Category Archives: Regulatory Audits
Laboratories Are Under Scrutiny by OIG and State Medicaid!
Laboratories are under scrutiny by the OIG and State Medicaid Departments. Labs get urine samples from behavioral health care companies, substance abuse companies, hospitals, and primary care facilities, who don’t have their own labs. Owners of labs entrust their lab executives to follow procedure on a federal and/or state level for Medicare or Medicaid. Well, what if they don’t. For example, one client paid a urine collector/courier by the mile. That courier service collected urine from Medicaid consumers in NC, sometimes in excess of 90 times a year, when Medicaid only allows 24 per year. I have about 10-15 laboratory clients at the present.
Another laboratory’s urine collector collected the urine, but never brought the urine back to get tested. To which I ponder, where did all those urine specimens go?
Another laboratory had a standing order for over 6 years to test presumptive and definitive testing on 100% of urine samples.
OIG has smelled fraud within laboratories and is widening its search for fraudsters. Several laboratories are undergoing the most serious audits in existence. Not RAC, MAC, or UPIC audits, but audits of even more importance. They received CIDs or civil investigative demands from their State Medicaid Divisions. These requests, like RAC, MAC, or UPIC audits, request lots of documents. In fact, CIDs are legally allowed to request documents for a much longer period of time than RACs, which can only request 3 years back. Most CIDs are fishing for false claims under the False Claims Act (FCA). Stark and Anti-Kickback violations are also included in these investigations. While civil penalties can result in high monetary penalties, criminal violations result in jail time.
As everyone knows, labs must follow CLIA or be CLIA certified, which is the federal standard for which labs. The Clinical Laboratory Improvement Amendments (CLIA) of 1988 (42 USC 263a) and the associated regulations (42 CFR 493) provide the authority for certification and oversight of clinical laboratories and laboratory testing. Under the CLIA program, clinical laboratories are required to have the appropriate certificate before they can accept human samples for testing. There are different types of CLIA certificates, as well as different regulatory requirements, based on the types and complexity of clinical laboratory tests a laboratory conducts. CLIA, like CMS, has its own set of rules. When entities like CLIA or CMS have their own rules, sometimes those rules juxtapose law, which creates a conundrum for providers. If you own a lab, do you follow CLIA rules or CMS rules or the law? Let me give you an example. According to CLIA, you must maintain documentation regarding samples and testing for two years. So, if CLIA audits a laboratory, the audits requests will only go back for two years. Well, that’s all fine and dandy. Except according to the law, you have to maintain medical documents for 5 or 6 years, depending on the service type.
Recently, one of my labs received a CID for records going back to 2017. That is a 6-year lookback. Had the lab followed CLIA’s rules, the lab would only have documentation going back to 2021. Had the lab followed CLIA’s rules, when OIG knocked on its door, it would have NOT had four years of OIG’s request. Now I do not know, because I have never been in the position that my lab client only retained records for two years…thank goodness. If I were in the position, I would argue that the lab was following CLIA’s rules. But that’s the thing, rules are not laws. When in doubt, follow laws, not rules.
However, that takes me to Medicare provider appeals of RAC, MAC, and UPIC audits. Everything under the umbrella of CMS must follow CMS rules. Remember how I said that rules are not laws? CMS rules, sometimes, contradict law. Yet when a Medicare provider appeals an overpayment or termination, the first four levels of appeal are mandated to follow CMS rules. It is not until the 5th level, which is the federal district court that law prevails. In other words, the RAC, MAC, or UPIC, the 2nd level QIC, the 3rd level ALJ, and the 4th level Medicare Appeal Council, all must follow CMS rules. It is not until you appear before the federal district judge that law prevails.
Receiving a CID does not mean that your investigation will remain civil. Most investigations begin civilly. If the evidence uncovered demonstrates any criminal activity, your civil investigation can quickly turn criminal. I co-defend with a federal criminal attorney if the case has a chance to turn criminal. Believe me, there is a huge difference between federal and state criminal lawyers! Even with the best federal criminal lawyers, you want a Medicare and Medicaid expert lawyer on the team to dispute the regulatory accusations that a criminal attorney may not be as well-versed. I am so thankful that I moved my practice to Nelson Mullins, because we have a huge, yet highly-specialized health care practice. While we have a large number of lawyers, each partner specializes in slightly different aspects of health care. So, when I need a federal criminal attorney to partner-up with me, I just walk down the hall.
Laboratories: Beware! Be ready! Be prepared! Be lawyered up!
Ding Dong! PHE Is Dead!!!
The federal Public Health Emergency (PHE) for COVID-19, declared under Section 319 of the Public Health Service (PHS) Act, is expiring at the end of the day on May 11, 2023, today! This is huge. There have been thousands of exceptions and waivers due to COVID throughout the last 2 1/2 years. But on the end of the day on May 11, 2023…POOF….

Most exceptions or waivers will immediately cease.
The Department claims it has been working closely with partners—including Governors; state, local, Tribal, and territorial agencies; industry; and advocates—to ensure an orderly transition out of the COVID PHE.
Yesterday, HHS released a Fact Sheet. It is quite extensive, as it should be considering the amount of regulatory compliance changes that will happen overnight!
Since January 2021, COVID deaths have declined by 95% and hospitalizations are down nearly 91%.
There are some flexibilities and actions that will not be affected on May 11.
Access to COVID vaccinations and certain treatments, such as Paxlovid and Lagevrio, will generally not be affected.
At the end of the PHE on May 11, Americans will continue to be able to access COVID vaccines at no cost, just as they have during the COVID PHE. People will also continue to be able to access COVID treatments just as they have during the COVID PHE.
At some point, the federal government will no longer purchase or distribute COVID vaccines and treatments, payment, coverage, and access may change.
On April 18, 2023, HHS announced the “HHS Bridge Access Program for COVID-19 Vaccines and Treatments.” to maintain broad access to vaccines and treatments for uninsured Americans after the transition to the traditional health care market. For those with most types of private insurance, COVID vaccines recommended by the Advisory Committee on Immunization Practices (ACIP) are a preventive health service and will be fully covered without a co-pay when provided by an in-network provider. Currently, COVID vaccinations are covered under Medicare Part B without cost sharing, and this will continue. Medicare Advantage plans must also cover COVID vaccinations in-network without cost sharing, and this will continue. Medicaid will continue to cover COVID vaccinations without a co-pay or cost sharing through September 30, 2024, and will generally cover ACIP-recommended vaccines for most beneficiaries thereafter.
After the transition to the traditional health care market, out-of-pocket expenses for certain treatments, such as Paxlovid and Lagevrio, may change, depending on an individual’s health care coverage, similar to costs that one may experience for other covered drugs. Medicaid programs will continue to cover COVID treatments without cost sharing through September 30, 2024. After that, coverage and cost sharing may vary by state.
Major telehealth flexibilities will not be affected. The vast majority of current Medicare telehealth flexibilities that people with Medicare—particularly those in rural areas and others who struggle to find access to care—have come to rely upon throughout the PHE, will remain in place through December 2024. Plus, States already have significant flexibility with respect to covering and paying for Medicaid services delivered via telehealth. This flexibility was available prior to the COVID PHE and will continue to be available after the COVID PHE ends.
What will be affected by the end of the COVID-19 PHE:
Many COVID PHE flexibilities and policies have already been made permanent or otherwise extended for some time, with others expiring after May 11.
Certain Medicare and Medicaid waivers and broad flexibilities for health care providers are no longer necessary and will end. During the COVID PHE, CMS used a combination of emergency authority waivers, regulations, and sub-regulatory guidance to ensure and expand access to care and to give health care providers the flexibilities needed to help keep people safe. States, hospitals, nursing homes, and others are currently operating under hundreds of these waivers that affect care delivery and payment and that are integrated into patient care and provider systems. Many of these waivers and flexibilities were necessary to expand facility capacity for the health care system and to allow the health care system to weather the heightened strain created by COVID-19; given the current state of COVID-19, this excess capacity is no longer necessary.
For Medicaid, some additional COVID PHE waivers and flexibilities will end on May 11, while others will remain in place for six months following the end of the COVID PHE. But many of the Medicaid waivers and flexibilities, including those that support home and community-based services, are available for states to continue beyond the COVID PHE, if they choose to do so. For example, States have used COVID PHE-related flexibilities to increase the number of individuals served under a waiver, expand provider qualifications, and other flexibilities. Many of these options may be extended beyond the PHE.
Coverage for COVID-19 testing will change.
State Medicaid programs must provide coverage without cost sharing for COVID testing until the last day of the first calendar quarter that begins one year after the last day of the PHE. That means with the PHE ending on May 11, 2023, this mandatory coverage will end on September 30, 2024, after which coverage may vary by state.
The requirement for private insurance companies to cover COVID tests without cost sharing, both for OTC and laboratory tests, will end at the expiration of the PHE.
Certain COVID data reporting and surveillance will change. CDC COVID data surveillance has been a cornerstone of our response, and during the PHE, HHS had the authority to require lab test reporting for COVID. At the end of the COVID-19 PHE, HHS will no longer have this express authority to require this data from labs, which will affect the reporting of negative test results and impact the ability to calculate percent positivity for COVID tests in some jurisdictions. Hospital data reporting will continue as required by the CMS conditions of participation through April 30, 2024, but reporting will be reduced from the current daily reporting to weekly.
FDA’s ability to detect shortages of critical devices related to COVID-19 will be more limited. While FDA will still maintain its authority to detect and address other potential medical product shortages, it is seeking congressional authorization to extend the requirement for device manufacturers to notify FDA of interruptions and discontinuances of critical devices outside of a PHE which will strengthen the ability of FDA to help prevent or mitigate device shortages.
Public Readiness and Emergency Preparedness (PREP) Act liability protections will be amended. On April 14, 2023, HHS Secretary Becerra mailed all the governors announcing his intention to amend the PREP Act declaration to extend certain important protections that will continue to facilitate access to convenient and timely COVID vaccines, treatments, and tests for individuals.
More changes are occurring than what I can write in one, little blogpost. Know that auditors will be knocking on your doors, asking for dates of service during the PHE. Be sure to research the policies and exceptions that were pertinent during those DOS. This is imperative for defending yourself against auditors knocking on your doors.
And, as always, lawyer-up fast!
And just like the Wicked With of the West, DING DONG! The PHE is dead.
Preparing for Post-PHE Medicare and Medicaid Audits
Hello and happy RACMonitor Monday! As the nation forges ahead in the wake of the COVID-19 pandemic, the audits continue after that brief hiatus in March 2020. Recovery Audit Contractors (RACs), UPICs, and other auditors are dutifully reviewing claims on a post-payment basis. However, since COVID, there is a staffing shortage, which have many provider facilities scrambling on a normal basis. Throw in an audit of 150 claims and you’ve got serious souff-laying.
Yes, audit preparation has changed since COVID. Now you have more to do to prepare. Audits create more work when you have less staff. Well, suck it up sippy-cup because post-PHE audits are here.
The most important pre-audit preparation is knowing the COVID exceptions germane to your health care services. During PHE over the last two years, there has been a firehose of regulatory exceptions. You need to use these exceptions to your advantage because, let’s face it, the exceptions made regulatory compliance easier. For the period of time during which the exceptions applied, you didn’t have to get some signatures, meet face-to-face, have supervision, or what not. The dates during which these exceptions apply is also pertinent. I suggest creating a folder for all the COVID exceptions that apply to your facility. While I would like to assume that whatever lawyer that you hire, because, yes, you need to hire a lawyer, would know all the COVID exceptions – or, at least, know to research them, you never know. It only benefits you to be prepared.
Any medical provider that submits claims to a government program may be subject to a Medicare or Medicaid audit. Just because you have been audited in the past, doesn’t change the fact that you may be audited again in the future. RAC audits are not one-time or intermittent reviews and can be triggered by anything from an innocent documentation error to outright fraud. I get that questions a lot: This is my 3rd audit. At what point is this harassment. I’ve never researched the answer to that question, but I would venture that auditors get tons of latitude. So, don’t be that provider that is low-hanging fruit and simply pays post-payment reviews.
While reduced staff, high patient loads or other challenges may be bogging down your team, it’s important to remember that timeliness is crucial for CMS audit responses.
Locating the corresponding medical records and information can be a hassle at the best of times, but there are a few key things your organization can do to better prepare for a RAC Audit:
According to CMS, if selected for review, providers should discuss with their contractor any COVID-19-related hardships they are experiencing that could affect audit response timeliness. CMS notes that all reviews will be conducted in accordance with statutory and regulatory provisions, as well as related billing and coding requirements. Waivers and flexibilities will also be applied if they were in place on the dates of service for any claims potentially selected for review.
Ensure that the auditor has the appropriate contact information for requesting audit-related documentation. With so many changes to hospitals teams, it’s important to make sure that auditors’ requests for medical records are actually making it to the correct person or team in a timely manner.
Provide your internal audit review teams with proper access to data and other software tools like those used to ensure timely electronic audit responses. With a mix of teams working from home and in the office, it’s a good idea to make sure that teams handling Additional Documentation Requests (ADRs) and audit responses have the necessary access to the data they will need to respond to requests.
Review and document any changes to your audit review team processes.
Meet with your teams to ensure they fully understand the processes and are poised to respond within the required timeframes.
Successfully completing these audits in a timely manner is made much easier when the above processes and steps are in place.
Defending Medicare Providers Against FCA or Qui Tam Lawsuits
As a health care partner at Nelson Mullins, I’ve seen my fair share of False Claims Act (FCA) and Qui Tam actions against health care providers. It’s not uncommon for practices to receive unwarranted accusations of false claims, especially when it comes to billing Medicare. But fear not, my friends, for I’m here to provide some guidance on how to defend yourself. These cases are long and tedious, so it is important to maintain a bit of humor throughout the process – that and hire a really good attorney.
First things first, let’s talk about the False Claims Act. This federal law imposes liability on individuals and companies that defraud the government by submitting false claims for payment. Essentially, if you submit a claim for reimbursement from Medicare that you know is false, you could be on the hook for some serious penalties. However, the government has to prove that you had actual knowledge that the claim was false, which can be a tough burden to meet.
Now, let’s talk about Qui Tam actions. These are lawsuits brought by private individuals, also known as “whistleblowers,” on behalf of the government. The whistleblower stands to receive a percentage of any damages recovered by the government, so there’s a financial incentive for them to pursue these cases. Qui Tam actions can be especially tricky because the whistleblower doesn’t have to prove that you had actual knowledge that the claim was false – they just have to show that you submitted a false claim.
So, what can you do to defend yourself against these accusations? Well, for starters, make sure that you’re submitting accurate claims to Medicare. Seems obvious, right? But you’d be surprised at how many practices make mistakes when it comes to billing. Double-check your codes, make sure you’re only billing for services that were actually provided, and make sure your documentation supports the services you’re billing for.
If you do find yourself facing an FCA or Qui Tam action, don’t panic. You have the right to defend yourself, and there are plenty of strategies that can be employed to fight back. For example, you could argue that the government hasn’t met its burden of proof, or that the whistleblower doesn’t have enough evidence to support their claim. And don’t forget about the power of humor – a well-timed joke can go a long way in disarming your accusers. Obviously, I am kidding. The investigators have no humor.
In all seriousness, though, these cases can be incredibly complex and time-consuming, so it’s important to have experienced legal counsel on your side. At Nelson Mullins, we’ve represented numerous health care providers in FCA and Qui Tam actions, and we have the knowledge and expertise to help you navigate these challenges.
So, to sum it up: be accurate in your billing, be prepared to defend yourself, and don’t be afraid to use a little humor to lighten the mood. And if all else fails, just remember the wise words of Mark Twain: “Humor is the great thing, the saving thing after all. The minute it crops up, all our hardnesses yield, all our irritations and resentments flit away, and a sunny spirit takes their place.”
#FalseClaimsAct #Medicare #QuiTam #HealthcareLaw #NelsonMullins #DefendYourself #AccuracyIsKey #HumorIsTheBestMedicine #MarkTwainQuotes
The Horror Story of 99214 and Insurance to Assist
99214. Is that Jean Valjean’s number? No. It is an E/M code of moderate complexity. Few CPT codes cause goosebumps, chilly air, and a pit in your stomach besides 99214. As I said, 99214 is an E/M code of moderate level of complexity. For a low complexity visit, the code decreases to 99213. Even lower is a 99212, which is considered a straightforward visit. The code goes as high as a 99215, which denotes high complexity. Generally, physicians are good at spotting the 99215s and 99212s; the lowest and highest complexities seem simple to spot. However, the middle complexity codes are a bit subjective. Auditors frequently find 99214s that the auditor thinks should have been a 99213. I am talking about the RACs, MACs, TPEs, UPICs, and other contractors paid with our tax dollars on behalf of CMS. I recently had a BCBS audit, which found that an urgent care center had a 97% error rate. Out of 30 claims, only one claim was considered 99214; 29 claims should have been down coded to a 99213, according to BCBS. Well, my urgent care center disagreed and hired an independent auditor to review the same claims that were audited. The independent audit resulted in vastly different results. According to the independent audit, only 4 of the 30 claims should have been down coded to 99213.
One should ask, how could two separate auditors audit the same documents and issue such disparate results? One reason is that the difference between 99213 and 99214 is subjective. However, subjectiveness was not the only reason for two polar opposite results.
You see, before 2021, facilities had the choice to follow either the 1995 guidelines or the 1997 guidelines for these CPT codes. And, there is a difference between the two guidelines. Instead of choosing either the 1995 or 1997 guidelines, BCBS applied both the 1997 and 1995 guidelines, which falsely created a more stringent criteria for a 99214.
The urgent care center had been verbose about the fact that they use the 1995 guidelines, not the 1997 guidelines. When the independent contractor audited the records, it used the 1995 guidelines only.
All in all, for an accusation of owing $180k, it cost the urgent care center almost $100k to defend itself against what was obviously a faulty audit. So, I’m thinking why in the world is there insurance for physicians for making a mistake in surgery – medical malpractice, but no insurance for False Claims allegations. I mean, med mal allegations mean there is a victim. But you can be accused of false claims unexpectantly and your practice is changed forever.
Recently, I learned of an insurance company that insures doctors and facilities if they are accused of billing Medicare or Medicaid for false claims. Unlike med mal, an accusation of false claims does not yield a victim (unless you see our tax dollars as people); however, an accusation of billing a False Claim can cost a doctor, facility, a hospital hundreds of thousands of dollars. Which, knowing all things are relative, is pennies on the dollar of the penalties under the FCA.
The company’s name is Curi. That is C-U-R-I. Personally, I had never heard of this company. I googled it after I was placed on the panel. This is an insurance company that pays for attorneys’ fees if you are accused of false claims or an overpayment. Personally, I think every listener should procure this insurance directly after RACMonitor. After 23 years of litigating, I have realized the worst part about defending yourself against accusations that you owe the government money is the huge price tag associated with it.
When I presented this story on RACMonitor, David Glaser made a comment about my segment that I would be remiss to omit. SOME med mal insurance policies cover the legal fees for attorneys for regulatory audits. Please review your policy to see whether your insurance company covers the attorneys’ fees for defense of regulatory audits before purchasing more insurance.
Regulatory Fright: Audits Citing Harm, Abuse, Neglect, or Exploitation
There is little more daunting than the Division of Health Services Regulation (“DHSR”) – or whatever acronym is used in your State – slapping penalties on long term care facilities, nursing homes, and other residential facilities, such as residential homes housing handicapped recipients, mentally ill recipients, or substance abuse consumers. Many of these penalties are immediate and can easily put a facility out of business and a resident without a home. DHSR falls under the umbrella of DHHS, the “single State entity” that manages Medicaid in each respective State. DHSR may be a different acronym in your State, but the essence will be the same.
The primary difference between adult care homes and nursing homes is as follows:
“Adult Care Homes” provide care and assistance to people with problems carrying out activities of daily living and supervision to people with cognitive impairments whose decisions, if made independently, may jeopardize the safety or well-being of themselves or others and therefore require supervision. Medication in an adult care home may be administered by designated, trained staff. Smaller adult care homes that provide care to two to six unrelated residents are commonly called family care homes.
“Nursing Homes” are for people who need chronic or rehabilitative care, who, on admission are not acutely ill and who do not usually require special facilities such as an operating room, X-ray facilities, laboratory facilities, and obstetrical facilities. A “nursing home” provides care for people who have remedial ailments or other ailments, for which medical and nursing care are indicated; who, however, are not sick enough to require general hospital care. Nursing care is their primary need, but they will require continuing medical supervision.
Regarding Violations & Penalties in Adult Care Homes
Pursuant to G.S. 131-D-34 (a), the Department shall impose an administrative penalty in accordance with provisions of the Article on any facility which is found to be in violation of requirements of G.S. 131D-21 or applicable State and federal laws and regulations. Citations for violations shall be classified and penalties assessed according to the nature of the violation.
Type A1 and A2 Violations & Penalties: A monetary penalty fine may be imposed when a “Type A1” or “Type A2” violation has occurred.
- “Type A1 Violation” means a violation by a facility of applicable laws and regulations governing a facility which results in death or serious physical harm, abuse, neglect, or exploitation of a resident.
- “Type A2 Violation” means a violation by a facility of applicable laws and regulations governing the licensure of a facility which results in substantial risk that death or serious physical harm, abuse, neglect, or exploitation will occur.
- For family care homes (licensed for two to six beds), the penalty amount may range from $500.00 to $10,000 for each Type A violation.
- For adult care homes (licensed for seven beds or more), the penalty amount may range from $2000.00 to $20,000 for each Type A violation.
Examples of a Type A1 violation may include the following:
- The facility failed to provide supervision to a confused resident who exhibited wandering and exit seeking behaviors resulting in the resident leaving the facility unsupervised and without the knowledge of the facility’s staff. The resident was hit by a car and sustained multiple injuries causing death.
- The facility failed to administer an antibiotic medication for 7 days as ordered for a resident discharged from the hospital with diagnoses including pneumonia. The resident required a subsequent 11-day hospitalization for diagnoses including respiratory failure and an infection in the bloodstream.
Examples of a Type A2 violation may include the following:
- The facility failed to send a resident to the hospital for evaluation after the resident drank approximately 24 ounces of hand sanitizer on one occasion; drank approximately 8 ounces of body wash and ate an unknown amount of solid deodorant on a second occasion; and failed to notify the resident’s primary care provider of the resident drinking non-consumable substances on more than one occasion which placed the resident at substantial risk of serious physical harm and neglect.
- A resident was administered medications that belonged to another resident. The medications administered had the strong potential of adverse side effects. The resident required emergent evaluation and treatment in the emergency department of the local hospital which placed the resident at substantial risk of serious physical harm.
Unabated Violations and Penalties:
If a facility has failed to correct any violation within the specified date of correction (30 days for Type A violations; 45 days for Type B violations), these are “unabated violations.” Additional penalty fines may be imposed for unabated violations.
Unabated Type A1 and A2 Violations & Penalties:
When a facility has failed to correct a “Type A1” or “Type A2” violation within 30 days, a monetary penalty fine may be imposed in the amount of up to $1,000 for each day that the Type A1 or Type A2 violation continued to occur beyond the date specified for correction.
The Department has legal authority to impose a monetary fine for:
- The inspection in which the Type A1 or Type A2 violation was first identified and
- Additional monetary penalty fines as a result of each inspection in which the unabated Type A1 violation or unabated Type A2 violation continued to occur beyond the specified date of correction
Unabated Type B Violations & Penalties:
Another unabated violation that could result in the imposition of penalty fines is a “Type B” violation that has not been corrected by the facility within the specified correction date (45 days per regulatory authority), known as an Unabated B violation.
- A “Type B” violation means a violation by a facility of applicable laws and regulations governing a facility which is detrimental to the health, safety, or welfare of any resident, but which does not result in substantial risk that death or serious physical harm, abuse, neglect, or exploitation will occur.
- The range of the fine for an Unabated “Type B” violation that was not corrected is up to $400.00 for each day that the violation continues beyond the date specified for correction.
- Additional penalty fines may be imposed as a result of each inspection in which the unabated Type B violation continued to occur beyond the specified date of correction.
Examples of Unabated Type B violations may include the following:
- Several residents have orders to receive pain medications every evening but on one evening, staff forget to give the residents the ordered pain medications. One resident suffers from shoulder pain and could not sleep from the missed dose. Subsequent doses are given as ordered. The facility is cited a Type B violation for the non-compliance and on a follow-up visit, additional medication errors are noted; therefore, the facility is fined up to $400/day until compliance with medication administration is determined, which must be verified by another follow-up inspection.
- The facility’s pest management program is not effective, and roaches are noted in a couple of the residents’ rooms on one out of two halls in the facility. The facility is cited a Type B violation for the non-compliance and on a follow-up visit, additional roaches and insects are noted; therefore, the facility is fined up to $400/day until compliance with pest management is determined, which must be verified by another follow-up inspection.
The Department will determine whether each violation has been corrected.
Pursuant to Chapter 150B and N.C. Gen. Stat. § 131D-34(e), adult care homes have the legal right to appeal the imposition of a penalty fine by filing a petition for contested case within 30 days after the Department mails a notice of the penalty imposition decision to a Licensee.
Once a penalty has been imposed, payment is due within 60 days unless an appeal is timely filed at the at the Office of Administrative Hearings (OAH).
If a penalty is appealed, it will go to a hearing at the Office of Administrative Hearings (OAH). Alternatively, the Department and the Licensee may agree to resolve the penalty by executing a settlement agreement.
I emphasize, if you disagree with the sanction and/or the accusation, APPEAL. I have been successful in eliminating severe penalties that a residential home, nursing home, or adult care homes by arguing at the OAH. Just remember, DHSR can accuse anything of happening to constitute “abuse or neglect” of a consumer. But DHSR must prove it to a Judge!
The Importance of the Differences in SMRCs, RACs, and QIOs
The Centers for Medicare & Medicaid Services (“CMS”) has modified the additional documentation request (“ADR”) limits for the Medicare Fee-for-Service Recovery Audit Contractor (“RAC”) program for suppliers. Yet, one of our listeners informed me that CMS has found a “work around” from the RAC ADR limits. She said, “There is the nationwide Supplemental Medical Review Contractor (“SMRC”) audits and now nationwide Quality Improvement Organizations (“QIO”) contract audits. These contracts came about after the Congressional limits on number of audits by the RAC.” Dr. Hirsh retorted, “But SMRC and QIO are not paid contingency fee. So, they are “different” audits. RACs are evil; SMRC and QIO have a few redeeming qualities.” I completely agree with Dr. Hirsh. But her point is well taken – SMRCs and QIOs follow different rules than RACs, so of course the SMRCs and QIOs have distinct ADR limits.
This is similar to the lookback periods. The lookback period varies depending on the acronym: RAC, MAC, or UPIC. RACs’ lookback period is 3 years, yet other acronyms get longer periods. I think what Dr. Hirsh is saying is right, because RACs are paid by contingency instead of a contracted rate, we have to limit the RACs authority because they are already incentivized the find problems., plus they are allowed to extrapolate. The RACs already have too much leash.
So, what are the RAC ADR limits?
Well, interestingly they just changed in April 2022. These limits will be set by CMS on a regular basis to establish the maximum number of medical records that may be requested by a RAC, per 45-day period. Each limit will be based on a given supplier’s volume of Medicare claims paid within a previous 12-month period, in a particular Healthcare Common Procedure Coding System (HCPCS) policy group. The policy groups are available on the pricing, coding analysis, and coding (PDAC), website. Limits will be based on the supplier’s Tax Identification Number (TIN). Limits will be set at 10% of all paid claims, by policy group, paid within a previous 12-month period, divided into eight periods (45 days). Although a RAC may go more than 45 days between record requests, in no case shall a RAC make requests more frequently than every 45 days. Limits are based on paid claims, irrespective of individual lines, although credit/replacement pairs shall be considered a single claim.
I wanted to go into the SMRCs and QIOs’ ADR limits to see whether they are are following THEIR rules, but I’m out of time for today. I’ll research the SMRCs and QIOs ADR limits for next week and I will have an answer for you.
Questions Answered about RAC Provider Audits
Today I’m going to answer a few inquiries about recovery audit contractor (“RAC”) audits from providers. A question that I get often is: “Do I have to submit the same medical records to my Medicare Administrative Contractor (“MAC”) that I submit to a RAC for an audit?” The answer is “No.” Providers are not required to submit medical records to the MAC if submitted to a RAC, but doing so is encouraged by most MACs. There is no requirement that you submit to the MAC what you submit to RACs. This makes sense because the MACs and the RACs have disparate job duties. One of the MACs, Palmetto, instructs providers to send records sent to a RAC directly to the Palmetto GBA Appeals Department. Why send the records for a RAC audit to a MAC appeals department? Are they forecasting your intentions? The instruction is nonsensical unless ulterior motives exist.
RAC audits are separate from mundane MAC issues. They are distinct. Quite frankly, your MAC shouldn’t even be aware of your audit. (Why is it their business?) Yet, many times I see the MACs cc-ed on correspondence. Often, I feel like it’s a conspiracy – and you’re not invited. You get audited, and everyone is notified. It’s as if you are guilty before any trial.
I also get this question for appeals – “Do I need to send the medical records again? I already sent them for the initial review. Why do I need to send the same documents for appeal?” I get it – making copies of medical records is time-consuming. It also costs money. Paper and ink don’t grow on trees. The answer is “Yes.” This may come as a shock, but sometimes documents are misplaced or lost. Auditors are humans, and mistakes occur. Just like, providers are humans, and 100% Medicare regulatory compliance is not required…people make mistakes; those mistakes shouldn’t cause financial ruin.
“Do the results of a RAC audit get sent to your MAC?” The answer is “Yes.” Penalties penalize you in the future. You have to disclose penalties, and the auditors can and will use the information against you. The more penalties you have paid in the past clear demonstrate that you suffer from abhorrent billing practices.
In fact, Medicare post-payment audits are estimated to have risen over 900 percent over the last five years. Medicare provider audits take money from providers and give to the auditors. If you are an auditor, you uncover bad results or you aren’t good at your job.
Politicians see audits as a financial win and a plus for their platform. Reducing fraud, waste, and abuse is a fantastic platform. Everyone gets on board, and votes increase.
Appealing your RAC audits is essential, but you have to understand that you won’t get a fair deal. The Medicare provider appeals process is an uphill battle for providers. And your MACs will be informed.
The first two levels, redeterminations and reconsiderations are, basically, rubber-stamps on the first determination.
The third level is the before an administrative law judge (ALJ), and is the first appeal level that is before an independent tribunal.
Moving to the False Claims Act, which is the ugly step-sister to regulatory non-compliance and overpayments. The government and qui tam relators filed 801 new cases in 2022. That number is down from the unprecedented heights reached in 2020 (when there were a record 922 new FCA cases), but is consistent with the pace otherwise set over the past decade, reflecting the upward trend in FCA activity by qui tam relators and the government since the 2009 amendments to the statute.
See the chart below for reference:

DME Providers Get Repose in RAC Audits
The Centers for Medicare & Medicaid Services (CMS) announced that they have modified the additional documentation request (ADR) limits for the Medicare Fee-for-Service Recovery Audit Contractor (RAC) program for suppliers. ADRs are the about of documents that a RAC auditor can demand from you. This is a win for DME providers.
Currently, the RAC’s methodology is based on a total claim number by NPI without consideration for the number of claims in a particular product category. This means that suppliers can receive large volumes of RAC audits for a product category in which they do minimal business.
These new limits will be set by CMS on a regular basis to establish the maximum number of medical records that may be requested by a RAC, per 45-day period. These changes will be effective beginning April 1, 2022.
Each limit will be based on a given supplier’s volume of Medicare claims paid within a previous 12-month period, in a particular HCPCS policy group (The policy groups are available on the PDAC website). Limits will be based on the supplier’s Tax Identification Number (TIN). Limits will be set at 10% of all paid claims, by policy group, paid within a previous 12-month period, divided into eight periods (45 days). If you get more than the allowed ADRs, call them out. These limits are created to lessen the burden on providers.
Although a RAC may go more than 45 days between record requests, in no case shall a RAC make requests more frequently than every 45 days. Limits are based on paid claims, irrespective of individual lines, although credit/replacement pairs shall be considered a single claim.
For example:
- Supplier A had 1,253 claims paid with HCPCS codes in the “surgical dressings” policy group, within a previous 12-month period. The supplier’s ADR limit would be (1,253 * 0.1) / 8 = 15.6625, or 16 ADRs, per 45 days, for claims with HCPCS codes in the “surgical dressings” policy group.
- Supplier B had 955 claims paid with HCPCS codes in the “glucose monitor” policy group, within a previous 12-month period. The supplier’s ADR limit would be (955 * 0.1) / 8 = 11.9375 or 12 ADRs, per 45 days, for claims with HCPCS codes in the “glucose monitor” policy group.
CMS reserves the right to give a RAC permission to exceed these ADR limits. But that would be in instances of potential fraud.
New Report Points to More Audits of Hospitals
Hospitals across the nation are seeing lower profits, and it’s all because of a sudden, tsunami of Medicare and Medicaid provider audits. Whether it be RAC, MAC, UPIC, or Program Integrity, hospital audits are rampant. Billing errors, especially ‘supposed bundling,’ are causing a high rate of insurance claims denials, hurting the finances of hospitals and providers.
A recent report from American Hospital Association (AHA) found “Under an optimistic scenario, hospitals would lose $53 billion in revenue this year. Under a more pessimistic scenario, hospitals would lose $122 billion thanks to a $64 billion decline in outpatient revenue”*[1]
The “Health Care Auditing and Revenue Integrity—2021 Benchmarking and Trends Report” is an insider’s look at billing and claims issues but reveals insights into health care costs trends and why administrative issues continue to play an outsize role in the nation’s high costs in this area. The data used covers 900+ facilities, 50,000 providers, 1500 coders, and 700 auditors – what could go wrong?

According to the report,
- 40% of COVID-19-related charges were denied and 40% of professional outpatient audits for COVID-19 and 20% of hospital inpatient audits failed.
- Undercoding poses a significant revenue risk, with audits indicating the average value of underpayment is $3,200 for a hospital claim and $64 for a professional claim.
- Overcoding remains problematic, with Medicare Advantage plans and payers under scrutiny for expensive inpatient medical necessity claims, drug charges, and clinical documentation to justify the final reimbursement.
- Missing modifiers resulted in an average denied amount of $900 for hospital outpatient claims, $690 for inpatient claims, and $170 for professional claims.
- 33% of charges submitted with hierarchical condition category (HCC) codes were initially denied by payers, highlighting increased scrutiny of complex inpatient stays and higher financial risk exposure to hospitals.
The top fields being audited were diagnoses, present on admission indicator, diagnosis position, CPT/HCPCS coding, units billed, and date of service. The average outcome from the audits was 70.5% satisfactory. So, as a whole, they got a ‘C’.
While this report did not in it of itself lead to any alleged overpayments and recoupments, guess who else is reading this audit and salivating like Pavlov’s dogs? The RACs, MACs, UPICs, and all other alphabet soup auditors. The 900 facilities and 50,000 health care providers need to be prepared for audits with consequences. Get those legal defenses ready!!!!
[1] * https://www.fiercehealthcare.com/hospitals/kaufman-hall-hospitals-close-between-53-and-122b-year-due-to-pandemic