Practice Risk and Provider Accountability
January 28, 2019
Keeping up-to-date with all the changes in healthcare today can be overwhelming—it literally feels like a full-time job staying ahead of the curve when it comes to compliance with state and federal regulations, and with managed care and commercial payer requirements regarding billing, coding, and documentation content compliance. Providers, administrators, and compliance personnel also need to stay abreast of healthcare evolution, including value-based reimbursement models and recent advancements in technology. Remember, whenever there are new opportunities, there are also associated potential new risks.
Below are just a few of the high-risk categories currently under scrutiny:
Billing and Coding: The revenue cycle is the artery of any practice or organization. It’s also considered to be one of the biggest risk areas. The OIG once said: “If you want to know where your biggest risks lie, follow the money!”
These days it’s not about getting paid, it’s about staying paid. Make sure that the billing and coding staff have access to education and the most up-to-date resources specific to your specialty. Don’t skimp on purchasing this year’s coding books and the tools they need to perform their jobs correctly. There are annual updates and changes to the codes and guidelines.
Keeping abreast of payer requirements for the services you provide is crucial. Payers have the ability to monitor claims data at a macro level, and they constantly look for outliers, patterns, and trends of inappropriate billing practices. SIU units constantly monitor for fraud, waste, abuse, and errors. Be prepared to be audited if you raise a flag. The takeaway here is to implement effective internal controls to proactively monitor your own data so that potential issues can be identified and corrected early. When issues affecting your revenue cycle integrity arise, it’s recommended that you navigate them with an experienced health law attorney.
General Compliance: Staying current with general compliance requirements can save you major headaches down the road. It’s January, and that means it’s time to review and update your compliance program. Having an effective compliance program is an expectation and a condition of participation with Medicare and Medicaid. Having an out-of-the-box manual sitting on the shelf, or acting as a doorstop, does not constitute “having a compliance program.” The key is implementation. Do not let your practice or organization find out the hard way that this method just does not work.
Make sure policies are updated and applicable to your practice. Every practice is unique; practices should avoid cookie-cutter compliance programs. Each program should be customized and developed based on a practice’s size and needs. Never implement a program or policy that you don’t follow. Make sure your annual work plan is updated, and get audits on the schedule early so they don’t fall through the cracks. Prepare and schedule training and education for staff, vendors, and the board if you have one. Follow up on all corrective action plans.
HIPAA: Saying there is recent heightened scrutiny and monitoring of compliance with HIPAA regulations is putting it mildly. This is an area of the practice and organization that should be taken seriously from both the privacy and security side. Make sure policies are current and staff is trained on risks and expectations from a compliance perspective. Enforcement is increasing, and it’s important to make sure Business Associate Agreements (BAAs) are updated and compliant.
Cybersecurity: According to GHA’s cybersecurity expert Karl Kispert, the cyber and information security risks to small and mid-size practices will continue to rise in 2019. This is because the personally identifiable information of patients, which billing and coding professionals have access to, continues to be a valuable commodity on the dark web. Therefore, while you are processing your claims and performing daily operations on an IT network, you must remain vigilant about the requests you get from anyone. As you may know, phishing is the primary way a hacker can infiltrate a network. They may send you an email requesting something sensitive; the request makes sense to you, you click a link that they provided, and suddenly a virus has infected the IT network you are working on. The old saying, “Why do people rob banks? Because that is where the money is,” applies here. Why does the medical community suffer so many security breaches? Because the information is worth something to those on the dark web. So the lesson here is, if you receive an email or an inquiry via a text or phone call asking for something sensitive, ask yourself three times if you can trust the source requesting the information and then proceed.
In conclusion, be proactive! Dealing with these issues reactively, after an incident has occurred, is avoidable. Getting out in front of coding and billing issues, HIPAA and cybersecurity breaches, and overall compliance failures can save a fortune in fines, penalties, and legal fees, not to mention damaging media, professional, and personal embarrassment. One of my favorite quotes, from a favorite provider, is “Make sure we are getting this right, I do not look good in orange.” Unfortunately, he is right, because no matter what happens in the practice, he is ultimately going to be held accountable.
For more information, contact Alicia Shickle, AHFI, CHC, CPCO, CPC, CPMA, CPPM, CRC, Senior Manager, Physician Practice Advisory of GHA, at AShickle@grassihealthcareadvisors.com