Liles Parker PLLC
(202) 298-8750 (800) 475-1906
Washington, DC | Houston, TX
San Antonio, TX | Baton Rouge, LA

We Defend Healthcare Providers Nationwide in Audits & Investigations

Medicare, Medicaid and CHIP Enrollment Revocation and Denial Authorities Have Expanded.  What Steps are You Taking to Reduce Your Level of Risk?

Medicare Enrollment

Big Changes to CMS Form 855 are on the Horizon

(September 18, 2019):  On September 10, 2019, the Department of Health and Human Services (HHS) and Centers for Medicare and Medicaid Services (CMS) published a Final Rule in the Federal Register entitled, “Medicare, Medicaid, and Children’s Health Insurance Programs; Program Integrity Enhancements to the Provider Enrollment Process.” Issuance of the Final Rule is necessary in order to implement sections 1866(j)(5) and 1902(kk)(3) of the Social Security Act (as amended by the Affordable Care Act), which require that providers and suppliers fully disclose information related to affiliations, uncollected debts and certain adverse actions that may impact the program integrity of the affected government health plan.  As discussed below, the impact of the Final Rule on the Medicare enrollment disclosure requirements of providers and suppliers has been significantly enhanced.  Moreover, the authority of CMS to revoke or deny the enrollment of a participating provider or supplier has been greatly expanded.  Under the Final Rule, the reporting obligations of Medicare, Medicaid, and CHIP providers and suppliers will dramatically increase when they file a new enrollment application, revalidate their enrollment, need to file a change of information, or need to notify the agency of a change in ownership .[1]  This article is intended to take a “first look” at the impact of the Final Rule on the obligations  faced by providers and suppliers. Additionally this article reviews CMS’ new revocation and denial authority, and it explores a number of the challenges that you or other providers may face, as a result.

I.  Background – Medicare Enrollment and Revalidation Program Integrity Measures:

Approximately, 54 million individuals are enrolled in the Medicare program.[2]  In order to qualify to provide care and treatment services to these beneficiaries, a health care provider or supplier must meet a number of administrative, regulatory, and statutory requirements that are meant to protect both the patient and the financial integrity of the Medicare program.  The Medicare enrollment process effectively serves as one of the agency’s primary ways to protect patients and the Medicare Trust Fund from the actions of providers and suppliers whose participation would represent a significant risk of fraud or abuse.

When enrolling in the Medicare program, an applicant provider or supplier must complete and submit an appropriate enrollment application (i.e., a Form CMS-855) to their assigned Medicare contractor.  The enrollment application can be submitted by paper or electronically through the agency’s Provider Enrollment, Chain, and Ownership System (PECOS).  Several of the previous rules promulgated by CMS to strengthen the overall effectiveness and program integrity of the enrollment process have included:

  • April 21, 2006: CMS published a Final Rule entitled “Medicare Program; Requirements for Providers and Suppliers to Establish and Maintain Medicare Enrollment.”[3] This Final Rule laid out a number of requirements that must be met by providers and suppliers in order to maintain their Medicare billing privileges.
  • February 2, 2011: CMS published a Final Rule entitled “Medicare, Medicaid, and Children’s Health Insurance Programs; Additional Screening Requirements, Application Fees, Temporary Enrollment Moratoria, Payment Suspensions and Compliance Plans for Providers and Suppliers.”[4]  This Final Rule established a number of new provider enrollment screening requirements.
  • March 1, 2016: CMS published a Proposed Rule entitled “Medicare, Medicaid, and Children’s Health Insurance Programs; Program Integrity Enhancements to the Provider Enrollment Process.” This Proposed Rule set out the enrollment revocation and denial changes CMS planned to implement in an effort to address long-standing program integrity risks that have previously been exploited in the past.[5]

A little more than three years after the issuance of the March 2016 Proposed Rule, CMS has now issued its much-anticipated Final Rule entitled, “Medicare, Medicaid, and Children’s Health Insurance Programs; Program Integrity Enhancements to the Provider Enrollment Process.” [6]  With the implementation of this Final Rule,  CMS will now have expanded authority to deny the enrollment and / or revalidation of a provider or supplier if it determines that an “affiliation” presents an undue risk of fraud risk or abuse.  The Final Rule will also make it much easier to revoke the enrollment of existing providers and suppliers whose continued participation in the Medicare, Medicaid, or CHIP programs is determined to represent a program integrity risk.

II.  Why Has CMS Tightened Up the Medicare Enrollment and Revalidation Process?

Despite past efforts to strengthen the Medicare provider enrollment process, existing Medicare, Medicaid, and CHIP systems haven’t been fully effective in identifying direct owners, managing employees, and close affiliates of provider and supplier applicants with a history of certain adverse  events.  As representatives of the Office of Inspector General (OIG) have testified before Congress, health care providers and suppliers engaging in wrongful billing practices have often been found to have relied on networks of affiliations with other fraudulent providers and suppliers. For example, in south Florida, law enforcement has previously found that some Medicare providers and suppliers have taken steps to hide their ownership through the use of straw owners.  The real owners (who are likely prohibited from participating or likely to be denied participation in Federal health care programs) are then free to engage in improper billing practices.[7]

The issuance of the new Final Rule requires that as part of the enrollment and revalidation process, providers and suppliers must disclose any business affiliations that may pose an undue risk of fraud, waste and / or abuse to the Medicare, Medicaid and CHIP programs. CMS will be phasing the new affiliation reporting requirements in over a period of years. First, the agency will update and issue new provider enrollment Form CMS-855 applications, and then it will require reporting of certain affiliations “upon request.”[8] At least initially, only those providers or suppliers who are asked to report affiliations on the new enrollment forms will be required to do so. CMS states in the new Final Rule that it will publish further rulemaking to expand this reporting requirement after assessing the progress of its initial phased-in approach.

Notably, CMS estimates that the new disclosure requirements and revocation authorities implemented by the Final Rule will result in approximately 2,600 new revocations each year and will save the affected government health programs an estimated $4.16 billion over the next 10 years.

III.  Reporting Affiliations:

Under the Final Rule, the “affiliations” that a provider or supplier may have to disclose upon request by CMS include the following:

The term “affiliation” is defined under 42 CFR §424.519 as meaning any of the following:

  • A 5 percent or greater direct or indirect ownership interest that an individual or entity has in another organization.
  • A general or limited partnership interest (regardless of the percentage) that an individual or entity has in another organization.
  • A 5 percent or greater direct or indirect ownership interest that an individual or entity has in another organization.
  • An interest in which an individual or entity exercises operational or managerial control over, or directly or indirectly conducts, the day-to-day operations of another organization (including, for purposes of § 424.519 only, sole proprietorships), either under contract or through some other arrangement, regardless of whether or not the managing individual or entity is a W–2 employee of the organization.
  • An interest in which an individual is acting as an officer or director of a corporation.
  • Any reassignment relationship under 42 CFR § 424.80.”

The new affiliation provisions are intended to identify individuals and entities that have an ownership interest or exercise managerial control in multiple Medicare program providers or suppliers. Both OIG and CMS have repeatedly identified situations where providers and suppliers whose Medicare billing privileges have been revoked for fraud and / or other improper conduct have managed to surreptitiously re-enter the program using a nominee owner to disguise their true ownership or through other deceptive means.  As the agency has noted, the broad definition of affiliation that has been adopted, is needed so that providers and suppliers fully disclose any prior or current relationships that could pose risks of fraud, waste or abuse to the Medicare program.  CMS has estimated that if the new affiliation provisions had been in place over the previous five years, it could have prevented $51.9 billion from being paid to 2,097 entities with affiliations with a previously-revoked individual or entity.

IV.  Disclosable Events Under 42 CFR § 424.519:

When initially enrolling or revalidating with the Medicare program, the new regulations will require that a provider or supplier disclose whether it or any of its owning or managing employees or organizations (consistent with the terms ‘‘owner’’ and ‘‘managing employee’’ as defined in 42 CFR § 424.502) has or, within the previous 5 years, has had an affiliation with a currently or formerly enrolled Medicare, Medicaid, or CHIP provider or supplier that has had any “disclosable events.”[9] Importantly, the term, “disclosable event“ is defined in the new regulation as an affiliation with a currently or formerly enrolled Medicare, Medicaid or CHIP provider or supplier that:

“(1) Currently has an uncollected debt to Medicare, Medicaid, or CHIP, regardless of – (i) The amount of the debt; (ii) Whether the debt is currently being repaid (for example, as part of a repayment plan); or (iii) Whether the debt is currently being appealed;

(2) Has been or is subject to a payment suspension under a federal health care program (as that latter term is defined in section 1128B(f) of the Act), regardless of when the payment suspension occurred or was imposed;

(3) Has been or is excluded by the OIG from participation in Medicare, Medicaid, or CHIP, regardless of whether the exclusion is currently being appealed or when the exclusion occurred or was imposed; or

(4) Has had its Medicare, Medicaid, or CHIP enrollment denied, revoked, or terminated, regardless of— (i) The reason for the denial, revocation, or termination; (ii) Whether the denial, revocation, or termination is currently being appealed; or (iii) When the denial, revocation, or termination occurred or was imposed.”

Responding to comments submitted in connection with the Proposed Rule, CMS clarified who must be reported as an owner or managing employee of a provider or supplier, and likewise, who the organization must collect information from to identify all “affiliations” and “disclosable events.” CMS commented that the following situations would (1) require disclosure of a person or organization as an owner or managing employee, and (2) require disclosure of those persons or organizations “affiliations” if there has been a disclosable event:

      • Does a “Physician Director” or “Director of Nursing” have to be reported as part of the enrollment process? Yes, if the Physician Director or the Director of Nursing fall within the definition of “managing employee”[10] under 42 CFR § 424.502, he or she would have to be reported [on the Form CMS-855 application as a managing employee]. Moreover, if the Physician Director or the Director of Nursing was previously a managing employee of another provider or supplier with a “disclosable event,” the Physician Director or Director of Nursing would have to be reported.
      • Do the members of the Board of Trustees of a tax-exempt entity have to be reported as part of the enrollment process? Yes, as set out in CMS Publication 100-08, Program Integrity Manual (PIM), Chapter 15, Section 15.5.5 (Owning and Managing Organizations) members of a Board of Trustees are considered to be Corporate Directors and must be reported on CMS Form 855.  As an aside, CMS takes the position that non-profit entities and offices would fall under the affiliation definition to the same extent as for-profit entities and officials.
      • Does an entity with a 5% or greater mortgage or security interest have to be reportedConsistent with the PIM, Chapter 15, Section 15.5.5:  “All entities with at least a 5 percent mortgage, deed of trust or other security interest in the provider must be reported in section 5. This frequently will include banks, other financial institutions, and investment firms.”
      • Does a billing agency or a collection agency have to be reported? Yes, if the billing agency or collection agency meets the definition of a managing employee (as it applied to organizations), then they would have to be reported on the CMS Form 855.
      • Does a public company that owns 5% of more of an enrolling or reenrolling company have to be reported?   CMS takes the position that public companies fall within the purview of 42 CFR §424.519.
      • Does an affiliated managing individual have to be reported in CMS Form 855 even if he or she has no responsibilities concerning payment for services? The definition of managing employee under 42 CFR §?424.502 includes all persons who directly or indirectly conduct a provider’s or supplier’s day-to-day operations. There is no requirement that these individuals must have responsibilities related to payment for services.

In short, the above individuals must be disclosed in the owner and managing employee sections of the Form CMS-855 applications (or their counterpart in PECOS), and if those owners or managing employees have affiliations that have disclosable events, then those must be reported as well. As we stated earlier, in response to the many comments and concerns submitted by providers and suppliers, for now, CMS is not requiring that providers and suppliers disclose affiliations with disclosable events under 42 CFR §?424.519 unless CMS specifically requests that they do so.[11]  Moreover, CMS does not intend to request these disclosures until it has updated CMS Form-855.  However, as CMS further noted:

“Although we will initially be implementing a more targeted approach to the disclosure requirement, we recognize that section 1866(j)(5) of the Act requires every provider and supplier (regardless of the relative risk they may pose) to disclose affiliations upon initial enrollment and revalidation. While section 1866(j)(5) of the Act does give the Secretary some discretion in applying this provision in terms of form, manner, and timing, it does not permanently exempt any provider or supplier from its applicability . . . Consequently, CMS must eventually secure affiliation data from all initially enrolling and revalidating providers.” (emphasis added).

Therefore, at this time, providers and suppliers are not required to report disclosable affiliations until CMS has an opportunity to update its Form CMS-855 applications so that this data can be collected.  Furthermore, CMS will be issuing additional sub-regulatory guidance regarding the affiliation disclosure process.  This sub-regulatory guidance is expected to set out the agency’s expectations with respect to the level of effort that is required of a provider or supplier to research and secure an owner or managing employees relevant affiliation information.

V.  When Will a Disclosed Affiliation be Found to “Pose an Undue Risk of Fraud, Waste or Abuse”?

The Final Rule makes it clear that just because an affiliation must be disclosed, does not necessarily mean that CMS will determine that an affiliation will “pose an undue risk of fraud, waste, or abuse.”[12] Before making a determination, CMS intends to carefully examine the specifics of each situation prior to deciding whether to exercise its discretion to deny an application for enrollment OR to revoke the participation of a currently enrolled provider.  When deciding whether a disclosed affiliation represents an undue risk, CMS will consider:

(1) The duration of the affiliation.
(2) Whether the affiliation still exists and, if not, how long ago it ended.
(3) The degree and extent of the affiliation.
(4) If applicable, the reason for the termination of the affiliation.
(5) Regarding the affiliated provider’s or supplier’s disclosable event, CMS will consider:

(i) The type of disclosable event.
(ii) When the disclosable event occurred or was imposed.
(iii) Whether the affiliation existed when the disclosable event occurred or was imposed.
(iv) If the disclosable event is an uncollected debt:

(A) The amount of the debt.
(B) Whether the affiliated provider or supplier is repaying the debt.
(C) To whom the debt is owed.

(v) If a denial, revocation, termination, exclusion, or payment suspension is involved, the reason for the disclosable event.

(6) Any other evidence that CMS deems relevant to its determination.

Depending on the particulars of each case, CMS may find that a disclosed affiliation does, in fact, pose an undue risk of fraud, waste, or abuse. Should this occur, CMS will deny a provider’s or supplier’s initial enrollment application under 42 CFR § 424.530(a)(13) OR revoke a currently participating provider’s or supplier’s Medicare enrollment under 42 CFR § 424.535(a)(19).

VI.  What Can Happen if a Provider or Supplier Fails to Report a Disclosable Affiliation?

When asked to do so by CMS, it will be essential that a provider or supplier ensure that any and all disclosable affiliations and other general business information is fully and completely reported.  If a provider or supplier fails to report a disclosable affiliation and “knew or should have known”[13] of the omitted information, CMS may choose to deny an applicant’s initial enrollment application (under 42 CFR § 424.530(a)(1) and, if applicable, 42 CFR § 424.530(a)(4)). Alternatively, if a currently participating provider or supplier fails to report a disclosable affiliation, CMS may choose to revoke the entity’s Medicare enrollment (under 42 CFR § 424.535(a)(1) and, if applicable, 42 CFR § 424.535(a)(4)).

VII.  What is an “Uncollected Debt”?

As set out under 42 CFR §?424.519(a)(1), if an applicant, or an applicant’s owner or managing employee is affiliated with another provider or supplier that has an “uncollected debt,” that is a disclosable event under 42 CFR §?424.502.  As previously discussed, an uncollected debt is only intended to include:

“(i) Medicare, Medicaid, or CHIP overpayments for which CMS or the state has sent notice of the debt to the affiliated provider or supplier.
(ii) Civil money penalties imposed under this title.
(iii) Assessments imposed under this title.”

(emphasis added).

Importantly, the phrase notice of the debt to the affiliated provider or supplier” does not include audit requests or routine denial letters where refunds are made through remittance advices or claims corrections.  In its response to comments from stakeholders, CMS expressly notes that “notice of the debt” would include something like a demand letter or other formal request for payment.

CMS has not established a minimum amount that would require the reporting of an uncollected debt.  Regardless of whether an alleged uncollected debt is $500 or $5 million, it would qualify as a reportable disclosable event under the Final Rule.  As CMS noted, “there could be isolated cases where a particular debt, though of a de minimis amount, presents an undue risk when all of the applicable factors are considered.”   CMS further states that even though a provider or supplier may currently be in the process of repaying a debt, the debt would still be a reportable disclosable event.

VIII.  Impact of Filing an Appeal in an Uncollected Debt or Enrollment-Related Action:

Throughout the Final Rule, multiple commenters urged CMS to view alleged debts and enrollment-related actions that are being appealed by a provider or supplier differently than those where no appeal has been filed.  After considering the points raised, CMS consistently declined to adopt such a position and has decided that even if an alleged debt is currently under appeal, the debt would still qualify as a disclosable event.  As CMS wrote:

“consistent with our obligation to protect the Medicare program and the Trust Funds, as well as with our authority under section 1866(j)(5) of the Act, we believe we should have the ability to determine whether the debt and the associated affiliation pose an undue risk regardless of whether the debt is being appealed.” (emphasis added).

Similarly, CMS held that under 42 CFR § 424.519, enrollment denial, revocation, and termination actions will still qualify as disclosable events even if they are under appeal.

IX.  Modification to the Enrollment Denial Reasons Under 42 CFR § 424.530:

As set out under 42 CFR § 424.530(a), CMS is authorized to deny a provider’s or supplier’s enrollment in the Medicare program for a number of reasons. Prior to the issuance of the Final Rule, the authorized reasons for denying enrollment in Medicare fell within the following broad categories:

(1) Noncompliance

(2) Provider or supplier conduct.

(3) Felonies

(4) False or misleading information.

(5) On-site review.

(6) Medicare debt.

(7) Payment suspension.

(8) Initial reserve operating funds.

(9) Application fee / hardship exception.

(10) Temporary moratorium.

(11) Prescribing authority.

Under the Final Rule, enrollment denials based on “Payment Suspension” (42 CFR § 424.530(a)(7)) have been expanded and may now be based on the following:

“(i) The provider or supplier, or any owning or managing employee or organization of the provider or supplier, is currently under a Medicare or Medicaid payment suspension as defined in §§ 405.370 through 405.372 or in § 455.23 of this chapter.

(ii) CMS may apply the provision in this paragraph (a)(7) to the provider or supplier under any of the provider’s, supplier’s, or owning or managing employee’s or organization’s current or former names, numerical identifiers, or business identities or to any of its existing enrollments.

(iii) In determining whether a denial is appropriate, CMS considers the following factors:

(A) The specific behavior in question.
(B) Whether the provider or supplier is the subject of other similar investigations.
(C) Any other information that CMS deems relevant to its determination.”

Prior to this expansion, the Payment Suspension basis for denying a provider’s or supplier’s Medicare enrollment was limited to situations where the current owner, physician, or non-physician practitioner had been placed on Medicare suspension.  CMS believed this did not allow them to deny enrollment to any provider or supplier type based on a payment suspension by the Medicare program, and did not encompass scenarios where a provider or supplier’s payments had been suspended by a state Medicaid payment but the Medicare program. Under the revised Final Rule, now all provider and supplier types can be denied enrollment if that provider or supplier is subject to a Medicare OR Medicaid payment suspension, or if the provider’s or supplier’s owners or managing employees or organizations are subject to such a suspension. Importantly, CMS will look at a provider’s or supplier’s owners and managing employee’s or organization’s current and former names, business identities and related numerical identifiers to identify any payment suspensions.

Additionally, the Final Rule has added several additional bases that may be relied on by CMS when deciding to deny a provider’s or supplier’s Medicare enrollment.  These new reasons for denial include:

(12) Revoked under different name, numerical identifier or business identity and the applicable re-enrollment bar has not expired.[14]
(13) Affiliation that poses undue risk.
(14) Other program termination or suspension.

Each of the fourteen reasons that may be relied on by CMS when denying a provider’s or supplier’s Medicare enrollment have specific requirements which must be met.  If you or your practice are denied Medicare enrollment, you should work with your legal counsel to determine whether the denial reason cited by CMS is accurate and consistent with the facts in your case.

X.  Introduction of a New “Reapplication Bar” Rule Under 42 CFR § 424.530(f):

As revised, the Medicare enrollment denial regulations now include a new “Reapplication Bar” rule.  As 42 CFR § 424.530(f) sets out, if a provider or supplier submitted false or misleading information on (or with) their Medicare enrollment application, CMS can choose to prohibit the prospective provider or supplier from enrolling in the Medicare program for up to three years.  Importantly, the scope of the reapplication bar rule set out under 42 CFR § 424.530(f)(1) and (f)(2) is quite broad:

“(1) The reapplication bar applies to the prospective provider or supplier under any of its current, former, or future names, numerical identifiers or business identities.

(2) CMS determines the bar’s length by considering the following factors:

(i) The materiality of the information in question.
(ii) Whether there is evidence to suggest that the provider or supplier purposely furnished false or misleading information or deliberately withheld information.
(iii) Whether the provider or supplier has any history of final adverse actions or Medicare or Medicaid payment suspensions.
(iv) Any other information that CMS deems relevant to its determination.

XI.  Modifications to the Medicare Enrollment Revocation Regulations Under 42 CFR § 424.535:

Prior to the issuance of the Final Rule, under 42 CFR § 424.535(a), CMS has long exercised the authority to revoke a currently-enrolled provider’s or supplier’s Medicare billing privileges (along with any related provider or supplier agreement).  Reasons for revocation have included:

  1. Noncompliance
  2. Provider or supplier conduct.
  3. Felonies
  4. False or misleading information.
  5. On-site review;
  6. Grounds related to provider or supplier screening requirements.
  7. Misuse of billing number.
  8. Abuse of billing privileges.
  9. Failure to report.
  10. Failure to document or provide CMS access to documentation.
  11. Initial reserve operating funds.
  12. Medicaid termination.
  13. Prescribing authority.
  14. Improper prescribing practices.

Under the Final Rule, the reasons for revocation under 42 CFR § 424.535(a)(9) and (a)(12) have been revised.  The revocation reason set out under 42 CFR § 424.535(a)(9) Failure to report, has been changed.  The basis for revocation has now been expanded to cover the following:

(9) Failure to report. The provider or supplier did not comply with the reporting requirements specified in § 424.516(d) or (e), § 410.33(g)(2) of this chapter, or § 424.57(c)(2). In determining whether a revocation under this paragraph (a)(9) is appropriate, CMS considers the following factors:

         (i) Whether the data in question was reported.
         (ii) If the data was reported, how belatedly.
         (iii) The materiality of the data in question.
        (iv) Any other information that CMS deems relevant to its determination.”

Similarly, the Final Rule expands the revocation basis set out under 42 CFR § 424.535(a)(12).  Rather than focus exclusively on the termination of a provider’s or supplier’s Medicaid billing privileges, under the Final Rule 42 CFR § 424.535(a)(12) the basis for revocation has been expanded to include not merely Medicaid but also adverse actions taken by any other Federal health care program.  As the regulation now reads:

“(12) Other program termination.

(i) The provider or supplier is terminated, revoked or otherwise barred from participation in a State Medicaid program or any other federal health care program. In determining whether a revocation under this paragraph (a)(12) is appropriate, CMS considers the following factors:

(A) The reason(s) for the termination or revocation.
(B) Whether the provider or supplier is currently terminated, revoked or otherwise barred from more than one program (for example, more than one State’s Medicaid program) or has been subject to any other sanctions during its participation in other programs.
(C) Any other information that CMS deems relevant to its determination.

 (ii) Medicare may not revoke unless and until a provider or supplier has exhausted all applicable appeal rights.
 (iii) CMS may apply paragraph (a)(12)(i) of this section to the provider or supplier under any of its current or former names, numerical identifiers or business identities.”

 The Final Rule has set aside slots for future bases for revocation at 42 CFR § 424.535(a)(15) and (a)(16).

Notably, a number of new bases for Medicare enrollment revocation have now been established under the Final Rule and are set out under 42 CFR § 424.535(a)(17) through (a)(20).  These new reasons for revocation include the following:

(17) Debt referred to the United States Department of Treasury. The provider or supplier has an existing debt that CMS appropriately refers to the United States Department of Treasury. In determining whether a revocation under this paragraph (a)(17) is appropriate, CMS considers the following factors:

(i) The reason(s) for the failure to fully repay the debt (to the extent this can be determined).
(ii) Whether the provider or supplier has attempted to repay the debt (to the extent this can be determined).
(iii) Whether the provider or supplier has responded to CMS’ requests for payment (to the extent this can be determined).
(iv) Whether the provider or supplier has any history of final adverse actions or Medicare or Medicaid payment suspensions.
(v) The amount of the debt. (vi) Any other evidence that CMS deems relevant to its determination.

(18) Revoked under different name, numerical identifier or business identity. The provider or supplier is currently revoked under a different name, numerical identifier, or business identity, and the applicable reenrollment bar period has not expired. In determining whether a provider or supplier is a currently revoked provider or supplier under a different name, numerical identifier, or business identity, CMS investigates the degree of commonality by considering the following factors:

(i) Owning and managing employees and organizations (regardless of whether they have been disclosed on the Form CMS–855 application).
(ii) Geographic location.
(iii) Provider or supplier type.
(iv) Business structure.
(v) Any evidence indicating that the two parties are similar or that the provider or supplier was created to circumvent the revocation or reenrollment bar

(19) Affiliation that poses an undue risk. CMS determines that the provider or supplier has or has had an affiliation under § 424.519 that poses an undue risk of fraud, waste, or abuse to the Medicare program.

(20) Billing from non-compliant location. CMS may revoke a provider’s or supplier’s Medicare enrollment or enrollments, even if all of the practice locations associated with a particular enrollment comply with Medicare enrollment requirements, if the provider or supplier billed for services performed at or items furnished from a location that it knew or should have known did not comply with Medicare enrollment requirements. In determining whether and how many of the provider’s or supplier’s enrollments, involving the non-compliant location or other locations, should be revoked, CMS considers the following factors:

(i) The reason(s) for and the specific facts behind the location’s noncompliance.
(ii) The number of additional locations involved.
(iii) Whether the provider or supplier has any history of final adverse actions or Medicare or Medicaid payment suspensions.
(iv) The degree of risk that the location’s continuance poses to the Medicare Trust Funds.
(v) The length of time that the noncompliant location was non-compliant.
(vi) The amount that was billed for services performed at or items furnished from the non-compliant location.
(vii) Any other evidence that CMS deems relevant to its determination.  

(21) Abusive ordering, certifying, referring, or prescribing of Part A or B services, items or drugs. The physician or eligible professional has a pattern or practice of ordering, certifying, referring, or prescribing Medicare Part A or B services, items, or drugs that are abusive, represents a threat to the health and safety of Medicare beneficiaries, or otherwise fails to meet Medicare requirements. In making its determination as to whether such a pattern or practice exists, CMS considers the following factors:

(i) Whether the physician’s or eligible professional’s diagnoses support the orders, certifications, referrals or prescriptions in question.
(ii) Whether there are instances where the necessary evaluation of the patient for whom the service, item or drug was ordered, certified, referred, or prescribed could not have occurred (for example, the patient was deceased or out of state at the time of the alleged office visit).
(iii) The number and type(s) of disciplinary actions taken against the physician or eligible professional by the licensing body or medical board for the state or states in which he or she practices, and the reason(s) for the action(s).
(iv) Whether the physician or eligible professional has any history of final adverse actions (as that term is defined in § 424.502).
(v) The length of time over which the pattern or practice has continued.
(vi) How long the physician or eligible professional has been enrolled in Medicare.
(vii) The number and type(s) of malpractice suits that have been filed against the physician or eligible professional related to ordering, certifying, referring or prescribing that have resulted in a final judgment against the physician or eligible professional or in which the physician or eligible professional has paid a settlement to the plaintiff(s) (to the extent this can be determined).
(viii) Whether any State Medicaid program or any other public or private health insurance program has restricted, suspended, revoked, or terminated the physician’s or eligible professional’s ability to practice medicine, and the reason(s) for any such restriction, suspension, revocation, or termination.
(ix) Any other information that CMS deems relevant to its determination.

Notably, under the Final Rule, 42 CFR § 424.535(c), the regulations setting out the rules for reapplying after a provider’s or supplier’s Medicare enrollment has been revoked, have been revised and enhanced. First, the maximum reenrollment bar for a first-time revocation has been extended to 10 years. 42 CFR § 424.535(c)(1)(i). Second, if a provider or supplier attempts to “circumvent its existing reenrollment bar by enrolling in Medicare under a different name, numerical identifier or business identity,” CMS can extend that provider’s or supplier’s existing reenrollment bar by 3 additional years.   See 42 CFR § 424.535(c)(2)(i).

Moreover, under 42 CFR § 424.535(c)(3), if a provider or supplier is being revoked from Medicare a second time, CMS may choose to impose a reenrollment bar of up to 20 years.  The factors to be considered by CMS when determining the proper length of a reenrollment bar are set out under 42 CFR § 424.535(c)(3), subsections (i) through (iii).

In an effort to further prevent improper attempts to reenroll in the Medicare program, 42 CFR § 424.535(c)(4) provides a reenrollment bar applies to a provider or supplier under any of its current, former or future names, numerical identifiers or business identities.”

XII.  Impact of the Final Rule on State Medicaid and CHIP Enrollment and Disclosure Practices:

Section 1902(kk)(3) of the Act,1 as amended by section 6401(b) of the Affordable Care Act, which mandates that states require providers and suppliers to comply with the same disclosure requirements established by the Secretary under section 1866(j)(5) of the Act. In other words, the increased disclosure requirements apply to providers and suppliers enrolling or revalidating in the Medicare or Medicaid programs. It also applies to changes of information that must be reported under the Final Rule.

As the Final Rule further notes, as long as they continue to work within the broad Federal framework, States have been delegated considerable flexibility in how they administer their Medicaid and CHIP programs.  Ultimately, the enrollment requirements established by a State must be consistent with section 1902(a)(23) of the Act and implementing regulations at 42 CFR § 431.51. As the Final Rule reflects, as long as a State meets its obligations under 42 CFR § 431.51, it is free to:

“. . . [S]et reasonable standards relating to the qualifications of providers but may not restrict the right of beneficiaries to obtain services from any person or entity that is both qualified and willing to furnish such services.”

XIII. Due Diligence and Credentialing Risks When Enrolling, Revalidating or Submitting a Change of Information:

The affiliation disclosure requirements set out in the Final Rule are anticipated to be gradually implemented by CMS over the next three years.  The agency contends that such an approach will better enable the provider and supplier communities to meet their affiliation, uncollected debt and adverse event reporting obligations. Unfortunately, the Final Rule imposes yet another unfunded obligation on participating providers and suppliers.  From a practical standpoint, the implementation of the Final Rule will have an enormous impact on the credentialing process.  Federal and State payors have historically used the credentialing process as their first line of defense with respect to program integrity. The disclosure obligations set out in the Final Rule are quite comprehensive. Third-party billing companies and credentialing companies handling these submissions on behalf of their provider and supplier clients will need to diligently work to better ensure that each submission is both accurate and complete before submitting the credentialing package to a Federal or State payor.  On the payor side of the credentialing equation, professional credentialing companies, (such as CredSimple), will likely see an exponential increase in the demand for their verification and screening services.  Moreover, we fully expect to see private payors, medical centers and hospital systems adopt program integrity safeguards similar to those outlined in the Final Rule as they take steps to protect their organizations from fraud, waste, and abuse.

XIV.  Final Thoughts:

As the Final Rule details, the Affordable Care Act imposed a number of enrollment and reenrollment disclosure obligations on Medicare, Medicaid, and CHIP providers and suppliers.  These revised reporting obligations are intended to prevent bad actors from circumventing the existing safeguards that had been implemented to guard against fraud, waste, and abuse.  CMS estimates that it will take at least several years for the agency to revise the various versions of its CMS Form 855 enrollment applications and fully implement the new reporting obligations.  The true enormity of these new obligations has yet to be realized.  Affiliations, disclosable events and uncollected debts will be carefully evaluated by CMS and weighed as the agency decides whether to deny an application for enrollment or revalidation or revoke an existing provider’s or supplier’s Medicare billing privileges.

Healthcare Attorney

Jennifer Papapanagiotou,
Click here for bio

Robert W. Liles Healthcare Attorney

Robert W. Liles,
Click here for bio

Now, more than ever before, it is important for providers and suppliers to effectively conduct due diligence before hiring managerial staff, purchasing or selling an entity, appealing an alleged overpayment and / or seeking relief in bankruptcy.  As the enrollment disclosure and reporting process moves towards full implementation, it will be essential for you to fully understand your obligations under the law.  The attorneys at Liles Parker have extensive experience representing providers and suppliers in the provider enrollment, revalidation, change of information and change of ownership process.  Our team has represented healthcare providers and suppliers around the country in the appeal of Medicare termination actions, enrollment denials, and the revocation of an entity’s billing privilegesQuestions?  Give Robert Liles or Jennifer Papapanagiotou a call.  For a free consultation, we can be reached at:  1 (800) 475-1906.

[1] 42 CFR § 424.516.

[2] CMS is the single largest health care insurance payor in the country.  Approximately 90 million individuals are currently covered by Medicare, Medicaid and / or the Children’s Health Insurance Program (CHIP) programs.

[3] 71 FR 20754.

[4] 76 FR 5861.

[5] 81 FR 10720.

[6] The Final Rule is effective on November 4, 2019.

[7] 84 FR 47794, 47797.

[8] 84 FR 47794, 47803.

[9] 84 FR47794, 47802.

[10] Under 42 CFR § 424.502, the term “managing employee” means:

a general manager, business manager, administrator, director, or other individual that exercises operational or managerial control over, or who directly or indirectly conducts, the day-to-day operation of the provider or supplier, either under contract or through some other arrangement, whether or not the individual is a W-2 employee of the provider or supplier.”

[11] 84 FR 47794, 47803, 47805.  In light of the concerns raised, CMS will be adopting a “phased-in” approach to complying with the requirements under 42 CFR §?424.519(b).  Under this phased-in approach, CMS will first be revised Form CMS-855 to cover the various disclosures required under the Final Rule.  Initially, providers and suppliers will not be required to disclose affiliations under 42 CFR §?424.519(b) unless CMS asks for this information.  While this approach will initially relieve providers and suppliers of the disclosure burden, CMS notes that this is not meant to be a permanent exemption.  Ultimately, providers and suppliers will be required to report any affiliations with one or more disclosable events.

[12] 84 FR 47794, 47807.

[13] CMS acknowledges in its response to comments in the Final Rule that the additional sub-regulatory guidance is needed to further clarify the “knew or should have known” standard.  See 84 FR 47794,47811.

[14] This is similar to CMS’ new expanded authority to deny enrollment if an owner or managing employee of a provider or supplier is under a payment suspension by Medicare or a state Medicaid program. Under this new denial authority, CMS will examine the degree of commonality between the applicant and other revoked providers and suppliers, looking specifically at the owning and managing employees and organizations of the applicant and a revoked provider or supplier, the applicant and revoked provider’s or supplier’s geographic location, provider or supplier type, business structures, and “any evidence indicating the two parties are similar or that the provider or supplier was created to circumvent the revocation or reenrollment bar.” 84 FR 47794, 47823.

HIPAA Security Risk Assessments are Essential

HIPAA Security Risk Assessment(September 29, 2014) In the last article, we discussed the importance of conducting HIPAA security risk assessments, as part of your obligations under the HIPAA Security rules. The importance of promptly conducting a risk analysis if it has not yet done cannot be overestimated, as the HHS Office for Civil Rights (OCR) has now announced that they intend to begin the next phase of audits in October 2014. When Covered Entity receives a data request letter from OCR, it will have only two weeks to respond, which will not be enough time to conduct a risk analysis at that point.

In this article we’ll discuss eight elements or considerations that OCR states must be addressed in a risk analysis.

I.  Scope of the Analysis:

In conducting a risk assessment, a health care provider must consider all of the potential risks to electronic protected health information (e-PHI). Covered Entities must consider how all e-PHI in their practice is created, used, stored, and transmitted. Thus, Covered Entities need to consider how they create, receive, access, and transmit e-PHI. This includes removable storage media such as floppy disks, CDs, flash or thumb drives, and smart phones. Covered Entities must also think about telephone calls, emails, faxes, and computer transmissions. Consider how many employees or personnel can access the data and whether those individuals are all on-site or if any are off-site.

II.  Document How Data is Collected, Stored, Maintained and Transmitted:

Covered Entities must identify and document where e-PHI is gathered, received, stored, maintained or transmitted. This can be done through interviews with staff members, a physical walk through of the office or practice location(s), or reviewing documentation.

III.  Identify and Document Potential Risks, Threats and Vulnerabilities:

Covered Entities must document the reasonably anticipated threats to e-PHI. Consider physical, environmental, natural, human and technological threats or risks. Environmental or natural threats should include natural disasters such as tornadoes, floods or earthquakes. Human threats are likely to be some of the greatest concern. These include current employees and contractors, ex-employees and contractors, visitors, and criminals such as thieves and hackers. Technological threats will include any known system vulnerabilities in the billing system or EMR/EHR, for example. Healthcare providers should contact the vendors of these systems to ask about any known vulnerabilities.

IV.  Identify and Evaluate Current Security Measures:

Covered Entities must document what security measures are already in place to guard e-PHI and whether those measures are installed, configured and used correctly. The level and extent of security measures will vary by the type and size of provider. As an example, list any anti-virus or firewall programs. Don’t forget to document physical security measures, such as security and alarm systems.

V.  Determine the Likelihood of the Occurrence of the Threats:

This element requires Covered Entities to consider the probability that the threats listed in step # 3 will occur. This can be done with a quantitative method (such as the percentage probability that a threat will occur) or a qualitative one (such as high, medium, low). A high probability of occurrence means that a threat is “reasonably anticipated” and thus will require a mitigation or protection against the threat occurring. For example, a healthcare provider may determine that there is a high probability of a break-in into the office or clinic. Thus, a mitigation such as an alarm or security system would be an example of a security measure that could be implemented pursuant to step # 4.

VI.  Determine the Potential Impact if a Threat Occurs:

Covered Entities must evaluate the impact that might result from a threat occurring. Again, this can be done using a quantitative or qualitative method. For example, a potential impact of a breach of a Covered Entity’s billing system might be loss of cash flow or cost to replace stolen computer equipment. This might be a high or severe impact. Another example could be unauthorized access to e-PHI by patients or visitors. This impact might be low or medium.

VII.  Determine the Level of Risk:

This step is accomplished by utilizing the data from steps 5 and 6. A very common method of documenting the level of risk is using a HIPAA risk assessment matrix (such as a 3 x 3 matrix) or “heat map”. Those threats or vulnerabilities with higher levels of risk are ones that a Covered Entity should focus on addressing or correcting sooner than those with lower levels of risk.

VIII.  Identify HIPAA Security Risk Assessment Measures and Document the Risk Analysis:

Once the Covered Entity has identified risks and assigned risk levels, it must identify tasks, actions or security measures to address those risks. In identifying security measures, the Covered Entity should consider factors such as effectiveness, requirements of the Covered Entity’ policies and procedures and other legislative or regulatory requirements (for example, state laws). If a Covered Entity identifies a security measure but decides not to implement it, the risk analysis should document why (for example, technologically not feasible, lack of knowledge or equipment, cost prohibitive, etc.)

The Security Rule also requires Covered Entities to document the risk analysis, but does not specify or require any particular format. Thus, the risk analysis can be documented via a report that lists elements # 1 through 7, summarizes the analysis, notes the results of each step, and identifies the security measures.

Two final very important comments. First, the Risk Analysis is NOT the process of implementing measures to address the risks identified. That is the risk management process under HIPAA, which is considered a separate activity. Second, the Risk Analysis is not a “do it once and forget about it” process. The Risk Analysis must be periodically revisited and reviewed to determine if the threats, vulnerabilities, impacts and potential security measures remain the same. A Covered Entity may bring new systems online, may open or close locations, or have major changes in personnel. The re-evaluation of a Covered Entity’s Risk Analysis ideally should occur on an annual basis. A very old and outdated Risk Analysis is basically equivalent to not having a Risk Analysis at all.

Heidi Kocher Healthcare AttorneyHeidi Kocher serves as Counsel for Liles Parker and represents health care providers and suppliers in the Dallas / Fort Worth metropolitan area.  Heidi is an experienced health lawyer and is skilled in assisting clients with transactional projects, compliance issues and in fraud and abuse counseling.  Should you have any questions regarding the HIPAA security risk assessment process, please give Heidi a call.  For a free consultation, call Heidi at: 1 (800) 475-1906.

Oncology Fraud: Michigan Oncologist Indicted

Oncology Fraud(August 29, 2014) The American Cancer Society has estimated that 43.92% of all males and 38.00% of all females in the United States will develop cancer at some point during their lifetime. While a number of clinical advances have been made over the last 25 years, chemotherapy remains one of the predominant tools used to fight cancer in many of its various forms. Depending on the type of cancer at issue, chemotherapy can be used as a primary or as an adjuvant therapy. While a number of drugs have been developed to address several of the adverse side effects normally associated with chemotherapy, this therapeutic approach is often still devastating on patients. How would you feel if you learned that your oncologist has put you or a loved one through an intensive course of chemotherapy, when it was not needed? According to federal investigators that is exactly what happened to the patients of one oncologist in Detroit, Michigan.

I. Background of this Oncology Fraud Case:

In August 2013, the government first alleged that a noted Michigan oncologist routinely prescribed chemotherapy and other drastic medical interventions for patients who were either healthy or ill but in need of alternate treatments. According to federal prosecutors, the oncologist

“submitted fraudulent claims to Medicare for medically unnecessary services, including chemotherapy treatments, positron emission tomograph (PET) scans, and a variety of cancer and hematology treatments for patients who did not need them.”

The government further alleged that the doctor engaged in this improper conduct to increase his own income. Records reflect that the doctor billed Medicare for approximately $150 million in services between August 2010 and July 2013.

II. Nature of the Allegations:

Essentially, the government has alleged that the defendant ordered chemotherapy for patients whose cancer was in remission. The defendant is also alleged to have ordered chemotherapy for all of the terminal patients under the physician’s care, even if the treatment would not improve or extend their lives. Further, the oncologist sometimes issued patients life-long prescriptions of drug treatment for low platelet conditions, without informing patients that surgery was a treatment alternative to years of drug therapy. Ultimately, it appears that the government believes that the defendant improperly ordered chemotherapy for monetary gain, rather than because the treatment regimen was medically necessary.

III. Origin of this Oncology Fraud Case:

While the August 2013 U.S. Attorney’s Office Press Release did not discuss how these concerns were first brought to the government’s attention, a segment by ABC News reported that the case was the result of complaints brought by an oncology nurse who worked with the defendant in 2010. According to the government, the Oncology fraud scheme put $35 million in the oncologist’s pocket.

IV. Current Status of this Oncology Fraud Case:

In May 2014, the defendant’s legal counsel moved for a change of venue, in an effort to have the trial transferred to another judicial district. The defendant’s motion was denied in June 2014 and the trial was originally scheduled to begin on August 12, 2014. It has been reset to begin in mid-October 2014. The defendant could face 10 years in prison and a $250,000 fine if convicted.

V. Why Should Our Oncology Practice Be Concerned About this Case?

Readers may ask, “Why is this case relevant to me – I am an honest provider?” Frankly, all oncologists should take note of this case. Issues of medical necessity can be extremely difficult to parse out, especially in cases where a patient is suffering from a potentially deadly illness. As earlier discussed, chemotherapy is used for a wide variety of purposes. Depending on the type of cancer involved, it may be administered as a patient’s primary treatment regimen. Other cancers may utilize radiation therapy as the primary treatment regimen yet still use chemotherapy as an adjuvant remedy. Finally, chemotherapy may be prescribed and used as a palliative measure in cases where a patient has already been diagnosed as terminal. The point is this – the utilization of chemotherapy as a course of treatment may be reasonable and appropriate, despite the fact that the clinical profile of one patient may be very different from that of another. Moreover, two independent, competent oncologists may have divergent views on whether chemotherapy is warranted in a particular case. Despite arguments to the contrary, medicine is also an “art,” not merely a “science.”

VI. Steps You Can Take to Reduce Risk:

It is essential that oncologists participating in Medicare review both their operational and documentation practices to ensure that entities processing and examining their patient treatment records can readily ascertain why certain care and treatment decisions were made. Several essential considerations to be taken into account include:

  • Coverage and Payment Requirements Medicare Administrative Contractors (MACs) working for the Centers for Medicare and Medicaid Services (CMS) are responsible for developing and administering coverage and payment guidance which delineates when it is appropriate to utilize one or more treatment options when caring for a cancer patient. MACs often publish guidance which specifies whether it is appropriate to administer a particular type of chemotherapy when treating a patient suffering from a particular type of cancer. Often, this information is set out in Local Coverage Determination (LCD) guidance maintained by the MAC. It is not uncommon to find that an LCD specifies the type of chemotherapy that is appropriate, and the frequency it may be used, when prescribing it to fight a particular type of cancer. Unfortunately, you may find that the government seems to sometimes confuse “coverage” with “medical necessity.” In other words, the government may allege that an order for chemotherapy was not medically necessary, when in fact, what the government is really saying is that the Medicare program does not cover the use of a certain type of chemotherapy when addressing a certain type of cancer.

  • Community Standard of Care Notably, the issue of whether or not a physician has acted reasonably in the medical decision-making process can vary from one region to another. As one source has noted, a physician is expected to provide care at:

“the level at which an ordinary, prudent professional with the same training and experience in good standing in a same or similar community would practice under the same or similar circumstances.”

The standard of care one would expect from a physician when treating a cancer patient may vary from one locale to another. For example, the standard would likely be higher in a large metropolitan area where clinical research on oncology issues is being conducted and state-of-the-art remedies are being applied than it would be in a small town in Texas or Alaska, where an oncologist is unlikely to be involved in oncology research studies and has fewer opportunities to further develop their treatment skills.

  • Patient and Family Wishes At the end of the day, every cancer patient must decide whether or not they intend to receive chemotherapy. We are aware of instances where an individual diagnosed with a treatable cancer chooses not to undergo such a regimen, despite the fact that such a decision may hasten their demise. Alternatively, a critical patient may actively seek to receive chemotherapy, even though it may not be recommended for individuals who has been diagnosed as terminal.

Although this case is a dramatic example of what can happen when an oncologist is alleged to have bilked Medicare, it provides a stark example of a situation where the defendant should have previously identified that their chemotherapy practices were different from those of their peer.

In light of the risks presented, we strongly recommend that oncology practices develop, implement and follow the rules and regulations set out in an effective Compliance Plan. Through the use of a GAP analysis, oncologists can identify potential documentation, medical necessity, coding and billing deficiencies in their practice. Once identified, these deficiencies can be carefully assessed so remedial action may be taken to address any overpayments or other improper claims practices that have been identified to avoid any possible Oncology fraud. When conducting a GAP analysis, we strongly recommend that you engage experienced legal counsel to assist you with this process.

Health care AttorneyMichael Troy serves as Counsel to the health care boutique law firm, Liles Parker, PLLC. Liles Parker has offices in Washington, DC, Baton Rouge LA, Houston TX and McAllen TX. Liles Parker provides nationwide representation and legal services to health care providers facing an audit or administrative review of claims by a Zone Program Integrity Contractor (ZPIC), a Recovery Audit Contractor (RAC), or a Medicaid Integrity Contractor (MIC) and Medicaid RAC overpayment determinations. Our attorneys also actively assist health care providers and suppliers in postpayment audits, Oncology Fraud, prepayment reviews, suspension or termination actions. For more information, call today at 1-800-475-1906 for a free consultation.

A HIPAA Risk Assessment is Essential to Avoid Liability

Covered entities and business associates must perform a HIPAA risk assessment.(August 23, 2014):  Almost all health care providers and suppliers qualify as a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Together with the business associateswith whom they work, these entities are responsible for ensuring that any protected health information (PHI) under their control has been properly secured and remains confidential.  Let’s face it, the regulations governing a health care provider’s obligations under HIPAA are both extensive and complex.

Many small and mid-sized health care providers and suppliers have found it difficult to fully comply with their many statutory obligations under HIPAA’s privacy and security mandates.  Nevertheless, it is important to keep in mind that the government is actively investigating allegations of breach, regardless of the size of provider or supplier that may be involved.

I.   The Importance of Conducting a HIPAA Risk Assessment:

A recent federal criminal indictment of an individual for a HIPAA violation should serve as a reminder to all health care providers of the importance of fully complying with HIPAA’s security requirements.  While most health care providers and suppliers have diligently worked to comply with HIPAA’s privacy requirements, their compliance with HIPAA’s security and risk assessment mandates remains a challenge.  A recent case out of the U.S. Attorney’s Office for the Eastern District of Texas provides a stark reminder of why all health care providers must remain diligent in their efforts to secure and protect the medical records that have been entrusted to their care by their patients.

Last month, federal prosecutors announced that a former employee of an unnamed hospital in East Texas had been arrested in Georgia the previous year on charges unrelated to the theft of PHI.  At the time of his arrest, he was discovered to be in possession of patient medical records from Texas.  The subsequent investigation indicated that from December 1, 2012, through January 14, 2013, the individual had obtained PHI while he was employed at an East Texas hospital.  The defendant allegedly took the patient records with the intent to use the patient’s PHI for personal gain.  The defendant is currently in jail, awaiting trial.  If convicted, he could be sentenced to prison for up to 10 yearsThere are two main points that all covered entities and business associates should keep in mind:

1.  The theft of PHI is a serious crime.  Both federal and state prosecutors are actively pursing individuals who illegally steal or improperly use patient PHI for personal gain.  Under 18 U.S.C.A. § 1028A(a)(1), the federal “Aggravated-Identity-Theft” statute prohibits an individual’s knowing use of another person’s identifying information without a form of authorization recognized by law. 

2.  While the government’s Press Release does not discuss whether the East Texas hospital had previously conducted a proper HIPAA risk assessment, it would not be surprising to later learn that the Office of Civil Rights (OCR) has initiated its own audit of the organization to verify that it has, in fact, previously conducted a HIPAA risk assessment.    

II.  HIPAA’s Security Rule Requires that a Risk Assessment be Conducted:

While details regarding what security provisions and precautions the East Texas hospital may have implemented are not available, one wonders if the hospital conducted a risk analysis as required by HIPAA’s Security Rule provisions.  The Security Rule states that all covered entities must implement policies and procedures “to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).)   A risk analysis is one of four required implementation specifications in the Security Rule that actually provide instructions on how to implement the requirement.  Conducting a risk analysis would likely have revealed system vulnerabilities, perhaps even the one that failed to prevent the theft of patient PHI.  Certainly a risk analysis would have revealed the necessity of various audits, any of which could have revealed the fact that the defendant was improperly accessing and taking patient records.

Unfortunately, conducting a HIPAA risk assessment is still a problem for many health care providers.  A series of audits were conducted in 2012 by federal contractors working for OCR to assess whether health care providers, suppliers, health plans and clearinghouses have been complying with HIPAA’s Privacy, Security, and Breach Notification requirements.  A number of health care providers were included in these audits.  The results showed that 60% of the deficiencies reported were related to HIPAA security requirements.  In addition, 65% of the findings were for health care providers, in particular smaller providers.  Of the 59 providers, 58 had at least one finding relating to a Security Rule deficiency.   Nearly 80% of the healthcare providers had not completed a risk assessment.[1]  OCR concluded that driving compliance with the Security Rule aspects of HIPAA would be a likely focus in the future.

III.  Meaningful Use and Risk Assessments:

Conducting a risk analysis is also a core requirement under the Meaningful Use rules. [2]  In order to receive a meaningful use incentive, providers were required to certify that they conducted a risk assessment in accordance with the HIPAA Security Rule provisions.   Over 245,000 eligible professionals received payments for usage of electronic health records for 2011 and 2012.

Yet if the statistics from OCR’s admittedly small sample of healthcare providers in 2012 is true, this could mean that a very large majority of those healthcare providers who certified to having conducted a risk assessment as part of their meaningful use certifications did so falsely. The data on which providers, including names and NPI numbers, have received a meaningful use incentive payment is publicly available.   Thus it is highly likely that as part of the soon-to-be-restarted HIPAA audits, OCR will explicitly review whether providers falsely certified that they conducted a security risk analysis, when in fact they did not.  While the amount of money that a provider might have to return for a false certification is not large, the potential penalties for having falsely certified compliance with the regulations are much larger and more serious.

IV.  Final Remarks:

While overdue, if your organization has not already conducted a HIPAA security risk assessment, it is imperative that you do so immediately.   The window to take remedial action may be closing, especially if you have received payments under the meaningful use provisions.  Need help?  Give us a call.  In Part II of  this article, we will discuss several of the considerations you should take when engaging outside assistance to conduct a security risk assessment of your organization.

Heidi Kocher Healthcare Attorney

Heidi Kocher serves as Counsel for Liles Parker and represents health care providers and suppliers in the Dallas / Fort Worth metropolitan area.  Heidi is an experienced health lawyer and is skilled in assisting clients with transactional projects, compliance issues and in fraud and abuse counseling.  Should you have any questions regarding the HIPAA security risk assessment process, please give Heidi a call.  For a free consultation, call Heidi at: 1 (800) 475-1906.

 

[1] HIPAA Privacy, Security and Breach Notification Audits:  Program Overview & Initial Analysis, presentation by Verne Rinker JD, MP, at 2013 NIST / OCR Security Rule Conference, May 21-22, 2013, available at http://csrc.nist.gov/news_events/hipaa-2013/presentations/day1/rinker_day1_215_hipaa_privacy_security_breach_audits.pdf

[2] See the July 28, 2010 Final Rule Notice, 75 Fed.Reg. 44314 at 44369; 42 CFR 495.6(d)(15).

Is Your Dental Practice Prepared to Undergo a Medicaid Dental Audit?

November 25, 2013 by  
Filed under Dental Audits & Compliance

Your chances of undergoing a Medicaid dental audit are increasing.

Is Your Practice Ready for a Medicaid Dental Audit?

(November 25, 2013):  The link between oral health and overall health has been increasingly acknowledged over the years. Emphasis has been placed on children’s oral health in particular. In fact, the Children’s Health Insurance Program Re-authorization Act of 2009 (CHIPRA) mandates that “child health assistance provided to a targeted low-income child shall include coverage of dental services necessary to prevent disease and promote oral health, restore oral structures to health and function, and treat emergency conditions.”[1] The importance of good oral hygiene habits and preventive dental care cannot be overstated; yet, the federal government has not mandated even minimal dental benefits for low-income adult Americans through Medicaid. While dental coverage for low-income children is rather expansive, it is entirely up to states as to whether dental is covered for low-income adults at all. In any event, the likelihood that you will be subjected to a Medicaid dental audit by federal and / or state authorities has been increasing each year.  In this article, we discuss the current enforcement environment, along with steps you can take to reduce your dental practice’s level of risk.

I.  State Medicaid Dental Care Differs from Jurisdiction to Jurisdiction:

The range of approaches by states to low-income adult dental coverage is vast, including from no coverage to coverage of all service categories. Some states are expanding their coverage of low-income adult dental care to both reflect the increasingly recognized importance of quality dental care and the increasing costs of dental care. For example, Indiana raised its cap on adult dental services from $600 per calendar year to $1,000 per calendar year in 2011.[2] Of course, the nation’s fiscal crisis has also pushed states in the other direction, forcing states like Pennsylvania, Massachusetts, Illinois, California and Washington to cut “discretionary costs” from their Medicaid budgets, which has included dental coverage.[3]

II.  The Likelihood of Your Practice Being Subjected to a Medicaid Dental Audit:

Not surprisingly, the increased recognition of the importance of preventive and quality dental care has also led to the increased scrutiny of dental services paid for by federal-state health benefit programs. The criminal conviction of a Virginia dentist in 2008 on felony charges of racketeering, health care fraud, and structuring a financial transaction sent vibrations throughout the dental world. The Virginia dentist was a long time provider of dental services in his community (the poorest area of his state, in fact), having begun his practice in 1981. By 2008, his payor mix was 50-50 Medicaid-private pay.

An “anonymous” complaint triggered the investigation of his practice which led to his conviction, though he had also been audited by Medicaid several times prior to that. Nobody disputes that there were some mistakes in his practice’s documentation and record keeping, including the Virginia dentist himself.  Yet, as he stated in an interview:

“the government’s position was that these errors were not mistakes, but the errant claims were submitted to be paid for more than I was entitled.”

Both prior to serving his sentence and after his release, the Virginia dentist shared his story time and time again, stressing to his peers the importance of comprehensive documentation. As he stated in that same interview:

“If I can prevent this situation from happening to anyone else, airing my “dirty laundry” will have been worth the embarrassment. […] If you become a Medicaid provider, be very, very careful! Document, document, document; review, check, and recheck. Make no mistakes!”

As predicted, we’ve seen dentists across the nation come under increased scrutiny. Medicaid Integrity Contractors (MIC) in states such as Indiana and Texas have been particularly active. The MICs are requesting samples of medical documentation from as early as 2007, and are requesting the full ambit of documentation, from charts to billings.

III.  The Medicaid Documentation Quandary:

Dentists should be aware of and expect Medicaid dental audit letters from their local MICs, which are generally followed by a site-visit. Unfortunately, the letters are broad, giving dentists no real sense of what types of services, if any, are being reviewed. The lack of focus, we believe, is indicative of the contractors’ intent to review compliance with federal and state documentation guidelines in general. Many dentists document quite minimally, indicating the tooth at issue and the service that has been deemed medically necessary, with no indication or elaboration on the basis for that determination (e.g., treatment diagnosis, x-ray findings, etc.). We encourage our dental clients to ask themselves: would a peer be able to look at my documentation and come to the same conclusion as I did as to which service(s) was medically necessary? If not, the documentation is probably not sufficient for Medicaid standards. Remember that all of the dots need to be connected for the MIC reviewer in the documentation. The MIC reviewer will not make any inferences in your favor.

IV.  How Should a Dentist Respond to Medicaid Dental Audit?

In light of the increased scrutiny of dental services, dentists should review their forms and documentation procedures and update them accordingly if deficiencies are identified. Dentists should also apprise their staff of the current activity in the Medicaid dental world and establish a plan of action for how to respond in the event that the local MIC initiates an audit of their practice.

V.  Final Remarks:

Now, more than ever, it is essential that dentists participating in the Medicaid programs review both their operational and documentation practices to ensure that a third-party examining their patient treatment records years from now can readily see why certain care and treatment decisions were made and that the services billed to the Medicaid program were medically reasonable and necessary.

Healthcare LawyerLorraine Ater, Esq. is a health law attorney with the boutique firm, Liles Parker, Attorneys & Counselors at Law.  Liles Parker has offices in Washington DC, Houston TX, McAllen TX and Baton Rouge LA.  Our attorneys represent dentists, orthodontists and other health care professionals around the country in connection with government audits of Medicaid and Medicare claims, licensure matters and transactional projects.  Need assistance?  For a free consultation, please call: 1 (800) 475-1906.

 

 


[1] Title XXI of the Social Security Act, Section 2103(c)(5).
[2] On January 1, 2011, the cap on dental services for members age 21 and older was increased to $1,000 and included all covered dental services, including all emergency dental services.
[3] A more comprehensive discussion of the Medicaid dental budget cuts reflects the challenges faced by the states.

Liles Parker Says “Thank You” to America’s Veterans — God Bless America

November 12, 2012 by  
Filed under Firm News

Liles Parker Says "Thank You" to America's Veterans on this Veterans Day

Liles Parker Says “Thank You” to America’s Veterans

(November 12, 2012): On this Veterans Day, Liles Parker thanks all of our nation’s veterans for their tremendous service and sacrifice in the defense of the United States of America. Please join us in remembering our soldiers, marines, sailors, and airmen for their unparalleled courage and commitment to our country.

Liles Parker is a full service, health law boutique with offices in Washington, DC, Baton Rouge, LA, Houston, TX and San Antonio, Texas.  We represent health care providers around the country in transactional projects, Medicare / Medicaid prepayment reviews and postpayment audits, compliance issues and peer review proceedings. 

Are you a health care provider needing assistance? Call us for a free consultation.  We can be reached at: 1 (800) 475-1906.

American Health Lawyers’ Scholarly Journal Publishes Michael Cook’s Health Care Reform

November 1, 2010 by  
Filed under Firm News

Michael Cook's Health Care Lawyer(November 1, 2010): Michael Cook has published a health care reform article in the October issue of the American Health Lawyers Association on the Independent Payment Advisory Board. The Abstract of the health care reform article is as follows:

“By creating the Independent Payment Advisory Board (IPAB) as part of the health care reform process, Congress attempted to impose fiscal discipline upon itself by creating limits on the amount of spending under the Medicare program, and by removing the process for meeting those targets from its domain. Each year beginning in 2013, the Chief Actuary of the Centers for Medicare and Medicaid Services will compare the projected average per capita increase in Medicare spending against a target. If the Chief Actuary finds that spending is projected to exceed the target, the IPAB – an independent board – is charged with developing a proposal that will be implemented automatically beginning in January 2015, unless Congress, through an expedited process and super majority vote, either overrides the process or votes in 2017 to disband the board in 2020. This article provides a detailed description and analysis of the provisions that create the IPAB, the process on how it will operate, and the implications of this extremely controversial body.” Michael H. Cook, Independent Payment Advisory Board: Part of the Solution for Bending the Cost Curve?, J. HEALTH & LIFE SCI. L., October 2101, at 102.

Because of copyright laws, we are not able to post copies of the article in full on this website. However, for this issue only, the AHLA is selling single copies of the October issue of the Journal. Readers can obtain information on purchasing the article at www.healthlawyers.org/JHLSL.

Anyone seeking additional information on the IPAB can review a short article on this website, and can contact Michael Cook at (202) 298-8750 or mcook@lilesparker.com for information on this and other aspects of the new health care reform legislation.  Mr. Cook is an attorney in Liles Parker’s Washington, DC office.  He has extensive experience working in practically every area of health law. 

City Attorney Leonard Schneider, J.D., Wins Pivotal Lawsuit on Behalf of the City of Huntsville, TX

October 29, 2010 by  
Filed under Firm News

Leonard Schneider, J.D. has won a pivotal case on behalf of the City of Huntsville(October 29, 2010): Leonard Schneider, J.D., serving as outside legal counsel and “City Attorney” for the City of Huntsville, Texas, has been successful in obtaining jury verdict on October 22, 2010 against Huntsville-Walker Chamber of Commerce for breach of fiduciary duty and breach of contract in the administration and management of Hotel Occupancy Tax Funds.  After a two-week trial, a Leon County jury returned a verdict against the Chamber and former President of the Chamber in the amount of $324,578.00 for breach of fiduciary duty and the same amount against the Chamber individually for breach of contract along with $125,000.00 in attorney fees.  The City of Huntsville, Texas asserted the Chamber and its leadership failed to adequately account for expenditures of HOT Funds, improperly used HOT funds, and failed to notify the City of HOT funds that were left over after each budget year.   Schneider was assisted by local counsel,  Bennie Rush of Walker County and of Counsel to Liles Parker,  Anastasia Cunningham-Thomas.

Healthcare AttorneyLiles Parker attorneys represent individuals, corporations and municipalities around the county in both transactional projects and matters involving litigation.  Leonard Schneider, J.D., is an excellent litigator and can be contacted for a complimentary consultation.  He can be reached at: 1 (800) 475-1906.

Robert W. Liles Invited to Speak at the WDTX DOJ Working Group for Health Care Fraud Meeting

September 12, 2010 by  
Filed under Firm News

Robert Liles has been asked to speak at the WDTX DOJ Working Group meeting(September 12, 2010):  Robert W. Liles, Managing Partner at Liles Parker, has been asked to serve as the main speaker at the quarterly DOJ Working Group conference sponsored by the U.S. Attorney’s Office for the Western District of Texas.  The Working Group consists of Federal civil and criminal Prosecutors, FBI agents, HHS-OIG agents and investigators, MFCU agents and investigators, ZPIC auditors and Investigators and representatives of the MAC responsible for processing Part A, Part B and DME Medicare claims.  The session will focus on changes to the False Claims Act, the Federal Anti-Kickback Statute and the Health Care Fraud Statute as a result of the recent enactment of the Health Care Reform Act last March.   Mr. Liles will also discuss the concerns of health care providers with current enforcement initiatives.

Since 2001, Mr. Liles has worked in private practice, representing the interests of health care providers in administrative actions (such as ZPIC audits of Medicare claims), civil cases (such as False Claims Act cases), and criminal matters (such as Anti-Kickback allegations).  Prior to entering private practice, Mr. Liles worked as an Assistant U.S. Attorney in the Southern District of Texas.  In early 1997, he was selected to serve as the nation’s first National Health Care Fraud Coordinator for the Executive Office of United States Attorneys in Washington, D.C.

Prior to entering law, Mr. Liles worked for many years in the health care industry.  He received a Master’s in Health Care Administration from Trinity University in 1985.  Trinity is recognized as one of the foremost universities in the country for educating and training future hospital administrators.  In addition to an M.H.A., Mr. Liles also holds an M.B.A.

Mr. Liles’ varied background provides a unique perspective of both the health care industry and the needs and concerns of health providers.

Liles Parker has an office in San Antonio, Texas.  Our attorney in San Antonio is Rebecca Reed.  Ms. Reed is a former Bexar County prosecutor.  Should your practice or clinic have questions regarding a ZPIC audit, RAC audit, False Claims Act allegations or a possible criminal case, please give us a call for a free consultation at 1 (800) 475-1906.

Rebecca Reed Has Been Appointed Assistant Judge in Bexar County

August 5, 2010 by  
Filed under Firm News

Rebecca Reed has been appointed Assistant Judge(August 5, 2010): Liles Parker is pleased to announce that Rebecca Reed, the firm’s San Antonio-based Counsel, has been named as an Assistant Judge in Bexar County, Texas.  Ms. Reed will be serving as Judge on a part-time basis and will be handling cases assigned to the Mental Health Docket, helping to adjudicate these issues involving cases out of 52 counties in West and South Texas.

 

 

As Robert W. Liles, Managing Partner for the firm stated:

“This is a distinct honor for Ms. Reed and we congratulate her on this achievement.  She is a talented lawyer and has served as trusted counsel to the firm’s health care clients over the years.  Her dedication to community service is to be admired.  We are thrilled to hear of her appointment to the bench and look forward to working with her in the future.”

Since joining Liles Parker, Ms. Reed has significantly expanded the scope of Liles Parker’s presence in South Texas. Consistent with her background as a former Bexar County prosecutor, Ms. Reed has handled a wide variety of criminal defense matters.  Ms. Reed’s experience as a litigator is quite impressive. She has tried well over 200 trials as First Chair.  Her reputation as a litigator is well known by both prosecutors and the judiciary. This experience is especially helpful when faced with complex business litigation cases.  Along with this appointment to be Bench, she will continue to serve as Counsel for Liles Parker, representing parties in a wide variety of heath care and complex business cases.

For assistance in health law matters, call the attorneys at Liles Parker:  1 (800) 475-1906.

Next Page »