Learning Outcomes
After this course, participants will be able to:
- Describe how the federal Anti-Kickback legislation applies to audiology.
- Describe how to implement telehealth in a HIPAA compliant manner.
- Describe how the federal False Claims Act applies to daily practice.
Editor's Note: The following course provides helpful links to resources and references. Please cut and paste the links into your browser.
Dr. Kim Cavitt: As consumers of healthcare, we are also consumers of HIPAA. Treat your patients protected health information as you would want physicians and healthcare providers that you see to protect your own. Do unto others as you would want others to do toward you. This course will discuss the federal legislation and how it applies to audiology, ways to implement telehealth in a HIPAA compliant manner and how the federal False Claims Act applies to daily practice.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA is United States legislation that provides data privacy and security provisions for safeguarding medical information. As consumers of healthcare, patients have the right to have their information remain private. The protected health information (PHI) includes:
- Names
- Street number and name, city, and last two digits of the zip code
- Dates directly related to the individual (birth date)
- Phone number
- Fax number
- Email address
- Social security number
- Medical record number
- Health insurance member number
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Hearing aid serial numbers
- URLs
- IP addresses
- Biometric indicators
- Finger, retinal, and voice prints
- Photos
- Any unique identifying number, characteristic or code
HIPAA is now being audited by Health and Human Services, the governing body of HIPAA. As a result, it is important that practitioners follow the requirements set forth. If any of these provisions are violated, it can result in civil and criminal penalties. Patients may sue a practitioner privately, or they can face criminal prosecution that can lead to incarceration.
HIPAA addresses the following:
- Standard transaction and code sets
- National Provider Identifier (NPI)
- National Employer Identifier (EIN), or your tax ID number.
- HIPAA 5010
- Security
- Health Information Technology for Economic and Clinical Health (HITECH) or Breach Notification
- Privacy
Standard Transaction and Code Sets
To be a covered entity under HIPAA, you need to submit a claim electronically. Standard transaction and code set means when you're submitting electronically, you only can use current procedural terminology (CPT) to represent the procedure. The International Classification of Diseases version 10 (ICD-10), is used to represent the diagnosis, symptom or condition. Healthcare Common Procedure Coding System (HCPCS) is used to represent the item or service. You might see some coding exceptions in worker's compensation claims. The only coding exception that exists now is Medi-Cal in California, which still does use some of their own code set.
The National Provider Identifier (NPI)
HIPAA requires that each individual provider utilize their own distinct and unique individual provider identification number for all payers. The number stays with the provider for life as they move from employer to employer. The NPI is set forth by the National Plan and Provider Enumeration System (NPPES). Audiologists, hearing aid dispensers and audiology assistants can obtain an NPI. However, being eligible to obtain an NPI does not mean you can bill for items or services. You can apply for an NPI on the NPPES website (nppes.cms.hhs.gov/NPPES/Welcome.do). Usually, it takes one to three hours for an NPI to be created. You can also look up NPIs, as they are public information. It is important to be able to look up an NPI if you need that information for a claim of an ordering physician.
The National Employer Identifier (EIN)
HIPAA requires that each individual practice or facility utilize their own distinct and unique practice or facility identification number. This is required for every practice and facility except for a sole proprietor. A sole proprietor is operating under the sole security number and NPI of that owner, or sole proprietor. The EIN is issued by the Internal Revenue Service. Each practice also needs a facility NPI. An entity that's not a sole proprietorship will need an EIN and facility NPI. You can apply for an EIN using the following link: npiregistry.cms.hhs.gov/
HIPAA 5010
HIPAA 5010 is a systems update that went into effect January 1, 2012, and enforcement began March 31, 2012. This update allows for the transition of the seven characters of ICD-10. Before HIPAA 5010, that diagnosis box would only allow for five characters. They had to make systems updates to allow for the seven characters of ICD-10. This did not affect providers as long as your software vendors, payers and clearinghouses were making that change. Your claims would have been denied if you were not HIPAA 5010 compliant.
There are two kinds of claims formats:
837 format. HIPAA 5010 put forth this claim submission format. Discuss with your office management vendors the current claims format in your workplace, because the alternative is CMS 1500. Most have created an electronic version of the CMS 1500 form and that's what is going out to the payer. The CMS 1500 form has limitations because it only allows for six line items on a claim. For services which typically have more than six line items, (e.g., vestibular testing, cochlear implant candidacy, billing a hearing aid) using CMS 1500, you would need to bill it on a second claim. The 837 format has no limits on the amount of line items in a claim.
CMS 1500. Health and Human Services is going to prohibit further use of the CMS 1500 format, either internally or externally. Some of your clearinghouses may be making the transition for you, from a CMS 1500 format to an 837. If you work in a large institution where you're dealing with Epic, G Centricity, or a big hospital system, those are already 837 compliant.
These are some questions you need to ask your office management system vendors:
- Are they using the 837 format or a 1500 format?
- What are their plans for transitioning fully to an 837 format?
- If your office management system is still on a CMS 1500 format, is it the clearinghouse that's making the transition for you to 837?
Plan ahead and press your office management systems to make updates to start moving toward being fully HIPAA compliant.
Security Rule
The Security Rule is an extension of the Privacy Policy and went into effect in April of 2005. It only applies to electronic formats (i.e., anything that you have plugged in either to store, charge or to transmit electronic information). You need to have a policy around all of those types of items in your office. HIPAA Security is not just about protecting the patient's information, but about protecting the patient's information for your business. There have been fires, hurricanes, blizzards, ice storms and flooding that have destroyed practices. What happens if you didn't have the safeguards in place that HIPAA requires? Providers need to have administrative, physical, and technical safeguards. Also, they need to have written policies and procedures related to operations and documentation, in addition to having a process for employee training and sanctioning. All new hire employees should be trained on HIPAA Security and Privacy, and at a minimum annually thereafter. Remember, that this training needs to be documented to be compliant with HIPAA Security.
Any breach of the security or privacy policy needs to be documented in the provider's employee packet. Pertaining to HIPAA Security, you must have documented consequences for HIPAA Security breaches. The security rule states that covered entities must "ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit." In addition, they have to "identify and protect against reasonably anticipated threats to the security or integrity of that information," as well as to "protect against reasonably anticipated, impermissible uses or disclosures." Finally, employers need to "ensure compliance by their workforce." This is the hallmark of HIPAA security. Every covered entity who submits something electronically must abide by this.
Risk assessment. A risk analysis process includes, but is not limited to, the following activities:
- Evaluate the likelihood and impact of potential risks to e-PHI.
- Implement appropriate security measures to address the risks identified in the risk analysis.
- Document the chosen security measures and, where required, the rationale for adopting those measures.
- Maintain continuous, reasonable, and appropriate security protections.
This isn't solely about firewalls or anti-hacking software. This relates to your procedures of how you will ensure employees are compliant with these policies.
What equipment do audiologists need to think about?
- Computers
- Phones
- Tablets
- Fax Machines
- Answering Machines
- Audiometers
- Test Suites
- OMS/EMR
- NOAH
Does every employee in your practice need to have access to your office management system on their personal electronic device (e.g., cell phones, tablets, laptops)? Probably not, as there is the potential for impermissible uses and disclosures. What if an employee went home and they didn't log out of their laptop? Someone else could easily log into that computer and steal patient information. That's why you need to have these risks analysis procedures in place. Take a look at all equipment and determine whether there is a likelihood of impermissible use and disclosure. Also, if you replace a piece of equipment, how do you properly remove all the information and delete everything off of the old equipment, to either resell or recycle it? You have to have policies for that.
Administrative safeguards. Every practice needs not only a privacy officer, but also a security officer. The designated individual will be responsible for creating, administering, documenting and training on HIPAA security. Your security officer should be someone who's stable to your business (e.g., owner, manager, director), or someone on the security side who has a strong IT background. You will need information access management to regulate who has access to protected health information, where, and by what means. You also need to have training and accountability. You need to authorize and have in writing who has access to what PHI, where, and how. You need to train staff then on your policies and procedures and you need to sanction or discipline staff who don't comply. This entire process needs to be documented in writing.
Physical safeguards. Limit and control physical access by having locks on doors and securing computers or laptops (i.e., workstation device security). You need to have proper use and access to workstation electronic devices. You should have computers go into sleep mode after a certain amount of time or you have to re-login. Have written policies about how to handle the transfer of information from one place to another. That transfer is going to be important as we talk about telehealth because it is about protecting the electronic transfer and removal of information.
Technical safeguards. Control of access is key across this topic. Who has access to what, where, and why? Everything needs to be password protected and those passwords need to be novel and change frequently. If you're not using difficult novel passwords, hackers can break in quickly. You need to audit when you have privacy policies and ensure everyone is following the safeguards. Record and examine access to documents. You should never be able to delete chart notes that have been entered into an electronic system. You should be able to amend or append them, but not delete them. There was a large office management system that used to allow you to delete. That was not HIPAA compliant. This information can be hidden but should be readily located when needed. That's why it can't be improperly altered or destroyed. There always needs to be a trail of what it was before and what was changed. Transmission security provides protection against hacking and includes all the software protections that you can put on your computer. Those still need to be in place.
Policies, procedures and documentation. Develop written policies and procedures to comply with the security rule at your practice. If you need guidance, it is helpful to use an IT consultant who specializes in HIPAA. In my experience, when IT gets involved, they tend to find things that go beyond HIPAA that are important to the security and functionality of your business. This process can help protect your business and patient information and make sure you're operating as efficiently as possible. You must have policies and procedures in writing and document your annual or new hire staff training, any actions, activities or risk assessments.
Mobile devices and HIPAA. If you're going to have patient information on your personal device, you need to make sure that the device is password protected or has user authentication (e.g., Touch ID, Face ID). You need to install and enable encryption. If you are going to send patient information from a mobile device to another mobile device, even if it is the patient, that information needs to be encrypted. If you're going to communicate via text or email, that also needs to be encrypted. You should never be using Skype or FaceTime with a patient. Always use secure encrypted lines and modes of transmission. You need to install and activate remote wiping or remote disabling to your mobile device. You need to disable or uninstall any file sharing applications. You want to install and enable a firewall and security software. Keep your security software up to date. Keep your devices updated so that you don't have these holes in your security. Maintain physical control and do your best not to lose your phone. Use adequate security if you send or receive health information over public Wi-Fi networks. Ensure these are secure networks and delete all stored health information before discarding or reusing a mobile device. Health and Human Services has a great site called HealthIT (https://www.healthit.gov/), and they walk you through HIPAA and mobile devices.
Telehealth and HIPAA Compliance
As outlined by the Department of Health and Human Services, telehealth is "the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration. Technologies include video conferencing, the internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications." Store-and-forward means that it was recorded, stored, and then forwarded to someone for review or interpretation. Store-and-forward is asynchronous telehealth, meaning that interaction with the patient is not happening in real-time. Streaming media is live streaming from one entity to another.
Before they begin providing telehealth, audiologists need to ensure that their transmission systems meet all of the HIPAA Security requirements. These requirements state that the provider must "ensure the confidentiality, integrity, availability of all PHI they create, receive, maintain, or transmit." No matter what a hearing aid manufacturer or an implantable device manufacturer tells you, you should not be interacting with a patient remotely without having a HIPAA Security analysis before you do it. Again, I cannot stress that enough. You can't use FaceTime, SMS, Skype, or unencrypted email to store and forward for telehealth. If you had a video file and you needed to send it to another provider, you couldn't do that from an unencrypted email. Please consult with an IT consultant before you make that leap into telehealth. Before you ever do anything via telehealth, you need to ensure a few things:
- Make sure your state license allows for an audiologist to perform telehealth.
- Know how your liability insurance vendor manages you in telehealth. You may not have a provision for telehealth built into your policy.
- Determine how you are going to secure payment in a telehealth world.
Do your homework and make sure to set this up correctly to be compliant to your state licensure, as well as HIPAA compliant.
Business Associate
Per Health and Human Services, a business associate is:
"A person or organization, other than a member of the covered entity's workforce, that performs certain functions or activity on behalf or provides certain services to, a covered entity that involves the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing."
Providers are responsible for the actions of their business associates. You need to have a written agreement with your business associates in place before you can send anything to a business associate. A copy of the Business Associate Agreement can be found at this link:
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
Common audiology business associates are:
- Hearing aid manufacturers
- Earmold manufacturers
- Accountants
- Lawyers
- Office management system (OMS) vendors
- IT consultant
- Buying/management group
HITECH Breach Notification
Effective as of February 2010, the HITECH Breach notification applies both to paper and electronic formats. A breach is defined as an impermissible or unauthorized use or disclosure of protected health information. Let's say that you accidentally faxed a patient report to the wrong physician's office. I would view that as a breach of low complexity. In other words, there is a low likelihood that the patient's protected health information got into nefarious hands. In that case, you would document in the patient's medical record that you had inadvertently faxed the report to the wrong physician, but you had contacted that physician's office and they assured you they shredded the fax or destroyed that e-fax.
As another example is if you accidentally mailed a patient's report to the wrong patient. That would be considered a breach because you can't control the patient on the other end or what they're going to do with that information. This could be problematic if you live in a small town where everyone knows each other. I would categorize this as a more moderate or severe degree of the breach. If this were my practice, I would notify the patient that I had inadvertently sent their information to the wrong person, and then I would offer them some sort of recourse. Typically, that recourse could be in the form of identity theft protection for a window of time. If you find that you have a breach of more moderate to severe complexity, you have 60 days to notify the patient. Providers and business associates have the burden of proof that they have made that notification, which could be sent either via email with a receipt or via certified mail. We used to send ours via certified mail. If a business associate has a breach, they must notify the covered entity. If you have breaches of greater than 500 people, you must notify the media and Health and Human Services. A lost paper chart is considered a breach because you don't know if it was stolen.
More information about breach notification can be found at this link: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
The Privacy Rule
The privacy rule is the hallmark of HIPAA. The effective compliance date of the privacy rule was April 14, 2003. It has since been updated as of January of 2013. The Privacy Rule sets forth protections for patient's health information, affecting both paper and electronic formats. The Privacy Rule protects individually identifiable health information, including information that relates to:
- The individual’s past, present or future physical or mental health or condition
- The provision of health care to the individual
- The past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual
- Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number)
The bottom line is that you need to protect everything in the patient's medical record. If you have invoices that are scanned into the patient's file, that patient has the right to access those invoices. I would have never put an invoice into a patient medical record. An invoice is a financial transaction between the clinic and the manufacturer, it is not a financial transaction between the patient and the manufacturer. The patient has access to anything in their chart and it all needs to be protected.
The Privacy Rule states that patients have the right to adequate notice of how a covered entity may use and disclose protected health information about them. This is what your Notice of Privacy Practices is supposed to outline. A Notice of Privacy Practices is required for every practice. You must receive an updated acknowledgment from each patient. Acknowledgments prior to 2013 are no longer binding because the privacy policy has been updated. The notice has to be available to any person who asks for it. You must prominently post or make available your notice on your website. You need to make a good faith and effort to obtain the patient's signed acknowledgment of receipt of the notice of privacy practices. If an acknowledgment can't be obtained, you must document your efforts to obtain the acknowledgment and the reason why it wasn't obtained.
Transfer of paper records to electronic records. When transferring from paper records to electronic records, I would recommend consulting your state medical record retention laws. HIPAA requires six years, but your state may have rules that are much more defined. It is not uncommon for a state, especially as it pertains to pediatrics, that records cannot be destroyed until the child turns the age of maturity (which may be different in each state). Please consult your state medical record retention laws. If you transfer everything from the paper chart into the electronic health record, you can destroy those old paper charts. If you did not transfer everything to the electronic record, you must maintain your paper records in accordance with HIPAA and your state medical record retention guidelines, because the patient has the right to access those paper records.
Disclosures that Do Not Require Authorization
Treatment. Conversations or correspondence between the audiologist and the ordering physician and any physician or provider you're referring to in any coordination of care does not require patient authorization. If you have not seen a patient in a long period of time, I would take caution and seek authorization from the patient first. One place where this is especially important is when you are dealing with spouses, parents or adult children of your patients. I would recommend that all of your authorizations are typed because we can't assume that every spouse wants their significant other to know what is going on. We certainly can't assume that any adult child has access to their parents' records.
Payment. Another instance that doesn't require authorization from a patient is payment. It doesn't require specific authorization to submit something to the patient's insurance carrier, although that patient can request that you do not send something to their insurance carrier.
Health Care Operations. Health care operations are defined as "certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business." For example, you don't need a patient authorization to send the patient's name or information to your accountant so they can drop a refund check.
Disclosure of Information from Another Provider
People ask all the time, "I have information in my medical record that came from another provider. Can I send that if a patient wants a request for information?" The answer is yes, you can disclose information that's in the medical record but that was obtained from another provider. More information on the disclosure of information from another provider can be found on the U.S. Department of Health and Human Services website:
https://www.hhs.gov/hipaa/for-professionals/faq/214/may-health-care-provider-disclose-parts-of-medical-record/index.html
Privacy Rule Specifics
You need a Privacy Officer that is responsible for the notice of privacy practices. Your office needs training on privacy, and that training must be documented for all new hires, as well as any other additional training (which must occur annually, at a minimum). You must have a complaint process and that needs to be outlined in your Notice of Privacy Practices. You must have record safeguards for storage of information, both paper and electronic. For storage disposal, as per HIPAA, you have to keep records for six years, but to reiterate, state or payer record retention policies may be different than HIPAA guidelines.
Texting and Email. Electronic Protected Health Information should only be submitted through encrypted or secured service providers. You can get encrypted texting and email if you prefer this method of communication with your patients, however, there are costs associated with that. If your practice allows texting and emailing, this needs to be addressed in your privacy policy. You need to add the email and text consent to your patient intake form and have a separate acknowledgment form. You want to make sure that they acknowledge and allow for you to text or email them, keeping in mind that some patients will say no.
Use and Disclosure. A Use and Disclosure form is a HIPAA-specific form. It is the HIPAA version of a medical release. It can also list to whom information can be disclosed on an intake form. It allows the patient to list to whom and what type of information can be disclosed. This form can also be used so that the patient can restrict disclosures. For example, they might not want you to send information to their insurer.
Marketing. The Privacy Rule defines marketing as making "a communication about a product or service that encourages recipients of the communication to purchase or use the product or service." This only applies to marketing that you're sending to your database. It doesn't apply to direct mail, television, or newspapers. Marketing in the omnibus was also defined as "an arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity in exchange for direct or indirect remuneration for the other entity or its affiliate to make the communication about its own product or service that encourages recipients of the communication to purchase or use that product or service." More information about marketing can be found at this link:
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/marketing/index.html
Testimonials. Patient testimonials are an important part of marketing. In order to do this compliantly, the following must be considered:
- No PHI can be shared in the testimonial or published review (no name, hearing loss, device serial numbers or address).
- A patient’s written authorization must be obtained prior to public use of their review or testimonial.
- The Notice of Privacy Practices must outline your policies related to publication or dissemination of testimonials and reviews.
- Staff must be trained on these policies and that training must be documented.
Marketing vs. Education. Since the inception of HIPAA, marketing requires authorization. If your communication to your patient is being paid for in whole or in part by a third party, with the goal of someone to purchase an item or service, this is considered marketing. Furthermore, if you're talking about price, product, and promotion, then it is marketing and not education. Thus, marketing requires authorization. Education does not require authorization since it is informational (e.g., if it discusses technology, but not a specific product). With education, there is no mention of product or price, and there is no promotion in the communication. It is to inform patients about new locations, addresses, providers, or new technologies or research, but nothing specific to a product.
Marketing Decision Matrix. The Privacy Rule requires that you use either a short-form marketing authorization or a long-form marketing authorization. How do you determine which one you need? By answering the following questions:
- Do you co-op marketing with a third-party?
- Are you an equity member of a buying group whose products you market?
- Do you have a lease or loan from a third-party vendor of products you market?
- Do you have a business development fund for products you market?
- Do you go on vendor-funded trips for products you market?’
If you answered yes to any of the above questions, you need a long-form marketing authorization if you want to continue to market those specific products. Let's say you have diabetes and a physician is recommending a certain insulin pump. Would you want to know if the marketing presented to you was paid by the insulin pump manufacturer? Would you want to know if that insulin pump manufacturer has provided the lease to that physician for the space?
With the short-form marketing authorization:
- No remuneration, in cash or in kind, exchanges hands in any form for products you market.
- You pay for all of your own marketing communications, in full, that are sent to your database.
- Remuneration, in cash or in kind, occurs regarding a product or service you are marketing.
- The vendor is paying in whole or in part for the communication.
- One page document.
- Need assistance of legal counsel to draft.
The Omnibus Rule
The Omnibus Rule went into effect on September 23, 2013. It states that business associates and their contractors and subcontractors are required to comply with the updated HIPAA Privacy and Security Rules, including breach notification. In addition, it states that if you maintain electronic health records, patients have the right to request that the records be sent electronically. Patients who are paying privately for any item or service have the right to restrict any disclosure about this item or service to their health plan.
Within the Omnibus Rule, marketing has been redefined as any patient communication where a provider receives financial remuneration from a third party whose products or services are being marketed. When marketing is being performed using PHI, a patient authorization must be in place prior to sending this marketing communication to your patient or database. The sale of protected health information is prohibited.
With regard to breaches, the Omnibus Rule states that there must be a defined breach notification process where a situation is presumed to be a breach until the provider, business associate, contractor, or subcontractor determines that there's a low probability that the patient's privacy has been compromised. Also, the risk assessment must be performed anytime a breach occurs and needs to be documented.
The omnibus rule allows for broader use of protected health information for research and fundraising reasons. The rule also allows for a streamlined authorization process for the use of PHI for research purposes. Penalties have increased to up to $1.5 million maximum per calendar (many fines range between $100 and $50,000 per violation and degree of culpability) and up to 10 years in jail.
Requirements for Every Practice
In summary, every practice needs:
- 2013 or newer revised Notice of Privacy Practices
- 2013 or newer revised Business Associate Agreement
- 2013 or newer revised Breach Notification Policy
- 2013 or newer revised Marketing Authorization
- Providers with individual NPIs
- Facility NPI
- Use and Disclosure form
- Acknowledgment of Receipt of Notice of Privacy Practices
- Can be added to your intake form.
- Security Policy and Process
- Breach Notification Policy and Process
- Risk Assessment Process for breaches
- Independent Contractor Agreement that includes HIPAA Language
- Documentation of Staff Training
- Employee Confidentiality Form
Differences Between Law and Ethics
A law refers to the systematic body of rules that governs a whole society and the actions of its individual members. Ethics is a branch of moral philosophy that guides people about their basic human contact and human conduct. Laws are a set of rules and regulations and ethics is a set of guidelines. Laws are governed by governments and ethics are often governed by an individual's legal and professional norms. Laws are typically in writing and ethics can be abstract. Legal violations may not be permissible and can result in punishment, whereas ethical violations that aren't illegal often times don't have punishment. Laws are created with the intent to maintain societal order and peace in society, whereas ethics are about right and wrong and how people treat each other and how they want to be treated. More information about law and ethics can be found at this link:
keydifferences.com/difference-between-law-and-ethics.html
Examples of Cases
I want to stress that we are not immune to actions from the government. The following case examples all occurred within the last five years.
The first case I would like to discuss is that of an audiologist who was the second-largest biller of services to Medicare up until 2014. She was found guilty on charges which included health care fraud and wire fraud, money laundering and identity theft. She is in now in federal prison with a term of 174 months and a 2.5 million dollar fine.
There was also a case where people in Texas were billing Blue Cross Blue Shield differently than they billed their general population. They were billing $10,000 for hearing aids and giving gift cards for people to access their hearing aid benefits.
In another case, an audiologist conducted unwarranted and unnecessary hearing tests on nursing home residents, including those with severe mental deterioration, such as Alzheimer's disease, senility, and dementia. He billed and was paid hundreds of thousands of dollars for these services. This illegal activity occurred from January 1998 through January 2003.
Yet another case involved an audiologist who made arrangements with a nursing facility and affiliated physicians to get orders for hearing exams that were not medically necessary. The audiologist used this access to residents exclusively to market hearing aids. In this case, the facility and physicians, in addition to the audiologist, could be held liable for false or fraudulent claims if they acted with knowledge of the claims for unnecessary services.
The Importance of Codes of Ethics
It is important to know the ethical and legal responsibilities that we have in the hearing care profession. We need to be aware of the guidelines outlined in our state licensure law. Failure to comply can lead to suspension or revocation of your license. Ignorance is not a defense.
Here are links to the AAA and ASHA Professional Codes of Ethics.
- AAA: https://www.audiology.org/resources/documentlibrary/Pages/codeofethics.aspx
- ASHA: https://www.asha.org/Code-of-Ethics/
Would you feel comfortable if a provider told you that they went on a vendor-funded trip? Or, that they have a business development fund from a vendor of products they're marketing to you? What if they have a vendor payment arrangement, or if they receive gifts from vendors? The public often knows about such things, especially the vendor-funded trips and gifts received because audiologists post it on social media.
Ethical Questions
Here are some examples of ethical questions that we need to ask ourselves in the hearing care industry:
- Should you inform patients of the existence of over the counter amplification options, that could be appropriate for their hearing loss?
- What if an OTC option is just as appropriate as a provider-delivered option? If the patient has a very mild hearing loss or they don't have a large hearing handicap, would you mention it to a patient?
- Should you inform patients of their funded and discount benefits from third-party administrators that you do not participate with?
- Should your patients know of your relationships with vendors prior to purchase?
- Should hearing aids be sold which are proprietarily locked? Is this good for the patient?
- What if a vendor offers you cash?
- Should you tell your patients that a vendor paid for your training and the travel associated with that training?
- Does that change if the training is accompanied by a resort or “vacation-like” activities?
- What if you post this on social media and your patient sees you?
- Should you make fun of your patients on social media, even if you do not specifically state their names or disclose PHI?
- What if you show their hearing aids?
- Should you bill insurance differently than you bill your private pay patients, in an attempt to maximize your third-party coverage?
- Is it ethical to not provide evidence-based care?
- Is it ethical if you do not refer a patient for an auditory osseointegrated device or cochlear implant candidacy determination because you might lose the patient?
- What if the patient can get the same or better technology less expensively at a big box retailer?
- Do you refer to them?
- Do you mention it?
- What if you bill hearing aids to an insurance company that the patient has yet to receive?
Federal Regulations
These ethical questions can lead to legal situations which we will discuss in three sections:
- Anti-Kickback
- Stark Laws
- False Claims
- These apply to items or services paid in whole or in part by a federal healthcare program
- Medicare
- Medicaid
- Tricare
- Veteran’s Administration
- These apply to items or services paid in whole or in part by a federal healthcare program
Be careful with private insurers, because they often co-op these same regulations for their own health plans. Some state licensure laws and private payers apply them, in verbatim, to other situations. You want to consult your state licensure laws and managed care agreements for this language as it pertains to anti-kickback, Stark and false claims.
The Sunshine Act, or the Open Payments Act, requires manufacturers of pharmaceuticals, medical devices, biological and medical supplies covered by Medicare, Medicaid or SCHIP to collect, track and report all financial relations with physicians and teaching hospitals to CMS. In 2017, they added on physician's assistants and nurse practitioners. If they expanded Sunshine to cover audiologists, how prepared would we be that every interaction with a vendor was documented? We all need to be more careful and aware of these relationships and have them vetted by our own personal legal counsel, especially a counsel that specializes in healthcare.
Anti-Kickback
The Roadmap to Compliance is a fantastic document created by the U.S. Department of Health and Human Services Office of Inspector General (OIG) which I encourage every audiologist to review. It can be found by visiting this link:
https://oig.hhs.gov/compliance/physician-education/roadmap_web_version.pdf
This is the anti-kickback rule verbatim:
What can I give patients? You can gift patients anything that is less than $15 in value per item or less than $75 in value per year.
- https://oig.hhs.gov/fraud/docs/alertsandbulletins/OIG-Policy-Statement-Gifts-of-Nominal-Value.pdf
- https://oig.hhs.gov/fraud/docs/alertsandbulletins/SABGiftsandInducements.pdf
- https://www.mcguirewoods.com/Client-Resources/Alerts/2016/12/OIG-Raises-Nominal-Value-Gifts-Medicare-Medicaid-Beneficiaries.aspx
What can I give referral sources or physicians? As per the AMA, although not defined, you can give gifts of "nominal value". Food is a great option that usually falls under any guidance. If vendors are giving things to physicians, teaching hospitals, nurse practitioners and physician's assistants, these items have to be disclosed under the Sunshine Act.
- https://www.hhhealthlawblog.com/2013/11/gifts-to-referral-sources-and-patients.html
- https://www.hawleytroxell.com/2011/11/gifts-to-patients-and-potential-referral-sources/
What gifts can I receive from the industry? Items of nominal value only. Education is always allowed, but beyond that, you shouldn't be receiving anything from the industry.
- https://journalofethics.ama-assn.org/2014/04/coet2-1404.html
- https://www.hhhealthlawblog.com/2013/11/gifts-to-referral-sources-and-patients.html
- https://oig.hhs.gov/compliance/physician-education/04vendors.asp
Some potential anti-kickback issues include:
- Providing free hearing tests. If you are a Medicare provider, providing free hearing tests is a clear violation of the Medicare rules and regulations. Medicare prohibits offering free services, such as hearing testing, as an inducement to generate other services such as other diagnostic services or hearing aids. If someone wants you to provide free hearing testing (e.g., a third-party administrator), you would need to have your own legal counsel help you work through the ramifications of providing free hearing testing given your specific situation. I would never provide free hearing testing if I am billing that same testing to another entity in another situation without the advice of counsel. When you seek legal counsel, you have legal protections called the advice of counsel. If your counsel tells you something and you have that documented and it turns out to be wrong, it is a legal defense that you had the advice of counsel. We are asking patients to pay us a great deal for our expertise. Occasionally, we need to pay attorneys, consultants, accountants, and IT to help us with their expertise.
- Use of referral pads. If you use referral pads that have your practice information on them, that can be seen as a solicitation of a Medicare order. You shouldn't use referral pads that have any identifying information about your practice (your name, fax number, address or email).
- Write-offs of co-pays and deductibles. You should not write off co-pays or deductibles unless you have an established document indigent policy. You especially can't market that you write-off co-pays and deductibles.
- Reminder mailings for annual hearing tests where you are seeking third-party coverage from a federal payer. You can send reminder mailings for hearing aid checks or that their warranties expiring. Do not send out mailings for a test because once you solicit the test, that test is non-covered. Otherwise, it can be deemed a kickback.
Other potential anti-kickback issues that should be avoided include:
- Manufacturer business development funds.
- Manufacturer leases.
- Free streamers or accessories.
- When you charge the patient or payer for the item you were provided for free.
When in doubt, seek legal counsel for clarification.
Stark Laws
Stark laws don't have a huge impact on audiology, but I did want to talk about them a little bit. The Physician Self-Referral Law prohibits physicians from referring patients to receive designated health services payable by Medicare and Medicaid from entities which the physician or an immediate family member has a financial relationship unless an exception applies. Financial relationships include both ownership/investment interests and compensation arrangements. This can affect durable medical equipment, hearing aids, and auditory prosthetic devices. For audiologists, all relationships with ordering or referring physicians should be in writing and created and vetted by legal counsel, preferably a healthcare attorney. Before you get into relationships with physicians, make sure you have an attorney involved in building that contract and building that relationship. You need to ensure that all your agreements are in writing (e.g., employment contracts, rental agreements). Also, be sure that all compensation is of fair market value and that no quid pro quo exists.
False Claims Act
Here is a great link that covers the False Claims Act.
https://downloads.cms.gov/cmsgov/archived-downloads/SMDL/downloads/SMD032207Att2.pdf
Do not submit fraudulent claims to any entity. Examples of fraudulent claims would include:
- Billing for hearing aids that you have not fit on the patient: The date of service is the date of fit. You're submitting a false claim when you're billing for hearing aids that you have yet to fit because they're not in the patient's possession.
- Billing under someone else's provider number: Let's say, I am going on vacation and someone's going to come in and fill in for me. The person filling in for me is a licensed audiologist, but they are not enrolled in the insurance contracts and does not have a Medicare PTAN. If you bill out everything that they performed while you are on vacation under your NPI, as if you performed it, that would be a false claim. Nothing should be billed out under your provider number unless you, the audiologist, personally performed it, or unless you, the audiologist, personally supervised a student performing the procedure.
- Upcoding: An example of upcoding is if you bill for a comprehensive hearing test and all you did was air conduction. Or if you are billing for a comprehensive hearing test and not adding the modifier when you only tested one ear. If you only test one ear, you have to add a 52 modifier, otherwise, you've submitted a false claim.
- Billing for services known not to be covered and not adding the appropriate modifier: Let's say you're billing for hearing aids. You know you're billing hearing aids to Medicare for a denial, but you don't add the GY modifier, that could be deemed a false claim.
- Submitting claims for services which were not medically necessary and not adding the appropriate modifier:
- Annual hearing tests.
- Tests solely for the sale of a hearing aid.
- Presence of a physician order does not guarantee medical necessity.
- GY Modifier
- Presence of a physician order does not guarantee medical necessity.
Part C Compliance Training
Medicare Part C or Medicare Advantage programs require providers and staff to be trained on compliance. This training must be completed within 90 days of a new hire and must be completed at least annually for all employees and training must be documented in your employee records. For more information, follow this link:
www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/Fraud-Waste_Abuse-Training_12_13_11.pdf
FDA Requirements
FDA requires every patient to receive a user brochure and it should be documented somewhere in their medical record. A medical clearance or medical waiver is needed for each fitting of a child. The medical waiver is not being enforced by the FDA but states may still be requiring and enforcing a medical clearance requirement. “The U.S. Food and Drug Administration today (December 7, 2016) announced important steps to better support consumer access to hearing aids. The agency issued a guidance document explaining that it does not intend to enforce the requirement that individuals 18 and up receive a medical evaluation or sign a waiver prior to purchasing most hearing aids. This guidance is effective immediately. Today, the FDA is also announcing its commitment to consider creating a category of over-the-counter (OTC) hearing aids that could deliver new, innovative and lower-cost products to millions of consumers”.
FDA Referral Red Flags:
- Active drainage within the previous 90 days.
- History of sudden or rapidly progressive hearing loss.
- Unilateral hearing loss.
- Conductive hearing loss or air-bone gap.
- Impacted cerumen or foreign body in the ear canal.
- Pain or discomfort.
- Visible congenital or traumatic deformity of the ear.
- Acute or chronic dizziness.
Those are the FDA warning signs of ear disease. Before you can discontinue using a medical clearance or a medical waiver for adults, please contact your state dispensing and/or audiology licensure boards in writing. It is very important that you get this determination in writing, and sometimes those determinations can be obtained by your state audiology association. When in doubt, hire a lawyer who specializes in health care or Medicare law. Don't enter into contractual relationships with other parties, including physicians, healthcare facilities, buying groups, or management services, without legal advice.
State Licensure
State licensure dictates an audiologist's scope of practice. National associations do not determine our scope of practice. Payers don't dictate a scope of practice. Payers do not have to cover all items or services in our scope of practice. Professional liability coverage is often null if the provider is found to be practicing outside their scope of practice.
Audiology assistants, technicians, and support staff. None of these entities can legitimately perform testing on Medicare beneficiaries and legitimately receive payment. Audiology assistants can obtain an NPI, although its use for billing also depends on the level of independence allowed in both state and managed care agreements. When we're talking about audiology assistants, technicians, and support staff, be careful that you're aware of the scope of practice issues and limitations.
Supervision requirements. What type and level and degree of supervision is required? Just because your state doesn't mention audiology assistants doesn't mean they allow for them. You are ultimately responsible and liable for the situation you are in.
Conclusion
The moral of the story here is when in doubt, seek the guidance of an attorney. Even if you have some ethical questions. If you are unsure how that blends into legalities, seek the advice of counsel. If you work for a large entity, seek the advice of counsel of your compliance department. If you are a small business, private practice or a small center, hire your own attorney. This is your business, license, and livelihood. I hope this course equips you with the resources needed to understand the ethical and legal requirements of an audiology practice.
Citation
Cavitt, K. (2018, April). Ethical and legal requirements of audiology practice - staying compliant. AudiologyOnline, Article 22392. Retrieved from https://www.audiologyonline.com