by Becky Amann, Director of Compliance


In June, the OIG reported that Medicare has paid millions of dollars in Electronic Health Record (EHR) Incentive Payments that did not comply with Federal Requirements.

As an incentive for using certified EHR technology, the Federal Government makes payments to Eligible Professionals (EP’s) that attest to “meaningful use” of EHR’s, by self-reporting data to the Centers for Medicare and Medicaid Services (CMS).

The OIG reviewed EHR incentive payments that Medicare issued to EP’s from May 2011 to June 2014 and selected a random sample of EP’s who received payment. Based on the sample reports, the OIG has estimated that CMS inappropriately paid $729.4 million to EP’s who did not meet the meaningful use requirements.

The OIG has recommended that CMS recover $291,000 in payments made to the sampled EP’s who did not meet meaningful use requirements. In addition, the OIG recommends that CMS review EP incentive payments to determine which EP’s did not meet meaningful use for each program year to attempt to recover the $729.4 million in estimated inappropriate incentive payments.

For OIG’s full report, please access their website at: https://oig.hhs.gov/oas/reports/region5/51400047.asp

For Compliance questions, please contact Becky Amann at 716-389-3202 or beckya@pracfirst.com


By Tammy Bartlett, Billing Manager


MVP Health Care has created reference guidelines that may provide you and your staff with helpful tools that explain HEDIS measures as well as providing the CPT, HCPCS and ICD-10 codes that count towards the completion of these measures.

You will find these coding reference guides by going to mvphealthcare.com, selecting the Provider drop-down, and then selecting the Quality Programs and the Reference Library sections. The Behavioral Health Guide will also be available on their website in the next couple of weeks.

If you have any questions with respect to this notice, please contact Mike Farina at 518-388-2463 or email at mfarina@mvphealthcare.com.


Beginning August 1, 2017, the New York State Department of Health is requiring all Child Health Plus (CHP) members who originally enrolled in this program through Excellus BlueCross BlueShield to now complete their renewal for the CHP Program through the New York State of Health Marketplace.

This transition begins with the CHP members who are renewing for an August 1, 2017 effective date.

As a result of this renewal transition, CHP members will be mailed a new Member Identification Card with a new identification number.

In addition, if a CHP member has obtained preauthorization under his or her current identification number, but the preauthorized services will be delivered to the member after the date the member is transitioned to the New York State of Health Marketplace, a new preauthorization must be requested with the member’s new identification number.

As a reminder, please ensure you forward Practicefirst any changes in insurance coverage for your patients, including new identification numbers. This will ensure claims are submitted correctly to the appropriate insurance plan.


Medicare is taking steps to remove Social Security numbers from Medicare cards. Through this initiative CMS will prevent fraud, fight identity theft and protect essential program funding and the private healthcare and financial information of Medicare beneficiaries.

CMS will issue new Medicare cards with a new unique, randomly-assigned number called a Medicare Beneficiary Identifier (MBI) to replace the existing Social Security-based Health Insurance Claim Number (HICN). This will occur both on the cards and in various CMS systems currently used.  CMS will start mailing new cards to Medicare beneficiaries in April 2018.  All Medicare cards will be replaced by April 2019.

Based on feedback from healthcare providers, practice managers and other stakeholders, CMS is developing capabilities where doctors and other healthcare providers will be able to look up the new MBI through a secure tool at the point of service.  To make this transition easier for you and your business operations, there is a 21 month transition period where all healthcare providers will be able to use either the MBI or the HICN for billing purposes.

Even though your systems will need to be able to accept the new MBI format by April 2018, you can continue to bill and file healthcare claims using either number during the transition period.  Medicare encourages providers to start working with their software vendors to make sure systems will be updated to reflect these changes.

To learn more about this new initiative, please visit:  www.cms.gov/Medicare/SSNRI/Providers/Providers.html

For Billing questions, please contact Tammy Bartlett at 716-389-3223 or tammyb@pracfirst.com


By Emilie DiChristina MBA, for PracticeFirst


Last week, approximately June 28, 2017, major organizations in Europe and the US were attacked by the “Petya” RANSOMWARE. In Pittsburgh, Pennsylvania, Heritage Valley Health System was hit by this malware, impacting the safety and treatment of patients across their hospitals and health centers.

About 6 weeks ago everyone heard of the RANSOMWARE attack on the Erie County Medical Center Corporation, and of course on companies across the world.

Possibly the first RANSOMWARE attack in our immediate area occurred in May 2016, impacting the public, mental and health departments of the Niagara County Health Departments.


Whether you are a provider or a patient, having your records held hostage is scary. The risk of incorrect prescribing, delayed surgeries, unknown allergies and delayed test results and possibly completely lost records cannot be oversold.

Having your records possibly viewed by a hacker is scary. Although the medical information loss is worrisome, the loss of vital identifiers can also be frightening. Your DOB, SS, address, bank account information…shall we go on?

Even scarier: the inability to get the information back, explaining to the government why you were unable to secure your data, and possible lawsuits, penalties and the loss of trust.


Let’s review what you, as a covered entity are required to do regarding electronic data…

CMS requirements for Electronic Security apply to any “covered entity,” which means:

  • Any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard
  • Any individual or group plan that provides or pays the cost of health care (e.g., a health insurance issuer and the Medicare and Medicaid programs).
  • Health Care Clearinghouses – A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format, or vice-versa.

Why then, if healthcare providers are following the CMS Electronic Security Rules, are they falling victim to RANSOMWARE attacks, or in fact, any virus?

The CMS/HIPAA General Rules for meeting the Security Standard include the following safeguards:

ADMINISTRATIVE – Security Management Process – Assigned Security Responsibility – Workforce Security – Information Access Management – Security Awareness and Training – Security Incident Procedures – Contingency Plan – Evaluation – Business Associate Contracts and Other Arrangements

PHYSICAL – Facility Access Controls – Workstation Use – Workstation Security – Device and Media Controls

TECHNICAL SAFEGUARDS – Access Control – Audit Controls – Integrity – Person or Entity Authentication – Transmission Security

So therefore, if an organization has policies, procedures, and documentation requirements in place to meet the CMS requirements for electronic device and information security, viruses and RANSOMWARE should not be a problem…Right?

Unfortunately, there are 2 major issues (and a host of minor ones) that may put your organization at risk of either a violation of the EPHI security requirements of CMS, or of suffering a virus or RANSOMWARE attack.


The first MAJOR RISK is that we all use, or are, PEOPLE.

The 2017 Level 3 Healthcare Security Study conducted by HIMSS Analytics and sponsored by Level 3 Communications found that approximately 80% of surveyed health IT executives and professionals report that employee security awareness is their greatest concern regarding healthcare data security.

In large organizations there are large numbers of people, from the big guns of the Administrators and Providers, extending to housekeeping, students, security and Business Associates.

These big entities have people writing HIPAA and E-Security policies, giving inservices, even auditing HIPAA and E-Security. The job of these “people” is specifically to ensure that the rules of CMS are followed, up to and including those regarding E-Security.

So, why have these big entities been hit by viruses and RANSOMWARE?

Unfortunately, the sheer volume of people in these organizations makes security a real issue both in physical plant (how to prevent someone claiming slip and fall injury), ID theft (people stealing a patient’s demographic information), HIPAA violations (both inadvertent such as the lobby conversation and deliberate as in reviewing the info of a VIP patient), and of course in E-Security.

E-Security can also be the defining factor in the theft of patient information or HIPAA data breaches as well as malware and viruses entering your IT system. Just think how many people have personal phones or other devices such as iPads, as well as institution-provided electronic devices. How many Medical and Dental residents are coming into these places in July, each getting their own usernames, passwords, VPN access to all kinds of IT systems and programs?

People are the issue in small and medium sized healthcare businesses as well. In these situations, the problem may be too few people, with not enough expertise to handle IT concerns, or a feeling that as a small business neither CMS nor RANSOMWARE attackers will come after you.

Personnel working in smaller practices may use their personal electronic devices for work, or may, as with any business, plug them into the workstation by USB. Further, people in smaller organizations often travel between offices, or take home HIPAA material or electronic devices. Also, more often than not, you begin to think of staff as family members or you have family members working there, so you cannot conceive of them doing something that could harm your practice.

When you see this screen in smaller organizations, it is likely that data from your PC can be migrated to the personal device, or from the personal device. This is a common source of virus and malware transmission as well as HIPAA breaches and data theft!


Bottom line? Unless every person you hire, use as a Business Associate, allow to intern, shadow, contract, clean, etc. for you is completely honest, follows all the rules, never opens personal email or uses personal devices on your system, never uses open Wi-Fi, and always turns off their computer at least once per week (not logging off, turning off) to allow for patches, people put you at risk.

The Identity Theft Resource Center and CyberScout released a survey in 2017 that showed the leading cause of healthcare data breaches was employee error or negligence.

The second MAJOR RISK(s) would be a combo of time, money and fatigue.

The HIMSS Analytics survey listed competing priorities and budget concerns as the top barriers in adopting a comprehensive security program.

While budget concerns may limit the number of people we have monitoring employee behavior, the ability to afford full time IT support, or even whether or not you have purchased licenses for the newest operating systems, the competing priority and fatigue issues may be worse.

In every organization, your specific priority depends on your role in the organization. A CEO or CIO will have different priorities than a clinical provider who just wants to log on, complete a task and get the job done.

The smaller practice gets impacted by monetary priority fairly significantly as they cannot always afford IT personnel or regular updates to computer programs, they are often the entities using older Operating Systems, and many do not even have a written compliance and E-Security plan, let alone constantly reminding staff about it. If you are working in a small practice, go to your Administrator or Principal MD and say, “Does our practice have E-security threat intelligence, sandboxing or DDoS mitigation in place?” and watch their eyes glaze over.

And fatigue – One major reality of health care is overall fatigue, mental and physical. It is as real as what we call ICU alarm fatigue – too many things beeping and we tune everything out and miss something important.

We have been bombarded with HIPAA training for about 2 decades. When E-Security was added, we were already so exhausted by HIPAA, we barely listened to the new training.

We have passwords and usernames for so many programs we do the unthinkable, that is to use the same passwords where allowed or to write everything down and stick it near our work station or on our phones, etc.

We also, although trying to remember to log out of programs, or even the PC we are using, often do not turn the actual PC off (the necessary patches and updates to prevent malware can take place when the PC is turned back on). The reason most of us conveniently forget to turn off the PC is the delay we experience when turning the PC back on; the patches and updates can take quite a bit of time if the machine hadn’t been turned off recently.

We are also so focused on getting our jobs done that we forget the exact policy or process related to IT security, for example clicking on an attachment in an email you think is from a colleague, or accessing streaming sites for radio, music, YouTube, or worse, accessing your Facebook from your work computer.

And we allow people to plug their personal USB or USB driven devices into their work stations!! Making it easy for malware to get into our system and for ePHI or Demographic data to be transferred to the personal device!!!

The HIMSS Analytics study also listed clinical workflows, employee awareness and in-house expertise as top security program barriers.

As they say – brown stuff happens, and sometimes it hits the fan!

So, if you have limited time, limited money, conflicting priorities, your best bet to protect your organization against malware, viruses or RANSOMWARE, even in the smallest organization, is to have a thorough and effective E-Security program as required by CMS.

Sounds too simple? Think about this…

RANSOMWARE attacks, virus intrusions, malware all violate the major 3 tenets of HIPAA Security:

Confidentiality – EPHI is accessible only by authorized people and processes (obviously if your system is hacked… someone unauthorized may be looking).

Integrity – EPHI is not altered or destroyed in an unauthorized manner (RANSOMWARE threatens to destroy your data, which would include patient records if you don’t pay up, and even if you don’t pay, some data may still be lost depending on how long ago you backed up data).

Availability – EPHI can be accessed as needed by an authorized person (When a virus or RANSOMWARE locks up your system, and no one can access patient records… well you get the drift).


  1. Make sure you are following the regulations put forth by CMS, no matter how small your organization may be, and that you have the required policies, enforce those policies and audit staff performance under those policies. This may not stop RANSOMWARE or other malware but it can indeed mitigate some of the financial, penalty and risk fallout after the event.
  2. Update the policies and procedures and have your people sign off on each of them or the entire manual, minimally yearly, when hired and if found to be doing something incorrect.
  3. Have a plan to work without your electronic medical records. How will you cancel patients, move patients, schedule patients? How will you treat those needing immediate care? How will you record your treatment, and then ensure it gets updated into the full EMR later?
  4. Strictly enforce, and punish, use of personal devices, use of personal email, opening of streaming radio, YouTube, Facebook, and any email download without first putting through a virus check.
  5. Require all staff in small offices, offices where workstations are not shared, etc. to not only log off, but also shut down their PCs and workstations at the end of their work week so IT updates (if you have an active IT provider), operating system patches, and Anti-Virus and Malware program updates can be installed when the computer is turned on again at the beginning of the week.
  6. Make sure that all of your systems, EMR, medical equipment related, billing related, even things like Quickbooks, etc. are updated regularly.






By Betsy Priest, Coding Manager

Did you know?

You can bill for both an E/M with a vaccination code when the visit warrants it.  Guidelines are below:

  • the presenting problem or problems should be minimal
  • five minutes are spent performing or supervising services such as blood pressure checks
  • There needs to be a diagnosis other than the vaccine itself (Z code) – Rash, reason for vaccine, chronic conditions, etc.
  • These services do not need to be performed by an MD or midlevel, they can be performed by a nurse.

Modifier 25 must be appended to the service and submitted without the vaccine diagnosis code. If done by time it is a 5 minute visit.

If the patient is coming in strictly for an immunization, and there is no counseling or work up for any other issue or side effect, only the Immunization code should be submitted.

If you are counseling the patient on the immunization itself there are codes for the administration with counseling (they may reimburse at a higher level than the regular admin codes). The codes are: 90460 and 90461.

If you would like more information about how we can tailor our services to meet your needs, please contact Betsy Priest, Coding Manager at 716.348.3904 or Betsyp@pracfirst.com


By Becky Amann, Compliance Manager


The Centers for Medicare and Medicaid Services (CMS) has recently reminded providers regarding their MLN publication pertaining to HIPAA Basics for Providers: Privacy, Security and Breach Notification Rules.

PF will be utilizing this document as part of our ongoing employee training regarding HIPAA.

This publication is located: https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurity.pdf

For Compliance questions, please contact Becky Amann at 716-348-3902 or beckya@pracfirst.com



By Becky Priest, Coding Manager

Effective February 1, 2017 coders will begin using the following:

  • For new patients, 8 organ systems is STILL a comprehensive exam.
  • Established patients: This will be VERY important on your established level 4’s (Office/ED settings) and subsequent level 3’s (Inpatient/OBS setting).
    • Instead of needing 2-7 body areas/organ systems, you will now need to document 6-7 BODY AREAS/ORGAN SYSTEMS (Expanded documentation of the areas and/or systems examined; requires more than checklists; it needs to have normal/abnormal findings documented upon

  • For an expanded problem focused exam the requirement now is 2-5 BODY AREAS/ORGAN SYSTEMS (Minimal detail for areas and/or systems examined: check list type documentation without any expansion of findings)

To summarize the new exam scoring change and the E&M codes it affects, please refer to the table below:

| Type of Exam | OLD SCORING | NEW SCORING | A MUST for the following E/M levels |
|---|---|---|---|
| | | 2-5 BODY AREAS/ORGAN SYSTEMS | Office Established Patient 99213; Office New Patient 99202 & 99203; ED Patient 99282 & 99283; Hospital subsequent patient 99232 (Inpatient), 99225 (Obs) |
| DETAILED | 2-7 BODY AREAS/ORG SYSTEMS (minimal detail) | 6-7 BODY AREAS/ORGAN SYSTEMS | Office Established Patient 99214; Office New Patient 99203; ED Patient 99284; Hospital subsequent patient 99233 (Inpatient), 99226 (Obs) |
| | | | Office New Patient 99204; ED Patient 99285; New Hospital patient 99222, 99223 (Inpatient), 99219 and 99220 (Obs) |


If you would like more information please feel free to reach out to us.

If you would like more information about how we can tailor our services to meet your needs, please contact Betsy Priest, Coding Manager at 716.348.3904 or Betsyp@pracfirst.com


By Tammy Bartlett, Billing Manager


PF will aggregate your IRS Form 1099’s through February 17th.  These forms (1099-Misc) represent all of the payments made to you during calendar year 2016.  The IRS matches the aggregate of all 1099’s to the appropriate line of your entity’s tax return, to make sure recipients properly report their income.  In addition, any interest paid on claims is separately reportable on IRS Form 1099-Int.  This information is also matched and it is critical to properly report this income on the correct line of your tax return to avoid IRS scrutiny for under reporting income.

By law, insurance carriers are required to mail them by January 31st.  However, our past experience indicates that they do not comply with the due date and therefore they are not all generally received until the third week in February.  At that time, we will send them to you by mail or through our courier service. If you have any questions, please feel free to contact us.


Univera Healthcare will offer Medicaid Managed Care, Child Health Plus and Health and Recovery Plan (HARP) to Erie County residents beginning in the summer of 2017, pending approval by the New York State Department of Health.

Per Univera, you will have an opportunity to provide services for these product lines under your existing Participating Provider Agreement. The reimbursement schedule will be available on the secure portion of their website on or around February 1, 2017 at: UniveraHealthcare.com/Provider

Univera will provide further administrative details and other important information prior to the date when these products will be offered in Erie County. Please direct questions to your Provider Relations representative directly, or call the Provider Relations department at 716-857-4647.

For Billing questions, please contact Tammy Bartlett at 716-348-3923 or tammyb@pracfirst.com



By Tammy Bartlett, Billing Manager



Univera is introducing two new products in January 2017 which will be available to small-group community-rated customers, called Univera Access and Univera Preferred Access. Reimbursements for these products will be in accordance with their Special Programs Fee schedule.


Based on a NYS coverage mandate effective January 1st, Univera Healthcare is expanding the existing health insurance benefit for screening mammography to include diagnostic imaging for the detection of breast cancer.

The expanded services include: diagnostic mammograms, breast ultrasounds, digital breast tomosynthesis and MRI’s in addition to already covered screening mammograms. The mandate applies only to their commercial line of business.


Medicaid Managed Care (MMC) and Child Health Plus (CHP) patients and the impact on individual provider performance will be excluded from the final P4P program. Participating providers were paid incentives at the end of the third quarter of 2016 for current closed HEDIS gaps for MMC and CHP patients regardless of achievement of threshold targets. Incentive payments will be distributed by the end of the first quarter of 2017. This change in program is due to the transition of quality management of Blue Cross’s MMC and CHP members to a shared partnership with Amerigroup.

For Billing questions, please contact Tammy Bartlett at 716-348-3923 or tammyb@pracfir


By Betsy Priest, Coding Manager

As of Oct 1, 2016, updates to the ICD-10 codes were put into effect. Some areas that may be of interest to you are:

  • Code assignment/Clinical criteria – A diagnosis will be added when a provider states that a condition exists. It is no longer dependent on showing the clinical criteria that brings the Physician to that diagnosis.
  • Laterality – The laterality of any injury needs to be documented to assign a code. If one side is treated and no longer is an issue, then the documentation needs to change from bilateral to the side that is now affected (cataracts are a good example).
  • Pathologic Fractures – 7th character A is for when the patient is receiving active treatment – not whether the provider has seen the patient before. 7th character D is for after the patient has completed active treatment.
  • Long Term use of Insulin – This needs to be documented so that it can be coded.

In addition to the above bullets, some diagnoses have been added, now requiring a 4th, 5th and 6th digit. It is important to look at any and all code lists that you use to ensure that they include all of the most up to date codes.

If you would like more information about how we can tailor our services to meet your needs, please contact Betsy Priest, Coding Manager at 716.348.3904 or Betsyp@pracfir


By Tammy Bartlett, Billing Manager



We have received numerous letters from CMS for our clients that indicate PQRS criteria have not been met and payment adjustments will occur, reducing Medicare payments by 2% for 2017 dates of service. The payment adjustments are based on services rendered in 2015. We will forward the letters to the applicable clients as we receive them.

If you received a letter from CMS regarding reduction in payments and believe you have been incorrectly assessed, please review the payment adjustment resources located on the PQRS webpage at:


As mentioned in previous communications with our providers, Practicefirst recommended reporting via a PQRS Qualified Registry. By utilizing a registry, providers become eligible for measures group reporting, thus decreasing the required number of patients to report on.

As a reminder, due to the increasing requirements of PQRS reporting, Practicefirst no longer provides PQRS reporting services to providers at a reasonable cost.


MVP issued FASTFAX #50W on October 20, 2016 to the provider community regarding Preventive Visits and Modifier 25. Preventive visits (codes 99381-99397) are payable on the same date of service as a separately identifiable E&M service (i.e. 99213). The E&M would be submitted with modifier 25. The additional services for the E&M must be documented in the medical record and the claim should include both the preventive visit diagnosis code(s) and the relevant condition diagnosis code(s).

If the preventive code is not billed, the visit will not count for the preventive service quality measures (well child, adolescent and adult measures).

For additional information, please visit MVP’s website at http://www.mvphealthcare.com/provider/provider-resource-manual.html, select Section 15 for Payment Policies and then select the Modifier Policy from their bookmarks.

For Billing questions, please contact Tammy Bartlett at 716-348-3923 or tammyb@pracfirst.com