Liability issues related to coding can be significant and require the attention of the risk manager. Know and monitor the top issues of concern.

• The culture must encourage reporting concerns about fraud.

• Healthcare organizations must audit coding practices routinely.

• Consider implementing a coding fraud hotline.

Coding and reimbursement are so complex, and so vital, that healthcare organizations devote substantial resources to doing it correctly, making it easy for risk managers to assume someone else is taking care of that department while you have so much else on your plate.

However, the best strategy is to work closely with counterparts in coding and reimbursement to ensure the organization is not exposed to substantial liability from deliberate fraud or inadvertent errors.

Coding and reimbursement can create liability in many ways, and risk managers must ensure the correct safeguards are in place, says Donna K. Thiel, JD, a shareholder with the Baker Donelson law firm in Washington, DC.

“There are so many systems that must be in place for reimbursement, starting with the initial service provider and on through the process until the claim is submitted to the insurer, and at any point along that chain you can have a problem,” Thiel says.

“It could be a surgeon who doesn’t do notes on time, transposed numbers in the record, a coder who enters the wrong code for reimbursement,” she adds. “As a risk manager it’s really hard to anticipate where you would look, but you have to follow the path, walk a claim all the way through the system, and see where mistakes can happen.”

The risk manager may not be directly responsible for ensuring coding compliance, but he or she should make sure the correct processes are in place, Thiel says. Work closely with the person in charge of reimbursement systems, offering expertise in process management and emphasizing the potential liability when procedures are not followed.

Major Prosecution Focus

Billing and coding fraud is a primary target for regulators and prosecutors now, says Geoffrey R. Kaiser, JD, a partner with the law firm of Rivkin Radler in Uniondale, NY.

Coding misconduct is a species of billing fraud, he notes, which is a major source of civil and criminal liability in the healthcare industry. Such misconduct may be prosecuted civilly under the False Claims Act, or under a range of criminal statutes, including healthcare fraud.

“For example, hospitals and other providers might utilize improper diagnosis codes to justify the performance of services for which there is no actual medical necessity and which are therefore non-reimbursable,” he says. “Or providers may bill a procedure code for a more complex, higher-paying service than was actually performed or justified, a practice known as ‘upcoding.’”

Some of the top coding risk areas for hospitals include the Two-Midnight Rule, short stay claims, inpatient psychiatric services, and inpatient rehabilitation services, Kaiser says.

The Two-Midnight Rule addresses concerns about hospital use of short inpatient and long outpatient stays, Kaiser explains, and states that inpatient payment generally is appropriate if physicians expect Medicare beneficiaries’ care to last at least two midnights. Otherwise, outpatient payment is more appropriate.

Short stay claims refer to outpatient outlier payments made to a hospital when the hospital’s charges, adjusted to cost, exceed a fixed multiple of the normal Medicare payment, he says.

“The purpose is to ensure access to care by having Medicare share in the financial loss incurred by the hospital in connection with individual, extraordinarily expensive cases,” Kaiser says. “OIG has previously determined that high charges incurred by hospitals unrelated to cost lead to excessive inpatient outlier payments, and OIG is examining the same issue for outpatient stays.”

Rehab, Psych Are Hot Topics

The Health and Human Services Office of Inspector General (OIG) is examining Medicare outlier payments to hospitals providing psychiatric treatment for those with acute mental health issues, Kaiser notes. Total Medicare payments for inpatient stays resulting in outlier payments have been increasing, so OIG is examining whether hospital providers are complying with Medicare documentation, coverage, and coding requirements related to such stays.

OIG also is examining whether hospitals specializing in providing intensive therapy to inpatients recovering from illness, injury, or surgery are providing such rehab therapy to those who are not suitable candidates, Kaiser says.

The best way to mitigate risk, he says, is to implement a robust compliance program with policies and procedures tailored to these and other hospital risk areas.

“Any effective compliance program includes periodic risk assessments and auditing/monitoring to ensure compliance. Such auditing/monitoring will include random sampling of medical and billing records for review to examine coding practices,” Kaiser says. “This can be performed on either an historical or prospective basis. The advantage of a prospective or prepayment review is that any errors can be corrected before claims are submitted and payment is received from payers.”

Such a compliance review can then be followed by supplemental training for affected personnel as appropriate, he says.

Fraud Hotline Is a Must

Fraud reporting is a key element in any coding compliance program. Any effective compliance program will include procedures for employees to report fraud anonymously and confidentially, and will establish clear channels of communication within the organization for the reporting and receipt of information related to fraud and other compliance violations, Kaiser says.

An effective compliance program also will contain a strict prohibition against retaliation for an employee’s good faith reporting of compliance violations, Kaiser says.

Thiel agrees, emphasizing the need for a culture in which employees have no fear of retaliation and feel they will be rewarded for bringing potential coding liability to the attention of superiors.

“If anyone feels something is being done incorrectly, it is critical for the organization to have a way for employees to report that to compliance easily and quickly, anonymously if they want, and without any fear of retaliation,” she says. “There should not be any hospital in existence without that mechanism in place.”

“Any hospital that doesn’t is very much at risk, vulnerable to accusations that they did not do everything possible to encourage reporting and they were negligent for that reason,” she adds.

Kaiser notes that Anti-Kickback Statute and Stark Law violations are a focus of law enforcement, with agencies interested in hospital-physician relationships and unlawful payments to, and financial relationships with, referral sources.

Five Key Elements for Compliance

Although a hospital’s revenue cycle management team ultimately is responsible for billing compliance, which includes coding, billing, and collections, the risk manager should consult with them concerning potential liability and compliance efforts, says Ben Wright, senior solutions architect in the Fraud and Security Intelligence Division at SAS, a company based in Cary, NC, that provides software and compliance consulting.

Wright says the risk manager should look for these key elements in billing compliance:

1. There must be a current coding compliance policy. The integrity of coded data and the ability to turn it into functional information requires all users to consistently apply the same official coding rules, conventions, guidelines, and definitions. Put more plainly, Wright says, this should be a policy that all staff will only use the codes that are clearly and consistently supported by authenticated clinical documentation in accordance with code set rules and guidelines.

2. The policy should be segmented. It should be laid out by care setting, department, and medical specialty (such as inpatient, outpatient, ambulatory surgery, observation, emergency) and segmented into public plan requirements and private (commercial) plan requirements.

3. The policy must be reviewed and updated at least annually. The review should take into consideration coding rule changes, additions, and deletions, which generally occur annually.

4. The plan needs to consider the effects of newer reporting technology. This may include electronic health record software that makes it possible to complete check boxes that formerly were on paper or nondigital media and will now require an audit trail. Who actually checked the box? Was it a template? Was it copied from another record? All of those questions and more should be determined in an audit trail.

5. There should be a plan for continuous monitoring and analytical evaluation. This will help detect, prevent, and investigate coding anomalies and/or practices that maximize revenue at the expense of compliance.

Follow OIG Work Plan

The risk manager should follow the OIG work plan, says Arlene Baril, senior director of facility coding and audit services at Change Healthcare, a company based in Nashville, TN, that assists healthcare organizations with transitioning to value-based care. The OIG work plan used to be published on an annual basis, but now is updated monthly.

The work plan denotes OIG’s areas of interest, including billing compliance issues that are on the radar of regulators. (The work plan is available online at: https://bit.ly/2rzhtUM.)

Also stay abreast of CMS Program Transmittals to determine coding changes, changes in coding/billing rules, updated or deleted regulations and similar issues, and make sure coding professionals are doing the same, she says. (The transmittals are available online at: https://go.cms.gov/2IhciiE.)

Be sure to review all coding changes for ICD-10-CM and ICD-10-PCS, which are updated annually in the Federal Register in October, Baril advises. (They are available online at: https://go.cms.gov/2vHIhok.) Also stay on top of Outpatient Prospective Payment System coding changes, which are updated on a quarterly basis in the Federal Register in January, April, July, and October.

Baril also suggests reviewing your organization’s Program for Evaluating Payment Patterns Electronic Report, also known as PEPPER. This report shows how one’s facility fares with other facilities in the nation on billing compliance. (The quarterly reports are available online at: https://bit.ly/2HLLhCN.)

Determine who your Recovery Audit Contractor (RAC) is and subscribe to their updates to keep abreast of all CMS compliance topics, she advises.

Best Practice Coding Policies

Baril recommends establishing the following best practice coding policies and procedures:

1. Standards of Ethical Coding from the American Health Information Management Association (AHIMA);

2. AHIMA’s Ethical Standards for Clinical Documentation Improvement Specialists;

3. Physician Query Process;

4. HIM Coder Training and Education;

5. Home Office Compliance Audits;

6. Internal Coder Monitoring;

7. Internal Coding Quality Assurance Program;

8. Chart Elements required for Final Coding (by Chart Type);

9. New Hire Training/Orientation;

10 Contract Coding Arrangements;

11. External Coding Consultants;

12. External Clinical Documentation Consultants;

13. External Coding Compliance Audits;

14. Coding Continuing Education Requirements Policy.

Each coder should be audited internally on a quarterly basis, Baril says.

“Findings and education should be timely to correct any abnormal trends. Follow-up audits should provide another review of previous findings to determine if the issue has been resolved,” she says. “It is also recommended to have an external audit on a minimum annual basis. Many facilities opt to have external audits done on a quarterly basis, especially after the coding changes go into effect.”

Review samples can be determined on a per-coder basis, and they might also target particular MS-DRGs/APCs, RAC-approved issues, PEPPER report items, OIG targets from the work plan, or a combination of all items, she says.

“Every employee should have annual education on the hospital’s compliance program. They should have copies of all related compliance policies and procedures,” she says. “The employees should be made aware of the coding compliance hotline if they decide to remain anonymous. If they decide to come forward, they must be assured of the non-retaliation policy in effect.”


• Arlene Baril, Senior Director, Facility Coding and Audit Services, Change Healthcare, Nashville, TN. Phone: (888) 363-3361.

• Geoffrey R. Kaiser, JD, Partner, Rivkin Radler, Uniondale, NY.

• Donna K. Thiel, JD, Shareholder, Baker Donelson, Washington, DC. Phone: (202) 508-3404.

• Ben Wright, Senior Solutions Architect, Fraud and Security Intelligence Division, SAS, Cary, NC. Phone: (919) 677-8000.