1

THE OLD, THE NEW AND THE … DO OVER

RMBAABirmingham, Alabama

Wednesday, February 20, 2013

2

DISCLOSURE Claudia Murray is a principal and CEO of

CMC Consulting, LLC, a firm that specializes in regulatory compliance,

Medicare billing rules and coding audits. Neither Claudia Murray nor her immediate

family members have a financial relationship with a commercial

organization that may have a direct or indirect interest in the content of this

presentation.NO COMMERCIAL INTEREST TO

DISCLOSE

3

AGENDA 2013 HIPAA Privacy, Security,

Breach Notification and Enforcement Rules

PCI DSS Compliance

ICD-9 Coding for Original, Resubmitted and Appealed Claims

Place of Service

Site of Service

4

HIPAA IN 2013

Privacy, Security, Breach Notification and Enforcement Rules

5

2013 HIPAA PRIVACY, SECURITY, BREACH NOTIFICATION AND ENFORCEMENT RULES

On January 17, 2013, the Department of Health and Human Services issued the long-awaited revisions to the HIPAA rules

The rules made a number of changes to the current HIPAA privacy, security, breach notification and enforcement requirements

The new rules modify the patient authorization and other requirements related to use and disclosure of PHI for research

6

2013 HIPAA PRIVACY, SECURITY, BREACH NOTIFICATION AND ENFORCEMENT RULES

Consistent with the provisions of the HITECH Act, the new rules expand patients’ rights to receive electronic copies of their PHI and restrict disclosures of PHI to health plans concerning treatment for which the patient paid out of pocket in full

The new rules provide more flexibility with respect to allowing access to decedent PHI to family members and others

7

2013 HIPAA PRIVACY, SECURITY, BREACH NOTIFICATION AND ENFORCEMENT RULES

Consistent with the Genetic Information Nondiscrimination Act, the new rules prohibit most health plans from using or disclosing genetic information for underwriting purposes

The new rules impose additional restrictions on the use and disclosure of PHI for marketing by requiring written patient authorization for all communications where the CE receives remuneration for communicating with a company whose product or service is being marketed

8

2013 HIPAA PRIVACY, SECURITY, BREACH NOTIFICATION AND ENFORCEMENT RULES

The definition of the term “business associate” has been expanded in the new rules to include vendors who maintain PHI, even if they do not view the PHI, and subcontractors of business associates

This change to the rules will likely result in many new vendors being considered business associates

9

2013 HIPAA PRIVACY, SECURITY, BREACH NOTIFICATION AND ENFORCEMENT RULES

The new rules detail that business associates, as well as their subcontractors, are directly liable for compliance with the HIPAA security rules and certain requirements of the HIPAA privacy rules

Business Associate Agreements that were already revised for compliance with the HITECH Act may require amendment but not a significant overhaul

10

2013 HIPAA PRIVACY, SECURITY, BREACH NOTIFICATION AND ENFORCEMENT RULES

The new rules change the notification requirements for breaches of unsecured protected health information (“PHI”)

It replaces the current “risk of harm to the affected patients” standard with a more objective standard to be used in determining whether a breach has occurred and whether notice of the breach must be provided to patients, the government and the media

11

2013 HIPAA PRIVACY, SECURITY, BREACH NOTIFICATION AND ENFORCEMENT RULES

Under the new rules, every improper use or disclosure of PHI is presumed to be a breach unless it is demonstrated that there is low probability that the PHI was compromised as a result of the incident

This change is significant and could result in an increase in the number of breaches requiring notice

12

2013 HIPAA PRIVACY, SECURITY, BREACH NOTIFICATION AND ENFORCEMENT RULES

The new rules adopt an increased, tiered civil money penalty structure for HIPAA violations provided by the HITECH Act

They also give the Office of Civil Rights discretion to impose penalties on covered entities and business associates in cases of violations due to willful neglect without first attempting to resolve the matter through informal means

13

2013 HIPAA PRIVACY, SECURITY, BREACH NOTIFICATION AND ENFORCEMENT RULES

Penalties for HIPAA violations are significant

Specifically, penalties for violations caused by willful neglect, which are corrected, range from $10,000 to $50,000 per violation

The minimum penalty for an uncorrected HIPAA violation caused by willful neglect is $50,000 per violation

The penalties are capped at $1.5 million for all violations of an identical requirement in a calendar year

14

2013 HIPAA PRIVACY, SECURITY, BREACH NOTIFICATION AND ENFORCEMENT RULES

Violation Category – Section 1176(a)(1) Each Violation

All Violations of an Identical Provision in a Calendar Year

(A) Did Not Know $100 - $50,000 $1,500,000

(B) Reasonable Cause

$1,000 - $50,000 $1,500,000

(C)(i) Willful Neglect-Corrected

$10,000 - $50,000 $1,500,000

(C)(ii) Willful Neglect-Not Corrected

$50,000 $1,500,000

15

2013 HIPAA PRIVACY, SECURITY, BREACH NOTIFICATION AND ENFORCEMENT RULES

The new rules provide that each covered entity must revise its notice of privacy practices to address the new HIPAA requirements

Covered entities and business associates generally must comply with the new HIPAA requirements by September 23, 2013

Compliance with the new requirements will also require changes to HIPAA policies and procedures

16

PCI DSS COMPLIANCE

Does this apply to you?

17

PCI DATA SECURITY STANDARDS The Payment Card Industry Data Security

Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID)

The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process

18

PCI DATA SECURITY STANDARDS The PCI DSS is administered and

managed by the PCI SSC (www.pcisecuritystandards.org) , an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.)

It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council

19

WHO MUST COMPLY WITH PCI? PCI applies to ALL organizations or

merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data

Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply

The Standard can be found on the PCI SSC's Website: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

20

DEFINITIONS Cardholder data is any personally

identifiable data associated with a cardholderThis could be an account number,

expiration date, name, address, social security number, etc.

All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data

21

DEFINITIONS For the purposes of the PCI DSS, a merchant

is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services Note that a merchant that accepts payment

cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers For example, an ISP is a merchant that accepts

payment cards for monthly billing, but also is a service provider if it hosts merchants as customers

22

COMPLIANCE DATE All merchants that store, process or

transmit cardholder data must be compliant now

However, if you are a Level 4 merchant, you will have to refer to your merchant bank for their specific validation requirements and deadlines

All deadline enforcement will come from your merchant bank

You may also find more information on Visa’s Website: http://usa.visa.com/download/merchants/payment_application_security_mandates.pdf

23

PCI COMPLIANCE LEVELS All merchants will fall into one of the

four merchant levels based on Visa transaction volume over a 12-month period

Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’)

24

PCI COMPLIANCE LEVELS In cases where a merchant corporation has

more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level

If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level

25

MERCHANT LEVEL DESCRIPTION

Merchant Level Description

1

Any merchant -- regardless of acceptance channel -- processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

2Any merchant -- regardless of acceptance channel -- processing 1M to 6M Visa transactions per year.

3Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.

4

Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M Visa transactions per year.

26

MEETING THE REQUIREMENTS To satisfy the requirements of PCI, a

merchant must complete the following steps: Identify your Validation Type as defined by

PCI DSS – this is used to determine which Self Assessment Questionnaire is appropriate for your business

Complete the Self-Assessment Questionnaire according to the instructions in the Self- Assessment Questionnaire Instructions and Guidelines

27

MEETING THE REQUIREMENTS Complete and obtain evidence of a passing

vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV)

Note scanning does not apply to all merchants It is required for Validation Type 4 and 5 – those merchants

with external facing IP addresses Basically if you electronically store cardholder information

or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required

Complete the relevant Attestation of Compliance in its entirety

Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer

28

Control Objectives PCI DSS Requirements

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software on all systems commonly affected by malware

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security

29

YOU MIGHT ASK…Q: I’m a small merchant with very few card transactions; do I need to be compliant with PCI DSS?

A: All merchants, small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data. Q: If I only accept credit cards over the phone, does PCI still apply to me?

A: Yes. All business that store, process or transmit payment cardholder data must be PCI Compliant.

30

YOU MIGHT ASK…Q: Do organizations using third-party processors have to be PCI compliant?

A: Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI.

31

YOU MIGHT ASK…Q: My business has multiple locations, is each location required to validate PCI Compliance?

A: If your business locations process under the same Tax ID, then typically you are only required to validate once annually for all locations. And, submit quarterly passing network scans by an PCI SSC Approved Scanning Vendor (ASV), if applicable. Q: Are debit card transactions in scope for PCI?

A: In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC - American Express, Discover, JCB, MasterCard, and Visa International.

32

SSL CERTIFICATION SSL certificates do not secure a Web

server from malicious attacks or intrusions

High assurance SSL certificates provide the first tier of customer security and reassurance but there are other steps to achieve PCI ComplianceA secure connection between the

customer's browser and the web serverValidation that the Website operators are a

legitimate, legally accountable organization

33

PENALTIES The payment brands may, at their discretion,

fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations

The banks will most likely pass this fine on downstream till it eventually hits the merchant

Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees

Penalties are not openly discussed nor widely publicized, but they can catastrophic to a small business

It is important to be familiar with your merchant account agreement, which should outline your exposure

34

BREACH NOTIFICATION See the procedures outlined in Visa’s

“What to Do If Compromised Visa Fraud Control and Investigations Procedures” documenthttp

://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf

  There are at least 39 states that have

breach notification laws in placeSee www.privacyrights.org for more detail

on state laws

35

ICD-9 DIAGNOSTIC CODING

GUIDELINES

Revisiting an old rule

36

ICD-9, NOT ICD-10???We’re going to discuss: Coding from the report Is there a difference between specificity

and certainty? Assigning a diagnosis code based on the

other information, documentation or medical records

Late entries and amendments Resubmissions and appeals

37

10.1 - ICD-9-CM CODING FOR DIAGNOSTIC TESTS The CMS instruct physicians to report

diagnoses based on test results, if available

Contractors, physicians, hospitals, and other health care providers must comply with the following instructions in determining the appropriate ICD-9-CM diagnoses code for diagnostic test results

38

10.1.1 - DETERMINING THE APPROPRIATE PRIMARY ICD-9-CM DIAGNOSIS CODE FOR DIAGNOSTIC TESTS ORDERED DUE TO SIGNS AND/OR SYMPTOMS For patients receiving diagnostic services

code the condition(s), symptom(s), and diagnosis to the highest degree of certainty for that visit, such as describing symptoms, signs, abnormal test results, or other reasons for the visit

Report additional codes that describe any current coexisting conditions

Do not code diagnoses documented as probable, suspected, questionable or rule out

39

A. CONFIRMED DIAGNOSIS BASED ON RESULTS OF TEST If the physician has confirmed a

diagnosis based on the results of the diagnostic test, the physician interpreting the test should code that diagnosis

The signs and/or symptoms that prompted ordering the test may be reported as additional diagnoses if they are not fully explained or related to the confirmed diagnosis

40

B. SIGNS OR SYMPTOMS If the diagnostic test did not provide a

diagnosis or was normal, the interpreting physician should code the sign(s) or symptom(s) that prompted the treating physician to order the study

41

C. DIAGNOSIS PRECEDED BY WORDS THAT INDICATE UNCERTAINTY

If the results of the diagnostic test are normal or nondiagnostic and the referring physician records a diagnosis preceded by words that indicate uncertainty (e.g., probably, suspected, questionable, rule out, or working), then the interpreting physician should not code the referring diagnosis

Rather the interpreting physician should report the sign(s) or symptom(s) that prompted the study

42

C. DIAGNOSIS PRECEDED BY WORDS THAT INDICATE UNCERTAINTY

Diagnoses labeled as uncertain are considered by the ICD-9-CM Coding Guidelines as unconfirmed and should not be reported

This is consistent with the requirement to code the diagnosis to the highest degree of certainty

43

10.1.2 - INSTRUCTIONS TO DETERMINE THE REASON FOR THE TEST The Balanced Budget Act (BBA) §4317(b)

requires referring physicians to provide diagnostic information to the testing entity at the time the test is ordered

As further indicated in 42 CFR 410.32 all diagnostic tests “must be ordered by the physician who is treating the beneficiary

An “order” is a communication from the treating physician/practitioner requesting that a diagnostic test be performed for a beneficiary

44

10.1.3 - INCIDENTAL FINDINGS

Incidental findings should never be listed as primary diagnoses

If reported, incidental findings may be reported as secondary diagnoses by the physician interpreting the diagnostic test

45

10.1.4 - UNRELATED COEXISTING CONDITIONS/DIAGNOSES Unrelated and coexisting

conditions/diagnoses may be reported as additional diagnoses by the physician interpreting the diagnostic test

46

10.1.5 - DIAGNOSTIC TESTS ORDERED IN THE ABSENCE OF SIGNS AND/OR SYMPTOMS When a diagnostic test is ordered in the

absence of signs/symptoms or other evidence of illness or injury, the testing facility or the physician interpreting the diagnostic test should report the screening code as the primary diagnosis code

Any condition discovered during the screening should be reported as a secondary diagnoses

47

10.1.6 - USE OF ICD-9-CM TO THE GREATEST DEGREE OF ACCURACY AND COMPLETENESS The following longstanding coding guidelines

are part of Official ICD-9-CM Guidelines for Coding and Reporting

The testing facility or the interpreting physician should code the ICD-9-CM code that provides the highest degree of accuracy and completeness (certainty) for the diagnosis resulting from test, or for the sign(s)/ symptom(s) that prompted the ordering of the test

The “highest degree of specificity” means assigning the most precise ICD-9-CM code that most fully explains the narrative description in the medical chart of the symptom or diagnosis

48

WHY AM I TELLING YOU THIS? RAC auditors have been taking a harder

stance on accepting diagnosis information from sources other than the radiology report

MAC denials for medical necessity often lead to resubmissions or appeals with additional diagnosis information

Recent publications detail Medicare’s viewpoint on ancillary documentation, late medical record entries and amendments

49

MEDICARE HAS STATED… Every note stands alone, i.e., the performed

services and necessary signatures must be documented at the outset

Delayed written explanations will be considered for purposes of clarification only

They cannot be used to add and authenticate services billed and not documented at the time of service or to retrospectively substantiate medical necessity

For that, the medical record must stand on its own with the original entry corroborating that the service was rendered and was medically necessary

Published by CGS, a multi-state MAC

50

AMENDED MEDICAL RECORDS Late entries, addendums, or corrections

to a medical record are legitimate occurrences in documentation of clinical services

A late entry, an addendum, or a correction to the medical record, bears the current date of that entry and is signed by the person making the addition or change

Published by Noridian Administrative Services, a multi-state MAC

51

AMENDED MEDICAL RECORDS A late entry supplies additional

information that was omitted from the original entry

The late entry bears the current date, is added as soon as possible and written only if the person documenting has total recall of the omitted information

A late entry following treatment of multiple trauma might add: “The left foot was noted to be abraded laterally.”

52

AMENDED MEDICAL RECORDS An addendum is used to provide

information that was not available at the time of the original entry

The addendum should also be timely and bear the current date and reason for the addition or clarification of information being added to the medical record

An addendum could note: “The chest x-ray report was reviewed and showed an enlarged cardiac silhouette.”

53

AMENDED MEDICAL RECORDS When making a correction to the medical

record, never write over, or otherwise obliterate the passage when an entry to a medical record is made in error

Draw a single line through the erroneous information, keeping the original entry legible

Sign and date the deletion, stating the reason for correction above or in the margin

Document the correct information on the next line or space with the current date and time, making reference back to the original entry

54

AMENDED MEDICAL RECORDS Correction of electronic records should

follow the same principles of tracking both the original entry and the correction with the current date, time and reason for the change

When a hard copy is generated from an electronic record, both records must be corrected

Any corrected record submitted must make clear the specific change made, the date of the change, and the identity of the person making that entry

55

AMENDED MEDICAL RECORDS/ FALSIFIED DOCUMENTATION Providers are reminded that deliberate

falsification of medical records is a felony offense and is viewed seriously when encountered

Examples of falsifying records include: Creation of new records when records are

requested Back-dating entries Post-dating entries Pre-dating entries Writing over, or Adding to existing documentation (except as

described in late entries, addendums and corrections)

56

AMENDED MEDICAL RECORDS Corrections to the medical record legally amended

prior to claims submission and/or medical review will be considered in determining the validity of services billed

If these changes appear in the record following payment determination based on medical review, only the original record will be reviewed in determining payment of services billed to Medicare

 Appeal of claims denied on the basis of an incomplete record may result in a reversal of the original denial if the information supplied includes pages or components that were part of the original medical record, but were not submitted on the initial review

57

CMS OPEN DOOR FORUM ON DECEMBER 2, 2011 Melanie Combs-Dyer/Deputy Director

for the Provider Compliance Group at CMS in the Office of Financial Management stated:“…we have instructions in our program

integrity manual that says if it is more than a few days, you know, if you're talking about months after the facts, the delayed documents of late entries made to the medical record, we instruct our contractors to refer those to the fraud department”

58

LUNCHTIME!More after the Webinar…

59

TRANSMITTAL 2407 Previously the CMS had instructed physicians

to use the POS code where s/he interpreted the service The transmittal was put on hold in January 2010

The CMS provided new POS guidance in Transmittal 2407 with an effective date of April 1, 2012

CMS rescinded Transmittal 2407 in late March stating that they would reissue the transmittal with a new effective date

Transmittal 2435 was issued with an effective date of October 1, 2012

60

TRANSMITTAL 2561 On September 28th Transmittal 2561

replaced Transmittal 2435 without significant changes but the effective date of April 1, 2013

Under the Medicare Physician Fee Schedule (MPFS), some procedures have separate rates for physicians’ services provided in facility and nonfacility settings

Medicare considers the place of service a key element in claims processing when the correct payment is determined by the POS code

61

POS FOR DIAGNOSTIC TESTS General instructions in Transmittal 2561

state that the POS code should reflect the actual place where the patient received the face-to-face encounter to determine whether the facility or nonfacility payment rate is paid

But, instructions for diagnostic radiology services differ since payment is not solely determined by the POS code but most often by modifier

Additionally, Medicare recognizes that the PC and TC are often furnished in different settings

62

PLACE OF SERVICE CODES (POS) AND BILLING INTEGRATED SERVICES

In freestanding imaging setting, POS 11 was standardly billed for the professional and the technical components

In provider-based setting, the TC belongs to the hospital and is billed by the hospital

In provider-based setting, there are multiple POS code possibilities for the pro fee and there are new instructions from Medicare regarding the POS to be billed

63

POS FOR DIAGNOSTIC TESTS In almost all cases, the POS code assigned

to the physician billing for the PC will be the POS where the patient received the TC

For the professional component (PC) of diagnostic tests, the facility and nonfacility payment rates are the same because modifier 26 actually determines the payment– not the POS code on the claim

For a service rendered to a patient who is a hospital inpatient or outpatient, only the PC can be billed because the service must be rendered “Under Arrangements”

64

POS FOR RADIOLOGY INTERPRETATIONS

The appropriate POS code for the interpretation is the setting where the patient received the TC service If the interpretation was performed in the

physician’s office and the patient received the TC service in the outpatient hospital setting, the physician assigns POS 22 on the claim for the PC

Additionally, the name, address, and ZIP code of the office location must be entered in Item 32 of the CMS 1500 claim form (or its electronic equivalent)This may lead one to believe that sending the

correctly completed claim form to the usual MAC is sufficient for payment

65

POS & SITE OF SERVICE (SOS) Transmittal 2561 further addressed

SOS and the carrier jurisdiction issue In Interpretation Provided Under

Arrangement – To A Hospital (Section C) an example shows that:The place of service reflects the patient’s

hospital status (POS 21, 22 or 23), andThe physical location of the radiologist

interpreting the study (entered in Block 32 of the CMS-1500 form)

66

POS, SOS & JURISDICTION Transmittal 2561 added

Determination of Payment Locality (Section E), which states:The payment locality is determined based

on the location where a specific service code was furnished

Subsection E Global Service Code states:To bill for a global diagnostic service the

same physician or supplier entity must furnish both the TC and the PC and must furnish them within the same MPFS payment locality

67

POS, SOS & JURISDICTION (CONTINUED) Subsection E Separate Billing of

Profession Component goes on to say:If the same physician or entity does not

furnish both the TC and PC, or if the professional interpretation was furnished in a different payment locality, the professional interpretation must be separately billed with modifier -26 and the address and ZIP code of the interpreting physician’s location must be reported on the claim form

68

CMS INSTRUCTIONS TO MAC FOR RECEIPT OF SERVICES IN ANOTHER MAC AREA

“When you receive a request for Medicare payment for services furnished outside of your payment jurisdiction, return assigned services as unprocessable, and deny unassigned services. Pay services correctly submitted to you.

Use the following messages: Remittance Advice (RA) - Claim adjustment reason

code 109 – Claim not covered by this payer/contractor. You must send the claim to the correct payer/contractor.

Remark code N104 - This claim/service is not payable under our claims jurisdiction area. You can identify the correct Medicare contractor to process this claim/service through the CMS Web site at www.cms.hhs.gov.

69

POS CODING INSTRUCTIONS ACR-RMBA GUIDANCE Q&AQIf a practice has office locations in two

payment localities in which the doctors practice regularly, and if the PC and TC were performed separately (although by the same practice group) in those two different payment localities, would the PC be billed separately (-26 modifier) from the TC and would the payment amount follow the payment amount in effect for each respective locality?

70

POS CODING INSTRUCTIONS ACR-RMBA GUIDANCE Q&AA Yes, if the PC and TC were performed

separately in two different payment localities, the PC and TC would be billed separately.

Since the PC and TC are in separate payment localities, global billing is prohibited by transmittal 2563 and the components would have to be reported separately.

Additionally, if the PC and TC were performed in separate MAC jurisdictions (e.g., across state lines), then the practice would have to be enrolled in each MAC jurisdiction where the services were performed and payment would be based on each MAC’s payment schedule.

71

POS CODING INSTRUCTIONS ACR-RMBA GUIDANCE Q&AQIf a radiologist reads a study performed

at a hospital at one of the practice’s imaging centers or offices, what POS code should I use?

72

POS CODING INSTRUCTIONS ACR-RMBA GUIDANCE Q&AA The POS code is determined by where the

patient had the study (TC). In this instance, even though the study was

read at the radiologist’s office, if the patient was an outpatient POS code 22 (outpatient hospital) would be reported in Box 24B; if the patient was an inpatient, POS code 21 (inpatient hospital) would be reported in Box 24B; and, if the patient were an ER patient, POS code 23 (emergency room hospital) would be reported in Box 24B.

However, in all instances, the radiologist’s office ZIP code and address would go in to Box 32 because that is where the interpretation was performed.

73

POS CODING INSTRUCTIONS ACR-RMBA GUIDANCE Q&AQWhat if a radiologist reads studies from

their home?

74

POS CODING INSTRUCTIONS ACR-RMBA GUIDANCE Q&AA CMS requires physicians to submit the address

where the physician was when they performed the interpretation.

The only exception to this is when the interpretation was performed in an “unusual and infrequent” location, such as a hotel.

Therefore, if the radiologist frequently interprets studies from home, their home address and ZIP code would go in Box 32.

However, based on CMS’ transmittal language, if the radiologist interprets from home only infrequently, then the “Medicare enrolled location where the interpreting physician most commonly practices” can be listed.

QUESTIONS?Claudia A. Murray, RCC

CMC Consulting, LLCP.O. Box 653

Fallston, Maryland 21047410-538-5891

ClaudiaAMurray@aol.com

Thanks!

75