Chapter 5 Flashcards

Legal Aspects of Health Insurance and Reimbursement

1
Q

Abuse

A

actions inconsistent with accepted, sound medical, business, or fiscal practices

2
Q

ANSI ASC X12N 837

A

Electronic format supported for health care claim transaction

3
Q

audit

A

objective evaluation to determine the accuracy of submitted financial statements

4
Q

authorization

A

document that provides official instruction, such as the customized document that gives covered entities permission to use specific protected health information (PHI) for specified purposes or to disclose PHI to a third party specified by the individual

5
Q

black box edit

A

nonpublished code edits, which were discontinued in 2000

6
Q

breach of confidentiality

A

unauthorized release of patient information to a third party

7
Q

case law

A

also called common law; based on a court decision that establishes a precedent

8
Q

civil law

A

area of law not classified as criminal

9
Q

Clinical Data Abstracting Center (CDAC)

A

requests and screens medical records for the Payment Error Prevention Program (PEPP) to survey samples for medical review, DRG validation, and medical necessity

10
Q

CMS Internet-only manual (IOM)

A

includes program issuances, day-to-day operating instructions, policies, and procedures that are based on statutes, regulations, guidelines, models, and directives; used by CMS program components, providers, contractors, Medicare Advantage organizations, and state survey agencies to administer CMS programs; also called CMS ONLINE MANUAL SYSTEM

11
Q

CMS Online Manual System

A

see CMS Internet-only manual

12
Q

CMS quarterly provider update (QPU)

A

an online CMS publication that contains information about regulations and major policies currently under development, regulations and major policies completed or cancelled, and new or revised manual instructions

13
Q

CMS transmittal

A

document published by Medicare containing new and changed policies and/or procedures that are to be incorporated into a specific CMS program manual (e.g., Medicare Claims Processing Manual); cover page (or transmittal page) summarizes new and changed material, and subsequent pages provide details; transmittals are sent to each Medicare administrative contractor

14
Q

common law

A

also called case law; is based on a court decision that establishes a precedent

15
Q

compliance program

A

internal policies and procedures that an organization follows to meet mandated requirements

16
Q

Comprehensive Error Rate Testing (CERT) program

A

assesses and measures improper Medicare fee-for-service payments (based on reviewing selected claims and associated medical record documentation)

17
Q

Conditions for Coverage (CFC)

A

health and safety regulations that health care organizations, such as end-stage renal disease facilities, must meet in order to begin and continue participating in the Medicare and Medicaid programs

18
Q

Conditions of Participation (CoP)

A

health and safety regulations that health care organizations, such as hospitals, must meet in order to begin and continue participating in the Medicare and Medicaid programs

19
Q

confidentiality

A

restricting patient information access to those with proper authorization and maintaining the security of patient information

20
Q

criminal law

A

public law governed by statute or ordinance that deals with crimes and their prosecution

21
Q

Current Dental Terminology (CDT)

A

medical code set maintained and copyrighted by the American Dental Association

22
Q

decrypt

A

to decode an encoded computer file so that it can be viewed

23
Q

deeming

A

CMS recognition of accreditation organization (e.g., The Joint Commission) standards that meet or exceed CoP and CfC requirements

24
Q

Deficit Reduction Act of 2005

A

created Medicaid Integrity Program (MIP), which increased resources available to CMS to combat abuse, fraud, and waste in the Medicaid program. Congress requires annual reporting by CMS about the use and effectiveness of funds appropriated for the MIP

25
Q

deposition

A

legal proceeding during which a party answers questions under oath (but not in open court)

26
Q

digital

A

application of mathematical function to an electronic document to create a computer code that can be encrypted (encoded)

27
Q

electronic Clinical Quality Measure (eCQM)

A

processes, observations, treatments, and outcomes that quantify the quality of care provided by health care systems; measuring such data helps ensure that care is delivered safely, effectively, equitably, and timely

28
Q

electronic transaction standards

A

also called transactions rule; a uniform language for electronic data interchange

29
Q

encrypt

A

to convert information to a secure language format for transmission

30
Q

encrypt

A

to convert information to a secure language format for transmission

31
Q

False Claims Act (FCA)

A

passed by the federal government during the Civil War to regulate fraud associated with military contractors selling supplies and equipment to the Union Army

32
Q

Federal Claims Collection Act (FCCA)

A

requires Medicare administrative contractors (previously called carriers and fiscal intermediaries), as agents of the federal government, to attempt the collection of overpayments

33
Q

Federal Register

A

legal newspaper published every business day by the National Archives and Records Administration (NARA)

34
Q

First-look Analysis for Hospital Outlier Monitoring (FATHOM)

A

data analysis tool, which provides administrative hospital and state-specific data for specific CMS target areas

35
Q

fraud

A

intentional deception or misrepresentation that could result in an unauthorized payment

36
Q

Health Care Fraud Prevention and Enforcement Action Team (HEAT)

A

joint effort between the Department of Health and Human Services and the Department of Justice to fight health care fraud by increasing coordination, intelligence sharing, and training among investigators, agents, prosecutors, analysts, and policymakers; implemented as a result of the Patient Protection and Affordable Care Act (also called Obamacare)

37
Q

Hospital Inpatient Quality Reporting (Hospital IQR) program

A

developed to equip consumers with quality of care information so they can make more informed decisions about health care options; requires hospitals to submit specific quality measures data about health conditions common among Medicare beneficiaries and that typically result in hospitalization; eligible hospitals that do not participate in the Hospital IQR program will receive an annual market basket update with a 2.0 percentage point reduction; part of the Medicare Prescription Drug, Improvement, and Modernization Act (MMA) of 2003. (The Hospital IQR program was previously called the Reporting Hospital Quality Data for Annual Payment Update program.)

38
Q

Hospital Outpatient Quality Reporting Program (Hospital OQR)

A

a “pay for the quality data reporting program” that was implemented by CMS for outpatient hospital services (as part of the Tax Relief and Health Care Act of 2006)

39
Q

Hospital Payment Monitoring Program (HPMP)

A

measures, monitors, and reduces the incidence of Medicare fee-for-service payment errors for short-term, acute, inpatient PPS hospitals

40
Q

hospital value-based purchasing (VBP) program

A

health care reform measure that promotes better clinical outcomes and patient experiences of care; effective October 2012, hospitals receive reimbursement for inpatient acute care services based on care quality (instead of the quantity of the services provided)

41
Q

Improper Payments Information Act of 2002 (IPIA)

A

established the Payment Error Rate Measurement (PERM) program to measure improper payments in the Medicaid program and the Children’s Health Insurance Program (CHIP); Comprehensive Error Rate Testing (CERT) program to calculate the paid claims error rate for submitted Medicare claims by randomly selecting a statistical sample of claims to determine whether claims were paid properly (based on reviewing selected claims and associated medical record documentation); and the Hospital Payment Monitoring Program (HPMP) to measure, monitor, and reduce the incidence of Medicare fee-for-service payment errors for short-term, acute care at inpatient PPS hospitals

42
Q

interrogatory

A

document containing a list of questions that must be answered in writing

43
Q

listserv

A

subscriber-based question-and-answer forum that is available through e-mail

44
Q

Medicaid integrity contractor (MIC)

A

CMS-contracted entities that review provider claims, audit providers and others, identify overpayments, and educate providers, managed care entities, beneficiaries, and others with respect to payment integrity and quality of care

45
Q

Medicaid Integrity Program (MIP)

A

increased resources available to CMS to combat fraud, waste, and abuse in the Medicaid program; Congress requires annual reporting by CMS about the use and effectiveness of funds appropriated for the MIP

46
Q

medical identity theft

A

occurs when someone uses another person’s name and/or insurance information to obtain medical and/or surgical treatment, prescription drugs, and medical durable equipment; it can also occur when dishonest people who work in a medical setting use another person’s information to submit false bills to health care plans

47
Q

medical review (MR)

A

defined by CMS as a review of claims to determine whether services provided are medically reasonable and necessary, as well as to follow up on the effectiveness of previous corrective actions

48
Q

Medicare administrative contractor (MAC)

A

an organization (e.g., third-party payer) that contracts with CMS to process claims and perform program integrity tasks for Medicare Part A and Medicare Part B, home health and hospice, and DMEPOS; each contractor makes program coverage decisions and publishes a newsletter, which is sent to providers who receive Medicare reimbursement. Medicare transitioned fiscal intermediaries and carriers to create Medicare administrative contractors (MACs)

49
Q

Medicare Drug Integrity Contractors (MEDIC) Program

A

implemented in 2011; assists with CMS audit, oversight, anti-fraud, and anti-abuse efforts by identifying cases of Medicare Part D fraud, thoroughly investigating the cases, and taking appropriate action

50
Q

Medicare Integrity Program (MIP)

A

authorizes CMS to enter into contracts with entities to perform cost report auditing, medical review, anti-fraud activities, and the Medicare Secondary Payer (MSP) program

51
Q

Medicare Shared Savings Program

A

as mandated by the Patient Protection and Affordable Care Act (PPACA), CMS established Medicare shared savings programs to facilitate coordination and cooperation among providers to improve quality of care for Medicare fee-for-service beneficiaries to reduce unnecessary costs; accountable care organizations (ACOs) were created by eligible providers, hospitals, and suppliers to coordinate care, and they are held accountable for the quality, cost, and overall care of traditional fee-for-service Medicare beneficiaries assigned to the ACO

52
Q

merit-based incentive payment system (MIPS)

A

eliminated PQRS, value-based payment modifier, and the Medicare EHR incentive program, creating a single program based on quality, resource use, clinical practice improvement, and meaningful use of certified EHR technology.

53
Q

message digest

A

representation of text as a single string of digits, which was created using a formula; for the purpose of electronic signatures, the message digest is encrypted (encoded) and appended (attached) to an electronic document

54
Q

National Drug Code (NDC)

A

maintained by the Food and Drug Administration (FDA); identifies prescription drugs and some over-the-counter products

55
Q

National Individual Identifier

A

unique identifier to be assigned to patients has been put on hold. Several bills in Congress would eliminate the requirement to establish a National Individual Identifier

56
Q

National Plan and Provider Enumeration System (NPPES)

A

developed by CMS to assign unique identifiers to health care providers (NPI)

57
Q

National Practitioner Data Bank (NPDB)

A

implemented by Health Care Quality Improvement Act (HCQIA) of 1986 to improve quality of health care by encouraging state licensing boards, hospitals, and other health care entities and professional societies to identify and discipline those who engaged in unprofessional behavior; restricts ability of incompetent physicians, dentists, and other health care practitioners to move from state to state without disclosure or discovery of previous medical malpractice payment and adverse action history; impacts licensure, clinical privileges, and professional society memberships as a result of adverse actions; includes Health Integrity and Protection Data Base (HIPDB), originally established by HIPAA, to further combat fraud and abuse in health insurance and health care delivery by serving as a national data collection program for reporting and disclosing certain final adverse actions taken against health care practitioners, providers, and all suppliers

58
Q

National Provider Identifier (NPI)

A

unique identifier assigned to health care providers as a 10-digit numeric identifier, including a check digit in the position

59
Q

National Standard Employer Identification Number (EIN)

A

unique identifier assigned to employers who, as sponsors of health insurance for their employees, need to be identified in health care transactions; it is the federal employer identification number (EIN) assigned by the Internal Revenue Service (IRS) and has nine digits with a hyphen (00-0000000); EIN assignment by the IRS began in January 1998

60
Q

National Standard Format (NSF)

A

flat-file format used to bill provider and non-institutional services, such as services reported by a general practitioner on a CMS-1500 claim

61
Q

overpayment

A

funds that a provider or beneficiary has received in excess of amounts due and payable under Medicare and Medicaid statutes and regulations

62
Q

Part A/B Medicare administrative contractor (A/B MAC)

A

see Medicare administrative contractor

63
Q

Patient Safety and Quality Improvement Act

A

amends Title IX of the Public Health Service Act to provide for improved patient safety by encouraging voluntary and confidential reporting of events that adversely affect patients; creates patient safety organizations (PSOs) to collect, aggregate, and analyze confidential information reported by health care providers; and designates information reported to PSOs as privileged and not subject to disclosure (except when a court determines that the information contains evidence of a criminal act or each provider identified in the information authorizes disclosure)

64
Q

Payment Error Prevention Program (PEPP)

A

required facilities to identify and reduce improper Medicare payment error rate. The hospital payment monitoring program (HPMP) replaced PEPP in 2002

65
Q

payment error rate

A

number of dollars paid in error out of total dollars paid for inpatient prospective payment system services

66
Q

Payment Error Rate Measurement (PERM) program

A

measures improper payments in the Medicaid program and the Children’s Health Insurance Program (CHIP)

67
Q

physician self-referral law

A

see Stark I

68
Q

Physicians at Teaching Hospitals (PATH)

A

HHS implemented audits in 1995 to examine the billing practices of physicians at teaching hospitals; the focus was on two issues: (1) compliance with the Medicare rule affecting payment for physician services provided by residents (e.g., whether a teaching physician was present for Part B services billed to Medicare between 1990 and 1996), and (2) whether the level of the physician service was coded and billed properly

69
Q

precedent

A

standard

70
Q

privacy

A

right of individuals to keep their information from being disclosed to others

71
Q

Privacy Act of 1974

A

forbids the Medicare regional payer from disclosing the status of any unassigned claim beyond the following: date the claim was received by the payer; date the claim was paid, denied, or suspended; or general reason the claim was suspended

72
Q

privacy rule

A

HIPAA provision that creates national standards to protect individuals’ medical records and other personal health information

73
Q

privileged communication

A

private information shared between a patient and health care provider; disclosure must be in accordance with HIPAA and/or individual state provisions regarding the privacy and security of protected health information (PHI)

74
Q

Program for Evaluating Payment Patterns Electronic Report (PEPPER)

A

contains hospital-specific administrative claims data for a number of CMS-identified problem areas (e.g., specific DRGs, types of discharges); a hospital uses PEPPER data to compare its performance with that of other hospitals

75
Q

protected health information

A

information that is identifiable to an individual (or individual identifiers) such as name, address, telephone numbers, date of birth, Medicaid ID number, medical record number, Social Security Number (SSN), and name of employer

76
Q

qui tam

A

abbreviation for the Latin phrase qui tam pro domino rege quam pro sic ipso in hoc parte sequitur, which means “who as well for the king as for himself sues in this matter”; it is a provision of the False Claims Act that allows a private citizen to file a lawsuit in the name of the U.S. government, charging fraud by government contractors and other entities

77
Q

record retention

A

storage of documentation for an established period of time, usually mandated by federal and/or state law; its purpose is to ensure the availability of records for use by government agencies and other third parties

78
Q

Recovery Audit Contractor (RAC) program

A

mandated by the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) to find and correct improper Medicare payments paid to health care providers participating in fee-for-service Medicare

79
Q

regulations

A

guidelines written by administrative agencies (e.g., CMS)

80
Q

release of information (ROI)

A

ROI by a covered entity (e.g., provider’s office) about protected health information (PHI) requires the patient (or representative) to sign an authorization to release information, which is reviewed for authenticity (e.g., comparing signature on authorization form to documents signed in the patient record) and processed within a HIPAA-mandated 60-day time limit; requests for ROI include those from patients, physicians, and other health care providers; third-party payers; Social Security Disability attorneys; and so on

81
Q

release of information log

A

used to document patient information released to authorized requestors; data is entered manually (e.g., three-ring binder) or using ROI tracking software

82
Q

security

A

involves the safekeeping of patient information by controlling access to hard copy and computerized records; protecting patient information from alteration, destruction, tampering, or loss; providing employee training in confidentiality of patient information; and requiring employees to sign a confidentiality statement that details the consequences of not maintaining patient confidentiality.

83
Q

security rule

A

HIPAA standards and safeguards that protect health information collected, maintained, used, or transmitted electronically; covered entities affected by this rule include health plans, health care clearinghouses, and certain health care providers

84
Q

Stark I

A

responded to concerns about physicians’ conflicts of interest when referring Medicare patients for a variety of services; prohibits physicians from referring Medicare patients to clinical laboratory services in which the physician or a member of the physician’s family has a financial ownership/investment interest and/or compensation arrangement; also called physician self-referral law

85
Q

statutes

A

also called statutory law; laws passed by legislative bodies (e.g., federal Congress and state legislatures)

86
Q

subpoena

A

an order of the court that requires a witness to appear at a particular time and place to testify

87
Q

subpoena duces tecum

A

requires documents (e.g., patient record) to be produced

88
Q

Tax Relief and Health Care Act of 2006 (TRHCA)

A

created the hospital outpatient quality reporting program (hospital OQR) that is a “pay for quality data reporting program” implemented by CMS for outpatient hospital services

89
Q

UB-04 flat file

A

series of fixed-length records used to bill institutional services, such as services performed in hospitals

90
Q

unique bit string

A

computer code that creates an electronic signature message digest that is encrypted (encoded) and appended (attached) to an electronic document (e.g., CMS-1500 claim)

91
Q

upcoding

A

assignment of an ICD-10-CM diagnosis code that does not match patient record documentation for the purpose of illegally increasing reimbursement (e.g., assigned the ICD-10 code for heart attack when angina was actually documented in the record)

92
Q

whistleblower

A

individual who makes specified disclosures relating to the use of public funds, such as Medicare payments. ARRA legislation prohibits retaliation (e.g., termination) against such employees who disclose information that they believe is evidence of gross mismanagement of an agency contract or grant relating to covered funds and so on.

93
Q

Zone Program Integrity Contractor (ZPIC)

A

program implemented in 2009 by CMS to review billing trends and patterns, focusing on providers whose billing for Medicare services is higher than the majority of providers in the community. ZPICs are assigned to the Medicare administrative contractor (MAC) jurisdictions, replacing Program Safeguard Contracts (PSCs)

94
Q

Overview of Laws and Regulations

A

Federal and state statutes (or statutory law) are laws passed by legislative bodies (e.g., federal Congress and state legislatures).

95
Q

These laws are then implemented as regulations,

A

which are guidelines written by administrative agencies (e.g., CMS).

96
Q

Case law (or common law)

A

is based on court decisions that establish a precedent (or standard) (see example below)

97
Q

Example

A

When originally passed, New York State Public Health Law (PHL) sections 17 and 18 allowed a reasonable charge to be imposed for copies of patient records. Health care facilities, therefore, charged fees for locating the patient’s record and making copies. These fees were later challenged in court, and reasonable charge language in the PHL was interpreted in Hernandez v. Lutheran Medical Center (1984), Ventura v. Long Island Jewish Hillside Medical Center (1985), and Cohen v. South Nassau Communities Hospital (1987). The original interpretation permitted charges of $1.00 to $1.50 per page, plus a search and retrieval fee of $15. However, sections 17 and 18 of the PHL were amended in 1991 when the phrase, “the reasonable fee for paper copies shall not exceed seventy-five cents per page” was added to the law.

98
Q

Federal laws and regulations affect health care in that they govern programs such as

A

Medicare, Medicaid, TRICARE, and Federal Employees Health Benefit Plans (FEHBP). State laws regulate insurance companies, record-keeping practices, and provider licensing. State insurance departments determine coverage issues for insurance policies (contracts) and state workers’ compensation plans

99
Q

civil law

A

deals with all areas of law that are not classified as criminal

100
Q

criminal law

A

is public law (statute or ordinance) that defines crimes and their prosecution

101
Q

subpoena

A

is an order of the court that requires a witness to appear at a particular time and place to testify.

102
Q

subpoena duces tecum

A

requires documents (e.g., patient record) to be produced. A subpoena is used to obtain witness testimony at trial and at deposition, which is testimony under oath taken outside of court (e.g., the provider’s office). In civil cases (e.g., malpractice), the provider might be required to complete an interrogatory, which is a document containing a list of questions that must be answered in writing.

103
Q

Qui tam

A

is an abbreviation for the Latin phrase qui tam pro domino rege quam pro sic ipso in hoc parte sequitur, meaning “who as well for the king as for himself sues in this matter”. It is a provision of the Federal False Claims Act, which allows a private citizen to file a lawsuit in the name of the U.S. government, charge government contractors and other entities that receive or use government funds with fraud, and share in any money recovered. Common defendants in qui tam actions involving Medicare/Medicaid fraud include physicians, hospitals, HMOs, and clinics

104
Q

To accurately process health insurance claims, especially for government programs like Medicare and Medicaid, you should become familiar with the Code of Federal Regulations.

A

Providers and health insurance specialists can locate legal and regulatory issues found in such publications as the Federal Register and Medicare Bulletin.

105
Q

The Federal Register

A

is a legal newspaper published every business day by the National Archives and Records Administration (NARA). It is available in paper form, on microfiche, and online

106
Q

Example 1

A

When originally passed, New York State Public Health Law (PHL) sections 17 and 18 allowed a reasonable charge to be imposed for copies of patient records. Health care facilities, therefore, charged fees for locating the patient’s record and making copies. These fees were later challenged in court, and reasonable charge language in the PHL was interpreted in Hernandez v. Lutheran Medical Center (1984), Ventura v. Long Island Jewish Hillside Medical Center (1985), and Cohen v. South Nassau Communities Hospital (1987). The original interpretation permitted charges of $1.00 to $1.50 per page, plus a search and retrieval fee of $15. However, sections 17 and 18 of the PHL were amended in 1991 when the phrase, “the reasonable fee for paper copies shall not exceed seventy-five cents per page” was added to the law.

107
Q

Example 2

A

Federal Statute, Implemented as a Federal Regulation, and Published in the Federal Register

Congress passed the Balanced Budget Refinement Act of 1999 (Public Law No. 106-113), which called for a number of revisions to Medicare, Medicaid, and the State Children’s Health Insurance Program. On May 5, 2000, the Department of Health and Human Services published a proposed rule in the Federal Register to revise the Medicare hospital inpatient prospective payment system for operating costs. This proposed rule was entitled “Medicare Program; Changes to the Hospital Inpatient Prospective Payment Systems and Fiscal Year 2001 Rates; Proposed Rule.” The purpose of publishing the proposed rule is to allow for comments from health care providers. Once the comment period has ended, the final rule is published in the Federal Register.

108
Q

CMS transmittals

A

contain new and changed Medicare policies and/or procedures that are to be incorporated into a specific CMS program manual (e.g., Medicare Claims Processing Manual). The cover page of the transmittal summarizes new and changed material, and subsequent pages provide details.

109
Q

The CMS quarterly provider update (QPU)

A

includes regulations and major policies that have been implemented or canceled and new/revised Internet-only Manual (IOM) instructions

110
Q

The CMS Internet-only manual (IOM) (or Online Manual System)

A

replaced paper-based manuals (except the Provider Reimbursement Manual and the State Medicaid Manual); includes program issuances, day-to-day operating instructions, policies, and procedures that are based on statutes, regulations, guidelines, models, and directives; and is used by CMS program components, providers, contractors, Medicare Advantage organizations, and state survey agencies to administer CMS programs. The transmittals are sent to each Medicare administrative contractor (MAC) (or Part A/B Medicare administrative contractor, abbreviated as A/B MAC), which is an organization (e.g., insurance company) that contracts with CMS to process fee-for-service health care claims and perform program integrity tasks for both Medicare Part A and Part B. MACs also process home health and hospice claims (HHH MACs). (DMEPOS MACs are covered in Chapter 8 of this textbook.) Each contractor makes program coverage decisions and publishes a newsletter, which is sent to providers who receive Medicare reimbursement.

111
Q

Membership in professional associations can also prove helpful in accessing up-to-date information about the health insurance industry. Newsletters and journals published by professional associations routinely include articles that clarify implementation of new legal and regulatory mandates.

A

They also provide resources for obtaining the most up-to-date information about such issues. Another way to remain current is to subscribe to a listserv, a subscriber-based question-and-answer forum available through e-mail

112
Q

listserv

A

subscriber-based question-and-answer forum that is available through e-mail

113
Q

The Centers for Medicare and Medicaid Services (CMS) publishes Conditions of Participation (CoP) and Conditions for Coverage (CfC)

A

which are requirements that health care organizations must meet in order to begin and continue participating in the Medicare and Medicaid programs (Medicare and Medicaid participation allows health care organizations to be reimbursed for procedures and services provided to patients).

114
Q

These health and safety regulations are the foundation for improving quality of patient care and protecting the health and safety of patients. CMS also ensures that accreditation organization standards (e.g., The Joint Commission) are recognized by CMS through a process called deeming, which requires that standards meet or exceed CoP and CfC requirements.

A

See below for the CoP requirements

115
Q

Conditions of Participation are met by the following:

A

-Clinics, rehabilitation agencies, and public health agencies as providers of outpatient physical therapy and speech-language pathology services
-Community mental health centers (CMHCs)
-Comprehensive outpatient rehabilitation facilities (CORFs)
-Critical access hospitals (CAHs)
-Home health agencies
-Hospices
-Hospital swing beds
-Hospitals
-Intermediate care facilities for individuals with intellectual disabilities (ICF/IID)
-Programs for all-inclusive care for the elderly organizations (PACE)
-Psychiatric hospitals
-Religious nonmedical health care institutions
-Transplant Centers

116
Q

Conditions for Coverage are met by the following:

A

-Ambulatory surgical centers (ASCs)
-End-stage renal disease facilities
-Federally qualified health centers
-Long-term care facilities
-Occupational therapists in independent practice
-Organ procurement organizations (OPOs)
-Portable x-ray suppliers
-Rural health clinics

117
Q

Federal Laws and Events that Affect Health Care

A

The health care industry is heavily regulated by federal and state legislation.

118
Q

1863 - False Claims Act (FCA)

A

-regulated fraud associated with military contractors selling supplies and equipment to the Union Army
-Used by federal agencies to regulate the conduct of any contractor that submits claims for payment to the federal government for any program (e.g., Medicare)
-Civil monetary penalties (CMPs) are adjusted annually for inflation and impose a maximum (e.g., $23,331 in 2020) per false claim, plus three times the amount of damages that the government sustains; civil liability on those who submit false or fraudulent claims to the government for payment; and exclusion of violators from participation in Medicare and Medicaid.
NOTE: Federal Statute, Implemented as a Federal Regulation, and Published in the Federal Register

Congress passed the Balanced Budget Refinement Act of 1999 (Public Law No. 106-113), which called for a number of revisions to Medicare, Medicaid, and the State Children’s Health Insurance Program. On May 5, 2000, the Department of Health and Human Services published a proposed rule in the Federal Register to revise the Medicare hospital inpatient prospective payment system for operating costs. This proposed rule was entitled “Medicare Program; Changes to the Hospital Inpatient Prospective Payment Systems and Fiscal Year 2001 Rates; Proposed Rule.” The purpose of publishing the proposed rule is to allow for comments from health care providers. Once the comment period has ended, the final rule is published in the Federal Register.

119
Q

1906 - Food and Drug Act

A

-authorized federal government to monitor the purity of foods and the safety of medicines
-Now a responsibility of the Food and Drug Administration (FDA)

120
Q

1935 - Social Security Act (SSA)

A

-included unemployment insurance, old-age assistance, aid to dependent children, and grants to states to provide various forms of medical care
-Amended in 1965 to add disability coverage and medical benefits

121
Q

1946 - Hill-Burton Act (or Hospital Survey and Construction Act)

A

-Provided federal grants to modernize hospitals that had become obsolete due to lack of capital investment through the period of the Great Depression and World War II (1929-1945)
-Required facilities to provide free or reduced-charge medical services to persons residing in the area who were unable to pay, in return for federal funds
-Program now addresses other types of infrastructure needs, and it is managed by the Health Resources and Services Administration (HRSA), within the Department of Health and Human Services (DHHS)

122
Q

1962 - Migrant Health Act

A

-provided medical and support services to migrant and seasonal farm workers and their families

123
Q

1965 - Social Security Act Amendments

A

-Created Medicare and Medicaid programs, making comprehensive health care available to millions of Americans
-Established CoP and CfC, which are federal regulations that health care facilities must comply with to participate in (receive reimbursement from) the Medicaid and Medicare programs; physicians must comply with billing and payment regulations published by CMS

124
Q

1966 - Federal Claims Collection Act (FCCA)

A

required carriers (processed Medicare Part B claims) and fiscal intermediaries (processed Medicare Part A claims), both of which were replaced by Medicare administrative contractors (that administer the Medicare fee-for-service program), to attempt the collection of overpayments (funds a provider or beneficiary receives in excess of amounts due and payable under Medicare and Medicaid)

125
Q

1970 - Occupational Safety and Health Act

A

-created the Occupational Safety and Health Administration (OSHA), whose mission is to ensure safe and healthful workplaces in America
-Since the agency was created in 1971, workplace fatalities have been cut in half and occupational injury and illness rates have declined 40%; at the same time, U.S. employment has doubled from 56 million workers at 3.5 million work sites to 111 million workers at 7 million sites

126
Q

1971 - National Cancer Act (NCA)

A

-Amended the Public Health Service Act of 1798 to more effectively carry out the national effort against cancer
-Part of President Nixon’s “War on Cancer,” which centralized research at the National Institutes of Health (NIH)

127
Q

1972 - Federal Anti-Kickback Law

A

-Protected patients and federal health care programs from fraud and abuse by curtailing the corrupting influence of money on health care decisions
-Violations of the law are punishable by up to 10 years in prison, fines and penalties that are adjusted for inflation (e.g., over $100,000), and exclusion from participation in federal health care programs
-In 1987, DHHS published regulations designating specific “safe harbors” for various payment and business practices that, while potentially prohibited by the law, would not be prosecuted (e.g., investments in group practices)

128
Q

1972 - Drug Abuse and Treatment Act

A

-Required that drug and alcohol abuse patient records be kept confidential and not subject to disclosure except as provided by law
-Applied to federally assisted alcohol or drug abuse programs, which are those that provide diagnosis, treatment, and referral for treatment of drug and/or alcohol abuse.
NOTE: General medical care facilities are required to comply with this legislation only if they have an identified drug/alcohol abuse treatment unit or their personnel provide drug/alcohol diagnosis, treatment, or referral.

129
Q

1972 - Social Security Amendments

A

-Strengthened the utilization review process by creating professional standard review organizations (PSROs), which were independent peer review organizations that monitored the appropriateness, quality, and outcome of the services provided to beneficiaries of the Medicare, Medicaid, and Maternal and Child Health Programs
-PSROs are now called quality improvement organizations (QIOs)

130
Q

1974 - Employee Retirement Income Security Act (ERISA)

A

Ensured that pension and other benefits were provided to employees as promised by employers

131
Q

1974 - Privacy Act of 1974

A

-Implemented to protect the privacy of individuals identified in information systems maintained by federal government hospitals (e.g., military hospitals) and to give individuals access to records concerning themselves
-Does not preempt state laws that are more restrictive.
NOTE: General medical care facilities are required to comply with this legislation only if they have an identified drug/alcohol abuse treatment unit or their personnel provide drug/alcohol diagnosis, treatment, or referral.

132
Q

1975 - Consolidated Omnibus Budget Reconciliation Act (COBRA)

A

-Amended ERISA to include provisions for continuation of health care coverage, which apply to group health plans of employers with two or more employees
-Participants maintain, at their own expense, health care plan coverage that would have been lost due to a triggering event (e.g., termination of employment); cost is comparable to what it would be if they were still members of the employer’s group

133
Q

1977 - Utilization Review Act

A

-Facilitated ongoing assessment and management of health care services
-Required hospitals to conduct continued-stay reviews to determine the medical necessity, appropriateness and efficiency of health care facilities, procedures, and services used to provide care to Medicare and Medicaid patients; this process is also called utilization management

134
Q

1979 - Department of Education Organization Act

A

-Established a separate Department of Education
-Health, Education and Welfare (HEW) became known as the Department of Health and Human Services (DHHS) on May 4, 1980

135
Q

1982 - Peer Review Improvement Act

A

-Replaced PSROs with peer review organizations (PROs) (now called QIOs), which were statewide utilization and quality control peer review organizations
-In 1985, PROs incorporated a focused second-opinion program, which referred certain cases for diagnostic and treatment verification

136
Q

1982 - Tax Equity and Fiscal Responsibility Act (TEFRA)

A

-Established the first Medicare prospective payment system, which was implemented in 1983
-Diagnosis-related groups (DRGs) required acute care hospitals to be reimbursed a predetermined rate according to discharge diagnosis (instead of a per diem rate, which compensated hospitals retrospectively based on charges incurred for the total inpatient length of stay, usually 80 percent of charges).
NOTE: Additional prospective payment systems were implemented in subsequent years for other health care settings

137
Q

1985 - Health Care Quality Improvement Act (HCQIA)

A

-Established the National Practitioner Data Bank (NPDB), which improves the quality of health care by encouraging state licensing boards, hospitals and other health care entities, and professional societies to identify and discipline those who engage in unprofessional behavior; restricts the ability of incompetent physicians, dentists, and other health care practitioners to move from state to state without disclosure or discovery of previous medical malpractice payment and adverse action history; and impacts licensure, clinical privileges, and professional society memberships as a result of adverse actions
-The Healthcare Integrity and Protection Data Bank (HIPDB), established in 1996 as a result of HIPAA, was merged into the NPDB on May 6, 2013; the HIPDB combats fraud and abuse in health insurance and health care delivery by serving as a national data collection program for reporting and disclosing certain final adverse actions taken against health care practitioners, providers, and suppliers
-Authorized entities used Integrated Querying and Reporting Service (IQRS) to report adverse actions and submit a single query to obtain information from the NPDB

138
Q

1987 - Nursing Home Reform Act (part of the Omnibus Budget Reconciliation Act of 1987)

A

-Ensured that residents of nursing homes receive quality care, required the provision of certain services to each resident, and established a Resident’s Bill of Rights
-Allowed nursing homes to receive Medicare and Medicaid payments for long-term care of residents if the homes were certified by the state in which they were located and were in substantial compliance with the requirements of the Nursing Home Reform Act

139
Q

1988 - McKinney Act

A

provided health care to the homeless

140
Q

1989 - Omnibus Budget Reconciliation Act (OBRA 1989)

A

-Enacted a physician self-referral law (or Stark I) that prohibits physicians from referring Medicare patients to clinical laboratory services in which the physicians or their family members had a financial ownership/investment interest and/or compensation arrangement
-In 1994, because some providers routinely waived coinsurance and copayments, the DHHS Office of Inspector General (OIG) issued the following fraud alert: “Routine waiver of deductibles and copayments by charge-based providers, practitioners or suppliers is unlawful because it results in:
1. false claims,
2. violations of the anti-kickback statute, and
3. excessive utilization of items and services paid for by Medicare.”

141
Q

1995 - Physicians at Teaching Hospitals (PATH)

A

-audits implemented by DHHS that examine the billing practices of physicians at teaching hospitals
-focus was on two issues:
1. compliance with the Medicare rule affecting payment for physician services provided by residents (e.g., whether a teaching physician was present for Part B services billed to Medicare between 1990 and 1996),
2. whether the level of the physician service was coded and billed properly

142
Q

Stark II Physician Self-Referral Law

A

-Stark II (physician self-referral law) expanded Stark I by including referrals of Medicare and Medicaid patients for the following designated health care services (DHCS): clinical laboratory services, durable medical equipment and supplies, home health services, inpatient and outpatient services, inpatient and outpatient hospitalization services, occupational therapy services, outpatient prescription drugs, parenteral and enteral nutrients, equipment and supplies, physical therapy services, prosthetics, orthotics and prosthetic devices and supplies, radiation therapy services and supplies, and radiology services, including MRIs, CAT scans, and ultrasound services
-Hospitals must also comply with Stark II regulations because of relationships they establish with physicians
-In 2001, new regulations clarified what a designated health service was and under what circumstances physicians can have a financial relationship with an organization and still make referrals of Medicare patients for services or products provided by that organization
Example:
Home care physicians who served as home health agency medical directors were prohibited from making in excess of $25,000/year if they wanted to make referrals to that agency. That cap was removed in the revised Stark II regulations.

143
Q

1996 - National Correct Coding Initiative (NCCI)

A

Developed by CMS to reduce Medicare program expenditures by detecting inappropriate codes on claims and denying payment for them

144
Q

1996 - Health Insurance Portability and Accountability Act (HIPAA)

A

-Mandated administrative simplification regulations that govern privacy, security, and electronic transaction standards for health care information
-Amended ERISA and COBRA to improve portability and continuity of health insurance coverage in connection with employment; protects health insurance coverage for workers and their families when they change or lose their jobs

Created the Healthcare Integrity and Protection Data Bank (HIPDB), which was merged with the National Practitioner Data Bank (NPDB) on May 6, 2013

Established the Medicare Integrity Program (MIP), which authorizes CMS to enter into contracts with entities to perform cost report auditing, medical review, anti-fraud activities, and the Medicare Secondary Payer (MSP) program

145
Q

1997 - Children’s Health Insurance Program (CHIP)

A

Established a health insurance program for infants, children, and teens that covers health care services such as doctor visits, prescription medicines, and hospitalizations

146
Q

1999 - Payment Error Prevention Program (PEPP)

A

Initiated by DHHS to require facilities to identify and reduce improper Medicare payments and, specifically, the Medicare payment error rate (number of dollars paid in error out of the total dollars paid for inpatient prospective payment system services)

Established Clinical Data Abstracting Centers (CDACs), which became responsible for initially requesting and screening medical records for PEPP surveillance sampling for medical review, DRG validation, and medical necessity; medical review criteria were developed by peer review organizations (now called quality improvement organizations or QIOs)

147
Q

1999 - Ticket to Work and Work Incentives Improvement Act

A

Made it possible for millions of Americans with disabilities to join the workforce without fear of losing their Medicaid and Medicare coverage

Modernized employment services system for people with disabilities

Launched initiative on combating bioterrorism

148
Q

1999 - Program Safeguard Contractors (PSCs)

A

CMS transferred responsibility for fraud and abuse detection from carriers and fiscal intermediaries (FIs) to Program Safeguard Contractors (PSCs). (PSCs were replaced by the Zone Program Integrity Contractor, or ZPIC, program in 2009.)

149
Q

2002 - Improper Payments Information Act of 2002 (IPIA)

A

Established the Payment Error Rate Measurement (PERM) program to measure improper payments in the Medicaid program and the Children’s Health Insurance Program (CHIP)

Established the Comprehensive Error Rate Testing (CERT) program to assess and measure improper Medicare fee-for-service payments (based on reviewing selected claims and associated medical record documentation)

Established the Hospital Payment Monitoring Program (HPMP) to measure, monitor, and reduce the incidence of Medicare fee-for-service payment errors for short-term, acute care, inpatient PPS hospitals, which included development of the:

First-look Analysis for Hospital Outlier Monitoring (FATHOM) data analysis tool, which provides administrative hospital and state-specific data for specific CMS target areas

Program for Evaluating Payment Patterns Electronic Report (PEPPER), which contains hospital-specific administrative claims data for a number of CMS-identified problem areas (e.g., specific DRGs, types of discharges) (A hospital uses PEPPER data to compare their performance with that of other hospitals.)

150
Q

2003 - Medicare Prescription Drug, Improvement and Modernization Act (MMA)

A

Mandated implementation of the Recovery Audit Contractor (RAC) program to find and correct improper Medicare payments paid to health care providers participating in fee-for-service Medicare

CMS created the Zone Program Integrity Contractor (ZPIC) program to review billing trends and patterns, focusing on providers whose billings for Medicare services are higher than the majority of providers in the community. CMS programs for detecting fraud and abuse were originally assigned to carriers and fiscal intermediaries (FIs), all of which were replaced by Medicare administrative contractors (MACs) by 2009. ZPICs are assigned to the MAC jurisdictions, replacing Program Safeguard Contractors (PSCs). (RAC and ZPIC programs were implemented in 2009.)

Developed the Hospital Inpatient Quality Reporting (Hospital IQR) program to equip consumers with quality of care information so they can make more informed decisions about health care options. The Hospital IQR program requires hospitals to submit specific quality measures data about health conditions common among Medicare beneficiaries and that typically result in hospitalization. Eligible hospitals that do not participate in the Hospital IQR program will receive an annual market basket update with a 2.0 percentage point reduction. (The Hospital IQR program was previously called the Reporting Hospital Quality Data for Annual Payment Update program.)

151
Q

2003 - FACT Act

A

The Fair and Accurate Credit Transaction Act of 2003 (FACT Act) includes the Federal Trade Commission’s Identity Theft Red Flags Rule (or Red Flags Rule), which requires businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs (or red flags) of identity theft in their day-to-day operations. Health care organizations are required to comply with the Red Flags Rule because they extend credit to patients. Their Identity Theft Prevention Program will help prevent medical identity theft, which occurs when someone uses another person’s name and/or insurance information to obtain medical and/or surgical treatment, prescription drugs, and medical durable equipment; it can also occur when dishonest people who work in a medical setting use another person’s information to submit false bills to health care plans. The program must include the following four criteria:

(1) what patterns, practices, or specific activities the business or organization will identify as red flags indicating potential identity theft;

(2) how the business or organization intends to detect the red flags it has identified;

(3) how the business or organization will respond to the detection of a red flag it has identified; and

(4) how the business or organization intends to evaluate the success of its program and maintain it in the future.

152
Q

2005 - Patient Safety and Quality Improvement Act

A

Amends Title IX of the Public Health Service Act to provide for improved patient safety by encouraging voluntary and confidential reporting of events that adversely affect patients (e.g., preventable medical errors known as never events or adverse events, which include surgery performed on the wrong site, medications administered in error, and so on)

Creates Patient Safety Organizations (PSOs) to collect, aggregate, and analyze confidential information reported by health care providers

Designates information reported to PSOs as privileged and not subject to disclosure (except when a court determines that the information contains evidence of a criminal act or each provider identified in the information authorizes disclosure)

153
Q

2005 - Deficit Reduction Act of 2005

A

Created the Medicaid Integrity Program (MIP), which increased resources available to CMS to combat abuse, fraud, and waste in the Medicaid program. CMS contracts with Medicaid integrity contractors (MICs) to review provider claims, audit providers and others, identify overpayments, and educate providers, managed care entities, beneficiaries, and others with respect to payment integrity and quality of care

154
Q

2006 - Tax Relief and Health Care Act of 2006 (TRHCA)

A

Created the Hospital Outpatient Quality Reporting Program (Hospital OQR), a “pay for quality data reporting program” that was implemented by CMS for outpatient hospital services; also created the Physician Quality Reporting System, which was replaced by Merit-based Incentive Payment System (MIPS) in 201

155
Q

2007 - MEDIC

A

The Medicare Drug Integrity Contractor (MEDIC) was created to detect and prevent fraud, waste, and abuse of Medicare Part D (prescription drug coverage) and Medicare Part C (Medicare Advantage). The MEDIC works under the direction of CMS’s Center for Program Integrity (PI).

156
Q

2008 - MIPPA

A

The Medicare Improvements for Patients and Providers Act (MIPPA) amended Titles XVIII (Medicare) and XIX (Medicaid) of the Social Security Act to extend expiring provisions under the Medicare program, improve beneficiary access to preventive and mental health services, enhance low-income benefit programs, and maintain access to care in rural areas including pharmacy access

157
Q

2009 - ARRA

A

The American Recovery and Reinvestment Act (ARRA) protects whistleblowers, who are individuals that make specified disclosures relating to funds covered by the act (e.g., Medicare payments). ARRA prohibits retaliation (e.g., termination) against such employees who disclose information that they believe is:

Evidence of gross mismanagement of an agency contract or grant relating to covered funds

A gross waste of covered funds

A substantial and specific danger to public health or safety related to the implementation or use of covered funds

An abuse of authority related to the implementation or use of covered funds

A violation of law, rule, or regulation related to an agency contract or grant awarded or issued relating to covered funds

158
Q

2009 - HITECH Act

A

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009 published final rules in the January 2013 Federal Register, which impact the HIPAA privacy and security rules. (Content about specific provisions is included in the HITECH Act section of this chapter.)

159
Q

2010 - PPACA

A

The Patient Protection and Affordable Care Act (PPACA) implemented the hospital value-based purchasing (VBP) program to promote better clinical outcomes and patient experiences of care. Value-based incentive payments are made to hospitals that meet performance standards with respect to a performance period for the fiscal year involved. Thus, reimbursement for inpatient acute care services is based on care quality (instead of quantity of services provided). The program’s measures are a subset of those adopted for the Hospital Inpatient Quality Reporting Program (Hospital IQR program).

The hospital reimbursement repayment program was implemented to require CMS to reduce payments to IPPS hospitals with excess readmissions using readmission measures, such as defining a readmission as the admission of a patient to a subsection (d) hospital (general, acute care, short-term hospital) within 30 days of a previous discharge from the same or another subsection (d) hospital.

The risk adjustment program was implemented to lessen or eliminate the influence of risk selection on premiums charged by health plans and was discussed in Chapter 3 of this textbook.

2011

MEDIC

The Medicare Drug Integrity Contractors (MEDIC) Program was implemented to assist with CMS audit, oversight, anti-fraud, and anti-abuse efforts related to the Medicare Part D benefit. The goal is to identify cases of suspected fraud, investigate them thoroughly and in a timely manner, and take immediate action to ensure that the Medicare Trust Fund does not inappropriately pay claims and that inappropriate payments are recommended for recoupment.

Medicare Access and CHIP Reauthorization Act

Implemented the merit-based incentive payment system (MIPS), which combines parts of PQRS, value-based payment modifier, and the Medicare EHR incentive program into a single program based on quality, resource use, clinical practice improvement, and meaningful use of certified EHR technology.

160
Q

2017 - Electronic Clinical Quality Measures (eCQMs)

A

Integration of eCQI Resource Center and USHIK allows users to compare different versions and metadata of electronic Clinical Quality Measures (eCQMs), which are processes, observations, treatments, and outcomes that quantify the quality of care provided by health care systems. Measuring such data helps ensure that care is delivered safely, effectively, equitably, and timely. eCQMs contain measures and specifications for calculating quality metrics established for federal payment reimbursements.

161
Q

2018 - UPIC

A

Unified Program Integrity Contractors (UPICs) were created to perform Medicare and Medicaid program integrity functions for durable equipment prosthetics, orthotics, and supplies; home health and hospice; and Medicaid and Medicare/Medicaid data matching. UPICs work under the direction of CMS’s Center for Program Integrity (PI)

162
Q

2018 - SMRC

A

The Supplemental Medical Review Contractor (SMRC) program was created to help lower improper payment rates and increase efficiencies of Medicare and Medicaid medical review. The SMRC (e.g., Noridian Healthcare Solutions, LLC) conducts a medical review of Medicare Part A and B claims nationwide by evaluating patient records to determine whether Medicare claims were billed in compliance with Medicare’s billing, coding, coverage, and payment billing practices. The focus of the medical reviews may include vulnerabilities identified by CMS internal data analysis, the Comprehensive Error Rate Testing (CERT) program, professional organizations, and Federal oversight agencies. The SMRC notifies CMS of identified improper payments and noncompliance with documentation requests, and the appropriate Medicare Administrative Contractor (MAC) initiates claims adjustments and/or overpayment recoupment actions through the standard

163
Q

Retention of Records

A

Record retention is the storage of documentation for an established period of time, usually mandated by federal and/or state law. (The state in which the health care provider practices determines whether federal or state law mandates the retention period.) Its purpose is to ensure the availability of records for use by government agencies and other third parties (e.g., insurance audit, quality of care review). It is acceptable to store medical records and insurance claims (including attachments submitted to third-party payers) in a format other than original hard copy if the storage medium (e.g., microfilm, scanned images) accurately reproduces all original documents.

164
Q

Retention of records

A

Medicare Conditions of Participation mandate the retention of patient records in their original or legally reproduced form (e.g., microfilm) for a period of at least 5 years. (Individual state laws may require retention of patient records for a longer period, such as 6 years in New York State.)

The Health Insurance Portability and Accountability Act (HIPAA) mandates the retention of health insurance claims and accounting records for a minimum of 6 years, unless state law specifies a longer period.

HIPAA also mandates that health insurance claims be retained for a minimum of 2 years after a patient’s death.

165
Q

Example 1

A

Community Hospital is located in North Carolina (NC), which mandates that hospital medical records be retained for a minimum of 11 years following the discharge of an adult, and for a minor the record must be retained until the patient’s 30th birthday. Because NC law is stricter than the HIPAA mandate regarding retention of records, Community Hospital must retain adult patient records for a period of 11 years and minor patient records until the patient’s 30th birthday.

166
Q

Example 2

A

Dr. Smith practices in Alabama (AL), which mandates that medical records be retained for 5 years. Because the HIPAA mandate is stricter than AL state law, Dr. Smith must retain patient records for a period of 6 years. For any patient who has died, Dr. Smith must retain the record for a period of 2 years after the date of death.

167
Q

Health Care Audit and Compliance Programs

A

Health care audit and compliance programs have been established by the Department of Health and Human Services (DHHS) to ensure the integrity of government health care programs by:

Combating fraud, waste, and abuse, and finding and correcting improper payments (e.g., overpayments)

Coordinating intelligence sharing among investigators, agents, prosecutors, analysts, and policymakers

Facilitating coordination and cooperation among providers to improve quality of care and reduce unnecessary costs

Detecting inappropriate codes submitted on claims and eliminating improper coding practices

168
Q

Audit

A

An audit is an objective evaluation to determine the accuracy of submitted financial statements (e.g., CMS-1500, UB-04). Audits are conducted to assess the accuracy of submitted medical codes and procedures/services and the quality of care provided to patients.

169
Q

Compliance program

A

A compliance program contains internal policies and procedures that an organization follows to meet mandated requirements. DHHS publishes compliance program guidance documents on their website to assist providers in the development of internal compliance programs.

170
Q

Compliance Programs

A

The DHHS Office of Inspector General (OIG) published the final Compliance Program Guidance for Individual and Small Group Physician Practices in the October 5, 2000, Federal Register. (The Compliance Program Guidance for Hospitals was published in the February 23, 1998, Federal Register.) The intent of the guidance documents is to help physicians in individual and small group practices design voluntary compliance programs that best fit the needs of their individual practices. By law, physicians are not subject to civil, administrative, or criminal penalties for innocent errors, or even negligence. The civil False Claims Act covers only offenses that are committed with actual knowledge of the falsity of the claim, or reckless disregard or deliberate ignorance of the truth or falsity of a claim. (The False Claims Act does not cover mistakes, errors, or negligence.) The OIG has stated that it is mindful of the difference between innocent errors (e.g., erroneous claims) and reckless or intentional conduct (e.g., fraudulent claims).

171
Q

Example

A

A Medicare Part C managed care plan in Florida hired a consulting company to review patients’ records. The purpose was to identify additional patient diagnoses (and related ICD-10-CM codes) that would increase risk capitation payments from CMS. The consulting company identified diagnoses (and related ICD-10-CM codes) previously submitted to Medicare that were undocumented or unsupported by patient record documentation. The plan failed to inform Medicare about the undocumented or unsupported diagnosis codes, which had inflated its risk capitation payments. As a result, the plan agreed to pay $22.6 million to settle False Claims Act allegations.

The owner-operator of a medical clinic in California used marketers to recruit individuals for medically unnecessary office visits by promising free, medically unnecessary equipment or free food. The clinic billed Medicare more than $1.7 million for the scheme, and the owner-operator was consequently sentenced to 37 months in prison.

172
Q

The OIG also published a Self-Disclosure Protocol (SDP), which established a process for providers to voluntarily identify, disclose, and resolve instances of potential fraud (e.g., false claims, overpayments) that involve federal health care programs (e.g., Medicare). The word “voluntarily” does not mean that the provider can opt out of the self-disclosure of potential fraud; the SDP must be followed if providers or their staff self-identify potential fraud. The OIG has stated that it believes the health care industry must be encouraged to conduct voluntary self-evaluations (e.g., compliance program), and the SDP, when appropriate, is a viable opportunity for self-disclosure.

A

A voluntary compliance program can help physicians avoid generating erroneous and fraudulent claims by ensuring that submitted claims are true and accurate, expediting and optimizing proper payment of claims, minimizing billing mistakes, and avoiding conflicts with self-referral and antikickback statutes. Unlike other guidance previously issued by the OIG (e.g., Compliance Program Guidance for Third-Party Medical Billing Companies), the physician compliance guidance does not require that physician practices implement all seven standard components of a full-scale compliance program. (Although the seven components provide a solid basis upon which a physician practice can create a compliance program, the OIG acknowledges that full implementation of all components may not be feasible for smaller physician practices.) Instead, the guidance emphasizes a step-by-step approach for those practices to follow in developing and implementing a voluntary compliance program.

173
Q

As a first step, physician practices can begin by identifying risk areas which, based on a practice’s specific history with billing problems and other compliance issues, might benefit from closer scrutiny and corrective/educational measures. The step-by-step approach is as follows:

A

Perform periodic audits to internally monitor billing practices.

Develop written practice standards and procedures.

Designate a compliance officer to monitor compliance efforts and enforce practice standards.

Conduct appropriate training and education about practice standards and procedures.

Respond appropriately to detected violations by investigating allegations and disclosing incidents to appropriate government entities.

Develop open lines of communication (e.g., discussions at staff meetings regarding erroneous or fraudulent conduct issues) to keep practice employees updated regarding compliance activities.

Enforce disciplinary standards through well-publicized guidelines.

174
Q

The final guidance further identifies four specific compliance risk areas for physicians:

A
(1) proper coding and billing;

(2) ensuring that services are reasonable and necessary;

(3) proper documentation; and

(4) avoiding improper inducements, kickbacks, and self-referrals.

These risk areas reflect areas in which the OIG has focused its investigations and audits related to physician practices. The final guidance also provides direction to larger practices in developing compliance programs by recommending that they use both the physician guidance and previously issued guidance, such as the Third-Party Medical Billing Company Compliance Program Guidance or the Clinical Laboratory Compliance Program Guidance, to create a compliance program that meets the needs of the larger practice.

175
Q

Medicare Integrity Program

A

The Medicare Integrity Program (MIP) was mandated by HIPAA in 1996 and gives CMS specific contracting authority to enter into contracts with entities to promote the integrity of the Medicare program, such as medical review (MR), which requires Medicare administrative contractors (MACs) to verify inappropriate billing and to develop interventions to correct the problem. Medical review (MR) is defined by CMS as a review of claims to determine whether services provided are medically reasonable and necessary, as well as to follow up on the effectiveness of previous corrective actions.

176
Q

The national objectives and goals of medical review (MR) are to:

A

Increase the effectiveness of medical review payment safeguard activities.

Exercise accurate and defensible decision making on medical review of claims.

Place emphasis on reducing the paid claims error rate by notifying individual billing entities (e.g., providers, DME suppliers) of medical review findings and making appropriate referrals to provider outreach and education.

Collaborate with other internal components and external entities to ensure correct claims payment and to address situations of potential fraud, waste, and abuse.

177
Q

If a MAC reviews a small sample of claims and verifies that an error exists, the MAC classifies the severity of the problem as minor, moderate, or significant. Then, the MAC imposes corrective actions that are appropriate for the severity of the infraction. The following types of corrective actions can result from medical review:

A

If a MAC reviews a small sample of claims and verifies that an error exists, the MAC classifies the severity of the problem as minor, moderate, or significant. Then, the MAC imposes corrective actions that are appropriate for the severity of the infraction. The following types of corrective actions can result from medical review:

178
Q

New signature guidelines for MR purposes require all health care services provided and/or ordered to be authenticated by the author (e.g., provider). Reviewers will disregard an entry that has a missing or illegible signature, and they will make claims review determinations based on authenticated documentation only. This means that providers can no longer use signature stamps, and their signatures must be handwritten or generated electronically, except for:

A

Facsimiles of original written or electronic signatures for terminal illness for hospice care

Clinical diagnostic test orders, which do not require a signature (but do require authenticated documentation)

In cases where the relevant regulation, National Coverage Determination (NCD), Local Coverage Determination (LCD), and Medicare Claims Processing Manual have specific signature requirements, those take precedence.

179
Q

Targeted Probe and Educate (TPE) Process for Medical Review

A

CMS’s Targeted Probe and Educate (TPE) Process for Medical Review is designed to help providers and suppliers reduce claim denials and appeals by providing one-on-one help. The intent of the TPE process is to increase claims accuracy through MAC data analysis of specific areas, including

(1) providers and suppliers who have high claim error rates or unusual billing practices, and

(2) items and services that have high national error rates and are a financial risk to Medicare.

When a high rate of claims denials persists after the TPE process, providers are referred to CMS for additional action, which may include extrapolation, referral to the Zone Program Integrity Contractor (ZPIC) or Unified Program Integrity Contractor (UPIC), referral to the Recovery Auditor (RA) contractor, and so on.

180
Q

Medicaid Integrity Program

A

The Medicaid Integrity Program (MIP) was mandated by the Deficit Reduction Act of 2005, which provides funds ($5 million in 2007 to $75 million by 2009 and each year thereafter) to combat fraud, waste, and abuse. Contractors will review the actions of those seeking payment from Medicaid (e.g., providers), perform audits, identify overpayments, and educate providers and others about program integrity and quality of care. Congress mandated that CMS devote at least 100 full-time staff members to the project, who will collaborate with state Medicaid officials.

181
Q

The MIP is based on four key principles:

A

Accountability for the MIP’s activities and those of its contractors and the states

Collaboration with internal and external partners and stakeholders

Flexibility to address the ever-changing nature of Medicaid fraud

National leadership in Medicaid program integrity

181
Q

The major strategies will include:

A

Balancing the role of the MIP between providing training and technical assistance to states while conducting oversight of their activities; and between supporting criminal investigations of suspect providers while concurrently seeking administrative sanctions

Collaborating and coordinating with internal and external partners

Consulting with interested parties in the development of the comprehensive Medicaid integrity plan

Developing effective return on investment strategies

Employing lessons learned in developing guidance and directives aimed at fraud prevention

Targeting vulnerabilities in the Medicaid program

182
Q

Recovery Audit Contractor Program

A

The Recovery Audit Contractor (RAC) program is mandated by the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) to find and correct improper Medicare payments paid to health care providers participating in Medicare fee-for-service (FFS), Part C, and Part D. The Patient Protection and Affordable Care Act of 2009 requires state Medicaid programs to contract with RACs to identify and recoup overpayment and underpayment of fees to providers. The Medicaid RAC program was implemented in January 2012.

Medicare processes more than 1.2 billion Medicare claims annually, submitted by more than one million health care providers, including hospitals, skilled nursing facilities, physicians, and medical equipment suppliers. (The federal surety bond, a contract established between DME suppliers and Medicare, is now up to $500,000. In previous years, it was just $25,000.) Errors in claims submitted by these health care providers for services provided to Medicare beneficiaries can account for billions of dollars in improper payments each year.

183
Q

The goal of the RAC program is to identify improper payments made on claims of health care services provided to Medicare beneficiaries. Improper payments include:

A

Overpayments (e.g., submitted claims do not meet Medicare’s National Correct Coding Initiative or medical necessity policies, documentation in the patient record does not support codes reported on the claim, or Medicare administrative contractors reimburse providers more than once for the same patient encounter or calculate reimbursement using an incorrect fee schedule) (Table 5-2)

Underpayments (e.g., submitted claims report codes for simple procedures, when review of the record indicates a more complicated procedure was performed)

184
Q

Example

A

In 2015, more than 600,000 claims with improper payments were collectively identified, resulting in the correction of more than $440 million in improper payments. Almost $360 million in overpayments were collected by providers, and $81 million in underpayments were repaid to providers. This represents an 83 percent decrease from RAC program corrections in 2014, which were $2.5 billion. The RAC Program returned over $141 million to the Medicare Trust Funds in 2015, which represents a 91 percent decrease from FY 2014, when the returned amount was $1.6 billion.

185
Q

Health care providers subject to review include hospitals, physician practices, nursing homes, home health agencies, durable medical equipment suppliers, and any other provider or supplier that bills Medicare Parts A and B.

A

The national RAC program is an outgrowth of a successful demonstration program that used RACs to identify Medicare overpayments and underpayments to health care providers and suppliers in California, Florida, New York, Massachusetts, South Carolina, and Arizona. The demonstration project resulted in over $900 million in overpayments that were returned to the Medicare Trust Fund between 2005 and 2008 as well as nearly $38 million in underpayments that were returned to health care providers.

186
Q

The RAC program uses program integrity contractors (RAC auditors) who review billing trends and patterns across Medicare programs. RAC auditors will focus on facilities and organizations (e.g., home health agency, hospitals) and individuals (e.g., providers) where billings for Medicare services are higher than the majority of providers and suppliers in the community. CMS awarded fee-for-service recovery audit program contracts (Figure 5-5) to:

A

Region 1 – Performant Recovery, Inc.

Region 2 – Cotiviti, LLC

Region 3 – Cotiviti, LLC

Region 4 – HMS Federal Solutions

Region 5 – Performant Recovery, Inc.

187
Q

Health Care Fraud Prevention and Enforcement Action Team

A

The PPACA created the Health Care Fraud Prevention and Enforcement Action Team (HEAT) in 2009, which is a joint effort between the DHHS and Department of Justice (DOJ) to fight health care fraud by increasing coordination, intelligence sharing, and training among investigators, agents, prosecutors, analysts, and policymakers. A key component of HEAT includes Medicare Strike Force teams, which are comprised of interagency teams of analysts, investigators, and prosecutors who can target emerging or migrating fraud schemes, including fraud by criminals masquerading as health care providers or suppliers. This effort received a boost in 2012 with the formation of a ground-breaking new Healthcare Fraud Prevention Partnership among DHHS, DOJ, and private organizations designed to find and stop scams that cut across public and private payers. This partnership facilitates industry anti-fraud efforts through shared insights among investigators, prosecutors, policymakers, and others.

188
Q

Example

A

The Medicare Strike Force coordinated three major actions in 2012, with the largest in May 2012 when 107 individuals, including doctors, nurses, and other licensed medical professionals, were charged in seven cities for their alleged participation in Medicare fraud schemes involving more than $452 million in alleged false billing. In 2014, the Medicare Strike Force charged 90 individuals, including 27 doctors, in 6 cities for approximately $260 million in false billing.

189
Q

Medicare Shared Savings Program

A

The Patient Protection and Affordable Care Act (PPACA) required CMS to establish a Medicare shared savings program to facilitate coordination and cooperation among providers so as to improve the quality of care for Medicare fee-for-service beneficiaries and to reduce unnecessary costs. The Medicare shared savings program is designed to improve beneficiary outcomes and increase value of care by:

Promoting accountability for the care of Medicare fee-for-service beneficiaries

Requiring coordinated care for all services provided under Medicare fee-for-service

Encouraging investment in infrastructure and redesigned care processes

190
Q

Eligible providers, hospitals, and suppliers can participate in the shared savings program by creating or joining an Accountable Care Organization (ACO), which is a recognized legal entity under state law that is comprised of a group of ACO participants (providers of services and suppliers). ACOs have established a mechanism for shared governance, and they work together to coordinate care for Medicare fee-for-service beneficiaries. ACOs enter into a 3-year agreement with CMS, which holds them accountable for the quality, cost, and overall care of traditional fee-for-service Medicare beneficiaries who may be assigned to it. Under the Medicare Shared Savings Program:

A

Medicare continues to pay individual providers and suppliers for specific items and services as it currently does under the fee-for-service payment systems.

CMS develops a level of savings that must be achieved by each ACO if the ACO is to receive shared savings.

CMS develops a level of losses realized by an ACO if it is held liable for losses.

An ACO is accountable for meeting or exceeding quality performance standards to be eligible to receive any shared savings.

191
Q

Reducing Overpayments Program

A

Overpayments are funds a provider or beneficiary receives in excess of amounts due and payable under Medicare and Medicaid statutes and regulations. Once a determination of overpayment has been made, the amount so determined is a debt owed to the U.S. government. The Federal Claims Collection Act of 1966 requires Medicare administrative contractors (MACs) (as agents of the federal government) to attempt the collection of overpayments. The PPACA of 2010 (Affordable Care Act) established the 60-day overpayment rule, which requires providers to report and return overpayments within 60 days of identification or be subject to civil monetary penalties and exclusion from federal health care programs such as Medicare.

192
Q

Examples of overpayments include:

A

Payment based on a charge that exceeds the reasonable charge

Duplicate processing of charges/claims

Payment to a physician on a nonassigned claim or to a beneficiary on an assigned claim (payment made to wrong payee)

Payment for noncovered items and services, including medically unnecessary services

Incorrect application of the deductible or coinsurance

Payment for items or services rendered during a period of nonentitlement

Primary payment for items or services for which another entity is the primary payer

Payment for items or services rendered after the beneficiary’s date of death (postpayment reviews are conducted to identify and recover payments with a billed date of service that is after the beneficiary’s date of death)

193
Q

When a Medicare administrative contractor determines that an overpayment was made, it proceeds with recovery by issuing an overpayment demand letter (Figure 5-6) to the provider.

A

The letter contains information about the review and statistical sampling methodology used as well as corrective actions to be taken. (An explanation of the sampling methodology that was followed is included.) Corrective actions include payment suspension, imposition of civil money penalties, institution of pre- or post-payment review, additional edits, and so on.

194
Q

Providers and beneficiaries can receive a waiver of overpayment recovery if one or more of the following provisions apply:

A

Overpayment was discovered subsequent to the third calendar year after the year of payment.

If an overpaid physician is found to be without fault or is deemed without fault, overpayment shifts to the beneficiary (e.g., medically unnecessary services).

When both provider and beneficiary are without fault with respect to an overpayment on an assigned claim for medically unnecessary services, liability is waived for the overpayment (e.g., no action is taken to recover the overpayment).

If a beneficiary is liable for an incorrect payment, CMS or SSA may waive recovery if the beneficiary was without fault with respect to the overpayment and recovery would cause financial hardship or would be against equity and good conscience.

195
Q

Medicare administrative contractors are prohibited from seeking overpayment recovery when the following two time limitations apply:

A

Overpayment is not reopened within 4 years (48 months) after the date of payment, unless the case involves fraud or similar fault.

Overpayment is discovered later than three full calendar years after the year of payment, unless there is evidence that the provider or beneficiary was at fault with respect to the overpayment.

196
Q

Provider Liability for Overpayments

Providers are liable for refunding an overpayment in the following situations:

A

Overpayment resulted from incorrect reasonable charge determination (because providers are responsible for knowing Medicare reasonable charges for services).

Exception: If the provider’s reasonable charge screen was increased and the physician had no reason to question the amount of the increase, the physician is not liable and the case is referred to CMS for review.

Provider received duplicate payments from the Medicare administrative contractor (because the claim was processed more than once, or the provider submitted duplicate claims).

Provider received payment after agreeing to accept assignment (the provider agreed to accept as payment whatever the payer deemed a reasonable charge), and a beneficiary received payment on an itemized bill and submitted that payment to the provider.

Provider received duplicate payments from Medicare and another payer directly or through the beneficiary, which happens to be the primary payer (e.g., automobile medical or no-fault insurer, liability insurer, or workers’ compensation).

Provider was paid but does not accept assignment.

Provider furnished erroneous information, or provider failed to disclose facts known or that should have been known and that were material to the payment of benefits.

Overpayment was due to a mathematical or clerical error. (Failing to properly collect coinsurance, copayment, or deductible amounts is not a mathematical or clerical error.)

Provider does not submit documentation to substantiate services billed, or there is a question as to whether services were actually performed (e.g., fraud is suspected).

Overpayment was for rental of durable medical equipment, and supplier billed under the one-time authorization procedure. Suppliers of durable medical equipment that have accepted assignment can be reimbursed for rental items on the basis of a one-time authorization by the beneficiary (without the need to obtain the beneficiary’s signature each month).

197
Q

Example

A

Mary Sue Patient underwent office surgery on May 15, performed by Dr. Smith. Medicare determined the reasonable charge for the office surgery to be $360. In July, Dr. Smith and Mary Sue Patient each received a check from Medicare in the amount of $300. Mary Sue Patient then signed that $300 check over to Dr. Smith. Thus, Dr. Smith received a total of $600 for services provided on May 15, an overpayment of $240 (the amount received in excess of the reasonable charge). Mary Sue Patient is liable for the remaining $60 of the duplicate payment. (If Mary Sue Patient had also previously paid Dr. Smith the $60 as coinsurance, Dr. Smith would be liable for the entire $300 overpayment. Remember! Coinsurance is the percentage of costs a patient shares with the health plan.) Dr. Smith is responsible for contacting the Medicare administrative contractor (MAC) to report the overpayment and make arrangements to provide a refund.

198
Q

Example 1

A

A beneficiary is referred to a provider by an employer for a fracture that occurred during a fall at work. The physician billed Medicare and neglected to indicate on the claim that the injury was work related (although that information had been provided by the patient). If Medicare benefits are paid to the provider for services and the injury would have been covered by workers’ compensation, the provider is liable for an overpayment because of failure to disclose that the injury was work related. Thus, the provider is liable whether or not the beneficiary was also paid.

199
Q

Example 2

A

A provider submitted an assigned claim showing total charges of $1,000. The provider did not indicate on the claim that any portion of the bill had been paid by the patient. The MAC determined the reasonable charge to be $600 and paid the physician $480 (80 percent of $600) on the assumption that no other payment had been received. The MAC later learned that the beneficiary had paid the physician $200 (which included the $120 coinsurance amount) before the provider submitted the claim. Thus, the payment should have been split between provider and beneficiary, with $400 paid to the provider and an $80 overpayment refund to the beneficiary. The provider is liable for causing the $80 overpayment, as the amount received from the beneficiary was not reported on the claim. (Remember! Coinsurance is the percentage of costs a patient shares with the health plan.)

200
Q

Provider submitted a claim for services other than medically necessary services, but should have known they would not be covered (e.g., conversation with a relative of a beneficiary).

Provider submitted a claim for medically unnecessary services.

Items or services were furnished by a provider or supplier not qualified for Medicare reimbursement.

A

Example 1
A lab test is performed by a nonqualified independent laboratory.

Example 2
Services are rendered by a naturopath (practitioner who uses natural remedies instead of drugs and surgery).

201
Q

Absence of Provider Liability for Overpayments

A

A provider is liable for overpayments received unless found to be without fault as determined by the Medicare administrative contractor (MAC). A provider can be considered without fault if reasonable care was exercised in billing for and accepting payment, and the provider had a reasonable basis for assuming that payment was correct. In addition, if the provider had reason to question the payment and promptly brought the question to the attention of the MAC, the provider may be found without liability.

These criteria are always met in the case of overpayments due to an error with respect to the beneficiary’s entitlement to Medicare benefits and the MAC’s failure to properly apply the deductible. Normally, it is clear from the circumstances of the overpayment whether the provider was without fault in causing the overpayment. When this is not clear from the record, the MAC must review the issue (as long as the review occurs within three calendar years after the year in which the overpayment was made).

202
Q

National Correct Coding Initiative

A

The Centers for Medicare and Medicaid Services (CMS) developed the National Correct Coding Initiative (NCCI) in 1996 to reduce Medicare program expenditures by detecting inappropriate codes submitted on claims and denying payment for them, promote national correct coding methodologies, and eliminate improper coding practices.

203
Q

NCCI code edits (Table 5-3) are used to process Medicare Part B claims, and NCCI coding policies are based on the:

A

Analysis of standard medical and surgical practice

Coding conventions included in CPT

Coding guidelines developed by national medical specialty societies (e.g., CPT advisory committee, which contains representatives of major medical societies)

Local and national coverage determinations

Review of current coding practices

204
Q

Note:

A

Under a previous CMS contract, a private company refused to publish NCCI code edits it developed because it considered them proprietary; these nonpublished code edits were called black box edits. Use of these edits was discontinued when CMS did not renew its contract with the company, and future CMS contracts do not allow for such restrictions.

205
Q

NCCI Edits

A

NCCI Edit: 1

Description: Invalid Diagnosis Code

Disposition of Claim: Return to Provider

206
Q

NCCI Edit

A

NCCI Edit: 2

Description: Diagnosis and age conflict

Disposition of Claim: Return to provider

207
Q

NCCI Edit

A

NCCI Edit: 3

Description: Diagnosis and Sex Conflict

Disposition of Claim: Return to provider

208
Q

NCCI Edit

A

NCCI Edit: 4

Description: Medicare secondary payer alert

Disposition of Claim: Suspend

209
Q

Health Insurance Portability and Accountability Act (HIPAA)

A

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) because of concerns about fraud (e.g., coding irregularities, medical necessity issues, and waiving of copays and deductibles). While the Federal False Claims Act provides CMS with regulatory authority to enforce fraud and abuse statutes for the Medicare program, HIPAA extends that authority to all federal and state health care programs.

210
Q

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law No. 104-191, amended the Internal Revenue Code of 1986 to:

A

Improve the portability and continuity of health insurance coverage in the group and individual markets.

Combat waste, fraud, and abuse in health insurance and health care delivery.

Promote the use of medical savings accounts.

Improve access to long-term care services and coverage.

Simplify the administration of health insurance by creating unique identifiers for providers, health plans, employers, and individuals.

Create standards for electronic health information transactions.

Create privacy standards for health information.
A discussion on each HIPAA component follows. Although HIPAA standards are still being finalized, health care organizations should develop and implement a response to each component.

211
Q

HIPAA legislation is organized according to five titles (Figure 5-7):

A

Title I—Health Care Access, Portability, and Renewability

Title II—Preventing Health Care Fraud and Abuse, Administrative Simplification, and Medical Liability Reform

Title III—Tax-Related Health Provisions

Title IV—Application and Enforcement of Group Health Plan Requirements

Title V—Revenue Offsets

212
Q

HIPAA Title I—Health Care Access, Portability, and Renewability
HIPAA provisions were designed to improve the portability and continuity of health coverage by:

A

Limiting exclusions for pre-existing medical conditions

Providing credit for prior health coverage and a process for transmitting certificates and other information concerning prior coverage to a new group health plan or issuer

Providing new rights that allow individuals to enroll for health coverage when they lose other health coverage, change from group to individual coverage, or gain a new dependent

Prohibiting discrimination in enrollment and premiums against employees and their dependents based on health status

Guaranteeing availability of health insurance coverage for small employers and renewability of health insurance coverage in both the small and large group markets

Preserving, through narrow preemption provisions, the states’ traditional role in regulating health insurance, including state flexibility to provide greater protections

213
Q

HIPAA Title II—Preventing Health Care Fraud and Abuse

A

HIPAA defines fraud as “an intentional deception or misrepresentation that someone makes, knowing it is false, that could result in an unauthorized payment.” The attempt itself is considered fraud, regardless of whether it is successful. Abuse “involves actions that are inconsistent with accepted, sound medical, business, or fiscal practices. Abuse directly or indirectly results in unnecessary costs to the program through improper payments.” The difference between fraud and abuse (Table 5-4) is the individual’s intent; however, both have the same impact of stealing valuable resources from the health care industry.

214
Q

Table 5-4 Fraud and Abuse Examples and Possible Outcomes

A

Examples of Fraud:
Accepting or soliciting bribes, kickbacks, and/or rebates

Altering claims to increase reimbursement

Billing for services or supplies not provided

Misrepresenting codes to justify payment (e.g., upcoding)

Entering a health insurance identification number other than the patient’s to ensure reimbursement

Falsifying certificates of medical necessity, plans of treatment, and/or patient records to justify payment

215
Q

Table 5-4 Fraud and Abuse Examples and Possible Outcomes

A

Possible Outcomes of Fraud:
Administrative sanctions

Civil monetary penalties

Exclusion from the health program (e.g., Medicare)

Referral to the Office of Inspector General:

Exclusion from Medicare program

Sanctions and civil monetary penalties

Criminal penalties (e.g., fines, incarceration, loss of license to practice, restitution, seizure of assets)

216
Q

Table 5-4 Fraud and Abuse Examples and Possible Outcomes

A

Examples of Abuse:
Billing noncovered services as covered services

Billing or claim processing errors

Reporting duplicative charges on a claim

Charging excessively for services, equipment, and/or supplies

Improper billing that results in payment by a government program when another payer is responsible

Submitting claims for services not medically necessary

Violating participating provider agreements with third-party payers

217
Q

Table 5-4 Fraud and Abuse Examples and Possible Outcomes

A

Possible Outcomes of Abuse:
Education

Referral for Medical Review:

Prepayment review of submitted claims

Post-payment review (audit) of submitted claims

Recoup overpaid funds:

Provider refunds payer

Payment is withheld from future processed claims

Suspension of payer payments (e.g., MAC holds checks)

Warnings

218
Q

When a Medicare provider commits fraud, an investigation is conducted by the Department of Health and Human Services (DHHS) Office of the Inspector General (OIG). The OIG Office of Investigations prepares the case for referral to the Department of Justice for criminal and/or civil prosecution. A person found guilty of Medicare fraud faces criminal, civil, and/or administrative sanction penalties, including:

A

Civil penalties that are adjusted for inflation (and are now over $20,000) per false claim plus triple damages under the False Claims Act (The provider pays an amount equal to three times the claim submitted, in addition to the civil penalties fine.)

Criminal fines and/or imprisonment of up to 10 years if convicted of the crime of health care fraud as outlined in HIPAA or, for violations of the Medicare/Medicaid Anti-Kickback Statute, imprisonment of up to 10 years and/or a criminal penalty fine of up to $250,000 (for individuals) or $500,000 (for organizations)

Administrative sanctions, which are now over $20,000 for the civil monetary penalty per false claim, assessments of up to triple the amount falsely claimed, and/or exclusion from participation in Medicare and state health care programs

In addition to these penalties, those who commit health care fraud can also be tried for mail and wire fraud.

219
Q

Example 1 (Fraud)

A

A Durable Medical Equipment (DME) business owner served almost 6 years in prison and paid $1.9 million in restitution after pleading guilty to conspiracy to commit health care fraud and aggravated identity theft. The DME company owner created several different companies and submitted more than 1,500 false and fraudulent claims to Medicare for unnecessary medical equipment.

220
Q

Example 2 (Fraud)

A

A court sentenced a home health agency provider/owner to 14 years in prison for submitting $45 million in false claims to Medicare. The provider submitted claims to Medicare for twice-daily injections to supposedly homebound diabetic patients. The investigation revealed most patients were not homebound or insulin-dependent diabetics.

221
Q

Example 3 (Abuse)

A

Medicare recouped $656,000 from a clinic that had submitted claims for lipid panel tests and cholesterol tests (on the same patients) when, upon review of patient records, there was no documentation of medical necessity for the cholesterol tests.

222
Q

Example 4 (Abuse)

A

A new coder mistakenly submitted inaccurate ICD-10-CM codes on several submitted claims, which was discovered upon routine audit (as part of the office’s compliance program). The coder was retrained, and the claims were corrected and resubmitted to ensure accurate payment from Medicare.

223
Q

Note:

A

Operation Restore Trust was a special HHS initiative against fraud, waste, and abuse that launched in May 1995, targeting three areas of high-spending growth: durable medical equipment suppliers, home health agencies, and nursing facilities. Efforts were targeted at five states, which comprised more than one-third of all Medicare and Medicaid beneficiaries: California, Florida, Illinois, New York, and Texas. Over $24 million was paid back into the Medicare Trust Fund as a result of court-ordered criminal restitutions, fines, and recoveries. Over $14 million was paid back into the Fund as a result of civil judgments, settlements, and civil monetary penalties. Criminal convictions and civil judgments also resulted, with individuals sentenced to prison.

224
Q

HIPAA Title II (continued)—Administrative Simplification
HIPAA was part of a congressional attempt at incremental health care reform, with the administrative simplification aspect requiring DHHS to develop standards for maintenance and transmission of health information required to identify individual patients. These standards are designed to:

A

Improve efficiency and effectiveness of the health care system by standardizing the interchange of electronic data for specified administrative and financial transactions

Protect the security and confidentiality of electronic health information
The requirements outlined by law and the regulations implemented by DHHS require compliance by all health care organizations that maintain or transmit electronic health information (e.g., health plans; health care clearinghouses; and health care providers, from large integrated delivery networks to individual physician offices).

225
Q

Note:

A

California implemented a regulation that prohibits the use of Social Security numbers on health plan ID cards and health-related correspondence. In 2018, a Medicare Beneficiary Identifier (MBI) replaced Social Security numbers on Medicare cards.

226
Q

The law also establishes significant financial penalties for violations, as follows.

A

Each violation: $100

Maximum penalty for identical violations may not exceed $50,000

Maximum penalty for identical violations during a calendar year may not exceed $1,500,000

227
Q

Unique Identifiers
The administrative simplification (AS) provision of HIPAA requires establishment of standard identifiers for third-party payers (e.g., insurance companies, Medicare, and Medicaid), providers, and employers, as follows:

A

Health Plan Identifier (HPID) (formerly called PAYERID and PlanID) is assigned to third-party payers; it was rescinded in 2019 as part of administrative simplification. The voluntary other entity identifier (OEID) and its implementation specifications were also rescinded.

National Individual Identifier (patient identifier) has been put on hold. Several bills in Congress eliminated the requirement to establish a National Individual Identifier.

National Provider Identifier (NPI) is assigned to health care providers as a 10-digit numeric identifier, including a check digit in the last position.

National Standard Employer Identification Number (EIN) is assigned to employers who, as sponsors of health insurance for their employees, must be identified in health care transactions. It is the federal employer identification number (EIN) assigned by the Internal Revenue Service (IRS) and has nine digits with a hyphen (00-0000000). EIN assignment by the IRS began in January 1998.

228
Q

The Centers for Medicare and Medicaid Services (CMS) developed the National Plan and Provider Enumeration System (NPPES) to assign unique identifiers to health care providers and health plans. Providers can apply for the national provider identifier (NPI) online, on paper, or through an organization (e.g., professional association). When applying for the NPI, it is important to remember that providers must:

A

Apply just once because every health plan, including Medicare and Medicaid, will use the same NPI for the provider.

Obtain an NPI even if they use a billing agency to prepare standard insurance transactions.

Continue to participate in health plan enrollment and/or credentialing processes.

Safeguard the NPI because it is a private identification number.

229
Q

Electronic Health Care Transactions

A

HIPAA requires payers to implement electronic transaction standards (or transaction rules), which result in a uniform language for electronic data interchange. Electronic data interchange (EDI) is the process of sending data from one party to another using computer linkages. The CMS Standard EDI Enrollment Form must be completed prior to submitting electronic media claims (EMC) to Medicare. The agreement must be executed by each provider of health care services, physician, or supplier that intends to submit EMC.

230
Q

Example

A

Health care providers submit electronic claims data to payers on computer tape or disk, or by computer modem or fax. The payer receives the claim, processes the data, and sends the provider the results of processing electronic claims (an electronic remittance advice).

231
Q

The proposed standard for electronic signature is digital, which applies a mathematical function to the electronic document, resulting in a unique bit string (computer code) called a message digest that is encrypted and appended to the electronic document.

A

(Encrypt means to encode a computer file, making it safe for electronic transmission so that unauthorized parties cannot read it.) The recipient of the transmitted electronic document decrypts (decodes) the message digest and compares the decoded digest with the transmitted version. If they are identical, the message is unaltered and the identity of the signer is proven.

232
Q

The final rule on transactions and code sets was effective October 16, 2002, for large plans and October 16, 2003, for small plans. It requires the following to be used by health plans, health care clearinghouses (which perform centralized claims processing for providers and health plans), and health care providers who participate in electronic data interchanges:

A

Three electronic formats are supported for health care claim transactions: the UB-04 flat file format, the National Standard Format (NSF), and the ANSI ASC X12N 837 (American National Standards Institute [ANSI], Accredited Standards Committee [ASC], Insurance Subcommittee [X12N], Claims validation tables [837], and further subdivided into 837I and 837P formats).

The UB-04 flat file is a series of fixed-length records that is used to bill institutional services, such as services performed in hospitals. (The UB-04 is discussed in Chapter 11 of this textbook.)

The National Standard Format (NSF) flat file format is used to bill physician and noninstitutional services, such as services reported by a general practitioner on a CMS-1500 claim.

The ANSI ASC X12N 837I variable-length file format is used to submit institutional claims, and the ANSI ASC X12N 837P is used to submit professional claims.

Dental services use Current Dental Terminology (CDT) codes. Current Dental Terminology (CDT) is a medical code set maintained and copyrighted by the American Dental Association.

Diagnoses and inpatient hospital services are reported using ICD-10-CM.

Physician services are reported using Current Procedural Terminology (CPT) codes.

Procedures are reported using ICD-10-PCS (hospital inpatient) and CPT and HCPCS level II (outpatient and physician office).

Institutional and professional pharmacy transactions are reported using HCPCS level II (national) codes.

Retail pharmacy transactions are reported using the National Drug Code manual. No standard code set was adopted for nonretail pharmacy drug claims.

233
Q

The National Drug Code (NDC), maintained by the Food and Drug Administration (FDA), identifies prescription drugs and some over-the-counter products. Each drug product is assigned a unique 11-digit, three-segment number, which identifies the vendor, product, and trade package size. The Deficit Reduction Act (DRA) of 2005 requires states to collect Medicaid rebates for physician-administered medications. Effective 2007, National Drug Codes (NDC) are reported on Medicaid CMS-1500 claims (in addition to the HCPCS level II codes) when physicians administer medication(s) to a patient during an encounter.

A

Example
During an office encounter, a physician administered 4 mg of Zofran intravenously (IV) to a Medicaid patient. Enter the following codes on the CMS-1500 claim:

J2405 as the HCPCS level II code for “ondansetron hydrochloride, per 1 mg,” which is the generic form of Zofran. (Also enter the number 4 in the Units field of the CMS-1500 claim.)

00173044202 as the National Drug Code for “Zofran 2 mg/mL in solution form.” (The NDC is located on the medication container.)

234
Q

Privacy and Security Standards

A

Any information communicated by a patient to a health care provider is considered privileged communication, and HIPAA provisions address the privacy and security of protected health information. Protected health information (PHI) is information that is identifiable to an individual (individual identifiers) such as name, address, telephone numbers, date of birth, Medicaid ID number, medical record numbers, Social Security number (SSN), and name of employer. In most instances, covered entities (providers, payers, and clearinghouses) are required to obtain an individual’s authorization prior to disclosing the individual’s health information, and HIPAA has established specific requirements for an authorization form. Privacy is the right of individuals to keep their information from being disclosed to others.

235
Q

Note

A

Providers should develop a policy that prohibits taking cell phone pictures of patients unless taken with the patient’s own phone at the patient’s request. Cell phone pictures of patients have appeared on the Internet, and employees have been terminated as a result because that is a breach of patient privacy.

236
Q

Once information is disclosed (e.g., for the purpose of obtaining health care), it is essential that confidentiality of the information be maintained. Confidentiality involves restricting patient information access to those with proper authorization and maintaining the security of patient information. Security involves the safekeeping of patient information by:

A

Controlling access to hard copy and computerized records (e.g., implementing password protection for computer-based patient records)

Protecting patient information from alteration, destruction, tampering, or loss (e.g., establishing office policies)

Providing employee training in confidentiality of patient information (e.g., conducting annual in-service education programs)

Requiring employees to sign a confidentiality statement that details the consequences of not maintaining patient confidentiality (e.g., employee termination)

237
Q

Because patient information is readily available through computerized databases and other means, it is essential to take steps to maintain confidentiality. Breach of confidentiality, often unintentional, involves the unauthorized release of patient information to a third party, as in the following examples:

A

Discussing patient information in public places (e.g., elevators)

Leaving patient information unattended (e.g., computer screen display)

Communicating patient information to family members without the patient’s consent

Publicly announcing patient information in a waiting room or registration area

Accessing patient information without a job-related reason

238
Q

Although HIPAA privacy regulations do not require providers to obtain patient authorization for the release of health care information to payers for processing insurance claims, many providers continue to obtain patient authorization. The best practice is to advise patients that they have the right to restrict the release of their health care information (e.g., patient writes a letter informing the provider that medical records are not to be released to insurance companies). When a patient restricts the release of health care information, the provider should obtain the patient’s signature on a consent form accepting financial responsibility for the cost of treatment. An insurance company that is prohibited from reviewing patient records will probably refuse to reimburse the provider for a submitted claim.

A

The signed consent form accepting financial responsibility allows the provider to collect payment from the patient.

239
Q

Note:

A

A dated, signed special release form is generally considered valid for 1 year. Be sure to obtain the patient’s signature on the special release form each year. Undated signed forms are assumed to be valid until revoked by the patient or guardian. CMS regulations permit government programs to accept both dated and undated authorizations. Established medical practices must update patient information and obtain the necessary authorization forms. Patients who regularly seek care must sign a new authorization each year.

240
Q

If patient authorization is obtained, be sure the patient has signed an “authorization for release of medical information” statement before completing the claim. The release can be obtained in one of two ways:

A

Ask the patient to sign a special release form that is customized by each practice and specifically names the patient’s insurance company (Figure 5-8); or

Ask the patient to sign Block 12, “Patient’s or Authorized Person’s Signature,” on the CMS-1500 claim (Figure 5-9).

241
Q

Note

A

Computerized practices must obtain the patient’s signature on the special release form and provide a copy to the patient’s insurance company upon request. With this method, the CMS-1500 claim generated will contain “SIGNATURE ON FILE” in Block 12 (Figure 5-9).

242
Q

When third parties (e.g., attorneys, family members, and others) request copies of patient information, be sure to obtain the patient’s signature on an authorization to release medical information (Figure 5-10). Exceptions to the expectation of privacy include information released via subpoena duces tecum and according to statutory reporting requirements (e.g., communicable disease reporting).

A
243
Q

Release of PHI for Legal Proceedings

A

It is usually acceptable to submit a copy of the medical record for legal proceedings. If the original record is required, obtain a receipt from the court clerk and retain a copy of the record in the storage area. Be sure to properly protect the original record when transporting it to court by placing the record in a locked storage container. Make sure that the original record remains in the custody of the health care personnel transporting the record until the record is entered into evidence.

244
Q

Release of PHI for HIV Patients

A

Discussing, diagnosing, and treating HIV/AIDS is a sensitive, private issue between a patient and provider. This privacy is especially important because any breach of privacy may result in stigmatization or discrimination against HIV/AIDS patients. Patients who are concerned that their health information will not be held private or secure may be discouraged from being tested for HIV and may be dissuaded from pursuing or adhering to recommended treatment regimens.

The need for privacy and security must be carefully balanced with the appropriate sharing of patient information. Health information technology poses risks for maintaining patient privacy and security, but also offers providers and HIV/AIDS patients potential benefits. There are instances in which providers must reveal patient information to someone other than the patient, such as reporting the names of persons who have a positive HIV test to public health authorities for infectious disease surveillance. In some states, providers are also required to report the names of partners of those who test positive for HIV.

Medical information may also need to be shared with the patient’s other medical providers to coordinate care and to manage HIV/AIDS as a chronic condition. Established regulations allow providers to share patient health information when necessary and appropriate, while maintaining the confidentiality, privacy, and security of this information.

Patients who undergo screening for the human immunodeficiency virus (HIV) or AIDS infection should sign an additional authorization statement for release of information regarding their HIV/AIDS status (Figure 5-11). Several states require very specific wording on this form. Be sure to determine if your state requires a special form.

245
Q

Release of PHI for Drug and Alcohol Abuse Patients

A

The Drug Abuse and Treatment Act of 1972 is a federal law that requires drug and alcohol abuse patient records be kept confidential and not subject to disclosure except as provided by law. This law applies to federally assisted alcohol or drug abuse programs, which are those that provide diagnosis, treatment, or referral for treatment of drug and/or alcohol abuse. General medical care facilities are required to comply with the legislation only if they have an identified drug/alcohol abuse treatment unit or their personnel provide drug/alcohol diagnosis, treatment, or referral.

246
Q

HIPAA Privacy Rule

A

The HIPAA privacy rule creates national standards to protect individuals’ medical records and other personal health information. This rule also gives patients greater access to their own medical records and more control over how their personal health information is used. The rule addresses the obligations of health care providers and health plans to protect health information, requiring doctors, hospitals, and other health care providers to obtain a patient’s written consent and an authorization before using or disclosing the patient’s protected health information to carry out treatment, payment, or health care operations (TPO).

247
Q

Privacy violations are subject to a penalty of no more than $100 per person per violation, not to exceed $50,000 per person per year per violation of a single standard, with a calendar year maximum of $1,500,000. More serious violations are subject to more severe penalties, including the following:

A

$50,000 and/or up to 1 year in prison for persons who knowingly obtain and disclose protected health information

$100,000 and/or up to 5 years in prison for persons who under “false pretense” obtain and disclose protected health information

$250,000 and/or up to 10 years in prison for persons with intent to sell, transfer, or use PHI for malicious reasons or personal gain

248
Q

Example

A

The DHHS Office for Civil Rights announced in 2011 that it had imposed a $4.3 million civil monetary penalty for violations of the HIPAA privacy rule on Cignet Health of Prince George’s County, Maryland, as follows:

$1.3 million for failing to grant 41 individuals access to their health records within 30 days

$3 million for “willful negligence” when the organization failed to cooperate with the investigation

249
Q

HIPAA Alert

A

Patient Access to Records. The HIPAA privacy rule states that “an individual has the right to inspect and obtain a copy of the individual’s protected health information (PHI) in a designated record set,” except for the following:

Psychotherapy notes

Information compiled in anticipation of use in a civil, criminal, or administrative action or proceeding

PHI subject to the Clinical Laboratory Improvement Amendments (CLIA) of 1988, which is the federal law that delineates requirements for certification of clinical laboratories

PHI exempt from CLIA (e.g., information generated by facilities that perform forensic testing procedures)

250
Q

HIPAA Security Rule

A

The HIPAA security rule adopts standards and safeguards to protect health information that is collected, maintained, used, or transmitted electronically. Covered entities affected by this rule include health plans, health care clearinghouses, and certain health care providers. Effective with implementation of the HITECH Act of 2009, health care business associates and their subcontractors must also follow the HIPAA security rule for electronic protected health information (PHI). Business associates must obtain HIPAA-compliant agreements with their subcontractors (instead of the business associate’s covered entity doing so).

251
Q

In general, security provisions should include the following policies and procedures:

A

Define authorized users of patient information to control access.

Implement a tracking procedure to sign out records to authorized personnel.

Limit record storage access to authorized users.

Lock record storage areas at all times.

Require the original medical record to remain in the facility at all times.

252
Q

Note:

A

Individual states (e.g., New York) may have passed laws or established regulations for patient access to records; providers must follow these laws or regulations if they are stricter than HIPAA provisions.

253
Q

HITECH Act
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009 published final rules in the January 2013 Federal Register, which impact HIPAA as follows:

A

Health care business associates and their subcontractors must comply with the HIPAA security rule for electronic protected health information (PHI). This means that business associates must obtain HIPAA-compliant agreements with their subcontractors (instead of the business associate’s covered entity doing so).

Patients must authorize any health marketing they receive, except for notices such as prescription refill reminders, and business associates must obtain patient authorization prior to marketing.

The sale of PHI by a covered entity or business associate (and their subcontractors) is prohibited.

Compound authorizations for research are permitted, with adherence to applicable rules.

Individually identifiable health information of a person deceased for more than 50 years is no longer considered PHI under the HIPAA privacy rule.

Covered entities are permitted to disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of a decedent prior to death, unless doing so is inconsistent with any known prior expressed preference of the individual.

Covered entities can disclose proof of immunization to a school where state or other law requires it prior to admitting a student. Written authorization is no longer required, but an agreement must still be obtained, and it can be oral.

Covered entities must provide recipients of fundraising communication with a clear and conspicuous opportunity to opt out of receiving further such communications.

Patients can restrict health plan (third-party payer) access to medical records that pertain to treatment paid for by the patient out of pocket.

Patient access to electronic PHI is required, which means covered entities must provide a copy of protected health information that is maintained electronically and located in one or more designated record sets.

Covered entities must produce a copy of the electronic record in the format requested by the patient (or authorized individual).

Fees for paper and electronic copies are defined, which means providers can charge for costs of labor and materials required to copy PHI (whether in paper or electronic form). A reasonable cost-based fee for skilled technical staff time spent creating and copying the electronic file can be included in labor costs.

A covered entity cannot withhold copies of records due to the failure to pay for services above and beyond copying costs.

Timeliness for the provision of paper and electronic records was defined.

The breach notification rule’s “harm threshold” was replaced with the new “low probability standard” with respect to breach of patient information notifications. This standard, which is used to determine whether a disclosure constitutes a breach, requires covered entities and business associates (and their subcontractors) to send breach notification letters to all individuals whose information has been compromised and report the incident (including detailed, publicly reported information about the breach based on the risk assessment system) to the Office for Civil Rights (OCR).

DHHS adopted a new risk assessment system that must be used to assess a possible breach, and it is mandatory that the following four factors are addressed during risk assessment analysis:

What are the nature and extent of the PHI involved in the breach (e.g., types of identifiers, likelihood of reidentification of PHI involved in the breach)?

Who is the unauthorized person who used the PHI or to whom was the disclosure made?

Was PHI actually acquired or viewed by an inappropriate recipient?

To what extent has risk to the PHI been mitigated (e.g., the disclosing entity received assurances from the recipient that PHI was not used inappropriately)?

Changes were made to the Genetic Information Nondiscrimination Act (GINA). Title I of GINA required a revision of the HIPAA Privacy Rule. Genetic information is defined as health information, and it may not be used or disclosed for underwriting purposes.

Revised notice of privacy practices (NPP) requirements require providers to revise the document patients read and sign before their first visit. Providers are not required to print and distribute a revised NPP to all individuals seeking treatment. However, providers are required to provide a copy of the NPP and obtain a good faith acknowledgement of receipt from new patients. The revised NPP must be posted in a clear and prominent location with copies available for individuals to easily take one. (Individuals should not have to ask the receptionist for a copy of the revised NPP.) The NPP contains the following new requirements:

Statement indicating that most uses and disclosures of psychotherapy notes (where appropriate) require patient (or authorized individual) authorization

Statement indicating that uses and disclosures of PHI for marketing purposes require patient (or authorized individual) authorization

Statement that disclosures constituting a sale of PHI require patient (or authorized individual) authorization

Statement that other uses and disclosures not described in the NPP will be made only upon authorization from the patient (or authorized individual)

Statement about fundraising communications and an individual’s right to opt out

Statement informing individuals about their new right to restrict certain disclosures of PHI to a health plan if they pay for a service in full and out of pocket

Statement about an individual’s right to be notified of a breach of unsecured PHI in the event the individual is affected

254
Q

Protecting Patients from Identity Theft

A

According to the Federal Trade Commission (FTC), medical identity theft is a concern for patients, health care providers, and health care plans, and the victims of medical identity theft are typically identified when they are contacted by a debt collector about medical debt they do not owe, find erroneous listings of office visits or treatments on an explanation of benefits (EOB), have been denied insurance because their patient records document a condition they do not have, receive a bill for medical services that they did not receive, see medical collection notices on their credit report that they do not recognize, and/or were informed by their health care plan that they have reached their limit on benefits.

255
Q

Health care providers and insurers can help minimize the risk to patients who report one or more of the above occurrences by:

A

Conducting an investigation. If patients report they were billed for services not received, review financial and medical records relating to services performed to verify identities of persons receiving services. If medical identity theft is identified, notify everyone who accessed the patient’s records to let them know what information is inaccurate and ask them to correct the records.

Understanding provider obligations under the Fair Credit Reporting Act (FCRA). If patients report that debts have been reported to credit reporting companies, determine how the medical identity theft affects the provider’s responsibilities under FCRA. If patients provide identity theft reports detailing thefts, FCRA states that debt associated with thefts cannot be reported to credit reporting companies. An identity theft report is a police report that contains enough detail for credit reporting companies and businesses involved to verify that the consumer is a victim, and it also states which accounts and inaccurate information resulted from the theft.

Reviewing data security practices. Even if information used to commit the fraud was not generated by the provider, it is important to periodically review data security practices and compliance with information safeguard provisions associated with HIPAA privacy and security rules.

Providing any necessary breach notifications. If an investigation reveals that the provider improperly used or shared protected health information (PHI) (e.g., health information was improperly shared with an identity thief), determine whether a breach occurred under the HIPAA Breach Notification Rule (45 CFR part 164 subpart D) or any applicable state breach notification law.

256
Q

Some practical tips for assisting patients with correcting medical, billing, and financial records include the following:

A

Provide patients with a copy of the provider’s notice of privacy practices. The notice should include contact information for someone who can respond to questions or concerns from patients about the privacy of their health information. Hospitals may also put the person in touch with a patient representative or ombudsman.

Provide patients with copies of their records in accordance with the HIPAA privacy rule. Patients may ask for copies of their medical and billing records to help identify the impact of the theft and to review their records for inaccuracies before seeking additional medical care. There is no central source for medical records, so patients need to contact each provider they do business with, including doctors, clinics, hospitals, pharmacies, laboratories, and health plans. For example, if a thief obtained a prescription in your patient’s name, the victim may want a copy of the record from the pharmacy that filled the prescription and the health care provider who wrote the prescription. Explain to the patient that there may be fees and mailing costs to obtain copies of medical or billing files.

Educate patients about their right to have their medical and billing records amended or corrected. Encourage patients to write to their health plan or provider to dispute the inaccurate information. Tell them to include copies (because they should keep the originals) of any documents that support their position. Their letter should identify each disputed item, the reasons for disputing it, and a request that each error be corrected or deleted. Patients may want to include a copy of medical or billing records with items in question circled.

Send an accounting of disclosures to patients. An accounting of disclosures about medical information provided to third parties (e.g., attorneys, third-party payers, and Social Security disability offices) may help indicate to patients whether there has been an inappropriate release of their medical information. HIPAA allows patients to order one free copy of the accounting from each of their providers and health plans every 12 months. The accounting includes a record of the date of the disclosure, the name of the person or entity who received the information, a brief description of the information disclosed, and a brief statement about the purpose of the disclosure or a copy of the request for disclosure.

Inform patients that they have the right to file a complaint if they believe their privacy rights have been violated. For example, it would be a violation if a medical provider refused to provide someone with a copy of their own medical record. Patients can file a complaint with the U.S. Department of Health and Human Services’ Office for Civil Rights (www.hhs.gov/ocr).

Encourage your patients to notify their health plan if they suspect medical identity theft. Obtaining a list of benefits paid in their name can help patients determine whether there are any fraudulent charges. Patients also should carefully review EOB statements that third-party payers send after treatment is provided, and patients should verify that the claims paid match care received, ensuring that the name of the provider, dates of service, and services provided are correct. Patients should report discrepancies to their third-party payer.

Tell your patients to file a complaint with the FTC. Patients can file a complaint with the FTC. They also should file a report with local police and send copies of the report to their health plan’s fraud department, health care provider(s), and the three nationwide credit reporting companies.

Encourage patients to look for signs of other misuses of their personal information. Someone who engages in medical identity theft also may use their victim’s personal information to commit more traditional forms of identity theft, such as opening a credit card account in the victim’s name. Tell patients to order copies of credit reports and to review them carefully. Once victims have their reports, they should look for inquiries from companies they did not contact, accounts they did not open, and debts that they cannot explain. They also should verify that their Social Security number, address(es), name and/or initials, and employers’ names are listed correctly.

257
Q

Release of Information

A

Release of information (ROI) by a covered entity (e.g., provider’s office) about protected health information (PHI) requires the patient (or representative) to sign an authorization to release information, which is reviewed for authenticity (e.g., comparing the signature on the authorization form to documents signed in the patient record) and processed within a HIPAA-mandated 60-day time limit. Requests for ROI include those from patients, physicians and other health care providers, third-party payers, Social Security disability, attorneys, and so on. A release of information log is used to document patient information released to authorized requestors, and data are entered manually (e.g., three-ring binder) or using ROI tracking software.

258
Q

The HIPAA privacy rule requires covered entities to track the release of protected health information (PHI) so that individuals can obtain an accounting of disclosures for the 6 years prior to the date of their request, retroactive to April 16, 2003. To respond to this requirement, each covered entity must establish a tracking mechanism and reporting process that includes the date of disclosure, name and address of the entity or person who received the PHI, description of the PHI disclosed, and statement of reason for disclosure (or a copy of the written request for disclosure). If an entity releases PHI to the same entity for the same reason, the first disclosure is documented along with the number of disclosures made during the accounting period and the date of the last disclosure in the accounting period. An individual has the right to receive an accounting of all PHI disclosures made by a covered entity during the 6 years prior to the date an accounting is requested, except for disclosures to:

A

Carry out treatment, payment, and health care operations (TPO)

Comply with requests that occurred prior to the compliance date for the covered entity

Create entries in the facility’s directory

Fulfill requests from correctional institutions or law enforcement officials

Individuals (e.g., patients), themselves

Persons involved in the individual’s care

Send notifications to national security for intelligence purposes

259
Q

Telephone Inquiries

A

One area of concern regarding breach of confidentiality involves the clarification of insurance data by telephone. A signed release statement from the patient may be on file, but the office has no assurance of the identity or credentials of a telephone inquirer. It is very simple for a curious individual to place a call to a physician’s office and claim to be an insurance company benefits clerk. The rule to follow is, always require written requests for patient information. (The only circumstance that would allow the release of information over the telephone is an emergency situation that involves patient care. In this situation, be sure to authenticate the requesting party by using the “call-back method,” which involves calling the facility’s switchboard and asking to be connected to the requesting party.)

260
Q

Facsimile Transmission
Great care must be taken to ensure that sensitive information sent by fax reaches the intended receiver and is handled properly. It is recommended that health information be faxed only when there is:

A

An urgent need for the health record and mailing the record will cause unnecessary delays in treatment, or

Immediate authorization for treatment required from a primary care physician or other third-party case manager.

261
Q

In such cases, information transmitted should be limited only to the information required to satisfy the immediate needs of the requesting party. Each transmission of sensitive material should have a cover sheet including the following information:

A

Name of the facility to receive the facsimile

Name and telephone number of the person authorized to receive the transmission

Name and telephone number of the sender

Number of pages being transmitted

A confidentiality notice or disclaimer (Figure 5-12)

Instructions to authorized recipient to send verification of receipt of transmittal to the sender
The practice should keep a dated log of the transmission of all medically sensitive facsimiles and copies of all “receipt of transmittal” verifications signed and returned by the authorized recipient. Special care must be taken to ensure that proper facsimile destination numbers are keyed into the fax machine prior to transmission.

262
Q

Confidentiality and the Internet

A

At present, there is no guarantee of confidentiality when patient records are transmitted via the Internet. If time constraints prevent sending sensitive information through a more secure delivery system, special arrangements may be made with the requesting party to transmit the document after deleting specific patient identification information. It is best to call the party requesting the documents to arrange for an identifier code to be added to the document so that the receiving party is assured that the information received is that which was requested. This transmission should be followed by an official unedited copy of the record, sent by overnight delivery, that includes specific patient material that was deleted from the previous transmission. In 1998, the HCFA Internet Security Policy issued guidelines for the security and appropriate use of the Internet for accessing and transmitting sensitive information (e.g., Medicare beneficiary information). The information must be encrypted so that information is converted to a secure language format for transmission, and authentication or identification procedures must be implemented to ensure that the sender and receiver of data are known to each other and are authorized to send and/or receive such information.

263
Q

Note:

A

Carefully review all e-mails before sending to ensure receipt by intended recipients only. Sending an e-mail to an unintended recipient can result in a breach of confidentiality (e.g., patient, facility). For example, when an investigator selected “reply all” to an e-mail that included claims abuse information about several providers, state and CMS officials had to be notified and an investigation was conducted.

264
Q

Breach of Confidentiality
Health care providers are required to notify patients when the security of their protected health information has been breached. (A breach occurs when protected health information (PHI) is acquired, accessed, used, or disclosed in a way that poses “significant risk of financial, reputational, or other harm to the individual.”) The following rules apply:

A

Providers must notify individuals to whom the PHI pertains within 60 days after discovery of the breach.

Providers also have a duty to notify the media of any breach that affects more than 500 individuals residing in one state or jurisdiction.

Some situations of unauthorized disclosure, access, or use of unsecured PHI do not constitute a breach requiring notification. Examples include:

Employees who unintentionally access PHI within the scope of their authority

PHI that is inadvertently disclosed to an employee who normally has access to certain types of PHI

Individuals to whom PHI was disclosed but who cannot readily retain the information

265
Q

Title II (continued)—Medical Liability Reform

A

The threat of excessive awards in medical liability cases has increased providers’ liability insurance premiums and resulted in increased health care costs. As a result, some providers stop practicing medicine in areas of the country where liability insurance costs are highest, and the direct result for individuals and communities across the country is reduced access to quality medical care. Although medical liability reform was included in HIPAA legislation, no final rule was published. Individual states, such as Ohio, have passed medical liability reform, and the U.S. Congress is also formulating separate federal medical liability reform legislation.

266
Q

Note

A

The Patient Safety and Quality Improvement Act allows providers to report health care errors on a voluntary and confidential basis. Patient safety organizations (PSOs) analyze the problems, identify solutions, and provide feedback to avoid future errors. A database tracks national trends and recurring problems.

267
Q

Title III—Tax-Related Health Provisions
HIPAA’s Title III—Tax-Related Health Provisions provides for certain deductions for medical insurance, and makes other changes to health insurance law. The HIPAA Title III subtitles include:

A

Subtitle A: Medical Savings Accounts
Section 302: Medical Savings Accounts

Subtitle B: Increase in Deduction for Health Insurance Costs of Self-Employed Individuals

Section 311: Increase in deduction for health insurance costs of self-employed individuals

Subtitle C: Long-Term Care Services and Contracts, such as Long-Term Care Insurance

Part I: General Provisions

Section 321: Treatment of long-term care insurance

Section 322: Qualified long-term care services treated as medical care

Section 323: Reporting requirements

Part II: Consumer Protection Provisions

Section 325: Policy requirements

Section 326: Requirements for issuers of qualified long-term care insurance contracts

Section 327: Effective dates

Subtitle D: Treatment of Accelerated Death Benefits

Section 331: Treatment of accelerated death benefits by recipient

Section 332: Tax treatment of companies issuing qualified accelerated death benefit riders

Subtitle E: State Insurance Pools

Section 341: Exemption from income tax for state-sponsored organizations providing health coverage for high-risk individuals

Section 342: Exemption from income tax for state-sponsored worker’s compensation reinsurance organizations

Subtitle F: Organizations Subject to Section 833 (Section 833 of the United States Code covers treatment of BlueCross BlueShield organizations, etc.)

Section 351: Organizations subject to Section 833

Subtitle G: IRA Distributions to the Unemployed

Section 361: Distributions from certain plans may be used without additional tax to pay financially devastating medical expenses

Subtitle H: Organ and Tissue Donation Information Included with Income Tax Refund Payments

Section 371: Organ and tissue donation information included with income tax refund payments

268
Q

Title IV—Application and Enforcement of Group Health Plan Requirements
HIPAA’s Title IV—Application and Enforcement of Group Health Plan Requirements specifies conditions for group health plans regarding coverage of persons with pre-existing conditions and modifies continuation of coverage requirements. The HIPAA Title IV subtitles and sections include:

A

Subtitle A: Application and Enforcement of Group Health Plan Requirements

Section 401: Group health plan portability, access, and renewability requirements

Section 402: Penalty on failure to meet certain group health plan requirements

Subtitle B: Clarification of Certain Continuation Coverage Requirements

Section 421: COBRA clarifications

269
Q

Title V—Revenue Offsets
HIPAA’s Title V—Revenue Offsets includes provisions related to company-owned life insurance and treatment of individuals who lose U.S. citizenship for income tax purposes. It also repeals the financial institution transition rule to interest allocation rules. For example, regulations were established regarding how employers can deduct company-owned life insurance premiums for income tax purposes. The HIPAA Title V subtitles and sections include:

A

Subtitle A: Company-Owned Life Insurance

Section 501: Denial of deduction for interest on loans with respect to company-owned life insurance

Subtitle B: Treatment of Individuals Who Lose U.S. Citizenship

Section 511: Revision of income, estate, and gift taxes on individuals who lose U.S. citizenship

Section 512: Information on individuals losing U.S. citizenship

Section 513: Report on tax compliance by U.S. citizens and residents living abroad

Subtitle C: Repeal of Financial Institution Transition Rule to Interest Allocation Rules

Section 521: Repeal of financial institution transition rule to interest allocation rules

270
Q

Summary

A

Federal and state statutes are laws passed by legislative bodies and implemented as regulations (guidelines written by administrative agencies). The Federal Register is a legal newspaper published every business day by the federal government. Medicare program transmittals are legal notices about Medicare policies and procedures, and they are incorporated into the appropriate CMS program manual (e.g., Medicare Claims Processing Manual). Federal and state legislation have regulated the health care industry since 1863, when the False Claims Act (FCA) was enacted.

Record retention is the storage of documentation for an established period of time, usually mandated by federal and/or state law. HIPAA mandates the retention of health insurance claims for a minimum of 6 years, unless state law specifies a longer period. HIPAA also mandates that patient records and health insurance claims be retained for a minimum of two years after a patient’s death. Health care audit and compliance programs ensure the integrity of government health care programs by combating fraud, waste, and abuse, and finding and correcting improper payments; coordinating intelligence sharing among investigators, agents, prosecutors, analysts, and policymakers; facilitating coordination and cooperation among providers to improve quality of care and reduce unnecessary costs; and detecting inappropriate codes submitted on claims and eliminating improper coding practices. An audit is an objective evaluation to determine the accuracy of submitted financial statements, and a compliance program contains internal policies and procedures that an organization follows to meet mandated requirements.

The Health Insurance Portability and Accountability Act (HIPAA) includes the following provisions: health care access, portability, and renewability; prevention of health care fraud and abuse, administrative simplification, and medical liability reform; tax-related health provisions; application and enforcement of group health plan requirements; and revenue offsets.

HIPAA’s administrative simplification regulations established the HIPAA security and privacy rules. Do not confuse the purpose of each rule. The HIPAA security rule defines administrative, physical, and technical safeguards to protect the availability, confidentiality, and integrity of electronic protected health information (PHI). The HIPAA privacy rule establishes standards for how PHI should be controlled by indicating authorized uses (e.g., continuity of care) and disclosures (e.g., third-party reimbursement) and patients’ rights with respect to their health information (e.g., patient access).

271
Q

Laws Affecting Healthcare

A

Healthcare workers are responsible for keeping up with constantly changing federal laws and regulations. Laws are passed by legislative bodies (e.g., U.S. Congress) and then are implemented as regulations, which are guidelines written by administrative agencies (e.g., Centers for Medicare and Medicaid Services). Federal laws and regulations affect healthcare in that they govern programs, such as Medicare, Medicaid and TRICARE.

272
Q

Some of the important federal laws that healthcare workers need to be aware of are:

A

False Claims Act - It is illegal to submit claims for payment to Medicare or Medicaid that are false or fraudulent. Filing false claims may result in civil fines of up to three times the programs’ loss plus $11,000 per claim filed. Criminal penalties for submitting false claims include imprisonment and fines.
The False Claims Act provides one of the strongest whistleblower protection provisions in the U.S. Qui tam is a mechanism in this law that allows citizens with evidence of fraud against Medicare and Medicaid to share in any money recovered.

Federal Anti-Kickback Act - In the federal healthcare programs, it is a crime for providers to reward anything of value to those who refer business to them. This includes cash, expensive meals, or tickets to sporting events. Criminal penalties and administrative sanctions for violating this Act include fines, jail terms, and exclusion from participation in the federal healthcare programs.

Stark Law - Stark Law prohibits physician self-referral to a medical facility in which the physician has a financial interest. Self-referral is a conflict of interest because the physician can benefit financially from the referral, and such arrangements can encourage over-utilization of services. Penalties for physicians who violate the Stark law include fines, as well as exclusion from participation in the federal healthcare programs.

273
Q

Legal Terms Pertaining to Healthcare

A

case law
civil law
criminal law
deposition
emancipated minor
embezzlement
respondeat superior
statute of limitations
subpoena
subpoena duces tecum

274
Q

Protected health information (PHI) is considered to be any part of a medical record that is created, stored, received, or transmitted by a healthcare provider that identifies an individual. In other words, PHI is any information that can link a patient to health records. This information can be in any form—oral, paper, or electronic.

A

Common data comprising PHI includes the patient’s name, address, date of birth, and Social Security number. However, other examples of PHI are email addresses, cell phone numbers, medical record numbers, insurance identification numbers, health histories, lab test results, diagnoses, treatment information, lists of allergies, certain photographic images, and biometric identifiers (e.g., fingerprints).

275
Q

Confidentiality

A

Because PHI is very sensitive information, it needs to be handled with confidentiality. Confidentiality is both a legal rule and an ethical concept that establishes the healthcare employee’s responsibility to protect patient information from unauthorized use or disclosure and to maintain the security of that information.

Confidentiality of patient information matters. When patients are comfortable sharing any information they need to discuss with their health professionals, it increases the chances that people will seek help when they need it.

On the other hand, a breach of confidentiality occurs when patient information has been made available or disclosed, either intentionally or carelessly, to unauthorized persons. Providers are required to notify patients in writing when the security of their protected health information has been breached. Consequences for breaches of confidentiality can range from disciplinary action by the employer (including termination) to legal action by the patient claiming damages and fines or other penalties under regulatory statutes.

276
Q

Security of Patient Information

A

The security, or safekeeping, of patient information is accomplished by implementing password protection of electronic records, limiting a staff member’s access to PHI when the information isn’t necessary for that person’s job, and training the entire staff in procedures regarding PHI.

277
Q

Consent and Authorization

A

Providers need to have the patient’s written consent or authorization before they can release protected health information.

Consent: General document that gives permission for something to happen. Patients can consent to treatment or consent for their insurance benefits to be paid directly to the provider.

Authorization: A more customized document. It gives permission for a provider to use only specified PHI for identified purposes and directs to whom the information can be disclosed. In addition, an authorization has an expiration date.

278
Q

Why Was HIPAA Established?

A

The Health Insurance Portability and Accountability Act was passed by Congress in 1996 as a broad attempt at healthcare reform. It initially had two objectives:

The Portability part of the Act was relatively straightforward and ensured that individuals would be able to continue their health insurance between jobs.
The Accountability part of the Act was designed to ensure the security and confidentiality of patient information.
Other objectives of the Act were to prevent fraud and abuse in health insurance, promote the use of medical savings accounts by introducing tax breaks, provide coverage for employees with pre-existing medical conditions, and simplify the administration of health insurance.

279
Q

HIPAA Title II

A

HIPAA is massive in scope and organized according to five separate titles. Once HIPAA had been signed into law, the US Department of Health and Human Services (HHS) was required to create standards to protect the privacy and security of a patient’s protected health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. These Title II rules apply to all covered entities.

Covered entities are defined as:

A health insurance plan
A healthcare clearinghouse
A healthcare provider

280
Q

Privacy

A

An individual’s right to keep healthcare information from being disclosed to others.

281
Q

HIPAA Privacy Rule

A

Under the HIPAA Privacy Rule, individuals have a federally protected right to control the use and release of their health information. The Privacy Rule defines and limits the circumstances under which an individual’s PHI is used or disclosed. It also gives patients the right to examine and obtain a copy of their health records and request corrections as necessary. The patient also has the right to an accounting of disclosures: what health information is shared with other professionals treating the patient, what health information is sent to health insurers, and what information is used by the practice to improve care and plan for the future.

282
Q

Minimum Necessary Standard

A

The healthcare provider has a duty to limit access to, use of, and disclosure of PHI to that which is minimally necessary to accomplish the purpose of the use or disclosure. In other words, PHI is available to individuals on a need-to-know basis.

For instance:

All of a patient’s health information is available for the physician, nurse, and other healthcare providers to use to provide direct patient care. However, this same information is not available to the office’s scheduling staff.

If a patient fell at work and has authorized his or her attorney to request medical records in support of a lawsuit, the medical office should release only those records pertaining to the work injury.

If a patient’s elementary school has requested immunization records, only that information should be released upon the parent’s authorization.

283
Q

Exceptions to the Privacy Rule

A

In general, PHI can be released only with the written authorization of the individual. However, a patient’s signed authorization is not required under the Privacy Rule for the following circumstances: Treatment, Payment and Healthcare Operations (TPO).

In addition, PHI may be disclosed without a patient’s authorization as required by law, such as when a court order is issued by a judge or magistrate. Also, in some states, there is mandatory reporting of child abuse and elder abuse. Finally, some states require the reporting of gunshot wounds and stabbings to law enforcement.

284
Q

Treatment

A

The HIPAA Privacy Rule permits a healthcare provider to disclose protected health information about an individual to another healthcare provider for that provider’s treatment of the individual.

285
Q

Payment

A

HIPAA privacy regulations allow providers to release healthcare information to payers for the processing of insurance claims.

286
Q

Healthcare Operations

A

Protected health information may be disclosed to support healthcare operations, which are the administrative, financial, legal, and quality improvement activities of a covered entity (provider, hospital, or insurer) that are necessary to run its business.

287
Q

Disclosures in the Public Interest

A

All states have laws that require the reporting of specific cases of infectious diseases to public health offices. In these circumstances, the disclosure of PHI without a patient’s consent is justified to protect the health of the public.

288
Q

The full list of National Notifiable Conditions can be found on the Centers for Disease Control and Prevention website, but here are some examples.

A

-Covid
-Foodborne disease outbreak
-Hepatitis (viral)
-HIV
-Influenza
-Lead (elevated blood levels)
-Lyme Disease
-Measles
-Meningitis (viral)
-Mumps
-Pertussis
-Poliomyelitis
-Rabies (animal and human)
-Syphilis
-Tuberculosis
-Zika viral infection

289
Q

Verbal Communications

A

Everyone has a right to oral privacy with regard to their PHI. However, the Privacy Rule is not intended to stop healthcare providers from talking with their patients, staff, or each other, and it recognizes that oral communications often must occur freely and quickly in treatment areas. Thus, healthcare professionals are free to engage in communications as required to provide high quality healthcare. The Privacy Rule also recognizes that overheard conversations in these settings may be unavoidable. However, reasonable precautions should be taken to minimize the chance of being overheard by others who are nearby.

On the other hand, confidential information should never be discussed in public areas where it may be overheard by people who are not authorized to have access to the information. These public areas include elevators, stairways, corridors, cafeterias, parking lots, and restrooms.

290
Q

HIPAA Security Rule

A

Whereas the HIPAA Privacy Rule deals with Protected Health Information (PHI), the HIPAA Security Rule is narrower in scope and focuses solely on electronic Protected Health Information (ePHI). As the healthcare industry began to move away from paper processes and rely more heavily on the use of electronic information systems, the Department of Health and Human Services (HHS) adopted standards for the security of electronic PHI.

291
Q

The Security Rule laid down three safeguards for dealing with ePHI that must be followed in order to be in compliance with HIPAA. The safeguards are:

A

Administrative safeguards to create procedures to clearly show how the covered entity will comply with the Act.
Physical safeguards to control physical access to areas of data storage to protect against unauthorized access.
Technical safeguards to protect communications containing ePHI when transmitted over open networks, a process which often involves encryption.

292
Q

Encryption

A

Encryption is the process of transforming text into an unintelligible string of characters that can be transmitted over open networks with a high degree of security and then decrypted (translated) when it reaches a secure destination.

293
Q

Notice of Privacy Practices (NPP)

A

The HIPAA Privacy Rule gives patients a fundamental right to be informed about how a healthcare provider will use, disclose, handle, collect, and protect the patients’ PHI. Providers are required to give all new patients a copy of their Notice of Privacy Practices that clearly explains these rights and practices. The patients must sign an acknowledgement form that confirms they have received a copy of the Notice.

The NPP should be reviewed and revised annually to reflect changes in the way the practice uses the patients’ health information. For instance, the practice may now offer the option of receiving appointment reminders via text messaging.

294
Q

HIPAA Penalties

A

Violating the privacy and security regulations of HIPAA can result in civil or criminal penalties.

Civil Penalties: The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing HIPAA Privacy and Security Rules. Information submitted to the OCR is carefully reviewed and, in some cases, it may be determined that the organization did not violate the requirements of the Privacy and Security Rules.

If noncompliance did occur, OCR will attempt to resolve the case by obtaining corrective action and a resolution agreement with the organization. If the organization does not satisfactorily resolve the matter, OCR may impose civil monetary penalties. The amount of the penalty is based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation.

Criminal Penalties: The U.S. Department of Justice (DOJ) prosecutes HIPAA violations that result in criminal penalties. Persons who deliberately obtain or disclose patient health information risk fines of $50,000, as well as one year in prison. If such private information is sold or used for personal gain or malicious harm, fines are increased to $250,000 with imprisonment up to 10 years.

295
Q

What Is Fraud?

A

Healthcare insurance billing fraud is a serious problem that demands the attention of billers and coders. HIPAA made billing fraud a federal offense and defines fraud as “an intentional deception or misrepresentation that someone makes, knowing it is false, that could result in an unauthorized payment.” With fraud, individuals deliberately intend to collect unauthorized payments—they know what they’re doing. Administrative, civil and criminal penalties apply with the intent to punish.

Examples of fraudulent billing practices are falsifying a patient’s diagnosis, billing services for a patient who is deceased, billing for services that were not performed, and upcoding.

296
Q

Upcoding

A

Selecting medical codes at a higher level than is justified by the patient’s documentation for the purpose of increasing the insurance reimbursement.

NOTE: The Medicare program is the target of most of the billing fraud.

297
Q

Office of Inspector General (OIG)

A

The Office of Inspector General (OIG) is part of the U.S. Department of Health and Human Services (HHS). According to the website, OIG is “dedicated to combating fraud, waste and abuse and to improving the efficiency of HHS programs. A majority of OIG’s resources goes toward the government oversight of Medicare and Medicaid—programs that represent a significant part of the Federal budget and affect this country’s most vulnerable citizens.”

When a Medicare or Medicaid provider commits fraud, the OIG prepares the case for referral to the Department of Justice for prosecution. A provider found guilty of Medicare or Medicaid fraud faces criminal, civil, and/or administrative sanction penalties. These include fines, imprisonment, and exclusion from further participation in Medicare and Medicaid.

298
Q

What Is Abuse?

A

Abuse also results in improper payments, but it’s not done deliberately. According to HIPAA, abuse “involves actions that are inconsistent with accepted, sound medical, business, or fiscal practices.” The health insurance specialist is in a unique position to help physicians identify abusive practices and offer prevention strategies. These include updating medical codes, reading payer bulletins that contain up-to-date billing practices, and attending coding and billing webinars. Penalties for abuse are intended to educate rather than punish, and they typically involve recovering overpayments from providers.

299
Q

Examples of abusive billing practices include:

A

Using outdated coding manuals
Inadvertent billing and coding errors
Excessive charges.

300
Q

What Does ROI Include?

A

Release of information is critical for the continuity of care provided to the patient, as well as serving an essential function in reimbursement, healthcare policy, public health tracking, and research.

Physicians’ offices frequently receive requests for medical records from multiple sources. To protect patient confidentiality, no patient information or medical record should ever be released without written authorization from the patient, or from the patient’s guardian or legal representative if the patient is a minor, deceased, or incompetent.
Remember!
There are some exceptions when patient information can be released without written authorization, as discussed earlier in this lesson.

301
Q

Here are some guidelines for the authorized release of information:

A

The health information released must be complete, appropriate, and timely to fulfill its intended purpose.
Medical records typically include progress notes, consultations, history & physical exams, medication records, lab reports, radiology reports, diagnostic testing, hospital discharge summaries, and emergency department reports.
Medical records obtained from another provider that are included in the patient’s medical record may be released, especially when the request is related to developing a treatment plan.
A separate statement authorizing release is required for HIV status, psychiatric/mental health conditions, and alcohol/substance abuse. These sensitive issues need more careful handling.
Insurance claim information must also be provided, if requested.
The physician may prepare a summary of the medical record, if acceptable to the patient.

NOTE: When releasing patient information, always release copies only and not the original records.

302
Q

Proper Release Protocol

A

An outpatient provider usually designates a staff member whose job description includes the release of information. This person should do the following when someone requests information: log, verify and track the request; authenticate the requestor; retrieve the records; determine the minimum information needed to meet the request; reproduce and mail or fax the documents. Everyone in the office should understand this protocol so that nothing is released inappropriately.

303
Q

Covered entities

A

A health insurance plan, a healthcare clearinghouse, and a healthcare provider.

304
Q

Minimum necessity standard

A

The PHI that is disclosed must be the minimum necessary to accomplish the purpose of the request.

305
Q

fraud in billing practices

A

An intentional deception or misrepresentation that someone makes that could result in an unauthorized payment.

306
Q

abuse in billing practices

A

Actions that are inconsistent with accepted, sound medical, business, or fiscal practices that could result in improper payments.

307
Q

upcoding

A

Selecting codes at a higher level than is justified by the patient’s medical record for the purpose of increasing the reimbursement.

308
Q

guardian

A

an individual who is legally designated to act on behalf of a minor or an incompetent adult
