Medical billers and coders need to be familiar with laws and guidelines regarding fraud, abuse, and patient privacy.
Fraud & Abuse
Fraud is defined by federal government as anyone who knowingly or willingly executes, or attempts to execute, a scheme to defraud any healthcare benefit program. It is intentional deception or misrepresentation of the services or procedures performed by a provider in an attempt to obtain or increase payment.
Fraud can be punishable by criminal conviction of fines. Abuse is not considered as serious as fraud because it typically occurs due to ignorance or lack of awareness of proper coding and billing guidelines. When abuse is detected, it typically results in recovered or adjusted payments, possible suspension form the insurance payers programs, or in more severe cases financial penalties.
Medicare frequently investigates and prosecutes providers who abuse or manipulate the system.
Examples of Fraud
- Altering medical records to justify fraudulent charges.
- Billing for services not provided.
- Changing dates of service
- Deliberately billing for the same services twice such as billing two separate insurance payers or patients for one service.
- Receive bribes or kickbacks in return for referrals
- Forgive the deductible or copay.
- Upcoding as described in Coding lesson.
- Unbundle charges
- Use of another patient’s insurance to obtain medical care.
- Omitting relevant information from a claim such as secondary insurance.
Examples of Abuse
- Excessive charges
- Unnecessary tests
- Unnecessary referrals
- Unnecessary follow up visits
- Billing Medicare patients at higher rate than other patients.
- Require patient to waive rights to Medicare coverage and require patient to pay for services covered by Medicare.
- Failing to refund excessive charges.
- Requiring patient payments for services not previously billed.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) had a significant impact on billing and coding. HIPAA is a law passed in 1996 and phased in over several years that:
- Defined electronic standards for formatting and transmitting health information.
- Mandated use of ICD-10 diagnosis codes.
- Established provider and payer identification standards (NPI).
- Established fines and prison terms for fraud and abuse.
- Established standards for protecting the privacy and security of patient information.
Privacy & Security Standards
HIPAA Administrative Simplification established requirements for protecting patient health information in three categories:
- Privacy Rule defines requirements for protecting and disclosing protected health information (PHI). This applies to covered entities and their business associates.
- Security Rule complements the Privacy Rule and established standards for administrative, physical, and technical requirements for protecting PHI.
- Electronic data standards to establish formats and code sets for the electronic transmission of health information.
Protecting Patient Privacy
When patient information is communicated verbally, make sure conversations are private and cannot be overheard. Any discussions involving Protected Health Information (PHI) should involve only those authorized to know this information.
When communicating patient information electronically, software or systems used should have the appropriate physical, administrative, and technical safeguards in place to protect the confidentiality, integrity, and availability of the ePHI.
When communicating health information by fax, precautions should be taken because you don’t know how secure the fax machine receiving the information is. It is recommended faxing protected information only when there is an immediate need to obtain records for treatment authorization. Recommend a confidentiality notice on fax cover page.
Locate printers or fax machines used for PHI in secure areas that are only available to those with a need to know.
Patient information may not be disclosed or released unless authorized by the patient.
Health care providers, their staff, and any business associates or contractors may remotely access electronic health information. This includes the use of mobile devices to access electronic protected health information (ePHI). This includes medical billing or coding specialists who work for these providers – either directly or for a billing service.
The appropriate physical, administrative, and technical safeguards must be in place to protect the confidentiality, integrity, and availability of the ePHI on mobile devices and when information is stored in the cloud. Business Associate agreements must be in place with any third party service providers for the device and/or the cloud that will have access to the e-PHI.
Consequences of Fraud & Abuse
HIPAA set fines for of $20,000 per claim for false claims plus triple damages.
- Imprisonment up to 10 years for fraud.
- $100,000 fine and 10 years max for Medicare or Medicaid kick-back schemes
Another federal law that impacts billing and coding is the Health Information Technology for Economic and Clinical Health Act (HITECH).
- Strengthened and enhanced HIPAA privacy and protection rights.
- Requires Business Associates to comply with HIPAA.
- Requires notification when an unauthorized disclosure of PHI occurs.
- Increased civil penalties for HIPAA violations to max $50,000 per violation
- Set maximum penalty for violations at $1.5 million
Fraud and abuse can be prosecuted under a variety of federal and state laws.