Durable Medical Equipment (DME) providers across the country are walking around with large, red and white bullseyes on their backs. Starting back in March 2017, the RAC audits began targeting DME and home health and hospice. DME providers also have to undergo audits by the Comprehensive Error Rate Testing Program (CERT).
The RAC for Jurisdiction 5, Performant Recovery, is a national company contracted to perform Recovery Audit Contractor (RAC) audits of durable medical equipment, prosthetic, orthotic and supplies (DMEPOS) claims as well as home health and hospice claims. Medicare Part B covers medically necessary DME. The following are the RAC regions:
Region 1 – Performant Recovery, Inc.
Region 2 – Cotiviti, LLC
Region 3 – Cotiviti, LLC
Region 4 – HMS Federal Solutions
Region 5 – Performant Recovery, Inc.
As you can see from the above map, we are in Region 3. The country is broken up into four regions. But, wait, you say, you said that Performant Recovery is performing RAC audits in region 5 – where is region 5?
Region 5 is the whole country.
The Centers for Medicare and Medicaid (CMS) has contracted with Performant Recovery to audit DME and home health and hospice across the whole country.
DME and home health and hospice providers – There is nowhere to hide. If you provide equipment or services within the blue area, region 5, you are a target for a RAC audit.
What are some common findings in a RAC audit for DME?
Without question, the most common finding in a RAC or CERT audit is “insufficient documentation.” The problem is that “insufficient documentation” is nebulous, at best, and absolutely incorrect, at worst. This error is by auditors if they cannot conclude that the billed services were actually provided, were provided at the level billed, and/or were medically necessary. An infuriating discovery was when I was defending a DME RAC audit and learned that the “real” reason for the denial of a claim was that no one went to the consumers door, knocked on it, and verified that a wheelchair had, in fact, been delivered. In-person verification of delivery is not a requirement, nor should it be. Such a burdensome requirement would unduly prejudice DME companies. Yes, you need to be able to show a signed and dated delivery slip, but you do not have to go to the consumer’s house and snap a selfie with the consumer and the piece of equipment.
Another common target for RAC audits is oxygen tubing, oxygen stands/racks, portable liquid oxygen systems, and oxygen concentrators. RAC auditors mainly look for medical necessity for oxygen equipment. Hospital beds/accessories are also a frequent find in a RAC audit. A high use of hospital beds/accessories codes can enlarge the target on your back.
Another recurrent issue that the RAC auditors cite is billing for bundled services separately. Medicare does not make separate payment for DME provider when a beneficiary is in a covered inpatient stay. RAC auditors check whether suppliers are inappropriately receiving separate DME payment when the beneficiary is in a covered inpatient stay. Suppliers can’t bill for DME items used by the patient prior to the patient’s discharge from the hospital. Medicare doesn’t allow separate billing for surgical dressings, urological supplies, or ostomy supplies provided in the hospital because reimbursement for them is wrapped into the Part A payment. This prohibition applies even if the item is worn home by the patient when leaving the hospital.
As always, documentation of the face to face encounter and the prescription are also important.
You can find the federal regulation for DME documentation at 42 CFR 410.38 – “Durable medical equipment: Scope and conditions.”
Once you receive an alleged overpayment, know your rights! Appeal, appeal, appeal!! The Medicare appeal process can be found here.
Electronic health records or EHR have metamorphosed health care. Choosing a vendor can be daunting and the prices fluctuate greatly. As a provider, you probably determine your EHR platform on which vendor’s program creates the best service notes… or which creates the most foolproof way of tracking time… or which program is the cheapest.
But…what’s in YOUR contract can be legally deadly.
Regardless how you choose your EHR vendor, you need to keep the following legal issues in mind when it comes to EHR and the law:
Regulatory and Clinical Coverage Policy Compliance
Most likely, your EHR vendor does not have a legal degree. Yet, you are buying a product and assuming that the EHR program complies with applicable regulations, rules, and clinical coverage policies – whichever are applicable to your type of service. Well, guess what? These regulations, rules, and clinical coverage policies are not stagnant. They are amended, revised, and re-written more than my chickens lay eggs, but a little less often, because my chickens lay eggs every day.
Think about it – The Division of Medical Assistance (DMA) publishes a monthly Medicaid Bulletin. Every month DMA provides more insight, more explanations, more rules that providers will be held accountable to follow.
Does your EHR program update every month?
You need to review your contract and determine whether the vendor is responsible for regulatory compliance or whether you are. If you are, should you put so much faith in the EHR program?
You are required to maintain your records (depending on your type of service) anywhere from 5-10 years. Let’s say that you sign a four year contract with EHR Vendor X. The four years expires, and you hire a new EHR vendor. You are audited. But Vendor X does not allow you access to the records because you no longer have a contract with them – not their problem!
You need to ensure that your EHR contract allows you access to your documents (because they are your documents) even in the event of the contract expiring or getting terminated. The excuse that “I don’t have access to that” does not equal a legal defense.
This is otherwise known as the “Blame Game.” If there is a problem with regulatory compliance, as in, the EHR records do not follow the regulations, then you need to know whether the EHR vendor will take responsibility and pay, or help pay, for attorneys’ fees to defend yourself.
Like it or not, the EHR vendor does not undergo audits by the state and federal government. The EHR vendor does not undergo post and pre-payment reviews for regulatory compliance. You do. It is your NPI number that is held accountable for regulatory compliance.
You need to check whether there is an indemnification clause in the EHR contract. In other words, if you are accused of an overpayment because of a mistake on the part of the vendor, will the vendor cover your defense? My guess is that there is no indemnification clause.
HIPAA laws require that you minimize the access to private health information (PHI) and prevent dissemination. With hard copies, this was easy. You could just lock up the documents. With EHR, it becomes trickier. Obviously, you have access to the PHI as the provider. But who can access your EHR on the vendor-side? Assuming that the vendor has an IT team in case of computer issues, you have to consider to what exactly does that team have access.
I recently attended a legal continuing education class on data breach and HIPAA compliance for health care. One of the speakers was a Special Agent with the FBI. This gentleman prosecutes data breaches for a living. He said that hackers will pay over $500 per private medical document. Health care companies experienced a 72% increase in cyberattacks between 2013 and 2014. Stolen health care information is 10 times more valuable than your credit card information.
Obviously, I am exaggerating here. I do not believe that The Walking Dead is real and in our future. But here is my point – You are held accountable for maintaining your medical records, even in the face of an act of God or terrorism.
Example: It was 1996. Provider Dentist did not have EHR; he had hard copies. Hurricane Fran flooded Provider Dentist’s office, ruining all medical records. When Provider Dentist was audited, the government did not accept the whole “there was a hurricane” excuse. Dentist was liable for sever penalties and recoupments.
Fast forward to 2017 and EHR – Think a mass computer shutdown won’t happen? Just ask Delta about its August 2016 computer shutdown that took four days and cancelled over 2000 flights. Or Medstar Health, which operates 10 hospitals and more than 250 outpatient facilities, when in March 2016, a computer virus shut down its emails and…you guessed it…its EHR database.
So, what’s in YOUR contract?
You are a provider, and you accept Medicare and Medicaid. You find out that the person with whom you contracted to provide extraction services for your dental patients has been upcoding for the last few months. -or- You discover that the supervisory visits over the past year have been less than…well, nonexistent. -or- Or your licensed therapist forgot to mention that her license was revoked. What do you do?
What do you do when you unearth a potential, past overpayment to you from Medicare or Medicaid?
Number One: You do NOT hide your head!
Do not be an ostrich. First, being an ostrich will have a direct correlation with harsher penalties. Second, you may miss mandatory disclosure deadlines, which will lead to a more in-depth, concentrated, and targeted audits by the government, which will lead to harsher penalties.
As for the first (harsher penalties), not only will your potential, monetary penalties leap skyward, but knowledge (actual or should have had) could put you at risk for criminal liability or false claims liability. As for increased, monetary penalties, recent Office of Inspector General (OIG) information regarding the self disclosure protocol indicates that self disclosure could reduce the minimum multiplier to only 1.5 times the single damages versus 2-10 times the damages without self disclosure.
As for the second (missing deadlines), your penalties will be exorbitantly higher if you had or should have had actual knowledge of the overpayments and failed to act timely. Should the government, despite your lack of self disclosure, decide to audit your billings, you can count on increased scrutiny and a much more concentrated, in-depth audit. Much of the target of the audit will be what you knew (or should have) and when you knew (or should have). Do not ever think: “I will not ever get audited. I am a small fish. There are so many other providers, who are really de-frauding the system. They won’t come after me.” If you do, you will not be prepared when the audit comes a’knocking on your door – and that is just foolish. In addition, never underestimate the breadth and scope of government audits. Remember, our tax dollars provide almost unlimited resources to fund thousands of audits at a time. Being audited is not like winning the lottery, Your chances are not one in two hundred million. If you accept Medicare and/or Medicaid, your chances of an audit are almost 100%. Some providers undergo audits multiple times a year.
Knowing that the definition of “knowing” may not be Merriam Webster’s definition is also key. The legal definition of “knowing” is more broad that you would think. Section 1128J(d)(4)(A) of the Act defines “knowing” and “knowingly” as those terms are defined in 31 U.S.C. 3729(b). In that statute the terms “knowing” and “knowingly” mean that a person with respect to information—(i) has actual knowledge of the information; (ii) acts in deliberate ignorance of the truth or falsity of the information; or (iii) acts in reckless disregard of the truth or falsity of the information. 31 U.S.C. 3729(b) also states that knowing and knowingly do not require proof of specific intent to defraud.
Number Two: Contact your attorney.
It is essential that you have legal counsel throughout the self disclosure process. There are simply too many ways to botch a well-intended, self disclosure into a casus belli for the government. For example, OIG allows three options for self disclosure; however, one option requires prior approval from OIG. Your counsel needs to maintain your self disclosure between the allowable, navigational beacons.
Number Three: Act timely.
You have 60-days to report and pay. Section 1128J(d)(2) of the Social Security Act requires that a Medicare or Medicaid overpayment be reported and returned by the later of (1) the date that is 60 days after the date on which the overpayment was identified or (2) the date any corresponding cost report is due, if applicable. See blog.
If you have a Medicare issue, please continue to Number Four. If your issue is Medicaid only, please skip Number Four and go to Number Five. If your issue concerns both Medicare and Medicaid, continue with Number Four and Five (skip nothing).
Number Four: Review the OIG Self Disclosure Protocol (for Medicare).
OIG publishes a Self Disclosure Protocol. Read it. Print it. Frame it. Wear it. Memorize it.
Since 2008, OIG has resolved 235 self disclosure provider cases through settlements. In all but one of these cases, OIG released the disclosing parties from permissive exclusion without requiring any integrity measures. What that means is that, even if you self disclose, OIG has the authority to exclude you from the Medicare system. However, if you self disclose, may the odds be ever in your favor!
Number Five: Review your state’s self disclosure protocol.
While every state differs slightly in self disclosure protocol, it is surprising how similar the protocol is state-to-state. In order to find your state’s self disclosure protocol, simply Google: “[insert your state] Medicaid provider self disclosure protocol.” In most cases, you will find that your state’s protocol is less burdensome than OIG’s.
On the state-side, you will also find that the benefits of self disclosure, generally, are even better than the benefits from the federal government. In most states, self disclosure results in no penalties (as long as you follow the correct protocol and do not hide anything).
Number Six: Draft your self disclosure report.
Your self disclosure report must contain certain criteria. Review the Federal Registrar for everything that needs to be included.
It is important to remember that you are only responsible for self disclosures going back six years (on the federal side).
Mail the report to:
330 Independence Avenue, Room 5527
Washington, DC 20201
Or you can self disclose online at this link.
Happy New Year, readers!!! A whole new year means a whole new investigation plan for the government…
The Department of Health and Human Services (HHS) Office of Inspector General (OIG) publishes what is called a “Work Plan” every year, usually around November of each year. 2017 was no different. These Work Plans offer rare insight into the upcoming plans of Medicare investigations, which is important to all health care providers who accept Medicare and Medicaid.
For those of you who do not know, OIG is an agency of the federal government that is charged with protecting the integrity of HHS, basically, investigating Medicare and Medicaid fraud, waste, and abuse.
So let me look into my crystal ball and let you know which health care professionals may be audited by the federal government…
The 2017 Work Plan contains a multitude of new and revised topics related to durable medical equipment (DME), hospitals, nursing homes, hospice, laboratories.
For providers who accept Medicare Parts A and B, the following are areas of interest for 2017:
- Hyperbaric oxygen therapy services: provider reimbursement
- Inpatient psychiatric facilities: outlier payments
- Skilled nursing facilities: reimbursements
- Inpatient rehabilitation hospital patients not suited for intensive therapy
- Skilled nursing facilities: adverse event planning
- Skilled nursing facilities: unreported incidents of abuse and neglect
- Hospice: Medicare compliance
- DME at nursing facilities
- Hospice home care: frequency of on-site nurse visits to assess quality of care and services
- Clinical Diagnostic Laboratories: Medicare payments
- Chronic pain management: Medicare payments
- Ambulance services: Compliance with Medicare
For providers who accept Medicare Parts C and D, the following are areas of interest for 2017:
- Medicare Part C payments for individuals after the date of death
- Denied care in Medicare Advantage
- Compounded topical drugs: questionable billing
- Rebates related to drugs dispensed by 340B pharmacies
For providers who accept Medicaid, the following are areas of interest for 2017:
- States’ MCO Medicaid drug claims
- Personal Care Services: compliance with Medicaid
- Medicaid managed care organizations (MCO): compliance with hold harmless requirement
- Hospice: compliance with Medicaid
- Medicaid overpayment reporting and collections: all providers
- Medicaid-only provider types: states’ risk assignments
- Accountable care
Caveat: The above-referenced areas of interest represent the published list. Do not think that if your service type is not included on the list that you are safe from government audits. If we have learned nothing else over the past years, we do know that the government can audit anyone anytime.
If you are audited, contact an attorney as soon as you receive notice of the audit. Because regardless the outcome of an audit – you have appeal rights!!! And remember, government auditors are more wrong than right (in my experience).
Another Win for the Good Guys! RAC Auditors Cannot Look Back Over 3 Years!!! (BTW: We Already Knew This -Shhhhh!)
I love being right – just ask my husband.
I have argued for years that government auditors cannot go back over three years when conducting a Medicaid/Care audit of a health care provider’s records, unless there are credible allegations of fraud. See blog.
42 CFR 455.508 states that “[a]n entity that wishes to perform the functions of a Medicaid RAC must enter into a contract with a State to carry out any of the activities described in § 455.506 under the following conditions:…(f) The entity must not review clams that are older than 3 years from the date of the claim, unless it receives approval from the State.”
Medicaid RAC is defined as “Medicaid RAC program means a recovery audit contractor program administered by a State to identify overpayments and underpayments and recoup overpayments.” 42 CFR 455. 504.
From the definition of a Medicaid RAC (Medicare RAC is similarly defined), albeit vague, entities hired by the state to identify over and underpayments are RACs. And RACs are prohibited from auditing claims that are older than 3 years from the date of the claim.
In one of our recent cases, our client, Edmond Dantes, received a Tentative Notice of Overpayment from Public Consulting Group (PCG) on May 13, 2015. In a Motion for Summary Judgment, we argued that PCG was disallowed to review claims prior to May 13, 2012. Of the 8 claims reviewed, 7 claims were older than May 13, 2012 – one even went back to 2009!
The Administrative Law Judge (ALJ) at the Office of Administrative Hearings (OAH) agreed. In the Order Granting Partial Summary Judgment, the ALJ opined that “[s]tatutes of limitation serve an important purpose: to afford security against stale demands.”
Accordingly, the ALJ threw out 7 of the 8 claims for violating the statute of limitation. With one claim left, the amount in controversy was nominal.
A note as to the precedential value of this ruling:
Generally, an ALJ decision is not binding on other ALJs. The decisions are persuasive. Had DHHS appealed the decision and the decision was upheld by Superior Court, then the case would have been precedent; it would have been law.
Regardless, this is a fantastic ruling , which only bolsters my argument that Medicaid/care auditors cannot review claims over 3 years old from the date of the claim.
So when you receive a Tentative Notice of Overpayment, after contacting an attorney, look at the reviewed claims. Are those reviewed claims over 3 years old? If so, you too may win on summary judgment.
Dr. Isaac Kojo Anakwah Thompson, a Florida primary care physician, was sentenced in July 2016 to 4 years in prison and a subsequent two years of supervised release. Dr. Thompson pled guilty to health care fraud. He was further ordered to pay restitution in the amount of $2,114,332.33. Ouch!! What did he do?
According to the Department of Justice, Dr. Thompson falsely reported that 387 of his clients suffered from ankylosing spondylitis when they did not.
Question: How does faking a patient’s disease make a physician money???
Answer: Hierarchal condition category (HCC) coding. Wait, what?
Basically, Medicare Advantage assigns HCC coding to each patient depending on the severity of their illnesses. Higher HCC scores equals substantially higher monthly capitation payments from Medicare to the managed care organization (MCO). In turn, the MCO will pay physicians more who have more extremely sick patients (higher HCC codes).
Ankylosing spondylitis is a form of arthritis that causes inflammation and damage at the joints; eventually, the inflamed spinal joints can become fused, or joined together so they can’t move independently. It’s a rare disease, affecting 1 in 1000 people. And, importantly, it sports a high HCC code.
In this case, the Office of Inspector General (OIG) found it odd that, between 2006-2010, Dr. Thompson diagnosed 387 Medicare Advantage beneficiaries with ankylosing spondylitis and treated them with such rare disease. To which, I say, if you’re going to defraud the Medicare system, choose common, fabricated diseases (kidding – it’s called sarcasm – I always have to add a disclaimer for people with no humor).
According to the Department of Justice, none or very few of Dr. Thompson’s 387 consumers actually had ankylosing spondylitis.
My issue is as follows: Doesn’t the managed care organization (MCO) share in some of the punishment? Shouldn’t the MCO have to repay the financial benefit it reaped from Dr. Thompson?? Shouldn’t the MCO have a duty to report such oddities?
Let me explain:
In Florida, Humana acted as the MCO. Every dollar that Dr. Thompson received was funneled through Humana. Humana would pay Dr. Thompson a monthly capitation fee from Medicare Advantage based on his patient’s hierarchal condition category (HCC) coding. Increasing even just one patient’s HCC code means more bucks for Dr. Thompson. Remember, according to the DOJ, he increased 387 patients’ HCC codes.
Dr. Thompson reported these diagnoses to Humana, which in turn reported them to Medicare. Consequently, Medicare paid approximately $2.1 million in excess capitation fees to Humana, approximately 80% of which went to Dr. Thompson.
In this case, it is reasonable to expect that Humana had knowledge that Dr. Thompson reported abnormally high HCCs for his patients. For comparison, ankylosing spondylitis has an HCC score of 0.364, which is more than an aortic aneurysm and three times as high as diabetes. Plus, look at the amount of money that the MCO paid Dr. Thompson. Surely, it appeared irregular.
What, if anything, is the MCO’s duty to report physicians with an abnormally high number of high HCC codes? If you have knowledge of someone committing a crime and you do nothing, isn’t that called aiding and abetting?
With the publication of the Yates memo, I expect to see CMS holding MCOs and other state agencies accountable for the actions of its providers. Not to say that the MCOs should actively, independently investigate Medicare/caid fraud, but to notify the Human Services Department (HSD) if abnormalities exist, especially if as blatant as one doctor with 387 patients suffering from ankylosing spondylitis.
I have blogged about peeing in a cup before…but we will not be talking about dentists in this blog. Instead we will be discussing pain management physicians and peeing in a cup.
Pain management physicians are under intense scrutiny on the federal and state level due to increased urine testing. But is it the pain management doctors’ fault?
When I was little, my dad and I would play catch with bouncy balls. He would always play a dirty little trick, and I fell for it every time. He would toss one ball high in the air. While I was concentrating on catching that ball, he would hurl another ball straight at me, which, every time, smacked into me – leaving me disoriented as to what was happening. He would laugh and laugh. I was his Charlie Brown, and he was my Lucy. (Yes, I have done this to my child).
The point is that it is difficult to concentrate on more than one thing. When the Affordable Care Act (ACA) came out, it was as if the federal government wielded 500, metaphoric, bouncy balls at every health care provider. You couldn’t comprehend it in its entirety. There were different deadlines for multiple changes, provider requirements, employer requirements, consumer requirements…it was a bloodbath! [If you haven’t seen the brothers who trick their sister into thinking it’s a zombie apocalypse, you have to watch it!!]
A similar “metaphoric ball frenzy” is occurring now with urine testing, and pain management physicians make up the bulk of prescribed urine testing. The urine testing industry has boomed in the past 4-5 years. This could be caused by a number of factors:
- increase use of drugs (especially heroine and opioids),
- the tightening of regulations requiring physicians to monitor whether patients are abusing drugs,
- increase of pain management doctors purchasing mass-spectrometry machines and becoming their own lab,
- simply more people are complaining of pain, and
- the pharmaceutical industry’s direct-to-consumer advertising (DTCA).
Medicare’s spending on 22 high-tech tests for drugs of abuse hit $445 million in 2012, up 1,423% in five years. “In 2012, 259 million prescriptions were written for opioids, which is more than enough to give every American adult their own bottle of pills.” See article.
According to the American Association of Pain Management, pain affects more Americans than diabetes, heart disease and cancer combined. The chart below depicts the number of chronic pain sufferers compared to other major health conditions.
In the world of Medicare and Medicaid, where there is profit being made, the government comes a-knockin’.
But should we blame the pain management doctors if recent years brought more patients due to increase of drug use? The flip side is that we do not want doctors ordering urine tests unnecessarily. But aren’t the doctors supposed to the experts on medical necessity??? How can an auditor, who is not a physician and never seen the patient opine to medical necessity of a urine test?
The metaphoric ball frenzy:
There are so many investigations into urine testing going on right now.
Ball #1: The machine manufacturers. A couple of years ago, Carolina Liquid Chemistries (CLC) was raided by the federal government. See article. One of the allegations was that CLC was misrepresenting their product, a urinalysis machine, which caused doctors to overbill Medicare and Medicaid. According to a source, the federal government is still investigating CLC and all the physicians who purchased the urinalysis machine from CLC.
Ball #2: The federal government. Concurrently, the federal government is investigating urine testing billed to Medicare. In 2015, Millennium Health paid $256 million to resolve alleged violations of the False Claims Act for billing Medicare and Medicaid for medically unnecessary urine drug and genetic testing. I wonder if Millennium bought a urinalysis machine from CLC…
Ball #3: The state governments. Many state governments are investigating urine testing billed to Medicaid. Here are a few examples:
New Jersey: July 12, 2016, a couple and their diagnostic imaging companies were ordered to pay more than $7.75 million for knowingly submitting false claims to Medicare for thousands of falsified diagnostic test reports and the underlying tests.
Oklahoma: July 10, 2016, the Oklahoma attorney general’s office announced that it is investigating a group of laboratories involved in the state’s booming urine testing industry.
Tennessee: April 2016, two lab professionals from Bristol, Tenn., were convicted of health care fraud in a scheme involving urine tests for substance abuse treatments.
If you are a pain management physician, here are a few recommendations to, not necessarily avoid an audit (because that may be impossible), but recommendations on how to “win” an audit:
- Document, document, document. Explain why the urine test is medically necessary in your documents. An auditor is less likely to question something you wrote at the time of the testing, instead of well after the fact.
- Double check the CPT codes. These change often.
- Check your urinalysis machine. Who manufactured it? Is it performing accurately?
- Have an experienced, knowledgeable, health care attorney. Do not wait for the results of the audit to contact an attorney.
And, perhaps, the most important – Do NOT just accept the results of an audit. Especially with allegations involving medical necessity…there are so many legal defenses built into regulations!! You turn around and throw a bouncy ball really high – and then…wallop them!!