Compliance in Practice: Mitigating Risk in Clinics and Physician Practices

By Steve Emery; Jan McDavid, Esq.; and Deborah Robb, BSHA, CPC, RMAI, RPI

Managing compliance can be a challenge for physician practices short on staff and budget.
Reducing risk and capturing benefits begins with a focus on the areas of greatest concern.

The Office of Inspector General (OIG) first issued guidance for physician practices on compliance with federal legislation nearly 10 years ago, yet many practices still lack a proactive, cost-effective approach to achieving it. Taking this critical step can be a daunting endeavor in an environment of complex rules, heightened regulations, and dwindling staff.

However, practices must keep current with new regulatory developments to ensure quality patient care, profitability, improved outcomes, and protection against penalties. HIM professionals play a vital role.

HIM skills can help clinics and physician practices shore up their compliance with federal mandates before auditors and fines arrive at the door and incentive deadlines pass.

Practices can demonstrate due diligence and sound intentions even if they lack resources for developing a formal compliance program. They can do so by exploring the most common areas of compliance concern and following practical recommendations in three key areas of risk:

  • Privacy, security, and meaningful use
  • Clinical coding
  • Quality data reporting

HITECH: Increased Funding, Increased Regulation

A substantial part of the American Recovery and Reinvestment Act is designated to promote health IT. Within ARRA, the HITECH Act assigns millions of dollars toward the “meaningful use” incentive program intended to increase adoption and use of EHR systems. At the same time, HITECH modifies HIPAA to bolster the privacy and security of patient information.

While physicians stand to benefit from the new legislation, they must be prepared to comply with the changes to HIPAA or face the consequences of noncompliance. Some changes are already in effect, while others are scheduled for enforcement starting in 2011 and beyond.

In addition, even those practices that choose not to participate in the meaningful use program initially must meet its criteria by 2014 or face financial penalties beginning in 2015.

Practices can expect closer scrutiny for HIPAA privacy and security compliance. Penalties have increased significantly under the new regulations. Practices can face fines up to $50,000 per occurrence, quickly offsetting or negating the EHR incentives they received.1

Physicians can no longer afford to be relaxed about HIPAA compliance. They must have sound privacy and security protocols in place to protect against violations that could result in severe penalties.

A prime example occurred in July 2009, when a physician and two former employees of an Arkansas medical center pleaded guilty to misdemeanor federal charges that they inappropriately accessed the medical records of a local television anchor, thereby violating the HIPAA privacy rule. Each faces a maximum penalty of one year in prison, a fine of up to $50,000, or both.2

Key Changes to HIPAA under ARRA

Accounting of Disclosures. If any information is to be disclosed, the HIPAA privacy rule requires that the patient record contain a release form signed by the patient that authorizes who may release the information, who may receive it, and for what purpose it may be used. Covered entities must provide an accounting of nonroutine disclosures to the patient upon request.

Under ARRA, any covered entity using or maintaining an EHR must also begin accounting for disclosures made for “routine” purposes of treatment, payment, and operations. Effective dates vary from as early as January 2011 to January 2016, based on when the EHR was purchased.

Practices should begin their compliance efforts now by evaluating all HIPAA processes, including statements of privacy practices, patient attestation documents, and release-of-information procedures. Practices that may have used manual logs and journals to document disclosures in the past may be forced to implement tracking technology or outsource the process entirely.

HIM skills will be important to meet the new accounting requirements, specifically as they relate to tracking uses of protected health information (PHI) for treatment, payment, and operations.

Direct Liability for Business Associates. By definition, a business associate is a company that uses or discloses PHI for, or on behalf of, the provider or payer. Under ARRA, business associates that support practices are directly covered by sections of the HIPAA privacy and security rules, meaning they are subject to the same penalties as a covered entity.

Practices must take an in-depth look at all business associate agreements and update them accordingly. Practitioners should ask vendors what types of training and certification programs are in place to educate the vendor’s staff and what levels of liability insurance they carry to protect themselves in case of a breach of PHI.

Encryption. As a security measure required for interoperability, encryption is defined simply as an electronic means of making PHI inaccessible or unreadable by any unauthorized person. Practices should ensure their IT applications provide this level of security and encryption.

Sale of Protected Health Information. ARRA also introduces new prohibitions on the sale of PHI. Regulations are due in August, and the planned effective date for compliance is February 2011. Physician practices must be aware of the rules and avoid any type of sale of PHI for pharmaceutical and medical device marketing, a practice ARRA appears to be trying to prevent.

New Powers for State Attorneys General. State attorneys general can now bring lawsuits against practices on behalf of patients and receive costs and fees. This change makes mitigation of damages a top priority upon notification of a breach.

Breach Notification. Consistent with the original privacy rule, ARRA requires investigation, mitigation, correction, and reporting of any breach defined as “wrongful use/disclosure of PHI.” In addition, the act includes new requirements for notifying breach victims and the federal government. The legislation extends to noncovered entities, primarily vendors of personal health records.

Along with increased penalties for wrongful disclosure of PHI, ARRA introduces the concept of “willful neglect,” defined as willfully disregarding knowledge of a violation.

With so many areas of the law expanded and additional dollars at risk, 2010 is a critical year for physicians and clinics to reassess their HIPAA compliance programs and prepare for HITECH’s next milestone: meaningful use of electronic health records.

Common Coding Mistakes in Practice

Improper Evaluation and Management (E&M) levels and failure to demonstrate medical necessity are common coding errors in physician practices.

Level of Coding. Some physicians intentionally undercode an office visit with an established Medicare patient to reduce the out-of-pocket amount the patient owes. This costs the practice more money than it saves for the patient. In addition to surrendering revenue, these physicians are at risk of Medicare noncompliance, even though the government comes out ahead financially. Physicians also undercode out of fear of a Medicare audit, although undercoding can itself trigger an audit.

While physicians must avoid undercoding, Medicare data suggests that overcoding is far more common in E&M services. This also raises questions regarding medical necessity.1

Medical Necessity. AMA emphasizes the importance of medical necessity in its CPT manual. The reference book defines five categories of presenting problems (minimal; self-limited or minor; low severity; moderate severity; and high severity) and specifies a category for each E&M code. Pinning down the level of the presenting problem is the key to accurate coding.2


  1. Lowes, Robert. “Coding Secrets Unlocked.” Physicians Practice, May 2009. Available online at
  2. Ibid.

Coding Compliance and Physician Responsibility

Physicians are ultimately responsible for the actions of their entire staffs. If practices cannot validate a charge, they should not bill for it.

With increasingly rigid regulations, physicians face greater liability and mounting pressure to address the issues that can arise from improper coding: denial of fees, fines, payback, and increased scrutiny from payers. A proactive approach that validates all insurance information through proper capture of information will save time and money in the long run.

In addition, the growing threat of recovery audits from Medicare’s Recovery Audit Contractor (RAC) program, Medicaid, and other third-party payers, together with increased legislation designed to fight fraud in the medical system, is forcing physicians to take strong measures to ensure proper clinical coding.

HIM professionals offer practices clinical documentation and coding compliance skills, especially related to maintaining legally sound electronic records and designing for and managing data integrity.3 Furthermore, they can educate physicians and staff on Centers for Medicare and Medicaid Services (CMS) guidelines.

Practices should work to ensure that every diagnostic test or lab order has complete documentation, whether in paper format or within an EHR. Documentation must back the decision to conduct the test or exam and validate the nature of the procedure or service. The best practice is to document encounter information during the episode of care, as concurrent documentation results in more complete data for coding, reimbursement, patient care, and auditing purposes.

While many physicians document their own encounters using EHR structured templates or handwritten notes, some have begun to use nurse assistants or medical scribes in the exam room, specifically to ensure complete documentation is obtained. A few minutes spent documenting in the exam room, regardless of data capture modality, can save hours trying to justify a test or procedure after the fact should a payer deny reimbursement or demand a take-back.

Every encounter must be documented to stand entirely on its own. Beyond avoiding fines, quality coding supported by accurate, complete documentation improves patient care and supports the capture of higher levels of service.

OIG’s 2010 Audit Targets

OIG publishes an annual work plan that details the types of potential violations it intends to investigate, including incorrect and fraudulent coding within the Medicare program. Specifically, OIG’s targeted audits and evaluations seek to identify significant improper payments and problems in specific parts of the Medicare program. Six areas have been identified and are summarized below.

Place-of-Service Errors. OIG will review physician coding on Medicare Part B claims for services performed in ambulatory surgical centers and hospital outpatient departments. Since federal regulations provide for different levels of payment depending on where services are performed, audits will look for proper coding on “place of service.”

E&M Services. Given that evaluation and management coding is a recognized source of errors (see sidebar), OIG will be reviewing industry practices related to the number of E&M services provided by physicians and reimbursed as part of the global surgery fee. Audits will ensure compliance with CMS’s global surgery fee period and evaluate if practices have changed since the global surgery fee concept was developed in 1992.

Laboratory Test Unbundling by Clinical Laboratories. OIG will also review clinical laboratories this year. Auditors will be looking to uncover inappropriate unbundling of laboratory profile or panel tests that maximize Medicare payments.

Payments for Services Ordered or Referred by Excluded Providers. Reports of excluded or terminated providers, practitioners, or suppliers engaging in fraud and program abuse are on the rise. Additionally, some secondary providers may not have national provider identifiers (NPIs), as efforts to completely transition Medicare providers to the NPI system were only completed in April 2009. To address these two issues, the OIG will examine CMS oversight mechanisms to identify and prevent improper payments for services based on orders or referrals by excluded providers.

Medicare Payments for Transforaminal Epidural Injections. Medicare claims for transforaminal epidural injections will come under OIG review. This is an important area for practice and clinics, because Medicare Part B physician claims for transforaminal epidural injections increased by 130 percent between 2003 and 2007.

Comprehensive Error Rate Testing Program: Fiscal Year 2008 Part A and Part B Error Rates. Finally, certain aspects of CMS’s CERT methodology for determining the 2008 Part A and Part B error rates will be reviewed by an independent medical review organization. The reviewers will examine the contractor’s payment determinations for 1,000 Part A and Part B claims (excluding inpatient claims) and investigate the medical review determinations underlying the error rate testing conducted by the CERT contractor.

National Reporting in Practice

Quality coding is the key to successful quality data reporting, the third area of practice risk. Quality data reporting for national agencies is a growing concern for both private practices and clinics as providers prepare to embrace healthcare reform, transition from fee-for-service to pay-for-performance reimbursement, and meet meaningful use requirements.

Data reporting is a known challenge for physicians, because the staff resources and technology tools needed to capture and report these data are commonly out of reach and beyond budget for practices and clinics. Despite these shortcomings, quality data must be reported. Two quality data reporting programs with the potential for a major impact on practices include PQRI and meaningful use.

EHR Data for PQRI

The Physician Quality Reporting Initiative provides Medicare incentive payments to physicians who submit claims-based data to a quality measures program. The Centers for Medicare and Medicaid Services is considering expanding the program to include data on quality measures submitted from EHRs.

In a proposed rule setting the Medicare physician fee schedule for year 2010, the agency indicates that now may be the time to formally start the incentive program with EHR data. If the proposal is finalized, an eligible professional would be able to earn a PQRI incentive payment through EHR-based reporting in 2010.4

In 2008 PQRI paid out more than $92 million in incentives to doctors. More than 153,600 physicians and other eligible professionals successfully reported quality-related data, making them eligible to receive the payments. For practices and clinics, the future is clear: more programs like PQRI are ahead, and physicians should get involved.

Data Reporting to Meet “Meaningful Use”

In January CMS published draft criteria for the EHR “meaningful use” program. Quality reporting is a major component. Which quality measures will be required to prove meaningful use will be debated through a 60-day comment period on the proposed rule that ends this month.

No one doubts that every clinician and practice will be required to report some type of outcome-based statistics in order to qualify for ARRA incentives. The most obvious candidates are the most commonly tracked chronic diseases, particularly diabetes and hypertension. However, other health quality categories are under discussion as well, including obesity, depression, and smoking cessation.

CMS made clear in the notice of proposed rulemaking that it is interested in dozens of measures to inspect and drive quality and ultimately to reduce the cost of care. In 2011 the required statistics will include a set of core measures for all providers, and then a set of specialty measures, chosen by each provider.

While many of these measures are aligned with current PQRI measures, nearly half are new. In addition, CMS has indicated that it will add measures year by year with incentives for compliance in the early years and penalties for noncompliance in later years.

Addressing Common Areas of Concern

The complexities of managing a practice while also complying with rigorous payer, state, and federal regulations have become too numerous and complicated for one person to manage. HIPAA, coding, and data reporting pressures have continued to climb while revenues have dropped and operational costs have soared.

HIM professionals can work side by side with physicians and practice staff to understand compliance rules, identify risk, assess current operations, and implement new procedures to meet compliance needs. Practices that cannot afford a full-time HIM staffer can explore part-time, freelance, or consultancy options.

Process improvement efforts must focus on strengthening compliance while capitalizing on staff performance and supporting quality patient care. Although resources may be limited, a dollar spent on HIM expertise may save thousands in reduced risk for fines, denied reimbursement, and recovery auditor take-backs.


  1. O’Keefe, John. “Insist on Certification.” Healthcare IT News, May 2009. Available online at
  2. “Three Plead Guilty to HIPAA Violations.” Health Data Management, July 22, 2009. Available online at
  3. “Big Plans for Small Practices.” Journal of AHIMA, March 3, 2009. Available online at
  4. “Medicare Eyes EHR Data for PQRI.” Health Data Management, July 13, 2009. Available online at

Steve Emery is director of product management, Jan McDavid is general counsel and compliance officer, and Deborah Robb is a physician management consultant at HealthPort.

Article citation:
Emery, Steven; McDavid, Jan P; Robb, Deborah. "Compliance in Practice: Mitigating Risk in Clinics and Physician Practices" Journal of AHIMA 81, no.3 (March 2010): 28-31.