By Emilie J DiChristina, MBA for PracticeFirst

It is time to get serious about Compliance! Yes, I mean you ~ don’t roll your eyes and move on!

The Department of Health and Human Services (HHS) Office of Inspector General (OIG) and other regulatory bodies have made it clear that a compliance program must be demonstrated as being fully effective.  A weak program would likely be viewed as a “sham” program and that is worse than no program at all.  Thus, the OIG has noted that effective compliance programs should incorporate independent reviews of the compliance program.

I can feel your eyes rolling again…but this is important, and small practices are not exempt!

Let’s start with the real reasons YOUR PRACTICE needs to sit up and take notice:

The ACA (Obamacare) is an expensive program. Whether you agree with it or not, you HAVE to agree that the money has to come from somewhere, and lack of compliance with Fraud & Abuse prevention and HIPAA/HITECH makes perfect sense for the government because:

a.    The various federal and local OIGs feel if you are not compliant with the laws and updates by now…you actually are asking for an audit (and they are happy to comply)!
b.    The government has had success with RAC audits (Billions $$$$) and OCR findings for HIPAA violations are also raking in the bucks!
c.    Electronic health records are fraught with the opportunity to “cut & paste”, “upcode” and violate HIPAA through staff error!
d.    They (the various OIG offices) know your practices have let “fraud & abuse” compliance slide, and may be giving lip service to the recent HIPAA changes because there is so much else on your plates and most small practices do not have Practice Administrators.

So let’s get down to what your practice needs to do – sooner rather than later – to have an “effective” program in place.

1.  First, be sure that you have a designated compliance officer, a designated privacy officer and a designated security officer.  

THE GOOD NEWS? In small practices this can be one person designated as compliance officer but with a job description which notes responsibility for privacy and security as well. This person needs to have authority to act, but will also report to the CEO or principal provider of the practice, and if the practice is a large one, will report to/lead the compliance committee.

2. Second, concentrate on training and education. The OIG considers “the proper and periodic education and training of all managers, physicians and facility personnel” to be a major component of an “effective” program.

Ideally, this will be performed in person, at least yearly, by your compliance officer, and will then be available in multiple other formats to ensure absorption by the employee (many of whom learn in different ways).

The education should be tailored to the type of employee as well. Obviously, cleaners, couriers, etc. need a different level of training than do providers, clinical staff and billing staff.

All training must minimally include your practice’s “rule of conduct”, an explanation of CMS and OCR requirements for the prevention of fraud and abuse, and the maintenance of Privacy and Security as well as the duty to report misconduct and potential breaches.

3. Policies, forms, audits and more ~ Oh My!

Without written policies, how will your employees be judged, how will they receive guidance in a sticky situation, and what will you show to the OIG when they arrive?

Without forms (largely to be used with Privacy, but also with assignment of access levels in EMR/PM systems, and of course when there is a coding question), how will you have the requisite paper trail that defines “effectiveness”?

Audits, not just for the RAC! If your compliance officer, or an outside contractor performs regular audits on E&M, procedures, security access, and even your money flow – you can be both “effective” in the eyes of the OIG and potentially identify revenue drain, embezzlement risk and opportunities for improvement.

You know the old adage… “You can’t fix it if you don’t know it’s broken!”

4. Next, ensure that communication is foremost in all employees’ minds and they can regularly access your compliance officer with questions, and the compliance officer regularly works with and communicates with all employees.

As part of the “effectiveness” component of any plan scrutinized by the OIG, there needs to be a clear understanding by all employees that there will be no retaliation for bringing problems to the attention of the practice, and when requested, confidentiality of the person advising of a problem will be maintained.

5. Fifth, record maintenance. When it comes to billing, everyone knows they need to keep encounter sheets (super bills) with the billing materials in case of audit or question. When it comes to medical records, everyone knows they must keep records for a designated number of years.

But does your practice have a plan for keeping the records associated with problems brought to your attention by employees or others AND the investigation, findings, actions and correction or mitigation that was needed?

Do you have a breach investigation process? Do you have a process for notifying the OCR Secretary if you have a breach?

If you answer NO, you may have a problem meeting the “effectiveness” requirements of an audit.

6. Finally, there is employee management. This means that you use the compliance, privacy and security plans and policies as a measure when evaluating employee performance, and to guide your disciplinary process.

The OIG “effectiveness” measure includes your willingness to set policies and rules for the discipline of employees who violate the policies, for the evaluation of an employee based on their compliance, and for reporting to licensing and certification boards, or the police for major violations by employees.

So, in the final analysis…

  • Do you think your practice or organization has an “effective plan”?
  • Do you know what to do if your billing company notifies you of a suspected breach?
  • Do you know how to investigate a suspected breach?
  • Do you know if your practice is at risk under the “cloning” or “cut and paste” EMR audits currently being undertaken by government and private insurers?
  • Does your practice really have the depth to handle this on your own, or is this falling to you as the provider who has soooo many other things on your plate?

WARNING – Pre-paid compliance and HIPAA policy books and tool-kits abound, but without everything noted in this article, they may just give you a false sense of security about “effectiveness” so I urge you to take the time to really consider where your organization stands on the effectiveness of all policies, procedures and underpinnings of your practice. After all, you just want to provide health care – make sure you can without loss and reputational harm – make sure you are effective!

Emilie DiChristina may be reached at 716.474.2429 or for more in


By Becky Amann, Compliance Manager

2014 OIG WORK PLAN – Released January 31, 2014

New OIG investigations in 2014:

  • Anesthesia Services: The OIG will review Medicare Part B claims for personally performed anesthesia services to determine whether they were supported in accordance with Medicare requirements. They will also determine whether Medicare payments for anesthesiologist services reported on a claim with the “AA” modifier met Medicare requirements. Reporting an incorrect modifier on the claim, as if services were personally performed, when they were not, will result in Medicare paying a higher amount. 

Continuing OIG investigations in 2014:

  • Nursing Home stays: The OIG will identify questionable billing patterns associated with Medicare providers for Part B services provided to nursing home residents during stays not paid under Part A (for example, stays during which benefits are exhausted or the 3-day prior-inpatient-stay requirement is not met). Congress explicitly directed OIG to monitor Part B billing abuse for non-Part A stays.
  • Ophthalmological Services: The OIG will review Medicare claims data to identify inappropriate payments and/or questionable billing for ophthalmological services during 2012. They will also determine the geographic locations of providers exhibiting questionable billing.
  • Payments for outpatient drugs and administration of drugs: The OIG will review Medicare outpatient payments to providers for certain drugs (e.g. chemotherapy drugs). Review of billed units will determine if overpayments have occurred due to incorrect coding or overbilling of units.
  • Payments for Incarcerated Beneficiaries: The OIG will review Medicare payments for incarcerated beneficiaries to determine whether the payments were made for beneficiaries who did not meet the criteria for exception identified in Medicare regulations.
  • Place of Service Coding Errors: The OIG will continue to review physicians’ coding on Medicare Part B claims for services performed in ambulatory surgical centers and hospital outpatient departments to determine proper coding of the place of service. There is concern that physicians are reporting the place of service as non-facility (office), when in fact services were rendered at a facility which would generate a lower payment. Report is expected in 2014.
  • E/M services – Inappropriate Payments: OIG will determine the extent to which selected payments for E&M services were inappropriate. They will also review multiple E&M services associated with the same providers and beneficiaries to determine vulnerabilities in documentation. Medicare contractors have noted an increased frequency of medical records with identical documentation across services.

All practices and facilities should read the OIG Work Plan in its entirety, and take steps to identify and rectify any potential issues they may have, before the OIG does. The full 2014 Work Plan can be accessed at:


Occasionally, PF has encountered inadvertent breaches of unsecured PHI from our clients, via e-mail. In the past, our Compliance Dept. would have provided further guidance to our client regarding the breach.

The HIPAA Breach Notification Rule requires HIPAA covered entities (providers) to perform a risk assessment to establish any probability that PHI has been compromised.

Moving forward, when a PF employee identifies a breach of PHI from our client, they will notify them of this occurrence and we would expect that the client will follow the necessary steps regarding the breach. Our Compliance Dept. will not become involved as it is ultimately the provider’s responsibility to monitor potential breaches including training of your staff.   

For Compliance questions, please contact Becky Amann at 716-348-3902 or


By Sarah Howarth, Billing Manager

Exchange Claim Processing

There are four levels of health insurance plans offered by each carrier through the Health Insurance Exchange.   Bronze plans hold the lowest cost with the highest out-of-pocket patient responsibility.  Platinum plans have the highest monthly premium with the lowest out-of-pocket responsibility.  Claim submission and payment processing will be handled the same way as all other insurance claims.  The carrier will follow their standard commercial fee schedule. 

If a patient fails to make their premium payment:

  • 90 day grace period for all carriers.
    • During the first 30 days, claims will be processed as normal.
    • 31-90 days of payment lapse, claims will be suspended (not denied) until premium payment is made.
      • Patients may not be billed for claim balances outside of copay amounts during this time.
    • After 90 days, if the premium payment has not been received, carriers may terminate the patient’s insurance policy and the patient will be held responsible for outstanding claim balances.

 Univera Exchange plans

New members enrolling in Child Health Plus as of January 1, 2014 must enroll through the NYS health plan marketplace.  Although enrollment is completed through the marketplace, the Affordable Care Act rules do not apply to Child Health Plus.  Members will be assigned one ID number per household; patient names will serve as a unique identifier.

 Independent Health

Last month we notified you that Independent Health will no longer offer MediSource in Niagara County.  In February, IHA was able to obtain the funding to continue to offer MediSource in Niagara County.  Patients have been notified that there are no actions necessary to continue their insurance coverage. 


Medicare has released the 2014 requirements for PQRS reporting.  To avoid the 2016 payment adjustment, individual providers must report a minimum of 3 measures for at least 50% of eligible Medicare fee for service patients throughout the reporting period.  Providers interested in obtaining the 2014 PQRS payment incentive must report on 9 measures for at least 50% of Medicare fee for service patients throughout the reporting period. The reporting period begins January 1st and ends December 31, 2014.

  • Measure requirements are driven by diagnosis and procedure codes.
  • Providers may opt to report through a 3rd party registry, an EMR or by adding appropriate coding to their claims when billed.
  • Billing clients who select claim reporting must add the appropriate numerator quality-data code to the claim.
  • Providers must meet the requirements of the measure, add the appropriate numerator to the claim and ensure supportive documentation has been completed.

Medicare has a dedicated service line to answer questions specific to PQRS: 1-866-288-8912.

Additional information may be found at:

Practicefirst will be happy to provide billing clients with the following upon request:

  • Summary of Medicare payments from 2013 to estimate the impact of the 1.5% payment reduction.
  • A report of ICD-9 and CPT codes billed in 2013 for cross-reference with the qualifying requirements of each measure.

Additional assistance in determining appropriate measures and claims reporting is available.  Please contact Practicefirst for more information.

For Billing questions, please contact Sarah Howarth at 716-348-3923 or