How NOT to Get Caught Up in a Compliance Nightmare – Best Practices for Healthcare Organizations
By Denise M. Walsh, CPC, CHSP
Senior Coding and Reimbursement Specialist, Healthcare Division, RS&F
Federal healthcare compliance laws and regulations help protect patients, ensure quality and equitable care, prevent fraud and abuse, and safeguard a patient’s personal health information (PHI) and privacy. There are laws that are designed to ensure organizations follow proper documentation, coding, and billing practices as well as health information and technology laws that protect sensitive and personal information from data breaches or cybersecurity attacks.
Without a robust and up-to-date compliance program in place, healthcare companies leave themselves vulnerable to costly audits when these regulations are not appropriately followed. Ensuring that your organization is prepared for a federal compliance audit will save hours of time and thousands of dollars in fines and lost revenue.
Whether a practice or organization has one compliance officer, an entire compliance team, or works with a healthcare compliance consultant, having clear policies, procedures, and staff training in place can save a company a big headache later in the form of a formal audit. Our compliance specialists often see practices open themselves up to one of two types of compliance audits when violations are suspected – documentation, coding, and billing, and/or HIPAA (Health Insurance Portability and Accountability Act) and patient information violations. At RS&F, we work with clients to determine the level of compliance help needed as well as assess the company’s programmatic establishment through thorough, ongoing assessments.
Documentation, Billing, and Coding Compliance
Conducting a comprehensive survey of a practice’s billing and documentation is the first step in our assessment process. We first look to make sure a practice complies with all Federal, state, and commercial payor regulations as it relates to documentation, coding, and billing practices. This evaluation includes the review of 10 to 20 patient encounters as a representation of the practice’s payments (e.g. the percentage of Medicare patients compared to commercial payors). We then examine all of the documentation to make sure it supports the level of billing in the practice. As of 2021, the AMA came out with new guidelines for providers for documentation and coding. As such, everything is now based on the time of encounter or medical decision-making. This is an important distinction as medical decision-making takes into consideration the complexity of the case and the treatment plan for the patient including the types of tests being ordered, medications, surgeries, etc.
Following this extensive review, our compliance specialists develop an ongoing compliance plan. RS&F’s internal assessment is scored based on how well the practice performs on aspects such as coding and billing. In this baseline, we want providers to score at least 80 percent, which demonstrates a healthy compliance program with room to grow. Ongoing education and reviews are an important part of our process, which establishes a consistent approach to monitoring documentation and coding practices so that in the event of a Medicare or commercial payor audit, the client is prepared to respond to any corrective action plan and to prove that fraud and abuse do not exist. Preparation is of paramount importance for all healthcare compliance programs as is ongoing training to make sure teams are up to speed on the latest in policies and regulations.
Acing the Annual Security Risk Assessment – Protecting Critical Electronic Patient Information
Most practices and healthcare organizations have well-established privacy plans in place to meet the stringent HIPAA compliance regulations. Patients are familiar with the Notice of Privacy Practices they receive at their office visits which outlines how the provider safeguards documentation and medical records.
However, over the past decade or more, with most providers moving to electronic medical records, making sure electronic patient health information is secure from cyberattacks, data breaches, and other security risks is critical to any compliance program.
Our team works with practices to create policies and procedures around technology security, working with staff and IT companies to perform an annual security risk assessment. This review takes an in-depth look at all software applications that can create, store, maintain, and transmit electronic patient information. We advise companies to have an IT vendor in place to help with software security and the annual assessment.
Security Audits – What Healthcare Practices Need to Know
In the past, healthcare organizations and practices would get audited if there was a problem or complaint. Today, the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) spearheads HIPAA security, working with outside vendors to perform random audits of an organization’s compliance program and electronic security procedures.
The Covid pandemic opened up a slew of new concerns over protecting PHI. With more people working remotely, companies must ensure that staff are working in a secure environment and have protections such as firewalls, VPNs, antivirus applications, and other security measures installed on laptops and remote equipment. In fact, unprotected laptops – computers that have outdated security features, that have been lost, or even stolen – have become one of the leading sources of unsecured data and consequent audits. Coupled with the upswing in cybercriminals taking advantage of the vulnerabilities of remote technology, we’re seeing a dangerous increase in cyberattacks and huge fines for unprotected data as a result. For this reason alone, making sure the annual security risk assessment is completed with a trusted IT partner every year is critical.
In a heavily regulated industry like healthcare, the consequences of non-compliance are serious. Not only are providers and organizations slapped with hefty fines and even legal action for non-compliance, but damages to reputation can all take a heavy toll. No organization is above the law when it comes to protecting patient information. By investing in resources that safeguard health information, establish strong policies and procedures, and provide ongoing staff training and education, healthcare practices can be prepared for and respond to compliance audits with confidence and integrity.