By Emilie J DiChristina, MBA for Practicefirst

In every practice, regardless of size, operational costs are increasing, capital expenditures (such as those for an EMR) are increasing, human resource costs are increasing, supply costs are increasing, utility costs are increasing, and the providers do not have the time to look for the best deals or negotiate with payers to offset these costs.

What to do? What to do?

One of the ways medical providers (including hospitals and physicians), and many other organizations such as schools, small businesses and not-for-profits are dealing with these challenges are through the development of a MSO – Management Services Organization.

While MSOs are often hospital driven, locally we are seeing a push  to develop MSO which bring together similar specialties, or specialties which will be supportive through a referral base and/or one-stop-shop model. The providers who join the MSO have some degree of financial buy-in either as part of the overall MSO umbrella, or through the purchasing of certain “menu” items such as billing, human resources, payroll, IT, purchasing, etc.

While very large practice may have their own Practice Administrator, their own in-house IT support, compliance personnel, Meaningful Use specialists and HR generalists, most practices do not have the size and scope to offer all those services internally, leaving practices at real risk, Likewise, even the largest practice does not have to bargaining power to achieve hospital sized discounts when purchasing, or negotiate higher rates from third-party payers.

Physician practices are suffering from rising costs and decreasing revenues, and individual practitioners are suffering from a decreased quality of life, particularly if they are trying to be the provider and “chief cook and bottle washer” for the practice.  Increased numbers of physicians are seeking out alliances in droves, looking for help and benefit without giving up their autonomy to practice as they see fit.

So whether seeking to work with other providers of the same specialty, or with a wider range of provider types, the goal is to become more collaborative and more integrated while avoiding any potential regulatory risks (price fixing, anti-trust, inurement, fraud and abuse) and the MSO is generally thought to be the most flexible option. MSOs bring together providers into beneficial alliances without requiring the provider to give up their autonomy.

The way a MSO is set-up (simply described) is to have a management team and an executive director run a business if which the customers (providers buying into the MSO) help define the services which will be provided, the most cost effective way to provide those services, and then to collect fees for those services from the client providers and insure that the services meet the needs of the clients.

For example the MSO usually offers a purchasing department. For a fee, providers who wish to use this centralized purchasing department will receive greater purchasing power when buying the everyday practice items including paper and pens, exam table paper, otoscope tips, and will also have greater power in negotiating for the high ticket items such as capital equipment. The goal is to standardize where possible, negotiate with the greater volume and decrease cost to the client practices.

The whole purpose of an MSO is to offer a specific menu of services made available to practices and structured in a cooperative fashion.  What we are seeing in WNY are MSOs which involve physician equity positions with a stated goal of assistance and guidance without interference.  The physicians are involved in an advisory policy-making capacity, to prioritize efforts and to pick services which will have universal appeal, are apolitical, and offer immediate payback.

The menu of services of an MSO frequently include overall management and consultative practice services, billing and collection, purchasing, equipment and personnel pooling, risk management and human resources/r


By Emilie J DiChristina, MBA for Practicefirst

With the HIPAA Privacy  Rule Compliance date of 2003, the Security Rule transfer to the OCR for compliance in 2009, and subsequent increased requirements and focus such as those involving Business Associates and Breach Policies, enforcement and audit activities have INCREASED.

First, consider the activities SPECIFIC TO COMPLAINTS ALONE.    

As of May 2014, in HHS’s own statements regarding investigations, they summarized as follows:

“…since the compliance date in April 2003, HHS has received over 97,072 HIPAA complaints. We have resolved ninety-five percent of complaints received (over 91,768): through investigation and enforcement (over 22,613); through investigation and finding no violation (10,182); and through closure of cases that were not eligible for enforcement (58,973)”.

HHS has also been helpful by providing guidance as to what their investigations into the PRIVACY RULE found specifically as follows:

“From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency”:

  1.  Impermissible uses and disclosures of protected health information;
  2.  Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Uses or disclosures of more than the minimum necessary protected health information; and
  5. Lack of administrative safeguards of electronic protected health information.

“The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency”:

  1. Private Practices;
  2. General Hospitals;
  3. Outpatient Facilities;
  4. Health Plans (group health plans and health insurance issuers); and,
  5. Pharmacies.

As far as Security Rule investigations and findings, HHS states: “…since OCR began reporting its Security Rule enforcement results in October 2009, HHS has received approximately 880 complaints alleging a violation of the Security Rule. During this period, we closed 644 complaints after investigation and appropriate corrective action. As of May 31, 2014, OCR had 301 open complaints and compliance reviews”.

It may be easy to look at the numbers of complaints reported above as being found to be valid as of no concern to you or your practice as about 23,000 negative findings throughout the US, involving all types of healthcare providers would seem to present very low odds of you or your practice every being involved in a complaint investigation….BUT WAIT!


By some calculations, random audits of the Privacy and Security Rules as required under HITECH have increased almost 140% since OCR/HHS’s initial pilot program in 2011.

You need to know that the first random audits under the pilot program have been published as show that the negative findings against covered entities indicated that 65% of the negative findings (65%) resulted from incomplete implementation of the Security Rule.

More importantly, 80% of the negative findings were against health care providers, rather than health insurance plans or clearinghouses, etc.

Are you prepared to survive an audit by HHS/OCR or even the NY State Attorney General (who have also gained the right to audit for compliance)?

Taken directly from the HHS website, the following represents the audit protocol currently being followed and under which the State Attorney Generals have been trained:

“The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

  • The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • The protocol covers Security Rule requirements for administrative, physical, and technical safeguards
  • The protocol covers requirements for the Breach Notification Rule.”

Whether your practice comes under scrutiny from investigation of Privacy or Security Rule complaints, whistleblowing or just a random audit, understand that no one is safe (HHS has even found compliance issues with state agencies throughout the country) and that a lot of money may be on the line.

In fact, settlement payments have ranged from $750,000 to over $2M, and civil monetary penalties have reached in excess of $4M.

It goes without saying that success in auditing and investigation finding is being successful  and nothing drives future auditing like finding that there are still entities out there NOT doing things the way the rules require.

Is it time to shore up your processe


By Sarah Howarth, Billing Manager


Excellus’s electronic data interchange clearinghouse recently implemented front-end edits to meet industry standards for effective processing of clean claims. As a result, some claims submitted between May 30th and June 20th paid in error, while others were rejected upfront for invalid gender code and/or unique characters or spaces in the patient’s name. 

Practicefirst will resubmit any claims impacted by this issue for correct processing.

Additionally, some claims incorrectly processed with the subscriber receiving services instead of the dependent who actually received the services. Excellus will automatically adjust these claims within their system to reflect the member who received the service. No additional action is required.


Effective July 1, 2014, Excellus will consolidate the Customer Care and Medical Intake/Preauthorization phone number to a single phone number. (This change does not apply to their Federal Employee Program, Monroe Plan, Behavior Health, Radiology and after-hours preauthorization.)

Excellus Customer Care: 1-800-920-8889

Excellus Medical Intake/Preauthorization: 1-800-363-4658


Clinical Editing Policy:  Urinalysis with Evaluation & Management and Preventative Medicine.

This clinical editing policy identifies procedure codes for urinalysis without microscopy when billed with Evaluation and Management procedures including Preventative Medicine procedure codes. The justification for this policy considers urinalysis to be one of the most frequently used indicators of health and disease and is essential in the diagnosis and detection of renal and metabolic disorders. Like the measurement of blood pressure, it is considered an inherent component of an Evaluation & Management service performed in an outpatient setting. The limited resources required for the examination should be properly included, along with consideration of the obtained data in the selection of the appropriate level of E&M service intensity.

For Billing questions, please contact Sarah Howarth at 716-348-3923 or sarahh@pracfirst.com<