Monthly Archives: February 2021

Medicaid Provider Enrollment Process: Stuck in a Snowbank?’s cold out there for health care providers! Expect a more stringent re-certification process going forward! DHHS was cited for being lax on provider enrollment or stuck in a metaphoric snowbank. I, on the other hand, got stuck in an actual snowbank.

Over President’s Day weekend, my mom, sister, daughter, niece, and nephew all drove to the Omni Homestead in Hot Springs, VA for a few days of skiing and snow tubing. Fun, right? It was a wonderful time, but getting there was an absolute fiasco that we will laugh about for years to come. Now, however, it’s too soon.

Friday the 12th, I almost successfully drove over a snowy, icy hill, known as Airport Rd. Then, this happened…

Caught in a snowbank.

The catastrophic first day (the 12th), as bad as it was, the tomfoolery gave me the inspiration for this blog. On the way to The Homestead, I got my car stuck in a snowbank with my daughter for hours waiting for a tow truck, who had a really hard time finding us. I drive a two-wheel drive, sedan. My sister, on the other hand, enjoyed her youngest daughter (my niece) throwing up from car sickness the entire 5-hour drive. On the bright side, my daughter was excited to sit in the back of a police officer’s car. She even held up the handcuffs as a pose.

As I sat in my Dodge Dart with my 15-year-old girl for hours, I had 3 dentists call me regarding small, alleged overpayments. The tiniest amount at issue was $34k. The largest was just $56k. One dentist was undergoing a RAC audit. Another was undergoing a CERT audit. The third dentist was undergoing a “meaningful use” audit. My 5-hour drive quickly became 8.

The next call informed me that DHHS was being scrutinized for allowing providers maintain a Medicaid contract, who, purportedly, were not qualified. Considering I have had multiple provider-clients lately accused of not being qualified when they were qualified. My interest was perked. As I sat stuck in a snowbank, was DHHS’ provider enrollment process stuck in a similar snowbank and unable to move?

The NC State Auditor released the February 2021 Performance Audit, “Medicaid Provider Enrollment.”


The Medicaid Provider Enrollment process did not ensure that only qualified providers were approved to provide services to Medicaid beneficiaries and to receive payments from North Carolina’s Medicaid program. Specifically, the Division:

  • Did not identify and remove enrolled providers from the Medicaid program who had their professional license suspended or terminated.
  • Allowed all providers who had professional license limitations to remain enrolled in the Medicaid program.
  • Did not ensure that its contractor verified all professional credentials during the Medicaid provider enrollment re-verification process.
  • Did not require its contractor to verify provider ownership information during the Medicaid provider enrollment re-verification process.

As a result, there was an increased risk that providers whose actions posed a threat to patient safety were enrolled in Medicaid and could receive millions of dollars in improper payments from the State.

According to the Performance Audit, the following are three, specific examples of providers allowed to continue to participate in the Medicaid program:

  1. A physician had a license limitation that prohibited treating any female patients. A previous license limitation had required that a chaperone be present and document their presence any time the physician examined a female patient because of multiple past sexual and professional misconduct allegations. Despite the license limitation restricting the physician from treating female patients, the physician billed Medicaid for services provided to 208 female patients in the amount of $78,000 from October 18, 2018, through June 30, 2020.
  2. A physician was placed on probation for multiple “departure[s] from the standards of acceptable and prevailing medical practice.” The physician used a single-use syringe on multiple patients, injected unused pharmaceutical product from a previously used syringe into more than one patient, and failed to properly dispose of human waste – instead, the physician stored it “in a box in a closet near the nurse’s station.”
  3. A physician had a license limitation that prohibited treating any female patients. The medical board was “concerned about the process [the physician] follows for breast examinations” and found the physician’s conduct to be “a departure from the standards of acceptable and prevailing medical practice within the meaning of NCGS §90-14(a)(6).” Despite not receiving payments from Medicaid, the provider remained active in the Medicaid claims processing system (NCTracks) and was eligible to receive payments.

While I will be the first to admit that these examples are egregious, I can vouch that there are also providers accused of not being qualified when they are truly qualified. False accusation of not being qualified is also a problem. However, in light of this Performance Audit, DHHS will surely be more strict in future re-credentialing. There may be a blizzard of Medicaid provider terminations.

DHHS’ excuse when confronted with the accusation of sloppy provider enrollment process was, “The Division said that it did not have the authority to remove providers with current license limitations from the Medicaid program.” I call bullshxx and yellow snow.

DHHS routinely argues in court that it has the authority to terminate Medicaid providers’ contracts without cause. Now, I disagree, but that has been DHHS’ stance. For DHHS to claim it does not have the authority to terminate providers’ Medicaid contracts is disingenuous.

CMS was involved in this Performance Audit and instructed DHHS that it does have the authority to terminate providers who do not qualify for Medicaid participation.

Numerous home health agencies and adult care facilities were found to have staff who were not qualified. It appears that the State Auditor’s argument is that, if an agency has unqualified staff, then 100% recoupments are in order. We will have to wait and see whether DHHS attempts recoupments or terminations, as it is instructed.

Meanwhile, my daughter and I were towed out of the snowbank.

Back of the police car!

Premature Recoupment of Medicare Reimbursements Defies Due Process!

Who knows that – regardless your innocence –the government can and will recoup your funds preemptively at the third level of Medicare appeals. This flies in the face of the elements of due process. However, courts have ruled that the redetermination and the reconsideration levels afford the providers enough due process, which entails notice and an opportunity to be heard. I am here to tell you – that is horse manure. The first two levels of a Medicare appeal are hoops to jump through in order to get to an independent tribunal – the administrative law judge (“ALJ”). The odds of winning at the 1st or 2nd level Medicare appeal is next to zilch, although often you can get the alleged amount reduced. The first level is before the same entity that found you owe the money. Auditors are normally not keen on overturning themselves. The second level is little better. The first time that you present to an independent tribunal is at the third level.

Between 2009 and 2014, the number of ALJ appeals increased more than 1,200 percent. And the government recoups all alleged overpayments before you ever get before an ALJ.

In a recent case, Sahara Health Care, Inc. v. Azar, 975 F.3d 523 (5th Cir. 2020), a home health care provider brought an action against Secretary of Department of Health and Human Services (“HHS”) and Administrator for the Centers for Medicare and Medicaid Services (“CMS”), asserting that its statutory and due process rights were violated and that defendants acted ultra vires by recouping approximately $2.4 million in Medicare overpayments without providing a timely ALJ hearing. HHS moved to dismiss, and the provider moved to amend, for a temporary restraining order (“TRO”) and preliminary injunction, and for an expedited hearing.

The case was thrown out, concluding that adequate process had been provided and that defendants had not exceeded statutory authority, and denied provider’s motion for injunctive relief and to amend. The provider appealed and lost again.

What’s the law?

Congress prohibited HHS from recouping payments during the first two stages of administrative review. 42 U.S.C. § 1395ff(f)(2)(A).

If repayment of an overpayment would constitute an “extreme hardship, as determined by the Secretary,” the agency “shall enter into a plan with the provider” for repayment “over a period of at least 60 months but … not longer than 5 years.” 42 U.S.C. § 1395ddd(f)(1)(A). That hardship safety valve has some exceptions that work against insolvent providers. If “the Secretary has reason to believe that the provider of services or supplier may file for bankruptcy or otherwise cease to do business or discontinue participation” in the Medicare program, then the extended repayment plan is off the table. 42 U.S.C. § 1395ddd(f)(1)(C)(i). A provider that ultimately succeeds in overturning an overpayment determination receives the wrongfully recouped payments with interest. 42 U.S.C. § 1395ddd(f)(2)(B). The government’s interest rate is high. If you do have to pay back the alleged overpayment prematurely, the silver lining is that you may receive extra money for your troubles.

The years-long back log, however, may dwindle. The agency has received a funding increase, and currently expects to clear the backlog by 2022. In fact, the Secretary is under a Mandamus Order requiring such a timetable. 

A caveat regarding this grim news. This was in the Fifth Circuit. Other Courts disagree. The Fourth Circuit has held that providers do have property interests in Medicare reimbursements owed for services rendered, which is the correct holding. Of course, you have a property interest in your own money. An allegation of wrongdoing does not erase that property interest. The Fourth Circuit agrees with me.

HIPAA and Football

By Ashley Thomson, Partner at Practus, LLP. A Virtual Law Firm.

On rare occasions a Court can issue an opinion that is so logical and on-point you want to stand up and cheer.  Maybe you’re only cheering if you’re a HIPAA-nerd, like me. My name is Ashley and I work with Knicole. I was the assistant GC for Truman Medical Center for 17 years. As AGC at Truman, I was inundated with so many various issues.

Here’s what got me standing up in my home office as if Patrick Mahomes just threw a pass to Tyreek Hill and the KC Chiefs scored the winning touchdown in the Super Bowl—the 5th Circuit Court of Appeals held that a lost or stolen unencrypted device containing protected health information (“PHI”)[1] does not automatically result in a violation of the HIPAA Disclosure Rule or Encryption Rule. If you want to do your own touchdown dance check out Univ. of Texas M.D. Anderson Cancer Ctr. v. United States Dep’t of Health & Human Servs., No. 19-60226, 2021 WL 127819, at *5 (5th Cir. Jan. 14, 2021).

Unless you’ve spent the last 20 years living under a rock, you are generally aware that HIPAA is a law that protects your health information from public disclosure.  Most people don’t spell it correctly and even less people know what the acronym means.[2]  In 2009, HIPAA was supplemented with the HITECH Act.[3] Together, these laws govern how health care providers handle your medical information and what to do if there is a breach of the information.  HIPAA and HITECH’s implementing regulations (the “Regulations”) require all covered entities[4] “implement a mechanism to encrypt” all PHI that is stored electronically.  45 C.F.R. Section 164.312(a)(2)(iv).  Second, the Regulations prohibit unpermitted disclosure of PHI. 45 C.F.R. Sec. 164.502(a). These two regulations are referred to as the Encryption Rule and the Disclosure Rule respectively. These requirements are enforced by the Department of Health and Human Services (“HHS”) in conjunction with the Office for Civil Rights (“OCR”).

Whew, that was a quick history lesson.  Now, back to the story.

In 2012 and 2013 MD Anderson Cancer Center (“MD Anderson”) had three (3) events happen involving unencrypted devices containing PHI.  First, a laptop was stolen.  Second, a thumb drive was lost during someone’s commute home. Third, a visiting researcher misplaced a thumb drive. Pursuant to the regulations, MD Anderson reported these events to HHS.  

HHS concluded that MD Anderson violated the Regulations and imposed a fine over $4,000,000 (let me spell that out for you. . . FOUR MILLION DOLLARS). 

You may be wondering, what in the world did they violate that would result in such an outrageous fine?  So did MD Anderson!

MD Anderson threw its proverbial, red challenge flag and pursued its appeal rights and ended up, finally, in Federal Court where they succeeded on establishing that the mere loss of unencrypted PHI does not violate the Disclosure Rule and that the Encryption Rule does not require that a covered entity sit down and force each and every person to encrypt their devices.

Let’s look first at the Disclosure Rule. As a general rule, HIPAA prohibits the disclosure of PHI without permission from the patient.[5]  45 C.F.R. Sec. 164.502(a). HIPAA defines disclosure as “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” 45 C.F.R. Sec. 164.103. Prior to reaching the 5th Circuit, MD Anderson had been told the mere fact that the unencrypted laptop and thumb drives were lost or stolen resulted in the conclusion the PHI had been improperly disclosed to someone outside of the covered entity.  Thank goodness, the Court stepped in with the reasonable statement that many of us in the health care field have been saying for years. . . just because a device is lost or stolen doesn’t mean the PHI was improperly disclosed.[6]  “It defies reason to say an entity affirmatively acts to disclose information when someone steals it.” Univ. of Texas M.D. Anderson Cancer Ctr.,2021 WL 127819, at *5.

HHS claimed that it would be difficult for them to enforce the Disclosure Rule if it had to show that the PHI was disclosed to someone outside of the covered entity.  Well, go complain to the referees  HHS “that’s precisely the sort of policy argument that HHS could vet in a rulemaking proceeding. It’s not an acceptable basis for urging us to transmogrify the regulation HHS wrote into a broader one.” Id. And with that, the Court unceremoniously stated the obvious and provided some reason in the rather unreasonable world of HIPAA enforcement.

Next up? The Encryption Rule where HHS argued that MD Anderson’s desire to do more to encrypt their devices was an admission of non-compliance with the regulations.  Not so fast, said the Court.  The rule requires that a covered entity have a mechanism for the encryption PHI not that it implements an iron clad, hacker proof, 100% guaranteed encryption system.  MD Anderson had an encryption mechanism which is enough to satisfy the regulation, even if HHS now “wishes it had written a different” regulation. *4.  

I feel like this is the SUPERBOWL of HIPAA decisions. You may not be as excited about this opinion as I was.  That’s ok. . . I’m a HIPAA and privacy nerd and I’m ok with that.  

Let’s hope I have many touchdowns to stand up and celebrate on Sunday!  Go Chiefs!    

The legal fine print: As exciting as this opinion is, please  remember that devices should be encrypted and PHI should be protected to the maximum extent possible.  While this is a great decision, it doesn’t remove the obligation to comply with the Regulations. 

[1] PHI contains 18 different identifiers.  42 C.F.R. § 164.514(a)(2)(i).

[2] It’s the Health Insurance Portability and Accountability Act of 1996. 

[3] HITECH stands for the Health Information Technology for Economic and Clinical Health Act of 2009. 

[4] Later, we can delve into what qualifies as a covered entity. Let’s just all agree that MD Anderson is a covered entity.

[5] This is a very simple overstatement, but it works for the purposes of this article.

[6] Let’s face it, most of these devices are lost or stolen and (1) never found or (2) thrown out as the thieves take what they really wanted . . . cold hard cash or credit cards.  An old janky laptop or a random thumb drive is not at the top of the most wanted list for kleptomaniacs.