Beginning in January 2011, entities covered under the Health Insurance Portability and Accountability Act (HIPAA) should be ready to test with their trading partners the functionality of the entities’ practice management and/or other related software featuring Version 5010 standards. Use of the Version 5010 standards for HIPAA electronic healthcare transactions—including claims, remittance advice, eligibility inquiries, and referral authorizations—will be mandatory on Jan. 1, 2012. The Version 5010 standards also provide the framework needed to use the revised medical data code sets (ICD-10-CM and ICD-10-PCS) that must be implemented on Oct. 1, 2013.

A fact sheet describing the two regulations governing the ICD-10 code set and Version 5010 electronic transaction standards is available on the CMS website.

However, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 administrative simplification rules require a covered entity, such as a physician billing Medicare, to retain required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later. HIPAA requirements preempt State laws if they require shorter periods. Your State may require a longer retention period.

The Centers for Medicare & Medicaid Services (CMS) requires records of providers submitting cost reports to be retained in their original or legally reproduced form for a period of at least 5 years after the closure of the cost report. This requirement applies to hospitals and not physician practices.

CMS requires Medicare managed care program providers to retain records for 10 years.

Privacy must be maintained even after record retention timelines have expired. While the HIPAA Privacy Rule does not include medical record retention requirements, it does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal.

Additional information:

• Providers/suppliers should maintain a medical record for each Medicare beneficiary that is their patient.
• Medical records must be accurately written, promptly completed, accessible, properly filed and retained.
• Using a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries is a good practice.
• The Medicare program does not have requirements for the media formats for medical records. However, the medical record needs to be in its original form or in a legally reproduced form, which may be electronic, so that medical records may be reviewed and audited by authorized entities.
• Providers must have a medical record system that ensures that the record may be accessed and retrieved promptly.

Providers may want to obtain legal advice concerning record retention after CMS-required time periodshave been met.

• New physicians need to be credentialed prior to treating patients. This requirement should be part of the pre-employment checklist. The old days of credentialing a provider after they arrive onsite is over.
• Marketing activity to introduce new physicians to the community and medical staff should be scheduled after the credentialing is completed.  Sometimes this can be tricky, however the referring providers can become disenfranchised when a new provider is not ready to schedule any of their patients.
• One option is to elect to see patients at no charge, both to provide needed care, and to begin establishing their practice.   
• Another option is to  have new physicians spend time in the community meeting potential surgeons and other referral sources.  New physicians can also spend time giving talks and going with colleagues to satellite clinic locations or volunteer clinics.
• New physicians who are not credentialed can treat self-pay patients immediately.  Some practices assign the new physician to the on-call physician to assist with emergencies, which are usually a high volume of uninsured patients.

The CMS system called PECOS (Provider Enrollment, Chain and Ownership System) or PECOS Web is available for enrolling or changing individual or group information. In addition to the retro-billing component for new and re-enrolling physicians, doctors are also required to alert Medicare contractors of a change in practice location within 30 days, via the 855i form.  Failure to do so may result in expulsion from eligibility to see and be paid for Medicare patients for up to two (2) years. This is a new safeguard added by CMS to combat fraud.  

Providers can us the links below to access the PECOS system:

• You must have an active National Provider Identifier (NPI) and have a web user account (User ID/Password) established in NPPES (https://nppes.cms.hhs.gov/NPPES/) .
• If you are a health care provider and do not have an NPI, create a web user account and apply for an NPI at NPPES (https://nppes.cms.hhs.gov/NPPES/) .

1.  The OIG will “review Medicare claims to determine the appropriateness of Medicare Part B payments for transforaminal epidural injections” (page 19).

2.  The OIG also review the extent to which physicians reassign their Medicare benefits to other entities, as well as provider compliance with Medicare assignment rules (pages 17-18). 

3.  The OIG will review industry practices related to E&M billing during the global surgery period to see if industry practices have changed since the global surgery fee concept was developed in 1992 (page 15).  The results of this review will be of interest, as anesthesiologists sometimes bill for E&M services pertaining to post-op pain services during the global surgery period. 

4.   The OIG will review physician claims for proper place-of-service coding (page 15).

Read the complete OIG 2010 Work Plan.

The Rule was promulgated under the Fair and Accurate Credit Transactions Act, in which Congress directed the Commission and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

Read the complete article on the deadline extension for Identity Theft Red Flag Rules 

Read the FULL REPORT

How will this affect you? Well if your group practice has not yet put in place a plan to implement the Red Flag rules, you will be at risk of a  HIPPA violation once the enforcement begins.

Most physicians have a trusted legal advisor who can help establish an APP. The APP should be in place from the very first day the physician begins treating patients. You should also do regular updates to the plan at least annually. The rise in lawsuits on questionable claims and liability for partner’s errors may require revisiting your plan strategy and coverage limits.  

At a minimum any asset protection plan (APP) should have the following components:

• Put your estate plan in order before your first day of practice.  Good estate planners develop a plan that will help navigate your way from where you are today to where you want to be in the future. Protect what you have currently, your equity in your home, your retirement plan, etc.  If you wait until a claim gets made, you are too late.
• Educate yourself on your state’s laws regarding malpractice insurance. This way you know your level of exposure.  Understand your exposure for the acts of others. 
• Take Malpractice 101. This is not a real course but a really good malpractice sales person will be happy to educate you on how malpractice works. A bad sales person will simply try to convince you that he knows best. Run from the bad sales people. Understand every line in your policy. Know your policy details inside and out, be clear about what is covered and where coverage ends.
• Review your personal insurance coverage(s).  Consider all types of potential liability; life, disability, accidental death, lost wages insurance, etc.  It is not uncommon for surgeons to carry coverage specifically for loss of work due to a hand injury.  Professional liability is not the only risk to your assets.   Consider the employee who gets in an automobile accident while driving to the work and kills a carload of engineers.
• Structure your professional corporation in such a way as to make insuring the corporation straight forward and affordable. A knowledgeable attoerney can advise you on the benefits of the specific forms of incorporation. Your attorney can also advise you on the best way to maximum your liability protection. 
• Consult a Certified Public Accountant (CPA) to insure that you are following the letter of the law when it comes to your tax liability. Your CPA will also provide the tax benefits of the different forms of incorporation.

The best way to develop and maintain your asset protection plan is to seek the help of your three trusted advisors; your attorney, your CPA and your practice manager. These people are professionals that have been down this road many times and can be invaluable in developing and maintaining the protection that you need to sleep soundly at night.

The RAC program evolved from the three-year RAC demonstration project stipulated by the Medicare Modernization Act (MMA) of 2003. The Tax Relief and Health Care Act (TRHCA) of 2006 made the RAC program permanent and authorized CMS to expand it to all 50 states by 2010. The permanent RAC program limits the medical record review period to three years and prohibits audits on claims paid before Oct. 1, 2007. The program requires RACs to have a physician medical director and certified coders available to discuss denials with providers.  CMS also announced the number of medical records RACs may request per National Provider Identifier (NPI) for 2009. CMS will likely adjust these limits each year.

Medical Record Limits for 2009 are:

• 10 medical records per 45-day period for solo practitioners; 
• 20 medical records per 45-day period for 2 to 5 provider offices; 
• 30 medical records per 45-day period for groups of 6 to 15 providers; and 
• 50 medical records per 45-day period for groups of 16 or more providers.

Every group should start preparing a plan to deal with these audits. The old saying is “failure to plan, is a plan to fail”.  Groups will need to develop a system for documenting each record request and track the audit of each claim to completion. As with any audit, if your group can’t provide the documentation of the services rendered, it is as if the service was never rendered. I have provided the RAC map of the four audit companies, the states they will audit and the contact numbers for each company. 

• Diversified Collection Services 866-201-0580
• CGI Technologies and Solutions 877-316-7222
• Connolly Consulting, Inc. 866-360-2507
• HealthDataInsights, Inc. 866-376-2319

The Federal Trade Commission (FTC) has delayed the enforcement date of the Red Flags Rule until November 1st. This regulation requires creditors and financial institutions to develop identity theft prevention programs.

Practices should continue to develop their Red Flag Identity Theft Plans to insure that they meet the November 1st deadline.

The AMA has created a Red Flag Sample Policy that group practices can use to formulate their own red flag policy.