Uncategorized

Imagine your organization potentially discloses electronic protected health information (ePHI) of thousands of individuals.

Do you have safeguards in place to reduce or prevent the risk of compromise to patients’ health information?   

The Office for Civil Rights (OCR) announced St. Joseph Health agreed to settlement in the amount of $2,140,500 and adopt a comprehensive corrective action plan to settle potential violations of HIPAA Privacy and Security Rules:

• St. Joseph Health reported that files containing ePHI were publicly accessible through internet search engines from 2011 until 2012.
• From February 1, 2011 to February 13, 2012 PHI of 31,800 individuals was potentially disclosed.
• Evidence indicated that St. Joseph Health failed to conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security of ePHI.
• Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.

As part of their corrective action plan St. Joseph Health is required to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures.

Imagine your practice filed a breach report with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR – a few years ago – regarding the loss of a smartphone that contained unsecured electronic protected health information (ePHI) for several individuals. As part of the process, you provided notification and included mitigation steps your practice will do to correct the breach and future incidents.

Over the span of a couple of years your practice implemented some changes you think will sufficiently safeguard your devices.  

Now, imagine you have the theft of a laptop from your facility. The laptop is contains access to and storage of ePHI for several individuals. Your investigation reveals the laptop is not encrypted and is missing an equivalent alternative measure on your devices containing ePHI.

How might OCR respond to a separate breach report regarding an unsecured device?

OCR Announcement

OCR recently announced a civil monetary penalty against Children’s Medical Center of Dallas based on its impermissible disclosure of unsecured ePHI and non-compliance over many years with multiple standards of the HIPAA Security Rule.  As a result, Children’s Medical Center of Dallas paid a full civil monetary penalty of $3.2 million.

According to OCR’s investigation, Children’s Medical Center of Dallas:

• Was in noncompliance with HIPAA Rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so.
• Failed to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until after the second breach occurred.

What does this tell us?

OCR takes non-compliance with HIPAA Rules very seriously. Your practice must ensure you must comply with HIPAA Rules and ensure you have reasonable and adequate safeguards in place on any devices that may access, create, modify or store ePHI. If you are using an unsecure device for any of these purposes, you should work with your compliance officer to make sure HIPAA requirements are addressed.  

In the healthcare industry, providers, professionals and organizations are allowed some flexibility – standards may be required while others may be addressable.  While there technically is not a specific statute or regulation that required you to check the U.S. Department of Health and Human Services (HHS) Office of the Inspector General’s (OIGs) List of Excluded Individuals and Entities (LEIE), recent enforcement actions by the OIG demonstrate you should be.   

In this first part of our two part series, we will provide a brief overview of the LEIE and discuss the importance of exclusion list checks.

Who should be checked against the LEIE?  How often should exclusion list screening be performed?  Are there potential penalties for not checking the OIG exclusion list?  

Exclusion List 101 – an Overview  

In a nutshell, the OIG’s LEIE (Exclusion List)  is where individuals and entities currently excluded from participation in Medicare, Medicaid and all other Federal healthcare programs, can be found. According to the OIG, exclusions are imposed for a number of reasons:

• Mandatory exclusions – conviction of Medicare or Medicaid fraud; patient abuse or neglect; felony convictions for other health care-related fraud, theft, or other financial misconduct; and felony convictions relating to unlawful manufacture, distribution, prescription, or dispensing of controlled substances; among others.

• Permissive exclusions – OIG has discretion to exclude individuals and entities on a number of grounds:  misdemeanor convictions related to health care fraud; misdemeanor convictions relating to the unlawful manufacture, distribution, prescription, or dispensing of controlled substances; submission of false or fraudulent claims to a Federal health care program; among others.

The exclusion list is updated on a monthly basis, and if an individual or entity has been reinstated, they are removed from the list.  Further, the OIG is authorized to impose exclusions under the authority of sections 1128 and 1156 of the Social Security Act.  

The LEIE can be accessed in a couple of ways:

• First, the OIG provides an  Online Searchable Database where you can enter the name of an individual or entity and determine whether they are currently excluded.  If there is a match, the database allows for verification with other identifiers including an

individual’s Social Security Number (SSN), Employer Identification Numbers (EIN), Date of Birth (DOB), and others.

• Second, the OIG provides a Downloadable Database where you can download the entire LEIE.  The Downloadable Database does not include SSN’s or EINs; therefore, if you choose to verify an individual using these identifiers is must be accomplished using the Online Searchable Database.

Recently, OIG released an important notice regarding the Downloadable Database.  According to the notice, OIG is transitioning toward offering data in a new file format.   The current downloadable files are offered in DBF format and contained within self-extracting/compressed files (EXE and ZIP).  OIG will now offer raw data in comma-separated value (CSV) format, which is contained in both TXT and CSV file types. The DBF, EXE, and ZIP files will be eliminated .  This means that in order to effectively check the list on your own you should attempt downloading the CSV-formatted file type of your preference and testing it in your software environment.  

Both the Online Searchable Database and the Downloadable Database are updated on a monthly basis.  Additionally, these lists are being heavily enforced by a task force that is responsible for checking for excluded individuals (more on this later).

Who Should be Checked Against the LEIE?

Your organization is responsible for not employing or contracting with excluded individuals or entities, whether in a physician practice, a clinic, or in any capacity or setting in which Federal healthcare programs may reimburse for the items or services furnished by those employees or contractors.  If you participate in Medicare, Medicaid or any other Federal health care programs all employees/vendors/subcontractors are required to be checked against the exclusion list.

How Often Should Exclusion List Screening be Performed?  

You should be checking all employees, vendors and subcontractors against the exclusion list prior to hiring or contracting and then re–check monthly thereafter.    In a Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs, the following emphasizes how often exclusion list screening should be performed:

To avoid potential CMP liability, providers should check the LEIE prior to  employing or contracting with persons and periodically check the LEIE to determine the exclusion status of current employees and contractors.

Inspector General Daniel Levinson of the HHS has emphasized the need for monthly checks.  He has stated that it is his recommendation and best practice to search the OIG exclusion list monthly because the records are updated monthly.

Are There Potential Penalties for not Checking the OIG Exclusion List?   

It’s not a question of if, but when: if you employ or contract with excluded individuals or entities you will be subject to fines and penalties.  Remember the task force responsible for checking excluded individuals mentioned above? The OIG has increased focus on checking for excluded individuals, and make no mistake, if the task force finds that you have employed or contracted with excluded individuals or entities, you could face fines and penalties (42 CFR 1001.1901).  

According to the OIG, an excluded person violates the exclusion if the person furnishes to Federal health care program beneficiaries items or services for which Federal health care program payment is sought. In other words, an excluded person who submits a payment to a Federal health care program, or causes such a claim to be submitted, may be subject to a civil monetary penalty (CMP) of $10,000 for each claimed item or service furnished during the period that the person was excluded.  In addition, you may be subject to an assessment of up to three times the amount claimed for each item or service, and denial of reinstatement by OIG to Federal health care programs because of an exclusion violation (section 1128A(a)(1)(D) of the Act).

Examples of Enforcements  

Below are just two examples of several enforcement actions:  

Maryland Cardiology Associates, P.C. (MCA), Maryland, agreed to pay $134,506.47 for allegedly violating the Civil Monetary Penalties Law. OIG alleged that MCA employed an individual that it knew or should have known was excluded from participation in Federal health care programs.

Trinity Mission & Rehab of Farmville, LLC (Trinity Mission), Virginia, agreed to pay $399,573.85 for allegedly violating the Civil Monetary Penalties Law. OIG alleged that Trinity Mission employed an individual that it knew or should have known was excluded from participation in Federal health care programs.

Many administrators have asked us about electronic communications, more specifically about third party email providers such as Gmail, Yahoo! Mail, Hotmail, and others. This is part one of a two part article series.

Recently a practice manager asked us:  What does HIPAA say with about practices that use services like Gmail, Yahoo Mail, and Hotmail as their email provider with regard to PHI being transferred via email? Even if the client gives authorized consent or if it is for TPO purposes, what about PHI that could potentially be sitting on Gmail’s servers indefinitely? What is required if an email is sent to the wrong recipient?

Encrypted and Unencrypted Electronic Communications

The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail with their patients, provided they apply reasonable safeguards when doing so.

Encrypted email is considered safe and provides adequate protection of health information being sent and received electronically. Encrypted email has several benefits such as hiding the content from an eavesdropper, the use of a digital signature mechanism and the use of a secret private key to decrypt messages.  Encryption is preferred when communicating electronically.

Encrypted email is a safe option, but not the only option. Law permits physicians to send PHI through unsecure email. In other words, there is not a law prohibiting the use of unsecure electronic communication.

According to the HIPAA Omnibus Final Rule, covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.  If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.

Third Party Email Providers

If a patient requests for you to send them information to their Gmail, Yahoo! Mail, Hotmail or other third part email account, it is important to inform them there is a potential risk their information could be accessed or viewed by unintended eyes. Let them know it is potentially unsafe. As long as they are notified, it is considered to be HIPAA compliant.  

Third party providers like Microsoft (e.g. Office 365) and Google (e.g. Gmail) offer HIPAA compliance solutions ranging from encrypted messages to signing a Business Associate Agreement (BAA) if you intend on using services, such as apps, in connection with protected health information. These business associates are required to sign an agreement that states they will protect a patient’s confidential information.

The three apps Google’s BAA agreement covers are Gmail, Calendar and Drive, in addition to Google Apps Vault, the service responsible for archiving user data from the three apps.  

An administrator can electronically sign a BAA once they answer three questions from the Google APPs website:

• Are you a Covered Entity, or Business Associate of a Covered Entity, under HIPAA?
• Will you be using Google Apps in connection with PHI?
• Are you authorized to request and agree to a Business Associate Agreement with Google for your Google Apps domain?

It is important to note the BAA does not cover Google+ and other Google services, or third party Marketplace Apps.

Microsoft Office 365 is a cloud based solution for email, instant messaging, calendaring, and data storage. Microsoft will sign a BAA with a covered entity that used Microsoft Office 365.

Once the agreement is reviewed and the terms are accepted, you can get a signed copy of the Office 365 and CRM Online HIPAA/HITECH Act BAA.

Google Apps (Gmail, Calendar and Drive) and Microsoft Office 365 are two reasonable and affordable HIPAA compliant third party email providers. Customers using the services are responsible for determining if they are subject to HIPAA requirements, and if they intend to use the services in connection with PHI.  

Electronic Communication Disclaimer

HIPAA requires for reasonable steps to be taken to protect against risks of electronic communication such as an email or fax being sent to the wrong person, or being captured electronically in route.  It is essential to include a disclaimer notifying the recipient of the insecurity of email or facsimile, and providing a contact the recipient can report a misdirected message to.

Below is an Example of an Email Disclaimer:

The information contained in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.

In conclusion, encrypted email is safe and provides adequate protection of health information. Encryption is the preferred and recommended option.  Covered entities are allowed to send individuals unencrypted email as long as the individual is aware of the risks and they still prefer unencrypted email.  There are affordable and reasonable HIPAA compliant options including Microsoft Office 365 and Google Apps. HIPAA does require reasonable steps to be taken to protect against risks involved with electronic communication. A disclaimer (e.g. email disclaimer) is essential, especially when transmitting health information.

Part two of the article series will address what to do if electronic communications were sent to the wrong recipient, including how to determine whether or not protected health information (PHI) has been compromised, requiring breach notification. Part two will be published next week.   

Some stories about Ebola say the risks are real, while others say we shouldn’t fear. The Centers for Disease Control and Prevention (CDC) released new guidance for U.S. healthcare workers on personal protective equipment for Ebola. Would that suggest the risks of Ebola are very real?

The CDC is tightening previous infection control guidance for healthcare workers caring for patients with Ebola. The guidance focuses on specific personal protective equipment health care workers should use including step by step instructions how to put the equipment on and take it off safely.  According to the CDC, workers who have followed the enhanced guidance have not contracted the illness.

The enhanced guidance from the CDC is centered on three principles:

• All healthcare workers undergo rigorous training and are practiced and competent with PPE, including taking it on and off in a systematic manner.
• No skin exposure when PPE is worn.
• All workers are supervised by a trained monitor who watches each worker taking PPE on and off.

In anticipation of this tightened guidance, we sat down with Timothy J. Sullivan, MD, a physician with several years’ experience in tropical medicine. We asked him some questions about Ebola and guidance from the CDC.  In addition, we had a discussion about the upcoming influenza season, as many of the signs and symptoms of influenza and Ebola may be similar.

There have been conflicting reports in the media. Some say the fear of Ebola outweighs the risks. Other reports say the risks of Ebola are very real.  In your professional opinion, should healthcare workers be concerned?

So far, Ebola has cost millions and millions of dollars.  Healthcare workers ought to be aware of Ebola including the signs and symptoms. It is not unreasonable to require a patient who is coughing or sneezing to put a mask on. In addition, if a patient has a fever or gastrointestinal issues, it is important to take caution. For adequate protection, healthcare workers should wear masks that can protect against droplets, such as a N100 mask.

With concerns about Ebola and with influenza season just around the corner, if a patient or visitor to your practice is coughing or sneezing while waiting to see the physician, what measures should be taken to ensure the safety of other patients?

The likelihood of the patient having Ebola is small.  However, if someone is coughing they should be required to have a mask on. This should be a high priority.

Are there specific questions that should be asked to a patient to determine if they may have been exposed to Ebola?

It is not unreasonable to ask these patients if they have traveled to West Africa or if they were potentially exposed to someone with Ebola. If a patient is showing signs and symptoms of Ebola or if the patient states they have been exposed to someone with Ebola, you are obligated to make a phone call to the local health department.  

Do you have any additional recommendations for healthcare workers?

The CDC is publishing updated guidelines for healthcare workers. Whoever is taking care of someone with Ebola should have their skin covered. Because Ebola may be spread by respiratory secretions, it is important to have a mask on a patient who is coughing or sneezing. We ought to protect against the droplets. Speaking of droplets, it is important for healthcare workers to be aware that a surgical mask doesn’t protect against droplets. The big gap is not using a mask that can protect against droplets, such as a N100 mask.

Currently, are there any other illnesses that healthcare workers should be concerned about?

Influenza is at the top of the list.  Each year over 30 million people are infected with influenza. If a patient has not received a flu shot, they should be encouraged to do so. However, those with a severe allergy to chicken eggs, anyone who has had a severe allergic reaction to the influenza vaccine in the past, and children younger than six months should not be immunized.

According to Vicki Lyons, MD and Timothy J. Sullivan, MD in a publication titled Ignoring the Flu Can Be Deadly, “Flu season is from late November through March. Each year 35 to 50 million people are infected with influenza. Annual deaths from influenza in the United States have ranged from as few as 3,000 to as high as 49,000.”

Some of the suggestions Dr. Lyons and Dr. Sullivan recommend for preventing the spread of germs that cause respiratory illnesses like the flu include:

• Cover your nose and mouth with a tissue when you cough or sneeze, and then discard the tissue in the trash.
• Wash your hands often with soap and water. If soap and water are not available, use an alcohol-based hand rub.
• Avoid touching your eyes, nose or mouth. Germs spread this way.

OSHA Guidance for Healthcare Workers and Healthcare Employers

OSHA has a publication titled “Pandemic Influenza Preparedness and Response Guidance for Healthcare Workers and Healthcare Employers.”  One of the sections in the publication is titled “Respiratory Hygiene / Cough Etiquette.” OSHA recommends:

• Posting signs requesting that patients and family members immediately report symptoms of respiratory illness on arrival to the facility and use cough etiquette.
• Posting signs requesting that persons with respiratory illness refrain from visiting the healthcare facility if they are not seeking medical treatment.
• Providing conveniently located masks, tissues, and alcohol-based hand rubs for waiting areas and patient evaluation areas to facilitate source control.
• Providing no-touch receptacles for used tissue disposal.
• Ensuring that supplies for hand washing (i.e., soap, disposable towels) are consistently available where sinks are located.
• Educating healthcare workers, patients, family members, and visitors on the importance of containing respiratory droplets and secretions to help prevent transmission of influenza and other infections.

Conclusion

Healthcare workers should be aware of the signs and symptoms of Ebola. The CDC released updated guidance on specific personal protective equipment health care workers should use including step by step instructions how to put the equipment on and take it off safely.  Because Ebola may be spread by respiratory secretions, it is important to have a mask on a patient who is coughing or sneezing. While the risks of Ebola are real, the likelihood of a patient having Ebola is small. When it comes to illnesses healthcare workers should be concerned about, influenza is on top of the list. Some ways to protect patients and healthcare workers include requiring patients who are coughing or sneezing to wear masks while they are visiting your facility and ensuring the supplies for hand washing are consistently available where sinks are located.  

The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE)  released a draft guide that demonstrates how health care providers can make mobile devices, such as smartphones and tablets, more secure, in order to better protect patient information while still taking advances of electronic communications technology.

According to the draft guide titled Securing Electronic Records on Mobile Devices “the use of mobile devices to store, access, and transmit electronic health care records is outpacing the privacy and security protection on those devices.”  The draft guide:

• maps security characteristics to standards and best practices from NIST and other standards organizations, and to the HIPAA Security Rules
• provides a detailed architecture and capabilities that address security controls
• facilitates ease of use through transparent, automated configuration of security controls
• addresses the need for different types of implementation, whether in-house or outsourced
• provides guidance for implementers and security engineers

Further, the NIST stresses the importance of conducting risk assessments and the importance of the risk management process by stating:

Assessing risks and making decisions about how to mitigate them should be continuous to account for the dynamic nature of your businesses processes and technologies, the threat landscape, and the data itself. The guide describes our approach to risk assessment. We recommend that organizations implement a continuous risk management process as a starting point to adopting this or other approaches that will increase the security of electronic health records.

According to NCCoE Director Donna Dodson, “healthcare organizations want to protect their clients’ personal information and themselves from the high costs associated with breaches. This guide can be an important tool among the many to reduce risk.”

Mobile device usage and mobile device thefts are on the rise and are outpacing privacy and security protection on those devices. Because of this we have added a sample Bring Your Own Device (BYOD) Policy and User Agreement to our forms section and we recently addressed mobile device security in our multi-part HIPAA article series. If you haven’t already, we highly recommend you conduct a thorough risk assessment before moving forward with mobile devices and review or develop your corresponding policies and procedures.

The U.S. Department of Justice (DOJ) announced that the operators of seven bogus medical clinics were among 12 defendants taken into custody on federal drug trafficking charges that allege they diverted at least 2 million prescription pills – such as oxycodone and other addictive and dangerous narcotics – to the black market.

The DOJ announcement goes on to say that two indictments were returned last month by a federal grand jury that alleges members of the conspiracy profited from illicit prescriptions that were issued without any legitimate medical purpose through a series of clinics that periodically opened and closed in a “nomadic” style.  In addition, the fraudulent prescriptions allegedly allowed the conspirators to obtain bulk quantities of prescription drugs that were sold on the street.

The announcement goes on to say that Minas Matosyan (“Maserati Mike”) is charged with leading the scheme and controlling six of the sham clinics. Matosyan allegedly hired corrupt doctors who allowed the conspirators to issue fraudulent prescriptions under their names in exchange for kickbacks.     

Read more about the DOJ Investigation HERE.

The purpose of the Final Rule is “to establish national emergency preparedness requirements to ensure adequate planning for both natural and man-made disasters, and coordination with federal, state, tribal, regional and local emergency preparedness systems.”  

Providers and Suppliers impacted by the Final Rule

According to the Centers for Medicare & Medicaid Services (CMS), Providers/Suppliers Facilities Impacted by the Emergency Preparedness Rule includes:

1. Hospitals
2. Religious Nonmedical Health Care Institutions (RNHCIs)
3. Ambulatory Surgical Centers (ASCs)
4. Hospices
5. Psychiatric Residential Treatment Facilities (PRTFs)
6. All-Inclusive Care for the Elderly (PACE)
7. Transplant Centers
8. Long-Term Care (LTC) Facilities
9. Intermediate Care Facilities for Individuals with Intellectual Disabilities (ICF/IID)
10. Home Health Agencies (HHAs)
11. Comprehensive Outpatient Rehabilitation Facilities (CORFs)
12. Critical Access Hospitals (CAHs)
13. Clinics, Rehabilitation Agencies, and Public Health Agencies as Providers of Outpatient Physical Therapy and Speech-Language Pathology Services
14. Community Mental Health Centers (CMHCs)
15. Organ Procurement Organizations (OPOs)
16. Rural Health Clinics (RHCs) and Federally Qualified Health Centers (FQHCs)
17. End-Stage Renal Disease (ESRD) Facilities

Further, according to Nicole Lurie, M.D., M.S.P.H., Assistant Secretary for Preparedness and Response, U.S. Department of Health and Human Services (HHS):

CMS issued this new rule to create a consistent foundation of emergency preparedness across the health care system, ensuring that providers across the spectrum are better positioned to respond to disasters and to ensure continuity of care for some of our most at-risk populations.

These providers include home health services, dialysis centers, long-term care facilities, community mental health centers, rural health clinics, intermediate care facilities for people with intellectual disabilities, critical-access hospitals, and others which together care for many millions of people across our nation.

Does the Emergency Preparedness Final Rule apply to your facility?

CMS published requirements for certain Providers/Suppliers Facilities Impacted by the Emergency Preparedness Rule.  The Final Rule will require impacted providers and supplier to meet four common standards: Emergency Plan; Policies and Procedures; Communication Plan; Training and testing plan. 

If you are one of the 17 Providers/Suppliers Facilities Impacted by the Emergency Preparedness Rule, click on the following link to access Emergency Preparedness Requirements by Provider Type.

Did you know?

While all provides and office providers are not impacted by the final rule, Emergency Response and Preparedness is an OSHA requirement.   

We are often asked questions about employees’ rights. Occasionally we are asked about terminated employees’ rights to employment records.

You have an ex-employee that was terminated a few weeks ago. The employee has asked that you mail her a copy of her entire employee H/R file with everything in it from the time she was hired until the day she was terminated. What are your recommendations on this request?

Law

Generally, as your policy states – personnel files are the property of an organization, and usually employees do not have a right to have a copy of their records upon termination. However, access to or copies of medical records, is typically handled on the State level. And generally, requests to access or receive a copy of personnel records must be made in writing.

For example, states we are aware of that have laws regarding access to or copies of medical records upon termination include:  Alaska, California, Connecticut, Delaware, Illinois, Iowa, Maine, Massachusetts, Michigan, Minnesota, Nevada, New Hampshire, Oregon, Pennsylvania, Rhode, Island, Washington and Wisconsin.

Our Response

An employee’s right to access or receive a copy of his/her employee records are typically handled on a State level. As we mentioned above, we briefly searched Tennessee State laws for private sector employee and could not find any requirements for providing copies to an ex-employee. Therefore, in our opinion it would be based on your organization’s policy. The language you have in your current policy states: “Personnel files are the property of (Name of Organization), and access to the information they contain is restricted.” And, “Current active employees who wish to review their own file should contact human resources. With legitimate reason and advance notice…”

Please let us know if you have any additional questions.

Anyone who enters anything into a patient encounter must make sure the documentation is detailed, accurate and thorough.  Now more than ever before “if you didn’t document it, it’s the same as if you didn’t do it.” Below are three examples that demonstrate why documentation is more important than ever before.

Physician Documentation

According to the U.S. Department of Health & Human Services Office of Inspector General (OIG) physicians should maintain accurate and complete medical records and documentation of the services they provide.  In addition to ensuring patients receive appropriate care, good documentation practices helps address challenges raised against the integrity of bills – especially Medicare and Medicaid billing.

ICD-10

ICD-10-CM uses three to seven alpha numeric digits and full code titles.  The changes in ICD-10-CM are in its organization and structure, code composition, and level of detail.  For ICD-10-CM, good documentation practices are critical. Your documentation must be very specific about the details of procedures that are performed.  With ICD-9, there were some “catch-all” codes; ICD-10 does not have these “catch-all” codes. To ensure proper reimbursement, your documentation must be specific and document in detail services that were provided to support ICD-10-CM codes.

Meaningful Use

Your documentation may be in either paper or electronic format – however, it is important to have it stored in one convenient location so that it is retrievable and reviewable upon request. If you are requested for an audit, the documentation will be used to validate that you accurately attested and to verify that the incentive payment was accurate. Therefore, it is extremely important that your documentation supports attestation data for meaningful use objectives and clinical quality measures.

Conclusion

As we mentioned in the opening paragraph “if you didn’t document it, it’s the same as if you didn’t do it.”  For providers and healthcare organizations good documentation practices are more important than ever before – especially for ICD-10 and Meaningful Use purposes.