Next to hands-on patient care, no part of healthcare carries as much importance as protecting a patient’s personal information from a breach of privacy, charging honestly for the care provided, and auditing the compliance of a practice or facility.
All medical organizations face healthcare compliance worries. Healthcare compliance is a general term describing the observance of conventions, guidelines, and state and federal laws. Practices, clinics, and facilities normally have a staff members dedicated to fulfilling regulations that protect patients and staff, assure privacy of personal information, and that medical information is presented using standardized means.
Since 2003, when the Healthcare Information Portability and Accountability Act of 1996 (HIPAA) was implemented, a new role of Compliance Officer has evolved. Compliance Officers assure compliance with all facets of HIPAA rules, developing and maintaining compliance plans, training staff and providers, and correcting any irregularities.
HIPAA requires providers and facilities to maintain compliance plans requiring monitoring and training. Often, there is a designated compliance officer who must develop, track, and report on these plans, which may include regulations from the Occupational Safety and Health Administration (OSHA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Office of Inspector General (OIG), and others.
Follow the links to answers to your questions about HIPAA.
Become a Healthcare Compliance Officer
AAPC offers the Certified Professional Compliance Officer (CPCO™) credential to help address the ever-growing compliance requirements of government laws, regulations, rules, and guidelines.
This healthcare compliance certification demonstrates that you understand the key requirements needed to effectively develop, implement, and monitor a health care compliance program for your practice based on governmental regulatory guidelines. This includes being knowledgeable in compliance reviews, audits, risk assessments, and staff education and training. With the CPCO™, you’ll obtain expertise in areas such as:
- Office of Inspector General (OIG) compliance guidance
- Health care fraud and abuse laws (False Claims Act, Stark Laws, and Anti-kickback Statute, etc.) including associated penalties
- Provider Enrollment and Chain Ownership System (PECOS) verification
- How the Affordable Care Act will affect medical practices
- Health Insurance Portability and Accountability Act (HIPAA), EMTALA, and Clinical Laboratory Improvement Amendments (CLIAs)
- Handling investigations, including self-disclosure protocols
- Requirements under Corporate Integrity Agreements (CIAs) and Certificate of Compliance Agreements (CCAs)
- Government investigative audit programs (for example, recovery audit contractors (RACs), Zone Program integrity contractors (ZPICs), State Medicaid Fraud Control Units (MFCUs))
- Risk areas such as receiving gifts or gratuities, conflicts of interest, use of Advance Beneficiary Notices (ABNs), teaching physicians guidelines, and incident-to services
If you are a certified healthcare compliance officer and want to take your expertise, credentials, and career to the next level, consider becoming a CPCO™ through AAPC. You already have the background and know how to follow proper coding, billing, and claim requirements, so you have a jumpstart on understanding government rules and regulations in health care. Find out more here.
Overview of Healthcare Compliance
Healthcare compliance grows out of three needs – the need to protect private patient information, to compile that information easily and securely, and to be able to share that information accurately only with those who should have access to it honestly so that pay meets the service performed.
In 1992, the General Accounting Office (GAO) identified Medicare claims to be at high risk for fraud and abuse. In 1996 the Office of Inspector General (OIG) initiated an audit of the Health Care Finance Administration (later renamed Centers for Medicare & Medicaid Services [CMS]) Medicare claims payment system. This resulted in an estimated finding of more than $23 billion in improper payments, and prompted provider audits and the need for compliance.
The first major audit targets were teaching hospitals. An investigation of the University of Pennsylvania resulted in a settlement with the Department of Justice (DOJ) for $30 million (without admitting any wrongdoing). The audit identified that the medical records did not sufficiently document teaching physicians’ involvement in services provided by resident physicians. The audit also determined that some of the teaching physicians had up-coded their claims. The Physician at Teaching Hospital (PATH) audits targeted insufficient medical record documentation to support whether a physician either performed the service or was present when a resident or fellow performed the service.
The OIG and the DOJ created a nationwide initiative to determine if compliance with the Medicare billing rules was being adhered to by other teaching hospitals. Other initiatives followed the PATH audits. Operation Bad Bundle involved clinical laboratories, durable medical equipment (DME) fraud initiatives, hospice, and home health fraud initiatives, and many more.
The OIG created the first compliance guidance document for hospitals in February 1998. Similar compliance guidance documents were issued for other sectors of the healthcare industry beginning in August 1998.
Healthcare billing and reimbursement compliance is not the only type of regulation that must be followed by providers. Healthcare Information Portability and Accountability Act of 1996 (HIPAA), which has fraud and abuse provisions, also has mandatory privacy and security compliance program requirements overseen by both the Office of Civil Rights (OCR) and the U.S. Department of Health and Human Services (HHS). The Department of Labor requires compliance with employee and employer laws including, the Fair Labor Standards Act (FLSA), the Occupational Safety and Health Act (OSHA), the Civil Rights Act (CRA), and the employment provisions of the Employee Retirement and Income Security Act (ERISA). Laboratories are regulated and overseen by CMS and by the Centers for Disease Control and Prevention (CDC). There are even more agencies and regulations that affect health providers of all sizes. Entities and their compliance officers must understand the laws that regulate their workplaces and responsibilities.
Most importantly, the federal government turned to intentional and accidental breaches of personal health information (PHI) took many forms. Some of these included the following:
- Public discussions with patients regarding their health in clinical and pharmaceutical settings
- Release of medical records to banks so they could call in loans owed by seriously ill patients
- Gossiping about patients with lay people by healthcare professionals
- Careless disposal of patient records, so that bystanders could access them
- Confusion with payers about how to receive and share information uniformly
HIPAA, implemented in 2003, was developed to solve these problems. HIPAA, Public Law 104-191, included Administrative Simplification provisions that required HHS to adopt national standards for electronic healthcare transactions (ASC X12N or NCPDP) and code sets (CPT®, HCPCS, ICD-10-CM/PCS, CDT, NDC), unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of federal privacy and security protections for individually identifiable health information
The Privacy Rule has two parts: The first is the responsibilities of the covered entities to use, disclose, and protect all patients’ PHI, and the second contains the rights of patients regarding their PHI and the information contained within their medical record. The Privacy Rule defines and limits the circumstances in which an individual’s PHI may be used or disclosed by covered entities.
Depending on the situation and the type of information that is to be disclosed, there are different requirements for permissions obtained from the patient or their legal representative. The first level involves the disclosure of PHI without the need for a patient’s written authorization and without the need to obtain a patient’s agreement or disagreement.
The next level includes the circumstances when there is no need for a patient’s written authorization, but the patient has the right to agree or disagree to the disclosure. The third level is when specific written authorization must be obtained from the patient or their legal representative to disclose the PHI. The authorization level covers all other disclosures not in the first two categories.
Simply put, PHI may be used or disclosed either:
- As permitted by the patient or patient representative in writing; or
- As the Privacy Rule allows.
PHI is all individually identifiable health information in any form, electronic or non-electronic, that is held or transmitted by a covered entity. This includes individually identifiable health information in paper records that has never been electronically stored or transmitted. PHI excludes the information found in education records covered by the Family Educational Rights and Privacy Act, health records of students who are 18 years of age and older, and HHS employment records.
The following are components of PHI:
- Patient's name
- Streets, city, county, precinct (used in some practice management software, indicating a certain district for government reporting), ZIP code
- Dates directly related to a patient, including birth date, admission date, discharge date, and date of death
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
HHS' Office of Inspector General (OIG) was tasked with enforcing HIPAA.
One of the most recent compliance initiatives by the federal government can be found in the Patient Protection and Affordable Care Act (ACA or, more commonly, Obamacare), as amended seven days later by the Health Care and Education Reconciliation Act of 2010 (collectively referred to as Healthcare Reform Law). Sections 6102 and 6401 in the ACA mandate a broad range of providers, suppliers, and physicians to adopt a compliance and ethics program.
Compliance means watching the rules of HIPAA and HITECH, annually checking the OIG Workplan for what areas of fraud and abuse are being watched, and assuring the safety of patients. Fines can be stiff. Federal guidelines determine how quickly and through what means patients are notified. If a large breach occurs, CMS may step in and impose a compliance plan on a covered entity or a business associate (BA).
The Medicare Modernization Act of 2003 (MMA) created the largest overhaul of Medicare in the public health program’s history. Among other changes, MMA included the requirement of electronic prescribing (e-prescribing) to reduce illegible physician handwriting or other handwriting errors.
Compliance also means assuring safety. The Occupational Safety and Health Act of 1970 (OSHA) spawned many state and federal rules for safety in the workplace. For practices and facilities, this includes requirements for practices to, for example, prevent needle sticks, avoid falls, manage chemicals and biological materials properly, and maintain medical devices used for treatment.
Facilities also must abide by Emergency Medical Treatment and Active Labor Act (EMTALA), a statute that was included in the Consolidated Omnibus Reconciliation Act of 1985 (COBRA). Congress enacted EMTALA in response to increasing concerns that hospitals were denying emergency care to indigent and uninsured patients, and "dumping" them to another facility for care (usually "charity" or "county" hospitals or to no facility at all, by discharging the patient after a token, inadequate medical exam. EMTALA is a non-discrimination statute.
Clinical Laboratory Improvement Amendments (CLIA) adds compliance with rules from the Federal Drug Administration (FDA) and the Centers for Disease Control and Prevention (CDC) to the provider’s office or facility’s compliance worries.
Congress passed the CLIA in 1988, establishing quality standards for all laboratory testing to ensure the accuracy, reliability, and timeliness of patient test results, regardless of where the test was performed. A laboratory is defined as any facility that performs lab testing on specimens derived from humans for providing information for the diagnosis, prevention, treatment of disease, or impairment or assessment of health.
CLIA is a user fee-funded program, and all costs of administering the program must be covered by the regulated facilities (i.e., paid through fees assessed to the laboratories for obtaining their certificates, fees for testing, and fees for inspections). The final CLIA regulations published on February 28, 1992, have undergone several updates in recent years, and are based on the complexity of the test method; the more complicated the test, the more stringent the requirements.
What It Means to Patients
Compliance means each patient can rest assured their information is not only protected but the right information is accessible to the right audience. While the obvious focus is making sure providers have the information they need, support workers such as social workers need access to the right information. And the right information needs to go to payers and regulators.
Compliance and the audits needed to confirm the practice are necessary to the proper care of each patient.
What It Means to the Healthcare Industry
Compliance adds levels of complexity to healthcare. Providers and facilities were forced to appoint or hire Compliance Officers to assure procedures are updated, training is performed, rooms are modified, computers and other electronic means are secured, and audits and reporting are carried out.
While this has presented new challenges to providers and facilities, it has also helped standardize how patients and everything associated with them are treated. As a result, quality management becomes easier as the data is prepared for tracking and improvement.
What It Means to AAPC Members
AAPC members are finding that new roles are growing from the role of a coder all the time, and Compliance Officer is one of them. Coders are often chosen to serve as Compliance Managers because of their expertise of HIPAA.
This growth can be enhanced with Certified Professional Compliance Officer (CPCO) certification.