logo - Liles Parker PLLC
(202) 298-8750 (800) 475-1906
Washington, DC | Houston, TX
Baton Rouge, LA

We Defend Healthcare Providers Nationwide in Audits & Investigations.

Guide to Selecting an Independent Review Organization (IRO) for Your Corporate Integrity Agreement (CIA)

Download PDF


The Coronavirus Aid, Relief and Economic Security (CARES) Act: Provisions Relevant to Healthcare Providers

Download PDF

By Michael Cook, Jennifer Papapanagiotou & Andy Lynch –  Partners at Liles Parker, PLLC.

(March 31, 2020):  On March 27, 2020, the Coronavirus Aid, Relief and Economic Security (CARES) Act[1] passed the House of Representatives by a voice vote. The President then signed the bill into law. The bill is the third round of federal government support in the wake of the coronavirus public health crisis and associated economic fallout, succeeding the $8.3 billion in public health support passed two weeks ago and the Families First Coronavirus Response Act.  Liles Parker has published a series of articles highlighting the waivers and other actions taken by the Centers for Medicare & Medicaid Services and other Federal and State agencies to ease the burden on healthcare providers during the COVID-19 public health emergency.[2]  This article is the first in a two-part series that will highlight some of the more significant provisions of the Cares Act.

I.   Support for Healthcare Providers

  • Section 3211, Supplemental Awards for Health Centers: The CARES Act provides for supplemental awards for FY 2020 for federally qualified health centers, including an additional $1,320,000,000 for the prevention, diagnosis, and treatment of COVID-19 or the detection of SARS-CoV-2.
  • Sections 3212 – 3213, Reauthorizations of HRSA Rural Development and Telehealth Network Grant Programs: The Act reauthorizes HRSA’s Rural Health Care Services Outreach, Rural Health Network Development and Small Health Care Provider Quality Improvement grant programs, as well as the Telehealth Network and Telehealth Resource Center grant programs.
  • Section 3214, Modernization of the Public Health Service: The legislation creates a Ready Reserve Corps to ensure that there are enough doctors and nurses ready to respond to public health emergencies like COVID-19.
  • Section 3215, Limitation of Liability for Volunteer Health Professionals During COVID-19 Emergency Response: This section holds harmless from liability under federal or state law, health care professionals who volunteer their service during the public health emergency for the COVID-19 pandemic declared by the Secretary of HHS.  There are a number of conditions that must be satisfied for this limitation of liability to be effective.

Among these, the limitation of liability covers only professionals who are truly volunteers and who do not receive compensation in the course of providing health care services in the diagnosis or treatment of COVID-19.  The professional must be acting within the scope of her/his license, registration, or certification under the State of licensure/certification, and may not exceed the scope of the license/certification of similar professionals in the State in which the action or omission occurs.  The limitation of liability does not cover willful or criminal misconduct, gross negligence and other similar types of flagrant misconduct.

The provision applies only to conduct that occurs on or after the date of enactment of the CARES Act and is only in effect during the period of the public health emergency declared by the Secretary during the pandemic.

  • Section 3216, Flexibility for Members of the National Health Service Corps During the Emergency Period: During the period of the emergency declaration, this provision allows the Secretary to temporarily re-assign members of the National Health Services Corps to provide service outside of the areas to which they have been assigned to respond to the COVID-19 pandemic. The assignment would need the member’s voluntary agreement and would need to be “within a reasonable distance” of the original assignment, and the member would need to maintain the number of hours originally required of her/him.    

II.   Provisions Affecting Coverage and Payment Under the Medicare & Medicaid Programs

  • Section 3701, Health Savings Accounts for Telehealth Services: This section allows a high-deductible health plan (HDHP) with a health savings account (HSA) to cover telehealth services prior to a patient reaching the deductible, increasing access for patients who may have the COVID-19 virus and protecting other patients from potential exposure.
  • Section 3702, Over-the-Counter Medical Products without Prescription: This section allows patients to use funds in HSAs and Flexible Spending Accounts for the purchase of over-the-counter drugs and menstrual care products without a prescription from a physician. This section appears to reverse the ACA and makes permanent the over-the-counter drug changes during the 2020 plan year and after.
  • Section 3703, Expanding Medicare Telehealth Flexibilities: This section eliminates the requirement included in the Coronavirus Preparedness and Response Supplemental Appropriations Act of 2020 (Public Law 116-123) that limits the Medicare telehealth expansion authority during the COVID-19 emergency period to situations where the physician or other professional has treated the patient in the past three years. This enables beneficiaries to access telehealth, including in their home, from a broader range of providers, reducing COVID-19 exposure for the duration of the public health emergency.
  • Section 3704, Allowing Federally Qualified Health Centers and Rural Health Clinics to Furnish Telehealth in Medicare: This section allows, during the COVID-19 emergency period, Federally Qualified Health Centers and Rural Health Clinics to serve as a distant site for telehealth consultations. A distant site is where the practitioner is located during the time of the telehealth service. This section will allow FQHCs and RHCs to furnish telehealth services to beneficiaries in their home. Medicare will reimburse for these telehealth services based on payment rates similar to the national average payment rates for comparable telehealth services under the Medicare Physician Fee Schedule. It will also exclude the costs associated with these services from both the FQHC prospective payment system and the RHC all-inclusive rate calculation.
  • Section 3705, Expanding Medicare Telehealth for Home Dialysis Patients: This section eliminates a requirement during the COVID-19 emergency period that a nephrologist conduct some of the required periodic evaluations of a patient on home dialysis face-to-face, allowing these vulnerable beneficiaries to get more care in the safety of their home.
  • Section 3706, Allowing for the Use of Telehealth during the Hospice Care Recertification Process in Medicare: Under current law, hospice physicians and nurse practitioners cannot conduct recertification encounters using telehealth. This section allows, during the COVID-19 emergency period, qualified providers to use telehealth technologies in order to fulfill the hospice face-to-face recertification requirement.
  • Section 3707, Encouraging the Use of Telecommunications Systems for Home Health Services in Medicare: This section requires the Department of Health and Human Services (HHS) to issue clarifying guidance encouraging the use of telecommunications systems, including remote patient monitoring, to furnish home health services consistent with the beneficiary care plan during the COVID-19 emergency period.
  • Section 3708, Improving Care Planning for Medicare Home Health Services: This provision enables nurse practitioners, clinical nurse specialists, and physician assistants to order home health services, and certify and recertify patients for home health care. These changes also apply to Medicaid and become effective when HHS publishes implementing regulations, which must be within six months of the enactment of the CARES Act.  Unlike many of the provision of the Act, this provision is permanent and survives the end of the emergency.
  • Section 3709, Adjustment of Sequestration:  The CARES Act suspends the mandatory 2% global reductions under the sequestration order for the period May 1 through the remainder of calendar year 2020.
  • Section 3710, Medicare Hospital IPPS Add-On Payment for COVID-19 Patients During Emergency Period: The Act increases DRG weights by 20% for patients diagnosed with COVID-19 during the emergency period.
  • Section 3711, Increasing Access to Post-Acute Care During the Emergency Period: The Act waives certain requirements for inpatient rehabilitation facilities (IRFs) and long-term acute care hospitals (LTCHs).  For IRFs, the provision waives the requirement that a patient receive at least 15 hours of therapy per week.  For LTCHs, the provision waives the requirement of a payment adjustment where an LTCH does not have a discharge percentage of 50% of patients who would meet the eligibility requirements during the emergency period.  The provision also waives the site-neutral payment rate for discharges occurring during the emergency period that are in response to the public health emergency.
  • Section 3712, Revising Payment Rates for DME Under Medicare During the Emergency Period: This Section prohibits scheduled payment reductions in Medicare DME during 2020 and the emergency period.
  • Section 3715, Providing Home and Community-Based Services in Acute Care Hospitals:  A number of waivers under sections 1915 and 1115 of the Social Security Act provide for home and community-based services for individuals who otherwise would require care in a hospital, nursing facility, or ICF/MR.  This provision allows states to cover these services to individuals under certain of these waivers while they are in an acute care hospital if they meet certain conditions, including that they are identified in the individual’s care plan, not provided through the hospital, not a substitute for services that the hospital is otherwise required to provide, and are designed to ensure a smooth transition to the community and preserve the individual’s functional abilities.
  • Section 3719, Expansion of Medicare Hospital Accelerated Payment Program During COVID-19 Public Health Emergency: During the period of the emergency, this provision expands the accelerated hospital payment program by allowing acute care hospitals, cancer hospitals, children’s hospitals, and critical access hospitals (CAHs) to apply for up to 6-months’ advance payment of up to 100%, and for CAH’s 125%, of anticipated payments.  The provision also provides for 120 days before claims are offset to recoup these payments and not less than 12 months after the date of the first accelerated payment before the outstanding balance must be paid in full.

Administrative Implementation to Encompass All Providers:  On March 28, 2020, CMS published a press release and a Fact Sheet that expanded the availability of the accelerated advance payment program to all Medicare participating health care providers and suppliers.  These advance payments will be based on historical payments.  The Press Release states that “… [t]he payments can be requested by hospitals, doctors, durable medical equipment suppliers and other Medicare Part A and Part B providers and suppliers.”  The applicants must: have billed Medicare for claims within 180 days of the request; not be in bankruptcy; not be under active medical review or program integrity investigations; and not have delinquent Medicare overpayments.  Applications are made to the MACs, and CMS anticipates that payments will be issued within seven days of a request.  Providers described in the legislation, above, can request payments for an amount for up to a six-month period, while other types of providers can request up to a three-month period.  The Fact Sheet provides further instructions on the process.[3]

  • Section 3720, Delaying Requirements for Enhanced FMAP to Enable State Legislation Necessary for Compliance: The The Families First Coronavirus Relief Act increases State Federal assistance matching percentages (FMAP) percentages by 6.2% during the calendar quarters that encompass the emergency period if the State meets certain conditions, one of which was that it did not increase premiums in excess of what they were on January 1, or impose new premiums, during this period.  This provision gives any state that has raised or imposed such premiums since January 1, a thirty-day delay in the enforcement of that requirement – presumably to provide the State an opportunity to come into compliance without losing the increased matching rate.

III.   Health and Human Services Extenders

  • Section 3811, Extension of Money Follows the Person Rebalancing Demonstration: The CARES Act extends and provides funds for the demonstration through November 30, 2020.
  • Section 3812, Extension of Spousal Impoverishment Protections: This section of the Act extends certain protections from spousal impoverishment through November 30, 2020 to help a spouse of an individual who qualifies for nursing home care to live at home in the community.
  • Section 3813, Delay of DSH Reductions: The CARES Act delays Medicaid DSH reductions that were to begin on May 23, 2020, to begin, instead, on December 1, 2010.

IV.   Economic Stabilization and Assistance to Severely Distressed Sectors of the United States Economy

Title IV of the Act provides $500 billion in funding for loans and financial assistance to mid-size and large businesses, states and municipalities and non-profits.  $46 billion of these funds are specially allocated to the airline industry and industries critical to national security.  Assistance to airlines and national security industries will be via direct U.S. Department of Treasury loans and investments.

The remaining $454 billion is available to assist other businesses, states and municipalities and non-profits. The financial assistance will be made available via a Federal Reserve Act Section 13(3) program to provide financing through banks and other lenders.  This assistance targets businesses employing between 500 and 10,000 employees.  The assistance is contemplated primarily as low interest loans (interest rate not exceeding 2% per annum) with payments of principal and interest deferred for the first six months or longer.

The Act provides conditions on eligibility and terms and conditions of loans, including:  (i) economic conditions make the loan necessary to support ongoing operations, (ii) funds will be utilized to retain or restore at least 90% of workforce, (iii) prohibitions on dividends and stock buybacks while the loan is outstanding, and (iv) restrictions on offshoring jobs and a requirement that a majority of employees are based in the U.S. Other requirements, terms and conditions for loans and assistance will be determined and set forth in the Department of Treasury and Federal Reserve guidelines.  Title IV assistance does not provide for future loan forgiveness.

Application procedures and guidelines for the Title IV program are to be published shortly by the Department of Treasury and the Federal Reserve.

V.   HHS – Public Health and Social Services Emergency Fund

The CARES Act establishes a $100 billion “Public Health and Social Services Emergency Fund” to reimburse eligible providers for health care related expenses or lost revenues that are attributable to the coronavirus.  The Act further defines eligible health care providers to be public entities, Medicare or Medicaid enrolled suppliers and providers, and other entities that the Secretary includes that provide diagnosis, testing, or care for individuals with possible or actual cases of COVID-19.  These funds are available for building or construction of temporary structures, leasing of properties, medical supplies and equipment including personal protective equipment and testing supplies, increased workforce and trainings, emergency operation centers, retrofitting facilities, and surge capacity.  To be eligible, providers are required to apply to HHS.

VI.   Conclusion:

Liles Parker attorneys and staff are closely monitoring HHS, CMS and CDC guidance and will update as new information becomes available. Please contact us with questions or for assistance with your response to this unprecedented National Emergency.







Michael Cook, Jennifer Papapanagiotou and Andy Lynch are Partners at Liles Parker, PLLC.  They each have decades of experience representing health care providers and suppliers and other businesses around the country in connection with a wide range of matters.  Questions regarding the impact of recent coronavirus guidance on your organization?  Call Liles Parker for a free consultation.  We can be reached at:  1 (800) 475-1906.

[1] See this link for a full copy of the CARES Act.

[2] For a collection of all articles written by Liles Parker attorneys related to the COVID-19 public health emergency, please visit our webpage at this link.

[3] The CMS Press Release on the Accelerated and Advanced Payment process can be accessed here and the Fact Sheet can be accessed here.

Medicare, Medicaid and CHIP Enrollment Revocation and Denial Authorities Have Expanded.  What Steps are You Taking to Reduce Your Level of Risk?

Download PDF
Medicare Enrollment

Big Changes to CMS Form 855 are on the Horizon

(September 18, 2019):  On September 10, 2019, the Department of Health and Human Services (HHS) and Centers for Medicare and Medicaid Services (CMS) published a Final Rule in the Federal Register entitled, “Medicare, Medicaid, and Children’s Health Insurance Programs; Program Integrity Enhancements to the Provider Enrollment Process.” Issuance of the Final Rule is necessary in order to implement sections 1866(j)(5) and 1902(kk)(3) of the Social Security Act (as amended by the Affordable Care Act), which require that providers and suppliers fully disclose information related to affiliations, uncollected debts and certain adverse actions that may impact the program integrity of the affected government health plan.  As discussed below, the impact of the Final Rule on the Medicare enrollment disclosure requirements of providers and suppliers has been significantly enhanced.  Moreover, the authority of CMS to revoke or deny the enrollment of a participating provider or supplier has been greatly expanded.  Under the Final Rule, the reporting obligations of Medicare, Medicaid, and CHIP providers and suppliers will dramatically increase when they file a new enrollment application, revalidate their enrollment, need to file a change of information, or need to notify the agency of a change in ownership .[1]  This article is intended to take a “first look” at the impact of the Final Rule on the obligations  faced by providers and suppliers. Additionally this article reviews CMS’ new revocation and denial authority, and it explores a number of the challenges that you or other providers may face, as a result.

I.  Background – Medicare Enrollment and Revalidation Program Integrity Measures:

Approximately, 54 million individuals are enrolled in the Medicare program.[2]  In order to qualify to provide care and treatment services to these beneficiaries, a health care provider or supplier must meet a number of administrative, regulatory, and statutory requirements that are meant to protect both the patient and the financial integrity of the Medicare program.  The Medicare enrollment process effectively serves as one of the agency’s primary ways to protect patients and the Medicare Trust Fund from the actions of providers and suppliers whose participation would represent a significant risk of fraud or abuse.

When enrolling in the Medicare program, an applicant provider or supplier must complete and submit an appropriate enrollment application (i.e., a Form CMS-855) to their assigned Medicare contractor.  The enrollment application can be submitted by paper or electronically through the agency’s Provider Enrollment, Chain, and Ownership System (PECOS).  Several of the previous rules promulgated by CMS to strengthen the overall effectiveness and program integrity of the enrollment process have included:

  • April 21, 2006: CMS published a Final Rule entitled “Medicare Program; Requirements for Providers and Suppliers to Establish and Maintain Medicare Enrollment.”[3] This Final Rule laid out a number of requirements that must be met by providers and suppliers in order to maintain their Medicare billing privileges.
  • February 2, 2011: CMS published a Final Rule entitled “Medicare, Medicaid, and Children’s Health Insurance Programs; Additional Screening Requirements, Application Fees, Temporary Enrollment Moratoria, Payment Suspensions and Compliance Plans for Providers and Suppliers.”[4]  This Final Rule established a number of new provider enrollment screening requirements.
  • March 1, 2016: CMS published a Proposed Rule entitled “Medicare, Medicaid, and Children’s Health Insurance Programs; Program Integrity Enhancements to the Provider Enrollment Process.” This Proposed Rule set out the enrollment revocation and denial changes CMS planned to implement in an effort to address long-standing program integrity risks that have previously been exploited in the past.[5]

A little more than three years after the issuance of the March 2016 Proposed Rule, CMS has now issued its much-anticipated Final Rule entitled, “Medicare, Medicaid, and Children’s Health Insurance Programs; Program Integrity Enhancements to the Provider Enrollment Process.” [6]  With the implementation of this Final Rule,  CMS will now have expanded authority to deny the enrollment and / or revalidation of a provider or supplier if it determines that an “affiliation” presents an undue risk of fraud risk or abuse.  The Final Rule will also make it much easier to revoke the enrollment of existing providers and suppliers whose continued participation in the Medicare, Medicaid, or CHIP programs is determined to represent a program integrity risk.

II.  Why Has CMS Tightened Up the Medicare Enrollment and Revalidation Process?

Despite past efforts to strengthen the Medicare provider enrollment process, existing Medicare, Medicaid, and CHIP systems haven’t been fully effective in identifying direct owners, managing employees, and close affiliates of provider and supplier applicants with a history of certain adverse  events.  As representatives of the Office of Inspector General (OIG) have testified before Congress, health care providers and suppliers engaging in wrongful billing practices have often been found to have relied on networks of affiliations with other fraudulent providers and suppliers. For example, in south Florida, law enforcement has previously found that some Medicare providers and suppliers have taken steps to hide their ownership through the use of straw owners.  The real owners (who are likely prohibited from participating or likely to be denied participation in Federal health care programs) are then free to engage in improper billing practices.[7]

The issuance of the new Final Rule requires that as part of the enrollment and revalidation process, providers and suppliers must disclose any business affiliations that may pose an undue risk of fraud, waste and / or abuse to the Medicare, Medicaid and CHIP programs. CMS will be phasing the new affiliation reporting requirements in over a period of years. First, the agency will update and issue new provider enrollment Form CMS-855 applications, and then it will require reporting of certain affiliations “upon request.”[8] At least initially, only those providers or suppliers who are asked to report affiliations on the new enrollment forms will be required to do so. CMS states in the new Final Rule that it will publish further rulemaking to expand this reporting requirement after assessing the progress of its initial phased-in approach.

Notably, CMS estimates that the new disclosure requirements and revocation authorities implemented by the Final Rule will result in approximately 2,600 new revocations each year and will save the affected government health programs an estimated $4.16 billion over the next 10 years.

III.  Reporting Affiliations:

Under the Final Rule, the “affiliations” that a provider or supplier may have to disclose upon request by CMS include the following:

The term “affiliation” is defined under 42 CFR §424.519 as meaning any of the following:

  • A 5 percent or greater direct or indirect ownership interest that an individual or entity has in another organization.
  • A general or limited partnership interest (regardless of the percentage) that an individual or entity has in another organization.
  • A 5 percent or greater direct or indirect ownership interest that an individual or entity has in another organization.
  • An interest in which an individual or entity exercises operational or managerial control over, or directly or indirectly conducts, the day-to-day operations of another organization (including, for purposes of § 424.519 only, sole proprietorships), either under contract or through some other arrangement, regardless of whether or not the managing individual or entity is a W–2 employee of the organization.
  • An interest in which an individual is acting as an officer or director of a corporation.
  • Any reassignment relationship under 42 CFR § 424.80.”

The new affiliation provisions are intended to identify individuals and entities that have an ownership interest or exercise managerial control in multiple Medicare program providers or suppliers. Both OIG and CMS have repeatedly identified situations where providers and suppliers whose Medicare billing privileges have been revoked for fraud and / or other improper conduct have managed to surreptitiously re-enter the program using a nominee owner to disguise their true ownership or through other deceptive means.  As the agency has noted, the broad definition of affiliation that has been adopted, is needed so that providers and suppliers fully disclose any prior or current relationships that could pose risks of fraud, waste or abuse to the Medicare program.  CMS has estimated that if the new affiliation provisions had been in place over the previous five years, it could have prevented $51.9 billion from being paid to 2,097 entities with affiliations with a previously-revoked individual or entity.

IV.  Disclosable Events Under 42 CFR § 424.519:

When initially enrolling or revalidating with the Medicare program, the new regulations will require that a provider or supplier disclose whether it or any of its owning or managing employees or organizations (consistent with the terms ‘‘owner’’ and ‘‘managing employee’’ as defined in 42 CFR § 424.502) has or, within the previous 5 years, has had an affiliation with a currently or formerly enrolled Medicare, Medicaid, or CHIP provider or supplier that has had any “disclosable events.”[9] Importantly, the term, “disclosable event“ is defined in the new regulation as an affiliation with a currently or formerly enrolled Medicare, Medicaid or CHIP provider or supplier that:

“(1) Currently has an uncollected debt to Medicare, Medicaid, or CHIP, regardless of – (i) The amount of the debt; (ii) Whether the debt is currently being repaid (for example, as part of a repayment plan); or (iii) Whether the debt is currently being appealed;

(2) Has been or is subject to a payment suspension under a federal health care program (as that latter term is defined in section 1128B(f) of the Act), regardless of when the payment suspension occurred or was imposed;

(3) Has been or is excluded by the OIG from participation in Medicare, Medicaid, or CHIP, regardless of whether the exclusion is currently being appealed or when the exclusion occurred or was imposed; or

(4) Has had its Medicare, Medicaid, or CHIP enrollment denied, revoked, or terminated, regardless of— (i) The reason for the denial, revocation, or termination; (ii) Whether the denial, revocation, or termination is currently being appealed; or (iii) When the denial, revocation, or termination occurred or was imposed.”

Responding to comments submitted in connection with the Proposed Rule, CMS clarified who must be reported as an owner or managing employee of a provider or supplier, and likewise, who the organization must collect information from to identify all “affiliations” and “disclosable events.” CMS commented that the following situations would (1) require disclosure of a person or organization as an owner or managing employee, and (2) require disclosure of those persons or organizations “affiliations” if there has been a disclosable event:

      • Does a “Physician Director” or “Director of Nursing” have to be reported as part of the enrollment process? Yes, if the Physician Director or the Director of Nursing fall within the definition of “managing employee”[10] under 42 CFR § 424.502, he or she would have to be reported [on the Form CMS-855 application as a managing employee]. Moreover, if the Physician Director or the Director of Nursing was previously a managing employee of another provider or supplier with a “disclosable event,” the Physician Director or Director of Nursing would have to be reported.
      • Do the members of the Board of Trustees of a tax-exempt entity have to be reported as part of the enrollment process? Yes, as set out in CMS Publication 100-08, Program Integrity Manual (PIM), Chapter 15, Section 15.5.5 (Owning and Managing Organizations) members of a Board of Trustees are considered to be Corporate Directors and must be reported on CMS Form 855.  As an aside, CMS takes the position that non-profit entities and offices would fall under the affiliation definition to the same extent as for-profit entities and officials.
      • Does an entity with a 5% or greater mortgage or security interest have to be reportedConsistent with the PIM, Chapter 15, Section 15.5.5:  “All entities with at least a 5 percent mortgage, deed of trust or other security interest in the provider must be reported in section 5. This frequently will include banks, other financial institutions, and investment firms.”
      • Does a billing agency or a collection agency have to be reported? Yes, if the billing agency or collection agency meets the definition of a managing employee (as it applied to organizations), then they would have to be reported on the CMS Form 855.
      • Does a public company that owns 5% of more of an enrolling or reenrolling company have to be reported?   CMS takes the position that public companies fall within the purview of 42 CFR §424.519.
      • Does an affiliated managing individual have to be reported in CMS Form 855 even if he or she has no responsibilities concerning payment for services? The definition of managing employee under 42 CFR §?424.502 includes all persons who directly or indirectly conduct a provider’s or supplier’s day-to-day operations. There is no requirement that these individuals must have responsibilities related to payment for services.

In short, the above individuals must be disclosed in the owner and managing employee sections of the Form CMS-855 applications (or their counterpart in PECOS), and if those owners or managing employees have affiliations that have disclosable events, then those must be reported as well. As we stated earlier, in response to the many comments and concerns submitted by providers and suppliers, for now, CMS is not requiring that providers and suppliers disclose affiliations with disclosable events under 42 CFR §?424.519 unless CMS specifically requests that they do so.[11]  Moreover, CMS does not intend to request these disclosures until it has updated CMS Form-855.  However, as CMS further noted:

“Although we will initially be implementing a more targeted approach to the disclosure requirement, we recognize that section 1866(j)(5) of the Act requires every provider and supplier (regardless of the relative risk they may pose) to disclose affiliations upon initial enrollment and revalidation. While section 1866(j)(5) of the Act does give the Secretary some discretion in applying this provision in terms of form, manner, and timing, it does not permanently exempt any provider or supplier from its applicability . . . Consequently, CMS must eventually secure affiliation data from all initially enrolling and revalidating providers.” (emphasis added).

Therefore, at this time, providers and suppliers are not required to report disclosable affiliations until CMS has an opportunity to update its Form CMS-855 applications so that this data can be collected.  Furthermore, CMS will be issuing additional sub-regulatory guidance regarding the affiliation disclosure process.  This sub-regulatory guidance is expected to set out the agency’s expectations with respect to the level of effort that is required of a provider or supplier to research and secure an owner or managing employees relevant affiliation information.

V.  When Will a Disclosed Affiliation be Found to “Pose an Undue Risk of Fraud, Waste or Abuse”?

The Final Rule makes it clear that just because an affiliation must be disclosed, does not necessarily mean that CMS will determine that an affiliation will “pose an undue risk of fraud, waste, or abuse.”[12] Before making a determination, CMS intends to carefully examine the specifics of each situation prior to deciding whether to exercise its discretion to deny an application for enrollment OR to revoke the participation of a currently enrolled provider.  When deciding whether a disclosed affiliation represents an undue risk, CMS will consider:

(1) The duration of the affiliation.
(2) Whether the affiliation still exists and, if not, how long ago it ended.
(3) The degree and extent of the affiliation.
(4) If applicable, the reason for the termination of the affiliation.
(5) Regarding the affiliated provider’s or supplier’s disclosable event, CMS will consider:

(i) The type of disclosable event.
(ii) When the disclosable event occurred or was imposed.
(iii) Whether the affiliation existed when the disclosable event occurred or was imposed.
(iv) If the disclosable event is an uncollected debt:

(A) The amount of the debt.
(B) Whether the affiliated provider or supplier is repaying the debt.
(C) To whom the debt is owed.

(v) If a denial, revocation, termination, exclusion, or payment suspension is involved, the reason for the disclosable event.

(6) Any other evidence that CMS deems relevant to its determination.

Depending on the particulars of each case, CMS may find that a disclosed affiliation does, in fact, pose an undue risk of fraud, waste, or abuse. Should this occur, CMS will deny a provider’s or supplier’s initial enrollment application under 42 CFR § 424.530(a)(13) OR revoke a currently participating provider’s or supplier’s Medicare enrollment under 42 CFR § 424.535(a)(19).

VI.  What Can Happen if a Provider or Supplier Fails to Report a Disclosable Affiliation?

When asked to do so by CMS, it will be essential that a provider or supplier ensure that any and all disclosable affiliations and other general business information is fully and completely reported.  If a provider or supplier fails to report a disclosable affiliation and “knew or should have known”[13] of the omitted information, CMS may choose to deny an applicant’s initial enrollment application (under 42 CFR § 424.530(a)(1) and, if applicable, 42 CFR § 424.530(a)(4)). Alternatively, if a currently participating provider or supplier fails to report a disclosable affiliation, CMS may choose to revoke the entity’s Medicare enrollment (under 42 CFR § 424.535(a)(1) and, if applicable, 42 CFR § 424.535(a)(4)).

VII.  What is an “Uncollected Debt”?

As set out under 42 CFR §?424.519(a)(1), if an applicant, or an applicant’s owner or managing employee is affiliated with another provider or supplier that has an “uncollected debt,” that is a disclosable event under 42 CFR §?424.502.  As previously discussed, an uncollected debt is only intended to include:

“(i) Medicare, Medicaid, or CHIP overpayments for which CMS or the state has sent notice of the debt to the affiliated provider or supplier.
(ii) Civil money penalties imposed under this title.
(iii) Assessments imposed under this title.”

(emphasis added).

Importantly, the phrase notice of the debt to the affiliated provider or supplier” does not include audit requests or routine denial letters where refunds are made through remittance advices or claims corrections.  In its response to comments from stakeholders, CMS expressly notes that “notice of the debt” would include something like a demand letter or other formal request for payment.

CMS has not established a minimum amount that would require the reporting of an uncollected debt.  Regardless of whether an alleged uncollected debt is $500 or $5 million, it would qualify as a reportable disclosable event under the Final Rule.  As CMS noted, “there could be isolated cases where a particular debt, though of a de minimis amount, presents an undue risk when all of the applicable factors are considered.”   CMS further states that even though a provider or supplier may currently be in the process of repaying a debt, the debt would still be a reportable disclosable event.

VIII.  Impact of Filing an Appeal in an Uncollected Debt or Enrollment-Related Action:

Throughout the Final Rule, multiple commenters urged CMS to view alleged debts and enrollment-related actions that are being appealed by a provider or supplier differently than those where no appeal has been filed.  After considering the points raised, CMS consistently declined to adopt such a position and has decided that even if an alleged debt is currently under appeal, the debt would still qualify as a disclosable event.  As CMS wrote:

“consistent with our obligation to protect the Medicare program and the Trust Funds, as well as with our authority under section 1866(j)(5) of the Act, we believe we should have the ability to determine whether the debt and the associated affiliation pose an undue risk regardless of whether the debt is being appealed.” (emphasis added).

Similarly, CMS held that under 42 CFR § 424.519, enrollment denial, revocation, and termination actions will still qualify as disclosable events even if they are under appeal.

IX.  Modification to the Enrollment Denial Reasons Under 42 CFR § 424.530:

As set out under 42 CFR § 424.530(a), CMS is authorized to deny a provider’s or supplier’s enrollment in the Medicare program for a number of reasons. Prior to the issuance of the Final Rule, the authorized reasons for denying enrollment in Medicare fell within the following broad categories:

(1) Noncompliance

(2) Provider or supplier conduct.

(3) Felonies

(4) False or misleading information.

(5) On-site review.

(6) Medicare debt.

(7) Payment suspension.

(8) Initial reserve operating funds.

(9) Application fee / hardship exception.

(10) Temporary moratorium.

(11) Prescribing authority.

Under the Final Rule, enrollment denials based on “Payment Suspension” (42 CFR § 424.530(a)(7)) have been expanded and may now be based on the following:

“(i) The provider or supplier, or any owning or managing employee or organization of the provider or supplier, is currently under a Medicare or Medicaid payment suspension as defined in §§ 405.370 through 405.372 or in § 455.23 of this chapter.

(ii) CMS may apply the provision in this paragraph (a)(7) to the provider or supplier under any of the provider’s, supplier’s, or owning or managing employee’s or organization’s current or former names, numerical identifiers, or business identities or to any of its existing enrollments.

(iii) In determining whether a denial is appropriate, CMS considers the following factors:

(A) The specific behavior in question.
(B) Whether the provider or supplier is the subject of other similar investigations.
(C) Any other information that CMS deems relevant to its determination.”

Prior to this expansion, the Payment Suspension basis for denying a provider’s or supplier’s Medicare enrollment was limited to situations where the current owner, physician, or non-physician practitioner had been placed on Medicare suspension.  CMS believed this did not allow them to deny enrollment to any provider or supplier type based on a payment suspension by the Medicare program, and did not encompass scenarios where a provider or supplier’s payments had been suspended by a state Medicaid payment but the Medicare program. Under the revised Final Rule, now all provider and supplier types can be denied enrollment if that provider or supplier is subject to a Medicare OR Medicaid payment suspension, or if the provider’s or supplier’s owners or managing employees or organizations are subject to such a suspension. Importantly, CMS will look at a provider’s or supplier’s owners and managing employee’s or organization’s current and former names, business identities and related numerical identifiers to identify any payment suspensions.

Additionally, the Final Rule has added several additional bases that may be relied on by CMS when deciding to deny a provider’s or supplier’s Medicare enrollment.  These new reasons for denial include:

(12) Revoked under different name, numerical identifier or business identity and the applicable re-enrollment bar has not expired.[14]
(13) Affiliation that poses undue risk.
(14) Other program termination or suspension.

Each of the fourteen reasons that may be relied on by CMS when denying a provider’s or supplier’s Medicare enrollment have specific requirements which must be met.  If you or your practice are denied Medicare enrollment, you should work with your legal counsel to determine whether the denial reason cited by CMS is accurate and consistent with the facts in your case.

X.  Introduction of a New “Reapplication Bar” Rule Under 42 CFR § 424.530(f):

As revised, the Medicare enrollment denial regulations now include a new “Reapplication Bar” rule.  As 42 CFR § 424.530(f) sets out, if a provider or supplier submitted false or misleading information on (or with) their Medicare enrollment application, CMS can choose to prohibit the prospective provider or supplier from enrolling in the Medicare program for up to three years.  Importantly, the scope of the reapplication bar rule set out under 42 CFR § 424.530(f)(1) and (f)(2) is quite broad:

“(1) The reapplication bar applies to the prospective provider or supplier under any of its current, former, or future names, numerical identifiers or business identities.

(2) CMS determines the bar’s length by considering the following factors:

(i) The materiality of the information in question.
(ii) Whether there is evidence to suggest that the provider or supplier purposely furnished false or misleading information or deliberately withheld information.
(iii) Whether the provider or supplier has any history of final adverse actions or Medicare or Medicaid payment suspensions.
(iv) Any other information that CMS deems relevant to its determination.

XI.  Modifications to the Medicare Enrollment Revocation Regulations Under 42 CFR § 424.535:

Prior to the issuance of the Final Rule, under 42 CFR § 424.535(a), CMS has long exercised the authority to revoke a currently-enrolled provider’s or supplier’s Medicare billing privileges (along with any related provider or supplier agreement).  Reasons for revocation have included:

  1. Noncompliance
  2. Provider or supplier conduct.
  3. Felonies
  4. False or misleading information.
  5. On-site review;
  6. Grounds related to provider or supplier screening requirements.
  7. Misuse of billing number.
  8. Abuse of billing privileges.
  9. Failure to report.
  10. Failure to document or provide CMS access to documentation.
  11. Initial reserve operating funds.
  12. Medicaid termination.
  13. Prescribing authority.
  14. Improper prescribing practices.

Under the Final Rule, the reasons for revocation under 42 CFR § 424.535(a)(9) and (a)(12) have been revised.  The revocation reason set out under 42 CFR § 424.535(a)(9) Failure to report, has been changed.  The basis for revocation has now been expanded to cover the following:

(9) Failure to report. The provider or supplier did not comply with the reporting requirements specified in § 424.516(d) or (e), § 410.33(g)(2) of this chapter, or § 424.57(c)(2). In determining whether a revocation under this paragraph (a)(9) is appropriate, CMS considers the following factors:

         (i) Whether the data in question was reported.
         (ii) If the data was reported, how belatedly.
         (iii) The materiality of the data in question.
        (iv) Any other information that CMS deems relevant to its determination.”

Similarly, the Final Rule expands the revocation basis set out under 42 CFR § 424.535(a)(12).  Rather than focus exclusively on the termination of a provider’s or supplier’s Medicaid billing privileges, under the Final Rule 42 CFR § 424.535(a)(12) the basis for revocation has been expanded to include not merely Medicaid but also adverse actions taken by any other Federal health care program.  As the regulation now reads:

“(12) Other program termination.

(i) The provider or supplier is terminated, revoked or otherwise barred from participation in a State Medicaid program or any other federal health care program. In determining whether a revocation under this paragraph (a)(12) is appropriate, CMS considers the following factors:

(A) The reason(s) for the termination or revocation.
(B) Whether the provider or supplier is currently terminated, revoked or otherwise barred from more than one program (for example, more than one State’s Medicaid program) or has been subject to any other sanctions during its participation in other programs.
(C) Any other information that CMS deems relevant to its determination.

 (ii) Medicare may not revoke unless and until a provider or supplier has exhausted all applicable appeal rights.
 (iii) CMS may apply paragraph (a)(12)(i) of this section to the provider or supplier under any of its current or former names, numerical identifiers or business identities.”

 The Final Rule has set aside slots for future bases for revocation at 42 CFR § 424.535(a)(15) and (a)(16).

Notably, a number of new bases for Medicare enrollment revocation have now been established under the Final Rule and are set out under 42 CFR § 424.535(a)(17) through (a)(20).  These new reasons for revocation include the following:

(17) Debt referred to the United States Department of Treasury. The provider or supplier has an existing debt that CMS appropriately refers to the United States Department of Treasury. In determining whether a revocation under this paragraph (a)(17) is appropriate, CMS considers the following factors:

(i) The reason(s) for the failure to fully repay the debt (to the extent this can be determined).
(ii) Whether the provider or supplier has attempted to repay the debt (to the extent this can be determined).
(iii) Whether the provider or supplier has responded to CMS’ requests for payment (to the extent this can be determined).
(iv) Whether the provider or supplier has any history of final adverse actions or Medicare or Medicaid payment suspensions.
(v) The amount of the debt. (vi) Any other evidence that CMS deems relevant to its determination.

(18) Revoked under different name, numerical identifier or business identity. The provider or supplier is currently revoked under a different name, numerical identifier, or business identity, and the applicable reenrollment bar period has not expired. In determining whether a provider or supplier is a currently revoked provider or supplier under a different name, numerical identifier, or business identity, CMS investigates the degree of commonality by considering the following factors:

(i) Owning and managing employees and organizations (regardless of whether they have been disclosed on the Form CMS–855 application).
(ii) Geographic location.
(iii) Provider or supplier type.
(iv) Business structure.
(v) Any evidence indicating that the two parties are similar or that the provider or supplier was created to circumvent the revocation or reenrollment bar

(19) Affiliation that poses an undue risk. CMS determines that the provider or supplier has or has had an affiliation under § 424.519 that poses an undue risk of fraud, waste, or abuse to the Medicare program.

(20) Billing from non-compliant location. CMS may revoke a provider’s or supplier’s Medicare enrollment or enrollments, even if all of the practice locations associated with a particular enrollment comply with Medicare enrollment requirements, if the provider or supplier billed for services performed at or items furnished from a location that it knew or should have known did not comply with Medicare enrollment requirements. In determining whether and how many of the provider’s or supplier’s enrollments, involving the non-compliant location or other locations, should be revoked, CMS considers the following factors:

(i) The reason(s) for and the specific facts behind the location’s noncompliance.
(ii) The number of additional locations involved.
(iii) Whether the provider or supplier has any history of final adverse actions or Medicare or Medicaid payment suspensions.
(iv) The degree of risk that the location’s continuance poses to the Medicare Trust Funds.
(v) The length of time that the noncompliant location was non-compliant.
(vi) The amount that was billed for services performed at or items furnished from the non-compliant location.
(vii) Any other evidence that CMS deems relevant to its determination.  

(21) Abusive ordering, certifying, referring, or prescribing of Part A or B services, items or drugs. The physician or eligible professional has a pattern or practice of ordering, certifying, referring, or prescribing Medicare Part A or B services, items, or drugs that are abusive, represents a threat to the health and safety of Medicare beneficiaries, or otherwise fails to meet Medicare requirements. In making its determination as to whether such a pattern or practice exists, CMS considers the following factors:

(i) Whether the physician’s or eligible professional’s diagnoses support the orders, certifications, referrals or prescriptions in question.
(ii) Whether there are instances where the necessary evaluation of the patient for whom the service, item or drug was ordered, certified, referred, or prescribed could not have occurred (for example, the patient was deceased or out of state at the time of the alleged office visit).
(iii) The number and type(s) of disciplinary actions taken against the physician or eligible professional by the licensing body or medical board for the state or states in which he or she practices, and the reason(s) for the action(s).
(iv) Whether the physician or eligible professional has any history of final adverse actions (as that term is defined in § 424.502).
(v) The length of time over which the pattern or practice has continued.
(vi) How long the physician or eligible professional has been enrolled in Medicare.
(vii) The number and type(s) of malpractice suits that have been filed against the physician or eligible professional related to ordering, certifying, referring or prescribing that have resulted in a final judgment against the physician or eligible professional or in which the physician or eligible professional has paid a settlement to the plaintiff(s) (to the extent this can be determined).
(viii) Whether any State Medicaid program or any other public or private health insurance program has restricted, suspended, revoked, or terminated the physician’s or eligible professional’s ability to practice medicine, and the reason(s) for any such restriction, suspension, revocation, or termination.
(ix) Any other information that CMS deems relevant to its determination.

Notably, under the Final Rule, 42 CFR § 424.535(c), the regulations setting out the rules for reapplying after a provider’s or supplier’s Medicare enrollment has been revoked, have been revised and enhanced. First, the maximum reenrollment bar for a first-time revocation has been extended to 10 years. 42 CFR § 424.535(c)(1)(i). Second, if a provider or supplier attempts to “circumvent its existing reenrollment bar by enrolling in Medicare under a different name, numerical identifier or business identity,” CMS can extend that provider’s or supplier’s existing reenrollment bar by 3 additional years.   See 42 CFR § 424.535(c)(2)(i).

Moreover, under 42 CFR § 424.535(c)(3), if a provider or supplier is being revoked from Medicare a second time, CMS may choose to impose a reenrollment bar of up to 20 years.  The factors to be considered by CMS when determining the proper length of a reenrollment bar are set out under 42 CFR § 424.535(c)(3), subsections (i) through (iii).

In an effort to further prevent improper attempts to reenroll in the Medicare program, 42 CFR § 424.535(c)(4) provides a reenrollment bar applies to a provider or supplier under any of its current, former or future names, numerical identifiers or business identities.”

XII.  Impact of the Final Rule on State Medicaid and CHIP Enrollment and Disclosure Practices:

Section 1902(kk)(3) of the Act,1 as amended by section 6401(b) of the Affordable Care Act, which mandates that states require providers and suppliers to comply with the same disclosure requirements established by the Secretary under section 1866(j)(5) of the Act. In other words, the increased disclosure requirements apply to providers and suppliers enrolling or revalidating in the Medicare or Medicaid programs. It also applies to changes of information that must be reported under the Final Rule.

As the Final Rule further notes, as long as they continue to work within the broad Federal framework, States have been delegated considerable flexibility in how they administer their Medicaid and CHIP programs.  Ultimately, the enrollment requirements established by a State must be consistent with section 1902(a)(23) of the Act and implementing regulations at 42 CFR § 431.51. As the Final Rule reflects, as long as a State meets its obligations under 42 CFR § 431.51, it is free to:

“. . . [S]et reasonable standards relating to the qualifications of providers but may not restrict the right of beneficiaries to obtain services from any person or entity that is both qualified and willing to furnish such services.”

XIII. Due Diligence and Credentialing Risks When Enrolling, Revalidating or Submitting a Change of Information:

The affiliation disclosure requirements set out in the Final Rule are anticipated to be gradually implemented by CMS over the next three years.  The agency contends that such an approach will better enable the provider and supplier communities to meet their affiliation, uncollected debt and adverse event reporting obligations. Unfortunately, the Final Rule imposes yet another unfunded obligation on participating providers and suppliers.  From a practical standpoint, the implementation of the Final Rule will have an enormous impact on the credentialing process.  Federal and State payors have historically used the credentialing process as their first line of defense with respect to program integrity. The disclosure obligations set out in the Final Rule are quite comprehensive. Third-party billing companies and credentialing companies handling these submissions on behalf of their provider and supplier clients will need to diligently work to better ensure that each submission is both accurate and complete before submitting the credentialing package to a Federal or State payor.  On the payor side of the credentialing equation, professional credentialing companies, (such as CredSimple), will likely see an exponential increase in the demand for their verification and screening services.  Moreover, we fully expect to see private payors, medical centers and hospital systems adopt program integrity safeguards similar to those outlined in the Final Rule as they take steps to protect their organizations from fraud, waste, and abuse.

XIV.  Final Thoughts:

As the Final Rule details, the Affordable Care Act imposed a number of enrollment and reenrollment disclosure obligations on Medicare, Medicaid, and CHIP providers and suppliers.  These revised reporting obligations are intended to prevent bad actors from circumventing the existing safeguards that had been implemented to guard against fraud, waste, and abuse.  CMS estimates that it will take at least several years for the agency to revise the various versions of its CMS Form 855 enrollment applications and fully implement the new reporting obligations.  The true enormity of these new obligations has yet to be realized.  Affiliations, disclosable events and uncollected debts will be carefully evaluated by CMS and weighed as the agency decides whether to deny an application for enrollment or revalidation or revoke an existing provider’s or supplier’s Medicare billing privileges.

Healthcare Attorney

Jennifer Papapanagiotou,
Click here for bio

Robert W. Liles Healthcare Attorney

Robert W. Liles,
Click here for bio

Now, more than ever before, it is important for providers and suppliers to effectively conduct due diligence before hiring managerial staff, purchasing or selling an entity, appealing an alleged overpayment and / or seeking relief in bankruptcy.  As the enrollment disclosure and reporting process moves towards full implementation, it will be essential for you to fully understand your obligations under the law.  The attorneys at Liles Parker have extensive experience representing providers and suppliers in the provider enrollment, revalidation, change of information and change of ownership process.  Our team has represented healthcare providers and suppliers around the country in the appeal of Medicare termination actions, enrollment denials, and the revocation of an entity’s billing privilegesQuestions?  Give Robert Liles or Jennifer Papapanagiotou a call.  For a free consultation, we can be reached at:  1 (800) 475-1906.

[1] 42 CFR § 424.516.

[2] CMS is the single largest health care insurance payor in the country.  Approximately 90 million individuals are currently covered by Medicare, Medicaid and / or the Children’s Health Insurance Program (CHIP) programs.

[3] 71 FR 20754.

[4] 76 FR 5861.

[5] 81 FR 10720.

[6] The Final Rule is effective on November 4, 2019.

[7] 84 FR 47794, 47797.

[8] 84 FR 47794, 47803.

[9] 84 FR47794, 47802.

[10] Under 42 CFR § 424.502, the term “managing employee” means:

a general manager, business manager, administrator, director, or other individual that exercises operational or managerial control over, or who directly or indirectly conducts, the day-to-day operation of the provider or supplier, either under contract or through some other arrangement, whether or not the individual is a W-2 employee of the provider or supplier.”

[11] 84 FR 47794, 47803, 47805.  In light of the concerns raised, CMS will be adopting a “phased-in” approach to complying with the requirements under 42 CFR §?424.519(b).  Under this phased-in approach, CMS will first be revised Form CMS-855 to cover the various disclosures required under the Final Rule.  Initially, providers and suppliers will not be required to disclose affiliations under 42 CFR §?424.519(b) unless CMS asks for this information.  While this approach will initially relieve providers and suppliers of the disclosure burden, CMS notes that this is not meant to be a permanent exemption.  Ultimately, providers and suppliers will be required to report any affiliations with one or more disclosable events.

[12] 84 FR 47794, 47807.

[13] CMS acknowledges in its response to comments in the Final Rule that the additional sub-regulatory guidance is needed to further clarify the “knew or should have known” standard.  See 84 FR 47794,47811.

[14] This is similar to CMS’ new expanded authority to deny enrollment if an owner or managing employee of a provider or supplier is under a payment suspension by Medicare or a state Medicaid program. Under this new denial authority, CMS will examine the degree of commonality between the applicant and other revoked providers and suppliers, looking specifically at the owning and managing employees and organizations of the applicant and a revoked provider or supplier, the applicant and revoked provider’s or supplier’s geographic location, provider or supplier type, business structures, and “any evidence indicating the two parties are similar or that the provider or supplier was created to circumvent the revocation or reenrollment bar.” 84 FR 47794, 47823.

HIPAA Security Risk Assessments are Essential

Download PDF

HIPAA Security Risk Assessment(September 29, 2014) In the last article, we discussed the importance of conducting HIPAA security risk assessments, as part of your obligations under the HIPAA Security rules. The importance of promptly conducting a risk analysis if it has not yet done cannot be overestimated, as the HHS Office for Civil Rights (OCR) has now announced that they intend to begin the next phase of audits in October 2014. When Covered Entity receives a data request letter from OCR, it will have only two weeks to respond, which will not be enough time to conduct a risk analysis at that point.

In this article we’ll discuss eight elements or considerations that OCR states must be addressed in a risk analysis.

I.  Scope of the Analysis:

In conducting a risk assessment, a health care provider must consider all of the potential risks to electronic protected health information (e-PHI). Covered Entities must consider how all e-PHI in their practice is created, used, stored, and transmitted. Thus, Covered Entities need to consider how they create, receive, access, and transmit e-PHI. This includes removable storage media such as floppy disks, CDs, flash or thumb drives, and smart phones. Covered Entities must also think about telephone calls, emails, faxes, and computer transmissions. Consider how many employees or personnel can access the data and whether those individuals are all on-site or if any are off-site.

II.  Document How Data is Collected, Stored, Maintained and Transmitted:

Covered Entities must identify and document where e-PHI is gathered, received, stored, maintained or transmitted. This can be done through interviews with staff members, a physical walk through of the office or practice location(s), or reviewing documentation.

III.  Identify and Document Potential Risks, Threats and Vulnerabilities:

Covered Entities must document the reasonably anticipated threats to e-PHI. Consider physical, environmental, natural, human and technological threats or risks. Environmental or natural threats should include natural disasters such as tornadoes, floods or earthquakes. Human threats are likely to be some of the greatest concern. These include current employees and contractors, ex-employees and contractors, visitors, and criminals such as thieves and hackers. Technological threats will include any known system vulnerabilities in the billing system or EMR/EHR, for example. Healthcare providers should contact the vendors of these systems to ask about any known vulnerabilities.

IV.  Identify and Evaluate Current Security Measures:

Covered Entities must document what security measures are already in place to guard e-PHI and whether those measures are installed, configured and used correctly. The level and extent of security measures will vary by the type and size of provider. As an example, list any anti-virus or firewall programs. Don’t forget to document physical security measures, such as security and alarm systems.

V.  Determine the Likelihood of the Occurrence of the Threats:

This element requires Covered Entities to consider the probability that the threats listed in step # 3 will occur. This can be done with a quantitative method (such as the percentage probability that a threat will occur) or a qualitative one (such as high, medium, low). A high probability of occurrence means that a threat is “reasonably anticipated” and thus will require a mitigation or protection against the threat occurring. For example, a healthcare provider may determine that there is a high probability of a break-in into the office or clinic. Thus, a mitigation such as an alarm or security system would be an example of a security measure that could be implemented pursuant to step # 4.

VI.  Determine the Potential Impact if a Threat Occurs:

Covered Entities must evaluate the impact that might result from a threat occurring. Again, this can be done using a quantitative or qualitative method. For example, a potential impact of a breach of a Covered Entity’s billing system might be loss of cash flow or cost to replace stolen computer equipment. This might be a high or severe impact. Another example could be unauthorized access to e-PHI by patients or visitors. This impact might be low or medium.

VII.  Determine the Level of Risk:

This step is accomplished by utilizing the data from steps 5 and 6. A very common method of documenting the level of risk is using a HIPAA risk assessment matrix (such as a 3 x 3 matrix) or “heat map”. Those threats or vulnerabilities with higher levels of risk are ones that a Covered Entity should focus on addressing or correcting sooner than those with lower levels of risk.

VIII.  Identify HIPAA Security Risk Assessment Measures and Document the Risk Analysis:

Once the Covered Entity has identified risks and assigned risk levels, it must identify tasks, actions or security measures to address those risks. In identifying security measures, the Covered Entity should consider factors such as effectiveness, requirements of the Covered Entity’ policies and procedures and other legislative or regulatory requirements (for example, state laws). If a Covered Entity identifies a security measure but decides not to implement it, the risk analysis should document why (for example, technologically not feasible, lack of knowledge or equipment, cost prohibitive, etc.)

The Security Rule also requires Covered Entities to document the risk analysis, but does not specify or require any particular format. Thus, the risk analysis can be documented via a report that lists elements # 1 through 7, summarizes the analysis, notes the results of each step, and identifies the security measures.

Two final very important comments. First, the Risk Analysis is NOT the process of implementing measures to address the risks identified. That is the risk management process under HIPAA, which is considered a separate activity. Second, the Risk Analysis is not a “do it once and forget about it” process. The Risk Analysis must be periodically revisited and reviewed to determine if the threats, vulnerabilities, impacts and potential security measures remain the same. A Covered Entity may bring new systems online, may open or close locations, or have major changes in personnel. The re-evaluation of a Covered Entity’s Risk Analysis ideally should occur on an annual basis. A very old and outdated Risk Analysis is basically equivalent to not having a Risk Analysis at all.

Heidi Kocher Healthcare AttorneyHeidi Kocher serves as Counsel for Liles Parker and represents health care providers and suppliers in the Dallas / Fort Worth metropolitan area.  Heidi is an experienced health lawyer and is skilled in assisting clients with transactional projects, compliance issues and in fraud and abuse counseling.  Should you have any questions regarding the HIPAA security risk assessment process, please give Heidi a call.  For a free consultation, call Heidi at: 1 (800) 475-1906.

Oncology Fraud: Michigan Oncologist Indicted

Download PDF

Oncology Fraud(August 29, 2014) The American Cancer Society has estimated that 43.92% of all males and 38.00% of all females in the United States will develop cancer at some point during their lifetime. While a number of clinical advances have been made over the last 25 years, chemotherapy remains one of the predominant tools used to fight cancer in many of its various forms. Depending on the type of cancer at issue, chemotherapy can be used as a primary or as an adjuvant therapy. While a number of drugs have been developed to address several of the adverse side effects normally associated with chemotherapy, this therapeutic approach is often still devastating on patients. How would you feel if you learned that your oncologist has put you or a loved one through an intensive course of chemotherapy, when it was not needed? According to federal investigators that is exactly what happened to the patients of one oncologist in Detroit, Michigan.

I. Background of this Oncology Fraud Case:

In August 2013, the government first alleged that a noted Michigan oncologist routinely prescribed chemotherapy and other drastic medical interventions for patients who were either healthy or ill but in need of alternate treatments. According to federal prosecutors, the oncologist

“submitted fraudulent claims to Medicare for medically unnecessary services, including chemotherapy treatments, positron emission tomograph (PET) scans, and a variety of cancer and hematology treatments for patients who did not need them.”

The government further alleged that the doctor engaged in this improper conduct to increase his own income. Records reflect that the doctor billed Medicare for approximately $150 million in services between August 2010 and July 2013.

II. Nature of the Allegations:

Essentially, the government has alleged that the defendant ordered chemotherapy for patients whose cancer was in remission. The defendant is also alleged to have ordered chemotherapy for all of the terminal patients under the physician’s care, even if the treatment would not improve or extend their lives. Further, the oncologist sometimes issued patients life-long prescriptions of drug treatment for low platelet conditions, without informing patients that surgery was a treatment alternative to years of drug therapy. Ultimately, it appears that the government believes that the defendant improperly ordered chemotherapy for monetary gain, rather than because the treatment regimen was medically necessary.

III. Origin of this Oncology Fraud Case:

While the August 2013 U.S. Attorney’s Office Press Release did not discuss how these concerns were first brought to the government’s attention, a segment by ABC News reported that the case was the result of complaints brought by an oncology nurse who worked with the defendant in 2010. According to the government, the Oncology fraud scheme put $35 million in the oncologist’s pocket.

IV. Current Status of this Oncology Fraud Case:

In May 2014, the defendant’s legal counsel moved for a change of venue, in an effort to have the trial transferred to another judicial district. The defendant’s motion was denied in June 2014 and the trial was originally scheduled to begin on August 12, 2014. It has been reset to begin in mid-October 2014. The defendant could face 10 years in prison and a $250,000 fine if convicted.

V. Why Should Our Oncology Practice Be Concerned About this Case?

Readers may ask, “Why is this case relevant to me – I am an honest provider?” Frankly, all oncologists should take note of this case. Issues of medical necessity can be extremely difficult to parse out, especially in cases where a patient is suffering from a potentially deadly illness. As earlier discussed, chemotherapy is used for a wide variety of purposes. Depending on the type of cancer involved, it may be administered as a patient’s primary treatment regimen. Other cancers may utilize radiation therapy as the primary treatment regimen yet still use chemotherapy as an adjuvant remedy. Finally, chemotherapy may be prescribed and used as a palliative measure in cases where a patient has already been diagnosed as terminal. The point is this – the utilization of chemotherapy as a course of treatment may be reasonable and appropriate, despite the fact that the clinical profile of one patient may be very different from that of another. Moreover, two independent, competent oncologists may have divergent views on whether chemotherapy is warranted in a particular case. Despite arguments to the contrary, medicine is also an “art,” not merely a “science.”

VI. Steps You Can Take to Reduce Risk:

It is essential that oncologists participating in Medicare review both their operational and documentation practices to ensure that entities processing and examining their patient treatment records can readily ascertain why certain care and treatment decisions were made. Several essential considerations to be taken into account include:

  • Coverage and Payment Requirements Medicare Administrative Contractors (MACs) working for the Centers for Medicare and Medicaid Services (CMS) are responsible for developing and administering coverage and payment guidance which delineates when it is appropriate to utilize one or more treatment options when caring for a cancer patient. MACs often publish guidance which specifies whether it is appropriate to administer a particular type of chemotherapy when treating a patient suffering from a particular type of cancer. Often, this information is set out in Local Coverage Determination (LCD) guidance maintained by the MAC. It is not uncommon to find that an LCD specifies the type of chemotherapy that is appropriate, and the frequency it may be used, when prescribing it to fight a particular type of cancer. Unfortunately, you may find that the government seems to sometimes confuse “coverage” with “medical necessity.” In other words, the government may allege that an order for chemotherapy was not medically necessary, when in fact, what the government is really saying is that the Medicare program does not cover the use of a certain type of chemotherapy when addressing a certain type of cancer.

  • Community Standard of Care Notably, the issue of whether or not a physician has acted reasonably in the medical decision-making process can vary from one region to another. As one source has noted, a physician is expected to provide care at:

“the level at which an ordinary, prudent professional with the same training and experience in good standing in a same or similar community would practice under the same or similar circumstances.”

The standard of care one would expect from a physician when treating a cancer patient may vary from one locale to another. For example, the standard would likely be higher in a large metropolitan area where clinical research on oncology issues is being conducted and state-of-the-art remedies are being applied than it would be in a small town in Texas or Alaska, where an oncologist is unlikely to be involved in oncology research studies and has fewer opportunities to further develop their treatment skills.

  • Patient and Family Wishes At the end of the day, every cancer patient must decide whether or not they intend to receive chemotherapy. We are aware of instances where an individual diagnosed with a treatable cancer chooses not to undergo such a regimen, despite the fact that such a decision may hasten their demise. Alternatively, a critical patient may actively seek to receive chemotherapy, even though it may not be recommended for individuals who has been diagnosed as terminal.

Although this case is a dramatic example of what can happen when an oncologist is alleged to have bilked Medicare, it provides a stark example of a situation where the defendant should have previously identified that their chemotherapy practices were different from those of their peer.

In light of the risks presented, we strongly recommend that oncology practices develop, implement and follow the rules and regulations set out in an effective Compliance Plan. Through the use of a GAP analysis, oncologists can identify potential documentation, medical necessity, coding and billing deficiencies in their practice. Once identified, these deficiencies can be carefully assessed so remedial action may be taken to address any overpayments or other improper claims practices that have been identified to avoid any possible Oncology fraud. When conducting a GAP analysis, we strongly recommend that you engage experienced legal counsel to assist you with this process.

Health care AttorneyMichael Troy serves as Counsel to the health care boutique law firm, Liles Parker, PLLC. Liles Parker has offices in Washington, DC, Baton Rouge LA, Houston TX and McAllen TX. Liles Parker provides nationwide representation and legal services to health care providers facing an audit or administrative review of claims by a Zone Program Integrity Contractor (ZPIC), a Recovery Audit Contractor (RAC), or a Medicaid Integrity Contractor (MIC) and Medicaid RAC overpayment determinations. Our attorneys also actively assist health care providers and suppliers in postpayment audits, Oncology Fraud, prepayment reviews, suspension or termination actions. For more information, call today at 1-800-475-1906 for a free consultation.

A HIPAA Risk Assessment is Essential to Avoid Liability

Download PDF

Covered entities and business associates must perform a HIPAA risk assessment.(August 23, 2014):  Almost all health care providers and suppliers qualify as a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Together with the business associateswith whom they work, these entities are responsible for ensuring that any protected health information (PHI) under their control has been properly secured and remains confidential.  Let’s face it, the regulations governing a health care provider’s obligations under HIPAA are both extensive and complex.

Many small and mid-sized health care providers and suppliers have found it difficult to fully comply with their many statutory obligations under HIPAA’s privacy and security mandates.  Nevertheless, it is important to keep in mind that the government is actively investigating allegations of breach, regardless of the size of provider or supplier that may be involved.

I.   The Importance of Conducting a HIPAA Risk Assessment:

A recent federal criminal indictment of an individual for a HIPAA violation should serve as a reminder to all health care providers of the importance of fully complying with HIPAA’s security requirements.  While most health care providers and suppliers have diligently worked to comply with HIPAA’s privacy requirements, their compliance with HIPAA’s security and risk assessment mandates remains a challenge.  A recent case out of the U.S. Attorney’s Office for the Eastern District of Texas provides a stark reminder of why all health care providers must remain diligent in their efforts to secure and protect the medical records that have been entrusted to their care by their patients.

Last month, federal prosecutors announced that a former employee of an unnamed hospital in East Texas had been arrested in Georgia the previous year on charges unrelated to the theft of PHI.  At the time of his arrest, he was discovered to be in possession of patient medical records from Texas.  The subsequent investigation indicated that from December 1, 2012, through January 14, 2013, the individual had obtained PHI while he was employed at an East Texas hospital.  The defendant allegedly took the patient records with the intent to use the patient’s PHI for personal gain.  The defendant is currently in jail, awaiting trial.  If convicted, he could be sentenced to prison for up to 10 yearsThere are two main points that all covered entities and business associates should keep in mind:

1.  The theft of PHI is a serious crime.  Both federal and state prosecutors are actively pursing individuals who illegally steal or improperly use patient PHI for personal gain.  Under 18 U.S.C.A. § 1028A(a)(1), the federal “Aggravated-Identity-Theft” statute prohibits an individual’s knowing use of another person’s identifying information without a form of authorization recognized by law. 

2.  While the government’s Press Release does not discuss whether the East Texas hospital had previously conducted a proper HIPAA risk assessment, it would not be surprising to later learn that the Office of Civil Rights (OCR) has initiated its own audit of the organization to verify that it has, in fact, previously conducted a HIPAA risk assessment.    

II.  HIPAA’s Security Rule Requires that a Risk Assessment be Conducted:

While details regarding what security provisions and precautions the East Texas hospital may have implemented are not available, one wonders if the hospital conducted a risk analysis as required by HIPAA’s Security Rule provisions.  The Security Rule states that all covered entities must implement policies and procedures “to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).)   A risk analysis is one of four required implementation specifications in the Security Rule that actually provide instructions on how to implement the requirement.  Conducting a risk analysis would likely have revealed system vulnerabilities, perhaps even the one that failed to prevent the theft of patient PHI.  Certainly a risk analysis would have revealed the necessity of various audits, any of which could have revealed the fact that the defendant was improperly accessing and taking patient records.

Unfortunately, conducting a HIPAA risk assessment is still a problem for many health care providers.  A series of audits were conducted in 2012 by federal contractors working for OCR to assess whether health care providers, suppliers, health plans and clearinghouses have been complying with HIPAA’s Privacy, Security, and Breach Notification requirements.  A number of health care providers were included in these audits.  The results showed that 60% of the deficiencies reported were related to HIPAA security requirements.  In addition, 65% of the findings were for health care providers, in particular smaller providers.  Of the 59 providers, 58 had at least one finding relating to a Security Rule deficiency.   Nearly 80% of the healthcare providers had not completed a risk assessment.[1]  OCR concluded that driving compliance with the Security Rule aspects of HIPAA would be a likely focus in the future.

III.  Meaningful Use and Risk Assessments:

Conducting a risk analysis is also a core requirement under the Meaningful Use rules. [2]  In order to receive a meaningful use incentive, providers were required to certify that they conducted a risk assessment in accordance with the HIPAA Security Rule provisions.   Over 245,000 eligible professionals received payments for usage of electronic health records for 2011 and 2012.

Yet if the statistics from OCR’s admittedly small sample of healthcare providers in 2012 is true, this could mean that a very large majority of those healthcare providers who certified to having conducted a risk assessment as part of their meaningful use certifications did so falsely. The data on which providers, including names and NPI numbers, have received a meaningful use incentive payment is publicly available.   Thus it is highly likely that as part of the soon-to-be-restarted HIPAA audits, OCR will explicitly review whether providers falsely certified that they conducted a security risk analysis, when in fact they did not.  While the amount of money that a provider might have to return for a false certification is not large, the potential penalties for having falsely certified compliance with the regulations are much larger and more serious.

IV.  Final Remarks:

While overdue, if your organization has not already conducted a HIPAA security risk assessment, it is imperative that you do so immediately.   The window to take remedial action may be closing, especially if you have received payments under the meaningful use provisions.  Need help?  Give us a call.  In Part II of  this article, we will discuss several of the considerations you should take when engaging outside assistance to conduct a security risk assessment of your organization.

Heidi Kocher Healthcare Attorney

Heidi Kocher serves as Counsel for Liles Parker and represents health care providers and suppliers in the Dallas / Fort Worth metropolitan area.  Heidi is an experienced health lawyer and is skilled in assisting clients with transactional projects, compliance issues and in fraud and abuse counseling.  Should you have any questions regarding the HIPAA security risk assessment process, please give Heidi a call.  For a free consultation, call Heidi at: 1 (800) 475-1906.


[1] HIPAA Privacy, Security and Breach Notification Audits:  Program Overview & Initial Analysis, presentation by Verne Rinker JD, MP, at 2013 NIST / OCR Security Rule Conference, May 21-22, 2013, available at http://csrc.nist.gov/news_events/hipaa-2013/presentations/day1/rinker_day1_215_hipaa_privacy_security_breach_audits.pdf

[2] See the July 28, 2010 Final Rule Notice, 75 Fed.Reg. 44314 at 44369; 42 CFR 495.6(d)(15).

Medicare Lifts Ban on Coverage for Sex Reassignment Surgery

Download PDF

(July 1, 2014):  On Monday, June 2, the Obama administration lifted its 33 year ban on Medicare coverage for Sex Reassignment Surgery (SRS). The decision is being hailed as a major victory for transgender rights. However, the decision does not necessarily mean that Medicare will pay for these operations – only that it could do so.

I.  Medicare Originally Considered Sex Reassignment Surgery to be “Experimental” and Therefore Not Covered:

In 1989, the Department of Health and Human Services (HHS) issued a blanket Medicare ban when it determined that SRS was an “experimental” surgery. This guidance was outlined under HHS’s National Coverage Determination[1] (NCD) titled “140.3, Transsexual Surgery.” Specifically,

Transsexual surgery for sex reassignment of transsexuals is controversial. Because of the lack of well controlled, long term studies of the safety and effectiveness of the surgical procedures and attendant therapies for transsexualism, the treatment is considered experimental. Moreover, there is a high rate of serious complications for these surgical procedures. For these reasons, transsexual surgery is not covered. 

The NCD language was based on a 1981 report from the National Center for Health Care Technology (NCHCT) of the HHS Public Health Service (PHS). The NCHCT forwarded its report to the officials of the Health Care Financing Administration (HCFA), now the Centers for Medicare & Medicaid Services (CMS), recommending “that transsexual surgery not be covered by Medicare at this time.”

II.  Challenging an NCD:

The Department Appeals Board (Board) may review any NCD “[u]pon the filing of a complaint by an aggrieved party.”[2] The aggrieved party must submit a statement “explaining why the NCD record is not complete, or not adequate to support the validity of the NCD under the reasonableness standard” and CMS may submit a response defending the NCD.[3]

The NCD record “consists of any document or material that CMS considered during the development of the NCD” including “medical evidence considered on or before the date the NCD was issued…”[4] The Board then “applies the reasonableness standard to determine whether the NCD record is complete and adequate to support the validity of the NCD.”[5]

If the Board determines that the record is complete and adequate to support the validity of the NCD, the Board will issue “a decision finding the record complete and adequate to support the validity of the NCD…”[6] The review process will then conclude. However, if the Board determines that the record is not complete and adequate to support the validity of the NCD, it will permit “discovery and the taking of evidence” and evaluate the NCD under applicable provisions[7], including conducting a hearing.[8] During an NCD review, the aggrieved party bears the burden of proof and the burden of persuasion for the issues raised in an NCD complaint, and the burden of persuasion is judged by a preponderance of the evidence.[9]

III.  NCD Complaint Filed to Overturn the Exclusion:

The aggrieved party included a 74-year old transgender woman and army veteran from Albuquerque, New Mexico. She filed her initial NCD complaint in March 2013. The following month, the Board notified CMS of this filing and then CMS submitted the NCD record[10] in May 2013. In June 2013, the aggrieved party submitted in a statement as to why the NCD record was not complete or adequate to support the validity of the NCD under the reasonableness standard.

The complaint contended that the bases for the NCD neither “reflect [n]or are supportable by the current state of medical science,” and that the NCD “is not reasonable in light of the current state of scientific and clinical evidence and current medical standards of care.” The complaint asserted that “in the intervening 32 years since PHS/NCHCT studied the issue” of coverage:

(a) dozens of new studies have been conducted that address the methodological limitations of earlier studies and confirm that sex reassignment surgery is a safe and extremely effective treatment for persons with severe gender dysphoria; (b) advancements in surgical techniques have dramatically reduced the risk of complications from sex reassignment surgery and the rates of serious complications from such surgeries are low, and (c) a robust medical consensus has developed among mainstream medical organizations which endorses the treatment standards established by the WPATH [World Professional Association for Transgender Health] Standards of Care [for the Health of Transsexual, Transgender, and Gender-Nonconforming People, Version 7, 13, Int’l J. Transgenderism 1 65 (2011)] and recognizes that sex reassignment surgery is a medically necessary treatment for persons with severe gender dysphoria.

The complaint was supported by the testimony of two expert witnesses – a clinical psychologist and a physician certified by the American Board of Obstetrics and Gynecology – as well as copies of two letters from two other physicians to an ALJ in the HHS Office of Medicare Hearings and Appeals. All of these health care professionals had substantial experience in treating persons with gender identity disorder (GID). In the case of the three physicians, this experience included years of performing some of the procedures involved in SRS. In addition, the clinical psychologist submitted copies of 32 journal publications and other writings cited in her two declarations.

Notably, CMS did not submit a response to these submissions. One could conclude that the agency had no reason to question the aggrieved party’s expert testimony or the experts’ descriptions of the medical and scientific literature submitted by the aggrieved party.

IV.  HHS Acknowledges that Sex Reassignment Surgery is Not Experimental:

HHS reviewed the complaint and made several conclusions. It determined that the record on which the safety concerns in the NCD were based was not complete and adequate. According to HHS, this appeared to stem, in part, from the substantial passage of time since publication of the sources on which the NCHCT relied in recommending that transsexual surgery be excluded. For example, surgical outcomes are far superior now than they were in at the time the NCD was published.

HHS also concluded that the declarations and supporting materials made the record on which the NCD was based was not complete or adequate to support the NCD’s determination that transsexual surgery has not been shown to be effective (i.e., that the surgery is experimental). Seemingly, the medical community today has reached consensus that transsexual or gender reassignment surgery is an effective treatment for persons with a sufficiently severe degree of gender identity disorder (GID) or gender dysphoria, the most common diagnoses for SRS.

HHS also noted that “long-term” follow-up studies published from 2002 to 2010 found that SRS was effective and had low complication rates based on assessing transsexual persons. Moreover, the complaint also cited decisions by US courts of appeals in seven circuits recognizing that GID or gender dysphoria was a serious medical condition.[11]

Based on this evidence, HHS concluded that the NCD record was not complete and adequate to support the validity of NCD 140.3, “Transsexual Surgery.” Therefore, HHS would now proceed to discovery and the taking of evidence.

V.  HHS’s Decision Meant that Sex Reassignment Surgery Could Be Covered Under Medicare:

HHS’ ruling here does not address the ultimate question of whether the NCD, as written, is valid under the reasonableness standard in the statute and regulations. The June 2, 2014 decision merely acknowledges that the procedures are not experimental and could be covered under the Medicare program.

What are some of the implications, at least thus far, of the HHS ruling? For one, Medicare may end up considering surgery as a medically necessary treatment for a diagnosis classified as a mental disorder. As noted above, gender dysphoria is the most common diagnosis given for SRS. Interestingly, it is listed as code 302.85 “Gender identity disorder in adolescents or adults” in ICD-9 and classified under “Neurotic Disorder, Personality Disorders, And Other Nonpsychotic Mental Disorders”. Its ICD 10 code will be F64.1 (with the same description) and is listed as a “Disorder of Adult Personality and Behavior”. If HHS determines that it will pay for surgeries for gender dysphoria, could this lead to coverage for payment for procedures for other mental conditions like Autism?

VI.  Final Remarks:

Again, the latest move by HHS does not necessarily mean that Medicare will pay for SRS procedures. Nevertheless, the fact that the Agency has removed the restriction on SRS as an “experimental” procedure is still a considerable step. Regardless of any restrictions that Medicare may place on SRS procedures, this could be seen as a substantial updated in CMS’s policies of considering mental health disorders as true diseases that may require surgery and not just counseling services or medication. For those interested, stand by to see if HHS eventually promulgates an actual NDC or coverage policy for SRS.

Health care lawyerRobert Saltaformaggio, Esq., serves as an Associate at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits by ZPICs and other CMS program integrity contractors.  The firm also represents health care providers in HIPAA Omnibus Rule risk assessments, privacy breach matters, State Medical Board inquiries and regulatory compliance reviews.  For a free consultation, call  1 (800) 475-1906.

[1] An NCD is “a determination by the Secretary [of HHS] with respect to whether or not a particular item or service is covered nationally under [title XVIII (Medicare)].” Social Security Act (the Act) § 1869(f)(1)(B) (42 U.S.C. § 1395ff(f)(1)(B)). NCDs are issued by CMS, apply nationally, and are binding at all levels of administrative review pf Medicare claims. 42 C.F.R. § 405.1060.

[2] Section 1869(f)(1) of the Act.

[3] 42 C.F.R. § 426.525(a), (b).

[4] 42 C.F.R. § 426.518(a).

[5] 42 C.F.R. § 426.525(c)(1).

[6] 42 C.F.R. § 426.525(c)(2).

[7] of 42 C.F.R. Part 426.

[8] 42 C.F.R. §§ 426.525(c)(3), 426.531(a).

[9] 42 C.F.R. § 426.330.

[10] The NCD record included: a May 6, 1981 NCHCT memorandum recommending “that transsexual surgery not be covered by Medicare at this time”; the 1981 NCHCT report; notes from a May 11, 1982 HCFA Physicians Panel meeting recommending against referring the American Civil Liberties Union (ACLU) submissions to PHS, where the ACLU disagreed with HCFA’s non-coverage policy, “on the basis that it does not contain information about new clinical studies or other medical and scientific evidence sufficiently substantive to justify reopening the previous PHS assessment.”; and a copy of the 1989 Federal Register notice publishing the NCD language (minus four pages) and an undated page from the HCFA coverage issues manual. 54 Fed. Reg. 34,555-612; NCD Record at 11, 76-129.

[11] See, e.g., De’lonta v. Johnson, 708 F.3d 520, 522-23 (4th Cir. 2013) (stating that sex or gender reassignment surgery is an accepted, effective, medically-indicated treatment for GID, and that the surgery is not experimental or cosmetic and that the WPATH Standards of Care “are the generally accepted protocols for the treatment of GID.”).

Is Your Dental Practice Prepared to Undergo a Medicaid Dental Audit?

Download PDF
Your chances of undergoing a Medicaid dental audit are increasing.

Is Your Practice Ready for a Medicaid Dental Audit?

(November 25, 2013):  The link between oral health and overall health has been increasingly acknowledged over the years. Emphasis has been placed on children’s oral health in particular. In fact, the Children’s Health Insurance Program Re-authorization Act of 2009 (CHIPRA) mandates that “child health assistance provided to a targeted low-income child shall include coverage of dental services necessary to prevent disease and promote oral health, restore oral structures to health and function, and treat emergency conditions.”[1] The importance of good oral hygiene habits and preventive dental care cannot be overstated; yet, the federal government has not mandated even minimal dental benefits for low-income adult Americans through Medicaid. While dental coverage for low-income children is rather expansive, it is entirely up to states as to whether dental is covered for low-income adults at all. In any event, the likelihood that you will be subjected to a Medicaid dental audit by federal and / or state authorities has been increasing each year.  In this article, we discuss the current enforcement environment, along with steps you can take to reduce your dental practice’s level of risk.

I.  State Medicaid Dental Care Differs from Jurisdiction to Jurisdiction:

The range of approaches by states to low-income adult dental coverage is vast, including from no coverage to coverage of all service categories. Some states are expanding their coverage of low-income adult dental care to both reflect the increasingly recognized importance of quality dental care and the increasing costs of dental care. For example, Indiana raised its cap on adult dental services from $600 per calendar year to $1,000 per calendar year in 2011.[2] Of course, the nation’s fiscal crisis has also pushed states in the other direction, forcing states like Pennsylvania, Massachusetts, Illinois, California and Washington to cut “discretionary costs” from their Medicaid budgets, which has included dental coverage.[3]

II.  The Likelihood of Your Practice Being Subjected to a Medicaid Dental Audit:

Not surprisingly, the increased recognition of the importance of preventive and quality dental care has also led to the increased scrutiny of dental services paid for by federal-state health benefit programs. The criminal conviction of a Virginia dentist in 2008 on felony charges of racketeering, health care fraud, and structuring a financial transaction sent vibrations throughout the dental world. The Virginia dentist was a long time provider of dental services in his community (the poorest area of his state, in fact), having begun his practice in 1981. By 2008, his payor mix was 50-50 Medicaid-private pay.

An “anonymous” complaint triggered the investigation of his practice which led to his conviction, though he had also been audited by Medicaid several times prior to that. Nobody disputes that there were some mistakes in his practice’s documentation and record keeping, including the Virginia dentist himself.  Yet, as he stated in an interview:

“the government’s position was that these errors were not mistakes, but the errant claims were submitted to be paid for more than I was entitled.”

Both prior to serving his sentence and after his release, the Virginia dentist shared his story time and time again, stressing to his peers the importance of comprehensive documentation. As he stated in that same interview:

“If I can prevent this situation from happening to anyone else, airing my “dirty laundry” will have been worth the embarrassment. […] If you become a Medicaid provider, be very, very careful! Document, document, document; review, check, and recheck. Make no mistakes!”

As predicted, we’ve seen dentists across the nation come under increased scrutiny. Medicaid Integrity Contractors (MIC) in states such as Indiana and Texas have been particularly active. The MICs are requesting samples of medical documentation from as early as 2007, and are requesting the full ambit of documentation, from charts to billings.

III.  The Medicaid Documentation Quandary:

Dentists should be aware of and expect Medicaid dental audit letters from their local MICs, which are generally followed by a site-visit. Unfortunately, the letters are broad, giving dentists no real sense of what types of services, if any, are being reviewed. The lack of focus, we believe, is indicative of the contractors’ intent to review compliance with federal and state documentation guidelines in general. Many dentists document quite minimally, indicating the tooth at issue and the service that has been deemed medically necessary, with no indication or elaboration on the basis for that determination (e.g., treatment diagnosis, x-ray findings, etc.). We encourage our dental clients to ask themselves: would a peer be able to look at my documentation and come to the same conclusion as I did as to which service(s) was medically necessary? If not, the documentation is probably not sufficient for Medicaid standards. Remember that all of the dots need to be connected for the MIC reviewer in the documentation. The MIC reviewer will not make any inferences in your favor.

IV.  How Should a Dentist Respond to Medicaid Dental Audit?

In light of the increased scrutiny of dental services, dentists should review their forms and documentation procedures and update them accordingly if deficiencies are identified. Dentists should also apprise their staff of the current activity in the Medicaid dental world and establish a plan of action for how to respond in the event that the local MIC initiates an audit of their practice.

V.  Final Remarks:

Now, more than ever, it is essential that dentists participating in the Medicaid programs review both their operational and documentation practices to ensure that a third-party examining their patient treatment records years from now can readily see why certain care and treatment decisions were made and that the services billed to the Medicaid program were medically reasonable and necessary.

Healthcare LawyerLorraine Ater, Esq. is a health law attorney with the boutique firm, Liles Parker, Attorneys & Counselors at Law.  Liles Parker has offices in Washington DC, Houston TX, McAllen TX and Baton Rouge LA.  Our attorneys represent dentists, orthodontists and other health care professionals around the country in connection with government audits of Medicaid and Medicare claims, licensure matters and transactional projects.  Need assistance?  For a free consultation, please call: 1 (800) 475-1906.



[1] Title XXI of the Social Security Act, Section 2103(c)(5).
[2] On January 1, 2011, the cap on dental services for members age 21 and older was increased to $1,000 and included all covered dental services, including all emergency dental services.
[3] A more comprehensive discussion of the Medicaid dental budget cuts reflects the challenges faced by the states.

Liles Parker Says “Thank You” to America’s Veterans — God Bless America

November 12, 2012 by  
Filed under Firm News

Download PDF
Liles Parker Says "Thank You" to America's Veterans on this Veterans Day

Liles Parker Says “Thank You” to America’s Veterans

(November 12, 2012): On this Veterans Day, Liles Parker thanks all of our nation’s veterans for their tremendous service and sacrifice in the defense of the United States of America. Please join us in remembering our soldiers, marines, sailors, and airmen for their unparalleled courage and commitment to our country.

Liles Parker is a full service, health law boutique with offices in Washington, DC, Baton Rouge, LA, Houston, TX and San Antonio, Texas.  We represent health care providers around the country in transactional projects, Medicare / Medicaid prepayment reviews and postpayment audits, compliance issues and peer review proceedings. 

Are you a health care provider needing assistance? Call us for a free consultation.  We can be reached at: 1 (800) 475-1906.

American Health Lawyers’ Scholarly Journal Publishes Michael Cook’s Health Care Reform

November 1, 2010 by  
Filed under Firm News

Download PDF

Michael Cook's Health Care Lawyer(November 1, 2010): Michael Cook has published a health care reform article in the October issue of the American Health Lawyers Association on the Independent Payment Advisory Board. The Abstract of the health care reform article is as follows:

“By creating the Independent Payment Advisory Board (IPAB) as part of the health care reform process, Congress attempted to impose fiscal discipline upon itself by creating limits on the amount of spending under the Medicare program, and by removing the process for meeting those targets from its domain. Each year beginning in 2013, the Chief Actuary of the Centers for Medicare and Medicaid Services will compare the projected average per capita increase in Medicare spending against a target. If the Chief Actuary finds that spending is projected to exceed the target, the IPAB – an independent board – is charged with developing a proposal that will be implemented automatically beginning in January 2015, unless Congress, through an expedited process and super majority vote, either overrides the process or votes in 2017 to disband the board in 2020. This article provides a detailed description and analysis of the provisions that create the IPAB, the process on how it will operate, and the implications of this extremely controversial body.” Michael H. Cook, Independent Payment Advisory Board: Part of the Solution for Bending the Cost Curve?, J. HEALTH & LIFE SCI. L., October 2101, at 102.

Because of copyright laws, we are not able to post copies of the article in full on this website. However, for this issue only, the AHLA is selling single copies of the October issue of the Journal. Readers can obtain information on purchasing the article at www.healthlawyers.org/JHLSL.

Anyone seeking additional information on the IPAB can review a short article on this website, and can contact Michael Cook at (202) 298-8750 or mcook@lilesparker.com for information on this and other aspects of the new health care reform legislation.  Mr. Cook is an attorney in Liles Parker’s Washington, DC office.  He has extensive experience working in practically every area of health law. 

Next Page »