Transcranial Magnetic Stimulation Claims Audits by Medicare MACs and UPICs are Underway. Are Your CPT 90868 Claims Compliant?

(July 16, 2018):  Do you provide Transcranial Magnetic Stimulation care and treatment services?  If so, you need to ensure that your medical necessity, documentation, coding and billing practices fully comply with applicable statutory, regulatory and administrative guidelines. In recent weeks, a flurry of prepayment review letters from Medicare Administrative Contractors (MACs) have been sent to physicians and health care entities seeking copies of the medical records and related documentation associated with transcranial magnetic stimulation services (also commonly referred to as TMS services).  Billed as CPT 90868, transcranial magnetic stimulation services are merely the latest risk area being examined by MACs and the associated Uniform Program Integrity Contractor (UPIC) assigned to a specific jurisdiction of the country.

I.  Why Are My Transcranial Stimulation Services Being Audited?

If you received notice of a prepayment or audit of your claims from a MAC or UPIC contractor working for the Centers for Medicare and Medicaid Services, you may have contacted the contractor to find out why your claims were selected for audit.  Although the CMS contractor may have advised you that your claims were “randomly” chosen for audit, nothing could be further from the truth.  At this time, CMS has not authorized its contractors to conduct random audits of provider claims.  As set out in the Federal Register:

“Although section 934 of the MMA sets forth requirements for random prepayment review, our contractors currently do not perform random prepayment review. However, our contractors do perform non-random prepayment complex medical review. We are cognizant of the need for additional rulemaking should we wish our contractors to perform random review.”[1]

If your claims were not audited as a result of a random review, then why were your claims selected for prepayment or postpayment review?  As set out in the Medicare Program Integrity Manual, Chapter 2, Section 2.4, Subsections A-C,  CMS processing and program integrity contractors have been directed to utilize data analyses as their primary tool to identify outliers and other providers that may be engaging in improper, fraudulent, wasteful and / or abusive coding and billing practices.  UPICs and other program integrity contractors have more than a dozen various utilization, coding and billing databases at their disposal in this regard.  Simply put, your claims were likely chosen for prepayment review because of a specific concern with respect to a type of service or because your utilization of one or more claims differed from that of your peers.

II. Overview of Transcranial Magnetic Stimulation Services:

Transcranial magnetic stimulation involves the noninvasive use of magnetic pulses to stimulate the brain. This treatment protocol involves the positioning of an electromagnetic coil on a patient’s scalp.  Once properly placed, an electric current is intermittently run through the electromagnetic coil, thereby producing brief magnetic pulses that painlessly pass through a patient’s brain. Transcranial magnetic stimulation services are normally conducted in an outpatient setting and do not require anesthesia or analgesia.  Although a number of proponents have consistently pressured Medicare to expand its current scope of coverage, at this time, only adults who have a confirmed diagnosis of Major Depressive Disorder, and meet a number of other requirements, qualify for transcranial magnetic stimulation under Medicare’s strict medical necessity requirements.

III.  Transcranial Magnetic Stimulation Claims Audits:

• MAC prepayment targeting of transcranial magnetic stimulation claims.

Among its many functions, National Government Services (NGS) and other MACs around the country are required to conduct medical reviews of provider claims on a prepayment basis, to better ensure compliance with Medicare’s coverage and payment rules.[2]  The fact that NGS and other MACs are currently auditing transcranial magnetic stimulation (CPT Code 90868) claims, is significant because MACs are only required to initiate targeted provider-specific prepayment reviews “when there is the likelihood of a sustained or high level of improper payments.”[3]  It is also worth noting that providers are being directed to submit their supporting documentation directly to the Uniform Program Integrity Contractor (UPIC) assigned to their jurisdiction.

•  UPIC reviews of transcranial magnetic stimulation claims.

UPICs are private, for-profit companies that awarded contracts to provide program integrity services for the Centers for Medicare and Medicaid Services (CMS).  UPICs are tasked with investigating instances of suspected fraud, waste, and abuse in the Medicare and Medicaid programs. Should the UPIC identify possible overpayments, the results of their audits will be sent back to the MAC for recoupment action. However, if evidence of possible fraud is identified, a UPIC may forward their findings to law enforcement for review, investigation and possible prosecution.[4]

IV.  Transcranial Magnetic Stimulation Audit Risk Issues (Partial Listing):

If you are providing transcranial stimulation services and billing them to Medicare, you need to keep in mind that the failure to meet the following requirements can quickly lead to an audit of your CPT Code 90868 claims:

• Is the transcranial magnetic stimulation device approved by the Food and Drug Administration (FDA)?  In most instances, if a treatment device has not been approved by the FDA, CMS and its contractors will consider the device to be “experimental.”  As such, any transcranial magnetic stimulation treatment services performed will not be covered by Medicare.
• Does the patient have a “confirmed” diagnosis of major depressive disorder?   For Medicare, this is a deal-breaker. Although a number of studies have been conducted examining the use of this treatment modality in connection with other diagnoses, none of these additional diagnoses are currently covered and will be considered “experimental” by CMS and its contractors.  A few examples of diagnoses that will be denied include schizophrenia, schizoaffective disorder epilepsy, cerebrovascular disease, and dementia.  Finally, it is important to keep in mind that UPIC auditors will be examining each case carefully to ensure that the diagnosis of major depressive disorder has been fully documented and validated (or otherwise confirmed).  UPIC auditors will be looking for assessments of the patient’s condition using standardized rating scales (such as the Beck Depression Scale or the Montgomery-Asberg Depression Rating Scale) that have been found to reliably measure the intensity of a patient’s depressive symptoms.  Merely concluding that a patient suffers from major depressive disorder without the test results to support your diagnosis is insufficient to support medical necessity.  Finally, under the LCD guidance issued by NGA, once transcranial magnetic stimulation treatment has been initiated, the provider is required to monitor the patient’s treatment response using the standardized rating scales discussed above (or a similar, widely accepted rating scale).
• Transcranial magnetic stimulation treatment sessions must be ordered and supervised by a qualified individual. As LCD L33398 reflects, in order for transcranial magnetic stimulation therapy to be ordered (or reordered), the ordering physician must issue the order in writing.  Moreover, the ordering physician must have examined the patient, reviewed the record AND must have experience in administering transcranial magnetic stimulation therapy services.  As a final point, the treatment must be given under the direct supervision of the ordering physician.  In other words, the physician must be in the area and be immediately available.
• Does your practice also bill for CPT Code 90836 claims? We have seen a higher likelihood of audit if you are also billing CPT Code 90836[4] claims along with your billing of transcranial magnetic stimulation services (CPT Code 90868). It is important to keep in mind that the billing of this “add-on” code may trigger an audit even in the absence of CPT Code 908686 billings. For example, in a September 2016 Medicaid case brought under Connecticut’s False Claims Act, it was alleged that the defendant was billing this “add-on” code for psychotherapy sessions when in fact, she instead provided medication management services, or a brief meeting with the patient for drug change/dosage adjustment.
• Does your practice also bill for CPT Code 99214 claims? Audits of transcranial magnetic stimulation claims have also sometimes included a concurrent review of the provider’s CPT Code 99214[6] claims.  Since at least 2012 the Department of Health and Human Services (HHS), Office of Inspector General (OIG) has expressed its concerns with respect to the unsupported, improper billing of this Evaluation and Management (E/M) code.

V.  When Are Transcranial Magnetic Stimulation Services Covered by Medicare?

• “Indications” — a confirmed diagnosis of Major Depressive Disorder is required for coverage.

Medicare has adopted strict requirements on the coverage and payment of transcranial magnetic services.  As set out in the Local Coverage Determination[7] (LCD) guidance published by NGS (LCD L33398)[8], transcranial magnetic stimulation services are only considered medically necessary “in adults who have a confirmed diagnosis of major depressive disorder (MDD), single or recurrent episode.”  Additionally, in order for the care to qualify for coverage and payment, the record must show:

In addition to having a diagnosis of “Major Depressive Disorder,” one of the above four conditions must be fully documented in the patient’s medical records.

These requirements must be met in order to qualify for coverage under the “Limitations” section of LCD L33398.

• Limitations to be considered.

As discussed in LCD L33398, providers must carefully assess the benefits to be derived from the use of transcranial magnetic stimulation. The benefits of TMS use must be carefully considered against the risk of potential side effect in patients with any of the following:

• Transcranial magnetic stimulation is NOT considered reasonable and necessary in any of the following situations.

• Documentation requirements.

UPIC audits are focusing on your compliance with the LCD’s documentation requirements. Are your Transcranial Magnetic Stimulation services fully documented?

• Utilization guidelines.

VI.  How Can You Reduce Your Level of Regulatory Risk?

As discussed above, if your transcranial magnetic stimulation claims are targeted by a UPIC, the OIG or DOJ, the types of enforcement actions that can be pursued vary widely, depending the facts in your particular case. Unfortunately, since data mining is one of the primary ways that a potential target is identified for review, the first time that you know find out that your claims utilization practices are being assessed could be when you receive notice that your practice has been placed on prepayment review.  In more serious cases, you may receive a OIG subpoena for records or a Civil Investigative Demand for records from the DOJ.

As a first step, if you have not already done so, you need to develop and implement an effective Compliance Program.  Assuming that you already have such a program in place, take the time now, before you have a problem, to assess your care and treatment practices.  Does your documentation meet applicable requirements?  Have you documented that the care and treatment decisions made were medically necessary and appropriate?  Were the services properly coded and billed?

VII.  Responding to an Audit of Your Transcranial Magnetic Stimulation Claims:

• Learning of a prepayment or postpayment audit.

If your practice is placed on prepayment review, you will likely learn of the action through the electronic claims status system maintained by your MAC.  Providers are normally given 45 days to submit the requested supporting documentation to their UPIC.  Should you fail to submit the requested documentation to the UPIC in a timely fashion, the very least that will happen is that your claims will be denied.  As set out under the Section 1815(a) of the Social Security Act:

“…no such payments shall be made to any provider unless it has furnished such information as the Secretary may request in order to determine the amounts due such provider under this part for the period with respect to which the amounts are being paid or any prior period.”

• Don’t turn an administrative audit into a civil or criminal case.

In cases where a provider repeatedly ignores a request for records (or fails to submit the supporting documentation within the allotted time period), a UPIC will likely make a referral to the OIG for investigation and review.  Unfortunately, such a referral significantly raises the level of risk that a provider may face.  Depending on the OIG’s findings, a provider may be assessed Civil Monetary Penalties or even be excluded[9] from participation in Federal and State health benefits programs.  Additionally, if evidence of fraud or other improper conduct is identified, the case may be referred to the DOJ for civil action and / or criminal prosecution.

Moreover, once a problem has been discovered, a physician can significantly complicate matters by concealing the problem, destroying evidence or falsifying records.  Under various Federal obstruction statutes, a physician may be charged with obstruction of justice for willfully engaging in activities that obstruct, mislead, deceive, or impede a health care fraud investigation.

• Engage qualified, experienced health law counsel.

Unfortunately, the days when a practice could feel comfortable directly handling a medium to large-sized audit, without assistance from legal counsel are becoming fewer and fewer each year.  There are a number of strategies that legal counsel may employ in an effort to minimize a physician’s possible exposure and liability.  Call an experienced health lawyer and ask him or her to walk you through the process. If the attorney hasn’t handled these cases on a regular and repeated basis, talk to another firm.

Robert W. Liles serves as Managing Partner at the health law firm, Liles Parker, Attorneys and Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with UPIC audits, ZPIC audits, OIG audits and DOJ investigations.  Are your transcranial magnetic stimulation claims being audited?  We can help.  For a free initial consultation regarding your situation, call Robert at:  1 (800) 475-1906.

[1] For additional information on how your claims may have been targeted for audit, please see the following related article, please see Physicians Being Placed on Non-Random Prepayment Review in Unprecedented Numbers. Are You Ready for an Audit?

[2] Medicare Program Integrity Manual, Chapter 3 – Verifying Potential Errors and Taking Corrective Actions. Section 3.4 Prepayment Review of Claims.

[3] See MPIM Section 3.4.A.

[4] Referrals to law enforcement are typically made to the Department of Health and Human Services, Office of Inspector General (OIG) and / or the U.S. Department of Justice (DOJ).

[5] CPT Code 90836 is an add-on code for individual psychotherapy, insight oriented, behavior modifying and/or supportive, 45 minutes with the patient and/or family member (time range 38-52 minutes) when performed with an evaluation and management service.

[6] This Evaluation and Management (E/M) code is used when billing for an “office or other outpatient visit for the evaluation and management of an established patient, which requires at least two of these three key components: a detailed history, a detailed examination and medical decision making of moderate complexity.”

[7] As set out in Medicare’s program integrity guidance, “An LCD is a decision by a Medicare administrative contractor (MAC) whether to cover a particular item or service on a MAC-wide basis in accordance with Section 1862(a)(1)(A) of the Social Security Act (i.e., a determination as to whether the item or service is reasonable and necessary).”  See MPIM 13.1.3. an issuance published by a MAC setting out coverage parameters for a particular service.  The LCD only applies to providers in states included in the MAC’s jurisdiction.  Having said that, if a particular jurisdiction does not have an LCD addressing a certain service, LCD guidance published by other MACs is often cited as persuasive (but not binding) authority.  The requirements set out in an LCD must be consistent with all applicable laws, regulations, and national policies for coverage, payment, and coding.  LCDs may address a specific clinical topic using procedure codes to define one or more treatments and using diagnostic codes to describe the clinical indications that would make the treatment(s) reasonable and Social Security Act § 1862(a)(1)(A), 42 U.S.C. § 1395y(a)(1)(A). necessary. For example, an LCD may limit coverage of an item or service to specific diagnoses, or it may prohibit coverage of an item or service completely. The coverage policy created by an LCD is applicable only in States within a contractor’s jurisdiction.

[8] NGS’s LCD guidance for Transcranial Magnetic Stimulation services is covered in LCD L33398.  This guidance applies to all services performed on or after June 15, 2018.

[9] For instance, under 42 USC §1320a-7(b)(6), an individual or entity can be excluded for a minimum of a year if found have submitted claims for excessive charges, unnecessary services or services which fail to meet professionally recognized standards of care.

Is Your Urogynecology, OB/GYN or Multidisciplinary Practice Prepared for a Medicare Biofeedback Claims Audit or a Pelvic Floor Therapy Claims Audit?

(July 12, 2018):  While no medical specialty has completely avoided the scrutiny of law enforcement and government contractors, for the most part, OB/GYNs and Urogynecologists have managed to stay out of the limelight of auditors and investigators tasked with identifying improper billing practices.  Unfortunately, those days appear to be over. Working closely with the staff at the Consolidated Data Analysis Center (CDAC), auditors and investigators at the Department of Health and Human Services (HHS), Office of Inspector General (OIG), have conducted sophisticated data analyses to identify outliers whose billing practices may be an indication of improper billing or fraud.  In recent years, CDAC-supported analyses have led to the successful pursuit of several high-profile Medicare fraud cases against urogynecologist providers and practices for the wrongful billing of biofeedback[1] related claims.  Most recently, the OIG confirmed at the March 2018 Health Care Compliance Association Annual Meeting that biofeedback / pelvic floor therapy claims are currently under review and are an agency enforcement initiative. This article examines the cases that have been brought against providers for the improper billing / fraudulent submission of biofeedback claims for payment, along with steps that your practice should take if your claims are subjected to an audit.

I.  Overview of Biofeedback Therapy:

At the outset, it is important to recognize that the coverage of biofeedback therapy services varies from payor to payor.  Many payors have limited the coverage of biofeedback therapy services to specific conditions and diagnoses.[2]  Generally speaking, biofeedback qualifies for coverage and payment by Medicare when it is used to treat stress and urge incontinence in cognitively intact patients, AS LONG AS the medical documentation shows that “pelvic muscle exercise” training has been attempted and has failed.

Two procedural codes (CPT Code 90901 and CPT Code 90911), are primarily used to code for biofeedback therapy. CPT Code 90901 is a non-specific code that can be used for any modality of biofeedback therapy.  In contrast, CPT Code 90911 is used to bill for Pelvic Floor Therapy training for the treatment of incontinence.

II.  Overview of Pelvic Floor Therapy Training for Urinary Incontinence:

As discussed above, Medicare will only cover biofeedback for the treatment of urinary incontinence when the medical records document that a trial of pelvic muscle exercise training was previously tried and failed.[3]  The Centers for Medicare and Medicaid Services (CMS) has issued National Coverage Determination (NCD) guidance titled “Biofeedback Therapy for the Treatment of Urinary Incontinence (30.1.1).[4]” As the guidance notes, biofeedback-assisted pelvic muscle exercise training incorporates the use of an electronic or mechanical device to convey feedback (visual and / or auditory) regarding the muscle tone of a patient’s pelvic floor.  This feedback assists patients with their performance of muscle tone and pelvic muscle exercises.  Notably, CMS has delegated the authority to decide whether or not to cover biofeedback as an initial treatment modality to its contractors.

III.  Recent Pelvic Floor Therapy Claims Enforcement Cases:

• On July 2, 2018, a Florida-based network of urogynecology practitioners agreed to pay the government $7 million to resolve allegations that network physicians violated the False Claims Act by knowingly billing the Medicare program for services that were inflated or were not provided. More specifically, the government alleged that network physicians performed and improperly billed for lavage treatments and pelvic floor therapy services that were incorrectly appended with a Modifier -25.  A Modifier -25 is intended to reflect the fact that a significant, separately identifiable E/M services was provided by the same physician on the same day as the other procedure at issue (in this case, the lavage and / or pelvic floor therapy services).
• In June 2018, a California urogynecology practice and its Board-Certified physician entered into a $419,578 settlement agreement with the OIG. The settlement resolves allegations that the physician submitted claims to Medicare for items or services that he “knew or should have known were not provided as claimed or were false or fraudulent.”
• In February 2018, the Department of Health and Human Services (HHS), Office of Inspector General (OIG) announced an $877,474 settlement with an Arizona practice accused of submitting false and fraudulent pelvic floor therapy claims to the Medicare program for payment.
• In December 2017, a Virginia-based urogynecology clinic and its Board-Certified physician owner, settled a case with the OIG for $4 million in Civil Monetary Penalties. The OIG also required that the clinic enter into a 3-year Corporate Integrity Agreement which requires that the practice fully comply with a comprehensive set of compliance and regulatory requirements in order to avoid exclusion from the Medicare program.
• In November 2016, a New Jersey OB/GYN agreed to be excluded from participating in Federal health benefits programs for 20 years as part of his settlement with government. The OB/GYN was also required to pay $25 million to settle False Claims Act allegations.  It was alleged that the OB/GYN submitted thousands of claims for pelvic floor therapy training services to the Medicare and Medicaid programs that were either never provided, or were otherwise false or fraudulent.

IV.  Steps to Take Before Your Practice is Audited:

When is the last time you conducted an internal audit of the medical necessity of your claims, the completeness of your documentation and / or the accuracy of your coding and billing practices?  What did you find?

A well-designed Compliance Program can benefit Urogynecology and OB/GYN practices by speeding up and optimizing the proper payment of claims, minimizing billing mistakes, and reducing the chances that an audit will be conducted by law enforcement or one of the many private contractors now working for CMS. The following seven elements that should be addressed in your Compliance Program include:

1. Implementing written policies, procedures and standards of conduct;

2. Compliance program administration;

3. Screening and evaluation of employees, physicians, etc.;

4. Communication, education and training on compliance;

5. Monitoring, auditing and internal reporting systems;

6. Enforcing standards through well-publicized disciplinary guidelines;

7. Responding promptly to detected offenses and undertaking corrective action;

Urogynecology and OB/GYN practices should also conduct an organization-specific review in order to identify and address any regulatory risks that may be present.  This baseline audit (also commonly referred to as a “GAP Analysis”) can be utilized to identify problems in need of correction and any potential risk areas that should be incorporated into your Compliance Program. As you review your documentation, try and imagine how it would appear to an outside reviewer.  Can a reviewer fully appreciate the patient’s clinical status and the medical necessity of any biofeedback-related therapy services that you have provided?  Compare your E/M services to the 1995 or 1997 E/M Guidelines – have you fully and completely documented the services at issue?

To be clear, both law enforcement and CMS contractors recognize that a provider’s care and treatment practices may differ in one aspect or another from those of their peers. Moreover, those differences can result in billing practices which might make a provider appear to be an “outlier.”  Just because a provider’s coding and billing practices differ from those of their peers (in the same specialty area), does not necessarily mean that the provider’s practices are improper.  Nevertheless, if your utilization or coding / billing practices result in your clinic being identified as outlier, there is higher likelihood that your claims will be audited.

Be sure and engage any outside reviewers through legal counsel.  Keep in mind, this is not a paper exercise.  If legal counsel is not fully engaged and is not supervising the work, it is doubtful that the result of any review will be privileged.  As a final point in this regard, keep in mind that any overpayments identified must be paid back, regardless of whether the results of the internal audit qualify as privileged.

V.  What Are the Risks You Face if Your Biofeedback / Pelvic Floor Therapy Claims are Audited?

Despite any assertions that a Medicare auditor may state to the contrary — there is no such thing as a “Routine Audit.”[5]   

You never realize how bad your documentation is until your urogynecology or OB/GYN claims are audited. Unfortunately, a physician’s documentation practices often become more relaxed as time goes on – especially when the physician’s claims have not been audited for an extended period of time.  In such situations, both physicians and their staff may fail to fully document the services provided. Specific risk issues identified in recent cases brought by the OIG and, in some cases, the Department of Justice (DOJ) against urogynecology, OB/GYN, and multidisciplinary practices providing biofeedback-related pelvic floor therapy training services include:

• Upcoding involving the inappropriate appending of Modifier -25 to a claim payment for a medically unnecessary E/M services.   Urogynecologists, OB/GYNs and multidisciplinary physicians should exercise caution when utilizing Modifier -25.  It is important to remember that Modifier -25 has a long and controversial history with respect to Medicare audits and investigations. [6].  In a recent False Claims Act brought by the government, the government alleged that the provider billed the Medicare program for a significant, separately identifiable E/M service, supposedly provided  by the same physician on the same day as lavage and / or pelvic floor therapy services.  The bottom line is simple, if you are billing Modifier -25 in connection with your claims, you should expect to be audited!
• Failure to provide and document failed pelvic muscle exercise training. Multiple cases brought by the government have denied CPT Code 90911 claims because there was no evidence that prior to trying pelvic floor therapy training, the patient had received a four-week course of failed pelvic muscle exercise training, and the exercise training had failed to remedy the patient’s incontinence issues. CPT Code 90911 audits have regularly found that the required predicate exercise training was not conducted.
• Failure to properly supervise anorectal manometry diagnostic services. It was alleged that the physician failed to personally supervise the performance of anorectal manometry procedures performed by his medical assistants. Anorectal manometry (CPT Code 91122) testing procedures are used as a diagnostic tool to measure a patient’s anal sphincter pressures. The testing is also used to provide an assessment of a patient’s rectal sensation, rectoanal reflexes, and rectal compliance. When supervising the provision of these services, all of the supervision requirements set forth in 42 C.F.R. § 410.32 regarding diagnostic tests apply.  When billing for services covered by CPT Code 91122, the required Supervision Level is “2.”  In other words, direct supervision requirements apply to services billed under this code. Moreover, under 42 C.F.R. § 410.32, “these diagnostic testing services must be ordered by the physician / nonphysician practitioner who is treating the patient, that is, the physician / nonphysician practitioner who furnishes a consultation or treats a patient for a specific medical problem and who uses the results in the management of the patient’s specific medical problem. Tests not ordered by the physician / nonphysician practitioner who is treating the patient are not reasonable and necessary.”[7]  As a final point, providers should take care to ensure that CPT Code 91122 is not confused with CPT Code 90911.  As LCD 33263 further reflects, “diagnostic testing is not a medically necessary part of physical therapy, rehabilitation, biofeedback, or [an] exercise program.”
• Billing for services not rendered. There have been multiple instances where law enforcement has alleged that biofeedback / pelvic floor therapy claims were billed to Medicare, when in fact the services were not provided.
• Billing for therapy services provided by unlicensed and unqualified individuals. The basis for denial is increasingly being cited in audits around the country. It is essential that practices review the applicable LCD requirements to ensure that individuals providing the therapy services meet the qualifications set out in the guidance.  For example, several cases brought by law enforcement have alleged that urogynecology, OB/GYN, and multidisciplinary practices improperly billed for pelvic floor physical therapy services that were provided by an unqualified individual.
• Failure to properly supervise pelvic floor therapy training services. In one recent case, it was alleged that the physician failed to personally perform or directly supervise pelvic floor therapy services during time periods when he was out of the state or out of the country. Although now superseded, LCD 33631[8] sets out:

“Medicare billable therapy services may be provided by any of the following within their scope of practice and consistent with state and local law: Physician; Non-physician practitioner (NPP) (physician assistants, nurse practitioners, clinical nurse specialists); Qualified physical and occupational therapists, speech language pathologists (for CPT codes G0515 and 97533), and assistants working under the supervision of a qualified therapist; Qualified personnel, with or without a license to practice therapy, who have been educated and trained as therapists and qualify to furnish therapy services only under direct supervision incident to a physician or NPP.” (Emphasis added).

• Failure to properly document the services provided. Although this reason for denial is among the most frequent we have seen cited in administrative audits, it has also been a component of both Civil Monetary Penalty assessments and False Claims Act cases against urogynecology, OB/GYN, and multidisciplinary practices. Government contractors, the OIG and DOJ often use this deficiency to support their claims that the services billed were not medically necessary.
• Billing for medically unnecessary services. In multiple instances, defendants were alleged to have provided and billed for diagnostic services that were not reasonable and necessary.
• Submitted claims for diagnostic services when therapeutic services were provided. For example, in at least one case, the defendants were alleged to have improperly submitted claims for diagnostic electromyography (CPT Code 51784) and diagnostic anorectal manometry (CPT Code 91122) when therapeutic, not diagnostic, services had been provided.
• Billing for Evaluation & Management services that were never provided.

It is important to keep in mind that if your clinic is audited, the results of the government’s review can lead to:

          An assessment of Civil Monetary Penalties by the OIG;

          Allegations of violations of the False Claims Act by either DOJ or by a whistleblower; and

          Allegations of violations of criminal law.

If your claims are audited, it is essential that you assess your documentation before turning it over to the government.  We typically assess the date of service / claim at issue and submit a comprehensive analysis of the documentation to ascertain whether the claim qualifies for coverage and payment.

VI.  Responding to an Audit:

Should you receive notice of an audit or investigation from a CMS contractor, the OIG or the Department of Justice (DOJ), we strongly recommend that you contact a qualified health care regulatory lawyer before responding to the request.  To be clear, not every CMS contractor audit requires the services of an attorney.  Nevertheless, it is in your best interests to first consult with your attorney.  Every case is different.  The approach you take when responding to an audit will depend, in part, on the claims at issue, the entity conducting the audit and the scope of review.  When we are engaged to handle these audits, several of the steps we take include:

Legal counsel should contact the CMS contractor, the OIG or DOJ and attempt to obtain any additional information regarding the nature and scope of the audit. All requests for medical records and other information must be taken seriously.  You can’t  take the position that a request from a CMS contractor (such as Zone Program Integrity Contractor (ZPIC) or a Uniform Program Integrity Contractor (UPIC)) can be taken less seriously.  Both ZPICs and UPICs are program integrity contractors and will not hesitate to make a referral to OIG or DOJ if evidence of improper billing or fraud is identified.  

We strongly recommend that you limit any direct communications between you and the auditors. Remember, everything you say is evidence.  A quick review of high-profile cases now in the news will confirm that the government won’t hesitate to pursue prosecutions based on obstruction, false statements and similar legal violations other than those based on the substantive claims under review.

Qualified legal counsel should immediately conduct its own assessment of the claims at issue. For instance, in our firm, the attorneys working on your case are also likely to be “Certified Medical Reimbursement Specialist” and / or a “Certified Medical Compliance Officer.”  Make sure that your legal counsel is experienced in assessing the medical necessity, documentation, coding and billing issues in your case.

Work through your counsel to properly and fully respond to a request for documentation.  Always keep a copy of any information shared with the government or its contractors.  Most of the time, you will submit a copy of the medical records requested when responding to the request.  However, in limited instances, a subpoena may require that you turn over the original documents (or send over a mirror image of the electronic records).  If that is the case, be sure and keep a copy!

Legal counsel will try to “get in front of the case.” You need to know about, and prepare to respond to potential problems that the government may raise after reviewing your claims.

VII.  Conclusion:

Don’t wait until you are being audited to review your medical necessity, documentation, coding and billing practices! Urogynecology, OB/GYN, and multidisciplinary practices should take steps now to ensure that an effective Compliance Program is in place and that you and your staff are fully complying with applicable statutory and regulatory requirements.

Robert W. Liles serves as Managing Partner at the health law firm, Liles Parker, Attorneys and Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with ZPIC audits, UPIC audits, OIG audits and DOJ investigations.  For a free initial consultation regarding your situation, call Robert at:  1 (800) 475-1906.

[1] Biofeedback is a mind–body technique that can be used to train individuals how to modify their physiology for the purpose of improving physical, mental, emotional health. Clinical biofeedback can be assist in managing a patient’s symptoms through stress management training and can assist in the re-education of muscles to help address urinary incontinence. For additional information, see Ment Health Fam Med. 2010 Jun; 7(2): 85–91.

[2] In order to qualify for coverage, biofeedback must be rendered by a qualified practitioner in an office or other facility setting. The Centers for Medicare and Medicaid Services (CMS) has reaffirmed its existing national noncoverage policy for home biofeedback devices in the treatment of urinary incontinence.  For additional information in this regard, please see CMS’s guidance dated March 1, 2002, titled “Coverage Decision Memorandum for Home Biofeedback for Urinary Incontinence.”  

[3] A failed trial of pelvic muscle exercise training is defined as “no clinically significant improvement in urinary incontinence after completing 4 weeks of an ordered plan of pelvic muscle exercises to increase periurethral muscle strength.”

[4] National Coverage Determination (NCD) for “Biofeedback Therapy for the Treatment of Urinary Incontinence (30.1.1),”  (effective July 1, 2001).

[5] Comprehensive Error Rate Testing (CERT) audits are a limited exception to this general rule.  Pursuant to the Improper Payments Information Act of 2002, CMS is required to estimate the improper Medicare fee-for-service payments made to health care providers each year by Medicare Administrative Contractors (MACs). Consistent with this mandate, CMS utilizes the CERT program to estimate the error rate.  Essentially, the purpose of a CERT audit is to verify whether a Medicare Administrative Contractor is properly paying Medicare claims and has effective edits in place to deny (or place in suspense) claims that for one reason or another may not qualify for coverage and payment.

[6] Use of Modifier 25;

[7] This example of the supervision requirements governing CPT Code 91122 services is set out the Local Coverage Determination guidance issued by First Coast Service Options sets out the supervision requirements See “Anorectoral Manometry and EMG of the Urinary and Anal Sphincters” (L33263).  Applies to services performed on or after October 1, 2016.

[8] For example, the supervision requirements governing these services is set out the Local Coverage Determination guidance issued by National Government Services, Inc. See “Outpatient Physical and Occupational Therapy Services,” (L33631). Applies to services performed on or after January 1, 2018.

UPIC Dental Audits (Such as Qlarant Dental Audits) Have Been Initiated. Is Your Practice Ready for its Medicare Dental Claims or Medicaid Dental Claims to be Audited?

(July 3, 2018):  While a number of Medicare Advantage Plans now offer supplemental coverage for preventive, basic, and major dental services, only a narrow category of dental services qualify for coverage and payment under standard Medicare Part A (pursuant to Section 1862(a)(12) of the Social Security Act).  Presently, only qualifying Medicaid beneficiaries are likely to have dental services coverage.  With this in mind, last week’s Press Release by the Centers for Medicare and Medicaid Services (CMS) is especially pertinent.  As CMS announced, the agency is implementing “new and enhanced initiatives designed to improve Medicaid program integrity through greater transparency and accountability, strengthened data, and innovative and robust analytic tools.”  What does this mean for dentists and dental practices participating in the Medicaid program? Simply put, it means more dental audits and a much closer scrutiny of your assessment of medical necessity, documentation of the dental services provided, utilization practices and any business arrangements in which you participate.  This will become especially apparent as Unified Program Integrity Contractors (UPICs) transition into their new roles as program integrity contractors of both Medicare and Medicaid claims.  Over the last few months, we have noted that dentists and dental practices around the country are increasingly being targeted by UPICs in connection with government-paid claims. This article examines the history and direction of the CMS’s Fraud Prevention efforts and provides a thorough discussion of UPICs, highlighting their purpose, jurisdiction, and functions.

I.  What is a UPIC?

Although UPICs are free to audit both Medicare and Medicaid dental claims in their jurisdiction, this article is primarily focused on the UPIC’s targeting of Medicaid dental claims.  As set out in Section 1.2 of the CMS Medicaid Program Integrity Manual:

“Unified Program Integrity Contractors (UPICs) are contracted entities with CMS that conduct investigations and audits related to activities in an effort to reduce fraud, waste, and abuse in both the Medicare and Medicaid programs. The UPICs operate in geographic areas or “jurisdictions” defined by individual Task Orders.  The UPICs Perform numerous functions to detect, prevent, and deter specific risks and broader vulnerabilities to the integrity of the Medicare and Medicaid programs including, but not limited to:

• Proactively identify incidents of potential fraud, waste, and abuse that exist within its service area and take appropriate action on each case;
• Investigate allegations of fraud made by beneficiaries, providers/suppliers, CMS, Health & Human Services Office of Inspector General (OIG), and other sources;
• Explore all available sources of fraud leads, including the state Medicaid agency (SMA) and the Medicaid Fraud Control Unit (MFCU);
• Refer and/or recommend appropriate Medicaid administrative actions to state Medicaid agencies where there is reliable evidence of fraud, including, but not limited to, overpayments, payment suspensions and terminations;
• Refer cases to the OIG/Office of Investigations (OI) for consideration of civil and criminal prosecution and/or application of administrative sanctions;
• Partner with state Medicaid Program Integrity Units to perform the above activities for the Medi-Medi program and Medicaid-only investigations; and
• Work closely with CMS on joint projects, investigations and other proactive, anti-fraud activities. The UPICs utilize a variety of techniques to address any potentially fraudulent, wasteful, or abusive billing practices based on the various leads they receive. The UPICs Integrate the program integrity functions for audits and investigations across Medicare and Medicaid, and assure that CMS’s National priorities for both Medicare and Medicaid are executed and supported at the state level or within the UPIC jurisdiction.”  (emphasis added).

II.  Purpose of the UPIC Program:

The purpose of the UPIC program has been to consolidate the work currently being performed by various Medicare and Medicaid program integrity contractors under a single private sector contractor.  Each UPIC is responsible for handling federal level program integrity audits for both Medicare and Medicaid within a defined geographic area (typically comprised of multiple states).  The following private sector contractors have been awarded UPIC contracts:

• Qlarant (Previously known as “Health Integrity, LLC”) (Western Jurisdiction)
• AdvanceMed Corporation (Midwestern Jurisdiction)
• IntegriGuard, LLC, dba HMS Federal (Indefinite Delivery, Indefinite Quantity[1])
• Noridian Healthcare Solutions, LLC (Indefinite Delivery, Indefinite Quantity)
• Safeguard Services LLC (North Eastern Jurisdiction)
• StrategicHealthSolutions, LLC (Indefinite Delivery, Indefinite Quantity)
• TriCenturion, Inc. (Indefinite Delivery, Indefinite Quantity)

Recognize a few familiar names?  You should.  Virtually all of these private sector companies have previously been awarded one or more prior CMS audit contracts.  In any event, it has taken a while for CMS to wind-down existing program integrity contracts with Zone Program Integrity Contractors (ZPICs), responsible for auditing Medicare claims and Medicaid Integrity Contracts (MICs), responsible for auditing Medicaid claims.  Those efforts are still ongoing in several areas of the country. 

III.  UPIC Dental Audits:

A number of dentists and dental practices around the country are currently receiving audit letters from Qlarant[2], the UPIC responsible for conducting both Medicare and Medicaid program integrity audits in the Western Jurisdiction.  While dental audits are nothing new, the initiation of UPIC audits of Medicaid, and in some cases, Medicare dental audits, has significantly raised the level of risk faced by participating dental providers.  Like their ZPIC predecessors, UPICs are actively looking for evidence of fraud and will not hesitate to make a referral to federal and / or state prosecutors if potentially criminal conduct is identified.[3]

Over the last few months, a number of Medicaid dental providers have called our office and asked, “Why on earth is my dental practice being targeted by a UPIC.” Simply speaking, as occurrences of dental claims fraud and improper billing practices have increased over the course of the last few years, so has the likelihood of potential dental claims audits. CMS’s reasoning becomes more apparent when you consider the fact that Medicaid spending has increased from $456 billion in 2013 to an estimated $576 billion in 2016.  In consideration of these factors, CMS has determined that there are significant Medicaid dental program integrity risks that must be addressed.  Not surprisingly, UPICs such as Qlarant are now actively auditing Medicaid dental claims.  When auditing Medicaid dental claims, UPIC auditors will undoubtedly address the following factors:

• Whether the Medicaid dental services billed were actually rendered;[4]
• Whether the Medicaid dental services rendered were medically necessary;[5]
• Assuming that the Medicaid dental services were, in fact, medically necessary, do they qualify for coverage under the payor’s contract?[6]
• Whether the documentation maintained meets applicable State Dental Practice Act requirements AND any required documentation requirements mandated under your State Medicaid Provider Agreement, AND (if applicable to a particular claim), any other requirements that may be set out under your contract with a Medicaid Advantage Plan.[7]
• Whether one or more other statutes (such as the Anti-Kickback Statute) were violated which effectively renders one or more Medicaid dental claims non-payable;[8]
• Whether the dental services rendered were properly coded[9]; and
• Whether the dental services rendered were properly billed.[10]

IV.  What you can Expect in UPIC Dental Audit of Your Medicare Dental Services or Medicaid Dental Services?

Although UPIC dental claims audits can be generated in a wide variety of ways, most are the result of claims data mining assessments, complaints by patients (or in some cases, competitors), or referrals from another government contractor.[12]  Through data mining, UPIC auditors can tell with a high degree of accuracy how long it should take for you to perform all of the dental services you billed in a single day. They will also compare your dental claims billing patterns to those of other dental providers.  If any of your billing practices or patterns appear to be irregular, they will initiate an audit of your dental claims.  Regardless of the reason your dental claims have been targeted, if a UPIC initiates an audit of your dental practice you can expect several things. For instance, if your Medicare / Medicaid dental claims are audited by Qlarant or another UPIC, you will likely be asked to provide the following documentation for each date of service under review:

• Hospital history and physical;
• Hospital records;
• Medical diagnosis;
• Medical imaging, laboratory studies, radiology studies;
• Dental exam with dental chart;
• Health history
• Referrals
• Consultations
• Consents for treatment and anesthesia
• Proposed treatment plan or plan of care
• Complete dental record and treatment plan including ADA CPT procedure codes, tooth number and surface for each tooth that received treatment
• Pre-operative exam notes
• Dental imaging, radiology, panoramic x-rays (pre and post procedure)
• Comorbidities
• Progress notes
• Operative/procedure notes
• Anesthesia record
• Post-operative status
• Complications
• Post-operative call record
• Medications and/or anesthesia administered
• Medications ordered
• Discharge instructions
• Follow up appointments
• Dental claim form
• Appointment history report
• Itemized ledger report
• Statement of billing
• Remittance advice
• Any other documentation to support the billed claim

You may also be subjected to an “unannounced visit” by a UPIC auditor.  These unexpected face-to-face visits have become quite common.  If this occurs, the UPIC auditor will typically provide you with a list of claims to be reviewed but will also want to obtain a sample of the associated medical records before they leave the practice.  As part of the site visit, the UPIC auditor may also request to interview your personnel.  This is where it can get quite complicated.  As a participating provider, you have an affirmative obligation to cooperate with the UPIC’s requests.  Unfortunately, the interview of you and your staff could possibly lead to admissions against interest.  Call your attorney if a UPIC pays an unexpected visit your practice.  We can usually negotiate a time with the auditor so that you (and members of your staff) can be represented by legal counsel.

Often, your first notice of an audit will be the receipt of a letter outlining a UPIC’s dental records request. As a participating provider in the Medicare and / or Medicaid programs, you are required to furnish and submit sufficient information to justify payment as a basic condition of our participation.  UPIC audit letter typically require that you submit the appropriate records and information within 30 calendars days (from your date of receipt of the UPIC’s letter).  Should you fail to comply with a request for dental records, the UPIC may:

• Issue a determination that an overpayment has been made.
• Allege that the claims request was a Statistically Valid Random Sample (this depends on the size and nature of the initial claims audit). If eligible, the UPIC may then project your error rate to the universe of claims processed during the particular time frame of your audit.
• Request that CMS suspend your Medicaid payments.
• Recommend to the HHS, Office of the Inspector General (OIG) that you and / or your dental practice be excluded from participation in federal and state health benefit programs (including, but not limited to Medicaid) in accordance with § 1128(b)(11) of the Social Security Act.

 V.  UPIC Dental Audits – Worst Case Scenario:

It is important to keep in mind that UPICs view themselves as an arm of law enforcement. Whether you agree with the UPIC’s view of their role or not, the fact remains that UPICs are always on the lookout for evidence of wrongdoing, improper conduct or fraudulent acts that go beyond what is typically associated with a mere overpayment. When potentially-fraudulent conduct is identified, referrals to federal or state law enforcement and / or licensure agencies may be made.  In addition to facing administrative sanctions such as revocation, suspension and / or exclusion, these referrals may also lead to one or more of the following actions:

• Revocation of a dentist’s DEA permit.
• Referral to the State Dental Board for investigation and possible disciplinary action.
• The assessment of Civil Monetary Penalties (CMPs) by OIG.
• Referral to the U.S. Department of Justice (DOJ) for possible civil prosecution of False Claims Act violations.
• Referral to the DOJ for criminal prosecution. These cases have typically involved violations of the Anti-Kickback Statute, Health Care Fraud and / or other criminal laws.  Examples of conduct that has led to criminal prosecution include billing Medicaid for unnecessary procedures and / or billing Medicaid for procedures that were never performed.
  • In one case, a single dentist and his former employer were unable to produce medical records to support 335 claims totaling $26,657 that were sampled at his practice.
  • In another case, a dentist was audited because it was virtually impossible for him to complete all of the services he billed for in a single day. When asked about the billings, he reportedly stated that he could complete a filling procedure in 30 seconds.  As you can imagine, the government didn’t believe the dentist.
  • One government audit found that two dentists billed for four or more fillings on one tooth or for two types of fillings on the same surface of the same tooth.
• Billing Medicaid for substandard work.
• Submitting claims for reimbursement under another dentist’s Medicaid provider number.
• Too many or too few X-rays. In some cases, the x-rays have been taken incorrectly, taken by employees not licensed to operate the x-ray machine, and/or unreadable or even blank.

VI.  Preparing for a Dental Claims Audit:

Dental providers must realize that they are responsible for any and all claims submitted by their practice, whether or not they even have direct knowledge of the claim.  You are liable for all of the information recorded on the Dental Claim Form.

• Do you have an effective Compliance Program in place? It is required under the Affordable Care Act.  Moreover, most state Medicaid programs require that a such a plan be in place.  Finally, all Medicaid Advantage plans require that participating dental providers have a Compliance Program.
• Have you and your staff reviewed necessary information regarding specific codes for billing Medicaid dental claims? Have you paid special attention to federal / state regulatory requirements, State Dental Practice obligations, and your contractual mandates?
• When was the last time you conducted an internal dental claims audit and examined whether the services you are providing fully reflect medical necessity requirements, are documented to meet the requirements of the payor, and are properly coded and billed?
• When was the last time you conducted an audit of your dental business practices? Are your practices free of any possible violations of the False Claims Act or Anti-Kickback Statutes?
• Have you fully implemented each of your obligations under HIPAA and HITECH?
• Do you have an effective anonymous compliance reporting mechanism in place? Have you advised and trained your dental practice staff on their obligations to report improper billings or conduct to your practice’s Compliance Officer?
• Are you screening your dental practice employees, contractors, vendors and contractors through all Federal and State exclusion databases?

Being able to answer these questions can significantly reduce your exposure to outside audits and can help you in setting up (if you have not already done so), and maintaining an effective Compliance Program. It is our recommendation that you engage a suitable, qualified entity to help you. In this regard, Liles Parker can provide you with the advice and counsel you need. Our attorneys represent dental practices in both Medicaid and private payor dental audits. Moreover, we can assist you in assessing your current level of compliance so that you will be better prepared if your practice faces a UPIC audit in the future.

Robert W. Liles, J.D., M.B.A., M.S., serves as Managing Partner at the law firm Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent dentists and dental practices around the country in connection with Medicaid claims audits and audits by private payors.  For a free initial consultation, give us a call at: 1 (800) 475-1906.

[1] What does it mean if a contractor has been awarded a UPIC contract but it is designated as “Indefinite Delivery, Indefinite Quantity?”  This is a term that is used by the General Services Administration (GSA) when the agency is not yet in a position to determine, above a specified minimum, the precise quantities of supplies or services that the government will require during a contract period. Essentially, it means that the ZPIC contracts in the remaining jurisdictions remain in place and are winding down.  As those contracts terminate, the new UPIC contracts will be implemented.

[2] Qlarant was formally known as “Health Integrity, LLC” when it operated as a ZPIC for Zone 4.

[3] In contrast to their ZPIC predecessors (which are only responsible for auditing Medicare claims), UPICs are responsible for conducting program integrity audits of both Medicare AND Medicaid claims.

[4] For example, in 2017, the U.S. Attorney’s Office for the District of Nebraska unsealed an Indictment against a Nebraska-licensed dentist alleging that the dentist submitted approximately 129 claims to the Nebraska Medicaid program for dental services that the government alleges were never performed.  The defendant dentist has been charged with violations of Health Care Fraud, 18 U.S.C. §1347.

[5] In its earlier incarnation as a ZPIC, it was our experience that Health Integrity auditors sometimes conflated “medical necessity” with “coverage.”  This often resulted in audit findings proclaiming that one or more services rendered were allegedly not medically necessary, when in fact the services were medically necessary, they just didn’t qualify for coverage under the payor’s contract.

[6] See Footnote #5.

[7] In our review of dental claims, the lack of adequate documentation has been identified as the primary reason cited by auditors when denying payment.  Dentists and dental professionals MUST review federal and state regulatory requirements, along with applicable contractual obligations to ensure that their documentation practices are fully compliant with coverage and payment rules.

[8] For example, in November 2017, the U.S. Attorney’s Office for the Southern District of New York unsealed a Complaint against a New York licensed dentist and a non-licensed individual performing unauthorized dental services.  As the Complaint reflects, some of the Medicaid claims billed were associated with patients who had been recruited to the dental practice and paid kickbacks of $25 to undergo minimal dental procedures.

[9] Improper coding practices can take a wide variety of forms.  While “upcoding” and “billing for services not rendered” are perhaps the most common violations cited by dental claims auditors.  We have also seen instances where dentists or dental practices have rendered non-covered services but have miscoded the services so that they would qualify for coverage and payment.

[10] While every dental practice is different, a common billing error that we have identified in our compliance reviews has been that dental practices often fail to credential new dentists with one or more payors in a timely fashion.  Instead, the practices improperly bills for the dental services rendered by a non-credentialed provider under the number of a credentialed provider.  We have found this problem when auditing both Medicaid and private payor dental claims.  This improper practice can lead to the repayment of overpayments, referral to one’s State Dental Board, liability under the civil False Claims Act, and, in more serious cases, in criminal prosecution.

[11] https://www.medicaid.gov/medicaid/cost-sharing/out-of-pocket-costs/index.html

[12] For a more detailed discussion of how UPIC audits are generated, please see: Medicare Program Integrity Manual, Chapter 2, §2.3.  The sources utilized by UPICs are the same as those relied on by ZPICs.

Is ePHI Encryption Required? The Failure to Properly Protect ePHI Can be Quite Costly.

(June 27, 2018):  Violations of the Health Insurance Portability and Accountability Act (HIPAA), where a Covered Entity[3] has failed to utilize ePHI encryption can be quite costly. The loss of unencrypted electronic media containing Protected Health Information (PHI)[1] can result in big fines as one Texas medical center has recently learned the hard way.  As a case ruling issued earlier this month reflects, the University of Texas MD Anderson Cancer Center (MD Anderson) was fined $4.3 million for their loss of two unencrypted USB drives and theft of an unencrypted laptop.  This article examines this case in more detail and discusses your obligations to protect electronic PHI (ePHI) from improper disclosure or access by unauthorized persons.

I.  Is ePHI Encryption Required by Covered Entities?

The Department of Health and Human Services (HHS) oversees compliance and enforces HIPAA’s sanctions for noncompliance through its Office for Civil Rights (OCR).  In cases involving possible criminal conduct, the OCR works with the Department of Justice (DOJ).

The HIPAA Omnibus Rule has changed the enforcement provisions.^[2] Previously, the agency had discretion in choosing whether to investigate complaints or potential violation in cases where the Agency’s preliminary review reveals a possible violation due to willful neglect.  Now, the agency is required to initiate a formal investigation when a party appears to have exhibited willful neglect.  If an investigation is performed, it may include a review of pertinent policies, procedures, or practices of the Covered Entity and the circumstances of the alleged violation.  Documentation and evidence of compliance are key to ensuring no penalties are assessed by OCR.

Notably, the HIPAA Omnibus Rule modified HIPAA’s Privacy, Security and Enforcement Rules in order to implement the statutory amendments set out under the Health Information Technology for Economic and Clinical Health Act (HITECH).  Under HITECH, a Covered Entity is required to conduct a comprehensive “security risk analysis” of the administrative, physical, technical and operational aspects of your organization.  For each category, the Security Rule establishes both required and addressable implementation specifications.

Implementation specifications that are identified as required must be fulfilled by a Covered Entity.  The failure to implement required specifications will be automatically deemed to be a failure to fully comply with the requirements of the HIPAA Security Rule.  In contrast, specifications that are identified as addressable must only be implemented if, after a risk assessment, the Covered Entity has concluded that compliance with the specification is a reasonable and appropriate security risk safeguard for handling PHI and ePHI.

Contrary to popular belief, Covered Entities are not mandated by law to encrypt ePHI.  As the security risk assessment implementation specification covering encryption is expressly noted as an addressable specification, it is not required.  As 45 C.F.R. §164.312(a)(2)(iv)[4] expressly provides:

 “(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.”

Clear as mud?  If you are still confused as to your obligations, you aren’t alone.  Although you may determine that it would be reasonable for you to NOT encrypt a certain set of ePHI, you need to keep in mind that if there is a potential breach (through loss, theft, negligence, etc.) the OCR will be second-guessing your decision-making in this regard.

II.  The Encryption “Safe Harbor”:

Section 13402 of HITECH extended the privacy provisions of HIPAA by requiring that Covered Entities and their business associates notify affected individuals after discovering breaches of unsecured PHI.^[5] Breach, in this case, means the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information.^[6] Generally, incidents within the Covered Entity (between employees) or unintentional disclosure to a business associate are not breaches. Thus, if an employee sends an email inappropriately but in good faith containing PHI to a co-worker and neither employee shares it with others, it is not a breach. If the email goes to someone who is not an employee of the entity or a business associate, it may well be.

Furthermore, the breach notification requirements apply only to “unsecured PHI”— meaning PHI that is not secured through the use of technology or methodology specified by the Secretary, such as encryption or destruction that renders the paper unusable, unreadable, or indecipherable.^[7]  Therefore, if a Covered Entity encrypts information to comply with the Security Rule and subsequently discovers a breach of that information (through loss, theft, accidental delivery to the wrong person, etc.), the Covered Entity is not required to provide notice of the breach.  If the information is protected through a firewall or some other means not approved by the Secretary, then notification would be required for a breach.  To ensure encryption keys are not breached, they should be kept on a separate device from the data to which they apply.

III.  The MD Anderson Case:

In the MD Anderson case, the cancer center supposedly lost two unencrypted flash drives and experienced the theft of an unencrypted laptop.  Collectively, the devices were estimated to have contained the PHI of approximately 33,500 patients. The OCR alleged that the cancer center did not comply with regulatory requirements by:

“(1) failing to perform its self-imposed duty to encrypt electronic devices and data storage equipment; and (2) it allowed ePHI to be disclosed. “

Pursuant to 45 C.F.R. pt. 160 and 45 C.F.R. pt. 164, subpts. A, C, D, and E, Covered Entities are generally required to:

“ensure the confidentiality, integrity, and availability of all ePHI that the entities create, receive, maintain, or transmit; protect such information against any reasonably anticipated threats or hazards to its security; protect ePHI against any reasonably anticipated impermissible uses and disclosures; and ensure compliance with these requirements by their workforces.”

While the cancer center had policies and procedures for maintaining the safety of ePHI, it was alleged that they did not implement those as required by 45 C.F.R. § 164.312(a)(1).  MD Anderson argued that they satisfied this regulation because there were technically policies and procedures put in place to allow PHI to be encrypted.  MD Anderson’s procedures for protecting ePHI included:

1. Password protection of all computers and portable computing devices accessing potentially confidential information;

2. A requirement that confidential or protected data stored on portable computing devices must be encrypted and backed up to a network server in the event of a disaster or loss of information;

3. Annual employee training event that provided its employees with training in areas that included ePHI transmission and proper disposal; a prohibition against password sharing; a discussion of password necessity and integrity; an explanation of authorized and proper use of information systems, and training about information security resources.

Unfortunately, MD Anderson’s policies and procedures in this regard were shown to be incompletely or ineffectively implemented. The laptop and two USB drives in question were not encrypted as required by the cancer center’s policies and procedures.  MD Anderson’s attempts to ensure implementation of its ePHI protection policies and procedures were characterized as “half-hearted” by the ALJ handling the case.  MD Anderson was found to have delayed the encryption of devices and, after years, only proceeded slowly with the implementation of the encryption policy claiming financial issues were to blame.

The laptop in question was being used by a telecommuting employee as work computer and it was neither encrypted nor password protected. The laptop was stolen from the home of the employee and the ePHI was vulnerable although no breeches in the security of the patients concerned in the PHI resulted.  The first USB concerned was lost by a trainee while on an employee shuttle bus. The second USB was lost by a visiting researcher.

The OCR considered the theft of the laptop and the losses of the USB flash drives to be unlawful disclosures of ePHI because these actions constituted the “release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.”

IV.  Defenses Raised by MD Anderson:

In its defense, the cancer center raised a number of arguments before the ALJ, several of which are outlined below.

• As a State Entity, MD Anderson is Not a “Person” as Defined Under HIPAA.  In addition to arguing that the Secretary, HHS had acted beyond the authority of the position, MD Anderson also argued that as an entity of the State of Texas, it did not constitute a “person” and was therefore not covered under HIPAA.  The ALJ disagreed.

• The Penalties Assessed by the Secretary Were Excessive.  Secondly, MD Anderson argued that any penalties assessed should be capped at $100,000 per year.  The cancer center also cited 45 C.F.R. § 160.546(b) and asked that the ALJ reduce the assessed penalties to below the statutory cap.  Notably, the ALJ refused to lower the penalties imposed by the Secretary, HHS, claiming that doing so would “constitute an end run around the Secretary’s intent as expressed in the regulation.”[8] The ALJ also cited 45 CFR 160.408 which allows aggravating factors such as the general pursuit of justice to dictate fine amounts.  Additionally, MD Anderson also claimed that the high penalties imposed were a violation of the excessive fines provision outlined in the 8^th Amendment.  Not surprisingly, the ALJ responded that it did not have the authority to consider the constitutionality of the ruling.  Each of MD Anderson’s arguments were addressed in the ALJ’s decision.

• The Theft and Loss of Devices Do Not Constitute a “Disclosure” Under HIPAA. MD Anderson further argued that stolen or lost property cannot constitute a “disclosure” of sensitive material mainly because there is no evidence the PHI was viewed by anyone. However, the mere fact that the PHI was compromised and rendered vulnerable to viewing by an unauthorized person was deemed enough to constitute a disclosure in violation of HIPAA. Finally, the cancer center argued that the behavior of the individuals who lost USB drives was unsanctioned along with the actions of the thief.  Therefore, there was no basis to hold MD Anderson responsible for these unauthorized acts.  Not surprisingly, the ALJ disagreed, holding that although the employees may have disobeyed MD Anderson’s policies, the actions of transporting the data were within the scope of their official duties.

• The OCR Has Failed to Apply HIPAA’s Regulations Consistently.  Among concern by the Texas Cancer Center that their key arguments were not seriously considered, there was also concern that the OCR’s enforcement of HIPAA regulations is not transparent or consistent[9]. With the Texas Cancer Center’s fine being the 4^th largest ever upheld, there seems to be merit to the claim that regulations are not being consistently or fairly enforced. For example, in a 2010 case involving Rite Aid, the large national drug store chain agreed to pay $1 million to settle HIPAA privacy violations after several of its pharmacies were videotaped disposing of prescription pill bottle labels which contained identifying information into dumpsters with public access[10]. It seems odd when comparing the two cases that one of the nation’s largest drug store chains was fined less than one quarter of the amount of fines assessed against MD Anderson for the violations discussed above.

V.  Next Steps for MD Anderson:

MD Anderson Cancer Center has expressed plans to appeal the ALJ’s ruling[11]. The cancer center feels not only that the $4.3 million in fines is too much but that the ruling does not take into account the policy and procedure the center had already created. At the end of the day, however, it isn’t the availability of a mechanism to keep ePHI safe that matters but that strong efforts are made to ensure ePHI is actually being protected. Failing to carry out policy and procedure can bring serious fines.

VI.  Steps You Can Take to Comply with Your Obligations Under HIPAA and HITECH:

• Compliance Officer. Appoint a Compliance Officer for your organization.
• Breach Insurance. Review your options for purchasing insurance to cover any damages and penalties that may result from an unintentional breach or unauthorized disclosure.
• Notice of Privacy Practices. Ensure that an updated Notice of Privacy Practices is in place.
• Patient Consent Form. Ensure that an appropriate “Patient Consent Form” is in place.
• Business Associate Agreements. Ensure that an appropriate “Business Associate Agreement” is in place with each of the outside entities with whom you use or disclose PHI. Additionally, check with your business associates and verify that they understand their obligations and will only provide any subcontractors access to your ePHI with your permission. Will you require that your business associate obtain breach insurance?
• Policies and Procedures. Review and update all of your policies and procedures required to meet your obligations under HIPAA and HITECH to comply with the law and implement safeguards to protect the integrity of the individually identifiable health information under your control:
  • Privacy Rule;
  • Security Rule;
  • Enforcement Rule;
  • As mandated in connection with your Security Risk Analysis;
  • Other policies and procedures needed to address risks involving social media, using your own cell phones, telecommuting, etc.
• ePHI Encryption. Review your operational practices to ensure that ePHI is encrypted to prevent improper use or disclosure. Although encryption may not be mandated, it is essential if you are trying to reduce your organization’s level of risk.
• Backup Procedures.  Review your backup procedures and ensure that in the event of a disaster or other unforeseen event, a complete encrypted copy of your patient’s ePHI is safely maintained.
• Security Risk Analysis. Perform / update the Security Risk Analysis of your organization and assess any outstanding specifications that still need to be met. Additionally, review the risks and vulnerabilities of a potential breach and / or the wrongful disclosure of ePHI.
• Employee Training. Ensure that all of your staff is trained on their obligations to comply with HIPAA’s requirements under the law.  Furthermore, ensure that all new members of your staff are trained on their obligations under the law within 30 days of entering on duty.
• Minimum Necessary. Review your use and disclosure practices to ensure that the minimum necessary standard is being met.
• Breach Response Plan. Develop a breach response plan (including, but not limited to breach notification when needed, analysis of the cause of the breach, remedial steps and any additional staff training that may be needed), to better ensure that your organization can effectively respond to a breach incident.

Robert W. Liles serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Is your organization dealing with a potential HIPAA breach or unauthorized disclosure?  For a free initial consultation, contact Robert or one of the other attorneys at Liles Parker.  1 (800) 475-1906.

[1] The term “Protected Health Information” (PHI) covers individually identifiable health information that is transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium. The rules do not include “de-identified information,” individually identifiable information where all 18 identifiers have been removed.  Such information can be used without restriction or patient authorization. The following table describes the identifiers that must be removed in order to qualify as de-identified information.

[2] 78 Fed. Reg 5566 (Jan. 25, 2013), available at https://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf (last accessed June 2018).

[3] A “Covered Entity” is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a standard transaction

[4] 45 C.F.R. §164.312(a)(2)(iv). https://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-312.pdf

[5] For additional information, see the Breach Notification Final Rule Update, available at

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/finalruleupdate.html (last accessed April 2018).

[6] 45 C.F.R. § 164.404.

[7] 45 C.F.R. § 164.402.

[8] https://www.hhs.gov/sites/default/files/alj-cr5111.pdf

[9] https://www.beckershospitalreview.com/cybersecurity/md-anderson-slapped-with-4-3m-penalty-for-hipaa-violations.html

[10] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/rite-aid/index.html

[11] http://www.modernhealthcare.com/article/20180619/NEWS/180619897

An Overview of Administrative Rheumatology Audits / Adverse Actions AND Civil / Criminal Enforcement Actions

(May 20, 2018):  It’s been a rough week for at least one Texas rheumatologist.  Last Monday, the U.S. Attorney’s Office for the Southern District of Texas announced the indictment of a South Texas rheumatologist for multiple counts of health care fraud and one count of conspiracy to commit money laundering.  The magnitude of the alleged fraud is daunting — the government has estimated the size of the fraud at approximately $240 million.  Commenting on the case, John P. Cronan, Acting Assistant Attorney General for the Justice Department’s Criminal Division stated that the physician:

“. . . violated his oath to do no harm by administering unnecessary chemotherapy and other toxic medications to patients with serious diseases — including some of the most vulnerable victims imaginable — are almost beyond comprehension.”

The defendant is alleged to have “misdiagnosed” numerous patients, some of which were vulnerable individuals who were young, elderly or disabled.  Four of the five counts of health care fraud in the indictment are alleged to arise out of the defendant’s “False Diagnosis of Rheumatoid Arthritis.”  You may wonder, how does something like a false diagnosis happen?  Unfortunately, diagnosing a patient with rheumatoid arthritis isn’t as straight-forward as it may seem from reading the government’s indictment.  There isn’t a single test that can be run to determine whether a patient has this diagnosis.  Instead, a physician has to take into consideration a patient’s symptoms, blood and diagnostic test results (none of which are definitive on their own), and a patient’s family and prior medical history.  Taken collectively, a physician will typically use this information and apply industry-accepted diagnostic criteria.  Regardless of how this case ends up being resolved, rheumatologists around the country should take note of the concerns that the government has raised. While this case currently dominates the headlines, it is important to keep in mind that this isn’t the first time that law enforcement has focused its attention on rheumatologists.  Far from it.  This article provides an overview of cases that have been brought against these specialty practices and will cover a number of steps that a rheumatologist can take to reduce his / her level of risk.

I.  Overview of Administrative Adverse Actions and Rheumatology Audits Against Physicians and Rheumatology Practices:

Administrative adverse actions against rheumatologists can take a number of forms, including, but not limited to: licensure actions, exclusion actions, and administrative claims audits.

A.  Texas Medical Board Disciplinary Actions.

As illustrated in this first case, it is imperative that rheumatologists fully document their mental impressions and the reasoning behind diagnostic conclusions reached.    

• Texas Physician Failed to Properly Document Objective Medical Evidence to Support a Rheumatology Diagnosis.

In this case, the Texas Medical Board (Board) entered into an Agreed Order[1] with a physician alleged to have violated the standard of care in a number of cases.  More specifically, the Board alleged that the physician provided treatment that was inappropriate and nontherapeutic. Additionally, the physician was alleged to have failed to perform adequate testing and document objective medical evidence to support his diagnosis for several patients.  Under the Agreed Order, the Board required that the physician submit the medical records of all of his rheumatology patients to a Board-approved rheumatologist for monitoring purposes for a set period of time.  The physician was also required to complete 24 hours of CME (four hours in medical record-keeping and 20 hours in rheumatology). How can you avoid committing these types of licensure violations? When documenting your medical decision-making process, Texas rheumatologists need to ensure that their medical records comply with both the applicable standard of care[2] AND fully meet the documentation mandates outlined in the Texas Administrative Code, Title 22, Part 9, Chapter 165. Medical Records §§165.1-165.6.[3]

B.  OIG Exclusion Actions.

As early as 1977, the Department of Health and Human Services (HHS) has been “excluding” individuals and entities from participation in Federal health benefits programs.  The HHS, Office of Inspector General (OIG) assumed responsibility for taking these administrative actions in 1981.[4]  What is an exclusion?  Simply put, if an individual is subjected to an adverse licensure action[5], is convicted of certain crimes, or has engaged in other specific enumerated conduct[6], he / she may be excluded from participation in Federal health benefits programs. It is important to keep in mind that an excluded party is not merely barred from participating in Medicare, Medicaid and other Federal health benefit programs.  Excluded parties may not even work for an organization that participates in these government health benefit programs.  There are two types of exclusion actions that are taken by the OIG.  “Mandatory” exclusion actions must be imposed by the OIG if an individual or entity is convicted of certain crimes.  In contrast, the OIG exercises the authority to impose or to waive certain exclusion actions that may be triggered by one or more other violations.  These types of exclusion actions are “Permissive” in nature.

As of April 2018, there are a total of 69,875 individuals and entities named in the List of Excluded Individuals and Entities (LEIE) maintained by the OIG.  The LEIE is one of 40 various databases that are supposed to be checked every 30 days[7] by providers in order to better ensure that no excluded parties have been hired. Of the 69,875 excluded individuals and entities currently on the LEIE, only five are specifically identified as physicians specializing in rheumatology.  Nevertheless, it is difficult to fully assess the number of physicians on the list that provide rheumatology services because of the limitations in the specificity of OIG’s database.  As we will see below, a number of the cases brought against rheumatologists for criminal conduct would undoubtedly require mandatory exclusion, in addition to any civil and criminal sanctions that may have been imposed.

C.  Administrative Rheumatology Audits by ZPICs and UPICs.

As a participating provider in Medicare’s Part B program, rheumatologists and their practices are subject to prepayment audit by a number of federal, state and private payor audit entities.  If your practice is placed on prepayment audit by a Medicare contractor, you may want to know how you ended up on the auditor’s radar.  We have repeatedly heard of instances where a Medicare contractor has told the practice that their placement on prepayment review was the result of a “random audit.”  Despite their assurances to the contrary, physicians should keep in mind that virtually NONE[8] of the Medicare audits we have seen are truly random.  The following Federal Register issuance included agency comments that confirm what we have all thought, CMS and its contractors do not conduct random prepayment audits of health care providers.  As CMS expressly set out in the Federal Register:

“Although section 934 of the MMA sets forth requirements for random prepayment review, our contractors currently do not perform random prepayment review. However, our contractors do perform non-random prepayment complex medical review. We are cognizant of the need for additional rulemaking should we wish our contractors to perform random review.”

How is a rheumatology practice targeted for an audit?  As the Centers for Medicare and Medicaid Services (CMS) has expressly noted in Chapter 2, Section 2.3 of the Medicare Program Integrity Manual (MPIM):

“Claims data is the primary source of information to target abuse activities.”

Utilizing this data, Medicare program integrity contractors employ predictive modeling and data mining to identify rheumatology care, treatment, coding and billing practices that would be considered “outliers” when compared to the utilization, coding and billing practices of their peers.  In the first quarter of 2018, we have already seen evidence that law enforcement, government agencies and their contractors are continuing to rely on data mining for targeting purposes.  How do your utilization, coding and billing practices compare to those of your peers?  No idea?  Now is the time to find out! Rheumatology audits are actively being conducted by Zone Program Integrity Contractors (ZPICs) and Uniform Program Integrity Contractors (UPICs) around the country.

Other sources of an audit include complaints by beneficiaries, overpayment data, referrals from other Medicare program integrity contractors, and reports published by OIG and Government Accounting Office (GAO) of specific improper coding and billing practices that they identified. Several of the specific issues identified in ZPIC and UPIC audits of rheumatology-related claims that we have defended have included:

1. Failure to Document a Diagnosis of Arthritis. The alleged failure to document a diagnosis of arthritis has been cited as a basis for taking action in ZPIC and UPIC administrative audits, Texas Medical Board disciplinary actions, civil False Claims Act cases and criminal prosecutions of rheumatologists.  As discussed in more detail in our discussion of rheumatology audits, this denial reason is subject to considerable dispute.  Unfortunately, there isn’t a single “test” or “symptom” that can be relied on by a physician when diagnosing a patient with rheumatoid arthritis, ankylosing spondalytis or a host of other rheumatic diseases.  Instead, a physician often relies on his / her professional experience and knowledge when diagnosing a patient with one of the conditions.  This problem is further exacerbated by the fact that CMS and its contractors have not issued specific guidelines (in the form of National Coverage Determination (NCD) or Local Coverage Determination (LCD) guidance) that outlines precisely what the government expects to see in order for a diagnosis to be properly documented.  Ultimately, a physician will need to show that the diagnosis has been based on accepted criteria such as “2010 American College of Rheumatology / European League Against Rheumatism Classification Criteria for Rheumatoid Arthritis.”[9]

2. Failure to Properly Document the Evaluation and Management (E/M) Level of the Visit. Despite the fact that specific guidance (1995 and 1997 E/M Guidance) on how Medicare E/M claims are supposed to be documented, coded and billed, many physicians still apply the less-specific, incorrect guidance set out in the AMA’s CPT Codebook.  When audited, Medicare program integrity contractors have often downcoded (or in some case, denied in their entirety) E/M claims.  (Although the AMA CPT Codebook is applicable when billing E/M services to private payors, the 1995 and 1997 E/M Guidance first issued by HCFA should be used as the proper measuring tool for Medicare claims).

3. Failure to Fully Document a Patient’s Condition. ZPICs and UPICs are regularly denying claims on the basis that a physician’s physical examination of the patient does not document the specific joints where swelling has been identified, the extent a patient’s range of motion has been impacted, the level of pain cited by a patient, and the duration of the patient’s painful condition.

4. Failure to Document the Medical Necessity of Biologics Used in Infusions. Not surprisingly, in large part due to its high cost, the medical necessity of infusions has been a favorite target of Medicare program integrity contractors and federal / state prosecutors.  Auditors often point out the fact that a physician has failed to document less invasive (and less expensive) treatment options that had been tried and failed to provide relief.

If a rheumatology practice is placed on prepayment review, it can be financially devastating for the organization.  Once put in place, it can take months to satisfy the Medicare contractor that it should be lifted.  Adding insult to injury, after a practice is placed on prepayment review, it is fairly common for a ZPIC or UPIC to then initiate a postpayment audit of the practice’s rheumatology claims.  While postpayment audits are not new, the number of these audits appears to be increasing.  Moreover, ZPICs and UPICs are frequently pulling a relatively small sample of 30 – 60 claims and then are extrapolating the alleged damaged based on the error rate that has been identified in the sample. In such case, we almost always work our own statistical experts to challenge the validity of the statistical sampling process and the resulting extrapolation of damages. Due to the high costs of biologics, it is fairly common for ZPICs and UPICs to seek alleged overpayments of millions of dollars.

II.  Overview of Civil and Criminal Fraud Cases Brought Against Physicians for Rheumatology-Related Care and Treatment Services: 

• Rhode Island Remicade® Infusion Fraud Case.

In this Rhode Island case, a physician was indicted by a Federal Grand Jury for health care fraud, illegal distribution of controlled substances, and money laundering.  The 152-count indictment also sought the forfeiture of about $5.9 million, alleged to be the proceeds of the physician’s criminal activity.  Over a four-year period, the physician was alleged to have personally treated more than 4,800 patients. A significant portion of the physician’s practice was the administration of infusion therapy to treat the symptoms of such diseases as rheumatoid arthritis, various blood disorders, and certain cancers.  Among the many counts set out in the indictment, the physician is alleged to have administered Remicade® without substantiating that a number of patients had been properly diagnosed as having rheumatoid arthritis.  Notably, he also reportedly failed to treat patients with necessary ancillary drugs and failed to test patients for certain risks associated with Remicade®, such as tuberculosis.  Finally, the physician is also alleged to have recorded dosages of Remicade® that greatly exceeded the recommended maximum dosages.  Before he could be arrested, the physician fled the country and is a fugitive on the OIG’s “Most Wanted List” today.  He is thought to have fled to Lebanon.

• Virginia Remicade® Infusion Fraud Case.

In this case, the Federal Bureau of Investigation (FBI) first began investigating a Virginia-based physician after receiving a report from a former patient that the physician had been overprescribing controlled substances.  Essentially, the former patient claimed that the physician prescribed the patient “whatever drugs she wanted” without performing a physical exam or medical tests.  As a result of the FBI’s investigation, the physician was indicted for the illegal distribution and for conspiring to distribute controlled substances. In the course of the investigation, the FBI interviewed two of the physician’s former employees.  In doing so, the FBI learned that the physician was also allegedly engaged in fraudulent conduct involving Remicade®.  After analyzing the physician’s billing practices, purchasing records and bank records, the government concluded that the physician had engaged in a number of fraudulent practices involving the billing of Remicade®.  The government’s concerns in this regard were later confirmed when the physician’s former assistant pleaded guilty to conspiring to distribute controlled substances.  The physician’s former assistant later testified at trial that the following four main fraudulent schemes were employed by the physician.  First, the physician was alleged to have billed for more Remicade® than the patients actually received.  Second, the physician billed for Remicade® infusions when the patients received a less expensive steroid medication.  Third, the physician supposedly billed for Remicade® infusions when the patients did not receive any infusions.  And, finally, the physician is alleged to have billed for Remicade paid for by other patients’ health care benefit programs.  Before the physician could be arrested, he fled the jurisdiction and is thought to have gone to Turkey.

• Kentucky Remicade® Infusion Fraud Case. 

In a case out of the Western District of Kentucky, a Louisville physician and his practice were alleged to have falsely billed the Medicare program for infusions of infliximab, a drug used in the treatment of patients with rheumatoid arthritis.  The specific allegations were that the physician and practice were “splitting” vials of infliximab across the infusions of multiple patients but billed the Medicare program as if a whole vial were used for each Medicare beneficiary.  It was further alleged that this improper conduct took place over a period of three years. A former employee of the practice filed a whistleblower case against the physician and his practice under the civil False Claims Act. The case was later settled for $349,860.00.  The defendants also had to pay for the whistleblower’s attorney’s fees.

• Oklahoma Remicade® Infusion Fraud Case.

In a case that was initially filed by a whistleblower under the civil False Claims Act, an Oklahoma physician in the Western District of Oklahoma was also later criminally charged with Medicare fraud. Through its investigation, the government claims that over a period of approximately 28 months, the practice billed Medicare for the infusion of 112,110 milligrams of Remicade.®  However, it was alleged that during this period the practice had only ordered approximately 49,600 milligrams from its suppliers. The government further alleged that the physician had falsified patient records and caused his staff to submit false claims to Medicare for payment.  The physician was sentenced to 33 months in prison and surrendered his state medical license.  A $1.5 million civil consent judgement was entered in the case.  The defendant was also ordered to pay $473,881.55 in restitution to Medicare and $69,685.26 in restitution to BlueCross BlueShield of Oklahoma. 

• Texas Allergy / Arthritis / Pain Management Clinic Alleged to be a Pill Mill.

Law enforcement investigators have found that a significant number of rheumatology patients are being treated multidisciplinary practices.  In this case, a husband and wife (both physicians) ran a number of Texas clinics that provided care allergy, arthritis and pain management patients.  Government investigators carefully tracked the number of patients being seen by the physicians, noting that they went from seeing 50-60 patients per day to 279 patients per day over a seven-year period. Additionally, through data-mining and the intra-agency sharing of information, law enforcement also noted that one of the physicians allegedly prescribed 615,671 tablets of hydrocodone (Vicodan®), 66,000 tablets of alprazolam (Xanax®), and 26,000 tablets of diazepam (Valium®) over a nine-month period. In fact, one patient received 92 hydrocodone prescriptions, totaling 8,040 tablets over an eight-month period. After conducting search warrants of the couple’s two clinics, residence and safe deposit boxes, investigators found $700,000 at the residence and $816,000 in the safe deposit boxes (allegedly only accessible by one of the physicians).[10]  In addition to the improper prescription of controlled substances outside the scope of professional practice and not for a legitimate medical purpose, the couple was also alleged to have billed Medicare and Medicaid for a number of fraudulent interventional procedures.  Investigators alleged that the physicians would inject patients with a lidocaine / steroid combination that would provide patients with a temporary relief of various joint and muscle pain.  Despite the fact that these injections were superficial, the procedures were falsely billed to insurance companies as facet joint injections, paravertebral injections, sacroiliac nerve injections, sciatic nerve injections and various nerve block injections.[11] Nearly every patient was prescribed one or more controlled substances and put on a regimen of shots every two weeks. Initially, patients were required to sign the medical progress and procedure notes in their patient chart to prove they were at the clinic and received the shots. This subsequently changed and the physician had certain patients sign blank procedure/progress notes and then used those forms to generate a superbill in order to bill the insurance companies for injection procedures on days when the patient was not in the clinic.

• New Jersey Rheumatologist Convicted of Investigational Research Fraud.

A New Jersey rheumatologist was sentenced to four years in prison after pleading guilty[12] to the falsification of clinical data.  The physician had been paid $1.86 million by drug companies to provide investigational new drug research nonsteroidal anti-inflammatory drugs (NSAIDS).  The physician failed to conduct the research as agreed. Instead, he fabricated lists of patients supposedly participating in the study.  He then is alleged to have falsified urine, stool and blood studies and forged the signatures of other clinicians.  The rheumatologist also failed to report the deaths of two patients supposedly included in the “study.”  Notably, the deaths were not related to the drugs being studied because they were never really in the study.

• Ohio Rheumatologist Convicted of “Misbranding.”

In this case, an Ohio rheumatologist pleaded guilty to importing medications that had not been approved by the Federal Drug Administration (FDA). The physician admitted causing the shipment of misbranded[13] drugs, which is a misdemeanor violation of the Food, Drug and Cosmetic Act.  As a misdemeanor violation, the physician faces a statutory maximum of up to one year in prison and fines up to $100,000.

• Kentucky Rheumatologist Convicted of “Misbranding.”

In this case, a Kentucky physician pleaded guilty to a misdemeanor criminal charge of treating patients with misbranded medications.  He was later sentenced to a term of one-year probation and was ordered to pay $176,915.55 in restitution.  The physician admitted to purchasing Rituxan®, Actemra®, Remicaid®, Aclasta®, Prolia®, and Synvisc® from foreign drug distributors based in the United Kingdom.  The drugs originated outside the United States and were never approved by the FDA for introduction into the United States. These misbranded medications were then administered to patients under the physician’s supervision.  Additionally, under a separate civil agreement, the physician agreed to pay $338,493.30 to settle certain claims brought against him by the OIG.

III.  Steps You Can Take to Reduce Your Level of Risk:

• Fully Document Your Basis for Concluding that a Patient has a Specific Diagnosis.

As the administrative, civil and criminal cases above reflect, it is imperative that physicians providing rheumatology care and treatment services take a critical look at their documentation practices.  More than likely, there are a number of additional steps you can take to fully document the process you went through when diagnosing a patient with rheumatoid arthritis, ankylosing spondalytis or another rheumatic disease.  Moreover, you need to tie your evaluation to the applicable standard of care and industry recognized protocols for diagnosing the patient’s condition.   Have you fully documented a patient’s medical, family and present history?  Have you noted the results of your hands-on evaluation of the patient’s joints, range of motion, etc.?  Have you documented all of the prior treatment approaches that were tried and failed to address the patient’s painful condition? Have you ordered and documented the results of specific blood tests that should be considered in the course of reaching a diagnosis?  Have radiology test results been included your decision-making process?

Just to be clear, despite the fact that the government often heavily relies on “Industry Standards of Care” when assessing a provider’s case, it is important to keep in mind that diagnostic algorithms (such as those published by the American College of Rheumatology) are only part of the answer. As Jeffrey A. M.D., a Visiting Fellow at the Goldwater Institute and a Senior Fellow at the Cato Institute has noted:

“[P]racticing under the yoke of the algorithm discourages critical thinking. There is a tendency to surrender to the algorithm. This jeopardizes good patient care and can impact outcomes. There are times when a patient’s presentation and response to treatment do not follow the algorithm—their DNA did not get the memo about the guidelines. A physician must think “outside the box” to help that patient—an attribute that is discouraged and becomes a lost skill under the algorithmic regime.”

• Your Infusion of Costly Biologics Will Undoubtedly be Audited at Some Point.

Is a rheumatology audit in your future? If your practice or clinic administers infusions, your claims will be audited by one or more Medicare program integrity contractors.  With this in mind, you need to carefully document the medical necessity of this treatment option.  Moreover, keep in mind that CMS and its MACs have issued NCDs, LCDs and other specific guidance governing the utilization of Remicade, Enbrel, and a number of other costly drugs.  When is the last time you have reviewed this guidance?

• Develop, Implement and Comply with the Provisions Set Out in an Effective Compliance Program.

The government doesn’t expect you to be perfect.  Nevertheless, you do expect you to try your best to follow applicable rules and regulations governing the billing of claims to the Medicare program.  If you implement an effective Compliance Program and diligently work to comply with its requirements, you will significantly reduce your level of claims risks.  Remember, self-audits aren’t just encouraged, they are required by law under the Affordable Care Act and are especially important if your practice wants to be viewed as a good corporate citizen.  Through periodic auditing and monitoring your practice’s activities you can better avoid:

1. The submission of false and fraudulent claims;

2. Engaging in overbilling;

3. Improperly using a provider’s number to bill for claims that were provided by a different individual;

4. The improper solicitation of referrals;

5. Engaging in medical identity theft;

6. The improper billing for services by unlicensed individuals;

7. The improper administration of infusion by unsupervised staff; and

8. The employment of excluded individuals.

• Avoid Engaging in Business Practices that Could Constitute (or be Misinterpreted to be) Kickbacks / Disguised Kickbacks and / or Bribes.

It isn’t sufficient to only focus on your documentation, medical necessity, coverage, coding and billing practices.  If you or your practice is ever investigated, federal and state prosecutors will systematically evaluate each and every one of your business arrangements.  Simply put, where do your referrals come from and where do you send referrals.  These business relationships will be exhaustively examined by the government.  Some of the risk areas identified have included:

1. Be especially careful before your practice or clinic enters into any business arrangement with a compounding pharmacy.

2. A continuing concern of the government involves lease arrangements with actual and / or potential referral sources.

3. Situations where a physician serves as a medical director to a hospice, home health agency, or nursing home to whom you make patient referrals.

4. Serving as a consultant or speaker to a pharmaceutical manufacturer, compounding pharmacy or durable medical equipment supplier whose products you prescribe.

5. Participating in a sham loan arrangement with an entity to whom you make referrals or whose products you prescribe, order or recommend.

6. Acquiring or having a financial interest in an entity to whom you send referrals (especially if the referral is for Designated Health Services which could implicate Stark).

7. Accepting cash, gifts or other Items of value from a patient or other individual in exchange for a prescription for opioids or other controlled substances.

8. Accepting or soliciting any type of remuneration (something of value), such as a gift card, sporting event tickets or liquor, from a pharmaceutical representative, compounding pharmacy or DME supplier whose products you order or prescribe (or could order or prescribe).

Prior to entering into a business arrangement, we strongly recommend that you contact an experienced health lawyer so that an assessment of the risks can be conducted and an evaluation of whether the arrangement may violate the False Claims Act, the Anti-Kickback Statute or Stark.

• Keep in Mind that the Government is Actively Pursing Individuals for Their Role in the Commission of White Collar Fraud.

While culpable individual defendants have regularly been prosecuted, over the past decade, most DOJ prosecutors have focused on seeking large financial fines and penalties from corporations.  For example, how many individuals can you think of that went to jail when the banking sector almost collapsed?  On September 9, 2015, Deputy Attorney General Sally Quillian Yates issued a Memorandum entitled “Individual Accountability for Corporate Wrongdoing” (Yates Memo).  This historic document instructs DOJ prosecutors to stop resolving corporate cases that release individuals from personal liability, absent extraordinary circumstances. Throughout the rest of 2018, we expect to see an increase in parallel proceedings and prosecutions of physicians, managers, coders, billers and other non-clinical staff who are alleged to have violated the law. Your personal conduct, and your efforts to comply with applicable rules and regulations will be assessed by DOJ if there is ever a problem.

Robert W. Liles, J.D., M.B.A., M.S., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Robert and other Liles Parker attorneys represent rheumatologists and rheumatology practices in connection with Medicare ZPIC and UPIC prepayment and postpayment audits, Medicaid investigations and audits, and private payor payment holds.  Is your practice being audited or under investigation?  Call Robert for a free initial consultation.  1 (800) 475-1906. 

[1]http://reg.tmb.state.tx.us/OnLineVerif/Phys_ReportVerif_new.asp

[2] The American College of Rheumatology has prepared decision trees that can be used to diagnose (or rule out) certain type of rheumatic disease.  For example, the algorithm used to determine if a patient is suffering from rheumatoid arthritis is set out at the following link: https://www.rheumatology.org/Portals/0/Files/2010%20RA%20Classification%20Tree_Tree%20Format%202010.pdf

[3] http://www.tmb.state.tx.us/idl/3E399486-3B51-843A-AAD2-E67B31810FB0

[4] https://oig.hhs.gov/faqs/exclusions-faq.asp

[5] Such as a licensure suspension or revocation.

[6] For instance, under Section 4.19.2.2 of the Medicare Program Integrity Manual, if a provider is placed on prepayment review for an extended period of time and has not corrected their pattern or practice after receiving educational/warning letters, Zone Program Integrity Contractors (ZPICs) and Uniform Program Integrity Contractors (UPICs) are directed by the Centers for Medicare and Medicaid Services (CMS) to refer the provider to the OIG for possible “exclusion” action.

[7] For additional information on exclusions, and your obligation to check Federal and State databases every 30 days, see the articles published on the Exclusion Screening website.  www.exclusionscreening.com

[8] Please note, there is one narrow exception to this basic rule that I am aware of.  When a Comprehensive Error Rate Testing (CERT) audit is conducted, the CERT auditor is essentially auditing a specific previously-paid type of claim to determine whether a Medicare Administrative Contractor (MAC) was correct in allowing the claim to be paid.  To accomplish this, the CERT auditor pulls a sample of specific paid services submitted for payment in a MAC region.  Providers with claims in the sample universe are then randomly pulled by the CERT auditor.

[9] https://www.aafp.org/afp/2011/1201/p1245.html#afp20111201p1245-t1

[10] FBI Press Release, SDTX, June 24, 2009, “Husband and Wife Charged with Operating a Pill Mill,” https://archives.fbi.gov/archives/houston/press-releases/2009/ho062409.htm

[11]U.S. Attorney’s Office, Southern District of Texas, Press Release. June 3, 2013.

https://www.justice.gov/usao-sdtx/pr/local-physicians-sentenced-again-must-pay-more-37-million-restitution

[12] https://pink.pharmaintelligence.informa.com/PS015210/NSAID-INVESTIGATOR-ORDERED-TO-REPAY-DRUG-FIRMS–186-MIL

[13] Section 502 of the Federal Food, Drug and Cosmetic Act (FFDCA) contains provisions on misbranding including some that relate to false or misleading labeling.  A device’s labeling misbrands the product if:

• Its labeling is false or misleading in any particular;
• It is in package form and its label fails to contain the name and place of business of the manufacturer, packer, or distributor and an accurate statement of the quantity of the contents in terms of weight, measure, or numerical count;
• Any required wording is not prominently displayed as compared with other wording on the device, or is not clearly stated;
• Its label does not bear adequate directions for use including warnings against use in certain pathological conditions or by children where its use may be dangerous in health or against unsafe dosage, or methods, or duration of administration or application;
• It is dangerous to health when used in the dosage or manner or with the frequency or duration prescribed, recommended or suggested in the labeling; or
• It does not comply with the color additives provisions listed under Section 706 of the FFDCA;
• The device’s established name (if it has one), its name in an official compendium, or any common or usual name is not prominently printed in type at least half as large as that used for any proprietary name;
• The establishment is not registered with FDA as required by Section 510 of the FFDCA and has not listed the device as required by Section 510(j) of the FFDCA or obtained applicable premarket notification clearance as required by Section 510(k) of the FFDCA;
• The device is subject to a performance standard and it does not bear the labeling prescribed in that standard;
• There is a failure or refusal to comply with any requirement related to notification and other remedies prescribed under Section 518 of the FFDCA, if there is a failure to furnish any materials or information required by, or requested by the Secretary pursuant to, Section 519 of the FFDCA, or if there is a failure to furnish materials or information relating to reports and records required by Section 522 of the FFDCA; or
• There is any representation that creates an impression of official approval because of the possession by the firm of an FDA registration number.

Expect an Increase in Audits of Chiropractic Services!

(April 16, 2018): Chiropractors around the country are again finding their services and claims under intensive scrutiny from Medicare contractors and investigators, despite the fact that only three services even qualify for coverage and payment.  Several weeks ago, the Department of Health and Human Services (HHS), Office of the Inspector General (OIG) released its latest critical assessment of chiropractic services currently being billed to the Medicare program. The agency’s report, entitled “Medicare Needs Better Controls To Prevent Fraud, Waste, And Abuse Related To Chiropractic Services,”[i] reemphasizes the OIG’s prior findings that the Centers for Medicare and Medicaid Services (CMS) still lacks appropriate safeguards to prevent the submission and payment of improper, sometimes fraudulent claims for chiropractic services to the Medicare program.  This article is intended to highlight the government’s concerns and outline the steps that a provider should take to better ensure that any chiropractic services billed to Medicare qualify for coverage and payment.

I. Improper Chiropractic Claims Remain a Problem:

At the outset, it is important to recognize that in recent years, CMS and its program integrity contractors have taken a number of steps to elevate the level of scrutiny placed on questionable chiropractic claims billed to Medicare. Nevertheless, the OIG has taken the position that considerable work still needs to be done in order to better protect the Medicare program from fraudulent, wasteful and abusive chiropractic billings. For example, the average improper payment rate for Medicare Part B services has been estimated at between 9.9%-12.9%. For chiropractic services, the improper payment rate has been estimated to be between 43.9%-54.1%. About half of all chiropractic services covered by Medicare were not supposed to be covered.  The OIG has estimated that of the nearly $450 million spent by Medicare on chiropractic services every year, between $257 million and $304 million in improper payments are being made every year for chiropractic services.[ii] Over a six-year period, $2.9 billion was spent by Medicare on chiropractic services. Theoretically, this means that at least $1.27 billion was wasted over those six years.

• Submit claims for services that never occurred.

• Submit claims for services that were medically unnecessary.

• Bill for services covered by Medicare but provided other services such as a massage or acupuncture.

• Falsified patient medical records.

• Provided services to beneficiaries without a valid license.

• Offered incentives to patients to receive unnecessary services.

During this six-year period, 11[iii] of the chiropractors were incarcerated and over 500 chiropractors were excluded from participation in the Medicare and Medicaid programs by the OIG for various reasons. The OIG remains concerned that inadequate oversight is continuing to allow fraudulent chiropractors to hide their improper billings from regulators

II. What Solutions Has CMS Tried?

In an effort to spur more detailed documentation, CMS implemented the initial treatment date requirement for claims. This requirement has been more effective than the AT modifier requirement, as 7 out of 8 contractors do check to ensure this requirement is met. In that respect, this is a successfully implemented requirement. However, when audited, this requirement has largely failed due to inadequate documentation. Approximately 86% of all claims that included an initial treatment date did not adequately document the medical necessity of the services provided. Once again, it appears that chiropractors are aware that the initial date is necessary for payment and will include the date regardless of the quality of their documentation.

At the urging of the OIG, CMS has made significant efforts to better educate chiropractors on the importance of proper documentation and which chiropractic services are actually covered by Medicare Part B. CMS has create publications, seminars, and an educational video for chiropractors to learn about services that are covered under Medicare Part B and how to meet documentation standards. Unfortunately, either through lack of provider participation or because of difficulties in accessing the information, this initiative has largely failed.  Many chiropractors and beneficiaries remain ignorant with respect to the  medical necessity, documentation and coverage requirements of chiropractic services under Medicare Part B. For example, one of the educational videos created by CMS is supposed to educate chiropractors on how to meet documentation requirements. This video only received 8,898 views between December 2015 and January 2017. Even if we were to assume that every view was by a licensed chiropractor (which is highly unlikely), it only reached a fraction of the chiropractors participating in the Medicare program. CMS will likely need to implement more changes that may lead chiropractors to utilize educational resources and improve documentation.

III. Would A Medical Review Threshold or Service Limit Work?

Approximately 61% of private insurance plans that participate in the federal employee health benefits program (FEHBP) cover chiropractic services. Of the FEHBP private insurance plans that cover chiropractic services, there are limits between 10 and 60 services per year, with the average plan limiting patients to 21 chiropractic services per year. The concept of limiting the number of services a beneficiary has been proposed by the OIG in the past, but CMS did not agree with this solution.

A medical review threshold is a limit on the number or cost of services before a review of medical necessity must be completed to continue coverage of future services. CMS states that contractors may set thresholds for the number of services allowed before medical review, but may not limit the number of services provided. There is no CMS-level medical review threshold, but as mentioned earlier 2 of the 8 contractors have already set medical review thresholds. CMS-level medical review thresholds are already in place for out-patient therapy specialties such as physical therapy and speech-language pathology. The threshold for these two specialties is monetary, at $1,920. After a beneficiary reaches $3,700 in physical therapy or speech -language pathology services, a medical review s needed for the beneficiary to continue treatment.

The OIG conducted a nationwide review of the percentage of “unallowable payments” made for three groups of beneficiaries, divided by the number of services received in a calendar year. The first group received 1-12 chiropractic services in a year, 76% of which were unallowable payments. The second group received between 12-30 chiropractic services in a year, of which 95% were unallowable payments. The final group received more than 30 chiropractic services in a year, of which every single payment was unallowable. It is worth noting that the two contractors that had set a medical review threshold had no beneficiaries in the last category. Based on this assessment, HHS-OIG estimates that a threshold for medical review between 12-30 services would have saved Medicare between $95 million and $447 million between 2013-2015. Additionally, that same threshold would have saved beneficiaries between $24 million and $114 million in out-of-pocket expenses over the same period. 

IV. HHS-OIG Recommendations:

In addition to highlighting issue with the current system, OIG’s report provided a few recommendations for CMS to consider implementing:

• Work with contractors to educate chiropractors on the training resources that CMS has already made available to them
• Educate beneficiaries on which chiropractic services are and are not covered by Medicare Part B, and encourage beneficiaries to report chiropractors that are providing services that should not be covered by Medicare.
• Identify chiropractors with high-service denial rates or aberrant billing practices, estimate the amount of overpayments made through a statistically significant sample, and recover the overpayments
• Establish a threshold for the number of services that may be provide before a medical review is needed

V. Chiropractic Basics – Medicare Coverage Limitations: 

Chiropractors diagnose and treat subluxation disorders primarily through manual adjustment and manual manipulation of the spine.  CMS defines subluxation as “a motion segment, in which alignment, movement integrity, and/or physiological function of the spine are altered although contact between joint surfaces remains intact”[iv] More simply put, a spinal subluxation is a purported misalignment of the spinal column that can cause pain and other symptoms in patients suffering from this misalignment.  One question that regularly arises when documenting chiropractic services is:

“How does Medicare expect me to show that evidence of subluxation if present?”

In most instances, a Medicare contractor will review a provider’s documentation to determine if an x-ray has been used, or a physical examination was conducted to document subluxation. Each of these diagnostic methods are discussed below:

• Subluxation determination based on an x-ray. If a provider has determined that a subluxation is present based on an x-ray,[v] a Medicare contractor will likely take into consideration when the x-ray was taken and how much time has elapsed before a course of treatment was initiated. As discussed in Local Coverage Determination (LCD) L34009 published by Noridian Healthcare Solutions, LLC (Noridian), the contractor requires that an x-ray must have been taken at a time “reasonably proximate” to the start of care. Noridian considers an x-ray to be reasonably proximate to the initiation of care if it was taken no more than 12 months prior to or 3 months following the initiation of a course of chiropractic treatment. Understandably, Noridian will typically allow a chiropractor to base his / her subluxation determination on an older x-ray if a beneficiary’s medical records show that the patient has suffered from a chronic subluxation condition (such as scoliosis) for longer than 12 months AND there is a reasonable basis to believe that the chronic condition is permanent.

• Subluxation determination based on an a physical examination. If a provider has determined that a subluxation is present based on a physical examination that has been conducted, a CMS contractor is going to review the medical documentation to determine if two of the following four criteria have been identified during the examination of the patient’s musculoskeletal / nervous system, one of which must be either asymmetry / misalignment or range of motion abnormality. The four criteria examined include:

• Pain/tenderness evaluated in terms of location, quality, and intensity;
• Asymmetry/misalignment identified on a sectional or segmental level;
• Range of motion abnormality (changes in active, passive, and accessory joint movements resulting in an increase or a decrease of sectional or segmental mobility); and
• Tissue, tone changes in the characteristics of contiguous, or associated soft tissues, including skin, fascia, muscle, and ligament.

A limited scope of chiropractic services qualify for coverage under Medicare Part B if they are performed by a licensed, qualified chiropractor. Regrettably, CMS still takes the position that most of the various services offered by a chiropractor are “supportive” in nature rather than “corrective.”  In other words, CMS considers most chiropractic services to be “maintenance therapy,” which is not covered under Medicare Part B. As maintenance therapy, CMS does not consider most chiropractic services to be medically necessary.

So what chiropractic services ARE covered under Medicare Part B?  Frankly, not many. CMS specifically limits Medicare Part B coverage to hands-on manual manipulation of the spine for symptomatology associated with spinal subluxation. Additionally, qualifying hand-held manual devices (where the thrust of the force of the device is manually controlled) may also be used by chiropractors in performing manual manipulation of the spine. Notably, Medicare does not recognize any additional charges associated the use of such a hand-held device.

When documenting a covered service, a chiropractor must note the precise level of the subluxation. Depending on the number of spinal regions involved, one of three Current Procedural Terminology (CPT) codes can be billed:

• CPT Code 98940 (for treatment of one or two spinal regions);
• CPT Code 98941 (for treatment of three or four spinal regions); and
• CPT Code 98942 (for treatment of all five spinal regions).

The five regions of the, from the cervical area (neck) to the coccyx (tailbone) are illustrated below:

When providing chiropractic services that are intended to provide active / corrective treatment, Medicare requires chiropractors to append the claim with an AT modifier.  The AT modifier is intended to denote the fact that “Acute Treatment” for subluxation was provided to the beneficiary.  If a chiropractor bills one of the three covered codes without an AT modifier, the service will be automatically denied as not medically necessary when the claim is processed by your Medicare Administrative Contractor (MAC).

In most instances, properly coded chiropractic services (limited to 98940, 98941 and 98942) will qualify for payment.  Having said that, both CMS contractors and OIG have repeatedly found that just because a claim has been appended with the AT modifier does not mean that the chiropractic services billed were in fact, medically necessary. In multiple audits conducted over the last decade, government reviewers have found that chiropractors have failed to properly document the medical need for services billed to Medicare.

Although Medicare has not placed a limit on the number of chiropractic services that a beneficiary can receive, providers who appear to be billing an excessive number of services will quickly be flagged for medical review by a MAC, a Zone Program Integrity Contractor (ZPIC) or a Uniform Program Integrity Contractor (UPIC). It is essential that you carefully document the medical necessity of any services billed. At present, pre-authorization to confirm the medical necessity of a treatment is only required by two MACs. One contractor sets its threshold for medical review as 12 services per month but no more than 30 services per year. The other sets a threshold of 25 chiropractic services per year.

VI. Documenting Chiropractic Services:

It is important to keep in mind that under Title XVIII of the Social Security Act, §1862(a)(1)(A), services must be medically reasonable and necessary in order to qualify for coverage and payment.  Similarly, Title XVIII of the Social Security Act, §1833(e) prohibits Medicare from paying for any claims that lacks the necessary information to process the claim.  Therefore, regardless of whether the determination of a subluxation has been based on an x-ray or a physical examination, a chiropractor must ensure that complete and accurate records of the encounter are taken.

Experience has shown that in the event of an audit by a CMS contractor, the MAC, ZPIC or UPIC auditing chiropractic services will primarily base claims on a provider’s failure to properly document the medical necessity of the services billed. It is therefore essential that you review and understand your documentation obligations when billing for chiropractic claims. As a first step, you need to review:

• CMS Medicare Benefit Policy Manual, Pub. 100-2, Chapter 15, Sections 30.5 and 240.
• CMS Medicare Claims Processing Manual, Pub. 100-4 Chapter 12, Section 220.

Moreover, you should continue to periodically review any LCD guidance on chiropractic services that has been issued by your MAC.  Again using Noridian’s LCD guidance as an example, during an initial visit, the MAC expects a provider to document the following six categories of information when providing chiropractic services:

A. Documentation Requirements – Initial Visit. The following documentation requirements apply whether the subluxation is demonstrated by x-ray or by physical examination:

#1. Family History / Past Medical History.
• Symptoms causing patient to seek treatment;
• Family history if relevant;
• Past health history (general health, prior illness, injuries, or hospitalizations; medications; surgical history);
• Mechanism of trauma;
• Quality and character of symptoms/problem;
• Onset, duration, intensity, frequency, location and radiation of symptoms;
• Aggravating or relieving factors; and
• Prior interventions, treatments, medications, secondary complaints.

#2. Description of the Present Illness.
• Mechanism of trauma;
• Quality and character of symptoms/problem;
• Onset, duration, intensity, frequency, location, and radiation of symptoms;
• Aggravating or relieving factors;
• Prior interventions, treatments, medications, secondary complaints; and
• Symptoms causing patient to seek treatment.

Importantly, the “symptoms” covered in your description of the patient’s present illness are required to be directly related to the level of subluxation. When describing a patient’s symptoms:

• The symptoms should refer to the spine, muscle, bone, rib and / or joint and be reported as pain, inflammation, or as signs such as swelling, spasticity, etc.
• The symptoms documented must be related to the level of the subluxation that has been cited. A statement on a claim that there is “pain” is insufficient.

Finally, the location of a patient’s pain must be described and the symptoms documented must be related to the level of the subluxation that has been cited.  Noridian further requires that the location of pain must be described and whether the particular vertebra listed is capable of producing pain in the area determined.

#3. Evaluation of musculoskeletal/nervous system through physical examination.

#4. Diagnosis. The primary diagnosis must be subluxation, including the level of subluxation, either so stated or identified by a term descriptive of subluxation. Such terms may refer either to the condition of the spinal joint involved or to the direction of position assumed by the particular bone named.

#5. Treatment Plan. The treatment plan should include the following:
• Recommended level of care (duration and frequency of visits);
• Specific treatment goals; and
• Objective measures to evaluate treatment effectiveness.

#6. Date of the initial treatment.

B. Documentation Requirements: Subsequent Visits.  The following documentation requirements apply whether the subluxation is demonstrated by x-ray or by physical examination:

#1. History.
• Review of chief complaint;
• Changes since last visit;
• System review if relevant.

#2. Physical exam.
• Exam of area of spine involved in diagnosis;
• Assessment of change in patient condition since last visit;
• Evaluation of treatment effectiveness.

#3. Documentation of treatment given on day of visit.  The patient must have a significant health problem in the form of a neuromusculoskeletal condition necessitating treatment, and the manipulative services rendered must have a direct therapeutic relationship to the patient’s condition and provide reasonable expectation of recovery or improvement of function. The patient must have a subluxation of the spine demonstrated by x-ray or physical exam as described above.

VII.  Conclusion

It has been more than 20 years since the OIG first identified chiropractic billings as a potential fraud and abuse problem.  To their dismay, the AT modifier requirement, initial treatment date documentation requirement, and educational resources have failed to significantly remedy the level of improper claims for chiropractic services being billed to the Medicare program. In light of the OIG’s latest report, chiropractors should expect CMS and its MAC, ZPIC and UPIC contractors to increase their audits of chiropractic claims.  Providers should also expect to see oversight through education, medical review, limits to the number of services, and documentation requirements.

What should you do?  Get back to basics.  When is the last time you compared your medical necessity, documentation, coding and billing practices to those outlined in your respective LCD and the Medicare Benefit Policy Manual.

Need help?  Give us a call.  Our attorneys are experienced in representing chiropractors in audits and investigations of their Medicaid and private payor claims.

Robert W. Liles, J.D., M.B.A., M.S., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent chiropractors and chiropractic practices around the country in connection with Medicare, Medicaid and private payors claims audits.  We also represent chiropractors in connection with complaints filed against our clients with the State Chiropractic Board.  For a complimentary review and discussion of your issues, you can call Robert at: (202) 298-8750.  

[i] Department of Health and Human Services, Office of Inspector General. Medicare Needs Better Controls To Prevent Fraud, Waste, And Abuse Related To Chiropractic. A-09-16-02042. February 2018.
[ii] CMS’s Supplementary Appendices for the Medicare Fee-for-Service Improper Payment Reports for 2010–2015.
[iii] In one case, when an audit was initiated against a chiropractic practice, the chiropractor supposedly falsely reported a robbery had taken place and that medical records were stolen from his car. This triggered a fraud investigation that led to a 63-month fraud conviction, over $1 million in restitution, and a 23-year exclusion for the chiropractor.
[iv] Medicare Benefit Policy Manual, Chapter 15, §240.1.2.
[v] Noridian will usually permit a previous CT scan MRI to be used as evidence if a subluxation of the spine is demonstrated.

CBRs for Spinal Orthoses (CBR201803): What Do You Need to Know?

(April 12, 2018): The Centers for Medicare & Medicaid Services (CMS) utilizes a variety of private contractors to process Medicare claims and conduct both administrative and program integrity audits of claims submitted by healthcare providers and suppliers.  At the present time, CMS has contracted with eGlobalTech (eGT) to analyze data and prepare “Comparative Billing Reports” (CBRs) of various services and claims billed to the Medicare program. eGT works directly with another CMS contractor, Palmetto GBA (Palmetto), to conduct the statistical work that is necessary to complete the CBR process. The latest report to be issued by eGT is CBR201803.

I.  eGT is Currently Distributing CBRs to Spinal Orthoses Suppliers:

The most recent CBR review initiated by eGT has been focused on Spinal Orthoses Suppliers. On April 2, 2018, eGlobalTech sent out letters to affected suppliers around the country advising them of the initiation of CBR201803: Spinal Orthoses Suppliers. This CBR is focused on orthotic suppliers that have billed the Medicare Part B program for both off-the-shelf and custom-fitted prefabricated spinal orthoses (commonly referred to as “braces”[1]) in claims with dates of service from October 1, 2016 to September 30, 2017.[2]  CBR201803 focuses on the following Healthcare Common Procedure Coding System (HCPCS) codes:

Prefabricated Custom-Fitted Spinal Orthoses.[3]

L0627: Lumbar orthosis, sagittal control, with rigid anterior and posterior panels

L0631: Lumbar-sacral orthosis, sagittal control, with rigid anterior and posterior panels

L0637: Lumbar-sacral orthosis, sagittal-coronal, with rigid anterior and posterior panels

Prefabricated Off-the-Shelf-Fitted Spinal Orthoses.[4]

L0642: Lumbar orthosis, sagittal control, with rigid anterior and posterior panels

L0648: Lumbar-sacral orthosis, sagittal control, with rigid anterior and posterior panels

L0650: Lumbar-sacral orthosis, sagittal-coronal, with rigid anterior and posterior panels

 II.  The Improper Billing of Medicare Claims for Spinal Orthoses Has Been a Long-Standing Problem for CMS:

The initiation of CBR201803 is merely the government’s most recent attempt to address long-standing problems that have repeatedly been identified in connection with the coverage, coding and billing of spinal orthoses by authorized Medicare suppliers.  As eGT has noted on its website (and in correspondence with affected suppliers), Lumbar-Sacral Orthoses have been on the government’s Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMSPOS) list of “Top 20 Service Types with Highest Improper Payments” as far back as 2013. In fact, as set out in the most recent assessment of improper billing data by the Department of Health and Human Services (HHS), entitled “2017 Medicare Fee-for-Service Supplemental Improper Payment Data,” the estimated improper error rate for Lumbar-Sacral Orthoses was 52.5%. The magnitude of this problem is easily seen when compared with the overall improper payment rate for ALL Medicare claims which has been estimated at 9.5%.  Finally, it is worth noting that the HHS Office of Inspector General (OIG) identified concerns with the billing of orthotic braces in both its 2016 and 2017 Work Plans.[5]

III.  How Were Spinal Orthoses Suppliers Categorized this Review?

At last count, more than 6,000 qualified DME suppliers billed Medicare Part B for spinal orthoses under one of the six HCPCS codes outlined above.  In an effort to define peer groups for general comparison purposes, DMEPOS suppliers and physicians / non-physicians were assigned to a specialty peer group, based on their assigned Medicare Specialty Code and whether or not the provider / supplier was likely to have orthotist training.   The following categories were used by eGT:

CBR contractors (eGT and Palmetto) then calculated statistics for each of the separate peer groups.  As the categories reflect, the CBR contractors separated suppliers from providers and then further stratified the two primary groups by whether or not they were “likely” to have orthotist training.  While the CBR contractors expressly recognized that an individual may be specially trained to custom fit beneficiaries with a medically necessary orthosis, for the purposes of this review, they still ultimately categorized both suppliers and providers by Medicare specialty code based on the contractors’ assessment of whether a specific specialty was likely to have specialized orthotist training.[7] Unfortunately, there are likely a number of instances where eGT’s presumption of whether a supplier has orthotist training may be just plain wrong.

IV.  Why Was My DME Company Included in this Review?

A Comparison of Your Billing Percentages for Each of the Six HCPCS Categories of Spinal Orthoses.  As a first step, the CBR contractors compared each supplier’s billing patterns, by HCPCS code, with those of other suppliers in their peer specialty group.  To the extent that a supplier’s utilization ratios were aberrant when compared to the ratios of their peers, the supplier was more likely to be sent a CBR.

The Percentage of Allowed Services Defined as Custom-Fitted.  Another primary assessment conducted by the CBR contractors is whether the percentage of spinal orthoses submitted for payment by a supplier was billed as a “custom fitted” brace.  The percentage of custom-fitted braces billed by a specific supplier was compared to the percentage billed to their DME MAC contractor by other suppliers in their respective peer specialty group.  Each supplier’s percentage of custom-fitted brace billings were also compared to the national average.  If a specific supplier’s percentage was deemed to be “significantly higher” than one of these peer groups, it was one step closer to being sent a CBR.

The Percentage of Allowed Services Submitted without a Visit to the Referring Provider within 90 Days of the DMEPOS Service Date.  Another factor analyzed by the CBR contractors is whether a significant percentage of beneficiaries fitted (either custom-fitted or off-the-shelf) for a brace by a specific supplier had not been seen by their referring provider within 90 days of the DMEPOS service date (the date that the spinal orthosis order was filled by the DMEPOS supplier).  Simply stated, red flags are going to be raised if you fill a prescription / order for a brace and the patient hasn’t seen his / her referring provider within the previous 90 days.[8]  Once again, the CBR contractor compared each specific supplier’s percentage to the percentage billed to their DME MAC contractor by other suppliers in their respective peer specialty group.  Each supplier’s percentage of custom-fitted brace billings were also compared to the national average.

The Average Allowed Charges per Beneficiary for the One-Year Period.  The CBR contractors also examined the average allowed charges of each supplier billed to Medicare per beneficiary and compared this number to average allowed charges of other suppliers in their peer specialty group.  If a supplier’s average allowed charged were significantly higher than that of their peers, it was more likely to be issued a CBR.

V.  The Results of an Assessment by eGT:

After reviewing the utilization and billing practices of each spinal orthoses supplier, if a specific supplier’s measures were considered to be Significantly Higher than their peers in at least one of the three factors discussed above, the supplier was issued a CBR.

1. Supplier is significantly higher than at least one of its peer groups on at least one of the measurements studied;

2. Supplier is near or above the 45^th percentile in allowed charges ($5,000); and

3. Supplier had at least ten beneficiaries.

VI. Responding to a CBR:

If your company received a CBR, you likely noted the fact that eGT may expressly state in its reports that “no reply is necessary.”   While that may technically be the case, after handling CBRs for many years, our experience (and the collective experience of our associates) has been that your organization is much more likely to be audited if you do not respond and address any misconceptions or incorrect positions about your billing pattern stated by the contractor in its report.

To be clear, if you receive a CBR, you need to immediately take steps to validate or invalidate eGT’s findings.  If, in fact, your billing practices have been improper, you have an affirmative obligation to take steps to remedy any deficiencies. Additionally, the risk issues identified by eGT should be incorporated into your existing Compliance Program and should be taken into account when you perform periodic internal claim audits and monitoring functions.

VII.  Get Ready for Follow-Up Audits by ZPICs / UPICs!

Although your claims haven’t yet been audited, if you received one of these reports an audit of your claims may be right around the corner.  While it has been our experience that responding to a CBR is helpful, (and may reduce your chances of having a prepayment or postpayment Zone Program Integrity Contractor (ZPIC) or Uniform Program Integrity Contractor (UPIC) audit) if eGT has based its assessment on incorrect assumptions, there are no guarantees that a CMS program integrity contractor won’t still choose to initiate an audit of your claims for one or more braces billed to Medicare.

As a CBR recipient, you need to recognize that your organization has been identified as an outlier and there is significant likelihood that your spinal orthoses claims will be audited in the near future by a ZPIC or a UPIC, especially if you have not taken steps to identify and correct any misconceptions about your billing practices that the CBR contractor has made.

Now, more than ever, it is essential that suppliers review their documentation and ensure that they are fulling complying with all applicable requirements to show that each brace was medically necessary, fully documented, properly coded and billed.  For instance, as set forth under the Medicare Program Integrity Manual:

“All DMEPOS items…require detailed written orders prior to billing. Detailed written orders may take the form of a photocopy, facsimile image, electronically maintained, or original ‘pen-and-ink’ document. The written order must be sufficiently detailed, including all options or additional features that will be separately billed or that will require an upgraded code. The description can be either a narrative description (e.g., lightweight wheelchair base), or a brand name/model number. All orders must clearly specify the start date of the order.”

The failure to fully document the delivery of a brace is another significant risk faced by spinal orthoses suppliers.  ZPICs and UPICs routinely refuse payment citing this reason for denial.  As discussed in the Medicare Program Integrity Manual:

“Suppliers are required to maintain proof of delivery documentation in their files. Proof of delivery documentation must be maintained in the supplier’s files for 7 years (starting from the date of service).” 

Pursuant to 42 C.F.R. Sec. 424.57(c)(12), proof of delivery:

“Must be responsible for the delivery of Medicare covered items to beneficiaries and maintain proof of delivery. (The supplier must document that it or another qualified party has at an appropriate time, provided beneficiaries with necessary information and instructions on how to use Medicare-covered items safely and effectively).”[9]

VIII.  Potential Liability for Non-Compliance:

After receiving a CBR, you may soon find that your supplier claims will be subject to  prepayment or postpayment audit by a ZPIC or UPIC. Alternatively, you may merely receive an “Additional Document Request” (ADR) from a CMS contractor.  ADRs aren’t uncommon and most suppliers have received multiple such requests since becoming a participating supplier in the Medicare program.  Nevertheless, in recent years, ADRs have taken on a new level of importance. ZPICs and UPICs aren’t hesitating to place a supplier on 100% prepayment review if the documentation submitted in response to an ADR results in the denial of one or more claims.

Similarly, if a supplier is placed on prepayment review and a significant percentage of your claims are denied when the associated supporting documentation is submitted, there is much higher risk that your claims will be subjected to a postpayment audit.  In some cases, a high error rate identified in a prepayment or postpayment audit has led to the suspension of Medicare supplier’s billing privileges. Unfortunately, this “snowball effect” of cumulative adverse administrative actions may not be over. In accordance with 42 C.F.R. Sec. 424.57(e), a CMS contractor may recommend to the agency that your billing privileges are “revoked” if a supplier is found not meet applicable conditions of payment:

“Failure to meet standards. CMS will revoke a supplier’s billing privileges if it is found not to meet the standards in paragraphs (b) and (c) of this section. (The revocation is effective 15 days after the entity is sent notice of the revocation, as specified in §405.874 of this subchapter.)” 

IX. Conclusion:

Despite what you may have been told, CBRs are far from benign.  If a provider or supplier has received a CBR (such as, but not limited to CBR201803), it may be a harbinger of future administrative audits or in more serious cases, a possible civil and / or criminal investigation of your billing practices.  While every case is different, if the CBR contractor’s CBR findings (as outlined in their letter to your organization) are incorrect, it is typically in your best interests to correct the record.  Our attorneys are experienced in assessing these matters and can assist your organization is putting its best foot forward when responding to a CBR, the receipt of an ADR, prepayment review or postpayment audit.  Give us a call for a free consultation.  1 (800) 475-1906.

Robert W. Liles, J.D., M.B.A., M.S., serves as Managing Partner at the law firm of Liles Parker, Attorneys & Clients at Law.  Robert represents providers and suppliers around the country in ZPIC / UPIC audits, Medicare suspension actions and revocation cases.  For a complimentary consultation, please call: 1 (800) 475-1906.

[1] As set out in the Chapter 15, Section 130 of the Medicare Benefit Policy Manual, braces are “rigid and semi-rigid devices which are used for the purpose of supporting a weak or deformed body member or restricting or eliminating motion in a diseased or injured part of the body.”

[2] eGT’s analysis is based on a snapshot of claims in the Integrated Data Repository as of January 24, 2018.

[3] As set out in the Joint DME MAC Publication, a “Custom-Fitted Orthosis,” is defined as:

• Devices that are prefabricated.
• They may or may not be supplied as a kit that requires some assembly. Assembly of the item and/or installation of add-on components and/or the use of some basic materials in preparation of the item does not change classification from OTS to custom fitted.
• Classification as custom fitted requires substantial modificationfor fitting at the time of delivery in order to provide an individualized fit, i.e., the item must be trimmed, bent, molded (with or without heat), or otherwise modified resulting in alterations beyond minimal self-adjustment.
• This fitting at delivery does require expertise of a certified orthotist or an individual who has equivalent specialized training in the provision of orthosis to fit the item to the individual beneficiary.

[4] Off-the-shelf (OTS) orthotics are defined as:

• Items that are prefabricated.
• They may or may not be supplied as a kit that requires some assembly. Assembly of the item and/or installation of add-on components and/or the use of some basic materials in preparation of the item does not change classification from OTS to custom fitted.
• OTS items require minimal self-adjustmentfor fitting at the time of delivery for appropriate use and do not require expertise in trimming, bending, molding, assembling, or customizing to fit an individual.
• This fitting does not require expertise of a certified orthotist or an individual who has equivalent specialized training in the provision of orthoses to fit the item to the individual beneficiary.

[5] In both its 2016 and 2017 Work Plans, OIG noted that it would be reviewing the reasonableness of Medicare payments for orthotic braces when compared to the amounts paid by other non-Medicare payers..

[6]A “certified” individual is someone who is certified by either the American Board for Certification in Orthotics and Prosthetics, Inc., or the Board for Orthotist/Prosthetist Certification.

[7] As set out in Appendix C of the Durable Medical Equipment, Prosthetics, Orthotics and Supplies (DMEPOS) Quality Standards, “Individuals supplying the item(s) set out in this appendix must possess specialized education, training, and experience in fitting, and certification and/or licensing.”  While the CBR contractors expressly recognized that an individual specially trained to custom fit beneficiaries that have a medical need for an orthosis.

[8] To determine this, the CBR contractor checks to see if the referring provider billed for a Part B visit within 90 days of the service date of the DMEPOS claim.

[9] https://www.gpo.gov/fdsys/pkg/CFR-2005-title42-vol2/pdf/CFR-2005-title42-vol2-sec424-57.pdf

The PSAVE Pilot Program: Should You Self-Audit Your Medicare Claims?

(April 2, 2018):  Our nation’s demographics are changing.  In less than 20 years, it is estimated that for the first time in country’s history, the number of individuals over the age of 65 will exceed the number of children.[1] These increases are already being seen in our rapidly expanding Medicare healthcare benefit program.  At last estimate, Medicare Administrative Contractors (MACs) processed an estimated 1.2 billion claims on behalf of America’s seniors.[2]  As the Medicare program has grown, the Centers for Medicare and Medicaid Services (CMS) has employed a variety of different claims audit mechanisms to better ensure that the Medicare Trust Fund is protected from waste, fraud and abuse.  The Provider Self-Audit Validation and Extrapolation (PSAVE) pilot program is among the agency’s most recent efforts to protect the integrity of the Medicare program.  An overview of the PSAVE pilot program is set out below.

I. Providers and Suppliers Currently Subject to the PSAVE Pilot Program:

In November 2017, Noridian Healthcare Solutions LLC (Noridian), the MAC for Jurisdiction F, and CMS launched a pilot Medicare claims self-auditing program. Jurisdiction F is comprised of Alaska, Arizona, Idaho, Montana, North Dakota, Oregon, South Dakota, Utah, Washington, and Wyoming.[3] When announced, the program was touted as a way to provide long term educational benefits to Medicare providers, while also granting “immunity” from further audit of Medicare claims by both the provider’s MAC and from the Recovery Auditor (RA) contractor assigned to the provider. Is your practice likely to receive an “invitation” to conduct a self-audit of its claims?  Let examine the pilot program in more detail to find out:

II. Why Was Your Practice Invited to Participate in the PSAVE Pilot Program?

While Noridian claims that the PSAVE pilot program is open to almost any Medicare Part B healthcare provider, invitations to participate where not sent out to all of the Medicare participating providers in Jurisdiction F. Instead, data analytics were used to identify providers with abnormal billing or coding practices, based on the audit findings of  Comprehensive Error Rate Testing (CERT) postpayment review data.  Initially focusing on only a limited number of medical specialties, providers with irregular billing patterns  were first chosen by Noridian to “test” the PSAVE pilot self-auditing program. Primarily relying on sophisticated data mining techniques, Noridian has identified certain Part B providers with questionable billing practices and invited them to participate in the PSAVE pilot program.[4]  If your practice was invited to participate in this pilot self-auditing program, this practice is an outlier and will likely be subjected to an audit, whether it chooses to participate in the PSAVE pilot program or not.

III. How Does the PSAVE Pilot Program Work?

At the outset, it is important to keep in mind that if your practice was invited to participate in the PSAVE pilot program, your billing practices have been found to be aberrant by a CERT contractor.  As an outlier, your practice’s Medicare claims for reimbursement have been targeted for audit.

Potential PSAVE pilot program participants were sent (or will be sent as the program expands) a notification letter by Noridian which included a sample listing of claims that the MAC has identified for inclusion in your self-audit.  In addition to the claims listing, Noridian’s letter also specified the specific elements that it expected each provider to review in connection with the claims.  Importantly, Noridian’s notification letter also included an “Appeals Waiver” form that it required participating providers to sign prior to being admitted into the pilot program.

• In exchange for participating in the PSAVE pilot program, Noridian notes that any claims covered by the audit would be immune from subsequent review and audit by the MAC and / or a Recovery Auditor.

• If a provider agreed with the terms of the PSAVE process, the provider was required to return the executed Appeals Waiver form to Noridian and assemble all of the documentation related to the “Education Sample” of claims listed in the MAC’s letter. Importantly, the sample chosen by Noridian was meant to represent a statistically-relevant sample of the provider’s universe of claims previously paid by the Medicare contractor.

• Upon receipt of the signed Appeals Waiver form, a 90-day period for the provider to review the Medicare claims at issue began.

• Prior to conducting the self-audit, Noridian required that each provider participate in a webinar on how the Education Sample of claims was to be reviewed.

• Participating providers then conducted the self-audit. The provider’s findings (and the associated documentation) would then be submitted to Noridian for validation. It is important to note that the validation review may result in additional overpayments identified that may have been missed by the provider when the self-audit was conducted.

• After validating the self-audit findings, Noridian would then determine whether it was appropriate to extrapolate the identified overpayment to the universe OR merely base an overpayment on the sample of claims reviewed. It has our experience that Medicare contractors have the latitude not to extrapolate an overpayment if a provider’s overall error rate is below a certain level (typically less than 10%).

• After extrapolating the overpayment identified, Noridian would then send the provider a letter identifying the overall amount of any extrapolated overpayment that may be owed.

• The provider would then be required to repay the identified overpayment within a timeframe set out in Noridian’s notice letter.

IV. Benefits of Participation in the PSAVE Pilot Program:

Perhaps the greatest benefit of participating in the PSAVE pilot program is the fact that you are in charge and you are directly involved in the claims audit process.  As the audit progresses, you will be aware of any problems that may arise with your claims. In simplified terms, self-audits provide you with a significant degree of control over the process.  Nevertheless, just because you may exercise a significant degree of control over the audit process does not mean that you will be able to control the outcome of the audit. As with other self-audit / self-reporting programs administered by CMS and the Office of Inspector General (OIG), a provider’s voluntary participation in the PSAVE pilot program allows a provider to present its view of the claims in the best possible light while positioning itself as a “Good Corporate Citizen.”

 V. PSAVE Pilot Program Risk Issues:

While proponents of the PSAVE pilot program are quick to point out the educational value of participating in the program, a provider should exercise care before deciding to sigh-onto the program. For example, the Appeals Waiver signed can leave a provider vulnerable at the conclusion of the program, as there is no mechanism of contesting the overpayments that may be identified as owed by Noridian. To make matters worse, the validation review is a blind sample, meaning that the provider will not be fully aware of any potential claims errors until after the validation review has been completed by the MAC.   In some cases, Noridian may be willing to permit a provider to submit additional documentation before the MAC concludes its review of the documentation.  Since the right to file an administrative appeal of any Medicare overpayment has already been waived,  a provider is assuming a significant risk when participating in the PSAVE pilot program.

Additionally, PSAVE pilot program representations extolling the benefits of immunity from subsequent MAC and RAC audits (limited to the specific claims or extrapolated claims set  covered by the PSAVE audit) is somewhat misleading. The promised immunity from audit does not apply to Unified Program Integrity Contractor (UPIC) / Zone Program Integrity Contactor (ZPIC) audits, which are far more likely than MAC or RA audits for Medicare Part B providers. Moreover, neither CMS nor its contractors (such as Noridian) have the authority to waive liability on behalf of the OIG or the U.S. Department of Justice (DOJ).

VI. Risks Encountered When Opting-Out of the PSAVE Pilot Program:

Should you decide to decline Noridian’s invitation to participate in the PSAVE pilot program, you need to keep in mind that the likelihood of being subjected to a compulsory audit by Noridian, the UPIC / ZPIC or even OIG is quite high.  Your practice’s billing practices have already been identified as problematic.  If targeted in a future non-PSAVE audit, you will lose the ability to conduct a self-audit and any identified overpayment may still be subjected to extrapolation.  Nevertheless, should such an audit lead to unfavorable results, you will still retain the ability to avail yourself of Medicare’s administrative appeal process.  As we have found when appealing an alleged overpayment on behalf of a Part B provider, the ability of a Medicare contractor to correctly conduct a statistical extrapolation of an identified overpayment varies widely from contractor to contractor.  When challenging an overpayment that has been assessed, we regularly challenge the statistical methodology and numerous other errors made by the contractor when it calculated extrapolated damages estimates based on the sample of claims reviewed 

VII.  Conclusion: 

How should you proceed? If your practice is invited to participate in the PSAVE pilot program, you need to carefully consider the risks of choosing to participate in the initiative.  The PSAVE pilot program is merely one of the most recent efforts by CMS to educate providers on their medical necessity, documentation, coding and billing obligations. Although the PSAVE pilot program may advance the agency’s overall goal of reducing Medicare waste, fraud and abuse, there are other more effective, less invasive ways for your practice to integrate and encourage a culture of compliance in your organization.

Adherence to the requirements set out in a well-designed Compliance Program is perhaps a Part B provider’s best approach that can speed up and optimize the proper payment of claims, minimize billing mistakes, and reduce the chances that an audit will be deemed necessary by CMS or one of its program integrity contractors.  The “sampling” of one’s claims on a periodic basis to ensure that the services being billed to the Medicare program qualify for coverage and payment would squarely fall within the “Auditing and Monitoring”  element identified by OIG as one of the seven elements of a provider’s effective Compliance Program.  A “GAP Analysis” of your practice will make it easier to identify any weaknesses in the provision, documentation and submission of your claims for reimbursement by the Medicare program.  If you identify an error when reviewing your claims processes, promptly taking remedial action can often minimize the size and scope of any overpayment that is identified.  The prompt repayment of any overpayments you may have received can also prevent Federal and State auditors from disrupting your practice and conducting their own assessment of your Medicare claims.  Additional risk areas to be considered when reviewing your claims include, but are not limited to:

• What was the source of the referral for services provided by you or another member of your practice?

• Do you or another member of your practice provide something of value in exchange for referrals?

• Do you provide any gifts to patients?

• Are your employees, agents and / or contractors been screened against all Federal and State lists of excluded parties?

• Has the proper level of supervision been exercised in connection with each of the claims billed to Medicare?

Robert W. Liles, M.B.A., M.S., J.D., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Robert represents health care providers and suppliers around the country in connection with Medicare audits by UPICs, ZPICs, MACs, SMERCs and other CMS program integrity contractors.  Our firm also represents healthcare providers in connection with Medicare revocation, suspension and exclusion actions. For a free consultation, please call Robert at:  1 (800) 475-1906.

[1] https://www.census.gov/library/stories/2018/03/graying-america.html

[2] https://www.hhs.gov/sites/default/files/dab/medicare-appeals-backlog.pdf

[3] https://www.cms.gov/Medicare/Medicare-Contracting/Medicare-Administrative-Contractors/Who-are-the-MACs-A-B-MAC-Jurisdiction-F-JF.html

[4] https://www.csmonitor.com/USA/Society/2017/0530/How-data-crunching-is-cutting-down-on-massive-health-care-fraud

Personal Care Services Are Under the Government’s Microscope

(January 22, 2018): The Department of Health and Human Services, Office of Inspector General (HHS-OIG) has conducted numerous audits, evaluations, and investigations involving the provision of “ personal care services ” to Medicaid beneficiaries.  In fact, from 2006 to 2012, HHS-OIG produced more than 20 audit and evaluation reports analyzing various program integrity risks presented when providing personal care services.  Much of this work was summarized in a November 2012 report entitled “Personal Care Services: Trends, Vulnerabilities, and Recommendations for Improvement.” [1] Additionally, last month, HHS-OIG published an Issue Brief highlighting the involvement of State Medicaid Fraud Control Units (MFCUs) in pursuing health care fraud and beneficiary abuse in personal care services programs.

In this article, we have taken the summary information assembled by HHS-OIG in the reports outlined above and combined this information with data collected from the 50 state MFCUs in order to provide an overview of state and federal investigations, indictments, convictions, and recoveries involving fraud, waste, abuse and patient neglect in Medicaid personal care services programs around the country.  Before examining this information, let’s go over a few basics.

I. What Are “Personal Care Services”?

The coverage and scope of a state’s specific personal care services benefit varies from one state’s Medicaid program to another.  Using Texas as an example, prior to 2006, personal care services under Medicaid were only provided to qualified minors with physical disabilities and other medical needs.  Notably, children with cognitive or behavioral disabilities did not qualify for this benefit.  As a result of a class action lawsuit settlement,[2] the Texas Medicaid State plan was amended to cover personal care services for children with disabilities and chronic health conditions enrolled in the state’s Medicaid program. Today, the Texas Department of State Health Services describes “personal care services” as:

“A Medicaid benefit that assists eligible clients who require assistance with activities of daily living (ADLs) and instrumental activities of daily living (IADLs) because of a physical, cognitive or behavioral limitation related to their disability, physical or mental illness, or chronic condition.”[3]

Examples of ADLs that are often provided under the personal care services benefit include bathing, eating, toileting, positioning and transferring, dressing and walking. IADLS provided under the benefit typically include doing laundry, performing light housework, shopping for groceries and preparing meals.  As these tasks and activities reflect, personal care services are non-skilled in nature.  Skilled services provided by nursing personnel do not qualify as personal care services, though they may qualify under some other benefit such as home health.

It is also important to remember that neither ADLs nor IADLs would qualify as covered personal care services if a beneficiary has the physical, behavioral and cognitive ability to perform these tasks and activities without adult supervision.

II. Who Qualifies for Medicaid-Covered Personal Care Services?

Like the service itself, whether a person qualifies for personal care services depends on the specific requirements of each state program. However, using Texas as an example, a beneficiary must:

• Be 20 years or younger and be eligible for Medicaid.
• Have a disability, physical or mental illness, or a health problem that lasts for a long time.
• Have a Practitioner Statement of Need signed by a practitioner (physician, advanced practice nurse, or physician assistant) who has examined you in the last 12 months.
• Need help with ADLs and IADLs based on the Personal Care Assessment Form (PCAF).
• Provide a reason why your guardian cannot help you with ADLs and IADLs.[4]

III. Trends in Medicaid Personal Care Service and MFCUs: 

Between 2012 and 2015, Medicaid spending on personal care services jumped from $10.9 billion to $13.3 billion.[5] As a result, MFCUs have increasingly been tasked with investigating and prosecuting Medicaid provider fraud and patient abuse and neglect within healthcare facilities. Despite being only one of 80 types of providers regulated by MFCUs, personal care service providers constituted 38% of their indictments and 34% of their convictions. During this period indictments and convictions related to fraud by personal care service providers increased 56% and 33% respectively. In the year 2015, cases of fraud by personal care service providers constituted 12% of all MFCU investigations. Overall these trends indicate that MFCUs are concerned with the vulnerability of Medicaid beneficiaries and are more aggressively targeting personal care service providers.

IV. Current Systemic Weaknesses Facilitate Fraud, Abuse, and Neglect:

Throughout last month’s report, HHS-OIG highlighted many of the weaknesses of the current model of Medicaid personal care service oversight. Presently, there are no federal training or educational requirements for personal care service attendants so the quality of personal care services provided from one caregiver to another can vary greatly.  Additionally, thorough background checks are not consistently required.  As a result, there have been a number of instances where habitual offenders have been found to have exploited beneficiaries under their care.

Another issue of concern is that thorough documentation is not required for Medicaid personal care services, leading to the ability of an attendant to charge for services that did not occur or for time in which the attendant and beneficiary where not even in the same location. Aside from creating a window of opportunity for fraud, this also allows for personal care service attendants to neglect their beneficiaries. In the past, this scenario has led to the death of a beneficiary.  Lack of oversight also shifts the burden to report on to the beneficiary. Thus, mental and physical handicaps of beneficiaries leave them vulnerable as reporting may be rather difficult. Due to federal regulations, MFCUs are also unable to investigate or prosecute cases of abuse or neglect by in-home/community personal care service providers.

As a consequence of these systemic issues, despite being the best equipped agency to take on this task, MCFUs do not receive funding for this and are forced to refer such cases to other agencies that may be less effective in investigating and prosecuting these cases. Overall, the current model is vulnerable to fraud and leaves beneficiaries vulnerable to abuse and neglect.

V. Improper Payments to Personal Care Service Providers Will Lead to Investigations:

An improper payment is any payment that is made that, according to federal and/or state laws, should not have been made. The inconsistency in state rules and the lack of depth of federal rules complicates the generalization of improper payments. According to an audit of state Medicaid programs by HHS-OIG, the most common types of improper personal care service payments are:

• Claims paid without supporting documentation.
• Services provided and billed that are ineligible for Medicaid reimbursement.
• Services provided without required supervision.
• Services provided by an unqualified attendant.
• Services provided by an attendant without proper verification of required qualifications.
• Payments made for care while the Medicaid beneficiary was in an institution.

It is important to note that improper payment is not the same as fraud. Improper payments are considered a result of error and a personal care service provider is required to return the overpayment as soon as the improper payment is discovered and may face further consequences. While self-disclosure of improper payments is considered an act of good faith, the nature of the improper payment may lead into an investigation into potential waste, fraud, and/or abuse.[6]

VI. What is Personal Care Services Fraud?

The vulnerability of the current personal care services system to fraud has made these services a significant concern for MCFUs around the country. Many of the fraud cases brought in recent years have involved instances of billing for services not rendered to a Medicaid beneficiary.  Examples of this type of improper conduct has included instances when:

• A Medicaid beneficiary was on a vacation.
• A Medicaid beneficiary was in an institution.
• A Medicaid beneficiary was documented to be without the personal care attendant by another healthcare provider.
• The personal care aide or attendant was documented to be working elsewhere at the time.
• The Medicaid beneficiary was deceased at the time personal care services were billed.

Often, wrongdoers have committed this type of fraud by having a Medicaid beneficiary sign off on blank time sheets in advance of services that are to be provided. While the Medicaid beneficiary is typically unaware of the fraudulent intentions of the personal care attendant, there have been cases where the personal care services attendant has made an agreement to share profits with the beneficiary or a family member of the beneficiary in order to obtain a signed blank time sheet.

While fraud is often committed by individual personal care aides or attendants, a personal care services agency can be held accountable if it is aware of the attendant’s fraudulent billing practices. One investigation in Alaska led to the criminal prosecution of over 40 individuals for fraud.[7] In that case, the personal care services agency was aware that employees were submitting falsified timesheets in addition to charging Medicaid for services rendered by excluded individuals.

VII. Personal Care Services Fraud Investigations:

Personal care services fraud has been an increasing concern of MCFUs. As expected, the amount of criminal investigation into personal care services fraud has risen over the 2015 and 2016 fiscal years, with a total of 1,929 individual personal care services attendants and 250 personal care services agencies being investigated for fraud at the end of 2016.[8] Convictions have risen slightly over those 2 years, with 464 individual personal care aides and attendants and 36 personal care services agencies convicted of criminal fraud charges in 2016. Overall, personal care service fraud appears to more commonly perpetrated by individual personal care service attendants, though agencies are certainly being held responsible for their role in personal care services fraud.

Table 1: The number of open investigations into personal care services fraud by agencies and attendants at the close of the 2015 and 2016 fiscal years.

Table 2: The number of criminal convictions and civil court settlements/judgements for personal care services fraud in the 2015 and 2016 fiscal years.

VIII. Recoveries from PCS Fraud Cases:

Despite an increase in civil settlements and judgements, the total amount recovered through settlements decreased substantially for both PCS attendants and PCS agencies. The result of criminal convictions has been markedly different. In the fiscal year 2016, a total of 464 PCS attendants were convicted of PCS fraud compared to only 36 agencies.[11] While personal care attendants constitute the overwhelming majority of convictions, approximately 45.8% of the amount recovered in 2016 came from personal care service Agencies. From fiscal year 2015 to 2015, the amount of PCS agencies convicted increased by 63.6%, from 22 to 36. In the same period, the amount recovered from criminal convictions of PCS agencies more than doubled, from $1,718,223 to $4,108,575. Thus, it is evident that PCS agencies are increasingly being held responsible for their role in PCS fraud.

Table 3: The amount of money recovered in personal care services fraud cases in the 2015 and 2016 fiscal years.

 IX. What is Abuse or Neglect of a Beneficiary?

The current system leaves beneficiaries vulnerable to abuse. Abuse has cases revolve around incidents in which a personal care services attendant causes physical harm to the beneficiary. In a case in Florida, a personal care attendant was fired and later charged with elderly abuse after repeatedly striking, pinching, and pulling at an elderly individual and leaving bruises on the individual.[13] However, abuse is not always physical. Abuse also includes harm done by theft, in which personal care service attendants take advantage of their beneficiaries and steal valuable items from them. In one case, a personal care service attendant at an assisted living facility stole nearly $10,000 from beneficiaries.[14] In another, an attendant stole two guitars from a beneficiary and sold the guitars to a local music shop.[15] When the attendant became aware of the beneficiary’s intent to contact authorities, the attendant returned the items. In the end, the attendant was still charged with fourth degree larceny.

Drug diversion is a serious abuse prevalent in personal care service that goes beyond theft and extends into physical harm as well. In addition to the monetary loss, the beneficiary is losing the treatment they require. For many, especially in hospice care, the use of opioids is used to manage pain. When attendants take these medications, they leave the beneficiaries suffering. In one case, an attendant began to switch a beneficiary’s hydrocodone with acetaminophen, leaving the patient suffering until the attendant’s drug diversion was discovered. In addition to leaving patients suffering, the use of substitute substances and potentially unsterile equipment puts the beneficiary at risk of serious harm or death.

Neglect is defined as “the failure or omission on the part of a caregiver to provide the care, supervision, and services necessary to maintain the physical and mental health of a disabled adult or elderly person that a prudent person would deem essential for the  well-being of the patient.” Neglect is serious, as the lack of adequate care or supervision of vulnerable individuals can be fatal. In one case, a personal care service attendant did not provide the services that were billed for an entire week, leaving the beneficiary hospitalized due to malnourishment and dehydration.[16] In another case, a personal care service attendant took a mentally handicap person to a crowded shopping area and lost the individual on a winter day in Philadelphia. The attendant did not immediately seek out the beneficiary nor did the attendant contact authorities in a prompt manner. The beneficiary was later found dead due to hypothermia. Neglect can also stem from fraud. In one case in Arkansas, a personal care service attendant billed Medicaid for services rendered to a beneficiary while frequenting Casino.[17] The attendant’s neglect led to malnourishment and dehydration, eventually leading to the death of the beneficiary.

X. Investigating Abuse or Neglect of a Beneficiary:

Despite the desire of MCFUs to investigate abuse or neglect, allegations are not investigated as often and extensively as they would like due to a lack of federal and state funding to do so. From the close of the 2015 fiscal year to the close of the 2016 fiscal year, open investigations into Abuse or neglect of a beneficiary decreased marginally from 254 to 252 investigations.[18] This marginal decline indicates the limitations placed on MCFUs ability to investigate abuse or neglect of beneficiaries. All of these investigations were criminal. In the same period, criminal convictions for abuse or neglect raised from 44 in 2015 to 52 in 2016. In 2015, there was one civil court settlement for abuse or neglect by a personal care service attendant. Overall it appears that MCFUs are becoming increasingly serious about addressing abuse or neglect by personal care service attendants and will continue to do what they can within their means to address the issues.

Table 4: The number of open investigations into abuse or neglect by personal care service attendants at the close of the 2015 and 2016 fiscal years.

Table 5: The number of criminal convictions and civil court settlements/judgements for personal care service abuse or neglect cases in the 2015 and 2016 fiscal years.

 XI. Recoveries from Abuse or Neglect Cases:

As can be expected by the findings of the recent HHS-OIG issue brief, convictions of abuse or neglect of a beneficiary only increased by 8 convictions in 2016, an 18% increase from the 2015 fiscal year. This again highlights the limitations placed of MFCUs in addressing abuse or neglect of beneficiaries. However, the total amount recovered in these cases more than tripled from the 2015 to the 2016 fiscal year, from $71,817 in 2015 to $247,972 in 2016. This substantial increase in recoveries again suggests that MFCUs are increasingly serious about addressing abuse or neglect of beneficiaries.

Table 6: The amount of money recovered in personal care service abuse or neglect cases in the 2015 and 2016 fiscal years.

XII.  HHS-OIG Recommendations:

The recommendations made by HHS-OIG are aimed at creating greater state oversight of personal care services provided by aides and attendants to Medicaid beneficiaries. These recommendations include measures such as:

• Creating an enrollment or registration process for attendants.
• Requiring comprehensive background checks for personal care service attendants
• Mandating greater documentation requirements for personal care service attendants, including details such as time of service and services provided.
• Requiring beneficiary case managers to conduct more in-home/community supervisory visits.
• Establishing mandatory training or educational standards for personal care service attendants.
• Cross-referencing personal care service attendant and beneficiary locations to prevent fraudulent billing.
• Federal funding for investigations and prosecutions of abuse or neglect by in-home/community personal care service agencies.

The current model provides too much opportunity for fraudulent, negligent, and abusive behavior by agency providers to be overlooked. These reforms could effectively deter personal care service providers from engaging in fraudulent, abusive, or negligent behavior by making them aware of the consequences of such behavior. In addition, these reforms would make it easier for MFCUs to effectively hold all personal care service providers accountable for their actions.

XIII.  Conclusion:

At present, despite efforts from personal care agencies to better screen their staff, Medicaid beneficiaries are still finding themselves subject to fraud, abuse and / or neglect by a significant number of individual personal care service aides and attendants each year. Unfortunately, fraud, abuse and / or neglect by personal care service aides and attendants will likely continue to be a major concern until the further safeguards are taken by both personal care agencies and regulators to better protect Medicaid beneficiaries.

In addition to conducting standard due diligence, as an owner of a personal care services agency, it is especially important that you screen your applicants (before hire), employees, vendors and contractors, against all Federal and State exclusion databases, every 30 days.  We recommend that you contact the folks at Exclusion Screening to get this accomplished.  They can be reached at www.exclusionscreening.com

Robert W. Liles, J.D., M.B.A., M.S., serves as Managing Partner at Liles Parker, PLLC.  Liles Parker is a health law firm representing personal care agencies and other health care providers around the country in connection with Medicare, Medicaid and private payor audits.  For a complimentary consultation, give Robert a call at: (202) 298-8750.

[1] As mandated by Public Law 95-452, HHS-OIG’s mission is to “protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs.”  HHS-OIG’s report entitled “Personal Care Services: Trends, Vulnerabilities, and Recommendations for Improvement” (OIG-12-12-01).

[2] Alberto N. et al. v. Hawkins. (No. 6:99-cv-00459) May 19, 2005.  EDTX, Tyler Division.

[3] https://www.dshs.texas.gov/region1/documents/tmp-personalCareservices.pdf

[4] https://www.dshs.texas.gov/caseman/pcs.shtm

[5] https://oig.hhs.gov/oei/reports/oei-12-16-00500.pdf

[6] “Waste” occurs when unnecessary services are provided that lead to a waste of resources, such as when more hours of services are rendered than are necessary. “Fraud” is defined at 42 C.F.R. §433.304 as “(in accordance with §455.2) . . . an intentional deception or misrepresentation made by a person with knowledge that the deception could result in some unauthorized benefit to himself or some other person. This includes any act that constitutes fraud under applicable Federal of State law.” “Abuse” is defined is defined at 42 C.F.R. §455.2 as “provider practices that are inconsistent with sound fiscal, business, or medical practices, and result in an unnecessary cost to the Medicaid program, or in reimbursement for services that are not medically necessary or that fail to meet professionally recognized standards for health care. It also includes beneficiary practices that result in unnecessary cost to the Medicaid program.”

[7] https://oig.hhs.gov/reports-and-publications/portfolio/ia-mpcs2016.pdf

[8] https://oig.hhs.gov/oei/reports/oei-09-17-00210.pdf

https://oig.hhs.gov/oei/reports/oei-07-16-00050.pdf

[9] Ibid.

[10] Ibid.

[11] Ibid.

[12] Ibid.

[13]http://www.myfloridalegal.com/newsrel.nsf/newsreleases/8A86BFE3E705BD60852580D5006CC686

[14] http://www.fox9.com/news/caregiver-admits-to-stealing-thousands-in-cash-jewelry-from-elderly-patients

[15] https://www.nbcconnecticut.com/news/local/Personal-Care-Attendant-Accused-of-Stealing-Guitars-from-Client-in-Southington-464400253.html

[16] https://oig.hhs.gov/reports-and-publications/portfolio/ia-mpcs2016.pdf

[17] http://www.swtimes.com/news/caretaker-arrested-fort-smith-man-s-death?start=6

[18] https://oig.hhs.gov/oei/reports/oei-09-17-00210.pdf

https://oig.hhs.gov/oei/reports/oei-07-16-00050.pdf

[19] Ibid.

[20] Ibid.

[21] Ibid.

Michael Cook appointed to serve on Virginia’s Medicaid Policy Council

(January 2, 2018):  Congratulations to our very own Michael Cook who has been appointed to serve on the Virginia Medicaid Policy Council for Health and Human Resources. In this role, The Council’s role is to provide recommendations on policy issues involving the programs operated by the Department of Health and Human Resources as part of the transition.

Next Page »