I.   Background

Over the last few years, a number of health care providers and other “covered entities” (both large and small) have been audited and penalized by the government for improper breaches of protected health information. Enforcement actions taken have varied, ranging from mere warnings to criminal prosecution.

II.   HITECH Raises the Bar for Providers

The “Health Information Technology for Economic and Clinical Health Act” (HITECH) contains a number of significant privacy provisions impacting health care providers.  Two of these provisions include:  (1) The initiation of privacy audits by contractors working for the  Department of Health and Human Services (HHS), Office of Civil Rights (OCR); and (2) The sharing of Civil Monetary Penalties assessed in response to an improper breach with the affected patients.

• Privacy Audits

As OCR has announced, the agency has initiated an audit program intended to help ensure that health care providers are complying with the various medical records privacy provisions laid out in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  To do so, OCR has contracted with several nationally-recognized audit firms for the purpose of auditing health care provider compliance with HIPAA’s privacy provisions.

When will audits begin? According to OCR, the initial audits of provider compliance with HIPAA / HITECH requirements began in November 2011. Once these initial audits are completed, OCR intends to focus the remaining audits on the issues and concerns identified in the contractors’ first preliminary audits. At this time, all audits are anticipated to be completed by December 2012.

If prior “pilot” programs are any indication of how these audits will be handled, we anticipate that OCR will ultimately adopt an ongoing audit HIPAA / HITECH process, tasked with assessing the compliance of health care providers, covered entities and business associates. It is essential that you critically review your current practices – after you have been audited, it will likely be too late to avoid the imposition of penalties.

How will HIPAA / HITECH audits be conducted? According to OCR, organizations selected for audit will be notified by the agency of their selection. At that time, they will be asked to provide “documentation of their privacy and security compliance efforts.” During this pilot period, each of the covered entities audited will receive a site visit. During the site visit, contractor representatives will be required to interview key personnel. The contractors will also review the covered entity’s practices and determine whether their operations fully comply with HIPAA’s / HITECH’s privacy requirements. After completing the site visit, a draft report will be prepared which outlines how the audit was handled, the conclusions that were reached by the contractor and the remedial actions that were taken by the covered entity. The draft report will be shared with the covered entity prior to finalization and the covered entity will have a chance to respond to the contractor’s findings.

• Sharing of Civil Monetary Penalties

In addition to the HIPAA audit protocol discussed above, HITECH includes a seemingly-innocuous section which commands the Secretary HHS to establish a methodology to distribute a percentage of Civil Monetary Penalties to individuals harmed by an improper breach of protected health information or another HIPAA violation. For instance, if a patient’s medical records or other protected health information is inappropriately accessed or divulged to unauthorized persons and the OCR ultimately investigates the violation and assesses Civil Monetary Penalties against a provider or other covered entity in connection with the breach, the harmed patient may be eligible to receive a portion of the penalties collected by the government.

On its surface, such a clause seems reasonable – after all, why not compensate those who have been hurt by a wrongful disclosure or breach? However, this law (and its soon-to-be-created implementing regulations) will likely have extensive repercussions in reporting and enforcement of HIPAA violations. Giving patients a financial incentive to report wrongful disclosures and breaches of their protected health information will likely lead to increased reporting of incidents since harmed patients may now be eligible to share in any penalties collected.  Similar laws which allow private individuals to receive a portion of penalties and other funds recovered, such as the False Claims Act (FCA), have been extremely successful in detecting and deterring fraudulent activity. While HITECH does not create a “private right of action” for HIPAA violations and is substantially different from the FCA, it is important to note that their basic principles are the same. By giving private citizens, with perhaps greater and more immediate knowledge of an issue than the government, a real reason to report a problem, these problems can be more quickly and effectively remedied.

In 1986, when the FCA was overhauled with new provisions that gave private citizens more power and a greater likelihood of collecting money, the FCA’s usage skyrocketed. In what could be a very similar situation, affected individuals with the chance to receive a portion of fines and penalties will be far more likely to aggressively report and pursue these violations. For covered entities (comprising virtually all providers, billers and business associates), this means that implementing effective HIPAA privacy policies should be at the top of your compliance “to-do” list.

III.   How Health Care Providers Should Respond

Among their first steps, health care providers and other covered entities should:

• Ensure that patient protected health information is fully secured and protected.
• Take steps to prevent improper access by authorized parties.
• Ensure that anyone who accessing protected health information is properly logged so that patients can readily obtain an accounting or listing of anyone who has reviewed all or part of their records. This log should also document the purpose for assessing the record.
• Take steps to prevent the access of protected health information by authorized personnel for unauthorized reasons.
• Take steps to better ensure that no protected health information is inappropriately disclosed to third parties.

While the points outlined are essential, they are far from all-inclusive.  It is imperative that you identify qualified counsel to assist you in meeting your HIPAA / HITECH obligations.

Further, when handling protected health information, health care providers must remain mindful of the “minimum necessary” rule.  Health care providers, other covered entities and business associates who handling protected health information must only disclose the minimum information necessary for a requesting entity to properly do its job.

Ultimately, all health care providers, covered entities and business associates should take reasonable steps to help ensure that applicable HIPAA / HITECH provisions are fully met.

I.   Background

Liles Parker
2233 Wisconsin Ave. NW
Suite 210
Washington, D.C. 20007

Our phone number, fax number and email addresses remain the same. We look forward to assisting you with health law matters, including ZPIC and RAC overpayment appeals, compliance programs and gap analyses, and health care business transactions in 2012. For more information or a free consultation, please do not hesitate to contact us toll-free at 1 (800) 475-1906.

I.          Introduction:

The Office of Civil Rights (OCR), an agency of the Department of Health and Human Services (HHS), is the central organization responsible for enforcing compliance with the Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).  As OCR’s website reflects, the agency:

“. . [I]nvestigates complaints, enforces rights, and promulgates regulations, develops policy and provides technical assistance and public education to ensure understanding of and compliance with non-discrimination and health information privacy laws.”

II.         Development of HIPAA Audits and Protocols:

After witnessing the effectiveness of Medicare contractors in identifying and recovering improper payments, Congress chose to include a similar compliance measure for HIPAA privacy as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009. Under HITECH, HHS and OCR were mandated to create an auditing program designed to help ensure that covered entities and their business associates were meeting HIPAA Security and Privacy Rule requirements.

In response, OCR contracted with a large nationally-recognized government contractor last year to develop and assess several HIPAA auditing methodologies for possible implementation. While that assessment was reportedly completed in August 2010, neither the contractor’s report nor the specific method chosen to conduct the upcoming audits has been publicly disclosed.

III.        Timeframe of Initial HIPAA Audits:

In July and August 2011, OCR and the contractor worked to develop their initial audit protocols and the standards they would assess provider compliance against. A national accounting firm was selected to conduct these HIPAA audits in September, 2011. Initially, they are expected to only examine a few providers in order to test the audit protocols and standards which have been developed. Once the accounting contractor documents its initial observations, OCR will work with the contractors to modify the protocols, as necessary.  This is expected to occur during the first quarter of 2012. Starting in May 2012, the remaining initial HIPAA audits are anticipated to be conducted.

Importantly, neither OCR nor its contractors have indicated that there are any limits in terms of the size and / or types of providers to be audited.  Physicians, practice groups, home health agencies and other small to mid-sized providers should not expect audits to solely be conducted on hospitals and other large institutional providers. At this time, all providers are eligible to be subject to audit. Furthermore, you can expect that once the HIPAA audit demonstration project is completed, Congress will more than likely make it permanent and expand the scope of the audit program.

IV.        Recommendations for Effective HIPAA Compliance:

If you have not already done so, now is the time to ensure that your practice remains fully compliant with HIPAA and HITECH requirements. Auditors will primarily be looking for compliance with the HIPAA Privacy and Security Rules.  You should also expect them to examine the security of your electronic transmissions and physical security safeguards.  Additional areas of inquiry are likely to include whether business associate relationships are being properly handled and whether or not providers are fully documenting each person who accesses a medical record so that patients may be given an accurate accounting of such information.

All providers, regardless of size, should have an effective HIPAA privacy policy as part of their overall Compliance Program.  As with other compliance measures, it should be specifically tailored to address the needs of your organization, along with any unique risks faced by your practice.  A “sample” policy downloaded from the Internet, unfortunately, will not suffice. When developing a HIPAA privacy policy, be sure to keep in mind the four “scalability” factors set out in the Code of Federal Regulations in analyzing a provider’s compliance with the Security Rule:

• The size, complexity, and capabilities of the covered entity;
• The covered entity’s technical infrastructure, hardware, and software security capabilities;
• The cost of security measures; and
• The probability and criticality of potential risks to electronic protected health information. 45 CFR 164.306(b)(2).

While small providers may desire to only implement the “basic” requirements, they must be careful to ensure that each of the Privacy Rule’s provisions are fully met.  All providers, regardless of size, must utilize reasonable safeguards to protect paper, electronic and oral transmissions of protected health information.

Liles Parker attorneys have extensive experience in compliance matters, including HIPAA privacy requirements. Our team can assist your practice with gap analyses, mock audits and other reviews designed to help you better comply with applicable statutory and regulatory requirements. For a free consultation, call us today at 1 (800) 475-1906.

I.          Introduction: 

As you know, RACs play an important role in the identification of Part A and Part B overpayments. Since the inception of the RAC Demonstration Project in 2005, RACs have successfully identified a number of improper claims, denying payment for reasons ranging from mere technical errors to broad concerns about medical necessity.  Unlike other contractors engaged in post-payment audits (such as Zone Program Integrity Contractors and Program Safeguard Contractors), RACs are not compensated on a fixed contract or cost-plus basis.  Instead, their compensation is based on the amount of overpayments they identify (which remain overpayments after any administrative appeals have been pursued). This arrangement has roundly been criticized by providers. Regardless of whether or not you agree with the RAC concept, the program is here to stay.  After reviewing the results of the RAC Demonstration Project, the government expanded the program and made it permanent.

II.         Expansion of the RAC’s Responsibilities:

On November 15^th, 2011, CMS announced that it was initiating a new demonstration project designed to help ensure that Medicare claims billed to the government are medically necessary and otherwise proper before they are paid. RACs will now be performing prepayment audits of provider claims. These reviews will likely be conducted in much the same manner as those currently initiated by other Medicare contractors. With the addition of RAC prepayment reviews, CMS hopes to further reduce the number of improper claims paid by the government each year.

III.        States to be Covered in the RAC Prepayment Demonstration Project:

The “RAC Prepayment Review Demonstration Project” is initially slated to target physicians, hospitals and other Medicare providers in Florida, California, Mississippi, Texas, New York, Louisiana, Illinois, Pennsylvania, Ohio, North Carolina and Missouri.  Implementation of the new pilot project is set to begin in January 2012.

IV.        Impact of Being Placed on Prepayment Review:

Importantly, there is no administrative appeals process covering prepayment audits. As a result, it is not uncommon for providers placed on prepayment review to remain in this status for four to six months or until the provider is able to show the contractor that the services billed are both medically necessary and fully meet Medicare’s coverage and documentation requirements.  Unfortunately, being placed on prepayment review can prove disastrous for providers with a large Medicare patient load.  It can effectively delay payment for several months, even if the contractor ultimately finds that the claims qualify for coverage and payment.

V.         Avoiding Prepayment Review:

Unfortunately, there is no “silver bullet” you can use to completely eliminate the risk of being placed on prepayment review. Nevertheless, there are a number of preemptive steps you can take to reduce the likelihood of such an occurrence.  To start, you should conduct a “gap analysis” of your claims.  In doing so, you will be able to learn whether or not the services you are billing meet Medicare’s medical necessity, coverage and documentation requirements.  Additionally, you will likely learn whether your utilization of services is less than, comparable to, or exceeds that of your peers.  Any deficiencies noted can be promptly addressed and added to the risk areas covered in your Compliance Plan.  At this point, you will likely be well situated to respond to any prepayment audits initiated by a RAC or another Medicare contractor.

Liles Parker attorneys and staff have extensive experience conducting gap analyses and providing compliance guidance to health care providers.  Additionally, our attorneys are skilled in assisting providers who have been placed on prepayment review. For more information, please call us today for a free consultation at 1-800 (475) 1906.

I.             What is a CERT Audit?

The “Comprehensive Error Rate Testing” (CERT) program was implemented as a mechanism for the Centers for Medicare and Medicaid Services (CMS) to assess whether their Medicare Administrative Contractors (MACs) are properly paying claims.  In other words, is a particular MAC failing to identify and deny improper claims?  Alternatively, is the MAC denying claims which do, in fact, qualify for coverage and payment? Essentially, the CERT program serves as an integral management tool for CMS as well as an important feedback mechanism for the MACs. When problem areas are identified, they can be actively addressed by a wide variety of Medicare contractors with audit responsibilities.  Notably, several of the MACs around the country have been aggressively reasserting their roles in the corrective action process.

Essentially, MACs write the checks on behalf of CMS.  As a result, they play an extraordinarily important role in the Medicare reimbursement process. Therefore, when a CERT auditor finds that a MAC has been incorrectly reimbursing providers for claims which may not qualify for coverage, it is very important that the MAC immediately address this system-level deficiency.

II.            Recent Actions Taken by MACs in Response to CERT Audit Findings.

In response to certain CERT audit findings, one MAC recently sent notification to providers of Evaluation and Management (E/M) services explaining that new “stringent corrective actions” will be taken to address some of the more common claims errors identified by the CERT auditors when conducting their reviews of MAC payment practices.  As recent correspondence to a provider reflects, MACs are taking the results of CERT audits quite seriously, and are expanding their program integrity efforts.  As one MAC recently wrote, the contractor stands ready to:

• Suspend a provider if that provider has “too many” payment errors (it does not state how many is “too many”);
• “[R]efer every physician” to that region’s ZPIC if those providers continue to bill for services which may constitute payment errors;
• “[R]efer every physician” to the ZPIC if there is a pattern of past payment errors; and,
• “[C]onduct prepayment reviews” of future claims, up to 100% of a provider’s claims.

To be clear, none of these potential corrective actions represent new authorities.  Nevertheless, the fact that MACs are now reasserting these points is reflective of CMS’ ongoing concerns regarding the prevalence of improper claims.  Indirectly, CMS is making it crystal clear that as the initial recipient and screener of Medicare claims submitted by providers for payment, MACs play an essential role in screening out improper claims and bad providers.  As Medicare’s primary gatekeepers, MACs are responsible for identifying both improper claims and providers who may be engaged in abusive and / or fraudulent practices.

III.           What Should You Do if You Are Notified of a CERT Audit?

Should you receive a CERT audit request for documents from a CERT Documentation Contractor (CDC), it is important to keep in mind that your practice or clinic is not being accused of fraud or wrongdoing.  Fundamentally, a CERT audit is primarily designed to identify deficiencies and mistakes made by Medicare contractors.  Nevertheless, it is imperative that you take a CERT audit request quite seriously.  At the end of the day, it will be you, not the MAC, who is responsible for any overpayments identified as a result of the audit. Moreover, bad results on a CERT audit may lead to further auditing in the future.

IV.          What Actions Should a Compliance Officer Take to Being Audited?

As an organization, if you are subjected to a CERT audit, the “horse is already out of the barn,” so to speak.  Your goal is to review and monitor your organization’s coding, billing and utilization practices on an ongoing basis so that improper claims are never submitted to your MAC in the first place.   In most cases, you can check your MAC’s website to determine if their CERT auditor has already identified certain areas of concern. For instance, one MAC recently reported that out of 508 errors identified in a CERT audit of certain Medicare claims, the contractor found that:

• 311 errors were due to “insufficient documentation.”  Notably, a majority of the errors in this category were because the medical record “did not contain a valid physician’s signature” or because a diagnostic test performed “did not contain a valid physician’s order” or an identification of the provider who rendered the service.
• 132 errors were due to “lack of medical necessity” based on the medical documentation submitted.
• 37 errors were due to “incorrect coding” (primarily related to laboratory testing).
• 10 errors were due to “invasive procedures that were assessed to be without medically necessity.”
• 9 errors were due to an “incorrect procedure code” used when billing the service.
• 6 errors were the result of “billing for services that were not rendered.”
• 2 errors were due to “other errors.”
• 1 error was due to an “incorrect discharge code being used.”

Compliance Officers can take these “general” risk areas, add them to the “practice-specific” risk areas already noted, and take special note of these concerns when conducting internal reviews. The only way to avoid the scrutiny of Medicare’s various administrative contractors (MACs, ZPICs, RACs and CERT auditors) is to avoid payment errors altogether.  While no provider is perfect, the development, implementation and adherence to an effective Compliance Plan can significantly reduce the number of improper claims submitted by a provider to a MAC for reimbursement.

V.            What Actions Should a Compliance Officer Take After Receiving a CERT Audit Letter?

As Compliance Officer, upon receipt of a CERT audit request, you should carefully review the request and take steps to assemble a complete set of medical records and other supporting documentation related to the specific claims at issue.  It is important not only to make sure that your documentation is complete when sending in records to a CERT contractor, but to make sure that compliance is a daily part of your practice. Ensuring that your documentation is appropriate and accurately documents both medical necessity and the level of services performed can greatly assist you in avoiding trouble down the road.

Now, more than ever, it is important that you have an effective Compliance Plan in place.  Your Compliance Plan should explicitly set out your organization’s policies about how to correctly assess the need for, and document the services provided to a Medicare beneficiary. Otherwise, as demonstrated by the tough stance being taken by the MAC discussed above, CERT audits and other Medicare post-payment audits could raise serious problems for your practice.

Liles Parker attorneys represent health care providers in CERT, MAC, ZPIC and RAC audits and investigations.  Our attorneys have extensive compliance experience and can conduct “gap” analyses designed to place your practice or clinic on solid regulatory footing.  To speak with one of our attorneys, call 1 (800) 475-1906 for a free consultation today. 

(August 14, 2011):  

I.          Overview:  Over last few years, the government’s reliance on private contractors to both identify overpayments and potential instances of fraud has greatly increased.  Health Integrity is the Zone Program Integrity Contractor (ZPIC) awarded the contract for Zone 4 (Texas, Oklahoma, Colorado and New Mexico) by the  Centers for Medicare and Medicaid Services (CMS).

II.         Home Health Agencies are Currently Being Scrutinized:  As home health agencies in Texas and Oklahoma can readily attest, Health Integrity is carefully examining home health claims billed to Medicare.  Home health agencies may be subjected to the following actions by Health Integrity:

• Unannounced site visits – leading to probe samples, statistically relevant samples and other actions. Failure to cooperate can lead to revocation from the Medicare program.  Notably, there are no statutory restrictions preventing contractors from showing up unannounced and requesting to see documentation related to Medicare claims.  Should Health Integrity show up at your home health agency, you will likely find that Health Integrity’s auditors are both to-the-point and professional in their dealings you and your staff.  Our clients have generally found that Health Integrity’s reviewers have researched an agency’s billing practices before they arrive.  When they show up, they will already have a listing of the claims-related records to be pulled.   ZPICs have been known to show up with their own scanner or copier.  This has led to problems for providers later on because they failed to receive a copy from the contractor before they left.  Should a ZPIC ask you to make copies, the contractor will often identify a handful to take with them and ask that you forward the other within a set period.
• Unannounced interview of home health patients and their families – Health Integrity is actively conducting interview of home health patients and their families in an effort to determine whether a patient was truly “homebound” during the claim period(s) at issue.
• Pre-payment audit – the number of home health agencies and other providers placed on pre-payment  review appears to have significantly increased over the last six months
• Post-payment audit – Health Integrity is actively conducting post-payment audits of Texas and Oklahoma home health agencies and are extrapolating alleged damages identified in these post-payment audits.
• Suspension – exercise caution when using Electronic Medical Records EMR) software – some software programs are better than others.  Avoid any program which minimizes the need for individualization and the documentation of patient-specific observations.  As always, it is important that home health agencies properly document the medical necessity of skilled care.  In some instances, ZPICs have expressed concern that the patient records generated appeared to be “cloned.”
• Medicare number revocation – take care if your home health agency is subjected to a site visit.  As a participating provider, you have an obligation to cooperate with the ZPIC’s review. Should you fail to cooperate, a ZPIC can recommend to CMS that your Medicare number be revoked. This is a very real threat and should not be discounted.  This becomes even more complicated if the ZPIC’s representatives go beyond mere claims-related questions and appear to be seeking information which could subject you (in your individual capacity), to possible civil and / or criminal liability.   Remember your obligations as a participating provider but call your attorney.  
• Referral for criminal investigation and prosecution  – ZPICs are actively referring cases to HHS-OIG and DOJ for formal civil and criminal review.

III.        Primary Reasons of an Audit:  We currently represent a number of home health agencies around the country in connection with post-payment audits and the appeal of overpayment assessments levied by Health Integrity and other ZPICs.  Our clients often ask why their home health agency was targeted by the ZPIC for audit.  After handling many of these cases, the following reasons for targeting have been cited by the ZPIC or ultimately learned when handling the case:

• Predictive Modeling / Data Mining –  As Chapter 2, Sec. 2.3 of the MPIM details: “Claims date is the primary source of information to target abuse activities.”  Data mining may have been used to examine a home health agency’s “error rate.”  This would provide the provider’s history of repeated overpayments   or improperly filed claims.  
• Complaints –  These can include “complaints” filed by beneficiaries, physicians, other providers (such as competitors), disgruntled current and former employees.
• Referrals –  ZPIC audits may be generated based on referrals from other CMS contractors (other ZPICs, PSCs, RACs, MACs, QA Staff), State MFCUs, Offices of the U.S. Attorney, or other Federal agencies.  Notably, it appears that private payors are now also referring cases to the government.
• Reports –  HHS-OIG and GAO regularly issue reports addressing areas of concern.
• State Licensing Boards –State Medical Boards, Nursing Boards, Pharmacy Boards and other regulatory entities responsible for handling State licensing responsibilities regularly hear or learn of improper actions by providers.  This information may be shared with one or more Federal agencies and ultimately be referred to the ZPIC handling a certain zone.

IV.        Reducing Your Risk of Audit:  While many home health agencies believe that their Compliance Plan is satisfactory, it has been our observation that many of the plans currently in place are little more than copies taken from a sample off of the internet.  Unfortunately, many providers view Compliance Plans as mere paperwork, rather than as a useful “tool” to be used by the organization on an ongoing basis. When properly constructed, an effective Compliance Plan can both improve the quality of patient care rendered and assist a provider in its efforts to fully comply with applicable statutory and regulatory requirements.  Therefore, it is imperative that you take steps to ensure that your Compliance Plan takes into account each of the unique risks faced by your home health agency.

To be clear, although there are a number of steps you can take to reduce the likelihood of a ZPIC audit, there is no way to entirely eliminate the risk.  Nevertheless, the development, implementation and consistent application of an effective Compliance Plan can greatly reduce an organization’s potential liability.  In many respects, an effective Compliance Plan is similar to a flu shot.  Although a flu shot cannot prevent you from getting sick, it will hopefully reduce the severity of your illness should you catch the flu.  Similarly, if you have implemented and diligently adhered to an effective Compliance Plan, you could still be audited by a ZPIC, a Recovery Audit Contractor (RAC) or by a law enforcement agency, such as the Department of Health and Human Services, Office of Inspector General (HHS-OIG).  However, as a compliant home health agency, an auditor is much more likely to find that your billing practices comply with applicable coverage requirements.

Robert W. Liles is an attorney with Liles Parker, Attorneys & Counselors at Law.  Mr. Liles has extensive experience representing home health agencies and other providers in connection with the appeal of post-payment audits conducted by ZPICs, Program Safeguard Contractors (PSCs) and RACs.  Mr. Liles has conducted “gap analyses” of many provider organizations and has worked with these providers to implement effective Compliance Plans.  Should you find that your organization is being audited, feel free to call give him a call for a complimentary consultation.  He can be reached at: (202) 298-8750.  

(July 24, 2011):

Recommendation #1:   If you have not already done so, conduct a “gap” analysis and implement an effective Compliance Plan.  Despite the fact that significant strides in compliance have been made by large Medicare providers (such as hospitals and nursing homes),  it has been our observation that most physician practices and small-to-mid sized provider organizations still do not have a tailored Compliance Plan in place.   To be clear, we recognize that many providers may have copied a draft plan right off of the internet, or may have purchased a sample plan from a vendor.  While they may fully have intended to follow through with personalization of the draft document, in most of the cases we have seen, more pressing events have taken precedence and providers have not had the time or expertise to complete the project.

Providers who have not put together a Compliance Plan should immediately do so. As you have likely heard, Section 6401 of the Affordable Care Act (ACA)(generally referred to as the “Health Care Reform Act”) states, “. . . a provider of medical or other items or services or supplier within a particular industry, sector or category shall, as a condition of enrollment in the program under this Title. . .establish a compliance program.”   To be clear, at this time, the Department of Health and Human Services, Office of Inspector General (HHS-OIG) has not announced deadlines effectuating this requirement.  Nevertheless, it is merely a matter of time until all providers who choose to participate in the Medicare program will be required to have an effective Compliance Plan in place.  

Rather than wait until the last minute, Medicare providers who have not already done so should immediately take steps to implement an effective plan.  As a first step, providers should review each of the regulatory and statutory provisions related to the specific services being billed to Medicare.  Next, providers should compare their actual documentation, coding and billing practices with Medicare’s rules.  Any gaps between the applicable requirements and a provider’s actual practices must immediately be remedied. Additionally, should these gaps represent an overpayment, the Medicare provider must repay the overpayment to the government within 60 days of identification.    

Prior to conducting a gap analysis, we recommend that providers contact their legal counsel for assistance with both the internal review and with the implementation of an effective Compliance Plan.   While no Compliance Plan can prevent an audit, the implementation of an effective plan will greatly improve a provider’s likely adherence to Medicare’s rules and regulations should a ZPIC audit be initiated.  

Recommendation #2:   Don’t ignore a ZPIC’s request for documents[1]. At the outset, it is important to keep in mind that ZPICs play an important role.  In addition to  auditing records for possible overpayments, ZPICs are also responsible for identifying fraudulent providers (and potenitally fraudulent providers) and making referrals to the Centers for Medicare and Medicaid Services (CMS), the Department of Health and Human Services, Office of Inspector General (HHS-OIG) and the U.S. Department of Justice (DOJ) for further action.  Possible actions taken include, but are not limited to: 

• CMS — Administrative action such as suspension or revocation from the Medicare program.
• HHS-OIG – Administrative action such as Civil Monetary Penalty action.  HHS-OIG may also investigate and refer a provider to DOJ for possible civil litigation under the False Claims Act.  Finally, HHS-OIG may investigate and refer a provider to DOJ for criminal prosecution under the Federal Anti-Kickback Act or a host of other statutes.
• DOJ – May investigate and prosecute a provider for civil and / or criminal violations of law. 

Should you receive a request for documents from your ZPIC, in many cases it will broken into two sections.  The first section will likely be focused on business related records such as the following: 

“Business contracts or agreements with other providers, suppliers, physicians,  businesses or individuals in place during a specific period.  Additionally, any verbal agreements must be summarized in writing.

A listing of all current and former employes (employed during a specific period), along with their hire date, termination date, reason for leaving, title, qualifications, last known address, phone number.

• A list of all practice locations, along with their address and phone number.
• Leases.
• Employment agreements.
• Medical Director contracts.” 

The unstated purpose of this portion of the ZPIC’s request is likely to identify potential instances of violations of the Federal Anti-Kickback Statute, Stark and / or the False Claims Act.  Should the ZPIC identify a possible violation, it will readily refer the case to CMS, HHS-OIG and / or DOJ, depending on the nature of the potential violation.

In contrast to the first section of the ZPIC’s request, the second section of the request usually lists the patient records and dates of service to be audited by the ZPIC.  While every case is different, the number of claims requested typically ranges from 8 – 100, depending on whether the ZPIC’s request is a “probe review” or a full-blown audit.  On occasion, we have seen the number of claims sought can range from 150 – 300. 

Never ignore a ZPIC request for records.[2] Importantly, should you fail to respond to the ZPIC’s request, the contractor can recommend to the CMS that your organization be suspended[3] or from participation in the Medicare program.  Depending on the ZPIC’s concerns, the contractor can also recommend that CME pursue a revocation action against your organization.  Should you need more time to the ZPIC’s request for supporting documentation, don’t hesitate to request it. 

Recommendation #3:  Remember learning how to “drive defensively” in high school?  Your documentation practices should be approached in a similar fashion.   ZPIC auditors are excellent at identifying one or more ways in which your claims do not meet applicable coverage requirements.  While you may very well disagree with their assessments (especially in “medical necessity” determinations), in all likelihood, when you file a request for redetermination appeal (and later, a request for reconsideration appeal), you will find that your Medicare Administrative Contractor (MAC) and your Qualified Independent Contractor (QIC) agree with the ZPIC’s denial decision.  Rather than endure significant costs and stress when defending against an overpayment assessment, you need to take steps to avoid a denial in the first place. To that end, health care providers should ensure that clinical staff members are fully trained and educated regarding Medicare’s documentation, coding and billing process. 

We recognize that “perfect documentation” is neither required nor realistic to expect from your clinical staff.  Nevertheless, using published reports of other cases, you can show your clinicians that ZPICs  enforce a strict application of Medicare’s documentation and coverage requirements.  Through education and training, your clinical staff will understand why it is imperative that they review, understand and comply with: 

• Any applicable Local Coverage Determinations (LCDs).
• Any Local Medical Review Policies (LMRPs).
• The Medicare Policy Benefit Manual (MPBM).
• The Medicare Program Integrity Manual (MPIM).
• Any statutory provisions which cover the services.
• Any additional guidance issued by Medicare which would apply to these claims.    

It is important that you regularly review the government’s latest concerns and any enforcement actions which have been taken.  Additionally, you should read HHS-OIG’s reports so that you may learn from the mistakes being made by similarly situated providers.  Upon doing so, we recommend that you check the list of “risk areas” in your Compliance Plan and ensure that they reflect both general “risks” and “specific risks” which may be unique to your organization.  Is your organization still in full compliance?  If not, remedial action is likely necessary.  

Recommendation #4:  Retain experienced legal counsel to assist with your efforts. When experiencing symptoms of a cardiac problem, most patients wouldn’t turn over their care to a dermatologist.  Instead, they would seek to be evaluated and treated by a Cardiologist.  Similarly, if you have a health law problem, would it be wise to rely on advice from an attorney specializing in family law?  Ultimately, that’s your call.  While no attorney can guarantee you success — we believe that an experienced health lawyer is well situated to give you advice regarding a Medicare audit or investigation.   Having said that, it is important to recognize that the field of health law is extraordinarily broad.  Should you be audited by a ZPIC or a Recovery Audit Contractor (RAC), don’t hesitate to ask a health lawyer whether they have handled these types of cases before.  If so, how many times have they represented a provider in a ZPIC overpayment case?  When selecting a lawyer, keep in mind that the legal fees charged by an attorney can vary greatly, depending on a variety of factors.  Don’t be shy – ask how much the representation is likely to cost.  While it is often difficult to estimate legal costs due to the various factors faced when handling a ZPIC audit case, most attorneys can give you a range of expected legal fees.  Finally, be sure and ask for references.  Other providers who have been through an administrative appeal case can provide you with invaluable insights into the process.  As a final point, on numerous occasions, our firm has been retained to work with a provider’s existing legal counsel.  We are more than happy to do so and can effectively work with your counsel in a fashion which avoids duplication of efforts yet allows our experience and expertise to be applied to your case. 

Recommendation #5:  The administrative appeals process has become quite complicated in recent years.  ZPIC audits can result in alleged overpayments running into the millions of dollars. Moreover, the ZPIC’s overpayment assessment (and the associated “demand” letter sent by a MAC) isn’t usually the end of the story.  While providers often lose at the redetermination and reconsideration levels of appeal, the third level of appeal – before an Administrative Law Judge (ALJ) – is usually your single best opportunity to prevail in an administrative appeals action.  Over the years, our attorneys have argued cases in front of judges out of each of the field offices of the Office of Medicare Hearings and Appeals (OMHA).   While we may not always agree with their decisions, the ALJs in whose courts we have practiced have been professional, fair and more than willing to hear a provider’s arguments in support of payment. 

Should you choose to forego legal counsel and represent yourself in an ALJ hearing, keep in mind that even though these hearings are intended to be “non-adversarial,”  it can feel quite “adversarial“ during the actual hearing.  Furthermore, these proceedings can be quite complicated.  In most large dollar cases, representatives of the ZPIC are participating in the hearing and arguing their position before the ALJ.  ZPIC representatives can include one or more statisticians (if an extrapolation was conducted), a clinician (usually a Registered Nurse who is experienced in conducting medical reviews) and a lawyer.  In a recent Home Health Agency case we handled, this was precisely what occurred.  Frankly, few providers are experienced in presenting their case and in responding to the arguments raised by statisticians, clinicians and lawyers representing a ZPIC.  As a result, it is strongly recommended that the provider consider engaging an experienced and knowledgable attorney. 

Recommendation #6:  When reviewing your claims, you should abide by the following:  First, “If it doesn’t belong to you, give it back.”  Conversely, “If you don’t owe the money, don’t throw in the towel.”  One of the attorneys in our firm is regularly asked to speak at provider conventions around the country.  For years, he has told providers “If it doesn’t belong to you, give it back.”  This simple concept covers a lot of ground when it comes to alleged Medicare overpayments.  Similarly, if the facts and the evidence shows that the claims should have been paid,  think twice before waiving your right to appeal the denial of these claims.  From a practical standpoint, we have heard of  situations where a provider chooses to “just pay the bill” so that the case will quickly be resolved.  Several providers have commented that when dealing with small dollar assessments, it is just easier to pay the alleged overpayment rather than incur the hassle and expense of contesting the contractor’s denial decision.  Although we understand the reasoning behind such a decision, you should keep in mind that every claim which is denied by a ZPIC (and which remains denied) increases a provider’s “error rate.”  If you were a ZPIC, PSC, RAC or MAC contractor, would you choose to audit a provider with a low error rate or a high error rate?  In any event, the bottom line is fairly straight forward.  Should you find that you are not entitled to payment for one or more claims, you must  repay the money to the government as soon as possible (but no later than 60 days after an overpayment has been identified),  regardless of whether the claim is part of an ongoing or recently completed Medicare audit.  If, however, you are audited and you believe that a ZPIC has incorrectly denied one or your claims, you have the right to appeal the denial of these wrongfully denied claims.

Recommendation #7:  Carefully read a ZPIC’s denial decision letter. When you receive a denial decision letter relied upon by a ZPIC, carefully review the notice and determine whether the contractor has specifically addressed the reasons for denial associated with each of the claims at issue.  Every ZPIC is different.  Over the last few months, one of the ZPICs involved in the cases we are handling has been citing only a general reason for denial (such as “not medically necessary”).  Should the ZPIC in your case not provide sufficient information, you will find it difficult, if not impossible, to address any specific reasons your claims have been denied.   Your legal counsel may be able to get the ZPIC to provide additional specificity in connection with their denial reasons.  Alternatively, legal counsel may be able to argue that the ZPIC’s failure to provide specific reasons for denying your claims is a clear violation of your due process rights. 

Recommendation #8:  Don’t forget – shortly after the “demand letter” is sent, any payments you may be expecting may be recouped by your Medicare Administrative Contractor (MAC).   A demand letter from your MAC usually follows a few days  after you receive a ZPIC’s denial decision letter.  While you have 120 days to file a request for redetermination appeal (as outlined in he MAC’s demand letter)[4], should you fail to file the request for redetermination appeal within 30 days of the date of the MAC’s demand letter (not 30 days after receiving the demand letter!), your Medicare payments will be recouped starting on day 41.  Alternatively, a provider may set up an extended repayment program with the MAC so that the alleged overpayment can be repaid through monthly installments.  We strongly recommend that you set this up.  You will then be able to take advantage of the 120 period permited to file a redetermination appeal rather than try and file a poorly prepared set of arguments within the previously discussed 30 day period.  Similar issues (with completely different deadlines) are present at the reconsideration level of appeal — the next level in the administrative appeals process. Once again, these issues can be quite complicated.  We recommend that you discuss available appeals options with your legal counsel. 

Recommendation #9: Foster a corporate culture which encourages compliance.  ZPICs have increased their audit activities dramatically in numerous areas of the country.  South Texas has been especially hard-hit.  Providers in Houston, McAllen, Harlingen, Edinburgh, Laredo, Corpus Christi and Brownsville appear to have experienced a recent surge in audit activity.  Be aware that ZPICs are looking for aberrations in billing patterns and often target providers based on these variations in coding or billing practices.  Compliance with regulations and consistency in your “message” to employees is essential. Establishing good intake and records management procedures, continuing employee education and training efforts, can facilitate the adoption of an ethical, compliant corporate culture.

           And, last but not least,

Recommendation #10:  When drafting a Compliance Plan, providers should include a “Code of Conduct” that is easily understood by all employees.  We believe that a “Code of Conduct” should accurately reflect the belief system an organization has pursued and sincerely intends to follow.   In doing so, an organization can engender a compliant corporate culture.  Over the years, we have seen organizational “Codes of Conduct” which range from a succinctly described phrase to discusions which take up more than a page.

Our favorite “Code of Conduct” (which also happens to be the “Code of Conduct” adopted by our law firm) is used by Cadets at the United States MilitaryAcademy at West Point. Modified for use by health care providers, the “Code of Conduct” reads: 

“Our clinicians and staff will not lie, cheat, steal, or tolerate those who do.”

This simple, yet elegant “Code of Conduct” succinctly lays out a provider’s ethical responsibilities, both with respect to Medicare and in their other business dealings.  We recommend that you consider adopting and adhering to this or a similar “Code of Conduct.”

Our attorneys have extensive experience representing Physicians, Clinics, Home Health Agencies, Hospices, DME Companies, Skilled Nursing Facilities, Chiropractors, Pain Medicine Clinics, Rehabilitative Medicine Clinics and other Medicare providers in connection with audits by ZPICs, PSCs, MACs and other contractors.  We also have years of experience assisting providers with “gap” analyses and in implementing an effective Compliance Plan.  Should you have questions about these or other health law issues, please feel free to call us for a complementary consultation.  We can be reached at:  1 (800) 475-1906.  

(July 16, 2011):

I.          Scope of the Problem:

            As HHS-OIG’s July 2011 report details, approximately 61% of the power wheelchairs billed to Medicare during the period reviewed were either medically unnecessary or lacked sufficient documentation for HHS-OIG to determine medical necessity.   Collectively, these improper billings accounted for $95 million of the $189 million paid by Medicare for power wheelchairs.

II.         Types of Problems Noted:

              In reviewing these Medicare power wheelchair claims, HHS-OIG conducted a random sample of 375 claims.  HHS-OIG’s review included both standard and complex wheelchairs.  Based on records submitted by DME suppliers, HHS-OIG found that:

• 9% of all power wheelchairs were medically unnecessary
• 52% had claims with insufficient documentation to determine medical necessity.

             A number of specific problems are outlined in HHS-OIG’s July 2001 report.  Two of the most significant concerns included:

• Some Medicare patients received power wheelchairs when only a manual wheelchair, cane, or walker was needed.
• Many of the claims were for power wheelchairs appeared to be justified and medically necessary based on suppliers’ records. However, when HHS-OIG examined the corresponding ordering physicians’ records, most of these same power wheelchairs were found to be either:
  • Medically unnecessary, or
  • Insufficiently documented, or
  • Undocumented.

              Essentially, the suppliers’ records were either unsupported, or, in some cases, were contradicted by the related ordering physicians’ medical documentation.

III.     Summary of HHS-OIG’s Findings:

              HHS-OIG’s July 2011 report is especially significant in light of the fact that the agency previously issued two prior reports based on the same sample of power wheelchairs.  While the earlier reports noted that there significant coding and documentation requirements, this recent report focuses on supplier compliance deficiencies.  Summarizing its findings among the three reports, HHS-OIG noted that 80% of the power wheelchair claims sampled did not meet Medicare’s documentation and / or coverage requirements. HHS-OIG concluded its report by saying:

“Although CMS has taken steps since 2007 to decrease errors among suppliers of power wheelchairs and other DME, Medicare has paid significantly more in recent years for power wheelchairs than it did in 2007. These increases may indicate that CMS continues to pay for power wheelchairs that are not medically necessary and/or have claims that do not meet documentation requirements.”

IV.        Practical Impact of HHS-OIG’s Findings:

              As a participating provider, power wheelchair suppliers have an obligation to ensure that their claims fully comply with Medicare’s coverage and billing requirements.  Unfortunately, as HHS-OIG’s report reflects, most of the power wheelchair claims paid by Medicare have not met these requirements.

            From a practical standpoint, HHS-OIG’s findings are not new – both physicians prescribing power wheelchairs and the suppliers of this equipment have repeatedly failed to either meet Medicare’s documentation requirements or show that this equipment is medical necessity for the care of the patient and that less expensive assistive devices (such as a cane, walker or manual wheelchair) are insufficient to meet the patients’ medical needs.  As a result, these claims have been regularly examined by various government law enforcement agencies (e.g. HHS-OIG, the Federal Bureau of Investigation and the U.S. Department of Justice) and CMS’ contractors (e.g. Zone Program Integrity Contractors (ZPICs), and DME Medicare Administrative Contractors (DME MACs)).  With the release of this report, suppliers will likely find their practices under yet additional scrutiny.

            Both physicians who prescribe power wheelchairs and DMEPOS suppliers who fill these prescriptions must ensure that their practices fully comply with applicable statutory and regulatory requirements.  As discussed below, the completion of a“gap analysis“ is an essential element of an effective Compliance Plan.

V.         Conducting a Gap Analysis:

             From a compliance standpoint, unless they have recently done so, all power wheelchair suppliers should immediately conduct a gap analysis to determine whether their practices fully comply with applicable statutory and regulatory requirements. Gap analyses are routinely used in practically every industry to assist Compliance Officers and others in identifying corrective actions that need to be taken in order to bring an entity’s practices to an acceptable baseline of compliant operations.  Gap analyses conducted by health care providers must analyze two aspects of their practices in order to ensure compliance.  These include:

Requirement #1:  A review of their documentation, coding and billing practices.  Additionally, the evidence must reflect that the power wheelchair billed was medically necessary and appropriate.

Requirement #2: A review of the supplier’s business practices to ensure that the supplier is not committing violations of the Federal Anti-Kickback, Stark or other statutory enforcement requirements.

             This article focuses on the first set of requirements set out above.

            Every gap analysis begins with a review of applicable statutory and regulatory provisions.  Additionally, suppliers must assess Medicare’s latest guidance covering documentation, coding and billing requirements.  In addition to issuances by CMS, Local Coverage Determinations (LCD’s), Local Medical Review Policies (LMRP’s) must be reviewed so that specific regional directives are also identified.

            Upon completing an analysis of the regulatory landscape, suppliers must next conduct a baseline assessment of its existing documentation, coding and billing practices. At this point in the process, a supplier can compare its practices with the government’s requirements. This process is often referred to as a “gap” analysis. In this fashion, a supplier is able to use this performance measurement tool to determine the extent to which action must be taken to bring the supplier’s practices up to the desired level of compliance.

VI.        CMS’ Power Wheelchair Requirements:

             As an initial starting point, power wheelchair suppliers should examine the “Face-to-Face Examination Checklist” that has been issued by CMS in MLM Matters Number SE1112.  As the guidance reflects, Power Wheelchairs are one of several devices collectively classified as “Power Mobility Devices” which qualify for coverage under Medicare Part B.

             CMS has defined “Power Mobility Devices” as covered items of DME which include a Power Wheelchair or a Power Operated Vehicle (POV) that a beneficiary uses in the home. Effective May 5, 2005, CMS revised its national coverage policy to create a new class of DME.  This new class of equipment was identified as “Mobility Assistive Equipment” (MAE), which included a continuum of technology–  from canes to power wheelchairs.

            A.        Ordering / Treating Physician Requirements.

           Regardless of how they are described, prescribing or ordering physicians are the proverbial “front-line” in the claims process. These physicians are responsible for determining whether a PMD is medically necessary and appropriate.  If so, the physician must:

Provide the power wheelchair supplier with supporting documentation consisting of portions of the medical record essential for supporting the medical necessity for the PMD in the beneficiary’s home. In order to document the need for a PMD there are a few specific statutory requirements that must be met before the ordering physician can issue a written prescription for the equipment: 

“1. An in-person visit between the ordering physician and the beneficiary must occur. This visit must document the decision to prescribe a PMD.  

2. A medical evaluation must be performed by the ordering physician. The evaluation must clearly document the patient’s functional status with attention to conditions affecting the beneficiary’s mobility and their ability to perform activities of daily living within the home. This may be done all or in part by the ordering physician. If all or some of the medical examination is completed by another medical professional, the ordering physician must sign off on the report and incorporate it into their records.  

3. Items 1 and 2 together are referred to as the face-to-face exam. Only after the face-to-face examination is completed may the prescribing physician write the prescription for a PMD. This prescription has seven required elements and is referred to as the seven-element order which must be entered on the prescription only by the physician.  

4. The records of the face-to-face examination and the seven-element order must be forwarded to the PMD supplier within 45 days of the completion of the face-to-face examination. 

5. CMS’ National Coverage Determination requires consideration as to what other items of mobility assistive equipment (MAE), e.g., canes, walkers, manual wheelchair, etc., might be used to resolve the beneficiaries mobility deficits. Information addressing MAE alternatives must be included in the face-to-face medical evaluation.”  (MLM SE 1112, page 2 of 7). 

Once the above requirements have been met, an ordering physician can properly issue a prescription for a PMD.

            B.        Ordering / Treating Physician Requirements.

           As MLM SE 1112 reflects, the following checklist is not to be used as a substitute for a patient’s underlying medical records.  Having said that, the checklist serves as a helpful tool for verifying that an ordering physician’s documentation (as reflected by the patient’s medical records) are both complete and sufficient to meet Medicare’s coverage requirements.  The following information should be fully documented in the patient medical records:

Documentation of “History” Component

The medical record for the patient includes the following history:

_____ Signs/Symptoms that limit ambulation;

_____ Diagnoses that are responsible for these signs/symptoms;

_____ Medications or other treatment for these signs/symptoms;

_____ Progression of ambulation difficulty over time;

_____ Other diagnoses that may relate to ambulatory problems;

_____ How far the patient can ambulate without stopping and with what assistive device, such as a cane or walker;

_____ Pace of ambulation;

_____ History of falls, including frequency, circumstances leading to falls, what ambulatory assistance (cane, walker, wheelchair) is currently used and why it is not sufficient;

_____ What has changed in the patient’s condition that now requires the use of a power mobility device;

_____ Reason for inability to use a manual wheelchair; such as assessment of upper body strength;

_____ Why does the patient need a power wheelchair rather than each level of mobility assistive equipment (a cane, walker, optimally configured manual wheelchair, scooter)?

_____ What are the reasons that the patient should not or could not use a cane, walker, optimally configured manual wheelchair or power operated vehicle (scooter) in the home to satisfy their needs? and

_____ Description of the home setting, including the ability to perform activities of daily living in the home, as well as the ability to utilize the PMD in the home.

Documentation of Examination Component

The physical examination is relevant to the patient’s mobility needs and the medical record for the patient contains:

_____ Weight and Height

_____ Musculoskeletal examination

• Arm and leg strength and range of motion;

_____ Neurological examination

• Gait

• Balance and coordination

• If the patient is capable of walking, the report should include a documented observation of ambulation (with use of cane or walker as appropriate).

VII.       Conclusion:

            DMEPOS suppliers have an obligation to ensure that power wheelchairs billed to Medicare fully meet the program’s documentation, coding and billing requirements. To that end, it important that suppliers carefully examine both their relationships with prescribing suppliers and the documentation of medical necessity associated with any claims billed to Medicare.  Importantly, it isn’t merely a paper-only exercise which requires that you “document” medical necessity – a patient must actually require this type of assistive device.  Therefore, the documentation must accurately reflect a patient’s diagnosis, signs / symptoms and clinical limitations which limit ambulation and necessitate the use of a power wheelchair.

Our attorneys have extensive experience representing health care providers in ZPIC audits of post-payment claims.  Additionally, we can assist with the development and implementation of an effective Compliance Plan.  Should you have questions, please call us for a complimentary initial consultation. Call:  1 (800) 475-1906.

(July 15, 2011): 

(1)  “If it isn’t yours, give it back” 

Sound familiar? This is one of the first principles we are taught as children.  Nevertheless, it is as true today as it was then.  Medicare providers have a statutory obligation to promptly return any and all overpayments identified. In fact, with the passage of the Affordable Care Act (ACA) in 2010, it is now a requirement that providers return Medicare overpayments to the government within 60 days of identification or face significant liability under the False Claims Act.

While the prompt, mandatory return of a known overpayment is clearly required, we were recently asked about a provider’s obligations when it comes to less clear, potential overpayments.  For example, suppose that a provider identifies a specific claim that was improperly submitted and paid by Medicare.  When reviewing how the overpayment occurred, the provider also learns that a former employee mistakenly believed that a certain service was covered by Medicare.  While the provider may only have evidence that a single claim was improperly submitted and paid by Medicare, the provider may suspect that the former employee may have incorrectly handled similar claims.  The issue therefore becomes whether a provider has an obligation to further investigate and determine whether other, unconfirmed overpayments may exist.  In considering this issue, we believe that the general principle still applies, regardless of the fact that the mandatory return provisions set out under the ACA may not cover this situation.  Remain unconvinced?  In addition to being the ethical and right action to take, it is important to keep in mind that even if the 60-day repayment provisions of the ACA may not technically apply, a provider who turns a blind eye to possible overpayments is exposing the practice to a potential whistleblower suit under the False Claims Act by a current or former employee. Do you know of a potential overpayment?  More than likely, someone else in your practice is also aware of the problem. The bottom line is simple — “If it isn’t yours, give it back” 

(2)  “Participation in the Medicare program is a privilege, not a right.”

 Remember taking driver’s education in high school?  After 30 years I still remember my driver’s education teacher repeatedly reminding us that we did not have a right to have a driver’s license.  Rather, it was a privilege to be permitted to drive – a privilege that could be taken away by the State as quickly as it was granted if we failed to follow the laws of the State and the rules of the road.  Frankly, Medicare is no different.  Health care providers do not have a right to participate in the Medicare program.  It is a privilege that must be earned.  Should a provider fail to adhere to Medicare’s coverage, coding and billing requirements, this privilege can be taken away.  With this in mind, providers must actively work to better ensure that they fully comply with Medicare’s coding and billing requirements. Should they not fully understand one of more of the program’s guidelines, it is the provider’s responsibility to learn Medicare’s rules and ensure that the provider’s business practices fully comply with the program’s provisions.

(3)  “If it sounds too good to be true, it probably is.”  

Physicians, small group practices and clinics should exercise caution when dealing with ‘consultants’ or ‘experts’ who boast of guaranteed increases in revenues or profits.  Unfortunately, many providers are having to deal with ongoing, steady declines in both Federal and private payor reimbursement rates.  In the current weak economy, unemployment rates have remained high and many patients are having a difficult time meeting their financial obligations (including monies owed to their health care provider).  In this environment, the promises and assertions of unscrupulous  individuals and companies who claim to know of “innovative” business models or ways to modify a provider’s coding / billing practices which will significantly increase a practice’s revenues can be tempting to a provider experiencing financial difficulties.  Have you been approached by someone with a “deal” which sounds too good to be true?  Be sure and check out HHS-OIG’s “Fraud Alert” titled “Special Advisory Bulletin: Practices of Business Consultants.”  While published a decade ago, the lessons and concerns discussed in the bulletin are as current today as they were a decade ago.  Check it out – and remember — the age old cliché “If it sounds too good to be true, it probably is,” is especially true when it comes to health care business opportunities.

(4)  “Everyone does it, so it must be okay.”

 In years past, a number of drug companies and medical device companies played fast and loose with Medicare’s rules, showering physicians with lavish gifts, inviting them to attend paid vacations and entering into sham “advisory” or “consulting” agreements which paid the physicians regular stipends for little, if any, work.  Why did these companies engage in these practices?  In many instances, the companies wanted to influence the physicians’ decision-making when it came time to prescribe certain drug or order medical devices to be used in the care and treatment of their patients. These actions amounted to kickbacks – plain and simple.  Today, drug and medical device industry representatives have made great strides in educating their members and in eliminating these illegal practices.  At the height of these practices, many physicians appeared to take the position that since their peers accepted kickbacks, it must be okay.  Clearly, this mindset is just flat wrong.  Unfortunately, it isn’t limited to drug and medical device companies. Generally, physicians should exercise care before accepting any thing of value from a company or clinical practice with whom the physician works – especially when the physician either makes referrals to the company or recommends / prescribes items or devices sold by that company to their patients.  In considering this issue, it is often helpful to ask, “Where do I send my referrals?” and / or “Where do I send my patients for Medicare-covered medical items or supplies?” Additionally, ask yourself, “From whom do I receive business or referrals?” Once answered, these business relationships should be carefully reviewed to ensure that there are no transactions that could give even the appearance of being improper. A typical example which repeatedly arises involves the use of “Medical Director” agreements where a physician is paid a monthly stipend which exceeds the fair market value of any services which are provided under the agreement.

(5)  “Neatness and accuracy count.”   

Our Firm represents a wide variety of health care providers when responding to post-payment claims audits conducted by ZPICs and other Medicare contractors. Over the last two years, we have noted a significant increase in the number of claims being denied because medical documentation is either illegible or incomplete. From a compliance standpoint, these problems are among the easiest for a provider to remedy on a going-forward basis.

 Handwritten portions of a medical record must be legible by an average reviewer, not merely by the passage’s author –   When assessing claims denial reasons cited by ZPICs, our attorneys, paralegals and other personnel are often required to go through medical records as we assemble responsive arguments in support of payment.  More often than not, we don’t have any problem deciphering the records cited by the ZPIC as being “illegible.”  Having said that, ZPICs and other contractors have an enormous audit caseload, making it difficult to spend an inordinate amount of time trying to make sense out of poorly written passages.  As a result, if their reviewers cannot readily read a passage, they merely deny the claim and move on.

The lesson to be learned is clear – physicians, nurses, therapists, counselors and others must ensure that any handwritten comments, signatures, dates or other information entered into a medical record can easily be read by an outside third party who is not experienced in reading the handwriting of your staff.  It is important ot keep in mind that if there is an audit or review of this information by a ZPIC or another government contractor, it is likely to be several years in the future. During that period, the writer may no longer be with the practice and it may be difficult (if not impossible) to easily locate the writer for assistance in deciphering handwritten passages.  From a compliance standpoint, regular self-audits can prove quite helpful in identifying possible problems.

If you are conducting a self-audit and find that words or passages are illegible or incorrect, you should consider taking the following remedial steps:

Advise your staff of the problem and follow-up to ensure that future entries are legible and accurate – Physicians, nurses and staff should be educated regarding the importance of ensuring that their handwriting is easily legible and the information they are providing is accurate. In most instances, once this is identified as an issue, most staff are willing to work with you so that future problems do not arise.  We recommend that regular follow-ups are conducted to ensure that problematic handwriting does not again deteriorate to where it is again illegible.

Correcting illegible or erroneous words, phrases or passages – Should you find that certain portions of a patient’s record documenting prior services rendered are illegible, you cannot merely erase it or use white out to hide the original handwritten section  before re-writing the passage so that it is legible. We recommend that you contact your Compliance Officer or legal counsel before making any changes to a medical record (regardless of whether the record is handwritten or electronic).  Legal counsel can guide you on the correct way to make changes or corrections to a medical record which documents services previously rendered. If a change or correction to a word or passage is necessary, you should not erase, white-out, scratch out or use a marker to conceal the original remark.  Instead, we usually recommend that a single line through the incorrect or illegible phrase or passage is made. If you are audited, an outside reviewer will be able to readily see the original passage. Next, the corrected entry should be carefully written next to or above the original entry. It should then be signed and dated by the individual making the correction.  In this fashion, an outside reviewer will not be misled in any way about what was originally written, when the corrected entry was made and / or the identity of the person making the change to the record.

As set out in Chapter 3, Section 3.3.2 of the Medicare Benefit Policy Manual, the Centers for Medicare and Medicaid Services (CMS), when conducting a “Medical Review,” CMS advises ZPICs to consider the following:

“3.3.2 – Medical Review Guidance

For example, ZPIC staff looks for some of the following situations when reviewing documentation:

 • Possible falsification or other evidence of alterations including, but not limited to: obliterated sections; missing pages, inserted pages, white out; and excessive late entries;

 • Evidence that the service billed for was actually provided; or,

 • Patterns and trends that may indicate potential fraud.” (emphasis added).

 As a participating provider in the Medicare program, it is essential that you ensure that the care and treatment you provide is factual, accurate and recorded in a legible fashion.

To that end, one Medicare Administrative Contractor (TrailBlazer Health Enterprises) has suggested that when reviewing medical documentation, providers should check to ensure that:

• Records are legible; reasonable clinicians will easily recognize that all abbreviations and symptoms
• The patient’s name and the date of service appears on every page of the record (including the back side of double-sided forms).
• The medical record clearly indicates the identity and professional credentials of all people who contributed to the service and / or the record, and who contributed which portion(s) of the service and or record.
• Information in the record clearly supports all diagnoses reported on the claim.
• Information in the record clearly demonstrates that all of the work described by the code(s) and / or modifier(s) reported on the claim was performed.
• All procedures reported are clearly documented.
• Education and Management (E/M) services reported on the same day as a procedure are clearly documented, medically necessary, significant and separate from the procedure.
• The record of services performed “incident to” a physician service demonstrates the link between the employee’s work and physician’s service.
• The record of services split / shared by a physician and non-physician practitioner demonstrates the face-to-face encounter and contribution to patient management by each practitioner involved.

Ultimately, providers who diligently work to achieve these points will have made significant strides towards a compliant culture in your  practice or clinic.

Liles Parker attorneys have extensive experience assisting providers in establishing an effective Compliance Plan.  Should you have questions regarding compliance, please give us a call for an initial complimentary consultation.  We can be reached at:  1 (800) 475-1906.