Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) had a major impact on billing and coding. This significant law was passed in 1996 and phased in over several years. It:
- Defined electronic standard for medical billing
- Mandated ICD-10 diagnosis codes
- Established provider and payer identification standards (NPI)
- Established fines and prison terms for fraud and abuse
- Established standards for protecting privacy and security of patient information
Privacy & Security Standards
HIPAA Administrative Simplification established requirements for protecting patient health information in three categories:
- The Privacy Rule defines requirements for protecting and disclosing protected health information (PHI). It applies to covered entities and their business associates.
- The Security Rule complements the Privacy Rule and establishes administrative, physical, and technical safeguard requirements for protecting PHI.
- Electronic data standards establish the formats and code sets for the electronic transmission of health information (ANSI X12).
Protecting Patient Information
When communicating verbally, make sure conversations are private and cannot be overheard. Any discussion involving Protected Health Information (PHI) should include only those authorized to know.
When communicating electronically, systems should have appropriate physical, administrative, and technical safeguards in place to protect the confidentiality, integrity, and availability of the ePHI.
When faxing any document containing PHI, be very careful. It is recommended that protected information be faxed only when there is an immediate need to obtain records for treatment authorization, and that a confidentiality notice be placed on the fax cover page.
Locate printers or fax machines used for PHI in secure areas that are only available to those with a need to know.
Patient information may not be disclosed or released unless authorized by the patient.
Working Remotely
Health care providers, their staff, and any business associates or contractors may remotely access electronic health information. This includes the use of mobile devices to access electronic protected health information (ePHI).
The appropriate physical, administrative, and technical safeguards must be in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud.
Business Associate agreements must be in place with any third-party service providers for the device and/or the cloud that will have access to the ePHI.
Fraud & Abuse
The federal government defines fraud as knowingly or willfully executing, or attempting to execute, a scheme to defraud any health care benefit program.
Fraud is intentional deception or misrepresentation of the services or procedures performed by a provider in an attempt to obtain or increase payment. Fraud is punishable by criminal conviction and fines.
Abuse is not considered as serious because it typically results from ignorance or a lack of awareness of proper coding and billing guidelines. When abuse is detected, it typically results in recovered or adjusted payments, possible suspension from insurance payers' programs, or, in more severe cases, financial penalties.
Examples of Fraud and Abuse
FRAUD
- Altering medical records to justify fraudulent charges.
- Billing for services not provided.
- Changing dates of service.
- Deliberately billing for the same service twice, such as billing two separate insurance payers or patients for one service.
- Receiving bribes or kickbacks in return for referrals.
- Forgiving the deductible or copay.
- Upcoding, as described in the Coding lesson.
- Unbundling charges.
- Using another patient's insurance to obtain medical care.
- Omitting relevant information from a claim, such as secondary insurance.
ABUSE
- Excessive charges.
- Unnecessary tests.
- Unnecessary referrals.
- Unnecessary follow-up visits.
- Billing Medicare patients at a higher rate than other patients.
- Requiring patients to waive their rights to Medicare coverage and to pay for services covered by Medicare.
- Failing to refund excessive charges.
- Requiring patient payments for services not previously billed.
Consequences
HIPAA set the following penalties:
- Fines of $20,000 per false claim, plus triple damages.
- Imprisonment of up to 10 years for fraud.
- A $100,000 fine and a maximum of 10 years' imprisonment for Medicare or Medicaid kickback schemes.
Another federal law that affects billing and coding is the Health Information Technology for Economic and Clinical Health Act (HITECH). It:
- Strengthened and enhanced HIPAA privacy and protection rights.
- Requires Business Associates to comply with HIPAA.
- Requires notification when an unauthorized disclosure of PHI occurs.
- Increased civil penalties for HIPAA violations to a maximum of $50,000 per violation.
- Set the maximum penalty for violations at $1.5 million.
Fraud and abuse can be prosecuted under a variety of federal and state laws.
Medicare frequently investigates and prosecutes providers who abuse or manipulate the system.