Déjà Vu – RAC Prepayment Reviews Are Back!
February 7, 2012 by rliles
Filed under Health Law Articles, Medicare Overpayments
I. Overview:
Late last week, the Centers for Medicare and Medicaid Services (CMS) announced that prepayment reviews by Recovery Audit Contractors (RACs) would begin (again) on or after June 1, 2012. As we previously discussed, CMS had originally delayed the program amid significant provider concerns about its operation.
II. Background:
RACs have long served an important role in detecting and recovering both Part A and Part B overpayments since the program began in 2005. Utilizing both automatic review edits and complex medical reviews to identify a multitude of claims errors, RACs have greatly assisted the government in its efforts to protect the integrity of the Medicare Trust Fund. As you know, RACs are paid on a contingency basis, based on the amount of improper payments (either overpayments or underpayments) each RAC identifies and actual recovers. Despite harsh criticism from the provider community, RACs have been successful in their audit and recovery tasks, prompting the Federal government to expand their authority to review claims.
III. RAC Prepayment Review Demonstration:
Initially announced on November 15, 2011, CMS’ RAC Prepayment Review Demonstration Project was slated to start in 11 states on January 1, 2012, including Florida, California, Mississippi, Texas, New York, Louisiana, Illinois, Pennsylvania, Ohio, North Carolina and Missouri. Through the project, CMS was hoping to ensure that Medicare claims reimbursed by the government were medically necessary and met coding and billing criteria before such claims were paid. Due, at least in part, to significant concerns from providers and hospitals about the substantial administrative burden such review would cause, CMS announced last month that it was indefinitely delaying the RAC Prepayment Review Demonstration Project. As we noted when CMS first announced this delay, while providers may have considered this postponement a victory, CMS still has numerous other contractors actively performing prepayment review audits each day around the country. At the end of the day, the issue really isn’t whether CMS is going to instruct its contractors to conduct prepayment reviews, it really comes down to whether providers are properly meeting applicable medical necessarily, coverage, documentation, coding and billing requirements.
IV. Impact of Being Placed on Prepayment Review:
As you may know, there is no prepayment review administrative appeals process. As a result, providers placed on prepayment review have little recourse to reverse the decision, and often remain on review for four to six months (although we have seen reviews lasting up to a year) or until the provider is able to show their Medicare Administrative Contractor (MAC) that the services billed meet medical necessity, coverage and documentation requirements. Importantly, this determination is entirely based on the respective MAC’s subjective view of the propriety of a provider’s claims.
It is important to note that prepayment review audits can prove disastrous for providers and hospitals who mainly treat Medicare beneficiaries. Prepayment review effective delays payment for several months, even assuming that the MAC finds the provider’s claims are payable. Often times, providers must also take many of these claims through the administrative appeals process, adding another one to two years before payment is made (again assuming that an Administrative Law Judge finds the claims payable).
V. Avoiding Prepayment Review:
With RAC prepayment reviews on their way, providers may consider investing in the time and energy now to make sure their claims meet applicable payment requirements. While there is no “silver bullet” to completely eliminate the risk of prepayment audit, a number of preemptive steps exist to reduce the likelihood of such an occurrence. You should consider conducting a “gap analysis” of your practice, and in so doing, you will learn whether your billed services, and associated documentation, meet medical necessity and coverage requirements. You may also review your utilization rates of certain procedures and compare these rates to those of your local, regional and national peers. In all, you need to identify the regulatory benchmarks applicable to your practice, identify where you fail to meet these benchmarks, consider the manner and method to rectify these deficiencies, and add proper procedures and additional risk areas to your Compliance Plan. Such efforts now can leave you in an excellent position to respond to any billing questions by RACs or other Medicare contractors. While RAC prepayment reviews are just another type of audit in a long list of concerns for providers, don’t underestimate the ability of these RACs to identity errors and deny payment.
VI. Reading the Tea Leaves:
CMS’ rekindled RAC prepayment review program is slated to begin again on June 1, 2012. With the reimplementation of this project, CMS moves yet another step away from its “pay-and-chase” model. Among its many advantages, the prepayment review approach greatly reduces the likelihood that the claims being paid by the government are improper. We believe that the scope of RAC and ZPIC prepayment reviews will continue to grow in the near future and will represent a key component of the government’s fraud prevention efforts in years to come.
Liles Parker attorneys have extensive experience conducting “gap analyses” and conducting compliance reviews for health care providers of all types. In addition, our attorneys are skilled in assisting providers who have been placed on prepayment review or subjected to post-payment audit. For more information, please call us today for a complimentary consultation. We can be reached at: 1 (800) 475-1906.
The Latest Risk Area for Providers: CMS’ EHR Incentive Program Post-Payment Audits
January 26, 2012 by rliles
Filed under Compliance, Health Law Articles, Medicare Overpayments
(January 26, 2012):
1. Background:
Interested in getting involved with Medicare’s Electronic Health Records (EHR) Incentive Program? No doubt about it, it’s a wonderful program – especially since electronic records will be mandatory in the not-too-distant future. Nevertheless, you need to be mindful of your various obligations should you choose to sign up for the incentive program at this time or in the near future. As discussed below, the Centers for Medicare and Medicaid Services (CMS) is serious about compliance with the program’s requirements.
As you will recall, all Medicare and Medicaid providers are required to transition over to an electronic system of records by 2015. In fact, participating providers and hospitals will face significant penalties if they don’t implement and demonstrate meaningful use of EHR by the 2015 deadline. In light of this requirement, many health care providers are taking advantage of the government’s “incentive” program designed to encourage early and meaningful adoption and implementation of EHR. The government’s EHR incentive payments can be worth up to $44,000 over five years (assuming a provider started in 2011). Importantly, the last day to “attest” to meaningful use of EHR for 2011 is February 29, 2012. By that date, providers seeking to take advantage of the program for 2011 must essentially swear, or certify, that they have engaged in “meaningful use” of EHR during 2011.
While the incentive program has clear rewards, it is important that you carefully assess the program so that each and every requirement is fully understood before you decide whether to make the transition now (and reap the benefits of the incentive program), or later.
II. Risks of Participation:
As we have discussed in prior articles, there are a number of “general” risks faced by health care providers seeking to transition over to an electronic medical records system. Several of those risks include:
- Programming Related Problems - Over the past two years, we have seen two cases involving health care providers who were “early adopters” of electronic medical records. When they purchased their EHR system, it was often difficult to make changes to the format and / or standard language first established in the system without engaging a programmer. As a result, when audited by a Medicare contractor, information in the records sometimes appeared to be inconsistent and / or incorrect. When you finally make the decision to transition over to an electronic system, it is essential that you make sure that your system allows for each block to be easily modified so that over time, the information you are gathering and the format you are using can be revised to better document any points which appear to be problematic.
- Cloning - It is essential that your EHR system be structured in such a way that treating providers are required to document the care provided in an individualized fashion. EHR systems which heavily rely on “drop-down” menus can be quite problematic due to the fact that when printed, they tend to look a lot alike. In some cases, Medicare contractors have alleged that a provider has “cloned” records, basing the allegation on the fact that multiple patient records appear to cite the same or similar language throughout the record.
- Lack of Personalization - Regardless of whether you are currently documenting patient care on paper or electronically, Medicare contractors have repeatedly stated their concern that the patient evaluations conducted and the observations documented are often not sufficiently described to show that a one-on-one evaluation of the patient took place. Similar in some respects to “cloning,” this concern is really focused on the lack of personalized observations noted which lead up to a unique and individualized diagnosis and recommendations for treatment by the treating provider.
- Electronic Signature Problems - In one recent matter (again involving an “early adopter” of EHR), it was difficult to tell whether the electronic signature of the provider had been affixed to the progress note. Although the provider’s name and title appeared at the end of the note, and a signature was printed above the name, the system did not electronically document when the note had been reviewed and approved by the provider. As a result, it was very difficult to tell whether the provider’s electronic signature has been formally affixed to the completed progress note. We recommend that you review your EHR system and verify that this is not a problem for your practice.
In addition to the myriad of “general” EHR risks faced by Medicare providers who have already transitioned to an electronic system of records, it is important to keep in mind that virtually every provider also faces practice-specific risks, unique to their circumstances. As with other risks faced by a practice, we strongly recommend that you conduct a “gap analysis” to assess your current compliance with applicable statutory and regulatory requirements. As you conduct the gap analysis, you should identify any and all general and / or practice-specific risks which should be either addressed now or monitored to help ensure that they do not result or cause a compliance violation.
III. CMS Audits of EHR Incentive Payments:
Understandably, CMS is quite serious about compliance with the program requirements it has identified in connection with the EHR incentive program. As their website reflects, CMS refers to the review of incentive payment recipients as “EHR Incentive Program Post-Payment Audits.” While reference to post-payment audits may be confusing to those with experience handling traditional post-payment audits and appeals, that’s the way CMS has chosen to refer to these incentive program assessments.
According to their website, CMS contractors will be conducting audits of Medicare and dually-eligible providers, while States will each conduct their own audits of Medicaid-only providers. Importantly, the appeals process for the Federal and State audits will likely be different, with each State authorized to manage its own appeals process. However, both Federal and State contractors will be evaluating providers’ attestations of “meaningful use,” as well as compliance with eligibility, reporting and payment requirements.
Should a Medicare contractor determine that a health care provider has failed to comply with the program rules and is therefore ineligible for an EHR incentive payment (or should not have otherwise received payment in the first place), the incentive program payments made to the health care provider will be recouped. Importantly, CMS recommends maintaining documentation in support of “meaningful use” for six years, which may mean that CMS intends to conduct audits of providers until 2015 (when the incentive payments end) and even possibly later.
CMS will review both paper and electronic documentation that supports a provider’s attestation of EHR meaningful use, as well as Clinical Quality Measures.
IV. Possible Concerns:
If a health care provider has yet to identify an EHR system which it feels fully addresses each of the current concerns identified by other providers, it may be in the provider’s best interests to hold-off making a selection at this time, despite the fact that delay could effectively cost the provider a significant amount of money. Although we applaud CMS’ efforts to encourage full participation as quickly as possible, it is very important that you identify a program which fully meets your documentation needs.
To the extent that you have already transitioned over to an electronic system, we strongly recommend that you review your participation obligations and ensure that you are continuing to meet those requirements. If a CMS contractor conducts an EHR-related audit of your practice (or a practice for whom you handle the coding and billing), it is important to keep in mind that there is nothing to restrict them from expanding their review to include an assessment of your medical necessity, documentation and coding practices. With the initiation of EHR incentive program-related audits, it is more important than ever that you ensure that your medical necessity, documentation, coding and billing practices fully comply with applicable statutory and regulatory requirements.
Liles Parker attorneys have extensive experience conducting “gap analyses,” and drafting / implementing tailored Compliance Plans for a wide variety of health care providers, group practices and third-party billing companies. In addition, our attorneys are skilled in handling administrative appeals of denied claims and in counseling providers on a variety of Medicare-related problems and concerns. For more information, please call us today for a free consultation at 1-800 (475) 1906.
Are Whistleblower Provisions Coming to HIPAA?
January 25, 2012 by rliles
Filed under Compliance, Featured, Health Law Articles
(January 25, 2012):
I. Background
Over the last few years, a number of health care providers and other “covered entities” (both large and small) have been audited and penalized by the government for improper breaches of protected health information. Enforcement actions taken have varied, ranging from mere warnings to criminal prosecution.
II. HITECH Raises the Bar for Providers
The “Health Information Technology for Economic and Clinical Health Act” (HITECH) contains a number of significant privacy provisions impacting health care providers. Two of these provisions include: (1) The initiation of privacy audits by contractors working for the Department of Health and Human Services (HHS), Office of Civil Rights (OCR); and (2) The sharing of Civil Monetary Penalties assessed in response to an improper breach with the affected patients.
- Privacy Audits
As OCR has announced, the agency has initiated an audit program intended to help ensure that health care providers are complying with the various medical records privacy provisions laid out in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). To do so, OCR has contracted with several nationally-recognized audit firms for the purpose of auditing health care provider compliance with HIPAA’s privacy provisions.
When will audits begin? According to OCR, the initial audits of provider compliance with HIPAA / HITECH requirements began in November 2011. Once these initial audits are completed, OCR intends to focus the remaining audits on the issues and concerns identified in the contractors’ first preliminary audits. At this time, all audits are anticipated to be completed by December 2012.
If prior “pilot” programs are any indication of how these audits will be handled, we anticipate that OCR will ultimately adopt an ongoing audit HIPAA / HITECH process, tasked with assessing the compliance of health care providers, covered entities and business associates. It is essential that you critically review your current practices – after you have been audited, it will likely be too late to avoid the imposition of penalties.
How will HIPAA / HITECH audits be conducted? According to OCR, organizations selected for audit will be notified by the agency of their selection. At that time, they will be asked to provide “documentation of their privacy and security compliance efforts.” During this pilot period, each of the covered entities audited will receive a site visit. During the site visit, contractor representatives will be required to interview key personnel. The contractors will also review the covered entity’s practices and determine whether their operations fully comply with HIPAA’s / HITECH’s privacy requirements. After completing the site visit, a draft report will be prepared which outlines how the audit was handled, the conclusions that were reached by the contractor and the remedial actions that were taken by the covered entity. The draft report will be shared with the covered entity prior to finalization and the covered entity will have a chance to respond to the contractor’s findings.
- Sharing of Civil Monetary Penalties
In addition to the HIPAA audit protocol discussed above, HITECH includes a seemingly-innocuous section which commands the Secretary HHS to establish a methodology to distribute a percentage of Civil Monetary Penalties to individuals harmed by an improper breach of protected health information or another HIPAA violation. For instance, if a patient’s medical records or other protected health information is inappropriately accessed or divulged to unauthorized persons and the OCR ultimately investigates the violation and assesses Civil Monetary Penalties against a provider or other covered entity in connection with the breach, the harmed patient may be eligible to receive a portion of the penalties collected by the government.
On its surface, such a clause seems reasonable – after all, why not compensate those who have been hurt by a wrongful disclosure or breach? However, this law (and its soon-to-be-created implementing regulations) will likely have extensive repercussions in reporting and enforcement of HIPAA violations. Giving patients a financial incentive to report wrongful disclosures and breaches of their protected health information will likely lead to increased reporting of incidents since harmed patients may now be eligible to share in any penalties collected. Similar laws which allow private individuals to receive a portion of penalties and other funds recovered, such as the False Claims Act (FCA), have been extremely successful in detecting and deterring fraudulent activity. While HITECH does not create a “private right of action” for HIPAA violations and is substantially different from the FCA, it is important to note that their basic principles are the same. By giving private citizens, with perhaps greater and more immediate knowledge of an issue than the government, a real reason to report a problem, these problems can be more quickly and effectively remedied.
In 1986, when the FCA was overhauled with new provisions that gave private citizens more power and a greater likelihood of collecting money, the FCA’s usage skyrocketed. In what could be a very similar situation, affected individuals with the chance to receive a portion of fines and penalties will be far more likely to aggressively report and pursue these violations. For covered entities (comprising virtually all providers, billers and business associates), this means that implementing effective HIPAA privacy policies should be at the top of your compliance “to-do” list.
III. How Health Care Providers Should Respond
Among their first steps, health care providers and other covered entities should:
- Ensure that patient protected health information is fully secured and protected.
- Take steps to prevent improper access by authorized parties.
- Ensure that anyone who accessing protected health information is properly logged so that patients can readily obtain an accounting or listing of anyone who has reviewed all or part of their records. This log should also document the purpose for assessing the record.
- Take steps to prevent the access of protected health information by authorized personnel for unauthorized reasons.
- Take steps to better ensure that no protected health information is inappropriately disclosed to third parties.
While the points outlined are essential, they are far from all-inclusive. It is imperative that you identify qualified counsel to assist you in meeting your HIPAA / HITECH obligations.
Further, when handling protected health information, health care providers must remain mindful of the “minimum necessary” rule. Health care providers, other covered entities and business associates who handling protected health information must only disclose the minimum information necessary for a requesting entity to properly do its job.
Ultimately, all health care providers, covered entities and business associates should take reasonable steps to help ensure that applicable HIPAA / HITECH provisions are fully met.
RACs, PSCs, ZPICs, HIPAA Auditors, State MFCUs, MICs, Medicaid RACs, HHS-OIG, DOJ, FBI, and Now. . . Patients?
January 20, 2012 by rliles
Filed under Featured, Health Law Articles, Medicare Overpayments
(January 20, 2012):
I. Background
The Department of Health and Human Services (HHS) has long used reports and complaints from affected patients to further investigate allegations of possible Medicare fraud, waste and abuse. Last June, it was reported that HHS was planning on implementing a “Mystery Shopper” program, with a Federal contractor posing as a potential patient when calling a physician to inquire about possible care. While HHS quickly abandoned this program, it is important to keep in mind that the Centers for Medicare & Medicaid Services (CMS) has actively promoted its “Senior Medicare Patrol” (SMP) program since 1997.
II. Senior Medicare Patrol
For over a decade, CMS and the Administration on Aging (AoA) have educated Medicare beneficiaries and their caregivers about how to examine Medicare Explanation of Benefits (EOBs) and other forms they may receive in connection with their care. As part of this effort, seniors have been asked to keep an eye out for possible indications of fraud or abuse, such as double-billing or billing for services not rendered. Recently, CMS announced an additional $9 million grant that will be used to bolster this program and teach more beneficiaries how to assist the government in stamping out fraudulent practices.
III. States Involved
As expected, CMS has awarded a majority of grant monies to areas of the country that are hit hardest by Medicare fraud, including California, Texas, Florida, Louisiana, Illinois, Michigan and New York. However, every state is appropriated at least some funding to enhance this program. Moreover, if this program is effective at detecting and deterring fraudulent, wasteful or abusive billing, you can expect that it will be expanded (in terms of both funding and scope) in the future.
IV. Impact on Your Practice
To be clear, we all applaud these grass-roots efforts to identify fraud. Educated seniors could eventually represent CMS’ most effective line of defense in identifying fraud early, before significant harm can occur. Having said that, at this time, we are concerned that few Medicare beneficiaries are experienced or skilled in deciphering an EOB. As a result, many reports of possible wrongdoing cited by beneficiaries may merely be a mistake or a misunderstanding of the coding and billing process. Therefore, if you bill in an area that is complex or otherwise confusing (especially to the untrained eye of a beneficiary), there is an increased likelihood that your practice will be audited or reviewed.
V. Avoiding an Audit
Hopefully, beneficiaries will continue to be trained on reading EOBs and CMS will continue its efforts to simplify the EOBs so that patients and their families can more easily understand what has been billed to Medicare.
In the meantime, health care providers should diligently work to meet all applicable statutory and regulatory requirements. If you do not already have an effective Compliance Plan in place (as opposed to a non-personalized, non-provider specific plan based on a sample off of the internet), the first step would be for you to conduct a “gap analysis” of the services being billed. The gap analysis would also assess the propriety of your organization’s business practices. Through the use of a gap analysis, you will be able to identify any areas of concern and take remedial action. This approach can significantly reduce your level of risk. While no practice is perfect, a gap analysis can greatly assist you in identifying problems – thereby increasing the likelihood that a Medicare contractor will find your claims payable if you are subsequently audited.
We’ve Moved!
Liles Parker’s Washington D.C. office has moved. Our new address is:
Liles Parker
2233 Wisconsin Ave. NW
Suite 210
Washington, D.C. 20007
Our phone number, fax number and email addresses remain the same. We look forward to assisting you with health law matters, including ZPIC and RAC overpayment appeals, compliance programs and gap analyses, and health care business transactions in 2012. For more information or a free consultation, please do not hesitate to contact us toll-free at 1 (800) 475-1906.
CMS Delays RAC Prepayment Demonstration Project . . . For Now.
January 11, 2012 by rliles
Filed under Health Law Articles, Medicare Overpayments
(January 11, 2011):
Background:
Last month, we discussed a new demonstration project by the Centers for Medicare and Medicaid Services (CMS) to test Recovery Audit Contractors’ (RACs’) ability to conduct prepayment review of Medicare Part A and B claims. RACs have successfully identified a wide variety of Medicare overpayments and have become one of CMS’ most important post-payment audit tools. In light of their continued success, last November, CMS announced that RACs would also now conduct prepayment audits. An initial RAC Prepayment Demonstration Project was intended to cover many of the same types of prepayment review as those currently conducted by Zone Program Integrity Contractors (ZPICs) around the country. The RAC Prepayment Demonstration Project was initially slated to be conducted in Florida, California, Mississippi, Texas, New York, Louisiana, Illinois, Pennsylvania, Ohio, North Carolina and Missouri.
Recent Developments:
After CMS announced the RAC Prepayment Demonstration Project, it reportedly received an outpouring of concerns regarding the scope of these prepayment audits. In consideration of these concerns, yesterday CMS announced that it was indefinitely delaying implementation of the Project, and would give 30 days notice before the RAC Prepayment Demonstration Project was reactivated.
Commentary:
Importantly, CMS’ decision to delay the RAC Prepayment Demonstration Project does not mean that they will not ultimately pursue RAC prepayment reviews in the future. Moreover, it is essential that health care providers keep in mind that other CMS contractors are already placing a wide variety of Part A and Part B providers on prepayment review. As before, providers should regularly review their activities to ensure that all regulatory and statutory requirements are being met. Broken down into areas of concern, providers should examine:
(1) Were the services administered medically necessary?
(2) Do the services meet Medicare’s coverage requirements?
(3) Have the services been properly and fully documented?
(4) Were the services correctly coded?
(5) Were the services correctly billed to Medicare?
If you are unable to answer “Yes” to each of the above questions, you have a serious problem. It is important to keep in mind that there is no administrative appeals process or other effective legal remedy to get off prepayment review. In fact, there is no “silver bullet,” despite what you have heard or been told. The only way to be taken off of prepayment review is to show the responsible Medicare contractor that your claims fully meet each of Medicare’s myriad statutory and regulatory requirements for coverage and payment. To that end, there are a number of preemptive steps a provider can take to reduce the chances of being selected for prepayment review in the first place.
To start, we recommend that you (or your qualified legal counsel) conduct a “gap analysis” of your claims. In doing so, you will readily identify any possible deficiencies in your medical necessity assessments, coverage, documentation, coding and / or billing activities. Moreover, you should consider assessing your utilization rate against the local and national average. For instance, for basic Evaluation and Management (E/M) services, are you or your providers billing higher level codes more often than your peers? Medicare contractors use this data to identify possible outliers who may be engaging in improper coding and / or billing. Data mining can also be used by contractors to identify potential problem providers who may need to be audited and / or placed on prepayment review. Keep in mind, should you identify any overpayments when you conduct a gap analysis, you must report the overpayment and return it to the government within 60 days. Any deficiencies noted in your review can be promptly addressed and added to the risk areas covered in your Compliance Plan. After taking these steps, you will likely be well situated to respond to any prepayment audits initiated by a Medicare contractor, regardless of whether the contractor is a RAC or another Medicare contractor.
Are Your Privacy Practices Fully Compliant? HIPAA Audits are Here
December 28, 2011 by rliles
Filed under Compliance, Featured, Health Law Articles
(December 28, 2011)
I. Introduction:
The Office of Civil Rights (OCR), an agency of the Department of Health and Human Services (HHS), is the central organization responsible for enforcing compliance with the Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). As OCR’s website reflects, the agency:
“. . [I]nvestigates complaints, enforces rights, and promulgates regulations, develops policy and provides technical assistance and public education to ensure understanding of and compliance with non-discrimination and health information privacy laws.”
II. Development of HIPAA Audits and Protocols:
After witnessing the effectiveness of Medicare contractors in identifying and recovering improper payments, Congress chose to include a similar compliance measure for HIPAA privacy as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009. Under HITECH, HHS and OCR were mandated to create an auditing program designed to help ensure that covered entities and their business associates were meeting HIPAA Security and Privacy Rule requirements.
In response, OCR contracted with a large nationally-recognized government contractor last year to develop and assess several HIPAA auditing methodologies for possible implementation. While that assessment was reportedly completed in August 2010, neither the contractor’s report nor the specific method chosen to conduct the upcoming audits has been publicly disclosed.
III. Timeframe of Initial HIPAA Audits:
In July and August 2011, OCR and the contractor worked to develop their initial audit protocols and the standards they would assess provider compliance against. A national accounting firm was selected to conduct these HIPAA audits in September, 2011. Initially, they are expected to only examine a few providers in order to test the audit protocols and standards which have been developed. Once the accounting contractor documents its initial observations, OCR will work with the contractors to modify the protocols, as necessary. This is expected to occur during the first quarter of 2012. Starting in May 2012, the remaining initial HIPAA audits are anticipated to be conducted.
Importantly, neither OCR nor its contractors have indicated that there are any limits in terms of the size and / or types of providers to be audited. Physicians, practice groups, home health agencies and other small to mid-sized providers should not expect audits to solely be conducted on hospitals and other large institutional providers. At this time, all providers are eligible to be subject to audit. Furthermore, you can expect that once the HIPAA audit demonstration project is completed, Congress will more than likely make it permanent and expand the scope of the audit program.
IV. Recommendations for Effective HIPAA Compliance:
If you have not already done so, now is the time to ensure that your practice remains fully compliant with HIPAA and HITECH requirements. Auditors will primarily be looking for compliance with the HIPAA Privacy and Security Rules. You should also expect them to examine the security of your electronic transmissions and physical security safeguards. Additional areas of inquiry are likely to include whether business associate relationships are being properly handled and whether or not providers are fully documenting each person who accesses a medical record so that patients may be given an accurate accounting of such information.
All providers, regardless of size, should have an effective HIPAA privacy policy as part of their overall Compliance Program. As with other compliance measures, it should be specifically tailored to address the needs of your organization, along with any unique risks faced by your practice. A “sample” policy downloaded from the Internet, unfortunately, will not suffice. When developing a HIPAA privacy policy, be sure to keep in mind the four “scalability” factors set out in the Code of Federal Regulations in analyzing a provider’s compliance with the Security Rule:
- The size, complexity, and capabilities of the covered entity;
- The covered entity’s technical infrastructure, hardware, and software security capabilities;
- The cost of security measures; and
- The probability and criticality of potential risks to electronic protected health information. 45 CFR 164.306(b)(2).
While small providers may desire to only implement the “basic” requirements, they must be careful to ensure that each of the Privacy Rule’s provisions are fully met. All providers, regardless of size, must utilize reasonable safeguards to protect paper, electronic and oral transmissions of protected health information.
Liles Parker attorneys have extensive experience in compliance matters, including HIPAA privacy requirements. Our team can assist your practice with gap analyses, mock audits and other reviews designed to help you better comply with applicable statutory and regulatory requirements. For a free consultation, call us today at 1 (800) 475-1906.
Get Ready – RAC Prepayment Reviews of Medicare Claims Are on the Horizon
December 21, 2011 by rliles
Filed under Featured, Health Law Articles, Medicare Overpayments
(December 19, 2011):
I. Introduction:
As you know, RACs play an important role in the identification of Part A and Part B overpayments. Since the inception of the RAC Demonstration Project in 2005, RACs have successfully identified a number of improper claims, denying payment for reasons ranging from mere technical errors to broad concerns about medical necessity. Unlike other contractors engaged in post-payment audits (such as Zone Program Integrity Contractors and Program Safeguard Contractors), RACs are not compensated on a fixed contract or cost-plus basis. Instead, their compensation is based on the amount of overpayments they identify (which remain overpayments after any administrative appeals have been pursued). This arrangement has roundly been criticized by providers. Regardless of whether or not you agree with the RAC concept, the program is here to stay. After reviewing the results of the RAC Demonstration Project, the government expanded the program and made it permanent.
II. Expansion of the RAC’s Responsibilities:
On November 15th, 2011, CMS announced that it was initiating a new demonstration project designed to help ensure that Medicare claims billed to the government are medically necessary and otherwise proper before they are paid. RACs will now be performing prepayment audits of provider claims. These reviews will likely be conducted in much the same manner as those currently initiated by other Medicare contractors. With the addition of RAC prepayment reviews, CMS hopes to further reduce the number of improper claims paid by the government each year.
III. States to be Covered in the RAC Prepayment Demonstration Project:
The “RAC Prepayment Review Demonstration Project” is initially slated to target physicians, hospitals and other Medicare providers in Florida, California, Mississippi, Texas, New York, Louisiana, Illinois, Pennsylvania, Ohio, North Carolina and Missouri. Implementation of the new pilot project is set to begin in January 2012.
IV. Impact of Being Placed on Prepayment Review:
Importantly, there is no administrative appeals process covering prepayment audits. As a result, it is not uncommon for providers placed on prepayment review to remain in this status for four to six months or until the provider is able to show the contractor that the services billed are both medically necessary and fully meet Medicare’s coverage and documentation requirements. Unfortunately, being placed on prepayment review can prove disastrous for providers with a large Medicare patient load. It can effectively delay payment for several months, even if the contractor ultimately finds that the claims qualify for coverage and payment.
V. Avoiding Prepayment Review:
Unfortunately, there is no “silver bullet” you can use to completely eliminate the risk of being placed on prepayment review. Nevertheless, there are a number of preemptive steps you can take to reduce the likelihood of such an occurrence. To start, you should conduct a “gap analysis” of your claims. In doing so, you will be able to learn whether or not the services you are billing meet Medicare’s medical necessity, coverage and documentation requirements. Additionally, you will likely learn whether your utilization of services is less than, comparable to, or exceeds that of your peers. Any deficiencies noted can be promptly addressed and added to the risk areas covered in your Compliance Plan. At this point, you will likely be well situated to respond to any prepayment audits initiated by a RAC or another Medicare contractor.
Liles Parker attorneys and staff have extensive experience conducting gap analyses and providing compliance guidance to health care providers. Additionally, our attorneys are skilled in assisting providers who have been placed on prepayment review. For more information, please call us today for a free consultation at 1-800 (475) 1906.
CERT Audits are Serious – Don’t Take them Lightly
November 23, 2011 by rliles
Filed under Compliance, Featured, Health Law Articles, Medicare Overpayments
(November 23, 2011):
I. What is a CERT Audit?
The “Comprehensive Error Rate Testing” (CERT) program was implemented as a mechanism for the Centers for Medicare and Medicaid Services (CMS) to assess whether their Medicare Administrative Contractors (MACs) are properly paying claims. In other words, is a particular MAC failing to identify and deny improper claims? Alternatively, is the MAC denying claims which do, in fact, qualify for coverage and payment? Essentially, the CERT program serves as an integral management tool for CMS as well as an important feedback mechanism for the MACs. When problem areas are identified, they can be actively addressed by a wide variety of Medicare contractors with audit responsibilities. Notably, several of the MACs around the country have been aggressively reasserting their roles in the corrective action process.
Essentially, MACs write the checks on behalf of CMS. As a result, they play an extraordinarily important role in the Medicare reimbursement process. Therefore, when a CERT auditor finds that a MAC has been incorrectly reimbursing providers for claims which may not qualify for coverage, it is very important that the MAC immediately address this system-level deficiency.
II. Recent Actions Taken by MACs in Response to CERT Audit Findings.
In response to certain CERT audit findings, one MAC recently sent notification to providers of Evaluation and Management (E/M) services explaining that new “stringent corrective actions” will be taken to address some of the more common claims errors identified by the CERT auditors when conducting their reviews of MAC payment practices. As recent correspondence to a provider reflects, MACs are taking the results of CERT audits quite seriously, and are expanding their program integrity efforts. As one MAC recently wrote, the contractor stands ready to:
- Suspend a provider if that provider has “too many” payment errors (it does not state how many is “too many”);
- “[R]efer every physician” to that region’s ZPIC if those providers continue to bill for services which may constitute payment errors;
- “[R]efer every physician” to the ZPIC if there is a pattern of past payment errors; and,
- “[C]onduct prepayment reviews” of future claims, up to 100% of a provider’s claims.
To be clear, none of these potential corrective actions represent new authorities. Nevertheless, the fact that MACs are now reasserting these points is reflective of CMS’ ongoing concerns regarding the prevalence of improper claims. Indirectly, CMS is making it crystal clear that as the initial recipient and screener of Medicare claims submitted by providers for payment, MACs play an essential role in screening out improper claims and bad providers. As Medicare’s primary gatekeepers, MACs are responsible for identifying both improper claims and providers who may be engaged in abusive and / or fraudulent practices.
III. What Should You Do if You Are Notified of a CERT Audit?
Should you receive a CERT audit request for documents from a CERT Documentation Contractor (CDC), it is important to keep in mind that your practice or clinic is not being accused of fraud or wrongdoing. Fundamentally, a CERT audit is primarily designed to identify deficiencies and mistakes made by Medicare contractors. Nevertheless, it is imperative that you take a CERT audit request quite seriously. At the end of the day, it will be you, not the MAC, who is responsible for any overpayments identified as a result of the audit. Moreover, bad results on a CERT audit may lead to further auditing in the future.
IV. What Actions Should a Compliance Officer Take to Being Audited?
As an organization, if you are subjected to a CERT audit, the “horse is already out of the barn,” so to speak. Your goal is to review and monitor your organization’s coding, billing and utilization practices on an ongoing basis so that improper claims are never submitted to your MAC in the first place. In most cases, you can check your MAC’s website to determine if their CERT auditor has already identified certain areas of concern. For instance, one MAC recently reported that out of 508 errors identified in a CERT audit of certain Medicare claims, the contractor found that:
- 311 errors were due to “insufficient documentation.” Notably, a majority of the errors in this category were because the medical record “did not contain a valid physician’s signature” or because a diagnostic test performed “did not contain a valid physician’s order” or an identification of the provider who rendered the service.
- 132 errors were due to “lack of medical necessity” based on the medical documentation submitted.
- 37 errors were due to “incorrect coding” (primarily related to laboratory testing).
- 10 errors were due to “invasive procedures that were assessed to be without medically necessity.”
- 9 errors were due to an “incorrect procedure code” used when billing the service.
- 6 errors were the result of “billing for services that were not rendered.”
- 2 errors were due to “other errors.”
- 1 error was due to an “incorrect discharge code being used.”
Compliance Officers can take these “general” risk areas, add them to the “practice-specific” risk areas already noted, and take special note of these concerns when conducting internal reviews. The only way to avoid the scrutiny of Medicare’s various administrative contractors (MACs, ZPICs, RACs and CERT auditors) is to avoid payment errors altogether. While no provider is perfect, the development, implementation and adherence to an effective Compliance Plan can significantly reduce the number of improper claims submitted by a provider to a MAC for reimbursement.
V. What Actions Should a Compliance Officer Take After Receiving a CERT Audit Letter?
As Compliance Officer, upon receipt of a CERT audit request, you should carefully review the request and take steps to assemble a complete set of medical records and other supporting documentation related to the specific claims at issue. It is important not only to make sure that your documentation is complete when sending in records to a CERT contractor, but to make sure that compliance is a daily part of your practice. Ensuring that your documentation is appropriate and accurately documents both medical necessity and the level of services performed can greatly assist you in avoiding trouble down the road.
Now, more than ever, it is important that you have an effective Compliance Plan in place. Your Compliance Plan should explicitly set out your organization’s policies about how to correctly assess the need for, and document the services provided to a Medicare beneficiary. Otherwise, as demonstrated by the tough stance being taken by the MAC discussed above, CERT audits and other Medicare post-payment audits could raise serious problems for your practice.
Liles Parker attorneys represent health care providers in CERT, MAC, ZPIC and RAC audits and investigations. Our attorneys have extensive compliance experience and can conduct “gap” analyses designed to place your practice or clinic on solid regulatory footing. To speak with one of our attorneys, call 1 (800) 475-1906 for a free consultation today.
Medicare Post Payment Audits and the “Average” Provider
November 16, 2011 by rliles
Filed under Health Law Articles, Medicare Overpayments
(November 16, 2011) Many providers believe that their practice is a normal one – average billings, average patient load, costs of care which are consistent with industry standards – and that they need not be concerned with undergoing a Medicare post payment audit for being a “statistical outlier.” As you may know, Medicare and Medicaid contractors rely heavily on “data mining” to identify potential audit targets. With “data mining,” RACs, ZPICs and other entities conducting Medicare post payment audits can look at historical billing data, as well as billing date from regional and local peers of a particular provider, and determine if that particular provider’s billings appear suspect.
While a provider might think its billing is in line with or below that of its peers, it is very important to remember that the Medicare post payment auditors are experts in “slicing and dicing” the data in so many ways that virtually every provider could show up as an outlier. For instance, perhaps the cost per patient, cost per procedure or cost per service plotted high, or maybe the total number of services per patient was high. For length-of-stay (LOS) providers, perhaps the total number of days of service on average was high or the billings per day ended up being high.
Moreover, even if a provider thinks they run a “tight ship,” a lot of Medicare claim reimbursement is dictated by the medical necessity of the services provided to each patient. For instance, a provider may have a string of highly complex, highly demanding patients, who need more in-depth care. These same providers may have gained a local reputation for handling high complexity cases, thereby further driving up the data “against” them. In any event, Medicare post payment auditors are looking out for high-billing providers and have many ways of interpreting the relevant data to justify their audit decisions.
Liles Parker handles Medicare post payment audit appeals, in addition to other health law matters. For more information or to speak to one of our attorneys, please call 1 (800) 475-1906 today for a free consultation.
