With the range of compliance threats facing today’s clinics, there’s much more to running a successful practice than seeing patients.
Sometimes, it seems like there are risks waiting behind every computer, billing claim, EHR system, and payer. What’s a thoughtful chiropractor to do?
Being conscientious and applying sound compliance practices at your clinic may be the answer. Prevention can be cheaper, less fraught with potential legal concerns, and often better for your patients. Taking steps whenever possible to improve your compliance know-how can yield substantial returns.
Strategies such as improving documentation, conducting a security risk analysis of your EHR, obtaining sensible help with IT and computer security problems and learning how to establish medical necessity in a claim can provide some protection for your clinic.
While there is no way to absolutely guarantee that a clinic is in full compliance with every rule and requirement, there are smart steps you can take to protect your patients and your practice.
First, the basics
“Compliance has five components: billing, coding, documentation, Medicare and HIPAA,” says Marty Kotlar, DC, who is an expert on chiropractic billing and compliance issues. Of the five areas, Kotlar believes that documentation and Medicare present the biggest challenges and areas of scrutiny for most chiropractic clinics.
Each segment of compliance is important. Other issues, such as EHR security, can also impact your practice. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 regulates how patient information is handled, and it protects patient information security and privacy as well.
Billing, coding and documentation, when properly managed by chiropractors, offer some legal and compliance protection for clinics while also helping to ensure that practices receive appropriate financial compensation from payers. Medicare is a significant source of revenue for many clinics and a big source of coverage for chiropractic patients, so learning how to work with Medicare may prove to be a vital effort for your clinic.
In each of these areas, you can benefit from regularly performing a basic risk analysis to identify threats. If you have employees, you should make sure everyone in your practice is at least moderately competent with compliance issues, even if you have a designated “compliance czar.” There is simply no substitute for self-awareness and adequate training.
Sometimes, you may find yourself in need of expert guidance. If your clinic is particularly stuck or if you are unsure of your own compliance know-how, seeking out training or consulting from a compliance professional may be warranted.
Doing your own research to learn how compliance issues impact your clinic is essential. Some compliance matters are too complex, however, for generalized advice. In any case, your best bet is to investigate for yourself to discover any weak areas that may exist.
By undertaking your own research and training, you’ll be on track to take charge of compliance issues before they have a chance to overwhelm your career.
Ransomware and EHR security
Ransomware is a particularly malicious type of virus, and now it’s attacking health care clinics— including chiropractic practices.
Essentially, ransomware locks users out of part or all of their computer system by encrypting the hard drives, and makes a demand that must be answered before the perpetrator will willingly return access. Usually, ransomware asks for a sum of money that must be paid before the attacker will supply a key to decrypt the user’s data. Many would-be hackers see health care organizations of any size and specialty as lucrative sources of quick cash.
In January of last year, a practice in Irvine, Kentucky, found itself to be the target of a ransomware attack. Thankfully, they were able to quickly take down their EHR system and bring in expert help in computer forensics to determine how the attack had happened in the first place. The clinic also immediately took measures to restore patient files and strengthen their computer system security.
Reportedly, the attack affected the records of more than 5,000 patients. All of these individuals were notified by the practice and provided with credit monitoring services. In the end, the practice responded quickly and correctly, but the occurrence was costly. And in early 2016, a hospital in California was attacked by ransom- ware and ultimately had to pay the hackers some $17,000 to regain control of their software.
Can these incidents be prevented? There are effective ways to combat ransomware, says Ty Talcott, DC. As a HIPAA security specialist, he helps chiropractors understand how to protect themselves against security and compliance threats such as ransomware.
“That chiropractor that got hit in Kentucky has to monitor the credit of every patient—at his own expense,” Talcott says. “At $10 a patient per month for two years, that’s $50,000.”
These costs, not to mention the challenges of repairing any reputational damage for your clinic, can put added strain on your practice.
Appropriate notification of affected patients is not only standard industry practice in health care, it’s also required whenever a breach occurs. And credit monitoring for affected patients can rack up a tab quickly. If additional fines, costs of resolving the issue and repairing computer systems are added on top, you may end up with an extraordinarily more expensive breach.
Staff training is an important part of ransomware and virus prevention. Clicking on a link in a malicious email, downloading a corrupted file, or allowing an unauthorized person physical or remote access to your computers and your network can leave you vulnerable. It simply isn’t enough to install anti-virus software you need to properly train everyone in your office on how to recognize possible attacks and prevent them before they can occur.
“Social engineering,” a malicious strategy that involves tricking unsuspecting staff into helping the hacker, basically takes the work of breaking security offline. For example, hackers can call your office phone, impersonate your EHR vendor’s technical support, and ask for system user- name and password details. If a staff member or chiropractor provides this information, that hacker can then begin accessing your network and installing viruses without ever breaking through your firewalls or antivirus software.
Documentation and medical necessity
Medical necessity is a more important piece of the compliance puzzle, as Talcott notes. Chiropractors are asked to prove in their billing claims that the care they are providing for patients is medically indicated and essential to patient health. Maintenance care, in other words, may be scrutinized more closely and will be denied outright by Medicare and some other payers.
“OIG issues stem from coding and billing errors. This stems from documentation issues 80 percent of the time,” says Kathy Mills Chang, a certified medical compliance specialist and a professional coder.
In 2013, Medicare paid $439 million for chiropractic care. A 2016 report released by the HHS Office of Inspector General (OIG) determined that around 82 percent of this total was “not medically necessary” and therefore ineligible for coverage. A Chiropractic Economics staff report from October 2016 quoted Mills Chang as saying that “the challenge is not the AT modifier or the updating of ‘box 14’ … the real problem is the DC understanding which care is ‘medically necessary’ according to Medicare’s definition and which care would be defined as ‘maintenance care’ per Medicare’s definition.”
These findings don’t imply that maintenance care is completely unnecessary for a patient’s health, rather that the strict medical necessity standards aren’t satisfied—Medicare routinely denies such claims. Since the OIG’s report, many chiropractors have made significant strides in improving documentation and billing, providing better justification for billed services.
The American Chiropractic Association (ACA) offers guidelines for documenting medical necessity appropriately. And taking documentation changes to heart may help chiropractors get more of the reimbursements they need.
“I think, from a compliance point of view, one of the most underrated and ignored compliance issues now is the issue of HIPAA,” Mills Chang says. “The majority of doctors actually don’t think about it.” Sadly, she also adds that these mistakes are common and she sees them constantly among chiropractic clinics.
In particular, Mills Chang is concerned that some doctors are relying too heavily on their self-perceived HIPAA knowledge or on outdated, inaccurate information. These chiropractors are setting them- selves up for potential disaster, she says.
Essentially, HIPAA focuses on two major rules, the Security Rule and the Privacy Rule. The first regulation standardizes how patient protected health information (PHI) is handled and transferred electronically. In contrast, the Privacy Rule regulates how patient information is protected and used.
Specific guidelines are in place for “covered entities,” such as chiropractic clinics and other health care providers. Patient information must be kept confidential and properly managed so that unauthorized people don’t have access to it.
Physical, electronic and procedural safeguards must be in place to reduce risk, and practices must anticipate security and privacy weaknesses. Staff need to be familiar with these policies, and regular audits and risk assessments should be conducted to ensure compliance.
You need a plan for HIPAA compliance. It certainly isn’t an area you want to leave to chance. Although Mills Chang has hope for practices seeking to stay compliant with the HIPAA rules, she’s disappointed in what she sees occurring at some practices right now.
“I see at least one HIPAA violation every day,” she says. “No joke.”
When errors become fraud
Talcott notes that billing errors can sometimes paint a negative picture of the profession, even when chiropractors don’t intentionally make these mistakes. In some cases, chiropractors are asked to repay reimbursements made for these claims.
“Investigations by the Office of Inspector General specifically into the chiropractic profession have declared chiropractic is the No. 1 Medicare fraud profession,” he says, “Much of this is due to some billing errors being reclassified as ‘fraud.’ ”
Scott Munsterman, DC, agrees. Munsterman leads a chiropractic consulting group that educates practices on compliance issues. “Initial visit and subsequent visit must- haves within the note, and other key components are typically missing, and that’s what leads to issues in being denied care. The OIG is big on this.
And other payers are beginning to do more reviews to determine medical necessity.”
Getting the billing right is an essential part of building solid revenue for your practice. If you get it wrong, you can end up with flat billing even if you’re seeing more patients each year. At that point, you’ve begun to actively lose revenue as your patient load grows and billing remains the same. Even worse, if you have billing errors that are caught late after you’ve received reimbursements, you could be liable for these totals and be required to return them.
Getting (and staying) compliant
If you’re unsure about compliance at your practice, you need a solid game plan to protect your practice.
Compliance is an ongoing process, and the risks of ignoring potential penalties are far too great to leave to chance.
“This is as simple as knowing the rules,” Chang says, referring to the steps chiropractors can take to proactively protect themselves. “And having your compliance plan in place shows that you’re doing something.”
Kaitlin Morrison is a freelance writer in Washington, and she specializes in health care and technology issues. A frequent contributor to this magazine, she can be contacted at email@example.com, or through kaitlinmorrison.com.