ZPIC Audits are Here. When it Rains, it Pours . . . DME Compliance is Essential!

ZPICs are Auditing DME Companies. DME Compliance is Essential.

(April 6, 2011): On September 15, 2010, the Inspector General of the Department of Health and Human Services (HHS-OIG), Daniel Levinson, testified before the House Committee on Energy and Commerce, Subcommittee on Health regarding waste, fraud, and abuse in the Medicare program, with a specific focus on durable medical equipment and supplies. Mr. Levinson noted that, over the last three decades, HHS-OIG has detected “significant levels” of fraud and abuse related to durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS). These concerns have resulted in steadily increasing oversight of DMEPOS suppliers by HHS-OIG and Medicare contractors.

I. DME Compliance Concerns Have Led to Multiple Regulatory Changes:

Perhaps most significantly, these concerns have led to the passage and implementation of a host of new statutes and regulations designed to deter and punish DMEPOS-related waste, fraud, and abuse. For instance, the Affordable Care Act (“ACA,” also informally referred to as “Health Care Reform Act” ) was signed into law by President Obama on March 23, 2010. ACA has dramatically expanded the regulatory authority of the Centers for Medicare and Medicaid Services (CMS) as it relates to DMEPOS suppliers. In his testimony before the Subcommittee on Health, Mr. Levinson remarked,

“The ACA provides the Secretary with new authorities and imposes new requirements consistent with OIG’s health care integrity strategy and recommendations. These include promoting data access and integrity; requiring actions to strengthen provider enrollment standards; promoting compliance with program requirements; and enhancing program oversight, including requiring greater reporting and transparency.” (emphasis added).

As set out below, each of these new regulatory measures (many of which have only recently become effective), will have a substantial impact on the way in which DMEPOS suppliers are reviewed and evaluated by Medicare contractors and by law enforcement authorities.

II. Preenrollment and Revalidation Screening Procedures:

The ACA empowered CMS to classify newly-enrolling or revalidating providers based on their perceived risk of fraud and then link those classifications to various types of screening procedures. This new rule, which went into effect on March 25, 2011, creates three categories of risk into which providers will be sorted: (1) Limited, (2) Moderate, and (3) High. The risk level with which a provider is designated is commensurate with the extent and nature of the pre-enrollment or revalidation screening procedures. Under the new rule, currently enrolled, revalidating DMEPOS suppliers have been assigned to the “Moderate Risk” category,[1] while newly-enrolling DMEPOS suppliers (including currently-enrolled DMEPOS suppliers who are adding another location) will be deemed “High Risk.”[2]

(A) Overview of Available Screening Procedures.

The following screening procedures are currently available to CMS:

  • Licensure Requirements – DMEPOS suppliers are required to comply with all applicable licensing, certification, or accreditation requirements in the state where they are located. Medicare contractors are responsible for reviewing state licensing board data every month to ensure that DMEPOS suppliers remain licensed, certified, or accredited.
  • Database Checks – Medicare contractors check various databases to ensure that current and prospective supplier information is accurate. CMS contractors check databases maintained by the Social Security Administration (used to verify an individual’s Social Security Number), the National Plan and Provider Enumeration System (NPPES) (used to verify the national provider identifier (NPI)), HHS-OIG’s “List of Excluded Individuals or Entities,” and the General Service Administration’s “Excluded Parties List System.”
  • Site Visits – The Medicare Program Integrity Manual (MPIM) permits contractors to conduct site visits to determine if a DMEPOS supplier is “operational”[3] or to ascertain whether the supplier is meeting applicable regulatory standards or program requirements. Some examples of site visits include:
  • The National Supplier Clearinghouse (NSC) Medicare Administration Contractor (the Medicare contractor responsible for handling enrollment applications for DMEPOS suppliers) currently conducts pre-enrollment site visits of DMEPOS applicants that are not part of a chain supplier (a chain is a supplier with more than 25 locations).
  • The NSC also conducts post-enrollment site visits to DMEPOS suppliers if CMS or NSC believes that the supplier may be involved in fraudulent or abusive activities. These post-enrollment site visits are intended to help ensure DMEPOS compliance with supplier standards.
  • A state survey agency or an approved national accreditation organization with “deeming authority” may also conduct pre-enrollment surveys of certified providers and suppliers to determine if they meet the Federal conditions of participation.
  • Criminal Background Checks – CMS is now empowered to conduct criminal background checks of DMEPOS “owners” (e.g. those who maintain a 5% or more ownership interest in the supplier), authorized officials, or managing employees.
  • Fingerprinting – the new fingerprinting requirement also applies to all owners, authorized officials, or managing employees of a DMEPOS supplier.

(B) Currently-Enrolled, Revalidating DMEPOS Suppliers.

Currently enrolled, revalidating DMEPOS suppliers, which are deemed “Moderate Risk” under the new regulations, will be subject to the following screening measures:

  • Verification that the provider meets applicable federal regulations and state requirements;
  • Verification that the provider meets applicable licensure requirements;
  • Ongoing database checks to ensure that the provider satisfies all applicable enrollment criteria; and
  • Unannounced or unscheduled site visits prior to and following provider enrollment or revalidation.

CMS has elected to categorize currently-enrolled, revalidating DMEPOS suppliers as “Moderate Risk” because many of them are highly dependent on federal healthcare programs for revenue and because CMS believes that a number of these types of providers enter business without any substantial clinical or business experience.

(C) Newly-Enrolling DMEPOS Suppliers.

Newly-enrolling DMEPOS suppliers will fall into the “High Risk” category and therefore must meet all of the foregoing requirements for “Moderate Risk” providers and undergo:

  • Fingerprinting; and
  • Criminal background checks.

CMS has classified newly-enrolling DMEPOS suppliers as “High Risk” because of the substantial number of such providers already enrolled in the Medicare program and the numerous government reports alleging waste, fraud, and abuse by DMEPOS suppliers in the Medicare program.

(D) Adjustments to a Supplier’s Risk Category.

The new rule also permits CMS to increase a supplier’s risk level from “Limited” or “Moderate” to “High” in any of the following circumstances:

  • CMS imposed a payment suspension on the supplier in the last 10 years;
  • The supplier has been excluded from Medicare by HHS-OIG;
  • The supplier’s billing privileges were revoked in the last 10 years and the supplier is attempting to establish new Medicare billing privileges by enrolling as a new supplier or registering a new practice location;
  • The supplier is precluded from billing Medicaid;
  • The supplier has been subject to any “final adverse action” in the last 10 years;
  • The supplier has been excluded from any federal healthcare program; or
  • CMS has lifted a temporary moratorium for a particular supplier type and a supplier that was prevented from enrolling due to the moratorium applies for enrollment within 6 months from the date the moratorium was lifted.

III. Certification Standards:

There are currently 30 unique standards that DMEPOS suppliers must certify that they meet and remain compliant with in order to be eligible for payment by Medicare. Four of these “standards” recently took effect on September 27, 2010. Additionally, on April 4, 2011, CMS published a proposed rule revising four different, existing standards.

New Certification Standards.

The four recently enacted certification standards with which DMEPOS suppliers must comply include:

  1. Oxygen Procurement: All DMEPOS suppliers must obtain oxygen from a state-licensed oxygen supplier if the DMEPOS supplier is located in a state that requires oxygen suppliers to be licensed. (42 C.F.R. § 424.57(c)(27)).
  2. Records Maintenance: All DMEPOS suppliers must maintain ordering and referring documentation relating to written orders and requests for payments for medical equipment within 7 years of the date of service. (42 C.F.R. § 424.57(c)(28)).
  3. Facility Location: All DMEPOS suppliers are prohibited from sharing a practice location with any other Medicare supplier or provider, except where:
    • The DEMPOS supplier is co-located with and wholly owned by a hospital, home health agency, skilled nursing facility, or other Medicare Part A provider and the DMEPOS supplier operates as a separate unit; or
    • A physician, non-physician practitioner, or physical or occupational therapist furnishes items directly to his or her own patients as part of his or her own professional services. (42 C.F.R. § 424.57(c)(29)).
  4. Business Hours: All DMEPOS suppliers must be open to the public for a minimum of 30 hours per week, except where:
    • A physician, non-physician practitioner, or physical or occupational therapist furnishes items directly to his or her own patients as part of his or her own professional services; or
    • The DMEPOS supplier is working with custom made orthotics and prosthetics (42 C.F.R. § 424.57(c)(30)).

(B) Proposed Revisions to Existing Certification Standards.

A Proposed Rule issued by CMS would alter four certification standards that are currently in force, including the following:

  1. Prohibition Against Direct Solicitation:
    • Current Rule: DMEPOS suppliers are prohibited from engaging in direct solicitations (e.g. by telephone, computer, e-mail, or in-person contact) of Medicare beneficiaries without their consent for the purpose of marketing a DMEPOS supplier’s products or services. (42 C.F.R. § 424.57(c)(11)).
    • Proposed Revision: The new rule would replace the phrase “direct solicitation” with a prohibition on contacting Medicare beneficiaries by telephone.
  2. State Licensure and Contractual Arrangements:
    • Current Rule: If a DMEPOS supplier is located in a State that requires a license to furnish items or services, the supplier must be licensed to provide those services and must employ any professionals so licensed on a full- or part-time basis. DMEPOS suppliers cannot contract with a third party to provide any such licensed services. (42 C.F.R. § 424.57(c)(1)(ii)).
    • Proposed Revision: A DMEPOS supplier may contract with a third party to provide a service that must be licensed under State law where such an arrangement is not expressly prohibited by State law.
  3. Compliance With Local Zoning Ordinances:
    • Current Rule: DMEPOS suppliers must comply with all local zoning requirements as a condition for payment by Medicare. (42 C.F.R. § 424.57(c)(1)(iii)).
    • Proposed Revision: CMS has proposed to eliminate this rule entirely.
  4. Physical Facility and Site Requirements.
    • Current Rule: DMEPOS suppliers must maintain a physical facility on an appropriate site, that meets certain requirements related to minimum square footage, visible signs, posted hours of operation, public accessibility, and adequate space for record storage, among others. (42 C.F.R. § 424.57(c)(7)).
    • Proposed Revision: The current rule exempts State-licensed professionals who provide custom fabricated orthotics or prosthetics in private practice. The proposed revision would extend this exemption to such professionals in States that do not offer such licenses.

In reviewing these proposed changes, most Suppliers believe that CMS’ contemplated regulatory changes merely represent additional “tightening” of the rules applied to DMEPOS Suppliers – effectively strengthening the government’s oversight over the industry. In any event, these proposed changes clearly point to the need for an effective Compliance Program.

IV. Conclusion:

Suppliers who are concerned about these new regulations should contact qualified counsel to assist with developing an effective compliance plan or, if need be, responding to an adverse action taken by CMS against the supplier.

Robert Liles Healthcare Attorney

Robert W. Liles, J.D., M.B.A., M.S., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law. Our attorneys are experienced in representing DMS suppliers and other Medicare participating providers in a wide range of audits, investigations and other enforcement actions by both contractors and by law enforcement. Should you have any questions regarding this article or other regulatory requirements, please contact us. Initial consultations are free. We can be reached at (202) 298-8750.

  • [1] A DMEPOS supplier who undergoes a change of ownership with no corresponding change to its tax identification number (or vice versa) will fall within the “Moderate Risk” category.
  • [2] A DMEPOS supplier who undergoes a change of ownership and a change to its tax identification number will fall within the “high risk” category.
  • [3] The MPIM defines “operational” to mean that the supplier has a qualified physical location, is open to the public for the purpose of providing healthcare services, is prepared to submit valid Medicare claims, and is properly staff, equipped, and stocked to furnish items or services.