Provider Enrollment and Ongoing Responsibilities : Documentation

1099 Miscellaneous Forms

ForwardHealth generates the 1099 Miscellaneous form in January of each year for earnings greater than $600.00, per IRS regulations. One 1099 Miscellaneous form per financial payer and per tax identification number is generated, regardless of how many provider IDs or NPIs share the same tax identification number. For example, a provider who conducts business with both Medicaid and WCDP will receive separate 1099 Miscellaneous forms for each program.

The 1099 Miscellaneous forms are sent to the address designated as the "1099 mailing address."

Availability of Records to Authorized Personnel

The Wisconsin DHS has the right to inspect, review, audit, and reproduce provider records pursuant to Wis. Admin. Code § DHS 106.02(9)(e). The DHS periodically requests provider records for compliance audits to match information against ForwardHealth's information on paid claims, PA requests, and enrollment. These records include, but are not limited to, medical/clinical and financial documents. Providers are obligated to ensure that the records are released to an authorized DHS staff member(s).

Wisconsin Medicaid reimburses providers $0.06 per page for the cost of reproducing records requested by the DHS to conduct a compliance audit. A letter of request for records from the DHS will be sent to a provider when records are required.

Reimbursement is not made for other reproduction costs included in the provider agreement between the DHS and a provider, such as reproduction costs for submitting PA requests and claims.

Also, state-contracted MCOs, including HMOs and SSI HMOs, are not reimbursed for the reproduction costs covered in their contract with the DHS.

The reproduction of records requested by the PRO under contract with the DHS is reimbursed at a rate established by the PRO.

Confidentiality and Proper Disposal of Records

ForwardHealth supports member rights regarding the confidentiality of health care and other related records, including an applicant or member's billing information or medical claim records. An applicant or member has a right to have this information safeguarded, and the provider is obligated to protect that right. Use or disclosure of any information concerning an applicant or member (including an applicant or member's billing information or medical claim records) for any purpose not connected with program administration is prohibited unless authorized by the applicant or member (program administration includes contacts with third-party payers that are necessary for pursuing third-party payment and the release of information as ordered by the court).

Federal HIPAA Privacy and Security regulations establish requirements regarding the confidentiality and proper disposal of health care and related records containing PHI. These requirements apply to all providers (who are considered "covered entities") and their business associates who create, retain, and dispose of such records.

For providers and their business partners who are not subject to HIPAA, Wisconsin confidentiality laws have similar requirements pertaining to proper disposal of health care and related records.

HIPAA Privacy and Security Regulations

Definition of Protected Health Information

As defined in the HIPAA privacy and security regulations, PHI is protected health information (including demographic information) that:

• Is created, received, maintained, or transmitted in any form or media.
• Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the payment for the provision of health care to an individual.
• Identifies the individual or provides a reasonable basis to believe that it can be used to identify the individual.

A member's name combined with their member identification number or Social Security number is an example of PHI.

Requirements Regarding "Unsecured" Protected Health Information

Title XIII of the American Recovery and Reinvestment Act of 2009 (also known as the HITECH Act) included a provision that significantly expanded the scope, penalties, and compliance challenges of HIPAA. This provision imposes new requirements on covered entities and their business associates to notify patients, the federal government, and the media of breaches of "unsecured" PHI (refer to 45 C.F.R. Parts 160 and 164 and § 13402 of the HITECH Act).

Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of physical destruction approved by the U.S. HHS. According to HHS, destruction is the only acceptable method for rendering PHI unusable, unreadable, or indecipherable.

As defined by federal law, unsecured PHI includes information in any medium, not just electronic data.

Actions Required for Proper Disposal of Records

To secure PHI, providers and their business associates are required to use one of the following destruction methods approved by the HHS:

• Paper, film, labels, or other hard copy media should be shredded or destroyed such that the PHI cannot be read or otherwise reconstructed.
• Electronic media should be cleared, purged, or destroyed such that the PHI cannot be retrieved according to National Institute of Standards and Technology Special Publication 800-88, Guidelines for Media Sanitization, which can be found on the NIST website.

For more information regarding securing PHI, providers may refer to Health Information Privacy on the HHS website.

Wisconsin Confidentiality Laws

Wis. Stat. § 134.97 requires providers and their business partners who are not subject to HIPAA regulations to comply with Wisconsin confidentiality laws pertaining to the disposal of health care and related records containing PHI.

Wis. Stat. § 146.836 specifies that the requirements apply to "all patient health care records, including those on which written, drawn, printed, spoken, visual, electromagnetic or digital information is recorded or preserved, regardless of physical form or characteristics." Paper and electronic records are subject to Wisconsin confidentiality laws.

"Personally Identifiable Data" Protected

According to Wis. Stat. § 134.97(1)(e), the types of records protected are those containing "personally identifiable data."

As defined by the law, personally identifiable data is information about an individual's medical condition that is not considered to be public knowledge. This may include account numbers, customer numbers, and account balances.

Actions Required for Proper Disposal of Records

Health care and related records containing personally identifiable data must be disposed of in such a manner that no unauthorized person can access the personal information. For the period of time between a record's disposal and its destruction, providers and their business partners are required to take actions that they reasonably believe will ensure that no unauthorized person will have access to the personally identifiable data contained in the record.

Businesses Affected

Wis. Stat.§§ 134.97 and 134.98, governing the proper disposal of health care and related records, apply to medical businesses as well as financial institutions and tax preparation businesses. For the purposes of these requirements, a medical business is any for-profit or nonprofit organization or enterprise that possesses information — other than personnel records — relating to a person's physical or mental health, medical history, or medical treatment. Medical businesses include sole proprietorships, partnerships, firms, business trusts, joint ventures, syndicates, corporations, limited liability companies, or associates.

Continuing Responsibilities for All Providers After Ending Participation

Ending participation in a ForwardHealth program does not end a provider's responsibility to protect the confidentiality of health care and related records containing PHI.

Providers who no longer participate in a ForwardHealth program are responsible for ensuring that they and their business associates/partners continue to comply with all federal and state laws regarding protecting the confidentiality of members' PHI. Once record retention requirements expire, records must be disposed of in such a manner that they cannot be reconstructed — according to federal and state regulations — in order to avoid penalties.

All ForwardHealth providers and their business associates/partners who cease practice or go out of business should ensure that they have policies and procedures in place to protect all health care and related records from any unauthorized disclosure and use.

Penalties for Violations

Any covered entity provider or provider's business associate who violates federal HIPAA regulations regarding the confidentiality and proper disposal of health care and related records may be subject to criminal and/or civil penalties, including any or all of the following:

• Fines up to $1.5 million per calendar year
• Jail time
• Federal HHS Office of Civil Rights enforcement actions

For entities not subject to HIPAA, Wis. Stat. § 34.97(4) imposes penalties for violations of confidentiality laws. Any provider or provider's business partner who violates Wisconsin confidentiality laws may be subject to fines up to $1,000 per incident or occurrence.

For more specific information on the penalties for violations related to members' health care records, providers should refer to § 13410(d) of the HITECH Act, which amends 42 USC § 1320d-5, and Wis. Stat. §§ 134.97(3), (4) and 146.84.

Financial Records

According to Wis. Admin. Code § DHS 106.02(9)(c), a provider is required to maintain certain financial records in written or electronic form.

Medical Records

A dated clinician's signature must be included in all medical notes. According to Wis. Admin. Code § DHS 106.02(9)(b), a provider is required to include certain written documentation in a member's medical record.

Documentation for Disposable Medical Supplies and Durable Medical Equipment

Providers are required to prepare and maintain truthful, accurate, complete, legible, and concise documentation of the member's continuing use of the equipment, as well as documentation of all DME/DMS services as stated in Wis. Admin. Code § DHS 106.02(9)(a). A current, signed, and dated physician prescription is required for each DME/DMS for each DOS when requesting Medicaid reimbursement. Per Wis. Admin. Code § DHS 105.02(4), providers are required to maintain medical records for no less than five years from the date of reimbursement.

For DME/DMS requiring a face-to-face visit, documentation of the face-to-face visit is required. Providers are required to produce and/or submit the documentation to ForwardHealth upon request. ForwardHealth may deny or recoup payment for services that fail to meet this requirement.

The documentation of the face-to-face visit must be clearly titled and be a separate and distinct section of (or a clearly titled addendum to) the prescription and must include:

• Date of the face-to-face visit
• Name and credentials of the physician or NPP who conducted the face-to-face visit
• The clinical findings that support the member's need for the impacted DME/DMS
• Signature of the prescribing physician or NPP who conducted the face-to-face visit for impacted DME/DMS

Dates of Service

ForwardHealth defines the DOS as follows:

• The date on which the DME was dispensed to the member or the member's caregiver by the provider
• The date on which the DME was shipped or mailed to the member or the member's caregiver if the provider used a shipping service or mail order

Documentation Requirements for Date of Delivery

The billing provider's record must adhere to all of the following documentation requirements related to the date of delivery of DME.

When Dispensed Directly to the Member or the Member's Caregiver

The billing provider's record must include all of the following documentation related to the date of delivery when the provider dispenses DME to the member or the member's caregiver:

• Written confirmation of delivery of the product/service to the member, which includes the following:
• Date of delivery
• Member's printed name
• Member's acknowledgment of receipt with member's signature and date signed
• If member is not able to sign, the printed name of the person accepting delivery, that person's signature, date signed, and relationship to the member
• Brand, model, and sizes issued to the member
• Quantity dispensed

When Mailed or Shipped to the Member or the Member's Caregiver

The billing provider's record must include all of the following documentation related to the date of delivery when the provider mails or ships DME to the member or the member's caregiver:

• Written confirmation of delivery of the product/service to the member, which includes the following:
• Member's printed name
• Delivery address
• Delivery service's package identification number, supplier invoice number, or alternative method that links the supplier's delivery documents with the delivery service's records (this information should be printed out and kept on file or in the member's medical record)
• Brand, model, and sizes issued to the member
• Quantity delivered
• Date delivered

Any claim for DME that does not include complete proof of delivery from the provider may be subject to recoupment during a provider audit.

Additional Requirements for Compression Garments

Providers are required to maintain the following supporting documentation in their records for compression garments:

• Signed and dated physician prescription that includes the following:
  • Diagnosis
  • Amount of compression ordered
  • Prescribed garment
  • Body part for which the garment was prescribed
• Manufacturer's invoice for the compression garment that was provided
• Clinical information, including the following:
  • Specific documented measurements required for the garment ordered (this information may be found on the manufacturer's order form)
  • Date(s) on which measurements were taken
  • Appropriate periodic circumferential measurements, using consistent units of measurement (e.g., centimeters used at every measurement)
• Documentation submitted with a PA request
• Documentation submitted with a claim

Additional Requirements for Diabetic Shoes and Inserts

The billing provider is required to document and maintain the following information in the member's medical record:

• A physician's prescription for diabetic shoes and/or inserts
• The member's ICD diagnosis (or diagnoses) and any other co-morbid conditions that support the condition for the requested services
• The objective measurement of specific foot deformity, if applicable
• The member's height and weight
• The shoe brand, model number, and size(s)
• Medical records from the prescribing provider that support the claim
• The written report of the member's podiatry exam and results
• The member's ambulatory status and/or transfer abilities
• The member's use of any ambulation aids for mobility, if applicable
• Information regarding the member's functional daily routine (e.g., place of residence, caregiver type, and level of assistance, if applicable)
• Specific reason for the requested service, date of initial issue of the requested service to the member, or the reason for replacement and the last DOS to member, if known
• If mismatched shoes are requested, documentation of the foot size discrepancy

In addition to the above, the medical record for custom molded shoes using HCPCS procedure code A5501 (For diabetics only, fitting [including follow-up], custom preparation and supply of shoe molded from cast[s] of patient's foot [custom molded shoe], per shoe) must include the following:

• Documentation that the member has a foot deformity that cannot be accommodated by a depth shoe
• A detailed description of the nature of the severity of the deformity
• Documentation from the visit that included taking impressions, making cases, or obtaining CAD/CAM images of the member's feet in order to create models of the feet

In addition to the above, the medical record for custom molded inserts using HCPCS procedure code A5513 (For diabetics only, multiple density insert, custom molded from model of patient's foot, total contact with patient's foot, including arch, base layer minimum of 3/16 inch material of shore a 35 durometer [or higher], includes arch filler and other shaping material, custom fabricated, each) must include the following:

• A list of materials that were used
• A description of the custom fabrication process

Additional Requirements for Facial Prosthetics

ForwardHealth requires that the billing provider maintains the following documentation in the member's medical record for coverage of facial prosthetics:

• A written prescription for the facial prosthetic or repair
• Documentation of the loss or absence of facial tissue due to disease, trauma, surgery, or congenital defect
• Documentation of member visits to take impressions and make molds
• A copy of written instructions for the member regarding how to wear and care for the prosthetic
• Date-of-delivery documentation

Additional Requirements for Orthopedic or Corrective Shoes and Foot Orthotics

The billing provider's record of service for orthopedic or corrective shoes or foot orthotics must include all of the following:

• A prescription for orthopedic or corrective shoes or foot orthotics, and for all related services (modifications, repair, etc.), that meets the requirements stated in Wis. Admin. Code § DHS 107.02(2m)(b) and includes the following:
  • An ICD diagnosis that supports the medical need for the requested orthopedic or corrective shoes or foot orthotics
  • If present, an ICD diagnosis of any other co-morbid conditions of the member that support the medical need for the requested orthopedic or corrective shoes or foot orthotics
  • If present, an ICD diagnosis of the member's gross foot deformity and/or other conditions that justify the medical need for the orthopedic or corrective shoes or foot orthotics
  • The quantity to be dispensed and the length of need
  • The member's ICD diagnosis (or diagnoses) and any other co-morbid conditions that support the condition for the requested services
• If present, the objective measurement of specific foot deformity
• The member's height and weight
• The shoe brand, model number, and size(s)
• Medical records from the prescribing provider that support the PA request
• The written report of the member's podiatry exam and results
• The member's ambulatory status and/or transfer abilities
• The member's use of any ambulation aids for mobility, if applicable
• Information regarding the member's functional daily routine (e.g., place of residence, caregiver type, and level of assistance, if applicable)
• Specific reason for the requested service, date of initial issue of the requested service to the member, or the reason for replacement and the last DOS to member, if known
• If new equipment is requested to replace current items, the estimate of charges to repair the member's current equipment and/or the reason repair is not possible or cost-effective
• If mismatched shoes are requested, documentation of the foot size discrepancy
• If custom services are requested, documentation of the services or equipment that have been tried by the member and results indicating what specific medical needs of the member were not met
• A copy of the completed PA request and all records submitted for the service
• Written instruction to the member for the use and care of the items dispensed
• All information to support both PA requests and claims

Additional Requirements for Speech Generating Devices, Digitized

ForwardHealth requires that billing providers maintain the following documentation in their medical records:

• Prescription for the device
• Date-of-Delivery documentation
• A formal evaluation of the member's communication abilities by a SLP. The SLP must document and confirm all of the following:
  • The member has a severe expressive speech impairment, and alternative natural communication methods are not feasible or are inadequate for that individual's daily functional communication needs.
  • The member's speech impairment will benefit from the device.
  • The member has the prerequisite skills to utilize the devices.
  • The member possesses a treatment plan that includes a training schedule for the selected device.
  • The rational for a specific device, including how its features match the member's communication needs and skills.

Member Access to Records

Providers are required to allow members access to their health care records, including those related to ForwardHealth services, maintained by a provider in accordance with Wisconsin Statutes, excluding billing statements.

Fees for Health Care Records

Per Wis. Stat. § 146.83, providers may charge a fee for providing one set of copies of health care records to members who are enrolled in Wisconsin Medicaid or BadgerCare Plus programs on the date of the records request. This applies regardless of the member's enrollment status on the DOS contained within the health care records.

Per Wis. Stat. § 146.81(4), health care records are all records related to the health of a patient prepared by, or under the supervision of, a health care provider.

Providers are limited to charging members enrolled in state-funded health care programs 25 percent of the applicable fees for providing one set of copies of the member's health care records.

Note: A provider may charge members 100 percent of the applicable fees for providing a second or additional set of copies of the member's health care records.

The Wisconsin DHS adjusts the amounts a provider may charge for providing copies of a member's health care records yearly per Wis. Stat. § 146.83(3f)(c).

Policy Requirements for Use of Electronic Signatures on Electronic Health Records

For ForwardHealth policy areas where a signature is required, electronic signatures are acceptable as long as the signature meets the requirements. When ForwardHealth policy specifically states that a handwritten signature is required, an electronic signature will not be accepted. When ForwardHealth policy specifically states that a written signature is required, an electronic signature will be accepted.

Reimbursement for services paid to providers who do not meet all electronic signature requirements may be subject to recoupment.

Electronic Signature Definition

An electronic signature, as stated in Wis. Stats. § 137.11(8), is "an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record."

Some examples include:

• Typed name (performer may type their complete name)
• Number (performer may type a number unique to them)
• Initials (performer may type initials unique to them)

All examples above must also meet all of the electronic signature requirements.

Benefits of Using Electronic Signatures

The use of electronic signatures will allow providers to:

• Save time by streamlining the document signing process.
• Reduce the costs of postage and mailing materials.
• Maintain the integrity of the data submitted.
• Increase security to aid in non-repudiation.

Electronic Signature Requirements

By following the general electronic signature requirements below, the use of electronic signatures provides a secure alternative to written signatures. These requirements align with HIPAA Privacy Rule guidelines.

General Requirements

When using an electronic signature, all of the following requirements must be met:

• The electronic signature must be under the sole control of the rendering provider. Only the rendering provider or designee has the authority to use the rendering provider's electronic signature. Providers are required to maintain documentation that shows the electronic signature that belongs to each rendering provider if a numbering or initial system is used (e.g., what number is assigned to a specific rendering provider). This documentation must be kept confidential.
• The provider is required to have current policies and procedures regarding the use of electronic signatures. The Wisconsin DHS recommends the provider conduct an annual review of policies and procedures with those using electronic signatures to promote ongoing compliance and to address any changes in the policies and procedures.
• The provider is required to conduct or review a security risk analysis in accordance with the requirements under 45 CFR s. 164.308(a)(1).
• The provider is required to implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
• The provider is required to establish administrative, technical, and physical safeguards in compliance with the HIPAA Security Rule.

Electronic Health Record Signature Requirements

An EHR that utilizes electronic signatures must meet the following requirements:

• The certification and standard criteria defined in the Health Information Technology Initial Set of Standards, Implementation Specifications, Certification Criteria for Electronic Health Record Technology Final Rule (45 CFR Part 170) and any revisions including, but not limited to, the following:
  • Assign a unique name and/or number for identifying, tracking user identity, and establishing controls that permit only authorized users to access electronic health information.
  • Record actions related to electronic health information according to the standard set forth in 45 CFR s. 170.210.
  • Enable a user to generate an audit log for a specific time period. The audit log must also have the ability to sort entries according to any of the elements specified in the standard 45 CFR s. 170.210.
  • Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information.
  • Record the date, time, patient identification, and user identification when electronic health information is created, modified, accessed, or deleted. An indication of which action(s) occurred and by whom must also be recorded.
  • Use a hashing algorithm with a security strength equal to or greater than SHA-1 as specified by the NIST in FIPS PUB 180-3 (October 2008) to verify that electronic health information has not been altered. (Providers unsure whether or not they meet this guideline should contact their IT and/or security/privacy analyst.)
• Ensure the EHR provides:
  • Nonrepudiation — assurance that the signer cannot deny signing the document in the future
  • User authentication — verification of the signer's identity at the time the signature was generated
  • Integrity of electronically signed documents — retention of data so that each record can be authenticated and attributed to the signer
  • Message integrity — certainty that the document has not been altered since it was signed
  • Capability to convert electronic documents to paper copy — the paper copy must indicate the name of the individual who electronically signed the form as well as the date electronically signed
• Ensure electronically signed records created by the EHR have the same back-up and record retention requirements as paper records.

Preparation and Maintenance of Records

All providers who receive payment from Wisconsin Medicaid, including state-contracted MCOs, are required to maintain records that fully document the basis of charges upon which all claims for payment are made, according to Wis. Admin. Code § DHS 106.02(9)(a). This required maintenance of records is typically required by any third-party insurance company and is not unique to ForwardHealth.

Prescriptions

All services, with few exceptions, require a current, separate, physician's prescription. This requirement applies to both routine and nonroutine repairs for DME.

Record Retention

Providers are required to retain documentation, including medical and financial records, for a period of not less than five years from the date of payment, except RHCs, which are required to retain records for a minimum of six years from the date of payment.

According to Wis. Admin. Code § DHS 106.02(9)(d), providers are required to retain all evidence of billing information.

Ending participation as a provider does not end a provider's responsibility to retain and provide access to fully maintained records unless an alternative arrangement of record retention and maintenance has been established.

Maintaining Confidentiality of Records

Ending participation in a ForwardHealth program does not end a provider's responsibility to protect the confidentiality of health care and related records containing PHI.

Providers who no longer participate in a ForwardHealth program are responsible for ensuring that they and their business associates/partners continue to comply with all federal and state laws regarding protecting the confidentiality of members' PHI. Once record retention requirements expire, records must be disposed of in such a manner that they cannot be reconstructed — according to federal and state regulations — in order to avoid penalties. For more information on the proper disposal of records, refer to Confidentiality and Proper Disposal of Records.

All ForwardHealth providers and their business associates/partners who cease practice or go out of business should ensure that they have policies and procedures in place to protect all health care and related records from any unauthorized disclosure and use.

Reviews and Audits

The Wisconsin DHS periodically reviews provider records. DHS has the right to inspect, review, audit, and photocopy the records. Providers are required to permit access to any requested record(s), whether in written, electronic, or micrographic form.

Records Requests

Requests for billing or medical claim information regarding services reimbursed by Wisconsin Medicaid may come from a variety of individuals including attorneys, insurance adjusters, and members. Providers are required to notify ForwardHealth when releasing billing information or medical claim records relating to charges for covered services except in the following instances:

• When the member is a dual eligible (i.e., member is eligible for both Medicare and Wisconsin Medicaid or BadgerCare Plus) and is requesting materials pursuant to Medicare regulations.
• When the provider is attempting to exhaust all existing health insurance sources prior to submitting claims to ForwardHealth.

Request From a Member or Authorized Person

If the request for a member's billing information or medical claim records is from a member or authorized person acting on behalf of a member, the provider is required to do the following:

1. Send a copy of the requested billing information or medical claim records to the requestor.
2. Send a letter containing the following information to ForwardHealth:
   • Member's name
   • Member's ForwardHealth identification number or SSN, if available
   • Member's DOB
   • DOS
   • Entity requesting the records, including name, address, and telephone number

   The letter must be sent to the following address:

   Wisconsin Casualty Recovery — HMS
   Ste 100
   5615 Highpoint Dr
   Irving TX 75038-9984

Request From an Attorney, Insurance Company, or Power of Attorney

1. Obtain a release signed by the member or authorized representative.
2. Furnish the requested material to the requester, marked "BILLED TO FORWARDHEALTH" or "TO BE BILLED TO FORWARDHEALTH," with a copy of the release signed by the member or authorized representative. Approval from ForwardHealth is not necessary.
3. Send a copy of the material furnished to the requestor, along with a copy of their original request and medical authorization release to:

Wisconsin Casualty Recovery — HMS
Ste 100
5615 Highpoint Dr
Irving TX 75038-9984

Request for Information About a Member Enrolled in a State-Contracted Managed Care Organization

1. Obtain a release signed by the member or authorized representative.
2. Send a copy of the letter requesting the information, along with the release signed by the member or authorized representative, directly to the MCO.

The MCO makes most benefit payments and is entitled to any recovery that may be available.

Request for a Statement From a Dual Eligible

If the request is for an itemized statement from a dual eligible, pursuant to HR 2015 (Balanced Budget Act of 1997) § 4311, a dual eligible has the right to request and receive an itemized statement from their Medicare-enrolled health care provider. The Act requires the provider to furnish the requested information to the member. The Act does not require the provider to notify ForwardHealth.

Release of Billing Information to Government Agencies

Providers are permitted to release member information without informed consent when a written request is made by Wisconsin DHS or the federal HHS to perform any function related to program administration, such as auditing, program monitoring, and evaluation.

Providers are authorized under Wisconsin Medicaid confidentiality regulations to report suspected misuse or abuse of program benefits to the DHS, as well as to provide copies of the corresponding patient health care records.