Category Archives: Medicare Administrative Contractor

CMS Overlooks a Settlement Agreement from 2013 : A 2021 Provider Must Defend!

Today I am talking about a settlement agreement between CMS and the skilled nursing community, which, apparently, CMS conveniently forgot about – just recently. The Jimmo settlement agreement re-defines medical necessity for skilled nursing, especially for terminally, debilitating diseases, such as multiple sclerosis (“MS”). According to CMS/the MAC auditor, my client, who serves 100%, MS patients on Medicare owes over half a million dollars. The alleged overpayment and audit findings are in violation of the Jimmo Settlement and must cease.

My client received correspondence dated February 25, 2021, regarding CMS Inquiry #2349 that re-alleged an overpayment in the amount of $578,564.45, but the audit is in violation of the Jimmo Settlement with CMS. One basis for the claims denials is that “There is doc that the pt. has a dx of MS with no doc of recent exacerbation or change in function status.” After the first level of appeal, on June 8, 2021, the denial reason was as follows:

“The initial evaluation did not document there was an ACUTE exacerbation of this chronic condition that would support the need for skilled services.” This basis is in violation of the Jimmo Settlement. See below excerpt from the Jimmo Settlement.

In January 2013, the Centers for Medicare & Medicaid Services (“CMS”) settled a lawsuit, and the “Jimmo” Settlement Agreement was approved by the Court. Jimmo v. Sebelius, No. 5:11-CV17 (D. Vt., 1/24/2013). The Jimmo Settlement Agreement clarified that, provided all other coverage criteria are met, the Medicare program covers skilled nursing care and skilled therapy services under Medicare’s skilled nursing facility, home health, and outpatient therapy benefits when a beneficiary needs skilled care in order to maintain function or to prevent or slow decline or deterioration. Specifically, the Jimmo Settlement Agreement required Medicare Manual revisions to restate a “maintenance coverage standard” for both skilled nursing and therapy services under these benefits. The Jimmo Settlement Agreement dictates that:

“Specifically, in accordance with the settlement agreement, the manual revisions clarify that coverage of skilled nursing and skilled therapy services in the skilled nursing facility (SNF), home health (HH), and outpatient therapy (OPT) settings “…does not turn on the presence or absence of a beneficiary’s potential for improvement, but rather on the beneficiary’s need for skilled care.” Skilled care may be necessary to improve a patient’s current condition, to maintain the patient’s current condition, or to prevent or slow further deterioration of the patient’s condition.”

In the case of Jimmo v. Sebelius, which resulted in the Jimmo Settlement Agreement, the Center for Medicare Advocacy (“CMA”) alleged that Medicare claims involving skilled care were being inappropriately denied by contractors based on a rule-of-thumb-“Improvement Standard”— under which a claim would be summarily denied due to a beneficiary’s lack of restoration potential, even though the beneficiary did in fact require a covered level of skilled care in order to prevent or slow further deterioration in his or her clinical condition. In the Jimmo lawsuit, CMS denied establishing an improper rule-of-thumb “Improvement Standard.”

While an expectation of improvement would be a reasonable criterion to consider when evaluating, for example, a claim in which the goal of treatment is restoring a prior capability, Medicare policy has long recognized that there may also be specific instances where no improvement is expected but skilled care is, nevertheless, required in order to prevent or slow deterioration and maintain a beneficiary at the maximum practicable level of function. For example, in the federal regulations at 42 CFR 409.32(c), the level of care criteria for SNF coverage specify that the “. . . restoration potential of a patient is not the deciding factor in determining whether skilled services are needed. Even if full recovery or medical improvement is not possible, a patient may need skilled services to prevent further deterioration or preserve current capabilities.” The Medicare statute and regulations have never supported the imposition of an “Improvement Standard” rule-of-thumb in determining whether skilled care is required to prevent or slow deterioration in a patient’s condition.

A beneficiary’s lack of restoration potential cannot serve as the basis for denying coverage, without regard to an individualized assessment of the beneficiary’s medical condition and the reasonableness and necessity of the treatment, care, or services in question. Conversely, coverage in this context would not be available in a situation where the beneficiary’s care needs can be addressed safely and effectively through the use of nonskilled personnel. Thus, such coverage depends not on the beneficiary’s restoration potential, but on whether skilled care is required, along with the underlying reasonableness and necessity of the services themselves.

Any Medicare coverage or appeals decisions concerning skilled care coverage must reflect this basic principle. In this context, it is also essential and has always been required that claims for skilled care coverage include sufficient documentation to substantiate clearly that skilled care is required, that it is provided, and that the services themselves are reasonable and necessary, thereby facilitating accurate and appropriate claims adjudication.

The Jimmo Settlement Agreement includes language specifying that “Nothing in this Settlement Agreement modifies, contracts, or expands the existing eligibility requirements for receiving Medicare coverage. Id. The Jimmo Settlement Agreement clarifies that when skilled services are required in order to provide care that is reasonable and necessary to prevent or slow further deterioration, coverage cannot be denied based on the absence of potential for improvement or restoration.

100% of my client’s consumers suffer from MS. MS is a chronic condition that facilitates a consistent decline over a long period of time. 90% of those with MS do not suffer from acute exacerbations after approximately 5 years of their initial diagnosis. They move into a new phase of their disease called secondary progressive where there are no exacerbations but a slow, consistent decline is now the clinical presentation. According to the Jimmo Settlement, there is no requirement that a provider demonstrate recent exacerbation or change of function. This has been litigated and settled. My client’s Medicare audit is in violation of the Jimmo Settlement and must cease, yet the audit must still be defended.

My client’s documents clearly demonstrate that its consumers who all suffer from MS, qualify for skilled therapy based on the Jimmo Settlement Agreement and their physicians’ recommendations. The Jimmo Settlement clearly states that if the therapist determines that skilled nursing is necessary to stop further decline, then, under the Jimmo Settlement, skilled nursing is appropriate.

Now my client is having to defend itself against erroneous allegations that are clearly in violation of the Jimmo Settlement, which is adversely affecting the company financially. It’s amazing that in 2021, my client is defending a right given in a settlement agreement from 2013. Stay proactive!

OIG Opens Fire on Telehealth Claims during COVID

They’re here….

Steven Spielberg actually directed Poltergeist, crew member confirms | The  Independent | The Independent

The audits of telehealth during COVID. OIG is conducting, at least, seven (7) nationwide audits of providers specific to telemedicine. These audits will review remote patient monitoring, virtual check-ins, and e-visits. In 2018, OIG issued a report regarding a 31% error rate of claims for telehealth – and that report was prior to the explosion of telemedicine in 2020 due to COVID. All providers who have billed telehealth during the public health emergency (“PHE”) should be prepared to undergo audits of those claims.

The following audit projects are as follows:

  • Audits of behavioral health care telehealth in Medicaid managed care;
  • Audits of Medicare Part B telehealth services during PHE;
  • Audits of home health services provided as telehealth during the PHE;
  • Audits of home health agencies’ challenges and strategies in responding to the PHE;
  • Medicare telehealth services during PHE: Program Integrity Risks;
  • Audits of telehealth services in Medicare Parts B (non-institutional services) and C (managed care) during the COVID-19 pandemic;
  • Medicaid: Telehealth expansion during PHE.

Recently added to the “chopping block” of audits via OIG include Medicare payments for clinical diagnostic laboratory tests in 2020. OIG will also audit for accuracy of place-of-service codes on claims for Medicare Part B physician services when beneficiaries are inpatients under Part A. As it always seems is the case, home health and behavioral health care are big, red targets for all audits. Over the pandemic, telehealth became the “new norm.” Audits on telehealth will be forthcoming. Specifically in behavioral health, OIG announced that it will audit Medicaid applied behavior analysis for children diagnosed with autism.

On another note, I recently had a client undergo a meaningful use audit. Everyone knows the government provides incentives for using electronic records. In order to qualify for a meaningful use incentive you must meet 9 criteria. If you fail one criterion, you owe the money back. One of the biggest issue physicians have faced in an audit is demonstrating the “yes/no” requirements that call for attestation proving the security risk analysis was successfully met. In this particular case, opposing counsel was a GA state AG. The attorney told me that he had zero authority to negotiate the penalty amount. It was the first time another lawyer told me that the penalty was basically a “strict liability” issue, and since the funds were federal, the State of GA had no authority to reduce or remove the penalty. But there is an appeal process. It made no sense. In this case, the doctor didn’t want to pursue litigation. So, reluctantly, we paid. I am wondering if any of my readers have encountered this issue of no negotiations for meaningful use penalties.

Post-COVID (ish) RAC Audits – Temporary Restrictions

2020 was an odd year for recovery audit contractor (“RAC”) and Medicare Administrative Contractors (“MAC”) audits. Well, it was an odd year for everyone. After trying five virtual trials, each one with up to 23 witnesses, it seems that, slowly but surely, we are getting back to normalcy. A tell-tale sign of fresh normalcy is an in-person defense of health care regulatory audits. I am defending a RAC audit of pediatric facility in Georgia in a couple weeks and the clerk of court said – “The hearing is in person.” Well, that’s new. Even when we specifically requested a virtual trial, we were denied with the explanation that GA is open now. The virtual trials are cheaper and more convenient; clients don’t have to pay for hotels and airlines.

In-person hearings are back – at least in most states. We have similar players and new restrictions.

On March 16, 2021, CMS announced that it will temporarily restrict audits to March 1, 2020, and before. Medicare audits are not yet dipping its metaphoric toes into the shark infested waters of auditing claims with dates of service (“DOS”) March 1 – today. This leaves a year and half time period untouched. Once the temporary hold is lifted, audits of 2020 DOS will be abound. March 26, 2021, CMS awarded Performant Recovery, Inc., the incumbent, the new RAC Region 1 contract.

RAC’s review claims on a post-payment and/or pre-payment basis. (FYI – You would rather a post payment review rather than a pre – I promise).

The RACs were created to detect fraud, waste, and abuse (“FWA”) by reviewing medical records. Any health care provider – not matter how big or small –  are subject to audits at the whim of the government. CMS, RACs, MCOs, MACs, TPEs, UPICs, and every other auditing company can implement actions that will prevent future improper payments, as well. As we all know, RACs are paid on a contingency basis. Approximately, 13%. When the RACs were first created, the RACs were compensated based on accusations of overpayments, not the amounts that were truly owed after an independent tribunal. As any human could surmise, the contingency payment creates an overzealousness that can only be demonstrated by my favorite case in my 21 years – in New Mexico against Public Consulting Group (“PCG”). A behavioral health care (“BH”) provider was accused of over $12 million overpayment. After we presented before the administrative law judge (“ALJ”) in NM Administrative Court, the ALJ determined that we owed $896.35. The 99.23% reduction was because of the following:

  1. Faulty Extrapolation: NM HSD’s contractor PCG reviewed approximately 150 claims out of 15,000 claims between 2009 and 2013. Once the error rate was defined as high as 92%, the base error equaled $9,812.08; however the extrapolated amount equaled over $12 million. Our expert statistician rebutted the error rate being so high.  Once the extrapolation is thrown out, we are now dealing with much more reasonable amounts – only $9k
  • Attack the Clinical Denials: The underlying, alleged overpayment of $9,812.08 was based on 150 claims. We walked through the 150 claims that PCG claimed were denials and proved PCG wrong. Examples of their errors include denials based on lack of staff credentialing, when in reality, the auditor could not read the signature. Other denials were erroneously denied based the application of the wrong policy year.

The upshot is that we convinced the judge that PCG was wrong in almost every denial PCG made. In the end, the Judge found we owed $896.35, not $12 million. Little bit of a difference! We appealed.

More Covered Health Care Services and More Policing under the Biden Administration!

Happy 55th Medicare! Pres. Biden’s health care policies differ starkly from former Pres. Trump’s. I will discuss some of the key differences. The newest $1.9 trillion COVID bill passed February 27th. President Biden is sending a clear message for health care providers: His agenda includes expanding government-run, health insurance and increase oversight on it. In 2021, Medicare is celebrating its 55th year of providing health insurance. The program was first signed into law in 1965 and began offering coverage in 1966. That first year, 19 million Americans enrolled in Medicare for their health care coverage. As of 2019, more than 61 million Americans were enrolled in the program.

Along with multiple Executive Orders, Pres. Biden is clearly broadening the Affordable Care Act (“ACA”), Medicaid and Medicare programs. Indicating an emphasis on oversight, President Biden chose former California Attorney General Xavier Becerra to lead HHS. Becerra was a prosecutor and plans to bring his prosecutorial efforts to the nation’s health care. President Biden used executive action to reopen enrollment in ACA marketplaces, a step in his broader agenda to bolster the Act with a new optional government health plan.

For example, one of my personal, favorite issues that Pres. Biden will address is parity for Medicare coverage for medically necessary, oral health care. In fact, Medicare coverage extends to the treatment of all microbial infections except for those originating from the teeth or periodontium. There is simply no medical justification for this exclusion, especially in light of the broad agreement among health care providers that such care is integral to the medical management of numerous diseases and medical conditions.

The Biden administration has taken steps to roll back a controversial Trump-era rule that requires Medicaid beneficiaries to work in order to receive coverage. Two weeks ago, CMS sent letters to several states that received approval for a Section 1115 waiver – for Medicaid. CMS said it was beginning a process to determine whether to withdraw the approval. States that received a letter include Arizona, Arkansas, Georgia, Indiana, Nebraska, Ohio, South Carolina, Utah, and Wisconsin. The work requirement waivers that HHS approved at the end of the previous administration’s term may not survive the new presidency.

Post Payment Reviews—Recovery Audit Contractor (“RAC”) audits will increase during the Biden administration. The RAC program was created by the Medicare Prescription Drug, Improvement, and Modernization Act of 2003. As we all know, the RACs are responsible for identifying Medicare overpayments and underpayments and for highlighting common billing errors, trends, and other Medicare payment issues. In addition to collecting overpayments, the data generated from RAC audits allows CMS to make changes to prevent improper payments in the future. The RACs are paid on a contingency fee basis and, therefore, only receive payment when recovery is made. This creates overzealous auditors and, many times, inaccurate findings. In 2010, the Obama administration directed federal agencies to increase the use of auditing programs such as the RACs to help protect the integrity of the Medicare program. The RAC program is relatively low cost and high value for CMS. It is likely that the health care industry will see growth in this area under the Biden administration. To that end, the expansion of audits will not only be RAC auditors, but will include increased oversight by MACs, CERTs, UPICs, etc.

Telehealth audits will be a focus for Pres. Biden. With increased use of telehealth due to COVID, comes increased telehealth fraud, allegedly. On September 30, 2020, the inter-agency National Health Care Take Down Initiative announced that it charged hundreds of defendants ostensibly responsible for—among other things—$4.5 billion in false and fraudulent claims relating to telehealth advertisements and services. Unfortunately for telehealth, bad actors are prevalent and will spur on more and more oversight.

Both government-initiated litigation and qui tam suits appear set for continued growth in 2021. Health care fraud and abuse dominated 2020 federal False Claims Act (“FCA”) recoveries, with almost 85 percent of FCA proceeds derived from HHS. The increase of health care enforcement payouts reflects how important government paid health insurance is in America. Becerra’s incoming team is, in any case, expected to generally ramp up law enforcement activities—both to punish health care fraud and abuse and as an exercise of HHS’s policy-making authorities.

With more than $1 billion of FCA payouts in 2020 derived from federal Anti-Kickback Statute (“AKS”) settlements alone, HHS’s heavy reliance on the FCA because it is a strong statute with “big teeth,” i.e., penalties are harsh. For these same reasons, prosecutors and qui tam relators will likely continue to focus their efforts on AKS enforcement in the Biden administration, despite the recent regulatory carveouts from the AKS and an emerging legal challenge from drug manufacturers.

The individual mandate is back in. The last administration got rid of the individual mandate when former Pres. Trump signed the GOP tax bill into law in 2017. Pres. Biden will bring back the penalty for not being covered under health insurance under his plan. Since the individual mandate currently is not federal law, a Biden campaign official said that he would use a combination of Executive Orders to undo the changes.

In an effort to lower the skyrocketing costs of prescription drugs, Pres. Biden’s plan would repeal existing law that currently bans Medicare from negotiating lower prices with drug manufacturers. He would also limit price increases for all brand, biotech and generic drugs and launch prices for drugs that do not have competition.

Consumers would also be able to buy cheaper priced prescription drugs from other countries, which could help mobilize competition. And Biden would terminate their advertising tax break in an effort to also help lower costs.

In all, the Biden administration is expected to expand health care, medical, oral, and telehealth, while simultaneously policing health care providers for aberrant billing practices. My advice for providers: Be cognizant of your billing practices. You have an opportunity with this administration to increase revenue from government-paid services but do so compliantly.

HIPAA and Football

By Ashley Thomson, Partner at Practus, LLP. A Virtual Law Firm.

On rare occasions a Court can issue an opinion that is so logical and on-point you want to stand up and cheer.  Maybe you’re only cheering if you’re a HIPAA-nerd, like me. My name is Ashley and I work with Knicole. I was the assistant GC for Truman Medical Center for 17 years. As AGC at Truman, I was inundated with so many various issues.

Here’s what got me standing up in my home office as if Patrick Mahomes just threw a pass to Tyreek Hill and the KC Chiefs scored the winning touchdown in the Super Bowl—the 5th Circuit Court of Appeals held that a lost or stolen unencrypted device containing protected health information (“PHI”)[1] does not automatically result in a violation of the HIPAA Disclosure Rule or Encryption Rule. If you want to do your own touchdown dance check out Univ. of Texas M.D. Anderson Cancer Ctr. v. United States Dep’t of Health & Human Servs., No. 19-60226, 2021 WL 127819, at *5 (5th Cir. Jan. 14, 2021).

Unless you’ve spent the last 20 years living under a rock, you are generally aware that HIPAA is a law that protects your health information from public disclosure.  Most people don’t spell it correctly and even less people know what the acronym means.[2]  In 2009, HIPAA was supplemented with the HITECH Act.[3] Together, these laws govern how health care providers handle your medical information and what to do if there is a breach of the information.  HIPAA and HITECH’s implementing regulations (the “Regulations”) require all covered entities[4] “implement a mechanism to encrypt” all PHI that is stored electronically.  45 C.F.R. Section 164.312(a)(2)(iv).  Second, the Regulations prohibit unpermitted disclosure of PHI. 45 C.F.R. Sec. 164.502(a). These two regulations are referred to as the Encryption Rule and the Disclosure Rule respectively. These requirements are enforced by the Department of Health and Human Services (“HHS”) in conjunction with the Office for Civil Rights (“OCR”).

Whew, that was a quick history lesson.  Now, back to the story.

In 2012 and 2013 MD Anderson Cancer Center (“MD Anderson”) had three (3) events happen involving unencrypted devices containing PHI.  First, a laptop was stolen.  Second, a thumb drive was lost during someone’s commute home. Third, a visiting researcher misplaced a thumb drive. Pursuant to the regulations, MD Anderson reported these events to HHS.  

HHS concluded that MD Anderson violated the Regulations and imposed a fine over $4,000,000 (let me spell that out for you. . . FOUR MILLION DOLLARS). 

You may be wondering, what in the world did they violate that would result in such an outrageous fine?  So did MD Anderson!

MD Anderson threw its proverbial, red challenge flag and pursued its appeal rights and ended up, finally, in Federal Court where they succeeded on establishing that the mere loss of unencrypted PHI does not violate the Disclosure Rule and that the Encryption Rule does not require that a covered entity sit down and force each and every person to encrypt their devices.

Let’s look first at the Disclosure Rule. As a general rule, HIPAA prohibits the disclosure of PHI without permission from the patient.[5]  45 C.F.R. Sec. 164.502(a). HIPAA defines disclosure as “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” 45 C.F.R. Sec. 164.103. Prior to reaching the 5th Circuit, MD Anderson had been told the mere fact that the unencrypted laptop and thumb drives were lost or stolen resulted in the conclusion the PHI had been improperly disclosed to someone outside of the covered entity.  Thank goodness, the Court stepped in with the reasonable statement that many of us in the health care field have been saying for years. . . just because a device is lost or stolen doesn’t mean the PHI was improperly disclosed.[6]  “It defies reason to say an entity affirmatively acts to disclose information when someone steals it.” Univ. of Texas M.D. Anderson Cancer Ctr.,2021 WL 127819, at *5.

HHS claimed that it would be difficult for them to enforce the Disclosure Rule if it had to show that the PHI was disclosed to someone outside of the covered entity.  Well, go complain to the referees  HHS “that’s precisely the sort of policy argument that HHS could vet in a rulemaking proceeding. It’s not an acceptable basis for urging us to transmogrify the regulation HHS wrote into a broader one.” Id. And with that, the Court unceremoniously stated the obvious and provided some reason in the rather unreasonable world of HIPAA enforcement.

Next up? The Encryption Rule where HHS argued that MD Anderson’s desire to do more to encrypt their devices was an admission of non-compliance with the regulations.  Not so fast, said the Court.  The rule requires that a covered entity have a mechanism for the encryption PHI not that it implements an iron clad, hacker proof, 100% guaranteed encryption system.  MD Anderson had an encryption mechanism which is enough to satisfy the regulation, even if HHS now “wishes it had written a different” regulation.  Id.at *4.  

I feel like this is the SUPERBOWL of HIPAA decisions. You may not be as excited about this opinion as I was.  That’s ok. . . I’m a HIPAA and privacy nerd and I’m ok with that.  

Let’s hope I have many touchdowns to stand up and celebrate on Sunday!  Go Chiefs!    

The legal fine print: As exciting as this opinion is, please  remember that devices should be encrypted and PHI should be protected to the maximum extent possible.  While this is a great decision, it doesn’t remove the obligation to comply with the Regulations. 


[1] PHI contains 18 different identifiers.  42 C.F.R. § 164.514(a)(2)(i).

[2] It’s the Health Insurance Portability and Accountability Act of 1996. 

[3] HITECH stands for the Health Information Technology for Economic and Clinical Health Act of 2009. 

[4] Later, we can delve into what qualifies as a covered entity. Let’s just all agree that MD Anderson is a covered entity.

[5] This is a very simple overstatement, but it works for the purposes of this article.

[6] Let’s face it, most of these devices are lost or stolen and (1) never found or (2) thrown out as the thieves take what they really wanted . . . cold hard cash or credit cards.  An old janky laptop or a random thumb drive is not at the top of the most wanted list for kleptomaniacs.

Provider Relief Funds: The Hottest RAC Audit Subject

Reporting the use of PRFs will be an ongoing issue due to the fraud and abuse implications of misusing PRFs.

The federal Provider Relief Fund (PRF) was created under the provisions of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which was passed to address the economic harm suffered by healthcare providers that have incurred (or will incur) additional expenses and have lost (or will lose) significant revenue as a result of the COVID-19 pandemic. PRF payments have been made from either the “general distribution” tranche or via various “targeted distributions.” PRF payment amounts and whether the providers complied with the terms and conditions will be a hotly contested topic in Recovery Audit Contractor (RAC) and Medicare Administrative Contractor (MAC) audits for years to come. If Centers for Medicare & Medicaid Services (CMS) auditors put out a monthly magazine, like Time, PRF would be on the cover. This will be the hot topic of RAC audits, come Jan. 1, 2021.

The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) will audit Medicare payments made to hospitals for COVID-19 discharges that qualified for the 20-percent add-on payment under the CARES Act, according to a new item on the agency’s work plan.

To use the PRF funding from either the general or targeted distributions, providers must attest to receiving the funds and agree to all terms and conditions. However, what constitutes a “healthcare-related expense” or how to calculate “lost revenue” is not clearly defined. Similarly, how you net healthcare-related expenses toward lost revenue is also vague and undefined. On Nov. 2, HHS issued a clarification to post-payment reporting guidance for PRF funds.

The current guidance, issued Oct. 22, includes a two-step process for providers to report their use of PRF payments. The guidance specifically cites:

  • Healthcare-related expenses attributable to COVID that another source has not reimbursed and is not obligated to reimburse, which may include general and administrative (G&A) or “healthcare-related operating expenses;” and
  • PRF payment amounts not fully expended on healthcare-related expenses attributable to coronavirus are then applied to lost revenues associated with patient care, net of the healthcare-related expenses attributable to coronavirus calculated under the first step. Recipients may apply PRF payments toward lost revenue, up to the amount of the difference between their 2019 and 2020 actual patient care revenue.

HHS’s newest clarification came from its response to a FAQ, in which it said that healthcare-related expenses are no longer netted against the patient care lost revenue amount cited in the second portion. HHS indicated that a revised notice would be posted to remove the “net of the healthcare-related expenses” language in the guidance. Of course, as of now, we have no guidance regarding when this clarification is to be put into place officially. Yet another moving target for auditors.

Anticipate audits of the use of your PRF payments. CMS is choosing a sample of hospitals across the country that have received PRF payments to verify that such expenditures were for healthcare-related expenses. For each audit, OIG will obtain data and interview HHS/PRF program officials to understand how PRF payments were calculated, and then review actual PRF payments for compliance with CARES Act requirements. OIG will also review whether HHS’s controls over PRF payments ensured that payments were calculated correctly and disbursed to eligible providers.

Audits will also focus on how providers initially applied to receive PRFs, including calculations utilized and how COVID-19 patients are defined. When each hospital ceased netting expenses against lost revenue will now be another hot topic.

Balance billing is another area of interest. The terms and conditions require providers that accept the PRFs not to collect out-of-pocket payments from patients for all care for a presumptive or actual case of COVID-19 that exceeded what they would pay an in-network provider.

More havoc may ensue with any purchases or sales transactions that occur in the next year or so. Providers will need to know how to navigate compliance risks associated with any accepted or transferred PRFs. Tracking and reporting use of the PRFs will also be an ongoing issue due to the fraud and abuse implications of misusing PRFs, and there is limited guidance regarding how use will be audited. Many questions remain unanswered. Many terms remain undefined.

Programming Note: Knicole Emanuel, Esq. is a permanent panelist on Monitor Mondays. Listen to her RAC Report every Monday at 10 a.m. EST.

The Undefined, Definition of “Medical Necessity”

While the Coronavirus pandemic is horrible and seems to be getting worse. COVID has forced slight, positive changes in the telehealth arena and, perhaps, in the widening of the ambiguous definition of “medical necessity” or, as I call it – the undefined, definition of “medical necessity.” Medical necessity is the backbone of rendering health care services. Without it, services should not be provided. Yet, medical necessity is the most litigated topic in all of audits.

On September 1, 2020, the Centers for Medicare & Medicaid Services (“CMS”) published a proposed rule that will codify a definition of “medical necessity” for Medicare purposes. So far, the definition of medical necessity varies, depending on the source. The MACs have been given long rein in defining the term on an individual and separate basis, creating disparity in definitions and criteria. The proposed rule’s comment period ended November 2, 2020.

All this to say medical necessity is in the eye of the beholder. Much like beauty. Why then, can RAC and MAC auditors who are not doctors, not firsthand, treating providers, not nurses or LCASs, decide that medical necessity does or does not exist for a patient that they have never seen?

Black’s Law Dictionary (the most prominent legal dictionary) has a super, unhelpful definition of medical necessity: “If not carried out the patient’s situation could worsen. For a patient’s treatment found to be necessary is this specific type of procedure or treatment.”

The American Medical Association (“AMA”), on the other hand, has a more detailed definition, probably unintended to make it all the more confusing:

“Our AMA defines medical necessity as: Health care services or products that a prudent physician would provide to a patient for the purpose of preventing, diagnosing or treating an illness, injury, disease or its symptoms in a manner that is: (a) in accordance with generally accepted standards of medical practice; (b) clinically appropriate in terms of type, frequency, extent, site, and duration; and (c) not primarily for the economic benefit of the health plans and purchasers or for the convenience of the patient, treating physician, or other health care provider.”

CMS’ proposed rule codifies a definition of what makes an item or service medically “reasonable and necessary” under the Social Security Act 1861(a)(1)(A). The rule, if finalized, would codify in regulations a definition of “reasonable and necessary” items and services based on a definition currently used by Medicare Administrative Contractors (MACs), with an additional element that potentially would include coverage determinations by commercial insurers as a factor in making Medicare coverage determinations.

The Proposed Definition (To be Codified in 42 CFR 405.201)

“We are proposing to codify the longstanding Program Integrity Manual definition of “reasonable and necessary” into our regulations at 42 CFR 405.201(b), with modification. Under the current definition, an item or service is considered “reasonable and necessary” if it is (1) safe and effective; (2) not experimental or investigational; and (3) appropriate, including the duration and frequency that is considered appropriate for the item or service, in terms of whether it is—

  • Furnished in accordance with accepted standards of medical practice for the diagnosis or treatment of the patient’s condition or to improve the function of a malformed body member;
  • Furnished in a setting appropriate to the patient’s medical needs and condition;
  • Ordered and furnished by qualified personnel;
  • One that meets, but does not exceed, the patient’s medical need; and
  • At least as beneficial as an existing and available medically appropriate alternative.” See Proposed Rule.

In addition, CMS adds that it will also utilize commercial payor standards or have an objective panel determine medical necessity if criteria #1 and #2 were met, but not #3. This additional commentary is another example of how subjective and fact-specific determining medical necessity can be. The LCDs will also be consulted.

If adopted, these proposals would arguably lead to the most wide-ranging changes in Medicare’s coverage standards and procedures in decades. The proposal to codify the definition of “reasonable and necessary” applies to all items and services. The inclusion of commercial payor standards may be a wild card.

The definition of medical necessity has not been officially revised – yet. One could imagine that, in the midst of a RAC or MAC audit, auditors and providers will disagree as to the true definition of medical necessity.

Going forward, when you get audited, immediately look and see whether your claim denials were denied due to “lack of medical necessity.” Ask yourself, “Really? Is there no medical necessity in this case…even in the era of COVID?” Because the auditors may be wrong.

Secondly, ensure that the RAC and MAC entity is CMS-certified to review those certain CPT codes for medical necessity. CMS limits audits on medical necessity because of the vagueness of the definition. When auditors find no medical necessity, then providers must push back. And you should push back, legally, of course!

RAC Audits Expected During the COVID Pandemic

Even though the public health emergency (“PHE”) for the COVID pandemic is scheduled to expire July 24, 2020, all evidence indicates that the PHE will be renewed. I cannot imagine a scenario in which the PHE is not extended, especially with the sudden uptick of COVID.

Center for Medicare and Medicaid Services (CMS) has given guidance that the voluminous number of exceptions that CMS has granted during this period of the PHE may be extended to Dec. 1, 2020. However, there is no indication of the RAC, and MAC audits being suspended until December 2020. In fact, we expect the audits to begin again any day. There will be confusion when audits resume and COVID exceptions are revoked on a rolling basis.

Remember the emergency-room physician whom I spoke about on the June 29 on Monitor Mondays? The physician whose Medicare enrollment was revoked due to a computer error or an error on the part of CMS. What normally would have been an easy fix, because of COVID, became more difficult. Because of COVID, he was unable to work for three months. He is back up and running now. The point is that COVID really messed up so many aspects of our lives.

The extension of PHE, technically, has no bearing on RAC and MAC audits coming back. Word on the street is that RAC and MAC audits are returning August 2020.

This month, July 2020, CMS released, “Coronavirus Disease 2019 (COVID-19) Provider Burden Relief Frequently Asked Questions (FAQs).” (herein afterward referred as “CMS July 2020 FAQs”).

The question was posed to CMS: “Is CMS suspending most Medicare-Fee-for-Service (FFS) medical review during the PHE for the COVID-19 pandemic? The answer is, according to CMS, “As states reopen, and given the importance of medical review activities to CMS’ program integrity efforts, CMS expects to discontinue exercising enforcement discretion beginning on Aug. 3, 2020, regardless of the status of the public health emergency. If selected for review, providers should discuss with their contractor any COVID-19-related hardships they are experiencing that could affect audit response timeliness. CMS notes that all reviews will be conducted in accordance with statutory and regulatory provisions, as well as related billing and coding requirements. Waivers and flexibilities in place at the time of the dates of service of any claims potentially selected for review will also be applied.” See CMS July 2020 FAQs.

Monday, July 13, 2020, we began our fourth “COVID-virtual trial.” The Judges with whom I have had interaction have taken a hard stance to not “force” someone to appear in person. It appears, at least to me, that virtual trials are the wave of the future. This is the guidance that conveys to me that RAC and MAC audits will begin again in August. Virtual audits may even be the best thing that ever happened to RAC and MAC audits. Maybe now the auditors will actually read the documents that the provider gives them.

Another specific issue addressed in the CMS’ July 2020 FAQs is that given the nature of the pandemic and the inability to collect signatures during this time, CMS will not be enforcing the signature requirement. Typically, Part B drugs and certain Durable Medical Equipment (DME) covered by Medicare require proof of delivery and/or a beneficiary’s signature. Suppliers should document in the medical record the appropriate date of delivery and that a signature was not able to be obtained because of COVID-19. This exception may or may not extend until Dec. 31, 2020.

The upshot is that no one really knows how the next few months will unfold in the healthcare industry. Some hospitals and healthcare systems are going under due to COVID. Big and small hospital systems are in financial despair. A RAC or MAC audit hitting in the wake of the COVID pandemic could cripple most providers. I will reiterate my recommendation: In the re-arranged words of Roosevelt, “Speak loudly, and carry a big stick.”

Programming Note: Knicole Emanuel is a permanent panelist on Monitor Mondays. Listen to her live reporting every Monday at 10 a.m. EST.

Update on Medicare/Medicaid Audits in the Wake of COVID-19

Published in Today’s Wound Clinic:

When I was asked to draft an article for Today’s Wound Clinic, it was approximately two weeks ago. I was asked to write about the current state of Medicare and Medicaid audits. Specifically, I was asked to provide a legal analysis about CMS suspending audits un-related to COVID-19. In the month of April, we have seen the spike of COVID-19, which has overturned our everyday world. We have been instructed by President Trump to “stay home” and “social distance” to decrease the spread of the virus. This “stay at home” instruction is unprecedented and has uprooted many of our most reliable and commonplace businesses, such as hairdressers, bowling alleys, and tattoo parlors.

Here is the answer: The current state of Medicare/Medicaid audits, at the moment, is dictated by COVID-19.

We can divide the post-COVID-19 audit rules into 3 categories:

  1. Those exceptions published by CMS to apply to all health care providers
  2. Those special, verbal exceptions given directly to an individual provider that were not published by CMS
  3. Effective immediately, new guidelines that CMS will follow until CMS believes it no longer needs to follow (by its own choice, of course).

An example of an “effective immediately” guideline is our current state of Medicare/Medicaid audits in the wake of COVID-19. CMS has not suspended all Medicare/Medicaid regulatory audits. But CMS has suspended most audits.

Effective immediately, survey activity is limited to the following (in Priority Order):

  • All immediate jeopardy complaints (cases that represents a situation in which entity noncompliance has placed the health and safety of recipients in its care at risk for serious injury, serious harm, serious impairment or death or harm) and allegations of abuse and neglect;
  • Complaints alleging infection control concerns, including facilities with potential COVID-19 or other respiratory illnesses;
  • Statutorily required recertification surveys (Nursing Home, Home Health, Hospice, and ICF/IID facilities);
  • Any re-visits necessary to resolve current enforcement actions;
  • Initial certifications;
  • Surveys of facilities/hospitals that have a history of infection control deficiencies at the immediate jeopardy level in the last three years;
  • Surveys of facilities/hospitals/dialysis centers that have a history of infection control deficiencies at lower levels than immediate jeopardy.

See CMS QSO-20-12-ALL. You can see that these “effective immediately” guidelines are usually published on CMS letterhead. The “effective immediately” guidelines explain why CMS is taking the stated action, the stated action, and that the action is temporary and due to COVID-19.

Here are a few recent “effective immediately” guidelines due to COVID-19:

  • On April 27, 2020, CMS said it would no longer expedite Medicare payments to doctors and be more stringent about accelerating the payments to hospitals as Congressional relief aimed at providers reaches $175 billion.
  • The agency is not accepting any new applications for the loans from Part B suppliers, including doctors, non-physician practitioners and durable medical equipment suppliers. CMS will continue to process pending and new requests from Part A providers, including hospitals, but be stricter with application approvals.
  • CMS expanded the Accelerated and Advance Payment Programs in late March as the pandemic continued to gain strength in the U.S. Since then, the agency has approved over 21,000 applications making up $59.6 billion in accelerated payments to Part A providers and almost 24,000 applications making up $40.4 billion in payments for Part B suppliers.

The $2.2 trillion Coronavirus Aid, Relief, and Economic Security stimulus package passed by Congress in March benchmarked $100 billion in funds for hospitals. On Friday, President Donald Trump signed legislation with a second round of emergency funding, called the Paycheck Protection Program and Health Care Enhancement Act, that allocates another $75 billion for providers — roughly three-quarters of what major provider trade associations requested.

An initial $30 billion from the fund was distributed between April 10 and April 17 based on Medicare fee-for-service revenue, sparking criticism that put facilities with a smaller proportion of Medicare business, such as children’s and disproportionate share hospitals, at a disadvantage. HHS on Friday began releasing an additional $20 billion in CARES payments to providers based on their 2018 net patient revenue, with more funding to roll out “soon,” the agency said, including $10 billion for hard-hit areas like New York.

How RAC/MAC auditors are compensated dictates their actions and/or aggressiveness.

RAC Auditors are paid by contingency. They are usually compensated approximately 13%, depending on the State. Imagine what 13% is of 1 million. It is $130,000 – more than most people make in a year. If you do not believe that 13% contingency is enough to incentivize a company, which, in turn, incentivize the employees, then you are sorely mistaken.

RACs were established through a demonstration program under the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (“MMA”), piloted between 2005 and 2008, and were later made permanent under the Tax Relief and Health Care Act of 2006, which required CMS to establish Recovery Auditors for all states before 2010.

MACs are not compensated by contingency, per se. CMS decided to structure the MAC contracts with 1-year base performance periods and four, optional, 1-year performance periods at the time. The MMA required that these contracts be recompeted at least once every 5 years. The recent enactment of the Medicare Access and CHIP Reauthorization Act of 2015 amended this requirement to authorize a maximum 10-year performance period before MAC contracts must be recompeted. The amendment, which applies to MAC contracts in effect at the time of enactment or entered into on or after enactment, would permit CMS to modify existing MAC contracts or enter into future MAC contracts for 1-year base performance periods and nine optional 1-year performance periods. See Pub. L. No. 114-10, § 509(a)- (b) (April 16, 2015). Therefore, while MACs are not compensated on contingency, MACs are compensated on performance. The less a MAC spends, the more services a MAC allows, the strict oversight a MCA ensues on its providers…all these “performance-based” measures may not be a contingency compensation relationship, but it’s pretty close. Saved money becomes profit for MACs.

Medicare and Medicaid auditors love rules. Even if the rules that auditors are instructed to follow really are not required by actual law. It goes without saying that auditors are not lawyers. Auditors are not trained to decipher whether statutes, regulations or policy are superseded by federal statutes and regulations. The fact is that, more times than one would hope, the auditors are wrong in their assessments that a claim should be denied, not out of malice, but because of a basic misunderstanding of what the law actually requires.

I have all kinds of stories about auditors claiming money is owed, when, really it was not owed because the RAC/MAC auditor failed to follow the actual, correct procedure or misconstrued a regulation. For example, I had a durable medical equipment provider, DME ABC, who was informed by the NSC Supplier Audit and Compliance Unit of Palmetto GBA that it owed $1,075,548.64. Palmetto is one of the MACs for Medicare – durable medical equipment. There was no demand letter. The alleged overpayment amount came to fruition in a telephone conference between the CEO of the company and an employee of Palmetto. Let’s call her Nancy. Nancy told CEO that company owed $1,075,548.64 based on an alleged violation of 42 C.F.R. § 424.58,

Even more disconcerting, was the fact that Palmetto claimed that its alleged, oral overpayment against DME ABC arose from a normal, reoccurring validation process pursuant to 42 C.F.R. §424.57, approved by CMS and in accordance with the requirements of 42 C.F.R. §424.58. No formal letter was necessary was Palmetto’s retort. Not correct; a formal demand letter is always required.

In this case, Palmetto began to backtrack once we pointed out that Palmetto nor Nancy ever sent a formal demand letter with any reconsideration review appeal rights or administrative appeal rights. We knew this was procedurally incorrect because federal law dictates that you receive a formal demand letter with appeal rights and notice of how many days you have to appeal. But out of fear of retribution, DME ABC was willing to write a check without pushing back. Obviously, we did not do so.

I tell this story as an example of how intimidating, scary, and overwhelming auditors can be. If someone off the street asked you for a million dollars, you would laugh them off your doorstep, right? After you tell them to don a mask and maintain social distancing.

But in the new-age world of COVID-19, rules have been broken. This behavior would not be acceptable pre-COVID-19. But this provider honestly was going to pay.

The Trump Administration is issuing an unprecedented array of temporary regulatory waivers and new rules to equip the American healthcare system with maximum flexibility to respond to the 2019 Novel Coronavirus (COVID-19) pandemic.

Pre-COVID-19 if you were to state “paperwork over patients,” everyone in the industry would agree. There would be snickers and eyes rolling, because no one wanted paperwork to be over patients. But it was. Now the mantra has flipped upside down – now the mantra is: Patients over Paperwork.

Post-COVID-19, if documents are lost or misplaced, or otherwise unusable, DME MACs have the flexibility to waive replacements requirements under Medicare such that the face-to-face requirement, a new physician’s order, and new medical necessity documentation are not required. Suppliers must still include a narrative description on the claim explaining the reason why the equipment must be replaced and are reminded to maintain documentation indicating that the DMEPOS was lost, destroyed, irreparably damaged or otherwise rendered unusable or unavailable as a result of the emergency.

Post-COVID-19, CMS is pausing the national Medicare Prior Authorization program for certain DMEPOS items. CMS is not requiring accreditation for newly enrolling DMEPOS and extending any expiring supplier accreditation for a 90-day time period. CMS is waiving signature and proof of delivery requirements for Part B drugs and Durable Medical Equipment when a signature cannot be obtained because of the inability to collect signatures. Suppliers should document in the medical record the appropriate date of delivery and that a signature was not able to be obtained because of COVID-19.

Post-COVID-19, in order to increase cash flow to providers impacted by COVID-19, CMS has expanded the current Accelerated and Advance Payment Program. An accelerated/advance payment is a payment intended to provide necessary funds when there is a disruption in claims submission and/or claims processing. CMS may provide accelerated or advance payments during the period of the public health emergency to any two Medicare providers/suppliers who submits a request to the appropriate MAC and meets the required qualifications. The process of obtaining the funds is a MAC-by-MAC process. Each MAC will work to review requests and issue payments within seven calendar days of receiving the request. Traditionally repayment of these advance/accelerated payments begins at 90 days, however for the purposes of the COVID-19 pandemic, CMS has extended the repayment of these accelerated/advance payments to begin 120 days after the date of issuance of the payment. Providers can get more information on this process here: www.cms.gov/files/document/Accelerated-and-Advanced-Payments-Fact-Sheet.pdf

The Future of Medicare/Medicaid Audits

The beauty of predicting the future is that no one can ever tell you that you are wrong. These are my predictions:

Auditors will deny claims for not having prior authorizations. Auditors will deny claims because the supplier accreditation expired after the 90-day time period. Auditors will deny claims because the percentage of face-to-face time was not met as described per CPT codes.

Obviously, these would be erroneous denials if the denials are within the dates that the COVID-19 pandemic occurred. The problem will be that the auditors will not be able to keep up with all the exceptions, not because the auditors are acting out of malice or dislikes providers. They will be simply trying to do their job. They will simply not be able to take into consideration all the exceptions that were given during the virus. Because, while we do have many written exceptions, if you call CMS with a personal and individualized problem, CMS will, most likely, grant you a needed exception. As long as the exception has the best interest of the consumer at heart. However, this personalized exception will not be written on CMS’s website. In five years, when you undergo a MAC or RAC audit, you better have proof that you received that exception. It will not be enough proof for you to state that you were given the exception over the phone.

So how can you protect yourself from future, erroneous audits?

Write everything down. When you speak to CMS, document concurrently the date, time, name of the person to whom you are speaking, the summary of your conversation, the COVID-19 regulatory exception, sign it and date it.

It is a hearsay exception. Writing down everything does not magically transform your note into the truth. However, writing down everything concurrently does magically allow that note that you wrote to be allowed in a court of law as an exhibit. Had you not written the note contemporaneously with the conversation that you had with CMS, then the attorney on the other side of the case would move to exclude your handwritten or typed note as hearsay.

Hearsay is defined as a statement that (1) the declarant does not make while testifying at the current trial or hearing; and (2) a party offers in evidence to prove the truth of the matter asserted in a statement. There are too many hearsay exceptions to name in this article.

Just know, for purposes of this article, that any health care provider who is relying on an exception to a normally required regulatory mandate – regardless what it is – either be able to: (1) cite the written exception that was published by CMS to the public; or (2) produce the written or typed contemporaneously written note that you wrote to memorialize the conversation.

Suspension of Audits During the Coronavirus?

49B70E0C-5089-4D23-925D-54A09DC51563

Effective immediately, survey activity is limited to the following (in Priority Order):

  • All immediate jeopardy complaints (cases that represents a situation in which entity noncompliance has placed the health and safety of recipients in its care at risk for serious injury, serious harm, serious impairment or death or harm) and allegations of abuse and neglect;
  • Complaints alleging infection control concerns, including facilities with potential COVID-19 or other respiratory illnesses;
  • Statutorily required recertification surveys (Nursing Home, Home Health, Hospice, and ICF/IID facilities);
  • Any re-visits necessary to resolve current enforcement actions;
  • Initial certifications;
  • Surveys of facilities/hospitals that have a history of infection control deficiencies at the immediate jeopardy level in the last three years;
  • Surveys of facilities/hospitals/dialysis centers that have a history of infection control deficiencies at lower levels than immediate jeopardy.

See CMS QSO-20-12-ALL.

Obviously, there are so many questions. Providers across the country are asking whether they need to comply with document requests. Are TPE audits continuing? Do they need to comply with ongoing ADRs?

Every bulletin that CMS publishes instigates more detailed and complex questions. With all these relaxed guidelines, won’t RACs, etc. have a field day when this is all over? Of course they will.

General Recommendations:

  • Be proactive.
  • Document everything.
  • Deadlines will be extended.
  • Exceptions will be made.
  • Keep all email correspondence.
  • Maintain copies of everything that you submit. (Do not rely on electronic computer software programs).
  • Keep track of CMS updates.

Email me questions, and I will try to respond.

Also, feel free to reach out to the government: QSOG_EmergencyPrep@cms.hhs.gov.

Effective date: 30 days from the memo, which equals April 3, 2020.