Category Archives: Legal Remedies for Medicaid Providers

CMS Overlooks a Settlement Agreement from 2013 : A 2021 Provider Must Defend!

Today I am talking about a settlement agreement between CMS and the skilled nursing community, which, apparently, CMS conveniently forgot about – just recently. The Jimmo settlement agreement re-defines medical necessity for skilled nursing, especially for terminally, debilitating diseases, such as multiple sclerosis (“MS”). According to CMS/the MAC auditor, my client, who serves 100%, MS patients on Medicare owes over half a million dollars. The alleged overpayment and audit findings are in violation of the Jimmo Settlement and must cease.

My client received correspondence dated February 25, 2021, regarding CMS Inquiry #2349 that re-alleged an overpayment in the amount of $578,564.45, but the audit is in violation of the Jimmo Settlement with CMS. One basis for the claims denials is that “There is doc that the pt. has a dx of MS with no doc of recent exacerbation or change in function status.” After the first level of appeal, on June 8, 2021, the denial reason was as follows:

“The initial evaluation did not document there was an ACUTE exacerbation of this chronic condition that would support the need for skilled services.” This basis is in violation of the Jimmo Settlement. See below excerpt from the Jimmo Settlement.

In January 2013, the Centers for Medicare & Medicaid Services (“CMS”) settled a lawsuit, and the “Jimmo” Settlement Agreement was approved by the Court. Jimmo v. Sebelius, No. 5:11-CV17 (D. Vt., 1/24/2013). The Jimmo Settlement Agreement clarified that, provided all other coverage criteria are met, the Medicare program covers skilled nursing care and skilled therapy services under Medicare’s skilled nursing facility, home health, and outpatient therapy benefits when a beneficiary needs skilled care in order to maintain function or to prevent or slow decline or deterioration. Specifically, the Jimmo Settlement Agreement required Medicare Manual revisions to restate a “maintenance coverage standard” for both skilled nursing and therapy services under these benefits. The Jimmo Settlement Agreement dictates that:

“Specifically, in accordance with the settlement agreement, the manual revisions clarify that coverage of skilled nursing and skilled therapy services in the skilled nursing facility (SNF), home health (HH), and outpatient therapy (OPT) settings “…does not turn on the presence or absence of a beneficiary’s potential for improvement, but rather on the beneficiary’s need for skilled care.” Skilled care may be necessary to improve a patient’s current condition, to maintain the patient’s current condition, or to prevent or slow further deterioration of the patient’s condition.”

In the case of Jimmo v. Sebelius, which resulted in the Jimmo Settlement Agreement, the Center for Medicare Advocacy (“CMA”) alleged that Medicare claims involving skilled care were being inappropriately denied by contractors based on a rule-of-thumb-“Improvement Standard”— under which a claim would be summarily denied due to a beneficiary’s lack of restoration potential, even though the beneficiary did in fact require a covered level of skilled care in order to prevent or slow further deterioration in his or her clinical condition. In the Jimmo lawsuit, CMS denied establishing an improper rule-of-thumb “Improvement Standard.”

While an expectation of improvement would be a reasonable criterion to consider when evaluating, for example, a claim in which the goal of treatment is restoring a prior capability, Medicare policy has long recognized that there may also be specific instances where no improvement is expected but skilled care is, nevertheless, required in order to prevent or slow deterioration and maintain a beneficiary at the maximum practicable level of function. For example, in the federal regulations at 42 CFR 409.32(c), the level of care criteria for SNF coverage specify that the “. . . restoration potential of a patient is not the deciding factor in determining whether skilled services are needed. Even if full recovery or medical improvement is not possible, a patient may need skilled services to prevent further deterioration or preserve current capabilities.” The Medicare statute and regulations have never supported the imposition of an “Improvement Standard” rule-of-thumb in determining whether skilled care is required to prevent or slow deterioration in a patient’s condition.

A beneficiary’s lack of restoration potential cannot serve as the basis for denying coverage, without regard to an individualized assessment of the beneficiary’s medical condition and the reasonableness and necessity of the treatment, care, or services in question. Conversely, coverage in this context would not be available in a situation where the beneficiary’s care needs can be addressed safely and effectively through the use of nonskilled personnel. Thus, such coverage depends not on the beneficiary’s restoration potential, but on whether skilled care is required, along with the underlying reasonableness and necessity of the services themselves.

Any Medicare coverage or appeals decisions concerning skilled care coverage must reflect this basic principle. In this context, it is also essential and has always been required that claims for skilled care coverage include sufficient documentation to substantiate clearly that skilled care is required, that it is provided, and that the services themselves are reasonable and necessary, thereby facilitating accurate and appropriate claims adjudication.

The Jimmo Settlement Agreement includes language specifying that “Nothing in this Settlement Agreement modifies, contracts, or expands the existing eligibility requirements for receiving Medicare coverage. Id. The Jimmo Settlement Agreement clarifies that when skilled services are required in order to provide care that is reasonable and necessary to prevent or slow further deterioration, coverage cannot be denied based on the absence of potential for improvement or restoration.

100% of my client’s consumers suffer from MS. MS is a chronic condition that facilitates a consistent decline over a long period of time. 90% of those with MS do not suffer from acute exacerbations after approximately 5 years of their initial diagnosis. They move into a new phase of their disease called secondary progressive where there are no exacerbations but a slow, consistent decline is now the clinical presentation. According to the Jimmo Settlement, there is no requirement that a provider demonstrate recent exacerbation or change of function. This has been litigated and settled. My client’s Medicare audit is in violation of the Jimmo Settlement and must cease, yet the audit must still be defended.

My client’s documents clearly demonstrate that its consumers who all suffer from MS, qualify for skilled therapy based on the Jimmo Settlement Agreement and their physicians’ recommendations. The Jimmo Settlement clearly states that if the therapist determines that skilled nursing is necessary to stop further decline, then, under the Jimmo Settlement, skilled nursing is appropriate.

Now my client is having to defend itself against erroneous allegations that are clearly in violation of the Jimmo Settlement, which is adversely affecting the company financially. It’s amazing that in 2021, my client is defending a right given in a settlement agreement from 2013. Stay proactive!

RAC Audit Update: Renewed Focus on the Two-Midnight Rule

In RAC news, on June 1, 2021, Cotiviti acquired HMS RAC region 4. Don’t be surprised if you see Cotiviti’s logo on RAC audits where you would have seen HMS. This change will have no impact in the day-to-day contract administration and audit timelines under CMS’ guidance. You will continue to follow the guidance in the alleged, improper payment notification letter for submission of medical documentation and discussion period request. In March 2021, CMS awarded Performant an 8.5 year contract to serve as the Region 1 RAC. 

There really cannot be any deviations regardless the name of the RAC Auditor because this area is so regulated. Providers always have appeal rights regardless Medicare/caid RAC audits. Or any other type of audit. Medicaid RAC provider appeals are found in 42 CFR 455.512. Whereas Medicare provider redeterminations and the 5 levels of appeal are found in 42 CFR Subpart I. The reason that RAC audits are spoken about so often is that the Code of Federal Regulations applies different rules for RAC audits versus MAC, TPE, UPIC, or other audits. The biggest difference is that RAC auditors are limited to a 3 year look back period according to 42 CFR 455.508. Other auditors do not have that same limitation and can look back for longer periods of time. Of course, whenever “credible allegations of fraud” is involved, the lookback period can be for 10 years.

The federal regulations also allow States to request exceptions from the Medicaid RAC program. CMS mandates every State to participate in the RAC program. But there is a federal reg §455.516 that allows exceptions. To my knowledge, no State has requested exceptions out of the RAC Audit program.

RAC auditors have announced a renewed focus on the two-midnight rule for hospitals. Again. This may seem like a rerun and it is. You recall around 2012, RACs began noticing high rates of error with respect to patient status in certain short-stay Medicare claims submitted for inpatient hospital services. CMS and the RACs indicated the inpatient care setting was medically unnecessary, and the claims should have been billed as outpatient instead. Remember, for stays under 2 midnights, inpatient status may be used in rare and unusual exceptions and may be payable under Medicare Part A on a case-by-case basis.

Provider Medicaid Contract Termination Reversed in Court!

First and foremost, important, health care news:

The Medicare Administrative Contractors (MACs) have full authority to renew post-payments reviews of dates of service (DOS) during the COVID pandemic. The COVID pause is entirely off. It is going to be a mess to wade through the thousands of exceptions. RAC audits of COVID DOS will be, at best, placing a finger on a piece of mercury. I hope that the auditors remember that everyone was scrambling to do their best during the past year and a half. In the upcoming weeks, I will keep you posted.

I am especially excited today. Last week, I won a permanent injunction for a health care facility that but for this injunction, the facility would be closed, its 300 staff unemployed, and its 600 Medicare and Medicaid consumers without access to their mental health and substance abuse providers, their primary care physicians, and the Suboxone clinic. The Judge’s clerk emailed us on Friday. The email was terse although the clerk signified that the email was important by clicking the little, red, exclamation point. It simply stated: After speaking with Judge X, she is dismissing the government’s MTD and granting Petitioner’s permanent injunction. Petitioner’s counsel can send a proposed decision within 10 days. Such a simple email affected so many lives!

We hear Ellen Fink-Samnick MSW, ACSW, LCSW, CCM, CRP, speak about social determinants of health (SDoH) on RACMonitor. Well, this company is minority-owned and the mass percentage of staff and consumers are minorities.

Why was this company on the brink of closing down? The managed care organization (MCO) terminated the company’s Medicaid contract. Medicaid comprised the majority of its revenue. The MCO’s reason was that the company violated 42 CFR §455.106, which states:

“Information that must be disclosed. Before the Medicaid agency enters into or renews a provider agreement, or at any time upon written request by the Medicaid agency, the provider must disclose to the Medicaid agency the identity of any person who:

(1) Has ownership or control interest in the provider, or is an agent or managing employee of the provider; and

(2) Has been convicted of a criminal offense related to that person‘s involvement in any program under Medicare, Medicaid, or the title XX services program since the inception of those programs.”

The former CEO – for years – he relied on professional tax accountants for the company’s taxes and his own personal family’s taxes. His wife, who is a physician, relied on her husband to do their personal taxes as one of his “honey-do” tasks. CEO relied on a sub-par accountant for a couple years and pled guilty to failing to pay personal taxes for two years. The plea ended up in the newspaper and the MCO terminated the facility.

We argued that the company, as an entity, was bigger than just the CEO. Quickly, we filed for a TRO to keep the company open. Concurrently, we transitioned the company from the CEO to Dr. wife. Dr became CEO in a seamless transition. A long-time executive stepped up as HR management.

Yet, according to testimony, the MCO terminated the company’s contract when the newspaper published the article about CEO’s guilty plea. The article was published in a local paper on April 9 and the termination notice was sent out April 19th. It was a quick decision.

We argued that 42 CFR §455.106 didn’t apply because CEO’s guilty plea was:

  1. Personal and not related to Medicare or Medicaid; and
  2. Not a conviction but a voluntary plea agreement.

The Judge agreed. We won the TRO for immediate relief. After a four-day hearing and 22 witnesses for Petitioner, we won the preliminary injunction. At this point, the MCO hired outside counsel with our tax dollars, which I did bring up in the final hearing on the merits.

New outside counsel was super excited to be involved. He immediately propounded a ton of discovery asking for things that he already had and for criminal documents that we had no access to because, by law, the government has possession of and CEO never had. Well, new lawyer was really excited, so he filed motions to compel us to produce these unobtainable documents. He filed for sanctions. We filed for sanctions back.

It grew more litigious as the final hearing on the merits approached.

Finally, we presented our case for a permanent injunction, emphasizing the importance of the company and the smooth transition to the new, Dr. CEO. We won! Because we won, the company is open and providing medically necessary services to our most needy population.

And…I get to draft the proposed decision.

To Disclose or Not to Disclose: The Answer Could Terminate Your Medicaid Contract

Changes of ownership of a facility can spur RAC, MAC, and MCO audits. In fact, federal regulations require disclosure of changes of ownership within 35 days after any change of ownership. 42 CFR 455.104. The regulations require disclosure, but there is no guidance regarding acceptance of said change of ownership. In other words what if your company undergoes a change in ownership and the MCO or MAC terminates the participation agreement because they don’t appreciate who the new owner is. The federal regulations also require disclosure of any convictions related to Medicaid. 42 CFR 455.106. In the particular case I am discussing, the MCO audited this company 10-15 times over two years. There seemed to be a personal vendetta, for whatever reason, against the company from higher-ups at the MCO.

Managed care can be tricky because, by definition, it removes the management of Medicaid and Medicare from the government agencies into these quasi-private/quasi-governmental agencies. I still think that managed care violates 42 CFR 410(e), the single state agency requirement that states that “The Medicaid agency may not delegate, to other than its own officials, the authority to supervise the plan or to develop or issue policies, rules, and regulations on program matters.” Despite my personal opinion, managed care is definitely the trend. To date, 40 States have managed care organizations (MCOs) to manage Medicaid.

This company is a behavioral health care provider, which provides substance abuse services, SAIOP, SACOT, PSR, OPT, urine tests; they run a Suboxone clinic, a laboratory, and a pharmacy. It also provides free/charitable transportation services to get the consumers to the facility without receiving any money in return. The CEO was accused of personal, tax fraud. He and his wife never submitted their own taxes; they relied on professionals. One, below-stellar accountant performed the companies’ taxes and the CEO’s personal taxes a few years ago. I am no tax expert, but apparently the problem was that he took no salary for two years while the facility was bringing in little profit. His wife is a physician, so they were able to sustain on one income. A lot of confusion later and multiple tax and criminal attorneys, CEO pled guilty to a personal tax plea. It is a Martha Stewart mistake, not a Bernie Madoff. The guilty plea was not germane to Medicaid.

Once the CEO pleads guilty to the personal plea, the newspaper publishes a story. The MCO first terminates the contract based on 42 CFR 455.106, which requires disclosure if – and the exact wording is important – “Has been convicted of a criminal offense related to that person’s involvement in any program under Medicare, Medicaid, or the Title XX services program since the inception of those programs.” This guilty plea was not related to Medicaid so the termination was erroneous.

Concurrently, in light of the CEO’s plea, he steps down and his wife who is also a medical physician steps in to transition as CEO to keep the company going. Obviously, a company is bigger than its CEO’s personal transgressions. 200 staff and hundreds of consumers relied on its viability as a company.

Once we argued that the personal guilty plea was not related to Medicaid, the MCO added the additional reason for termination – failing to disclose a change in ownership. A double whammy!

We were able to successfully file a preliminary injunction arguing that irreparable harm would ensue if the termination were upheld. We also argued that the terminations were erroneous. The Judge agreed in this case agreeing that a company is indeed bigger than its CEO’s transgressions.

We always think about audits involving medical records. But audits can also involve audits of corporate disclosures or nondisclosures of managerial issues. Audits of provider executive teams can be deadly to any company.

Terminations of provider agreements are always tricky because, most often, the MCO or MAC will argue that it can terminate the Medicaid/care contract at will. I disagree, first and foremost. See blog, “Property Rights.”

If a facility is terminated for cause, that reason better be accurate!

In this case, the CEO had no duty to disclose his personal, guilty plea per the regulations. Secondly, the MCOs’ assertion that it had no notice of the transfer of ownership was equally as disingenuous. The facility had been open and honest regarding the transition of the company to a new CEO. While no formal notice was ever provided, there was clear communication about the transition to/from the MCO.

Thus, we were successful in obtaining an injunction; thereby keeping the company viable.

Knicole Emanuel Interviewed by “Ask the Attorney” and Alex Said, “I Love You!”

Medicare Appeal Backlog Dissolves and SMRC Audits Escalate

I have good news and bad news today. I have chosen to begin with the good news. The ALJ backlog will soon be no more. Yes, the 4-6 years waiting period between the second and third level will, by sometime in 2021, be back to 90 days, with is the statutory requirement. What precipitated this drastic improvement? Money. This past year, CMS’ budget increased exponentially, mostly due to the Medicare appeals backlog. OMHA was given enough dough to hire 70 additional ALJs and to open six additional locations. That brings the number of ALJs ruling over provider Medicare appeals to over 100. OMHA now has the capability to hear and render decisions for approximately 300,000 appeals per year. This number is drastically higher than the number of Medicare appeals being filed. The backlog will soon be nonexistent. This is fantastic for all providers because, while CMS will continue to recoup the alleged overpayment after the 2nd level, the providers will be able to have its case adjudicated by an ALJ much speedier.

Now the bad news. Remember when the RAC program was first implemented and the RACs were zealously auditing, which is the reason that the backlog exists in the first place. RACs were given free rein to audit whichever types of service providers they chose to target. Once the backlog was out of hand, CMS restricted the RACs. They only allowed a 3 year lookback period when other auditors can go back 6 years, like the SMRC audits. CMS also mandated that the RACs slow down their number of audits and put other restrictions on RACs. Now that OMHA has the capacity to adjudicate 300,000 Medicare appeals per year, expect that those reins that have been holding the RACs back will by 2021 or 2022 be fully loosened for a full gallop.

Switching gears: Two of the lesser known audits that are exclusive to the CMS are the Supplemental Medical Review Contractor (“SMRC”) and the Targeted Probe and Educate (“TPE”) audits. Exclusivity to CMS just means that Medicare claims are reviewed, not Medicaid.

The SMRCs, in particular, create confusion. We have seen DME SMRC audits on ventilator claims, which are extremely document intensive. You can imagine the high amounts of money at issue because, for ventilators, many people require them for long periods of time. Sometimes there can 3000 claim lines for a ventilator claim. These SMRC audits are not extrapolated, but the amount in controversy is still high. SMRCs normally request the documents for 20-40 claims. It is a one-time review. It’s a post payment review audit. It doesn’t sound that bad until you receive the request for documents of 20-40 claims, all of which contain 3000 claim lines and you have 45 days to comply.

Lastly, in a rare act, CMS has inquired as whether provider prefer TPE audits or continue with post payment review audits for the remainder of the pandemic. If you have a strong opinion one way or the other, be sure to contact CMS.

Medicare Auditors Fail to Follow the Jimmo Settlement

Auditors are not lawyers. Some auditors do not even possess the clinical background of the services they are auditing. In this blog, I am concentrating on the lack of legal licenses. Because the standards to which auditors need to hold providers to are not only found in the Medicare Provider Manuals, regulations, NCDs and LCDs. Oh, no… To add even more spice to the spice cabinet, common law court cases also create and amend Medicare and Medicaid policies.

For example, the Jimmo v. Selebius settlement agreement dictates the standards for skilled nursing and skilled therapy in skilled nursing facilities, home health, and outpatient therapy settings and importantly holds that coverage does not turn on the presence or absence of a beneficiary’s potential for improvement.

The Jimmo settlement dictates that:

“Specifically, in accordance with the settlement agreement, the manual revisions clarify that coverage of skilled nursing and skilled therapy services in the skilled nursing facility (SNF), home health (HH), and outpatient therapy (OPT) settings “…does not turn on the presence or absence of a beneficiary’s potential for improvement, but rather on the beneficiary’s need for skilled care.” Skilled care may be necessary to improve a patient’s current condition, to maintain the patient’s current condition, or to prevent or slow further deterioration of the patient’s condition.”

This Jimmo standard – not requiring a potential for improvement – is essential for diseases that are lifelong and debilitating, like Multiple Sclerosis (“MS”). For beneficiaries suffering from MS, skilled therapy is essential to prevent regression.

I have reviewed numerous audits by UPICs, in particular, which have failed to follow the Jimmo settlement standard and denied 100% of my provider-client’s claims. 100%. All for failure to demonstrate potential for improvement for MS patients. It’s ludicrous until you stop and remember that auditors are not lawyers. This Jimmo standard is found in a settlement agreement from January 2013. While we will win on appeal, it costs providers money valuable money when auditors apply the wrong standards.

The amounts in controversy are generally high due to extrapolations, which is when the UPIC samples a low number of claims, determines an error rate and extrapolates that error rate across the universe. When the error rate is falsely 100%, the extrapolation tends to be high.

While an expectation of improvement could be a reasonable criterion to consider when evaluating, for example, a claim in which the goal of treatment is restoring a prior capability, Medicare policy has long recognized that there may also be specific instances where no improvement is expected but skilled care is, nevertheless, required in order to prevent or slow deterioration and maintain a beneficiary at the maximum practicable level of function. For example, in the regulations at 42 CFR 409.32(c), the level of care criteria for SNF coverage specify that the “. . . restoration potential of a patient is not the deciding factor in determining whether skilled services are needed. Even if full recovery or medical improvement is not possible, a patient may need skilled services to prevent further deterioration or preserve current capabilities.” The auditors should understand this and be trained on the proper standards. The Medicare statute and regulations have never supported the imposition of an “Improvement Standard” rule-of-thumb in determining whether skilled care is required to prevent or slow deterioration in a patient’s condition.

When you are audited by an auditor whether it be a RAC, MAC or UPIC, make sure the auditors are applying the correct standards. Remember, the auditors aren’t attorneys or doctors.

Beware the Ides of March! And Medicare Provider Audits!

Hello! And beware the Ides of March, which is today! I am going to write today about the state of audits today. When I say Medicare and Medicaid audits, I mean, RACs, MACs, ZPICs, UPICs, CERTs, TPEs, and OIG investigations from credible allegations of fraud. Without question, the new Biden administration will be concentrating even more on fraud, waste, and abuse germane to Medicare and Medicaid. This means that auditing companies, like Public Consulting Group (“PCG”) and National Government Services (“NGS”) will be busy trying to line their pockets with Medicare dollars. As for the Ides, it is especially troubling in March, especially if you are Julius Caesar. “Et tu, Brute?”

One of the government’s most powerful tool is the federal government’s zealous use of 42 CFR 455.23, which states that “The State Medicaid agency must suspend all Medicaid payments to a provider after the agency determines there is a credible allegation of fraud for which an investigation is pending under the Medicaid program against an individual or entity unless the agency has good cause to not suspend payments or to suspend payment only in part.” (emphasis added). That word – “must” – was revised from “may” in 2011, part of the Affordable Care Act (“ACA”).

A “credible allegation” is defined as an indicia of reliability, which is a low bar. Very low.

Remember back in 2013 when Ed Roche and I were reporting on the New Mexico behavioral health care cluster? To remind you, the State of NM accused 15 BH health care providers, which constituted 87.5% of the BH providers in NM, of credible allegations of fraud after the assistant AG, at the time, Larry Heyeck, had just published a legal article re “Credible Allegations of Fraud.” See blog and blog. Unsurprisingly, the suicide rate and substance abuse skyrocketed. There was even a documentary “The Shake-Up” about the catastrophic events in NM set off by the findings of PCG.

This is another example of a PCG allegation of overpayment over $700k, which was reduced to $336.84.

I was the lawyer for the three, largest entities and litigated four administrative appeals. If you recall, for Teambuilders, PCG claimed it owed over $12 million. After litigation, an ALJ decided that Teambuilders owed $836.35. Hilariously, we appealed. While at the time, PCG’s accusations put the company out of business, it has re-opened its doors finally – 8 years later. This is how devastating a regulatory audit can be. But congratulations, Teambuilders, for re-opening.

Federal law mandates that during the appeal of a Medicare audit at the first two levels: the redetermination and reconsideration, that no recoupment occur. However, after the 2nd level and you appeal to the ALJ level, the third level, the government can and will recoup unless you present before a judge and obtain an injunction.

Always expect bumps along the road. I have two chiropractor clients in Indiana. They both received notices of alleged overpayments. They are running a parallel appeal. Whatever we do for one we have to do for the other. You would think that their attorneys’ fees would be similar. But for one company, NGS has preemptively tried to recoup THREE times. We have had to contact NGS’ attorney multiple times to stop the withholds. It’s a computer glitch supposedly. Or it’s the Ides of March!

HIPAA and Football

By Ashley Thomson, Partner at Practus, LLP. A Virtual Law Firm.

On rare occasions a Court can issue an opinion that is so logical and on-point you want to stand up and cheer.  Maybe you’re only cheering if you’re a HIPAA-nerd, like me. My name is Ashley and I work with Knicole. I was the assistant GC for Truman Medical Center for 17 years. As AGC at Truman, I was inundated with so many various issues.

Here’s what got me standing up in my home office as if Patrick Mahomes just threw a pass to Tyreek Hill and the KC Chiefs scored the winning touchdown in the Super Bowl—the 5th Circuit Court of Appeals held that a lost or stolen unencrypted device containing protected health information (“PHI”)[1] does not automatically result in a violation of the HIPAA Disclosure Rule or Encryption Rule. If you want to do your own touchdown dance check out Univ. of Texas M.D. Anderson Cancer Ctr. v. United States Dep’t of Health & Human Servs., No. 19-60226, 2021 WL 127819, at *5 (5th Cir. Jan. 14, 2021).

Unless you’ve spent the last 20 years living under a rock, you are generally aware that HIPAA is a law that protects your health information from public disclosure.  Most people don’t spell it correctly and even less people know what the acronym means.[2]  In 2009, HIPAA was supplemented with the HITECH Act.[3] Together, these laws govern how health care providers handle your medical information and what to do if there is a breach of the information.  HIPAA and HITECH’s implementing regulations (the “Regulations”) require all covered entities[4] “implement a mechanism to encrypt” all PHI that is stored electronically.  45 C.F.R. Section 164.312(a)(2)(iv).  Second, the Regulations prohibit unpermitted disclosure of PHI. 45 C.F.R. Sec. 164.502(a). These two regulations are referred to as the Encryption Rule and the Disclosure Rule respectively. These requirements are enforced by the Department of Health and Human Services (“HHS”) in conjunction with the Office for Civil Rights (“OCR”).

Whew, that was a quick history lesson.  Now, back to the story.

In 2012 and 2013 MD Anderson Cancer Center (“MD Anderson”) had three (3) events happen involving unencrypted devices containing PHI.  First, a laptop was stolen.  Second, a thumb drive was lost during someone’s commute home. Third, a visiting researcher misplaced a thumb drive. Pursuant to the regulations, MD Anderson reported these events to HHS.  

HHS concluded that MD Anderson violated the Regulations and imposed a fine over $4,000,000 (let me spell that out for you. . . FOUR MILLION DOLLARS). 

You may be wondering, what in the world did they violate that would result in such an outrageous fine?  So did MD Anderson!

MD Anderson threw its proverbial, red challenge flag and pursued its appeal rights and ended up, finally, in Federal Court where they succeeded on establishing that the mere loss of unencrypted PHI does not violate the Disclosure Rule and that the Encryption Rule does not require that a covered entity sit down and force each and every person to encrypt their devices.

Let’s look first at the Disclosure Rule. As a general rule, HIPAA prohibits the disclosure of PHI without permission from the patient.[5]  45 C.F.R. Sec. 164.502(a). HIPAA defines disclosure as “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” 45 C.F.R. Sec. 164.103. Prior to reaching the 5th Circuit, MD Anderson had been told the mere fact that the unencrypted laptop and thumb drives were lost or stolen resulted in the conclusion the PHI had been improperly disclosed to someone outside of the covered entity.  Thank goodness, the Court stepped in with the reasonable statement that many of us in the health care field have been saying for years. . . just because a device is lost or stolen doesn’t mean the PHI was improperly disclosed.[6]  “It defies reason to say an entity affirmatively acts to disclose information when someone steals it.” Univ. of Texas M.D. Anderson Cancer Ctr.,2021 WL 127819, at *5.

HHS claimed that it would be difficult for them to enforce the Disclosure Rule if it had to show that the PHI was disclosed to someone outside of the covered entity.  Well, go complain to the referees  HHS “that’s precisely the sort of policy argument that HHS could vet in a rulemaking proceeding. It’s not an acceptable basis for urging us to transmogrify the regulation HHS wrote into a broader one.” Id. And with that, the Court unceremoniously stated the obvious and provided some reason in the rather unreasonable world of HIPAA enforcement.

Next up? The Encryption Rule where HHS argued that MD Anderson’s desire to do more to encrypt their devices was an admission of non-compliance with the regulations.  Not so fast, said the Court.  The rule requires that a covered entity have a mechanism for the encryption PHI not that it implements an iron clad, hacker proof, 100% guaranteed encryption system.  MD Anderson had an encryption mechanism which is enough to satisfy the regulation, even if HHS now “wishes it had written a different” regulation.  Id.at *4.  

I feel like this is the SUPERBOWL of HIPAA decisions. You may not be as excited about this opinion as I was.  That’s ok. . . I’m a HIPAA and privacy nerd and I’m ok with that.  

Let’s hope I have many touchdowns to stand up and celebrate on Sunday!  Go Chiefs!    

The legal fine print: As exciting as this opinion is, please  remember that devices should be encrypted and PHI should be protected to the maximum extent possible.  While this is a great decision, it doesn’t remove the obligation to comply with the Regulations. 


[1] PHI contains 18 different identifiers.  42 C.F.R. § 164.514(a)(2)(i).

[2] It’s the Health Insurance Portability and Accountability Act of 1996. 

[3] HITECH stands for the Health Information Technology for Economic and Clinical Health Act of 2009. 

[4] Later, we can delve into what qualifies as a covered entity. Let’s just all agree that MD Anderson is a covered entity.

[5] This is a very simple overstatement, but it works for the purposes of this article.

[6] Let’s face it, most of these devices are lost or stolen and (1) never found or (2) thrown out as the thieves take what they really wanted . . . cold hard cash or credit cards.  An old janky laptop or a random thumb drive is not at the top of the most wanted list for kleptomaniacs.

A Study of Contractor Consistency in Reviewing Extrapolated Overpayments

By Frank Cohen, MPA, MBB – my colleague from RACMonitor. He wrote a great article and has permitted me to share it with you. See below.

CMS levies billions of dollars in overpayments a year against healthcare providers, based on the use of extrapolation audits.

The use of extrapolation in Medicare and private payer audits has been around for quite some time now. And lest you be of the opinion that extrapolation is not appropriate for claims-based audits, there are many, many court cases that have supported its use, both specifically and in general. Arguing that extrapolation should not have been used in a given audit, unless that argument is supported by specific statistical challenges, is mostly a waste of time. 

For background purposes, extrapolation, as it is used in statistics, is a “statistical technique aimed at inferring the unknown from the known. It attempts to predict future data by relying on historical data, such as estimating the size of a population a few years in the future on the basis of the current population size and its rate of growth,” according to a definition created by Eurostat, a component of the European Union. For our purposes, extrapolation is used to estimate what the actual overpayment amount might likely be for a population of claims, based on auditing a smaller sample of that population. For example, say a Uniform Program Integrity Contractor (UPIC) pulls 30 claims from a medical practice from a population of 10,000 claims. The audit finds that 10 of those claims had some type of coding error, resulting in an overpayment of $500. To extrapolate this to the entire population of claims, one might take the average overpayment, which is the $500 divided by the 30 claims ($16.67 per claim) and multiply this by the total number of claims in the population. In this case, we would multiply the $16.67 per claim by 10,000 for an extrapolated overpayment estimate of $166,667. 

The big question that normally crops up around extrapolation is this: how accurate are the estimates? And the answer is (wait for it …), it depends. It depends on just how well the sample was created, meaning: was the sample size appropriate, were the units pulled properly from the population, was the sample truly random, and was it representative of the population? The last point is particularly important, because if the sample is not representative of the population (in other words, if the sample data does not look like the population data), then it is likely that the extrapolated estimate will be anything but accurate.

To account for this issue, referred to as “sample error,” statisticians will calculate something called a confidence interval (CI), which is a range within which there is some acceptable amount of error. The higher the confidence value, the larger the potential range of error. For example, in the hypothetical audit outlined above, maybe the real average for a 90-percent confidence interval is somewhere between $15 and $18, while, for a 95-percent confidence interval, the true average is somewhere between $14 and $19. And if we were to calculate for a 99-percent confidence interval, the range might be somewhere between $12 and $21. So, the greater the range, the more confident I feel about my average estimate. Some express the confidence interval as a sense of true confidence, like “I am 90 percent confident the real average is somewhere between $15 and $18,” and while this is not necessarily wrong, per se, it does not communicate the real value of the CI. I have found that the best way to define it would be more like “if I were to pull 100 random samples of 30 claims and audit all of them, 90 percent would have a true average of somewhere between $15 and $18,” meaning that the true average for some 1 out of 10 would fall outside of that range – either below the lower boundary or above the upper boundary. The main reason that auditors use this technique is to avoid challenges based on sample error.

To the crux of the issue, the Centers for Medicare & Medicaid Services (CMS) levies billions of dollars in overpayments a year against healthcare providers, based on the use of extrapolation audits. And while the use of extrapolation is well-established and well-accepted, its use in an audit is not an automatic, and depends upon the creation of a statistically valid and representative sample. Thousands of extrapolation audits are completed each year, and for many of these, the targeted provider or organization will appeal the use of extrapolation. In most cases, the appeal is focused on one or more flaws in the methodology used to create the sample and calculate the extrapolated overpayment estimate. For government audits, such as with UPICs, there is a specific appeal process, as outlined in their Medical Learning Network booklet, titled “Medicare Parts A & B Appeals Process.”

On Aug. 20, 2020, the U.S. Department of Health and Human Services Office of Inspector General (HHS OIG) released a report titled “Medicare Contractors Were Not Consistent in How They Reviewed Extrapolated Overpayments in the Provider Appeals Process.” This report opens with the following statement: “although MACs (Medicare Administrative Contractors) and QICs (Qualified Independent Contractors) generally reviewed appealed extrapolated overpayments in a manner that conforms with existing CMS requirements, CMS did not always provide sufficient guidance and oversight to ensure that these reviews were performed in a consistent manner.” These inconsistencies were associated with $42 million in extrapolated payments from fiscal years 2017 and 2018 that were overturned in favor of the provider. It’s important to note that at this point, we are only talking about appeal determinations at the first and second level, known as redetermination and reconsideration, respectively.

Redetermination is the first level of appeal, and is adjudicated by the MAC. And while the staff that review the appeals at this level are supposed to have not been involved in the initial claim determination, I believe that most would agree that this step is mostly a rubber stamp of approval for the extrapolation results. In fact, of the hundreds of post-audit extrapolation mitigation cases in which I have been the statistical expert, not a single one was ever overturned at redetermination.

The second level of appeal, reconsideration, is handled by a QIC. In theory, the QIC is supposed to independently review the administrative records, including the appeal results of redetermination. Continuing with the prior paragraph, I have to date had only several extrapolation appeals reversed at reconsideration; however, all were due to the fact that the auditor failed to provide the practice with the requisite data, and not due to any specific issues with the statistical methodology. In two of those cases, the QIC notified the auditor that if they were to get the required information to them, they would reconsider their decision. And in two other cases, the auditor appealed the decision, and it was reversed again. Only the fifth case held without objection and was adjudicated in favor of the provider.

Maybe this is a good place to note that the entire process for conducting extrapolations in government audits is covered under Chapter 8 of the Medicare Program Integrity Manual (PIM). Altogether, there are only 12 pages within the entire Manual that actually deal with the statistical methodology behind sampling and extrapolation; this is certainly not enough to provide the degree of guidance required to ensure consistency among the different government contractors that perform such audits. And this is what the OIG report is talking about.

Back to the $42 million that was overturned at either redetermination or reconsideration: the OIG report found that this was due to a “type of simulation testing that was performed only by a subset of contractors.” The report goes on to say that “CMS did not intend that the contractors use this procedure, (so) these extrapolations should not have been overturned. Conversely, if CMS intended that contractors use this procedure, it is possible that other extrapolations should have been overturned but were not.” This was quite confusing for me at first, because this “simulation” testing was not well-defined, and also because it seemed to say that if this procedure was appropriate to use, then more contractors should have used it, which would have resulted in more reversals in favor of the provider.   

Interestingly, CMS seems to have written itself an out in Chapter 8, section 8.4.1.1 of the PIM, which states that “[f]ailure by a contractor to follow one or more of the requirements contained herein does not necessarily affect the validity of the statistical sampling that was conducted or the projection of the overpayment.” The use of the term “does not necessarily” leaves wide open the fact that the failure by a contractor to follow one or more of the requirements may affect the validity of the statistical sample, which will affect the validity of the extrapolated overpayment estimate. 

Regarding the simulation testing, the report stated that “one MAC performed this type of simulation testing for all extrapolation reviews, and two MACs recently changed their policies to include simulation testing for sample designs that are not well-supported by the program integrity contractor. In contrast, both QICs and three MACs did not perform simulation testing and had no plans to start using it in the future.” And even though it was referenced some 20 times, with the exception of an example given as Figure 2 on page 10, the report never did describe in any detail the type of simulation testing that went on. From the example, it was evident to me that the MACs and QICs involved were using what is known as a Monte Carlo simulation. In statistics, simulation is used to assess the performance of a method, typically when there is a lack of theoretical background. With simulations, the statistician knows and controls the truth. Simulation is used advantageously in a number of situations, including providing the empirical estimation of sampling distributions. Footnote 10 in the report stated that ”reviewers used the specific simulation test referenced here to provide information about whether the lower limit for a given sampling design was likely to achieve the target confidence level.” If you are really interested in learning more about it, there is a great paper called
“The design of simulation studies in medical statistics” by Burton et al. (2006). 

Its application in these types of audits is to “simulate” the audit many thousands of times to see if the mean audit results fall within the expected confidence interval range, thereby validating the audit results within what is known as the Central Limit Theorem (CLT).

Often, the sample sizes used in recoupment-type audits are too small, and this is usually due to a conflict between the sample size calculations and the distributions of the data. For example, in RAT-STATS, the statistical program maintained by the OIG, and a favorite of government auditors, sample size estimates are based on an assumption that the data are normally (or near normally) distributed. A normal distribution is defined by the mean and the standard deviation, and includes a bunch of characteristics that make sample size calculations relatively straightforward. But the truth is, because most auditors use the paid amount as the variable of interest, population data are rarely, if ever, normally distributed. Unfortunately, there is simply not enough room or time to get into the details of distributions, but suffice it to say that, because paid data are bounded on the left with zero (meaning that payments are never less than zero), paid data sets are almost always right-skewed. This means that the distribution tail continues on to the right for a very long distance.  

In these types of skewed situations, sample size normally has to be much larger in order to meet the CLT requirements. So, what one can do is simulate the random sample over and over again to see whether the sampling results ever end up reporting a normal distribution – and if not, it means that the results of that sample should not be used for extrapolation. And this seems to be what the OIG was talking about in this report. Basically, they said that some but not all of the appeals entities (MACs and QICs) did this type of simulation testing, and others did not. But for those that did perform the tests, the report stated that $41.5 million of the $42 million involved in the reversals of the extrapolations were due to the use of this simulation testing. The OIG seems to be saying this: if this was an unintended consequence, meaning that there wasn’t any guidance in place authorizing this type of testing, then it should not have been done, and those extrapolations should not have been overturned. But if it should have been done, meaning that there should have been some written guidance to authorize that type of testing, then it means that there are likely many other extrapolations that should have been reversed in favor of the provider. A sticky wicket, at best.

Under the heading “Opportunity To Improve Contractor Understanding of Policy Updates,” the report also stated that “the MACs and QICs have interpreted these requirements differently. The MAC that previously used simulation testing to identify the coverage of the lower limit stated that it planned to continue to use that approach. Two MACs that previously did not perform simulation testing indicated that they would start using such testing if they had concerns about a program integrity contractor’s sample design. Two other MACs, which did not use simulation testing, did not plan to change their review procedures.” One QIC indicated that it would defer to the administrative QIC (AdQIC, the central manager for all Medicare fee-for-service claim case files appealed to the QIC) regarding any changes. But it ended this paragraph by stating that “AdQIC did not plan to change the QIC Manual in response to the updated PIM.”

With respect to this issue and this issue alone, the OIG submitted two specific recommendations, as follows:

  • Provide additional guidance to MACs and QICs to ensure reasonable consistency in procedures used to review extrapolated overpayments during the first two levels of the Medicare Parts A and B appeals process; and
  • Take steps to identify and resolve discrepancies in the procedures that MACs and QICs use to review extrapolations during the appeals process.

In the end, I am not encouraged that we will see any degree of consistency between and within the QIC and MAC appeals in the near future.

Basically, it would appear that the OIG, while having some oversight in the area of recommendations, doesn’t really have any teeth when it comes to enforcing change. I expect that while some reviewers may respond appropriately to the use of simulation testing, most will not, if it means a reversal of the extrapolated findings. In these cases, it is incumbent upon the provider to ensure that these issues are brought up during the Administrative Law Judge (ALJ) appeal.

Programming Note: Listen to Frank Cohen report this story live during the next edition of Monitor Mondays, 10 a.m. Eastern.