Update on Medicare/Medicaid Audits in the Wake of COVID-19

Published in Today’s Wound Clinic:

When I was asked to draft an article for Today’s Wound Clinic, it was approximately two weeks ago. I was asked to write about the current state of Medicare and Medicaid audits. Specifically, I was asked to provide a legal analysis about CMS suspending audits un-related to COVID-19. In the month of April, we have seen the spike of COVID-19, which has overturned our everyday world. We have been instructed by President Trump to “stay home” and “social distance” to decrease the spread of the virus. This “stay at home” instruction is unprecedented and has uprooted many of our most reliable and commonplace businesses, such as hairdressers, bowling alleys, and tattoo parlors.

Here is the answer: The current state of Medicare/Medicaid audits, at the moment, is dictated by COVID-19.

We can divide the post-COVID-19 audit rules into 3 categories:

1. Those exceptions published by CMS to apply to all health care providers
2. Those special, verbal exceptions given directly to an individual provider that were not published by CMS
3. Effective immediately, new guidelines that CMS will follow until CMS believes it no longer needs to follow (by its own choice, of course).

An example of an “effective immediately” guideline is our current state of Medicare/Medicaid audits in the wake of COVID-19. CMS has not suspended all Medicare/Medicaid regulatory audits. But CMS has suspended most audits.

Effective immediately, survey activity is limited to the following (in Priority Order):

• All immediate jeopardy complaints (cases that represents a situation in which entity noncompliance has placed the health and safety of recipients in its care at risk for serious injury, serious harm, serious impairment or death or harm) and allegations of abuse and neglect;
• Complaints alleging infection control concerns, including facilities with potential COVID-19 or other respiratory illnesses;
• Statutorily required recertification surveys (Nursing Home, Home Health, Hospice, and ICF/IID facilities);
• Any re-visits necessary to resolve current enforcement actions;
• Initial certifications;
• Surveys of facilities/hospitals that have a history of infection control deficiencies at the immediate jeopardy level in the last three years;
• Surveys of facilities/hospitals/dialysis centers that have a history of infection control deficiencies at lower levels than immediate jeopardy.

See CMS QSO-20-12-ALL. You can see that these “effective immediately” guidelines are usually published on CMS letterhead. The “effective immediately” guidelines explain why CMS is taking the stated action, the stated action, and that the action is temporary and due to COVID-19.

Here are a few recent “effective immediately” guidelines due to COVID-19:

• On April 27, 2020, CMS said it would no longer expedite Medicare payments to doctors and be more stringent about accelerating the payments to hospitals as Congressional relief aimed at providers reaches $175 billion.
• The agency is not accepting any new applications for the loans from Part B suppliers, including doctors, non-physician practitioners and durable medical equipment suppliers. CMS will continue to process pending and new requests from Part A providers, including hospitals, but be stricter with application approvals.
• CMS expanded the Accelerated and Advance Payment Programs in late March as the pandemic continued to gain strength in the U.S. Since then, the agency has approved over 21,000 applications making up $59.6 billion in accelerated payments to Part A providers and almost 24,000 applications making up $40.4 billion in payments for Part B suppliers.

The $2.2 trillion Coronavirus Aid, Relief, and Economic Security stimulus package passed by Congress in March benchmarked $100 billion in funds for hospitals. On Friday, President Donald Trump signed legislation with a second round of emergency funding, called the Paycheck Protection Program and Health Care Enhancement Act, that allocates another $75 billion for providers — roughly three-quarters of what major provider trade associations requested.

An initial $30 billion from the fund was distributed between April 10 and April 17 based on Medicare fee-for-service revenue, sparking criticism that put facilities with a smaller proportion of Medicare business, such as children’s and disproportionate share hospitals, at a disadvantage. HHS on Friday began releasing an additional $20 billion in CARES payments to providers based on their 2018 net patient revenue, with more funding to roll out “soon,” the agency said, including $10 billion for hard-hit areas like New York.

How RAC/MAC auditors are compensated dictates their actions and/or aggressiveness.

RAC Auditors are paid by contingency. They are usually compensated approximately 13%, depending on the State. Imagine what 13% is of 1 million. It is $130,000 – more than most people make in a year. If you do not believe that 13% contingency is enough to incentivize a company, which, in turn, incentivize the employees, then you are sorely mistaken.

RACs were established through a demonstration program under the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (“MMA”), piloted between 2005 and 2008, and were later made permanent under the Tax Relief and Health Care Act of 2006, which required CMS to establish Recovery Auditors for all states before 2010.

MACs are not compensated by contingency, per se. CMS decided to structure the MAC contracts with 1-year base performance periods and four, optional, 1-year performance periods at the time. The MMA required that these contracts be recompeted at least once every 5 years. The recent enactment of the Medicare Access and CHIP Reauthorization Act of 2015 amended this requirement to authorize a maximum 10-year performance period before MAC contracts must be recompeted. The amendment, which applies to MAC contracts in effect at the time of enactment or entered into on or after enactment, would permit CMS to modify existing MAC contracts or enter into future MAC contracts for 1-year base performance periods and nine optional 1-year performance periods. See Pub. L. No. 114-10, § 509(a)- (b) (April 16, 2015). Therefore, while MACs are not compensated on contingency, MACs are compensated on performance. The less a MAC spends, the more services a MAC allows, the strict oversight a MCA ensues on its providers…all these “performance-based” measures may not be a contingency compensation relationship, but it’s pretty close. Saved money becomes profit for MACs.

Medicare and Medicaid auditors love rules. Even if the rules that auditors are instructed to follow really are not required by actual law. It goes without saying that auditors are not lawyers. Auditors are not trained to decipher whether statutes, regulations or policy are superseded by federal statutes and regulations. The fact is that, more times than one would hope, the auditors are wrong in their assessments that a claim should be denied, not out of malice, but because of a basic misunderstanding of what the law actually requires.

I have all kinds of stories about auditors claiming money is owed, when, really it was not owed because the RAC/MAC auditor failed to follow the actual, correct procedure or misconstrued a regulation. For example, I had a durable medical equipment provider, DME ABC, who was informed by the NSC Supplier Audit and Compliance Unit of Palmetto GBA that it owed $1,075,548.64. Palmetto is one of the MACs for Medicare – durable medical equipment. There was no demand letter. The alleged overpayment amount came to fruition in a telephone conference between the CEO of the company and an employee of Palmetto. Let’s call her Nancy. Nancy told CEO that company owed $1,075,548.64 based on an alleged violation of 42 C.F.R. § 424.58,

Even more disconcerting, was the fact that Palmetto claimed that its alleged, oral overpayment against DME ABC arose from a normal, reoccurring validation process pursuant to 42 C.F.R. §424.57, approved by CMS and in accordance with the requirements of 42 C.F.R. §424.58. No formal letter was necessary was Palmetto’s retort. Not correct; a formal demand letter is always required.

In this case, Palmetto began to backtrack once we pointed out that Palmetto nor Nancy ever sent a formal demand letter with any reconsideration review appeal rights or administrative appeal rights. We knew this was procedurally incorrect because federal law dictates that you receive a formal demand letter with appeal rights and notice of how many days you have to appeal. But out of fear of retribution, DME ABC was willing to write a check without pushing back. Obviously, we did not do so.

I tell this story as an example of how intimidating, scary, and overwhelming auditors can be. If someone off the street asked you for a million dollars, you would laugh them off your doorstep, right? After you tell them to don a mask and maintain social distancing.

But in the new-age world of COVID-19, rules have been broken. This behavior would not be acceptable pre-COVID-19. But this provider honestly was going to pay.

The Trump Administration is issuing an unprecedented array of temporary regulatory waivers and new rules to equip the American healthcare system with maximum flexibility to respond to the 2019 Novel Coronavirus (COVID-19) pandemic.

Pre-COVID-19 if you were to state “paperwork over patients,” everyone in the industry would agree. There would be snickers and eyes rolling, because no one wanted paperwork to be over patients. But it was. Now the mantra has flipped upside down – now the mantra is: Patients over Paperwork.

Post-COVID-19, if documents are lost or misplaced, or otherwise unusable, DME MACs have the flexibility to waive replacements requirements under Medicare such that the face-to-face requirement, a new physician’s order, and new medical necessity documentation are not required. Suppliers must still include a narrative description on the claim explaining the reason why the equipment must be replaced and are reminded to maintain documentation indicating that the DMEPOS was lost, destroyed, irreparably damaged or otherwise rendered unusable or unavailable as a result of the emergency.

Post-COVID-19, CMS is pausing the national Medicare Prior Authorization program for certain DMEPOS items. CMS is not requiring accreditation for newly enrolling DMEPOS and extending any expiring supplier accreditation for a 90-day time period. CMS is waiving signature and proof of delivery requirements for Part B drugs and Durable Medical Equipment when a signature cannot be obtained because of the inability to collect signatures. Suppliers should document in the medical record the appropriate date of delivery and that a signature was not able to be obtained because of COVID-19.

Post-COVID-19, in order to increase cash flow to providers impacted by COVID-19, CMS has expanded the current Accelerated and Advance Payment Program. An accelerated/advance payment is a payment intended to provide necessary funds when there is a disruption in claims submission and/or claims processing. CMS may provide accelerated or advance payments during the period of the public health emergency to any two Medicare providers/suppliers who submits a request to the appropriate MAC and meets the required qualifications. The process of obtaining the funds is a MAC-by-MAC process. Each MAC will work to review requests and issue payments within seven calendar days of receiving the request. Traditionally repayment of these advance/accelerated payments begins at 90 days, however for the purposes of the COVID-19 pandemic, CMS has extended the repayment of these accelerated/advance payments to begin 120 days after the date of issuance of the payment. Providers can get more information on this process here: www.cms.gov/files/document/Accelerated-and-Advanced-Payments-Fact-Sheet.pdf

The Future of Medicare/Medicaid Audits

The beauty of predicting the future is that no one can ever tell you that you are wrong. These are my predictions:

Auditors will deny claims for not having prior authorizations. Auditors will deny claims because the supplier accreditation expired after the 90-day time period. Auditors will deny claims because the percentage of face-to-face time was not met as described per CPT codes.

Obviously, these would be erroneous denials if the denials are within the dates that the COVID-19 pandemic occurred. The problem will be that the auditors will not be able to keep up with all the exceptions, not because the auditors are acting out of malice or dislikes providers. They will be simply trying to do their job. They will simply not be able to take into consideration all the exceptions that were given during the virus. Because, while we do have many written exceptions, if you call CMS with a personal and individualized problem, CMS will, most likely, grant you a needed exception. As long as the exception has the best interest of the consumer at heart. However, this personalized exception will not be written on CMS’s website. In five years, when you undergo a MAC or RAC audit, you better have proof that you received that exception. It will not be enough proof for you to state that you were given the exception over the phone.

So how can you protect yourself from future, erroneous audits?

Write everything down. When you speak to CMS, document concurrently the date, time, name of the person to whom you are speaking, the summary of your conversation, the COVID-19 regulatory exception, sign it and date it.

It is a hearsay exception. Writing down everything does not magically transform your note into the truth. However, writing down everything concurrently does magically allow that note that you wrote to be allowed in a court of law as an exhibit. Had you not written the note contemporaneously with the conversation that you had with CMS, then the attorney on the other side of the case would move to exclude your handwritten or typed note as hearsay.

Hearsay is defined as a statement that (1) the declarant does not make while testifying at the current trial or hearing; and (2) a party offers in evidence to prove the truth of the matter asserted in a statement. There are too many hearsay exceptions to name in this article.

Just know, for purposes of this article, that any health care provider who is relying on an exception to a normally required regulatory mandate – regardless what it is – either be able to: (1) cite the written exception that was published by CMS to the public; or (2) produce the written or typed contemporaneously written note that you wrote to memorialize the conversation.

New Revisions to the Additional Documentation Request (ADR) Process

The ADR rule went into effect Jan. 1, 2019. Original blog post published March 6, 2019, on RACMonitor.

The Centers for Medicare & Medicaid Services (CMS) has updated its criteria for additional document requests (ADRs). If your ADR “cycle” is less than 1, CMS will round it up to 1.

What is an ADR cycle?

When a claim is selected for medical review, an ADR is generated requesting medical documentation be submitted to ensure payment is appropriate. Documentation must be received by CGS (A Celerian Group Company)  within 45 calendar days for review and payment determination. Any selected and submitted claim can create an ADR. In other words, a provider is asked to prove that the service was rendered and that the billing was compliant.

It is imperative to understand that you, as the provider, check the Fiscal Intermediary Standard System (FISS) status/location S B6001. Providers are encouraged to use FISS Option 12 (Claim Inquiry) to check for ADRs at least once per week. You will not receive any other form of notification for an ADR.

To make matters even more confusing, there are two different types of ADRs: medical review (reason code 39700) and non-medical review (reason code 39701).

An ADR may be sent by CGS, Zone Program Integrity Contractors (ZPICs), Recovery Audit Contractors (RACs), Supplemental Medical Review Contractors (SMRCs), the Comprehensive Error Rate Testing (CERT) contractor, etc. When a claim is selected for review or when additional documentation is needed to complete the claim, an ADR letter is generated requesting that documentation and/or medical records be submitted.

The ADR process is essentially a type of prepayment review.

A baseline annual ADR limit is established for each provider based on the number of Medicare claims paid in the previous 12-month period that are associated with the provider’s six-digit CMS Certification Number (CCN) and the provider’s National Provider Identifier (NPI) number. Using the baseline annual ADR limit, an ADR cycle limit is also established.

After three 45-day ADR cycles, CMS will calculate (or recalculate) a provider’s denial rate, which will then be used to identify a provider’s corresponding “adjusted” ADR limit. Auditors may choose to either conduct reviews of a provider based on their adjusted ADR limit (with a shorter lookback period) or their baseline annual ADR limit (with a longer lookback period).

The baseline, annual ADR limit is one-half of one percent of the provider’s total number of paid Medicare service types for which the provider had reimbursed Medicare claims.

Effective Jan. 1, 2019, providers whose ADR cycle limit is less than 1, even though their annual ADR limit is greater than 1, will have their ADR cycle limit round up to 1 additional documentation request per 45 days, until their annual ADR limit has been reached.

For example, say Provider ABC billed and was paid for 400 Medicare claims in a previous 12-month period. The provider’s baseline annual ADR limit would be 400 multiplied by 0.005, which is two. The ADR cycle limit would be 2/8, which is less than one. Therefore, Provider ABC’s ADR cycle limit will be set at one additional documentation request per 45 days, until their annual ADR limit, which in this example is two, has been reached. In other words, Provider ABC can receive one additional documentation request for two of the eight ADR cycles, per year.

ADR letters are sent on a 45-day cycle. The baseline annual ADR limit is divided by eight to establish the ADR cycle limit, which is the maximum number of claims that can be included in a single 45-day period. Although auditors may go more than 45 days between record requests, in no case shall they make requests more frequently than every 45 days.

And that is the update on ADRs. Remember, the rule changed Jan. 1, 2019.

Once You STOP Accepting Medicaid/Care, How Much Time Has to Pass to Know You Will Not Be Audited? (For Past Nitpicking Documentation Errors)

I had a client, a dentist, ask me today how long does he have to wait until he need not worry about government, regulatory audits after he decides to not accept Medicare or Medicaid any more. It made me sad. It made me remember the blog that I wrote back in 2013 about the shortage of dentists that accept Medicaid. But who can blame him? With all the regulatory, red tape, low reimbursement rates, and constant headache of audits, who would want to accept Medicare or Medicaid, unless you are Mother Teresa…who – fun fact – vowed to live in poverty, but raised more money than any Catholic in the history of the recorded world.

What use is a Medicaid card if no one accepts Medicaid? It’s as useful as our appendix, which I lost in 1990 and have never missed it since, except for the scar when I wear a bikini. A Medicaid card may be as useful as me with a power drill. Or exercising lately since my leg has been broken…

The answer to the question of how long has to pass before breathing easily once you make the decision to refuse Medicaid or Medicare? – It depends. Isn’t that the answer whenever it comes to the law?

By Whom and Why You Are Being Investigated Matters

If you are being investigated for fraud, then 6 years.

If you are being investigated by a RAC audit, 3 years.

If you are being investigated by some “non-RAC entity,” then it however many years they want unless you have a lawyer.

If being investigated under the False Claims Act, you have 6 – 10 years, depending on the circumstances.

If investigated by MICs, generally, there is a 5-year, look-back period.

ZPICS have no particular look-back period, but with a good attorney, reasonableness can be argued. How can you be audited once you are no longer liable to maintain the records?

The CERT program is limited by the same fiscal year.

The Alternative: Self-Disclosure (Hint – This Is In Your Favor)

If you realized that you made an oops on your own, you have 60-days. The 60-day repayment rule was implemented by the Centers for Medicare and Medicaid Services (“CMS”), effective March 14, 2016, to clarify health care providers’ obligations to investigate, report, and refund identified overpayments under the Affordable Care Act (“ACA”).

Notably, CMS specifically stated in the final rule that it only applies to traditional Medicare overpayments for Medicare Part A and B services, and does not apply to Medicaid overpayments. However, most States have since legislated similar statutes to mimic Medicare rules (but there are arguments to be made in courts of law to distinguish between Medicare and Medicaid).

 

 

 

Premature Recoupment of Medicare or Medicaid Funds Can Feel Like Getting Mauled by Dodgeballs: But Is It Constitutional?

State and federal governments contract with many private vendors to manage Medicare and Medicaid. And regulatory audits are fair game for all these contracted vendors and, even more – the government also contracts with private companies that are specifically hired to audit health care providers. Not even counting the contracted vendors that manage Medicaid or Medicare (the companies to which you bill and get paid), we have Recovery Act Contractors (RAC), Zone Program Integrity Contractors (ZPICs), Medicare Administrative Contractors (MACs), and Comprehensive Error Rate Testing (CERT) auditors. See blog for explanation. ZPICs, RACs, and MACs conduct pre-payment audits. ZPICs, RACs, MACs, and CERTs conduct post-payment audits.

It can seem that audits can hit you from every side.

“Remember the 5 D’s of dodgeball: Dodge, duck, dip, dive and dodge.”

Remember the 5 A’s of audits: Appeal, argue, apply, attest, and appeal.”

Medicare providers can contest payment denials (whether pre-payment or post-payment) through a five-level appeal process. See blog.

On the other hand, Medicaid provider appeals vary depending on which state law applies. For example, in NC, the general process is an informal reconsideration review (which has .008% because, essentially you are appealing to the very entity that decided you owed an overpayment), then you file a Petition for Contested Case at the Office of Administrative Hearings (OAH). Your likelihood of success greatly increases at the OAH level because these hearings are conducted by an impartial judge. Unlike in New Mexico, where the administrative law judges are hired by Human Services Department, which is the agency that decided you owe an overpayment. In NM, your chance of success increases greatly on judicial review.

In Tx, providers may use three methods to appeal Medicaid fee-for-service and carve-out service claims to Texas Medicaid & Healthcare Partnership (TMHP): electronic, Automated Inquiry System (AIS), or paper within 120 days.

In Il, you have 60-days to identify the total amount of all undisputed and disputed audit
overpayment. You must report, explain and repay any overpayment, pursuant to 42 U.S.C.A. Section 1320a-7k(d) and Illinois Public Aid Code 305 ILCS 5/12-4.25(L). The OIG will forward the appeal request pertaining to all disputed audit overpayments to the Office of Counsel to the Inspector General for resolution. The provider will have the opportunity to appeal the Final Audit Determination, pursuant to the hearing process established by 89 Illinois Adm. Code, Sections 104 and 140.1 et. seq.

You get the point.”Nobody makes me bleed my own blood. Nobody!” – White Goodman

Recoupment During Appeals

Regardless whether you are appealing a Medicare or Medicaid alleged overpayment, the appeals process takes time. Years in some circumstances. While the time gently passes during the appeal process, can the government or one of its minions recoup funds while your appeal is pending?

The answer is: It depends.

Before I explain, I hear my soapbox calling, so I will jump right on it. It is my legal opinion (and I am usually right) that recoupment prior to the appeal process is complete is a violation of due process. People are always shocked how many laws and regulations, both on the federal and state level, are unconstitutional. People think, well, that’s the law…it must be legal. Incorrect. Because something is allowed or not allowed by law does not mean the law is constitutional. If Congress passed a law that made it illegal to travel between states via car, that would be unconstitutional. In instances that the government is allowed to recoup Medicaid/care prior to the appeal is complete, in my (educated) opinion. However, until a provider will fund a lawsuit to strike these allowances, the rules are what they are. Soapbox – off.

Going back to whether recoupment may occur before your appeal is complete…

For Medicare audit appeals, there can be no recoupment at levels one and two. After level two, however, the dodgeballs can fly, according to the regulations. Remember, the time between levels two and three can be 3 – 5 years, maybe longer. See blog. There are legal options for a Medicare provider to stop recoupments during the 3rd through 5th levels of appeal and many are successful. But according to the black letter of the law, Medicare reimbursements can be recouped during the appeal process.

Medicaid recoupment prior to the appeal process varies depending on the state. Recoupment is not allowed in NC while the appeal process is ongoing. Even if you reside in a state that allows recoupment while the appeal process is ongoing – that does not mean that the recoupment is legal and constitutional. You do have legal rights! You do not need to be the last kid in the middle of a dodgeball game.

Don’t be this guy:

 

How Does OIG Target Provider Types for Audits and Who Needs to Worry?

Interestingly, how OIG and who OIG targets for audits is much more transparent than one would think. OIG tells you in advance (if you know where to look).

Prior to June 2017, the Office of Inspector General’s (OIG) OIG updated its public-facing Work Plan to reflect those adjustments once or twice each year. In order to enhance transparency around OIG’s continuous work planning efforts, effective June 15, 2017, OIG began updating its Work Plan website monthly.

Why is this important? I will even take it a step further…why is this information crucial for health care providers, such as you?

These monthly reports provide you with notice as to whether the type of provider you are will be on the radar for Medicare and Medicaid audits. And the notice provided is substantial. For example, in October 2017, OIG announced that it will investigate and audit specialty drug coverage and reimbursement in Medicaid – watch out pharmacies!!! But the notice also states that these audits of pharmacies for speciality drug coverage will not begin until 2019. So, pharmacies, you have over a year to ensure compliance with your records. Now don’t get me wrong… you should constantly self audit and ensure regulatory compliance. Notwithstanding, pharmacies are given a significant warning that – come 2019 – your speciality drug coverage programs better be spic and span.

Another provider type that will be on the radar – bariatric surgeons. Medicare Parts A and B cover certain bariatric procedures if the beneficiary has (1) a body mass index of 35 or higher, (2) at least one comorbidity related to obesity, and (3) been previously unsuccessful with medical treatment for obesity. Treatments for obesity alone are not covered. Bariatric surgeons, however, get a bit less lead time. Audits for bariatric surgeons are scheduled to start in 2018. Considering that 2018 is little more than a month away, this information is less helpful. The OIG Work Plans do not specific enough to name a month in which the audits will begin…just sometime in 2018.

Where do you find such information? On the OIG Work Plan website. Click here. Once you are on the website, you will see the title at the top, “Work Plan.” Directly under the title are the “clickable” subjects: Recently Added | Active Work Plan Items | Work Plan Archive.  Pick one and read.

You will see that CMS is not the only agency that OIG audits. It also audits the Food and Drug Administration and the Office of the Secretary, for example. But we are concerned with the audits of CMS.

Other targeted providers types coming up:

• Telehealth
• Security of Certified Electronic Health Record Technology Under Meaningful Use
• States’ Collection of Rebates on Physician-Administered Drugs
• States’ Collection of Rebates for Drugs Dispensed to Medicaid MCO Enrollees
• Adult Day Health Care Services
• Oversight of States’ Medicaid Information Systems Security Controls
• States’ MCO Medicaid Drug Claims
• Incorrect Medical Assistance Days Claimed by Hospitals
• Selected Inpatient and Outpatient Billing Requirements

And the list goes on and on…

Do not think that if your health care provider type is not listed on the OIG website that you are safe from audits. As we all know, OIG is not the only entity that conducts regulatory audits. The States and its contracted vendors also audit, as well as the RACs, MICs, MACs, CERTs…

Never forget that whatever entity audits you, YOU HAVE APPEAL RIGHTS!

Medicare Audits – TPE Audits Are Here, But For How Long?

The Center for Medicare and Medicaid Services (CMS) announced the expansion of Targeted Probe and Educate (TPE) audits. At first glance, this appears to be fantastic news coming on the heels of so much craziness at Health and Human Services (HHS). We have former-HHS Secretary Price flying our tax dollars all over. Dr. Don Wright stepping up as our new Secretary. The Medicare appeal backlog fiasco. The repeal and replace Obamacare bomb. Amidst all this tomfoolery, health care providers are still serving Medicare and Medicaid patients, reimbursement rates are in the toilet, which drives down quality and incentivizes providers to not accept Medicare or Medicaid (especially Caid), and providers are undergoing “Audit Alphabet Soup.” I actually had a client tell me that he receives audit letters requesting documents and money every single week from a plethora of different organizations.

So when CMS announced that it was broadening its TPE audits, it was a sigh of relief for many providers. But will TPE audits be the benign beasts they are purporting  to be?

What is a TPE audit? (And – Can We Have Anymore Acronyms…PLEASE!)

CMS says that TPE audits are benevolent. CMS’ rhetoric indicates that these audits should not cause the toner to run out from overuse. CMS states that TPE audits will involve “the review of 20-40 claims per provider, per item or service, per round, for a total of up to three rounds of review.” See CMS Announcement. The idea behind the TPE audits (supposedly) is education, not recoupments. CMS states that “After each round, providers are offered individualized education based on the results of their reviews. This program began as a pilot in one MAC jurisdiction in June 2016 and was expanded to three additional MAC jurisdictions in July 2017. As a result of the successes demonstrated during the pilot, including an increase in the acceptance of provider education as well as a decrease in appealed claims decisions, CMS has decided to expand to all MAC jurisdictions later in 2017.” – And “later in 2017” has arrived. These TPE audits are currently being conducted nationwide.

Below is CMS’ vision for a TPE audit:

Clear? As mud?

The chart does not indicate how long the provider will have to submit records or how quickly the TPE auditors will review the documents for compliance. But it appears to me that getting through Round 3 could take a year (this is a guess based on allowing the provider 30 days to gather the records and allowing the TPE auditor 30 days to review).

Although the audit is purportedly benign and less burdensome, a TPE audit could take a whole year or more. Whether the audit reviews one claim or 20, having to undergo an audit of any size for a year is burdensome on a provider. In fact, I have seen many companies having to hire staff dedicated to responding to audits. And here is the problem with that – there aren’t many people who understand Medicare/caid medical billing. Providers beware – if you rely on an independent biller or an electronic medical records program, they better be accurate. Otherwise the buck stops with your NPI number.

Going back to CMS’ chart (above), notice where all the “yeses” go. As in, if the provider is found compliant , during any round, all the yeses point to “Discontinue for at least 12 months.” I am sure that CMS thought it was doing providers a favor, but what that tells me is the TPE audit will return after 12 months! If the provider is found compliant, the audit is not concluded. In fact, according to the chart, the only end results are (1) a referral to CMS for possible further action; or (2) continued TPE audits after 12 months. “Further action” could include 100% prepayment review, extrapolation, referral to a Recovery Auditor, or other action. Where is the outcome that the provider receives an A+ and is left alone??

CMS states that “Providers/suppliers may be removed from the review process after any of the three rounds of probe review, if they demonstrate low error rates or sufficient improvement in error rates, as determined by CMS.”

I just feel as though that word “may” should be “will.” It’s amazing how one word could change the entire process.

EHR: What’s In YOUR Contract? Legal Issues You Need to Know.

Electronic health records or EHR have metamorphosed health care. Choosing a vendor can be daunting and the prices fluctuate greatly. As a provider, you probably determine your EHR platform on which vendor’s program creates the best service notes… or which creates the most foolproof way of tracking time… or which program is the cheapest.

But…what’s in YOUR contract can be legally deadly.

Regardless how you choose your EHR vendor, you need to keep the following legal issues in mind when it comes to EHR and the law:

Regulatory and Clinical Coverage Policy Compliance

Most likely, your EHR vendor does not have a legal degree. Yet, you are buying a product and assuming that the EHR program complies with applicable regulations, rules, and clinical coverage policies – whichever are applicable to your type of service. Well, guess what? These regulations, rules, and clinical coverage policies are not stagnant. They are amended, revised, and re-written more than my chickens lay eggs, but a little less often, because my chickens lay eggs every day.

Think about it – The Division of Medical Assistance (DMA) publishes a monthly Medicaid Bulletin. Every month DMA provides more insight, more explanations, more rules that providers will be held accountable to follow.

Does your EHR program update every month?

You need to review your contract and determine whether the vendor is responsible for regulatory compliance or whether you are. If you are, should you put so much faith in the EHR program?

Document Accessibility

You are required to maintain your records (depending on your type of service) anywhere from 5-10 years. Let’s say that you sign a four year contract with EHR Vendor X. The four years expires, and you hire a new EHR vendor. You are audited. But Vendor X does not allow you access to the records because you no longer have a contract with them – not their problem!

You need to ensure that your EHR contract allows you access to your documents (because they are your documents) even in the event of the contract expiring or getting terminated. The excuse that “I don’t have access to that” does not equal a legal defense.

Indemnification

This is otherwise known as the “Blame Game.” If there is a problem with regulatory compliance, as in, the EHR records do not follow the regulations, then you need to know whether the EHR vendor will take responsibility and pay, or help pay, for attorneys’ fees to defend yourself.

Like it or not, the EHR vendor does not undergo audits by the state and federal government. The EHR vendor does not undergo post and pre-payment reviews for regulatory compliance. You do. It is your NPI number that is held accountable for regulatory compliance.

You need to check whether there is an indemnification clause in the EHR contract. In other words, if you are accused of an overpayment because of a mistake on the part of the vendor, will the vendor cover your defense? My guess is that there is no indemnification clause.

HIPAA Compliance

HIPAA laws require that you minimize the access to private health information (PHI) and prevent dissemination. With hard copies, this was easy. You could just lock up the documents. With EHR, it becomes trickier. Obviously, you have access to the PHI as the provider. But who can access your EHR on the vendor-side? Assuming that the vendor has an IT team in case of computer issues, you have to consider to what exactly does that team have access.

I recently attended a legal continuing education class on data breach and HIPAA compliance for health care. One of the speakers was a Special Agent with the FBI. This gentleman prosecutes data breaches for a living. He said that hackers will pay over $500 per private medical document. Health care companies experienced a 72% increase in cyberattacks between 2013 and 2014. Stolen health care information is 10 times more valuable than your credit card information.

Zombie Apocalypse

Obviously, I am exaggerating here. I do not believe that The Walking Dead is real and in our future. But here is my point – You are held accountable for maintaining your medical records, even in the face of an act of God or terrorism.

Example: It was 1996. Provider Dentist did not have EHR; he had hard copies. Hurricane Fran flooded Provider Dentist’s office, ruining all medical records. When Provider Dentist was audited, the government did not accept the whole “there was a hurricane” excuse. Dentist was liable for sever penalties and recoupments.

Fast forward to 2017 and EHR – Think a mass computer shutdown won’t happen? Just ask Delta about its August 2016 computer shutdown that took four days and cancelled over 2000 flights. Or Medstar Health, which operates 10 hospitals and more than 250 outpatient facilities, when in March 2016, a computer virus shut down its emails and…you guessed it…its EHR database.

So, what’s in YOUR contract?

New OIG Report, But Same, Ole Results: Medicare and Medicaid Fraud Persistent in PCS

How many times have you heard, “Third time’s a charm?”If that is true, then what is the fifth time? The sixth time?

In an October 3, 2016, advisory report, the Office of Inspector General (OIG) recommends that the Center for Medicare and Medicaid Services (CMS) heighten its scrutiny on personal care services (PCS) in states across the country. The OIG claims “that home health has long been recognized as a program area vulnerable to fraud, waste, and abuse.” Past OIG reports have focused on Medicare. This new one focuses on Medicaid.

OIG is a division of the U.S. Department of Health and Human Services (HHS) and is charged with identifying and combating waste, fraud, and abuse in the HHS’s more than 300 programs. But, evidently, OIG is not happy, happy, happy, when HHS disregards its findings, which appears to be what has happened for a number of years.

PCS are nonmedical services for people who need assistance with activities of daily living (ADLs), such as bathing, eating, and toileting. Most of the time, PCS are allowing the person to remain in his or her home, instead of being institutionalized. However, according to OIG, PCS is fraught with fraud.

PCS is an optional service for Medicaid, i.e., states can choose to cover the cost of PCS with government funds. But, on the federal level, PCS is provided, if medically necessary, in all states.

The OIG report summarizes Medicaid fraud schemes from November 2012 through August 2016. OIG goes on to say that the fraud in this report is merely replicate of Medicare fraud found in a prior reports. In other words,OIG is basically saying that it has found Medicare fraud in home health in multiple, past reports and that CMS has not followed through appropriately. In fact, this report makes over five times, in recent years, that OIG has instructed CMS to increase its regulatory oversight of Medicare/caid personal care services. How many times does it take for your spouse to ask you to take out the trash until you take out the trash? Third time’s a charm??

Mark my words…in the near future, there will be heightened investigations and increased audits on home health.

Here are some scenarios that can trigger an audit of home health:

1. High percentage of episodes for which the beneficiary had no recent visits with the supervising physician;
2. High percentage of episodes that were not preceded by a hospital or nursing home stay;
3. High percentage of episodes with a primary diagnosis of diabetes or hypertension;
4. High percentage of beneficiaries with claims from multiple home health agencies; and
5. High percentage of beneficiaries with multiple home health readmissions in a short period of time.

While the above-mentioned scenarios do not prove the existence of Medicare/caid fraud, they are red flags that will wave their presence before health care investigators’ faces.

Here are the states (and cities) which will be targets:

Notice that North Carolina is not highlighted. Notice that Florida is highlighted and contained numerous “hotspots.” Certainly that has nothing to do with the abnormal number of people on Medicare…

Regardless, North Carolina will get its share of Medicare PCS audits. Especially, considering that we have the 7th most number of Medicare beneficiaries in the country – that should have gotten us highlighted per se.

Since the OIG Portfolio report issued in 2012, OIG has opened more than 200 investigations involving fraud and patient harm and neglect in the PCS program across the country. “Given the significant vulnerabilities in the PCS program, including a lack of internal controls, and that PCS fraud continues to be a persistent problem, OIG anticipates that its enforcement efforts will continue to involve PCS cases.”Report.

Fifth time is a ______?? (Sure thing).

CMS Ramps Up Medicare Audits: A Pig and Pony Show?

Monday, February 22, 2016, The Centers for Medicare and Medicaid Services (CMS) announced that it plans to increase onsite visits and monitoring of health care providers. One of the top priorities for CMS is to verify that provider enrollment and address are correct…

Because, as you know, providers with correct addresses on file are less likely to commit Medicare fraud. Medicare Fraud 101 – Give CMS the wrong address. Really? (While I applaud their valiant effort, the fraud that I have witnessed has not been a health care provider using a fake address to provide fake services…that is too Ponzi, too shallow in thought…too easily detected. Oh no, the fraud I have encountered were providers with actual practices with correct addresses, but embellishing on the amount of services provided to an actual Medicare enrollee to cushion their pockets. This is much more difficult to detect.

But CMS has its reasons for sniffing out fake addresses. CMS’ address hunt-down comes on the heels of a report from June 2015 out of the Government Accountability Office (GAO), which determined that approximately 22% of Medicare provider addresses are “potentially ineligible.” Additionally, last March (2015) CMS decreased the amount of audits conducted by Medicare Administrative Contractors (MACs), which are one of the entities that investigate Medicare provider eligibility.

Whenever the GAO finds potential errors, CMS usually puts on the whole dog and pony show…or, maybe, for a change, a pig and pony show…

With all these political talks about donkeys and elephants, I would like to take a moment and blog about a pig. Some of you know that I own a pet pig. She is 4 1/2 years old and about 30 pounds. See below.

Isn’t she cute?! Some of you will remember my last blog about Oink was “Our Medicaid Budget: Are We Just Putting Lipstick on a Pig?”

The reason I bring up Oink is that she is the smartest, most animated animal I have ever encountered. She is also the best “sniffer-outer” I have ever encountered. Her keen sense of smell is well beyond any human’s sense of smell. If you liken Oink to CMS and Medicare fraud to a Skittle, the Skittle would have no chance.

These upcoming and increased number of audits is CMS’ way of sniffing out fraud. However, CMS’ sense of smell is not up to snuff like Oink’s sense of smell.

Searching for erroneous addresses in order to detect fraud, waste, and abuse (FWA) will, inevitably, be over-inclusive. Meaning, many of the erroneous addresses will not be committing Medicare fraud. Some erroneous addresses exist because providers simply moved to another location and either failed to inform CMS or CMS’ database was not updated with the new address. Other erroneous addresses exist because health care providers went out of business and never informed CMS. A new company leases the property and it appears to CMS that fraudulent billing was occurring a couple years ago out of, for example, what is now a Jimmy John’s.

Searching for erroneous addresses in order to detect FWA will, inevitably, be under-inclusive. Meaning, that many providers committing Medicare fraud do so with accurate office addresses.

My contention is that if you want to find FWA, you need to dig deeper than an incorrect address. Sniffing out Medicare fraud is a bit more in depth than finding improper addresses. That would be like tossing handfuls of Skittles on the ground and expecting Oink to only find the green ones.

In fiscal year 2014, Medicare paid $554 billion for health care and related services. CMS estimates that $60 billion (about 10 percent) of that total was paid improperly (not only because of incorrect addresses).

CMS is responsible for developing provider and supplier enrollment procedures to help safeguard the program from FWA. CMS contracts with Medicare Administrative Contractors (MACs) and the National Supplier Clearinghouse (NSCs) to manage the enrollment process. MACs are responsible for verifying provider and supplier application information in Provider Enrollment, Chain and Ownership System (PECOS) before the providers and suppliers are permitted to enroll into Medicare. CMS currently contracts with 12 MACs, each of which is responsible for its own geographic region, known as a “jurisdiction.

As you can see, we live in Jurisdiction 11. These MACs act as the “sniffer-outers” for CMS.

According to the GAO June 2015 report, about 23,400 (22 percent) of the 105,234 addresses that GAO initially identified as a Commercial Mail Receiving Agency (CMRA), vacant, or invalid address are potentially ineligible for Medicare providers and suppliers. “About 300 of the addresses were CMRAs, 3,200 were vacant properties, and 19,900 were invalid. Of the 23,400 potentially ineligible addresses, [GAO] estimates that, from 2005 to 2013, about 17,900 had no claims associated with the address, 2,900 were associated with providers that had claims that were less than $500,000, and 2,600 were associated with providers that had claims that were $500,000 or more per address.”

In other words, out of 105,234 addresses, only 2,600 actively billed Medicare for over $500,000 from 2005 through 2013 (8 years). Had CMS narrowed the scope and looked at practices that billed over $500,000 since 2010, I fancy the the number would have been much lower, because, as discussed above, many of these providers either moved or went out-of-business.

Now, 2,600 is not a nominal number. I am in no way undermining CMS’ efforts to determine the accuracy of providers’ addresses; I am not insinuating that these efforts are unnecessary or a complete waste of time. I think verification of health care providers’ addresses is an important aspect of detecting FWA. Instead, I believe that, as discussed above, verifying providers’ addresses is a poor, under and over-inclusive attempt at searching for FWA. Because, as I stated at the beginning of this blog, the people who are intentionally trying to defraud the system, are not going to intentionally give an erroneous address. It is just too easy for the government to discover the error. No, the people who are intentionally defrauding the state will have a legitimate office.

For example, in my opinion, it is unlikely that anyone intentionally trying to defraud the system will inform the government that they provide health care services from the following places:

Again, if I liken CMS’ search for FWA by detecting inaccurate addresses to Oink, it would be like tossing a handful of Skittles on the ground and expecting Oink to only find the green ones.

If CMS audits are to Oink as fraud is to Skittles, then I think there is a less intrusive, less inclusive way to detect FWA rather than throwing out packets of Skittles for Oink. All that does is make Oink eat too much.

If you are one of the Medicare providers that get caught into CMS’ widely  thrown net, be sure to know your rights! Know the appeal steps!

“Red Rover, Red Rover, Send Lab Services Right Over!” And How To Self Audit

Medicare is the largest payor of clinical lab services in the nation. Clinical lab services include everything from blood counts to urinalyses, and every letter of the alphabet in between. Lab services are performed by hospitals, independent labs, physicians, or other institutions.

Medicare Part B (which covers lab services) has had increased enrollment over the past few years, but the amount billed to Part B over the past few years has increased at a much higher rate. In other words, the amount of lab services billed to Part B has increased disproportionately to the increase in enrollment. Any number of factors could contribute to this: defensive practice of medicine, more reliance on laboratory testing, more labs…

Regardless, the higher billing amounts in lab services has now won the prestigious award of “Increased CMS Scrutiny!” (sarcasm, people). And the crowd goes wild!!!!

Mid-2014, the U.S. Office of Inspector General (OIG) published a study entitled, “Questionable Billing for Medicare Part B Clinical Laboratory Services.” OIG determined that Medicare allowed $1.5 billion to be paid for claims with questionable billing. It recommended that CMS: (1) review the labs identified with questionable billing and take appropriate action; (2) review program integrity strategies and determine whether such strategies are adequate; and (3) ensure that claims with invalid and ineligible ordering-physician numbers are not being paid.

In normal and expectant government time frames, the “dinosauric beast” has now determined, a little over a year later, that laboratory service claims warrant enhanced scrutiny. And a little over 85 years after its discovery, we finally determine that Pluto isn’t a planet.

CMS zoomed in their lens of scrutiny on lab services multiple times over a decade ago. Each “CMS zoom” resulted in millions and millions of money given to the federal government, which perpetuates the feds to zoom more and more…it’s easy money.

For example, in 2000, OIG issued Project LabScam, which resulted in substantial settlements against Laboratory Corporation of America Holdings, SmithKline Beecham, Met/Path, Damon, Roche, and Allied.

In 2002, OIG found that Medicare incorrectly paid $7.4 million for lab services with invalid ordering UPINs and $15.3 million for lab service claims with inactive ordering UPINs.

What does this mean to providers of lab services today?

It means you need to be prepared for an audit.

When I was young, one of my favorite games was “Red Rover.” Children would grasp arms and form a straight line facing the other team, which was doing the same. I would yell, “Red River, Red Rover, send Holly right over!” At which time, little Holly would be released from her line and prepare to run, full speed, into my line of little kids’ arms. Inevitably, once we saw where Holly was running, we would tighten up our grasps on one another’s arms to prepare for the impact.

Similarly, in preparation for upcoming audits, lab service providers need to tighten up.

How?

The best way to be certain of your risks in a potential audit is to hire a professional consultant or an experienced attorney to review a large sample of your documents. This allows an outsider to provide an unbiased opinion as to your risk. You may have the best billing manager in the world, but, when it comes to a self audit, he or she already believes that his or her documentation is stellar and that the organization of such documents is self evident. Having an outsider audit your records is worth its weight in gold and the best way to tighten up pre-audit.

The second best way to be certain of your risks in a potential audit is to self audit. Even if you hire a consultant or an attorney for a one time, third-party audit, you still want to self-audit multiple times a year. Every now and then you need to kick the old tires.

How do you self audit?

FYI: My general explanation of how to self audit will be appropriate for all health care service provider types. I will describe some more detailed ways to self audit that will be specific to lab services.

In order to self audit, I teach the IAKA method, not to be confused with IKEA.

• Identify common risks
• Audit a sample of your documents
• Keep record of each step of your audit, including findings
• Act on the findings.

Identify

What are the common red flags in your industry?

For lab services, common red flags may be high average allowed amounts per ordering physician, high percentage of claims with ineligible ordering-physician numbers, high percentage of claims with compromised beneficiary numbers, and high percentage of duplicate lab tests.

Here’s an area to look into that you may not otherwise consider in a self audit: what percentage of your lab clients live outside 100 miles? This may sound hoaky, but I had a lab service client flagged because 92% of the clients resided over 150 miles away. There was a perfectly reasonable explanation for such anomaly, the lab was located in a large, prestigious hospital in a rural area and people came from miles away to the hospital, but the statistic still flagged it.

Another specific item to review is, on average, how much does each physician bill in the laboratory? Do you have 4 physicians who bill, on average, $60,000+ per ordering physician? Because, for an independent lab, that would be very high.

Audit

For the actual self audit, you want to break up the audit into two categories: standards and procedures and document compliance.

For standards and procedures, you are reviewing whether you are properly orienting new hires, the specific training you implement, your criminal background check procedures, HIPAA training, your license renewal processes, your certification renewal processes, etc.

For document compliance, you are reviewing for physician signatures and dates.

NOTE: It is not required, but it is extremely prudent to print the name of the signator underneath all signatures. I have seen auditors ding providers on “physicians not being licensed/credentialed” because the auditor could not read the name of the physician. 

You are also reviewing for medical necessity, eligible ordering-physician numbers, distance the client is to the lab, amount prescribed to that particular client, amount prescribed by that particular physician, whether that test prescribed for the same client within a 12 month period, coding compliance, etc.

Keep Record

It is imperative that you keep meticulous records while you conducting the audits. You want to be able to show an auditor that you caught a mistake and that you implemented a plan of correction to remedy the mistake going forward. And that, in actuality, you remedied the mistake going forward. This documentation is essential for possible defenses to alleged potential overpayments, false claims, and, even, alleged criminal actions. Your documentation skills could be the difference between paying millions in penalties, or, in the extreme case, jail.

Act

I got ahead of myself in the prior section by saying that you need to document the way in which you fix the mistake. But I cannot emphasize it enough. Acting on your findings is important, obviously, but documenting the actions is more important. Ever hear the saying, “If it isn’t documented, it didn’t happen?” Take that as gospel.

Be prepared. Be proactive. Be ready. Tighten up!