Medical Billing, Coding and Documentation Services

4 Steps to HIPAA Omnibus Rule Compliance for Medical Practices

Posted by Harold Gibson on Wed, Aug 28, 2013

According to The American Academy of Family Physicians, the US Department of Health and Human Services (HHS) released a final rule altering security and privacy requirements relating to Patient Health Information (PHI), as defined in the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The Omnibus Rule became effective on March 26, 2013. Physicians and other specified organizations must be compliant by September 23, 2013.

Under HIPAA and the HITECH Act, a new breach standard clarifies the definition of business associates and implements the increased liability mandated by the HITECH Act. There are some grandfathered business associate agreements. However, covered entities and business associates must be fully compliant with the Omnibus Rule by the September 23, 2013 deadline. These four steps will help you meet these new regulatory requirements in time for this rapidly approaching deadline.

1. Internal Policy Updates

You may want to either replace or update your existing policies. HHS can help you assess compliance of a covered entity. The audit protocol provides a helpful guide to determining HIPAA compliance. Whenever existing policies generally meet the audit protocol, it makes sense to update rather than replace existing forms. Key changes that must be made to your internal privacy policies are outlined below.

  • Decedents’ PHI - Protected health information now includes the health information of individuals who have died up to 50 years ago. The Omnibus Rule provides for the disclosure of PHI of deceased individuals to family members provided that they have not been excluded by that person.
  • Breach standard - The Omnibus Rule changes the standard for determining whether a breach of unsecured PHI has occurred and thus whether a provider must follow the notification requirements under HIPAA. The new breach standard should be included in your internal policies and applies to potential breaches occurring prior to September 23, 2013 as well as those that follow.
  • Marketing and sale of PHI – In most cases PHI marketing is prohibited. In cases where patient authorization has been provided prohibitions do not apply. Whenever providers wish to market outside services to patients based on their PHI, or even to provide access to PHI for payment, the provider must obtain valid authorization from the patient. Provider policies must reflect these definitions.
  • Disclosures to schools - Disclosure of proof of immunizations to schools is permitted under the Omnibus Rule.
  • Patient rights to limit disclosures – A patient has the right to restrict PHI regarding a specific health care service so that it is not disclosed to a health plan.
  • Electronic copies of medical records - PHI requests by patients in electronic format must be provided if they are readily producible.

2. Notice of Privacy Practices

The Omnibus Rule extends the scope of the notice of privacy practices (NPP). Once you have updated your NPP, you must make your new privacy practices available to existing patients and post your revised notice on your website and on the practice premises in a public place. Whenever you modify your NPP, new patients must receive a copy of the revision. A copy of NPPs should be maintained together with associated patient acknowledgements.

3. Business Associate Agreements

Your business associate agreement (BAA) forms must be updated to meet the Omnibus Rule requirements. Updates and new BAAs may be submitted by September 23, 2013. However, new BAAs entered after January 25, 2013 and those modified after March 26, 2013 do not require updating until September 23, 2014. It’s advisable to conduct an inventory of all current BAAs. To meet Omnibus Rule requirements, each BAA must have an amendment or be replaced by a new BAA. Because the definition of business associate has been expanded, the BAA may require multiple revisions. One major change is that business associates that contract with subcontractors must enter into a BAA.

4. Staff Training

As a provider, your policies must be updated and implemented. Staff members must be trained on any new policies as well as revisions of existing policies. Management and technical staff should familiarize themselves with the new breach standard in order to effectively and correctly complete the required analysis. Training is essential to ensure compliance with HIPAA and the HITECH Act. Documentation of training programs and training histories will be helpful during audits and investigations.

Time is of the essence. The Omnibus Rule has resulted in many HIPAA changes. We at M-Scribe Technologies can help you meet your Omnibus Rule obligations. Visit our site or call us today for expert assistance.





How to Assess Practice Risk to HIPAA and the HITECH Act

Posted by Harold Gibson on Mon, Aug 19, 2013

Since President Obama signed the HITECH Act (Health Information Technology for Economic and Clinical Health Act) in February 2009, the relationship between and influence of the Act on HIPAA (Health Information Portability and Accountability) has drawn physician and practice manager attention to effective risk assessment.

American Health Lawyers Association Recommendation

This group recommends that practice professionals approach risk assessment regarding HIPAA and HITECH as a component of an Enterprise Risk Management (ERM) program. ERM, used by public and private corporations around the globe, is an ongoing decision-making program. In the healthcare industry, the board of directors or executive administrators typically design, install and use their plan to assess and reduce risk in all areas of patient care and compliance, and to maximize the return on investment.

The Association reminds executives and administrators that Section 6401 of the Affordable Care Act requires that medical providers establish a compliance program as a condition of enrollment in the coming affordable healthcare legislation.

Risk Assessment Parameters

The core fundamentals of risk assessment programs, common to most businesses, regardless of industry, are familiar to many veteran executives. Components include the following items.

  • Written policy and procedure manuals.
  • Designating a Compliance Officer and/or Compliance Committee.
  • Providing staff with thorough training and education.
  • Disciplinary standards that are clearly defined.
  • A workable monitoring and auditing program.
  • Written response plan to mitigate losses.

Your risk assessment and compliance program should be as specific as you can make it. While it is impossible to address every possible eventuality, noting every potential risk you can identify in your policy and procedure manuals helps your staff manage their daily responsibilities more efficiently—with less risk.

Have the Compliance Officer or Committee monitor staff to be sure they follow the procedures your program mandates. Spend the time to write a plan to respond to increased risks your Compliance Officer discovers. This encourages fast action by your Compliance Officer or Committee to lower losses and quickly solve perceived risk issues.

The CMS (Centers for Medicare & Medicaid Services) Manual outlines the risk assessment compliance program guidelines, which emphasize the following issues.

  • Prevention, detection and correction of non-compliance conditions.
  • Identifying and reducing fraud, abuse and waste.

Evaluating Risk Involving HIPAA and the HITECH Act

Compliance program guidelines specify three assessments providers should conduct. These actions also fit ERM parameters and guidelines, along with being specified by the Code of Federal Regulations (C.F.R.).

  • Security Evaluation. This is required under the Security Rule section and applies to providers, business associates or partners and subcontractors alike. All must “perform periodic technical and nontechnical evaluations . . .” when responding to environmental or operational changes affecting the security of electronic health information protected by law.
  • Risk Assessment of Specific Items. This is required under the Security Rule, stated at 45 C.F.R. (Code of Federal Regulations), section 164.308(a)(1)(ii)(A). Highly technical, this assessment should be performed per NIST SP800-30, Revision 1 Guide for Conducting Risk Assessments.
  • Risk of Harm Assessment. A requirement of the Breach Notification Rules, the practice must address “the implications and notification requirements” that are part of its ERM program.

The bottom line is that physicians must complete these three assessments and design an overall ERM plan that addresses as many risk issues as they can identify for their specific practices. It is vital that all medical providers create an organizational risk assessment program that encourages long-term compliance with HIPAA, the HITECH Act and all other regulations that apply.

Designing an ERM plan as described makes assessing potential practice risk, and avoiding violations of HIPAA, the HITECH Act and other regulations, normal operating procedure instead of a compliance or loss crisis for the practice.



ASC Survival Depends on Implementation of an EHR

Posted by Harold Gibson on Wed, Dec 12, 2012

Today ambulatory surgery centers (ASCs) are under pressure because of economic conditions and an ever-changing healthcare environment. Lower reimbursement by insurance companies and greater scrutiny by regulatory bodies are a few of the many threats facing their business.

To overcome these challenges, ASCs are trying to identify ways to continue to provide high-quality care while complying with CMS requirements and managing their operational costs. One of the most popular ways to do so is to adopt and implement an Electronic Health Record (EHR) in their daily processes. There are many other reasons why an EHR is a natural progression for ASCs.

1. Ensure Compliance.  The increased documentation opportunities that EHRs offer means that medical records are more complete.  They contain necessary information tailored to each ASC’s needs.  Templates can be designed to accurately document each type of patient encounter or procedure in order to ensure that required information is included for accurate billing and coding.  Third-party payers, including government healthcare programs and commercial insurers, require the medical record document pertinent information to prove medical necessity for performed procedures.  
2. Enhances Operating Room Efficiency.  Ever have to wait in mid-procedure for lab results or a radiology report before proceeding with an important procedure?  EHR brings logically arranged medical history and consultation reports to the operating suite.  Entries can be made as events occur in the OR, making documentation a real-time record of medically necessary services.
3. Improves Patient Safety.  Instant access to pertinent information is essential for providing quality patient care.  With EHR, medical records are available at the press of a button, anywhere in the clinic, in the office, or on mobile devices.  No need to rifle through papers to find the right lab report when the results are only a mouse click away.
4. Increase Physician and Staff Satisfaction.  Documentation is the most burdensome part of delivering effective health care.  EHRs allow for templated records and pre-written entries that can be tailored to each individual case.  Documentation time is reduced so that physicians can do what they are trained to do: treat patients.
5. Boost Profitability.  Back office operations depend on access to medical records to ensure correct coding.  Most coding and billing is done electronically.  Seamlessly integrate the flow of information from the surgical suite to the third-party payer.  Reduce the time between when a record is completed and when bills can be submitted.

6. Reduce Costs.  Paper records take up valuable floor space.  They are inefficient and often misfiled.  How many times has a physician had to examine a patient without the paper record at hand?  Eliminate the costs of supplies and storage space with an effective and efficient EHR system.

7. Easy to Work With.  Given a choice between paper records and EHR, nobody likes paper records: searching old paper records for audit and other compliance purposes can be a challenge, and putting together complete paperwork is always hard for support staff.

8. Clinical Reporting and Quality Outcome Requirements.  By design, an EHR is more thorough than a handwritten SOAP note.  The format of a SOAP note is not abandoned, but an effectively useful EHR prompts providers to document to the highest degree of specificity.  Beginning in 2014, ASCs that participate in the Ambulatory Surgical Center Quality Reporting (ASCQR) program will qualify for full annual update of their annual ASC payment rate.  Accurate documentation will allow an ASC to take full advantage of the ASCQR program.

9. Increase Patient Satisfaction.  Patient care improves when information is readily available to the health care team.  Nurses, doctors, and ancillary staff can all review a patient’s EHR at the same time from different locations.  When a patient has a question for a medical assistant, she doesn’t have to say she will have to check the paper record once the doctor has finished with it.  She can check the EHR to answer the patient’s question promptly.  With a stack of paper records on his or her desk, who knows when this patient’s record would make its way to the to-be-filed box and then to the shelf.

10.  Mitigate Risk.  In the event of a RAC audit or any question regarding questionable billing practices, a complete and integrated EHR is the best defense against charges of fraudulent intent.  EHR eliminates the chance of lost or misplaced required supporting documentation.  If records are requested, they can be quickly retrieved, copied and submitted to justify reasonable and necessary claims for reimbursement.

Write to us if you have any other suggestion why ASCs need EHR today.

Tags: RAC Audit, EHR, HIPAA, Electronic Health Record

Facts about ICD-10 codes

Posted by Harold Gibson on Sat, Jul 14, 2012

All “covered entities”—as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)—are required to adopt ICD-10 codes for use in all HIPAA transactions with dates of service on or after the October 1, 2014 compliance date. For HIPAA inpatient claims, ICD-10 diagnosis and procedure codes are required for all inpatient stays with discharge dates on or after October 1, 2014. Transition to ICD-10 does not directly affect provider use of the Current Procedural Terminology (CPT) and Healthcare Common Procedure Coding System (HCPCS) codes.

Some other facts about ICD-10:

Coders will have to use thousands of new codes
Diseases aren’t changing. The codes on how to report them are changing to become more specific and dependable. Users won’t necessarily have to learn more new codes, but they will have to change ingrained habits on how to access more powerful and specific codes.

Coders will need to change their processes, workflow and beef up their knowledge of anatomy, and physicians will be required to shore up clinical documentation with more specific nomenclature in documentation that translates to effective coding. Vague descriptions of conditions by physicians and rote memorization by coders—or guessing what they think the correct code is—will no longer suffice with ICD-10. Training for staff is critical and cannot be overstated.

ICD-10 and EHR implementation are complementing each other
Some healthcare professionals are avoiding the task of transitioning from ICD-9 to ICD-10 because they are confused about priorities and feel caught between competing initiatives. But implementing EHRs, attesting to meaningful use, and transitioning to ICD-10 are closely aligned and complement each other. These initiatives together should be considered as a comprehensive package to improve documentation efforts.

A speedy, efficient EHR can ease the ICD-10 implementation. EHRs may streamline the coding process by functioning as coding crib sheets, providing boundaries and helping providers select the most appropriate code. Transitioning to ICD-10 ensures that EHRs, value-based reimbursement, and meaningful use incentive programs all speak the same language.

Detailed medical record documentation will be the key for ICD-10 to be implemented
As with ICD-9-CM, ICD-10-CM/PCS codes should be based on medical record documentation. While documentation supporting accurate and specific codes will result in higher-quality data, nonspecific codes are still available for use when documentation doesn’t support a higher level of specificity. As demonstrated by the American Hospital Association/American Health Information Management Association field testing study, much of the detail contained in ICD-10-CM is already in medical record documentation but is not currently needed for ICD-9-CM coding.

ICD-10-CM-based super bills will not be long or complex
Practices may continue to create super bills that contain the most common diagnosis codes used in their practice. ICD-10-CM-based super bills will not necessarily be longer or more complex than ICD-9-CM-based super bills. Neither currently-used super bills nor ICD-10-CM-based super bills provide all possible code options for many conditions. The super bill conversion process includes:

  • Conducting a review that includes removing rarely used codes; and
  • Cross walking common codes from ICD-9-CM to ICD-10-CM, which can be accomplished by looking up codes in the ICD-10-CM code book or using the General Equivalence Mappings (GEM).

ICD-10 has great benefits for stakeholders
Everyone wins with ICD-10—from providers to patients. As mentioned, the specificity of ICD-10 is its forte. Because it facilitates more accurate diagnoses, ICD-10 enhances patient outcomes, supplements evidence-based research, and improves public health tracking and population health analysis.

As providers become more accountable for patient outcomes, less ambiguous coding will help specify reasons for patient noncompliance. Enhanced documentation of a patient’s condition will improve shared data with health information exchanges, facilitate auditing efforts, and decrease fraud and abuse. The ability to leverage ICD-10’s greater granularity will help increase reimbursement and establish more effective processes.

Time is perfect for the transition to ICD-10
Conversion from ICD-9 to ICD-10 CMS is long overdue. ICD-9 was created in 1979—before the identification of many diagnostic and technological developments that have occurred in the past 30 years. We need coding that matches recent medical discoveries and aligns with other developed countries that adopted ICD-10 years ago.

Tags: ICD-10, HIPAA 5010, ICD-10 Coding, medical coding, Medical Billing, ICD-9, HIPAA

HIPAA 5010 Rule explained

Posted by Harold Gibson on Wed, Mar 21, 2012

HIPAA X12 standard - version 5010 is a new standard that regulates the electronic transmission of specific healthcare transactions.

Covered entities, such as health plans, health care clearinghouses, and health care providers, are required to conform to HIPAA 5010 standards. The compliance date for use of these standards is January 1, 2012. It is necessary to implement the new standard to prepare for the transition to ICD-10-CM and ICD-10-PCS. The compliance date for ICD-10 is October 1, 2014.

As a provider should I care?

HIPAA 5010 can be understood as an upgrade on the existing form of HIPAA rather than a significant change in the way HIPAA-defined benchmarks have been defined for processing transactions in the healthcare industry. The changes put forth as a part of HIPAA 5010 were being anticipated for some time since the existing standards of HIPAA were beginning to seem a bit outdated. HIPAA 5010 has been created in such manner that the forthcoming changes in the revised medical billing/coding data of ICD-10-CM & ICD-10-PCS will be accommodated by all covered entities in a better manner. These changes in the coding systems are scheduled to be made effective from October 1, 2014 and thus, adoption of HIPAA 5010 will mean that all covered entities and their business associates have sufficient time and proper understanding of the altered coding systems. However, this doesn’t mean that HIPAA 5010 doesn’t present any challenges to the US healthcare industry.

What's the difference between old HIPAA 4010A1 and new HIPAA 5010?

There are some major differences between the HIPAA 5010 Rule and the existing HIPAA 4010A1 standards. As a result, the entire process of upgrading to HIPAA 5010 could be a bit time consuming. However, this slight deterrent is largely negated by the fact that the adoption of HIPAA 5010 will improve the quality of transactions in many ways. The most notable advantages would be the removal of ambiguities in the existing healthcare information processing systems, ensuring more consistency in healthcare transactions. This will also help to graduate towards adopting NPI regulations in a more comprehensive manner and make it easier to eliminate patient data that has no relevance. Covered entities or business entities in the US healthcare industry shouldn’t feel threatened by the introduction of HIPAA 5010 since it doesn’t put financial stress on their operations. These entities merely need to review their existing systems and those of their business partners and understand how HIPAA 5010-defined standards can be adopted, i.e. how to ensure HIPAA 5010 compliance in the least demanding manner possible.

What do I need to do to prepare for ANSI 5010 compliance? 

1. Speak with your current practice management system vendor. Software vendors are not covered “entities” and therefore, not responsible for compliance. However, your compliance depends on your vendor’s implementation of compliant products. 

Ask your vendor(s):

    • Will you upgrade your current system to accommodate Version 5010 transactions?
    • Will the upgrade include acknowledgement of transactions 277CA and 999?
    • Will the upgrade include a “readable” error report produced from 277CA and 999 transactions?
    • When will you be capable of supporting Version 5010 transactions?
    • Will you be able to support both Version 4010A1 and 5010 transactions concurrently?
    • When will the current system accommodate both the data collection and transactions conduction for Version 5010?
    • When will the upgrades be available and will there be a charge?
    • When will the software installation to the systems be completed? Before January 1, 2012?
    • Will there be adequate lead time to test the new software prior to the January 1, 2012 compliance date?

Note: If your current system cannot handle 5010 transactions or your vendor isn’t planning on updating their system to accommodate 5010 transactions, you may have to purchase new software. If so, you’ll need to set aside enough time to research different programs and an appropriate budget for paying for the cost of new software or a system.

It is very important that your vendor completes the installation of system upgrades in your practice early enough to allow you to test the transaction process with your electronic trading partners (billing service, clearinghouse, health plan, etc.). You will also want to plan appropriately in advance for training your staff.

2. Speak with your clearinghouses, billing services and health insurance payers. You’ll want to ask them:

    • Are you planning to upgrade your systems to accommodate Version 5010 transactions?
    • When will you complete the upgrades?
    • Will you change your fees for Version 5010 transactions?
    • Will we need to register in order to conduct 5010 transactions? How?
    • When can we send you our test transactions to ensure the system works accurately?

Note: Based on the responses to the above questions, you will know if your clearinghouses and billing service can continue to support your business. This information will help you plan budget needs and help develop a timeframe for testing and implementing. It is essential that you contact all of your payers, billing services and clearinghouses to ensure your transition to 5010 will run without payment interruptions. 

M-Scribe uses 5010-compliant, web-based practice management software that works with Windows and Mac operating systems.

Tags: ICD-10, HIPAA 5010, ICD-10 Coding, Medical Billing, ICD-9, Medical Documentation, HIPAA
