Liles Parker PLLC
(202) 298-8750 (800) 475-1906
Washington, DC | Houston, TX
San Antonio, TX | Baton Rouge, LA

We Defend Healthcare Providers Nationwide in Audits & Investigations

HIPAA Security Risk Assessments are Essential

Business Plan(September 29, 2014) In the last article, we discussed the importance of conducting HIPAA security risk assessments, as part of your obligations under the HIPAA Security rules. The importance of promptly conducting a risk analysis if it has not yet done cannot be overestimated, as the HHS Office for Civil Rights (OCR) has now announced that they intend to begin the next phase of audits in October 2014. When Covered Entity receives a data request letter from OCR, it will have only two weeks to respond, which will not be enough time to conduct a risk analysis at that point.

In this article we’ll discuss eight elements or considerations that OCR states must be addressed in a risk analysis.

I.  Scope of the Analysis:

In conducting a risk assessment, a health care provider must consider all of the potential risks to electronic protected health information (e-PHI). Covered Entities must consider how all e-PHI in their practice is created, used, stored, and transmitted. Thus, Covered Entities need to consider how they create, receive, access, and transmit e-PHI. This includes removable storage media such as floppy disks, CDs, flash or thumb drives, and smart phones. Covered Entities must also think about telephone calls, emails, faxes, and computer transmissions. Consider how many employees or personnel can access the data and whether those individuals are all on-site or if any are off-site.

II.  Document How Data is Collected, Stored, Maintained and Transmitted:

Covered Entities must identify and document where e-PHI is gathered, received, stored, maintained or transmitted. This can be done through interviews with staff members, a physical walk through of the office or practice location(s), or reviewing documentation.

III.  Identify and Document Potential Risks, Threats and Vulnerabilities:

Covered Entities must document the reasonably anticipated threats to e-PHI. Consider physical, environmental, natural, human and technological threats or risks. Environmental or natural threats should include natural disasters such as tornadoes, floods or earthquakes. Human threats are likely to be some of the greatest concern. These include current employees and contractors, ex-employees and contractors, visitors, and criminals such as thieves and hackers. Technological threats will include any known system vulnerabilities in the billing system or EMR/EHR, for example. Healthcare providers should contact the vendors of these systems to ask about any known vulnerabilities.

IV.  Identify and Evaluate Current Security Measures:

Covered Entities must document what security measures are already in place to guard e-PHI and whether those measures are installed, configured and used correctly. The level and extent of security measures will vary by the type and size of provider. As an example, list any anti-virus or firewall programs. Don’t forget to document physical security measures, such as security and alarm systems.

V.  Determine the Likelihood of the Occurrence of the Threats:

This element requires Covered Entities to consider the probability that the threats listed in step # 3 will occur. This can be done with a quantitative method (such as the percentage probability that a threat will occur) or a qualitative one (such as high, medium, low). A high probability of occurrence means that a threat is “reasonably anticipated” and thus will require a mitigation or protection against the threat occurring. For example, a healthcare provider may determine that there is a high probability of a break-in into the office or clinic. Thus, a mitigation such as an alarm or security system would be an example of a security measure that could be implemented pursuant to step # 4.

VI.  Determine the Potential Impact if a Threat Occurs:

Covered Entities must evaluate the impact that might result from a threat occurring. Again, this can be done using a quantitative or qualitative method. For example, a potential impact of a breach of a Covered Entity’s billing system might be loss of cash flow or cost to replace stolen computer equipment. This might be a high or severe impact. Another example could be unauthorized access to e-PHI by patients or visitors. This impact might be low or medium.

VII.  Determine the Level of Risk:

This step is accomplished by utilizing the data from steps 5 and 6. A very common method of documenting the level of risk is using a HIPAA risk assessment matrix (such as a 3 x 3 matrix) or “heat map”. Those threats or vulnerabilities with higher levels of risk are ones that a Covered Entity should focus on addressing or correcting sooner than those with lower levels of risk.

VIII.  Identify HIPAA Security Risk Assessment Measures and Document the Risk Analysis:

Once the Covered Entity has identified risks and assigned risk levels, it must identify tasks, actions or security measures to address those risks. In identifying security measures, the Covered Entity should consider factors such as effectiveness, requirements of the Covered Entity’ policies and procedures and other legislative or regulatory requirements (for example, state laws). If a Covered Entity identifies a security measure but decides not to implement it, the risk analysis should document why (for example, technologically not feasible, lack of knowledge or equipment, cost prohibitive, etc.)

The Security Rule also requires Covered Entities to document the risk analysis, but does not specify or require any particular format. Thus, the risk analysis can be documented via a report that lists elements # 1 through 7, summarizes the analysis, notes the results of each step, and identifies the security measures.

Two final very important comments. First, the Risk Analysis is NOT the process of implementing measures to address the risks identified. That is the risk management process under HIPAA, which is considered a separate activity. Second, the Risk Analysis is not a “do it once and forget about it” process. The Risk Analysis must be periodically revisited and reviewed to determine if the threats, vulnerabilities, impacts and potential security measures remain the same. A Covered Entity may bring new systems online, may open or close locations, or have major changes in personnel. The re-evaluation of a Covered Entity’s Risk Analysis ideally should occur on an annual basis. A very old and outdated Risk Analysis is basically equivalent to not having a Risk Analysis at all.

Heidi Kocher Healthcare AttorneyHeidi Kocher serves as Counsel for Liles Parker and represents health care providers and suppliers in the Dallas / Fort Worth metropolitan area.  Heidi is an experienced health lawyer and is skilled in assisting clients with transactional projects, compliance issues and in fraud and abuse counseling.  Should you have any questions regarding the HIPAA security risk assessment process, please give Heidi a call.  For a free consultation, call Heidi at: 1 (800) 475-1906.

Oncology Fraud: Michigan Oncologist Indicted

Oncologist prescription(August 29, 2014) The American Cancer Society has estimated that 43.92% of all males and 38.00% of all females in the United States will develop cancer at some point during their lifetime. While a number of clinical advances have been made over the last 25 years, chemotherapy remains one of the predominant tools used to fight cancer in many of its various forms. Depending on the type of cancer at issue, chemotherapy can be used as a primary or as an adjuvant therapy. While a number of drugs have been developed to address several of the adverse side effects normally associated with chemotherapy, this therapeutic approach is often still devastating on patients. How would you feel if you learned that your oncologist has put you or a loved one through an intensive course of chemotherapy, when it was not needed? According to federal investigators that is exactly what happened to the patients of one oncologist in Detroit, Michigan.

I. Background of this Oncology Fraud Case:

In August 2013, the government first alleged that a noted Michigan oncologist routinely prescribed chemotherapy and other drastic medical interventions for patients who were either healthy or ill but in need of alternate treatments. According to federal prosecutors, the oncologist

“submitted fraudulent claims to Medicare for medically unnecessary services, including chemotherapy treatments, positron emission tomograph (PET) scans, and a variety of cancer and hematology treatments for patients who did not need them.”

The government further alleged that the doctor engaged in this improper conduct to increase his own income. Records reflect that the doctor billed Medicare for approximately $150 million in services between August 2010 and July 2013.

II. Nature of the Allegations:

Essentially, the government has alleged that the defendant ordered chemotherapy for patients whose cancer was in remission. The defendant is also alleged to have ordered chemotherapy for all of the terminal patients under the physician’s care, even if the treatment would not improve or extend their lives. Further, the oncologist sometimes issued patients life-long prescriptions of drug treatment for low platelet conditions, without informing patients that surgery was a treatment alternative to years of drug therapy. Ultimately, it appears that the government believes that the defendant improperly ordered chemotherapy for monetary gain, rather than because the treatment regimen was medically necessary.

III. Origin of this Oncology Fraud Case:

While the August 2013 U.S. Attorney’s Office Press Release did not discuss how these concerns were first brought to the government’s attention, a segment by ABC News reported that the case was the result of complaints brought by an oncology nurse who worked with the defendant in 2010. According to the government, the fraud scheme put $35 million in the oncologist’s pocket.

IV. Current Status of this Oncology Fraud Case:

In May 2014, the defendant’s legal counsel moved for a change of venue, in an effort to have the trial transferred to another judicial district. The defendant’s motion was denied in June 2014 and the trial was originally scheduled to begin on August 12, 2014. It has been reset to begin in mid-October 2014. The defendant could face 10 years in prison and a $250,000 fine if convicted.

V. Why Should Our Oncology Practice Be Concerned About this Case?

Readers may ask, “Why is this case relevant to me – I am an honest provider?” Frankly, all oncologists should take note of this case. Issues of medical necessity can be extremely difficult to parse out, especially in cases where a patient is suffering from a potentially deadly illness. As earlier discussed, chemotherapy is used for a wide variety of purposes. Depending on the type of cancer involved, it may be administered as a patient’s primary treatment regimen. Other cancers may utilize radiation therapy as the primary treatment regimen yet still use chemotherapy as an adjuvant remedy. Finally, chemotherapy may be prescribed and used as a palliative measure in cases where a patient has already been diagnosed as terminal. The point is this – the utilization of chemotherapy as a course of treatment may be reasonable and appropriate, despite the fact that the clinical profile of one patient may be very different from that of another. Moreover, two independent, competent oncologists may have divergent views on whether chemotherapy is warranted in a particular case. Despite arguments to the contrary, medicine is also an “art,” not merely a “science.”

VI. Steps You Can Take to Reduce Risk:

It is essential that oncologists participating in Medicare review both their operational and documentation practices to ensure that entities processing and examining their patient treatment records can readily ascertain why certain care and treatment decisions were made. Several essential considerations to be taken into account include:

  • Coverage and Payment Requirements Medicare Administrative Contractors (MACs) working for the Centers for Medicare and Medicaid Services (CMS) are responsible for developing and administering coverage and payment guidance which delineates when it is appropriate to utilize one or more treatment options when caring for a cancer patient. MACs often publish guidance which specifies whether it is appropriate to administer a particular type of chemotherapy when treating a patient suffering from a particular type of cancer. Often, this information is set out in Local Coverage Determination (LCD) guidance maintained by the MAC. It is not uncommon to find that an LCD specifies the type of chemotherapy that is appropriate, and the frequency it may be used, when prescribing it to fight a particular type of cancer. Unfortunately, you may find that the government seems to sometimes confuse “coverage” with “medical necessity.” In other words, the government may allege that an order for chemotherapy was not medically necessary, when in fact, what the government is really saying is that the Medicare program does not cover the use of a certain type of chemotherapy when addressing a certain type of cancer.

  • Community Standard of Care Notably, the issue of whether or not a physician has acted reasonably in the medical decision-making process can vary from one region to another. As one source has noted, a physician is expected to provide care at:

“the level at which an ordinary, prudent professional with the same training and experience in good standing in a same or similar community would practice under the same or similar circumstances.”

The standard of care one would expect from a physician when treating a cancer patient may vary from one locale to another. For example, the standard would likely be higher in a large metropolitan area where clinical research on oncology issues is being conducted and state-of-the-art remedies are being applied than it would be in a small town in Texas or Alaska, where an oncologist is unlikely to be involved in oncology research studies and has fewer opportunities to further develop their treatment skills.

  • Patient and Family Wishes At the end of the day, every cancer patient must decide whether or not they intend to receive chemotherapy. We are aware of instances where an individual diagnosed with a treatable cancer chooses not to undergo such a regimen, despite the fact that such a decision may hasten their demise. Alternatively, a critical patient may actively seek to receive chemotherapy, even though it may not be recommended for individuals who has been diagnosed as terminal.

Although this case is a dramatic example of what can happen when an oncologist is alleged to have bilked Medicare, it provides a stark example of a situation where the defendant should have previously identified that their chemotherapy practices were different from those of their peer.

In light of the risks presented, we strongly recommend that oncology practices develop, implement and follow the rules and regulations set out in an effective Compliance Plan. Through the use of a GAP analysis, oncologists can identify potential documentation, medical necessity, coding and billing deficiencies in their practice. Once identified, these deficiencies can be carefully assessed so remedial action may be taken to address any overpayments or other improper claims practices that have been identified. When conducting a GAP analysis, we strongly recommend that you engage experienced legal counsel to assist you with this process.

Michael Troy Michael Troy serves as Counsel to the health care boutique law firm, Liles Parker, PLLC. Liles Parker has offices in Washington, DC, Baton Rouge LA, Houston TX and McAllen TX. Liles Parker provides nationwide representation and legal services to health care providers facing an audit or administrative review of claims by a Zone Program Integrity Contractor (ZPIC), a Recovery Audit Contractor (RAC), or a Medicaid Integrity Contractor (MIC) and Medicaid RAC overpayment determinations. Our attorneys also actively assist health care providers and suppliers in postpayment audits, prepayment reviews, suspension or termination actions. For more information, call today at 1-800-475-1906 for a free consultation.

A HIPAA Risk Assessment is Essential to Avoid Liability

Covered entities and business associates must perform a HIPAA risk assessment.(August 23, 2014):  Almost all health care providers and suppliers qualify as a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Together with the business associateswith whom they work, these entities are responsible for ensuring that any protected health information (PHI) under their control has been properly secured and remains confidential.  Let’s face it, the regulations governing a health care provider’s obligations under HIPAA are both extensive and complex.

Many small and mid-sized health care providers and suppliers have found it difficult to fully comply with their many statutory obligations under HIPAA’s privacy and security mandates.  Nevertheless, it is important to keep in mind that the government is actively investigating allegations of breach, regardless of the size of provider or supplier that may be involved.

I.   The Importance of Conducting a HIPAA Risk Assessment:

A recent federal criminal indictment of an individual for a HIPAA violation should serve as a reminder to all health care providers of the importance of fully complying with HIPAA’s security requirements.  While most health care providers and suppliers have diligently worked to comply with HIPAA’s privacy requirements, their compliance with HIPAA’s security and risk assessment mandates remains a challenge.  A recent case out of the U.S. Attorney’s Office for the Eastern District of Texas provides a stark reminder of why all health care providers must remain diligent in their efforts to secure and protect the medical records that have been entrusted to their care by their patients.

Last month, federal prosecutors announced that a former employee of an unnamed hospital in East Texas had been arrested in Georgia the previous year on charges unrelated to the theft of PHI.  At the time of his arrest, he was discovered to be in possession of patient medical records from Texas.  The subsequent investigation indicated that from December 1, 2012, through January 14, 2013, the individual had obtained PHI while he was employed at an East Texas hospital.  The defendant allegedly took the patient records with the intent to use the patient’s PHI for personal gain.  The defendant is currently in jail, awaiting trial.  If convicted, he could be sentenced to prison for up to 10 yearsThere are two main points that all covered entities and business associates should keep in mind:

1.  The theft of PHI is a serious crime.  Both federal and state prosecutors are actively pursing individuals who illegally steal or improperly use patient PHI for personal gain.  Under 18 U.S.C.A. § 1028A(a)(1), the federal “Aggravated-Identity-Theft” statute prohibits an individual’s knowing use of another person’s identifying information without a form of authorization recognized by law. 

2.  While the government’s Press Release does not discuss whether the East Texas hospital had previously conducted a proper HIPAA risk assessment, it would not be surprising to later learn that the Office of Civil Rights (OCR) has initiated its own audit of the organization to verify that it has, in fact, previously conducted a HIPAA risk assessment.    

II.  HIPAA’s Security Rule Requires that a Risk Assessment be Conducted:

While details regarding what security provisions and precautions the East Texas hospital may have implemented are not available, one wonders if the hospital conducted a risk analysis as required by HIPAA’s Security Rule provisions.  The Security Rule states that all covered entities must implement policies and procedures “to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).)   A risk analysis is one of four required implementation specifications in the Security Rule that actually provide instructions on how to implement the requirement.  Conducting a risk analysis would likely have revealed system vulnerabilities, perhaps even the one that failed to prevent the theft of patient PHI.  Certainly a risk analysis would have revealed the necessity of various audits, any of which could have revealed the fact that the defendant was improperly accessing and taking patient records.

Unfortunately, conducting a HIPAA risk assessment is still a problem for many health care providers.  A series of audits were conducted in 2012 by federal contractors working for OCR to assess whether health care providers, suppliers, health plans and clearinghouses have been complying with HIPAA’s Privacy, Security, and Breach Notification requirements.  A number of health care providers were included in these audits.  The results showed that 60% of the deficiencies reported were related to HIPAA security requirements.  In addition, 65% of the findings were for health care providers, in particular smaller providers.  Of the 59 providers, 58 had at least one finding relating to a Security Rule deficiency.   Nearly 80% of the healthcare providers had not completed a risk assessment.[1]  OCR concluded that driving compliance with the Security Rule aspects of HIPAA would be a likely focus in the future.

III.  Meaningful Use and Risk Assessments:

Conducting a risk analysis is also a core requirement under the Meaningful Use rules. [2]  In order to receive a meaningful use incentive, providers were required to certify that they conducted a risk assessment in accordance with the HIPAA Security Rule provisions.   Over 245,000 eligible professionals received payments for usage of electronic health records for 2011 and 2012.

Yet if the statistics from OCR’s admittedly small sample of healthcare providers in 2012 is true, this could mean that a very large majority of those healthcare providers who certified to having conducted a risk assessment as part of their meaningful use certifications did so falsely. The data on which providers, including names and NPI numbers, have received a meaningful use incentive payment is publicly available.   Thus it is highly likely that as part of the soon-to-be-restarted HIPAA audits, OCR will explicitly review whether providers falsely certified that they conducted a security risk analysis, when in fact they did not.  While the amount of money that a provider might have to return for a false certification is not large, the potential penalties for having falsely certified compliance with the regulations are much larger and more serious.

IV.  Final Remarks:

While overdue, if your organization has not already conducted a HIPAA security risk assessment, it is imperative that you do so immediately.   The window to take remedial action may be closing, especially if you have received payments under the meaningful use provisions.  Need help?  Give us a call.  In Part II of  this article, we will discuss several of the considerations you should take when engaging outside assistance to conduct a security risk assessment of your organization.

Heidi Kocher Healthcare Attorney

Heidi Kocher serves as Counsel for Liles Parker and represents health care providers and suppliers in the Dallas / Fort Worth metropolitan area.  Heidi is an experienced health lawyer and is skilled in assisting clients with transactional projects, compliance issues and in fraud and abuse counseling.  Should you have any questions regarding the HIPAA security risk assessment process, please give Heidi a call.  For a free consultation, call Heidi at: 1 (800) 475-1906.


[1] HIPAA Privacy, Security and Breach Notification Audits:  Program Overview & Initial Analysis, presentation by Verne Rinker JD, MP, at 2013 NIST / OCR Security Rule Conference, May 21-22, 2013, available at

[2] See the July 28, 2010 Final Rule Notice, 75 Fed.Reg. 44314 at 44369; 42 CFR 495.6(d)(15).

Novitas Reminds us of the Impending ICD-10 Transition Date: October 1, 2014

(February 7, 2014):  The upcoming ICD-10 transition is only a little more than six months away! Earlier today, Novitas Solutions, Inc. (Novitas) re-issued the Centers for Medicare and Medicaid Services’ (CMS’) article on “Medicare Fee-For-Services (FFS) Claims Processing Guidance for Implementing International Classification of Diseases, 10th Edition (ICD-10).” A copy may be found here. As most health care providers, suppliers, and billers are aware, effective October 1, 2014, all individuals and entities covered under the Health Insurance Portability and Accountability Act (HIPAA) are required to use the ICD-10 codes to code claims that fall under the ambit of HIPAA.

October 1, 2014 is a total transition date. That is, ICD-9 codes will no longer be accepted for any claims with dates of service or discharge on or after October 1, 2014. Notably, a claim cannot contain both ICD-9 and ICD-10 codes. Claims that continue to use ICD-9 codes for health care services rendered on or after October 1, 2014 will be returned to the respective provider as unprocessable. Until then, all claims for dates of service preceding October 1, 2014 must use ICD-9 codes, making the transition rather abrupt. All trials with ICD-10, therefore, must be worked out with internal teams and business trading partners in the interim.

Of course, the rules surrounding ICD-10 codes are very different and the codes are much more specific as compared to ICD-9. The concern for all those subject to HIPAA is how to quickly and smoothly make the transition from ICD-9 to ICD-10. CMS recognizes the daunting nature of this task and has prepared various educational materials for providers. CMS has also proffered recommendations, including the following:

  • Establish an ICD-10 transition team or project coordinator;
  • Develop a plan for making the ICD-10 transition;
  • Determine how the ICD-10 transition will affect your organization;
  • Review how ICD-10 will affect clinical documentation requirements and electronic health record (EHR) templates;
  • Communicate the plan, timeline, and new system changes and processes;
  • Secure a budget;
  • Talk with your payers, billing and IT staff;
  • Coordinate your ICD-10 transition plans; and
  • Talk to your trading partners about testing.

In regard to training, the American Health Information Management Association (AHIMA) recommends that training begin no more than six to nine months before the October 1, 2014 transition deadline. The time is now.

Healthcare LawyerLorraine Ater, Esq. is a health law attorney with the boutique firm, Liles Parker, Attorneys & Counselors at Law.  Liles Parker has offices in Washington DC, Houston TX, McAllen TX and Baton Rouge LA.  Our attorneys represent health care professionals around the country in connection with government audits of Medicaid and Medicare claims, licensure matters and transactional projects.  Need assistance?  For a free consultation, please call: 1 (800) 475-1906.



Hospitals are Seeing Dramatic Increases in RAC Audits

Know your rights in Debt Collection(November 26, 2013):  According to the latest American Hospital Association (AHA) RACTrac survey, Medicare’s Recovery Audit Contractors (RACs) are “dramatically increase[ing]” audits for hospital claims which will continue to impose an “immense administrative burden” on hospitals.  Over the third quarter of 2013, hospitals have seen a 28% increase in complex denials.  Since 2010, RACs have reviewed medical records documenting worth more than $10 billion in Medicare payments.  From this amount, RACs have denied almost $2.5 billion in payments.  In response, hospitals appealed 47% of all RAC denials, with a 67% success rate in getting the denial overturned.

I.  The Recovery Audit Contractor Program:

The Centers for Medicare & Medicaid Services (CMS) RAC program was implemented to identify and correct Medicare improper payments through the detection and collection of overpayments made on claims for health care services provided to Medicare beneficiaries.  RACs also identify underpayments to providers so that the CMS can implement actions that will prevent future improper payments throughout the United States.

RACs conduct automated reviews of Medicare payments to health care providers using computer software to detect improper payments.  As a result, no medical record is generally needed for these types of reviews.  Claims will also be denied through the automated process if the supporting documentation is not received on a timely basis.  In addition, RACs conduct complex reviews of provider payments using human review of medical records and other medical documentation to identify improper payments to providers.  An improper payment may include any one of the following:

  • Incorrect payment amounts, whether it is an overpayment or underpayment;
  • Incorrectly coded services;
  • Non-covered services, including those services that are not medically reasonable and necessary; and
  • Duplicate services.

Each RAC is responsible for identifying overpayments and underpayments in approximately one quarter of the country.  Moreover, each RAC jurisdiction matches the Durable Medical Equipment (DME) MAC jurisdictions.

II.  RACs Dramatically Increase Audits of Hospitals:

The AHA’s RACTrac survey collects data from hospitals on a quarterly basis to assess the impact of the RAC program on hospitals across the United States.  The latest survey covers the third quarter of 2013, a period that ended on September 30.  This survey collected reports from almost 1,300 hospitals.

From the outset, 93% of responding hospitals reported experiencing some form of RAC activity.  The majority of hospitals reporting RAC activity include general medical and surgical hospitals.  However, the survey reflects wide variation in the amount RAC activity across the four jurisdictions.  The greatest number of hospitals reporting RAC audits came from Jurisdiction C.  This jurisdiction includes the southern and southeastern part of the country, states such as West Virginia and Virginia, down to Florida and Louisiana, and across to Oklahoma, Colorado, and Texas.

Importantly, the third quarter survey reflects that hospitals are reporting dramatic increases in RAC audit activity.  In fact, just since the first quarter of this year, cumulative medical record requests have increased by 13%.  Moreover, the number of cumulative complex audit denials reported by the hospitals has increased by 28% over 2013.  From the hospitals participating in the latest survey, over $10 billion in Medicare payments were targeted for medical record requests during the third quarter.  From this figure, Medicare RACs denied almost $2.5 billion.

The survey also noted differences between complex and automated reviews.  Complex reviews denied 97% of the payments while automated denials made up the other 3%.  In terms of dollar amounts, the top service area for complex denials was inpatient care.  The most commonly cited reason for a complex denial was “short-stay medically unnecessary.”  In contrast for automated denials, outpatient care was the top service area.  While automated denials were being issued for a wide variety of problems, the most popular reasons were for outpatient billing or outpatient coding errors.

III.  The Appeals Process is Still Complicated:

Notable issues related to the appeals process was also revealed in the latest survey.   For 2013, the value of appealed claims is approaching $1.5 billion.  On average, hospitals reported appealed 309 claims each.  Nationwide, 47% of all denials were appealed, which included a 67% success rate in overturning the denial decision.  Moreover, 63% of hospitals with a RAC denial overturned had a denial reversed because the care was found to be medically necessary.

Unfortunately, hospitals are receiving many notices from Qualified Independent Contractors (QICs) stating that issuing a determination on a RAC appeal will take longer than the statutory maximum of 60 days.  Furthermore, 94% of the respondents have experienced at least one delay longer than the statutory limit of 90 days for an Administrative Law Judge (ALJ) determination to be issued.  In fact, 83% reported a delay of greater than 120 days.  For more than 40% of the claims appealed to an ALJ, the judge has taken longer than the statutory limit of 90 days to provide his or her determination to the hospital.  Overall, over 70% of all appealed claims are still sitting in the appeals process.

IV. Other Notable Findings from the Survey:

Some of the more notable findings of the survey also indicated that:

56% of medical records reviewed by RACs “did not contain an overpayment”;

 67% of hospitals indicated medical necessity denials were the most costly complex denials;

71% of all appealed claims are still sitting in the appeals process;

 64% of short-stay denials for medical necessity were because the care was provided in the wrong setting, not because the care was medically unnecessary;

 43% of participating hospitals reported having a RAC denial reversed through utilization of the discussion period; and

 70% of all hospitals filing a RAC appeal during the third quarter of 2013 reported appealing short-stay medically unnecessary denials. 

V.  RAC Audits Are Becoming a Financial and Administrative Burden:

The RACTrac survey noted that hospitals were incurring significant administrative costs in response to RAC audits.  Indeed, over half of all reporting hospitals noted that they had increased administrative costs due to the program.  These expenses include costs associated with training, software, additional hours from clinical staff, modifications for admission criteria, and implementing internal task forces to prevent negative audit findings.  The recent survey reflects that about 12% of hospitals are spending more than $100,000 managing the RAC audit process.  Almost half of the respondents stated that the spent more than $25,000.

According to Melissa Jackson, a senior associate director of policy for the AHA, “the data show that RACs continue to demonstrate a high level of inaccuracy when reviewing claims, which means that hospitals must spend funds that could be used for patient care in order to appeal inappropriate denials.”  In addition, Ms. Jackson says the RAC program “requires fundamental reform so that hospitals can avoid this immense administrative burden and focus on their mission to provide patient care.

VI.  Conclusion:

As the latest AHA RACTrac survey demonstrates, hospitals across the country are continuing to get hammered by Medicare’s RACs.  More than three-fourths of all hospitals, including teaching and non-teaching, rural, urban, and critical access hospitals were audited during the survey period.  While the greatest impact was felt by large hospitals, smaller and rural hospitals must still be aware that an audit may be coming their way.  It is vital that providers participating in the Medicare program review both their operational and documentation practices to ensure that a RAC examining their patient treatment records years from now can readily see why certain care and treatment decisions were made and that the services billed to the Medicare program were medically reasonable and necessary.

Healthcare AttorneyRobert Saltaformaggio, Esq., is a health lawyer with the boutique law firm, Liles Parker, Attorneys & Counselors at Law.  Liles Parker has offices in Washington DC, Houston TX, McAllen TX and Baton Rouge LA.  For a free consultation, call: 1 (800) 475-1906.

Is Your Dental Practice Prepared to Undergo a Medicaid Dental Audit?

November 25, 2013 by  
Filed under Dental Audits & Compliance

Your chances of undergoing a Medicaid dental audit are increasing.

Is Your Practice Ready for a Medicaid Dental Audit?

(November 25, 2013):  The link between oral health and overall health has been increasingly acknowledged over the years. Emphasis has been placed on children’s oral health in particular. In fact, the Children’s Health Insurance Program Re-authorization Act of 2009 (CHIPRA) mandates that “child health assistance provided to a targeted low-income child shall include coverage of dental services necessary to prevent disease and promote oral health, restore oral structures to health and function, and treat emergency conditions.”[1] The importance of good oral hygiene habits and preventive dental care cannot be overstated; yet, the federal government has not mandated even minimal dental benefits for low-income adult Americans through Medicaid. While dental coverage for low-income children is rather expansive, it is entirely up to states as to whether dental is covered for low-income adults at all. In any event, the likelihood that you will be subjected to a Medicaid dental audit by federal and / or state authorities has been increasing each year.  In this article, we discuss the current enforcement environment, along with steps you can take to reduce your dental practice’s level of risk.

I.  State Medicaid Dental Care Differs from Jurisdiction to Jurisdiction:

The range of approaches by states to low-income adult dental coverage is vast, including from no coverage to coverage of all service categories. Some states are expanding their coverage of low-income adult dental care to both reflect the increasingly recognized importance of quality dental care and the increasing costs of dental care. For example, Indiana raised its cap on adult dental services from $600 per calendar year to $1,000 per calendar year in 2011.[2] Of course, the nation’s fiscal crisis has also pushed states in the other direction, forcing states like Pennsylvania, Massachusetts, Illinois, California and Washington to cut “discretionary costs” from their Medicaid budgets, which has included dental coverage.[3]

II.  The Likelihood of Your Practice Being Subjected to a Medicaid Dental Audit:

Not surprisingly, the increased recognition of the importance of preventive and quality dental care has also led to the increased scrutiny of dental services paid for by federal-state health benefit programs. The criminal conviction of a Virginia dentist in 2008 on felony charges of racketeering, health care fraud, and structuring a financial transaction sent vibrations throughout the dental world. The Virginia dentist was a long time provider of dental services in his community (the poorest area of his state, in fact), having begun his practice in 1981. By 2008, his payor mix was 50-50 Medicaid-private pay.

An “anonymous” complaint triggered the investigation of his practice which led to his conviction, though he had also been audited by Medicaid several times prior to that. Nobody disputes that there were some mistakes in his practice’s documentation and record keeping, including the Virginia dentist himself.  Yet, as he stated in an interview:

“the government’s position was that these errors were not mistakes, but the errant claims were submitted to be paid for more than I was entitled.”

Both prior to serving his sentence and after his release, the Virginia dentist shared his story time and time again, stressing to his peers the importance of comprehensive documentation. As he stated in that same interview:

“If I can prevent this situation from happening to anyone else, airing my “dirty laundry” will have been worth the embarrassment. […] If you become a Medicaid provider, be very, very careful! Document, document, document; review, check, and recheck. Make no mistakes!”

As predicted, we’ve seen dentists across the nation come under increased scrutiny. Medicaid Integrity Contractors (MIC) in states such as Indiana and Texas have been particularly active. The MICs are requesting samples of medical documentation from as early as 2007, and are requesting the full ambit of documentation, from charts to billings.

III.  The Medicaid Documentation Quandary:

Dentists should be aware of and expect Medicaid dental audit letters from their local MICs, which are generally followed by a site-visit. Unfortunately, the letters are broad, giving dentists no real sense of what types of services, if any, are being reviewed. The lack of focus, we believe, is indicative of the contractors’ intent to review compliance with federal and state documentation guidelines in general. Many dentists document quite minimally, indicating the tooth at issue and the service that has been deemed medically necessary, with no indication or elaboration on the basis for that determination (e.g., treatment diagnosis, x-ray findings, etc.). We encourage our dental clients to ask themselves: would a peer be able to look at my documentation and come to the same conclusion as I did as to which service(s) was medically necessary? If not, the documentation is probably not sufficient for Medicaid standards. Remember that all of the dots need to be connected for the MIC reviewer in the documentation. The MIC reviewer will not make any inferences in your favor.

IV.  How Should a Dentist Respond to Medicaid Dental Audit?

In light of the increased scrutiny of dental services, dentists should review their forms and documentation procedures and update them accordingly if deficiencies are identified. Dentists should also apprise their staff of the current activity in the Medicaid dental world and establish a plan of action for how to respond in the event that the local MIC initiates an audit of their practice.

V.  Final Remarks:

Now, more than ever, it is essential that dentists participating in the Medicaid programs review both their operational and documentation practices to ensure that a third-party examining their patient treatment records years from now can readily see why certain care and treatment decisions were made and that the services billed to the Medicaid program were medically reasonable and necessary.

Healthcare LawyerLorraine Ater, Esq. is a health law attorney with the boutique firm, Liles Parker, Attorneys & Counselors at Law.  Liles Parker has offices in Washington DC, Houston TX, McAllen TX and Baton Rouge LA.  Our attorneys represent dentists, orthodontists and other health care professionals around the country in connection with government audits of Medicaid and Medicare claims, licensure matters and transactional projects.  Need assistance?  For a free consultation, please call: 1 (800) 475-1906.



[1] Title XXI of the Social Security Act, Section 2103(c)(5).
[2] On January 1, 2011, the cap on dental services for members age 21 and older was increased to $1,000 and included all covered dental services, including all emergency dental services.
[3] A more comprehensive discussion of the Medicaid dental budget cuts reflects the challenges faced by the states.

The Transition to ICD-10 is a Year Away. Will Your Practice be Ready?

The transition to ICD-10 is a year away. Is your practice ready?(November 22, 2013):  On October 1, 2014, the health care industry transitioned from ICD-9 to ICD-10 codes for diagnoses and hospital inpatient procedures. This means everyone covered by HIPAA must use ICD-10 codes for health care services provided after October 1, 2014.  ICD-10 allows more than 14,400 different codes and permits the tracking of many new diagnoses. The codes can be expanded to over 16,000 codes by using optional sub-classifications. The following is a list of topics a physician practice needs to address now to prepare your .

I.  When the Transition to ICD-10 Implementation Occurs, Will You be Able to Submit Claims?

If you use an electronic system for any of your payers, you need to contact the software vendor (if necessary) and ensure that your system can integrate ICD-10’s expanded codes. If your billing system has not been upgraded to Version 5010 for the current version of HIPAA claims standard you will not be able to submit claims. It is imperative that you verify whether your software system has been upgraded.  This step should be accomplished NOW.

II.  Will You be Able to Complete Medical Records?

If you utilize electronic health records (EHR), you need to verify that it is properly capturing ICD-10 codes. Look at how you enter ICD-9 codes (e.g., do you type them in or select from a drop down menu) and talk to your software vendor about your system’s ability to accurately implement ICD-10’s expanded code sets.

III.  Coding Your Claims Under ICD-10:

If you currently code by look up in ICD-9 books, we recommend that you purchase ICD-10 code books in early 2014. As you code services under ICD-9, try and code the same records using ICD-10’s expanded codes. Get familiar with the new ICD-10 codes you will likely be using on a daily basis.  Also, you may want to explore ICD-10 training options and determine if formal training is necessary.

IV.  Where Do You Use ICD-9 Codes? Have You Reviewed all of Your Forms?

Keep a log of everywhere you see and use an ICD-9 code as you do your job. If the code is on paper, you will need new forms (e.g., patient encounter form, superbill). If you see the code on your computer, check with your EHR or practice management system vendor to see when your system will be ready for ICD-10 codes.

V.  Are There Ways to Make Coding More Efficient?

For example, develop a list of your most commonly used ICD-9 codes and become familiar with the ICD-10 codes you will use in the future for the same case. Also, think about ways to make sure the new coding does not delay payments. Look at your most common non-visit services—do any sometimes trigger reviews or denials related to medical necessity? It is important to understand how to code these services correctly before the mandatory date of ICD-10 implementation arrives.

VI.  Final Remarks:

There’s no doubt about it, physician practices transitioning over to ICD-10 are likely to experience significant coding and billing delays when the change occurs.  In all likelihood, this will adversely impact your cash flow.  Are you prepared for these delays?  Ultimately, the best way to transition to ICD-10 is to prepare for this monumental change now, not a year from now.  Should you have questions, please feel free to call me.

Healthcare LawyerMichael Troy is a Partner at Liles Parker, Attorneys & Counselors at Law.  Michael represents health care providers around the country in audits by ZPICs and other CMS contractors.  For a free consultation, please give us a call at: 1 (800) 475-1906.


Liles Parker Receives a Nice “Shout-Out” in the Wall Street Journal in Connection with its Health Care Work

July 2, 2013 by  
Filed under Firm News

Nice "Shout Out" for Liles Parker in the Wall Street Journal

(July 2, 2013): In late June, the Wall Street Journal published an interesting article on the impact of Health Care Reform on the legal job market.  Titled – Want a Law Job? Learn the Health-Care Act,” the article discussed the increased regulatory responsibilities faced by health care providers due to the passage of the Affordable Care Act.  As the Wall Street Journal article stated:

“Even companies with robust in-house law departments are increasingly calling on outside lawyers who specialize in the most arcane corners of health-care law.”

It all adds up to big business for lawyers. Last year corporate clients spent $5.72 billion on legal advice for regulatory matters, including health care, and the market is projected to grow to $6 billion this year, according to a recent survey of corporate legal spending . . . 

. . . Some major law firms do have substantial health-care practices aimed at capturing lucrative work on key antitrust cases or major transactions. But cost-conscious clients often direct much of their legal work to more affordable lawyers from regional firms with lower overhead.

That is good news for attorneys such as Les Johnson, a partner at Liles Parker PLLC, a 17-lawyer boutique based in Washington, D.C. A self-described “Regulations Dork,” Mr. Johnson works out of the firm’s Baton Rouge, La., office. He started out representing small clinics and nursing homes, then developed a specialty in Medicare appeals that earned him a national client base.

“The more they tinker with the federal regulations, the more work we have,” said Mr. Johnson.”  (Wall Street Journal, June 17, 2013).

As the provisions of the Affordable Care Act are implemented, the need for “Regulations Dorks” like Les Johnson, Jennifer Papapanagiotou, Robert W. Liles and Michael H. Cook (along with the rest of Liles Parker’s dedicated cadre of health lawyers), will continue to increase. Liles Parker represents a wide range of health care providers around the country, including, but not limited to:

  • Nursing Homes.
  • Assisted Living Facilities.
  • Solo Physician Practices.
  • Group Physician Practices.
  • Pain Management Practices.
  • Home Health Agencies.
  • Hospices.
  • DME Companies.
  • Physical Therapy Practices.
  • Chiropractors.
  • Podiatrists.
  • Third-Party Billing Companies
  • Dentists.

Our senior attorneys have decades of experience advising clients on:

  • Responding to Zone Program Integrity Contractor (ZPIC) actions, such as:
    • Pre-Payments Audits.
    • Post-Payment Audits.
    • Unannounced Audits.
    • Suspension Actions.
    • Revocation Actions.
    • Referrals to Law Enforcement.
  • Responding to Recovery Audit Contractor (RAC) actions.
  • Transactional Matters.
  • Federal and State Anti-Kickback Statutes.
  • Prohibitions Against Improper Self-Referrals (Stark).
  • False Claims Act Actions.
  • Exclusion Actions.
  • Screening Responsibilities.
  • Responding to Medicare Suspension or Revocation Actions.
  • Voluntary Disclosure Actions.
  • Screening and Compliance issues. 

Moreover, as the Wall Street Journal suggests, Liles Parker’s overhead is kept at a minimum, thereby permitting us to keep our legal services reasonably-priced and affordable for solo practitioners and large provider groups alike..

Need assistance?  Call Liles Parker Managing Partner, Robert W. Liles He would be happy to discuss your health law or regulatory issue at no charge and you can determine if our firm is the right firm to address your needs.  Please call:  1 (800) 475-1906.


Liles Parker Says “Thank You” to America’s Veterans — God Bless America

November 12, 2012 by  
Filed under Firm News

Liles Parker Says "Thank You" to America's Veterans on this Veterans Day

Liles Parker Says “Thank You” to America’s Veterans

(November 12, 2012): On this Veterans Day, Liles Parker thanks all of our nation’s veterans for their tremendous service and sacrifice in the defense of the United States of America. Please join us in remembering our soldiers, marines, sailors, and airmen for their unparalleled courage and commitment to our country.

Liles Parker is a full service, health law boutique with offices in Washington, DC, Baton Rouge, LA, Houston, TX and San Antonio, Texas.  We represent health care providers around the country in transactional projects, Medicare / Medicaid prepayment reviews and postpayment audits, compliance issues and peer review proceedings. 

Are you a health care provider needing assistance? Call us for a free consultation.  We can be reached at: 1 (800) 475-1906.

Paralegal Edward Dickey Achieves Certified Medical Compliance Officer Status

April 9, 2011 by  
Filed under Firm News

Edward Dickey (April 9, 2011):   Liles Parker is pleased to announce that one of its staff members, Edward Dickey, has taken and passed the “Certified Medical Compliance Officer” course and examination offered by Practice Management Institute (PMI), one of the oldest and most recognized medical education suppliers in the country.   Unlike other courses, PMI’s Compliance Officer certification course is the only one focused on non-hospital medical office environments.   As Managing Partner David Parker stated:

“Liles Parker has always encouraged its staff to participate in continuing medical and legal education.  As a Certified Compliance Officer, Edward will be better able to understand our client’s business needs and assist our attorneys when we conduct GAP analyses of a client’s medical office or clinic.  We are proud of Edward and look forward to working with him on our compliance projects.”

Edward currently works as a Paralegal at Liles Parker.  He earned his Paralegal Certification from Boston University in 2009.  He chose to take the PMI Compliance Certification course in an effort to further expand his knowledge of the medical industry and claims coverage requirements.

Liles Parker and its staff have extensive experience working with health care providers around the country on a full range of compliance-related projects.  For a free consultation, please give us a call at: 1 (800) 475-1906.   

Next Page »