Upcoding & Downcoding
Documentation Disasters
HIPAA Pitfalls & Patient Privacy
Final question (Wager points!)
100

A level 5 E/M service is billed, but documentation only supports level 3. Explain the coding error and potential compliance risk.

  • This is upcoding. It can lead to overpayment, payer audits, and accusations of fraud under the False Claims Act.
100

What does “if it’s not documented, it didn’t happen” mean in compliance?

Services not documented cannot be billed

100

What does HIPAA stand for?

  •  Health Insurance Portability and Accountability Act.
100

What are three red flags that can trigger a Medicare fraud audit?

  • Possible answers: High volume of level 5 E/M codes, excessive use of Modifier 25, billing for services not documented, upcoding, unbundling, repeated claim denials.
200

A coder adjusts an E/M level down to avoid audit risk, despite documentation supporting a higher level. What’s wrong here?

This is downcoding. It misrepresents services rendered and may result in revenue loss and compliance issues.

200

 What key elements must be documented to support an E/M level?

History, exam, medical decision-making

200

A coder takes home de-identified notes to finish work. The notes include dates of service and patient initials. Is this HIPAA compliant?

No. Even initials and dates can be considered PHI when combined. This may be a HIPAA violation.

200

A provider uses “rule out” terminology for a serious condition in the inpatient setting (e.g., “rule out PE”) and the coder assigns the code for PE. Was that correct?

No. In inpatient coding, uncertain diagnoses (e.g., “rule out,” “probable”) can be coded as if present only when documented as such — "rule out" alone is insufficient unless aligned with coding guidelines and clinical evidence.

300

A provider documents a simple skin lesion removal but bills for an excision with complex closure. What is this called?

 Upcoding

300

A provider uses voice recognition software and dictates conflicting information in HPI and A/P. The coder bills based on one section. What’s wrong?

Conflicting documentation should prompt a provider query. Coders cannot assume which section is correct. Billing without clarification risks a compliance error.

300

A nurse looks up a coworker’s medical records out of curiosity. What HIPAA violation is this?

 Unauthorized access or snooping.

400

A provider habitually documents extensive ROS and PFSH that are not medically necessary for the encounter. What's the risk in coding from this documentation?


This could indicate cloning or documentation inflation, potentially supporting inappropriate upcoding.

400

A teaching physician cosigns a resident's note without adding a personal attestation or key components. Is this compliant for billing?

No. For billing, the teaching physician must document their participation and key elements themselves — a cosign alone does not meet Medicare's teaching guidelines.

400

A covered entity loses an unencrypted laptop containing patient records. They self-report within 72 hours. Is this enough to avoid penalties?

Not necessarily. While prompt reporting is required under the Breach Notification Rule, penalties may still apply due to failure to implement required technical safeguards (i.e., encryption).

500

In a surgical consult, a provider selects a high-level E/M based on time alone but fails to document what the time was spent on. Is this billable?

No. Time-based coding requires detailed documentation of total time and what it was spent on (counseling, coordination, etc.). Without this, the level is unsupported.

500

A progress note supports a 99214 E/M level, but a procedure performed is not documented at all. What should be done?

 The procedure must be documented before billing. Query the provider or delay coding until documentation is complete.

500

A coder accidentally emails PHI to the wrong recipient. What should they do first?

Report the breach to the compliance officer immediately.