Q: Our surgeons perform a lot of blepharoptosis repairs. Because each patient is different, different amounts of eyelid tissue has to be removed. One of our surgeons wants to set a maximum amount that is included in the procedure and then charge a blepharoplasty to cover anything over and above this maximum. We are trying to figure out how to even start to operationalize this. It seems to us that this is just a “patient differential” in the surgery like you have in any other surgery. Is there any guidance or standard for this?
Q: CMS released guidance last summer about not auditing or counting errors for the specificity of an ICD-10-CM code. CMS is not going to count the code as an error as long as the first three digits are correct. Does this apply to medical necessity diagnoses and edits?
Are physician-to-physician transfers for SNF and rehab facilities required under the proposed changes to the Conditions of Participation for discharge planning?
Q: Our providers are reluctant to document a correlation between symptoms and a detailed diagnosis. Do you have any good ways to get them to do this? For example, our providers document "diabetes" but they often don't include additional details that should be there (e.g., gestational diabetes or type II diabetes mellitus in pregnancy).
Creating secure passwords, guest wireless networks, and emailing PHI
by Chris Apgar, CISSP
Q: I work at a doctor's office. If a patient calls and asks to have a copy of his or her medical records sent to his or her home address, are we required to obtain any additional verification beyond checking that the address matches the one we have on file? We have a patient portal where most of our patients are able to access their records, but some still prefer to have copies sent to them.
A: As with any request for PHI from an external party, whether it be the patient or someone else, proper authentication is necessary. This means you need to ask questions such as what is the patient's birthdate before agreeing to send the patient a copy of his or her medical record or designated record set (DRS).
It's a good idea to ask the patient to make the request in writing. Per the HIPAA Privacy Rule, "The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement" (45 CFR §164.524(b)(1). This is not a "you shall." It's a "may" so in the end you may elect to not require the request be in writing. However, this might leave your practice vulnerable to the risk of someone impersonating the patient and requesting the record or the patient later complaining you sent a copy of his or her DRS without his or her permission.
If you require patients to make the request in writing, you can't make it too burdensome. For example, you can't require patients get the signed request notarized or walk the request in to the doctor's office. OCR recently published guidance regarding a patient's right to access his or her DRS (www.hhs.gov/hipaa/for-professionals/privacy/guidance/access). It provides more detailed information about the dos and don'ts of meeting the HIPAA Privacy Rule requirement that patients are entitled to view or request a copy of their DRS.
Editor's note: Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are that of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.
