Medicare Compliance & Reimbursement

When CPT® revised the psychotherapy and psychiatry codes last year, many mental health clinicians started using the codes immediately without giving much thought to how documentation would have to change to support the codes. CMS has taken note of the most common issues with this code set and recently released MLN Matters article SE1407 to set the record straight.

“The main error that CERT has identified with the revised psychiatry and psychotherapy codes is not clearly documenting the amount of time spent only on psychotherapy services,” the article states. Because the psychotherapy codes can be reported with E/M codes, your documentation will have to include not just the total time spent during the visit, but the specific amount of time spent performing psychotherapy.

“Because time is indicated in the code descriptor for the psychotherapy CPT® codes, it is important for providers to clearly document in the patient’s medical record the time spent providing the psychotherapy service rather than entering one time period including the E/M service,” CMS says in the article.

If you bill an E/M service and a psychotherapy code (such as 90836) but you only have one notation of the time spent (such as “50 minutes”), CMS will request a refund for the overpayment and will tell you that you’ve made a billing error.

To read the complete MLN Matters article, visit www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNMattersArticles/Downloads/SE1407.pdf.

Random HIPAA Audit Program Ramps Up

Can your HIPAA procedures withstand scrutiny?

Get ready: All signs point to an imminent return of random HIPAA audits from the Department of Health and Human Services.

In the Feb. 24 Federal Register, HHS announced that it will conduct a HIPAA Covered Entity and Business Associate Pre-Audit Survey. The survey will include up to 1,200 covered entities (CEs) and business associates (BAs), with an aim to determine their suitability for the HHS Office for Civil Rights (OCR) HIPAA Audit Program.

The survey will gather information about CEs and BAs for OCR to assess the respondents’ size, complexity, and fitness for an audit, HHS states. The survey will determine the recent number of patient visits or insured lives, use of electronic health information, revenue, business locations, and much more.

Significance: “This means that the 2014 HIPAA random audit program is now ramping up, with the first wave of contracts going out once the comment period is over,” warns Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems in Charlotte, Vt. CMS will take comments on the information collection request until April 25.

“The time to get ready is now,” Sheldon-Dean urges.

Note: You can view the Federal Register posting at www.federalregister.gov/articles/2014/02/24/2014-03830/agency-information-collectionactivities-proposed-collection-public-commentrequest.

County Settles With HHS Over HIPAA Violations

Even government entities are finding that keeping up with patient privacy laws can be a tough task. This week, Skagit County, Washington settled with HHS for $215,000 over potential HIPAA violations.

“This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size,” said Susan McAndrew, deputy director of health information privacy at the HHS Office for Civil Rights (OCR) in a March 7 statement. “These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”

The county came under investigation after a breach report revealed that financial receipts containing electronic protected health information (ePHI) of seven individuals were accessed by others after the ePHI had been moved to a publicly accessible server. The subsequent investigation revealed that the ePHI of 1,581 individuals was actually at risk.

To read the Resolution Agreement, visit www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/skagit-agreement.html.

Beware: A HIPAA Breach May Bring You More Than Health Information Law-Related Penalties

If you have a HIPAA security breach, you know you could face the wrath of the HHS Office for Civil Rights. But did you know that you could also face enforcement actions by the Federal Trade Commission?

So says a recent court decision involving the Atlanta-based medical laboratory LabMD Inc. On Aug. 29, 2013, the FTC filed an administrative complaint against LabMD for two separate breaches affecting more than 10,000 consumers’ information. The FTC charged that the company failed to “reasonably protect the security of consumers’ personal data” and medical information. Specifically, the FTC’s enforcement action against LabMD was for allegedly “unfair and deceptive acts” under Section 5 of the FTC Act.

In a motion to dismiss the complaint, “LabMD argued that because it was regulated by HIPAA, the FTC lacked authority to enforce privacy and security violations” that were within HHS’s jurisdiction, wrote attorneys Linn Foster Freedman and Kathryn M. Sylvia in a recent Nixon Peabody analysis. But on Jan. 16, 2014, the FTC voted unanimously to reject LabMD’s arguments.

The FTC’s refusal to dismiss the enforcement action “confirms that HIPAA regulated businesses will now also have to worry about compliance with FTC regulations and enforcement actions for security breaches,” warned Freedman and Sylvia.

This also means that, “whether or not a privacy or security problem is noted by HHS, the FTC could become involved if there have been deceptive trade practices (e.g., promising security and then not providing it),” explains Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems in Charlotte, Vt.