Interestingly, how OIG and who OIG targets for audits is much more transparent than one would think. OIG tells you in advance (if you know where to look).
Prior to June 2017, the Office of Inspector General’s (OIG) OIG updated its public-facing Work Plan to reflect those adjustments once or twice each year. In order to enhance transparency around OIG’s continuous work planning efforts, effective June 15, 2017, OIG began updating its Work Plan website monthly.
Why is this important? I will even take it a step further…why is this information crucial for health care providers, such as you?
These monthly reports provide you with notice as to whether the type of provider you are will be on the radar for Medicare and Medicaid audits. And the notice provided is substantial. For example, in October 2017, OIG announced that it will investigate and audit specialty drug coverage and reimbursement in Medicaid – watch out pharmacies!!! But the notice also states that these audits of pharmacies for speciality drug coverage will not begin until 2019. So, pharmacies, you have over a year to ensure compliance with your records. Now don’t get me wrong… you should constantly self audit and ensure regulatory compliance. Notwithstanding, pharmacies are given a significant warning that – come 2019 – your speciality drug coverage programs better be spic and span.
Another provider type that will be on the radar – bariatric surgeons. Medicare Parts A and B cover certain bariatric procedures if the beneficiary has (1) a body mass index of 35 or higher, (2) at least one comorbidity related to obesity, and (3) been previously unsuccessful with medical treatment for obesity. Treatments for obesity alone are not covered. Bariatric surgeons, however, get a bit less lead time. Audits for bariatric surgeons are scheduled to start in 2018. Considering that 2018 is little more than a month away, this information is less helpful. The OIG Work Plans do not specific enough to name a month in which the audits will begin…just sometime in 2018.
Where do you find such information? On the OIG Work Plan website. Click here. Once you are on the website, you will see the title at the top, “Work Plan.” Directly under the title are the “clickable” subjects: Recently Added | Active Work Plan Items | Work Plan Archive. Pick one and read.
You will see that CMS is not the only agency that OIG audits. It also audits the Food and Drug Administration and the Office of the Secretary, for example. But we are concerned with the audits of CMS.
Other targeted providers types coming up:
- Security of Certified Electronic Health Record Technology Under Meaningful Use
- States’ Collection of Rebates on Physician-Administered Drugs
- States’ Collection of Rebates for Drugs Dispensed to Medicaid MCO Enrollees
- Adult Day Health Care Services
- Oversight of States’ Medicaid Information Systems Security Controls
- States’ MCO Medicaid Drug Claims
- Incorrect Medical Assistance Days Claimed by Hospitals
- Selected Inpatient and Outpatient Billing Requirements
And the list goes on and on…
Do not think that if your health care provider type is not listed on the OIG website that you are safe from audits. As we all know, OIG is not the only entity that conducts regulatory audits. The States and its contracted vendors also audit, as well as the RACs, MICs, MACs, CERTs…
Never forget that whatever entity audits you, YOU HAVE APPEAL RIGHTS!
The Center for Medicare and Medicaid Services (CMS) announced the expansion of Targeted Probe and Educate (TPE) audits. At first glance, this appears to be fantastic news coming on the heels of so much craziness at Health and Human Services (HHS). We have former-HHS Secretary Price flying our tax dollars all over. Dr. Don Wright stepping up as our new Secretary. The Medicare appeal backlog fiasco. The repeal and replace Obamacare bomb. Amidst all this tomfoolery, health care providers are still serving Medicare and Medicaid patients, reimbursement rates are in the toilet, which drives down quality and incentivizes providers to not accept Medicare or Medicaid (especially Caid), and providers are undergoing “Audit Alphabet Soup.” I actually had a client tell me that he receives audit letters requesting documents and money every single week from a plethora of different organizations.
So when CMS announced that it was broadening its TPE audits, it was a sigh of relief for many providers. But will TPE audits be the benign beasts they are purporting to be?
What is a TPE audit? (And – Can We Have Anymore Acronyms…PLEASE!)
CMS says that TPE audits are benevolent. CMS’ rhetoric indicates that these audits should not cause the toner to run out from overuse. CMS states that TPE audits will involve “the review of 20-40 claims per provider, per item or service, per round, for a total of up to three rounds of review.” See CMS Announcement. The idea behind the TPE audits (supposedly) is education, not recoupments. CMS states that “After each round, providers are offered individualized education based on the results of their reviews. This program began as a pilot in one MAC jurisdiction in June 2016 and was expanded to three additional MAC jurisdictions in July 2017. As a result of the successes demonstrated during the pilot, including an increase in the acceptance of provider education as well as a decrease in appealed claims decisions, CMS has decided to expand to all MAC jurisdictions later in 2017.” – And “later in 2017” has arrived. These TPE audits are currently being conducted nationwide.
Below is CMS’ vision for a TPE audit:
Clear? As mud?
The chart does not indicate how long the provider will have to submit records or how quickly the TPE auditors will review the documents for compliance. But it appears to me that getting through Round 3 could take a year (this is a guess based on allowing the provider 30 days to gather the records and allowing the TPE auditor 30 days to review).
Although the audit is purportedly benign and less burdensome, a TPE audit could take a whole year or more. Whether the audit reviews one claim or 20, having to undergo an audit of any size for a year is burdensome on a provider. In fact, I have seen many companies having to hire staff dedicated to responding to audits. And here is the problem with that – there aren’t many people who understand Medicare/caid medical billing. Providers beware – if you rely on an independent biller or an electronic medical records program, they better be accurate. Otherwise the buck stops with your NPI number.
Going back to CMS’ chart (above), notice where all the “yeses” go. As in, if the provider is found compliant , during any round, all the yeses point to “Discontinue for at least 12 months.” I am sure that CMS thought it was doing providers a favor, but what that tells me is the TPE audit will return after 12 months! If the provider is found compliant, the audit is not concluded. In fact, according to the chart, the only end results are (1) a referral to CMS for possible further action; or (2) continued TPE audits after 12 months. “Further action” could include 100% prepayment review, extrapolation, referral to a Recovery Auditor, or other action. Where is the outcome that the provider receives an A+ and is left alone??
CMS states that “Providers/suppliers may be removed from the review process after any of the three rounds of probe review, if they demonstrate low error rates or sufficient improvement in error rates, as determined by CMS.”
I just feel as though that word “may” should be “will.” It’s amazing how one word could change the entire process.
Durable Medical Equipment (DME) providers across the country are walking around with large, red and white bullseyes on their backs. Starting back in March 2017, the RAC audits began targeting DME and home health and hospice. DME providers also have to undergo audits by the Comprehensive Error Rate Testing Program (CERT).
The RAC for Jurisdiction 5, Performant Recovery, is a national company contracted to perform Recovery Audit Contractor (RAC) audits of durable medical equipment, prosthetic, orthotic and supplies (DMEPOS) claims as well as home health and hospice claims. Medicare Part B covers medically necessary DME. The following are the RAC regions:
Region 1 – Performant Recovery, Inc.
Region 2 – Cotiviti, LLC
Region 3 – Cotiviti, LLC
Region 4 – HMS Federal Solutions
Region 5 – Performant Recovery, Inc.
As you can see from the above map, we are in Region 3. The country is broken up into four regions. But, wait, you say, you said that Performant Recovery is performing RAC audits in region 5 – where is region 5?
Region 5 is the whole country.
The Centers for Medicare and Medicaid (CMS) has contracted with Performant Recovery to audit DME and home health and hospice across the whole country.
DME and home health and hospice providers – There is nowhere to hide. If you provide equipment or services within the blue area, region 5, you are a target for a RAC audit.
What are some common findings in a RAC audit for DME?
Without question, the most common finding in a RAC or CERT audit is “insufficient documentation.” The problem is that “insufficient documentation” is nebulous, at best, and absolutely incorrect, at worst. This error is by auditors if they cannot conclude that the billed services were actually provided, were provided at the level billed, and/or were medically necessary. An infuriating discovery was when I was defending a DME RAC audit and learned that the “real” reason for the denial of a claim was that no one went to the consumers door, knocked on it, and verified that a wheelchair had, in fact, been delivered. In-person verification of delivery is not a requirement, nor should it be. Such a burdensome requirement would unduly prejudice DME companies. Yes, you need to be able to show a signed and dated delivery slip, but you do not have to go to the consumer’s house and snap a selfie with the consumer and the piece of equipment.
Another common target for RAC audits is oxygen tubing, oxygen stands/racks, portable liquid oxygen systems, and oxygen concentrators. RAC auditors mainly look for medical necessity for oxygen equipment. Hospital beds/accessories are also a frequent find in a RAC audit. A high use of hospital beds/accessories codes can enlarge the target on your back.
Another recurrent issue that the RAC auditors cite is billing for bundled services separately. Medicare does not make separate payment for DME provider when a beneficiary is in a covered inpatient stay. RAC auditors check whether suppliers are inappropriately receiving separate DME payment when the beneficiary is in a covered inpatient stay. Suppliers can’t bill for DME items used by the patient prior to the patient’s discharge from the hospital. Medicare doesn’t allow separate billing for surgical dressings, urological supplies, or ostomy supplies provided in the hospital because reimbursement for them is wrapped into the Part A payment. This prohibition applies even if the item is worn home by the patient when leaving the hospital.
As always, documentation of the face to face encounter and the prescription are also important.
You can find the federal regulation for DME documentation at 42 CFR 410.38 – “Durable medical equipment: Scope and conditions.”
Once you receive an alleged overpayment, know your rights! Appeal, appeal, appeal!! The Medicare appeal process can be found here.
Electronic health records or EHR have metamorphosed health care. Choosing a vendor can be daunting and the prices fluctuate greatly. As a provider, you probably determine your EHR platform on which vendor’s program creates the best service notes… or which creates the most foolproof way of tracking time… or which program is the cheapest.
But…what’s in YOUR contract can be legally deadly.
Regardless how you choose your EHR vendor, you need to keep the following legal issues in mind when it comes to EHR and the law:
Regulatory and Clinical Coverage Policy Compliance
Most likely, your EHR vendor does not have a legal degree. Yet, you are buying a product and assuming that the EHR program complies with applicable regulations, rules, and clinical coverage policies – whichever are applicable to your type of service. Well, guess what? These regulations, rules, and clinical coverage policies are not stagnant. They are amended, revised, and re-written more than my chickens lay eggs, but a little less often, because my chickens lay eggs every day.
Think about it – The Division of Medical Assistance (DMA) publishes a monthly Medicaid Bulletin. Every month DMA provides more insight, more explanations, more rules that providers will be held accountable to follow.
Does your EHR program update every month?
You need to review your contract and determine whether the vendor is responsible for regulatory compliance or whether you are. If you are, should you put so much faith in the EHR program?
You are required to maintain your records (depending on your type of service) anywhere from 5-10 years. Let’s say that you sign a four year contract with EHR Vendor X. The four years expires, and you hire a new EHR vendor. You are audited. But Vendor X does not allow you access to the records because you no longer have a contract with them – not their problem!
You need to ensure that your EHR contract allows you access to your documents (because they are your documents) even in the event of the contract expiring or getting terminated. The excuse that “I don’t have access to that” does not equal a legal defense.
This is otherwise known as the “Blame Game.” If there is a problem with regulatory compliance, as in, the EHR records do not follow the regulations, then you need to know whether the EHR vendor will take responsibility and pay, or help pay, for attorneys’ fees to defend yourself.
Like it or not, the EHR vendor does not undergo audits by the state and federal government. The EHR vendor does not undergo post and pre-payment reviews for regulatory compliance. You do. It is your NPI number that is held accountable for regulatory compliance.
You need to check whether there is an indemnification clause in the EHR contract. In other words, if you are accused of an overpayment because of a mistake on the part of the vendor, will the vendor cover your defense? My guess is that there is no indemnification clause.
HIPAA laws require that you minimize the access to private health information (PHI) and prevent dissemination. With hard copies, this was easy. You could just lock up the documents. With EHR, it becomes trickier. Obviously, you have access to the PHI as the provider. But who can access your EHR on the vendor-side? Assuming that the vendor has an IT team in case of computer issues, you have to consider to what exactly does that team have access.
I recently attended a legal continuing education class on data breach and HIPAA compliance for health care. One of the speakers was a Special Agent with the FBI. This gentleman prosecutes data breaches for a living. He said that hackers will pay over $500 per private medical document. Health care companies experienced a 72% increase in cyberattacks between 2013 and 2014. Stolen health care information is 10 times more valuable than your credit card information.
Obviously, I am exaggerating here. I do not believe that The Walking Dead is real and in our future. But here is my point – You are held accountable for maintaining your medical records, even in the face of an act of God or terrorism.
Example: It was 1996. Provider Dentist did not have EHR; he had hard copies. Hurricane Fran flooded Provider Dentist’s office, ruining all medical records. When Provider Dentist was audited, the government did not accept the whole “there was a hurricane” excuse. Dentist was liable for sever penalties and recoupments.
Fast forward to 2017 and EHR – Think a mass computer shutdown won’t happen? Just ask Delta about its August 2016 computer shutdown that took four days and cancelled over 2000 flights. Or Medstar Health, which operates 10 hospitals and more than 250 outpatient facilities, when in March 2016, a computer virus shut down its emails and…you guessed it…its EHR database.
So, what’s in YOUR contract?
You are a provider, and you accept Medicare and Medicaid. You find out that the person with whom you contracted to provide extraction services for your dental patients has been upcoding for the last few months. -or- You discover that the supervisory visits over the past year have been less than…well, nonexistent. -or- Or your licensed therapist forgot to mention that her license was revoked. What do you do?
What do you do when you unearth a potential, past overpayment to you from Medicare or Medicaid?
Number One: You do NOT hide your head!
Do not be an ostrich. First, being an ostrich will have a direct correlation with harsher penalties. Second, you may miss mandatory disclosure deadlines, which will lead to a more in-depth, concentrated, and targeted audits by the government, which will lead to harsher penalties.
As for the first (harsher penalties), not only will your potential, monetary penalties leap skyward, but knowledge (actual or should have had) could put you at risk for criminal liability or false claims liability. As for increased, monetary penalties, recent Office of Inspector General (OIG) information regarding the self disclosure protocol indicates that self disclosure could reduce the minimum multiplier to only 1.5 times the single damages versus 2-10 times the damages without self disclosure.
As for the second (missing deadlines), your penalties will be exorbitantly higher if you had or should have had actual knowledge of the overpayments and failed to act timely. Should the government, despite your lack of self disclosure, decide to audit your billings, you can count on increased scrutiny and a much more concentrated, in-depth audit. Much of the target of the audit will be what you knew (or should have) and when you knew (or should have). Do not ever think: “I will not ever get audited. I am a small fish. There are so many other providers, who are really de-frauding the system. They won’t come after me.” If you do, you will not be prepared when the audit comes a’knocking on your door – and that is just foolish. In addition, never underestimate the breadth and scope of government audits. Remember, our tax dollars provide almost unlimited resources to fund thousands of audits at a time. Being audited is not like winning the lottery, Your chances are not one in two hundred million. If you accept Medicare and/or Medicaid, your chances of an audit are almost 100%. Some providers undergo audits multiple times a year.
Knowing that the definition of “knowing” may not be Merriam Webster’s definition is also key. The legal definition of “knowing” is more broad that you would think. Section 1128J(d)(4)(A) of the Act defines “knowing” and “knowingly” as those terms are defined in 31 U.S.C. 3729(b). In that statute the terms “knowing” and “knowingly” mean that a person with respect to information—(i) has actual knowledge of the information; (ii) acts in deliberate ignorance of the truth or falsity of the information; or (iii) acts in reckless disregard of the truth or falsity of the information. 31 U.S.C. 3729(b) also states that knowing and knowingly do not require proof of specific intent to defraud.
Number Two: Contact your attorney.
It is essential that you have legal counsel throughout the self disclosure process. There are simply too many ways to botch a well-intended, self disclosure into a casus belli for the government. For example, OIG allows three options for self disclosure; however, one option requires prior approval from OIG. Your counsel needs to maintain your self disclosure between the allowable, navigational beacons.
Number Three: Act timely.
You have 60-days to report and pay. Section 1128J(d)(2) of the Social Security Act requires that a Medicare or Medicaid overpayment be reported and returned by the later of (1) the date that is 60 days after the date on which the overpayment was identified or (2) the date any corresponding cost report is due, if applicable. See blog.
If you have a Medicare issue, please continue to Number Four. If your issue is Medicaid only, please skip Number Four and go to Number Five. If your issue concerns both Medicare and Medicaid, continue with Number Four and Five (skip nothing).
Number Four: Review the OIG Self Disclosure Protocol (for Medicare).
OIG publishes a Self Disclosure Protocol. Read it. Print it. Frame it. Wear it. Memorize it.
Since 2008, OIG has resolved 235 self disclosure provider cases through settlements. In all but one of these cases, OIG released the disclosing parties from permissive exclusion without requiring any integrity measures. What that means is that, even if you self disclose, OIG has the authority to exclude you from the Medicare system. However, if you self disclose, may the odds be ever in your favor!
Number Five: Review your state’s self disclosure protocol.
While every state differs slightly in self disclosure protocol, it is surprising how similar the protocol is state-to-state. In order to find your state’s self disclosure protocol, simply Google: “[insert your state] Medicaid provider self disclosure protocol.” In most cases, you will find that your state’s protocol is less burdensome than OIG’s.
On the state-side, you will also find that the benefits of self disclosure, generally, are even better than the benefits from the federal government. In most states, self disclosure results in no penalties (as long as you follow the correct protocol and do not hide anything).
Number Six: Draft your self disclosure report.
Your self disclosure report must contain certain criteria. Review the Federal Registrar for everything that needs to be included.
It is important to remember that you are only responsible for self disclosures going back six years (on the federal side).
Mail the report to:
330 Independence Avenue, Room 5527
Washington, DC 20201
Or you can self disclose online at this link.
Happy New Year, readers!!! A whole new year means a whole new investigation plan for the government…
The Department of Health and Human Services (HHS) Office of Inspector General (OIG) publishes what is called a “Work Plan” every year, usually around November of each year. 2017 was no different. These Work Plans offer rare insight into the upcoming plans of Medicare investigations, which is important to all health care providers who accept Medicare and Medicaid.
For those of you who do not know, OIG is an agency of the federal government that is charged with protecting the integrity of HHS, basically, investigating Medicare and Medicaid fraud, waste, and abuse.
So let me look into my crystal ball and let you know which health care professionals may be audited by the federal government…
The 2017 Work Plan contains a multitude of new and revised topics related to durable medical equipment (DME), hospitals, nursing homes, hospice, laboratories.
For providers who accept Medicare Parts A and B, the following are areas of interest for 2017:
- Hyperbaric oxygen therapy services: provider reimbursement
- Inpatient psychiatric facilities: outlier payments
- Skilled nursing facilities: reimbursements
- Inpatient rehabilitation hospital patients not suited for intensive therapy
- Skilled nursing facilities: adverse event planning
- Skilled nursing facilities: unreported incidents of abuse and neglect
- Hospice: Medicare compliance
- DME at nursing facilities
- Hospice home care: frequency of on-site nurse visits to assess quality of care and services
- Clinical Diagnostic Laboratories: Medicare payments
- Chronic pain management: Medicare payments
- Ambulance services: Compliance with Medicare
For providers who accept Medicare Parts C and D, the following are areas of interest for 2017:
- Medicare Part C payments for individuals after the date of death
- Denied care in Medicare Advantage
- Compounded topical drugs: questionable billing
- Rebates related to drugs dispensed by 340B pharmacies
For providers who accept Medicaid, the following are areas of interest for 2017:
- States’ MCO Medicaid drug claims
- Personal Care Services: compliance with Medicaid
- Medicaid managed care organizations (MCO): compliance with hold harmless requirement
- Hospice: compliance with Medicaid
- Medicaid overpayment reporting and collections: all providers
- Medicaid-only provider types: states’ risk assignments
- Accountable care
Caveat: The above-referenced areas of interest represent the published list. Do not think that if your service type is not included on the list that you are safe from government audits. If we have learned nothing else over the past years, we do know that the government can audit anyone anytime.
If you are audited, contact an attorney as soon as you receive notice of the audit. Because regardless the outcome of an audit – you have appeal rights!!! And remember, government auditors are more wrong than right (in my experience).
Another Win for the Good Guys! RAC Auditors Cannot Look Back Over 3 Years!!! (BTW: We Already Knew This -Shhhhh!)
I love being right – just ask my husband.
I have argued for years that government auditors cannot go back over three years when conducting a Medicaid/Care audit of a health care provider’s records, unless there are credible allegations of fraud. See blog.
42 CFR 455.508 states that “[a]n entity that wishes to perform the functions of a Medicaid RAC must enter into a contract with a State to carry out any of the activities described in § 455.506 under the following conditions:…(f) The entity must not review clams that are older than 3 years from the date of the claim, unless it receives approval from the State.”
Medicaid RAC is defined as “Medicaid RAC program means a recovery audit contractor program administered by a State to identify overpayments and underpayments and recoup overpayments.” 42 CFR 455. 504.
From the definition of a Medicaid RAC (Medicare RAC is similarly defined), albeit vague, entities hired by the state to identify over and underpayments are RACs. And RACs are prohibited from auditing claims that are older than 3 years from the date of the claim.
In one of our recent cases, our client, Edmond Dantes, received a Tentative Notice of Overpayment from Public Consulting Group (PCG) on May 13, 2015. In a Motion for Summary Judgment, we argued that PCG was disallowed to review claims prior to May 13, 2012. Of the 8 claims reviewed, 7 claims were older than May 13, 2012 – one even went back to 2009!
The Administrative Law Judge (ALJ) at the Office of Administrative Hearings (OAH) agreed. In the Order Granting Partial Summary Judgment, the ALJ opined that “[s]tatutes of limitation serve an important purpose: to afford security against stale demands.”
Accordingly, the ALJ threw out 7 of the 8 claims for violating the statute of limitation. With one claim left, the amount in controversy was nominal.
A note as to the precedential value of this ruling:
Generally, an ALJ decision is not binding on other ALJs. The decisions are persuasive. Had DHHS appealed the decision and the decision was upheld by Superior Court, then the case would have been precedent; it would have been law.
Regardless, this is a fantastic ruling , which only bolsters my argument that Medicaid/care auditors cannot review claims over 3 years old from the date of the claim.
So when you receive a Tentative Notice of Overpayment, after contacting an attorney, look at the reviewed claims. Are those reviewed claims over 3 years old? If so, you too may win on summary judgment.