AAPC CPB Chapter 1 Review
Under the HIPAA Privacy Rule, fully insured group health plans have only 2 obligations. What are they??
(1) Banned from retaliatory acts and waiver of individual rights (2) To provide documentation for the disclosure of PHI through documentation
Examples of Alternative Payment Models (APM) {6}:
-Accountable Care Organizations (ACO's) -Patient Centered Medical Home (PCMH) Models -Bundled Payment Care Improvement -Medicare Shared Savings models -End Stage Renal Disease (ESRD) Prospective Payment System -Others initiated by the Centers for Medicare and Medicaid Innovation (CMMI)
The Privacy Practice Notice must: ??
-Clearly explain the covered entity's obligation to protect privacy -Provide a notice of privacy practices, and abide by the terms of the current notice -Inform the patient of his or her individual rights
If payment is received in error, the ______ ______ ______ requires the money be returned upon identification of the overpayment, under what provision?? -What does the provision state?? -What must the provider do??
-False Claims Act (FCA); Reverse False Claims Act -A provider must report and return an overpayment to the Secretary of HHS, the state, an intermediary, a carrier, or a contractor, as appropriate, by the later of 60 days from the date when the overpayment was identified or the date any correspondence cost report is due -The provider must notify the party to whom the overpayment was returned, in writing, of the reason of the overpayment
The ______ ______ contains ?? and was established by the ?? to establish nation standards to protect and secure patient data that is stored electronically.
-HIPAA Security Rule -Information on transactions and code sets -HIPAA Administration Simplification Regulations
Reporting MIPS Data to CMS includes {4}:
-Medicare Claims -Qualified Clinical Data Registries (QCDR) -Other Registries -EHR or CMS Web-interface
What are the 2 ways can clinicians can choose to participate in the Quality Payment Program (QPP) [of 2019] ??
-Merit-based Incentive Program (MIPS)-eligible MIPS clinicians are subject to a performance-based payment adjustment through MIPS -Advanced Alternative Payment Models (APM's)-eligible clinicians may earn a Medicare incentive payment for sufficiently participating in an innovative payment model
According the the ________, an ______ ______ or ______ is "a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the rule."
-OCR (Office of Civil Rights) -Incidental use or -disclosure
Merit-based Incentive Payment System (MIPS) combines the following existing quality reporting programs, to form a new reporting system {3}:
-PQRS -Meaningful Use -Value-Based Payment Modifier
The (HIPPA) ______ ______ requires that appropriate ______, ______, and ______ safeguards are in place to ensure confidentiality and security of patient health information.
-Security Rule -Administrative, physical, and technical
If the practice refers patients to an outside finance company for large balances, it required that there is more expensive disclosure of the info to the patient. Payment plans that extend past 4 installments require the following to be disclosed: {10}??
-The "cash price" of the service -The amount of any down payment -The resulting unpaid balance -The total amount financed -The amount of the finance charge -The annual percentage rate of the finance charge -The total price to be paid under the credit plan -The schedule of payments, including number, amount, and due dates of payments -The sum of such scheduled payments, or total payments -The amount or method of computing the amount of any late payment charges
If a covered entity identifies material breach of a contract agreement with a business associate, after reasonable steps have been taken to cure the breach or end the violation have been unsuccessful and the contract is terminated the problem is reported to: -This is under what rule??
-The HHS Office for Civil Rights (OCR) -HIPAA Privacy Rule
Privacy Rule
-Under HIPAA, the Privacy Rule sets standards for how an individuals protected health information (PHI) is used. It's purpose is to protect individual privacy, while promoting high quality healthcare and well being. -All covered entities (healthcare plans, providers, and clearing houses that transmit health information in an electronic format) are required to follow.
Stabilization Act of ??
1942-Wage and price controls placed on employers and allowed adoption of employee insurance plans.
What is the length of time that False Claim can be investigated??
7 years
A hospital records transporter is moving medical records from the hospital to an off-site building. During the transport, a chart falls from the box on to the street. It is discovered when the transporter arrives at the off-site building and the number of charts is not correct. What type of violation is this?
A breach-occurs when an impermissible release or disclosure of information is discovered.
When a practice sends an electronic claim to a commercial health plan for payment, what is this considered??
A transaction-the electronic transfer of information between two parties for specific purposes.
If a covered entity under HIPAA {provisions were included for Administrative Simplification that mandated HHS to adopt national standards for electronic healthcare transactions and code sets} conducts any of the above transactions electronically, they must use the adopted standard ______ or ______ for each transaction??
ASC X12 Version 5010 or NCPDP (used for certain pharmacy transactions)
Fraud and abuse penalties do NOT include??
Ability to refile claims in question. +Fraud and abuse penalties are stiff and can include monetary penalties, exclusion from Medicare, Medicaid, and other federal healthcare programs and even imprisonment.
A medical practice has been found to be routinely submitting bills to Medicare as the primary payer when Medicare is the secondary payer. This is consider to be ______??
Abuse
The ______ ______ ______ is a federal law that makes it a criminal offense to knowingly or willingly offer, pay, solicit, or receive any remuneration to induce or reward referrals of item or services reimbursable by a federal healthcare program?? What act included the original legislation??
Anti-Kickback Law: any items or services that are received by the physician as payment {such as cash or gifts, free rent, expensive trips, or meals} can be a violation of the law [Fines up to $25,000/violation, False Claim liability, civil liability, subject to OIG to exclude an entity/individual from any and all federal healthcare programs, and/or prison time] -The Social Security Act of 1972; HIPAA (1996) increased the scope of fraud and abuse sanctions
What are conditions of participation (CoP)?? What types of entities do CoP's apply to for health plans??
CMS and other health plans have conditions that healthcare organizations must meet to participate with the plan or program. CoPs are designed to protect patient health and safety, and to ensure quality of care. These apply to entities such as: ambulatory surgical centers, hospitals, hospices, clinics, psychiatric hospitals, long term care facilities, and transplant centers.
Abuse is defined by what and who?? -What are examples of abuse??
CMS defines abuse as an action that results in unnecessary costs to a federal healthcare program, either directly or indirectly. +CMS lists examples of abuse as: -Misusing codes on a claim -Charging excessively for services/supplies -Billing for services that were not medically necessary -Failure to maintain adequate medical or financial records -Improper billing practices -Billing Medicare patients at a higher fee schedule than non-Medicare patients
Fraud is defined by what and who?? -What are examples??
CMS defines fraud as making false statements or misrepresenting facts to obtain an undeserved benefit or payment from a federal healthcare program. +CMS lists examples of fraud as: -Billing for services and/or supplies that you know were not furnished/provider -Altering claim form/receipts to receive a higher payment amount -Billing a Medicare patient above the allowed amount -Billing for services at a higher level than provided/necessary -Misrepresenting the diagnosis to justify payment -Falsifying documentation
Code set established by ______ to represent services not covered by CPT??
CMS; Healthcare Common Procedure Coding System (HCPCS)
What actions are considered under the False Claim Act?
Claims can be submitted for drugs unless the drugs were expired or were provided free to the entity. Incident-to claims are legal when the guidelines are adhered to. Releasing of records inappropriately are covered under the Privacy Rule. Relative to healthcare services, examples of fraud or misconduct subject to the False Claims Act include:- Falsifying a medical chart notation- Submitting claims for services not performed, not requested, or unnecessary- Submitting claims for expired drugs- Upcoding and/or unbundling services- Submitting claims for physician services performed by a non-physician provider (NPP) without regard to Incident-to guidelines
What is required when using a business associate??
Contract
______ ______ are required to develop and implement policies and procedures to reasonable limit uses and disclosures to the minimum necessary.
Covered entities
Code set for dental services, maintained by ______??
Current Dental Terminology (CDT); American Dental Association (ADA)
Code set maintained by the ______ to describe medical procedures and physician services??
Current Procedural Terminology (CPT); AMA
HIPAA mandated what entity to adopt national standards for electronic transactions and code sets
HHS +Provisions were established under the Administrative Simplification portion of HIPAA mandating HHS establish a national standard for electronic transactions.
What entities are exempt from HIPAA and not considered to be covered entities?? (3)
HIPAA allows exemption for entities providing only worker's compensation plans, employers with less than 50 employees as well as government funded programs such as food stamps and community health centers.
A breach notification rule requires ??
HIPAA covered entities are required to provide notification in the event of an unsecured breach of patient health information
HCFAC -When was it enacted, under what, and why?? -Example??
HIPAA established the Health Care Fraud and Abuse Control (HCFAC) program, to combat fraud and abuse in healthcare (both public and private). -HCFAC is designed to coordinate federal, state, and local law enforcement activities with respect to healthcare fraud and abuse. -The US Department of Human Health Services (HHS) and the Department of Justice (DOJ) are required to provide an annual report detailing the efforts and the HCFAC annual report details the efforts and recoveries made.
Patient questions and concerns regarding the Privacy Practices in the clinic should be addressed by what party??
HIPAA rules indicate that all entities should designate a Privacy Official that will develop and implement privacy policies and procedures and be a contact person for individuals with questions.
HIPAA -When were they established?? What is it a part of and what are they??
Health Insurance Portability and Accountability Act of 1996, was enacted on August 21, 1996 to provide rights and protections for participants and beneficiaries of group health plans. -Under this law, exclusions for pre-existing conditions were limited, and discrimination against employees (and dependents) based on their behalf.
HMO Act of ?? Enacted under who, when, and why??
Health Maintenance Organization (HMO) Act of 1973 was passed into law under the Nixon administration to try to help control healthcare costs by authorizing $375 million to assist in establishing and expanding them. -HMO's overrode state laws that prohibited the establishment of prepaid health plans, and required employers with 25 or more employees to offer an HMO option (if they furnished healthcare to their employees).
______ ______ ______ is defined as services or supplies that are furnished incident to a physician's professional services when the services or supplies are furnished as an integral, although incidental, part of the physician's personal professional services in the course of diagnosis or treatment of an injury or illness and services are performed in the physician's office or in the patient's home??
Incident to claim +To qualify for payment under the incident to rules, services must be part of the patient's normal course of treatment, during which a physician personally performed an initial service and remains actively involved in the ongoing course of treatment.
______ contains the diagnosis codes and is maintained by ??
International Classification of Diseases, 10th Revision, Clinical Modification (ICD-10); the National Centers for Disease Control (CDC)
ICD-10-CM -Utilized by who and when??
International Classification of Diseases, 10th Revision, Clinical Modification (ICD-10-CM)-Endorsed by the World Health Assembly, utilized by the World Health Organization (WHO), and implemented in the US, October 1, 2015.
______ contains procedures, used to report procedures for ?? and is maintained by ??
International Classification of Diseases, 10th Revision, Procedure Classification System (ICD-10 PCS)
______, _____, and _____ of Justice are the government agencies enforcing ________??
The Department of Justice (DOJ), the Department of Health & Human Services Office of Inspector General (OIG), and the Centers for Medicare and Medicaid (CMS) are the government agencies that enforce the Federal fraud and abuse laws.
Medical records are requested for a patient for a specific date of service. When records are copied, multiple dates of service are copied and sent in reply to the request. What standard does this violate and under what rule??
The HIPAA Privacy Rule includes guidance for minimum necessary stating the use of PHI should be limited to the minimum necessary. When medical records are requested, records for only the date of service requested should be sent.
A patient is seen in your clinic. Her husband calls later in the day to ask for information about the visit. The practice pulls the patient's privacy authorization to see if they can speak to the husband. What act does this action fall under??
The Privacy Act is under HIPAA and protects the health information of the patient. According to HIPAA, for the practice to release information to the husband, the patient would have to have signed an authorization.
The Federal False Claim Act allows for claims to be reviewed for a standard of how many years after an incident??
The federal False Claims Act (31 USC § 3729) allows for claims to be brought up to seven years after the incident, but has been extended to 10 years in some cases, but this is not the standard.
HMO plans require the enrollee to??
To have referrals to see a specialist that is generated by patient's PCP.
Internal Revenue Code (of what year) ??
Employer contributions to employee health plans exempt from taxable income. 1954.
A private practice hires a consultant to come in and audit some medical records. Under the Privacy Rule, what is this consultant considered??
Business Associate +Perform certain functions or activities, which involve the use or disclosure of individually identifiable health information, on behalf of another person or organization. -These services include claims processing or administration, data analysis, utilization review, billing, benefit management, and re-pricing. Because the consultant will be auditing medical records, PHI will need to be shared from the practice. The practice would be the covered entity.
What penalties can be imposed for fraud and/or abuse related to the United States Code??
Exclusion from participation in the Federal healthcare programs and State healthcare programs may be imposed, along with criminal penalties of fines, imprisonment, or both. -Fraud and abuse carry stiff penalties under 42 USC § 1320a-7a of the United States Code. Civil monetary penalties (CMPs) may be imposed to varying amounts, depending on the type of violation.
FCA
False Claims Act (FCA): {"knowing" and "knowingly"}-Federal statue setting civil and criminal penalties to protect the government from being overcharged or sold substandard goods or services: -falsely billing the government -over-representing the amount of a delivered product ....or.... -under-stating an obligation to the government
In reviewing practice records, it is found that an office is billing Medicare for drugs that it was obtaining at no charge from drug companies. This is consider as ______??
Fraud
If a provider is excluded from federal health plans, what does that mean??
One of the most severe penalties associated with the Social Security Act is the ability of the Office of Inspector General (OIG) to exclude an entity or an individual from participation in any and all federal healthcare programs. This includes Medicare, Medicaid, VA programs, and TRICARE. An excluded individual cannot bill for services, provide referrals, prescribe medications or order services for any beneficiary of a federally administered health plan.
A new radiology company opens in town. The manager calls your practice and offers to pay $20 for every Medicare patient you send to them for radiology services. What does this offer violate??
The Anti-Kickback law-a federal law that makes it a criminal offense to knowingly or willingly offer, pay, solicit, or receive any remuneration to induce or reward referrals of items or services reimbursable by a federal healthcare program.
What act requires CMS to implement an incentive program?? -What did it end??
Medicare Access and CHIP Reauthorization Act (MACRA) of 2015 -It ended the Sustainable Growth Rate (which would have significantly cut payment rates for participating Medicare clinicians)
When was Medicare enacted under who and what title?? What did it offer??
Medicare was passed into law on July 30, 1965 by President Lyndon B. Johnson under the title act XVIII of the Social Security Act. -Automatic enrollment of Part A -Option to enroll in Part B
PHI
Personal Health Information (PHI): -Demographic data (name, address, date of birth, social security number) -Individual's past, present, or future physical or mental health condition -Provision of healthcare to the individual -Past, present, or future payment for the provision of healthcare
According to the Privacy Rule, what health information may not be de-identified??
Physician provider number. To de-identify health information, any information that could help identify the patient is removed.
Two-digit codes placed on all healthcare professional claims that denote the setting in which the service was provided and is maintained by ______??
Place of Service Codes; CMS
PPO -When were they established?? What is it a part of and what are they??
Preferred Provider Organization (PPO) Is within the framework of manged care health insurance. -PPO's set up a group of MD's, hospitals, and other healthcare providers to create a network and negotiated predetermined fees with a given carrier. -PPO's offer members more options in that they don't have to have to maintain a PCP or require referrals.
PPO
Preferred Provider Organization (PPO)-Managed care organization of MD's, hospitals, and other healthcare providers who have agreed with an insurer or a third-party administrator to provide healthcare at reduced rates to the insurers' or administrator's clients
Limited Data Set
Protected Health Information (PHI) from which certain patient identifiers have been removed -May be used for: research, healthcare operations, and public health purposes (as log as there is an agreement with promised safeguards in place for the PHI)
What does PHI stand for?? What does it include??
Protected Health Information-"individually identifiable health information" that includes many common identifiers, such as demographic data, name, address, birth date, and social security number.
The ______ ______ prohibits a physician from making a referral for certain Designated Health Services (DHS) to an entity in which the physician has an ownership/investment interest or with which he/she has a compensation arrangement?? -Amended by?? -Governed by?? -Penalties for violation??
Stark Law -Social Security Act -HHS -Fines up to $15,000/violation, False Claim liability
Minimum Necessary Standard. What should be sent if records are being requested??
The ? requires covered entities to take reasonable steps to limit the disclosure of PHI. Only the dates of service requested should be sent. The PHI would not need to be redacted.
HMO plans are managed and overseen by??
The patient's PCP. The PCP is responsible to manage the referrals for panel of patients assigned to them.
What is the purpose of the Privacy Rule?
The purpose of the Privacy Rule is to protect individual privacy, while promoting high quality healthcare and public health and well-being.
How many national priority purposes are under the Privacy Rules for disclosure of specific PHI without an individual's authorization or permission??
There are 12 national priority purposes. -To strike a balance between the individual interest and public interest for specific PHI, the Privacy Rule permits use and disclosure of this information without an individual's authorization or permission through public interest and benefit activities.
What is the standard time frame established for record retention?
There is no single standard record retention requirement, it varies by state and federal regulations. The five year time line is for CMS providers that submit cost reports.
TILA
Truth In Lending Act (TILA)-{also known as the Truth and Lending Act}-is a federal law enacted in 1968 -Protects consumers in their dealings with lender/creditors +Designed to assure that every customer who needs consumer credit is given meaningful information concerning the costs of such credit +If the practice assesses a finance charge, the amount of the finance charge must be disclosed as an annual percentage rate (APR)
State laws on record retention vary from ______ ______ ______ and the ______ ______ ______??
Type of provider (MD vs hospital) and the age of patient (adult vs minor)
What were the eight standard transactions for electronic data interchange adopted under??
Under HIPAA, provisions were included for Administrative Simplification that mandated HHS to adopt national standards for electronic healthcare transactions and code sets.
In addition to the standardization of the codes used to request payment for medical services, a ______ ______ for employers and providers, must be used on all transactions??
Unique identifier
Code set that identifies vendor, product, and package size of all drugs and biologicals recognized by the FDA, maintained by ______??
Vendor, product, and package size; HHS
The FCA is violated by submitting a FALSE claim ....??
With knowledge* that it is false; even if there is no intent to defraud. *"knowing" and "knowingly"-a person has actual knowledge of the information; acts in a deliberate ignorance or reckless disregard of the truth or falsify the information; and/or requires no proof of specific intent to defraud.
What did HIPAA Administrative Simplification provisions require in 2002??
[Security Rule] That sections of the law be publicized to explain the standards for the electronic exchange, privacy, and security of health information.
