by Tammy Bartlett, Billing Manager


Effective May 1, 2017, Independent Health (IHA) will recognize “incident to” billing practices for their Commercial, Medicare Advantage and Self-Funded plans.  IHA’s state products (MediSource, MediSource Connect, Child Health Plus and Essential Plan) will not be eligible for “incident to” billing.

Please ensure your staff carefully reads IHA’s requirements for “incident to”, which can be found in their Participating Practitioner Reimbursement Manual, located on their website at:


The guidelines for “incident to” begin on Page 10. Any questions pertaining to these requirements should be directed to the following email address:  Reimbursement.Manual@independenthealth.com

After the implementation of this new policy, IHA will conduct audits to ensure their requirements are being met by the provider community.



On May 17, 2017, CMS updated their policy for Hepatitis B coverage as reflected in bold print below.

Payment for Hepatitis B will apply to the following HCPCS and CPT codes, effective for dates of service on or after September 28, 2016: G0499, 86704, 86706, 87340 & 87341.  CMS will allow coverage for HBV screenings only when services are ordered by the following provider specialties found on the provider’s enrollment record.

  • 01- General Practice
  • 08- Family Practice
  • 11- Internal Medicine
  • 16- Obstetrics/Gynecology
  • 37- Pediatric Medicine
  • 38- Geriatric Medicine
  • 42- Certified Nurse Midwife
  • 50- Nurse Practitioner
  • 89- Certified Clinical Nurse Specialist
  • 97- Physician Assistant

Claims submitted by providers other than the specialty types noted above will be denied.

For Billing questions, please contact Tammy Bartlett at 716-348-3923 or tammyb@pracfirst.com


by Becky Amann, Director of Compliance


In June, the OIG reported that Medicare has paid millions of dollars in Electronic Health Record (EHR) Incentive Payments that did not comply with Federal Requirements.

As an incentive for using certified EHR technology, the Federal Government makes payments to Eligible Professionals (EP’s) that attest to “meaningful use” of EHR’s, by self-reporting data to the Centers for Medicare and Medicaid Services (CMS).

The OIG reviewed EHR incentive payments that Medicare issued to EP’s from May 2011 to June 2014 and selected a random sample of EP’s who received payment. Based on the sample reports, the OIG has estimated that CMS inappropriately paid $729.4 million to EP’s who did not meet the meaningful use requirements.

The OIG has recommended that CMS recover $291,000 in payments made to the sampled EP’s who did not meet meaningful use requirements. In addition, the OIG recommends that CMS review EP incentive payments to determine which EP’s did not meet meaningful use for each program year to attempt to recover the $729.4 million in estimated inappropriate incentive payments.

For OIG’s full report, please access their website at: https://oig.hhs.gov/oas/reports/region5/51400047.asp

For Compliance questions, please contact Becky Amann at 716-389-3202 or beckya@pracfirst.com


By Tammy Bartlett, Billing Manager


MVP Health Care has created reference guidelines that may provide you and your staff with helpful tools that explain HEDIS measures as well as providing the CPT, HCPCS and ICD-10 codes that count towards the completion of these measures.

You will find these coding reference guides by going to mvphealthcare.com, selecting the Provider drop-down, and then selecting the Quality Programs and the Reference Library sections. The Behavioral Health Guide will also be available on their website in the next couple of weeks.

If you have any questions with respect to this notice, please contact Mike Farina at 518-388-2463 or email at mfarina@mvphealthcare.com.


Beginning August 1, 2017, the New York State Department of Health is requiring all Child Health Plus (CHP) members who originally enrolled in this program through Excellus BlueCross BlueShield to now complete their renewal for the CHP Program through the New York State of Health Marketplace.

This transition begins with the CHP members who are renewing for an August 1, 2017 effective date.

As a result of this renewal transition, CHP members will be mailed a new Member Identification Card with a new identification number.

In addition, if a CHP member has obtained preauthorization under his or her current identification number, but the preauthorized services will be delivered to the member after the date the member is transitioned to the New York State of Health Marketplace, a new preauthorization must be requested with the member’s new identification number.

As a reminder, please ensure you forward Practicefirst any changes in insurance coverage for your patients, including new identification numbers. This will ensure claims are submitted correctly to the appropriate insurance plan.


Medicare is taking steps to remove Social Security numbers from Medicare cards. Through this initiative CMS will prevent fraud, fight identity theft and protect essential program funding and the private healthcare and financial information of Medicare beneficiaries.

CMS will issue new Medicare cards with a new unique, randomly-assigned number called a Medicare Beneficiary Identifier (MBI) to replace the existing Social Security-based Health Insurance Claim Number (HICN). This will occur both on the cards and in various CMS systems currently used.  CMS will start mailing new cards to Medicare beneficiaries in April 2018.  All Medicare cards will be replaced by April 2019.

Based on feedback from healthcare providers, practice managers and other stakeholders, CMS is developing capabilities where doctors and other healthcare providers will be able to look up the new MBI through a secure tool at the point of service.  To make this transition easier for you and your business operations, there is a 21 month transition period where all healthcare providers will be able to use either the MBI or the HICN for billing purposes.

Even though your systems will need to be able to accept the new MBI format by April 2018, you can continue to bill and file healthcare claims using either number during the transition period.  Medicare encourages providers to start working with their software vendors to make sure systems will be updated to reflect these changes.

To learn more about this new initiative, please visit:  www.cms.gov/Medicare/SSNRI/Providers/Providers.html

For Billing questions, please contact Tammy Bartlett at 716-389-3223 or tammyb@pracfirst.com


By Emilie DiChristina MBA, for PracticeFirst


Last week, approximately June 28, 2017, major organizations in Europe and the US were attacked by the “Petya” RANSOMWARE. In Pittsburgh, Pennsylvania, Heritage Valley Health System was hit by this malware, impacting the safety and treatment of patients across their hospitals and health centers.

About 6 weeks ago everyone heard of the RANSOMWARE attack on the Erie County Medical Center Corporation, and of course on companies across the world.

Possibly the first RANSOMWARE attack in our immediate area occurred in May 2016, impacting the public, mental and health departments of the Niagara County Health Departments.


Whether you are a provider or a patient, having your records held hostage is scary. The risk of incorrect prescribing, delayed surgeries, unknown allergies and delayed test results and possibly completely lost records cannot be oversold.

Having your records possibly viewed by a hacker is scary. Although the medical information loss is worrisome, the loss of vital identifiers can also be frightening. Your DOB, SS, address, bank account information…shall we go on?

Even scarier, the inability to get the information back, explaining to the government why you were unable to secure your data, and possible lawsuits, penalties and the loss of trust.


Let’s review what you, as a covered entity, are required to do regarding electronic data…

CMS requirements for Electronic Security apply to any “covered entity”, which means:

  • Any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard
  • Any individual or group plan that provides or pays the cost of health care (e.g., a health insurance issuer and the Medicare and Medicaid programs).
  • Health Care Clearinghouses – A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format, or vice-versa.

Why then, if healthcare providers are following the CMS Electronic Security Rules, are they falling victim to RANSOMWARE attacks, or in fact, any virus?

CMS/HIPAA General Rules of meeting the Security Standard include the following safeguards:

ADMINISTRATIVE – Security Management Process – Assigned Security Responsibility – Workforce Security – Information Access Management – Security Awareness and Training – Security Incident Procedures – Contingency Plan – Evaluation – Business Associate Contracts and Other Arrangements

PHYSICAL – Facility Access Controls – Workstation Use – Workstation Security – Device and Media Controls

TECHNICAL SAFEGUARDS – Access Control – Audit Controls – Integrity – Person or Entity Authentication – Transmission Security

So therefore, if an organization has policies, procedures, and documentation requirements in place to meet the CMS requirements for electronic device and information security, viruses and RANSOMWARE should not be a problem…Right?

Unfortunately, there are 2 major issues (and a host of minor ones) that may put your organization at risk of either a violation of the EPHI security requirements of CMS, or of suffering a virus or RANSOMWARE attack.


The first MAJOR RISK is that we all use, or are, PEOPLE.

The 2017 Level 3 Healthcare Security Study conducted by HIMSS Analytics and sponsored by Level 3 Communications found that approximately 80% of surveyed health IT executives and professionals report that employee security awareness is their greatest concern regarding healthcare data security.

In large organizations there are large numbers of people, from the big guns of the Administrators and Providers, extending to housekeeping, students, security and Business Associates.

These big entities have people writing HIPAA and E-Security policies, giving inservices, even auditing HIPAA and E-Security. The job of these “people” is specifically to ensure that the rules of CMS are followed, up to and including those regarding E-Security.

So, why have these big entities been hit by viruses and RANSOMWARE?

Unfortunately, the sheer volume of people in these organizations makes security a real issue both in physical plant (how to prevent someone claiming slip and fall injury), ID theft (people stealing a patient’s demographic information), HIPAA violations (both inadvertent such as the lobby conversation and deliberate as in reviewing the info of a VIP patient), and of course in E-Security.

E-Security can also be the defining factor in the theft of patient information or HIPAA data breaches as well as malware and viruses entering your IT system. Just think how many people have personal phones or other devices such as iPads, as well as institution provided electronic devices. How many Medical and Dental residents are coming into these places in July, each getting their own usernames, passwords, VPN access to all kinds of IT systems and programs?

People are the issue in small and medium sized healthcare businesses as well. In these situations, the problem may be too few people, with not enough expertise to handle IT concerns, or a feeling that as a small business neither CMS nor RANSOMWARE attackers will come after you.

Personnel working in smaller practices may use their personal electronic devices for work, or may, as with any business, plug them into the workstation by USB. Further, people in smaller organizations often travel between offices, take home HIPAA material or electronic devices. Also, more often than not, you begin to think of staff as family members or you have family members working there so you cannot conceive of them doing something that could harm your practice.

When you see this screen in smaller organizations, it is likely that data from your PC can be migrated to the personal device, or from the personal device. This is a common source of virus and malware transmission as well as HIPAA breaches and data theft!


Bottom line? Unless every person you hire, use as a Business Associate, allow to intern, shadow, contract, clean, etc. for you is completely honest, follows all the rules, never opens personal email or uses personal devices on your system, never uses open Wi-Fi, and always turns off their computer at least once per week (not logging off, turning off) to allow for patches, people put you at risk.

The Identity Theft Resource Center and CyberScout released a survey in 2017 that showed the leading cause of healthcare data breaches was employee error or negligence.

The second MAJOR RISK(s) would be a combo of time, money and fatigue.

The HIMSS Analytics survey listed competing priorities and budget concerns as the top barriers in adopting a comprehensive security program.

While budget concerns may limit the number of people we have monitoring employee behavior, the ability to afford full time IT support, or even whether or not you have purchased licenses for the newest operating systems, the competing priority and fatigue issues may be worse.

In every organization, your specific priority depends on your role in the organization. A CEO or CIO will have different priorities than a clinical provider who just wants to log on, complete a task and get the job done.

The smaller practice is impacted by monetary priority fairly significantly, as they cannot always afford IT personnel or regular updates to computer programs, they are often the entities using older Operating Systems, and many do not even have a written compliance and E-Security plan, let alone constantly reminding staff about it. If you are working in a small practice, go to your Administrator or Principal MD and say, “Does our practice have E-security threat intelligence, sandboxing or DDoS mitigation in place?” and watch their eyes glaze over.

And fatigue – One major reality of health care is overall fatigue, mental and physical. It is as real as what we call ICU alarm fatigue – too many things beeping and we tune everything out and miss something important.

We have been bombarded with HIPAA training for about 2 decades. When E-Security was added, we were already so exhausted by HIPAA, we barely listened to the new training.

We have passwords and usernames for so many programs we do the unthinkable, that is to use the same passwords where allowed or to write everything down and stick it near our work station or on our phones, etc.

We also, although trying to remember to log out of programs, or even the PC we are using, often do not turn the actual PC off (the necessary patches and updates to prevent malware can take place when the PC is turned back on). The reason most of us conveniently forget to turn off the PC is the delay we experience when turning the PC back on; the patches and updates can take quite a bit of time if the machine hadn’t been turned off recently.

We are also so focused on getting our jobs done that we forget the exact policy or process related to IT security, for example clicking on an attachment in an email you think is from a colleague, or accessing streaming sites for radio, music, YouTube, or worse, accessing your Facebook from your work computer.

And we allow people to plug their personal USB or USB driven devices into their work stations!! Making it easy for malware to get into our system and for ePHI or Demographic data to be transferred to the personal device!!!

The HIMSS Analytics study also listed clinical workflows, employee awareness and in-house expertise as top security program barriers.

As they say – brown stuff happens, and sometimes it hits the fan!

So, if you have limited time, limited money, conflicting priorities, your best bet to protect your organization against malware, viruses or RANSOMWARE, even in the smallest organization, is to have a thorough and effective E-Security program as required by CMS.

Sounds too simple? Think about this…

RANSOMWARE attacks, virus intrusions, malware all violate the major 3 tenets of HIPAA Security:

Confidentiality – EPHI is accessible only by authorized people and processes (obviously if your system is hacked… someone unauthorized may be looking)

Integrity – EPHI is not altered or destroyed in an unauthorized manner (RANSOMWARE threatens to destroy your data, which would include patient records if you don’t pay up, and even if you don’t pay, some data may still be lost depending on how long ago you backed up data).

Availability – EPHI can be accessed as needed by an authorized person (When a virus or RANSOMWARE locks up your system, and no one can access patient records… well you get the drift).


  1. Make sure you are following the regulations put forth by CMS, no matter how small your organization may be, and that you have the required policies, enforce those policies and audit staff performance under those policies. This may not stop RANSOMWARE or other malware but it can indeed mitigate some of the financial, penalty and risk fallout after the event.
  2. Update the policies and procedures and have your people sign off on each of them or the entire manual, minimally yearly, when hired and if found to be doing something incorrect.
  3. Have a plan to work without your electronic medical records. How will you cancel patients, move patients, schedule patients? How will you treat those needing immediate care? How will you record your treatment, and then ensure it gets updated into the full EMR later?
  4. Strictly enforce, and punish, use of personal devices, use of personal email, opening of streaming radio, YouTube, Facebook, and any email download without first putting through a virus check.
  5. Require all staff in small offices, offices where workstations are not shared, etc. to not only log off, but also shut down their PCs and workstations at the end of their work week so IT updates (if you have an active IT provider), operating system patches, and Anti-Virus and Malware program updates can be installed when the computer is turned on again at the beginning of the week.
  6. Make sure that all of your systems, EMR, medical equipment related, billing related, even things like Quickbooks, etc. are updated regularly.






By Jackie Lucas, Billing Manager



In an effort to make user data more secure and to improve system performance, eMedNY will be installing a new feature that will impact ePACES users when signing on to the ePACES application. This new feature, commonly called CAPTCHA, is a program that can distinguish whether the user attempting to sign on is a human or a computer.

EFFECTIVE June 1, 2016: When users attempt to sign on to ePACES from the eMedNY website, the user will be asked to verify that he/she is a person and not a computer by selecting specific images. Once the user has successfully verified the correct images, he/she will be allowed to sign into the ePACES account. If the incorrect images are selected, the user will be asked to verify another set of images before being allowed access to ePACES.

This new feature is widely utilized by other secure websites. Many people are familiar with it and have probably had to use it to gain access to those secure websites. The NYS Department of Health is adding this feature to help secure your data, and to prevent unauthorized computer-automated access to ePACES that could adversely impact ePACES performance.

IMPORTANT NOTE: All users will need to have installed Internet Explorer (IE) version 10 or greater or any alternative browsers including Google Chrome, Mozilla Firefox, or Apple Safari. IE versions 9 and below will NOT be supported. Please be sure to coordinate with your IT department to upgrade your internet browser, if necessary, before the effective date shown above.

Questions about ePACES can be directed to the eMedNY Call Center at 800-343-9000.



In accordance with the New York State Medicaid Program, Independent Health requires a valid 11-digit NDC number on claims when billing for all physician administered drugs that use J codes for its state products (MediSource, Child Health Plus, Essential Plan). The New York State Medicaid Program addressed this requirement in its April 2015 update (link below).

To participate properly in New York State’s All Payer Database, Independent Health is expanding this reporting requirement to all other fully-insured lines of business (Commercial plans and Medicare Managed Care plans) for dates of service beginning June 1, 2016.

The NDC is maintained by the U.S. Food and Drug Administration (FDA) and contains identifying information regarding the labeler/manufacturer, strength, dosage form and formulation of a drug product. The code is located on drug invoices, inserts and/or product packages.

Beginning for dates of service June 1, 2016, Independent Health will require the following when providers submit claims for physician administered drugs that use J-codes (J0000-J9999):

  • Valid NDC number
  • Quantity and measurement

Please note, Independent Health will deny claims submitted without this information for dates of service June 1, 2016 or after.

The use of NDC codes follows similar efforts for improved specificity in health care operations, similar to the recent move to ICD-10 coding.

Link to April 2015 Medicaid Update Addressing NDC Requirement:

Link to New York State All Payer Database Program:

If you have questions, please contact Independent Health’s Provider Services Department at providerservice@servicing.independenthealth.com or call (716) 631-3282 or 1-800-736-5771, Monday through Friday from 8 a.m. to 6 p.m.




You may have patients who are currently uninsured – or who could potentially lose their health insurance coverage this coming year as a result of loss of employment or a change in benefits.

Per Univera, the Essential Plan, a new health plan for 2016, costs much less than other health plans but offers the same essential benefits. Those who qualify can enroll any time of the year.

Plans for as low as $0 or $20 per month are available to eligible individuals who meet household size and income guidelines. The Essential Plan has NO deductible and covers the same services covered by other quality insurance plans:

  • office visits (including specialists) and ordered tests
  • prescription drugs
  • inpatient and outpatient care
  • free preventive care (routine exams and screenings)

Important Note: Essential Plan is only available in the eight counties of our Western New York service area (Erie, Niagara, Cattaraugus, Chautauqua, Allegany, Orleans, Wyoming and Genesee), and only practitioners located within those counties are eligible to provide services to Essential Plan members. Uninsured patients can go online or call Univera for help determining if they qualify. The Essential Plan is only available through the New York State of Health Marketplace, but they offer an online calculator at ChooseUnivera.com to help determine eligibility.



For claims received on or after 6/1/2016, tetanus vaccines will be subject to denial when a routine non-covered diagnosis code is linked to the CPT code. Providers must be aware that if the tetanus vaccine is medically necessary, the appropriate ICD-10 diagnosis code must be linked to the CPT code. For routine vaccines, which are expected to be denied, procedure codes including the administration need to be submitted with modifier GY for correct denial.

NGS is aware that not all providers have been using modifier GY to obtain a denial for supplemental insurance processing. Claims paid in error with a routine non-covered diagnosis code will be adjusted for refunds.


National Government Services (NGS) has seen an increase in claims for CPT 90471/90472 using ICD-10 code Z23 (Encounter for immunization), that were paid even though the provider was expecting the service to deny.

NGS advised that effective for claims received 1/1/2016 with dates of service 10/1/2015 and after, claims submitted with a combination of non-covered routine diagnosis codes and payable diagnosis codes would be considered for payment. Providers that submit claims with the intent of denial for supplemental insurance will no longer be able to submit a routine diagnosis for denial unless all of the reported diagnosis codes are routine non-covered. A combination of the routine diagnosis and the use of the GY modifier will be required for denial.

For Billing questions, please contact Jackie Lucas at 716-348-3923 or jackiel@pracfirst.com.


By Becky Amann, Compliance Officer



MVP has issued letters to the provider community regarding provider’s attestation to monitoring of the Exclusionary Databases on OIG’s website. MVP implemented a new policy requiring provider groups to attest that they are monitoring their employees, staff and agents associated with the group, against the exclusionary database on a monthly basis. This policy is located in section 4.17 of MVP’s Provider Resource Manual, which can be located on their website at: https://www.mvphealthcare.com/provider/documents/MVP_Health_Care_ProviderResourceManualSection_4_ProviderResponsibilities.pdf

The attestation form must be completed and returned to MVP by December 31, 2014.

The form can be faxed to 585-327-5747. The attestation is located on their website at: http://www.mvphealthcare.com/provider/documents/MVP_Health_Care_Provider_Attestion_Monitoring_Exclusionary_Databases.pdf


Univera has also notified the provider community in a bulletin dated November 10, 2014 regarding Medicaid Employment Compliance Requirements. This notification refers to monitoring the exclusionary database on a monthly basis. The notification included an attestation to be completed by providers. Unfortunately the attestation is not located on their website. If you did not receive this notification from Univera, please contact your provider relations representative at Univera or Becky Amann at Practicefirst for a copy.

OIG 2015 WORK PLAN – Released 10/31/14

The Office of Inspector General (OIG) has issued their Work Plan for 2015 which summarizes new and ongoing reviews and activities that they will pursue.

New investigations in 2015:

MCO payments for services after beneficiaries’ death: The OIG will identify Medicaid managed care payments made on behalf of deceased beneficiaries. They will also identify trends in Medicaid claims with service dates after the beneficiaries’ dates of death. Prior OIG reports have found that Medicare paid for services that purportedly started or continued after the beneficiaries’ date of death.

MCO payments for ineligible beneficiaries: The OIG will identify Medicaid managed care payments made on behalf of beneficiaries that were not eligible for Medicaid. Prior OIG work has found that Medicaid paid for services that purportedly started or continued during periods where the beneficiary was not eligible for Medicaid.

Continuing investigations in 2015:

Nursing Home Stays: The OIG will continue to identify questionable billing patterns associated with Medicare providers for Part B services provided to nursing home residents during stays not paid under Part A. For example, stays during which benefits are exhausted or the 3-day prior-inpatient-stay requirement is not met. Several broad categories of services, such as foot care will be examined.

Hospitalizations of nursing home residents for manageable and preventable conditions: The OIG will determine the extent to which Medicare beneficiaries residing in nursing homes are hospitalized as a result of conditions thought to be manageable or preventable in the nursing home setting. Hospitalizations of nursing home residents are costly to Medicare and may indicate quality-of-care problems in nursing homes.

Anesthesia Services: The OIG will continue to review Medicare Part B claims for personally performed anesthesia services to determine whether they were supported in accordance with Medicare requirements. They will also determine whether Medicare payments for anesthesiologist services reported on a claim with the “AA” modifier met Medicare requirements. Reporting an incorrect modifier on the claim, as if services were personally performed, when they were not, will result in Medicare paying a higher amount.

Ophthalmological Services: The OIG will continue to review Medicare claims data to identify potentially inappropriate payments and/or questionable billing for ophthalmological services during 2012. The OIG will determine the locations and specialties of providers with questionable billing.

Place of Service Coding Errors: The OIG will continue to review physicians’ coding on Medicare Part B claims for services performed in ambulatory surgical centers and hospital outpatient departments to determine proper coding of the place of service. There is concern that physicians are reporting the place of service as non-facility (office), when in fact services were rendered at a facility which would generate a lower payment.

Payments for outpatient drugs and administration of drugs: The OIG will continue to review Medicare outpatient payments to providers for certain drugs (e.g. chemotherapy drugs). Review of billed units will determine if overpayments have occurred due to incorrect coding or overbilling of units.

All practices and facilities should read the OIG Work Plan in its entirety and take steps to identify and rectify any potential issues they may have, before the OIG does.

The full 2015 Work Plan can be accessed at: http://oig.hhs.gov/reports-and-publications/archives/workplan/2015/FY15-Work-Plan.pdf

For Compliance questions, please contact Becky Amann at 716-348-3902 or beckya@pracfir


By Emilie J DiChristina, MBA for Practicefirst

With the HIPAA Privacy  Rule Compliance date of 2003, the Security Rule transfer to the OCR for compliance in 2009, and subsequent increased requirements and focus such as those involving Business Associates and Breach Policies, enforcement and audit activities have INCREASED.

First, consider the activities SPECIFIC TO COMPLAINTS ALONE.    

As of May 2014, in HHS’s own statements regarding investigations, they summarized as follows:

“…since the compliance date in April 2003, HHS has received over 97,072 HIPAA complaints. We have resolved ninety-five percent of complaints received (over 91,768): through investigation and enforcement (over 22,613); through investigation and finding no violation (10,182); and through closure of cases that were not eligible for enforcement (58,973)”.

HHS has also been helpful by providing guidance as to what their investigations into the PRIVACY RULE found specifically as follows:

“From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency”:

  1.  Impermissible uses and disclosures of protected health information;
  2.  Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Uses or disclosures of more than the minimum necessary protected health information; and
  5. Lack of administrative safeguards of electronic protected health information.

“The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency”:

  1. Private Practices;
  2. General Hospitals;
  3. Outpatient Facilities;
  4. Health Plans (group health plans and health insurance issuers); and,
  5. Pharmacies.

As far as Security Rule investigations and findings, HHS states: “…since OCR began reporting its Security Rule enforcement results in October 2009, HHS has received approximately 880 complaints alleging a violation of the Security Rule. During this period, we closed 644 complaints after investigation and appropriate corrective action. As of May 31, 2014, OCR had 301 open complaints and compliance reviews”.

It may be easy to look at the number of complaints reported above as being found valid and treat it as of no concern to you or your practice, since about 23,000 negative findings throughout the US, involving all types of healthcare providers, would seem to present very low odds of you or your practice ever being involved in a complaint investigation….BUT WAIT!


By some calculations, random audits of the Privacy and Security Rules as required under HITECH have increased almost 140% since OCR/HHS’s initial pilot program in 2011.

You need to know that the results of the first random audits under the pilot program have been published and show that 65% of the negative findings against covered entities resulted from incomplete implementation of the Security Rule.

More importantly, 80% of the negative findings were against health care providers, rather than health insurance plans or clearinghouses, etc.

Are you prepared to survive an audit by HHS/OCR or even the NY State Attorney General (who has also gained the right to audit for compliance)?

Taken directly from the HHS website, the following represents the audit protocol currently being followed and under which the State Attorneys General have been trained:

“The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

  • The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • The protocol covers Security Rule requirements for administrative, physical, and technical safeguards
  • The protocol covers requirements for the Breach Notification Rule.”

Whether your practice comes under scrutiny from investigation of Privacy or Security Rule complaints, whistleblowing or just a random audit, understand that no one is safe (HHS has even found compliance issues with state agencies throughout the country) and that a lot of money may be on the line.

In fact, settlement payments have ranged from $750,000 to over $2M, and civil monetary penalties have reached in excess of $4M.

It goes without saying that auditing and investigation are succeeding in producing findings, and nothing drives future auditing like finding that there are still entities out there NOT doing things the way the rules require.

Is it time to shore up your processe


By Sarah Howarth, Billing Manager


On May 1, 2014, Independent Health began issuing new ID cards with new ID numbers to members.  Please ask Independent Health patients for a copy of their new ID card, update your systems with their new ID number and notify Practicefirst of the change.


National Government Services will be conducting service-specific prepayment reviews targeting E&M services.  The primary focus of the reviews will be to identify common errors, develop educational efforts and prevent improper payments.  These prepayment audits will review documentation to determine if it supports the service billed.  If you receive correspondence from National Government Services requesting documentation, please notify Practicefirst immediately.

The Centers for Medicare & Medicaid Services (CMS) has identified issues relating to the processing of claims for new patient visits billed by the same physician or physician group within the past three years.  CMS has determined that the edits implemented in October 2013 generated incorrect overpayments and denials for some claims.  CMS will be issuing refunds on any offset or recouped payments and interest in the next 90 days.


Effective June 16, 2014, Univera Healthcare, Univera Community Health, Excellus and Monroe Plan will require a taxonomy code on all claim submissions.  Claims submitted without taxonomy will be returned.  Practicefirst has implemented the necessary changes to include taxonomy codes on claim submission.


We are nearing the halfway mark of the 2014 PQRS reporting period.  To avoid the 2016 payment adjustment, individual providers must report a minimum of 3 measures for at least 50% of eligible Medicare fee for service patients throughout the reporting period.  Providers interested in obtaining the 2014 PQRS payment incentive must report on 9 measures for at least 50% of Medicare fee for service patients throughout the reporting period. The reporting period begins January 1st and ends December 31, 2014.  Providers interested in avoiding the payment adjustment and/or obtaining the payment incentive, must begin reporting immediately.

Additional assistance in determining appropriate measures and claims reporting is available.  Please contact Practicefirst for more information.


Silent PPO is the term used to describe when a non-contracted payer or plan administrator applies a contracted payer’s fee schedule to services rendered by a provider, without the provider’s prior knowledge or consent.

The most common scenario is when a contracted network leases, for a fee, its contracted rates to a non-contracted network or administrator.

Tips for mitigating the impact of Silent PPOs:

  • Review payer contracts.  Watch for “all payers” clause or similar verbiage which could be an indication that the payer leases its network.
  • If this language is present, contact the payer to request an updated contract network affiliated payer list.  Payers typically update these lists no less than every 90 days.
  • Know your contract term date(s).
  • Consider contracting directly with non-contracted payers, as justified by patient volume & fee schedule analysis.
  • Please notify Practicefirst prior to contracting with any network.

Note that there are times when practices decide to deliberately contract with a network. Carriers such as Multiplan have hundreds of payers that rent their network.  When participating with large, national networks such as this, please be sure your office staff is trained in recognizing the various logos, etc. that give patients access to your practice, even though you don’t directly contract with their insurance carrier.  For example, a patient presents with an Aetna insurance card, and you are not contracted with Aetna.  However, you are contracted with Multiplan.  If the card has a Multiplan logo on it, that patient can be treated, as they’d be considered “in network” due to your contract with the network, Multiplan.

For Billing questions, please contact Sarah Howarth at 716-348-3923 or sarahh@pracfir

The Effect of The “Two-Midnights Rule” on Your Practice

By Emilie DiChristina, MBA for PracticeFirst

If your practice accepts Medicare and your providers admit those Medicare patients to hospitals, you are aware of the Two-Midnight Rule for observation. The real question is… Is your practice ready for the ramifications of this rule’s effect on your patients?

Before we discuss the ramifications to the practice, we need to consider the what and why of the two-midnights rule. The why is that Medicare, in reviewing inpatient “admissions”, came to a conclusion that many of the admissions were not necessary. They did not go so far as to say that treatment or care in a higher level setting was not necessary, just that the conditions did not warrant admission.

As potential patients yourself, you may at this point be scratching your head and saying “Huh?”, but from this CMS finding arose the term “observation status” and since then, the ratio of observation stays to inpatient admissions increased at the rate of about 34% per year, with current discussion indicating that almost 20% of Medicare patients sent to the hospital for treatment are admitted under “observation status” versus “inpatient” stays.

Early on, hospitals and providers found that even though they were initially admitting patients as inpatients, retrospective reviews by CMS were resulting in a finding that “observation status would have been more appropriate”. The hospitals had money taken back for these admissions, the providers heard from the hospitals that observation should be used, and the system began to muddle as the financial ramifications clashed with the previously defined standards of care.

For Medicare patients sent to a hospital, they filled out paperwork, received admission packets, had a bed, treatment, tests and medications so for all they knew, they had been admitted.

But just like the hospitals and providers facing the financial ramifications of observation versus inpatient, the patients who thought they had been “an inpatient” now found out about this “observation” status when they started receiving bills for medications, provider visits, labs, diagnostic tests, and more. If the patient was unfortunate enough to have had an observation admission for a condition requiring rehab, or a stay in a SNF, the patients also found out that would not be fully covered by Medicare.

When a Medicare patient is admitted as “observation”, their care is not covered by Medicare Part A, which covers a complete hospital stay once a one-time deductible is met, but by Part B instead, meaning that patients must pay part of their provider’s fees, and co-payments for labs, scans and hospital drugs. Medicare also does not cover rehab at a skilled nursing facility for observation patients.

On Oct. 1, 2013, a Medicare rule dubbed the “two midnights rule”, recently upheld by a new law, went into effect as a method of clarifying what is an observation stay and what is an inpatient stay.

The Connecticut-based Center for Medicare Advocacy, which has long opposed the Medicare observation policy, has said the new rule does nothing to help patients. “Prior to this two-midnight rule, if you thought someone was sick enough to spend the night in the hospital, then the hospital got reimbursed,” said Dr. Dan Fisher, a surgeon and the chief of staff at Erlanger Health System.

“Now you have to be sick enough to spend two nights in the hospital for it to count toward that. If you’re not sick enough to spend two nights, then Medicare is starting to say that you’re not very sick at all.”

So what effects of the “Two-Midnights Rule” may hurt your practice?

Your providers have more paperwork, and hassle at the hospital:

  • If your provider feels that a patient really needs an inpatient admission, they may have to complete a “medical necessity” form justifying the admission and somehow guessing the expected findings of tests, the success of treatment, the rapidity of the patient’s improvement.
  • The hospital Utilization Review staff may be calling asking that an inpatient visit be changed by the provider to an order for observation status.
  • The doctors may decide to refer patients to Hospitalists, avoiding this one more hassle.

Your patients will not be happy and translate this unhappiness to your practice:

  • When the patient receives the first packet of bills, or finds out that their rehab is not covered, the complaints will be directed to the physician who admitted them. After all, you sent them to the hospital, you directed their care, you had the power of writing “inpatient” versus “observation”.
  • Your practice will also suffer from the customer satisfaction measures required as part of the ACA, as an unhappy patient who does not understand the reasons they are bearing all of the costs will certainly blame you.

Your practice finances suffer:

  • Reimbursement for observation is lower than for inpatient, critical care, etc.
  • A patient who is on a fixed income now has to pay co-pays, and lab fees, and drug costs, and possible SNF fees, so paying you may not even be possible, let alone high on the list of importance.


You may want to think about preparing a packet for your Medicare patients advising them of the role CMS plays in directing how any potential hospital admissions or care may be “named” and subsequently billed.

Be prepared to document any patient refusal to go to the hospital, which is a good rule for any patient, but especially in the case of the Medicare patient who may be refusing because of fear of an inability to pay. As word of the two-midnights rule begins to be discussed in senior communities, senior magazines and even in families, you may face more patients making this difficult


By Becky Amann, Compliance Officer


The first week in January, we forwarded a Modifier Memo and corresponding letter to your office. A copy of both documents is attached in case you are unaware of our initial mailing. If we anticipate a claim will deny due to a lacking modifier, the Modifier Memo and the corresponding charge slip will be sent to your office as a “Chart Return” as explained in the Billing Updates section of this client memo. The Modifier Memo does not apply to PF’s PBS Medcode Corp. clients.   



National Government Services (NGS) will be conducting prepay audits for multiple Non-invasive Diagnostic Vascular Studies.

The CPT codes to be reviewed are as follows:

  • 93880 or 93882 when reported on the same day as 93970, 93971, 93925, and/or 93926
  • 93970 or 93971 when reported on the same day as 93880, 93882, 93925, and/or 93926
  • 93925 or 93926 when reported on the same day as 93880, 93882, 93970, and/or 93971

Providers can assist in this process by:

  • Reviewing all contractor provider publications and local coverage determinations (LCDs).
  • Understanding Medicare coverage requirements.
  • Ensuring office staff is familiar with claim filing requirements.
  • Performing self-audits of medical records against billed claims using coverage criteria, LCD, and coding guidelines.
  • Responding to request(s) for records in a timely manner. CMS requires that providers respond to an Additional Development Request (ADR) within 30 days of the request.
  • Ensuring documentation is legible and demonstrates that the patient’s condition warrants the services being reported and billed.


National Government Services (NGS) will be conducting prepay audits for Rhythm ECG’s, one to three leads; Interpretation and Report, CPT 93042.

Medical review data has recently identified a large volume of claims being billed for CPT 93042 reported in an in-patient place of service.

Per NGS, a review of medical documentation supports that beneficiaries were receiving telemetry monitoring. It is not appropriate to bill this procedure code for reviewing monitor strips taken from a telemetry monitoring system.

The Coding Tip in the CPT Manual for reporting electrocardiographic recordings states:

“Codes 93040-93042 are appropriate when an order for the test is triggered by an event, the rhythm strip is used to help diagnose the presence or absence of an arrhythmia, and a report is generated. There must be a specific order for an electrocardiogram or rhythm strip followed by a separate, signed, written, and retrievable report. It is not appropriate to use these codes for reviewing the telemetry monitor strips taken from a monitoring system. The need for an electrocardiogram or rhythm strip should be supported by documentation in the patient medical record.”

A prepayment review consists of a medical review of claims prior to payment. Requests for records are most frequently electronically generated and referred to as ADRs.

The primary focus of these edits will be to better identify common billing errors, develop educational efforts, and prevent improper payments. Providers will be receiving ADR’s asking for documentation to support the service billed. Medical Review encourages providers to respond with the requested documentation in a timely manner to expedite adjudication of these claims.



Blue Cross’s STAT dated December 13, 2013 is targeting providers who are participating with their Medicare Advantage plans.

The STAT indicates that Fraud, Waste and Abuse training is required for providers who render services to Medicare Part C enrollees (Medicare Advantage plan members).

What providers need to do:

  • If you are enrolled in Medicare, you fall under the “deeming” exception based on your enrollment with Medicare.
    • This means you can access Blue Cross’s website and enter basic information that will qualify you for the Fraud, Waste and Abuse training. Please access their website at: www.bcbswny.com/fwa and complete the information requested. Your Medicare Enrollment Number is your Medicare PTAN. If you do not have a record of your PTAN, please contact the Medical Billing Specialist assigned to your account at PF and he/she can provide that number to you.
  • If you have already completed Fraud, Waste and Abuse training that meets CMS’s requirements, Blue Cross will accept documentation of the training.
  • Blue Cross will also accept documentation confirming the completion of CMS’s Fraud, Waste and Abuse training that is located at: www.cms.gov/MLNProducts
  • After accessing CMS’s website, click on the link to MLN Provider Compliance under the MLN Products list. Scroll down and click on the link to the Fraud, Waste and Abuse Educational Products and select the Web-Based Training Course.

To review the Blue Cross STAT regarding this requirement, please access www.bcbswny.com

Click on Provider, → News & Events, → Provider Bulletins, → Volume 19, 2013, and scroll down to Issue 30 (Fraud, Waste and Abuse Training