The Physician Payment Sunshine Rules

Last week, the Centers for Medicare & Medicaid Services (CMS) closed its public comment period regarding proposed regulations for what is being called the “Physician Payment Sunshine Rules.” Generally, these rules require drug and device manufacturers to report payments, in cash or otherwise, to physicians. CMS is then authorized to publish these disclosures on a website for the public to review when researching and choosing their physicians. While a number of requirements and/or informal guidance may already limit or otherwise affect payment to physicians by drug and device manufacturers (for instance, the PhRMA Code), these new rules will require nearly every payment to physicians in this context be publicly reported and available. This may present new challenges for physicians, manufacturers and their interactions and relationships.

I.   The Law

Implementing Section 6002 of the Affordable Care Act, Transparency Reports and Reporting of Physician Ownership or Investment Interests, the law requires that drug or biologic manufacturers, device or medical supply manufacturers and group purchasing organizations submit information regarding any payments to physicians on an annual basis. These payments include not only cash, but also gifts, consulting fees, research activities, speaking fees, meals and travel expenses. The reporting requirements mandate that a drug or device manufacturer or GPO must disclose all payments to physicians greater than $10 if such amounts do not exceed $100 per year. If payments to a specific physician are greater than $100, the manufacturer or GPO must report every payment to the physician, even those less than $10. These are very low dollar requirements, and will substantially affect the reporting requirements for nearly every manufacturer or GPO in the country. Under the proposed law, nearly every meal with a physician will require disclosure.

II.   Effect on Physicians

While manufacturers and GPOs are responsible for actually reporting amounts paid, the law does not affect their business and business practices as much as it will likely affect physicians. Specifically, the law is intended to give the public complete transparency in a provider’s relationships, thus allowing the public to discern whether a physician is making a medical decision based on any factors other than what is best for the patient. In essence, it is taking the intent of Stark and Anti-Kickback laws – to ensure that medical decisions by a physician are made solely in the best interest of the patient – and requiring that any financial interests of a physician be publicly disclosed (even if such interests do not violate the Stark and Anti-Kickback laws). While the law requires compliance by manufacturers and GPOs, it primarily affects the reputation of physicians. As such, physicians and their associates should understand the ins and outs of the proposed rules, so that they can better protect both the reputation of the physician as well as the integrity of the practice as a whole.

III.   Penalties for Failure to Report

Under the law, CMS can assess fines in two situations. The proposed rules state that a manufacturer or GPO that unknowingly fails to report payment or other consideration given to a physician may be liable for $1,000 to $10,000 per violation, not to exceed $150,000 per year. On the other hand, a knowing failure to report payment may subject a company to $10,000 to $100,000 in penalties, capped at $1,000,000 per year. To enforce the law, CMS and the Office of Inspector General (OIG) have reserved the authority to “audit, evaluate, or inspect” applicable entities for compliance. In addition, CMS has mandated that device and drug manufacturers and GPOs maintain documentation of payments made to physicians for at least five years from the date in which the applicable data was made available on CMS’ disclosure website.

IV.   What if the Reported Information is Wrong?

One issue that may concern many physicians is the inaccurate reporting of information. While manufacturers and GPOs have the duty and the authority to report payment information to CMS, the information reported can only substantially impact physicians. As such, if information is incorrectly reported to CMS, a physician may be improperly associated with a certain drug, device or company, and such association may harm the integrity of that physician’s practice. CMS has taken a “hands-off” approach on this issue, leaving it to the involved parties to “resolve disputes about the information reported.” It is also proposing that “if the dispute cannot be resolved, the transaction will be noted as disputed, and both amounts will be published.” Such an approach will likely only confuse patients researching their physicians and negatively impact the integrity of a physician practice.

The new law can present complex problems for physicians and device and drug manufacturers alike. Liles Parker can handle dispute resolution between parties, reporting and appeals of agency decisions. Moreover, Liles Parker attorneys are experienced in assisting providers with implementation of compliance initiatives and other compliance activities to make sure that problems are addressed before they arise. For more information or a free consultation, please do not hesitate to call us at 1 (800) 475-1906.

Data Tools Can Give You a Better Sense of Average Utilization Rates

While we all know that many Medicare post-payment audits are generated as a result of sophisticated data analyses, the particular elements of concern which may give rise to a specific provider audit are not always so clear. In any event, it is always helpful for you to know how you “compare” to similarly-situated providers in your practice area.  In doing so, it can serve as an “advance-warning” of problematic coding, billing or other conduct on your part.

While you can’t completely eliminate the risk of an audit, there are several tools that can help your organization determine how your utilization rates compare to those of your peers.

Among these tools is one of our personal favorites – DecisionHealth’s “E/M Bell Curve Data Book,“ which gives a visual overview of the Center for Medicare and Medicaid Services’ (CMS’) Evaluation and Management (E/M) data rates for 59 different specialties. For instance, a general practitioner can look at his established patient office visits (CPT© codes 99211 – 99215) and compare his utilization rates to the national average for the same CPT© codes. This data can be extremely useful in assessing an office’s billing practices and patterns and give confidence to a provider whose rates are similar to the national average.

Another effective tool, especially for non-E/M practices, such as home health agencies and hospices, is the “The Dartmouth Atlas of Health Care,” which provides a variety of data tools to evaluate Medicare spending by county. Not only does this interactive website have average-spending-per-Medicare-beneficiary maps, it also has a tool which allows providers to examine national and state benchmarks for a variety of statistics. These include Medicare reimbursements, hospice, skilled nursing facility, and home health agency utilization rates, surgical procedures and more. Applied correctly, this data can be instrumental in a practice’s self-evaluation and gives providers significant insight into their own billing patterns.

Unfortunately, staying compliant with Medicare rules and regulations and avoiding audit can be a constant and ever-evolving challenge. Even with the best tools, physicians, group practices, clinics, home health agencies and other providers may still find themselves subject to Medicare post-payment and / or pre-payment audit by a ZPIC or by another one of CMS’ contractors. While it is essential to understand your obligations as a Medicare participant, it is equally important to understanding how and why practices get audited.  Moreover, it is also necessary to know how to appeal an adverse determination that you sincerely feel is unwarranted.

The Latest Risk Area for Providers: CMS’ EHR Incentive Program Post-Payment Audits

(January 26, 2012):

1.   Background:

Are Whistleblower Provisions Coming to HIPAA?

(January 25, 2012):

I.   Background

Over the last few years, a number of health care providers and other “covered entities” (both large and small) have been audited and penalized by the government for improper breaches of protected health information. Enforcement actions taken have varied, ranging from mere warnings to criminal prosecution.

II.   HITECH Raises the Bar for Providers

The “Health Information Technology for Economic and Clinical Health Act” (HITECH) contains a number of significant privacy provisions impacting health care providers.  Two of these provisions include:  (1) The initiation of privacy audits by contractors working for the  Department of Health and Human Services (HHS), Office of Civil Rights (OCR); and (2) The sharing of Civil Monetary Penalties assessed in response to an improper breach with the affected patients.

• Privacy Audits

As OCR has announced, the agency has initiated an audit program intended to help ensure that health care providers are complying with the various medical records privacy provisions laid out in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  To do so, OCR has contracted with several nationally-recognized audit firms for the purpose of auditing health care provider compliance with HIPAA’s privacy provisions.

When will audits begin? According to OCR, the initial audits of provider compliance with HIPAA / HITECH requirements began in November 2011. Once these initial audits are completed, OCR intends to focus the remaining audits on the issues and concerns identified in the contractors’ first preliminary audits. At this time, all audits are anticipated to be completed by December 2012.

If prior “pilot” programs are any indication of how these audits will be handled, we anticipate that OCR will ultimately adopt an ongoing audit HIPAA / HITECH process, tasked with assessing the compliance of health care providers, covered entities and business associates. It is essential that you critically review your current practices – after you have been audited, it will likely be too late to avoid the imposition of penalties.

How will HIPAA / HITECH audits be conducted? According to OCR, organizations selected for audit will be notified by the agency of their selection. At that time, they will be asked to provide “documentation of their privacy and security compliance efforts.” During this pilot period, each of the covered entities audited will receive a site visit. During the site visit, contractor representatives will be required to interview key personnel. The contractors will also review the covered entity’s practices and determine whether their operations fully comply with HIPAA’s / HITECH’s privacy requirements. After completing the site visit, a draft report will be prepared which outlines how the audit was handled, the conclusions that were reached by the contractor and the remedial actions that were taken by the covered entity. The draft report will be shared with the covered entity prior to finalization and the covered entity will have a chance to respond to the contractor’s findings.

• Sharing of Civil Monetary Penalties

In addition to the HIPAA audit protocol discussed above, HITECH includes a seemingly-innocuous section which commands the Secretary HHS to establish a methodology to distribute a percentage of Civil Monetary Penalties to individuals harmed by an improper breach of protected health information or another HIPAA violation. For instance, if a patient’s medical records or other protected health information is inappropriately accessed or divulged to unauthorized persons and the OCR ultimately investigates the violation and assesses Civil Monetary Penalties against a provider or other covered entity in connection with the breach, the harmed patient may be eligible to receive a portion of the penalties collected by the government.

On its surface, such a clause seems reasonable – after all, why not compensate those who have been hurt by a wrongful disclosure or breach? However, this law (and its soon-to-be-created implementing regulations) will likely have extensive repercussions in reporting and enforcement of HIPAA violations. Giving patients a financial incentive to report wrongful disclosures and breaches of their protected health information will likely lead to increased reporting of incidents since harmed patients may now be eligible to share in any penalties collected.  Similar laws which allow private individuals to receive a portion of penalties and other funds recovered, such as the False Claims Act (FCA), have been extremely successful in detecting and deterring fraudulent activity. While HITECH does not create a “private right of action” for HIPAA violations and is substantially different from the FCA, it is important to note that their basic principles are the same. By giving private citizens, with perhaps greater and more immediate knowledge of an issue than the government, a real reason to report a problem, these problems can be more quickly and effectively remedied.

In 1986, when the FCA was overhauled with new provisions that gave private citizens more power and a greater likelihood of collecting money, the FCA’s usage skyrocketed. In what could be a very similar situation, affected individuals with the chance to receive a portion of fines and penalties will be far more likely to aggressively report and pursue these violations. For covered entities (comprising virtually all providers, billers and business associates), this means that implementing effective HIPAA privacy policies should be at the top of your compliance “to-do” list.

III.   How Health Care Providers Should Respond

Among their first steps, health care providers and other covered entities should:

• Ensure that patient protected health information is fully secured and protected.
• Take steps to prevent improper access by authorized parties.
• Ensure that anyone who accessing protected health information is properly logged so that patients can readily obtain an accounting or listing of anyone who has reviewed all or part of their records. This log should also document the purpose for assessing the record.
• Take steps to prevent the access of protected health information by authorized personnel for unauthorized reasons.
• Take steps to better ensure that no protected health information is inappropriately disclosed to third parties.

While the points outlined are essential, they are far from all-inclusive.  It is imperative that you identify qualified counsel to assist you in meeting your HIPAA / HITECH obligations.

Further, when handling protected health information, health care providers must remain mindful of the “minimum necessary” rule.  Health care providers, other covered entities and business associates who handling protected health information must only disclose the minimum information necessary for a requesting entity to properly do its job.

Ultimately, all health care providers, covered entities and business associates should take reasonable steps to help ensure that applicable HIPAA / HITECH provisions are fully met.

Are Your Privacy Practices Fully Compliant? HIPAA Audits are Here

(December 28, 2011)

I.          Introduction:

The Office of Civil Rights (OCR), an agency of the Department of Health and Human Services (HHS), is the central organization responsible for enforcing compliance with the Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).  As OCR’s website reflects, the agency:

“. . [I]nvestigates complaints, enforces rights, and promulgates regulations, develops policy and provides technical assistance and public education to ensure understanding of and compliance with non-discrimination and health information privacy laws.”

II.         Development of HIPAA Audits and Protocols:

After witnessing the effectiveness of Medicare contractors in identifying and recovering improper payments, Congress chose to include a similar compliance measure for HIPAA privacy as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009. Under HITECH, HHS and OCR were mandated to create an auditing program designed to help ensure that covered entities and their business associates were meeting HIPAA Security and Privacy Rule requirements.

In response, OCR contracted with a large nationally-recognized government contractor last year to develop and assess several HIPAA auditing methodologies for possible implementation. While that assessment was reportedly completed in August 2010, neither the contractor’s report nor the specific method chosen to conduct the upcoming audits has been publicly disclosed.

III.        Timeframe of Initial HIPAA Audits:

In July and August 2011, OCR and the contractor worked to develop their initial audit protocols and the standards they would assess provider compliance against. A national accounting firm was selected to conduct these HIPAA audits in September, 2011. Initially, they are expected to only examine a few providers in order to test the audit protocols and standards which have been developed. Once the accounting contractor documents its initial observations, OCR will work with the contractors to modify the protocols, as necessary.  This is expected to occur during the first quarter of 2012. Starting in May 2012, the remaining initial HIPAA audits are anticipated to be conducted.

Importantly, neither OCR nor its contractors have indicated that there are any limits in terms of the size and / or types of providers to be audited.  Physicians, practice groups, home health agencies and other small to mid-sized providers should not expect audits to solely be conducted on hospitals and other large institutional providers. At this time, all providers are eligible to be subject to audit. Furthermore, you can expect that once the HIPAA audit demonstration project is completed, Congress will more than likely make it permanent and expand the scope of the audit program.

IV.        Recommendations for Effective HIPAA Compliance:

If you have not already done so, now is the time to ensure that your practice remains fully compliant with HIPAA and HITECH requirements. Auditors will primarily be looking for compliance with the HIPAA Privacy and Security Rules.  You should also expect them to examine the security of your electronic transmissions and physical security safeguards.  Additional areas of inquiry are likely to include whether business associate relationships are being properly handled and whether or not providers are fully documenting each person who accesses a medical record so that patients may be given an accurate accounting of such information.

All providers, regardless of size, should have an effective HIPAA privacy policy as part of their overall Compliance Program.  As with other compliance measures, it should be specifically tailored to address the needs of your organization, along with any unique risks faced by your practice.  A “sample” policy downloaded from the Internet, unfortunately, will not suffice. When developing a HIPAA privacy policy, be sure to keep in mind the four “scalability” factors set out in the Code of Federal Regulations in analyzing a provider’s compliance with the Security Rule:

• The size, complexity, and capabilities of the covered entity;
• The covered entity’s technical infrastructure, hardware, and software security capabilities;
• The cost of security measures; and
• The probability and criticality of potential risks to electronic protected health information. 45 CFR 164.306(b)(2).

While small providers may desire to only implement the “basic” requirements, they must be careful to ensure that each of the Privacy Rule’s provisions are fully met.  All providers, regardless of size, must utilize reasonable safeguards to protect paper, electronic and oral transmissions of protected health information.

Liles Parker attorneys have extensive experience in compliance matters, including HIPAA privacy requirements. Our team can assist your practice with gap analyses, mock audits and other reviews designed to help you better comply with applicable statutory and regulatory requirements. For a free consultation, call us today at 1 (800) 475-1906.

CERT Audits are Serious – Don’t Take them Lightly

(November 23, 2011):

I.             What is a CERT Audit?

The “Comprehensive Error Rate Testing” (CERT) program was implemented as a mechanism for the Centers for Medicare and Medicaid Services (CMS) to assess whether their Medicare Administrative Contractors (MACs) are properly paying claims.  In other words, is a particular MAC failing to identify and deny improper claims?  Alternatively, is the MAC denying claims which do, in fact, qualify for coverage and payment? Essentially, the CERT program serves as an integral management tool for CMS as well as an important feedback mechanism for the MACs. When problem areas are identified, they can be actively addressed by a wide variety of Medicare contractors with audit responsibilities.  Notably, several of the MACs around the country have been aggressively reasserting their roles in the corrective action process.

Essentially, MACs write the checks on behalf of CMS.  As a result, they play an extraordinarily important role in the Medicare reimbursement process. Therefore, when a CERT auditor finds that a MAC has been incorrectly reimbursing providers for claims which may not qualify for coverage, it is very important that the MAC immediately address this system-level deficiency.

II.            Recent Actions Taken by MACs in Response to CERT Audit Findings.

In response to certain CERT audit findings, one MAC recently sent notification to providers of Evaluation and Management (E/M) services explaining that new “stringent corrective actions” will be taken to address some of the more common claims errors identified by the CERT auditors when conducting their reviews of MAC payment practices.  As recent correspondence to a provider reflects, MACs are taking the results of CERT audits quite seriously, and are expanding their program integrity efforts.  As one MAC recently wrote, the contractor stands ready to:

• Suspend a provider if that provider has “too many” payment errors (it does not state how many is “too many”);
• “[R]efer every physician” to that region’s ZPIC if those providers continue to bill for services which may constitute payment errors;
• “[R]efer every physician” to the ZPIC if there is a pattern of past payment errors; and,
• “[C]onduct prepayment reviews” of future claims, up to 100% of a provider’s claims.

To be clear, none of these potential corrective actions represent new authorities.  Nevertheless, the fact that MACs are now reasserting these points is reflective of CMS’ ongoing concerns regarding the prevalence of improper claims.  Indirectly, CMS is making it crystal clear that as the initial recipient and screener of Medicare claims submitted by providers for payment, MACs play an essential role in screening out improper claims and bad providers.  As Medicare’s primary gatekeepers, MACs are responsible for identifying both improper claims and providers who may be engaged in abusive and / or fraudulent practices.

III.           What Should You Do if You Are Notified of a CERT Audit?

Should you receive a CERT audit request for documents from a CERT Documentation Contractor (CDC), it is important to keep in mind that your practice or clinic is not being accused of fraud or wrongdoing.  Fundamentally, a CERT audit is primarily designed to identify deficiencies and mistakes made by Medicare contractors.  Nevertheless, it is imperative that you take a CERT audit request quite seriously.  At the end of the day, it will be you, not the MAC, who is responsible for any overpayments identified as a result of the audit. Moreover, bad results on a CERT audit may lead to further auditing in the future.

IV.          What Actions Should a Compliance Officer Take to Being Audited?

As an organization, if you are subjected to a CERT audit, the “horse is already out of the barn,” so to speak.  Your goal is to review and monitor your organization’s coding, billing and utilization practices on an ongoing basis so that improper claims are never submitted to your MAC in the first place.   In most cases, you can check your MAC’s website to determine if their CERT auditor has already identified certain areas of concern. For instance, one MAC recently reported that out of 508 errors identified in a CERT audit of certain Medicare claims, the contractor found that:

• 311 errors were due to “insufficient documentation.”  Notably, a majority of the errors in this category were because the medical record “did not contain a valid physician’s signature” or because a diagnostic test performed “did not contain a valid physician’s order” or an identification of the provider who rendered the service.
• 132 errors were due to “lack of medical necessity” based on the medical documentation submitted.
• 37 errors were due to “incorrect coding” (primarily related to laboratory testing).
• 10 errors were due to “invasive procedures that were assessed to be without medically necessity.”
• 9 errors were due to an “incorrect procedure code” used when billing the service.
• 6 errors were the result of “billing for services that were not rendered.”
• 2 errors were due to “other errors.”
• 1 error was due to an “incorrect discharge code being used.”

Compliance Officers can take these “general” risk areas, add them to the “practice-specific” risk areas already noted, and take special note of these concerns when conducting internal reviews. The only way to avoid the scrutiny of Medicare’s various administrative contractors (MACs, ZPICs, RACs and CERT auditors) is to avoid payment errors altogether.  While no provider is perfect, the development, implementation and adherence to an effective Compliance Plan can significantly reduce the number of improper claims submitted by a provider to a MAC for reimbursement.

V.            What Actions Should a Compliance Officer Take After Receiving a CERT Audit Letter?

As Compliance Officer, upon receipt of a CERT audit request, you should carefully review the request and take steps to assemble a complete set of medical records and other supporting documentation related to the specific claims at issue.  It is important not only to make sure that your documentation is complete when sending in records to a CERT contractor, but to make sure that compliance is a daily part of your practice. Ensuring that your documentation is appropriate and accurately documents both medical necessity and the level of services performed can greatly assist you in avoiding trouble down the road.

Now, more than ever, it is important that you have an effective Compliance Plan in place.  Your Compliance Plan should explicitly set out your organization’s policies about how to correctly assess the need for, and document the services provided to a Medicare beneficiary. Otherwise, as demonstrated by the tough stance being taken by the MAC discussed above, CERT audits and other Medicare post-payment audits could raise serious problems for your practice.

Liles Parker attorneys represent health care providers in CERT, MAC, ZPIC and RAC audits and investigations.  Our attorneys have extensive compliance experience and can conduct “gap” analyses designed to place your practice or clinic on solid regulatory footing.  To speak with one of our attorneys, call 1 (800) 475-1906 for a free consultation today. 

CMS’ New “Physician Compare” Website to Report on Provider Performance

(November 15, 2011) Last year, the Centers for Medicare and Medicaid Services (CMS) launched the “Physician Compare” website, a site which allows beneficiaries to research their health care providers. The Affordable Care Act (commonly referred to as “Health Care Reform”) mandated that CMS launch such a website and that it implement physician performance metrics on the site no later than January 1, 2013.  In theory, “Physician Compare” will serve as an invaluable tool for researching Medicare providers in any locality, even allowing for specific criteria searches such as languages spoken, group practice locations, education history, hospital associations and whether a provider accepts the Medicare-approved amount as payment in full on all claims (obviously patients are still responsible for any copayments and deductibles which might be due).  Moreover, by including information from the Physician Quality Reporting System (PQRS), “Physician Compare” has been designed to encourage health care professionals to enhance and improve the quality of care they provide to Medicare beneficiaries.

Since its inception, the “Physician Compare” website has raised  a number of concerns for some health care providers.  Clerical mistakes from the Medicare Provider Enrollment, Chain, and Ownership System (PECOS) could be duplicated on the site, resulting in health professionals not showing up in locality searches.  It could also result in misinformation about current staff members and incorrect Medicare participation status being listed on the website.

Currently, the ”Physician Compare” website only states whether a physician “successfully participated” in the PQRS, but soon the site will be expanded to include actual performance results from the program, ensuring a higher level of scrutiny in physician evaluations.

Why is this important to you?  As a health care provider, your reputation is one of the most important aspects of your business. With this in mind, it is more important than ever to maintain a positive image and relationship with both your patients and the government.  While you can never completely eliminate mistakes, you can work to reduce the likelihood that mistakes may occur.  Compliance initiatives designed to ensure correct information reporting with Medicare, quality documentation and accurate coding and billing serve as an important first step to combating future errors.

Conducting Mock Audits: Goals and Techniques

(November 15, 2011) Recently, health care providers have grown more weary of government audits, malpractice issues, peer review and other actions which may create a legal nightmare for a provider. Understandably, most providers have redoubled their efforts to achieve better compliance with the numerous statutory and regulatory requirements with which they must follow. Drafting and implementing an effective compliance plan, conducting a gap analysis and training your staff on compliance issues are essential steps toward the peace of mind compliance can bring. But the question remains — how do you know when you’ve done enough?

In the end, the answer is that you can never do enough to completely eliminate all the risks, but you can minimize those risks and limit your possible exposure through the implementation of, and adherance to, an effective compliance plan. Mock audits can be used as a way of “testing” your compliance initiatives. In a mock audit, an individual or team acts as a government agency or contractor (such as the OIG, a ZPIC, RAC or MAC), and visits the practice or facility unannounced.  The mock auditor would pull a random set of records to conduct a documentation analysis (often including both medical records and business arrangement records). Once the records are pulled, an analysis of the relevant findings is completed. These results would then be discussed with practice management so that the relevant strengths and potential areas of concern can be addressed.

The goal is to test both your staff’s reaction to the exercise, as well as their understanding of what may be expected in a real audit. Moreover, the documentation analysis may be invaluable, revealing weak points in the facility’s documentation activities.  You may also learn that some of your forms (such as your Encounter Form) are defective. Finally, you will likely learn more about the various training needs of your staff.  A mock audit may also ferret out problems that management didn’t know or didn’t realize existed.  You may learn that a business arrangement or relationship is questionable or that your staff has been relying on the wrong LCD or other guidance when documenting and billing for services.  Fundamental problems such as illegibility and missing signatures may also be identified.  In any event, the results of a mock audit can be used by the practice to bolster and support its compliance initiatives.

Sound like a good idea?  Before you embark on a mock audit, you should contact your attorney and discuss any privilege issues which may exist.  As a final point, keep in mind that should you identify an overpayment, it must be returned to the government within 60 days of identification and reconciliation.  Otherwise, the overpayment could constitute a violation of the False Claims Act.

Liles Parker attorneys and staff are experienced handling gap analyses and mock audits.  Should you have any questions about conducting a mock audit or would like to learn more about having Liles Parker attorneys assist your practice, please call us at 1 (800) 475-1906 for a free consultation today.

Health Integrity’s Audit of Texas and Oklahoma Home Health Agencies are on the Rise — Do You an Effective Compliance Plan in Place?

(August 14, 2011):   

I.          Overview:  Over last few years, the government’s reliance on private contractors to both identify overpayments and potential instances of fraud has greatly increased.  Health Integrity is the Zone Program Integrity Contractor (ZPIC) awarded the contract for Zone 4 (Texas, Oklahoma, Colorado and New Mexico) by the  Centers for Medicare and Medicaid Services (CMS).

II.         Home Health Agencies are Currently Being Scrutinized:  As home health agencies in Texas and Oklahoma can readily attest, Health Integrity is carefully examining home health claims billed to Medicare.  Home health agencies may be subjected to the following actions by Health Integrity:

• Unannounced site visits – leading to probe samples, statistically relevant samples and other actions. Failure to cooperate can lead to revocation from the Medicare program.  Notably, there are no statutory restrictions preventing contractors from showing up unannounced and requesting to see documentation related to Medicare claims.  Should Health Integrity show up at your home health agency, you will likely find that Health Integrity’s auditors are both to-the-point and professional in their dealings you and your staff.  Our clients have generally found that Health Integrity’s reviewers have researched an agency’s billing practices before they arrive.  When they show up, they will already have a listing of the claims-related records to be pulled.   ZPICs have been known to show up with their own scanner or copier.  This has led to problems for providers later on because they failed to receive a copy from the contractor before they left.  Should a ZPIC ask you to make copies, the contractor will often identify a handful to take with them and ask that you forward the other within a set period.
• Unannounced interview of home health patients and their families – Health Integrity is actively conducting interview of home health patients and their families in an effort to determine whether a patient was truly “homebound” during the claim period(s) at issue.
• Pre-payment audit – the number of home health agencies and other providers placed on pre-payment  review appears to have significantly increased over the last six months
• Post-payment audit – Health Integrity is actively conducting post-payment audits of Texas and Oklahoma home health agencies and are extrapolating alleged damages identified in these post-payment audits.
• Suspension – exercise caution when using Electronic Medical Records EMR) software – some software programs are better than others.  Avoid any program which minimizes the need for individualization and the documentation of patient-specific observations.  As always, it is important that home health agencies properly document the medical necessity of skilled care.  In some instances, ZPICs have expressed concern that the patient records generated appeared to be “cloned.”
• Medicare number revocation – take care if your home health agency is subjected to a site visit.  As a participating provider, you have an obligation to cooperate with the ZPIC’s review. Should you fail to cooperate, a ZPIC can recommend to CMS that your Medicare number be revoked. This is a very real threat and should not be discounted.  This becomes even more complicated if the ZPIC’s representatives go beyond mere claims-related questions and appear to be seeking information which could subject you (in your individual capacity), to possible civil and / or criminal liability.   Remember your obligations as a participating provider but call your attorney.  
• Referral for criminal investigation and prosecution  – ZPICs are actively referring cases to HHS-OIG and DOJ for formal civil and criminal review.

III.        Primary Reasons of an Audit:  We currently represent a number of home health agencies around the country in connection with post-payment audits and the appeal of overpayment assessments levied by Health Integrity and other ZPICs.  Our clients often ask why their home health agency was targeted by the ZPIC for audit.  After handling many of these cases, the following reasons for targeting have been cited by the ZPIC or ultimately learned when handling the case:

• Predictive Modeling / Data Mining –  As Chapter 2, Sec. 2.3 of the MPIM details: “Claims date is the primary source of information to target abuse activities.”  Data mining may have been used to examine a home health agency’s “error rate.”  This would provide the provider’s history of repeated overpayments   or improperly filed claims.  
• Complaints –  These can include “complaints” filed by beneficiaries, physicians, other providers (such as competitors), disgruntled current and former employees.
• Referrals –  ZPIC audits may be generated based on referrals from other CMS contractors (other ZPICs, PSCs, RACs, MACs, QA Staff), State MFCUs, Offices of the U.S. Attorney, or other Federal agencies.  Notably, it appears that private payors are now also referring cases to the government.
• Reports –  HHS-OIG and GAO regularly issue reports addressing areas of concern.
• State Licensing Boards –State Medical Boards, Nursing Boards, Pharmacy Boards and other regulatory entities responsible for handling State licensing responsibilities regularly hear or learn of improper actions by providers.  This information may be shared with one or more Federal agencies and ultimately be referred to the ZPIC handling a certain zone.

IV.        Reducing Your Risk of Audit:  While many home health agencies believe that their Compliance Plan is satisfactory, it has been our observation that many of the plans currently in place are little more than copies taken from a sample off of the internet.  Unfortunately, many providers view Compliance Plans as mere paperwork, rather than as a useful “tool” to be used by the organization on an ongoing basis. When properly constructed, an effective Compliance Plan can both improve the quality of patient care rendered and assist a provider in its efforts to fully comply with applicable statutory and regulatory requirements.  Therefore, it is imperative that you take steps to ensure that your Compliance Plan takes into account each of the unique risks faced by your home health agency.

To be clear, although there are a number of steps you can take to reduce the likelihood of a ZPIC audit, there is no way to entirely eliminate the risk.  Nevertheless, the development, implementation and consistent application of an effective Compliance Plan can greatly reduce an organization’s potential liability.  In many respects, an effective Compliance Plan is similar to a flu shot.  Although a flu shot cannot prevent you from getting sick, it will hopefully reduce the severity of your illness should you catch the flu.  Similarly, if you have implemented and diligently adhered to an effective Compliance Plan, you could still be audited by a ZPIC, a Recovery Audit Contractor (RAC) or by a law enforcement agency, such as the Department of Health and Human Services, Office of Inspector General (HHS-OIG).  However, as a compliant home health agency, an auditor is much more likely to find that your billing practices comply with applicable coverage requirements.

Robert W. Liles is an attorney with Liles Parker, Attorneys & Counselors at Law.  Mr. Liles has extensive experience representing home health agencies and other providers in connection with the appeal of post-payment audits conducted by ZPICs, Program Safeguard Contractors (PSCs) and RACs.  Mr. Liles has conducted “gap analyses” of many provider organizations and has worked with these providers to implement effective Compliance Plans.  Should you find that your organization is being audited, feel free to call give him a call for a complimentary consultation.  He can be reached at: (202) 298-8750.  

The Number of ZPIC Audits Being Conducted are Increasing — Have You Taken Steps to Help Ensure that Your Claims Meet Medicare’s Coverage and Payment Requirements? Ten Steps You Can Take to Improve Your Organization’s Compliance with Medicare’s Rules and Regulations.

(July 24, 2011): Has your Texas Physician Practice, Home Health Agency, Hospice, DME Company or PT / OT / ST Clinic been audited by a Zone Program Integrity Program (ZPIC)?  If not, it may only be a matter of time.  Despite your best efforts to follow Medicare’s directives, your organization may still be identified as an “outlier” by a ZPIC and subjected to a probe review or a full-blown audit.  Should you receive a request for records from a ZPIC, being prepared — in advance of receiving a ZPIC request– can help ensure your organization’s compliance with applicable documentation, coding and billing requirements.  The following recommendations can assist with those efforts:  

Recommendation #1:   If you have not already done so, conduct a “gap” analysis and implement an effective Compliance Plan.  Despite the fact that significant strides in compliance have been made by large Medicare providers (such as hospitals and nursing homes),  it has been our observation that most physician practices and small-to-mid sized provider organizations still do not have a tailored Compliance Plan in place.   To be clear, we recognize that many providers may have copied a draft plan right off of the internet, or may have purchased a sample plan from a vendor.  While they may fully have intended to follow through with personalization of the draft document, in most of the cases we have seen, more pressing events have taken precedence and providers have not had the time or expertise to complete the project.

Providers who have not put together a Compliance Plan should immediately do so. As you have likely heard, Section 6401 of the Affordable Care Act (ACA)(generally referred to as the “Health Care Reform Act”) states, “. . . a provider of medical or other items or services or supplier within a particular industry, sector or category shall, as a condition of enrollment in the program under this Title. . .establish a compliance program.”   To be clear, at this time, the Department of Health and Human Services, Office of Inspector General (HHS-OIG) has not announced deadlines effectuating this requirement.  Nevertheless, it is merely a matter of time until all providers who choose to participate in the Medicare program will be required to have an effective Compliance Plan in place.  

Rather than wait until the last minute, Medicare providers who have not already done so should immediately take steps to implement an effective plan.  As a first step, providers should review each of the regulatory and statutory provisions related to the specific services being billed to Medicare.  Next, providers should compare their actual documentation, coding and billing practices with Medicare’s rules.  Any gaps between the applicable requirements and a provider’s actual practices must immediately be remedied. Additionally, should these gaps represent an overpayment, the Medicare provider must repay the overpayment to the government within 60 days of identification.    

Prior to conducting a gap analysis, we recommend that providers contact their legal counsel for assistance with both the internal review and with the implementation of an effective Compliance Plan.   While no Compliance Plan can prevent an audit, the implementation of an effective plan will greatly improve a provider’s likely adherence to Medicare’s rules and regulations should a ZPIC audit be initiated.  

Recommendation #2:   Don’t ignore a ZPIC’s request for documents[1]. At the outset, it is important to keep in mind that ZPICs play an important role.  In addition to  auditing records for possible overpayments, ZPICs are also responsible for identifying fraudulent providers (and potenitally fraudulent providers) and making referrals to the Centers for Medicare and Medicaid Services (CMS), the Department of Health and Human Services, Office of Inspector General (HHS-OIG) and the U.S. Department of Justice (DOJ) for further action.  Possible actions taken include, but are not limited to: 

• CMS — Administrative action such as suspension or revocation from the Medicare program.
• HHS-OIG – Administrative action such as Civil Monetary Penalty action.  HHS-OIG may also investigate and refer a provider to DOJ for possible civil litigation under the False Claims Act.  Finally, HHS-OIG may investigate and refer a provider to DOJ for criminal prosecution under the Federal Anti-Kickback Act or a host of other statutes.
• DOJ – May investigate and prosecute a provider for civil and / or criminal violations of law. 

Should you receive a request for documents from your ZPIC, in many cases it will broken into two sections.  The first section will likely be focused on business related records such as the following: 

“Business contracts or agreements with other providers, suppliers, physicians,  businesses or individuals in place during a specific period.  Additionally, any verbal agreements must be summarized in writing.

A listing of all current and former employes (employed during a specific period), along with their hire date, termination date, reason for leaving, title, qualifications, last known address, phone number.

• A list of all practice locations, along with their address and phone number.
• Leases.
• Employment agreements.
• Medical Director contracts.” 

The unstated purpose of this portion of the ZPIC’s request is likely to identify potential instances of violations of the Federal Anti-Kickback Statute, Stark and / or the False Claims Act.  Should the ZPIC identify a possible violation, it will readily refer the case to CMS, HHS-OIG and / or DOJ, depending on the nature of the potential violation.

In contrast to the first section of the ZPIC’s request, the second section of the request usually lists the patient records and dates of service to be audited by the ZPIC.  While every case is different, the number of claims requested typically ranges from 8 – 100, depending on whether the ZPIC’s request is a “probe review” or a full-blown audit.  On occasion, we have seen the number of claims sought can range from 150 – 300. 

Never ignore a ZPIC request for records.[2] Importantly, should you fail to respond to the ZPIC’s request, the contractor can recommend to the CMS that your organization be suspended[3] or from participation in the Medicare program.  Depending on the ZPIC’s concerns, the contractor can also recommend that CME pursue a revocation action against your organization.  Should you need more time to the ZPIC’s request for supporting documentation, don’t hesitate to request it. 

Recommendation #3:  Remember learning how to “drive defensively” in high school?  Your documentation practices should be approached in a similar fashion.   ZPIC auditors are excellent at identifying one or more ways in which your claims do not meet applicable coverage requirements.  While you may very well disagree with their assessments (especially in “medical necessity” determinations), in all likelihood, when you file a request for redetermination appeal (and later, a request for reconsideration appeal), you will find that your Medicare Administrative Contractor (MAC) and your Qualified Independent Contractor (QIC) agree with the ZPIC’s denial decision.  Rather than endure significant costs and stress when defending against an overpayment assessment, you need to take steps to avoid a denial in the first place. To that end, health care providers should ensure that clinical staff members are fully trained and educated regarding Medicare’s documentation, coding and billing process. 

We recognize that “perfect documentation” is neither required nor realistic to expect from your clinical staff.  Nevertheless, using published reports of other cases, you can show your clinicians that ZPICs  enforce a strict application of Medicare’s documentation and coverage requirements.  Through education and training, your clinical staff will understand why it is imperative that they review, understand and comply with: 

• Any applicable Local Coverage Determinations (LCDs).
• Any Local Medical Review Policies (LMRPs).
• The Medicare Policy Benefit Manual (MPBM).
• The Medicare Program Integrity Manual (MPIM).
• Any statutory provisions which cover the services.
• Any additional guidance issued by Medicare which would apply to these claims.    

It is important that you regularly review the government’s latest concerns and any enforcement actions which have been taken.  Additionally, you should read HHS-OIG’s reports so that you may learn from the mistakes being made by similarly situated providers.  Upon doing so, we recommend that you check the list of “risk areas” in your Compliance Plan and ensure that they reflect both general “risks” and “specific risks” which may be unique to your organization.  Is your organization still in full compliance?  If not, remedial action is likely necessary.  

Recommendation #4:  Retain experienced legal counsel to assist with your efforts. When experiencing symptoms of a cardiac problem, most patients wouldn’t turn over their care to a dermatologist.  Instead, they would seek to be evaluated and treated by a Cardiologist.  Similarly, if you have a health law problem, would it be wise to rely on advice from an attorney specializing in family law?  Ultimately, that’s your call.  While no attorney can guarantee you success — we believe that an experienced health lawyer is well situated to give you advice regarding a Medicare audit or investigation.   Having said that, it is important to recognize that the field of health law is extraordinarily broad.  Should you be audited by a ZPIC or a Recovery Audit Contractor (RAC), don’t hesitate to ask a health lawyer whether they have handled these types of cases before.  If so, how many times have they represented a provider in a ZPIC overpayment case?  When selecting a lawyer, keep in mind that the legal fees charged by an attorney can vary greatly, depending on a variety of factors.  Don’t be shy – ask how much the representation is likely to cost.  While it is often difficult to estimate legal costs due to the various factors faced when handling a ZPIC audit case, most attorneys can give you a range of expected legal fees.  Finally, be sure and ask for references.  Other providers who have been through an administrative appeal case can provide you with invaluable insights into the process.  As a final point, on numerous occasions, our firm has been retained to work with a provider’s existing legal counsel.  We are more than happy to do so and can effectively work with your counsel in a fashion which avoids duplication of efforts yet allows our experience and expertise to be applied to your case. 

Recommendation #5:  The administrative appeals process has become quite complicated in recent years.  ZPIC audits can result in alleged overpayments running into the millions of dollars. Moreover, the ZPIC’s overpayment assessment (and the associated “demand” letter sent by a MAC) isn’t usually the end of the story.  While providers often lose at the redetermination and reconsideration levels of appeal, the third level of appeal – before an Administrative Law Judge (ALJ) – is usually your single best opportunity to prevail in an administrative appeals action.  Over the years, our attorneys have argued cases in front of judges out of each of the field offices of the Office of Medicare Hearings and Appeals (OMHA).   While we may not always agree with their decisions, the ALJs in whose courts we have practiced have been professional, fair and more than willing to hear a provider’s arguments in support of payment. 

Should you choose to forego legal counsel and represent yourself in an ALJ hearing, keep in mind that even though these hearings are intended to be “non-adversarial,”  it can feel quite “adversarial“ during the actual hearing.  Furthermore, these proceedings can be quite complicated.  In most large dollar cases, representatives of the ZPIC are participating in the hearing and arguing their position before the ALJ.  ZPIC representatives can include one or more statisticians (if an extrapolation was conducted), a clinician (usually a Registered Nurse who is experienced in conducting medical reviews) and a lawyer.  In a recent Home Health Agency case we handled, this was precisely what occurred.  Frankly, few providers are experienced in presenting their case and in responding to the arguments raised by statisticians, clinicians and lawyers representing a ZPIC.  As a result, it is strongly recommended that the provider consider engaging an experienced and knowledgable attorney. 

Recommendation #6:  When reviewing your claims, you should abide by the following:  First, “If it doesn’t belong to you, give it back.”  Conversely, “If you don’t owe the money, don’t throw in the towel.”  One of the attorneys in our firm is regularly asked to speak at provider conventions around the country.  For years, he has told providers “If it doesn’t belong to you, give it back.”  This simple concept covers a lot of ground when it comes to alleged Medicare overpayments.  Similarly, if the facts and the evidence shows that the claims should have been paid,  think twice before waiving your right to appeal the denial of these claims.  From a practical standpoint, we have heard of  situations where a provider chooses to “just pay the bill” so that the case will quickly be resolved.  Several providers have commented that when dealing with small dollar assessments, it is just easier to pay the alleged overpayment rather than incur the hassle and expense of contesting the contractor’s denial decision.  Although we understand the reasoning behind such a decision, you should keep in mind that every claim which is denied by a ZPIC (and which remains denied) increases a provider’s “error rate.”  If you were a ZPIC, PSC, RAC or MAC contractor, would you choose to audit a provider with a low error rate or a high error rate?  In any event, the bottom line is fairly straight forward.  Should you find that you are not entitled to payment for one or more claims, you must  repay the money to the government as soon as possible (but no later than 60 days after an overpayment has been identified),  regardless of whether the claim is part of an ongoing or recently completed Medicare audit.  If, however, you are audited and you believe that a ZPIC has incorrectly denied one or your claims, you have the right to appeal the denial of these wrongfully denied claims.

Recommendation #7:  Carefully read a ZPIC’s denial decision letter. When you receive a denial decision letter relied upon by a ZPIC, carefully review the notice and determine whether the contractor has specifically addressed the reasons for denial associated with each of the claims at issue.  Every ZPIC is different.  Over the last few months, one of the ZPICs involved in the cases we are handling has been citing only a general reason for denial (such as “not medically necessary”).  Should the ZPIC in your case not provide sufficient information, you will find it difficult, if not impossible, to address any specific reasons your claims have been denied.   Your legal counsel may be able to get the ZPIC to provide additional specificity in connection with their denial reasons.  Alternatively, legal counsel may be able to argue that the ZPIC’s failure to provide specific reasons for denying your claims is a clear violation of your due process rights. 

Recommendation #8:  Don’t forget – shortly after the “demand letter” is sent, any payments you may be expecting may be recouped by your Medicare Administrative Contractor (MAC).   A demand letter from your MAC usually follows a few days  after you receive a ZPIC’s denial decision letter.  While you have 120 days to file a request for redetermination appeal (as outlined in he MAC’s demand letter)[4], should you fail to file the request for redetermination appeal within 30 days of the date of the MAC’s demand letter (not 30 days after receiving the demand letter!), your Medicare payments will be recouped starting on day 41.  Alternatively, a provider may set up an extended repayment program with the MAC so that the alleged overpayment can be repaid through monthly installments.  We strongly recommend that you set this up.  You will then be able to take advantage of the 120 period permited to file a redetermination appeal rather than try and file a poorly prepared set of arguments within the previously discussed 30 day period.  Similar issues (with completely different deadlines) are present at the reconsideration level of appeal — the next level in the administrative appeals process. Once again, these issues can be quite complicated.  We recommend that you discuss available appeals options with your legal counsel. 

Recommendation #9: Foster a corporate culture which encourages compliance.  ZPICs have increased their audit activities dramatically in numerous areas of the country.  South Texas has been especially hard-hit.  Providers in Houston, McAllen, Harlingen, Edinburgh, Laredo, Corpus Christi and Brownsville appear to have experienced a recent surge in audit activity.  Be aware that ZPICs are looking for aberrations in billing patterns and often target providers based on these variations in coding or billing practices.  Compliance with regulations and consistency in your “message” to employees is essential. Establishing good intake and records management procedures, continuing employee education and training efforts, can facilitate the adoption of an ethical, compliant corporate culture.

           And, last but not least,

Recommendation #10:  When drafting a Compliance Plan, providers should include a “Code of Conduct” that is easily understood by all employees.  We believe that a “Code of Conduct” should accurately reflect the belief system an organization has pursued and sincerely intends to follow.   In doing so, an organization can engender a compliant corporate culture.  Over the years, we have seen organizational “Codes of Conduct” which range from a succinctly described phrase to discusions which take up more than a page.

Our favorite “Code of Conduct” (which also happens to be the “Code of Conduct” adopted by our law firm) is used by Cadets at the United States MilitaryAcademy at West Point. Modified for use by health care providers, the “Code of Conduct” reads: 

“Our clinicians and staff will not lie, cheat, steal, or tolerate those who do.”

 

This simple, yet elegant “Code of Conduct” succinctly lays out a provider’s ethical responsibilities, both with respect to Medicare and in their other business dealings.  We recommend that you consider adopting and adhering to this or a similar “Code of Conduct.”

Our attorneys have extensive experience representing Physicians, Clinics, Home Health Agencies, Hospices, DME Companies, Skilled Nursing Facilities, Chiropractors, Pain Medicine Clinics, Rehabilitative Medicine Clinics and other Medicare providers in connection with audits by ZPICs, PSCs, MACs and other contractors.  We also have years of experience assisting providers with “gap” analyses and in implementing an effective Compliance Plan.  Should you have questions about these or other health law issues, please feel free to call us for a complementary consultation.  We can be reached at:  1 (800) 475-1906.  

Next Page »