Category Archives: Administrative code
Effective Jan. 2, 2019, the Centers for Medicare & Medicaid Services (CMS) radically changed its guidance on the use of extrapolation in audits by Recovery Audit Contractors (RACs), Medicare Administrative Contractors (MACs), Unified Program Integrity Contractors (UPICs), and the Supplemental Medical Review Contractor (SMRC).
Extrapolation is a veritable tsunami in Medicare/Medicaid audits. The auditor collects a small sample of claims to review for compliance, then determines the “error rate” of the sample. For example, if 500 claims are reviewed and one is found to be noncompliant for a total of $100, then the error rate is set at 20 percent. That error rate is applied to the universe, which is generally a three-year time period. It is assumed that the random sample is indicative of all your billings, regardless of whether you changed your billing system during that time period or maybe hired a different biller. In order to extrapolate an error rate, contractors must use a “statistically valid random sample” and then apply that error rate on a broader universe of claims, using “statistically valid methods.”
With extrapolated results, auditors allege millions of dollars of overpayments against healthcare providers – sometimes a sum of more than the provider even made during the relevant time period. It is an overwhelming impact that can put a provider and its company out of business.
Prior to this recent change to extrapolation procedure, the Program Integrity Manual (PIM) offered little guidance regarding the proper method for extrapolation.
Prior to 2019, CMS offered broad strokes with few details. Its guidance was limited to generally identifying the steps contractors should take: “a) selecting the provider or supplier; b) selecting the period to be reviewed; c) defining the universe, the sampling unit, and the sampling frame; d) designing the sampling plan and selecting the sample; e) reviewing each of the sampling units and determining if there was an overpayment or an underpayment; and, as applicable, f) estimating the overpayment.”
Well, Change Request 10067 overhauled extrapolation in a huge way.
The first modification to the extrapolation rules is that the PIM now dictates when extrapolation should be used.
Under the new guidance, a contractor “shall use statistical sampling when it has been determined that a sustained or high level of payment error exists. The use of statistical sampling may be used after a documented educational intervention has failed to correct the payment error.” This guidance now creates a three-tier structure:
- Extrapolation shall be used when a sustained or high level of payment error exists.
- Extrapolation may be used after documented educational intervention (such as in the Targeted Probe-and-Educate (TPE) program).
- It follows that extrapolation should not be used if there is not a sustained or high level of payment error or evidence that documented educational intervention has failed.
“High level of payment error” is defined as 50 percent or greater. The PIM also states that the contractor may review the provider’s past noncompliance for the same or similar billing issues or a historical pattern of noncompliant billing practice. This is critical because so many times providers simply pay the alleged overpayment amount if the amount is low or moderate in order to avoid costly litigation. Now, those past times that you simply paid the alleged amounts will be held against you.
Another monumental modification to RAC audits is that the RAC auditor now must receive authorization from CMS to go forward in recovering from the provider if the alleged overpayment exceeds $500,000 or is an amount that is greater than 25 percent of the provider’s Medicare revenue received within the previous 12 months.
The identification of the claims universe was also redefined. Even CMS admitted in the change request that, on occasion, “the universe may include items that are not utilized in the construction of the sample frame. This can happen for a number of reasons, including, but not limited to: a) some claims/claim lines are discovered to have been subject to a prior review; b) the definitions of the sample unit necessitate eliminating some claims/claim lines; or c) some claims/claim lines are attributed to sample units for which there was no payment.”
How many of you have been involved in an alleged overpayment in which the auditor misplaced or lost documents? I know I have. The new rule also states that the auditors must be able to recreate the sample and maintain all documentation pertinent to the calculation of an alleged overpayment.
High-volume providers should face a lower risk of extrapolation if their audited error rate is less than 50 percent and they do not have a history of noncompliance for the same or similar billing issues, or a historical pattern of noncompliant billing practice.
As a Medicare/caid health care provider, you have a property right to your reimbursements for services rendered that were medically necessary.
Why does it matter if your Medicare/caid reimbursements constitute property rights? If you have a property right to something it cannot be taken from you without due process of law. Due process equals a fair hearing and notice. If you have a property right in something then it cannot be usurped from you. For example, since I own my house, you cannot come to my house and claim ownership, even as a squatter. I am afforded due process for my right to my property. Similarly, when you provide Medicare services that are medically necessary and properly completed, your reimbursements for such services cannot be withheld without due process. This means that many rules and regulations across the nation may be unconstitutional.
One of the questionable laws comes into light under many managed care catchment area’s (MCOs) closed network system, which comprises the majority of managed care in America, as well as Medicare Administrative Companies (MACs). MCOs and MACs act as if it are the judge, jury, and executioner when it comes to payments. But, according to the constitution and property rights, Medicare/caid reimbursements are not based on a subjective review by a government contractor.
The ultimate victims in unfair, premature, or erroneous terminations from Medicare or Medicaid programs are the recipients. Often there are too few providers who accept Medicare and Medicaid in certain areas. The other victims in a wrongful termination is the provider and its staff. While the adverse consequences of an unjust termination has minimal to no unfavorable results to the government.
Under numerous Supreme Court holdings, most notably the Court’s holding in Board of Regents v. Roth the right to due process under the law only arises when a person has a property or liberty interest at stake. See also Bowens v. N.C. Dept. of Human Res.
In determining whether a property interest exists a Court must first determine that there is an entitlement to that property. Cleveland Bd. of Educ. v. Loudermill. Unlike liberty interests, property interests and entitlements are not created by the Constitution. Instead, property interests are created by federal or state law and can arise from statute, administrative regulations, or contract. Bowens.
Specifically, the Fourth Circuit Court of Appeals has determined that North Carolina Medicaid providers have a property interest in continued provider status. Bowens, 710 F.2d 1018. In Bowens, the Fourth Circuit recognized that North Carolina provider appeals process created a due process property interest in a Medicaid provider’s continued provision of services and could not be terminated “at the will of the state.” The Court determined that these due process safeguards, which included a hearing and standards for review, indicated that the provider’s participation was not “terminable at will.” The Court held that these safeguards created an entitlement for the provider, because it limits the grounds for his/her termination such that the contract was not terminable “at will” but only for cause, and that such cause was reviewable. The Fourth Circuit reached the same result in Ram v. Heckler, two years later. I foresee the same results in other Court of Appeals’ jurisdiction.
Since Ram, North Carolina Medicaid provider’s right to continued participation has been strengthened through the passage of Chapter 108C. Chapter 108C expressly creates a right for existing Medicaid providers to challenge a decision to terminate participation in the Medicaid program in the Office of Administrative Hearings (OAH). It also makes such reviews subject to the standards of Article 3 of the APA. Therefore, North Carolina law now contains a statutory process that confers an entitlement to Medicaid providers. Chapter 108C sets forth the procedure and substantive standards for which OAH is to operate and gives rise to the property right recognized in Bowens and Ram.
In another particular case, a MAC terminated a provider’s ability to deliver four CPT codes, which comprised of over 80% of the provider’s bailiwick and severely decreased the provider’s financial income, not to mention Medicare recipients lost their access to care and choice of provider.
The MAC’s contention was that the provider was not really terminated since they could still participate in the network in ways. But the company was being terminated from providing certain services.
The Court found that the MAC’s contention that providers have no right to challenge a termination was without merit. And, rightfully so, the Court stated that if the MAC’s position were correct, the appeals process provided by law would be meaningless. This was certainly not the case.
The MAC’s contention that it operates a “closed network” and thus can terminate a provider at its sole discretion was also not supported by the law. No MAC or MCO can cite to any statute, regulation or contract provision that gives it such authority. The statutory definition of “closed network” simply delineates those providers that have contracted with the LME-MCOs to furnish services to Medicaid enrollees. The MAC was relying on its own definition of “closed network” to exercise complete and sole control and discretion which is without foundation and/or any merit. Nothing in the definition of “closed network” indicates that MACs or MCOs have absolute discretion to determine which existing providers can remain in the closed network.
It is well settled law that there is a single state agency responsible for Medicare and Medicaid, which equals the Center for Medicare and Medicaid Services (CMS). Case law dictates that the responsibility cannot be delegated away. A supervisory role, at the very least, must be maintained.
On the Medicaid level, 42 CFR § 438.214 entitled “Provider Selection” requires the State to ensure, through a contract, that each MCO/PIHP “implements written policies and procedures for selection and retention of providers.”). A plain reading of the law makes clear that MCOs that operate a PIHP are required to have written policies and procedures for retention of providers. Requiring policies and procedures would be pointless if they are not followed.
To the extent that a MAC or MCO’s policy states that it can decide not to retain a provider for any reason at its sole discretion, such a policy does not conform with Federal law and the State requirements.
On the Medicare level, 42 U.S.C. § 405(h) spells out the judicial review available to providers, which is made applicable to Medicare by 42 U.S.C. § 1395ii. Section 405(h) aims to lay out the sole means by which a court may review decisions to terminate a provider agreement in compliance with the process available in § 405(g). Section 405(g) lays out the sole process of judicial review available in this type of dispute. The Supreme Court has endorsed the process, for nearly two decades, since its decision in Shalala v. Illinois Council on Long Term Care, Inc., holding that providers are required to abide by the provisions of § 405(g) providing for judicial review only after the administrative appeal process is complete.
The MACs and the MCOs cannot circumvent federal law and State requirements regarding provider retention by creating a policy that allows it to make the determination for any reason in its sole discretion. Such a provision is tantamount to having no policies and procedures at all.
“Medicare for All” is the talk of the town. People are either strong proponents or avid naysayers. Most of the articles that I have seen that have discussed Medicare for All writes about it as if it is a medical diagnosis and “cure-all” for the health care disease debilitating our country. Others articles discuss the amount Medicare for All will cost the taxpayers.
I want to look at Medicare for All from a different perspective. I want to discuss Medicare for All from the health care providers’ perspectives – those who already accept Medicare and those who, currently, do not accept Medicare, but may be forced to accept Medicare under the proposed Medicare for All and the legality or illegality of it.
I want to explore the implementation of Medicare for All by using my personal dentist as an example. When I went to my dentist, Dr. L, today, who doesn’t accept Medicare or Medicaid, he was surprised to hear from the patient (me) in whom he was inserting a crown (after placing a long needle in my mouth to numb my mouth, causing great distress and pain) that he may be forced to accept Medicare in the near future. “I made the decision a long time ago to not accept Medicare or Medicaid,” he said. “Plus, Medicare doesn’t even cover dental services, does it?”
While Medicare doesn’t cover most dental care, dental procedures, or supplies, like cleanings, fillings, tooth extractions, dentures, dental plates, or other dental devices, Medicare Part A (Hospital Insurance) will pay for certain dental services that you get when you’re in a hospital. Part A can pay for inpatient hospital care if you need to have emergency or complicated dental procedures, even though the dental care isn’t covered. However, some Medicare Advantage Plans (Part C) offer extra benefits that original Medicare doesn’t cover – like vision, hearing, or dental. Theoretically, Medicare for All will cover dental services since Part C covers dental, although, there is a question as to how exactly Medicare for All will/would work. Who knows whether dental services would be included in Medicare for All – this is just an example. Insert any type of medical service in lieu of dental, if you wish.
Dr. L had made the decision not accept Medicaid or Medicare. He only accepts private pay or cash pay. If Medicare for All is implemented, Dr. L’s decision to not accept Medicare will no longer be his decision; it would be the government’s decision. The rates that Dr. L charges now and receives for reimbursements now could be slashed in half without Dr. L’s consent or business plan.
In a 2019 RAND study, researchers examined payment and claims data from 2015 to 2017 representing $13 billion in healthcare spending across 25 states at about 1,600 hospitals. The study showed that private insurers pay 235% of Medicare in 2015 to 241% of Medicare in 2017. The statistics differ state to state. In some states private pay reimbursed as low as 150% of Medicare, while in others private pay reimbursed up to 400% of Medicare.
To show how many providers are adverse to accepting Medicare: In 2000, nearly 80% of health care providers were taking new Medicare patients. By 2012, that number dropped to less than 60%. Currently, less than 40% of the health-care system are government run and nearly 33% of doctors won’t see new Medicaid patients. Medicare patients frequently have difficulty finding a new primary-care doctor.
My question is –
Is it legal for the government to force health care providers to accept Medicare rates by issuing a Medicare for All system?
An analogy would be that the government forced all attorneys to charge under $100/hour, or all airplane flights to be $100, or all restaurants to charge a flat fee that is determined by the government. Is this what our country has transformed into? A country in which the government determines the prices of services and products?
Let me be clear and and rebut what some readers will automatically think. This is not simply an anti-Medicare for All blog. Shoot, I’d love to get health care services for free. Instead, I am reviewing Medicare for All from a legal and constitutional perspective to discuss whether government implemented reimbursement rates will/would be legal. Or would government implemented reimbursement rates violate due process, the right to contract, the right to pursue a career, the right to life, liberty, and the pursuit of happiness, and/or our country’s history of capitalism.
The consequences of accepting Medicare can be monumental. Going back to Dr. L, due to the massive decrease of reimbursement rates under Medicare, he may be forced to downsize his staff, stop investing in high tech devices to advance the practice of dentistry, take less of a salary, and, perhaps, work more to offset the reimbursement rate reduction.
Not to mention the immense regulatory oversight, including audits, documentation productions, possible suspensions of Medicare contracts or accusations of credible allegations of fraud that comes hand in hand with accepting Medicare.
I don’t think there is one particular law that would allow or prohibit Medicare for All requiring health care providers to accept Medicare reimbursements, even against their will. Although I do think there is potential for a class action lawsuit on behalf of health care providers who have decided to not accept Medicare if they are forced to accept Medicare in the future.
I do not believe that Medicare for All will ever be implemented. Just think of a world in which there is no need for private insurance companies…a utopia, right? But the private health care insurance companies have enough money and enough sway to keep Medicare for All at bay. Hospitals and the Hospital Association will also have some input regardless the implementation of Medicare for All. Most hospitals claim that, under Medicare for All, they would close.
Regardless the conversation is here and will, most likely, be a highly contested issue in our next election.
Let’s talk targeted probe-and-educate (“TPE”) audits – again.
I received quite a bit of feedback on my RACMonitor article regarding Medicare TPE audits being a “Wolf in Sheep’s Clothing.” So, I decided to delve into more depth by contacting providers who reached out to me to discuss specific issues. My intent is to shed the sheep’s clothing and show the big, pointy ears, big, round eyes, and big, sharp teeth that the MACs will hear, see, and eat you through the Medicare TPE audits. So, call the Woodsman, arm yourself with a hatchet, and get ready to be prepared for TPE audits. I cannot stress enough the importance of being proactive.
The very first way to rebut a TPE audit is to challenge the reason you were selected, which includes challenging the data supporting the reason that you were chosen. A poor TPE audit can easily result in termination of your Medicare contract, so it is imperative that you are prepared and appeal adverse results. 42 C.F.R. § 424.535, “Revocation of enrollment in the Medicare program” outlines the reasons for termination. Failing the audit process – even if the results are incorrect – can result in termination of your Medicare contract. Be prepared and appeal.
In 2014, the Center for Medicare and Medicaid Services (“CMS”) began the TPE program that combines a review of a sample of claims with “education” to allegedly reduce errors in the Medicare claims submission process; however, it took years to get the program off the ground. But off the ground it is. It seems, however, that CMS pushed the TPE program off the ground and then allowed the MACs to dictate the terms. CMS claims that the results of the TPE program are favorable, basing its determination of success on the decrease in the number of claim errors after providers receive education. But providers undergoing the TPE audit process face tedious and burdensome deadlines to submit documents and to undergo the “education” process. These 45-day deadlines to submit documents are not supported by federal law or regulation; they are arbitrary deadlines. Yet, these deadlines must be met by the providers or the MACs will aver a 0% accuracy. Private payors may create and enforce arbitrary deadlines; they don’t have to follow federal Medicare regulations. But Medicare and Medicaid auditors must obey federal regulations. A quick search on Westlaw confirms that no provider has challenged the MACs’ TPE rules, at least, litigiously.
The TPE process begins by the MAC selecting a CPT/HCPC code and a provider. This selection process is a mystery. How the MACs decide to audit sleep studies versus chemotherapy administration or a 93675 versus a 93674 remains to be seen. According to one health care provider, which has undergone multiple TPE audits and has Noridian Healthcare Solutions as its MAC informed me that, at times, they may have 4 -5 TPE audits ongoing at the same time. CMS has touted that TPE audits do not overlap claims or cause the providers to undergo redundant audits. But if a provider bills numerous CPT codes, the provider can undergo multiple TPE audits concurrently, which is clearly not the intent of the TPE audits, in general. The provider has questioned ad nauseam the data analysis that alerted Noridian to assign the TPE to them in the first place. Supposedly, MACs target providers with claim activity that contractors deem as unusual. The usual TPE notification letter contains a six-month comparison table purportedly demonstrating the paid amount and number of claims for a particular CPT/HCPC code, but its accuracy is questionable. See below.
This particular provider ran its own internal reports, and regardless of how many different ways this provider re-calculated the numbers, the provider could not figure out the numbers the TPE letter was alleging they were billing. But, because of the short turnaround deadlines and harsh penalties for failing to adhere to these deadlines, this provider has been unable to challenge the MAC’s comparison table. The MACs have yet to share its algorithm or computer program used to govern (a) which provider to target; (b) what CPT code to target; and (c) how it determines the paid amount and number of claims.
Pushing back on the original data on which the MACs supposedly relied upon to initially target you is an important way to defend yourself against a TPE audit. Unmask the wolf from the beginning. If you can debunk the reason for the TPE audit in the first place, the rest of the findings of the TPE audit cannot be valid. It is the classic “fruit of the poisonous tree” argument. Yet according to a quick search on Westlaw, no provider has appealed the reason for selection yet. For example, in the above image, the MAC compared one CPT code (78452) for this particular provider for dates of services January 1, 2017, through June 30, 2017, and then compared those claims to dates July 1, 2017, through December 31, 2017. Why? How is a comparison of the first half of a year to a second end of a year even relevant to your billing compliance? Before an independent tribunal, this chart, as supposed evidence of wrongdoing, would be thrown out as ridiculous. The point is – the MACs are using similar, yet irrelevant charts as proof of alleged, aberrant billing practices.
Another way to defend yourself is to contest the auditors/surveyors background knowledge. Challenging the knowledge of the nurse reviewer(s) and questioning the denial rate in relation to your TPE denials can also be successful. I had a dentist-client who was audited by a dental hygienist. Not to undermine the intelligence of a dental hygienist, but you can understand the awkwardness of a dental hygienist questioning a dentist’s opinion of the medical necessity of a service. If the auditor/surveyor lacks the same level of education of the health care provider, an independent tribunal will defer to the more educated and experienced decisions. This same provider kept a detailed timeline of their interactions with the hygienist reviewer(s), which included a summary of the conversations. Significantly, notes of conversations with the auditor/surveyor would normally not be allowed as evidence in a Court of law due to the hearsay rules. However, contemporaneous notes of conversations written in close time proximity of the conversation fall within a hearsay exception and can be admitted.
Pushing back on the MACs and/or formally appealing the MAC’s decisions are/is extremely important in getting the correct denial rate. If your appeal is favorable, the MACs will take into your appeal results into account and will factor the appeal decision into the denial rate.
The upshot is – do not accept the sheep’s clothing. Understand that you are under target during this TPE “educational” audit. Understand how to defend yourself and do so. Call the Woodsman. Get the hatchet.
Let’s talk targeted probe-and-educate (TPE) audits. See on RACMonitor as well.
TPE audits have turned out to be “wolf audits” in sheep’s clothing. The Centers for Medicare & Medicaid Services (CMS) asserted that the intent of TPE audits is to reduce provider burden and appeals by combining medical review with provider education.
But the “education” portion is getting overlooked. Instead, the Medicare Administrative Contractors (MACs) resort to referring healthcare providers to other agencies or contractors for “other possible action,” including audit by a Recovery Audit Contractor (RAC), which can include extrapolation or referral to the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) for investigation of fraud. A TPE audit involves up to three rounds of review, conducted by a MAC. Once Congress was instructed that RAC audits are not fair, and providers complained that RAC auditors did not help with education, CMS came up with TPE audits – which, supposedly, had more of an educational aspect, and a more fair approach. But in reality, the TPE audits have created an expensive, burdensome, cyclical pattern that, again, can result in RAC audits. The implementation of TPE audits has been just as draconian and subjective as RAC audits. The penalties can be actually worse than those resulting from RAC audits, including termination from the Medicare program. In this article, I want to discuss the appeal process and why it is important to appeal at the first level of audit.
Chapter Three, Section 3.2.5 of the Medicare Program Integrity Manual (MPIM) outlines the requirements for the TPE process, which leaves much of the details within the discretion of the MAC conducting the review. The MACs are afforded too much discretion. Often, they make erroneous decisions, but providers are not pushing back. A recent one-time notification transmittal provides additional instructions to MACs on the TPE process: CMS Transmittal 2239 (Jan. 24, 2019).
Providers are selected for TPE audit based on data analysis, with CMS instructing MACs to target providers with high denial rates or claim activity that the contractor deems unusual, in comparison to peers. These audits are generally performed as a prepayment review of claims for a specific item or service, though relevant CMS instructions also allow for post-payment TPE audits.
A TPE round typically involves a review of a probe sample of between 20 and 40 claims. Providers first receive notice that they have been targeted by their MAC, followed by additional documentation requests (ADRs) for the specific claims included in the audit.
The MACs have sole discretion as to which providers to target, whether claims meet coverage requirements, what error rate is considered compliant, and when a provider should be removed from TPE. Health care providers can be exposed to future audits and penalties based merely on the MAC’s resolve, and before the provider has received due process through their right to challenge claim denials in an independent appeals process. In this way, the MACs’ misinterpretation of the rules and misapplication of coverage requirements can lead to further audits or disciplinary actions, based on an erroneous determination that is later overturned. Similarly, while the educational activities are supposedly meant to assist providers in achieving compliance, in reality, this “education” can force providers to appear to acknowledge error findings with which they may disagree – and which may ultimately be determined to be wrong. Often times, the MACs – for “educational purposes” – require the provider to sign documentation that admits alleged wrongdoing, and the provider signs these documents without legal counsel, and without the understanding that these documents can adversely affect any appeal or future audits.
The MACs have the power, based on CMS directive, to revoke billing privileges based on a determination that “the provider or supplier has a pattern or practice of submitting claims that fail to meet Medicare requirements.” 42 C.F.R. § 424.535(a)(8)(ii). This language shows that TPE audit findings can be used as a basis for a finding of abuse of billing privileges, warranting removal from participation in the Medicare program. CMS guidance also gives the MACs authority to refer providers for potential fraud investigation, based on TPE review findings. It is therefore vital that providers submit documentation in a timely fashion and build a clear record to support their claims and compliance with Medicare requirements.
TPE audits promise further education and training for an unsuccessful audit (unsuccessful according to the MAC, which may constitute a flawed opinion), but most of the training is broad in nature and offered remotely – either over the phone, via web conference, or through the mail, with documentation shared on Google Docs. Only on atypical occasions is there an on-site visit.
Why appeal? It’s expensive, tedious, time-consuming, and emotionally draining. Not only that, but many providers are complaining that the MACs inform them that the TPE audit results are not appealable (TPE audits ARE appealable).
TPE reviews and TPE audit overpayment determinations may be appealed through the Medicare appeals process. The first stage of appeal will be to request a redetermination of the overpayment by the MAC. If the redetermination decision is unfavorable, Medicare providers and suppliers may request an independent review by filing a request for reconsideration with the applicable Qualified Independent Contractor (QIC). If the reconsideration decision is unfavorable, Medicare providers and suppliers are granted the opportunity to present their case in a hearing before an administrative law judge (ALJ). While providers or suppliers who disagree with an ALJ decision may appeal to the Medicare Appeals Council and then seek judicial review in federal district court, it is crucial to obtain experienced healthcare counsel to overturn the overpayment determination during the first three levels of review.
Appealing unfavorable TPE audits results sends a message. Right now, the MACs hold the metaphoric conch shell. The Medicare appeals process allows the provider or supplier to overturn the TPE audit overpayment, and reduces the likelihood of future TPE reviews, other Medicare audits, and disciplinary actions such as suspension of Medicare payments, revocation of Medicare billing privileges, or exclusion from the Medicare program. In instances when a TPE audit identifies potential civil or criminal fraud, it is essential that the Medicare provider or supplier engage experienced healthcare counsel to appeal the Medicare overpayment as the first step in defending its billing practices, and thus mitigating the likelihood of fraud allegations (e.g., False Claims Act actions).
CMS and the MACs maintain that TPEs are in the providers’ best interest because education is included. In actuality, TPEs are wolves in sheep’s clothing, masking true repercussions in a cloak of “education.” The Medicare appeal process is a provider’s best weapon.
HIPAA mandates the privacy of private health care records. HIPAA is a serious issue, both financially and in the risk-management aspect, for health care providers. Providers need to delegate annual funds to the defense of regulatory audits proactively – before the actual adverse action occurs. Because it’s not an “if;” it’s a “when,” when you accept Medicare/caid. In the Medicare/caid world, HIPAA violations can catastrophically render a company dead for an infraction. In the current days of technical, daily advances and allegations of cybersecurity breaches, health care providers must be cognizant of cyber criminals, their intent, their modus operandi, and what personal/company information is valuable to such criminals. The HIPAA statutes are vague and lack detailed explanations as to penalties.
In 2018, the Office for Civil Rights (OCR) issued a record-breaking $28 million in fines for HIPAA violations. The number of health care providers currently under investigation by HHS, in 2019, will be another record-breaking number.
As more and more data is maintained on computer systems, the more and more accessible the information becomes to potential scammers. In 2017, the number of cyber attacks increased exponentially to 5,207. There is actually an itemization as to how many of the attacks were germane to health care; health care breaches accounted for 8.5% of all breaches. 2.3 billion health care records have been exposed. This isn’t new. In 2015, the most healthcare records ever were breached. 113 million healthcare records were exposed that year. Now, in 2019, we may witness an all-time-high.
Human error is the number 1 reason for HIPAA violations. Employees gossiping and disclosing private health care information among each other is another culprit, along with social media and lack of training.
The largest individual HIPAA settlement was reached in October 2018, when OCR fined health insurer Anthem $16 million.
The oxymoron is that the government (Medicare/caid) and private payors are pushing for collaborative health care and the sharing of health care records amongst varying providers. Yet the possible HIPAA breaches increase with collaboration.
In April 2019, HHS randomly selected 9 HIPAA-covered entities—a mix of health plans and clearinghouses—for Compliance Reviews. The CMS Division of National Standards, on behalf of HHS, has launched a volunteer Provider Pilot Program to test the compliance review process.
The Trump administration has interpreted HIPAA penalties differently than the Obama administration did. Now HHS will apply a different cumulative annual CMP limit for the four penalties tiers in the Health Information Technology for Economic and Clinical Health (HITECH) Act.
There are four tiers of HIPAA violation severity outlined in the HITECH Act, based on the violator’s level of culpability:
Under the Obama administration, the annual limit for each tier was $1.5 million.
HIPAA penalties are appealable and with the disparate amount of penalties, it is well worth the time and expense to appeal.
Shockingly, not all new rules that emerge from the Center for Medicare and Medicaid Services (CMS) are actually compliant with the law. Wait! What? How can CMS publish Final Rules that are not compliant with the law?
This was an eye-opening discovery as a “baby lawyer” back 20 years ago. The government can and does publish and create Rules that, sometimes, exceed its legal authority. Of course, the Agency must follow appropriate rule-making procedure and allow for a comment period (etc.), but CMS does not have to listen to the comments. Theoretically, CMS could publish a Final Rule mandating that all Medicare providers provide 50 hours of free services a year or that the reimbursement rate for all services is $1. Both of my examples violate multiple rules, regulations, and laws, but until an aggrieved party with standing files a lawsuit declaring the Final Rule to be invalid or Congress passes a law that renders the Rule moot, the Rule exists and can be enforced by CMS and its agents.
The Rule-change (the “Site-Neutrality Rule”), which became effective January 1, 2019, reduced Medicare reimbursements to hospitals with outpatient facilities. Medicare will pay hospitals that have outpatient facilities “off campus” at a lower rate — equivalent to what it pays independent physicians for clinic visits. This decrease in Medicare reimbursements hits hard for most hospitals across the country, but, especially, rural hospitals. For the past 10+ years, hospitals have built outpatient facilities to serve more patients, and been reimbursed a higher Medicare reimbursement rate than independent physicians because the services at the hospital’s outpatient facility were connected to an outpatient facility affiliated with a hospital. Now the Site-Neutrality Rule leaves many hospitals trying to catch their breaths after the metaphoric punch to the belly. On the other hand, independent physicians claim that they have been providing the exact, same services as the hospital-affiliated outpatient facilities for years, but have received a lower reimbursement rate. I have no opinion (I do, but my opinion is not the topic in this blog) as to whether physicians and hospitals should be reimbursed equally – this blog is not pro-physician or pro-hospital. Rather, this blog is “pro-holding CMS liable to render Rules that follow the law.” Whether the hospitals or the physicians were receiving a cut in reimbursement rates, I am in favor of the those cuts (and future cuts) abiding by the law. Interestingly, should the AHA win this case, it could set solid, helpful, legal precedent for all types of providers and all types of decreased Medicare/caid reimbursements going forward.
Because of the Site-Neutrality Rule, in 2019, hospitals’ reimbursements will drop approximately $380 million and $760 million in 2020, according to CMS.
Before CMS brags on a decrease in the Medicare budget due to a proposed or Final Rule, it should remember that there is budget neutrality requirement when it comes to Rules implemented by CMS. 42 US.C. § 1395l. Yet, here, for the Site-Neutrality Rule, according to articles and journals, CMS is boasting its Site-Neutrality Rule as saving millions upon millions of dollars for Medicare. Can we say “Budget Non-Neutrality?”
The American Hospital Association filed a lawsuit December 2018 claiming that CMS exceeded its authority by implementing the Final Rule for “site neutral” Medicare reimbursements for hospitals with outpatient facilities. The lawsuit requests an injunction to stop the decrease and an order to repay any funds withheld thus far.
The claim, which, I believe has merit, argues that the Site-Neutrality Rule exceeds CMS’s statutory authority under the Medicare Act because of the budget neutrality mandate, in part – there are other arguments, but, for the sake of this blog, I am concentrating on the budget neutrality requirement. In my humble opinion, the budget neutrality requirement is overlooked by many attorneys and providers when it comes to challenging cuts to Medicare or Medicaid reimbursement rates.
On March 22, 2019, CMS filed a Motion to Dismiss or in the alternative, a Cross Motion for Summary Judgment. On April 5, 2019, AHA (and the rest of the Plaintiffs) responded in opposition. On April 19, 2019, CMS responded to AHA’s response in opposition. The Judge has not ruled on the Motions, as of today, April 25, 2019.
Obviously, I will be keeping a close eye on the progress of this case going forward. In the meantime, more reductions in reimbursement rates are on the horizon…
Recently, CMS recently proposed three new rules that would further update the Medicare payment rates and quality reporting programs for hospices, skilled nursing facilities (SNFs), and inpatient psychiatric facilities.
The ADR rule went into effect Jan. 1, 2019. Original blog post published March 6, 2019, on RACMonitor.
The Centers for Medicare & Medicaid Services (CMS) has updated its criteria for additional document requests (ADRs). If your ADR “cycle” is less than 1, CMS will round it up to 1.
What is an ADR cycle?
When a claim is selected for medical review, an ADR is generated requesting medical documentation be submitted to ensure payment is appropriate. Documentation must be received by CGS (A Celerian Group Company) within 45 calendar days for review and payment determination. Any selected and submitted claim can create an ADR. In other words, a provider is asked to prove that the service was rendered and that the billing was compliant.
It is imperative to understand that you, as the provider, check the Fiscal Intermediary Standard System (FISS) status/location S B6001. Providers are encouraged to use FISS Option 12 (Claim Inquiry) to check for ADRs at least once per week. You will not receive any other form of notification for an ADR.
To make matters even more confusing, there are two different types of ADRs: medical review (reason code 39700) and non-medical review (reason code 39701).
An ADR may be sent by CGS, Zone Program Integrity Contractors (ZPICs), Recovery Audit Contractors (RACs), Supplemental Medical Review Contractors (SMRCs), the Comprehensive Error Rate Testing (CERT) contractor, etc. When a claim is selected for review or when additional documentation is needed to complete the claim, an ADR letter is generated requesting that documentation and/or medical records be submitted.
The ADR process is essentially a type of prepayment review.
A baseline annual ADR limit is established for each provider based on the number of Medicare claims paid in the previous 12-month period that are associated with the provider’s six-digit CMS Certification Number (CCN) and the provider’s National Provider Identifier (NPI) number. Using the baseline annual ADR limit, an ADR cycle limit is also established.
After three 45-day ADR cycles, CMS will calculate (or recalculate) a provider’s denial rate, which will then be used to identify a provider’s corresponding “adjusted” ADR limit. Auditors may choose to either conduct reviews of a provider based on their adjusted ADR limit (with a shorter lookback period) or their baseline annual ADR limit (with a longer lookback period).
The baseline, annual ADR limit is one-half of one percent of the provider’s total number of paid Medicare service types for which the provider had reimbursed Medicare claims.
Effective Jan. 1, 2019, providers whose ADR cycle limit is less than 1, even though their annual ADR limit is greater than 1, will have their ADR cycle limit round up to 1 additional documentation request per 45 days, until their annual ADR limit has been reached.
For example, say Provider ABC billed and was paid for 400 Medicare claims in a previous 12-month period. The provider’s baseline annual ADR limit would be 400 multiplied by 0.005, which is two. The ADR cycle limit would be 2/8, which is less than one. Therefore, Provider ABC’s ADR cycle limit will be set at one additional documentation request per 45 days, until their annual ADR limit, which in this example is two, has been reached. In other words, Provider ABC can receive one additional documentation request for two of the eight ADR cycles, per year.
ADR letters are sent on a 45-day cycle. The baseline annual ADR limit is divided by eight to establish the ADR cycle limit, which is the maximum number of claims that can be included in a single 45-day period. Although auditors may go more than 45 days between record requests, in no case shall they make requests more frequently than every 45 days.
And that is the update on ADRs. Remember, the rule changed Jan. 1, 2019.
So many memos, so little time. Federal prosecutors receive guidance on how to prosecute. Maybe “guidance” is too loose a term. There is a manual to follow, and memos are just guidance until the memos are incorporated into what is known as the Justice Manual. Memos are not as binding as the Justice Manual, but memos are persuasive. For the last 22 years, the Justice Manual has not been revised to reflect the many, many memos that have been drafted to direct prosecutors on how to proceed. Until recently…
Justice Manual Revised
The Justice Manual, which is the manual that instructs federal prosecutors how to proceed in cases of Medicare and Medicaid fraud, has been revised for the first time since 1997. The Justice Manual provides internal Department of Justice (DOJ) rules.
The DOJ has new policies for detecting Medicare and Medicaid fraud and abuse. Some of these policies are just addendums to old policies. Or formal acceptance to old memos. Remember the Yates Memo? The Yates Memo directed prosecutors to indict executives, individually, of fraudulent companies instead of just going after the company.
The Yates Memo has now been codified into the Justice Manual.
Then came the Granston Memo – In a January 10, 2018, memo (the “Granston Memo”), the DOJ directed its prosecutors to more seriously consider dismissing meritless False Claims Act (“FCA”) cases brought by whistleblowers. It lists 7 (non-exhaustive) criteria for determining whether the DOJ should dismiss a qui tam lawsuit. The reasoning behind the Granston Memo is that whistleblower lawsuits have risen over 600 cases per year, but the government’s involvement has not mirrored the raise. This may indicate that many of the whistleblower lawsuits are frivolous and filed for the purpose of financial gain, even if the money is not warranted. Remember qui tam relators (people who bring lawsuits against those who mishandle tax dollars, are rewarded monetarily for their efforts…and, usually, the reward is not a de minimus amount. In turn, people are incentivized to identify fraud and abuse against the government. At least, according to the Granston Memo, the financial incentive works too well and frivolous lawsuits are too prevalent.
The Granston Memo has also been codified into the Justice Manual.
Talk about an oxymoron…the Yates Memo instructs prosecutors to pursue claims against more people, especially those in the executive positions for acts of the company. The Granston Memo instructs prosecutors to more readily dismiss frivolous FCA allegations. “You’re a wigwam. You’re a teepee. Calm down, you’re just two tents (too tense).” – a horrible joke that my husband often quips. But this horrible quote is apropos to describe the mixed messages from DOJ regarding Medicare and Medicaid fraud and abuse.
The Brand Memo, yet another memo that we saw come out of CMS, instructs prosecutors not to use noncompliance as subject to future DOJ enforcement actions. In other words, agency guidance does not cannot create binding legal requirements. Going forward, the DOJ will not enforce recommendations found in agency guidance documents in civil actions. Relatedly, DOJ will not use noncompliance with agency guidance to “presumptively or conclusively” establish violations of applicable law or regulations in affirmative civil enforcement cases.
The Brand Memo was not incorporated into the Justice Manual. It also was not repudiated.
Medicare/caid Audit Targets Broadened
Going forward, traditional health care providers will not be the only targets – Medicare Advantage plan, EHR companies, and private equity owners – will all be audited and reviewed for fraud and abuse. Expect more audits with wider nets to catch non-provider targets to increase now that the Yates Memo was codified into the Justice Manual.
Anti-Kickback Statute, Stark Law, and HIPAA Narrowed
The Stark Law (42 U.S.C. 1395nn) and the Anti-Kickback Statute (42 U.S.C. §1320a‑7b(b)) exist to minimize unneeded or over-utilization of health-care services payable by the federal government. Stark Law and the Anti-Kickback regulations criminalize, impose civil monetary penalties, or impose other legal sanctions (such as termination from Medicare) against health care providers and other individuals who violate these laws. These laws are esoteric (which is one reason that I have a job) and require careful navigation by specialized legal counsel. Accidental missteps, even minute documentation errors, can lead to harsh and expensive results.
In a health care world in which collaboration among providers is being pushed and recommended, the Anti-Kickback, Stark, and HIPAA laws are antiquated and fail to recognize the current world. Existing federal health-care fraud and abuse laws create a “silo effect” that requires mapping and separating financial interests of health-care providers in order to ensure that patient referrals cannot be tainted by self-interest. Under Stark, a strict liability law, physicians cannot make a referral for the provision of “designated health services” to an entity with which they have a financial relationship (unless one of approximately 30 exceptions applies). In other words, for example, a hospital cannot refer patients to the home health care company that the hospital owns.
Going forward – and this has not happened yet – regulators and the Department will begin to claw back some of the more strict requirements of the Stark, Anti-Kickback, and HIPAA regulations to decrease the “silo effect” and allow providers to collaborate more on an individual’s whole health method. I had an example of this changing of the tide recently with my broken leg debacle. See blog. After an emergency surgery on my leg by an orthopedic surgeon because of a contracted infection in my wound, my primary care physician (PCP) called to check on me. My PCP had nothing to do with my leg surgery, or, to my knowledge, was never informed of it. But because of new technology that allows patient’s records to be accessed by multiple providers in various health care systems or practices, my PCP was informed of my surgery and added it to my chart. This never could have happened 20 years ago. But this sharing of medical records with other providers could have serious HIPAA implications if some restrictions of HIPAA are not removed.
In sum, if you haven’t had the pleasure of reading the Justice Manual in a while, now would be an appropriate time to do so since it has been revised for the first time in 22 years. This blog does not enumerate all the revisions to the Justice Manual. So it is important that you are familiar with the changes…or know someone who is.
Effective January 2, 2019, the Center for Medicare and Medicaid Services (CMS) radically changed its guidance on the use of extrapolation in audits by recovery audit contractors (RACs), Medicare administrative contractors (MACs), Unified Program Integrity Contractors (UPICs), and the Supplemental Medical Review Contractor (SMRC).
Extrapolation is the tsunami in Medicare/caid audits. The auditor collects a small sample of claims to review for compliance. She then determines the “error rate” of the sample. For example, if 50 claims are reviewed and 10 are found to be noncompliant, then the error rate is set at 20%. That error rate is applied to the universe, which is generally a three-year time period. It is assumed that the random sample is indicative of all your billings regardless of whether you changed your billing system during that time period of the universe or maybe hired a different biller.
With extrapolated results, auditors allege millions of dollars of overpayments against health care providers…sometimes more than the provider even made during that time period. It is an overwhelming wave that many times drowns the provider and the company.
Prior to this recent change to extrapolation procedure, the Program Integrity Manual (PIM) offered little guidance to the proper method for extrapolation.
Well, Change Request 10067 – overhauled extrapolation in a HUGE way.
The first modification to the extrapolation rules is that the PIM now dictates when extrapolation should be used.
Determining When a Statistical Sampling May Be Used. Under the new guidance, a contractor “shall use statistical sampling when it has been determined that a sustained or high level of payment error exists. The use of statistical sampling may be used after documented educational intervention has failed to correct the payment error.” This guidance now creates a three-tier structure:
- Extrapolation shall be used when a sustained or high level of payment error exists.
- Extrapolation may be used after documented educational intervention (such as in the Targeted Probe and Educate (TPE) program).
- It follows that extrapolation should not be used if there is not a sustained or high level of payment error or evidence that documented educational intervention has failed.
“High level of payment error” is defined as 50% or greater. The PIM also states that the contractor may review the provider’s past noncompliance for the same or similar billing issues, or a historical pattern of noncompliant billing practice. This is HUGE because so many times providers simply pay the alleged overpayment amount if the amount is low or moderate in order to avoid costly litigation. Now those past times that you simply pay the alleged amounts will be held against you.
Another monumental modification to RAC audits is that the RAC auditor must receive authorization from CMS to go forward in recovering from the provider if the alleged overpayment exceeds $500,000 or is an amount that is greater than 25% of the provider’s Medicare revenue received within the previous 12 months.
The identification of the claims universe was also re-defined. Even CMS admitted in the change request that, on occasion, “the universe may include items that are not utilized in the construction of the sample frame. This can happen for a number of reasons, including, but not limited to: (1) Some claims/claim lines are discovered to have been subject to a prior review, (2) The definitions of the sample unit necessitate eliminating some claims/claim lines, or (3) Some claims/claim lines are attributed to sample units for which there was no payment.”
There are many more changes to discuss, but I have been asked to appear on RACMonitor to present the details on February 19, 2019. So sign up to listen!!!