was successfully added to your cart.

Cart

Tag

Compliance & Auditing Services explains the HIPAA security risk analysis regulationsHIPPA Omnibus Archives - Compliance and Auditing Services

The Use And Understanding Of X{EPSU} Modifiers

By | Insurance Coding | No Comments
X Modifier Picture(updated February 2, 2023)

I’ve been getting a lot of questions about the -59 modifier and the new X modifiers, so I thought I would take some time here to explain the use of these modifiers and to let you know why most insurers, including Medicare, still continue to use the -59 modifier.

Currently, providers can use the -59 modifier to indicate that a code represents a service that is separate and distinct from another service with which it would usually be considered to be bundled.

The -59 modifier is the most commonly used and commonly abused modifier. According to 2013 CERT Report data, incorrect -59 modifier usage amounts to a $77 million per year overpayment.

Because of this, CMS believes that more precise coding options are needed to reduce the errors associated with this overpayment.

As a result, CMS established the following four new HCPCS modifiers, referred to collectively as -X{EPSU} modifiers, to define specific subsets of the -59 modifier:

  • XE – “Separate encounter.” A service that is distinct because it occurred during a “separate encounter.” This modifier should only be used to describe separate encounters on the same date of service.
  • XP – “Separate Practitioner.” A service that is distinct because it was performed by a different practitioner.
  • XS – “Separate Structure.” A service that is distinct because it was performed on a separate anatomical area.
  • XU – “Unusual Non-Overlapping Service.” The use of a service that is distinct because it does not overlap usual components of the main service.

These -X modifiers are intended to provide greater reporting specificity.

Though CMS will continue to recognize the -59 modifier, the Current Procedural Terminology (CPT) instructions state that the -59 modifier should not be used when a more descriptive modifier is available.

In some instances CMS may selectively require a more specific – X modifier for billing at high risk for incorrect billing.

Because the X modifiers are different versions of the -59 modifier, it would be incorrect to include both modifiers on the same line.

Though the use of the new modifiers was scheduled to start January 1, 2015, don’t hold your breath. Here’s why:

  • Chiropractors are only paid for 98940, 98941 and 98942. None of your adjustment codes would require modifier -59.
  • For now, secondary billing for Medicare is uncertain. Secondary (private) payers haven’t yet stated that they are willing to accept the XE, XS, XP or XU modifiers. It’s likely they will adopt the same rule sooner or later, so keep an eye out for changes.
  • To date, private payers are not requiring the new modifiers. Providers such as BCBS, Aetna, and Cigna haven’t yet stated that they are willing to accept the XE, XS, XP or XU modifiers. It is likely that they will in the future so watch for updates from private payers.

Though it is likely that the -59 Modifier days are numbered, until then continue to code as usual, with modifier -59.

The “Compliance Made Easy” program is the most complete course on office compliance and includes how to documentation requirements.

If you have any questions or concerns don’t hesitate to call or email, we’re here to help you.

All The Best,

Dr. John Davenport
Chief Compliance Officer
Compliance & Auditing Services

The Protected Health Information Cyber Attack Threat

By | Compliance | No Comments

3d rendering of a monit with a chain around it.

Reports of cyber attacks on large corporations such as  Nationwide, JPMorgan Chase and even the Pentagon have been make big news. Yet, every day there are attacks aimed at small to mid-size organizations.

With the increasing use of EHRs, practices are facing increased liability with regard to breaches of protected Health information (ePHI). Hackers know that healthcare providers are less likely to fully protect themselves.

At the same time, increased HIPAA and HITECH security regulations and penalties, for violations, also increase the healthcare providers liability for breaches of ePHI,

Many Doctors simply lack the knowledge and training needed to protect their offices against a cyber attack or meet HIPAA Security Rule requirements.

In this three part series we will discuss simple steps to reduce most major threats to the safety of ePHI. This should be considered basic computer security 101 and not a course on the HIPAA/HITECH rules.

Firewall Protection:

First, unless your practice is totally disconnected from the Internet, it should have a Firewall to protect against threats from outside sources.

Basically, a Firewall is a system that prevents unauthorized access to a private network and works like a filter between your computer network and the Internet. Anything that goes into or out of the network must pass through the firewall.

The firewall examines each message and can be configured to prevent employees from sending certain types of emails or transmitting sensitive data outside of the network.

Additionally, firewalls can be programmed to prevent access to certain websites (like social networking sites) and can prevent outside computers from accessing computers inside your network.

Most computer operating systems come with a firewall installed and firewall software is also available at stores that sell computer products. Both types of firewall software normally provide technical support and guidance for users without the technical savvy.

Anti-virus Protection:

In small offices, attackers compromise computers primarily through viruses, spyware and malware. Computers can become infected by outside sources such as CD- ROMs, e-mail, flash drives, and web downloads. Even a computer that has all  the latest security updates to its operating system and applications can be at risk because of system flaws.

Anti-virus software is used to scan files to identify and eliminate computer viruses andmalicious software. It can also let you know when there has been an attempted threat to your system.

Anti-virus software analysis’s system files to look for known viruses, by means of a virus dictionary, and identifies suspicious behavior that might indicate an infection. Therefore, providing protection against brand-new viruses that do not yet exist in any virus dictionaries.

Without anti-virus software to identify infections, data may be stolen or destroyed. Reliable Anti-virus software is available at most stores that sell computer products, and are relatively inexpensive to buy.

Once you’ve down loaded anti-virus software to your computer, this includes hand held devices, make sure to keep it updated. Anti-virus products require regular updates in order to protect from new computer viruses.

Chained laptop from the frontPasswords:

Passwords are a first line defense in preventing unauthorized access to any computer and should be required to log into your system.  In addition, passwords can be reviewed, using an audit trail log, to see who is accessing specific information and what changes where made to that information.

Passwords can also limit what information individual people have to certain information. This can include certain staff members, your IT contractor, your billing company or anyone who has remote access to your computer system.

Because criminals use special software to try to guess a password, it is important to use strong passwords. A Strong password should:

  • Be at least 8 characters in length
  • Include a combination of upper case and lower case letters, at least one number and at least one special character, such as a punctuation mark
  • Be changed periodically.

You should also have policies in place to remove passwords on staff that leave or are terminated.

An administrator password is used only when you need to make changes or updates to your operating system. This means that anyone with this code can go anywhere and change anything in your system.

To decrease the chance that the administrator password gets stolen, the person in your office authorized to make changes to your system should have a separate user code that is used for daily system access.