Compliance in Audiology: The Ethical and Legal Requirements of our Profession

Kim Cavitt, AuD
August 17, 2015

Editor’s Note: This text course is an edited transcript of a live webinar.

Learning Objectives

Dr. Kim Cavitt:  After this course, participants will be able to describe how the federal anti-kickback legislation applies to audiology, describe how the Centers for Medicare & Medicaid Services (CMS) update to audiology policies and revision/reissuance of audiology policies apply to daily practice, and describe how the Federal False Claims Act applies to daily practice.

Codes of Ethics

It is important that all audiologists be aware of the ethical guidelines outlined in the state licensure laws.  Sometimes, they are deemed codes of ethics, unprofessional conduct, or codes of conduct, but they all mean the same thing.  These are situations that you need to avoid in dealing with your patients, as these would be infractions of your licensure law.  Failure to comply with those ethical standards or codes of conduct can result in the loss of your license.

Licensure laws are consumer protection laws by nature.  That means that they are driven by a consumer or patient complaint process.  As someone who sits on the licensure board, when you are going through complaints or grievances against a licensee, you do look at these ethical guidelines.  Have they violated their scope of practice?  Have they violated their code of conduct or their ethical practice guidelines?  It is very important that you are aware of what those are in your state. 

In Illinois, for example, our licensure law references both the American Academy of Audiology (AAA) and American Speech-Language Hearing Association (ASHA) codes of ethics.  If you are a member of those organizations, it can obligate you within the Illinois licensure law to those terms.  Ignorance is not a defense as it relates to ethics and legalities.  Not knowing is not going to protect you. 

You also need to be aware of the codes of ethics of organizations of which you are a member.  Failure to comply can result in your being removed from that organization or losing your credentialed status.  For example, if you violate the ASHA code of ethics and a complaint is filed against you, ASHA will have no qualms about going through its well-defined process of evaluating that ethical practice grievance.  If they find merit in the grievance, they publish it in the ASHA Leader.  They can suspend your certification or remove you from the organization. 

Some of the aspects of a professional code of ethics that exists in these organizations can also protect you from violating legal statutes, laws, rules and regulations.  They have created them to protect their members from potential conflicts of interest.  There are professional codes of ethics from both AAA and ASHA.  Many state licensure laws reference these codes of ethics in the laws themselves. 

Ethics vs. Law

It is important to understand the difference between ethics and the law.  Ethics is something that is internal to you, and sometimes it can be governed by your state licensure or professional association, but it is often the personal decisions that you make to feel comfortable in your own personal code of conduct with regard to your practice and treatment. 

Would you feel comfortable telling your patients about a vendor-funded trip?  If you dispense that vendor’s product to patients who have a federal payer paying for the device (Medicaid, Tricare), there are implications that the vendor-funded trip is a kickback.  Business development funds can fall in that same category.  Would you feel comfortable telling your patients about a vendor-funded trip or a business development fund or vendor payment arrangements where the vendor is financing your business or equipment?  If you have received gifts from vendors, would you feel comfortable sharing that with your patients? 

There is a law in other professions called the Sunshine Act, where that aspect of disclosure is part of the statute.  In audiology, that would apply to cochlear implants, because Medicare is the payer in this scenario.  The question is, “Would you feel comfortable with disclosure?”  Ethics is how you personally feel about whether something is right or wrong, but, again, it can sometimes be governed by laws.  There are also federal rules that govern how we interact with vendors and how those interactions affect patients.

Ethical Practice Guidelines on Financial Incentives from Manufacturers

In 2011, AAA updated the ethical practice guidelines on financial incentives from hearing instrument manufacturers.  They were originally created in 2003 as a collaboration between AAA and the Academy of Doctors of Audiology (ADA), and they were updated in July 2011 by AAA.  You can access them on the AAA website under About Us>Membership>Ethics. These guidelines address arrangements that you must avoid and quid pro quo, which can be defined as the exchange of goods or services where one transfer is contingent on another; you scratch my back, I scratch yours.  The areas of potential conflict of interest the guidelines address are:

  • Ownership interests in companies whose products you dispense
  • Disclosure of any commercial interests to patients
  • Disclosure of consulting relationship to patients
  • Acceptance of gifts of any value from manufacturers
  • Disclosure of remuneration for research
  • Incentive trips (rewarded for conducting business); AAA has defined these trips to be those that are not primarily educational in nature. There are legitimate, ethical manufacturer-funded trips, where you are being brought for education.  It becomes fuzzy when the education is at a resort and the trip is 50% education and 50% fun  
  • Business Development Funds, where the manufacturer is giving you X dollars in a fund for every device you dispense, and the funds can be used for anything
  • Lease arrangements where a manufacturer helps you lease a space
  • Cash rebates on products you dispense
  • Manufacturer sales quotas in order to receive an incentive

It is important that you are aware of how a quid pro quo can be problematic, both ethically and legally.

Ethical Violations and the Law


Ethical violations can turn into legal problems.  First and foremost is the anti-kickback legislation, which can be found on the Office of the Inspector General website, at this link.   Anti-kickback carries criminal penalties, which means that there is federal prison time associated with monetary fines.  The Office of the Inspector General, which is the police department of Medicare and Medicaid, manages overutilization.  They have a plan of things that they are going to audit and things to focus on to recoup inappropriate expenditures.  Every day I get an email from them outlining people's infractions.  We probably assume that these are primarily physicians, but that is not the case.  There are ancillary health professionals, including audiologists.  You can go to their website and look up audiology infractions, as this is all public information.  In most states if you are convicted of a felony for anti-kickback issues, your license will be, at a minimum, suspended.  It is very important that you are aware of these legal implications of some of the ethical decisions you make.

Anti-kickback has criminal penalties.  From the statute, “It is a felony to knowingly and willfully solicit or receive any remuneration directly or indirectly, overtly or covertly, in cash or in-kind, in return for purchasing, leasing, or ordering or recommending the purchase, lease, or ordering of any item or service reimbursable in whole or in part under a federal healthcare program.”  This would be Medicare, Medicaid, and Tricare; Federal Blue Cross Blue Shield does not apply.  Medicare can come into play when we are talking about cochlear implants, auditory osseointegrated devices, and auditory brainstem implants.  Those are paid for by Medicare.  Hearing aids can come in to play, as well as those other devices, when the payer is Medicaid or Tricare.  Anti-kickback can come into play for us with regard to hearing aid fittings. 

In cash or in kind means it can be money or a trip, money for an iPad, a computer, a favorable lease arrangement, or car.  It does not have to be just cash.  Directly or indirectly means there can be a middleman.  The middleman does not always protect you.  It is important for you to know that certain quid-pro-quo ethical decisions can have anti-kickback implications. 

Kickbacks create an incentive to over-utilize particular goods and services, impinge upon the patient care process, and create an unfair competitive environment for those who refuse to provide remuneration.  The incentive to over-utilize is real.  If you have a quota that you have to meet, you are going to use more of that product than you would if you did not have a quota.  Research shows the influence of that.   The decisions you make can have legal implications. 

Audiology Examples

Here are some examples from our field.  An audiologist furnishes hearing tests to a physician’s patients at less than fair market value, or often for free, in exchange for hearing aid referrals, where some of these referrals may be for instruments covered under a federal healthcare program.  A physician reaches out to an audiologist and says, “I want you to do all my audiological testing.  I will bill for it, collect all the payment, and in return for that, you can get all the hearing aids.”  That would be a kickback violation.  When someone approaches you to enter into these types of relationships, it is very important that you have a contract that has been drafted by an attorney, which can protect you from these types of potential violations.  I am not fear-mongering; there are cases where this very thing has occurred.  You need to be careful of these relationships and set them up appropriately.

Another example is when an audiologist purchases X number of products and gets X number free from a manufacturer and bills a federal payer for any of these products once they have been provided to the patient, without disclosing the buy-one-get-one deal.  A very prominent example of this involved a manufacturer in Florida.  There was a settlement, but the implications went further: all of the physicians and audiologists that were part of this deal ended up being audited.  Have these types of relationships vetted before you agree to them. 

The manufacturer’s responsibility is to dispense and sell product.  It is not to make sure that you are legally protected.  It is your responsibility as you enter into these relationships to hire your own attorney.  You would want patients to pay you for your expertise at a rate of somewhere between $200 and $300 an hour.  We need to be willing to spend money on legal assistance at similar rates to make sure that we are making the right decisions and doing the right things.

Avoid Free Hearing Tests

To avoid anti-kickback violations, you also want to avoid free hearing tests.  When you are a Medicare provider, offering free hearing tests appears to be in clear violation of Medicare rules and regulations.  Medicare prohibits offering free services as an inducement to generate other services, such as diagnostic audiology services or hearing aids.  If you are a Medicare provider, you cannot be “free” in one situation and then charge Medicare in another.  That same language exists in most private-pay contracts.  When you are a Medicare/Medicaid provider, you cannot be giving the same service away at no charge.  You bill someone, or the patient is responsible.

Referral Pads

There have been audits regarding the use of referral pads in audiology, because a referral pad can be seen as a solicitation of a Medicare order.  The anti-kickback statute prohibits knowingly and willfully soliciting remuneration.  Referral pads that have your name and your identifying information on them can be seen as a solicitation of an order.  It is important that the orders be generated by the physician.  There is a way around a referral pad.  You could supply the physician with a referral pad that has no identifying information of your practice on it.  That physician could use it to refer any audiologic services to any facility.  That is okay.  It is when it contains all your identifying information that it can be deemed a solicitation.

Write-Offs of Co-Pays and Deductibles

Medicare has rules about write-offs of co-pays and deductibles.  Patients have to meet their financial responsibilities.  Private insurers often have language in their agreements that you cannot advertise or market that you are waiving co-pays or deductibles or coinsurance.  That can be deemed a solicitation as well.  There are exceptions to this. 

When a patient is indigent, you have very clear processes and policies about how you write off bad debt for the poor or use a sliding scale, but you need to be consistent.  Always writing off co-pays and deductibles is a Medicare violation, and would violate the terms of most private insurance contracts as well.

Be mindful of reminder mailings for annual hearing tests where you are seeking third-party coverage.  That can be deemed as solicitation.  If you are reminding people to come in, is there medical necessity in that?  Are you soliciting them to bill something to a third-party payer?  As far as Medicare is concerned, patients should be going to physicians stating they have a hearing disorder or balance disorder.  The physician should then be referring out with a written order.  If a patient comes to you or you are reaching out to them, you have to be careful that you are not soliciting.  If the patient comes to you directly, you can tell them what they need for coverage. 

You also need to tell them what they need for medical necessity.  If it is about a hearing aid and they have no change in history or condition, the insurer is not responsible.  The patient is then responsible for procuring their order, not you.  You should not be reaching out to physicians’ offices to secure an order.  That is something the patient is responsible for if they want coverage.  Otherwise, it can be deemed a solicitation.


The Anti-Kickback Statute

“Section 1128B(b) of the Social Security Act (42 U.S.C. 1320a-7b(b)), previously codified at sections 1877 and 1909 of the Act, provides criminal penalties for individuals or entities that knowingly and willfully offer, pay, solicit or receive remuneration in order to induce business reimbursed under the Medicare or State health care programs. The offense is classified as a felony, and is punishable by fines of up to $25,000 and imprisonment for up to 5 years.” Those penalties can apply per patient, and some can overlap.  This provision is written extremely broadly.  The types of remuneration specifically covered include kickbacks, bribes and rebates made directly or indirectly, overtly or covertly, in cash or in kind.  In addition, prohibited conduct includes not only that intended to induce referrals of patients, but also that intended to induce the purchasing, leasing, ordering, or arranging for any good, facility, service, or item paid for by a Medicare or state healthcare program.  Again, you should not be soliciting, and you should not be giving things in return for orders or referrals.  You need to be very careful.  When in doubt, seek the advice of counsel.

False Claims Act

There is also something called the False Claims Act, which carries criminal penalties when violated.  Unfortunately, I see many violations of this in audiology practice.  A good resource on this act is

The False Claims Act says not to submit fraudulent claims to any entity.  The provisions you see in the False Claims Act are also very commonly incorporated into state licensure laws.

Claims for Services not Performed

The first is submitting claims for services not performed.  An example is billing 92557 (comprehensive hearing test) for a one-ear test without the -52 (reduced services) modifier that indicates you tested only one ear.  You billed for services you did not perform.  Other examples are billing for rotational chair testing when you do not have a rotational chair, billing for computerized dynamic posturography when you do not have a platform, or billing for a comprehensive hearing test when you did not do a speech reception threshold or bone conduction.  Those are common examples of submitting a claim for services not performed. 

One more example is billing for a product that the patient does not have.  That would be billing for a service not performed or an item not dispensed.  You should not be billing for hearing aids that the patient does not physically have in their possession.  That would be a false claim. 

Billing Under Someone Else’s Provider Number

Billing under someone else's provider number is a violation of the False Claims Act.  For example, you hire a new audiologist who has graduated from their AuD program, but they are not yet fully licensed, and they are not enrolled in Medicare or your insurance plans.  So you bill the services they provided under your provider number.  That would be a false claim.  That person is unlicensed, and they are not a student.

Once they have graduated, they are not a student; they are an unlicensed professional until their license has been granted, or an uncredentialed one if they are licensed but you are waiting for the Medicare paperwork to go through.  Nothing should ever be billed under your provider number unless you did it yourself or are personally supervising a student 100% of the time.  Audiologists should not be billing services provided by a technician under their license number or national provider identifier (NPI).  That is prohibited as well.

Another example is if you are on maternity leave or sick leave and someone is filling in for you.  That person is licensed, but is not credentialed with the payers with which you are credentialed.  They bill out everything under your provider number in order to get it paid while you were off on leave.  That would be a false claim.  It is very important that you are careful with how your NPI is used.  You would be the responsible party, because you are the one filing the false claims for services you did not perform. 


Unbundling

Unbundling means breaking a code into the sum of its parts.  This is unbundling not as it relates to hearing aids, but as it relates to procedures.  Let's talk about the basic vestibular evaluation 92540, which is one of our bundled codes.  Let's say instead of billing 92540, you bill its components, 92541, 92542, 92544, 92545, that you performed on the same patient on the same date of service.  When you bill them individually and the bundle exists, you are inappropriately unbundling.  That claim will be denied, but it is also deemed a false claim. 


Upcoding

Upcoding is when you bill for more than what you provided.  Billing for a comprehensive hearing test when you only did air conduction, billing for a comprehensive hearing test without adding a modifier when you only tested one ear, or billing 10 units of the add-on code for each additional 15 minutes of central auditory processing disorder (CAPD) testing and report, or 10 units of 92627 (each additional 15 minutes of evaluation of aural rehabilitation status), are all examples of upcoding.  In the last case, you are billing entirely too many units.  Ten units of either add-on code would mean 150 minutes in addition to the initial 60 minutes, so you would be billing something like 210 minutes of those procedures.  You need to be very careful that you are not over-billing and upcoding the procedure.

Billing for Services Known to not be Covered

Billing for services known not to be covered without adding the appropriate modifier, such as billing for hearing aids, aural rehabilitation, or evaluation and management codes, is a violation.  There were many audiologists in the western region that were billing evaluation and management codes to Medicare without a modifier.  They were getting paid inadvertently.  All 64 of those audiologists were audited, and all of those monies had to be paid back.  They were inappropriately accepting payment.

Any time you bill Medicare for a statutorily excluded item or service, for a hearing aid, aural rehab, vestibular rehab including canalith repositioning, any cerumen removal, any form of treatment, or a hearing test for the sole purpose of getting a hearing aid, you need a modifier.  Without that modifier, you are filing a false claim.  You are billing for an item or service that you know is not covered and seeking payment.  The modifier that you would use to get a Medicare denial for things that are statutorily excluded is GY, which means the item or service is statutorily excluded or does not meet the definition of a Medicare benefit. 

This is a good time to mention that if you want to know more about coding, reimbursement, Medicare, or enrollment, there are separate modules on Audiology Online that specifically address these topics.  You may search under my name, Cavitt, for those courses.

Submitting Claims for Services that are not Medically Necessary

Another false claim would be submitting claims for services which are not medically necessary, such as an annual hearing test, and not adding the appropriate modifier.  Medicare does not pay for annual or routine services.  They do not pay for screenings.  They pay for items and services that are medically necessary to diagnose or treat a medical or surgical condition.  A date of the year does not make Medicare responsible for the cost of the test, even if it is ordered by a physician. 

You must be able to document medical necessity, and it is important that it exists in your records.  If you bill annual hearing tests to Medicare when you do not have medical necessity, even if you have an order, and you do not add the GY modifier and bill the patient privately, you would be filing a false claim.  The same applies to hearing tests performed for the sole purpose of getting a hearing aid; the presence of a physician order does not guarantee medical necessity.

FDA Requirements

Many state dispensing laws reference the Food and Drug Administration (FDA) referral red flags.  In many states, you might even see language that states that a waiver is not appropriate if the patient presents with one of the FDA warning signs of ear disease.  One of them, acute or chronic dizziness, is also part of the physician quality reporting system.  The following is the list of the eight warning signs of ear disease:

  • Active drainage within the previous 90 days
  • History of sudden or rapidly progressive hearing loss
  • Unilateral hearing loss (or asymmetrical hearing loss)
  • Conductive hearing loss or an air-bone gap
  • Impacted cerumen or foreign body in the ear canal; There is a difference between impacted and non-occluding cerumen.  Impacted cerumen is when you cannot see clinically significant portions of the eardrum and is very hard and deep in the canal.  The little ball that you need to remove for a hearing aid or for hearing testing would not constitute impacted cerumen.
  • Pain or discomfort (otalgia)
  • Visible congenital or traumatic deformity of the ear; that can include a cauliflower ear, exostoses, or atresia
  • Acute or chronic dizziness

The FDA says that if the patient presents with any of these eight warning signs, they should be seen by a physician (preferably a physician who specializes in the ear) for medical clearance, rather than allowing that patient to sign a medical waiver.  This is where ethics can come into the equation. 

You need to decide personally if you are willing to fit a patient who presents with one of these eight warning signs with a medical waiver only and no medical clearance.  This will vary person-to-person.  For me, if this was the first time I had ever seen this patient and they presented with any of the eight warning signs of ear disease, with the exception of impacted cerumen if I was able to get it out, I would want a medical clearance before I fit them.  However, if this was someone who had a well-established conductive hearing loss that was in the process of treatment or if the patient has decided they were not going to seek surgical intervention but have sought medical intervention, I would feel more comfortable having them sign a waiver.  Everyone needs to decide, within their state dispensing laws, what they are comfortable with.

Some state dispensing laws will say if a patient has any of these eight warning signs of ear disease, you must have a signed medical waiver.  It is very important, even as an audiologist and even if you are not obligated under state dispensing laws, to know what those are, because in some state licensure laws, it will state that while you may not be licensed under the dispensing act, you are obligated to the act as an audiologist.  These laws are easy to find.  ASHA has a state-by-state guide that you can find on their site.  They will give you the general rules of dispensing and licensure for each state with links to the state licensure laws. 

There are two links for the FDA requirements: link 1 and link 2.

To dispense a hearing aid, the user brochure that comes with the hearing aid from the manufacturer needs to be given to the patient at every fitting per FDA requirement.  The FDA also requires medical clearance or a medical waiver.  If the patient is 18 years of age or older, they may sign a medical waiver, even if they present with some of the warning signs of ear disease.  I would instruct you to consult state law. 

For patients under 18 years of age, you must have a medical clearance in place for every fitting.  Both the medical clearance and the medical waiver need to be in the FDA language, which you can find on the FDA link.  When you are in doubt about whether something is illegal, whether this is an arrangement into which you should enter, or whether this is something that could be problematic for you, it is important that you reach out to legal counsel, specifically an attorney that specializes in healthcare or Medicare law.  Do not enter into contractual relationships with other parties, including physicians, buying groups, skilled nursing facilities, assisted living facilities, or management services, without having legal counsel review that agreement. 

Another way to find an attorney is by going to your State Bar Association websites.  They oftentimes have attorney locator services.  You also can use Google.  When I was seeking healthcare counsel, I went to Google and searched my State Bar Association as well as healthcare attorneys in Chicago.  I read about these firms, put a list together, and interviewed them.  Sometimes you might need a business attorney and healthcare attorney.  A healthcare attorney will help you through these very specific healthcare situations, where a business attorney will help you with the lease of your building or your loan.   Seek counsel that is specific when you need it.  There is something called advice of counsel.  If you have sought legal counsel, and they have given you advice which is documented, and that advice was incorrect, you do have legal remedies from that.   

The Role of State Licensure

State licensure dictates your scope of practice.  National associations do not dictate your scope of practice, but they can model licensure laws.  They can advise you on things you might want to include in your state scope of practice, if you are making modifications, but they do not dictate what you do. 

Payers do not dictate your scope of practice, nor do they have to cover all the items or services you provide that are within your scope of practice.  You do not get to interpret this alone.  Further, just because something may not be mentioned does not make it okay.  You do not get to say what is in your scope of practice; your state licensure laws and board get to determine that. 

You should be aware of the requirements of the scope of the hearing aid or audiology licensure board in your state and your practice limitations.  If you are unsure if something you want to do is within your scope of practice, I strongly recommend that you send a personal message to your licensure board and ask.  We have learned recently as it pertains to cerumen removal and intraoperative monitoring that just because it was not mentioned did not make it in our scope.  It is important that you do not practice outside of your scope of practice.  You should get that determined in writing.  Not all states allow audiologists to perform intraoperative monitoring or cerumen removal or screening for depression.  It is your responsibility to pose those questions to your licensure board when you need clarification.

Audiology Assistants, Technicians and Support Staff

It is important that you know the scope of these support personnel.  Audiology assistants, technicians, and support staff can be unlicensed in some cases.  Some states license, provide certificates or register an audiology assistant or technician, and other states have no mention of this.  In some cases these people may potentially practice audiology or hearing aid dispensing without a license.  You need to be very careful of what they are doing. 

Audiology assistants and technicians cannot perform testing on Medicare beneficiaries and receive payment.  Technicians can perform testing under the direct supervision of physicians.  They can perform otoacoustic emissions (OAEs), auditory brainstem response (ABR), vestibular family of codes and tympanometry under a physician, but not under an audiologist.  They cannot perform a hearing test under Medicare and receive payment.  The only people who can perform hearing tests under Medicare are audiologists, physicians, or any non-physician provider who is practicing within their state-defined scope of practice.  It is important that you do not have people doing things that they are not appropriately licensed to do, especially if they seek coverage for that. 

CMS Audiology Policies

The Medicare update to audiology policies became effective October 1, 2008, and the revisions and reissuance of audiology policies, which was a redefinition of some of those original update to audiology policies, went into effect September 2010.  The following are links to both of those documents on the CMS website: Update to audiology policies, and revisions and reissuance of audiology policies.

Incident-to Billing

In a nutshell, the CMS audiology policies address “incident-to” billing.  Audiology procedures that an audiologist personally performs cannot be billed incident to a physician; the only exceptions to this rule are electroneurography (ENOG), intraoperative monitoring, canalith repositioning, and cerumen removal.  Otherwise, the services we provide are on a list called the audiology code list.  If those services are provided by an audiologist, they need to be billed to Medicare under the NPI of that rendering audiologist, not under the NPI of the attending physician.  If you provide the services, you should be billing them. 

Physician’s Orders

Also, the update to audiology policies was very clear to indicate that you need a physician order prior to services being rendered for Medicare coverage.  It also stressed that treatment services were not covered if provided by an audiologist.  That would include aural rehabilitation, tinnitus management, vestibular rehabilitation including canalith repositioning, cerumen removal, or any auditory processing treatment.

Computerized Audiometry

Another area is computerized audiometry.  If there is automatic interpretation of an audiogram and there are no human hands involved in that testing, that testing is non-covered.  An audiogram, 92557, requires the skills of an audiologist or physician. 

Technicians can work under the direct supervision of a physician only.  Students can serve in the role of a technician if they are appropriately trained.  Technicians need to be appropriately trained, and they are working under the direct supervision of that patient's attending physician.  Direct supervision means that the physician is in the office suite.  They do not need to be in the room, but they need to be in the office suite and be available to be directly involved in the patient's care.  Technicians can perform the vestibular family of codes, OAEs, ABR and tympanometry.  Everything else requires the skills of an audiologist or physician.

The audiology policies also talk about students.  Regardless of the year in the program, students must be supervised 100% of the time, with you in the room with them, for Medicare to cover the testing.  It is called personal supervision.  The only exception is if the student is one of those few people who are licensed.  The vast majority of students in this country have not been granted a license. 

Reasonable and Necessary Coverage

Medicare also indicates that they only cover testing that is medically reasonable and necessary.  That means that the patient has had a change in hearing or condition, that you have never established their hearing or balance disorder, or that they have a condition that needs to be monitored such as otosclerosis, Ménière's disease, or acoustic neuroma.  Things that would be covered would be testing for a patient who failed a hearing screening, or pre- or post-testing for a patient with an auditory prosthetic device like a cochlear implant, an osseointegrated device, or an auditory brainstem implant; this is not about hearing aid services or annual hearing tests.  The patient has noticed a change in hearing or condition, or you have not established their hearing loss.  If you do not have that, you have not met medical necessity, and the patient is financially responsible for the cost of the testing.

Prior to the update to audiology policies, if an audiologist performed a procedure like vestibular testing and there was a technical/professional component split, the audiologist could only be reimbursed for providing the service, not for interpreting it.  With the update to audiology policies, audiologists were allowed to both provide and be reimbursed for interpretation of these test procedures.  The update to audiology policies is very clear that you need documentation that the testing was ordered.  An audiogram, in and of itself, does not constitute sufficient documentation.  Your audiological report in the medical record needs to indicate that the testing was ordered, the testing results, and the basis for coverage. 

That means that you had medical necessity with an explanation of what that medical necessity was for each of the procedures you provided.  You need to explain in your report or medical record why you did what you did. 


It also indicates that you need to show that you are qualified to provide the service.  All of your reports or your chart notes need to indicate your full name and credentials.  This will show that you are qualified to provide the procedure.  If you are working with students, then the student would sign and you would sign the report or the medical record.  Again, audiograms and test results by themselves are not sufficient documentation.  You need a report or chart note in the medical record.  I would never trust a physician to be documenting what is needed for my medical necessity.  Remember these claims are being billed to Medicare under the provider number of the rendering audiologist.  You are the responsible party, not the ordering or attending physician.


The update to audiology policies indicated that if an item or service did not have a code, you should use the unlisted code 92700.  92700 would be appropriate for saccade testing, for use of goggles, for vestibular evoked myogenic potentials (VEMP), for tinnitus management, for high-frequency audiometry, or for any other procedure in the wide range of vestibular testing that does not have a code to represent it.  Many of the middle and late evoked potentials and the auditory steady-state response (ASSR) do not have codes to represent them.  Remember that the ABR code is for a threshold search or an otoneurologic ABR.  You would not use 92700 in that case, but you would if you are doing a middle or late latency response or ASSR.

Opting Out of Medicare

Finally, the update to audiology policies indicates that audiologists cannot opt out of Medicare.  That means that we are mandatory claims submitters and Medicare beneficiaries have the right to access their benefits.  As a result, we cannot opt out, enter into private contracts with Medicare beneficiaries, provide services to them that may be covered by Medicare, and have the patients pay us privately.  If we are seeing Medicare beneficiaries, we need to be enrolled either as Medicare participating providers or as Medicare non-participating providers, or we need to be providing all of our testing, all the time, regardless of payer, to patients at no charge.  A fourth option to opt out does not exist.

Audiologists cannot enter into these private relationships with Medicare beneficiaries.  We can charge Medicare beneficiaries for items and services that are statutorily excluded or not medically necessary, but charging Medicare beneficiaries privately would mean that we have inappropriately opted out, and that is a violation of the Medicare rules.

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) came in under Clinton, PQRS (Physician Quality Reporting System) under Bush, and the Affordable Care Act under Obama.  HIPAA is now over 10 years old and should be commonplace in your practice.  You can access materials from the Department of Health and Human Services, which is the parent department.  It is a cabinet-level department and is the parent department of the CMS. 

HIPAA now has civil and criminal penalties.  It covers the Standard Transaction and Code Sets, the NPI, the National Employer Identifier, HIPAA 5010, Security, HITECH (Breach Notification) and Privacy, as it relates to marketing and business associates.

Standard Transaction and Code Sets

HIPAA says that for every payer to represent the items and services you provide, Current Procedural Terminology (CPT) is to be used for the procedures, ICD-9 or ICD-10 (as of October 1, 2015) to represent your diagnoses and symptoms, and Healthcare Common Procedure Coding System (HCPCS) (V and L codes) to represent product and some additional services.  All payers should be recognizing and accepting these codes.  You may still see some exceptions, and the most prominent would be Medi-Cal, which has some unique codes.  Just because a code is recognized does not mean it is covered, however.  It merely means that it belongs to a code set that you use to represent what you have provided. 

HIPAA requires that each individual provider use their own individual provider identification number for all payers, which is the NPI.  Medicare still has an additional number called the PTAN, but your NPI is on every claim you submit to every payer.  In box 24J of the CMS 1500 form or its electronic equivalent, the rendering provider field carries your NPI.  This number stays with the provider as they move from employer to employer.  You need to make sure that this NPI is linked to every clinic or facility with which you work.  When you leave that facility, you need to update your enrollment through PECOS, which is the website where you maintain your Medicare enrollment.  You can log in and make those changes when you move. 

Your NPI is managed by the National Plan and Provider Enumeration System (NPPES).  You will get your NPI once in your lifetime.  Every individual provider needs this.  You need this number as you enroll with every other health plan.  This is separate from your Medicare enrollment.  Medicare enrollment is done through PECOS; always do your Medicare enrollment electronically. 

National Employer Identifier

HIPAA also requires a National Employer Identifier, or EIN.  It also requires that each individual practice or facility utilize their own practice or facility identification number.  This is required for every practice or facility, except a sole proprietorship.  In a sole proprietorship, you use your social security number in the EIN space.  The EIN is issued by the Internal Revenue Service.

Each practice/facility also needs the NPI for an organization.  You will have an EIN that the IRS gives you, and you will have a facility or organizational NPI that National Plan & Provider Enumeration System (NPPES) will give you. 

When you enroll in Medicare, you will need to enroll as an individual through PECOS for the electronic version of the 855-I, and then if you open a practice, your facility also needs enrollment as an organization through the electronic version of the 855-B.  When you get to the Medicare Provider Enrollment, Chain, and Ownership System (PECOS) website, there are instructions at the bottom of page one of the website that will walk you through the entire process.  If you would like to know more about enrollment, we have an AudiologyOnline course specific to insurance enrollment as part of the Billing and Coding Bootcamp series.

HIPAA 5010

HIPAA 5010 was a systems update that went into effect January 1, 2012; enforcement began March 31, 2012.  It contained updates to allow for the transition to ICD-10.  It allowed for more fields and more digits.  HIPAA 5010 tried to move beyond the confines of the CMS 1500 form or its electronic equivalent into the 837 format.  It is much more of an electronic, field-driven format for claims and integration.  You want to make sure that all the systems you use, including your software vendors, office management vendors, payers and the clearinghouses, are able to accept the new codes.  If not, your claims will be denied.

Protected Health Information

Protected health information (PHI) can be categorized into 18 items.  PHI includes the patient's first and last name, street number and name, city and last two digits of their ZIP Code.  When we are talking about things being protected, it means that you are obligated to follow the HIPAA rules before disclosing these things. 

Other PHI are dates directly related to the individual such as their birthdate, their phone number, their fax number, their email address, and their social security number.  It is important to understand that their email address is just as protected as their Social Security number.  One is not more protected than the other. 

More PHI are their medical record number, their health insurance member number if that differs from their social security number, any internal account numbers they have, any certificate or license numbers assigned to this patient, any vehicle identifiers or serial numbers, and device identifiers and serial numbers.  These include hearing aid or cochlear implant serial numbers; you cannot share those without a signed disclosure. 

Next are URLs from websites, IP addresses, biometric identifiers such as fingerprints, retinal prints or voice prints, and their photo.  You would never use a patient’s photo without their written approval.  The last PHI category is any other unique identifying number, characteristic, or code, including ones that have not yet been created.
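As an added example (not the speaker's or HHS's tooling), the scan below flags the machine-shaped identifier categories from the list above before a note or support ticket leaves the practice; the record-number and hearing-aid-serial formats, the sample ticket and the account names are constructed for this illustration.

```python
"""Pre-release scan for HIPAA identifier categories in free text.

Names, addresses and photos are not pattern-detectable and stay with human
review; this covers the identifiers that have a recognisable shape (dates,
phone/fax, email, SSN, record or account numbers, device serials, URLs, IPs).
"""
import re
from typing import Dict, List

# Category -> regex. The MRN- and HA- formats are constructed for this example;
# a real practice substitutes its own vendor and chart numbering formats.
PHI_PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "record_or_account_number": re.compile(r"\bMRN-\d{6,}\b"),   # constructed
    "device_serial": re.compile(r"\bHA-[A-Z0-9]{6,}\b"),          # constructed
}


def scan_for_phi(text: str) -> Dict[str, List[str]]:
    """Return each identifier category that matched, with the matching strings."""
    hits: Dict[str, List[str]] = {}
    for category, pattern in PHI_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[category] = found
    return hits


def redact(text: str) -> str:
    """Replace each hit with a category tag so the remainder of the note can be
    shared (for example with a software vendor) under the minimum-necessary
    standard. Name and address fields still need a manual pass."""
    out = text
    for category, pattern in PHI_PATTERNS.items():
        out = pattern.sub(f"[{category.upper()}]", out)
    return out


# Constructed sample: a support ticket a front-office employee might be tempted
# to paste, as-is, into a vendor's web form.
SAMPLE_TICKET = (
    "NOAH crashed while saving 2015-08-17 fitting for MRN-004512. "
    "Left aid serial HA-7Q2K9ZX not syncing. Patient can be reached at "
    "(312) 555-0142 or jdoe@example.com; portal https://ex.example/p?id=9 "
    "from workstation 10.0.4.22."
)

if __name__ == "__main__":
    for category, values in scan_for_phi(SAMPLE_TICKET).items():
        print(f"{category:26s} {values}")
    print(redact(SAMPLE_TICKET))
```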

Security Rule

The security rule is an extension of the privacy policy.  It is important to know that this went into effect over 10 years ago.  Every practice should have these things in place.  If you do not, it is important that you get a security policy under your belt. 

Security policies are protections not just for HIPAA, but to make sure that your systems are appropriately stored and backed up, that you have the appropriate access restrictions in place so that your information, including that of your patients, is protected.  Going through the security policy will take you through that process. 

This requirement took effect April 20, 2005 and applies to electronic formats.  In other words, it applies to anything that is plugged into the wall to either run or to recharge.  In audiology, it will apply to electronic audiometers, ABR equipment, your OAE equipment, and any type of suite that has the tympanometer and audiometer attached as well.  

It applies to your office management system, fax machine if it stores information, NOAH or any stand-alone manufacturers’ software packages in which you save information.  Your telephone is included if it records and stores information, as well as your cell phones.  Cell phones, even if they are privately owned, are subject to the security rule if they are accessing patient information. 

Personal computers or any computers in the office and personal computers at home where people are accessing things via the cloud or via a server are also applicable.  This includes tablets and anything of that nature where people are accessing your office either in the office or remotely.

It includes administrative safeguard needs, physical safeguard needs, and technical safeguard needs.  You also need policies and procedures related to operations and documentation.  You can find more information on the security rule at the Health and Human Services website.  The security rule requires covered entities to “ensure the confidentiality, integrity, and availability of all electronic (E)PHI they create, receive, maintain, or transmit”; that is, your electronic health records must be kept confidential, remain available, and not be open to unauthorized access or alteration.  If you are creating them, receiving them, maintaining them or transmitting them, you must identify and protect against reasonably anticipated threats to the security or integrity of the information.  You must protect against reasonably anticipated impermissible uses or disclosures, and you must ensure compliance by your workforce.

Risk Assessment

The biggest step of the security rule is a risk assessment.  A risk analysis process includes, but is not limited to, the following activities.  You need to evaluate the likelihood and impact of potential risks to EPHI.  You need to implement appropriate security measures to address the risks identified in the risk analysis.  You need to document the chosen security measures and, where required, the rationale for adopting these measures.  You must maintain continuous, reasonable and appropriate security protections. 

I instruct people to go room by room in their practice and look at everything that stores or accesses information.  You need to talk to each of your staff and ask them how they are accessing your business information, whether it is your patient database or your business and financial databases, et cetera.  Do they access that remotely?  

You need to do a risk assessment.  Have you evaluated the likelihood and impact of potential risks?  You need to find out if someone uses their personal computer at home to access your office management system.  Is it all password-protected?  Do they shut it down?  If they have a cell phone or tablet, are they accessing it from those devices?  Who else has access to that phone or tablet?  How do you dispose of private information?  Who has access to it?  Is it appropriately backed up?  Do you have an appropriate power source and appropriate firewalls?  Is your system secured? 

If you have new computers or equipment, how are you disposing of the old equipment?  Are you completely clearing out the hard drives?  Are you destroying them?  When you get a new phone, what happens to whatever is stored on that phone?  It is important that you have safeguards in place for all these things. 

Administrative Safeguards

Security measures are needed to reduce the risk of breaching PHI.  How secure are your systems?  Do you have firewalls?  Are they secured in the evening?  Are they password-protected?  Who has access?  Do they have the appropriate power source?  Are they appropriately backed up? How secure are your systems, computers, tablets, phones, et cetera?  Tablets and phones are an important source to consider, because so much information is transmitted and accessed through these devices.

Just as you need a privacy officer, you need a security officer who is going to oversee your security program.  Do you have information access management?  Do you regulate who has access to PHI?  Everyone should have the minimum necessary access.  Does everyone need access to QuickBooks?  Does everyone need remote access to the database?  Is having everything accessible via the cloud good for you?  What protections can you put in so that not everyone has that access?  Who has that access, and how have they been trained?  Access, on all accounts, should be regulated. 

Who can come into your office?  For example, do you have policies as to when people can come into your office outside of business hours?  Can they bring people with them, and if so, who are those people?  If they access at home, should they have a separate computer that they use to do that from?  You have to ask a lot of questions in this process to make sure you have covered that information access management piece.

Training and accountability.  Have you trained your staff on security protections and on what everyone's roles and responsibilities are?  Whom have you authorized to access PHI?  Do you hold your staff accountable for breaches?  If they came into the office and brought people without you knowing and breached the policies, or if they accessed your QuickBooks or your office management system from a home computer rather than a computer assigned to them, you need to have measures in place and people need to be sanctioned.  Those sanctions need to be documented.  It is very important that you are strongly protecting your patients' information, and these systems are a way to do that.

Physical Safeguards

Do you have physical safeguards?  Do you have facility access and control limitations?  Do you limit who can come in and when they can come in?  You should have policies on coming in after hours, on non-employees coming in, and on where they can go.  Who can come into certain rooms of the building?  All these regulations need to be written down.  Physically, things need to be locked.  Electronically, computers need to be logged off and shut down at the end of the day.  You also need to have unique logins with passwords that are changed periodically. 

Workstation and device security includes proper use of and access to workstations and electronic devices.  Who has access and at what times?  What are the controls on that access?  This goes for personal devices: employee-owned phones, tablets, and home computers.  What is the security for what they are able to access when they are in your office and outside of the office?  Everyone focuses on things within the office, but now that people can access things via the cloud or Internet, what are those protections outside of your work environment?  You need policies and procedures related to transferring information.  You need to be using encrypted email so that you have transmission security. 

How are things removed when you get a new computer or you get a new phone?  How do you clear the cache and the hard drive?  How are you disposing of things that you are not going to be using anymore?  How do you destroy them?  How can you reuse something in a means that does not violate any HIPAA security policies?

Technical Safeguards

Control of access is one technical safeguard.  Your electronic devices need to be password-protected.  For NOAH, please change your password away from ABC123.  You need to have novel passwords.  With the skills of the right people, passwords can easily be broken.  People just broke into government employee records; it is not impossible.  We do not need to make it easier by not password-protecting things.  You need to have screens turn off after certain periods of time requiring passwords to get back in.  The same thing goes for your phones and tablets.

You need to have safeguards to record and examine access.  If people are accessing your patient's records or your business records, I always tell people to think about them like your QuickBooks and business financials as well.  HIPAA does not apply to those, but the security process can help you make sure that those are protected as well. 

You need to have integrity controls to ensure that PHI is not improperly altered or destroyed.  Let's say you have an employee who is going to leave you.  They could hook up a hard drive and download all your patient information.  You need to be able to put safeguards in place to know when external hard drives are connected or when data is transferred.  There needs to be documentation in the administrative aspect of your systems so that you can have that integrity control in place.  Nothing is worse than knowing after the fact that someone has compromised your system with an external hard drive.

Transmission security protects against hacking.  Do you have firewalls and Internet software securities that will protect from hacking?  You need to put all these technical safeguards in place. 
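The "record and examine access" and integrity-control safeguards above come down to actually reading the audit trail. As an added example (not the speaker's tooling or any vendor's), the review below runs three rules over a constructed office-system log: removable media attached, chart access after business hours, and one account opening an unusual number of charts in an hour; the log format, account names, hours and threshold are all constructed assumptions.

```python
"""Review a constructed EHR/office-system audit log for the scenarios above."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

BUSINESS_START = time(7, 0)   # constructed policy: charts are opened 07:00-19:00
BUSINESS_END = time(19, 0)
BULK_THRESHOLD = 25           # constructed: distinct charts per account per hour


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    action: str    # RECORD_VIEW | RECORD_EXPORT | USB_STORAGE_ATTACH (constructed)
    detail: str    # chart id, export description, or device description


def parse_log(lines: List[str]) -> List[Event]:
    """Parse 'ISO-timestamp|account|action|detail' lines; malformed lines are skipped."""
    events: List[Event] = []
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, account, action, detail = parts
        try:
            events.append(Event(datetime.fromisoformat(ts), account, action, detail))
        except ValueError:
            continue
    return events


def review(events: List[Event]) -> List[str]:
    """Return findings for the security officer; an empty list means nothing to act on."""
    findings: List[str] = []
    charts_per_hour: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for ev in events:
        stamp = f"{ev.ts:%Y-%m-%d %H:%M}"
        if ev.action == "USB_STORAGE_ATTACH":
            # Integrity control: any removable media is worth a documented look.
            findings.append(f"{stamp} removable media attached by {ev.account}: {ev.detail}")
        elif ev.action == "RECORD_EXPORT":
            findings.append(f"{stamp} bulk export by {ev.account}: {ev.detail}")
        elif ev.action == "RECORD_VIEW":
            if not (BUSINESS_START <= ev.ts.time() <= BUSINESS_END):
                findings.append(f"{stamp} after-hours chart access by {ev.account}: {ev.detail}")
            charts_per_hour[(ev.account, f"{ev.ts:%Y-%m-%d %H}")].add(ev.detail)
    # Volume rule: one account working through the chart list is the pattern
    # described above for an employee about to leave with the patient database.
    for (account, hour), charts in sorted(charts_per_hour.items()):
        if len(charts) >= BULK_THRESHOLD:
            findings.append(f"{hour}:00 {account} opened {len(charts)} distinct charts in one hour")
    return findings


# Constructed sample: an ordinary morning, then one account returning after
# closing, plugging in a drive and paging through thirty charts.
SAMPLE_LOG = [
    "2015-08-17T09:15:00|afront|RECORD_VIEW|MRN-004512",
    "2015-08-17T09:40:00|bclin|RECORD_VIEW|MRN-004513",
    "not a log line",
    "2015-08-17T20:05:00|bclin|USB_STORAGE_ATTACH|Generic USB Mass Storage 1TB",
] + [f"2015-08-17T20:{m:02d}:00|bclin|RECORD_VIEW|MRN-{100000 + m:06d}" for m in range(6, 36)]

if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(finding)
```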

Policies, Procedures and Documentation

All of these items need to be documented in writing, and you need to develop policies and procedures to comply with that rule.  If you need guidance, consult an information technology consultant who specializes in HIPAA.  I have had multiple clients go through this process.  In many of these cases, they hire an outside entity and have found that it is some of the best money they have ever spent. 

They have found that these security implications were not just about meeting their HIPAA requirements.  One found out that they did not have an appropriate power source to their server.  One found out that their server was below a flood plain.  One found out that while they thought everything was being backed up, it was not.  One found they had no firewalls or security in place.  One found that they had an employee stealing information to start working towards opening their own practice.  There are lots of examples of how this protects your business; it is not just about complying with HIPAA.

You must have written policies and procedures.  Your staff must be trained on them.  You have to document staff training and audit it.  Whenever there is an infraction, you need to retrain the employee and record the retraining, and any related actions, in the employee’s file.  All your risk assessments need to be documented and performed periodically.  Any time an employee is sanctioned, this needs to be documented in both your HIPAA security rule log and in that employee’s personnel record.  

HITECH Breach Notification

The effective date of the HITECH breach notification was February 17, 2010.  It defined a breach as an impermissible or unauthorized use or disclosure of PHI.  This applies to both electronic and paper formats.  You may have seen the financial services version of this when the Target credit card breach or the J.P. Morgan breach happened.  Those are the same thing, but in the financial services sector.  My personal health plans have had breaches where they sent me very detailed notifications of their security breach.  If you have a breach, what is your process for notifying patients of that breach? 

A breach notification must occur when the patient's health information has been compromised, either electronically, where someone has hacked a secure system, your computer was stolen, or your phone was stolen and someone had access, or where you have lost a patient's paper chart.  Breach notification must occur within 60 days of your knowledge of that breach.  You are the covered entity to whom the patient gave their PHI in the course of their health care or business.  As the covered entity, you gave that PHI to a vendor like a hearing aid manufacturer, your attorney, your accountant, or your computer specialist.  You are the covered entity, and they are your business associates.  They are not covered entities unless the patient is giving it to them directly.  If you or your business associate has a breach, you have the burden of proof that the notifications have been made.  You need to document in a breach notification file that you had a breach and the actions you have taken.  I would also document the patients in question. 

If a business associate, like a hearing aid manufacturer, has a breach, they need to notify all the covered entities and all the providers who sent them the information.  You need to notify in writing the patients who may be affected within 60 days.  Most entities, when they notify the patient of a breach or potential breach, offer some form of identity theft protection.  That is very commonplace in a breach process. 

After you have done a complete evaluation of this breach, you need to explain what transpired, whether or not this is something that you feel was incidental or purposeful.  Every breach needs to have a risk assessment done as part of it to determine what happened.  Is there a low or high probability that this breach will have a profound impact on the patient?  You have to go through that risk assessment aspect, and when you have your results, you need to notify the patient or patients affected in writing, explain what happened, explain your risk assessment aspect, and again likely offer identity theft protection. 

If the breach affects more than 500 individuals, you also need to notify the media (newspaper, television, radio) and the Secretary of Health and Human Services in Washington D.C.  I have been involved in audiology now for close to 25 years, and in many cases, people do not take the missing chart or someone getting into their system seriously.  A breach would also be if an employee connected a hard drive, accessed all the records, and took them to another employer.  That is a massive violation.  You could file criminal charges in that case.  It is important that we take this seriously. 

I would contact an attorney before you start naming names, because you may or may not have proof, unless you are going to file criminal charges.  When you notify the patient that the system was hacked, you can do this without naming names. Those are some common scenarios in audiology that we do not always take as seriously as we probably should.

Privacy Rule

Privacy comes down to protecting the PHI.  It affects both paper and electronic records.  This is the hallmark of HIPAA.  “Individually identifiable health information” is information, including demographic data, that relates to:

  • The individual’s past, present or future physical or mental health or condition;
  • The provision of health care to the individual;
  • The past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual;
  • Individually identifiable health information includes any of the 18 common identifiers (e.g., name, address, birth date, Social Security Number).

With regard to privacy, you can only give out information without disclosure if it is for treatment or as part of continuity of care to the referring physician or physician to whom you are referring.  You can disclose without authorization for payment.  This means that you can send things to the insurer or a third-party entity such as a vocational rehab that is paying for treatment on the patient's behalf. 

Healthcare Operations

The next thing is healthcare operations.  If patient charts are being audited for Joint Commission Accreditation (JCAHO) or if patient charts are being audited by an insurance company for utilization review, that does not require the patient's authorization.  Any other disclosure requires authorization from the patient.  It is important that you know how you need to keep people's information private.  You are protecting all 18 pieces of PHI and all other payment information that is contained in the medical record.  That is why I do not recommend people putting invoices in charts, electronic or paper, because the patient has access to anything in the medical record.  Invoices are not about payment; they are about what you are paying for something.  Those should be batched separately and not in the medical record.  You want to keep disclosures to the minimum necessary.  A disclosure now is the same as what used to be called a medical release. 

Privacy Officer

Every facility needs a privacy officer.  This is the person a patient goes to if they have questions about their medical records or if their privacy has been violated.  All of your providers need to be trained on privacy, and that training needs to be documented.  I recommend that HIPAA training, privacy and security, be done annually. 

Complaint Process

You must have a complaint process.  It needs to be in your notice of privacy practices as to how a patient files a grievance if they feel their privacy has been compromised, and you must have record safeguards for storage.  They do not have to be locked, but they have to be secured.  You need to lock your office doors at night.  You need to make sure that people are not taking charts home, which would be a massive HIPAA violation. 

Document Disposal

How do you dispose of charts?  You need to follow your state and third-party contract medical records retention requirements for how long you must keep medical records.  HIPAA says seven years, but in some states, medical retention laws are longer, especially as they pertain to children or minors.  Some insurance companies require even longer than that.  How do you go through that disposal process?  For me, it is very inexpensive in the grand scheme of things to have them professionally disposed of or professionally transferred.  You want to document all the charts that were disposed of.  This comes back to access.  Who has access to patient records? 

I want to talk about disclosures.  Say you have a patient whose spouse came in and wants to know what happened at the patient’s appointment.  Unless that patient has indicated that you can talk to the spouse, that is not a disclosure you should make without the patient’s direct approval; the same goes for an adult child’s records. 

You need to keep signed disclosures when it comes to children.  You might even need to go as far as to seek custodial agreements.  When people are in the midst of a divorce and custody arrangement, they hold everything to the letter of the law.  You do not want to get caught up in other people’s drama.  It is important that you know to whom things can be disclosed and to whom they cannot.  As a rule, it should be the minimum necessary. 

Before you disclose things to a school, you must have the parents’ approval.  You may have individuals who restrict disclosures.  It is always better to err on the side of getting the patient’s approval than it is to give the information without it.  The general rule of thumb is you can give to the ordering physician or who you are referring the patient to in the health care/care coordination or continuity of care environment, and you can send things to the payer when you are seeking payment.  Otherwise, you should have the patient sign a disclosure. 

Also, patients can restrict you from sending things to a payer or sending things to an ordering physician.  If they restrict it, you cannot disclose to those people, even if it is within the treatment paradigm.  They get to control where their records go.  Without authorization or disclosure, you can send to the ordering physician, who you are referring to, and the payer; otherwise you need a use and disclosure form. 

Privacy Rule: Marketing

I see many audiologists struggle in marketing.  The privacy rule defines marketing as making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.  HIPAA only applies to your database and to patients who gave you information.  If you notice, physicians do not market to you.  People in healthcare do not market to you, because of HIPAA.  There are a few exceptions to that marketing rule.  People can be reminded of their need for a mammogram or annual physical, et cetera. 

You cannot use your database to solicit people to buy things or utilize services.  It does not apply to direct mail or newspaper ads.  Even if some of those people ultimately are your patients on this list, it only applies to your own database.  As of HIPAA day one, you need authorization to send marketing materials to patients in your database.  There is a difference between marketing and education. 

A rule of thumb is to ask if the communication meets the four Ps of marketing, whether it is electronic, by mail or by phone.  Are you marketing product, place, promotion or price?  If you are, you are marketing and you are not educating.  Educating does not require authorization.  Educating is when you are talking about a technology.  There is no promotion or special pricing.  You are just talking about a new technology, procedure, or a specific condition and how it can best be managed.  That is education.  The minute someone else is paying for the communication, even if it is education, or the minute you are marketing the four Ps, you have crossed over to marketing and you need authorization.  You need at least a one-sentence marketing authorization to market to your database. 

Marketing can also be an arrangement between a covered entity and any other entity whereby the covered entity discloses PHI to the other entity in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use the product or service.  That means if another entity is paying for the communication, even if it is educational in nature, you need a more detailed marketing authorization that discloses who that entity is and what they have given you. 

Marketing Decision Matrix

This quick poll will help you think about what kind of marketing authorization you need. 

  • Do you co-op market with a third party?  If the answer is yes, you need a long form marketing authorization, which was introduced as part of the Omnibus rule of 2013.  One sentence will not suffice. 
  • Are you an equity member of a buying group whose products you market?  If yes, you would need a long form because you are getting something in return for the marketing communication you are doing. 
  • Do you have a lease or loan from a third-party vendor whose products you are marketing?  If yes, you will need a long form marketing authorization. 
  • Do you have a business development fund for products or services you market?  If yes, you will need a long form marketing authorization. 
  • Do you go on vendor-funded trips for product or marketing?  If yes, a long form marketing authorization is needed. 
  • Do you offer discounts, promotions, or offers?  If yes, but no third-party is involved in any payment, you can have a one sentence short form marketing authorization. 

Finally, you need to be careful about what you are marketing and how you are marketing it if you participate in Medicare, Medicaid, Workers’ Comp, or Tricare.  This is when anti-kickback relationships can come into play on top of the HIPAA issue. 

Business Associate

“A business associate is a person or organization other than a member of the covered entity’s workforce that performs certain functions or activities on behalf of or provides certain services to a covered entity that involved the use or disclosure of individually identifiable health information.  Business associate functions or activities on behalf of a covered entity could include claims processing, data analysis, utilization review, and billing.  Business associate services to a covered entity can include, but are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.”  I would also add hearing aid and earmold manufacturers to which you are giving patient information in the course of getting orders processed.  This information can all be found at

Providers are responsible for the actions of their business associates.  That is why you need a business associate agreement in place with these entities.  This is so you know they are protecting the patient information in accordance with your own privacy standards, and that they are notifying you if there is any breach or problem with those communications or data. 

Omnibus Rule

The Omnibus rule became effective September 23, 2013.  The Omnibus rule has some very specific components.  Because of all of the changes in the Omnibus rule, everyone needed to create a new privacy policy that took those changes into account, and they needed to create and complete a new business associate agreement with all the applicable entities.

It also required that you have a new privacy policy.  Additionally, if your marketing authorization needed to be changed, you potentially had to have a new marketing authorization.

Omnibus stated that business associates or any entity that creates, receives, maintains, or transmits PHI on behalf of a provider who has supplied this information to them and their contractors and subcontractors are required to comply with both the HIPAA privacy and security rules, including breach notification.  If they had a breach, it clarified the fact that they needed to go through the breach notification process as well, and that they were obligated to the security rules. 

It also stated that patients have the right to request that a copy of their electronic medical record be supplied to them in an electronic format.  The patient has the right to access anything you are storing electronically in your office management system, in your electronic health records, or electronic medical records.  If they ask for it electronically, you need to be able to give it to them electronically. 

It also states that patients who are paying privately for an item or service have the right to restrict any disclosure about this item or service to their health plan.  If a patient does not want their health plan to know, for example because their employer is self-insured and might find out, or because they do not want their health plan to know that they are paying privately, you do not have to tell their health plan.  This is one of the three disclosures that normally do not require authorization; again, this is where a patient can restrict a disclosure. 

Under Omnibus, “marketing” has been redefined as any patient communication where the provider receives financial remuneration from a third party whose products or services are being marketed.  When marketing is being performed using PHI, a patient authorization must be in place prior to sending this marketing communication.  It is very clear that marketing needs patient authorization before you market. 

The sale of PHI is prohibited.  It also indicates that there must be a defined breach notification process where a situation is presumed to be a breach until the provider or business associate, contractor, or subcontractor determines that there is a low probability that the patient’s privacy has been compromised.  A risk assessment must be performed anytime there is a breach.  I would also say that risk assessment needs to be documented.  Let’s say you accidentally faxed the patient’s information/results to the wrong physician’s office.  That would be a breach of low probability, because on the other end, that physician has a lot of HIPAA protections in place.  You do need to ask them to destroy it, and you would document that in the patient’s record. 

Let’s say you mailed patient information to the wrong patient.  That would be a breach.  The patient would need to be notified and it would need to be documented, both in your HITECH log and in the patient’s chart.  The difference between the two cases comes from the risk assessment you have done.  You need to go through that risk assessment for every breach, no matter how incidental, especially when you have lost charts. 

Omnibus allows the broader use of PHI for fundraising and research opportunities.  Again, if you are in either of these situations, I recommend that you contact a HIPAA consultant about how you can utilize PHI in those situations.  Because so many people were scoffing at HIPAA, penalties have increased up to a $1.5 million maximum per calendar year.  Many fines range between $100 and $50,000 per violation, depending on the degree of culpability, and up to 10 years in jail.  You need to take HIPAA seriously. 

What Every Practice Needs

Every practice needs a 2013 or newer revised notice of privacy practices, and every patient needs to sign it.  When new people and existing patients who have not signed the update come in, they have to sign the new privacy policy. 

Every office needs a 2013 or newer completed business associate agreement, a 2013 or newer revised breach notification policy, and a 2013 or newer revised marketing authorization, and you need to be obtaining marketing authorization before you send marketing to your database. 

You need a facility NPI, as well as an individual NPI.  You need a use and disclosure form.  You need an acknowledgment of the receipt of notice of privacy practices.  You need a security policy and process.  You need a breach notification policy and process, and all of this needs to be documented.  You need a risk assessment process.  I strongly recommend an independent contractor agreement that includes HIPAA language for whenever you are entering into a provider relationship with another entity, whether it is a skilled nursing facility, a physician, or an assisted living facility. 

How is that patient information going to be shared?  It all needs to be documented in an independent contractor agreement.  On top of that, who is the responsible financial party?  Document staff training, and as I indicated, staff should be trained every year.  I strongly recommend an employee confidentiality form that binds every employee to these policies and also the confidentiality of your business information. 


The take-away message today is that you should read what your national associations send you on the topic of ethical and legal situations.  It is important.  Read your licensure laws.  Read the AAA Ethical Practice Guidelines.  If you are an AAA, ADA, or ASHA member, read the codes of ethics.  Know to what you are obligated and make decisions based on that.  When you are not sure, ask legal counsel. 

Do not worry about yesterday.  Fix tomorrow.  Unless you have received payment inadvertently from Medicare or Medicaid, do not go backwards and worry about yesterday.  Work on what you are going to do differently tomorrow.  You can always file a complaint if you feel, as an employee, you are put in a bad situation.  If you know people who are breaking significant ethical and legal standards, file a complaint with the licensure board or with the Office of the Inspector General.  You can go to the Office of the Inspector General website and report fraud.  If your gut tells you that might not be a good idea, consult an attorney who specializes in health care law.  Always protect yourself, no matter where you work, no matter your situation.

Cite this Content as:

Cavitt, C. (2015, August). Compliance in audiology: the ethical and legal requirements of our profession. AudiologyOnline, Article 14853. Retrieved from


Kim Cavitt, AuD

Kim Cavitt, AuD was a clinical audiologist and preceptor at The Ohio State University and Northwestern University for the first ten years of her career.  Since 2001, Dr. Cavitt has operated her own Audiology consulting firm, Audiology Resources, Inc.  Audiology Resources, Inc. provides comprehensive operational and reimbursement consulting services to hearing healthcare providers. She currently serves as the President of the Academy of Doctors of Audiology (ADA), Representative to the Audiology Quality Consortium (AQC) and is a member of the State of Illinois Speech Pathology and Audiology Licensure Board.  She also serves on committees through ADA and ASHA and is an Adjunct Lecturer at Northwestern University.
