Founder Letter: The Compliance Challenges Facing Today’s Therapists

In my new role as Chief Compliance Officer, I’m never short of things to do. Compliance is a complex topic to begin with, and with CMS and payers introducing new rules all the time, it’s difficult to stay on top of all the requirements to treat patients and bill for that care. So, I wanted to take this opportunity to highlight a few of the biggest issues I’ve noticed when it comes to compliance and how you can avoid running afoul of auditors. It’s also an excellent chance for me to highlight all of the incredible training material that WebPT has built to help you tackle these and almost any other compliance questions you come across.    

Providers placing patient statements on hold put themselves at risk. 

One trend I’ve noticed quite a bit recently is practices putting a patient’s statement on hold. Most of the time, this is an effort to avoid asking the patient for money at the time of service or via a statement. While those practices and providers are undoubtedly doing it with the best intentions, they risk being booted from a payer’s network—or inadvertently violating kickback laws. If the patient is unable to pay, you can do a hardship discount. If you do not believe the statements are correct and a month or two are required to clean them up, that is acceptable.

If you’re in-network or have a preferred provider agreement with a payer, your contract typically contains a clause requiring you to make every effort to collect any unpaid balance from your patients. I’m aware of instances where providers chose not to collect coinsurance or copays from a patient and were removed from that payer’s network once they found out. 

There are also potential legal ramifications. The Physician Self-Referral Law, also known as the Stark Law, prevents providers from filing claims in which the patient has a financial relationship with the provider. How would that apply here? In this instance, the provider placing a hold on the patient’s statement creates a financial inducement for the patient to choose their services over those of another PT—in the form of free therapy, essentially. Granted, that might not be the spirit of what the provider intended, but the letter of the law is fairly clear on the matter.

The solution is simple: make sure you’re sending out statements and trying to collect from every patient, even if you don’t end up collecting on every dollar owed. Also,  make sure you’re collecting copay and coinsurance at the time of service, and that you’re logging those payments so that Medicare can be notified.         

Excludes1 edits are causing ICD-10 denials.

I’ve also seen a sharp rise in ICD-10 denials—largely due to the presence of Excludes1 edits. In case you need a refresher, Excludes1 notes prevent certain sets of codes from being used together, largely to prevent coding of conditions that cannot exist concurrently. In my estimation, 70% of payers have begun using editing software that applies coding rules and catches these Excludes1 edits. 

Fortunately, you can avoid running into this issue quite easily. For a start, WebPT has Excludes1 edits baked right into our EMR to notify you if you’re using codes that would create an Exculdes1 edit. But, there also needs to be some preliminary research on the part of providers into the primary diagnosis codes they’re thinking of using to see what the Excludes1 edits are before they use that code. There are a couple of great resources for ICD-10 codes: both icd10data.com on desktop or ICD10 Consult in the Apple and Google Play stores give you detailed information on each code and any Excludes1 edits.

Proper use of ICD-10 codes still eludes some clinicians.

• Primary dx and secondary dxssome text
  • Don’t add secondaries that are part of a primary
  • Z codes primary followed by a secondary that is applicable to the reason for surgery

New plan of care signature rules could change existing workflows. 

If you’ve read the 2025 proposed rule—or our much shorter recap covering all the important parts for rehab therapists—you know that one change CMS is toying with is the requirements for a physician’s signature on a plan of care. It can be hard to get a physician's signature on a POC promptly, so CMS is proposing to allow for an NPP or physician’s signed and dated order or referral to meet the signature requirements within that 30-day window —provided that you have evidence you’ve submitted the POC to the patient’s physician or NPP.

It sounds like great news—and it very well might be—but I would caution against getting too excited too soon. For a start, we need to see what the language in the final rule is for this new guideline; the wording can make a huge difference in how this rule can be applied. With the final rule coming out in November 2024 and going into effect on January 1, 2025, that’s very little time for everyone to change their software and workflows to adapt to this potentially new way of doing things.  

And it’s worth noting that the regulation as we’re understanding it—which, again, is not in its final form—isn’t absolving PTs from collecting a physician’s signature entirely. If you want care covered beyond that initial 30 days, you’re still going to have to hound a patient’s primary care doctor to sign off on your POC at some point, so don’t fall into the trap of thinking a few attempts to get that signature gets you off the hook entirely.      

Google’s new AI functionality could lead you astray. 

One concerning development outside the regulatory space is the way providers may be getting their information. You’ve probably noticed during recent Google searches that the top result may be an AI summation of information gathered and synthesized on the topic. Unfortunately, Google’s AI tool is still fairly rudimentary, and the information it’s providing at present is typically wrong at best and potentially harmful at worst. 

Rehab therapists are knowledgeable enough to spot the obvious bad information, but what if AI is pulling information that looks correct but is out of date? Therapists should be extremely cautious of taking anything provided by AI-powered search results as absolute truth. I prefer to stick to primary sources when possible, and I’d recommend others take that same approach to get the most reliable and up-to-date information.

Cyberattacks will remain an ongoing concern.     

While Change Healthcare may have fallen out of the headlines, that doesn’t mean that ransomware attacks and other efforts to breach healthcare companies’ servers are going away. Unfortunately, the hackers’ success only encourages more groups to try similar tactics for an easy payday. 

Luckily, you can take steps to protect yourself and your data. For example, WebPT uses real-time monitoring tools and automated tools that help quarantine any potential risks. We take security very seriously; that’s why we’ve obtained ISO certification and completed a SOC2 (Service Organization Controls 2) audit, which are the gold standards for security in our industry. And for our Members, we’re offering features like single sign-on (SSO), multi-factor authentication (MFA), and a federated login option.    

In addition to having the right security tools in place, it’s also about having the right practices in place. WebPT does annual security training that covers topics like phishing as a reminder to never click on links or open attachments from sources you don’t know and trust. Rehab therapy practices can and should be doing the same with their staff regularly; all it takes is one slip-up to compromise practice data and your patient’s privacy.            

WebPT has a wealth of training available.

I enjoy talking about billing and compliance, but with my new responsibilities, I only have so much time to tackle questions from Members and other rehab therapists. (If you do have a particularly challenging question, though, you can send it to billingquestions@webpt.com.) That’s why we’ve built an extensive library of knowledge for Members to access help with just about any question. WebPT University has a lot of educational material on therapist intervention charge training, ICD-10 coding, and other billing, coding, and compliance topics.  We’re also working on a free Medicare compliance training package that would help providers meet the requirements for your staff mandated by Medicare.  

If your questions are related to how to use particular features within the EMR, you can access our knowledge base articles through the Support Hub to find answers and best practices for how to use our products. You can also get questions answered by using our chat feature to talk to the Member Support team.

Busy or not, I’m also carving out time for educational content on compliance issues. I host a monthly(ish) Billing Bootcamp webinar series where I tackle some of the trickiest compliance, billing, and payer issues and answer viewer questions. Every October, Heidi and I do our live billing Q&A webinar where viewers get a chance to ask their toughest billing questions. And I contribute to the WebPT blog periodically with updates on the latest payer and regulatory developments providers need to know. 

Compliance is a moving target—and WebPT is always evolving to hit the mark.  

WebPT can’t take compliance concerns off your plate entirely; at the end of the day, clinicians and billers are still responsible for the codes they choose to bill. But we’re constantly working to make it as easy as possible, with edits and notifications built into the EMR to catch any coding errors as well as the aforementioned library of educational material to help you keep your knowledge up to date. We’re always working on the next update as well to stay ahead of the latest changes coming from payers or risks posed by bad actors. So, be sure to stay up to date on our blog and product emails to learn about the latest developments in the world of compliance.