EHR has come to stand for more than electronic health records, and EHR compliance negligence can cost you
When it comes to EHR compliance, there are two compliance risks that could put you out of business overnight. Yes, it’s a scary thought. The term “compliance” is a bit of an enigma. What is it referring to?
• HIPAA?
• PCI?
• Medical necessity?
• Coding/billing?
• Discounting?
• OSHA?
• State board marketing compliance?
The term “EHR” can be a little misleading as well, since most EHR companies today are providing much more than electronic health records.
So where do you begin? Let’s focus on what could put you out of business the fastest:
- HIPAA violations
- Improper discounting
HIPAA violations
Each HIPAA violation can cost you as much as $50,000. That means a practice that violates the privacy of one patient could put itself out of business. Violations rarely happen in isolation. If there is one violation there are probably many others.
The biggest exposure we see these days is with client-server EHR companies. Client-server systems are those that are not cloud-based, although even cloud-based systems are not all created equal in terms of HIPAA and EHR compliance.
Patient data is some of the most valuable data there is on the black market. If you were a hacker, where would you go to get such data? Would you try to hack a HIPAA compliant data center? Or would you try to hack a small practice where data is sitting on a server in the back office?
You would likely choose the latter. Why?
Small practices are busy. They tend not to keep their firewalls up to date. It is relatively easy to hack into their Wi-Fi network and have a field day.
Client-server systems also have other inherent weak spots, for example online patient intake forms and nightly data backups to the cloud.
In the event of a data breach, who will be fined? It’s not the “tech guy” who is also a patient. The responsibility is that of the practice owner.
Moving your EHR to the cloud is a big way to mitigate this risk. By doing so, you’re basically outsourcing the liability. As long as that cloud system uses the highest level of encryption to transmit data over the internet and their data center is a true HIPAA-compliant data center, you’re in a much better position.
In the case of a data breach, the EHR company is on the hook. In most cases, they are covered by insurance for such a breach. Remember, too, that these data centers are staffed 24/7 with the highest level of security possible. You decrease the risk while maintaining ownership of your patient data.
EHR compliance and improper discounting
When using your EHR, it’s common practice to apply discounts to your services. When posting your services, it’s important to make sure the discounts are compliant and posted correctly. In summary, there are four primary ways to provide discounts compliantly:
- Required by Mandate
This applies if the patient is covered by a state or federal program with a mandated fee schedule (Medicare, Medicaid, etc.). When patients are receiving a mandated discount (e.g., Medicare), in essence you are agreeing to accept what they reimburse by treating the patient. For example, if your fee is $55 for a service and Medicare’s allowed amount is $35, you have not agreed to charge $35; you have agreed to discount your $55 service by $20.
- Documented Hardship
Patients who meet state and/or federal poverty guidelines or other special circumstances outlined in your “Hardship Policy” may be offered a discount for a period of time as determined by the clinic. Verification of hardship status is required. Lastly, no more than 5% of your patient base population should be on hardship. Note that you cannot define someone as “hardship” simply because they are cash patients. This is important, as we have seen examples where doctors say they use hardship discounts for all cash patients. This is not in line with EHR compliance.
- Contractual Agreement
This applies if you’re a participating provider in the patient’s health insurance plan. If you are a member of a Discount Medical Plan Organization (DMPO), the patient will be entitled to network discounts similar to those of your insured patients. Like mandated discounts, you are agreeing to accept what the insurance company or DMPO allows by treating the patient. For example, if your fee is $100 for a service and the insurance company or DMPO-allowed amount is $75, you have not agreed to charge $75; you have agreed to discount your $100 service by $25.
- Prompt Pay
You can offer patients a discount on non-covered services (i.e., cash services) when they pay for services promptly. The clinic can define what “promptly” means. For example, you may define it as “payment on the same day or prior to when the service is provided,” or “within the same week or month the service is provided,” or “within a set number of days of the service being provided.” The limitation on how large a discount can be offered is defined by the OIG (Office of Inspector General) of the Department of Health and Human Services. In 2009 they rendered an opinion letter saying that a prompt-pay discount can be provided and should be between 5% and 15%. It is for this reason that we recommend you limit your prompt-pay discount to 15% or less. In practice, this means that for non-covered services, you could apply a discount of up to 15% when the service qualifies under your definition of a prompt-pay discount.
For all patients, non-covered services (i.e., cash-paid services) are the only services that can be discounted with a prompt-pay discount for EHR compliance.
Enforcement
When it comes to EHR compliance, it’s not too uncommon to hear doctors say, “Who’s going to enforce it?” Well, for some perspective, the OIG seems to think it’s worth pursuing violations.
The OIG’s return on investment for audits and investigations is boldly proclaimed by Inspector General Daniel Levinson within the first several pages of the OIG’s fiscal year 2019 budget report requesting more funds to do their work. The statement is plain and simple: “…the OIG returned $5 to the Federal Government for every $1 invested.”
If you knew for every $1 you invested, you always got $5 in return, how many $1s would you invest? And would you keep doing it as long as you kept getting a 5-to-1 return?
Here are some example cases from the OIG:
U.S. Department of Justice vs. Dr. Brown
Dr. Brown from Iowa has agreed to pay $79,919 to resolve allegations he violated the False Claims Act by improperly billing Medicare and Medicaid for chiropractic adjustments after providing free electrical stimulation to beneficiaries to influence those beneficiaries to receive chiropractic adjustments from Brown.
The government alleged that this conduct violated the Anti-Kickback Statute and, in turn, the False Claims Act. The claims at issue were submitted between Jan. 1, 2012, and Sept. 30, 2016.
U.S. Department of Justice vs. Forest Park Healthcare
Instead of billing patients for out-of-network co-payments, instituted by insurers to de-incentivize the high costs associated with out-of-network treatment, Forest Park allegedly assured patients they would pay in-network prices.
Because they knew insurers wouldn’t tolerate such practices, they concealed the patient discounts and wrote off the difference as uncollected “bad debt.”
Make sure that you’re vetting the companies you’re going to be working with in your practice. It’s ultimately your responsibility as a business owner to ensure compliance in all areas of the business, not just your EHR.
MILES BODZIN, DC, is the founder and CEO of Cash Practice Systems, “Chiropractic’s #1 Technology Platform for Creating Loyal Patients. Providing Care Plans, Payment Processing, Wellness Scores, and Email Marketing under one cloud-based platform.” He can be contacted at drbodzin@cashpractice.com. To schedule a complimentary consultation with Cash Practice, call 877-343-8950 or visit cashpractice.com.
BRIAN CAPRA, DC, founded Genesis Chiropractic Software and Billing Network in 2004. Genesis pioneered the use of cloud-based software and patented artificial intelligence workflow to help doctors increase their revenue, patient retention, compliance and overall staff efficiency. He can be contacted at drbrian@genesischiropracticsoftware.com. To schedule a complimentary consultation with Genesis, call 877-601-5986 or visit genesischiropracticsoftware.com.