Here is an article that I wrote that was first published on RACMonitor on March 15, 2018:
All audits are questionable, contends the author, so appeal all audit results.
Providers ask me all the time – how will you legally prove that an alleged overpayment is erroneous? When I explain some examples of mistakes that Recovery Audit Contractors (RACs) and other health care auditors make, they ask, how do these auditors get it so wrong?
First, let’s debunk the notion that the government is always right. In my experience, the government is rarely right. Auditors are not always healthcare providers. Some have gone to college. Many have not. I googled the education criteria for a clinical compliance reviewer. The job application requires the clinical reviewer to “understand Medicare and Medicaid regulations,” but the education requirement was to have an RN. Another company required a college degree…in anything.
Let’s go over the most common mistakes auditors make that I have seen. I call them “oops, I did it again.” And I am not a fan of reruns.
- Using the Wrong Clinical Coverage Policy/Manual/Regulation
Before an on-site visit, auditors are given a checklist, which, theoretically, is based on the pertinent rules and regulations germane to the type of healthcare service being audited. The checklists are written by a government employee who most likely is not an attorney. There is no formal mechanism in place to compare the Medicare policies, rules, and manuals to the checklist. If the checklist is erroneous, then the audit results are erroneous. The Centers for Medicare & Medicaid Services (CMS) frequently revises final rules, changing requirements for certain healthcare services. State agencies amend small technicalities in the Medicaid policies constantly. These audit checklists are not updated every time CMS issues a new final rule or a state agency revises a clinical coverage policy.
For example, for hospital-based services, there is a different reimbursement rate depending on whether the patient is an inpatient or outpatient. Over the last few years there have been many modifications to the benchmarks for inpatient services. Another example is in behavioral outpatient therapy; while many states allow 32 unmanaged visits, others have decreased the number of unmanaged visits to 16, or, in some places, eight. Over and over, I have seen auditors apply the wrong policy or regulation. They apply the Medicare Manual from 2018 for dates of service performed in 2016, for example. In many cases, the more recent policies are more stringent that those of two or three years ago.
- A Flawed Sample Equals a Flawed Extrapolation
The second common blunder auditors often make is producing a flawed sample. Two common mishaps in creating a sample are: a) including non-government paid claims in the sample and b) failing to pick the sample randomly. Both common mistakes can render a sample invalid, and therefore, the extrapolation invalid. Auditors try to throw out their metaphoric fishing nets wide in order to collect multiple types of services. The auditors accidentally include dates of service of claims that were paid by third-party payors instead of Medicare/Medicaid. You’ve heard of the “fruit of the poisonous tree?” This makes the audit the fruit of the poisonous audit. The same argument goes for samples that are not random, as required by the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG). A nonrandom sample is not acceptable and would also render any extrapolation invalid.
- A Simple Misunderstanding
A third common blooper found with RAC auditors is simple misunderstandings based on lack of communication between the auditor and provider. Say an auditor asks for a chart for date of service X. The provider gives the auditor the chart for date of service X, but what the auditor is really looking for is the physician’s order or prescription that was dated the day prior. The provider did not give the auditor the pertinent document because the auditor did not request it. These issues cause complications later, because inevitably, the auditor will argue that if the provider had the document all along, then why was the document not presented? Sometimes inaccurate accusations of fraud and fabrication are averred.
- The Erroneous Extrapolation
Auditors use a computer program called RAT-STATS to extrapolate the sample error rate across a universe of claims. There are so many variables that can render an extrapolation invalid. Auditors can have too low a confidence level. The OIG requires a 90 percent confidence level at 25 percent precision for the “point estimate.” The size and validity of the sample matters to the validity of the extrapolation. The RAT-STATS outcome must be reviewed by a statistician or a person with equal expertise. An appropriate statistical formula for variable sampling must be used. Any deviations from these directives and other mandates render the extrapolation invalid. (This is not an exhaustive list of requirements for extrapolations).
- That Darn Purple Ink!
A fifth reason that auditors get it wrong is because of nitpicky, nonsensical reasons such as using purple ink instead of blue. Yes, this actually happened to one of my clients. Or if the amount of time with the patient is not denoted on the medical record, but the duration is either not relevant or the duration is defined in the CPT code. Electronic signatures, when printed, sometimes are left off – but the document was signed. A date on the service note is transposed. Because there is little communication between the auditor and the provider, mistakes happen.
The moral of the story — appeal all audit results.
Premature Recoupment of Medicare or Medicaid Funds Can Feel Like Getting Mauled by Dodgeballs: But Is It Constitutional?
State and federal governments contract with many private vendors to manage Medicare and Medicaid. And regulatory audits are fair game for all these contracted vendors and, even more – the government also contracts with private companies that are specifically hired to audit health care providers. Not even counting the contracted vendors that manage Medicaid or Medicare (the companies to which you bill and get paid), we have Recovery Act Contractors (RAC), Zone Program Integrity Contractors (ZPICs), Medicare Administrative Contractors (MACs), and Comprehensive Error Rate Testing (CERT) auditors. See blog for explanation. ZPICs, RACs, and MACs conduct pre-payment audits. ZPICs, RACs, MACs, and CERTs conduct post-payment audits.
It can seem that audits can hit you from every side.
“Remember the 5 D’s of dodgeball: Dodge, duck, dip, dive and dodge.”
Remember the 5 A’s of audits: Appeal, argue, apply, attest, and appeal.”
Medicare providers can contest payment denials (whether pre-payment or post-payment) through a five-level appeal process. See blog.
On the other hand, Medicaid provider appeals vary depending on which state law applies. For example, in NC, the general process is an informal reconsideration review (which has .008% because, essentially you are appealing to the very entity that decided you owed an overpayment), then you file a Petition for Contested Case at the Office of Administrative Hearings (OAH). Your likelihood of success greatly increases at the OAH level because these hearings are conducted by an impartial judge. Unlike in New Mexico, where the administrative law judges are hired by Human Services Department, which is the agency that decided you owe an overpayment. In NM, your chance of success increases greatly on judicial review.
In Tx, providers may use three methods to appeal Medicaid fee-for-service and carve-out service claims to Texas Medicaid & Healthcare Partnership (TMHP): electronic, Automated Inquiry System (AIS), or paper within 120 days.
In Il, you have 60-days to identify the total amount of all undisputed and disputed audit
overpayment. You must report, explain and repay any overpayment, pursuant to 42 U.S.C.A. Section 1320a-7k(d) and Illinois Public Aid Code 305 ILCS 5/12-4.25(L). The OIG will forward the appeal request pertaining to all disputed audit overpayments to the Office of Counsel to the Inspector General for resolution. The provider will have the opportunity to appeal the Final Audit Determination, pursuant to the hearing process established by 89 Illinois Adm. Code, Sections 104 and 140.1 et. seq.
You get the point.”Nobody makes me bleed my own blood. Nobody!” – White Goodman
Recoupment During Appeals
Regardless whether you are appealing a Medicare or Medicaid alleged overpayment, the appeals process takes time. Years in some circumstances. While the time gently passes during the appeal process, can the government or one of its minions recoup funds while your appeal is pending?
The answer is: It depends.
Before I explain, I hear my soapbox calling, so I will jump right on it. It is my legal opinion (and I am usually right) that recoupment prior to the appeal process is complete is a violation of due process. People are always shocked how many laws and regulations, both on the federal and state level, are unconstitutional. People think, well, that’s the law…it must be legal. Incorrect. Because something is allowed or not allowed by law does not mean the law is constitutional. If Congress passed a law that made it illegal to travel between states via car, that would be unconstitutional. In instances that the government is allowed to recoup Medicaid/care prior to the appeal is complete, in my (educated) opinion. However, until a provider will fund a lawsuit to strike these allowances, the rules are what they are. Soapbox – off.
Going back to whether recoupment may occur before your appeal is complete…
For Medicare audit appeals, there can be no recoupment at levels one and two. After level two, however, the dodgeballs can fly, according to the regulations. Remember, the time between levels two and three can be 3 – 5 years, maybe longer. See blog. There are legal options for a Medicare provider to stop recoupments during the 3rd through 5th levels of appeal and many are successful. But according to the black letter of the law, Medicare reimbursements can be recouped during the appeal process.
Medicaid recoupment prior to the appeal process varies depending on the state. Recoupment is not allowed in NC while the appeal process is ongoing. Even if you reside in a state that allows recoupment while the appeal process is ongoing – that does not mean that the recoupment is legal and constitutional. You do have legal rights! You do not need to be the last kid in the middle of a dodgeball game.
Don’t be this guy:
You are a Medicare health care provider. You perform health care services across the country. Maybe you are a durable medical equipment (DME) provider with a website that allows patients to order physician-prescribed, DME supplies from all 50 states. Maybe you perform telemedicine to multiple states. Maybe you are a large health care provider with offices in multiple states.
Regardless, imagine that you receive 25, 35, or 45 notifications of alleged overpayments from 5 separate “jurisdictions” (the 5th being Region 5 (DME/HHH – Performant Recovery, Inc.). You get one notice dated January 1, 2018, for $65,000 from Region 1. January 2, 2018, you receive a notice of alleged overpayment from Region 2 in the amount of $210.35. January 3, 2018, is a big day. You receive notices of alleged overpayments in the amounts of $5 million from Region 4, $120,000 from Region 3, and two other Region 1 notices in the amount of $345.00 and $65,000. This continues for three weeks. In the end, you have 20 different notices of alleged overpayments from 5 different regions, and you are terrified and confused. But you know you need legal representation.
Do you appeal all the notices? Even the notice for $345.00? Obviously, the cost of attorneys’ fees to appeal the $345.00 will way outweigh the amount of the alleged overpayment.
Here are my two cents:
Appeal everything – and this is why – it is a compelling argument of harassment/undue burden/complete confusion to a judge to demonstrate the fact that you received 20 different notices of overpayment from 5 different MACs. I mean, you need a freaking XL spreadsheet to keep track of your notices. Never mind that an appeal in Medicare takes 5 levels and each appeal will be at a separate and distinct status than the others. Judges are humans, and humans understand chaos and the fact that humans have a hard time with chaos. For example, I have contractors in my house. It is chaos. I cannot handle it.
While 20 distinct notices of alleged overpayment is tedious, it is worth it once you get to the third level, before an unbiased administrative law judge (ALJ), when you can consolidate the separate appeals to show the judge the madness.
Legally, the MACs cannot withhold or recoup funds while you appeal, although this is not always followed. In the case that the MACs recoup/withhold during your appeal, if it will cause irreparable harm to your company, then you need to get an injunction in court to suspend the recoupment/withhold.
According to multiple sources, the appeal success rate at the first and second levels are low, approximately 20%. This is to be expected since the first level is before the entity that determined that you owe money and the second level is not much better. The third level, however, is before an impartial ALJ. The success rate at that level is upwards of 75-80%. In the gambling game of life, those are good odds.
The Centers for Medicare & Medicaid Services (CMS) posted its December 2017 list of health care services that the Recovery Audit Contractors (RACs) will be auditing. As usual, home health is on the chopping block. So are durable medical equipment providers. For whatever reason, it seems that home health, DME, behavioral health care, and dentists are on the top of the lists for audits, at least in my experience.
Number one RAC audit issue:
Home Health: Medical Necessity and Documentation Review
To be eligible for Medicare home health services, a beneficiary must have Medicare Part A and/or Part B per Section 1814 (a)(2)(C) and Section 1835 (a)(2)(A) of the Social Security Act:
- Be confined to the home;
- Need skilled services;
- Be under the care of a physician;
- Receive services under a plan of care established and reviewed by a physician; and
- Have had a face-to-face encounter with a physician or allowed Non-Physician Practitioner (NPP).
Medical necessity is the top audited issue in home health. Auditors also love to compare the service notes to the independent assessment. Watch it if you fail to do one activity of daily living (ADL). Watch it if you do too many ADLs out of the kindness of your heart. Deviations from the independent assessment is a no-no to auditors, even if you are going above and beyond to be sweet. And never use purple ink!
Number two RAC audit issue:
Annual Wellness Visits (AWV) billed within 12 months of the Initial Preventative Physical Examination (IPPE) or Annual Wellness Examination (AWV)
This is a simple mathematical calculation. Has exactly 12 months passed? To the day….yes, they are that technical. 365 days from a visit on January 7, 2018 (my birthday, as an example) would be January 7, 2019. Schedule any AWV January 8, 2019, or beyond.
Number three RAC audit issue:
Ventilators Subject to DWO requirements on or after January 1, 2016
This will be an assessment of whether ventilators are medically necessary. Seriously? Who gets a ventilator who does not need one? I was thinking the other day, “Self? I want a ventilator.”
Number four RAC audit issue:
This will be an assessment of whether cardiac pacemakers are medically necessary. Seriously? Who gets a pacemaker who does not need one? I was thinking the other day, “Self? I want a pacemaker.” Hospitals are not the only providers targets for this audit. Ambulatory surgical centers (ASCs) also will be a target. As patient care continues its transition to the outpatient setting, ASCs have quickly grown in popularity as a high-quality, cost-effective alternative to hospital-based outpatient care. In turn, the number and types of services offered in the ASC setting have significantly expanded, including pacemakers.
Number five RAC audit issue:
Evaluation and Management (E/M) Same Day as Dialysis
Except when reported with modifier 25, payment for certain evaluation and management services is bundled into the payment for dialysis services 90935, 90937, 90945, and 90947
It is important to remember that if you receive a notice of overpayment, you need to appeal immediately. The first level of appeal is redetermination, usually with the Medicare Administrative Contractor (MAC). Medicare will not begin overpayment collection of debts (or will cease collections that have started) when it receives notice that you requested a Medicare contractor redetermination (first level of appeal).
See blog for full explanation of Medicare provider appeals.
Interestingly, how OIG and who OIG targets for audits is much more transparent than one would think. OIG tells you in advance (if you know where to look).
Prior to June 2017, the Office of Inspector General’s (OIG) OIG updated its public-facing Work Plan to reflect those adjustments once or twice each year. In order to enhance transparency around OIG’s continuous work planning efforts, effective June 15, 2017, OIG began updating its Work Plan website monthly.
Why is this important? I will even take it a step further…why is this information crucial for health care providers, such as you?
These monthly reports provide you with notice as to whether the type of provider you are will be on the radar for Medicare and Medicaid audits. And the notice provided is substantial. For example, in October 2017, OIG announced that it will investigate and audit specialty drug coverage and reimbursement in Medicaid – watch out pharmacies!!! But the notice also states that these audits of pharmacies for speciality drug coverage will not begin until 2019. So, pharmacies, you have over a year to ensure compliance with your records. Now don’t get me wrong… you should constantly self audit and ensure regulatory compliance. Notwithstanding, pharmacies are given a significant warning that – come 2019 – your speciality drug coverage programs better be spic and span.
Another provider type that will be on the radar – bariatric surgeons. Medicare Parts A and B cover certain bariatric procedures if the beneficiary has (1) a body mass index of 35 or higher, (2) at least one comorbidity related to obesity, and (3) been previously unsuccessful with medical treatment for obesity. Treatments for obesity alone are not covered. Bariatric surgeons, however, get a bit less lead time. Audits for bariatric surgeons are scheduled to start in 2018. Considering that 2018 is little more than a month away, this information is less helpful. The OIG Work Plans do not specific enough to name a month in which the audits will begin…just sometime in 2018.
Where do you find such information? On the OIG Work Plan website. Click here. Once you are on the website, you will see the title at the top, “Work Plan.” Directly under the title are the “clickable” subjects: Recently Added | Active Work Plan Items | Work Plan Archive. Pick one and read.
You will see that CMS is not the only agency that OIG audits. It also audits the Food and Drug Administration and the Office of the Secretary, for example. But we are concerned with the audits of CMS.
Other targeted providers types coming up:
- Security of Certified Electronic Health Record Technology Under Meaningful Use
- States’ Collection of Rebates on Physician-Administered Drugs
- States’ Collection of Rebates for Drugs Dispensed to Medicaid MCO Enrollees
- Adult Day Health Care Services
- Oversight of States’ Medicaid Information Systems Security Controls
- States’ MCO Medicaid Drug Claims
- Incorrect Medical Assistance Days Claimed by Hospitals
- Selected Inpatient and Outpatient Billing Requirements
And the list goes on and on…
Do not think that if your health care provider type is not listed on the OIG website that you are safe from audits. As we all know, OIG is not the only entity that conducts regulatory audits. The States and its contracted vendors also audit, as well as the RACs, MICs, MACs, CERTs…
Never forget that whatever entity audits you, YOU HAVE APPEAL RIGHTS!
The Center for Medicare and Medicaid Services (CMS) announced the expansion of Targeted Probe and Educate (TPE) audits. At first glance, this appears to be fantastic news coming on the heels of so much craziness at Health and Human Services (HHS). We have former-HHS Secretary Price flying our tax dollars all over. Dr. Don Wright stepping up as our new Secretary. The Medicare appeal backlog fiasco. The repeal and replace Obamacare bomb. Amidst all this tomfoolery, health care providers are still serving Medicare and Medicaid patients, reimbursement rates are in the toilet, which drives down quality and incentivizes providers to not accept Medicare or Medicaid (especially Caid), and providers are undergoing “Audit Alphabet Soup.” I actually had a client tell me that he receives audit letters requesting documents and money every single week from a plethora of different organizations.
So when CMS announced that it was broadening its TPE audits, it was a sigh of relief for many providers. But will TPE audits be the benign beasts they are purporting to be?
What is a TPE audit? (And – Can We Have Anymore Acronyms…PLEASE!)
CMS says that TPE audits are benevolent. CMS’ rhetoric indicates that these audits should not cause the toner to run out from overuse. CMS states that TPE audits will involve “the review of 20-40 claims per provider, per item or service, per round, for a total of up to three rounds of review.” See CMS Announcement. The idea behind the TPE audits (supposedly) is education, not recoupments. CMS states that “After each round, providers are offered individualized education based on the results of their reviews. This program began as a pilot in one MAC jurisdiction in June 2016 and was expanded to three additional MAC jurisdictions in July 2017. As a result of the successes demonstrated during the pilot, including an increase in the acceptance of provider education as well as a decrease in appealed claims decisions, CMS has decided to expand to all MAC jurisdictions later in 2017.” – And “later in 2017” has arrived. These TPE audits are currently being conducted nationwide.
Below is CMS’ vision for a TPE audit:
Clear? As mud?
The chart does not indicate how long the provider will have to submit records or how quickly the TPE auditors will review the documents for compliance. But it appears to me that getting through Round 3 could take a year (this is a guess based on allowing the provider 30 days to gather the records and allowing the TPE auditor 30 days to review).
Although the audit is purportedly benign and less burdensome, a TPE audit could take a whole year or more. Whether the audit reviews one claim or 20, having to undergo an audit of any size for a year is burdensome on a provider. In fact, I have seen many companies having to hire staff dedicated to responding to audits. And here is the problem with that – there aren’t many people who understand Medicare/caid medical billing. Providers beware – if you rely on an independent biller or an electronic medical records program, they better be accurate. Otherwise the buck stops with your NPI number.
Going back to CMS’ chart (above), notice where all the “yeses” go. As in, if the provider is found compliant , during any round, all the yeses point to “Discontinue for at least 12 months.” I am sure that CMS thought it was doing providers a favor, but what that tells me is the TPE audit will return after 12 months! If the provider is found compliant, the audit is not concluded. In fact, according to the chart, the only end results are (1) a referral to CMS for possible further action; or (2) continued TPE audits after 12 months. “Further action” could include 100% prepayment review, extrapolation, referral to a Recovery Auditor, or other action. Where is the outcome that the provider receives an A+ and is left alone??
CMS states that “Providers/suppliers may be removed from the review process after any of the three rounds of probe review, if they demonstrate low error rates or sufficient improvement in error rates, as determined by CMS.”
I just feel as though that word “may” should be “will.” It’s amazing how one word could change the entire process.
Durable Medical Equipment (DME) providers across the country are walking around with large, red and white bullseyes on their backs. Starting back in March 2017, the RAC audits began targeting DME and home health and hospice. DME providers also have to undergo audits by the Comprehensive Error Rate Testing Program (CERT).
The RAC for Jurisdiction 5, Performant Recovery, is a national company contracted to perform Recovery Audit Contractor (RAC) audits of durable medical equipment, prosthetic, orthotic and supplies (DMEPOS) claims as well as home health and hospice claims. Medicare Part B covers medically necessary DME. The following are the RAC regions:
Region 1 – Performant Recovery, Inc.
Region 2 – Cotiviti, LLC
Region 3 – Cotiviti, LLC
Region 4 – HMS Federal Solutions
Region 5 – Performant Recovery, Inc.
As you can see from the above map, we are in Region 3. The country is broken up into four regions. But, wait, you say, you said that Performant Recovery is performing RAC audits in region 5 – where is region 5?
Region 5 is the whole country.
The Centers for Medicare and Medicaid (CMS) has contracted with Performant Recovery to audit DME and home health and hospice across the whole country.
DME and home health and hospice providers – There is nowhere to hide. If you provide equipment or services within the blue area, region 5, you are a target for a RAC audit.
What are some common findings in a RAC audit for DME?
Without question, the most common finding in a RAC or CERT audit is “insufficient documentation.” The problem is that “insufficient documentation” is nebulous, at best, and absolutely incorrect, at worst. This error is by auditors if they cannot conclude that the billed services were actually provided, were provided at the level billed, and/or were medically necessary. An infuriating discovery was when I was defending a DME RAC audit and learned that the “real” reason for the denial of a claim was that no one went to the consumers door, knocked on it, and verified that a wheelchair had, in fact, been delivered. In-person verification of delivery is not a requirement, nor should it be. Such a burdensome requirement would unduly prejudice DME companies. Yes, you need to be able to show a signed and dated delivery slip, but you do not have to go to the consumer’s house and snap a selfie with the consumer and the piece of equipment.
Another common target for RAC audits is oxygen tubing, oxygen stands/racks, portable liquid oxygen systems, and oxygen concentrators. RAC auditors mainly look for medical necessity for oxygen equipment. Hospital beds/accessories are also a frequent find in a RAC audit. A high use of hospital beds/accessories codes can enlarge the target on your back.
Another recurrent issue that the RAC auditors cite is billing for bundled services separately. Medicare does not make separate payment for DME provider when a beneficiary is in a covered inpatient stay. RAC auditors check whether suppliers are inappropriately receiving separate DME payment when the beneficiary is in a covered inpatient stay. Suppliers can’t bill for DME items used by the patient prior to the patient’s discharge from the hospital. Medicare doesn’t allow separate billing for surgical dressings, urological supplies, or ostomy supplies provided in the hospital because reimbursement for them is wrapped into the Part A payment. This prohibition applies even if the item is worn home by the patient when leaving the hospital.
As always, documentation of the face to face encounter and the prescription are also important.
You can find the federal regulation for DME documentation at 42 CFR 410.38 – “Durable medical equipment: Scope and conditions.”
Once you receive an alleged overpayment, know your rights! Appeal, appeal, appeal!! The Medicare appeal process can be found here.
Electronic health records or EHR have metamorphosed health care. Choosing a vendor can be daunting and the prices fluctuate greatly. As a provider, you probably determine your EHR platform on which vendor’s program creates the best service notes… or which creates the most foolproof way of tracking time… or which program is the cheapest.
But…what’s in YOUR contract can be legally deadly.
Regardless how you choose your EHR vendor, you need to keep the following legal issues in mind when it comes to EHR and the law:
Regulatory and Clinical Coverage Policy Compliance
Most likely, your EHR vendor does not have a legal degree. Yet, you are buying a product and assuming that the EHR program complies with applicable regulations, rules, and clinical coverage policies – whichever are applicable to your type of service. Well, guess what? These regulations, rules, and clinical coverage policies are not stagnant. They are amended, revised, and re-written more than my chickens lay eggs, but a little less often, because my chickens lay eggs every day.
Think about it – The Division of Medical Assistance (DMA) publishes a monthly Medicaid Bulletin. Every month DMA provides more insight, more explanations, more rules that providers will be held accountable to follow.
Does your EHR program update every month?
You need to review your contract and determine whether the vendor is responsible for regulatory compliance or whether you are. If you are, should you put so much faith in the EHR program?
You are required to maintain your records (depending on your type of service) anywhere from 5-10 years. Let’s say that you sign a four year contract with EHR Vendor X. The four years expires, and you hire a new EHR vendor. You are audited. But Vendor X does not allow you access to the records because you no longer have a contract with them – not their problem!
You need to ensure that your EHR contract allows you access to your documents (because they are your documents) even in the event of the contract expiring or getting terminated. The excuse that “I don’t have access to that” does not equal a legal defense.
This is otherwise known as the “Blame Game.” If there is a problem with regulatory compliance, as in, the EHR records do not follow the regulations, then you need to know whether the EHR vendor will take responsibility and pay, or help pay, for attorneys’ fees to defend yourself.
Like it or not, the EHR vendor does not undergo audits by the state and federal government. The EHR vendor does not undergo post and pre-payment reviews for regulatory compliance. You do. It is your NPI number that is held accountable for regulatory compliance.
You need to check whether there is an indemnification clause in the EHR contract. In other words, if you are accused of an overpayment because of a mistake on the part of the vendor, will the vendor cover your defense? My guess is that there is no indemnification clause.
HIPAA laws require that you minimize the access to private health information (PHI) and prevent dissemination. With hard copies, this was easy. You could just lock up the documents. With EHR, it becomes trickier. Obviously, you have access to the PHI as the provider. But who can access your EHR on the vendor-side? Assuming that the vendor has an IT team in case of computer issues, you have to consider to what exactly does that team have access.
I recently attended a legal continuing education class on data breach and HIPAA compliance for health care. One of the speakers was a Special Agent with the FBI. This gentleman prosecutes data breaches for a living. He said that hackers will pay over $500 per private medical document. Health care companies experienced a 72% increase in cyberattacks between 2013 and 2014. Stolen health care information is 10 times more valuable than your credit card information.
Obviously, I am exaggerating here. I do not believe that The Walking Dead is real and in our future. But here is my point – You are held accountable for maintaining your medical records, even in the face of an act of God or terrorism.
Example: It was 1996. Provider Dentist did not have EHR; he had hard copies. Hurricane Fran flooded Provider Dentist’s office, ruining all medical records. When Provider Dentist was audited, the government did not accept the whole “there was a hurricane” excuse. Dentist was liable for sever penalties and recoupments.
Fast forward to 2017 and EHR – Think a mass computer shutdown won’t happen? Just ask Delta about its August 2016 computer shutdown that took four days and cancelled over 2000 flights. Or Medstar Health, which operates 10 hospitals and more than 250 outpatient facilities, when in March 2016, a computer virus shut down its emails and…you guessed it…its EHR database.
So, what’s in YOUR contract?