Program Name: BadgerCare Plus and Medicaid Handbook Area: Prenatal Care Coordination
04/24/2024  

Provider Enrollment and Ongoing Responsibilities : Documentation

Topic #6277

1099 Miscellaneous Forms

ForwardHealth generates the 1099 Miscellaneous form in January of each year for earnings greater than $600.00, per IRS regulations. One 1099 Miscellaneous form per financial payer and per tax identification number is generated, regardless of how many provider IDs or NPIs share the same tax identification number. For example, a provider who conducts business with both Medicaid and WCDP will receive separate 1099 Miscellaneous forms for each program.

The 1099 Miscellaneous forms are sent to the address designated as the "1099 mailing address."

Topic #1640

Availability of Records to Authorized Personnel

The Wisconsin DHS has the right to inspect, review, audit, and reproduce provider records pursuant to Wis. Admin. Code § DHS 106.02(9)(e). The DHS periodically requests provider records for compliance audits to match information against ForwardHealth's information on paid claims, PA requests, and enrollment. These records include, but are not limited to, medical/clinical and financial documents. Providers are obligated to ensure that the records are released to an authorized DHS staff member(s).

Wisconsin Medicaid reimburses providers $0.06 per page for the cost of reproducing records requested by the DHS to conduct a compliance audit. A letter of request for records from the DHS will be sent to a provider when records are required.

Reimbursement is not made for other reproduction costs included in the provider agreement between the DHS and a provider, such as reproduction costs for submitting PA requests and claims.

Also, state-contracted MCOs, including HMOs and SSI HMOs, are not reimbursed for the reproduction costs covered in their contract with the DHS.

The reproduction of records requested by the PRO under contract with the DHS is reimbursed at a rate established by the PRO.

Topic #200

Confidentiality and Proper Disposal of Records

ForwardHealth supports member rights regarding the confidentiality of health care and other related records, including an applicant or member's billing information or medical claim records. An applicant or member has a right to have this information safeguarded, and the provider is obligated to protect that right. Use or disclosure of any information concerning an applicant or member (including an applicant or member's billing information or medical claim records) for any purpose not connected with program administration is prohibited unless authorized by the applicant or member (program administration includes contacts with third-party payers that are necessary for pursuing third-party payment and the release of information as ordered by the court).

Federal HIPAA Privacy and Security regulations establish requirements regarding the confidentiality and proper disposal of health care and related records containing PHI. These requirements apply to all providers (who are considered "covered entities") and their business associates who create, retain, and dispose of such records.

For providers and their business partners who are not subject to HIPAA, Wisconsin confidentiality laws have similar requirements pertaining to proper disposal of health care and related records.

HIPAA Privacy and Security Regulations

Definition of Protected Health Information

As defined in the HIPAA privacy and security regulations, PHI is protected health information (including demographic information) that:

  • Is created, received, maintained, or transmitted in any form or media.
  • Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the payment for the provision of health care to an individual.
  • Identifies the individual or provides a reasonable basis to believe that it can be used to identify the individual.

A member's name combined with their member identification number or Social Security number is an example of PHI.

Requirements Regarding "Unsecured" Protected Health Information

Title XIII of the American Recovery and Reinvestment Act of 2009 (also known as the HITECH Act) included a provision that significantly expanded the scope, penalties, and compliance challenges of HIPAA. This provision imposes new requirements on covered entities and their business associates to notify patients, the federal government, and the media of breaches of "unsecured" PHI (refer to 45 C.F.R. Parts 160 and 164 and § 13402 of the HITECH Act).

Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of physical destruction approved by the U.S. HHS. According to HHS, destruction is the only acceptable method for rendering PHI unusable, unreadable, or indecipherable.

As defined by federal law, unsecured PHI includes information in any medium, not just electronic data.

Actions Required for Proper Disposal of Records

Under the HIPAA privacy and security regulations, health care and related records containing PHI must be disposed of in such a manner that they cannot be reconstructed. This includes ensuring that the PHI is secured (i.e., rendered unusable, unreadable, or indecipherable) prior to disposal of the records.

To secure PHI, providers and their business associates are required to use one of the following destruction methods approved by the HHS:

  • Paper, film, labels, or other hard copy media should be shredded or destroyed such that the PHI cannot be read or otherwise reconstructed.
  • Electronic media should be cleared, purged, or destroyed such that the PHI cannot be retrieved according to National Institute of Standards and Technology Special Publication 800-88, Guidelines for Media Sanitization, which can be found on the NIST website.

For more information regarding securing PHI, providers may refer to Health Information Privacy on the HHS website.

Wisconsin Confidentiality Laws

Wis. Stat. § 134.97 requires providers and their business partners who are not subject to HIPAA regulations to comply with Wisconsin confidentiality laws pertaining to the disposal of health care and related records containing PHI.

Wis. Stat. § 146.836 specifies that the requirements apply to "all patient health care records, including those on which written, drawn, printed, spoken, visual, electromagnetic or digital information is recorded or preserved, regardless of physical form or characteristics." Paper and electronic records are subject to Wisconsin confidentiality laws.

"Personally Identifiable Data" Protected

According to Wis. Stat. § 134.97(1)(e), the types of records protected are those containing "personally identifiable data."

As defined by the law, personally identifiable data is information about an individual's medical condition that is not considered to be public knowledge. This may include account numbers, customer numbers, and account balances.

Actions Required for Proper Disposal of Records

Health care and related records containing personally identifiable data must be disposed of in such a manner that no unauthorized person can access the personal information. For the period of time between a record's disposal and its destruction, providers and their business partners are required to take actions that they reasonably believe will ensure that no unauthorized person will have access to the personally identifiable data contained in the record.

Businesses Affected

Wis. Stat. §§ 134.97 and 134.98, governing the proper disposal of health care and related records, apply to medical businesses as well as financial institutions and tax preparation businesses. For the purposes of these requirements, a medical business is any for-profit or nonprofit organization or enterprise that possesses information other than personnel records relating to a person's physical or mental health, medical history, or medical treatment. Medical businesses include sole proprietorships, partnerships, firms, business trusts, joint ventures, syndicates, corporations, limited liability companies, or associates.

Continuing Responsibilities for All Providers After Ending Participation

Ending participation in a ForwardHealth program does not end a provider's responsibility to protect the confidentiality of health care and related records containing PHI.

Providers who no longer participate in a ForwardHealth program are responsible for ensuring that they and their business associates/partners continue to comply with all federal and state laws regarding protecting the confidentiality of members' PHI. Once record retention requirements expire, records must be disposed of in such a manner that they cannot be reconstructed according to federal and state regulations in order to avoid penalties.

All ForwardHealth providers and their business associates/partners who cease practice or go out of business should ensure that they have policies and procedures in place to protect all health care and related records from any unauthorized disclosure and use.

Penalties for Violations

Any covered entity provider or provider's business associate who violates federal HIPAA regulations regarding the confidentiality and proper disposal of health care and related records may be subject to criminal and/or civil penalties, including any or all of the following:

  • Fines up to $1.5 million per calendar year
  • Jail time
  • Federal HHS Office of Civil Rights enforcement actions

For entities not subject to HIPAA, Wis. Stat. § 34.97(4) imposes penalties for violations of confidentiality laws. Any provider or provider's business partner who violates Wisconsin confidentiality laws may be subject to fines up to $1,000 per incident or occurrence.

For more specific information on the penalties for violations related to members' health care records, providers should refer to § 13410(d) of the HITECH Act, which amends 42 USC § 1320d-5, and Wis. Stat. §§ 134.97(3), (4) and 146.84.

Topic #928

Electronic

Records kept electronically are subject to the same requirements as those maintained on paper. In addition, the following requirements apply to electronic documentation:

  • Providers are required to have a paper or electronic back-up system for electronic documentation. This could include having files saved on disk or CD in case of computer failure.
  • For audits conducted by the DMS, providers are required to produce paper copies of electronic records upon request.
  • Providers are required to have safeguards to prevent unauthorized access to the records.

Providers are required to have the signature of the individual performing each service and maintain each signature in their records. This individual is referred to as the "performer."

Topic #201

Financial Records

According to Wis. Admin. Code § DHS 106.02(9)(c), a provider is required to maintain certain financial records in written or electronic form.

Topic #202

Medical Records

A dated clinician's signature must be included in all medical notes. According to Wis. Admin. Code § DHS 106.02(9)(b), a provider is required to include certain written documentation in a member's medical record.

Topic #1564

Medical Records Requiring a Signature

The following are examples of records requiring either a handwritten or electronic signature:

  • Assessments.
  • Case plans.
  • Progress notes.
  • All contacts with, or on behalf of, a member.

Topic #199

Member Access to Records

Providers are required to allow members access to their health care records, including those related to ForwardHealth services, maintained by a provider in accordance with Wisconsin Statutes, excluding billing statements.

Fees for Health Care Records

Per Wis. Stat. § 146.83, providers may charge a fee for providing one set of copies of health care records to members who are enrolled in Wisconsin Medicaid or BadgerCare Plus programs on the date of the records request. This applies regardless of the member's enrollment status on the DOS contained within the health care records.

Per Wis. Stat. § 146.81(4), health care records are all records related to the health of a patient prepared by, or under the supervision of, a health care provider.

Providers are limited to charging members enrolled in state-funded health care programs 25 percent of the applicable fees for providing one set of copies of the member's health care records.

Note: A provider may charge members 100 percent of the applicable fees for providing a second or additional set of copies of the member's health care records.

The Wisconsin DHS adjusts the amounts a provider may charge for providing copies of a member's health care records yearly per Wis. Stat. § 146.83(3f)(c).

Topic #16157

Policy Requirements for Use of Electronic Signatures on Electronic Health Records

For ForwardHealth policy areas where a signature is required, electronic signatures are acceptable as long as the signature meets the requirements. When ForwardHealth policy specifically states that a handwritten signature is required, an electronic signature will not be accepted. When ForwardHealth policy specifically states that a written signature is required, an electronic signature will be accepted.

Reimbursement for services paid to providers who do not meet all electronic signature requirements may be subject to recoupment.

Electronic Signature Definition

An electronic signature, as stated in Wis. Stats. § 137.11(8), is "an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record."

Some examples include:

  • Typed name (performer may type their complete name)
  • Number (performer may type a number unique to them)
  • Initials (performer may type initials unique to them)

All examples above must also meet all of the electronic signature requirements.

Benefits of Using Electronic Signatures

The use of electronic signatures will allow providers to:

  • Save time by streamlining the document signing process.
  • Reduce the costs of postage and mailing materials.
  • Maintain the integrity of the data submitted.
  • Increase security to aid in non-repudiation.

Electronic Signature Requirements

By following the general electronic signature requirements below, the use of electronic signatures provides a secure alternative to written signatures. These requirements align with HIPAA Privacy Rule guidelines.

General Requirements

When using an electronic signature, all of the following requirements must be met:

  • The electronic signature must be under the sole control of the rendering provider. Only the rendering provider or designee has the authority to use the rendering provider's electronic signature. Providers are required to maintain documentation that shows the electronic signature that belongs to each rendering provider if a numbering or initial system is used (e.g., what number is assigned to a specific rendering provider). This documentation must be kept confidential.
  • The provider is required to have current policies and procedures regarding the use of electronic signatures. The Wisconsin DHS recommends the provider conduct an annual review of policies and procedures with those using electronic signatures to promote ongoing compliance and to address any changes in the policies and procedures.
  • The provider is required to conduct or review a security risk analysis in accordance with the requirements under 45 CFR s. 164.308(a)(1).
  • The provider is required to implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
  • The provider is required to establish administrative, technical, and physical safeguards in compliance with the HIPAA Security Rule.

Electronic Health Record Signature Requirements

An EHR that utilizes electronic signatures must meet the following requirements:

  • The certification and standard criteria defined in the Health Information Technology Initial Set of Standards, Implementation Specifications, Certification Criteria for Electronic Health Record Technology Final Rule (45 CFR Part 170) and any revisions including, but not limited to, the following:
    • Assign a unique name and/or number for identifying, tracking user identity, and establishing controls that permit only authorized users to access electronic health information.
    • Record actions related to electronic health information according to the standard set forth in 45 CFR s. 170.210.
    • Enable a user to generate an audit log for a specific time period. The audit log must also have the ability to sort entries according to any of the elements specified in the standard 45 CFR s. 170.210.
    • Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information.
    • Record the date, time, patient identification, and user identification when electronic health information is created, modified, accessed, or deleted. An indication of which action(s) occurred and by whom must also be recorded.
    • Use a hashing algorithm with a security strength equal to or greater than SHA-1 as specified by the NIST in FIPS PUB 180-3 (October 2008) to verify that electronic health information has not been altered. (Providers unsure whether or not they meet this guideline should contact their IT and/or security/privacy analyst.)
  • Ensure the EHR provides:
    • Nonrepudiation — assurance that the signer cannot deny signing the document in the future
    • User authentication — verification of the signer's identity at the time the signature was generated
    • Integrity of electronically signed documents — retention of data so that each record can be authenticated and attributed to the signer
    • Message integrity — certainty that the document has not been altered since it was signed
    • Capability to convert electronic documents to paper copy — the paper copy must indicate the name of the individual who electronically signed the form as well as the date electronically signed
  • Ensure electronically signed records created by the EHR have the same back-up and record retention requirements as paper records.

Topic #203

Preparation and Maintenance of Records

All providers who receive payment from Wisconsin Medicaid, including state-contracted MCOs, are required to maintain records that fully document the basis of charges upon which all claims for payment are made, according to Wis. Admin. Code § DHS 106.02(9)(a). This required maintenance of records is typically required by any third-party insurance company and is not unique to ForwardHealth.

Topic #204

Record Retention

Providers are required to retain documentation, including medical and financial records, for a period of not less than five years from the date of payment, except RHCs, which are required to retain records for a minimum of six years from the date of payment.

According to Wis. Admin. Code § DHS 106.02(9)(d), providers are required to retain all evidence of billing information.

Ending participation as a provider does not end a provider's responsibility to retain and provide access to fully maintained records unless an alternative arrangement of record retention and maintenance has been established.

Maintaining Confidentiality of Records

Ending participation in a ForwardHealth program does not end a provider's responsibility to protect the confidentiality of health care and related records containing PHI.

Providers who no longer participate in a ForwardHealth program are responsible for ensuring that they and their business associates/partners continue to comply with all federal and state laws regarding protecting the confidentiality of members' PHI. Once record retention requirements expire, records must be disposed of in such a manner that they cannot be reconstructed according to federal and state regulations in order to avoid penalties. For more information on the proper disposal of records, refer to Confidentiality and Proper Disposal of Records.

All ForwardHealth providers and their business associates/partners who cease practice or go out of business should ensure that they have policies and procedures in place to protect all health care and related records from any unauthorized disclosure and use.

Reviews and Audits

The Wisconsin DHS periodically reviews provider records. DHS has the right to inspect, review, audit, and photocopy the records. Providers are required to permit access to any requested record(s), whether in written, electronic, or micrographic form.

Topic #205

Records Requests

Requests for billing or medical claim information regarding services reimbursed by Wisconsin Medicaid may come from a variety of individuals including attorneys, insurance adjusters, and members. Providers are required to notify ForwardHealth when releasing billing information or medical claim records relating to charges for covered services except in the following instances:

  • When the member is a dual eligible (i.e., member is eligible for both Medicare and Wisconsin Medicaid or BadgerCare Plus) and is requesting materials pursuant to Medicare regulations.
  • When the provider is attempting to exhaust all existing health insurance sources prior to submitting claims to ForwardHealth.

Request From a Member or Authorized Person

If the request for a member's billing information or medical claim records is from a member or authorized person acting on behalf of a member, the provider is required to do the following:

  1. Send a copy of the requested billing information or medical claim records to the requestor.
  2. Send a letter containing the following information to ForwardHealth:
    • Member's name
    • Member's ForwardHealth identification number or SSN, if available
    • Member's DOB
    • DOS
    • Entity requesting the records, including name, address, and telephone number

    The letter must be sent to the following address:

    Wisconsin Casualty Recovery — HMS
    Ste 100
    5615 Highpoint Dr
    Irving TX 75038-9984

Request From an Attorney, Insurance Company, or Power of Attorney

If the request for a member's billing information or medical claim records is from an attorney, insurance company, or power of attorney, the provider is required to do the following:

  1. Obtain a release signed by the member or authorized representative.
  2. Furnish the requested material to the requester, marked "BILLED TO FORWARDHEALTH" or "TO BE BILLED TO FORWARDHEALTH," with a copy of the release signed by the member or authorized representative. Approval from ForwardHealth is not necessary.
  3. Send a copy of the material furnished to the requestor, along with a copy of their original request and medical authorization release to:

    Wisconsin Casualty Recovery — HMS
    Ste 100
    5615 Highpoint Dr
    Irving TX 75038-9984

Request for Information About a Member Enrolled in a State-Contracted Managed Care Organization

If the request for a member's billing information or medical claim records is for a member enrolled in a state-contracted MCO, the provider is required to do the following:

  1. Obtain a release signed by the member or authorized representative.
  2. Send a copy of the letter requesting the information, along with the release signed by the member or authorized representative, directly to the MCO.

The MCO makes most benefit payments and is entitled to any recovery that may be available.

Request for a Statement From a Dual Eligible

If the request is for an itemized statement from a dual eligible, pursuant to HR 2015 (Balanced Budget Act of 1997) § 4311, a dual eligible has the right to request and receive an itemized statement from their Medicare-enrolled health care provider. The Act requires the provider to furnish the requested information to the member. The Act does not require the provider to notify ForwardHealth.

Topic #1646

Release of Billing Information to Government Agencies

Providers are permitted to release member information without informed consent when a written request is made by Wisconsin DHS or the federal HHS to perform any function related to program administration, such as auditing, program monitoring, and evaluation.

Providers are authorized under Wisconsin Medicaid confidentiality regulations to report suspected misuse or abuse of program benefits to the DHS, as well as to provide copies of the corresponding patient health care records.

 