Otolaryngology Coding Alert

Contracted vendors are also obligated to adhere to HIPAA rules.

Telehealth services have become a permanent fixture in our healthcare system following the COVID-19 public health emergency (PHE). As the technology evolves and more healthcare organizations adopt the services, your practice will need to stay on top of telehealth regulations and requirements to receive reimbursement and protect your patient data.

“Use These Pro Tips To Attain Telehealth Reporting Perfection,” in Otolaryngology Coding Alert volume 26, number 4, provided insights into best practices for finding the right platform and coding telehealth encounters. Now let’s discuss the other half of the equation: compliance. Continue reading to learn about four steps you can take to help your practice uphold telehealth compliance.

“Evaluation and management [E/M] codes are very often billed instead of the virtual care visits or the telephone-only visits because they more accurately reflect what happened during that visit,” said Stephanie Sjogren, CPC, COC, CRC, CPMA, CDEO, CPC-I, CCS, HCAFA, during her “Telehealth Beyond the Pandemic” session at AAPC’s Collaborative Compliance Conference 2023.

If your otolaryngologist performs a telehealth E/M visit and is basing the E/M code on time alone, the medical record must show the amount of face-to-face and non-face-to-face time spent on the patient on the same day as the encounter. The time-based documentation should include the following information:

• Patient consent for virtual treatment
• Reason for the visit
• The visit occurred through video and audio
• Medically appropriate physical examination
• Assessment and plan
• Physician time spent on patient care

The provider’s documentation of the time in minutes spent on patient care should mention how they accrued the time.

Keep in mind: Under current AMA guidelines, physician time is no longer limited to face-to-face time with the patient. So, you should include time on the date of service dedicated to document review, testing, communication with other providers, documentation, and so on.

“You want to put the precise total number of minutes spent on patient care — make sure you note the time parameters. That way you can accurately pick the code that reflects the time spent and describe how that time was used,” Sjogren said.

Additionally, if the provider is basing their telehealth E/M code on medical decision making (MDM), they should document the visit’s MDM components just as they would for an in-person E/M visit.

Following the telehealth visit, the otolaryngologist should document as much information as possible to ensure prompt and accurate reimbursement. “Post-visit documentation has to still be as thorough. So, if you’re doing stuff after the visit ends, which obviously most providers are, there are a few things that we want to make sure that we’ve captured when we’re documenting,” Sjogren continued.

The telehealth visit documentation is similar to in-person E/M visits, but there are additional elements that need to be included:

• Patient consent: Include a note of written or verbal consent for virtual treatment.
• Telehealth codes: Use only telephone codes for audio-only visits and office/outpatient E/M codes for audio-video visits. These codes can only incorporate the time spent directly communicating with the patient.
• Time of visit: Ensure only the healthcare provider bills for the time they spend on patient care. The provider cannot bill for any time spent by the clinical staff coordinating care.
• Asynchronous visits: Review the store-and-forward rules for each state, as some states do not allow reimbursement for store-and-forward visit activities and require telehealth services to be delivered in real time.
• Eligible sites: Review which originating and distant sites are eligible for reimbursement for telehealth visits. Document when a patient receives telehealth services while they are in their home. This allows for accurate POS reporting and provides support for the code submitted.

According to Jennifer McNamara, CPC, CCS, CRC, CPMA, CDEO, COSC, CGSC, COPC, director of healthcare training and practice support at Healthcare Inspired LLC, in Bella Vista, Arkansas: “It is important to note that since we are billing outpatient visit codes for telehealth currently, it will have to reflect the same amount of documentation we would have gathered in person. We must document time but also what we did during that time.”

Step 2: Pick a HIPAA-Compliant Platform To Safeguard PHI

While the patient may not physically be in the office during a telehealth visit, HIPAA rules still apply to all telehealth services covered by healthcare providers. Healthcare providers must take the necessary steps to safeguard their patients’ protected health information (PHI), and this includes choosing HIPAA-compliant platforms for telehealth services.

For example, not all video conferencing software is developed equally. “If you’re going to have different technology like Zoom for Healthcare, you can’t use the same Zoom you would for healthcare as you would for just your private conversations. Those are different. There are different levels of security with Zoom for Healthcare versus regular Zoom,” Sjogren explained.

Tip: Zoom for Healthcare has a business associate agreement (BAA) available to sign with the practice, so make sure the BAA has been executed.

If your practice is using a software vendor, they are considered a business associate, and are also subject to HIPAA laws. In the end, if the software vendor experiences a data breach that could result in your data being compromised, your practice is still responsible for the data breach.

“Make sure due diligence is followed to protect patient information. Verify all the security practices. As a provider, you’re still responsible. Again, any mistakes that business associates make in protecting security of patient data are your mistakes, too,” Sjogren said.

Step 3: Designate a Compliance Officer

One of your responsibilities as a healthcare practice is to ensure the practice is compliant. Healthcare technology has advanced significantly in the past three years, and maintaining compliance is more than just setting up IT defenses — it requires a combination of technical components and physical administration.

“A lot of this updated technology is something very new for people. The practice employees and practitioners thought, ‘I will just lock the cabinet and make sure the charts are secure.’ Once you’re online, it’s a completely different world,” Sjogren said.

Ensure an effective and adequate compliance program is implemented by selecting a person in your organization to serve as a compliance officer. The compliance officer is then responsible for overseeing the compliance program’s implementation and allocating the necessary resources to help it succeed.