Remember: contracted vendors are also subject to HIPAA regulations. Now that we’ve turned a corner on the COVID-19 public health emergency (PHE), telehealth services are here to stay. As the technology evolves, and more healthcare organizations adopt the services, your practice will need to stay on top of telehealth regulations and requirements to receive reimbursement and protect your patient data. Pulmonology Coding Alert has gathered advice to help your practice maintain compliance for telehealth visits. Gather the Required Documentation “Evaluation and management (E/M) codes are very often billed instead of the virtual care visits or the telephone-only visits because they more accurately reflect what happened during that visit,” said Stephanie Sjogren, CPC, COC, CRC, CPMA, CDEO, CPC-I, CCS, HCAFA, during her “Telehealth Beyond the Pandemic” session at AAPC’s Collaborative Compliance Conference 2023.
If the pulmonologist performs a telehealth E/M visit and is basing the E/M code on time alone, the documentation must reflect this information. The documentation must show the amount of face-to-face and non-face-to-face time spent on the patient over a 24-hour period. The time-based documentation should include the following information: The provider’s documentation of the minutes spent on patient care should mention how they accrued the time. “You want to put the precise total number of visits spent on patient care — make sure you note the time parameters. That way you can accurately pick the code that reflects that the time you spent and you want to describe how that time was used,” Sjogren said. Additionally, if the provider is basing their telehealth E/M code on medical decision making (MDM), they should document the visit’s MDM components just as they would for an in-person E/M visit. Following the telehealth visit, the pulmonologist should document as much information as possible to ensure prompt and accurate reimbursement. “Post-visit documentation has to still be as thorough. So, if you’re doing stuff after the visit ends, which obviously most providers are, there are a few things that we want to make sure that we’ve captured when we’re documented,” Sjrogen continued. The telehealth visit documentation is similar to in-person E/M visits, but there are additional elements that need to be included: Remember That HIPAA Applies to Business Associates While the patient may not physically be in the office during a telehealth visit, HIPAA rules still apply to all telehealth services covered by healthcare providers. Healthcare providers must take the necessary steps to protect their patients’ protected health information (PHI), and this includes choosing HIPAA-compliant platforms for telehealth services.
For example, not all video conferencing software are developed equally. “If you’re going to have different technology like a Zoom for Healthcare, you can’t use the same Zoom you would for healthcare as you would for just your private conversations. Those are different. There are different levels of security with Zoom for Healthcare versus regular Zoom,” Sjrogen explained. If your practice is using a software vendor, they are considered a business associate, and they are also subject to HIPAA as well. In the end, if the software vendor experiences a data breach that could result in your data being compromised, then your practice is still responsible for the data breach. “You have to make sure you perform your due diligence. You have to verify all the security practices. As a provider, you’re still responsible. Again, any mistakes that they make in protecting security of your data are your mistakes, too,” Sjrogen said. Designate a Compliance Officer One of your responsibilities as a healthcare practice is to ensure the practice is compliant. Healthcare technology has advanced significantly in the past three years, and maintaining compliance is more than just setting up IT defenses — it requires a combination of technical components and physical administration. “A lot of this new technology is something very new for people. People just thought, I will just lock my cabinet and make sure the charts are secure. Once you’re online, it’s a completely different world,” Sjrogen said. You can ensure an effective and adequate compliance program by selecting a person in your organization to serve as a compliance officer. The compliance officer then has the responsibility to oversee the compliance program’s implementation and allocate the necessary resources to help it succeed. Provide Regular Staff Training and Education Assigning a compliance officer and connecting with reliable and compliant software vendors isn’t enough to having a compliant telehealth program. Your practice should also conduct regular training sessions to educate anyone who works for or with your practice on compliance policies. Examples of those who should receive continuing education include: Through regular webinars, newsletters, memos, and other methods, your employees can refresh their knowledge and standard operating procedures.