By Becky Amann, Compliance Manager


The Centers for Medicare and Medicaid Services (CMS) has recently reminded providers regarding their MLN publication pertaining to HIPAA Basics for Providers: Privacy, Security and Breach Notification Rules.

PF will be utilizing this document as part of our ongoing employee training regarding HIPAA.

This publication is located:

For Compliance questions, please contact Becky Amann at 716-348-3902 or



By Emilie DiChristina for PracticeFirst

Almost everyone has a smartphone now, but even the old style flip phone can be a risk to your practice.

Patient phones can present a HIPAA problem, a customer service nightmare and a medico-legal/malpractice issue. This shouldn’t be a surprise to you, but it may be overlooked because the technology is so ubiquitous. We are used to seeing a cell phone in everyone’s hand; no big deal, right?

It can be a big deal from a medico-legal standpoint as the presence of a cell phone in the examination room can mean:

  • Your interaction, or your staff member’s interaction is being recorded – even if the phone is not out in the open, it may be recording the conversation. This could be a positive in that the patient is hoping to not miss any vital instruction. It could also be a negative in that any interaction the patient is unhappy with can wind up on social media, or in the hands of a lawyer.
  • When a second person is in the exam room with the patient, they may appear to be playing a game on their phone but may instead be video-taping the interaction. Now you have the same issues of the interaction ending up on social media, or in the hands of a lawyer, or being a civil rights/HIPAA violation.
  • Also, whether it is an old style flip phone or smart phone, pictures can be taken of charts, records, dirt in the corner of an exam room, over-flowing sharps containers…you get where this is going.

Staff and provider phones can also present HIPAA, customer service and medico-legal/malpractice issues as well as Human Resource issues.

  • Customer service can be impacted when employees or providers are perceived as being too involved with their phones. You may be looking up a PDR notation, but to the patient, you are not looking at them. When phones are seen on the desks of staff, patients will assume the worst as well.
  • Of course, recording or video-taping can also be an issue with employees. There are many stories of HIPAA violations where employees have taken pictures of a special tattoo or piercing and posted them on social media, for example. Staff can also take a picture of a patient demographic sheet or computer screen, allowing PHI or ID information to leave the practice quite easily.
  • Other examples of HIPAA risk include providers and staff texting any information about a patient without using proper encryption software, losing a phone that has any PHI on it, and…
  • An often forgotten risk – the employee plugging their phone into a computer via USB to recharge. Unless your computers are hardened against intrusion, when the phone is plugged in, it becomes a storage device potentially allowing the download of PHI or ID information such as Social Security #’s, DOB, addresses, etc. directly on to the phone. One requirement of HIPAA/OCR is that you have a plan in place to prevent this because the risk is so significant.
  • For people with access to the financial records of the practice or providers, downloading this data to the phone can be a nice safeguard for potential termination.
  • When phones (and other devices) are plugged into computers used for patient care or practice issues there is also the risk of a virus or malware transferring into the computer and/or network. If insurers and governments can get hacked or be held hostage to data breach, your practice is at risk as well.

And there are HR risks as well. Allowing your staff to have a cell phone readily available to them during hours of operation reduces productivity. Practice costs are high enough; hearing that there is not enough time for your staff to get their work done, when you have seen them with their phone in hand, should trigger an alert.

Human resources professionals often recommend that employee phones not be allowed in personnel meetings, whether it is a positive or negative meeting. You may be aware of the trend for employees to post reviews of former employers, but if they have audio or video to go with their claims, the problem rises to a recruitment nightmare and a possible Labor Board investigation should the recorded meeting be juicy enough.

So what do you do?

  • All phones that are used for texting/emailing PHI need to be owned by the practice, be password protected, be able to be wiped immediately if lost or stolen, and should use proper encryption software. These phones should also not be used for personal purposes by staff.
  • Non-provider staff members should not be allowed to use their personal phones at their work station, nor should they be carrying them on their person (e.g. keep them in a locker or purse). Use should be restricted to break time only, and only in a non-patient care area like a break room. Staff members should also be prohibited from charging their personal devices on a practice computer.
  • Providers using their phones in front of patients should explain why/what they are doing so the patient understands that they are not being ignored.
  • Practices should consider requesting that no cell phones be used in examination rooms, even by an accompanying visitor. To make this more palatable, it should be explained that the medical experience is improved when all parties are paying attention to the patient.
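One way to turn the "no charging personal devices on a practice computer" rule into an enforced control on a Windows workstation, as an added example that is not part of the original article: the script below audits for attached portable devices and then sets the Group Policy registry value behind "All Removable Storage classes: Deny all access", so a phone plugged in to charge cannot be mounted as a drive or MTP device. The key path and value name are the documented policy location; the function names are my own, and an elevated (Administrator) prompt is assumed.

```powershell
# Added example (not from the PracticeFirst article): deny removable-storage
# access on a practice workstation so a phone plugged in "just to charge"
# cannot be used to copy PHI or ID information off the PC.
# Assumes Windows with the PnpDevice module and an elevated prompt.
# $PolicyKey is the documented Group Policy store for
# "All Removable Storage classes: Deny all access"; function names are mine.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Test-RemovableStorageDenied {
    # Returns $true only when the Deny_All policy value exists and equals 1.
    $prop = Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.Deny_All -eq 1)
}

function Enable-RemovableStorageDeny {
    # Creates the policy key if it is missing and sets Deny_All = 1 (REG_DWORD).
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-AttachedPortableDevices {
    # Lists connected portable devices. Phones usually enumerate as WPD (MTP/PTP)
    # devices rather than classic USB mass storage, which is why a policy that
    # covers every removable storage class is used instead of disabling USBSTOR alone.
    Get-PnpDevice -Class WPD -Status OK -ErrorAction SilentlyContinue |
        Select-Object FriendlyName, InstanceId
}

# --- audit first, then enforce ---
$attached = Get-AttachedPortableDevices
if ($attached) {
    Write-Warning "Portable devices currently attached: $(($attached.FriendlyName) -join ', ')"
}

if (Test-RemovableStorageDenied) {
    Write-Output 'Removable storage access is already denied by policy.'
} else {
    Enable-RemovableStorageDeny
    Write-Output 'Deny_All set. Reboot the workstation so the policy is enforced for every storage class.'
}
```

In a domain, the same setting is better deployed centrally through Group Policy (Computer Configuration > Administrative Templates > System > Removable Storage Access) rather than per machine; the script is useful for verifying that the policy actually landed on a given workstation.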



As part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates.

The audit process begins with verification of an entity’s address and contact information. This is handled through an e-mail sent to covered entities (CE) and business associates (BA) requesting that their contact information be provided to OCR in a timely manner. Once verification has been received, a pre-audit questionnaire will be transmitted to gather data from the CE. OCR will ask that the covered entity identify their business associates. They are encouraging covered entities to prepare a list of each business associate with their contact information, so they are able to respond to this request. The data that is gathered will be used along with other information to create a potential audit subject pool.

If a CE or BA does not respond to OCR’s request for verification or their pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool. Therefore, if no response is received, the entity may still be selected for an audit or be subjected to a compliance review.

Please check your junk or spam e-mail for any e-mails from OCR. As your business associate, please notify Becky Amann at Practicefirst, should you receive any e-mails from the OCR regarding a Phase 2 audit. This will allow us to watch for any e-mails from OCR as well.

Additional information regarding Phase 2 of the HIPAA Audit Program is available at:

For Compliance questions, please contact Becky Amann at 716-348-3902 or


By Emilie J DiChristina, MBA for Practicefirst

With the HIPAA Privacy Rule Compliance date of 2003, the Security Rule transfer to the OCR for compliance in 2009, and subsequent increased requirements and focus such as those involving Business Associates and Breach Policies, enforcement and audit activities have INCREASED.

First, consider the activities SPECIFIC TO COMPLAINTS ALONE.

As of May 2014, in HHS’s own statements regarding investigations, they summarized as follows:

“…since the compliance date in April 2003, HHS has received over 97,072 HIPAA complaints. We have resolved ninety-five percent of complaints received (over 91,768): through investigation and enforcement (over 22,613); through investigation and finding no violation (10,182); and through closure of cases that were not eligible for enforcement (58,973)”.

HHS has also been helpful by providing guidance as to what their investigations into the PRIVACY RULE found specifically as follows:

“From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency”:

  1.  Impermissible uses and disclosures of protected health information;
  2.  Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Uses or disclosures of more than the minimum necessary protected health information; and
  5. Lack of administrative safeguards of electronic protected health information.

“The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency”:

  1. Private Practices;
  2. General Hospitals;
  3. Outpatient Facilities;
  4. Health Plans (group health plans and health insurance issuers); and,
  5. Pharmacies.

As far as Security Rule investigations and findings, HHS states: “…since OCR began reporting its Security Rule enforcement results in October 2009, HHS has received approximately 880 complaints alleging a violation of the Security Rule. During this period, we closed 644 complaints after investigation and appropriate corrective action. As of May 31, 2014, OCR had 301 open complaints and compliance reviews”.

It may be easy to look at the number of complaints reported above that were found to be valid as of no concern to you or your practice: about 23,000 negative findings throughout the US, involving all types of healthcare providers, would seem to present very low odds of you or your practice ever being involved in a complaint investigation….BUT WAIT!


By some calculations, random audits of the Privacy and Security Rules as required under HITECH have increased almost 140% since OCR/HHS’s initial pilot program in 2011.

You need to know that the results of the first random audits under the pilot program have been published, and they show that 65% of the negative findings against covered entities resulted from incomplete implementation of the Security Rule.

More importantly, 80% of the negative findings were against health care providers, rather than health insurance plans or clearinghouses, etc.

Are you prepared to survive an audit by HHS/OCR or even the NY State Attorney General (who have also gained the right to audit for compliance)?

Taken directly from the HHS website, the following represents the audit protocol currently being followed and under which the State Attorneys General have been trained:

“The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

  • The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • The protocol covers Security Rule requirements for administrative, physical, and technical safeguards
  • The protocol covers requirements for the Breach Notification Rule.”

Whether your practice comes under scrutiny from investigation of Privacy or Security Rule complaints, whistleblowing or just a random audit, understand that no one is safe (HHS has even found compliance issues with state agencies throughout the country) and that a lot of money may be on the line.

In fact, settlement payments have ranged from $750,000 to over $2M, and civil monetary penalties have reached in excess of $4M.

It goes without saying that, for auditors and investigators, success means finding problems, and nothing drives future auditing like finding that there are still entities out there NOT doing things the way the rules require.

Is it time to shore up your processe


By Becky Amann, Compliance Manager


Aetna has recently issued a communication requiring all participating providers to register for EFT or be automatically enrolled in Virtual Credit Card (VCC) payments. VCC payments should be avoided, as they require a separate transaction by the provider to initiate the credit card transaction, in addition to the cost that the provider will incur to process that transaction through the credit card merchant. Based on the communication we have received from Aetna, VCC payments will begin on August 1, 2014 for all providers, if EFT’s are not in place.

Practicefirst values our partnership with you and is willing to initiate EFT registration for you at a reduced fee based on Aetna’s requirement. The nominal fee will help cover a portion of our costs. If you would like us to provide you with this service, please contact Becky Amann at 716-348-3902 or

Note: If our Practice Management Agreement with you indicates that this type of registration/enrollment is included in the contract as PF’s responsibility, we will submit the registration on your behalf, if you are not currently enrolled in EFT’s for Aetna.

Please notify Practicefirst prior to enrolling in EFT and/or VCC for any payor.


The HIPAA privacy and security rules require all Covered Entities (Providers) to obtain satisfactory assurances from their Business Associates (e.g. Practicefirst) to appropriately safeguard PHI. This is accomplished by a Business Associate Agreement (BAA). As a courtesy to our clients who did not have a working BAA with its vendors, we provided you with a BAA when we began servicing your account. It is the responsibility of Providers to ensure the BAA remains current. Based on the latest revisions and modifications to the privacy and security rules, it may be necessary to update the BAA. If you would like PF to review the BAA that we provided to you or you provided us for signature, to determine if any modifications are necessary, we can provide that service to you for a nominal fee. If you are interested in that service, please contact Becky Amann at the phone number / e-mail address below.

The BAA can be used as a template for any of your Business Associates where an agreement is required (e.g. record/data storage and disposal companies).

For Compliance questions, please contact Becky Amann at 716-348-3902 or



By Emilie J DiChristina, MBA for PracticeFirst

It is time to get serious about Compliance! Yes I mean you ~ don’t roll your eyes and move on!

The Department of Health and Human Services (HHS) Office of Inspector General (OIG) and other regulatory bodies have made it clear that a compliance program must be demonstrated as being fully effective. A weak program would likely be viewed as a “sham” program and that is worse than no program at all. Thus, the OIG has noted that effective compliance programs should incorporate independent reviews of the compliance program.

I can feel your eyes rolling again…but this is important, and small practices are not exempt!

Let’s start with the real reasons YOUR PRACTICE needs to sit up and take notice:

The ACA (Obamacare) is an expensive program. Whether you agree with it or not, you HAVE to agree that the money has to come from somewhere, and going after lack of compliance with Fraud & Abuse prevention and HIPAA/HITECH makes perfect sense for the government because:

a.    The various federal and local OIGs feel that if you are not compliant with the laws and updates by now…you actually are asking for an audit (and they are happy to comply)!
b.    The government has had success with RAC audits (Billions $$$$) and OCR findings for HIPAA violations are also raking in the bucks!
c.    Electronic health records are fraught with the opportunity to “cut & paste”, “upcode” and violate HIPAA through staff error!
d.    They (the various OIG offices) know your practices have let “fraud & abuse” compliance slide, and may be giving lip service to the recent HIPAA changes because there is so much else on your plates and most small practices do not have Practice Administrators.

So let’s get down to what your practice needs to do – sooner rather than later – to have an “effective” program in place.

1.  First, be sure that you have a designated compliance officer, a designated privacy officer and a designated security officer.

THE GOOD NEWS? In small practices this can be one person designated as compliance officer but with a job description which notes responsibility for privacy and security as well. This person needs to have authority to act, but will also report to the CEO or principal provider of the practice, and if the practice is a large one, will report to/lead the compliance committee.

2. Second, concentrate on training and education. The OIG considers “the proper and periodic education and training of all managers, physicians and facility personnel” to be a major component of an “effective” program.

Ideally, this will be performed in person, at least yearly, by your compliance officer, and will then be available in multiple other formats to ensure absorption by the employee (many of whom learn in different ways).

The education should be tailored to the type of employee as well. Obviously, cleaners, couriers, etc. need a different level of training than do providers, clinical staff and billing staff.

All training must minimally include your practice’s “rule of conduct”, an explanation of CMS and OCR requirements for the prevention of fraud and abuse, and the maintenance of Privacy and Security as well as the duty to report misconduct and potential breaches.

3. Policies, forms, audits and more ~ Oh My!

Without written policies, how will your employees be judged, how will they receive guidance in a sticky situation, and what will you show to the OIG when they arrive?

Without forms (largely to be used with Privacy, but also with assignment of access levels in EMR/PM systems, and of course when there is a coding question), how will you have the requisite paper trail that defines “effectiveness”?

Audits, not just for the RAC! If your compliance officer, or an outside contractor performs regular audits on E&M, procedures, security access, and even your money flow – you can be both “effective” in the eyes of the OIG and potentially identify revenue drain, embezzlement risk and opportunities for improvement.

You know the old adage…”You can’t fix it if you don’t know it’s broken!”

4. Next, ensure that communication is foremost in all employees’ minds, that they can regularly access your compliance officer with questions, and that the compliance officer regularly works with and communicates with all employees.

As part of the “effectiveness” component of any plan scrutinized by the OIG, there needs to be a clear understanding by all employees that there will be no retaliation for bringing problems to the attention of the practice, and when requested, confidentiality of the person advising of a problem will be maintained.

5. Fifth, record maintenance. When it comes to billing, everyone knows they need to keep encounter sheets (super bills) with the billing materials in case of audit or question. When it comes to medical records, everyone knows they must keep records for a designated number of years.

But does your practice have a plan for keeping the records associated with problems brought to your attention by employees or others AND the investigation, findings, actions and correction or mitigation that was needed?

Do you have a breach investigation process? Do you have a process for notifying the OCR Secretary if you have a breach?

If you answer NO, you may have a problem meeting the “effectiveness” requirements of an audit.

6. Finally, there is employee management. This means that you use the compliance, privacy and security plans and policies as a measure when evaluating employee performance, and to guide your disciplinary process.

The OIG “effectiveness” measure includes your willingness to set policies and rules for the discipline of employees who violate the policies, for the evaluation of an employee based on their compliance, and for reporting to licensing and certification boards, or the police for major violations by employees.

So, in the final analysis…

  • Do you think your practice or organization has an “effective plan”?
  • Do you know what to do if your billing company notifies you of a suspected breach?
  • Do you know how to investigate a suspected breach?
  • Do you know if your practice is at risk under the “cloning” or “cut and paste” EMR audits currently being undertaken by government and private insurers?
  • Does your practice really have the depth to handle this on your own, or is this falling to you as the provider who has soooo many other things on your plate?

WARNING – Pre-paid compliance and HIPAA policy books and tool-kits abound, but without everything noted in this article, they may just give you a false sense of security about “effectiveness” so I urge you to take the time to really consider where your organization stands on the effectiveness of all policies, procedures and underpinnings of your practice. After all, you just want to provide health care – make sure you can without loss and reputational harm – make sure you are effective!

Emilie DiChristina may be reached at 716.474.2429 or for more in


By Becky Amann, Compliance Manager

2014 OIG WORK PLAN – Released January 31, 2014

New OIG investigations in 2014:

  • Anesthesia Services: The OIG will review Medicare Part B claims for personally performed anesthesia services to determine whether they were supported in accordance with Medicare requirements. They will also determine whether Medicare payments for anesthesiologist services reported on a claim with the “AA” modifier met Medicare requirements. Reporting an incorrect modifier on the claim, as if services were personally performed, when they were not, will result in Medicare paying a higher amount. 

Continuing OIG investigations in 2014:

  • Nursing Home stays: The OIG will identify questionable billing patterns associated with Medicare providers for Part B services provided to nursing home residents during stays not paid under Part A (for example, stays during which benefits are exhausted or the 3-day prior-inpatient-stay requirement is not met). Congress explicitly directed OIG to monitor Part B billing abuse for non-Part A stays.
  • Ophthalmological Services: The OIG will review Medicare claims data to identify inappropriate payments and/or questionable billing for ophthalmological services during 2012. They will also determine the geographic locations of providers exhibiting questionable billing.
  • Payments for outpatient drugs and administration of drugs: The OIG will review Medicare outpatient payments to providers for certain drugs (e.g. chemotherapy drugs). Review of billed units will determine if overpayments have occurred due to incorrect coding or overbilling of units.
  • Payments for Incarcerated Beneficiaries: The OIG will review Medicare payments for incarcerated beneficiaries to determine whether the payments were made for beneficiaries who did not meet the criteria for exception identified in Medicare regulations.
  • Place of Service Coding Errors: The OIG will continue to review physicians’ coding on Medicare Part B claims for services performed in ambulatory surgical centers and hospital outpatient departments to determine proper coding of the place of service. There is concern that physicians are reporting the place of service as non-facility (office), when in fact services were rendered at a facility which would generate a lower payment. Report is expected in 2014.
  • E/M services – Inappropriate Payments: OIG will determine the extent to which selected payments for E&M services were inappropriate. They will also review multiple E&M services associated with the same providers and beneficiaries to determine vulnerabilities in documentation. Medicare contractors have noted an increased frequency of medical records with identical documentation across services.

All practices and facilities should read the OIG Work Plan in its entirety, and take steps to identify and rectify any potential issues they may have, before the OIG does. The full 2014 Work Plan can be accessed at:


Occasionally, PF has encountered inadvertent breaches of unsecured PHI from our clients, via e-mail. In the past, our Compliance Dept. would have provided further guidance to our client regarding the breach.

The HIPAA Breach Notification Rule requires HIPAA covered entities (providers) to perform a risk assessment to establish any probability that PHI has been compromised.

Moving forward, when a PF employee identifies a breach of PHI from our client, the employee will notify the client of this occurrence, and we would expect that the client will follow the necessary steps regarding the breach. Our Compliance Dept. will not become involved, as it is ultimately the provider’s responsibility to monitor potential breaches, including training of your staff.

For Compliance questions, please contact Becky Amann at 716-348-3902 or


By Emilie DiChristina, MBA for PracticeFirst

Notice of Privacy Practices

As covered entities, provider practices must have an updated Notice of Privacy Practice posted in their facilities, and must be offering and receiving signatures for any new patient (new after 9/23/2103) on their receipt of the new NPP.

Not only are you, as covered entities, required to post and give the new version of the NPP, the notice must be provided in a clear, user-friendly fashion. As healthcare providers, we become used to acronyms and “special” language, but many of our patients and their families are only able to read and comprehend at somewhere between a 3rd and 7th grade reading level.

Further, if your practice has a significant number of patients who have a primary language other than English, you must also provide the NPP in that language or those languages as well.

You also have to be sure that your updated Notice of Privacy Practices is on your website, posted in your waiting areas and available for distribution.

The Notice of Privacy Practices must also list all regulatory changes and your wording must provide that information to the patient.

Obviously, the NPP must still provide information to the patient on how you will use and disclose the patient information as well as the responsibility you have to protect the information gathered and used.

Uses and Responsibilities of the Practice: We have the right and approval to use information to:

  • Run our business
  • Treat you and bill for your treatment
  • Do research
  • Make designated public safety, emergency and legal disclosures
  • Respond to organ and tissue donation requests when required
  • Respond to the request of a medical examiner or funeral director
  • Respond to workers’ compensation, law enforcement, and other government requests when required
  • Respond to lawsuits and legal actions when required

Practice Responsibilities

  • Our practice is required by law to maintain the privacy and security of your protected health information.
  • Our practice will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.
  • Our practice must follow the duties and privacy practices described in this notice and give you a copy of the notice.
  • Our practice will not use or share your information other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time by notifying us in writing.

The most significant changes are in the Patient Rights and Patient Choices.

Patient Rights (You have the right to…):

  • Get a copy of your medical record whether it is in paper or electronic format
  • Correct your paper or electronic medical record
  • Request confidential communication (in other words, request that notices, bills, or PHI be sent to an address other than that listed in the medical record)
  • Request limits on the information we share
  • Get a list of those with whom we’ve shared your information (a disclosure record)
  • Receive a copy of this privacy notice (and any updates or revisions to it)
  • Designate someone to act for you in regard to your records
  • File a complaint if you believe your privacy rights have been violated

Patient Choices:

Patients have choices in the way that information is shared and used, including whether we may:

  • Tell family and friends about your condition
  • Provide disaster relief
  • Include you in a hospital directory
  • Provide mental health care
  • Market our services and sell your information
  • Raise funds