Once You STOP Accepting Medicaid/Care, How Much Time Has to Pass to Know You Will Not Be Audited? (For Past Nitpicking Documentation Errors)
I had a client, a dentist, ask me today how long does he have to wait until he need not worry about government, regulatory audits after he decides to not accept Medicare or Medicaid any more. It made me sad. It made me remember the blog that I wrote back in 2013 about the shortage of dentists that accept Medicaid. But who can blame him? With all the regulatory, red tape, low reimbursement rates, and constant headache of audits, who would want to accept Medicare or Medicaid, unless you are Mother Teresa…who – fun fact – vowed to live in poverty, but raised more money than any Catholic in the history of the recorded world.
What use is a Medicaid card if no one accepts Medicaid? It’s as useful as our appendix, which I lost in 1990 and have never missed it since, except for the scar when I wear a bikini. A Medicaid card may be as useful as me with a power drill. Or exercising lately since my leg has been broken…
The answer to the question of how long has to pass before breathing easily once you make the decision to refuse Medicaid or Medicare? – It depends. Isn’t that the answer whenever it comes to the law?
By Whom and Why You Are Being Investigated Matters
If you are being investigated for fraud, then 6 years.
If you are being investigated by a RAC audit, 3 years.
If you are being investigated by some “non-RAC entity,” then it however many years they want unless you have a lawyer.
If being investigated under the False Claims Act, you have 6 – 10 years, depending on the circumstances.
If investigated by MICs, generally, there is a 5-year, look-back period.
ZPICS have no particular look-back period, but with a good attorney, reasonableness can be argued. How can you be audited once you are no longer liable to maintain the records?
The CERT program is limited by the same fiscal year.
The Alternative: Self-Disclosure (Hint – This Is In Your Favor)
If you realized that you made an oops on your own, you have 60-days. The 60-day repayment rule was implemented by the Centers for Medicare and Medicaid Services (“CMS”), effective March 14, 2016, to clarify health care providers’ obligations to investigate, report, and refund identified overpayments under the Affordable Care Act (“ACA”).
Notably, CMS specifically stated in the final rule that it only applies to traditional Medicare overpayments for Medicare Part A and B services, and does not apply to Medicaid overpayments. However, most States have since legislated similar statutes to mimic Medicare rules (but there are arguments to be made in courts of law to distinguish between Medicare and Medicaid).
We can add one more “oops” to the Department of Health and Human Services (DHHS) repertoire of “oopses.” I am reminded of Captain Edward Smith when he banged the Titanic into an iceberg. Talk about an “oops” moment. Not to mention the lives lost, hitting that iceberg cost $7.5 million in ship building costs back in 1909.
DHHS hit another iceberg yesterday. How much will this “oops” costs?
DHHS made its “oops” by sending 48,752 new Medicaid cards to the WRONG people. Oops! Medicaid cards have HIPAA protected information on them, such as names, Medicaid numbers and dates of birth.
Let me tell you a little about HIPAA. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It was signed into law by Bill Clinton, Title II of HIPAA requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Why is this important? This act also provides significant penalties if privileged information is disseminated.
Hence the DHHS Medicaid card debacle. Iceberg, ahoy! “Oops I did it again!”
The questions are (1) how much will NC be penalized for the dissemination of so much private information; and (2) will NC actually have to pay the penalty?
Recently, HIPAA was revamped. Beginning September 2013, HIPAA became even more stringent with harsher penalties and began to apply to more people (including law firms). For example, prior to September 2013, my firm Williams Mullen treated my documents received from clients the same as all other privileged information in our firm. Obviously, almost everything at a law firm is confidential. Now I have to lock my door (we had to install a lock) anytime I leave my office, even for lunch. Bright yellow flags have been added to all my files that contain privileged health information (PHI), which is every file. My partners cannot access my documents on our computer network system unless granted access. I feel like Edward Snowdon.
I also remember a story about a nurse who worked at a hospital. Her husband was admitted into the ER while she was on her shift and she looked up his condition on the computer. She was fired for violating HIPAA.
How bad can it be?
The feds imposed a penalty of $4.3 million against Cignet Health of Prince George’s County, MD, for HIPAA violations in 2011. Oops!
And, in light of the “new HIPAA,” last week, DHHS disseminates privileged information to 48,752 people.
What are the penalties for violating HIPAA?
There are four violation categories (1) did not know; (2) reasonable cause; (3) willful neglect-corrected; and (4) willful neglect-not corrected. Here are the penalties:
Assuming DHHS’ HIPAA violation is the least severe, “did not know,” DHHS could be liable for $100-$50,000 per violation. Here, there are, at least, 48,752 violations. So we are talking a penalty anywhere from $4,875,200 to a number bigger than my calculator allows.
Thankfully for DHHS and, ultimately, our tax dollars, there are caps to HIPAA penalties. There is a $1.5 million cap per calendar year.
However, DHHS could be liable for multiple violations of multiple provisions and a violation of each provision can be counted separately. So, theoretically, DHHS could be liable for multiple violations of up to $1.5 million cap for each violation, which would result in a total penalty well above $1.5 million.
The other question is whether the federal government will hold a state liable for such HIPAA violations. I don’t know the answer to this, but it would seem fundamentally unfair if HIPAA applies to people and companies, but not the state.
Then, again, how many of you want our tax dollars going toward paying these HIPAA penalties?
You can also see this story on WRAL. (Yes, I was interviewed 🙂 )
Will Aldona Wos also have a $7.5 million “oops” like Captain Smith? Because, regardless who committed the “oops,” Wos is captain of the ship. It is believed that Capt. Smith went down with the Titanic.