Category Archives: Legal Analysis

Premature Recoupment of Medicare Reimbursements Defies Due Process!

Who knows that – regardless your innocence –the government can and will recoup your funds preemptively at the third level of Medicare appeals. This flies in the face of the elements of due process. However, courts have ruled that the redetermination and the reconsideration levels afford the providers enough due process, which entails notice and an opportunity to be heard. I am here to tell you – that is horse manure. The first two levels of a Medicare appeal are hoops to jump through in order to get to an independent tribunal – the administrative law judge (“ALJ”). The odds of winning at the 1st or 2nd level Medicare appeal is next to zilch, although often you can get the alleged amount reduced. The first level is before the same entity that found you owe the money. Auditors are normally not keen on overturning themselves. The second level is little better. The first time that you present to an independent tribunal is at the third level.

Between 2009 and 2014, the number of ALJ appeals increased more than 1,200 percent. And the government recoups all alleged overpayments before you ever get before an ALJ.

In a recent case, Sahara Health Care, Inc. v. Azar, 975 F.3d 523 (5th Cir. 2020), a home health care provider brought an action against Secretary of Department of Health and Human Services (“HHS”) and Administrator for the Centers for Medicare and Medicaid Services (“CMS”), asserting that its statutory and due process rights were violated and that defendants acted ultra vires by recouping approximately $2.4 million in Medicare overpayments without providing a timely ALJ hearing. HHS moved to dismiss, and the provider moved to amend, for a temporary restraining order (“TRO”) and preliminary injunction, and for an expedited hearing.

The case was thrown out, concluding that adequate process had been provided and that defendants had not exceeded statutory authority, and denied provider’s motion for injunctive relief and to amend. The provider appealed and lost again.

What’s the law?

Congress prohibited HHS from recouping payments during the first two stages of administrative review. 42 U.S.C. § 1395ff(f)(2)(A).

If repayment of an overpayment would constitute an “extreme hardship, as determined by the Secretary,” the agency “shall enter into a plan with the provider” for repayment “over a period of at least 60 months but … not longer than 5 years.” 42 U.S.C. § 1395ddd(f)(1)(A). That hardship safety valve has some exceptions that work against insolvent providers. If “the Secretary has reason to believe that the provider of services or supplier may file for bankruptcy or otherwise cease to do business or discontinue participation” in the Medicare program, then the extended repayment plan is off the table. 42 U.S.C. § 1395ddd(f)(1)(C)(i). A provider that ultimately succeeds in overturning an overpayment determination receives the wrongfully recouped payments with interest. 42 U.S.C. § 1395ddd(f)(2)(B). The government’s interest rate is high. If you do have to pay back the alleged overpayment prematurely, the silver lining is that you may receive extra money for your troubles.

The years-long back log, however, may dwindle. The agency has received a funding increase, and currently expects to clear the backlog by 2022. In fact, the Secretary is under a Mandamus Order requiring such a timetable. 

A caveat regarding this grim news. This was in the Fifth Circuit. Other Courts disagree. The Fourth Circuit has held that providers do have property interests in Medicare reimbursements owed for services rendered, which is the correct holding. Of course, you have a property interest in your own money. An allegation of wrongdoing does not erase that property interest. The Fourth Circuit agrees with me.

HIPAA and Football

By Ashley Thomson, Partner at Practus, LLP. A Virtual Law Firm.

On rare occasions a Court can issue an opinion that is so logical and on-point you want to stand up and cheer.  Maybe you’re only cheering if you’re a HIPAA-nerd, like me. My name is Ashley and I work with Knicole. I was the assistant GC for Truman Medical Center for 17 years. As AGC at Truman, I was inundated with so many various issues.

Here’s what got me standing up in my home office as if Patrick Mahomes just threw a pass to Tyreek Hill and the KC Chiefs scored the winning touchdown in the Super Bowl—the 5th Circuit Court of Appeals held that a lost or stolen unencrypted device containing protected health information (“PHI”)[1] does not automatically result in a violation of the HIPAA Disclosure Rule or Encryption Rule. If you want to do your own touchdown dance check out Univ. of Texas M.D. Anderson Cancer Ctr. v. United States Dep’t of Health & Human Servs., No. 19-60226, 2021 WL 127819, at *5 (5th Cir. Jan. 14, 2021).

Unless you’ve spent the last 20 years living under a rock, you are generally aware that HIPAA is a law that protects your health information from public disclosure.  Most people don’t spell it correctly and even less people know what the acronym means.[2]  In 2009, HIPAA was supplemented with the HITECH Act.[3] Together, these laws govern how health care providers handle your medical information and what to do if there is a breach of the information.  HIPAA and HITECH’s implementing regulations (the “Regulations”) require all covered entities[4] “implement a mechanism to encrypt” all PHI that is stored electronically.  45 C.F.R. Section 164.312(a)(2)(iv).  Second, the Regulations prohibit unpermitted disclosure of PHI. 45 C.F.R. Sec. 164.502(a). These two regulations are referred to as the Encryption Rule and the Disclosure Rule respectively. These requirements are enforced by the Department of Health and Human Services (“HHS”) in conjunction with the Office for Civil Rights (“OCR”).

Whew, that was a quick history lesson.  Now, back to the story.

In 2012 and 2013 MD Anderson Cancer Center (“MD Anderson”) had three (3) events happen involving unencrypted devices containing PHI.  First, a laptop was stolen.  Second, a thumb drive was lost during someone’s commute home. Third, a visiting researcher misplaced a thumb drive. Pursuant to the regulations, MD Anderson reported these events to HHS.  

HHS concluded that MD Anderson violated the Regulations and imposed a fine over $4,000,000 (let me spell that out for you. . . FOUR MILLION DOLLARS). 

You may be wondering, what in the world did they violate that would result in such an outrageous fine?  So did MD Anderson!

MD Anderson threw its proverbial, red challenge flag and pursued its appeal rights and ended up, finally, in Federal Court where they succeeded on establishing that the mere loss of unencrypted PHI does not violate the Disclosure Rule and that the Encryption Rule does not require that a covered entity sit down and force each and every person to encrypt their devices.

Let’s look first at the Disclosure Rule. As a general rule, HIPAA prohibits the disclosure of PHI without permission from the patient.[5]  45 C.F.R. Sec. 164.502(a). HIPAA defines disclosure as “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” 45 C.F.R. Sec. 164.103. Prior to reaching the 5th Circuit, MD Anderson had been told the mere fact that the unencrypted laptop and thumb drives were lost or stolen resulted in the conclusion the PHI had been improperly disclosed to someone outside of the covered entity.  Thank goodness, the Court stepped in with the reasonable statement that many of us in the health care field have been saying for years. . . just because a device is lost or stolen doesn’t mean the PHI was improperly disclosed.[6]  “It defies reason to say an entity affirmatively acts to disclose information when someone steals it.” Univ. of Texas M.D. Anderson Cancer Ctr.,2021 WL 127819, at *5.

HHS claimed that it would be difficult for them to enforce the Disclosure Rule if it had to show that the PHI was disclosed to someone outside of the covered entity.  Well, go complain to the referees  HHS “that’s precisely the sort of policy argument that HHS could vet in a rulemaking proceeding. It’s not an acceptable basis for urging us to transmogrify the regulation HHS wrote into a broader one.” Id. And with that, the Court unceremoniously stated the obvious and provided some reason in the rather unreasonable world of HIPAA enforcement.

Next up? The Encryption Rule where HHS argued that MD Anderson’s desire to do more to encrypt their devices was an admission of non-compliance with the regulations.  Not so fast, said the Court.  The rule requires that a covered entity have a mechanism for the encryption PHI not that it implements an iron clad, hacker proof, 100% guaranteed encryption system.  MD Anderson had an encryption mechanism which is enough to satisfy the regulation, even if HHS now “wishes it had written a different” regulation.  Id.at *4.  

I feel like this is the SUPERBOWL of HIPAA decisions. You may not be as excited about this opinion as I was.  That’s ok. . . I’m a HIPAA and privacy nerd and I’m ok with that.  

Let’s hope I have many touchdowns to stand up and celebrate on Sunday!  Go Chiefs!    

The legal fine print: As exciting as this opinion is, please  remember that devices should be encrypted and PHI should be protected to the maximum extent possible.  While this is a great decision, it doesn’t remove the obligation to comply with the Regulations. 


[1] PHI contains 18 different identifiers.  42 C.F.R. § 164.514(a)(2)(i).

[2] It’s the Health Insurance Portability and Accountability Act of 1996. 

[3] HITECH stands for the Health Information Technology for Economic and Clinical Health Act of 2009. 

[4] Later, we can delve into what qualifies as a covered entity. Let’s just all agree that MD Anderson is a covered entity.

[5] This is a very simple overstatement, but it works for the purposes of this article.

[6] Let’s face it, most of these devices are lost or stolen and (1) never found or (2) thrown out as the thieves take what they really wanted . . . cold hard cash or credit cards.  An old janky laptop or a random thumb drive is not at the top of the most wanted list for kleptomaniacs.

Medicaid Suspension Lifted Because No Evidence of Intent!

Happy 2021! I bring great news and good tidings. I’m fairly sure that everyone reading is educated in what a preliminary injunction is and how important it can be for a health care provider falsely accused of credible allegations of fraud to lift the mandatory suspension of reimbursements. Finally, over the holidays, a Judge found that an indication of intent is required for an accusation of credible allegations of fraud, unlike past cases in which a mere accusation results in suspensions. 42 CFR §455.23 mandates that a health care provider’s reimbursements be suspended based on “credible allegations of fraud.” Which is a low bar. My client, an oral surgeon, had a disgruntled employee complaint and a baseless PCG audit of $6k. A double threat.

For those who are not in the know: An injunction is an extraordinary legal tool that allows the judge to suspend whatever bad action the government or one of its auditors do.

You have to prove:

  1. Likelihood of success on the merits
  2. Irreparable harm
  3. Balance of equities
  4. Public Interest.

I would guestimate that only 10-20% of requests for TROs and PIs are granted. Last week, we won for the oral surgeon. Everyone can learn from his success. This is how we won. Let me set the stage. We have an oral surgeon who underwent an infamous PCG audit resulting in an alleged $6k overpayment. PCG concurrently sends his data to program integrity, and one month later and without any notice, his reimbursements are suspended based on a “credible allegation of fraud.” Concurrently, he had a disgruntled employee threatening him.

Remember that the bar to demonstrate “credible allegation of fraud” is amazingly low. It is an “indicia of reliability.” An inaccurate PCG audit and a disgruntled employee, in this case, were the catalyst for the oral surgeon’s Medicaid reimbursements. His practice comprised of 80% Medicaid, so the suspension would cause irreparable harm to the practice.

We filed a TRO, PI, and Motion to Stay. The day before Christmas, we had trial.

The Judge ruled that the Department cannot just blindly rely on an anonymous accusation. There has to be some sort of investigation. It is not OK to accept accusations at face value without any sort of independent fact-checking. The Judge created an additional burden for the Department in cases of accusations of fraud that is not present in the regulation. But it is logical and reasonable to expect the Department to explore the accusations. The Judge emphasized that fraud requires intent. He also pointed out that fraud is not defined in the regulations. He emphasized that billing errors are not intentional acts.

The Judge held that, “[i]n light of the large number of Medicaid beneficiaries treated by the Petitioner’s practice, the rarity of the physician’s skills, and the apparent demand for those services, the relatively small amount of money now or formally in controversy, the lack of evidence of actual fraud and the contrary indications, the high probability that good cause exists for not suspending Petitioner’s Medicaid payments, and the near certainty of irreparable harm to the Petitioner if the relief is not granted, a TRO should be granted.”

Even better, the Judge ordered that the surgeon did not have to put up a bond, which is normally required by law. By the stroke of the Judge’s pen, the surgeon could go back to work performing medically necessary services to Medicaid recipients, which, by the way is rare for an oral surgeon to accept Medicaid. This is a success for health care providers. Accusations of fraud should require independent corroboration and evidence of intent.

Goodbye, 2020: New Resolutions for Health Care Providers

By Ashley Thomson. (Knicole Emanuel‘s law partner. See below for a bio).

As 2020 ends and we look forward to starting a new chapter in 2021, we offer you this little nugget of advice—a resolution that sounds deceptively easy—read your mail.  Yes, friends you heard it here first. . . the best thing you can do to protect yourself, your business, your patients, and your loved ones is to read the dang mail.  Email, text messages, real mail, carrier pigeon or messages in a bottle.  READ THEM!  

2020 brought us a lot of curve balls and unexpected events but some of those events could have been avoided had mail been opened and read.

CMS and its third party contractors hold a lot of power in the healthcare world and can cause your practice to come crashing down by hitting send or putting a forever stamp on a letter.  A regular practice of reading your mail can avoid that CMS avalanche of doom. [1]

You may be reading this and thinking, you’ve got to be crazy I always read my mail.  Or perhaps you are thinking, this is the easiest new year’s resolution yet—all I have to do is read the mail.

Don’t be too hasty with your self-confidence. This is a hard practice to establish and an even harder one to maintain.

First, you have to actually read the mail.  All of the mail.  Even the mail you think will contain bad news.  Constitutional due process requires only notice NOT successful notice. If successful notice were required, “then people could evade knowledge, and avoid responsibility for their conduct, by burning notices on receipt—or just leaving them unopened.” See Ho v. Donovan, 569 F.3d 677, 680 (7th Cir. 2009). “Conscious avoidance of information is a form of knowledge.” Id.

Second, you need a policy or procedure regarding the opening and reading of mail.  One client we worked with did not have a system for logging mail once it was received in the office.  Mail was lost.  Deadlines were missed.  Payments from the largest payer were suspended. The cost – too much to print.

It’s like that old Mastercard ad, yes, I’m talking to those of you out there who were around in the late 90s.[2] 

The cost of establishing a policy for logging in mail. . . zero.   

The cost of reading mail. . . zero.

The cost of neglecting your mail, missing deadlines, and losing your practice. . . priceless.

So, as this year ends and you contemplate ways to improve your practice in 2021, please, please, please take our advice and READ YOUR MAIL.


[1]It’s not just CMS that has holds the mailbox power.  Just ask the City of North Charleston, SC.  A motorist’s emailed complaint to the city over injuries sustained in an accident was not forwarded to the insurance carrier resulting in a multi-million dollar default judgement against the city.  See Campbell v. City of North Charleston, 431 S.C. 454,459 (SC Ct. App. 2020) (holding that “the failure to forward an email did not amount to good cause shown for failure to timely file an answer).   

[2] For those of you who have no idea what we are talking about see https://www.aaaa.org/timeline-event/mastercard-mccann-erickson-campaign-never-got-old-priceless/  

Click for past blogs with other helpful tips to avoid Medicare and Medicaid recoupments. medicaidlaw-nc.wordpress.com – Tip #2. 4. 6.

Ashley Thomson brings 20 years of extensive in-house, hospital counsel and law firm experience to our team.  Well-versed in a variety of disciplines, her emphasis is in health care, insurance and compliance, specifically medical malpractice, employment, healthcare and privacy law compliance and defense, including matters involving HIPAA. Ashley has also been heavily involved in risk management, patient safety, corporate governance, contract and policy drafting, negotiations and healthcare management. Prior to joining Practus, Ashley served as Associate General Counsel for Truman Medical Center (TMC) where she oversaw litigation, managed all aspects of their corporate compliance matters, including governmental audits and investigations, cybersecurity issues, HIPAA enforcement, 340B compliance and provider-based billing.  As their Staff Litigation Counsel, she defended and litigated medical malpractice and general liability matters on behalf of the hospital, its employees, physician group and residents. Prior to joining TMC, Ashley was an Associate Attorney for Husch Blackwell.

Ashley is an outdoors woman at heart. When she’s not working, she’s hiking, walking, working in her yard, or playing with her kids. She’s also an avid reader and a football fan especially when she’s watching her favorite team, the Kansas City Chiefs! 

“Credible Allegations of Fraud”: Immediate Medicare Payment Suspension!

If you are accused of Medicare fraud, your Medicare reimbursements will be immediately cut off without any due process or ability to defend yourself against the allegations. If you accept Medicare and Medicaid then you are held to strict regulations, some of which are highly, Draconian in nature without much recourse, legally, for providers. Many, many a provider have gone bankrupt and been forced out of business due to “credible allegations of fraud.” You see, legally, “credible allegations of fraud” is a low standard to meet. The definition of “credible” is “an indicia of reliability.” “Indicia” is defined as “signs, indications, circumstances which tend to show or indicate that something is probable. It is used in the form of “indicia of title,” or “indicia of partnership,” particularly when the “signs” are items like letters, certificates, or other things that one would not have unless the facts were as the possessor claimed. It can be a disgruntled worker. I am sure that none of the listeners here today have ever dealt with a disgruntled employee. Yes, that is sarcasm.

42 CFR § 405.372 is the regulation outlining the requirements for suspending Medicare payments. 42 CFR § 455.23 is the regulation mandating suspension of Medicaid payments upon credible allegations of fraud.

Pursuant to Medicare regulations, CMS must suspend Medicare reimbursements to a healthcare provider “in whole or in part” if it has been “determined that a credible allegation of fraud exists against a provider or supplier.” 42 C.F.R. § 405.371(a)(2). A credible allegation of fraud is “an allegation from any source, including … civil fraud claims cases, and law enforcement investigations.” 42 C.F.R. § 405.370(a). The decision to suspend Medicare payment or continue a payment suspension is made at the discretion of CMS – not the MAC. If you receive a letter from a MAC alleging fraud, be sure to check whether the letter states that the decision was made in collaboration with CMS. The MACs do not have the authority.

The suspension, however, is not indefinite, although the length is normally a year, which is financially devastating. The regulations allow CMS to maintain the suspension until a “legal action is terminated by settlement, judgment, or dismissal, or when the case is closed or dropped because of insufficient evidence to support allegations of fraud.” 42 C.F.R. §§ 405.370(a) and .372(d)(3); see also § 405.371(b)(3)(ii) (CMS may extend the suspension of payment if the Department of Justice submits a written request that “suspension of payments be continued based on the ongoing investigation and anticipated filing of criminal or civil action or both or based on a pending criminal or civil action or both.”).

When you receive a fraud accusation of any type – it is imperative to send it to your counsel. If you opt to litigate the suspension by asking the Court to enjoin the suspension, your first legal obstacle will be to argue that you do not have to exhaust your administrative remedies before appearing for the injunction. Cases have been decided both in the favor of providers and their suspensions have been lifted and against the providers. These cases usually win or lose on the argument that the suspension of reimbursements is an ancillary subject from the actual investigation of fraud. It is a jurisdictional argument.

It is my opinion that the federal regulations that allow for suspension of payments upon credible allegations of fraud need to be revised. Any of you with lobbyists, we need to revise the regulations to require due process – notice and an opportunity to be heard – prior to the government suspending Medicare and Medicaid reimbursements based on a spurious accusation from an anonymous source.

Back in 2015, I am sure that you all recall the case in New Mexico where NM accused 15 BH care provider of credible allegations of fraud. The providers constituted 87.5% of the BH in NM. I was one of the attorneys representing the larger BH cos. Prior to my involvement, all 15 providers requested good cause. All were denied. Lawmakers think that the good cause exception written into the regulation is enough defense for providers. But when the good cause is almost always denied, it isn’t much help. Write to your congress people. Amend the regulations to require due process.

PHE Is an Enigma for Most Providers

As of now, the public health emergency (PHE) for the COVID-19 pandemic will expire July 24, 2020, unless it is renewed. Fellow contributor David Glaser and I have both reported on the potential end date of the PHE. Recent intel from Dr. Ronald Hirsh is that the Centers for Medicare & Medicaid Services (CMS) may renew the PHE period. Each time the PHE period is renewed, it is effective for another 90 days. Recent news about the uptick in COVID cases may have already alerted you that the PHE period will probably be prolonged.

CMS has given guidance that the exceptions that it has granted during this period of the PHE may be extended to Dec. 1, 2020. There is no indication of the Recovery Audit Contractor (RAC) and Medicare Administrative Contractor (MAC) audits being suspended until December 2020. In fact, we expect the audits to begin again any day. There will be confusion when audits resume and COVID exceptions are revoked on a rolling basis.

I witnessed some interesting developments as a health care attorney during this ongoing pandemic. Three of my physician clients were erroneously placed on the Medicare exclusion lists. One would think that during the pandemic, CMS would move mountains to allow a Harvard-trained ER doctor to work in an ER. Because of the lack of staff, it was actually difficult to achieve an easy fix. This doctor was suspended from Medicare based on an accidental and inadvertent omission of a substance abuse issue more than 10 years ago. He disclosed everything except an 11-year-old misdemeanor. He did not omit the misdemeanor purposely. Instead, this ER physician relies on other hospital staff to submit his Medicare re-credentialing every year, as he should. It just happened that this year, the year of COVID, this doctor got caught up in a mistake that in normal times would have been a phone call away from fixing. We cleared up his issue, but not until he was unable to work for over two months, during the midst of the PHE.

At the time of the announcement of the public health emergency, another company, a home health provider, was placed on prepayment review. I am not sure how many of you are familiar with prepayment review, but this is a Draconian measure that all States and the federal government may wield against health care providers. When you are on prepayment review, you cannot get paid until another independent contracted entity reviews your claims “objectively.” I say objectively in quotes because I have yet to meet a prepayment review audit with which I agreed.

Mostly because of COVID, we were forced to argue for a preliminary injunction, allowing this home heath provider to continue to provide services and get paid for services rendered during the PHE. We were successful. That was our first lawsuit during COVID. I believe we went to trial in April 2020. We had another trial in May 2020, for which we have not received the result, although we have high hopes. I may be able to let you know the outcome eventually. But for now, because of COVID, with a shortage of court reporters willing to work, we will not receive the transcript from the trial until over four weeks after the trial.

Tomorrow, Tuesday, we begin our third COVID trial. For the first time since COVID, it will not be virtual. This is the guidance that conveys to me that RAC and MAC audits will begin again soon. If a civil judge is ordering the parties to appear in person, then the COVID stay-at-home orders must be decreasing. I cannot say I am happy about this most recent development (although audits may be easier if they are conducted virtually).

The upshot is that no one really knows how the next few months will unfold in the healthcare industry. Some hospitals and healthcare systems are going under due to COVID. Big and small hospital systems are in financial despair. A RAC or MAC audit hitting in the wake of the COVID pandemic could cripple most providers. In the rearranged words of Roosevelt, “speak loudly, and carry a big stick.”

Update on Medicare/Medicaid Audits in the Wake of COVID-19

Published in Today’s Wound Clinic:

When I was asked to draft an article for Today’s Wound Clinic, it was approximately two weeks ago. I was asked to write about the current state of Medicare and Medicaid audits. Specifically, I was asked to provide a legal analysis about CMS suspending audits un-related to COVID-19. In the month of April, we have seen the spike of COVID-19, which has overturned our everyday world. We have been instructed by President Trump to “stay home” and “social distance” to decrease the spread of the virus. This “stay at home” instruction is unprecedented and has uprooted many of our most reliable and commonplace businesses, such as hairdressers, bowling alleys, and tattoo parlors.

Here is the answer: The current state of Medicare/Medicaid audits, at the moment, is dictated by COVID-19.

We can divide the post-COVID-19 audit rules into 3 categories:

  1. Those exceptions published by CMS to apply to all health care providers
  2. Those special, verbal exceptions given directly to an individual provider that were not published by CMS
  3. Effective immediately, new guidelines that CMS will follow until CMS believes it no longer needs to follow (by its own choice, of course).

An example of an “effective immediately” guideline is our current state of Medicare/Medicaid audits in the wake of COVID-19. CMS has not suspended all Medicare/Medicaid regulatory audits. But CMS has suspended most audits.

Effective immediately, survey activity is limited to the following (in Priority Order):

  • All immediate jeopardy complaints (cases that represents a situation in which entity noncompliance has placed the health and safety of recipients in its care at risk for serious injury, serious harm, serious impairment or death or harm) and allegations of abuse and neglect;
  • Complaints alleging infection control concerns, including facilities with potential COVID-19 or other respiratory illnesses;
  • Statutorily required recertification surveys (Nursing Home, Home Health, Hospice, and ICF/IID facilities);
  • Any re-visits necessary to resolve current enforcement actions;
  • Initial certifications;
  • Surveys of facilities/hospitals that have a history of infection control deficiencies at the immediate jeopardy level in the last three years;
  • Surveys of facilities/hospitals/dialysis centers that have a history of infection control deficiencies at lower levels than immediate jeopardy.

See CMS QSO-20-12-ALL. You can see that these “effective immediately” guidelines are usually published on CMS letterhead. The “effective immediately” guidelines explain why CMS is taking the stated action, the stated action, and that the action is temporary and due to COVID-19.

Here are a few recent “effective immediately” guidelines due to COVID-19:

  • On April 27, 2020, CMS said it would no longer expedite Medicare payments to doctors and be more stringent about accelerating the payments to hospitals as Congressional relief aimed at providers reaches $175 billion.
  • The agency is not accepting any new applications for the loans from Part B suppliers, including doctors, non-physician practitioners and durable medical equipment suppliers. CMS will continue to process pending and new requests from Part A providers, including hospitals, but be stricter with application approvals.
  • CMS expanded the Accelerated and Advance Payment Programs in late March as the pandemic continued to gain strength in the U.S. Since then, the agency has approved over 21,000 applications making up $59.6 billion in accelerated payments to Part A providers and almost 24,000 applications making up $40.4 billion in payments for Part B suppliers.

The $2.2 trillion Coronavirus Aid, Relief, and Economic Security stimulus package passed by Congress in March benchmarked $100 billion in funds for hospitals. On Friday, President Donald Trump signed legislation with a second round of emergency funding, called the Paycheck Protection Program and Health Care Enhancement Act, that allocates another $75 billion for providers — roughly three-quarters of what major provider trade associations requested.

An initial $30 billion from the fund was distributed between April 10 and April 17 based on Medicare fee-for-service revenue, sparking criticism that put facilities with a smaller proportion of Medicare business, such as children’s and disproportionate share hospitals, at a disadvantage. HHS on Friday began releasing an additional $20 billion in CARES payments to providers based on their 2018 net patient revenue, with more funding to roll out “soon,” the agency said, including $10 billion for hard-hit areas like New York.

How RAC/MAC auditors are compensated dictates their actions and/or aggressiveness.

RAC Auditors are paid by contingency. They are usually compensated approximately 13%, depending on the State. Imagine what 13% is of 1 million. It is $130,000 – more than most people make in a year. If you do not believe that 13% contingency is enough to incentivize a company, which, in turn, incentivize the employees, then you are sorely mistaken.

RACs were established through a demonstration program under the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (“MMA”), piloted between 2005 and 2008, and were later made permanent under the Tax Relief and Health Care Act of 2006, which required CMS to establish Recovery Auditors for all states before 2010.

MACs are not compensated by contingency, per se. CMS decided to structure the MAC contracts with 1-year base performance periods and four, optional, 1-year performance periods at the time. The MMA required that these contracts be recompeted at least once every 5 years. The recent enactment of the Medicare Access and CHIP Reauthorization Act of 2015 amended this requirement to authorize a maximum 10-year performance period before MAC contracts must be recompeted. The amendment, which applies to MAC contracts in effect at the time of enactment or entered into on or after enactment, would permit CMS to modify existing MAC contracts or enter into future MAC contracts for 1-year base performance periods and nine optional 1-year performance periods. See Pub. L. No. 114-10, § 509(a)- (b) (April 16, 2015). Therefore, while MACs are not compensated on contingency, MACs are compensated on performance. The less a MAC spends, the more services a MAC allows, the strict oversight a MCA ensues on its providers…all these “performance-based” measures may not be a contingency compensation relationship, but it’s pretty close. Saved money becomes profit for MACs.

Medicare and Medicaid auditors love rules. Even if the rules that auditors are instructed to follow really are not required by actual law. It goes without saying that auditors are not lawyers. Auditors are not trained to decipher whether statutes, regulations or policy are superseded by federal statutes and regulations. The fact is that, more times than one would hope, the auditors are wrong in their assessments that a claim should be denied, not out of malice, but because of a basic misunderstanding of what the law actually requires.

I have all kinds of stories about auditors claiming money is owed, when, really it was not owed because the RAC/MAC auditor failed to follow the actual, correct procedure or misconstrued a regulation. For example, I had a durable medical equipment provider, DME ABC, who was informed by the NSC Supplier Audit and Compliance Unit of Palmetto GBA that it owed $1,075,548.64. Palmetto is one of the MACs for Medicare – durable medical equipment. There was no demand letter. The alleged overpayment amount came to fruition in a telephone conference between the CEO of the company and an employee of Palmetto. Let’s call her Nancy. Nancy told CEO that company owed $1,075,548.64 based on an alleged violation of 42 C.F.R. § 424.58,

Even more disconcerting, was the fact that Palmetto claimed that its alleged, oral overpayment against DME ABC arose from a normal, reoccurring validation process pursuant to 42 C.F.R. §424.57, approved by CMS and in accordance with the requirements of 42 C.F.R. §424.58. No formal letter was necessary was Palmetto’s retort. Not correct; a formal demand letter is always required.

In this case, Palmetto began to backtrack once we pointed out that Palmetto nor Nancy ever sent a formal demand letter with any reconsideration review appeal rights or administrative appeal rights. We knew this was procedurally incorrect because federal law dictates that you receive a formal demand letter with appeal rights and notice of how many days you have to appeal. But out of fear of retribution, DME ABC was willing to write a check without pushing back. Obviously, we did not do so.

I tell this story as an example of how intimidating, scary, and overwhelming auditors can be. If someone off the street asked you for a million dollars, you would laugh them off your doorstep, right? After you tell them to don a mask and maintain social distancing.

But in the new-age world of COVID-19, rules have been broken. This behavior would not be acceptable pre-COVID-19. But this provider honestly was going to pay.

The Trump Administration is issuing an unprecedented array of temporary regulatory waivers and new rules to equip the American healthcare system with maximum flexibility to respond to the 2019 Novel Coronavirus (COVID-19) pandemic.

Pre-COVID-19 if you were to state “paperwork over patients,” everyone in the industry would agree. There would be snickers and eyes rolling, because no one wanted paperwork to be over patients. But it was. Now the mantra has flipped upside down – now the mantra is: Patients over Paperwork.

Post-COVID-19, if documents are lost or misplaced, or otherwise unusable, DME MACs have the flexibility to waive replacements requirements under Medicare such that the face-to-face requirement, a new physician’s order, and new medical necessity documentation are not required. Suppliers must still include a narrative description on the claim explaining the reason why the equipment must be replaced and are reminded to maintain documentation indicating that the DMEPOS was lost, destroyed, irreparably damaged or otherwise rendered unusable or unavailable as a result of the emergency.

Post-COVID-19, CMS is pausing the national Medicare Prior Authorization program for certain DMEPOS items. CMS is not requiring accreditation for newly enrolling DMEPOS and extending any expiring supplier accreditation for a 90-day time period. CMS is waiving signature and proof of delivery requirements for Part B drugs and Durable Medical Equipment when a signature cannot be obtained because of the inability to collect signatures. Suppliers should document in the medical record the appropriate date of delivery and that a signature was not able to be obtained because of COVID-19.

Post-COVID-19, in order to increase cash flow to providers impacted by COVID-19, CMS has expanded the current Accelerated and Advance Payment Program. An accelerated/advance payment is a payment intended to provide necessary funds when there is a disruption in claims submission and/or claims processing. CMS may provide accelerated or advance payments during the period of the public health emergency to any two Medicare providers/suppliers who submits a request to the appropriate MAC and meets the required qualifications. The process of obtaining the funds is a MAC-by-MAC process. Each MAC will work to review requests and issue payments within seven calendar days of receiving the request. Traditionally repayment of these advance/accelerated payments begins at 90 days, however for the purposes of the COVID-19 pandemic, CMS has extended the repayment of these accelerated/advance payments to begin 120 days after the date of issuance of the payment. Providers can get more information on this process here: www.cms.gov/files/document/Accelerated-and-Advanced-Payments-Fact-Sheet.pdf

The Future of Medicare/Medicaid Audits

The beauty of predicting the future is that no one can ever tell you that you are wrong. These are my predictions:

Auditors will deny claims for not having prior authorizations. Auditors will deny claims because the supplier accreditation expired after the 90-day time period. Auditors will deny claims because the percentage of face-to-face time was not met as described per CPT codes.

Obviously, these would be erroneous denials if the denials are within the dates that the COVID-19 pandemic occurred. The problem will be that the auditors will not be able to keep up with all the exceptions, not because the auditors are acting out of malice or dislikes providers. They will be simply trying to do their job. They will simply not be able to take into consideration all the exceptions that were given during the virus. Because, while we do have many written exceptions, if you call CMS with a personal and individualized problem, CMS will, most likely, grant you a needed exception. As long as the exception has the best interest of the consumer at heart. However, this personalized exception will not be written on CMS’s website. In five years, when you undergo a MAC or RAC audit, you better have proof that you received that exception. It will not be enough proof for you to state that you were given the exception over the phone.

So how can you protect yourself from future, erroneous audits?

Write everything down. When you speak to CMS, document concurrently the date, time, name of the person to whom you are speaking, the summary of your conversation, the COVID-19 regulatory exception, sign it and date it.

It is a hearsay exception. Writing down everything does not magically transform your note into the truth. However, writing down everything concurrently does magically allow that note that you wrote to be allowed in a court of law as an exhibit. Had you not written the note contemporaneously with the conversation that you had with CMS, then the attorney on the other side of the case would move to exclude your handwritten or typed note as hearsay.

Hearsay is defined as a statement that (1) the declarant does not make while testifying at the current trial or hearing; and (2) a party offers in evidence to prove the truth of the matter asserted in a statement. There are too many hearsay exceptions to name in this article.

Just know, for purposes of this article, that any health care provider who is relying on an exception to a normally required regulatory mandate – regardless what it is – either be able to: (1) cite the written exception that was published by CMS to the public; or (2) produce the written or typed contemporaneously written note that you wrote to memorialize the conversation.

Knicole Emanuel Appears on the Hospital Finance Podcast – Suspension of Audits

D83B4E86-D9CA-462F-8C54-EDBC90DA00E8

To listen, please click here.

Highlights of this episode include:

  • Background on why CMS will forego all audits unrelated to the coronavirus.
  • What types of audits will CMS continue during the coronavirus pandemic?
  • What providers need to know about complying with current audits, such as TPE audits.
  • How providers can protect themselves by documenting exceptions such as two-day admissions.
  • And more…

Mike Passanante: Hi, this is Mike Passanante and welcome back to the award-winning Hospital Finance Podcast®.

As a result of the COVID-19 crisis, the government has suspended most auditing activities for providers. To sort out what that means for hospitals, I’m joined by Knicole Emanuel. Knicole is an attorney at Potomac Law Group in Raleigh, North Carolina, where she concentrates on Medicare and Medicaid regulatory compliance litigation. Knicole, welcome to the show.

Knicole Emanuel: Thank you and thank you for having me.

Mike: Knicole, the government announced that it is suspending survey activities. Practically what does that mean for providers?

Knicole: Well, so right now because of the Coronavirus, CMS has decided to forego audits that are unrelated to the coronavirus. So actually effective April 3, 2020. The only audits that will be conducted will be those audits that are germane to all immediate Jeopardy complaints. Those kind of cases that represent a situation in which an entities non-compliance has placed the health and safety of recipients in its care at risk for serious injury. So we’re talking about potential serious injury or serious harm.

Another audit that’s going to continue would be complaints alleging infection control concerns because that would obviously be impacted by the coronavirus. Any sort of statutorily required recertification surveys are going to be conducted. I would assume that they’re going to be conducted telephonically. They’re not going to be going on-site and revisits necessary to resolve current enforcement actions. That’s important because when this Coronavirus all came about, there were hundreds and hundreds and hundreds, perhaps thousands upon thousands of healthcare providers already in the middle of TPE audits or RAC audits or MAC audit. And they’d already had on-site visits, they’d already had maybe perhaps a lower accuracy rating. And they’re going to be stuck in this cycle of being stuck in the audit until they can get a resurvey because with this coronavirus the penalties that they’re enduring, whether it’s a suspension of admission, or whether it’s a monetary penalty. These penalties are being administered even if they cannot have a secondary or a revisit of the audit to get them off of the penalty that they’re currently on. So it’s really important that people who are in the middle of audit and when all this came down to get them off of the audit cycle so they can go back to providing care.

Mike: So essentially, there are a number of activities that are suspended. But it’s important for providers to know that there is a subset of activities that will continue even during this period.

Knicole: Correct. But they’re all going to be activities that are of the utmost importance. The items that take lower priority are going to be pushed down.

Mike: Okay, and you mentioned the TPE audits a second ago. So that’s the targeted probe and education. Are they going to continue during this time period as far as you know?

Knicole: Well, so as far as I know, they are not going to continue as in they’re not going to start new TPE audit. Now the question then becomes, “Well, I received a document request a month ago for a TPE audit. Do I need to comply now?” And the conservative safe answer is to go ahead and keep complying with these document requests. Although the deadlines for these document requests, those are going to be extended. I’m sure you’ll be able to get extensions for trying to comply with those. And in reality, if you contact the people who are conducting the audit, you may find that the entire audit in general is put on pause. But don’t assume it’s put on pause. Try to make sure you comply, unless you find out it’s on pause. And if you get something over the email or over a phone that says that your TPE audit is paused currently, follow up with an email and get it in writing. Because future audit, they’re not going to remember that your particular audit was with pause during the coronavirus.

Mike: That’s great advice, Knicole. Do you have any other recommendations for providers as they’re navigating through this time?

Knicole: Yes, I do. There are a number of providers right now that are asking for exceptions, and I can give examples. So for example, in the hospital setting, there are hospitals that are asking for waivers for the inpatient admission standards or the two-day admission, or the moon rules. All those kind of things are asking for exceptions, and a lot of the hospital, A lot of the providers are getting the exceptions they need to allow people to have to stay longer in their hospitals because they have nowhere to discharge them. They can’t go back to their nursing homes where the coronavirus may or may not be. And so, because they’re getting all these exceptions, five years from now when you’re undergoing an audit, no one is going to remember that you had this exception that this particular consumer can stay in my hospital for two extra days or five extra days. And five years from now, you may get audited and say, “Well, you got to recoup all this money because you let them stay in for too long of a time.” When in reality, you are given an exception, write all the exceptions down. Keep one place, keep a computer program, keep a hard copy, whatever you want to do, and notebook, if that you want to get down to not having any technology involved. But keep track of all of these exceptions that you get as little as they may be because if you’re getting an exception for one person, and that one person can stay longer than the two-day allowance for the outpatient stays, and you multiply that by, okay, well, now you’ve got to take that exception and extrapolate it again, 200 people over the course of a year, that’s a lot of money we’re talking about. So you need to make sure you keep track of all the exceptions, no matter how small. And keep track of them somewhere that you’re not going to lose them. If your attrition rate is high with executives, you need to make sure that the next people in line had that knowledge so that in future audit, you can explain that you did not abide by the regulations for good reason. You had an exception, but no one’s keeping track of all these exceptions.

Mike: And so, it’s great advice, Knicole. And I know you’ve got a great blog of your own that people can follow. If people wanted to read more about what’s going on here on that blog or get in touch with you, how can they do that?

Knicole: Well, you’re more than welcome to go onto my blog, which is Medicare and Medicaid law. It is at medicaidlawnc.com. You can also contact me at any time. I’m at Potomac Law Group. I help providers across the country and not only in North Carolina, but in 33 states. And so, I am pretty well versed on all the exceptions that I’m seeing. It’s really fast-paced right now. It’s scary. It’s surreal. But it is really important to make sure that everything is written down because in the future– I mean, that old saying that old adage for nurses, if it’s not written, it doesn’t exist, is really going to matter in the future years.

Mike: Knicole, thanks for adding some clarity around this very complex issue. We appreciate you coming back to the show today.

Knicole: Absolutely. Thank you.

Suspension of Audits During the Coronavirus?

49B70E0C-5089-4D23-925D-54A09DC51563

Effective immediately, survey activity is limited to the following (in Priority Order):

  • All immediate jeopardy complaints (cases that represents a situation in which entity noncompliance has placed the health and safety of recipients in its care at risk for serious injury, serious harm, serious impairment or death or harm) and allegations of abuse and neglect;
  • Complaints alleging infection control concerns, including facilities with potential COVID-19 or other respiratory illnesses;
  • Statutorily required recertification surveys (Nursing Home, Home Health, Hospice, and ICF/IID facilities);
  • Any re-visits necessary to resolve current enforcement actions;
  • Initial certifications;
  • Surveys of facilities/hospitals that have a history of infection control deficiencies at the immediate jeopardy level in the last three years;
  • Surveys of facilities/hospitals/dialysis centers that have a history of infection control deficiencies at lower levels than immediate jeopardy.

See CMS QSO-20-12-ALL.

Obviously, there are so many questions. Providers across the country are asking whether they need to comply with document requests. Are TPE audits continuing? Do they need to comply with ongoing ADRs?

Every bulletin that CMS publishes instigates more detailed and complex questions. With all these relaxed guidelines, won’t RACs, etc. have a field day when this is all over? Of course they will.

General Recommendations:

  • Be proactive.
  • Document everything.
  • Deadlines will be extended.
  • Exceptions will be made.
  • Keep all email correspondence.
  • Maintain copies of everything that you submit. (Do not rely on electronic computer software programs).
  • Keep track of CMS updates.

Email me questions, and I will try to respond.

Also, feel free to reach out to the government: QSOG_EmergencyPrep@cms.hhs.gov.

Effective date: 30 days from the memo, which equals April 3, 2020.

 

 

Inconsequential Medicare Audits Could Morph into a Whopper of a Whale

Emergency room physicians or health care providers are a discrete breed – whales in a sea of fish. Emergency room doctors have – for the most part – been overlooked by the RAC auditors or TPE, ZPIC, or MAC auditors. Maybe it’s because, even RAC auditors have children or spouses that need ER services from time to time. Maybe it’s because ER doctors use so many different billers. Normally, an ER doctor doesn’t know which of his or her patients are Medicaid or Medicare. When someone is suffering from a a broken leg or heart attack, the ER doctor is not going to stop care to inquire whether the patient is insured and by whom. But should they? Should ER doctors have to ask patients their insurer? If the answer includes any sort of explanation that care differs depending on whether someone is covered by Medicare or Medicaid or has private insurance, then, sadly, the answer may be yes.

ER doctors travel to separate emergency rooms, which are owned by various and distinct entities, and rely on individual billing companies. They do not normally work at only one hospital. Thus, they do not always have the same billers. We all know that not all billers are created equal. Some are endowed with a higher understanding of billing idiosyncrasies than others.

For example, for CPT codes 99281-99285 – Hospital emergency department services are not payable for the same calendar date as critical care services when provided by the same physician or physician group with the same specialty to the same patient. 

We all know that all hospitals do not hire and implement the same billing computer software programs. The old adage – “you get what you pay for” – may be more true than we think. Recent articles purport that “the move to electronic health records may be contributing to billions of dollars in higher costs for Medicare, private insurers and patients by making it easier for hospitals and physicians to bill more for their services, whether or not they provide additional care.” – Think a comment like that would red-flag ER doctors services by RAC, MAC and ZPIC auditors? The white whale may as well shoot a water spray 30 feet into the air.

Will auditing entities begin to watch ER billing more closely? And what are the consequences? When non-emergency health care providers are terminated by Medicare, Medicaid, or a MAC or MCO’s network, there is no emergency – by definition. Juxtapose, the need for ER health care providers. ER rooms cannot function with a shortage of  physicians and health care providers. Even more disturbing is if the termination is unwarranted and seemingly inconsequential – only affecting under 4 surgeries per month – but acts as the catalyst for termination of Medicare, Medicaid, and private payors across the board.

I have a client named Dr. Ishmael. His big fish became the MAC Palmetto – very suddenly. Like many ER docs, he rotates ERs. He provides services for Medicare, Medicaid, private pay, uninsured – it doesn’t matter to him, he is an ER doctor. He gets a letter from one MAC. In this case, it was Palmetto. Interestingly enough, Palmetto is his smallest insurance payor. Maybe 2 surgeries a month are covered by Palmetto. 90% of his services are provided to Medicaid patients. Not by his choice, but by demographics and circumstance. The letter from Palmetto states that he is being excluded from Palmetto’s Medicare network, effective in 10 days. He will also be placed on the CMS preclusion list in 4 months.

We appeal through Palmetto, as required. But, in the meantime, four other MACs, State Medicaid and BCBS terminate Dr. Ishmael’s billing privileges for Medicare and Medicaid based on Palmetto’s decision. Remember, we are appealing Palmetto’s decision as we believe it is erroneous. But because of Palmetto’s possibly incorrect decision to terminate Dr. Ishmael’s Medicare billing privileges, all of a sudden, 100% of Dr. Ishmael’s services are nonbillable and nonreimburseable…without Dr. Ishmael or the hospital ever getting the opportunity to review and defend against the otherwise innocuous termination decision.

Here, the hospital executives, along with legal counsel, schedule meetings with Dr. Ishmael. “They need him,” they say. “He is important,” they say. But he is not on the next month’s rotation. Or the next.

They say: “Come and see if ye can swerve me. Swerve me? ye cannot swerve me, else ye swerve yourselves! man has ye there. Swerve me?”

Billing audits on ER docs for Medicare/caid compliance are distinctive processes, separate from other providers’ audits. Most providers know the insurance of the patient to whom they are rendering services. Most providers use one biller and practice at one site. ER docs have no control over the choice of their billers. Not to mention, the questions arises, who gets to appeal on behalf the ER provider? Doesn’t the hospital reap the benefit of the reimbursements?

But one seemingly paltry, almost, minnow-like, audit by a cameo auditor can disrupt an entire career for an ER doc. It is imperative to act fast to appeal in the case of an ER doc.  But balance speed of the appeal with the importance of preparing all legal arguments. Most MACs or other auditing entities inform other payors quickly of your exclusion or termination but require you to put forth all arguments in your appeal or you could waive those defenses. I argue against that, but the allegations can exist nonetheless.

The moral of the story is ER docs need to appeal and appeal fast when billing privileges are restricted, even if the particular payor only constitutes 4 surgeries a month. As Herman Melville said: “I know not all that may be coming, but be it what it will, I’ll go to it laughing.” 

Sometimes, however, it is not a laughing matter. It is an appealable matter.