Health care is said to be the second most regulated industry after nuclear power. All providers, regardless of size, specialty or revenue, are subject to essentially the same regulatory environment and same sanctions for non-compliance. Common, and potentially expensive, regulatory pitfalls involve reimbursements, HIPAA and contracting.
 
Medicare/Medicaid and other third-party payors are more actively scrutinizing reimbursements and recouping asserted overpayments, and administrative contractors and whistleblowers abound. 
 
Overpayments are often associated with insufficient documentation or erroneous coding. Providers should therefore familiarize themselves with payors’ documentation requirements. For example, practitioners should know the level of review and decision-making required for each evaluation and management (E&M) code, which codes require time notations, or whether there are limits on the number of times a service can be provided. Free online information is available on the websites of insurers, CMS and Medicare contractors, and through CMS listservs.
 
If notified by a third-party payor of billing problems, practitioners should not assume that the problem is limited to that payor – check Medicare’s and other payors’ requirements for those services and correct the problem, if necessary. Treat payors’ records requests and audits carefully. Practitioners should think about what they need to communicate to the reviewer and what records, even those not specifically requested, will be helpful. Sometimes notes for other dates of service or of other caregivers will help substantiate the services provided.
 
HIPAA compliance is a must for every practice, especially in light of significant changes in the law, enforcement efforts and sanctions. Today, HIPAA is a strict liability statute, which means providers can be fined regardless of whether they knew of or could have prevented the violation. The Department of Health and Human Services implemented an audit program that will be expanded, and it can assess fines of up to $1.5 million.
 
Every health care provider that submits claims electronically must have policies and procedures in place. They do not have to be voluminous or complex, but they must conform to HIPAA’s requirements and Florida’s more stringent confidentiality laws. 
 
The practice’s workforce must be educated so staff understand and follow the practice’s privacy policies and procedures. Training need not be lengthy or elaborate, but it must happen, and it should be repeated on a regular basis. Practitioners should also be circumspect about the use of electronic media and should ensure that PHI that is maintained or transmitted electronically is encrypted. The loss of a flash drive, laptop or iPad containing unencrypted PHI could result in having to undertake a comprehensive risk analysis and breach notification.
 
Contracts can manage parties’ expectations, avoid or reduce the likelihood of conflicts, and protect the practice’s interests. They must, however, be carefully drafted and reviewed to achieve those goals. Regulatory compliance also applies to contracts, such as HIPAA-mandated business associate agreements.
 
The Stark law, Anti-Kickback statute and Florida laws prohibiting self-referrals and patient brokering must also be considered in contracting, and contracts that implicate any of these laws should fall within a recognized exception or safe-harbor. If they do not, the contract may be unenforceable or, worse, expose the parties to fines, licensure sanctions and even criminal prosecution. 
 
Although operating in the same regulatory environment as large providers, small practices often allocate far fewer resources to regulatory compliance. Given the onerous sanctions for non-compliance, the cost of precautions to ensure regulatory compliance is relatively small – and a sound investment.