April 21, 2016

QUESTION:        We received a HIPAA authorization form via e-mail, requesting a copy of the patient’s medical record for life insurance verification purposes.  There is no signature on the form – just a typewritten name and some information regarding when the electronic signature occurred.  Does this type of signature satisfy HIPAA’s requirement that authorization forms be “signed” by the patient?

ANSWER:           Yes.  The Health Insurance Portability and Accountability Act (“HIPAA”) does not require the signature on an authorization form to be physically placed there by the patient, signing with a pen.  Rather, so long as the applicable state (the state where the patient is located and/or the state where the hospital is located) recognizes an electronic signature as legally binding and valid, it is fine for the authorization form to be signed electronically.  In our experience, most states recognize electronic signatures as valid equivalents to signatures, for most purposes.  But, you should check with counsel and have them research the applicable state law, to be sure.

Note the following FAQ from the Department of Health and Human Services Office of Civil Rights’ web page at http://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/:

How do HIPAA authorizations apply to an electronic health information exchange environment?

The HIPAA Privacy Rule requires the individual’s written authorization for any use or disclosure of protected health information (PHI) not otherwise expressly permitted or required by the Privacy Rule.  For example, authorizations are not generally required to disclose PHI for treatment, payment, or health care operations purposes because covered entities are permitted to use and disclose PHI for such purposes, with few exceptions.  Thus, to the extent the primary purpose of any electronic health information exchange is to exchange clinical information among health care providers for treatment, HIPAA authorizations are unlikely to be a common method of effectuating individual choice for the exchange.  However, if the purpose of a covered entity sharing PHI through a health information organization is for a purpose not otherwise permitted by the Privacy Rule, then a HIPAA authorization would be required.  In such cases, the Privacy Rule would allow covered entities to disclose PHI pursuant to an electronic copy of a valid and signed authorization.  Further, the Privacy Rule allows HIPAA authorizations to be obtained electronically from individuals, provided any electronic signature is valid under applicable law.
Created 12/15/08

April 7, 2016

QUESTION:        Our physician practice is a separate entity that employs both physicians and non-physician practitioners (“NPPs”).  Many of the physicians bill the NPPs’ services as “incident-to” services.  Our compliance officer wants to audit the “incident-to” billing and wants to know if there is a simple, straightforward way to conduct such an audit.

ANSWER:            Unfortunately, the answer is no.

Medicare does not require that a physician use any type of identifier or modifier in order to identify “incident-to” services.  This became an issue for the OIG in its report entitled “Prevalence and Qualifications of Non-Physicians Who Performed Medicare Physician Services,” OEI-09-06-00430 (August 2009).

The OIG began this report by conceding that “little is known about Medicare services that are performed ‘incident-to’ the professional services of a physician.”  The OIG noted in several places that it has no simple means to determine what services NPPs are providing to Medicare beneficiaries or the qualifications of those NPPs when the services are billed under the “incident-to” rule.

The OIG also recognized that there are a number of limitations to its study and cautioned against extrapolating the conclusions reached in this Report to the Medicare program as a whole.  Nonetheless, it is clear that the Report’s description of what NPPs do, their credentials and how they provide services is instructive to both the OIG and to practices that utilize NPPs.

But before we discuss the OIG Report, let us examine the Medicare “incident-to” rule.  This rule permits a physician to bill Medicare Part B at the full physician fee schedule amount for the services that are performed by an NPP, if the services are:   (i) furnished to beneficiaries who are not inpatients of a hospital or SNF; (ii) commonly provided in a physician’s office; (iii) an integral though incidental part of the services provided by the physician; (iv) included in a treatment plan for an injury or illness where the physician performs an initial service and is involved actively in the course of treatment; (v) commonly furnished without charge or included in the physician’s bill; and (vi) provided under the “direct supervision” of the physician (i.e., the physician must be present in the office suite while the services are being provided and immediately available to provide assistance).

In this report, the OIG wanted to audit exactly what Medicare was paying for when the program reimbursed claims for services that were billed under the Medicare “incident-to” rules.  However, because “incident-to” claims cannot be identified on the face of the claim, the OIG had no simple or direct means to identify “incident-to” claims.

As a result, the OIG had to formulate a means to identify “incident-to” billing.  In order to do so, the OIG looked at all the physician claims submitted to the program during the first quarter of 2007 and converted the E and M codes billed to a period of time using the Medicare Fee Schedule average time associated with each service.  The OIG then identified physicians who billed more than 24 hours in a single day, reasoning that the only ways to do so were either fraud or using NPPs.

Using this methodology, the OIG identified over 200 physicians who had billed more than 24 hours of services in a single day.  The OIG excluded a few physicians who were being investigated for billing fraud.  However, the OIG then determined that billing more than 24 hours in a day was not a concern to the OIG so long as the physicians complied with the “incident-to” rule.

The OIG then sent an audit request to the physicians who were part of the study, requesting that they identify the services that were being provided by the non-physician practitioners and the qualifications of those non-physician practitioners.

While the OIG found that most services billed using the “incident-to” rules were appropriate and most non-physicians involved in the care of those services were authorized to provide the service under state law, the OIG expressed the concern that a significant percentage of “incident-to” services may be performed by unqualified non-physician practitioners, concluding:

Unqualified non-physicians performed 21 percent of the services that physicians did not perform personally.  In the first 3 months of 2007, Medicare allowed $12.6 million for approximately 210,000 services performed by unqualified non-physicians.  These non-physicians did not possess the necessary licenses or certifications, had no verifiable credentials, or lacked the training to perform the services.  Non-physicians with inappropriate qualifications performed 7 percent of the invasive services that physicians did not perform.

The OIG study shows that “incident-to” billing is an area that your compliance program should review.  However, the study also shows the difficulty involved in conducting such an audit.

While you could use the OIG’s methodology, it is probably easier to visit each practice to observe whether the physicians who bill under the “incident-to” rules are following the requirements of the rules and to make sure that the services provided by the NPPs are within the scope of their state license.

January 7, 2016

QUESTION:        Our hospital is interested in using an electronic application that allows individuals to schedule a time to come to our Emergency Department by picking a time slot through our website. Is that going to get us in trouble under the Emergency Medical Treatment and Active Labor Act (“EMTALA”)?

ANSWER:            It’s a good question. The CMS EMTALA Central Office says that simply using such an electronic application is not in and of itself an EMTALA violation. The key point is how patients are treated when they arrive at the ED.

Per the Central Office, the use is not an EMTALA violation because the potential for an EMTALA violation is interpreted as beginning when the patient presents to the ED or is on the hospital’s property. Once a person arrives at the ED or is on the hospital’s property, EMTALA obligations begin equally for everyone, regardless of any prior contact or communication made. So long as the hospital maintains the obligation to perform an appropriate medical screening examination and stabilizing treatment to everyone equally once a person presents for ED care, any other arrangement is irrelevant to EMTALA compliance.

This means that how the electronic application is used is a key to EMTALA compliance. If it’s used so potential patients can see how crowded the ED might be at any given time and plan an arrival time, and if patients are then triaged and screened according to standard procedure, there should not be an EMTALA problem. If, however, the application is used to allow a patient to move to the front of the line when he or she arrives at the ED or on hospital property regardless of what the hospital’s triage and screening processes say, then there would be an EMTALA concern, and so the potential for a violation.

The bottom line, all must be treated equally when they arrive at the ED.

Opening Microsoft Word files with Internet Explorer 8

Internet Explorer 8 struggles to open Microsoft Word 2010 files (those that have a .DOCX file extension). If you’re using IE8 and attempt to open documents in DOCX format, IE may try to open it as an XML file, resulting in a screen full of code like this:





There are three potential workarounds for this:

  1. Use a different browser (Firefox, Chrome, Safari)
  2. Manually type in the correct file extension
  3. Change a setting in IE

How to manually type in the correct file extension

  • Right click the document you want to save, and choose “Save Target As.”
    save target as
  • Change the file type to “All Files.” And, change the file extension at the end of the file name so it ends in “.DOCX” This will trick your computer into saving the document as a Word file.
    change to docx


Please call us at 412.687.7677 if you would like assistance.