New CMS Interim Final Rule Affects Urgent Care Billing

Regulatory changes are a moving target in the era of COVID-19. In this month’s “3 Things to Know About RCM,” urgent care experts weigh in on how to make good choices when E/M coding in 2021, cybersecurity breaches in healthcare, and changes introduced in a new CMS Interim Final Rule that will affect billing, specifically related to COVID-19.

2021 E/M Coding: Make the right choices between time or MDM

Making the right decision about how to code urgent care encounters with the new E/M coding guidelines will be a challenge until your team becomes familiar with evaluating each claim. This means looking closely at how coding based on time versus medical decision making (MDM) will affect reimbursement.

Criteria have been modified reducing variation in codes that give clinics two options ” medical decision making and time. This switch was designed to make coding more “clinically intuitive” and increase consistency by removing ambiguous terminology.

As of January 1, coding for “time” will include not only face-to-face time, but also nonface-to-face work on the day of the visit. Time-related codes may be more appropriate for longer patient visits with a lower MDM code where there is a significant amount of time spent reviewing labs and tests before a visit, counseling or educating patients, or documenting visits at home. MDM considers visit complexity and will likely still be used for many traditional urgent care visits.

To shrink the learning curve as you convert to new coding guidelines, have staff evaluate test cases to get comfortable. With Experity’s built-in coding engine, the EMR automatically calculates codes based on documentation in the patient’s chart. On the code summary page, providers can review these codes and add their time. The system will then determine which factor to use for billing based on the highest code achieved for the encounter.

Beware of Ransomware and Malware

According to the feds, malware and ransomware attacks are increasing at an alarming rate.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued a joint advisory on October 28 alerting providers that hackers are targeting the healthcare industry for financial gain. According to the advisory, “cyber actors” are utilizing TrickBot and BazarLoader malware to infect providers’ IT systems. Once the hackers are in the system, they deploy ransomware, hack networks, breach serves, and shut-down systems—encrypting covered entities’ (CEs) files and accessing private data and electronic protected health information (ePHI)—then demand a ransom in exchange for the remedy needed to decrypt files. But that’s not necessarily the end of the damage. When a network is hacked, it opens the door to credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and a host of illegal cyber activity.

The advisory suggests that TrickBot is likely running on many providers’ systems. Read the joint advisory for details about the thread and tips for identifying infiltration.

If you feel your system is compromised, keep the evidence intact for investigation. CISA strongly recommends responding by using the Ransomware Response Checklist located in CISA and MS-ISAC’s Joint Ransomware Guide, which contains steps for detection and analysis as well as containment and eradication.

Mitigating risk begins with a sound security strategy and safeguards that keeps PHI safe from possible threats. Be sure employees and stakeholders are aware of threats and provide training on information security principles, techniques, and emerging security risks and vulnerabilities.

Vaccine Cost-Sharing Policies Unveiled

On Nov. 6, the Centers for Medicare & Medicaid Services (CMS) published an interim final rule with comment period (IFC) in the Federal Register, covering coronavirus updates. This IFC follows through on CARES Act mandates outlined in March with five critical updates you should be aware of.

1. Good News for Non-grandfathered Plans/Issuers
   According to a CMS fact sheet, “Non-grandfathered group health plans and health insurance issuers offering non-grandfathered group or individual health insurance coverage provide coverage, without cost sharing, for qualifying coronavirus preventive services, which includes COVID-19 immunizations.”
2. Vaccine Rates Suggested
   The new Interim Final Rules suggests that for single doses, Medicare will reimburse at a rate of $28.39. For vaccines with a series of two or more doses, Medicare set a payment rate of $16.94 for the initial dose and $28.39 for the final dose. CMS also noted that rates may be geographically adjusted.
3. New and Approved COVID-19 Treatment Payments
   As part of the Inpatient Prospective Payment System (IPPS), the IFC institutes an add-on payment for eligible cases using new and approved COVID-19 treatments “equal to the lesser of: (1) 65 percent of the operating outlier threshold for the claim; or (2) 65 percent of the cost of a COVID-19 stay beyond the operating Medicare payment (including the 20 percent add-on payment under section 3710 of the CARES Act) for eligible cases,” according to CMS.
4. Outpatient Prospective Payment System (OPPS) Changes
   CMS set up a separate payment for new COVID-19 treatments provided at the same time as a Comprehensive Ambulatory Payment Classification (C-APC) service for the duration of the public health emergency in OPPS
5. COVID-19 Testing Prices
   Providers of COVID-19 tests will now need to make the cost of the diagnostic test available online, in writing, or in signage within two days of any request. In addition, the IFC gives
   CMS “discretion” to punish providers who don’t comply. Official guidance includes written warnings, corrective action plans (CAPs), and civil monetary penalties (CMPs) as punishment.

See the CMS Interim Final Rule here.