Late last week, the Centers for Medicare and Medicaid Services (CMS) announced that prepayment reviews by Recovery Audit Contractors (RACs) would begin (again) on or after June 1, 2012.  As we previously discussed, CMS had originally delayed the program amid significant provider concerns about its operation.

II.   Background:

RACs have long served an important role in detecting and recovering both Part A and Part B overpayments since the program began in 2005. Utilizing both automatic review edits and complex medical reviews to identify a multitude of claims errors, RACs have greatly assisted the government in its efforts to protect the integrity of the Medicare Trust Fund.  As you know, RACs are paid on a contingency basis, based on the amount of improper payments (either overpayments or underpayments) each RAC identifies and actual recovers. Despite harsh criticism from the provider community, RACs have been successful in their audit and recovery tasks, prompting the Federal government to expand their authority to review claims.

III.   RAC Prepayment Review Demonstration:

Initially announced on November 15, 2011, CMS’ RAC Prepayment Review Demonstration Project was slated to start in 11 states on January 1, 2012, including Florida, California, Mississippi, Texas, New York, Louisiana, Illinois, Pennsylvania, Ohio, North Carolina and Missouri. Through the project, CMS was hoping to ensure that Medicare claims reimbursed by the government were medically necessary and met coding and billing criteria before such claims were paid. Due, at least in part, to significant concerns from providers and hospitals about the substantial administrative burden such review would cause, CMS announced last month that it was indefinitely delaying the RAC Prepayment Review Demonstration Project. As we noted when CMS first announced this delay, while providers may have considered this postponement a victory, CMS still has numerous other contractors actively performing prepayment review audits each day around the country. At the end of the day, the issue really isn’t whether CMS is going to instruct its contractors to conduct prepayment reviews, it really comes down to whether providers are properly meeting applicable medical necessarily, coverage, documentation, coding and billing requirements.

IV.   Impact of Being Placed on Prepayment Review:

As you may know, there is no prepayment review administrative appeals process. As a result, providers placed on prepayment review have little recourse to reverse the decision, and often remain on review for four to six months (although we have seen reviews lasting up to a year) or until the provider is able to show their Medicare Administrative Contractor (MAC) that the services billed meet medical necessity, coverage and documentation requirements. Importantly, this determination is entirely based on the respective MAC’s subjective view of the propriety of a provider’s claims.

It is important to note that prepayment review audits can prove disastrous for providers and hospitals who mainly treat Medicare beneficiaries. Prepayment review effective delays payment for several months, even assuming that the MAC finds the provider’s claims are payable. Often times, providers must also take many of these claims through the administrative appeals process, adding another one to two years before payment is made (again assuming that an Administrative Law Judge finds the claims payable).

V.   Avoiding Prepayment Review:

With RAC prepayment reviews on their way, providers may consider investing in the time and energy now to make sure their claims meet applicable payment requirements. While there is no “silver bullet” to completely eliminate the risk of prepayment audit, a number of preemptive steps exist to reduce the likelihood of such an occurrence. You should consider conducting a “gap analysis” of your practice, and in so doing, you will learn whether your billed services, and associated documentation, meet medical necessity and coverage requirements. You may also review your utilization rates of certain procedures and compare these rates to those of your local, regional and national peers. In all, you need to identify the regulatory benchmarks applicable to your practice, identify where you fail to meet these benchmarks, consider the manner and method to rectify these deficiencies, and add proper procedures and additional risk areas to your Compliance Plan. Such efforts now can leave you in an excellent position to respond to any billing questions by RACs or other Medicare contractors. While RAC prepayment reviews are just another type of audit in a long list of concerns for providers, don’t underestimate the ability of these RACs to identity errors and deny payment.

VI.   Reading the Tea Leaves:

CMS’ rekindled RAC prepayment review program is slated to begin again on June 1, 2012.  With the reimplementation of this project, CMS moves yet another step away from its “pay-and-chase” model.  Among its many advantages, the prepayment review approach greatly reduces the likelihood that the claims being paid by the government are improper. We believe that the scope of RAC and ZPIC prepayment reviews will continue to grow in the near future and will represent a key component of the government’s fraud prevention efforts in years to come.

Liles Parker attorneys have extensive experience conducting “gap analyses” and conducting compliance reviews for health care providers of all types. In addition, our attorneys are skilled in assisting providers who have been placed on prepayment review or subjected to post-payment audit. For more information, please call us today for a complimentary consultation.  We can be reached at: 1 (800) 475-1906.

(February 6, 2012):

Later on, there is a dispute on whether or not the corporation owes for certain services or supplies.  You get a demand letter from an attorney.  You are unconcerned about the letter, however, because if the corporation is sued, you will have an attorney file an answer on behalf of the corporation.

You are then served with a lawsuit – not to the corporation – but to you, individually.  The lawsuit alleges that “you” agreed to pay any debts or past due amounts.

You ask “How can this be?”

Beware of the small print – it can be bad for your wallet.   Read the small print at the bottom of an account application or agreement with a service company, such as a print shop, or supply store, such as office supplies or production materials.  Many times the small print contains a provision that states something like: “The party signing this agreement acknowledges he/she will be individually liable on this account and that he/she has the full authority to act as agent for the party in whose name this order is placed.”

By signing the agreement, you have not only agreed that you had the authority to enter into the agreement on behalf of the corporation, but also that you would be individually liable for any debts or past due amounts.

So, if you are an officer, president, or manager of a corporation, always read the fine print before you sign a contract. Better yet, call your attorney and have him/her review the contract.  Many times the other party will agree to strike that provision, or the corporation can agree to indemnify you individually. As always, an ounce of prevention is worth a pound of cure.

Leonard Schneider and other Liles Parker attorneys have extensive experience in business litigation, contract review and drafting. Call 1 (800) 475-1906 today for a free consultation.

The acceptance of a fiduciary duty can occur, for example, by being a General Partner in a Limited Liability Partnership, a Finance Advisor to an individual, or by managing the funds, property or affairs of another.

When you handle the money or manage the assets of another person or entity, you assume a higher duty to that person or entity than is normal – this duty is called a “fiduciary duty”.  The basic definition of “fiduciary duty” is to put the interests of others you are representing or assisting above your own interests.  For example, you cannot steal or double-dip from the funds you are managing, grossly mismanage another’s assets or fail to keep adequate records.

However, many times the person or entity that takes on the management of another’s money, business or assets does not understand this fiduciary duty, becomes complacent or just doesn’t care about his duties.  Thus, as Henry Silverman, former CEO of Cendant Corporation, famously said when uncovering accounting improprieties of a business recently acquired by Cendant: “There is a fiduciary duty here. It’s really inconceivable to us.”

What he was saying is that it was inconceivable that proper care was not used to manage the funds or affairs of others, even in spite of the fiduciary duty owed.  The failure to exercise proper care in handling the money and affairs of others can not only place you or your business in great danger of incurring civil liability, but also opens a serious threat of possible criminal charges against you.

So, if you are about to manage, oversee, or care for the money or assets of another,  be sure to call your attorney, explain what you want to do, determine if there is a fiduciary duty and what type of risk management control you need to have to make sure you do not violate that fiduciary duty.   As always, an ounce of prevention is worth a pound of cure.

Leonard Schneider and other Liles Parker attorneys have extensive experience in business litigation, contract review and drafting. Call 1 (800) 475-1906 today for a free consultation.

1.   Background:

I.   Background

Over the last few years, a number of health care providers and other “covered entities” (both large and small) have been audited and penalized by the government for improper breaches of protected health information. Enforcement actions taken have varied, ranging from mere warnings to criminal prosecution.

II.   HITECH Raises the Bar for Providers

The “Health Information Technology for Economic and Clinical Health Act” (HITECH) contains a number of significant privacy provisions impacting health care providers.  Two of these provisions include:  (1) The initiation of privacy audits by contractors working for the  Department of Health and Human Services (HHS), Office of Civil Rights (OCR); and (2) The sharing of Civil Monetary Penalties assessed in response to an improper breach with the affected patients.

• Privacy Audits

As OCR has announced, the agency has initiated an audit program intended to help ensure that health care providers are complying with the various medical records privacy provisions laid out in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  To do so, OCR has contracted with several nationally-recognized audit firms for the purpose of auditing health care provider compliance with HIPAA’s privacy provisions.

When will audits begin? According to OCR, the initial audits of provider compliance with HIPAA / HITECH requirements began in November 2011. Once these initial audits are completed, OCR intends to focus the remaining audits on the issues and concerns identified in the contractors’ first preliminary audits. At this time, all audits are anticipated to be completed by December 2012.

If prior “pilot” programs are any indication of how these audits will be handled, we anticipate that OCR will ultimately adopt an ongoing audit HIPAA / HITECH process, tasked with assessing the compliance of health care providers, covered entities and business associates. It is essential that you critically review your current practices – after you have been audited, it will likely be too late to avoid the imposition of penalties.

How will HIPAA / HITECH audits be conducted? According to OCR, organizations selected for audit will be notified by the agency of their selection. At that time, they will be asked to provide “documentation of their privacy and security compliance efforts.” During this pilot period, each of the covered entities audited will receive a site visit. During the site visit, contractor representatives will be required to interview key personnel. The contractors will also review the covered entity’s practices and determine whether their operations fully comply with HIPAA’s / HITECH’s privacy requirements. After completing the site visit, a draft report will be prepared which outlines how the audit was handled, the conclusions that were reached by the contractor and the remedial actions that were taken by the covered entity. The draft report will be shared with the covered entity prior to finalization and the covered entity will have a chance to respond to the contractor’s findings.

• Sharing of Civil Monetary Penalties

In addition to the HIPAA audit protocol discussed above, HITECH includes a seemingly-innocuous section which commands the Secretary HHS to establish a methodology to distribute a percentage of Civil Monetary Penalties to individuals harmed by an improper breach of protected health information or another HIPAA violation. For instance, if a patient’s medical records or other protected health information is inappropriately accessed or divulged to unauthorized persons and the OCR ultimately investigates the violation and assesses Civil Monetary Penalties against a provider or other covered entity in connection with the breach, the harmed patient may be eligible to receive a portion of the penalties collected by the government.

On its surface, such a clause seems reasonable – after all, why not compensate those who have been hurt by a wrongful disclosure or breach? However, this law (and its soon-to-be-created implementing regulations) will likely have extensive repercussions in reporting and enforcement of HIPAA violations. Giving patients a financial incentive to report wrongful disclosures and breaches of their protected health information will likely lead to increased reporting of incidents since harmed patients may now be eligible to share in any penalties collected.  Similar laws which allow private individuals to receive a portion of penalties and other funds recovered, such as the False Claims Act (FCA), have been extremely successful in detecting and deterring fraudulent activity. While HITECH does not create a “private right of action” for HIPAA violations and is substantially different from the FCA, it is important to note that their basic principles are the same. By giving private citizens, with perhaps greater and more immediate knowledge of an issue than the government, a real reason to report a problem, these problems can be more quickly and effectively remedied.

In 1986, when the FCA was overhauled with new provisions that gave private citizens more power and a greater likelihood of collecting money, the FCA’s usage skyrocketed. In what could be a very similar situation, affected individuals with the chance to receive a portion of fines and penalties will be far more likely to aggressively report and pursue these violations. For covered entities (comprising virtually all providers, billers and business associates), this means that implementing effective HIPAA privacy policies should be at the top of your compliance “to-do” list.

III.   How Health Care Providers Should Respond

Among their first steps, health care providers and other covered entities should:

• Ensure that patient protected health information is fully secured and protected.
• Take steps to prevent improper access by authorized parties.
• Ensure that anyone who accessing protected health information is properly logged so that patients can readily obtain an accounting or listing of anyone who has reviewed all or part of their records. This log should also document the purpose for assessing the record.
• Take steps to prevent the access of protected health information by authorized personnel for unauthorized reasons.
• Take steps to better ensure that no protected health information is inappropriately disclosed to third parties.

While the points outlined are essential, they are far from all-inclusive.  It is imperative that you identify qualified counsel to assist you in meeting your HIPAA / HITECH obligations.

Further, when handling protected health information, health care providers must remain mindful of the “minimum necessary” rule.  Health care providers, other covered entities and business associates who handling protected health information must only disclose the minimum information necessary for a requesting entity to properly do its job.

Ultimately, all health care providers, covered entities and business associates should take reasonable steps to help ensure that applicable HIPAA / HITECH provisions are fully met.

I.   Background

Liles Parker
2233 Wisconsin Ave. NW
Suite 210
Washington, D.C. 20007

Our phone number, fax number and email addresses remain the same. We look forward to assisting you with health law matters, including ZPIC and RAC overpayment appeals, compliance programs and gap analyses, and health care business transactions in 2012. For more information or a free consultation, please do not hesitate to contact us toll-free at 1 (800) 475-1906.

Background:

Last month, we discussed a new demonstration project by the Centers for Medicare and Medicaid Services (CMS) to test Recovery Audit Contractors’ (RACs’) ability to conduct prepayment review of Medicare Part A and B claims. RACs have successfully identified a wide variety of Medicare overpayments and have become one of CMS’ most important post-payment audit tools. In light of their continued success, last November, CMS announced that RACs would also now conduct  prepayment audits. An initial RAC Prepayment Demonstration Project was intended to cover many of the same types of prepayment review as those currently conducted by Zone Program Integrity Contractors (ZPICs) around the country.  The RAC Prepayment Demonstration Project was initially slated to be conducted in Florida, California, Mississippi, Texas, New York, Louisiana, Illinois, Pennsylvania, Ohio, North Carolina and Missouri.

Recent Developments:

After CMS announced the RAC Prepayment Demonstration Project, it reportedly received an outpouring of concerns regarding the scope of these prepayment audits.  In consideration of these concerns, yesterday CMS announced that it was indefinitely delaying implementation of the Project, and would give 30 days notice before the RAC Prepayment Demonstration Project was reactivated.

Commentary:

Importantly, CMS’ decision to delay the RAC Prepayment Demonstration Project does not mean that they will not ultimately pursue RAC prepayment reviews in the future. Moreover, it is essential that health care providers keep in mind that other CMS contractors are already placing a wide variety of Part A and Part B providers on prepayment review.  As before, providers should regularly review their activities to ensure that all regulatory and statutory requirements are being met.  Broken down into areas of concern, providers should examine:

(1) Were the services administered medically necessary?

(2) Do the services meet Medicare’s coverage requirements?

(3) Have the services been properly and fully documented?

(4) Were the services correctly coded?

(5) Were the services correctly billed to Medicare?

If you are unable to answer “Yes” to each of the above questions, you have a serious problem.   It is important to keep in mind that there is no administrative appeals process or other effective legal remedy to get off prepayment review.  In fact, there is no “silver bullet,” despite what you have heard or been told.  The only way to be taken off of prepayment review is to show the responsible Medicare contractor that your claims fully meet each of Medicare’s myriad statutory and regulatory requirements for coverage and payment.  To that end, there are a number of preemptive steps a provider can take to reduce the chances of being selected for prepayment review in the first place.

To start, we recommend that you (or your qualified legal counsel) conduct a “gap analysis” of your claims.  In doing so, you will readily identify any possible deficiencies in your medical necessity assessments, coverage, documentation, coding and / or billing activities.  Moreover, you should consider assessing your utilization rate against the local and national average. For instance, for basic Evaluation and Management (E/M) services, are you or your providers billing higher level codes more often than your peers?  Medicare contractors use this data to identify possible outliers who may be engaging in improper coding and / or billing.  Data mining can also be used by contractors to identify potential problem providers who may need to be audited and / or placed on prepayment review.  Keep in mind, should you identify any overpayments when you conduct a gap analysis, you must report the overpayment and return it to the government within 60 days.  Any deficiencies noted in your review can be promptly addressed and added to the risk areas covered in your Compliance Plan.  After taking these steps, you will likely be well situated to respond to any prepayment audits initiated by a Medicare contractor, regardless of whether the contractor is a RAC or another Medicare contractor.

I.          Introduction:

The Office of Civil Rights (OCR), an agency of the Department of Health and Human Services (HHS), is the central organization responsible for enforcing compliance with the Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).  As OCR’s website reflects, the agency:

“. . [I]nvestigates complaints, enforces rights, and promulgates regulations, develops policy and provides technical assistance and public education to ensure understanding of and compliance with non-discrimination and health information privacy laws.”

II.         Development of HIPAA Audits and Protocols:

After witnessing the effectiveness of Medicare contractors in identifying and recovering improper payments, Congress chose to include a similar compliance measure for HIPAA privacy as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009. Under HITECH, HHS and OCR were mandated to create an auditing program designed to help ensure that covered entities and their business associates were meeting HIPAA Security and Privacy Rule requirements.

In response, OCR contracted with a large nationally-recognized government contractor last year to develop and assess several HIPAA auditing methodologies for possible implementation. While that assessment was reportedly completed in August 2010, neither the contractor’s report nor the specific method chosen to conduct the upcoming audits has been publicly disclosed.

III.        Timeframe of Initial HIPAA Audits:

In July and August 2011, OCR and the contractor worked to develop their initial audit protocols and the standards they would assess provider compliance against. A national accounting firm was selected to conduct these HIPAA audits in September, 2011. Initially, they are expected to only examine a few providers in order to test the audit protocols and standards which have been developed. Once the accounting contractor documents its initial observations, OCR will work with the contractors to modify the protocols, as necessary.  This is expected to occur during the first quarter of 2012. Starting in May 2012, the remaining initial HIPAA audits are anticipated to be conducted.

Importantly, neither OCR nor its contractors have indicated that there are any limits in terms of the size and / or types of providers to be audited.  Physicians, practice groups, home health agencies and other small to mid-sized providers should not expect audits to solely be conducted on hospitals and other large institutional providers. At this time, all providers are eligible to be subject to audit. Furthermore, you can expect that once the HIPAA audit demonstration project is completed, Congress will more than likely make it permanent and expand the scope of the audit program.

IV.        Recommendations for Effective HIPAA Compliance:

If you have not already done so, now is the time to ensure that your practice remains fully compliant with HIPAA and HITECH requirements. Auditors will primarily be looking for compliance with the HIPAA Privacy and Security Rules.  You should also expect them to examine the security of your electronic transmissions and physical security safeguards.  Additional areas of inquiry are likely to include whether business associate relationships are being properly handled and whether or not providers are fully documenting each person who accesses a medical record so that patients may be given an accurate accounting of such information.

All providers, regardless of size, should have an effective HIPAA privacy policy as part of their overall Compliance Program.  As with other compliance measures, it should be specifically tailored to address the needs of your organization, along with any unique risks faced by your practice.  A “sample” policy downloaded from the Internet, unfortunately, will not suffice. When developing a HIPAA privacy policy, be sure to keep in mind the four “scalability” factors set out in the Code of Federal Regulations in analyzing a provider’s compliance with the Security Rule:

• The size, complexity, and capabilities of the covered entity;
• The covered entity’s technical infrastructure, hardware, and software security capabilities;
• The cost of security measures; and
• The probability and criticality of potential risks to electronic protected health information. 45 CFR 164.306(b)(2).

While small providers may desire to only implement the “basic” requirements, they must be careful to ensure that each of the Privacy Rule’s provisions are fully met.  All providers, regardless of size, must utilize reasonable safeguards to protect paper, electronic and oral transmissions of protected health information.

Liles Parker attorneys have extensive experience in compliance matters, including HIPAA privacy requirements. Our team can assist your practice with gap analyses, mock audits and other reviews designed to help you better comply with applicable statutory and regulatory requirements. For a free consultation, call us today at 1 (800) 475-1906.

I.          Introduction: 

As you know, RACs play an important role in the identification of Part A and Part B overpayments. Since the inception of the RAC Demonstration Project in 2005, RACs have successfully identified a number of improper claims, denying payment for reasons ranging from mere technical errors to broad concerns about medical necessity.  Unlike other contractors engaged in post-payment audits (such as Zone Program Integrity Contractors and Program Safeguard Contractors), RACs are not compensated on a fixed contract or cost-plus basis.  Instead, their compensation is based on the amount of overpayments they identify (which remain overpayments after any administrative appeals have been pursued). This arrangement has roundly been criticized by providers. Regardless of whether or not you agree with the RAC concept, the program is here to stay.  After reviewing the results of the RAC Demonstration Project, the government expanded the program and made it permanent.

II.         Expansion of the RAC’s Responsibilities:

On November 15^th, 2011, CMS announced that it was initiating a new demonstration project designed to help ensure that Medicare claims billed to the government are medically necessary and otherwise proper before they are paid. RACs will now be performing prepayment audits of provider claims. These reviews will likely be conducted in much the same manner as those currently initiated by other Medicare contractors. With the addition of RAC prepayment reviews, CMS hopes to further reduce the number of improper claims paid by the government each year.

III.        States to be Covered in the RAC Prepayment Demonstration Project:

The “RAC Prepayment Review Demonstration Project” is initially slated to target physicians, hospitals and other Medicare providers in Florida, California, Mississippi, Texas, New York, Louisiana, Illinois, Pennsylvania, Ohio, North Carolina and Missouri.  Implementation of the new pilot project is set to begin in January 2012.

IV.        Impact of Being Placed on Prepayment Review:

Importantly, there is no administrative appeals process covering prepayment audits. As a result, it is not uncommon for providers placed on prepayment review to remain in this status for four to six months or until the provider is able to show the contractor that the services billed are both medically necessary and fully meet Medicare’s coverage and documentation requirements.  Unfortunately, being placed on prepayment review can prove disastrous for providers with a large Medicare patient load.  It can effectively delay payment for several months, even if the contractor ultimately finds that the claims qualify for coverage and payment.

V.         Avoiding Prepayment Review:

Unfortunately, there is no “silver bullet” you can use to completely eliminate the risk of being placed on prepayment review. Nevertheless, there are a number of preemptive steps you can take to reduce the likelihood of such an occurrence.  To start, you should conduct a “gap analysis” of your claims.  In doing so, you will be able to learn whether or not the services you are billing meet Medicare’s medical necessity, coverage and documentation requirements.  Additionally, you will likely learn whether your utilization of services is less than, comparable to, or exceeds that of your peers.  Any deficiencies noted can be promptly addressed and added to the risk areas covered in your Compliance Plan.  At this point, you will likely be well situated to respond to any prepayment audits initiated by a RAC or another Medicare contractor.

Liles Parker attorneys and staff have extensive experience conducting gap analyses and providing compliance guidance to health care providers.  Additionally, our attorneys are skilled in assisting providers who have been placed on prepayment review. For more information, please call us today for a free consultation at 1-800 (475) 1906.