Kathy Mills Chang, MCS-P, CCPC

If you are or know a chiropractor, odds are good that one of the last words that comes to mind is “compliant.” Most DCs didn’t go to chiropractic college because they’re big on being joiners and obedient rule-followers. In fact, hang around chiropractors long enough and other terms tend to come up: maverick, game-changer, independent, rebel.

Can you honor your independent streak and still stay in good standing with third-party payers? Absolutely, you can. That’s what makes you a rebel, albeit a rebel with a clause. And that clause reads: “make sure you’re not the droids they are looking for.”

It doesn’t take mad Jedi skillz to avoid the Stormtroopers from Medicare and other third-party payers. All it requires is a solid understanding of the rules, and, truly, common sense.

Don’t make easily avoidable mistakes.

The Office of the Inspector General (OIG) hasn’t been shy about sharing its low opinion of chiropractic documentation. Most notably, it’s said that chiropractic services have the highest improper payment rates among Medicare Part B services.

This is mostly due to totally avoidable errors, like billing for non-covered maintenance therapy, using an AT modifier to code care that wasn’t actually active treatment, or using a red flag-waving percentage of 98942 (five spine region) codes when the OIG says your 98942s should represent 10% or less of your coding. Other mistakes include being one number off on a code, failing to update a patient’s insurance information, or—duh!–forgetting to sign the documentation.

Take records requests seriously.

Because chiropractic offices receive requests for records every day, it’s tempting to downplay them without considering that they may well be a precursor to a full- blown audit. These seemingly simple requests can be fishing expeditions on the part of a government entity or third-party payer to see if they can find errors in the way you document medical necessity.

How to handle this? Start with an often-overlooked step: make sure the request is accompanied by a legal authorization for release of information. If it’s not there, acting in haste will put you in violation of your own HIPAA policy, unless it is patient-approved for TPO (Treatment, Payment, and Healthcare Operations). Also, don’t be shy about getting help. Reach out to a compliance specialist to learn how to respond to records requests effectively.

Get clear on what your contracted carriers consider “medically necessary care.”

You know what you consider clinically appropriate care. But what you may not know is much more important from a reimbursement standpoint: what does each of your contracted carriers define as medically necessary care? If you have a contract with a third-party payer, make no mistake: it doesn’t much matter what you think—by signing up, you’ve agreed to play by their rules.

You still have complete autonomy when it comes to deciding what treatment you’ll recommend to each patient—but the carrier can and will dictate that portion of treatment for which they’ll pay. So treat your patients as your experience and best clinical judgment dictate, but make sure that you only submit the part of your documentation that aligns with each carrier’s medical review policy for reimbursement.

Get HIPPA-fied

Did you install a HIPPA program over a decade ago and basically forget about it? If so, you’re not alone. But there’s no safety in numbers here. It’s critical that your HIPAA compliance be up to date.

Start with the HIPAA Security Compliance Evaluation and the HIPAA Security Risk Analysis, both required by law and both essential to maintain. If you create, receive, maintain, or transmit any electronic PHI (Protected Health Information, you must understand the difference between the two. HIPAA’s Security Evaluation asks, “Where do we stand and how well are we achieving ongoing compliance in this area?”  HIPAA’s Risk Analysis, on the other hand, asks, “What’s the exposure to our Protected Health Information? What do we need to do in order to mitigate possible risks? Are our backup plans working?”

Put policies and procedures in place.

You need your own Privacy and Security Risk Management and Governance Program. This means that you have policies and procedures in place, update them regularly, and train all team members. This isn’t a binder or manual you can buy, although you can use a template to guide you—this is you writing up your individual policies and procedures. That means detailing exactly what you’ll do in the event of a breach, whether minor (team member opens a patient record they didn’t need to see) or major (your laptop gets stolen). What safeguards can you put in place to make sure breaches don’t happen—and what will you do if they occur?

Remember, you can be a rebel without being irresponsible. Get a handle on the rules that aren’t bendable and breakable, and you’ll actually experience more freedom than you have when you fly blind without knowing where the obstacles are.


Kathy Mills Chang is a Certified Medical Compliance Specialist (MCS-P) and Certified Chiropractic Professional Coder (CCPC), and a Certified Clinical Chiropractic Assistant (CCCA)  and since 1983, has been providing chiropractors with reimbursement and compliance training, advice, and tools to improve the financial performance of their practices. Kathy leads a team of 22 at KMC University, and is known as one of our profession’s foremost experts on Medicare. She or any of her team members can be reached at (855) 832-6562 or info@KMCUniversity.com.