Category Archives: Medicare Audits

Premature Recoupment of Medicare Reimbursements Defies Due Process!

Who knows that – regardless your innocence –the government can and will recoup your funds preemptively at the third level of Medicare appeals. This flies in the face of the elements of due process. However, courts have ruled that the redetermination and the reconsideration levels afford the providers enough due process, which entails notice and an opportunity to be heard. I am here to tell you – that is horse manure. The first two levels of a Medicare appeal are hoops to jump through in order to get to an independent tribunal – the administrative law judge (“ALJ”). The odds of winning at the 1st or 2nd level Medicare appeal is next to zilch, although often you can get the alleged amount reduced. The first level is before the same entity that found you owe the money. Auditors are normally not keen on overturning themselves. The second level is little better. The first time that you present to an independent tribunal is at the third level.

Between 2009 and 2014, the number of ALJ appeals increased more than 1,200 percent. And the government recoups all alleged overpayments before you ever get before an ALJ.

In a recent case, Sahara Health Care, Inc. v. Azar, 975 F.3d 523 (5th Cir. 2020), a home health care provider brought an action against Secretary of Department of Health and Human Services (“HHS”) and Administrator for the Centers for Medicare and Medicaid Services (“CMS”), asserting that its statutory and due process rights were violated and that defendants acted ultra vires by recouping approximately $2.4 million in Medicare overpayments without providing a timely ALJ hearing. HHS moved to dismiss, and the provider moved to amend, for a temporary restraining order (“TRO”) and preliminary injunction, and for an expedited hearing.

The case was thrown out, concluding that adequate process had been provided and that defendants had not exceeded statutory authority, and denied provider’s motion for injunctive relief and to amend. The provider appealed and lost again.

What’s the law?

Congress prohibited HHS from recouping payments during the first two stages of administrative review. 42 U.S.C. § 1395ff(f)(2)(A).

If repayment of an overpayment would constitute an “extreme hardship, as determined by the Secretary,” the agency “shall enter into a plan with the provider” for repayment “over a period of at least 60 months but … not longer than 5 years.” 42 U.S.C. § 1395ddd(f)(1)(A). That hardship safety valve has some exceptions that work against insolvent providers. If “the Secretary has reason to believe that the provider of services or supplier may file for bankruptcy or otherwise cease to do business or discontinue participation” in the Medicare program, then the extended repayment plan is off the table. 42 U.S.C. § 1395ddd(f)(1)(C)(i). A provider that ultimately succeeds in overturning an overpayment determination receives the wrongfully recouped payments with interest. 42 U.S.C. § 1395ddd(f)(2)(B). The government’s interest rate is high. If you do have to pay back the alleged overpayment prematurely, the silver lining is that you may receive extra money for your troubles.

The years-long back log, however, may dwindle. The agency has received a funding increase, and currently expects to clear the backlog by 2022. In fact, the Secretary is under a Mandamus Order requiring such a timetable. 

A caveat regarding this grim news. This was in the Fifth Circuit. Other Courts disagree. The Fourth Circuit has held that providers do have property interests in Medicare reimbursements owed for services rendered, which is the correct holding. Of course, you have a property interest in your own money. An allegation of wrongdoing does not erase that property interest. The Fourth Circuit agrees with me.

HIPAA and Football

By Ashley Thomson, Partner at Practus, LLP. A Virtual Law Firm.

On rare occasions a Court can issue an opinion that is so logical and on-point you want to stand up and cheer.  Maybe you’re only cheering if you’re a HIPAA-nerd, like me. My name is Ashley and I work with Knicole. I was the assistant GC for Truman Medical Center for 17 years. As AGC at Truman, I was inundated with so many various issues.

Here’s what got me standing up in my home office as if Patrick Mahomes just threw a pass to Tyreek Hill and the KC Chiefs scored the winning touchdown in the Super Bowl—the 5th Circuit Court of Appeals held that a lost or stolen unencrypted device containing protected health information (“PHI”)[1] does not automatically result in a violation of the HIPAA Disclosure Rule or Encryption Rule. If you want to do your own touchdown dance check out Univ. of Texas M.D. Anderson Cancer Ctr. v. United States Dep’t of Health & Human Servs., No. 19-60226, 2021 WL 127819, at *5 (5th Cir. Jan. 14, 2021).

Unless you’ve spent the last 20 years living under a rock, you are generally aware that HIPAA is a law that protects your health information from public disclosure.  Most people don’t spell it correctly and even less people know what the acronym means.[2]  In 2009, HIPAA was supplemented with the HITECH Act.[3] Together, these laws govern how health care providers handle your medical information and what to do if there is a breach of the information.  HIPAA and HITECH’s implementing regulations (the “Regulations”) require all covered entities[4] “implement a mechanism to encrypt” all PHI that is stored electronically.  45 C.F.R. Section 164.312(a)(2)(iv).  Second, the Regulations prohibit unpermitted disclosure of PHI. 45 C.F.R. Sec. 164.502(a). These two regulations are referred to as the Encryption Rule and the Disclosure Rule respectively. These requirements are enforced by the Department of Health and Human Services (“HHS”) in conjunction with the Office for Civil Rights (“OCR”).

Whew, that was a quick history lesson.  Now, back to the story.

In 2012 and 2013 MD Anderson Cancer Center (“MD Anderson”) had three (3) events happen involving unencrypted devices containing PHI.  First, a laptop was stolen.  Second, a thumb drive was lost during someone’s commute home. Third, a visiting researcher misplaced a thumb drive. Pursuant to the regulations, MD Anderson reported these events to HHS.  

HHS concluded that MD Anderson violated the Regulations and imposed a fine over $4,000,000 (let me spell that out for you. . . FOUR MILLION DOLLARS). 

You may be wondering, what in the world did they violate that would result in such an outrageous fine?  So did MD Anderson!

MD Anderson threw its proverbial, red challenge flag and pursued its appeal rights and ended up, finally, in Federal Court where they succeeded on establishing that the mere loss of unencrypted PHI does not violate the Disclosure Rule and that the Encryption Rule does not require that a covered entity sit down and force each and every person to encrypt their devices.

Let’s look first at the Disclosure Rule. As a general rule, HIPAA prohibits the disclosure of PHI without permission from the patient.[5]  45 C.F.R. Sec. 164.502(a). HIPAA defines disclosure as “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” 45 C.F.R. Sec. 164.103. Prior to reaching the 5th Circuit, MD Anderson had been told the mere fact that the unencrypted laptop and thumb drives were lost or stolen resulted in the conclusion the PHI had been improperly disclosed to someone outside of the covered entity.  Thank goodness, the Court stepped in with the reasonable statement that many of us in the health care field have been saying for years. . . just because a device is lost or stolen doesn’t mean the PHI was improperly disclosed.[6]  “It defies reason to say an entity affirmatively acts to disclose information when someone steals it.” Univ. of Texas M.D. Anderson Cancer Ctr.,2021 WL 127819, at *5.

HHS claimed that it would be difficult for them to enforce the Disclosure Rule if it had to show that the PHI was disclosed to someone outside of the covered entity.  Well, go complain to the referees  HHS “that’s precisely the sort of policy argument that HHS could vet in a rulemaking proceeding. It’s not an acceptable basis for urging us to transmogrify the regulation HHS wrote into a broader one.” Id. And with that, the Court unceremoniously stated the obvious and provided some reason in the rather unreasonable world of HIPAA enforcement.

Next up? The Encryption Rule where HHS argued that MD Anderson’s desire to do more to encrypt their devices was an admission of non-compliance with the regulations.  Not so fast, said the Court.  The rule requires that a covered entity have a mechanism for the encryption PHI not that it implements an iron clad, hacker proof, 100% guaranteed encryption system.  MD Anderson had an encryption mechanism which is enough to satisfy the regulation, even if HHS now “wishes it had written a different” regulation.  Id.at *4.  

I feel like this is the SUPERBOWL of HIPAA decisions. You may not be as excited about this opinion as I was.  That’s ok. . . I’m a HIPAA and privacy nerd and I’m ok with that.  

Let’s hope I have many touchdowns to stand up and celebrate on Sunday!  Go Chiefs!    

The legal fine print: As exciting as this opinion is, please  remember that devices should be encrypted and PHI should be protected to the maximum extent possible.  While this is a great decision, it doesn’t remove the obligation to comply with the Regulations. 


[1] PHI contains 18 different identifiers.  42 C.F.R. § 164.514(a)(2)(i).

[2] It’s the Health Insurance Portability and Accountability Act of 1996. 

[3] HITECH stands for the Health Information Technology for Economic and Clinical Health Act of 2009. 

[4] Later, we can delve into what qualifies as a covered entity. Let’s just all agree that MD Anderson is a covered entity.

[5] This is a very simple overstatement, but it works for the purposes of this article.

[6] Let’s face it, most of these devices are lost or stolen and (1) never found or (2) thrown out as the thieves take what they really wanted . . . cold hard cash or credit cards.  An old janky laptop or a random thumb drive is not at the top of the most wanted list for kleptomaniacs.

RAC Report: PET Scans, Helicopter Transportation, and Hospice, Oh My!

The RACs are on attack! The “COVID Pause Button” on RAC audits has been lifted. The COVID Pause Button has been lifted since August 2020. But never have I ever seen CMS spew out so many new RAC topics in one month of a new year. Happy 2021.

Recovery audit contractors (“RACs”) will soon be auditing positron emission tomography (PET) scans for initial treatment strategy in oncologic conditions for compliance with medical necessity and documentation requirements.

Positron emission tomography (“PET”) scans detect early signs of cancer, heart disease and brain disorders. An injectable radioactive tracer detects diseased cells. A combination PET-CT scan produces 3D images for a more accurate diagnosis.

According to CMS’ RAC audit topics, “(PET) for Initial Treatment Strategy in Oncologic Conditions: Medical Necessity and Documentation Requirements,” will be reviewed as of January 5, 2021. The PET scan audits will be for outpatient hospital and professional service reviews. CMS added additional 2021 audit targets to the approved list:

  1. Air Ambulance: Medical Necessity and Documentation Requirements,[1]. This complex review will be examining rotatory wing (helicopter) aircraft claims to determine if air ambulance transport was reasonable and medically necessary as well as whether or not documentation requirements have been met.
  2. Hospice Continuous Home Care: Medical Necessity and Documentation Requirements,[2] and
  3. Ambulance Transport Subject to SNF Consolidated Billing.[3]

Upcoming HHS secretary Xavier Becerra plans to get his new tenure underway quickly.

In False Claims Act (“FCA”) news, Medicare audits of P-Stim have ramped up across the country. A Spinal Clinic in Texas agreed to pay $330,898 to settle FCA allegations for allegedly billing Medicare improperly for electro-acupuncture device neurostimulators. CMS claims that “Medicare does not reimburse for acupuncture or for acupuncture devices such as P-Stim, nor does Medicare reimburse for P-Stim as a neurostimulator or as implantation of neurostimulator electrodes.”

Finally, is your staff getting medical records to consumers requesting their records quickly enough? Right to access to health records is yet another potential risk for all providers, especially hospitals due to their size. A hospital system agreed to pay $200,000 to settle potential violations of the HIPAA Privacy Rule’s right of access standard. This is HHS Office for Civil Rights’ 14th settlement under its Right of Access Initiative. The first person alleged that she requested medical records in December 2017 and did not receive them until May 2018. In the second complaint, the person asked for an electronic copy of his records in September 2019, and they were not sent until February 2020.

Beware of slow document production as slow document production can lead to penalties. And be on the lookout for the next RAC Report.

Remember, never accept the results of a Medicare or Medicaid audit. It is always too high. Believe me, after 21 years of my legal practice, I have yet to agree with the findings if a Tentative notice of Overpayment by any governmental contracted auditor, whether it is PCG, NGS, the MACs, MCOs, or Program Integrity – in any of our 50 States. That is quite a statement about the general, quality of work of auditors. Remember Teambuilders? How did $12 million become $896.35? See blog.

1  CMS, “0200-Air Ambulance: Medical Necessity and Documentation Requirements,” proposed RAC topic, January 5, 2021, http://go.cms.gov/35Jx1co.
2 CMS, “0201-Hospice Continuous Home Care: Medical Necessity and Documentation Requirements,” proposed RAC topic, January 5, 2021, http://go.cms.gov/3oRUyiY.
3 CMS, “0202- Ambulance Transport Subject to SNF Consolidated Billing,” proposed RAC topic, January 5, 2021, http://go.cms.gov/2LOMEbw.

KNICOLE EMANUEL TO HOST JANUARY WEBCAST ON PRFS AND RAC AUDITS

For healthcare providers looking to avoid any of the traps stemming from PRF (Provider Relief Funds) compliance, RACmonitor is inviting you to sign up for Knicole Emanuel’s upcoming webcast on January 21st, 2021. It is titled: COVID-19 Provider Relief Funds: How to Avoid Audits.  You can visit RACmonitor download the order form for the webcast to save yourself a spot. 

Webcast Description: 

If your facility accepted Provider Relief Funds (PRFs) as a consequence of the coronavirus pandemic, you need to be aware of the myriad of rules and regulations that are associated with this funding or else face penalties and takebacks. A word of caution: expect to be audited. In Medicare and Medicaid, regulatory audits are as certain as death and taxes. That is why your facility needs to arm itself with the knowledge of how to address documentation requests from the government, especially while the Public Health Emergency (PHE) is in effect.

This exclusive RACmonitor webcast, led by healthcare attorney Knicole Emanuel, discusses the PRF rules that providers must follow and how to prove that funds were appropriately used. There are strict regulations dictating why, how, and how much PRFs can be spent due to the catastrophic, financial impact of COVID-19. Register now to learn how to avoid penalties and takebacks related to PRFs.

Learning Objectives:

  • Rules and regulations relative to receiving and spending funds provided by the COVID-19 PRF
  • Exceptions to COVID-19 PRF and relevant effective dates
  • PRF documentation and reporting requirements
  • The importance of the legal dates of PHE
  • How to prove your facility’s use of funds is germane to COVID-19

Who Should Attend:

  • CFOs
  • RAC and appeals specialists
  • RAC coordinators
  • Compliance officers
  • Directors and managers

About Knicole C. Emanuel, Esq.

Healthcare industry expert and Practus partner, Knicole Emanuel, is a regular contributor to the healthcare industry podcast, Monitor Mondays, by RACmonitor. For more than 20 years, Knicole Emanuel has maintained a health care litigation practice, concentrating on Medicare and Medicaid litigation, health care regulatory compliance, administrative law and regulatory law. Knicole has tried over 2,000 administrative cases in over 30 states and has appeared before multiple states’ medical boards. 

She has successfully obtained federal injunctions in numerous states. This allowed health care providers to remain in business despite the state or federal laws allegations of health care fraud, abhorrent billings, and data mining. A wealth of knowledge in her industry, Knicole frequently lectures across the country on health care law. This includes the impact of the Affordable Care Act and regulatory compliance for providers, including physicians, home health and hospice, dentists, chiropractors, hospitals and durable medical equipment providers.

The Undefined, Definition of “Medical Necessity”

While the Coronavirus pandemic is horrible and seems to be getting worse. COVID has forced slight, positive changes in the telehealth arena and, perhaps, in the widening of the ambiguous definition of “medical necessity” or, as I call it – the undefined, definition of “medical necessity.” Medical necessity is the backbone of rendering health care services. Without it, services should not be provided. Yet, medical necessity is the most litigated topic in all of audits.

On September 1, 2020, the Centers for Medicare & Medicaid Services (“CMS”) published a proposed rule that will codify a definition of “medical necessity” for Medicare purposes. So far, the definition of medical necessity varies, depending on the source. The MACs have been given long rein in defining the term on an individual and separate basis, creating disparity in definitions and criteria. The proposed rule’s comment period ended November 2, 2020.

All this to say medical necessity is in the eye of the beholder. Much like beauty. Why then, can RAC and MAC auditors who are not doctors, not firsthand, treating providers, not nurses or LCASs, decide that medical necessity does or does not exist for a patient that they have never seen?

Black’s Law Dictionary (the most prominent legal dictionary) has a super, unhelpful definition of medical necessity: “If not carried out the patient’s situation could worsen. For a patient’s treatment found to be necessary is this specific type of procedure or treatment.”

The American Medical Association (“AMA”), on the other hand, has a more detailed definition, probably unintended to make it all the more confusing:

“Our AMA defines medical necessity as: Health care services or products that a prudent physician would provide to a patient for the purpose of preventing, diagnosing or treating an illness, injury, disease or its symptoms in a manner that is: (a) in accordance with generally accepted standards of medical practice; (b) clinically appropriate in terms of type, frequency, extent, site, and duration; and (c) not primarily for the economic benefit of the health plans and purchasers or for the convenience of the patient, treating physician, or other health care provider.”

CMS’ proposed rule codifies a definition of what makes an item or service medically “reasonable and necessary” under the Social Security Act 1861(a)(1)(A). The rule, if finalized, would codify in regulations a definition of “reasonable and necessary” items and services based on a definition currently used by Medicare Administrative Contractors (MACs), with an additional element that potentially would include coverage determinations by commercial insurers as a factor in making Medicare coverage determinations.

The Proposed Definition (To be Codified in 42 CFR 405.201)

“We are proposing to codify the longstanding Program Integrity Manual definition of “reasonable and necessary” into our regulations at 42 CFR 405.201(b), with modification. Under the current definition, an item or service is considered “reasonable and necessary” if it is (1) safe and effective; (2) not experimental or investigational; and (3) appropriate, including the duration and frequency that is considered appropriate for the item or service, in terms of whether it is—

  • Furnished in accordance with accepted standards of medical practice for the diagnosis or treatment of the patient’s condition or to improve the function of a malformed body member;
  • Furnished in a setting appropriate to the patient’s medical needs and condition;
  • Ordered and furnished by qualified personnel;
  • One that meets, but does not exceed, the patient’s medical need; and
  • At least as beneficial as an existing and available medically appropriate alternative.” See Proposed Rule.

In addition, CMS adds that it will also utilize commercial payor standards or have an objective panel determine medical necessity if criteria #1 and #2 were met, but not #3. This additional commentary is another example of how subjective and fact-specific determining medical necessity can be. The LCDs will also be consulted.

If adopted, these proposals would arguably lead to the most wide-ranging changes in Medicare’s coverage standards and procedures in decades. The proposal to codify the definition of “reasonable and necessary” applies to all items and services. The inclusion of commercial payor standards may be a wild card.

The definition of medical necessity has not been officially revised – yet. One could imagine that, in the midst of a RAC or MAC audit, auditors and providers will disagree as to the true definition of medical necessity.

Going forward, when you get audited, immediately look and see whether your claim denials were denied due to “lack of medical necessity.” Ask yourself, “Really? Is there no medical necessity in this case…even in the era of COVID?” Because the auditors may be wrong.

Secondly, ensure that the RAC and MAC entity is CMS-certified to review those certain CPT codes for medical necessity. CMS limits audits on medical necessity because of the vagueness of the definition. When auditors find no medical necessity, then providers must push back. And you should push back, legally, of course!

Fairness in Medicare: Post Payment Review in the Courts of Equity

As children, we say things are or are not fair. But what is fair? In law, fairness is “tried” in the courts of equity rather than law. Equitable estoppel and the defense of laches are arguments made in the courts of equity. Is it fair if you’ve been billing Medicare for services that you were told by CMS was billable and reimburse-able – for years – then, unexpectantly, CMS says, “Hey, providers, what you were told was reimburse-able, actually is not. In fact, providers, even though you relied on our own guidance, we will cease and desist from paying you going forward AND…we are now going back three years to retroactively collect the money that we should never have paid you…”

How is this fair? Yet, many of you have probably encountered RAC or MAC audits and a post payment review. What I described is a post payment review. Let me give you an example of a nationwide, claw-back by CMS to providers.

On January 29, 2020, CMS announced that beginning March 1, 2020, MACs will reject claims for HCPCS code L8679 submitted without an appropriate HCPCS/CPT surgical procedure code. Claims for HCPCS code L8679 billed with an appropriate HCPCS/CPT surgical code will be suspended for medical review to verify that coverage, coding, and billing rules have been met.

At least according to the announcement, it sounded like CMS instructed the MACs to stop reimbursing L8679 going forward, but I read nothing about going back in time to recoup.

In the last few months, my team has been approached by chiropractors and holistic medical providers who received correspondence from a UPIC and their MACs that they owe hundreds of thousands of dollars for L8679 going back three years prior to CMS’ 2020 announcement to cease using the code.

In this particular instance, many of the providers who had been using the L8679 code did so under the direct guidance of CMS, MACs, and other agents over the years. It becomes a fairness question. Should CMS be able to recoup for claims paid for services rendered when CMS had informed the providers it was the correct code for years?

Another factor to consider is that many of these providers are victims of an intentional scheme to sell devices with the false advice that the devices are covered by Medicare. Litigation has already been filed against the company. In a case filed December 6, 2019, in US District Court of the Eastern District of PA, Neurosurgical Care LLC sued Mark Kaiser and his current company, Doc Solutions LLC, claiming that Kaiser’s company falsely marketed the device as being covered by Medicare. Stivax is a “non-narcotic and minimally invasive form of neurostimulation” which is represented as “one of the only FDA approved microchip controlled microstimulation devices for treating back, joint and arthritic pain.”

Recall that, over the years, CMS paid for these approved procedures with no problem. This situation begins to leave the realm of the courts of law and into the court of equity. It becomes an equitable issue. Is there fairness in Medicare?

There may not be fairness, but there is an administrative appeal process for health care providers! Use it! Request redeterminations!

RAC Audits Expected During the COVID Pandemic

Even though the public health emergency (“PHE”) for the COVID pandemic is scheduled to expire July 24, 2020, all evidence indicates that the PHE will be renewed. I cannot imagine a scenario in which the PHE is not extended, especially with the sudden uptick of COVID.

Center for Medicare and Medicaid Services (CMS) has given guidance that the voluminous number of exceptions that CMS has granted during this period of the PHE may be extended to Dec. 1, 2020. However, there is no indication of the RAC, and MAC audits being suspended until December 2020. In fact, we expect the audits to begin again any day. There will be confusion when audits resume and COVID exceptions are revoked on a rolling basis.

Remember the emergency-room physician whom I spoke about on the June 29 on Monitor Mondays? The physician whose Medicare enrollment was revoked due to a computer error or an error on the part of CMS. What normally would have been an easy fix, because of COVID, became more difficult. Because of COVID, he was unable to work for three months. He is back up and running now. The point is that COVID really messed up so many aspects of our lives.

The extension of PHE, technically, has no bearing on RAC and MAC audits coming back. Word on the street is that RAC and MAC audits are returning August 2020.

This month, July 2020, CMS released, “Coronavirus Disease 2019 (COVID-19) Provider Burden Relief Frequently Asked Questions (FAQs).” (herein afterward referred as “CMS July 2020 FAQs”).

The question was posed to CMS: “Is CMS suspending most Medicare-Fee-for-Service (FFS) medical review during the PHE for the COVID-19 pandemic? The answer is, according to CMS, “As states reopen, and given the importance of medical review activities to CMS’ program integrity efforts, CMS expects to discontinue exercising enforcement discretion beginning on Aug. 3, 2020, regardless of the status of the public health emergency. If selected for review, providers should discuss with their contractor any COVID-19-related hardships they are experiencing that could affect audit response timeliness. CMS notes that all reviews will be conducted in accordance with statutory and regulatory provisions, as well as related billing and coding requirements. Waivers and flexibilities in place at the time of the dates of service of any claims potentially selected for review will also be applied.” See CMS July 2020 FAQs.

Monday, July 13, 2020, we began our fourth “COVID-virtual trial.” The Judges with whom I have had interaction have taken a hard stance to not “force” someone to appear in person. It appears, at least to me, that virtual trials are the wave of the future. This is the guidance that conveys to me that RAC and MAC audits will begin again in August. Virtual audits may even be the best thing that ever happened to RAC and MAC audits. Maybe now the auditors will actually read the documents that the provider gives them.

Another specific issue addressed in the CMS’ July 2020 FAQs is that given the nature of the pandemic and the inability to collect signatures during this time, CMS will not be enforcing the signature requirement. Typically, Part B drugs and certain Durable Medical Equipment (DME) covered by Medicare require proof of delivery and/or a beneficiary’s signature. Suppliers should document in the medical record the appropriate date of delivery and that a signature was not able to be obtained because of COVID-19. This exception may or may not extend until Dec. 31, 2020.

The upshot is that no one really knows how the next few months will unfold in the healthcare industry. Some hospitals and healthcare systems are going under due to COVID. Big and small hospital systems are in financial despair. A RAC or MAC audit hitting in the wake of the COVID pandemic could cripple most providers. I will reiterate my recommendation: In the re-arranged words of Roosevelt, “Speak loudly, and carry a big stick.”

Programming Note: Knicole Emanuel is a permanent panelist on Monitor Mondays. Listen to her live reporting every Monday at 10 a.m. EST.

Update on Medicare/Medicaid Audits in the Wake of COVID-19

Published in Today’s Wound Clinic:

When I was asked to draft an article for Today’s Wound Clinic, it was approximately two weeks ago. I was asked to write about the current state of Medicare and Medicaid audits. Specifically, I was asked to provide a legal analysis about CMS suspending audits un-related to COVID-19. In the month of April, we have seen the spike of COVID-19, which has overturned our everyday world. We have been instructed by President Trump to “stay home” and “social distance” to decrease the spread of the virus. This “stay at home” instruction is unprecedented and has uprooted many of our most reliable and commonplace businesses, such as hairdressers, bowling alleys, and tattoo parlors.

Here is the answer: The current state of Medicare/Medicaid audits, at the moment, is dictated by COVID-19.

We can divide the post-COVID-19 audit rules into 3 categories:

  1. Those exceptions published by CMS to apply to all health care providers
  2. Those special, verbal exceptions given directly to an individual provider that were not published by CMS
  3. Effective immediately, new guidelines that CMS will follow until CMS believes it no longer needs to follow (by its own choice, of course).

An example of an “effective immediately” guideline is our current state of Medicare/Medicaid audits in the wake of COVID-19. CMS has not suspended all Medicare/Medicaid regulatory audits. But CMS has suspended most audits.

Effective immediately, survey activity is limited to the following (in Priority Order):

  • All immediate jeopardy complaints (cases that represents a situation in which entity noncompliance has placed the health and safety of recipients in its care at risk for serious injury, serious harm, serious impairment or death or harm) and allegations of abuse and neglect;
  • Complaints alleging infection control concerns, including facilities with potential COVID-19 or other respiratory illnesses;
  • Statutorily required recertification surveys (Nursing Home, Home Health, Hospice, and ICF/IID facilities);
  • Any re-visits necessary to resolve current enforcement actions;
  • Initial certifications;
  • Surveys of facilities/hospitals that have a history of infection control deficiencies at the immediate jeopardy level in the last three years;
  • Surveys of facilities/hospitals/dialysis centers that have a history of infection control deficiencies at lower levels than immediate jeopardy.

See CMS QSO-20-12-ALL. You can see that these “effective immediately” guidelines are usually published on CMS letterhead. The “effective immediately” guidelines explain why CMS is taking the stated action, the stated action, and that the action is temporary and due to COVID-19.

Here are a few recent “effective immediately” guidelines due to COVID-19:

  • On April 27, 2020, CMS said it would no longer expedite Medicare payments to doctors and be more stringent about accelerating the payments to hospitals as Congressional relief aimed at providers reaches $175 billion.
  • The agency is not accepting any new applications for the loans from Part B suppliers, including doctors, non-physician practitioners and durable medical equipment suppliers. CMS will continue to process pending and new requests from Part A providers, including hospitals, but be stricter with application approvals.
  • CMS expanded the Accelerated and Advance Payment Programs in late March as the pandemic continued to gain strength in the U.S. Since then, the agency has approved over 21,000 applications making up $59.6 billion in accelerated payments to Part A providers and almost 24,000 applications making up $40.4 billion in payments for Part B suppliers.

The $2.2 trillion Coronavirus Aid, Relief, and Economic Security stimulus package passed by Congress in March benchmarked $100 billion in funds for hospitals. On Friday, President Donald Trump signed legislation with a second round of emergency funding, called the Paycheck Protection Program and Health Care Enhancement Act, that allocates another $75 billion for providers — roughly three-quarters of what major provider trade associations requested.

An initial $30 billion from the fund was distributed between April 10 and April 17 based on Medicare fee-for-service revenue, sparking criticism that put facilities with a smaller proportion of Medicare business, such as children’s and disproportionate share hospitals, at a disadvantage. HHS on Friday began releasing an additional $20 billion in CARES payments to providers based on their 2018 net patient revenue, with more funding to roll out “soon,” the agency said, including $10 billion for hard-hit areas like New York.

How RAC/MAC auditors are compensated dictates their actions and/or aggressiveness.

RAC Auditors are paid by contingency. They are usually compensated approximately 13%, depending on the State. Imagine what 13% is of 1 million. It is $130,000 – more than most people make in a year. If you do not believe that 13% contingency is enough to incentivize a company, which, in turn, incentivize the employees, then you are sorely mistaken.

RACs were established through a demonstration program under the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (“MMA”), piloted between 2005 and 2008, and were later made permanent under the Tax Relief and Health Care Act of 2006, which required CMS to establish Recovery Auditors for all states before 2010.

MACs are not compensated by contingency, per se. CMS decided to structure the MAC contracts with 1-year base performance periods and four, optional, 1-year performance periods at the time. The MMA required that these contracts be recompeted at least once every 5 years. The recent enactment of the Medicare Access and CHIP Reauthorization Act of 2015 amended this requirement to authorize a maximum 10-year performance period before MAC contracts must be recompeted. The amendment, which applies to MAC contracts in effect at the time of enactment or entered into on or after enactment, would permit CMS to modify existing MAC contracts or enter into future MAC contracts for 1-year base performance periods and nine optional 1-year performance periods. See Pub. L. No. 114-10, § 509(a)- (b) (April 16, 2015). Therefore, while MACs are not compensated on contingency, MACs are compensated on performance. The less a MAC spends, the more services a MAC allows, the strict oversight a MCA ensues on its providers…all these “performance-based” measures may not be a contingency compensation relationship, but it’s pretty close. Saved money becomes profit for MACs.

Medicare and Medicaid auditors love rules. Even if the rules that auditors are instructed to follow really are not required by actual law. It goes without saying that auditors are not lawyers. Auditors are not trained to decipher whether statutes, regulations or policy are superseded by federal statutes and regulations. The fact is that, more times than one would hope, the auditors are wrong in their assessments that a claim should be denied, not out of malice, but because of a basic misunderstanding of what the law actually requires.

I have all kinds of stories about auditors claiming money is owed, when, really it was not owed because the RAC/MAC auditor failed to follow the actual, correct procedure or misconstrued a regulation. For example, I had a durable medical equipment provider, DME ABC, who was informed by the NSC Supplier Audit and Compliance Unit of Palmetto GBA that it owed $1,075,548.64. Palmetto is one of the MACs for Medicare – durable medical equipment. There was no demand letter. The alleged overpayment amount came to fruition in a telephone conference between the CEO of the company and an employee of Palmetto. Let’s call her Nancy. Nancy told CEO that company owed $1,075,548.64 based on an alleged violation of 42 C.F.R. § 424.58,

Even more disconcerting, was the fact that Palmetto claimed that its alleged, oral overpayment against DME ABC arose from a normal, reoccurring validation process pursuant to 42 C.F.R. §424.57, approved by CMS and in accordance with the requirements of 42 C.F.R. §424.58. No formal letter was necessary was Palmetto’s retort. Not correct; a formal demand letter is always required.

In this case, Palmetto began to backtrack once we pointed out that Palmetto nor Nancy ever sent a formal demand letter with any reconsideration review appeal rights or administrative appeal rights. We knew this was procedurally incorrect because federal law dictates that you receive a formal demand letter with appeal rights and notice of how many days you have to appeal. But out of fear of retribution, DME ABC was willing to write a check without pushing back. Obviously, we did not do so.

I tell this story as an example of how intimidating, scary, and overwhelming auditors can be. If someone off the street asked you for a million dollars, you would laugh them off your doorstep, right? After you tell them to don a mask and maintain social distancing.

But in the new-age world of COVID-19, rules have been broken. This behavior would not be acceptable pre-COVID-19. But this provider honestly was going to pay.

The Trump Administration is issuing an unprecedented array of temporary regulatory waivers and new rules to equip the American healthcare system with maximum flexibility to respond to the 2019 Novel Coronavirus (COVID-19) pandemic.

Pre-COVID-19 if you were to state “paperwork over patients,” everyone in the industry would agree. There would be snickers and eyes rolling, because no one wanted paperwork to be over patients. But it was. Now the mantra has flipped upside down – now the mantra is: Patients over Paperwork.

Post-COVID-19, if documents are lost or misplaced, or otherwise unusable, DME MACs have the flexibility to waive replacements requirements under Medicare such that the face-to-face requirement, a new physician’s order, and new medical necessity documentation are not required. Suppliers must still include a narrative description on the claim explaining the reason why the equipment must be replaced and are reminded to maintain documentation indicating that the DMEPOS was lost, destroyed, irreparably damaged or otherwise rendered unusable or unavailable as a result of the emergency.

Post-COVID-19, CMS is pausing the national Medicare Prior Authorization program for certain DMEPOS items. CMS is not requiring accreditation for newly enrolling DMEPOS and extending any expiring supplier accreditation for a 90-day time period. CMS is waiving signature and proof of delivery requirements for Part B drugs and Durable Medical Equipment when a signature cannot be obtained because of the inability to collect signatures. Suppliers should document in the medical record the appropriate date of delivery and that a signature was not able to be obtained because of COVID-19.

Post-COVID-19, in order to increase cash flow to providers impacted by COVID-19, CMS has expanded the current Accelerated and Advance Payment Program. An accelerated/advance payment is a payment intended to provide necessary funds when there is a disruption in claims submission and/or claims processing. CMS may provide accelerated or advance payments during the period of the public health emergency to any two Medicare providers/suppliers who submits a request to the appropriate MAC and meets the required qualifications. The process of obtaining the funds is a MAC-by-MAC process. Each MAC will work to review requests and issue payments within seven calendar days of receiving the request. Traditionally repayment of these advance/accelerated payments begins at 90 days, however for the purposes of the COVID-19 pandemic, CMS has extended the repayment of these accelerated/advance payments to begin 120 days after the date of issuance of the payment. Providers can get more information on this process here: www.cms.gov/files/document/Accelerated-and-Advanced-Payments-Fact-Sheet.pdf

The Future of Medicare/Medicaid Audits

The beauty of predicting the future is that no one can ever tell you that you are wrong. These are my predictions:

Auditors will deny claims for not having prior authorizations. Auditors will deny claims because the supplier accreditation expired after the 90-day time period. Auditors will deny claims because the percentage of face-to-face time was not met as described per CPT codes.

Obviously, these would be erroneous denials if the denials are within the dates that the COVID-19 pandemic occurred. The problem will be that the auditors will not be able to keep up with all the exceptions, not because the auditors are acting out of malice or dislikes providers. They will be simply trying to do their job. They will simply not be able to take into consideration all the exceptions that were given during the virus. Because, while we do have many written exceptions, if you call CMS with a personal and individualized problem, CMS will, most likely, grant you a needed exception. As long as the exception has the best interest of the consumer at heart. However, this personalized exception will not be written on CMS’s website. In five years, when you undergo a MAC or RAC audit, you better have proof that you received that exception. It will not be enough proof for you to state that you were given the exception over the phone.

So how can you protect yourself from future, erroneous audits?

Write everything down. When you speak to CMS, document concurrently the date, time, name of the person to whom you are speaking, the summary of your conversation, the COVID-19 regulatory exception, sign it and date it.

It is a hearsay exception. Writing down everything does not magically transform your note into the truth. However, writing down everything concurrently does magically allow that note that you wrote to be allowed in a court of law as an exhibit. Had you not written the note contemporaneously with the conversation that you had with CMS, then the attorney on the other side of the case would move to exclude your handwritten or typed note as hearsay.

Hearsay is defined as a statement that (1) the declarant does not make while testifying at the current trial or hearing; and (2) a party offers in evidence to prove the truth of the matter asserted in a statement. There are too many hearsay exceptions to name in this article.

Just know, for purposes of this article, that any health care provider who is relying on an exception to a normally required regulatory mandate – regardless what it is – either be able to: (1) cite the written exception that was published by CMS to the public; or (2) produce the written or typed contemporaneously written note that you wrote to memorialize the conversation.

Knicole Emanuel Appears on the Hospital Finance Podcast – Suspension of Audits

D83B4E86-D9CA-462F-8C54-EDBC90DA00E8

To listen, please click here.

Highlights of this episode include:

  • Background on why CMS will forego all audits unrelated to the coronavirus.
  • What types of audits will CMS continue during the coronavirus pandemic?
  • What providers need to know about complying with current audits, such as TPE audits.
  • How providers can protect themselves by documenting exceptions such as two-day admissions.
  • And more…

Mike Passanante: Hi, this is Mike Passanante and welcome back to the award-winning Hospital Finance Podcast®.

As a result of the COVID-19 crisis, the government has suspended most auditing activities for providers. To sort out what that means for hospitals, I’m joined by Knicole Emanuel. Knicole is an attorney at Potomac Law Group in Raleigh, North Carolina, where she concentrates on Medicare and Medicaid regulatory compliance litigation. Knicole, welcome to the show.

Knicole Emanuel: Thank you and thank you for having me.

Mike: Knicole, the government announced that it is suspending survey activities. Practically what does that mean for providers?

Knicole: Well, so right now because of the Coronavirus, CMS has decided to forego audits that are unrelated to the coronavirus. So actually effective April 3, 2020. The only audits that will be conducted will be those audits that are germane to all immediate Jeopardy complaints. Those kind of cases that represent a situation in which an entities non-compliance has placed the health and safety of recipients in its care at risk for serious injury. So we’re talking about potential serious injury or serious harm.

Another audit that’s going to continue would be complaints alleging infection control concerns because that would obviously be impacted by the coronavirus. Any sort of statutorily required recertification surveys are going to be conducted. I would assume that they’re going to be conducted telephonically. They’re not going to be going on-site and revisits necessary to resolve current enforcement actions. That’s important because when this Coronavirus all came about, there were hundreds and hundreds and hundreds, perhaps thousands upon thousands of healthcare providers already in the middle of TPE audits or RAC audits or MAC audit. And they’d already had on-site visits, they’d already had maybe perhaps a lower accuracy rating. And they’re going to be stuck in this cycle of being stuck in the audit until they can get a resurvey because with this coronavirus the penalties that they’re enduring, whether it’s a suspension of admission, or whether it’s a monetary penalty. These penalties are being administered even if they cannot have a secondary or a revisit of the audit to get them off of the penalty that they’re currently on. So it’s really important that people who are in the middle of audit and when all this came down to get them off of the audit cycle so they can go back to providing care.

Mike: So essentially, there are a number of activities that are suspended. But it’s important for providers to know that there is a subset of activities that will continue even during this period.

Knicole: Correct. But they’re all going to be activities that are of the utmost importance. The items that take lower priority are going to be pushed down.

Mike: Okay, and you mentioned the TPE audits a second ago. So that’s the targeted probe and education. Are they going to continue during this time period as far as you know?

Knicole: Well, so as far as I know, they are not going to continue as in they’re not going to start new TPE audit. Now the question then becomes, “Well, I received a document request a month ago for a TPE audit. Do I need to comply now?” And the conservative safe answer is to go ahead and keep complying with these document requests. Although the deadlines for these document requests, those are going to be extended. I’m sure you’ll be able to get extensions for trying to comply with those. And in reality, if you contact the people who are conducting the audit, you may find that the entire audit in general is put on pause. But don’t assume it’s put on pause. Try to make sure you comply, unless you find out it’s on pause. And if you get something over the email or over a phone that says that your TPE audit is paused currently, follow up with an email and get it in writing. Because future audit, they’re not going to remember that your particular audit was with pause during the coronavirus.

Mike: That’s great advice, Knicole. Do you have any other recommendations for providers as they’re navigating through this time?

Knicole: Yes, I do. There are a number of providers right now that are asking for exceptions, and I can give examples. So for example, in the hospital setting, there are hospitals that are asking for waivers for the inpatient admission standards or the two-day admission, or the moon rules. All those kind of things are asking for exceptions, and a lot of the hospital, A lot of the providers are getting the exceptions they need to allow people to have to stay longer in their hospitals because they have nowhere to discharge them. They can’t go back to their nursing homes where the coronavirus may or may not be. And so, because they’re getting all these exceptions, five years from now when you’re undergoing an audit, no one is going to remember that you had this exception that this particular consumer can stay in my hospital for two extra days or five extra days. And five years from now, you may get audited and say, “Well, you got to recoup all this money because you let them stay in for too long of a time.” When in reality, you are given an exception, write all the exceptions down. Keep one place, keep a computer program, keep a hard copy, whatever you want to do, and notebook, if that you want to get down to not having any technology involved. But keep track of all of these exceptions that you get as little as they may be because if you’re getting an exception for one person, and that one person can stay longer than the two-day allowance for the outpatient stays, and you multiply that by, okay, well, now you’ve got to take that exception and extrapolate it again, 200 people over the course of a year, that’s a lot of money we’re talking about. So you need to make sure you keep track of all the exceptions, no matter how small. And keep track of them somewhere that you’re not going to lose them. If your attrition rate is high with executives, you need to make sure that the next people in line had that knowledge so that in future audit, you can explain that you did not abide by the regulations for good reason. You had an exception, but no one’s keeping track of all these exceptions.

Mike: And so, it’s great advice, Knicole. And I know you’ve got a great blog of your own that people can follow. If people wanted to read more about what’s going on here on that blog or get in touch with you, how can they do that?

Knicole: Well, you’re more than welcome to go onto my blog, which is Medicare and Medicaid law. It is at medicaidlawnc.com. You can also contact me at any time. I’m at Potomac Law Group. I help providers across the country and not only in North Carolina, but in 33 states. And so, I am pretty well versed on all the exceptions that I’m seeing. It’s really fast-paced right now. It’s scary. It’s surreal. But it is really important to make sure that everything is written down because in the future– I mean, that old saying that old adage for nurses, if it’s not written, it doesn’t exist, is really going to matter in the future years.

Mike: Knicole, thanks for adding some clarity around this very complex issue. We appreciate you coming back to the show today.

Knicole: Absolutely. Thank you.

Suspension of Audits During the Coronavirus?

49B70E0C-5089-4D23-925D-54A09DC51563

Effective immediately, survey activity is limited to the following (in Priority Order):

  • All immediate jeopardy complaints (cases that represents a situation in which entity noncompliance has placed the health and safety of recipients in its care at risk for serious injury, serious harm, serious impairment or death or harm) and allegations of abuse and neglect;
  • Complaints alleging infection control concerns, including facilities with potential COVID-19 or other respiratory illnesses;
  • Statutorily required recertification surveys (Nursing Home, Home Health, Hospice, and ICF/IID facilities);
  • Any re-visits necessary to resolve current enforcement actions;
  • Initial certifications;
  • Surveys of facilities/hospitals that have a history of infection control deficiencies at the immediate jeopardy level in the last three years;
  • Surveys of facilities/hospitals/dialysis centers that have a history of infection control deficiencies at lower levels than immediate jeopardy.

See CMS QSO-20-12-ALL.

Obviously, there are so many questions. Providers across the country are asking whether they need to comply with document requests. Are TPE audits continuing? Do they need to comply with ongoing ADRs?

Every bulletin that CMS publishes instigates more detailed and complex questions. With all these relaxed guidelines, won’t RACs, etc. have a field day when this is all over? Of course they will.

General Recommendations:

  • Be proactive.
  • Document everything.
  • Deadlines will be extended.
  • Exceptions will be made.
  • Keep all email correspondence.
  • Maintain copies of everything that you submit. (Do not rely on electronic computer software programs).
  • Keep track of CMS updates.

Email me questions, and I will try to respond.

Also, feel free to reach out to the government: QSOG_EmergencyPrep@cms.hhs.gov.

Effective date: 30 days from the memo, which equals April 3, 2020.