PHI Thieves Are Usually After Financial Information

Now that many physicians and other healthcare organizations are purchasing and utilizing EMRs, they seem to be focused on safeguarding the clinical Protected Health Information (PHI) of their patients. In the process, some are forgetting to protect patient financial information even though it is also PHI.

The FierceHealthIT newsletter of October 24, 2012 indicates that healthcare system data thieves are usually after financial information.

Despite reports of efforts to blackmail patients and the possibility of hacking pacemakers, healthcare data breaches in the end are similar to other cyber crimes, according to a new report from Verizon. In an examination of approximately 60 confirmed data breaches over the past two years, the report concludes that those who attack healthcare systems primarily look for information from which they can make a profit.

According to this Verizon report, point-of-sale systems (credit card machines) and desktop and laptop computers are the most common points of breach. Thieves attack the weakest links in the payment chain. Rather than going after your server, they hack into peripheral equipment that can get them access to this financial information.

Here at SOS, we harp on the need to secure the data in your billing and clinical record software. We have been amazed at the lack of awareness of even our largest customers. Every week, we receive emails that contain PHI or a direct way to get to PHI. Employees of behavioral health organizations often do not realize that sending an email with PHI in it is like sending a postcard with the same information. Anyone who sees that postcard and who knows how to read can take a look at your message. The same is true with insecure, unencrypted email. Anyone who knows how to do so and who has any interest can take a look at your email.

This study indicated that, among the breaches they studied, most of the incidents occurred at businesses that had from one to one hundred employees.

The simple solution….encrypt all PHI while it is resting on your system and while it is in transit from one place to another. If you don’t know how to do that, learn how, now!

Please share your experiences, direct or indirect, with safeguarding PHI. Do you encrypt? What procedures has your organization developed to assure that all of the PHI in your possession is as safe as possible from thieves?

Psychiatry CPT Codes for 2013

A few weeks ago I wrote about the upcoming changes in the CPT codes for psychiatric services. Lots of people have been looking for detail on those changes, but the American Medical Association has not yet released all of the specifics. They are planning major changes to the general illness codes as well.

The AMA invites the health care community to learn more about the significant changes to the 2013 CPT codes and descriptors by attending the CPT/RBRVS Symposium in Chicago from Nov. 14-16, 2012. For additional information, please visit the AMA website at:

If you are not going to be in Chicago in November for the symposium, there will likely be some other venues through which you can obtain more detail. The American Psychiatric Association (aPa) has created some documents that should be helpful, but they too cannot release the codes to the general public until the AMA gives them the go ahead. aPa members can obtain more specific information at their website.

The National Council announced their own upcoming workshop in today’s Public Policy Update. The challenge is that the codes are changing for everyone who provides mental health services. While some changes happen every year, this is a pretty involved set requiring the use of evaluation and management codes. The Council has already put together a fact sheet that you might find helpful. You might consider attending the webinar they are planning in November.

This is a topic for all of us to get informed about and stay on top of. Please share any information or links that you become aware of. Just enter them in the Comments below.

Psychiatric CPT Codes Changing in 2013

Every year, changes are made to the Current Procedural Terminology® codes to reflect changes in actual practice of medicine and related fields. Use of these CPT® codes, as they are called, is required for reimbursement by insurance carriers. The American Medical Association establishes procedures including workgroups in various disciplines to assure that the codes keep up with the times. Since payment is based on the codes used, it is essential that providers keep informed about changes.

In 2013, significant changes to psychiatry and psychotherapy codes will occur. While those changes are not yet finalized, providers should understand what they are and be on the alert for the publication of the final codes.

The American Psychological Association participated with the American Psychiatric Association, the American Academy of Child and Adolescent Psychiatry, the American Nurses Association and the National Association of Social Workers to examine the definitions of the CPT psychotherapy codes. Most of the codes that have previously been used will be removed and new ones adopted.

Since these codes are the basis for payment for most behavioral health services, the billing of most behavioral health organizations will be affected. The National Council and other professional groups will be reporting on these changes. Stay tuned…


Current Procedural Terminology (CPT®) copyright 2012 American Medical Association. All rights reserved.

Secondary Insurance and Medicare

It is fascinating to me how rapidly and completely something can move from primary to secondary. I started writing this blog post one and a half weeks ago. After all sorts of interruptions, it has finally made it back to primary position in my task queue. Since I have no formal rules for how a task becomes primary or secondary, it can sometimes be a challenge to prioritize.

An active discussion on our SOS User Group site on Medicare Crossover claim filing started me thinking about this matter of primary and secondary insurance. Somehow, in our day-to-day lives, we have complete understanding of what these words mean, even if we have no formal definitions. When it comes to insurance, everything changes; the meanings and functions of primary and secondary become murky. Because we have addressed this issue here in this blog and in a couple of documents on our web site, internet searches for ‘filing secondary insurance’ often hit upon the article that Manon wrote on the subject or on the blog post. I am surprised at how frequently those searches and hits happen.

Our User Group discussion (just scroll to the top for the start of the thread) talked about the requirements placed upon Medicare Participating Providers to file secondary or crossover claims for their patients. Most of the participants indicated their understanding that it is necessary for Participating Providers to do this. Some discussants indicated that crossover claims are sent to the secondary insurer automatically. A couple of others indicated that there is some special process that they must go through to make this happen.

I know that one of the most important improvements in the 5010 version of the 837 claims transaction is requirement for the inclusion of more specific Coordination of Benefit information in the claim. Manon attended a Medicare webinar this week that discussed progress on meeting the 5010 requirements. Apparently, crossovers have been a big issue in this 5010 transition, but CMS indicates that they have made significant advance in working out the issues about crossovers.

Medicare regulations detail requirements for Coordination of Benefit Agreements and Coordination of Benefit Contractors. Unfortunately, wading through 124 pages of regulations to completely understand this process seems like overkill for an individual provider. Add to that the fact that different Medicare Administrative Contractors (MACs) may have different procedures, different Coordination of Benefit Contractors, and be in different stages of implementation of this process. In fact, a Google search for Medicare Crossovers comes up with documents created by many of the different MACs.

Getting your MAC to tell you what must be in your claims, what you as a provider are required to do for your patient, and what your patient may be required to do to complete the filing of secondary (crossover) claims seems like the reasonable course of action. I would be amazed if there is not detailed information on your MAC’s website.

Let us know if you are able to find out useful information. We can post the links here to make it easier for others to find what they need about the topic of Medicare Crossovers. Please share your comments below.

Medicare Fraud: CMS engages patients in fighting fraud

Do you have an elderly parent or friend? Have you ever taken a look at the Medicare Summary Notice (MSN) they receive each quarter from Medicare?

I don’t know when the last time was that my 92 year old mother looked at hers. I usually check it to make sure there is not some gross overbilling going on, but Mom ignores the statement. It is not the easiest document to review.

According to Karen M. Cheung at, Medicare is taking several steps to make it easier for elderly patients to review their monthly charges. The form and the website has been re-designed to make reviewing the explanation of benefits easier for the elderly Medicare subscribers who use the site. Sample


Drilling down by clicking on  

allows the user to see the details of the Medicare Summary Notice for each claim.

CMS is also making it more obvious that subscribers can earn a reward of up to $1000 for a tip that leads to uncovering fraud. That’s right . . . CMS will pay a Medicare recipient up to $1000 if their tip leads to finding actual fraud. Last year, consumer input resulted in $4 billion of savings, thanks to those who reported suspicious billing. On the MSN, just under the explanation of “How to Check This Notice”, the subscriber sees the following announcement:



Encouraging subscribers to report suspected fraud is one of the major ways CMS plans to save money. If by accident or on purpose, a provider bills for services not provided, for products not delivered, for medically unnecessary services or for misrepresented services, they become subject to a whole host of consequences based on the amount of money involved.

According to Wikipedia, The Office of the Inspector General for the U.S. Department of Health and Human Services is responsible to protect the integrity of HHS programs. The Office of Investigations for HHS works with the FBI to combat Medicare Fraud. The site has its own pages on Fraud & Abuse. The U.S. Department of Health & Human Services and the U.S. Department of Justice have created a site aimed directly at stopping Medicare fraud.

Clearly, this initiative is extremely important to CMS. We were recently surprised by a telephone call from someone claiming to be an FBI agent investigating one of our customers. Whether this was an unhappy patient, a disgruntled former employee, or an actual agent, we do not know. If we were to receive a supoena or request through proper channels, we might know more, but we would never provide information in response to a telephone call.

None of this is unique to the behavioral healthcare community, nor are mental health and addiction providers exempt from concerns about Medicare fraud. Abuses happen in all areas of healthcare.

What is your personal or professional experience with Medicare fraud or abuse? Does your organization have processes in place to prevent mistaken Medicare billing? We would love to hear about how you deal with these issues . . . short of not serving Medicare patients!

Please post your comments below.