppliers, listed below.

Respiratory Assistive Devices: Meeting Requirements to be considered Reasonable and Necessary

Description: Review for reasonable and necessary requirements, including but not limited to the following:

  • treating practitioner had a face-to-face examination with the beneficiary in the six (6) months prior to the date of the written order for the specified items of DME
  • a completed, signed and dated 5-Element Order for Respiratory Assist Device dated on or before the delivery date of the item
  • the 5-Element Order contains ALL of the following:
    • Beneficiary’s name
    • Item of DME ordered – this may be general – e.g., “hospital bed” – or may be more specific
    • Signature of the prescribing practitioner
    • Prescribing practitioner’s National Practitioner Identifier (NPI)
    • The date of the order
  • proof of delivery, such as a delivery slip, which is signed and dated (on or before the date of service and on or after the initial order date) by the beneficiary or his/her designee

The proof of delivery documentation contains the following elements:

  1. Beneficiary’s name;
  2. Delivery address;
  3. Sufficiently detailed description to identify the item(s) being delivered (i.e. brand name, model number, narrative description);
  4. Delivery service’s package identification number, supplier invoice, or alternative method that links the supplier’s delivery documents with the delivery service’s records;
  5. Quantity delivered; and
  6. Date delivered

State(s)/MAC regions where reviews will occur: All states

Review type: Complex review

Provider type: DME Supplier

Affected code(s):

  • E0470 – Respiratory Assist Device, bi-level pressure capability, without backup rate feature, used with noninvasive interface, e.g., nasal or facial mask (intermittent assist device with continuous positive airway pressure device)
  • E0471 – Respiratory Assist Device, bi-level pressure capability, with back-up rate feature, used with noninvasive interface, e.g., nasal or facial mask (intermittent assist device with continuous positive airway pressure device)

Applicable policy references:

  • 42 C.F.R. sections 405.980 (b) & (c) and section 405.986
  • CMS, IOM Publication 100-02, Medicare Benefit Policy Manual, Chapter 15, Sections 110
  • CMS, IOM Publication 100-08, Medicare Program Integrity Manual, Chapter 4, Section 4.26
  • CMS, IOM Publication 100-08, Medicare Program Integrity Manual, Chapter 5, Section 5.2.4 – 5.2.8, 5.7, 5.8, and 5.9
  • Related LCDs and Policy Articles

Currently CMS has approved the following issues for the RAC to review:

Automated (issue – date posted):

  • CPAP without OSA Diagnosis – 9/8/2017
  • Nebulizers – 2/2/2017
  • Hospital beds with mattresses billed with Group I or Group II support surfaces – 4/12/2017
  • Group 3 PWC Underpayments – 5/17/2017
  • DME while beneficiary is in an inpatient stay – 2/16/2017
  • Spring Powered Devices Billed for >1 in a 6 Month Period – 1/5/2017
  • CPM Billed without Total Knee Replacement – 2/2/2017
  • Glucose Monitor – 1/5/2017
  • Multiple DME Rentals in one month – 3/31/2017

Complex (issue – date posted):

  • PAP Devices for the treatment of OSA – 9/19/2017
  • Spinal Orthoses – 8/2/2017
  • Chest Wall Oscillation Devices – 2/8/17
  • Tracheotomy suction catheters, suction pumps, catheters and other supplies – 2/8/2017
  • AFO/KAFO – 7/7/2017
  • Negative Pressure Wound Therapy Pumps – 4/28/2017
  • PMDs not subject to PA Demonstration – 6/6/2017
  • Nebulizers – 4/14/2017
  • Osteogenesis stimulators – 2/14/2017
  • Group 2 Support Surfaces – 2/15/2017
  • Blood Glucose Monitors with Integrated Voice Synthesizer – 5/12/2017
  • Enteral Nutrition Therapy – 5/11/2017

Approved issues can be found on Performant Recovery’s website, here.

If you receive a RAC audit, The van Halem Group can help! Contact us to find out more information!

Four Common HIPAA Violations and How to Avoid Them

With $23 million in fines issued, 2016 was an unprecedented year for HIPAA violations. It also doesn’t look like the Office for Civil Rights is slowing down on issuing these fines in 2017. Learn about four common HIPAA violations many people overlook and how you can avoid them.


Mishandling Medical Records

If you’re still keeping patient records on paper, you run the risk of having them exposed. Don’t leave medical records in exam rooms or at the billing desk. They should be filed and locked away to prevent records from falling into the wrong hands.

Some practices or medical groups have disposed of medical records improperly. Proper steps should be taken to prevent this violation. Consider working with a secure document shredding company. To learn about proper disposal methods for protected health information, visit The U.S. Department of Health and Human Services website here.


Social Media

Social media has become a way of life for most of us. When it comes to HIPAA, there are some precautions that must be taken. Never post a photo of a patient without written consent. Without the proper consent, you’re compromising the patient’s protection. Ensure all employees are aware of the HIPAA policies in place to prevent them from sharing any PHI. This is one of the best ways to prevent a legal pitfall.


Employees Disclosing Information

Watercooler talk about patients should always be avoided. Employees should be mindful of where they’re discussing topics about patients and who they’re discussing it with. Keep work conversations with friends and family to a minimum and avoid sharing PHI with them.

Common in smaller towns, sharing information when someone asks a medical professional about a friend is considered a breach as well. If you are in this situation, it’s important to have a canned response explaining that you can’t disclose any information about a patient.


Accessing Patient Information on Home Computers

Sometimes you have to take your work home with you. Whether you’re updating patient notes or records, your computer should never be left alone or without password protection. Having PHI exposed to family members or shared on the wrong online channels can lead to significant fines.

If you must leave your computer or device unattended, store it somewhere it cannot be seen to prevent theft. Practices have faced heavy fines from having devices with PHI stolen or accessed by the wrong people.

What is a HIPAA Risk Assessment?

In 2003, the original HIPAA Privacy Rule was issued, and the requirement to have a HIPAA Risk Assessment was put in place. However, many entities did not comply. Since the Office for Civil Rights is issuing fines and cracking down more than ever before, it’s a great time to learn what a HIPAA Risk Assessment is and how you can create one for your company.

What’s the purpose of a Risk Assessment?

The U.S. Department of Health & Human Services intends a risk assessment to identify potential risks and vulnerabilities to the availability and integrity of the Protected Health Information that an organization creates, maintains, receives and transmits.

By identifying these potential risks, you can work to mitigate the potential for breaches of PHI and prevent fines for your organization. Developing this assessment helps determine just how secure your organization is and where improvements need to be made.

What Happens if I Don’t Have a Risk Assessment?

Like other HIPAA violations, you will be fined for not identifying these potential risks. A breach no longer has to occur for you to be fined; fines are also being issued for the potential of a breach happening. The Office for Civil Rights is auditing all organizations that deal with PHI, and if you’re not assessing where these risks are within your organization, you can expect a fine.

*What Needs to Be Included in My Risk Assessment?

  1. Identify where your PHI is stored, transmitted and received.
  2. Identify and document threats and vulnerabilities.
  3. Assess your current security measures.
  4. Determine the likelihood of a threat occurrence.
  5. Determine the potential impact of a threat occurring.
  6. Determine the level of risk.
  7. Identify your security measures and finalize documentation.
  8. Take action.

While risk assessments can vary from organization to organization, these steps can help you get started with your assessment.

How Often Should I Update My Risk Assessment?

While there are currently no guidelines on how often these assessments should occur, they should be conducted at a minimum of once a year. As technology evolves, so do the threats to it, so taking the time to assess the threat of the changes can pay off in the long run.

If you’re looking for assistance in creating your HIPAA Risk Assessment, HIPAAwise, The van Halem Group Solution, can help you become compliant. Contact us here to learn more or start your month-long free trial.

*For more information on how the OCR defines threats, vulnerabilities and risks, visit their website here.