2020 Physician Fee Schedule Proposed by CMS – Call To Action

As promised, we have reviewed the 2020 Physician Fee Schedule proposed by CMS. There are many complexities that we must study before we can give you all of the details. In the meantime, please consider reviewing the items (via links) listed below so you can have the information readily available. It is critical that you take the time to send your comments to CMS. The APTA has created a template to use for comments about the PTA/OTA modifier proposed methodology. The template is excellent and only requires a small amount of scripting on your part. They are drafting a template suitable for patient submission; please share it with them as Medicare beneficiaries’ comments carry a great deal of weight with regulators.

Important Links:

    • Telehealth pages 108-110
    • Therapy KX Threshold pages 249-252
    • Dry Needling CPT Code pages 300-302
    • PTA/OTA Modifier Provision 252-273
    • Quality Payment pages 858-1572
    • PFS Conversion Factor pages 1180-1187
  • 2020 PFS Fact Sheet: (Click Here)
  • APTA Regulatory Issues:  (Click Here)
  • Template comment Letter for Clinicians Regarding the PTA/OTA Modifier Issue: (Click Here)
  • CMS Site for Submitting Comments Regarding the PTA/OTA Modifier Issue.  (Click Here)

 

KX Threshold Modifier

We mentioned, in Issue 257 of SIPA, that CMS was continuing to require the KX modifier to be affixed on claims, and now CMS via the 2020 PFS Proposed Rules is reiterating that the purpose of the KX modifier is to attest that the services provided over the annual monetary threshold (not cap) were and are medically necessary. Documentation to support medical necessity should be evidenced when the Initial Evaluation and Progress Reports are performed. The Treatment Encounter Note’s (daily note) purpose is to demonstrate that skilled services were delivered and that the units billed represent the services rendered and documented.

Please refrain from calling the KX a CAP modifier as that will give patients and others the impression that there is still a therapy cap

 

Physician Free Schedule Conversion Factor (CF) for 2020

CMS estimates that the 2020 conversion factor will have a slight increase over the 2019 CF ($36.0896 to $36.04). The impact estimate on therapy services will be 0% because of the mix of services adjusted positively and negatively.

 

Trigger Point Dry Needling—CPT Codes 205X1 and 205X2

CMS is proposing:

  • A work RVU of .32 for CPT code 205X1 (needle insertion(s) without injection(s) 1 or 2 muscles with 10 minutes of intraservice work time
  • A work RVU of .48 for CPT code 205X2 (needle insertion(s) without injection(s) 3 or more muscles with 15 minutes of intraservice work time
  • The RUC will assign the practice expense

 

Merit-based Incentive Payment System

  • There are changes to the PT/OT measure set planned which will include both adding and deleting measures
  • MIPS Performance Threshold for eligible clinicians with a final score equaling or exceeding 45 points should result in a positive adjustment
  • CMS anticipates that more clinicians will receive positive adjustments than negative adjustments

 

Physical Therapists Assistant & Occupational Therapy Assistant Modifiers 

The following statements are facts:

  • The required use of the CQ & CO modifiers will be effective January 1, 2020.
  • The CQ modifier indicates that the outpatient physical therapy services were furnished in whole or in part by a physical therapist assistant.
  • The CO modifier indicates that the outpatient occupational therapy services were furnished in whole or in part by an occupational therapy assistant.
  • The use of the modifiers will be required for all outpatient settings that are paid under the Physician Fee Schedule, therefore, Critical Access Hospitals are excluded.
  • The modifiers are not required if the OTA or PTA provides less than 10% of the total minutes for the services rendered.
  • The modifiers are to be affixed on each claim line in which PTA/OTA exceeds 10% of the total minutes billed for the listed CPT code.
  • The modifiers must be affixed on each claim line for services wholly furnished by PTAs or OTAs.
  • The modifiers do not have to be affixed on claim lines for services wholly furnished by the Physical Therapist or Occupational Therapist.
  • The applicable modifier must be utilized if the PTA/OTA furnishes services concurrently with the PT/OT, respectively, and the time exceeds 10% of the total minutes billed.
  • The applicable modifier must be utilized if the PTA/OTA and PT/OT, respectively, furnish services to the same patient at different times when the PTAs/OTAs time with that patient exceeds 10% of the total time billed.
  • CMS proposes to round to the nearest whole number above the 10% de minimis standard. Example: Where the total time of a service is 60 minutes, the 10 percent standard is six (6) minutes, and adding one-minute yields seven (7) minutes. Once the PTA/OTA furnishes at least 7 minutes of the service, the CQ/CO modifier is required to be added to the claim for that service. For example, when the total time for the service is 45 minutes, the 10 percent calculation would be 4.5 which would be rounded up to 5, and the PTA/OTA’s contribution would need to meet or exceed 6 minutes before the CQ/CO modifier is required to be reported on the claim

Click here to download Table 19

  • Documentation requirements begin on January 1, 2020. The Treatment Encounter Note will  need to include a short phrase or statement to explain why the modifier was or was not affixed  on each line of service. This applies to non-time services as well. Example:
    • PTAs/OTAs assist PTs/OTs to furnish services, the treatment note could state one of the following, as applicable:
      • “Code 97110: CQ/CO modifier applied ‒ PTA/OTA wholly furnished”; or,
      • “Code 97150: CQ/CO modifier applied ‒ PTA/OTA minutes = 15%”; or
      • “Code 97530: CQ/CP modifier not applied ‒ PTA/OTA minutes less than 10% standard.”
      • Services furnished exclusively by therapists without the use of PTAs/OTA, the PT/OT could note one of the following:
      • “CQ/CO modifier NA”, or
      • “CQ/CO modifier NA ‒ PT/OT fully furnished all services.”
  • For details relating to modifier calculations for  evaluations, supervised modalities, group  therapy, etc. please study pages 252-273 of the  PFS. Links to the various documents a listed in the “A Note from Mary” section of this SIPA

BCMS highly recommends reviewing the proposed provisions noted above and the entire clinician response/comment template provided by the APTA. Without everyone’s input, this disastrous rule may become reality.

We will provide information on other matters covered in the Proposed Rules in the next issue. They are:

  • Biofeedback codes
  • Physiological monitoring codes
  • Potential impact in 2021 if CSM increases the proposed E/M increases

If you are interested in learning more about our newsletters (SIPA – Seriously Important Practice Alerts) or subscribing, please click here.

For more information on BCMS’s services, email Alicia Nevins Mahoney at nevinsa@bcmscomp.com or schedule time for a free compliance program consultation here.

 

Direct Access in Texas for Physical Therapy

The wait for Direct Access in Texas for physical therapy is nearly over (this means treatment with out referral)!  The Texas Board of Physical Therapy Examiners has approved a draft of the proposed Rules that will govern the new provisions for Direct Access in the Practice Act. These Rules are the vehicle that give Direct Access its wings as well as its brakes. The purposed Rules was sent to the Governor and will be published in the Texas Register for public comments. Please note that the Rules are not official until after the public comment period ends and the Rules are codified in the Texas Administrative Code. This is estimated to take approximately 30-45 days.

Frequently Asked Questions Regarding Direct Access in Texas:

Q:  When can physical therapists begin treating patients without a referral?

A:  Effective September 1, 2019 a physical therapist may begin accepting patients without a referral, if all specified qualifications and requirements are met.

 

Q:  What qualifications must a physical therapist possess to be eligible to treat patients under the direct access law?

A:  Qualifications & requirements of a physical therapist include the following:

  • A physical therapist with a doctoral degree in physical therapy will be able to treat patients without a referral for not more than ten (10) consecutive business days;
  • A physical therapist who does not have a doctoral degree but has completed thirty (30) CCUs in the area of differential diagnosis will be able to treat patients without a referral for not more than ten (10) consecutive business days;
  • A physical therapist with a doctoral degree in physical therapy who has completed a residency or fellowship will be able to treat patients without a referral for not more than fifteen (15) consecutive business days;
  • A physical therapist must have been licensed to practice physical therapy for at least one year;
  • A physical therapist must be covered by professional liability insurance; (proposed amount $100,000 per claim and $300,000 aggregate per year);
  • A physical therapist must obtain a signed disclosure from the patient receiving Treatment Without Referral. (This requirement does not go into effect until 11-1-19)

 

Q: What happens when the allotted days for direct access has been reached?

A:  Once the number of allotted days has been reached, a referral from a qualified healthcare practitioner will be required in order to continue physical therapy treatments.

 

Q:  What individuals are considered qualified healthcare practitioners for referring to physical therapists?

A:  Qualified referrers have not changed since 1990’s when the rules were expanded to include healthcare practitioners licensed in the state or country in which they practice and have the authority to refer, they are:

  • Physicians
  • Dentists
  • Chiropractors
  • Podiatrists
  • Physician Assistants
  • Advanced Nurse Practitioners

 

Q:  What is meant by Direct Access Disclosure Statement?

A:  The Physical Therapy Practice Act requires that physical therapists who utilize direct access provide his/her patients with a disclosure document (to be drafted by the TBPTE) relating to Treatment Without Referral. This Disclosure Document becomes mandatory November 1, 2019.

 

Q:  Did the new direct access language replace the previous ‘limited’ direct access provisions?

A:  Yes and No.

The direct access provisions that were not eliminated by the new law apply to physical therapists regardless of what degree level they have obtained and without any additional requirements. The remaining provisions are:

  • Physical therapists will still be able to evaluate a patient without a referral;
  • Physical therapists will still be able to provide instructions to a person who is asymptomatic relating to the instructions being given, including instruction to promote health, wellness, and fitness;
  • Physical therapists will still be able to provide emergency medical care to a person after the sudden onset of a medical condition manifesting itself by acute symptoms of sufficient severity if the absence of immediate medical attention could reasonably be expected to result in a serious threat to the patient’s health, serious impairment to bodily functions, or serious dysfunction of any bodily organ or part.

Unfortunately, it appears that there was an oversight and the following “Prior Referral” provision is no longer permitted.

**Please note:  The section below is what is no longer permitted: 

Prior referrals. A physical therapist may treat a patient for an injury or condition that is the subject of a prior referral, if all the following conditions are met.

    • The physical therapist must notify the original referring healthcare personnel of the commencement of therapy by telephone within five days, or by letter postmarked within five business days;
    • The physical therapy provided must not be for more than 20 treatment sessions or 30 consecutive calendar days, whichever occurs first. At the conclusion of this time or treatment, the physical therapist must confer with the referring healthcare personnel before continuing treatment; Texas Board of Physical Therapy Examiners January 2019.
    • The treatment can only be provided to a client/patient who received the referral not more than one year previously; and
    • The physical therapist providing treatment must have been licensed for one year. The physical therapist responsible for the treatment of the patient may delegate appropriate duties to another physical therapist having less than one year of experience or to a physical therapist assistant. A physical therapist licensed for more than one year must retain responsibility for and supervision of the treatment.

 

Q:  According to billing requirements physical therapists affix both medical and impairment ICD-10 codes on the 1500 and UB-04 forms or their electronic equivalent. Will Texas physical therapist be permitted to affix medical ICD-10 codes on claims?

A:  No, not if it means they are making a medical diagnosis related to a disease. The Texas Physical Therapy Practice Act states in Sec. 453.006 Practice of Medicine. (a) A person may not engage in diagnosing diseases or in practicing medicine (b) A person may not use an affix indicating or implying that the person is a physician…

Daulong’s comment:

However, Texas physical therapists have been coding impairment diagnoses for years and may continue to do so. The APTA has an extensive list of codes frequently used by physical therapists, please go to this link: https://www.apta.org/ICD10/IdentifyingCodes/.

 Physical therapist should continue to document what the patient relates about diagnoses or conditions they have or have had in the clinical record in order to assist in determining the complexity of the patient’s case and the selection of the correct evaluation code. Therapists should also list signs, symptoms, characteristics, observations and the patient’s medical history.

 Example: Patient states that he/she has diabetes and takes medication to control it. The therapist should relate that statement and confirm that a diabetic medication was included in his/her medication list.

 

Q:  Should physical therapists engage in Direct Access, in Texas, without having the rules approved?

A:  BCMS’ position is that it is risky to carry out a law prior to rules being promulgated; the proposed rules are posted in on the TBPTE website (Click Here for proposed rule). They will be also posted in the Texas Register by September 6, 2019 for at least 30 – 45 days.

Q:  When will the Treatment Without Referral Waiver Form be available for use?

A:  The Waiver Form is being drafted by the TBPTE and will be available for use November 1, 2019. BCMS will send it to Texas clients as soon as it is approved. The form will be available on the TBPTE’s website.

 

Q:  How do we handle Medicare patients with the new law granting Treatment Without Referral?

A:  Medicare does not require a referral and hasn’t for many years, but it does require two things that are stumbling blocks for Treatment Without Referral:

    • The first issue is that therapists must still obtain a signed Plan of Care in the same time frames as dictated in the Medicare Benefit Policy Manual (MBPM)…i.e. by 30 days and recertifications within 90 days. Medicare does state that it does not expect treatments to be held until the Plan of Care is certified.
    • The second issue is that Medicare claims must contain the NPI of the certifying physician.

Please remember that if you believe you will have problems with either of the two items above you should engage the patient to assist in expediting the cooperation of his/her physician. Medicare considers an uncertified Plan of Care to result in a technical denial which transfers the financial liability to the patient for therapists in private practice; unfortunately, this is not the case for Rehab Agencies as the provider assumes the financial liability when there is no signed Plan of Care.

Q:  Will the Texas Division of Worker Compensation honor the new treatment without Referral?

A:  No, the DWC is governed by laws that require physicians and other specified individuals to refer patients and under Texas laws physical therapists do not have that authority.

 

Learn More or Get Help!

Do you like getting timely information like above?  If yes, and if you want to continue to get timely information like above or learn how to better understand how compliance plays a role in your over all outpatient physical therapy compliance requirements, contact Alicia N. Mahoney at 713-899-9812 or schedule time for a free compliance program overview.

Physical Thearpy OSHA Compliance

Physical therapy OSHA Compliance is of utmost importance when running a sound private practice.  So many practice owners think it’s ‘overkill’ or ‘we aren’t a hospital, so why do we have to do these things?’.  OSHA addresses and provides regulation to ensure the safety of patients, therapist and employees within your practice.

What do we need physical therapy OSHA compliance?

Plainly stated….it’s the law.

According to The United States Department of Labor:

“The mission of the Occupational Safety and Health Administration (OSHA) is to assure safe and healthy working conditions for working men and women by developing, setting and enforcing standards and by providing outreach, education, training and compliance assistance. Under the law, employers have the responsibility to provide a safe workplace.”  

In reality, as a healthcare provider, you should want to provide the safest environment of healing for not just your patients, but your staff as well.

OSHA Violations & Penalties:

 The most common physical therapy OSHA compliance violations are:

  • Failure to train on the Bloodborne Pathogens Standard.
  • Failure to implement and maintain Bloodborne Pathogens & Hazard. Communication Plan
  • Failure to keep training records.
  • Failure to keep a Sharps Injury Log.
  • Failure to provide Safety Data Sheets.
  • Failure to train on the Hazard Communication Standard.

Penalty Administration

OSHA uses four (4) classification for penalty administration. The DeMinimus classification is not elaborated upon as it only results in the Agency documenting a minor infraction of the business or entity. However, the following three categories do have significant penalties per violation:

Willful. 

A willful violation exists under the OSH Act where an employer has demonstrated either an intentional disregard for the requirements of the Act or a plain indifference to employee safety and health. Penalties range from $5,000 to $70,000 per willful violation. If an employer is convicted of a willful violation of a standard that has resulted in the death of an employee, the offense is punishable by a court-imposed fine or by imprisonment for up to 6 months, or both. A fine of up to $250,000 for an individual, or $500,000 for a corporation, may be imposed for a criminal conviction.

Serious. 

Section 17(k) of the OSHA Act provides that “a serious violation shall be deemed to exist in a place of employment if there is a substantial probability that death or serious physical harm could result from a condition which exists, or from one or more practices, means, methods, operations, or processes which have been adopted or are in use, in such place of employment unless the employer did not, and could not with the exercise of reasonable diligence, know of the presence of the violation.” OSHA may propose a penalty of up to $7,000 for each violation.

Other-Than-Serious.

This type of violation is cited in situations where the accident/incident or illness that would be most likely to result from a hazardous condition would probably not cause death or serious physical harm but would have a direct and immediate relationship to the safety and health of employees. OSHA may impose a penalty of up to $7,000 for each violation.

OSHA will also create press releases to “shame” businesses that have violations, letting the public know about their wrongdoing.

Learn More or Get Help!

It’s not worth it to put your patients and staff at risk by not having physical therapy OSHA compliance.  To learn more or to better understand how OSHA compliance plays a role in your over all outpatient physical therapy compliance requirements, contact Alicia N. Mahoney at 713-899-9812 or schedule time for a free compliance program overview.

Physical Therapy HIPAA Compliance: What A HIPAA Violations Mean for Your Practice

Physical Therapy HIPAA Compliance can be overwhelming if you don’t know enough about protecting your patients health information.

The Health Insurance Portability and Accountability Act (HIPAA) has been protecting the privacy and security of certain health information for Americans everywhere since its implementation in 1996. Despite its intentions, there continues to be a concern for individuals’ health information as our healthcare system becomes increasingly digitized.

Do you know how this affects your physical therapy clinic? Let’s review:

The Consequences of HIPAA Violations

The severity of the consequence depends on the severity of the violation itself. These incidents can result in penalties costing your practice thousands or even millions of dollars in fines, not to mention a loss in credibility, reputation, and patients. With all violations, there are also the costs associated with civil and criminal investigations. Needless to say, the best thing for your practice is to know how to avoid any type of HIPAA breach.

According to Joette Derricks’ Security Risk Assessment for Small Practices: Tools and Case Studies, HIPAA violations and their resulting ramifications can be divided into four categories.

Categories:

  1. An individual did not know and would not have known based on reasonable diligence that they violated HIPAA. This violation carries the most minor repercussion, with minimum penalties of $100 per violation and an annual maximum of $25,000 for repeated violations.
  2. An individual did not willfully neglect to protect individuals’ rights but did so with reasonable cause. The minimum penalty per violation increases dramatically, costing your practice $1,000 per violation or a maximum of $100,000 annually.
  3. An individual expressed willful neglect but corrected the violation quickly. At $10,000 for every violation or $250,000 for repeat violations, it’s clear that intent to disregard HIPAA increases the fines dramatically.
  4. An individual willfully neglected patients’ rights and did not correct the situation. The minimum penalty for this situation is also the maximum fine for a HIPAA violation in any of the situations listed. If a practice does not correct the situation, they can expect to forfeit $50,000 per violation or an annual maximum of $1.5 million.

It should be noted, however, that the most costly consequence may actually be the inability to recover from such an incident. When a practice is penalized for violating HIPAA and has, therefore, disregarded a patient’s rights to privacy regarding their personal health information, current and prospective patients may choose to seek care elsewhere where they believe their fundamental rights will be respected.

If you have concerns about your practice’s Physical Therapy HIPAA Compliance , we have the resources you need to remain compliant. For more information on HIPAA violations, security risk analysis, and more, reach out to us at (713) 899-9812 or visit our website today!

Compliance for Physical Therapy – What are the Rules and Requirements Anyway?

Compliance for Physical Therapy… the required evil that everyone with a physical therapy practice wants to avoid.  What does this mean for your practice and why should you care?

Why You Need Compliance for Physical Therapy Practices

What does this mean for your practice and why should you care?  In a broad sense it means that there are requirements you need to ensure both your practice and your staff are aware of, have documented, and are following daily.  The caring part is a bit more straightforward; compliance is required by law and can carry both civil and/or criminal penalties for non-compliance.   So, unless you are fond of fines or jail, let’s take a quick look at some of the key compliance components for your practice.

HIPAA, The Privacy and Security Rules

The most well-known compliance component is HIPAA, the privacy and security rules that most everyone is familiar with. HIPAA/HITECH requires the security of protected health information (PHI) both in paper and electronic formats.  Additionally, approximately 2/3 of the requirements involve having documented policies and procedures for how your practice handles PHI.  Do you have written out policies and procedures that your staff has been trained on?  Would your staff know where these are located if someone asked?  Does your staff know the 18 PHI identifiers? https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#protected  If you cannot answer yes to these questions you may need to update/revise your existing HIPAA compliance program.

Other Laws and Requirements

True or False?  If we are compliant with HIPAA there are no other regulations we need to focus on?  Unfortunately, false; just being HIPAA compliant is not enough.  There are other laws and requirements that also apply to your practice.  The Fair Labor Standards Act, Fair Credit Reporting Act, Civil Rights Act, and Age Discrimination Employment Act at the federal level along with numerous state, county, and city laws govern how you employ, pay, provide benefits for, and even background check or drug test your staff.  One of the most confusing issues is the classification of staff as exempt or non-exempt.  Failure to properly classify an employee could lead to fines, payment of back pay and/or an EEOC compliant.  The Department of Labor provides guidance if you need a quick review https://www.dol.gov/whd/overtime/fs17a_overview.htm .  The Occupational Safety and Health Administration (OSHA) governs how you ensure your staff is safe at work.  Their requirements include such things as requiring Safety Data Sheets and pictogram labels for hazardous chemicals (including Tide Pods), eye wash stations and sharps containers.  The American with Disabilities Act (ADA) has requirements that impact both employees and patients of your practice from both an employment, facility and language accessibility standpoint.

Policies & Procedures are a Must

Sadly, the list continues if you participate in Medicare, Medicaid, or any private payer for reimbursement.  Each payer has their own list of requirements and compliance expectations.  Compliance with all laws, standards, and/or regulations is mandatory.  A critical first step to ensuring your practice is on the right path is to have written policies and procedures that detail how you do work and that cover all the requirements.

According to the APTA:

The policy and procedure manual plays an important role in every business and organization, and physical therapy is no exception. The development and enforcement of policies and procedures is an important responsibility of physical therapist (PT) managers.

A well-written and comprehensive manual communicates to both internal and external stakeholders the rules, regulations, and processes that govern an entity. Policy and procedure manuals are integral to the orientation and training of new and current staff; ensuring compliance with laws, regulations, and accrediting organizations; and promoting consistency, safety, and best practices.

A poorly developed manual, conversely, fosters confusion and inconsistency, increasing the risk that laws, regulations, and health and safety standards will be violated. Even worse, an inadequate manual can heighten the risk of injury or harm to patients and employees, and place the organization at risk for lawsuits and other damages. Taking the time to carefully and accurately develop and maintain policies and procedures, therefore, is an important investment for all managers.  https://www.apta.org/PolicyandProcedureManuals/ 

Once you have these in place train your staff and have them acknowledge the information.  Ongoing hold staff to the standards, audit to check for compliance, and provide education to ensure all compliance requirements continue to be met.  Compliance is never ending.  Annual updates, new information, and changes to laws require practice owners to keep informed to keep compliant.  Start the New Year off stress free by ensuring your practice is compliant!

Business & Clinical Management Services (BCMS) is an outpatient rehab consulting firm that provides the keys to unlocking the compliance regulatory vault.  For more information about our services, contact Alicia N. Mahoney at https://bcmscomp.com/contactus/  or schedule time for a free compliance program overview.

Mandatory Claims Submissions… Is it really Mandatory? Here’s What You Should Know!

 

Physical therapists must submit claims to Medicare for covered services provided to Medicare patients. That’s my story and I’m sticking to it!

Manditory Claims Sumbmissions?  Is it Really Manditory?  Here’s What You Should Know!

Last week I jointly presented a program about Medicare’s Mandatory Claims Submission requirement with Kara Gainer, JD, Director of Regulatory Affairs for the APTA.   The presentation clearly demonstrated that, physical therapists must submit claims for covered services provided to Medicare patients, with a few exceptions. By not doing so they may be subject to civil monetary penalties of up to $2,000 per claim and face exclusion from the Medicare Program for up to five years.

The Legal Opinion

A plethora of legal authorities validated the position upheld and reinforced the fact that there is no wiggle room for accepting cash in lieu of enrolling in Medicare. Physical therapists, at this time, cannot Opt-Out of Medicare like physicians and several other practitioners.

For more information on Opting-Out of Medicare please go to: https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNMattersArticles/downloads/MM3016.pdf. Therapists are not required to accept Medicare patients but if they do they MUST enroll in the program.

References:  Powers, Pyles, Sutter & VervilleHealth Policy AlternativesMintz an AM Law 100 Firm

The Cash-Based Practice

Physical therapists who have cash-based practices and who are adept in collecting monies at the time of service would do well enrolling as a non-participating Medicare supplier.  This means they choose not to accept Medicare’s allowable fee schedule as payment in full but are subject to the’ limiting charge’ proviso:  i.e. they may not collect more than 115% of Medicare’s allowable fees and they must also comply with other conditions set forth relating to their non-participating status.

For more information on provider enrollment and on non-participating suppliers please go to: https://www.medicare.gov/your-medicare-costs/part-a-costs/lower-costs-with-assignment and https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/downloads/MedEnroll_PhysOther_FactSheet_ICN903768.pdf

The Exception

There is an exception to the mandatory claim submission provision, but it isn’t a result of HIPAA’s (HITECH’s) Patient Rights as many individuals believe. It is a Medicare provider specific Patient Right which allows the beneficiary/legal representative to (of his/her free will) refuse to authorize the submission of a claim to Medicare if the provider is enrolled in the Program. The HIPAA Patient Right specific to restriction of Protected Health Information (PHI) is the option to request that a Covered Entity/healthcare provider not disclose (PHI) to a health plan. That right is preempted by the Mandatory Claims Submission requirement as noted in § 164.502(a)(2)(ii), § 164.510(a) or § 164.512, which stipulates:

“If a provider is required by State or other law  (Mandatory Claims Submission) to submit a claim to a health plan for a covered service provided to the individual, and there is no exception or procedure for individuals wishing to pay out of pocket for the service, then the disclosure is required by law and is an exception to an individual’s right to request a restriction to the health plan pursuant to 154.522(a)(1)(vi)(A) of the Rule.”

References

For more information on Mandatory Claims Submission please see the attached reference document as well as linking into the APTA’s FAQs on the subject: https://www.apta.org/Payment/Billing/CashPractice/MedicareRulesExamples/

Additional references for the relationship between cash practices and Medicare.

Business & Clinical Management Services (BCMS) is an outpatient rehab consulting firm that provides the keys to unlocking the compliance reglatory vault.  For more information about our services, contact Alicia N. Mahoney at https://bcmscomp.com/contactus/

HIPAA Compliance – What Physical Therapy Practice Owners Need to Know

It can be a daunting task for small business owners to navigate the complexities of physical therapy HIPAA compliance.

Questions and Answers Regarding HIPAA that all Physical Therapy Practice Owners Should Know

WHILE WE TYPICALLY FOCUS ON ISSUES RELATED to payment compliance, it is paramount that we understand what other federal regulations apply to us as practitioners in the health care business arena. Understanding the laws, performing associated risk assessments, developing policies and procedures, educating the workforce, monitoring compliance with the statute, and enforcing their requirements is the only way we can mitigate our risk and safeguard our practices.

This article will focus on the Health Insurance Portability and Accountability Act (HIPAA), based on HIPAA questions posed or violations noted from 2016–2018.

Question:  Do I have to encrypt my computers, emails and test messages?

Answer:  Yes, you must address Security Rules 164.312, which mandates encryption of data both at rest and in transmission.  All data, including emails and text messages, that contain ePHI must be encrypted or otherwise addressed to meet the minimum encryption standards before transmission.  The upside, however, is that stolen ePHI that is encrypted does not have to be reported (aka if you have an encrypted laptop or flash drive and it is stolen you do not have to report the ePHI as a security breach).

Question:  Can my staff use personal devices (smart phones, iPad, etc.) for patient documentation?

Answer:  Yes, your staff may use personal devices at work.  However, you need to ensure that they also comply with all provisions under HIPAA, the Security Rule, and the HITECH Act.  All the same rules apply as for your practice-owed computers, laptops, tablets, etc., including encryption, login monitoring, data backup, unique user identification, workstation security, and more.  Additionally, you will need written out policies and procedures in place for personal device use.

Question:  What are the Patient Rights that came about via HITECH and the Omnibus Rule?

Answer:  The newest Patient Rights are in blue and italizes.  These rights must be included in your Privacy Notice

  • Access to PHI
  • Amend PHI
  • Request limited use or disclosure
  • Request confidential communication of PHI
  • Be informed of breach of privacy
  • Make complaints about noncompliance
  • Revoke authorization
  • Be notified of opt-out options for marketing, fundraising, and sale of PHI
  • Restrict PHI from health plans
  • Recieve a paper copy of the Privacy Notice

Question:  What do I have to include in a Breach Notification?

Answer:  When notifying a patient of a breach, include the following information:

  • A description of the breach (what happened)
  • A description of the types of information that were involved in the breach (waht data was shared)
  • The steps that the affected individual(s) should take to protect themselves from potential harm
  • A brief description of what the covered entity (CE) is doing to:
    • Investigate the breach
    • Mitigate the harm
    • Prevent further breaches
    • Provide contact information at no cost to the individual

Also, remember that the breach must also be reported to the secretary of the US Department of Health and Human Services (HHS).  Breaches over 500 individuals require additional reporting to media outlets and websites.  Timelines for breaches vary by state so be sure to check your local reporting requirements.

The exception for reporting comes with knowledge that the breached PHI/ePHI was not usable, readable or decipherable.  According to the American Health Information Management Association:

“The interim final rule defines unsecured PHI as information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the HHS Secretary in the guidance issued under section §13402(h)(2) of the American Recovery and Reinvestment Act. The guidance specifies that only encryption and destruction consistent with the National Institute of Standards and Technology (NIST) guidelines renders PHI unusable, unreadable, or indecipherable.

These guidelines, if used, create the functional equivalent of a safe harbor and notification is not required in the event of a breach. The guidance may be used to render PHI unusable, unreadable, and indecipherable to unauthorized persons, and is published on the HHS website. If PHI has not been secured in accordance with the specified guidance and a violation has occurred, then it must be presumed to be a breach.”

Question: Who should initiate a Business Associate (BA) Agreement (BAA)? The Business Associate or the Covered Entity (CE)?

Answer:  Covered Entities should initiate the BA agreement so that they are certain that all the requirements set forth by the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Omnibus Rule are in the agreement. They are:

  • Allowed and required disclosures:  what the BA can and can’t do with the data, as well as what they’re required to do with the data
  • Reference to “downstream” subcontractors: Ensure that they are responsible to abide by the same terms as the BA’s.
  • BA’s responsibility to safeguard the data: with reference to the security rule
  • Reporting obligations:  BA’s methods for notifying CE of impermissible disclosures, which could include a data breach incident
  • Satisfactory assurance from the Business Associate that it complies with HIPAA Security and Privacy as it pertains to BA’s
  • Termination clause:  CE can terminate contract for violation of terms, and in the event of termination, the BA must return or destroy the data.

In addition to these provisions, there are optional elements such as:

  • Liability and indemnification clauses for both parties
  • Monitoring and auditing rights of the Covered Entity

Question: I have a Privacy Notice available for patients to read if they wish to; most don’t. I heard that I must provide each patient with the notice before I ask them to sign our Acknowledgment of Receipt, is this true?

Answer:  Yes, you are required to offer the Privacy Notice to all new patients and any active patients if the Notice is modified in any way.  In addition to offering the notice, you must post it or have it readily available in the reception or common space so that a patient, visitor, etc., can access it without requesting it from you.  Don’t forget that you must also post the notice on your website, if you have one.

Your patients should never be asked to sign the Acknowledgement of Receipt without first having access to the Privacy Notice.

Question: How do I prove that all my staff need access to both protected health information (PHI) and electronic protected health information (ePHI)?

Answer:  HIPAA requires covered entities to develop role-based access to written policies and procedures to validate that access to PHI and ePHI is based on the individual’s need to access either or both to do their jobs.  If this is the case, you may list all of them with full access to PHI and ePHI.

For more information on HIPAA requirments for Physical Therapist and other outpatient healthcare provides, contact BCMS

HIPAA Compliance Issues for Physical Therapists – Avoid Small Issues that Can Cost Big Money

In this post, BCMS will point out How can you avoid HIPAA Compliance issues for physical therapists. The Office of Civil Rights compiled a list of the top 10 HIPAA compliance issues for 2017.   Their investigations and enforcement of HIPAA resulted in millions of dollars in fines and penalties.   Take a moment to look at the top issues and ensure you are not making the same mistakes!

HIPAA Compliance Issues for Physical Therapists – Avoid These Errors and Put Your Mind at Ease

#1 – Affirmative Disclosures Not Permitted.  This means sharing/posting/disclosing patient photos, reviews, videos etc. without signed disclosures must be avoided.  Double check patients in the background of posted media.  Do you have permission of everyone that is shown?  Having written policies and procedures in place prior to disclosing PHI would ensure that all disclosures are permitted.

#2 – Lack of BAA.  You must have a signed Business Associate Agreement for all Business Associates who have access to your PHI/ePHI.  Be sure you have signed agreements with EMR, IT, Marketing, and other vendors!  A $31K fine was levied last year to a small practice that was missing a BAA.  Be proactive and send a BAA to your vendors; don’t wait until they send one to you.  Per the rule you cannot share PHI/ePHI prior to having a signed BAA in place. Avoid this costly mistake and ensure all yours are in place and signed.

What Is a “Business Associate?” A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  A member of the covered entity’s workforce is not a business associate.  A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.  The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.   For more details, see the HHS.gov overview.  

#3 – No, Incomplete or Inaccurate SRA.  You must have an annual Security Risk Analysis per the Security Rule.  This is a comprehensive analysis that includes both an assessment and a review for system vulnerabilities.  The assessment looks at physical, technical and administrative safeguards for ePHI.  It is possible to conduct your own SRA however ensure that the person conducting the assessment has the knowledge and skills necessary to complete the task.  Also, be sure your assessment does not include bias and is objective to ensure your practice is taking the right steps to protect ePHI.  Consider outsourcing this process as a solution to both the knowledge and bias concerns.

Under the HIPAA Security Rule, you are required to conduct an accurate and thorough analysis of the potentialrisks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate. Once you have  completed the risk analysis, you must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels.  (45 CFR 164.308(a)(1)(ii)).   Click HERE for the Security Risk Analysis Tip Sheet from CMS

BCMS is a full-service compliance consulting firm specializing in outpatient physical therapy practices.  Our focused, PT specific compliance program can help you meet all your compliance needs.  We also offer on-site SRA and include BAAs in our compliance program.  Contact us for more information.  We are the key to unlocking the compliance mystery.  For more information or to contact us, click HERE

Physical Therapy Private Practice Compliance – Where to Start

Many practice owners believe that physical therapy private practice compliance is a complex problem.  It doesn’t have to be.  In this post, we will outline exactly where you should start.

Physical Therapy Private Practice Compliance Points to Address

First, identify the regulations, laws, rules and policies that govern your work.  These could include:

  • Federal, state and local labor laws
  • State Practice Act and Licensing Requirements
  • HIPAA, HITECH and the Security Rule
  • Medicare
  • Other federal and commercial payors
  • OSHA
  • ADA

If you don’t know where to start, the APTA has a great resource with links to physical therapy practice acts in each of the 50 states.

Licensure is required in each state in which a physical therapist practices and must be renewed on a regular basis, with a majority of states requiring continuing education as a requirement for renewal. PTs must practice within the scope of physical therapy practice defined by these state licensure laws (physical therapy practice acts). The entire practice act, including accompanying rules, constitutes the law governing physical therapy practice within a state.  Reference: APTA Website

Next review your existing policies and procedures.  Do you have them in place?  Are they updated annually including staff review and sign off?  Over 70% of a successful compliance program is having the appropriate written policies and procedures in place and understood by staff.  Policies really do matter!

As you implement your policies look at how you do your work. For example, email containing PHI must be encrypted.  Numerous programs are available to facilitate compliance with this requirement, but do you really need the added expense?  Review how often and in what instances you are sending PHI via email.  Perhaps the same outcome can be accomplished by using your EMR internal communications?  A little time looking at the process can save money, and even more time, in the long run.

Finally, create a culture of compliance.  The entire team must work together to ensure your practice stays compliant.  Share the ‘fun’ and have your staff involved in the ongoing compliance requirements. Have regular meetings to discuss successes and challenges.  Encourage suggestions to overcome compliance obstacles. Build a culture and compliance will no longer be a ‘task’ on a to do list but the way your practice moves forward every day!

BCMS is a full-service compliance consulting firm specializing in outpatient physical therapy practices.  Our focused, PT specific compliance program can help you meet all your compliance needs.  Contact us for more information.  We are the key to unlocking the compliance mystery!

For more information and to contact us, click here.