New Year, New Medicare Payment Rules

December 16, 2021

January 1 is not only the start of a new calendar year, it is also the date when several Medicare payment rule changes take effect. Two such rules are the Outpatient Prospective Payment System (OPPS) and the Medicare Physician Fee Schedule (MPFS).

Below is one highlight from each of these rules:

Medicare OPPS – Inpatient Only List

Historically, Medicare maintains a list of approximately 1,700 procedures that are not payable if billed as an outpatient procedure.  These procedures are often referred to as the Inpatient Only List. Under last year’s OPPS rule, Medicare announced it would phase out the Inpatient Only List and allowed 298 procedures to be payable as outpatient procedures.

This year, Medicare reversed this decision and reinstated most of the 298 procedures removed, again designating them as Inpatient Only. As a result, operation workflows (orders, patient status indicators, documentation, etc.) will need to be revised to assure compliance.

Medicare MPFS – Split/Shared Visits

Split/shared evaluation and management (E/M) visits are visits provided in a facility setting by a physician and a non-physician practitioner of the same group.  Under the regulatory changes for 2022:

  • split/shared visits may be reported for new and established patients and are applicable to initial and subsequent visits
  • the visit may be billed under the physician’s NPI if the physician (1) performed either the history, the exam, or medical decision-making, OR (2) provided more than half of the total time for the visit
  • split/shared visits must be billed with a HCPCs modifier (not specified yet) to indicate split/shared status

When Should I Contact the Privacy Team?

When Should I Contact the Privacy Team?

You should contact the Privacy team when:

  • You believe an individual’s privacy rights have been violated
  • A document, information system, or anything else containing patient information has been lost, stolen, or compromised
  • You have a privacy-related question or need guidance
  • You would like privacy education

Some examples include:

  • A patient has a privacy concern or complaint
  • You believe patient information was accessed or disclosed inappropriately
  • You have a question about UConn Health privacy policies or procedures
  • Your department wants guidance on a particular privacy-related regulation or needs a HIPAA refresher

How do I contact the Privacy team? 

You can contact us by phone or email:

When in doubt, give us a shout! We are here to help!

HIPAA and the Holidays

November 17, 2021

The holiday season is here.  Are you sending holiday cards to your coworkers and need their addresses?

Is it okay to look up a coworker’s address in the electronic medical record to send a holiday card?

No. Do not look up a coworker or any other person in the electronic medical record to obtain an address or telephone number. Accessing the electronic medical record system for purposes other than to do your job is not permitted. Inappropriate access to a patient’s electronic medical record may result in disciplinary action, up to and including termination.

Is it okay to look up a coworker’s address using the patient look-up feature in Epic or axiUm?

No.  Employees are not permitted to use the patient lookup feature in Epic or axiUm for personal reasons, even if you do not view other parts of the patient chart. Although the Patient Lookup feature does not open the patient chart, it is part of the electronic health record and displays Protected Health Information (PHI).


  • Epic and axiUm are not address books.
  • Accessing a co-worker’s medical record for a non-work purpose (such as sending holiday cards) is not permitted.
  • PHI should only be accessed when necessary for job-related purposes.
  • Searching for a patient by name or other identifier in Patient Lookup or the medical record without a job-related need is snooping and may result in disciplinary action.

Please contact the Office of Healthcare Compliance and Privacy if you have questions.

PEPPER! It’s Not Just Seasoning!

October 8, 2021

What is a PEPPER report?

PEPPER stands for the Program for Evaluating Payment Patterns Electronic Report. PEPPER reports summarize Medicare claims data for a provider in “target areas” that may be at risk for improper Medicare payments. PEPPER compares a provider’s Medicare claims data statistics with combined Medicare data for the nation, jurisdiction, and the state. PEPPER is an educational tool that is intended to help providers assess their risk for improper Medicare payments. While PEPPER reports started as a report pushed out to providers, it is now the responsibility of the organization to pull the report, which is available on PEPPER Resources (

PEPPER Target Areas: 

PEPPER target areas are identified as potentially at risk for improper Medicare payments (e.g., coding or billing errors, unnecessary admissions/services).

Coding-Focused Admission-Focused
Simple Pneumonia Total Knee Replacement (added with the Q3FY20 release)
Septicemia 30-Day Readmissions to Same Hospital or Elsewhere
Unrelated Or Procedures Two-Day Stays for Medical DRGs
Emergency Department Evaluation & Management Visits One-Day Stays for Medical DRGs

For a complete listing of PEPPER target areas visit PEPPER Resources (

How can providers take advantage of the data PEPPER reports offer?

  • To assist hospitals with monitoring short stays, several target areas in PEPPER focus on one-and two-day stays. Hospitals should examine their statistics for these target areas to help assess their risk for unnecessary admissions and to monitor changes in admission practices over time.
  • PEPPER does not identify the presence of payment errors, but it can be used as a guide for auditing and monitoring efforts. A hospital can use PEPPER to compare its claims data over time to identify areas of potential concern such as:
    • Significant changes in billing practices
    • Possible over-or under-coding
    • Changes in lengths of stay

PEPPER reports were developed as a compliance tool, but the data provided can also assist in revenue cycle optimization and integrity.

Have questions about the PEPPER report? Contact the Office of Healthcare Compliance and Privacy.

Tips for Emailing Patient Information

October is Cyber Security Awareness Month and the
Office of Healthcare Compliance and Privacy has some
tips for you on sending patient information by email.

Responsibilities of individuals authorized to
email protected health information (PHI):

  • Do not email PHI to your personal email address.
  • Do not email PHI to another UConn Health user’s personal email address.
  • When emailing PHI to another UConn Health user, use the recipient’s UConn Health email address.
  • Do not include PHI in the subject line of an email.
  • Emails containing PHI must include [Secure] in the subject line or the body of the email.
  • Double-check all recipient e-mail addresses before hitting the send button, and watch out for the auto-complete function in Outlook.
  • Do not share your password with anyone, and lock your computer when not in use.

Review our internal policies for more information:

For more information, contact the Office of Healthcare Compliance and Privacy.

2021 Annual Compliance Training

September 15, 2021

The Office of Healthcare Compliance and Privacy and the Information Security department are gearing up to kick off the 2021 annual training season. Key training information is highlighted below.

Training modules will be assigned to employees in mid-October and must be completed within the Saba Learning Center.

Three (3) training courses will be required. When training is launched, you will receive 3 separate emails from, one for each of the following courses:

    • 2021 Healthcare Compliance Training
    • 2021 HIPAA Privacy Training
    • 2021 Security Awareness Training

You have 90 days from when the courses are assigned to you to complete them. Different deadlines may apply to employees on a leave of absence.

      Compliance training is a key component of the University’s compliance program and is required by law and University policy. Courses are designed to educate the UConn Health community on identifying, preventing and detecting incidents of non-compliance.

      Many training questions can be answered by visiting our Training FAQ’s page. If you have other questions or concerns, please contact the Office of Healthcare Compliance and Privacy.

      Welcome Melissa Walsh

      August 17, 2021

      The Office of Healthcare Compliance and Privacy is pleased to welcome Melissa Walsh to our team as a Compliance Specialist. Melissa is an experienced healthcare professional with expertise in clinical documentation and coding, revenue cycle management and healthcare compliance.

      In her new role, Melissa will be assisting UConn Health’s clinical operations with their compliance inquiries and initiatives. In addition, she will be assisting with the development and implementation of the institution’s annual compliance plan.

      Please join us in extending a warm welcome to Melissa and wishing her success in her new position!

      FairWarning and axiUm

      Effective September 1, 2021, UConn Health will begin monitoring access to axiUm using FairWarning, a privacy monitoring tool that will enhance UConn Health’s ability to detect and respond to potential privacy violations, such as inappropriate access to patient records.

      To help you understand FairWarning, the UConn Health Privacy team has prepared the following educational materials:

      FairWarning FAQs for Managers;

      A reminder about inappropriate “snooping” into patient records; and

      An important reminder about employees accessing their own or a family member’s medical record.

      In addition, please review Snooping and the Patient Lookup Feature in Epic and axiUm. Remember: searching for a patient by name or other identifier in the patient look up field (i.e. Rolodex) without a job-related need is snooping. Although the patient look up field does not open the patient chart, it is part of the electronic health record and displays protected health information (PHI). Please look up patients only when your job requires it.

      If you have questions about FairWarning or UConn Health privacy policies, please contact your supervisor or a member of UConn Health’s Privacy team at or x7226.

      Thank you for your ongoing commitment to protecting patient privacy at UConn Health!

      What’s the Plan?

      July 29, 2021

      Healthcare providers are encouraged as a best practice to routinely evaluate the OIG Work Plan. However, you might be wondering  –  What is the OIG? What is their Work Plan? Why is it important to evaluate the Work Plan?

      Who are the OIG?
      The Office of Inspector General (OIG) provides independent oversight of the federal agencies under the purview of the U.S. Department of Health and Human Services (HHS). UConn Health receives payments from, and is regulated by, several such agencies including the Centers for Medicare and Medicaid Services (CMS), the Centers for Disease Control (CDC) and the Health Resources and Services Administration (HRSA).

      The OIG continuously audits healthcare providers who receive funding from these and other HHS agencies to assure that providers comply with federal statutory and regulatory requirements.

      What is the OIG Work Plan?
      The OIG issues a Work Plan which identifies areas that the OIG will audit. Areas are selected for audit when mandated by statute or when the OIG determines there is an elevated risk to the financial integrity of a HHS program (such as Medicare).

      The Work Plan is updated monthly as new risk areas are identified, audit scopes are revised or audits are completed.

      Below are two examples of audits that are currently listed in the Work Plan:

      Telehealth Expansion During the COVID-19 Emergency – OIG will determine whether providers complied with Federal and State requirements for telehealth services under the national emergency declaration.”
      “Two Midnight Rule-OIG will review short stay inpatient claims to determine whether they were incorrectly billed as inpatient and should have been billed as outpatient or observation.”

      Why is it important for UConn Health to evaluate the Work Plan?
      Routinely evaluating the OIG Work Plan helps UConn Health:

      • Reduce institutional risk:
        Routinely evaluating the Work Plan allows UConn Health to assess whether its operations comply with legal requirements, and identify and implement any necessary corrective measures.
      • Avoid sanctions:
        The OIG may impose sanctions on healthcare providers found to be out of compliance through an OIG audit. Possible sanctions include financial penalties, civil and/or criminal prosecution, and/or exclusion from participating in federal healthcare programs such as Medicare. In addition, identified overpayments must be refunded to the government.
      • Demonstrate organizational commitment to compliance:
        In determining the severity of sanctions to impose, the OIG may consider the level of organizational commitment to maintaining an effective compliance program. Regular review and assessment of the Work Plan by UConn Health evidences our organization’s commitment to maintaining compliance.
      • Establish a proactive rather than a reactive approach:
        Knowing which areas the OIG considers high risk, assists UConn Health in deciding where to allocate attention and resources before an audit occurs.

      Check out these FY 2020 OIG statistics…

      Statistic Semiannual Reporting Period
      Audit Reports Issued   75
      Evaluations Issued  20
      Expected Audit Recoveries $566.46 million
      Potential Savings $919.97 million
      New Audit and Evaluation Recommendations  228
      Recommendations Implemented by HHS OpDivs 228
      Expected Investigative Recoveries 1.37 billion
      Criminal Actions 221
      Civil Actions 272
      Exclusions  1,036

      At UConn Health, operational owners and the Office of Health Care Compliance and Privacy collaborate to review and evaluate the OIG Work Plan on a quarterly basis. It is a significant undertaking, but one well worth the effort.

          Snooping and the Patient Lookup Feature in Epic and axiUm

          June 25, 2021

          At UConn Health, patient medical information is stored in Epic, and patient dental information is stored in axiUm. If your job requires access to Epic or axiUm, you must have a job-related need to access patient information in those systems. This includes using the “Patient Lookup” feature in Epic and axiUm. Searching for a patient by name or other identifier in Patient Lookup without a job-related need is snooping. Snooping, including the use of Patient Lookup without a job-related need, may result in disciplinary action. Although Patient Lookup does not open a patient’s chart, a search in Patient Lookup reveals several patient identifiers (e.g., name, date of birth, medical record number, legal sex and address). This is Protected Health Information (PHI) and should only be accessed when necessary for job-related purposes.

          Searching for a patient by name or other identifier in Patient Lookup without a job-related need is snooping. Although Patient Lookup does not open the patient chart, it is part of the electronic health record and displays PHI. Please use Patient Lookup only when your job requires it.