Regulatory changes are a moving target in the era of COVID-19. In this month’s “3 Things to Know About RCM,” urgent care experts weigh in on how to make good choices when E/M coding in 2021, cybersecurity breaches in healthcare, and changes introduced in a new CMS Interim Final Rule that will affect billing, specifically related to COVID-19.
Making the right decision about how to code urgent care encounters with the new E/M coding guidelines will be a challenge until your team becomes familiar with evaluating each claim. This means looking closely at how coding based on time versus medical decision making (MDM) will affect reimbursement.
Criteria have been modified reducing variation in codes that give clinics two options ” medical decision making and time. This switch was designed to make coding more “clinically intuitive” and increase consistency by removing ambiguous terminology.
As of January 1, coding for “time” will include not only face-to-face time, but also nonface-to-face work on the day of the visit. Time-related codes may be more appropriate for longer patient visits with a lower MDM code where there is a significant amount of time spent reviewing labs and tests before a visit, counseling or educating patients, or documenting visits at home. MDM considers visit complexity and will likely still be used for many traditional urgent care visits.
To shrink the learning curve as you convert to new coding guidelines, have staff evaluate test cases to get comfortable. With Experity’s built-in coding engine, the EMR automatically calculates codes based on documentation in the patient’s chart. On the code summary page, providers can review these codes and add their time. The system will then determine which factor to use for billing based on the highest code achieved for the encounter.
According to the feds, malware and ransomware attacks are increasing at an alarming rate.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued a joint advisory on October 28 alerting providers that hackers are targeting the healthcare industry for financial gain. According to the advisory, “cyber actors” are utilizing TrickBot and BazarLoader malware to infect providers’ IT systems. Once the hackers are in the system, they deploy ransomware, hack networks, breach serves, and shut-down systems—encrypting covered entities’ (CEs) files and accessing private data and electronic protected health information (ePHI)—then demand a ransom in exchange for the remedy needed to decrypt files. But that’s not necessarily the end of the damage. When a network is hacked, it opens the door to credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and a host of illegal cyber activity.
The advisory suggests that TrickBot is likely running on many providers’ systems. Read the joint advisory for details about the thread and tips for identifying infiltration.
If you feel your system is compromised, keep the evidence intact for investigation. CISA strongly recommends responding by using the Ransomware Response Checklist located in CISA and MS-ISAC’s Joint Ransomware Guide, which contains steps for detection and analysis as well as containment and eradication.
Mitigating risk begins with a sound security strategy and safeguards that keeps PHI safe from possible threats. Be sure employees and stakeholders are aware of threats and provide training on information security principles, techniques, and emerging security risks and vulnerabilities.
On Nov. 6, the Centers for Medicare & Medicaid Services (CMS) published an interim final rule with comment period (IFC) in the Federal Register, covering coronavirus updates. This IFC follows through on CARES Act mandates outlined in March with five critical updates you should be aware of.