Category Archives: Medicare Administrative Contractor

Audits Surge with Medicare Advantage and TPE Audits Increased!

Everyone knows about audits of health care providers. But what about the billing companies? Or a data-analytics company? In a complaint filed last week, a New York data-mining company DxID is accused of allegedly helping a Medicare Advantage program game federal billing regulations in a way that enabled the plan to overcharge for patient treatment. As you know, Medicare Advantage plans are paid more for sicker patients. Supposedly, DxID combed medical records for “missed” diagnoses. For example, adding major depression to an otherwise happy consumer. A few years ago, I won an injunction for a provider who 100% relied on the billing company to bill. Because this company aggressively upcoded, we used the victims’ rights statutes in the SSA to defend the provider. And it worked. Providers often forget about the safety net found in the victims’ rights statutes if they wholly rely on a billing company.

This DxID complaint cites medical conditions that it says either were exaggerated or weren’t supported by the medical records, such as billing for treating allegedly unsupported claims for renal failure, the most severe form of chronic kidney disease. The Justice Department is seeking treble damages in the False Claims Act suit, plus an unspecified civil penalty for each violation of the law.

Medicare Advantage has been the target of multiple government investigations, Justice Department and whistleblower lawsuits and Medicare audits. One 2020 report estimated improper payments to the plans topped $16 billion the previous year. In July, the Justice Department consolidated six such cases against Kaiser Permanente health plans. In August, California-based Sutter Health agreed to pay $90 million to settle a similar fraud case. Previous settlements have totaled more than $300 million.

Breaking news: Targeted Probe and Educate audits (TPE) resumed September 1, 2021. Due to COVID, TPE audits had been suspended. Unlike recovery audits, the stated goal of TPE audits is to help providers reduce claim denials and appeals with one-on-one education focused on the documentation and coding of the services they provide. TPE audits are conducted by MACs. While originally limited in scope to hospital inpatient admissions and home health claims, CMS expanded the program to allow MACs to perform TPE audits of all Medicare providers for all items and services billed to Medicare. Beware the TPE audits; they are not as friendly as they purport. A TPE audit can result in a 100 percent prepay review, extrapolation, referral to a Recovery Auditor, or other action, so a carefully crafted response to a TPE audit is critical.  

The TPE audit process begins when a provider receives a “Notice of Review” letter from the MAC which states the reasons the provider has been selected for review and requests 20-40 records be produced. Once the records are produced, the MAC will review the 20-40 claims against the supporting medical records and send the provider a letter detailing the results of their review. If the claims are found to be compliant, the TPE audit ends and the provider cannot be selected for review again for a year unless the MAC detects significant changes in provider billing. However, if the claims are found not to be compliant, the MAC will invite the provider to a one-on-one education session specific to the provider’s documentation and coding practices. The provider is then given 45 days to make changes and a second round of 20-40 records will be requested with dates of service no earlier than 45 days after the one-on-one education. 

The provider will be given three rounds of TPE to pass. Do not use all three rounds; get it right the first time. If the provider fails to pass after three rounds, they will be referred to CMS for further action. With MA, TPE, and audits of data-analytics companies ramping up, 2022 is going to be an audit frenzy.

Medicare Payment Parity: More Confusing Audits

Every time a regulation is revised, Medicare and Medicaid audits are altered…sometimes in the providers’ favor, most times not. Since COVID, payment parity has created a large discrepancy in reimbursement rates for Medicare across the country.

Payment parity is a State-specific, Governor decision depending on whether your State is red or blue.

Payment parity laws require that health care providers are reimbursed the same amount for telehealth visits as in-person visits. During the ongoing pandemic, or PHE, many states implemented temporary payment parity through the end of the PHE. Now, many States are implementing payment parity on a permanent basis, as portrayed in the below picture. As of August 2021, 18 States have implemented policies requiring payment parity, 5 States have payment parity in place with caveats, and 27 States have no payment parity.

Payment Parity

On the federal level, H.R. 4748: Helping Every American Link To Healthcare Act of 2021 was introduced July 28, 2021. HR 4748 allows providers to furnish telehealth services using any non-public facing audio or video communication product during the 7-year period beginning the last day of the public health emergency. Yay. But that doesn’t help parity payments.

For example, NY is one of the states that has passed no parity regulation, temporary or permanent. However, the Governor signed an Executive Order mandating parity between telehealth and physical services. Much to the chagrin of the providers, the managed long-term care organizations reduced the Medicare and Medicaid reimbursements for social adult day care centers drastically, claiming that the overhead cost of rendering virtual services is so much lower, which is really not even accurate. You have to ensure that your consumers all have access to technology. About four-in-ten adults with lower incomes do not have home broadband services (43%) or a desktop or laptop computer (41%). And a majority of Americans with lower incomes are not tablet owners.

Amidst all this confusion on reimbursement rates, last week, HHS released $25.5 billion in provider relief funds and promised increased audits. Smaller providers will be reimbursed at a higher rate than larger ones, the department said. Which leads me to think: and perhaps be audited disproportionately more.

The first deadline for providers to report how they used grants they have already received is coming up at the end of September, but HHS on Friday announced a two-month grace period. HHS has hired several firms to conduct audits on the program.

Remember on June 3, 2021, CMS announced that MACs could begin conducting post-payment reviews for dates of service on or after March 1, 2020. Essentially, auditors can review any DOS with or without PHE exceptions applicable, but the PHE exceptions (i.e., waivers and flexibilities) continue, as the PHE was extended another 90 days and likely will be again through the end of this year.

I’m currently defending an audit spanning a 4-month period of June 2020 – September 2020. Interestingly, even during the short, 4-month period, some exceptions apply to half the claims, while others apply to all the claims. It can get tricky fast. Now imagine the auditors feebly trying to remain up to speed with the latest policy changes or COVID exceptions.

Here, in NC, there was a short period of time during which physician signatures may not even be required for many services.

In addition to the MAC and SMRC audits, the RAC has shown an increase in audit activities, as have the UPICs and most state Medicaid plans. Commercial plan audits have also been on the rise, though they were under no directive to cease or slow audit functions at any time during the PHE.

Lastly, audit contractors have increasingly hinted at the use of six-year lookback audits as a means for providers that have received improper payments to refund overpayments due. This 6-year lookback is the maximum lookback period unless fraud is alleged. It is important to note that the recoupments are not allowed once you appeal, so appeal!

Defenses Against Medicare Audits: Arm Yourself!

To defend against RAC, MAC, or TPE audits, we always fight clinically claim by claim. We show that the clinical records do support the service billed despite what an auditor says. But there are other more broad defenses that apply to providers found in the Social Security Act (SSA), even if the clinical arguments are weak.

When faced with an alleged overpayment, look to the SSA. Within the SSA, we have three, strong, provider defenses:

  1. Waiver of liability
  2. Providers without fault
  3. Treating physician rule

The “waiver of liability” defense provides that, even if payment for claims is deemed not reasonable and necessary, payment may be rendered if the provider did not know, and could not have been reasonably expected to know payment would not be made. SSA, § 1879(a); 42 U.S.C. §1395pp; see also Medicare Claims Processing Manual (CMS-Pub. 100-04), Chapter 30, §20. If a provider could not have been reasonably expected to know payment would not be made as the services were medically necessary and covered by Medicare.

Section 1870 of the SSA states that payment will be made to a provider, if the provider was without “fault” with regard to billing for and accepting payment for disputed services. As a general rule, a provider would be considered without fault if he/she exercised reasonable care in billing for and accepting payment; i.e., the provider complied with all pertinent regulations, made full disclosure of all material facts, and on the basis of the information available, had a reasonable basis for assuming the payment was correct. Here, there is no allegation of fraud; medically necessary services were rendered. The doctors performed a medically necessary service and should be paid for the service despite nominal documentation nit-picking. The SSA does not require Medicare documents to be perfect; there is no requirement of error-free.

It is well-settled law that the treating physician’s medical judgment as to the medical necessity of the services provided should prevail absent substantial contradictory evidence. Meaning, the doctor who actually physically or virtually treats the consumer has a better vantage point than any desk review audit. Therefore, substantial deference should be given to the treating physician. This is especially important in proving medical necessity.

Lastly, even though this is not in the SSA, question the expertise of your auditors. If you are an MD and provide bariatric services, the auditor should be similarly qualified. Likewise, a dental hygienist should not audit medical necessity for a dental practice. Even if, clinically, your records are not stellar, you still have the broad legal defenses found in the SSA.

CMS Overlooks a Settlement Agreement from 2013: A 2021 Provider Must Defend!

Today I am talking about a settlement agreement between CMS and the skilled nursing community, which, apparently, CMS conveniently forgot about – just recently. The Jimmo settlement agreement re-defines medical necessity for skilled nursing, especially for terminally debilitating diseases, such as multiple sclerosis (“MS”). According to CMS/the MAC auditor, my client, who serves 100% MS patients on Medicare, owes over half a million dollars. The alleged overpayment and audit findings are in violation of the Jimmo Settlement and must cease.

My client received correspondence dated February 25, 2021, regarding CMS Inquiry #2349 that re-alleged an overpayment in the amount of $578,564.45, but the audit is in violation of the Jimmo Settlement with CMS. One basis for the claims denials is that “There is doc that the pt. has a dx of MS with no doc of recent exacerbation or change in function status.” After the first level of appeal, on June 8, 2021, the denial reason was as follows:

“The initial evaluation did not document there was an ACUTE exacerbation of this chronic condition that would support the need for skilled services.” This basis is in violation of the Jimmo Settlement. See below excerpt from the Jimmo Settlement.

In January 2013, the Centers for Medicare & Medicaid Services (“CMS”) settled a lawsuit, and the “Jimmo” Settlement Agreement was approved by the Court. Jimmo v. Sebelius, No. 5:11-CV17 (D. Vt., 1/24/2013). The Jimmo Settlement Agreement clarified that, provided all other coverage criteria are met, the Medicare program covers skilled nursing care and skilled therapy services under Medicare’s skilled nursing facility, home health, and outpatient therapy benefits when a beneficiary needs skilled care in order to maintain function or to prevent or slow decline or deterioration. Specifically, the Jimmo Settlement Agreement required Medicare Manual revisions to restate a “maintenance coverage standard” for both skilled nursing and therapy services under these benefits. The Jimmo Settlement Agreement dictates that:

“Specifically, in accordance with the settlement agreement, the manual revisions clarify that coverage of skilled nursing and skilled therapy services in the skilled nursing facility (SNF), home health (HH), and outpatient therapy (OPT) settings “…does not turn on the presence or absence of a beneficiary’s potential for improvement, but rather on the beneficiary’s need for skilled care.” Skilled care may be necessary to improve a patient’s current condition, to maintain the patient’s current condition, or to prevent or slow further deterioration of the patient’s condition.”

In the case of Jimmo v. Sebelius, which resulted in the Jimmo Settlement Agreement, the Center for Medicare Advocacy (“CMA”) alleged that Medicare claims involving skilled care were being inappropriately denied by contractors based on a rule-of-thumb “Improvement Standard” under which a claim would be summarily denied due to a beneficiary’s lack of restoration potential, even though the beneficiary did in fact require a covered level of skilled care in order to prevent or slow further deterioration in his or her clinical condition. In the Jimmo lawsuit, CMS denied establishing an improper rule-of-thumb “Improvement Standard.”

While an expectation of improvement would be a reasonable criterion to consider when evaluating, for example, a claim in which the goal of treatment is restoring a prior capability, Medicare policy has long recognized that there may also be specific instances where no improvement is expected but skilled care is, nevertheless, required in order to prevent or slow deterioration and maintain a beneficiary at the maximum practicable level of function. For example, in the federal regulations at 42 CFR 409.32(c), the level of care criteria for SNF coverage specify that the “. . . restoration potential of a patient is not the deciding factor in determining whether skilled services are needed. Even if full recovery or medical improvement is not possible, a patient may need skilled services to prevent further deterioration or preserve current capabilities.” The Medicare statute and regulations have never supported the imposition of an “Improvement Standard” rule-of-thumb in determining whether skilled care is required to prevent or slow deterioration in a patient’s condition.

A beneficiary’s lack of restoration potential cannot serve as the basis for denying coverage, without regard to an individualized assessment of the beneficiary’s medical condition and the reasonableness and necessity of the treatment, care, or services in question. Conversely, coverage in this context would not be available in a situation where the beneficiary’s care needs can be addressed safely and effectively through the use of nonskilled personnel. Thus, such coverage depends not on the beneficiary’s restoration potential, but on whether skilled care is required, along with the underlying reasonableness and necessity of the services themselves.

Any Medicare coverage or appeals decisions concerning skilled care coverage must reflect this basic principle. In this context, it is also essential and has always been required that claims for skilled care coverage include sufficient documentation to substantiate clearly that skilled care is required, that it is provided, and that the services themselves are reasonable and necessary, thereby facilitating accurate and appropriate claims adjudication.

The Jimmo Settlement Agreement includes language specifying that “Nothing in this Settlement Agreement modifies, contracts, or expands the existing eligibility requirements for receiving Medicare coverage.” Id. The Jimmo Settlement Agreement clarifies that when skilled services are required in order to provide care that is reasonable and necessary to prevent or slow further deterioration, coverage cannot be denied based on the absence of potential for improvement or restoration.

100% of my client’s consumers suffer from MS. MS is a chronic condition that facilitates a consistent decline over a long period of time. 90% of those with MS do not suffer from acute exacerbations after approximately 5 years of their initial diagnosis. They move into a new phase of their disease called secondary progressive where there are no exacerbations but a slow, consistent decline is now the clinical presentation. According to the Jimmo Settlement, there is no requirement that a provider demonstrate recent exacerbation or change of function. This has been litigated and settled. My client’s Medicare audit is in violation of the Jimmo Settlement and must cease, yet the audit must still be defended.

My client’s documents clearly demonstrate that its consumers, who all suffer from MS, qualify for skilled therapy based on the Jimmo Settlement Agreement and their physicians’ recommendations. The Jimmo Settlement clearly states that if the therapist determines that skilled nursing is necessary to stop further decline, then, under the Jimmo Settlement, skilled nursing is appropriate.

Now my client is having to defend itself against erroneous allegations that are clearly in violation of the Jimmo Settlement, which is adversely affecting the company financially. It’s amazing that in 2021, my client is defending a right given in a settlement agreement from 2013. Stay proactive!

OIG Opens Fire on Telehealth Claims during COVID

They’re here….


The audits of telehealth during COVID. OIG is conducting, at least, seven (7) nationwide audits of providers specific to telemedicine. These audits will review remote patient monitoring, virtual check-ins, and e-visits. In 2018, OIG issued a report regarding a 31% error rate of claims for telehealth – and that report was prior to the explosion of telemedicine in 2020 due to COVID. All providers who have billed telehealth during the public health emergency (“PHE”) should be prepared to undergo audits of those claims.

The audit projects are as follows:

  • Audits of behavioral health care telehealth in Medicaid managed care;
  • Audits of Medicare Part B telehealth services during PHE;
  • Audits of home health services provided as telehealth during the PHE;
  • Audits of home health agencies’ challenges and strategies in responding to the PHE;
  • Medicare telehealth services during PHE: Program Integrity Risks;
  • Audits of telehealth services in Medicare Parts B (non-institutional services) and C (managed care) during the COVID-19 pandemic;
  • Medicaid: Telehealth expansion during PHE.

Recent additions to the “chopping block” of audits via OIG include Medicare payments for clinical diagnostic laboratory tests in 2020. OIG will also audit for accuracy of place-of-service codes on claims for Medicare Part B physician services when beneficiaries are inpatients under Part A. As always seems to be the case, home health and behavioral health care are big, red targets for all audits. Over the pandemic, telehealth became the “new norm.” Audits on telehealth will be forthcoming. Specifically in behavioral health, OIG announced that it will audit Medicaid applied behavior analysis for children diagnosed with autism.

On another note, I recently had a client undergo a meaningful use audit. Everyone knows the government provides incentives for using electronic records. In order to qualify for a meaningful use incentive you must meet 9 criteria. If you fail one criterion, you owe the money back. One of the biggest issues physicians have faced in an audit is demonstrating the “yes/no” requirements that call for attestation proving the security risk analysis was successfully met. In this particular case, opposing counsel was a GA state AG. The attorney told me that he had zero authority to negotiate the penalty amount. It was the first time another lawyer told me that the penalty was basically a “strict liability” issue, and since the funds were federal, the State of GA had no authority to reduce or remove the penalty. But there is an appeal process. It made no sense. In this case, the doctor didn’t want to pursue litigation. So, reluctantly, we paid. I am wondering if any of my readers have encountered this issue of no negotiations for meaningful use penalties.

Post-COVID (ish) RAC Audits – Temporary Restrictions

2020 was an odd year for recovery audit contractor (“RAC”) and Medicare Administrative Contractors (“MAC”) audits. Well, it was an odd year for everyone. After trying five virtual trials, each one with up to 23 witnesses, it seems that, slowly but surely, we are getting back to normalcy. A tell-tale sign of fresh normalcy is an in-person defense of health care regulatory audits. I am defending a RAC audit of a pediatric facility in Georgia in a couple weeks and the clerk of court said – “The hearing is in person.” Well, that’s new. Even when we specifically requested a virtual trial, we were denied with the explanation that GA is open now. The virtual trials are cheaper and more convenient; clients don’t have to pay for hotels and airlines.

In-person hearings are back – at least in most states. We have similar players and new restrictions.

On March 16, 2021, CMS announced that it will temporarily restrict audits to March 1, 2020, and before. Medicare audits are not yet dipping their metaphoric toes into the shark-infested waters of auditing claims with dates of service (“DOS”) March 1 – today. This leaves a year and a half time period untouched. Once the temporary hold is lifted, audits of 2020 DOS will abound. On March 26, 2021, CMS awarded Performant Recovery, Inc., the incumbent, the new RAC Region 1 contract.

RACs review claims on a post-payment and/or pre-payment basis. (FYI – You would rather have a post-payment review than a pre – I promise).

The RACs were created to detect fraud, waste, and abuse (“FWA”) by reviewing medical records. Any health care provider – no matter how big or small – is subject to audits at the whim of the government. CMS, RACs, MCOs, MACs, TPEs, UPICs, and every other auditing company can implement actions that will prevent future improper payments, as well. As we all know, RACs are paid on a contingency basis. Approximately, 13%. When the RACs were first created, the RACs were compensated based on accusations of overpayments, not the amounts that were truly owed after an independent tribunal. As any human could surmise, the contingency payment creates an overzealousness that can only be demonstrated by my favorite case in my 21 years – in New Mexico against Public Consulting Group (“PCG”). A behavioral health care (“BH”) provider was accused of over $12 million overpayment. After we presented before the administrative law judge (“ALJ”) in NM Administrative Court, the ALJ determined that we owed $896.35. The 99.23% reduction was because of the following:

  1. Faulty Extrapolation: NM HSD’s contractor PCG reviewed approximately 150 claims out of 15,000 claims between 2009 and 2013. Once the error rate was defined as high as 92%, the base error equaled $9,812.08; however the extrapolated amount equaled over $12 million. Our expert statistician rebutted the error rate being so high. Once the extrapolation is thrown out, we are now dealing with much more reasonable amounts – only $9k.
  2. Attack the Clinical Denials: The underlying, alleged overpayment of $9,812.08 was based on 150 claims. We walked through the 150 claims that PCG claimed were denials and proved PCG wrong. Examples of their errors include denials based on lack of staff credentialing, when in reality, the auditor could not read the signature. Other denials were erroneously denied based on the application of the wrong policy year.

The upshot is that we convinced the judge that PCG was wrong in almost every denial PCG made. In the end, the Judge found we owed $896.35, not $12 million. Little bit of a difference! We appealed.

More Covered Health Care Services and More Policing under the Biden Administration!

Happy 55th Medicare! Pres. Biden’s health care policies differ starkly from former Pres. Trump’s. I will discuss some of the key differences. The newest $1.9 trillion COVID bill passed February 27th. President Biden is sending a clear message for health care providers: His agenda includes expanding government-run health insurance and increasing oversight on it. In 2021, Medicare is celebrating its 55th year of providing health insurance. The program was first signed into law in 1965 and began offering coverage in 1966. That first year, 19 million Americans enrolled in Medicare for their health care coverage. As of 2019, more than 61 million Americans were enrolled in the program.

Along with multiple Executive Orders, Pres. Biden is clearly broadening the Affordable Care Act (“ACA”), Medicaid and Medicare programs. Indicating an emphasis on oversight, President Biden chose former California Attorney General Xavier Becerra to lead HHS. Becerra was a prosecutor and plans to bring his prosecutorial efforts to the nation’s health care. President Biden used executive action to reopen enrollment in ACA marketplaces, a step in his broader agenda to bolster the Act with a new optional government health plan.

For example, one of my personal, favorite issues that Pres. Biden will address is parity for Medicare coverage for medically necessary, oral health care. In fact, Medicare coverage extends to the treatment of all microbial infections except for those originating from the teeth or periodontium. There is simply no medical justification for this exclusion, especially in light of the broad agreement among health care providers that such care is integral to the medical management of numerous diseases and medical conditions.

The Biden administration has taken steps to roll back a controversial Trump-era rule that requires Medicaid beneficiaries to work in order to receive coverage. Two weeks ago, CMS sent letters to several states that received approval for a Section 1115 waiver – for Medicaid. CMS said it was beginning a process to determine whether to withdraw the approval. States that received a letter include Arizona, Arkansas, Georgia, Indiana, Nebraska, Ohio, South Carolina, Utah, and Wisconsin. The work requirement waivers that HHS approved at the end of the previous administration’s term may not survive the new presidency.

Post Payment Reviews—Recovery Audit Contractor (“RAC”) audits will increase during the Biden administration. The RAC program was created by the Medicare Prescription Drug, Improvement, and Modernization Act of 2003. As we all know, the RACs are responsible for identifying Medicare overpayments and underpayments and for highlighting common billing errors, trends, and other Medicare payment issues. In addition to collecting overpayments, the data generated from RAC audits allows CMS to make changes to prevent improper payments in the future. The RACs are paid on a contingency fee basis and, therefore, only receive payment when recovery is made. This creates overzealous auditors and, many times, inaccurate findings. In 2010, the Obama administration directed federal agencies to increase the use of auditing programs such as the RACs to help protect the integrity of the Medicare program. The RAC program is relatively low cost and high value for CMS. It is likely that the health care industry will see growth in this area under the Biden administration. To that end, the expansion of audits will not only be RAC auditors, but will include increased oversight by MACs, CERTs, UPICs, etc.

Telehealth audits will be a focus for Pres. Biden. With increased use of telehealth due to COVID, comes increased telehealth fraud, allegedly. On September 30, 2020, the inter-agency National Health Care Take Down Initiative announced that it charged hundreds of defendants ostensibly responsible for—among other things—$4.5 billion in false and fraudulent claims relating to telehealth advertisements and services. Unfortunately for telehealth, bad actors are prevalent and will spur on more and more oversight.

Both government-initiated litigation and qui tam suits appear set for continued growth in 2021. Health care fraud and abuse dominated 2020 federal False Claims Act (“FCA”) recoveries, with almost 85 percent of FCA proceeds derived from HHS. The increase of health care enforcement payouts reflects how important government paid health insurance is in America. Becerra’s incoming team is, in any case, expected to generally ramp up law enforcement activities—both to punish health care fraud and abuse and as an exercise of HHS’s policy-making authorities.

With more than $1 billion of FCA payouts in 2020 derived from federal Anti-Kickback Statute (“AKS”) settlements alone, HHS relies heavily on the FCA because it is a strong statute with “big teeth,” i.e., penalties are harsh. For these same reasons, prosecutors and qui tam relators will likely continue to focus their efforts on AKS enforcement in the Biden administration, despite the recent regulatory carveouts from the AKS and an emerging legal challenge from drug manufacturers.

The individual mandate is back in. The last administration got rid of the individual mandate when former Pres. Trump signed the GOP tax bill into law in 2017. Pres. Biden will bring back the penalty for not being covered under health insurance under his plan. Since the individual mandate currently is not federal law, a Biden campaign official said that he would use a combination of Executive Orders to undo the changes.

In an effort to lower the skyrocketing costs of prescription drugs, Pres. Biden’s plan would repeal existing law that currently bans Medicare from negotiating lower prices with drug manufacturers. He would also limit price increases for all brand, biotech and generic drugs and launch prices for drugs that do not have competition.

Consumers would also be able to buy cheaper priced prescription drugs from other countries, which could help mobilize competition. And Biden would terminate their advertising tax break in an effort to also help lower costs.

In all, the Biden administration is expected to expand health care, medical, oral, and telehealth, while simultaneously policing health care providers for aberrant billing practices. My advice for providers: Be cognizant of your billing practices. You have an opportunity with this administration to increase revenue from government-paid services but do so compliantly.

HIPAA and Football

By Ashley Thomson, Partner at Practus, LLP. A Virtual Law Firm.

On rare occasions a Court can issue an opinion that is so logical and on-point you want to stand up and cheer.  Maybe you’re only cheering if you’re a HIPAA-nerd, like me. My name is Ashley and I work with Knicole. I was the assistant GC for Truman Medical Center for 17 years. As AGC at Truman, I was inundated with so many various issues.

Here’s what got me standing up in my home office as if Patrick Mahomes just threw a pass to Tyreek Hill and the KC Chiefs scored the winning touchdown in the Super Bowl—the 5th Circuit Court of Appeals held that a lost or stolen unencrypted device containing protected health information (“PHI”)[1] does not automatically result in a violation of the HIPAA Disclosure Rule or Encryption Rule. If you want to do your own touchdown dance check out Univ. of Texas M.D. Anderson Cancer Ctr. v. United States Dep’t of Health & Human Servs., No. 19-60226, 2021 WL 127819, at *5 (5th Cir. Jan. 14, 2021).

Unless you’ve spent the last 20 years living under a rock, you are generally aware that HIPAA is a law that protects your health information from public disclosure. Most people don’t spell it correctly and even fewer people know what the acronym means.[2] In 2009, HIPAA was supplemented with the HITECH Act.[3] Together, these laws govern how health care providers handle your medical information and what to do if there is a breach of the information. First, HIPAA and HITECH’s implementing regulations (the “Regulations”) require that all covered entities[4] “implement a mechanism to encrypt” all PHI that is stored electronically. 45 C.F.R. Section 164.312(a)(2)(iv). Second, the Regulations prohibit unpermitted disclosure of PHI. 45 C.F.R. Sec. 164.502(a). These two regulations are referred to as the Encryption Rule and the Disclosure Rule respectively. These requirements are enforced by the Department of Health and Human Services (“HHS”) in conjunction with the Office for Civil Rights (“OCR”).

Whew, that was a quick history lesson.  Now, back to the story.

In 2012 and 2013 MD Anderson Cancer Center (“MD Anderson”) had three (3) events happen involving unencrypted devices containing PHI.  First, a laptop was stolen.  Second, a thumb drive was lost during someone’s commute home. Third, a visiting researcher misplaced a thumb drive. Pursuant to the regulations, MD Anderson reported these events to HHS.  

HHS concluded that MD Anderson violated the Regulations and imposed a fine over $4,000,000 (let me spell that out for you. . . FOUR MILLION DOLLARS). 

You may be wondering, what in the world did they violate that would result in such an outrageous fine?  So did MD Anderson!

MD Anderson threw its proverbial red challenge flag, pursued its appeal rights, and ended up, finally, in Federal Court, where it succeeded in establishing that the mere loss of unencrypted PHI does not violate the Disclosure Rule and that the Encryption Rule does not require that a covered entity sit down and force each and every person to encrypt their devices.

Let’s look first at the Disclosure Rule. As a general rule, HIPAA prohibits the disclosure of PHI without permission from the patient.[5] 45 C.F.R. Sec. 164.502(a). HIPAA defines disclosure as “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” 45 C.F.R. Sec. 164.103. Prior to reaching the 5th Circuit, MD Anderson had been told the mere fact that the unencrypted laptop and thumb drives were lost or stolen resulted in the conclusion the PHI had been improperly disclosed to someone outside of the covered entity. Thank goodness, the Court stepped in with the reasonable statement that many of us in the health care field have been saying for years. . . just because a device is lost or stolen doesn’t mean the PHI was improperly disclosed.[6] “It defies reason to say an entity affirmatively acts to disclose information when someone steals it.” Univ. of Texas M.D. Anderson Cancer Ctr., 2021 WL 127819, at *5.

HHS claimed that it would be difficult for them to enforce the Disclosure Rule if it had to show that the PHI was disclosed to someone outside of the covered entity. Well, go complain to the referees, HHS: “that’s precisely the sort of policy argument that HHS could vet in a rulemaking proceeding. It’s not an acceptable basis for urging us to transmogrify the regulation HHS wrote into a broader one.” Id. And with that, the Court unceremoniously stated the obvious and provided some reason in the rather unreasonable world of HIPAA enforcement.

Next up? The Encryption Rule, where HHS argued that MD Anderson’s desire to do more to encrypt their devices was an admission of non-compliance with the regulations. Not so fast, said the Court. The rule requires that a covered entity have a mechanism for the encryption of PHI, not that it implement an iron-clad, hacker-proof, 100% guaranteed encryption system. MD Anderson had an encryption mechanism, which is enough to satisfy the regulation, even if HHS now “wishes it had written a different” regulation. Id. at *4.

I feel like this is the SUPERBOWL of HIPAA decisions. You may not be as excited about this opinion as I was.  That’s ok. . . I’m a HIPAA and privacy nerd and I’m ok with that.  

Let’s hope I have many touchdowns to stand up and celebrate on Sunday!  Go Chiefs!    

The legal fine print: As exciting as this opinion is, please remember that devices should be encrypted and PHI should be protected to the maximum extent possible. While this is a great decision, it doesn’t remove the obligation to comply with the Regulations.


[1] PHI contains 18 different identifiers.  42 C.F.R. § 164.514(a)(2)(i).

[2] It’s the Health Insurance Portability and Accountability Act of 1996. 

[3] HITECH stands for the Health Information Technology for Economic and Clinical Health Act of 2009. 

[4] Later, we can delve into what qualifies as a covered entity. Let’s just all agree that MD Anderson is a covered entity.

[5] This is a very simple overstatement, but it works for the purposes of this article.

[6] Let’s face it, most of these devices are lost or stolen and (1) never found or (2) thrown out as the thieves take what they really wanted . . . cold hard cash or credit cards.  An old janky laptop or a random thumb drive is not at the top of the most wanted list for kleptomaniacs.

Provider Relief Funds: The Hottest RAC Audit Subject

Reporting the use of PRFs will be an ongoing issue due to the fraud and abuse implications of misusing PRFs.

The federal Provider Relief Fund (PRF) was created under the provisions of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which was passed to address the economic harm suffered by healthcare providers that have incurred (or will incur) additional expenses and have lost (or will lose) significant revenue as a result of the COVID-19 pandemic. PRF payments have been made from either the “general distribution” tranche or via various “targeted distributions.” PRF payment amounts and whether the providers complied with the terms and conditions will be a hotly contested topic in Recovery Audit Contractor (RAC) and Medicare Administrative Contractor (MAC) audits for years to come. If Centers for Medicare & Medicaid Services (CMS) auditors put out a monthly magazine, like Time, PRF would be on the cover. This will be the hot topic of RAC audits, come Jan. 1, 2021.

The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) will audit Medicare payments made to hospitals for COVID-19 discharges that qualified for the 20-percent add-on payment under the CARES Act, according to a new item on the agency’s work plan.

To use the PRF funding from either the general or targeted distributions, providers must attest to receiving the funds and agree to all terms and conditions. However, what constitutes a “healthcare-related expense” or how to calculate “lost revenue” is not clearly defined. Similarly, how you net healthcare-related expenses toward lost revenue is also vague and undefined. On Nov. 2, HHS issued a clarification to post-payment reporting guidance for PRF funds.

The current guidance, issued Oct. 22, includes a two-step process for providers to report their use of PRF payments. The guidance specifically cites:

  • Healthcare-related expenses attributable to COVID that another source has not reimbursed and is not obligated to reimburse, which may include general and administrative (G&A) or “healthcare-related operating expenses;” and
  • PRF payment amounts not fully expended on healthcare-related expenses attributable to coronavirus are then applied to lost revenues associated with patient care, net of the healthcare-related expenses attributable to coronavirus calculated under the first step. Recipients may apply PRF payments toward lost revenue, up to the amount of the difference between their 2019 and 2020 actual patient care revenue.

HHS’s newest clarification came from its response to a FAQ, in which it said that healthcare-related expenses are no longer netted against the patient care lost revenue amount cited in the second portion. HHS indicated that a revised notice would be posted to remove the “net of the healthcare-related expenses” language in the guidance. Of course, as of now, we have no guidance regarding when this clarification is to be put into place officially. Yet another moving target for auditors.

Anticipate audits of the use of your PRF payments. CMS is choosing a sample of hospitals across the country that have received PRF payments to verify that such expenditures were for healthcare-related expenses. For each audit, OIG will obtain data and interview HHS/PRF program officials to understand how PRF payments were calculated, and then review actual PRF payments for compliance with CARES Act requirements. OIG will also review whether HHS’s controls over PRF payments ensured that payments were calculated correctly and disbursed to eligible providers.

Audits will also focus on how providers initially applied to receive PRFs, including calculations utilized and how COVID-19 patients are defined. When each hospital ceased netting expenses against lost revenue will now be another hot topic.

Balance billing is another area of interest. The terms and conditions require providers that accept the PRFs not to collect out-of-pocket payments from patients for all care for a presumptive or actual case of COVID-19 that exceeded what they would pay an in-network provider.

More havoc may ensue with any purchases or sales transactions that occur in the next year or so. Providers will need to know how to navigate compliance risks associated with any accepted or transferred PRFs. Tracking and reporting use of the PRFs will also be an ongoing issue due to the fraud and abuse implications of misusing PRFs, and there is limited guidance regarding how use will be audited. Many questions remain unanswered. Many terms remain undefined.

Programming Note: Knicole Emanuel, Esq. is a permanent panelist on Monitor Mondays. Listen to her RAC Report every Monday at 10 a.m. EST.

The Undefined, Definition of “Medical Necessity”

While the Coronavirus pandemic is horrible and seems to be getting worse, COVID has forced slight, positive changes in the telehealth arena and, perhaps, in the widening of the ambiguous definition of “medical necessity” or, as I call it, the undefined definition of “medical necessity.” Medical necessity is the backbone of rendering health care services. Without it, services should not be provided. Yet, medical necessity is the most litigated topic in all of audits.

On September 1, 2020, the Centers for Medicare & Medicaid Services (“CMS”) published a proposed rule that will codify a definition of “medical necessity” for Medicare purposes. So far, the definition of medical necessity varies, depending on the source. The MACs have been given long rein in defining the term on an individual and separate basis, creating disparity in definitions and criteria. The proposed rule’s comment period ended November 2, 2020.

All this to say medical necessity is in the eye of the beholder. Much like beauty. Why then, can RAC and MAC auditors who are not doctors, not firsthand, treating providers, not nurses or LCASs, decide that medical necessity does or does not exist for a patient that they have never seen?

Black’s Law Dictionary (the most prominent legal dictionary) has a super unhelpful definition of medical necessity: “If not carried out the patient’s situation could worsen. For a patient’s treatment found to be necessary is this specific type of procedure or treatment.”

The American Medical Association (“AMA”), on the other hand, has a more detailed definition, probably unintended to make it all the more confusing:

“Our AMA defines medical necessity as: Health care services or products that a prudent physician would provide to a patient for the purpose of preventing, diagnosing or treating an illness, injury, disease or its symptoms in a manner that is: (a) in accordance with generally accepted standards of medical practice; (b) clinically appropriate in terms of type, frequency, extent, site, and duration; and (c) not primarily for the economic benefit of the health plans and purchasers or for the convenience of the patient, treating physician, or other health care provider.”

CMS’ proposed rule codifies a definition of what makes an item or service medically “reasonable and necessary” under the Social Security Act 1861(a)(1)(A). The rule, if finalized, would codify in regulations a definition of “reasonable and necessary” items and services based on a definition currently used by Medicare Administrative Contractors (MACs), with an additional element that potentially would include coverage determinations by commercial insurers as a factor in making Medicare coverage determinations.

The Proposed Definition (To be Codified in 42 CFR 405.201)

“We are proposing to codify the longstanding Program Integrity Manual definition of “reasonable and necessary” into our regulations at 42 CFR 405.201(b), with modification. Under the current definition, an item or service is considered “reasonable and necessary” if it is (1) safe and effective; (2) not experimental or investigational; and (3) appropriate, including the duration and frequency that is considered appropriate for the item or service, in terms of whether it is—

  • Furnished in accordance with accepted standards of medical practice for the diagnosis or treatment of the patient’s condition or to improve the function of a malformed body member;
  • Furnished in a setting appropriate to the patient’s medical needs and condition;
  • Ordered and furnished by qualified personnel;
  • One that meets, but does not exceed, the patient’s medical need; and
  • At least as beneficial as an existing and available medically appropriate alternative.” See Proposed Rule.

In addition, CMS adds that it will also utilize commercial payor standards or have an objective panel determine medical necessity if criteria #1 and #2 were met, but not #3. This additional commentary is another example of how subjective and fact-specific determining medical necessity can be. The LCDs will also be consulted.

If adopted, these proposals would arguably lead to the most wide-ranging changes in Medicare’s coverage standards and procedures in decades. The proposal to codify the definition of “reasonable and necessary” applies to all items and services. The inclusion of commercial payor standards may be a wild card.

The definition of medical necessity has not been officially revised – yet. One could imagine that, in the midst of a RAC or MAC audit, auditors and providers will disagree as to the true definition of medical necessity.

Going forward, when you get audited, immediately look and see whether your claims were denied due to “lack of medical necessity.” Ask yourself, “Really? Is there no medical necessity in this case…even in the era of COVID?” Because the auditors may be wrong.

Secondly, ensure that the RAC and MAC entity is CMS-certified to review those certain CPT codes for medical necessity. CMS limits audits on medical necessity because of the vagueness of the definition. When auditors find no medical necessity, then providers must push back. And you should push back, legally, of course!