Liles Parker PLLC
(202) 298-8750 (800) 475-1906
Washington, DC | Houston, TX
San Antonio, TX | Baton Rouge, LA

We Defend Healthcare Providers Nationwide in Audits & Investigations

Is ePHI Encryption Required? The Failure to Properly Protect ePHI Can be Quite Costly.

(June 27, 2018):  Violations of the Health Insurance Portability and Accountability Act (HIPAA), where a Covered Entity[3] has failed to utilize ePHI encryption can be quite costly. The loss of unencrypted electronic media containing Protected Health Information (PHI)[1] can result in big fines as one Texas medical center has recently learned the hard way.  As a case ruling issued earlier this month reflects, the University of Texas MD Anderson Cancer Center (MD Anderson) was fined $4.3 million for their loss of two unencrypted USB drives and theft of an unencrypted laptop.  This article examines this case in more detail and discusses your obligations to protect electronic PHI (ePHI) from improper disclosure or access by unauthorized persons.

I.  Is ePHI Encryption Required by Covered Entities?

The Department of Health and Human Services (HHS) oversees compliance and enforces HIPAA’s sanctions for noncompliance through its Office for Civil Rights (OCR).  In cases involving possible criminal conduct, the OCR works with the Department of Justice (DOJ).

The HIPAA Omnibus Rule has changed the enforcement provisions.[2] Previously, the agency had discretion in choosing whether to investigate complaints or potential violation in cases where the Agency’s preliminary review reveals a possible violation due to willful neglect.  Now, the agency is required to initiate a formal investigation when a party appears to have exhibited willful neglect.  If an investigation is performed, it may include a review of pertinent policies, procedures, or practices of the Covered Entity and the circumstances of the alleged violation.  Documentation and evidence of compliance are key to ensuring no penalties are assessed by OCR.

Notably, the HIPAA Omnibus Rule modified HIPAA’s Privacy, Security and Enforcement Rules in order to implement the statutory amendments set out under the Health Information Technology for Economic and Clinical Health Act (HITECH).  Under HITECH, a Covered Entity is required to conduct a comprehensive “security risk analysis” of the administrative, physical, technical and operational aspects of your organization.  For each category, the Security Rule establishes both required and addressable implementation specifications.

Implementation specifications that are identified as required must be fulfilled by a Covered Entity.  The failure to implement required specifications will be automatically deemed to be a failure to fully comply with the requirements of the HIPAA Security Rule.  In contrast, specifications that are identified as addressable must only be implemented if, after a risk assessment, the Covered Entity has concluded that compliance with the specification is a reasonable and appropriate security risk safeguard for handling PHI and ePHI.

Contrary to popular belief, Covered Entities are not mandated by law to encrypt ePHI.  As the security risk assessment implementation specification covering encryption is expressly noted as an addressable specification, it is not required.  As 45 C.F.R. §164.312(a)(2)(iv)[4] expressly provides:

 “(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.”

Clear as mud?  If you are still confused as to your obligations, you aren’t alone.  Although you may determine that it would be reasonable for you to NOT encrypt a certain set of ePHI, you need to keep in mind that if there is a potential breach (through loss, theft, negligence, etc.) the OCR will be second-guessing your decision-making in this regard.

II.  The Encryption “Safe Harbor”:

Section 13402 of HITECH extended the privacy provisions of HIPAA by requiring that Covered Entities and their business associates notify affected individuals after discovering breaches of unsecured PHI.[5] Breach, in this case, means the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information.[6] Generally, incidents within the Covered Entity (between employees) or unintentional disclosure to a business associate are not breaches. Thus, if an employee sends an email inappropriately but in good faith containing PHI to a co-worker and neither employee shares it with others, it is not a breach. If the email goes to someone who is not an employee of the entity or a business associate, it may well be.

Furthermore, the breach notification requirements apply only to “unsecured PHI— meaning PHI that is not secured through the use of technology or methodology specified by the Secretary, such as encryption or destruction that renders the paper unusable, unreadable, or indecipherable.[7]  Therefore, if a Covered Entity encrypts information to comply with the Security Rule and subsequently discovers a breach of that information (through loss, theft, accidental delivery to the wrong person, etc.), the Covered Entity is not required to provide notice of the breach.  If the information is protected through a firewall or some other means not approved by the Secretary, then notification would be required for a breach.  To ensure encryption keys are not breached, they should be kept on a separate device from the data to which they apply.

III.  The MD Anderson Case:

In the MD Anderson case, the cancer center supposedly lost two unencrypted flash drives and experienced the theft of an unencrypted laptop.  Collectively, the devices were estimated to have contained the PHI of approximately 33,500 patients. The OCR alleged that the cancer center did not comply with regulatory requirements by:

“(1) failing to perform its self-imposed duty to encrypt electronic devices and data storage equipment; and (2) it allowed ePHI to be disclosed. “

Pursuant to 45 C.F.R. pt. 160 and 45 C.F.R. pt. 164, subpts. A, C, D, and E, Covered Entities are generally required to:

“ensure the confidentiality, integrity, and availability of all ePHI that the entities create, receive, maintain, or transmit; protect such information against any reasonably anticipated threats or hazards to its security; protect ePHI against any reasonably anticipated impermissible uses and disclosures; and ensure compliance with these requirements by their workforces.”

While the cancer center had policies and procedures for maintaining the safety of ePHI, it was alleged that they did not implement those as required by 45 C.F.R. § 164.312(a)(1).  MD Anderson argued that they satisfied this regulation because there were technically policies and procedures put in place to allow PHI to be encrypted.  MD Anderson’s procedures for protecting ePHI included:

  1. Password protection of all computers and portable computing devices accessing potentially confidential information;

  2. A requirement that confidential or protected data stored on portable computing devices must be encrypted and backed up to a network server in the event of a disaster or loss of information;

  3. Annual employee training event that provided its employees with training in areas that included ePHI transmission and proper disposal; a prohibition against password sharing; a discussion of password necessity and integrity; an explanation of authorized and proper use of information systems, and training about information security resources.

Unfortunately, MD Anderson’s policies and procedures in this regard were shown to be incompletely or ineffectively implemented. The laptop and two USB drives in question were not encrypted as required by the cancer center’s policies and procedures.  MD Anderson’s attempts to ensure implementation of its ePHI protection policies and procedures were characterized as “half-hearted” by the ALJ handling the case.  MD Anderson was found to have delayed the encryption of devices and, after years, only proceeded slowly with the implementation of the encryption policy claiming financial issues were to blame.

The laptop in question was being used by a telecommuting employee as work computer and it was neither encrypted nor password protected. The laptop was stolen from the home of the employee and the ePHI was vulnerable although no breeches in the security of the patients concerned in the PHI resulted.  The first USB concerned was lost by a trainee while on an employee shuttle bus. The second USB was lost by a visiting researcher.

The OCR considered the theft of the laptop and the losses of the USB flash drives to be unlawful disclosures of ePHI because these actions constituted the “release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.”

IV.  Defenses Raised by MD Anderson:

In its defense, the cancer center raised a number of arguments before the ALJ, several of which are outlined below.

  • As a State Entity, MD Anderson is Not a “Person” as Defined Under HIPAA.  In addition to arguing that the Secretary, HHS had acted beyond the authority of the position, MD Anderson also argued that as an entity of the State of Texas, it did not constitute a “person” and was therefore not covered under HIPAA.  The ALJ disagreed.
  • The Penalties Assessed by the Secretary Were Excessive.  Secondly, MD Anderson argued that any penalties assessed should be capped at $100,000 per year.  The cancer center also cited 45 C.F.R. § 160.546(b) and asked that the ALJ reduce the assessed penalties to below the statutory cap.  Notably, the ALJ refused to lower the penalties imposed by the Secretary, HHS, claiming that doing so would “constitute an end run around the Secretary’s intent as expressed in the regulation.”[8] The ALJ also cited 45 CFR 160.408 which allows aggravating factors such as the general pursuit of justice to dictate fine amounts.  Additionally, MD Anderson also claimed that the high penalties imposed were a violation of the excessive fines provision outlined in the 8th Amendment.  Not surprisingly, the ALJ responded that it did not have the authority to consider the constitutionality of the ruling.  Each of MD Anderson’s arguments were addressed in the ALJ’s decision.
  • The Theft and Loss of Devices Do Not Constitute a “Disclosure” Under HIPAA. MD Anderson further argued that stolen or lost property cannot constitute a “disclosure” of sensitive material mainly because there is no evidence the PHI was viewed by anyone. However, the mere fact that the PHI was compromised and rendered vulnerable to viewing by an unauthorized person was deemed enough to constitute a disclosure in violation of HIPAA. Finally, the cancer center argued that the behavior of the individuals who lost USB drives was unsanctioned along with the actions of the thief.  Therefore, there was no basis to hold MD Anderson responsible for these unauthorized acts.  Not surprisingly, the ALJ disagreed, holding that although the employees may have disobeyed MD Anderson’s policies, the actions of transporting the data were within the scope of their official duties.
  • The OCR Has Failed to Apply HIPAA’s Regulations Consistently.  Among concern by the Texas Cancer Center that their key arguments were not seriously considered, there was also concern that the OCR’s enforcement of HIPAA regulations is not transparent or consistent[9]. With the Texas Cancer Center’s fine being the 4th largest ever upheld, there seems to be merit to the claim that regulations are not being consistently or fairly enforced. For example, in a 2010 case involving Rite Aid, the large national drug store chain agreed to pay $1 million to settle HIPAA privacy violations after several of its pharmacies were videotaped disposing of prescription pill bottle labels which contained identifying information into dumpsters with public access[10]. It seems odd when comparing the two cases that one of the nation’s largest drug store chains was fined less than one quarter of the amount of fines assessed against MD Anderson for the violations discussed above.

V.  Next Steps for MD Anderson:

MD Anderson Cancer Center has expressed plans to appeal the ALJ’s ruling[11]. The cancer center feels not only that the $4.3 million in fines is too much but that the ruling does not take into account the policy and procedure the center had already created. At the end of the day, however, it isn’t the availability of a mechanism to keep ePHI safe that matters but that strong efforts are made to ensure ePHI is actually being protected. Failing to carry out policy and procedure can bring serious fines.

VI.  Steps You Can Take to Comply with Your Obligations Under HIPAA and HITECH:

  • Compliance Officer. Appoint a Compliance Officer for your organization.
  • Breach Insurance. Review your options for purchasing insurance to cover any damages and penalties that may result from an unintentional breach or unauthorized disclosure.
  • Notice of Privacy Practices. Ensure that an updated Notice of Privacy Practices is in place.
  • Patient Consent Form. Ensure that an appropriate “Patient Consent Form” is in place.
  • Business Associate Agreements. Ensure that an appropriate “Business Associate Agreement” is in place with each of the outside entities with whom you use or disclose PHI. Additionally, check with your business associates and verify that they understand their obligations and will only provide any subcontractors access to your ePHI with your permission. Will you require that your business associate obtain breach insurance?
  • Policies and Procedures. Review and update all of your policies and procedures required to meet your obligations under HIPAA and HITECH to comply with the law and implement safeguards to protect the integrity of the individually identifiable health information under your control:
    • Privacy Rule;
    • Security Rule;
    • Enforcement Rule;
    • As mandated in connection with your Security Risk Analysis;
    • Other policies and procedures needed to address risks involving social media, using your own cell phones, telecommuting, etc.
  • ePHI Encryption. Review your operational practices to ensure that ePHI is encrypted to prevent improper use or disclosure. Although encryption may not be mandated, it is essential if you are trying to reduce your organization’s level of risk.
  • Backup Procedures.  Review your backup procedures and ensure that in the event of a disaster or other unforeseen event, a complete encrypted copy of your patient’s ePHI is safely maintained.
  • Security Risk Analysis. Perform / update the Security Risk Analysis of your organization and assess any outstanding specifications that still need to be met. Additionally, review the risks and vulnerabilities of a potential breach and / or the wrongful disclosure of ePHI.
  • Employee Training. Ensure that all of your staff is trained on their obligations to comply with HIPAA’s requirements under the law.  Furthermore, ensure that all new members of your staff are trained on their obligations under the law within 30 days of entering on duty.
  • Minimum Necessary. Review your use and disclosure practices to ensure that the minimum necessary standard is being met.
  • Breach Response Plan. Develop a breach response plan (including, but not limited to breach notification when needed, analysis of the cause of the breach, remedial steps and any additional staff training that may be needed), to better ensure that your organization can effectively respond to a breach incident.

Robert Liles represents health care providers in RAC and ZPIC appeals.Robert W. Liles serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Is your organization dealing with a potential HIPAA breach or unauthorized disclosure?  For a free initial consultation, contact Robert or one of the other attorneys at Liles Parker.  1 (800) 475-1906.


[1] The term “Protected Health Information” (PHI) covers individually identifiable health information that is transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium. The rules do not include “de-identified information,” individually identifiable information where all 18 identifiers have been removed.  Such information can be used without restriction or patient authorization. The following table describes the identifiers that must be removed in order to qualify as de-identified information.

18 Individual Identifiers
1Names10Account numbers
2All geographic subdivisions smaller than a state, except for the initial three digits of a ZIP code if the geographic unit formed by combining all ZIP Codes with the same 3 digits contains more than 20,000 people. 


 Certificate or license numbers

All elements of dates, except year, and all ages over 89 or elements indicative of such age

12Vehicle identifiers or serial numbers, including license plates
4Telephone numbers13Device identifiers and serial numbers
5Fax numbers14URLs
6E-mail addresses15IP addresses
7Social Security numbers16Biometric identifiers, like voice and fingerprints
8Medical record numbers17Fullface photography or comparable images
9Health plan beneficiary numbers



Any other unique, identifying number, characteristic, or code, excepted as permitted for re-identification in the Privacy Rule

[2] 78 Fed. Reg 5566 (Jan. 25, 2013), available at (last accessed June 2018).

[3] A “Covered Entity” is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a standard transaction

[4] 45 C.F.R. §164.312(a)(2)(iv).

[5] For additional information, see the Breach Notification Final Rule Update, available at (last accessed April 2018).

[6] 45 C.F.R. § 164.404.

[7] 45 C.F.R. § 164.402.






An Overview of Administrative Rheumatology Audits / Adverse Actions AND Civil / Criminal Enforcement Actions

Rheumatology Audits are Increasing Around the Country.(May 20, 2018):  It’s been a rough week for at least one Texas rheumatologist.  Last Monday, the U.S. Attorney’s Office for the Southern District of Texas announced the indictment of a South Texas rheumatologist for multiple counts of health care fraud and one count of conspiracy to commit money laundering.  The magnitude of the alleged fraud is daunting — the government has estimated the size of the fraud at approximately $240 million Commenting on the case, John P. Cronan, Acting Assistant Attorney General for the Justice Department’s Criminal Division stated that the physician:

“. . . violated his oath to do no harm by administering unnecessary chemotherapy and other toxic medications to patients with serious diseases — including some of the most vulnerable victims imaginable — are almost beyond comprehension.”

The defendant is alleged to have “misdiagnosed” numerous patients, some of which were vulnerable individuals who were young, elderly or disabled.  Four of the five counts of health care fraud in the indictment are alleged to arise out of the defendant’s “False Diagnosis of Rheumatoid Arthritis.”  You may wonder, how does something like a false diagnosis happen?  Unfortunately, diagnosing a patient with rheumatoid arthritis isn’t as straight-forward as it may seem from reading the government’s indictment.  There isn’t a single test that can be run to determine whether a patient has this diagnosis.  Instead, a physician has to take into consideration a patient’s symptoms, blood and diagnostic test results (none of which are definitive on their own), and a patient’s family and prior medical history.  Taken collectively, a physician will typically use this information and apply industry-accepted diagnostic criteria.  Regardless of how this case ends up being resolved, rheumatologists around the country should take note of the concerns that the government has raised. While this case currently dominates the headlines, it is important to keep in mind that this isn’t the first time that law enforcement has focused its attention on rheumatologists.  Far from it.  This article provides an overview of cases that have been brought against these specialty practices and will cover a number of steps that a rheumatologist can take to reduce his / her level of risk.

I.  Overview of Administrative Adverse Actions and Rheumatology Audits Against Physicians and Rheumatology Practices:

Administrative adverse actions against rheumatologists can take a number of forms, including, but not limited to: licensure actions, exclusion actions, and administrative claims audits.

A.  Texas Medical Board Disciplinary Actions.

As illustrated in this first case, it is imperative that rheumatologists fully document their mental impressions and the reasoning behind diagnostic conclusions reached.    

  • Texas Physician Failed to Properly Document Objective Medical Evidence to Support a Rheumatology Diagnosis.

In this case, the Texas Medical Board (Board) entered into an Agreed Order[1] with a physician alleged to have violated the standard of care in a number of cases.  More specifically, the Board alleged that the physician provided treatment that was inappropriate and nontherapeutic. Additionally, the physician was alleged to have failed to perform adequate testing and document objective medical evidence to support his diagnosis for several patients.  Under the Agreed Order, the Board required that the physician submit the medical records of all of his rheumatology patients to a Board-approved rheumatologist for monitoring purposes for a set period of time.  The physician was also required to complete 24 hours of CME (four hours in medical record-keeping and 20 hours in rheumatology). How can you avoid committing these types of licensure violations? When documenting your medical decision-making process, Texas rheumatologists need to ensure that their medical records comply with both the applicable standard of care[2] AND fully meet the documentation mandates outlined in the Texas Administrative Code, Title 22, Part 9, Chapter 165. Medical Records §§165.1-165.6.[3]

B.  OIG Exclusion Actions.

As early as 1977, the Department of Health and Human Services (HHS) has been “excluding” individuals and entities from participation in Federal health benefits programs.  The HHS, Office of Inspector General (OIG) assumed responsibility for taking these administrative actions in 1981.[4]  What is an exclusion?  Simply put, if an individual is subjected to an adverse licensure action[5], is convicted of certain crimes, or has engaged in other specific enumerated conduct[6], he / she may be excluded from participation in Federal health benefits programs. It is important to keep in mind that an excluded party is not merely barred from participating in Medicare, Medicaid and other Federal health benefit programs.  Excluded parties may not even work for an organization that participates in these government health benefit programs.  There are two types of exclusion actions that are taken by the OIG.  “Mandatory” exclusion actions must be imposed by the OIG if an individual or entity is convicted of certain crimes.  In contrast, the OIG exercises the authority to impose or to waive certain exclusion actions that may be triggered by one or more other violations.  These types of exclusion actions are “Permissive” in nature.

As of April 2018, there are a total of 69,875 individuals and entities named in the List of Excluded Individuals and Entities (LEIE) maintained by the OIG.  The LEIE is one of 40 various databases that are supposed to be checked every 30 days[7] by providers in order to better ensure that no excluded parties have been hired. Of the 69,875 excluded individuals and entities currently on the LEIE, only five are specifically identified as physicians specializing in rheumatology.  Nevertheless, it is difficult to fully assess the number of physicians on the list that provide rheumatology services because of the limitations in the specificity of OIG’s database.  As we will see below, a number of the cases brought against rheumatologists for criminal conduct would undoubtedly require mandatory exclusion, in addition to any civil and criminal sanctions that may have been imposed.

C.  Administrative Rheumatology Audits by ZPICs and UPICs.

As a participating provider in Medicare’s Part B program, rheumatologists and their practices are subject to prepayment audit by a number of federal, state and private payor audit entities.  If your practice is placed on prepayment audit by a Medicare contractor, you may want to know how you ended up on the auditor’s radar.  We have repeatedly heard of instances where a Medicare contractor has told the practice that their placement on prepayment review was the result of a “random audit.”  Despite their assurances to the contrary, physicians should keep in mind that virtually NONE[8] of the Medicare audits we have seen are truly random.  The following Federal Register issuance included agency comments that confirm what we have all thought, CMS and its contractors do not conduct random prepayment audits of health care providers.  As CMS expressly set out in the Federal Register:

“Although section 934 of the MMA sets forth requirements for random prepayment review, our contractors currently do not perform random prepayment review. However, our contractors do perform non-random prepayment complex medical review. We are cognizant of the need for additional rulemaking should we wish our contractors to perform random review.”

How is a rheumatology practice targeted for an audit?  As the Centers for Medicare and Medicaid Services (CMS) has expressly noted in Chapter 2, Section 2.3 of the Medicare Program Integrity Manual (MPIM):

“Claims data is the primary source of information to target abuse activities.”

Utilizing this data, Medicare program integrity contractors employ predictive modeling and data mining to identify rheumatology care, treatment, coding and billing practices that would be considered “outliers” when compared to the utilization, coding and billing practices of their peers.  In the first quarter of 2018, we have already seen evidence that law enforcement, government agencies and their contractors are continuing to rely on data mining for targeting purposes.  How do your utilization, coding and billing practices compare to those of your peers?  No idea?  Now is the time to find out! Rheumatology audits are actively being conducted by Zone Program Integrity Contractors (ZPICs) and Uniform Program Integrity Contractors (UPICs) around the country.

Other sources of an audit include complaints by beneficiaries, overpayment data, referrals from other Medicare program integrity contractors, and reports published by OIG and Government Accounting Office (GAO) of specific improper coding and billing practices that they identified. Several of the specific issues identified in ZPIC and UPIC audits of rheumatology-related claims that we have defended have included:

  1. Failure to Document a Diagnosis of Arthritis. The alleged failure to document a diagnosis of arthritis has been cited as a basis for taking action in ZPIC and UPIC administrative audits, Texas Medical Board disciplinary actions, civil False Claims Act cases and criminal prosecutions of rheumatologists.  As discussed in more detail in our discussion of rheumatology audits, this denial reason is subject to considerable dispute.  Unfortunately, there isn’t a single “test” or “symptom” that can be relied on by a physician when diagnosing a patient with rheumatoid arthritis, ankylosing spondalytis or a host of other rheumatic diseases.  Instead, a physician often relies on his / her professional experience and knowledge when diagnosing a patient with one of the conditions.  This problem is further exacerbated by the fact that CMS and its contractors have not issued specific guidelines (in the form of National Coverage Determination (NCD) or Local Coverage Determination (LCD) guidance) that outlines precisely what the government expects to see in order for a diagnosis to be properly documented.  Ultimately, a physician will need to show that the diagnosis has been based on accepted criteria such as 2010 American College of Rheumatology / European League Against Rheumatism Classification Criteria for Rheumatoid Arthritis.”[9]

  2. Failure to Properly Document the Evaluation and Management (E/M) Level of the Visit. Despite the fact that specific guidance (1995 and 1997 E/M Guidance) on how Medicare E/M claims are supposed to be documented, coded and billed, many physicians still apply the less-specific, incorrect guidance set out in the AMA’s CPT Codebook.  When audited, Medicare program integrity contractors have often downcoded (or in some case, denied in their entirety) E/M claims.  (Although the AMA CPT Codebook is applicable when billing E/M services to private payors, the 1995 and 1997 E/M Guidance first issued by HCFA should be used as the proper measuring tool for Medicare claims).

  3. Failure to Fully Document a Patient’s Condition. ZPICs and UPICs are regularly denying claims on the basis that a physician’s physical examination of the patient does not document the specific joints where swelling has been identified, the extent a patient’s range of motion has been impacted, the level of pain cited by a patient, and the duration of the patient’s painful condition.

  4. Failure to Document the Medical Necessity of Biologics Used in Infusions. Not surprisingly, in large part due to its high cost, the medical necessity of infusions has been a favorite target of Medicare program integrity contractors and federal / state prosecutors.  Auditors often point out the fact that a physician has failed to document less invasive (and less expensive) treatment options that had been tried and failed to provide relief.

If a rheumatology practice is placed on prepayment review, it can be financially devastating for the organization.  Once put in place, it can take months to satisfy the Medicare contractor that it should be lifted.  Adding insult to injury, after a practice is placed on prepayment review, it is fairly common for a ZPIC or UPIC to then initiate a postpayment audit of the practice’s rheumatology claims.  While postpayment audits are not new, the number of these audits appears to be increasing.  Moreover, ZPICs and UPICs are frequently pulling a relatively small sample of 30 – 60 claims and then are extrapolating the alleged damaged based on the error rate that has been identified in the sample. In such case, we almost always work our own statistical experts to challenge the validity of the statistical sampling process and the resulting extrapolation of damages. Due to the high costs of biologics, it is fairly common for ZPICs and UPICs to seek alleged overpayments of millions of dollars.

II.  Overview of Civil and Criminal Fraud Cases Brought Against Physicians for Rheumatology-Related Care and Treatment Services: 

  • Rhode Island Remicade® Infusion Fraud Case.

In this Rhode Island case, a physician was indicted by a Federal Grand Jury for health care fraud, illegal distribution of controlled substances, and money laundering.  The 152-count indictment also sought the forfeiture of about $5.9 million, alleged to be the proceeds of the physician’s criminal activity.  Over a four-year period, the physician was alleged to have personally treated more than 4,800 patients. A significant portion of the physician’s practice was the administration of infusion therapy to treat the symptoms of such diseases as rheumatoid arthritis, various blood disorders, and certain cancers.  Among the many counts set out in the indictment, the physician is alleged to have administered Remicade® without substantiating that a number of patients had been properly diagnosed as having rheumatoid arthritis.  Notably, he also reportedly failed to treat patients with necessary ancillary drugs and failed to test patients for certain risks associated with Remicade®, such as tuberculosis.  Finally, the physician is also alleged to have recorded dosages of Remicade® that greatly exceeded the recommended maximum dosages.  Before he could be arrested, the physician fled the country and is a fugitive on the OIG’s “Most Wanted List” today.  He is thought to have fled to Lebanon.

  • Virginia Remicade® Infusion Fraud Case.

In this case, the Federal Bureau of Investigation (FBI) first began investigating a Virginia-based physician after receiving a report from a former patient that the physician had been overprescribing controlled substances.  Essentially, the former patient claimed that the physician prescribed the patient “whatever drugs she wanted” without performing a physical exam or medical tests.  As a result of the FBI’s investigation, the physician was indicted for the illegal distribution and for conspiring to distribute controlled substances. In the course of the investigation, the FBI interviewed two of the physician’s former employees.  In doing so, the FBI learned that the physician was also allegedly engaged in fraudulent conduct involving Remicade®.  After analyzing the physician’s billing practices, purchasing records and bank records, the government concluded that the physician had engaged in a number of fraudulent practices involving the billing of Remicade®.  The government’s concerns in this regard were later confirmed when the physician’s former assistant pleaded guilty to conspiring to distribute controlled substances.  The physician’s former assistant later testified at trial that the following four main fraudulent schemes were employed by the physician.  First, the physician was alleged to have billed for more Remicade® than the patients actually received.  Second, the physician billed for Remicade® infusions when the patients received a less expensive steroid medication.  Third, the physician supposedly billed for Remicade® infusions when the patients did not receive any infusions.  And, finally, the physician is alleged to have billed for Remicade paid for by other patients’ health care benefit programs.  Before the physician could be arrested, he fled the jurisdiction and is thought to have gone to Turkey.

  • Kentucky Remicade® Infusion Fraud Case. 

In a case out of the Western District of Kentucky, a Louisville physician and his practice were alleged to have falsely billed the Medicare program for infusions of infliximab, a drug used in the treatment of patients with rheumatoid arthritis.  The specific allegations were that the physician and practice were “splitting” vials of infliximab across the infusions of multiple patients but billed the Medicare program as if a whole vial were used for each Medicare beneficiary.  It was further alleged that this improper conduct took place over a period of three years. A former employee of the practice filed a whistleblower case against the physician and his practice under the civil False Claims Act. The case was later settled for $349,860.00.  The defendants also had to pay for the whistleblower’s attorney’s fees.

  • Oklahoma Remicade® Infusion Fraud Case.

In a case that was initially filed by a whistleblower under the civil False Claims Act, an Oklahoma physician in the Western District of Oklahoma was also later criminally charged with Medicare fraud. Through its investigation, the government claims that over a period of approximately 28 months, the practice billed Medicare for the infusion of 112,110 milligrams of Remicade.®  However, it was alleged that during this period the practice had only ordered approximately 49,600 milligrams from its suppliers. The government further alleged that the physician had falsified patient records and caused his staff to submit false claims to Medicare for payment.  The physician was sentenced to 33 months in prison and surrendered his state medical license.  A $1.5 million civil consent judgement was entered in the case.  The defendant was also ordered to pay $473,881.55 in restitution to Medicare and $69,685.26 in restitution to BlueCross BlueShield of Oklahoma. 

  • Texas Allergy / Arthritis / Pain Management Clinic Alleged to be a Pill Mill.

Law enforcement investigators have found that a significant number of rheumatology patients are being treated multidisciplinary practices.  In this case, a husband and wife (both physicians) ran a number of Texas clinics that provided care allergy, arthritis and pain management patients.  Government investigators carefully tracked the number of patients being seen by the physicians, noting that they went from seeing 50-60 patients per day to 279 patients per day over a seven-year period. Additionally, through data-mining and the intra-agency sharing of information, law enforcement also noted that one of the physicians allegedly prescribed 615,671 tablets of hydrocodone (Vicodan®), 66,000 tablets of alprazolam (Xanax®), and 26,000 tablets of diazepam (Valium®) over a nine-month period. In fact, one patient received 92 hydrocodone prescriptions, totaling 8,040 tablets over an eight-month period. After conducting search warrants of the couple’s two clinics, residence and safe deposit boxes, investigators found $700,000 at the residence and $816,000 in the safe deposit boxes (allegedly only accessible by one of the physicians).[10]  In addition to the improper prescription of controlled substances outside the scope of professional practice and not for a legitimate medical purpose, the couple was also alleged to have billed Medicare and Medicaid for a number of fraudulent interventional procedures.  Investigators alleged that the physicians would inject patients with a lidocaine / steroid combination that would provide patients with a temporary relief of various joint and muscle pain.  Despite the fact that these injections were superficial, the procedures were falsely billed to insurance companies as facet joint injections, paravertebral injections, sacroiliac nerve injections, sciatic nerve injections and various nerve block injections.[11] Nearly every patient was prescribed one or more controlled substances and put on a regimen of shots every two weeks. Initially, patients were required to sign the medical progress and procedure notes in their patient chart to prove they were at the clinic and received the shots. This subsequently changed and the physician had certain patients sign blank procedure/progress notes and then used those forms to generate a superbill in order to bill the insurance companies for injection procedures on days when the patient was not in the clinic.

  • New Jersey Rheumatologist Convicted of Investigational Research Fraud.

A New Jersey rheumatologist was sentenced to four years in prison after pleading guilty[12] to the falsification of clinical data.  The physician had been paid $1.86 million by drug companies to provide investigational new drug research nonsteroidal anti-inflammatory drugs (NSAIDS).  The physician failed to conduct the research as agreed. Instead, he fabricated lists of patients supposedly participating in the study.  He then is alleged to have falsified urine, stool and blood studies and forged the signatures of other clinicians.  The rheumatologist also failed to report the deaths of two patients supposedly included in the “study.”  Notably, the deaths were not related to the drugs being studied because they were never really in the study.

  • Ohio Rheumatologist Convicted of “Misbranding.”

In this case, an Ohio rheumatologist pleaded guilty to importing medications that had not been approved by the Federal Drug Administration (FDA). The physician admitted causing the shipment of misbranded[13] drugs, which is a misdemeanor violation of the Food, Drug and Cosmetic Act.  As a misdemeanor violation, the physician faces a statutory maximum of up to one year in prison and fines up to $100,000.

  • Kentucky Rheumatologist Convicted of “Misbranding.”

In this case, a Kentucky physician pleaded guilty to a misdemeanor criminal charge of treating patients with misbranded medications.  He was later sentenced to a term of one-year probation and was ordered to pay $176,915.55 in restitution.  The physician admitted to purchasing Rituxan®, Actemra®, Remicaid®, Aclasta®, Prolia®, and Synvisc® from foreign drug distributors based in the United Kingdom.  The drugs originated outside the United States and were never approved by the FDA for introduction into the United States. These misbranded medications were then administered to patients under the physician’s supervision.  Additionally, under a separate civil agreement, the physician agreed to pay $338,493.30 to settle certain claims brought against him by the OIG.

III.  Steps You Can Take to Reduce Your Level of Risk:

  • Fully Document Your Basis for Concluding that a Patient has a Specific Diagnosis.

As the administrative, civil and criminal cases above reflect, it is imperative that physicians providing rheumatology care and treatment services take a critical look at their documentation practices.  More than likely, there are a number of additional steps you can take to fully document the process you went through when diagnosing a patient with rheumatoid arthritis, ankylosing spondalytis or another rheumatic disease.  Moreover, you need to tie your evaluation to the applicable standard of care and industry recognized protocols for diagnosing the patient’s condition.   Have you fully documented a patient’s medical, family and present history?  Have you noted the results of your hands-on evaluation of the patient’s joints, range of motion, etc.?  Have you documented all of the prior treatment approaches that were tried and failed to address the patient’s painful condition? Have you ordered and documented the results of specific blood tests that should be considered in the course of reaching a diagnosis?  Have radiology test results been included your decision-making process?

Just to be clear, despite the fact that the government often heavily relies on “Industry Standards of Care” when assessing a provider’s case, it is important to keep in mind that diagnostic algorithms (such as those published by the American College of Rheumatology) are only part of the answer. As Jeffrey A. M.D., a Visiting Fellow at the Goldwater Institute and a Senior Fellow at the Cato Institute has noted:

“[P]racticing under the yoke of the algorithm discourages critical thinking. There is a tendency to surrender to the algorithm. This jeopardizes good patient care and can impact outcomes. There are times when a patient’s presentation and response to treatment do not follow the algorithm—their DNA did not get the memo about the guidelines. A physician must think “outside the box” to help that patient—an attribute that is discouraged and becomes a lost skill under the algorithmic regime.”

  • Your Infusion of Costly Biologics Will Undoubtedly be Audited at Some Point.

Is a rheumatology audit in your future? If your practice or clinic administers infusions, your claims will be audited by one or more Medicare program integrity contractors.  With this in mind, you need to carefully document the medical necessity of this treatment option.  Moreover, keep in mind that CMS and its MACs have issued NCDs, LCDs and other specific guidance governing the utilization of Remicade, Enbrel, and a number of other costly drugs.  When is the last time you have reviewed this guidance?

  • Develop, Implement and Comply with the Provisions Set Out in an Effective Compliance Program.

The government doesn’t expect you to be perfect.  Nevertheless, you do expect you to try your best to follow applicable rules and regulations governing the billing of claims to the Medicare program.  If you implement an effective Compliance Program and diligently work to comply with its requirements, you will significantly reduce your level of claims risks.  Remember, self-audits aren’t just encouraged, they are required by law under the Affordable Care Act and are especially important if your practice wants to be viewed as a good corporate citizen.  Through periodic auditing and monitoring your practice’s activities you can better avoid:

  1. The submission of false and fraudulent claims;

  2. Engaging in overbilling;

  3. Improperly using a provider’s number to bill for claims that were provided by a different individual;

  4. The improper solicitation of referrals;

  5. Engaging in medical identity theft;

  6. The improper billing for services by unlicensed individuals;

  7. The improper administration of infusion by unsupervised staff; and

  8. The employment of excluded individuals.

  • Avoid Engaging in Business Practices that Could Constitute (or be Misinterpreted to be) Kickbacks / Disguised Kickbacks and / or Bribes.

It isn’t sufficient to only focus on your documentation, medical necessity, coverage, coding and billing practices.  If you or your practice is ever investigated, federal and state prosecutors will systematically evaluate each and every one of your business arrangements.  Simply put, where do your referrals come from and where do you send referrals.  These business relationships will be exhaustively examined by the government.  Some of the risk areas identified have included:

  1. Be especially careful before your practice or clinic enters into any business arrangement with a compounding pharmacy.

  2. A continuing concern of the government involves lease arrangements with actual and / or potential referral sources.

  3. Situations where a physician serves as a medical director to a hospice, home health agency, or nursing home to whom you make patient referrals.

  4. Serving as a consultant or speaker to a pharmaceutical manufacturer, compounding pharmacy or durable medical equipment supplier whose products you prescribe.

  5. Participating in a sham loan arrangement with an entity to whom you make referrals or whose products you prescribe, order or recommend.

  6. Acquiring or having a financial interest in an entity to whom you send referrals (especially if the referral is for Designated Health Services which could implicate Stark).

  7. Accepting cash, gifts or other Items of value from a patient or other individual in exchange for a prescription for opioids or other controlled substances.

  8. Accepting or soliciting any type of remuneration (something of value), such as a gift card, sporting event tickets or liquor, from a pharmaceutical representative, compounding pharmacy or DME supplier whose products you order or prescribe (or could order or prescribe).

Prior to entering into a business arrangement, we strongly recommend that you contact an experienced health lawyer so that an assessment of the risks can be conducted and an evaluation of whether the arrangement may violate the False Claims Act, the Anti-Kickback Statute or Stark.

  • Keep in Mind that the Government is Actively Pursing Individuals for Their Role in the Commission of White Collar Fraud.

While culpable individual defendants have regularly been prosecuted, over the past decade, most DOJ prosecutors have focused on seeking large financial fines and penalties from corporations.  For example, how many individuals can you think of that went to jail when the banking sector almost collapsed?  On September 9, 2015, Deputy Attorney General Sally Quillian Yates issued a Memorandum entitled “Individual Accountability for Corporate Wrongdoing” (Yates Memo).  This historic document instructs DOJ prosecutors to stop resolving corporate cases that release individuals from personal liability, absent extraordinary circumstances. Throughout the rest of 2018, we expect to see an increase in parallel proceedings and prosecutions of physicians, managers, coders, billers and other non-clinical staff who are alleged to have violated the law. Your personal conduct, and your efforts to comply with applicable rules and regulations will be assessed by DOJ if there is ever a problem.

Robert W. Liles defends health care providers in Medicare audits

Robert W. Liles, J.D., M.B.A., M.S., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Robert and other Liles Parker attorneys represent rheumatologists and rheumatology practices in connection with Medicare ZPIC and UPIC prepayment and postpayment audits, Medicaid investigations and audits, and private payor payment holds.  Is your practice being audited or under investigation?  Call Robert for a free initial consultation.  1 (800) 475-1906. 



[2] The American College of Rheumatology has prepared decision trees that can be used to diagnose (or rule out) certain type of rheumatic disease.  For example, the algorithm used to determine if a patient is suffering from rheumatoid arthritis is set out at the following link:



[5] Such as a licensure suspension or revocation.

[6] For instance, under Section of the Medicare Program Integrity Manual, if a provider is placed on prepayment review for an extended period of time and has not corrected their pattern or practice after receiving educational/warning letters, Zone Program Integrity Contractors (ZPICs) and Uniform Program Integrity Contractors (UPICs) are directed by the Centers for Medicare and Medicaid Services (CMS) to refer the provider to the OIG for possible “exclusion” action.

[7] For additional information on exclusions, and your obligation to check Federal and State databases every 30 days, see the articles published on the Exclusion Screening website.

[8] Please note, there is one narrow exception to this basic rule that I am aware of.  When a Comprehensive Error Rate Testing (CERT) audit is conducted, the CERT auditor is essentially auditing a specific previously-paid type of claim to determine whether a Medicare Administrative Contractor (MAC) was correct in allowing the claim to be paid.  To accomplish this, the CERT auditor pulls a sample of specific paid services submitted for payment in a MAC region.  Providers with claims in the sample universe are then randomly pulled by the CERT auditor.


[10] FBI Press Release, SDTX, June 24, 2009, “Husband and Wife Charged with Operating a Pill Mill,”

[11]U.S. Attorney’s Office, Southern District of Texas, Press Release. June 3, 2013.


[13] Section 502 of the Federal Food, Drug and Cosmetic Act (FFDCA) contains provisions on misbranding including some that relate to false or misleading labeling.  A device’s labeling misbrands the product if:

  • Its labeling is false or misleading in any particular;
  • It is in package form and its label fails to contain the name and place of business of the manufacturer, packer, or distributor and an accurate statement of the quantity of the contents in terms of weight, measure, or numerical count;
  • Any required wording is not prominently displayed as compared with other wording on the device, or is not clearly stated;
  • Its label does not bear adequate directions for use including warnings against use in certain pathological conditions or by children where its use may be dangerous in health or against unsafe dosage, or methods, or duration of administration or application;
  • It is dangerous to health when used in the dosage or manner or with the frequency or duration prescribed, recommended or suggested in the labeling; or
  • It does not comply with the color additives provisions listed under Section 706 of the FFDCA;
  • The device’s established name (if it has one), its name in an official compendium, or any common or usual name is not prominently printed in type at least half as large as that used for any proprietary name;
  • The establishment is not registered with FDA as required by Section 510 of the FFDCA and has not listed the device as required by Section 510(j) of the FFDCA or obtained applicable premarket notification clearance as required by Section 510(k) of the FFDCA;
  • The device is subject to a performance standard and it does not bear the labeling prescribed in that standard;
  • There is a failure or refusal to comply with any requirement related to notification and other remedies prescribed under Section 518 of the FFDCA, if there is a failure to furnish any materials or information required by, or requested by the Secretary pursuant to, Section 519 of the FFDCA, or if there is a failure to furnish materials or information relating to reports and records required by Section 522 of the FFDCA; or
  • There is any representation that creates an impression of official approval because of the possession by the firm of an FDA registration number.


Expect an Increase in Audits of Chiropractic Services!

Chiropractic Services(April 16, 2018): Chiropractors around the country are again finding their services and claims under intensive scrutiny from Medicare contractors and investigators, despite the fact that only three services even qualify for coverage and payment.  Several weeks ago, the Department of Health and Human Services (HHS), Office of the Inspector General (OIG) released its latest critical assessment of chiropractic services currently being billed to the Medicare program. The agency’s report, entitled “Medicare Needs Better Controls To Prevent Fraud, Waste, And Abuse Related To Chiropractic Services,”[i] reemphasizes the OIG’s prior findings that the Centers for Medicare and Medicaid Services (CMS) still lacks appropriate safeguards to prevent the submission and payment of improper, sometimes fraudulent claims for chiropractic services to the Medicare program.  This article is intended to highlight the government’s concerns and outline the steps that a provider should take to better ensure that any chiropractic services billed to Medicare qualify for coverage and payment.

I. Improper Chiropractic Claims Remain a Problem:

At the outset, it is important to recognize that in recent years, CMS and its program integrity contractors have taken a number of steps to elevate the level of scrutiny placed on questionable chiropractic claims billed to Medicare. Nevertheless, the OIG has taken the position that considerable work still needs to be done in order to better protect the Medicare program from fraudulent, wasteful and abusive chiropractic billings. For example, the average improper payment rate for Medicare Part B services has been estimated at between 9.9%-12.9%. For chiropractic services, the improper payment rate has been estimated to be between 43.9%-54.1%. About half of all chiropractic services covered by Medicare were not supposed to be covered.  The OIG has estimated that of the nearly $450 million spent by Medicare on chiropractic services every year, between $257 million and $304 million in improper payments are being made every year for chiropractic services.[ii] Over a six-year period, $2.9 billion was spent by Medicare on chiropractic services. Theoretically, this means that at least $1.27 billion was wasted over those six years.

  • Submit claims for services that never occurred.

  • Submit claims for services that were medically unnecessary.

  • Bill for services covered by Medicare but provided other services such as a massage or acupuncture.

  • Falsified patient medical records.

  • Provided services to beneficiaries without a valid license.

  • Offered incentives to patients to receive unnecessary services.

During this six-year period, 11[iii] of the chiropractors were incarcerated and over 500 chiropractors were excluded from participation in the Medicare and Medicaid programs by the OIG for various reasons. The OIG remains concerned that inadequate oversight is continuing to allow fraudulent chiropractors to hide their improper billings from regulators

II. What Solutions Has CMS Tried?

In an effort to spur more detailed documentation, CMS implemented the initial treatment date requirement for claims. This requirement has been more effective than the AT modifier requirement, as 7 out of 8 contractors do check to ensure this requirement is met. In that respect, this is a successfully implemented requirement. However, when audited, this requirement has largely failed due to inadequate documentation. Approximately 86% of all claims that included an initial treatment date did not adequately document the medical necessity of the services provided. Once again, it appears that chiropractors are aware that the initial date is necessary for payment and will include the date regardless of the quality of their documentation.

At the urging of the OIG, CMS has made significant efforts to better educate chiropractors on the importance of proper documentation and which chiropractic services are actually covered by Medicare Part B. CMS has create publications, seminars, and an educational video for chiropractors to learn about services that are covered under Medicare Part B and how to meet documentation standards. Unfortunately, either through lack of provider participation or because of difficulties in accessing the information, this initiative has largely failed.  Many chiropractors and beneficiaries remain ignorant with respect to the  medical necessity, documentation and coverage requirements of chiropractic services under Medicare Part B. For example, one of the educational videos created by CMS is supposed to educate chiropractors on how to meet documentation requirements. This video only received 8,898 views between December 2015 and January 2017. Even if we were to assume that every view was by a licensed chiropractor (which is highly unlikely), it only reached a fraction of the chiropractors participating in the Medicare program. CMS will likely need to implement more changes that may lead chiropractors to utilize educational resources and improve documentation.

III. Would A Medical Review Threshold or Service Limit Work?

Approximately 61% of private insurance plans that participate in the federal employee health benefits program (FEHBP) cover chiropractic services. Of the FEHBP private insurance plans that cover chiropractic services, there are limits between 10 and 60 services per year, with the average plan limiting patients to 21 chiropractic services per year. The concept of limiting the number of services a beneficiary has been proposed by the OIG in the past, but CMS did not agree with this solution.

A medical review threshold is a limit on the number or cost of services before a review of medical necessity must be completed to continue coverage of future services. CMS states that contractors may set thresholds for the number of services allowed before medical review, but may not limit the number of services provided. There is no CMS-level medical review threshold, but as mentioned earlier 2 of the 8 contractors have already set medical review thresholds. CMS-level medical review thresholds are already in place for out-patient therapy specialties such as physical therapy and speech-language pathology. The threshold for these two specialties is monetary, at $1,920. After a beneficiary reaches $3,700 in physical therapy or speech -language pathology services, a medical review s needed for the beneficiary to continue treatment.

The OIG conducted a nationwide review of the percentage of “unallowable payments” made for three groups of beneficiaries, divided by the number of services received in a calendar year. The first group received 1-12 chiropractic services in a year, 76% of which were unallowable payments. The second group received between 12-30 chiropractic services in a year, of which 95% were unallowable payments. The final group received more than 30 chiropractic services in a year, of which every single payment was unallowable. It is worth noting that the two contractors that had set a medical review threshold had no beneficiaries in the last category. Based on this assessment, HHS-OIG estimates that a threshold for medical review between 12-30 services would have saved Medicare between $95 million and $447 million between 2013-2015. Additionally, that same threshold would have saved beneficiaries between $24 million and $114 million in out-of-pocket expenses over the same period. 

IV. HHS-OIG Recommendations:

In addition to highlighting issue with the current system, OIG’s report provided a few recommendations for CMS to consider implementing:

  • Work with contractors to educate chiropractors on the training resources that CMS has already made available to them
  • Educate beneficiaries on which chiropractic services are and are not covered by Medicare Part B, and encourage beneficiaries to report chiropractors that are providing services that should not be covered by Medicare.
  • Identify chiropractors with high-service denial rates or aberrant billing practices, estimate the amount of overpayments made through a statistically significant sample, and recover the overpayments
  • Establish a threshold for the number of services that may be provide before a medical review is needed

V. Chiropractic Basics – Medicare Coverage Limitations: 

Chiropractors diagnose and treat subluxation disorders primarily through manual adjustment and manual manipulation of the spine.  CMS defines subluxation as “a motion segment, in which alignment, movement integrity, and/or physiological function of the spine are altered although contact between joint surfaces remains intact”[iv] More simply put, a spinal subluxation is a purported misalignment of the spinal column that can cause pain and other symptoms in patients suffering from this misalignment.  One question that regularly arises when documenting chiropractic services is:

“How does Medicare expect me to show that evidence of subluxation if present?”

In most instances, a Medicare contractor will review a provider’s documentation to determine if an x-ray has been used, or a physical examination was conducted to document subluxation. Each of these diagnostic methods are discussed below:

• Subluxation determination based on an x-ray. If a provider has determined that a subluxation is present based on an x-ray,[v] a Medicare contractor will likely take into consideration when the x-ray was taken and how much time has elapsed before a course of treatment was initiated. As discussed in Local Coverage Determination (LCD) L34009 published by Noridian Healthcare Solutions, LLC (Noridian), the contractor requires that an x-ray must have been taken at a time “reasonably proximate” to the start of care. Noridian considers an x-ray to be reasonably proximate to the initiation of care if it was taken no more than 12 months prior to or 3 months following the initiation of a course of chiropractic treatment. Understandably, Noridian will typically allow a chiropractor to base his / her subluxation determination on an older x-ray if a beneficiary’s medical records show that the patient has suffered from a chronic subluxation condition (such as scoliosis) for longer than 12 months AND there is a reasonable basis to believe that the chronic condition is permanent.

• Subluxation determination based on an a physical examination. If a provider has determined that a subluxation is present based on a physical examination that has been conducted, a CMS contractor is going to review the medical documentation to determine if two of the following four criteria have been identified during the examination of the patient’s musculoskeletal / nervous system, one of which must be either asymmetry / misalignment or range of motion abnormality. The four criteria examined include:

• Pain/tenderness evaluated in terms of location, quality, and intensity;
• Asymmetry/misalignment identified on a sectional or segmental level;
• Range of motion abnormality (changes in active, passive, and accessory joint movements resulting in an increase or a decrease of sectional or segmental mobility); and
• Tissue, tone changes in the characteristics of contiguous, or associated soft tissues, including skin, fascia, muscle, and ligament.

A limited scope of chiropractic services qualify for coverage under Medicare Part B if they are performed by a licensed, qualified chiropractor. Regrettably, CMS still takes the position that most of the various services offered by a chiropractor are “supportive” in nature rather than “corrective.”  In other words, CMS considers most chiropractic services to be “maintenance therapy,” which is not covered under Medicare Part B. As maintenance therapy, CMS does not consider most chiropractic services to be medically necessary.

So what chiropractic services ARE covered under Medicare Part B?  Frankly, not many. CMS specifically limits Medicare Part B coverage to hands-on manual manipulation of the spine for symptomatology associated with spinal subluxation. Additionally, qualifying hand-held manual devices (where the thrust of the force of the device is manually controlled) may also be used by chiropractors in performing manual manipulation of the spine. Notably, Medicare does not recognize any additional charges associated the use of such a hand-held device.

When documenting a covered service, a chiropractor must note the precise level of the subluxation. Depending on the number of spinal regions involved, one of three Current Procedural Terminology (CPT) codes can be billed:

• CPT Code 98940 (for treatment of one or two spinal regions);
• CPT Code 98941 (for treatment of three or four spinal regions); and
• CPT Code 98942 (for treatment of all five spinal regions).

The five regions of the, from the cervical area (neck) to the coccyx (tailbone) are illustrated below:

Chiropractic Services

When providing chiropractic services that are intended to provide active / corrective treatment, Medicare requires chiropractors to append the claim with an AT modifier.  The AT modifier is intended to denote the fact that “Acute Treatment” for subluxation was provided to the beneficiary.  If a chiropractor bills one of the three covered codes without an AT modifier, the service will be automatically denied as not medically necessary when the claim is processed by your Medicare Administrative Contractor (MAC).

In most instances, properly coded chiropractic services (limited to 98940, 98941 and 98942) will qualify for payment.  Having said that, both CMS contractors and OIG have repeatedly found that just because a claim has been appended with the AT modifier does not mean that the chiropractic services billed were in fact, medically necessary. In multiple audits conducted over the last decade, government reviewers have found that chiropractors have failed to properly document the medical need for services billed to Medicare.

Although Medicare has not placed a limit on the number of chiropractic services that a beneficiary can receive, providers who appear to be billing an excessive number of services will quickly be flagged for medical review by a MAC, a Zone Program Integrity Contractor (ZPIC) or a Uniform Program Integrity Contractor (UPIC). It is essential that you carefully document the medical necessity of any services billed. At present, pre-authorization to confirm the medical necessity of a treatment is only required by two MACs. One contractor sets its threshold for medical review as 12 services per month but no more than 30 services per year. The other sets a threshold of 25 chiropractic services per year.

VI. Documenting Chiropractic Services:

It is important to keep in mind that under Title XVIII of the Social Security Act, §1862(a)(1)(A), services must be medically reasonable and necessary in order to qualify for coverage and payment.  Similarly, Title XVIII of the Social Security Act, §1833(e) prohibits Medicare from paying for any claims that lacks the necessary information to process the claim.  Therefore, regardless of whether the determination of a subluxation has been based on an x-ray or a physical examination, a chiropractor must ensure that complete and accurate records of the encounter are taken.

Experience has shown that in the event of an audit by a CMS contractor, the MAC, ZPIC or UPIC auditing chiropractic services will primarily base claims on a provider’s failure to properly document the medical necessity of the services billed. It is therefore essential that you review and understand your documentation obligations when billing for chiropractic claims. As a first step, you need to review:

CMS Medicare Benefit Policy Manual, Pub. 100-2, Chapter 15, Sections 30.5 and 240.
• CMS Medicare Claims Processing Manual, Pub. 100-4 Chapter 12, Section 220.

Moreover, you should continue to periodically review any LCD guidance on chiropractic services that has been issued by your MAC.  Again using Noridian’s LCD guidance as an example, during an initial visit, the MAC expects a provider to document the following six categories of information when providing chiropractic services:

A. Documentation Requirements – Initial Visit. The following documentation requirements apply whether the subluxation is demonstrated by x-ray or by physical examination:

#1. Family History / Past Medical History.
• Symptoms causing patient to seek treatment;
• Family history if relevant;
• Past health history (general health, prior illness, injuries, or hospitalizations; medications; surgical history);
• Mechanism of trauma;
• Quality and character of symptoms/problem;
• Onset, duration, intensity, frequency, location and radiation of symptoms;
• Aggravating or relieving factors; and
• Prior interventions, treatments, medications, secondary complaints.

#2. Description of the Present Illness.
• Mechanism of trauma;
• Quality and character of symptoms/problem;
• Onset, duration, intensity, frequency, location, and radiation of symptoms;
• Aggravating or relieving factors;
• Prior interventions, treatments, medications, secondary complaints; and
• Symptoms causing patient to seek treatment.

Importantly, the “symptoms” covered in your description of the patient’s present illness are required to be directly related to the level of subluxation. When describing a patient’s symptoms:

• The symptoms should refer to the spine, muscle, bone, rib and / or joint and be reported as pain, inflammation, or as signs such as swelling, spasticity, etc.
• The symptoms documented must be related to the level of the subluxation that has been cited. A statement on a claim that there is “pain” is insufficient.

Finally, the location of a patient’s pain must be described and the symptoms documented must be related to the level of the subluxation that has been cited.  Noridian further requires that the location of pain must be described and whether the particular vertebra listed is capable of producing pain in the area determined.

#3. Evaluation of musculoskeletal/nervous system through physical examination.

#4. Diagnosis. The primary diagnosis must be subluxation, including the level of subluxation, either so stated or identified by a term descriptive of subluxation. Such terms may refer either to the condition of the spinal joint involved or to the direction of position assumed by the particular bone named.

#5. Treatment Plan. The treatment plan should include the following:
• Recommended level of care (duration and frequency of visits);
• Specific treatment goals; and
• Objective measures to evaluate treatment effectiveness.

#6. Date of the initial treatment.

B. Documentation Requirements: Subsequent Visits.  The following documentation requirements apply whether the subluxation is demonstrated by x-ray or by physical examination:

#1. History.
• Review of chief complaint;
• Changes since last visit;
• System review if relevant.

#2. Physical exam.
• Exam of area of spine involved in diagnosis;
• Assessment of change in patient condition since last visit;
• Evaluation of treatment effectiveness.

#3. Documentation of treatment given on day of visit.  The patient must have a significant health problem in the form of a neuromusculoskeletal condition necessitating treatment, and the manipulative services rendered must have a direct therapeutic relationship to the patient’s condition and provide reasonable expectation of recovery or improvement of function. The patient must have a subluxation of the spine demonstrated by x-ray or physical exam as described above.

VII.  Conclusion

It has been more than 20 years since the OIG first identified chiropractic billings as a potential fraud and abuse problem.  To their dismay, the AT modifier requirement, initial treatment date documentation requirement, and educational resources have failed to significantly remedy the level of improper claims for chiropractic services being billed to the Medicare program. In light of the OIG’s latest report, chiropractors should expect CMS and its MAC, ZPIC and UPIC contractors to increase their audits of chiropractic claims.  Providers should also expect to see oversight through education, medical review, limits to the number of services, and documentation requirements.

What should you do?  Get back to basicsWhen is the last time you compared your medical necessity, documentation, coding and billing practices to those outlined in your respective LCD and the Medicare Benefit Policy Manual.

Need help?  Give us a call.  Our attorneys are experienced in representing chiropractors in audits and investigations of their Medicaid and private payor claims.

Chiropractic ServicesRobert W. Liles, J.D., M.B.A., M.S., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent chiropractors and chiropractic practices around the country in connection with Medicare, Medicaid and private payors claims audits.  We also represent chiropractors in connection with complaints filed against our clients with the State Chiropractic Board.  For a complimentary review and discussion of your issues, you can call Robert at: (202) 298-8750.  


[i] Department of Health and Human Services, Office of Inspector General. Medicare Needs Better Controls To Prevent Fraud, Waste, And Abuse Related To Chiropractic. A-09-16-02042. February 2018.
[ii] CMS’s Supplementary Appendices for the Medicare Fee-for-Service Improper Payment Reports for 2010–2015.
[iii] In one case, when an audit was initiated against a chiropractic practice, the chiropractor supposedly falsely reported a robbery had taken place and that medical records were stolen from his car. This triggered a fraud investigation that led to a 63-month fraud conviction, over $1 million in restitution, and a 23-year exclusion for the chiropractor.
[iv] Medicare Benefit Policy Manual, Chapter 15, §240.1.2.
[v] Noridian will usually permit a previous CT scan MRI to be used as evidence if a subluxation of the spine is demonstrated.

CBRs for Spinal Orthoses (CBR201803): What Do You Need to Know?

CBR201803(April 12, 2018): The Centers for Medicare & Medicaid Services (CMS) utilizes a variety of private contractors to process Medicare claims and conduct both administrative and program integrity audits of claims submitted by healthcare providers and suppliers.  At the present time, CMS has contracted with eGlobalTech (eGT) to analyze data and prepare “Comparative Billing Reports (CBRs) of various services and claims billed to the Medicare program. eGT works directly with another CMS contractor, Palmetto GBA (Palmetto), to conduct the statistical work that is necessary to complete the CBR process. The latest report to be issued by eGT is CBR201803.

I.  eGT is Currently Distributing CBRs to Spinal Orthoses Suppliers:

The most recent CBR review initiated by eGT has been focused on Spinal Orthoses Suppliers. On April 2, 2018, eGlobalTech sent out letters to affected suppliers around the country advising them of the initiation of CBR201803: Spinal Orthoses Suppliers. This CBR is focused on orthotic suppliers that have billed the Medicare Part B program for both off-the-shelf and custom-fitted prefabricated spinal orthoses (commonly referred to as “braces”[1]) in claims with dates of service from October 1, 2016 to September 30, 2017.[2]  CBR201803 focuses on the following Healthcare Common Procedure Coding System (HCPCS) codes:

Prefabricated Custom-Fitted Spinal Orthoses.[3]

L0627: Lumbar orthosis, sagittal control, with rigid anterior and posterior panels

L0631: Lumbar-sacral orthosis, sagittal control, with rigid anterior and posterior panels

L0637: Lumbar-sacral orthosis, sagittal-coronal, with rigid anterior and posterior panels

Prefabricated Off-the-Shelf-Fitted Spinal Orthoses.[4]

L0642: Lumbar orthosis, sagittal control, with rigid anterior and posterior panels

L0648: Lumbar-sacral orthosis, sagittal control, with rigid anterior and posterior panels

L0650: Lumbar-sacral orthosis, sagittal-coronal, with rigid anterior and posterior panels

 II.  The Improper Billing of Medicare Claims for Spinal Orthoses Has Been a Long-Standing Problem for CMS:

The initiation of CBR201803 is merely the government’s most recent attempt to address long-standing problems that have repeatedly been identified in connection with the coverage, coding and billing of spinal orthoses by authorized Medicare suppliers.  As eGT has noted on its website (and in correspondence with affected suppliers), Lumbar-Sacral Orthoses have been on the government’s Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMSPOS) list of “Top 20 Service Types with Highest Improper Payments” as far back as 2013. In fact, as set out in the most recent assessment of improper billing data by the Department of Health and Human Services (HHS), entitled “2017 Medicare Fee-for-Service Supplemental Improper Payment Data,” the estimated improper error rate for Lumbar-Sacral Orthoses was 52.5%. The magnitude of this problem is easily seen when compared with the overall improper payment rate for ALL Medicare claims which has been estimated at 9.5%.  Finally, it is worth noting that the HHS Office of Inspector General (OIG) identified concerns with the billing of orthotic braces in both its 2016 and 2017 Work Plans.[5]

III.  How Were Spinal Orthoses Suppliers Categorized this Review?

At last count, more than 6,000 qualified DME suppliers billed Medicare Part B for spinal orthoses under one of the six HCPCS codes outlined above.  In an effort to define peer groups for general comparison purposes, DMEPOS suppliers and physicians / non-physicians were assigned to a specialty peer group, based on their assigned Medicare Specialty Code and whether or not the provider / supplier was likely to have orthotist training The following categories were used by eGT:

 Peer Group#1:  DMEPOS Supplier Not Likely to Have Orthotist Training 
Medicare Specialty CodeMedicare Provider / Supplier Type Description
A6Medical Supply Co. with Respiratory Therapist
B1Oxygen Supplier
54Medical Supply Co. — Other
58Medical Supply Co. with Registered Pharmacist
63Portable X-Ray Supplier
87All Other Suppliers
 Peer Group#2:  DMEPOS Supplier Likely to Have Orthotist Training 
Medicare Specialty CodeMedicare Provider / Supplier Type Description
B3Medical Supply Co. with Pedorthic Personnel
51Medical Supply Co. with Certified[6] Orthotic Personnel
52Medical Supply Co. with Certified Prosthetic Personnel
53Medical Supply Co. with Prosthetic / Orthotic Personnel
 Peer Group#3:  Physician / Non-Physician Not Likely to Have Orthotist Training 
Medicare Specialty CodeMedicare Provider / Supplier Type Description
01General Practice
02General Surgery
08Family Practice
11Internal Medicine
16Obstetrics / Gynecology
19Oral Surgery (Dentists Only) (LLP)
30Diagnostic Radiology Head
40Hand Surgery
41Optometry (LLP)
48Podiatry (LLP)
84Preventative Medicine
93Emergency Medicine
94Interventional Radiology
99Unknown Physician Specialty
 Peer Group#4:  Physician / Non-Physician Likely to Have Orthotist Training 
Medicare Specialty CodeMedicare Provider / Supplier Type Description
B2Pedorthic Personnel
12Osteopathic Manipulative
20Orthopedic Surgery
23Sports Medicine
25Physical Medicine and Rehabilitation
35Chiropractic (LLP)
55Individual Orthotic Personnel
56Individual Prosthetic Personnel
57Individual Prosthetic / Orthotic Personnel
65Physical Therapist in Private Practice
67Occupational Therapist in Private Practice
70Single or Multispecialty Clinic or Group Practice
72Pain Management

CBR contractors (eGT and Palmetto) then calculated statistics for each of the separate peer groups.  As the categories reflect, the CBR contractors separated suppliers from providers and then further stratified the two primary groups by whether or not they were “likely” to have orthotist training.  While the CBR contractors expressly recognized that an individual may be specially trained to custom fit beneficiaries with a medically necessary orthosis, for the purposes of this review, they still ultimately categorized both suppliers and providers by Medicare specialty code based on the contractors’ assessment of whether a specific specialty was likely to have specialized orthotist training.[7] Unfortunately, there are likely a number of instances where eGT’s presumption of whether a supplier has orthotist training may be just plain wrong.

IV.  Why Was My DME Company Included in this Review?

A Comparison of Your Billing Percentages for Each of the Six HCPCS Categories of Spinal Orthoses.  As a first step, the CBR contractors compared each supplier’s billing patterns, by HCPCS code, with those of other suppliers in their peer specialty group.  To the extent that a supplier’s utilization ratios were aberrant when compared to the ratios of their peers, the supplier was more likely to be sent a CBR.

The Percentage of Allowed Services Defined as Custom-Fitted.  Another primary assessment conducted by the CBR contractors is whether the percentage of spinal orthoses submitted for payment by a supplier was billed as a “custom fitted” brace.  The percentage of custom-fitted braces billed by a specific supplier was compared to the percentage billed to their DME MAC contractor by other suppliers in their respective peer specialty group.  Each supplier’s percentage of custom-fitted brace billings were also compared to the national average.  If a specific supplier’s percentage was deemed to be “significantly higher” than one of these peer groups, it was one step closer to being sent a CBR.

The Percentage of Allowed Services Submitted without a Visit to the Referring Provider within 90 Days of the DMEPOS Service Date.  Another factor analyzed by the CBR contractors is whether a significant percentage of beneficiaries fitted (either custom-fitted or off-the-shelf) for a brace by a specific supplier had not been seen by their referring provider within 90 days of the DMEPOS service date (the date that the spinal orthosis order was filled by the DMEPOS supplier).  Simply stated, red flags are going to be raised if you fill a prescription / order for a brace and the patient hasn’t seen his / her referring provider within the previous 90 days.[8]  Once again, the CBR contractor compared each specific supplier’s percentage to the percentage billed to their DME MAC contractor by other suppliers in their respective peer specialty group.  Each supplier’s percentage of custom-fitted brace billings were also compared to the national average.

The Average Allowed Charges per Beneficiary for the One-Year Period.  The CBR contractors also examined the average allowed charges of each supplier billed to Medicare per beneficiary and compared this number to average allowed charges of other suppliers in their peer specialty group.  If a supplier’s average allowed charged were significantly higher than that of their peers, it was more likely to be issued a CBR.

V.  The Results of an Assessment by eGT:

After reviewing the utilization and billing practices of each spinal orthoses supplier, if a specific supplier’s measures were considered to be Significantly Higher than their peers in at least one of the three factors discussed above, the supplier was issued a CBR.

  1. Supplier is significantly higher than at least one of its peer groups on at least one of the measurements studied;

  2. Supplier is near or above the 45th percentile in allowed charges ($5,000); and

  3. Supplier had at least ten beneficiaries.

VI. Responding to a CBR:

If your company received a CBR, you likely noted the fact that eGT may expressly state in its reports that “no reply is necessary.”   While that may technically be the case, after handling CBRs for many years, our experience (and the collective experience of our associates) has been that your organization is much more likely to be audited if you do not respond and address any misconceptions or incorrect positions about your billing pattern stated by the contractor in its report.

To be clear, if you receive a CBR, you need to immediately take steps to validate or invalidate eGT’s findings.  If, in fact, your billing practices have been improper, you have an affirmative obligation to take steps to remedy any deficiencies. Additionally, the risk issues identified by eGT should be incorporated into your existing Compliance Program and should be taken into account when you perform periodic internal claim audits and monitoring functions.

VII.  Get Ready for Follow-Up Audits by ZPICs / UPICs!

Although your claims haven’t yet been audited, if you received one of these reports an audit of your claims may be right around the corner.  While it has been our experience that responding to a CBR is helpful, (and may reduce your chances of having a prepayment or postpayment Zone Program Integrity Contractor (ZPIC) or Uniform Program Integrity Contractor (UPIC) audit) if eGT has based its assessment on incorrect assumptions, there are no guarantees that a CMS program integrity contractor won’t still choose to initiate an audit of your claims for one or more braces billed to Medicare.

As a CBR recipient, you need to recognize that your organization has been identified as an outlier and there is significant likelihood that your spinal orthoses claims will be audited in the near future by a ZPIC or a UPIC, especially if you have not taken steps to identify and correct any misconceptions about your billing practices that the CBR contractor has made.

Now, more than ever, it is essential that suppliers review their documentation and ensure that they are fulling complying with all applicable requirements to show that each brace was medically necessary, fully documented, properly coded and billed.  For instance, as set forth under the Medicare Program Integrity Manual:

“All DMEPOS items…require detailed written orders prior to billing. Detailed written orders may take the form of a photocopy, facsimile image, electronically maintained, or original ‘pen-and-ink’ document. The written order must be sufficiently detailed, including all options or additional features that will be separately billed or that will require an upgraded code. The description can be either a narrative description (e.g., lightweight wheelchair base), or a brand name/model number. All orders must clearly specify the start date of the order.”

The failure to fully document the delivery of a brace is another significant risk faced by spinal orthoses suppliers.  ZPICs and UPICs routinely refuse payment citing this reason for denial.  As discussed in the Medicare Program Integrity Manual:

“Suppliers are required to maintain proof of delivery documentation in their files. Proof of delivery documentation must be maintained in the supplier’s files for 7 years (starting from the date of service).” 

Pursuant to 42 C.F.R. Sec. 424.57(c)(12), proof of delivery:

Must be responsible for the delivery of Medicare covered items to beneficiaries and maintain proof of delivery. (The supplier must document that it or another qualified party has at an appropriate time, provided beneficiaries with necessary information and instructions on how to use Medicare-covered items safely and effectively).”[9]

VIII.  Potential Liability for Non-Compliance:

After receiving a CBR, you may soon find that your supplier claims will be subject to  prepayment or postpayment audit by a ZPIC or UPIC. Alternatively, you may merely receive an “Additional Document Request” (ADR) from a CMS contractor.  ADRs aren’t uncommon and most suppliers have received multiple such requests since becoming a participating supplier in the Medicare program.  Nevertheless, in recent years, ADRs have taken on a new level of importance. ZPICs and UPICs aren’t hesitating to place a supplier on 100% prepayment review if the documentation submitted in response to an ADR results in the denial of one or more claims.

Similarly, if a supplier is placed on prepayment review and a significant percentage of your claims are denied when the associated supporting documentation is submitted, there is much higher risk that your claims will be subjected to a postpayment audit.  In some cases, a high error rate identified in a prepayment or postpayment audit has led to the suspension of Medicare supplier’s billing privileges. Unfortunately, this “snowball effect” of cumulative adverse administrative actions may not be over. In accordance with 42 C.F.R. Sec. 424.57(e), a CMS contractor may recommend to the agency that your billing privileges are “revoked” if a supplier is found not meet applicable conditions of payment:

“Failure to meet standards. CMS will revoke a supplier’s billing privileges if it is found not to meet the standards in paragraphs (b) and (c) of this section. (The revocation is effective 15 days after the entity is sent notice of the revocation, as specified in §405.874 of this subchapter.)” 

IX. Conclusion:

Despite what you may have been told, CBRs are far from benign.  If a provider or supplier has received a CBR (such as, but not limited to CBR201803), it may be a harbinger of future administrative audits or in more serious cases, a possible civil and / or criminal investigation of your billing practices.  While every case is different, if the CBR contractor’s CBR findings (as outlined in their letter to your organization) are incorrect, it is typically in your best interests to correct the record.  Our attorneys are experienced in assessing these matters and can assist your organization is putting its best foot forward when responding to a CBR, the receipt of an ADR, prepayment review or postpayment audit.  Give us a call for a free consultation.  1 (800) 475-1906.

CBR201803Robert W. Liles, J.D., M.B.A., M.S., serves as Managing Partner at the law firm of Liles Parker, Attorneys & Clients at Law.  Robert represents providers and suppliers around the country in ZPIC / UPIC audits, Medicare suspension actions and revocation cases.  For a complimentary consultation, please call: 1 (800) 475-1906.

[1] As set out in the Chapter 15, Section 130 of the Medicare Benefit Policy Manual, braces are “rigid and semi-rigid devices which are used for the purpose of supporting a weak or deformed body member or restricting or eliminating motion in a diseased or injured part of the body.”

[2] eGT’s analysis is based on a snapshot of claims in the Integrated Data Repository as of January 24, 2018.

[3] As set out in the Joint DME MAC Publication, a “Custom-Fitted Orthosis,” is defined as:

  • Devices that are prefabricated.
  • They may or may not be supplied as a kit that requires some assembly. Assembly of the item and/or installation of add-on components and/or the use of some basic materials in preparation of the item does not change classification from OTS to custom fitted.
  • Classification as custom fitted requires substantial modificationfor fitting at the time of delivery in order to provide an individualized fit, i.e., the item must be trimmed, bent, molded (with or without heat), or otherwise modified resulting in alterations beyond minimal self-adjustment.
  • This fitting at delivery does require expertise of a certified orthotist or an individual who has equivalent specialized training in the provision of orthosis to fit the item to the individual beneficiary.

[4] Off-the-shelf (OTS) orthotics are defined as:

  • Items that are prefabricated.
  • They may or may not be supplied as a kit that requires some assembly. Assembly of the item and/or installation of add-on components and/or the use of some basic materials in preparation of the item does not change classification from OTS to custom fitted.
  • OTS items require minimal self-adjustmentfor fitting at the time of delivery for appropriate use and do not require expertise in trimming, bending, molding, assembling, or customizing to fit an individual.
  • This fitting does not require expertise of a certified orthotist or an individual who has equivalent specialized training in the provision of orthoses to fit the item to the individual beneficiary.

[5] In both its 2016 and 2017 Work Plans, OIG noted that it would be reviewing the reasonableness of Medicare payments for orthotic braces when compared to the amounts paid by other non-Medicare payers..

[6]A “certified” individual is someone who is certified by either the American Board for Certification in Orthotics and Prosthetics, Inc., or the Board for Orthotist/Prosthetist Certification.

[7] As set out in Appendix C of the Durable Medical Equipment, Prosthetics, Orthotics and Supplies (DMEPOS) Quality Standards, “Individuals supplying the item(s) set out in this appendix must possess specialized education, training, and experience in fitting, and certification and/or licensing.”  While the CBR contractors expressly recognized that an individual specially trained to custom fit beneficiaries that have a medical need for an orthosis.

[8] To determine this, the CBR contractor checks to see if the referring provider billed for a Part B visit within 90 days of the service date of the DMEPOS claim.



The PSAVE Pilot Program: Should You Self-Audit Your Medicare Claims?

PSAVE Pilot Program(April 2, 2018):  Our nation’s demographics are changing.  In less than 20 years, it is estimated that for the first time in country’s history, the number of individuals over the age of 65 will exceed the number of children.[1] These increases are already being seen in our rapidly expanding Medicare healthcare benefit program.  At last estimate, Medicare Administrative Contractors (MACs) processed an estimated 1.2 billion claims on behalf of America’s seniors.[2]  As the Medicare program has grown, the Centers for Medicare and Medicaid Services (CMS) has employed a variety of different claims audit mechanisms to better ensure that the Medicare Trust Fund is protected from waste, fraud and abuse.  The Provider Self-Audit Validation and Extrapolation (PSAVE) pilot program is among the agency’s most recent efforts to protect the integrity of the Medicare program.  An overview of the PSAVE pilot program is set out below.

I. Providers and Suppliers Currently Subject to the PSAVE Pilot Program:

In November 2017, Noridian Healthcare Solutions LLC (Noridian), the MAC for Jurisdiction F, and CMS launched a pilot Medicare claims self-auditing program. Jurisdiction F is comprised of Alaska, Arizona, Idaho, Montana, North Dakota, Oregon, South Dakota, Utah, Washington, and Wyoming.[3] When announced, the program was touted as a way to provide long term educational benefits to Medicare providers, while also granting “immunity” from further audit of Medicare claims by both the provider’s MAC and from the Recovery Auditor (RA) contractor assigned to the provider. Is your practice likely to receive an “invitation” to conduct a self-audit of its claims?  Let examine the pilot program in more detail to find out:

II. Why Was Your Practice Invited to Participate in the PSAVE Pilot Program?

While Noridian claims that the PSAVE pilot program is open to almost any Medicare Part B healthcare provider, invitations to participate where not sent out to all of the Medicare participating providers in Jurisdiction F. Instead, data analytics were used to identify providers with abnormal billing or coding practices, based on the audit findings of  Comprehensive Error Rate Testing (CERT) postpayment review data.  Initially focusing on only a limited number of medical specialties, providers with irregular billing patterns  were first chosen by Noridian to “test” the PSAVE pilot self-auditing program. Primarily relying on sophisticated data mining techniques, Noridian has identified certain Part B providers with questionable billing practices and invited them to participate in the PSAVE pilot program.[4]  If your practice was invited to participate in this pilot self-auditing program, this practice is an outlier and will likely be subjected to an audit, whether it chooses to participate in the PSAVE pilot program or not.

III. How Does the PSAVE Pilot Program Work?

At the outset, it is important to keep in mind that if your practice was invited to participate in the PSAVE pilot program, your billing practices have been found to be aberrant by a CERT contractor.  As an outlier, your practice’s Medicare claims for reimbursement have been targeted for audit.

Potential PSAVE pilot program participants were sent (or will be sent as the program expands) a notification letter by Noridian which included a sample listing of claims that the MAC has identified for inclusion in your self-audit.  In addition to the claims listing, Noridian’s letter also specified the specific elements that it expected each provider to review in connection with the claims.  Importantly, Noridian’s notification letter also included an “Appeals Waiver” form that it required participating providers to sign prior to being admitted into the pilot program.

• In exchange for participating in the PSAVE pilot program, Noridian notes that any claims covered by the audit would be immune from subsequent review and audit by the MAC and / or a Recovery Auditor.

• If a provider agreed with the terms of the PSAVE process, the provider was required to return the executed Appeals Waiver form to Noridian and assemble all of the documentation related to the “Education Sample” of claims listed in the MAC’s letter. Importantly, the sample chosen by Noridian was meant to represent a statistically-relevant sample of the provider’s universe of claims previously paid by the Medicare contractor.

• Upon receipt of the signed Appeals Waiver form, a 90-day period for the provider to review the Medicare claims at issue began.

• Prior to conducting the self-audit, Noridian required that each provider participate in a webinar on how the Education Sample of claims was to be reviewed.

• Participating providers then conducted the self-audit. The provider’s findings (and the associated documentation) would then be submitted to Noridian for validation. It is important to note that the validation review may result in additional overpayments identified that may have been missed by the provider when the self-audit was conducted.

• After validating the self-audit findings, Noridian would then determine whether it was appropriate to extrapolate the identified overpayment to the universe OR merely base an overpayment on the sample of claims reviewed. It has our experience that Medicare contractors have the latitude not to extrapolate an overpayment if a provider’s overall error rate is below a certain level (typically less than 10%).

• After extrapolating the overpayment identified, Noridian would then send the provider a letter identifying the overall amount of any extrapolated overpayment that may be owed.

• The provider would then be required to repay the identified overpayment within a timeframe set out in Noridian’s notice letter.

IV. Benefits of Participation in the PSAVE Pilot Program:

Perhaps the greatest benefit of participating in the PSAVE pilot program is the fact that you are in charge and you are directly involved in the claims audit process.  As the audit progresses, you will be aware of any problems that may arise with your claims. In simplified terms, self-audits provide you with a significant degree of control over the process.  Nevertheless, just because you may exercise a significant degree of control over the audit process does not mean that you will be able to control the outcome of the audit. As with other self-audit / self-reporting programs administered by CMS and the Office of Inspector General (OIG), a provider’s voluntary participation in the PSAVE pilot program allows a provider to present its view of the claims in the best possible light while positioning itself as a “Good Corporate Citizen.”

 V. PSAVE Pilot Program Risk Issues:

While proponents of the PSAVE pilot program are quick to point out the educational value of participating in the program, a provider should exercise care before deciding to sigh-onto the program. For example, the Appeals Waiver signed can leave a provider vulnerable at the conclusion of the program, as there is no mechanism of contesting the overpayments that may be identified as owed by Noridian. To make matters worse, the validation review is a blind sample, meaning that the provider will not be fully aware of any potential claims errors until after the validation review has been completed by the MAC.   In some cases, Noridian may be willing to permit a provider to submit additional documentation before the MAC concludes its review of the documentation.  Since the right to file an administrative appeal of any Medicare overpayment has already been waived,  a provider is assuming a significant risk when participating in the PSAVE pilot program.

Additionally, PSAVE pilot program representations extolling the benefits of immunity from subsequent MAC and RAC audits (limited to the specific claims or extrapolated claims set  covered by the PSAVE audit) is somewhat misleading. The promised immunity from audit does not apply to Unified Program Integrity Contractor (UPIC) / Zone Program Integrity Contactor (ZPIC) audits, which are far more likely than MAC or RA audits for Medicare Part B providers. Moreover, neither CMS nor its contractors (such as Noridian) have the authority to waive liability on behalf of the OIG or the U.S. Department of Justice (DOJ).

VI. Risks Encountered When Opting-Out of the PSAVE Pilot Program:

Should you decide to decline Noridian’s invitation to participate in the PSAVE pilot program, you need to keep in mind that the likelihood of being subjected to a compulsory audit by Noridian, the UPIC / ZPIC or even OIG is quite high.  Your practice’s billing practices have already been identified as problematic.  If targeted in a future non-PSAVE audit, you will lose the ability to conduct a self-audit and any identified overpayment may still be subjected to extrapolation.  Nevertheless, should such an audit lead to unfavorable results, you will still retain the ability to avail yourself of Medicare’s administrative appeal process.  As we have found when appealing an alleged overpayment on behalf of a Part B provider, the ability of a Medicare contractor to correctly conduct a statistical extrapolation of an identified overpayment varies widely from contractor to contractor.  When challenging an overpayment that has been assessed, we regularly challenge the statistical methodology and numerous other errors made by the contractor when it calculated extrapolated damages estimates based on the sample of claims reviewed 

VII.  Conclusion: 

How should you proceed? If your practice is invited to participate in the PSAVE pilot program, you need to carefully consider the risks of choosing to participate in the initiative.  The PSAVE pilot program is merely one of the most recent efforts by CMS to educate providers on their medical necessity, documentation, coding and billing obligations. Although the PSAVE pilot program may advance the agency’s overall goal of reducing Medicare waste, fraud and abuse, there are other more effective, less invasive ways for your practice to integrate and encourage a culture of compliance in your organization.

Adherence to the requirements set out in a well-designed Compliance Program is perhaps a Part B provider’s best approach that can speed up and optimize the proper payment of claims, minimize billing mistakes, and reduce the chances that an audit will be deemed necessary by CMS or one of its program integrity contractors.  The “sampling” of one’s claims on a periodic basis to ensure that the services being billed to the Medicare program qualify for coverage and payment would squarely fall within the “Auditing and Monitoring”  element identified by OIG as one of the seven elements of a provider’s effective Compliance Program.  A “GAP Analysis” of your practice will make it easier to identify any weaknesses in the provision, documentation and submission of your claims for reimbursement by the Medicare program.  If you identify an error when reviewing your claims processes, promptly taking remedial action can often minimize the size and scope of any overpayment that is identified.  The prompt repayment of any overpayments you may have received can also prevent Federal and State auditors from disrupting your practice and conducting their own assessment of your Medicare claims.  Additional risk areas to be considered when reviewing your claims include, but are not limited to:

• What was the source of the referral for services provided by you or another member of your practice?

• Do you or another member of your practice provide something of value in exchange for referrals?

• Do you provide any gifts to patients?

• Are your employees, agents and / or contractors been screened against all Federal and State lists of excluded parties?

• Has the proper level of supervision been exercised in connection with each of the claims billed to Medicare?

PSAVE Pilot ProgramRobert W. Liles, M.B.A., M.S., J.D., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Robert represents health care providers and suppliers around the country in connection with Medicare audits by UPICs, ZPICs, MACs, SMRCs and other CMS program integrity contractors.  Our firm also represents healthcare providers in connection with Medicare revocation, suspension and exclusion actions. For a free consultation, please call Robert at:  1 (800) 475-1906.






Personal Care Services Are Under the Government’s Microscope

January 22, 2018 by  
Filed under Home Health & Hospice

personal care services (January 22, 2018): The Department of Health and Human Services, Office of Inspector General (HHS-OIG) has conducted numerous audits, evaluations, and investigations involving the provision of “ personal care services ” to Medicaid beneficiaries.  In fact, from 2006 to 2012, HHS-OIG produced more than 20 audit and evaluation reports analyzing various program integrity risks presented when providing personal care services.  Much of this work was summarized in a November 2012 report entitled “Personal Care Services: Trends, Vulnerabilities, and Recommendations for Improvement.” [1] Additionally, last month, HHS-OIG published an Issue Brief highlighting the involvement of State Medicaid Fraud Control Units (MFCUs) in pursuing health care fraud and beneficiary abuse in personal care services programs.

In this article, we have taken the summary information assembled by HHS-OIG in the reports outlined above and combined this information with data collected from the 50 state MFCUs in order to provide an overview of state and federal investigations, indictments, convictions, and recoveries involving fraud, waste, abuse and patient neglect in Medicaid personal care services programs around the country.  Before examining this information, let’s go over a few basics.

I. What Are “Personal Care Services”?

The coverage and scope of a state’s specific personal care services benefit varies from one state’s Medicaid program to another.  Using Texas as an example, prior to 2006, personal care services under Medicaid were only provided to qualified minors with physical disabilities and other medical needs.  Notably, children with cognitive or behavioral disabilities did not qualify for this benefit.  As a result of a class action lawsuit settlement,[2] the Texas Medicaid State plan was amended to cover personal care services for children with disabilities and chronic health conditions enrolled in the state’s Medicaid program. Today, the Texas Department of State Health Services describes “personal care services” as:

“A Medicaid benefit that assists eligible clients who require assistance with activities of daily living (ADLs) and instrumental activities of daily living (IADLs) because of a physical, cognitive or behavioral limitation related to their disability, physical or mental illness, or chronic condition.”[3]

Examples of ADLs that are often provided under the personal care services benefit include bathing, eating, toileting, positioning and transferring, dressing and walking. IADLS provided under the benefit typically include doing laundry, performing light housework, shopping for groceries and preparing meals.  As these tasks and activities reflect, personal care services are non-skilled in nature.  Skilled services provided by nursing personnel do not qualify as personal care services, though they may qualify under some other benefit such as home health.

It is also important to remember that neither ADLs nor IADLs would qualify as covered personal care services if a beneficiary has the physical, behavioral and cognitive ability to perform these tasks and activities without adult supervision.

II. Who Qualifies for Medicaid-Covered Personal Care Services?

Like the service itself, whether a person qualifies for personal care services depends on the specific requirements of each state program. However, using Texas as an example, a beneficiary must:

  • Be 20 years or younger and be eligible for Medicaid.
  • Have a disability, physical or mental illness, or a health problem that lasts for a long time.
  • Have a Practitioner Statement of Need signed by a practitioner (physician, advanced practice nurse, or physician assistant) who has examined you in the last 12 months.
  • Need help with ADLs and IADLs based on the Personal Care Assessment Form (PCAF).
  • Provide a reason why your guardian cannot help you with ADLs and IADLs.[4]

III. Trends in Medicaid Personal Care Service and MFCUs: 

Between 2012 and 2015, Medicaid spending on personal care services jumped from $10.9 billion to $13.3 billion.[5] As a result, MFCUs have increasingly been tasked with investigating and prosecuting Medicaid provider fraud and patient abuse and neglect within healthcare facilities. Despite being only one of 80 types of providers regulated by MFCUs, personal care service providers constituted 38% of their indictments and 34% of their convictions. During this period indictments and convictions related to fraud by personal care service providers increased 56% and 33% respectively. In the year 2015, cases of fraud by personal care service providers constituted 12% of all MFCU investigations. Overall these trends indicate that MFCUs are concerned with the vulnerability of Medicaid beneficiaries and are more aggressively targeting personal care service providers.

IV. Current Systemic Weaknesses Facilitate Fraud, Abuse, and Neglect:

Throughout last month’s report, HHS-OIG highlighted many of the weaknesses of the current model of Medicaid personal care service oversight. Presently, there are no federal training or educational requirements for personal care service attendants so the quality of personal care services provided from one caregiver to another can vary greatly.  Additionally, thorough background checks are not consistently required.  As a result, there have been a number of instances where habitual offenders have been found to have exploited beneficiaries under their care.

Another issue of concern is that thorough documentation is not required for Medicaid personal care services, leading to the ability of an attendant to charge for services that did not occur or for time in which the attendant and beneficiary where not even in the same location. Aside from creating a window of opportunity for fraud, this also allows for personal care service attendants to neglect their beneficiaries. In the past, this scenario has led to the death of a beneficiary.  Lack of oversight also shifts the burden to report on to the beneficiary. Thus, mental and physical handicaps of beneficiaries leave them vulnerable as reporting may be rather difficult. Due to federal regulations, MFCUs are also unable to investigate or prosecute cases of abuse or neglect by in-home/community personal care service providers.

As a consequence of these systemic issues, despite being the best equipped agency to take on this task, MCFUs do not receive funding for this and are forced to refer such cases to other agencies that may be less effective in investigating and prosecuting these cases. Overall, the current model is vulnerable to fraud and leaves beneficiaries vulnerable to abuse and neglect.

V. Improper Payments to Personal Care Service Providers Will Lead to Investigations:

An improper payment is any payment that is made that, according to federal and/or state laws, should not have been made. The inconsistency in state rules and the lack of depth of federal rules complicates the generalization of improper payments. According to an audit of state Medicaid programs by HHS-OIG, the most common types of improper personal care service payments are:

  • Claims paid without supporting documentation.
  • Services provided and billed that are ineligible for Medicaid reimbursement.
  • Services provided without required supervision.
  • Services provided by an unqualified attendant.
  • Services provided by an attendant without proper verification of required qualifications.
  • Payments made for care while the Medicaid beneficiary was in an institution.

It is important to note that improper payment is not the same as fraud. Improper payments are considered a result of error and a personal care service provider is required to return the overpayment as soon as the improper payment is discovered and may face further consequences. While self-disclosure of improper payments is considered an act of good faith, the nature of the improper payment may lead into an investigation into potential waste, fraud, and/or abuse.[6]

VI. What is Personal Care Services Fraud?

The vulnerability of the current personal care services system to fraud has made these services a significant concern for MCFUs around the country. Many of the fraud cases brought in recent years have involved instances of billing for services not rendered to a Medicaid beneficiary.  Examples of this type of improper conduct has included instances when:

  • A Medicaid beneficiary was on a vacation.
  • A Medicaid beneficiary was in an institution.
  • A Medicaid beneficiary was documented to be without the personal care attendant by another healthcare provider.
  • The personal care aide or attendant was documented to be working elsewhere at the time.
  • The Medicaid beneficiary was deceased at the time personal care services were billed.

Often, wrongdoers have committed this type of fraud by having a Medicaid beneficiary sign off on blank time sheets in advance of services that are to be provided. While the Medicaid beneficiary is typically unaware of the fraudulent intentions of the personal care attendant, there have been cases where the personal care services attendant has made an agreement to share profits with the beneficiary or a family member of the beneficiary in order to obtain a signed blank time sheet.

While fraud is often committed by individual personal care aides or attendants, a personal care services agency can be held accountable if it is aware of the attendant’s fraudulent billing practices. One investigation in Alaska led to the criminal prosecution of over 40 individuals for fraud.[7] In that case, the personal care services agency was aware that employees were submitting falsified timesheets in addition to charging Medicaid for services rendered by excluded individuals.

VII. Personal Care Services Fraud Investigations:

Personal care services fraud has been an increasing concern of MCFUs. As expected, the amount of criminal investigation into personal care services fraud has risen over the 2015 and 2016 fiscal years, with a total of 1,929 individual personal care services attendants and 250 personal care services agencies being investigated for fraud at the end of 2016.[8] Convictions have risen slightly over those 2 years, with 464 individual personal care aides and attendants and 36 personal care services agencies convicted of criminal fraud charges in 2016. Overall, personal care service fraud appears to more commonly perpetrated by individual personal care service attendants, though agencies are certainly being held responsible for their role in personal care services fraud.

personal care services fraud

Table 1: The number of open investigations into personal care services fraud by agencies and attendants at the close of the 2015 and 2016 fiscal years.

personal care services fraud

Table 2: The number of criminal convictions and civil court settlements/judgements for personal care services fraud in the 2015 and 2016 fiscal years.

VIII. Recoveries from PCS Fraud Cases:

Despite an increase in civil settlements and judgements, the total amount recovered through settlements decreased substantially for both PCS attendants and PCS agencies. The result of criminal convictions has been markedly different. In the fiscal year 2016, a total of 464 PCS attendants were convicted of PCS fraud compared to only 36 agencies.[11] While personal care attendants constitute the overwhelming majority of convictions, approximately 45.8% of the amount recovered in 2016 came from personal care service Agencies. From fiscal year 2015 to 2015, the amount of PCS agencies convicted increased by 63.6%, from 22 to 36. In the same period, the amount recovered from criminal convictions of PCS agencies more than doubled, from $1,718,223 to $4,108,575. Thus, it is evident that PCS agencies are increasingly being held responsible for their role in PCS fraud.

personal care services fraud

Table 3: The amount of money recovered in personal care services fraud cases in the 2015 and 2016 fiscal years.

 IX. What is Abuse or Neglect of a Beneficiary?

The current system leaves beneficiaries vulnerable to abuse. Abuse has cases revolve around incidents in which a personal care services attendant causes physical harm to the beneficiary. In a case in Florida, a personal care attendant was fired and later charged with elderly abuse after repeatedly striking, pinching, and pulling at an elderly individual and leaving bruises on the individual.[13] However, abuse is not always physical. Abuse also includes harm done by theft, in which personal care service attendants take advantage of their beneficiaries and steal valuable items from them. In one case, a personal care service attendant at an assisted living facility stole nearly $10,000 from beneficiaries.[14] In another, an attendant stole two guitars from a beneficiary and sold the guitars to a local music shop.[15] When the attendant became aware of the beneficiary’s intent to contact authorities, the attendant returned the items. In the end, the attendant was still charged with fourth degree larceny.

Drug diversion is a serious abuse prevalent in personal care service that goes beyond theft and extends into physical harm as well. In addition to the monetary loss, the beneficiary is losing the treatment they require. For many, especially in hospice care, the use of opioids is used to manage pain. When attendants take these medications, they leave the beneficiaries suffering. In one case, an attendant began to switch a beneficiary’s hydrocodone with acetaminophen, leaving the patient suffering until the attendant’s drug diversion was discovered. In addition to leaving patients suffering, the use of substitute substances and potentially unsterile equipment puts the beneficiary at risk of serious harm or death.

Neglect is defined as “the failure or omission on the part of a caregiver to provide the care, supervision, and services necessary to maintain the physical and mental health of a disabled adult or elderly person that a prudent person would deem essential for the  well-being of the patient.” Neglect is serious, as the lack of adequate care or supervision of vulnerable individuals can be fatal. In one case, a personal care service attendant did not provide the services that were billed for an entire week, leaving the beneficiary hospitalized due to malnourishment and dehydration.[16] In another case, a personal care service attendant took a mentally handicap person to a crowded shopping area and lost the individual on a winter day in Philadelphia. The attendant did not immediately seek out the beneficiary nor did the attendant contact authorities in a prompt manner. The beneficiary was later found dead due to hypothermia. Neglect can also stem from fraud. In one case in Arkansas, a personal care service attendant billed Medicaid for services rendered to a beneficiary while frequenting Casino.[17] The attendant’s neglect led to malnourishment and dehydration, eventually leading to the death of the beneficiary.

X. Investigating Abuse or Neglect of a Beneficiary:

Despite the desire of MCFUs to investigate abuse or neglect, allegations are not investigated as often and extensively as they would like due to a lack of federal and state funding to do so. From the close of the 2015 fiscal year to the close of the 2016 fiscal year, open investigations into Abuse or neglect of a beneficiary decreased marginally from 254 to 252 investigations.[18] This marginal decline indicates the limitations placed on MCFUs ability to investigate abuse or neglect of beneficiaries. All of these investigations were criminal. In the same period, criminal convictions for abuse or neglect raised from 44 in 2015 to 52 in 2016. In 2015, there was one civil court settlement for abuse or neglect by a personal care service attendant. Overall it appears that MCFUs are becoming increasingly serious about addressing abuse or neglect by personal care service attendants and will continue to do what they can within their means to address the issues.

personal care service abuse

Table 4: The number of open investigations into abuse or neglect by personal care service attendants at the close of the 2015 and 2016 fiscal years.

personal care service abuse

Table 5: The number of criminal convictions and civil court settlements/judgements for personal care service abuse or neglect cases in the 2015 and 2016 fiscal years.

 XI. Recoveries from Abuse or Neglect Cases:

As can be expected by the findings of the recent HHS-OIG issue brief, convictions of abuse or neglect of a beneficiary only increased by 8 convictions in 2016, an 18% increase from the 2015 fiscal year. This again highlights the limitations placed of MFCUs in addressing abuse or neglect of beneficiaries. However, the total amount recovered in these cases more than tripled from the 2015 to the 2016 fiscal year, from $71,817 in 2015 to $247,972 in 2016. This substantial increase in recoveries again suggests that MFCUs are increasingly serious about addressing abuse or neglect of beneficiaries.

personal care service abuse

Table 6: The amount of money recovered in personal care service abuse or neglect cases in the 2015 and 2016 fiscal years.

XII.  HHS-OIG Recommendations:

The recommendations made by HHS-OIG are aimed at creating greater state oversight of personal care services provided by aides and attendants to Medicaid beneficiaries. These recommendations include measures such as:

  • Creating an enrollment or registration process for attendants.
  • Requiring comprehensive background checks for personal care service attendants
  • Mandating greater documentation requirements for personal care service attendants, including details such as time of service and services provided.
  • Requiring beneficiary case managers to conduct more in-home/community supervisory visits.
  • Establishing mandatory training or educational standards for personal care service attendants.
  • Cross-referencing personal care service attendant and beneficiary locations to prevent fraudulent billing.
  • Federal funding for investigations and prosecutions of abuse or neglect by in-home/community personal care service agencies.

The current model provides too much opportunity for fraudulent, negligent, and abusive behavior by agency providers to be overlooked. These reforms could effectively deter personal care service providers from engaging in fraudulent, abusive, or negligent behavior by making them aware of the consequences of such behavior. In addition, these reforms would make it easier for MFCUs to effectively hold all personal care service providers accountable for their actions.

XIII.  Conclusion:

At present, despite efforts from personal care agencies to better screen their staff, Medicaid beneficiaries are still finding themselves subject to fraud, abuse and / or neglect by a significant number of individual personal care service aides and attendants each year. Unfortunately, fraud, abuse and / or neglect by personal care service aides and attendants will likely continue to be a major concern until the further safeguards are taken by both personal care agencies and regulators to better protect Medicaid beneficiaries.

In addition to conducting standard due diligence, as an owner of a personal care services agency, it is especially important that you screen your applicants (before hire), employees, vendors and contractors, against all Federal and State exclusion databases, every 30 days.  We recommend that you contact the folks at Exclusion Screening to get this accomplished.  They can be reached at

Robert W. Liles is a health care attorney experienced in handling prepayment reviews and audits.Robert W. Liles, J.D., M.B.A., M.S., serves as Managing Partner at Liles Parker, PLLC.  Liles Parker is a health law firm representing personal care agencies and other health care providers around the country in connection with Medicare, Medicaid and private payor audits.  For a complimentary consultation, give Robert a call at: (202) 298-8750.

[1] As mandated by Public Law 95-452, HHS-OIG’s mission is to “protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs.”  HHS-OIG’s report entitled “Personal Care Services: Trends, Vulnerabilities, and Recommendations for Improvement” (OIG-12-12-01).

[2] Alberto N. et al. v. Hawkins. (No. 6:99-cv-00459) May 19, 2005.  EDTX, Tyler Division.




[6] “Waste” occurs when unnecessary services are provided that lead to a waste of resources, such as when more hours of services are rendered than are necessary. “Fraud” is defined at 42 C.F.R. §433.304 as “(in accordance with §455.2) . . . an intentional deception or misrepresentation made by a person with knowledge that the deception could result in some unauthorized benefit to himself or some other person. This includes any act that constitutes fraud under applicable Federal of State law.” “Abuse” is defined is defined at 42 C.F.R. §455.2 as “provider practices that are inconsistent with sound fiscal, business, or medical practices, and result in an unnecessary cost to the Medicaid program, or in reimbursement for services that are not medically necessary or that fail to meet professionally recognized standards for health care. It also includes beneficiary practices that result in unnecessary cost to the Medicaid program.”



[9] Ibid.

[10] Ibid.

[11] Ibid.

[12] Ibid.







[19] Ibid.

[20] Ibid.

[21] Ibid.

Dental Claims Audits are on the Rise

December 18, 2017 by  
Filed under Dental Audits & Compliance

Dentists are under the regulatory microscope.

Both Medicaid and private payor dental claims audits are increasing around the country.

(December 18, 2017):  As you may recall, in July 2017, the Department of Justice (DOJ) and the Department of Health and Human Services, Office of Inspector General (HHS-OIG), conducted the largest ever health care fraud enforcement action ever held on a single day. Two of the health care professionals arrested during this national “Takedown” were Michigan dentists, both of whom were alleged to have billed Medicaid for services not rendered. Unfortunately, as we will discuss in this article, examples of dental claims audits, investigations and prosecutions have become quite common.

In October 2017, Michigan’s Attorney General announced that his office had successfully apprehended a fugitive dentist that had been convicted in May 2017 of twenty counts of Medicaid fraud, six counts of health care fraud, and one count of racketeering.  These incidents of fraud first arose after the dentist was “excluded” from participation in the Medicaid program in 2006. To get around the exclusion, he allegedly provided dental services to Medicaid beneficiaries and billed for his services under the identifying information of another dentist.  Before he could be taken into custody, the defendant apparently fled to the Dominican Republic.  He was captured by officials of the U.S. Marshal’s Service last October.

If you think that this is an isolated story about a sensational dental fraud case, think again. Just last week, the local news in Anchorage, Alaska spotlighted the fact that a local dentist who had been charged with Medicaid fraud was back in court.  As the television anchor reminded her audience, this story first made national headlines after a video surfaced which showed the dentist allegedly performing a dental procedure on a sedated patient,[1] while on a hoverboard.

Has there been a change in law enforcement’s focus with respect to dental providers?  Is your practice now more at risk of a dental claims audit than ever before?  These are the questions we will look at in this article.

I. Background – Insurance Coverage of Dental Services.

The Centers for Medicare and Medicaid Services (CMS) estimates that in 2016, health care spending increased 4.3% and cost approximately $3.3 trillion.  Notably, approximately 4% of this $3.3 trillion was spent on dental services. The amount of money spent on dental services is more than what is spent on home health services and more than twice what is spent on durable medical equipment each year.

Based on spending alone, you would think that law enforcement would have dedicated significant investigation and prosecution resources to this specialty area long ago.  In years past that hasn’t been the case, likely due to the fact that most dental services are not covered under Medicare. As Section 1862 (a)(12) of the Social Security Act provides:

“(a) Notwithstanding any other provision of this title, no payment may be made under part A or part B for any expenses incurred for items or services

(12) where such expenses are for services in connection with the care, treatment, filling, removal, or replacement of teeth or structures directly supporting teeth, except that payment may be made under part A in the case of inpatient hospital services in connection with the provision of such dental services if the individual, because of his underlying medical condition and clinical status or because of the severity of the dental procedure, requires hospitalization in connection with the provision of such services.” (emphasis added).

While eligible Medicaid beneficiaries do, in fact, generally qualify for certain dental program services, both the individuals who qualify for coverage and the types of dental services under each program vary from state to state.  Although the government-funded dental programs in each of these states may have unique coverage provisions, both law enforcement and Special Investigative Units (SIUs) working for private payors have successfully identified a number of common improper practices and schemes conducted by dental professionals.

II.  Recent Dental Improper Billing Practices Pursued by the Government.

To begin, what is “Fraud”? Importantly, it is defined by regulation.  As 42 C.F.R. §433.304 provides, Fraud is “(in accordance with §455.2) . . . an intentional deception or misrepresentation made by a person with knowledge that the deception could result in some unauthorized benefit to himself or some other person. This includes any act that constitutes fraud under applicable Federal of State law.”

In contrast, Abuse is defined at 42 C.F.R. §455.2 as “provider practices that are inconsistent with sound fiscal, business, or medical practices, and result in an unnecessary cost to the Medicaid program, or in reimbursement for services that are not medically necessary or that fail to meet professionally recognized standards for health care. It also includes beneficiary practices that result in unnecessary cost to the Medicaid program.”

Collectively, both fraudulent and abusive billing dental care practices are illegal and may subject a dental provider to administrative, civil and / or criminal sanctions, fines, penalties and damages.  The level of exposure faced is very fact-specific and will vary, depending on the specific dental program that has been defrauded, the conduct alleged and types of damages incurred by the payors and the beneficiaries.

When reviewing the various “schemes” used when committing fraud, it is important to keep in mind that most health care providers, including dental professionals, who engage in wrongdoing, do not merely employ only a single improper billing practice.  As the Government Accounting Office (GAO) found in its study on common Federal health care fraud schemes:

“About 68 percent of the cases included more than one scheme with 61 percent including two to four schemes and 7 percent including five or more schemes.”

Why is this important to know?  Well, when your dental claims are audited (and at some point in the future, your practice will be subjected to a dental claims audit), you need to keep in mind that the reviewers will be taking a broad look at your business referrals, quality of care, documentation, coding, billing and licensure practices.  Each of these areas are likely to be audited even though your audit may have been triggered by a patient complaint regarding a specific service or because you were an outlier with respect to the number of CDT D0210 – Intraoral Complete Film Series procedures you billed to a payor.  Although not by any means all-inclusive, a number of the improper billing practices we have recently seen in government and / or private payor dental audits and investigations have included the following:

1.  Billing for dental services not rendered. While the vast majority of dental professionals work hard to ensure that their billing practices are both fair and accurate, when fraudulent billing does occur, this is often one of the forms it takes. Unfortunately, this type of dental fraud is still relatively common in cases prosecuted by both Federal and State law enforcement authorities.  Moreover, private payor SIUs have routinely identified this in cases they have brought against dental providers.  From a provider standpoint, at first glance, it may appear to be easy to successfully “get away” with this type of fraud.  Frankly, how many patients have any idea what dental procedures have been performed in their mouths? Many patients are sedated when the work is performed.  Even if they are awake, it is highly unlikely that they will know the difference between a costly dental procedure and one that is much less costly.  For a dentist to adopt this attitude would be a serious mistake.  It is essential to keep in mind that there are no more secrets.  What do I mean by this? Your actual dental practices can be determined in a variety of ways:

A.  Audits based on data-mining. The level of coordination and communication between Federal law enforcement investigators, State Medicaid Fraud Control Units (MFCUs) and private payors’ SIUs has grown to the point that they are now extraordinarily effective at sharing information regarding ongoing provider investigations, provider utilization practices, and emerging fraud schemes. Through data mining, they can tell with a high degree of accuracy how long it should take for you to perform all of the dental services you billed in a single day. They will also compare your billing patterns to those of your peers.  If any of your billing practices or patterns appear to be irregular, they will initiate an audit.

B.  Complaints. If you are billing the Medicaid program for services not rendered, you are placing both your financial livelihood in jeopardy and your personal liberty at risk. Under the provisions of the Affordable Care Act (ACA), if you fail to report and return an overpayment within 60 days, you are liable for damages and penalties under the Civil False Claims Act (FCA).  The FCA has special “whistleblower” provisions that allow an individual to essentially step into the shoes of the government and file a case under seal against a wrongdoer. If the government intervenes and there is a settlement, the whistleblower can receive between 15% and 25% of the recovery.  Essentially, this statute makes virtually every one of your employees a potential whistleblower.  If you engage in improper Medicaid billing practices, one of them will eventually identify the wrongful conduct.  Do you want to take risk?  To make matters worse, the government is not restricted to only pursuing such a case under the civil False Claims Act.  Depending on the facts, the government could also pursue the case criminally under 18 U.S.C. §1347 – Health Care Fraud or under 18 U.S.C. §669 – Theft of Embezzlement in Connection with Health Care.

Before moving on to the next category, it is worth noting that some incidents of “billing for services not rendered” may be inadvertent.  For instance, if a patient comes in for a dental service that requires the performance of a multi-stage procedure (such as a crown, dentures or a root canal), most dental plans will not allow you to bill for the procedure until the date that the final stage of the multi-stage procedure is completed.  It is important that you train your billing staff to check each payor plan prior to billing so that multi-stage procedures are billed in accordance with the requirements of each particular payor.  If you aren’t sure how a payor treats such a situation, call the payor prior to billing the procedure or fully disclose the status of the stage of the procedure when you submit the claim.

2.  Misrepresentation of a non-covered service. In some respects, this improper practice is nothing more than another form of “billing for services not rendered.” Simply put, in the cases we have seen where this has occurred, a dentist or dental practice has either purposely or erroneously characterized a non-covered dental service as a covered service. Keep in mind, the definition of a non-covered service varies from policy to policy. Additionally, the list of non-covered services under a specific policy may change from year-to-year.  In any event, it is important that you regularly check to ensure that the services you are providing a patient qualify for coverage and payment.

This is especially critical when a dental provider intends to bill a Medicaid beneficiary for non-covered services. Every Medicaid dental payor plan is different.  You should carefully review your Provider Resource Manual prior to billing a Medicaid beneficiary for a non-covered service.  Most Medicaid payors require that certain admonitions be provided to the patient and that a specific form be completed by the patient. A portion of the form used by Liberty Dental Plan, the administrator for the Medicaid dental plan in Nevada, expressly requires the following notice:

3.  Misrepresentation of the provider of the dental service. This type of billing error is still commonly found in both dental and medical practices around the country. In the cases we have seen, “fraud” wasn’t the reason for the underlying misrepresentation on the ADA Claims form. In most instances, it was a merely a matter of a credentialing delay. In other cases, dental practices appeared to believe that they were permitted to bill for the services under a concept similar to Medicare’s “Incident-To” rule.  We will address each of these misconceptions.

A.  Credentialing delays. Once again, it is essential that you understand the specific requirements under your payor agreement.  For example, you are credentialed by PAYOR A, but you decide to hire another dentist. Until the new dentist completes the credentialing paperwork for PAYOR A, turns it in, and is accepted as a credentialed provider, more than likely you can cannot bill for his services a treating provider.    

Billing Dentist Versus Treating Dentist

As the ADA Dental Claim Form above reflects, there are separate sections for the “Billing Dentist” and the “Treating Dentist.”  The section titled Billing Dentist is meant to provide the individual dentist’s name or the name of the group practice that is responsible for billing. In contrast, the section titled Treating Dentist is meant to provide the name of the dentist who actually provided the dental services to the beneficiary, within the scope of his / her state licensure.

Unfortunately, we have seen situations where billing staff in offices were unaware of these rules.  Since the actual treating dentist was not credentialed by a payor, they billed the services under the name and number of a dentist that was, in fact, credentialed by the payor.  As you can imagine, with only a rudimentary review of a dentist’s services in a data-mining review, an auditor is likely to quickly determine that a problem exists.  Depending on the payor and the specific facts in the case, a dental practice may be terminated from participation in the plan and may have to repay a significant overpayment to the payor.  Both dentists involved in the misrepresentation may be referred to the State Dental Board for unprofessional conduct.

Although we have not seen a dental misrepresentation case of this type referred for criminal prosecution, it is important to remember that the ADA Dental Claims form is being electronically submitted to the health plan for payment.  Depending on the facts, an aggressive prosecutor could argue that such conduct constitutes wire fraud. 18 U.S.C. §1343.

B.  “Incident-To” billing. Many medical practices have a distinct billing advantage over dental practices when it comes to the billing of a newly-hired physician’s services. Although every payor’s rules are different, many payors (including Medicare) recognize a billing concept known as “Incident-To.”  If a payor recognizes incident-to, then it would be permissible bill the services of a newly hired physician under the number of an already credentialed supervising physician, as long as certain conditions are met. For instance, if “Direct Supervision” is required, this level of supervision has been defined by regulation to mean that:

42 CFR 410.32(3)(ii) Direct supervision in the office setting means the physician must be present in the office suite and immediately available to furnish assistance and direction throughout the performance of the procedure. It does not mean that the physician must be present in the room when the procedure is performed.”From a practical standpoint, there is no reason why this concept wouldn’t work in a dental practice setting.  However, we have not found a similar provision incorporated in State Medicaid regulations or in State Medicaid Provider Manuals.   Nor have we found it to be permitted by private payor dental plans.  Therefore, we strongly recommend that you do not bill incident-to in the absence of express guidance from your payor that it is permissible to do so.  Instead, take steps to ensure that your dentists and auxiliary staff are credentialed as soon as possible after entering on duty with your practice.

4.  Waiving or Failing to Collect Co-Payments and Deductibles. At the outset, it is worth noting that the ADA Principles of Ethics and Code of Professional Conduct specifically addresses the waiver of co-payment issue in its November 2016 edition:

“5.B.1. WAIVER OF COPAYMENT. A dentist who accepts a third party payment under a copayment plan as payment in full without disclosing to the third party that the patient’s payment portion will not be collected, is engaged in overbilling. The essence of this ethical impropriety is deception and misrepresentation; an overbilling dentist makes it appear to the third party that the charge to the patient for services rendered is higher than it actually is.”

The ADA guidance does not make a distinction between whether a dental provider is an in-network or out-of-network participating provider.  If your practice is a participating provider, your improper waiver of a patient’s co-payment or deductible would also constitute a breach of contract.

Under appropriate circumstances, a health care provider may waive a Medicare co-payment or deductible if a patient can show a bona fide financial hardship.[2]  However, care must be taken when waiving these amounts. The improper waiver of a Medicare co-payment or deductible could constitute a violation of the Federal Medicare / Medicaid Anti-Kickback Statute, and expose you and your practice to potential criminal liability. (See HHS-OIG’s 1994 Fraud Alert).

5.  Unlicensed individuals found to have performed dental procedures. Generally speaking, we have seen two categories of cases where this has occurred, one which is truly egregious and one that was the result of an administrative error.  Each of these situations are discussed below:

A.  Allowing unlicensed staff to provide care. Perhaps the quickest way to get into trouble with both law enforcement and your State Dental Board is to allow non-licensed individuals provide dental care that may only be administered by qualified, licensed personnel. Earlier this year, the New York Attorney General’s Office announced the indictment, arrest and arraignment of a dentist and four unlicensed individuals that the dentist was permitting to perform dental procedures on 110 Medicaid recipients. As the Attorney General was quoted as saying “New York has strong licensing requirements for healthcare, and those who think they can skirt these important safety rules will be held accountable.”

Unfortunately, this is a common occurrence, despite the fact that virtually every state Dental Practice Act has strict requirements governing both the level of supervision that must be exercised over subordinate staff and which tasks may not be delegated to unlicensed personnel.

B.  Unlicensed personnel providing care as a result of an administrative error. This typically occurs when a licensee fails to pay their annual licensing fees in a timely fashion or fails to complete mandatory Continuing Dental Education (CDE) required by their State Dental Board. If you are performing dental procedures and your license has been administratively suspended, a reviewer will still deny each of the claims where you are listed as the treating dentist.

6. Unbundling. Fundamentally, when a health a care provider engages in “unbundling,” he / she takes a global code and breaks it down into its fundamental parts for billing purposes.  The billing of the separate components then yields more than the billing of the single global code.  For instance, in some States, the Medicaid dental coverage and payment rules in place require that cleanings, x-rays, and examinations be billed as part of a single visit.  Similarly, some State Medicaid dental coverage payment rules require that x-rays, oral / facial images, and pre-orthodontic visits be billed as part of a comprehensive orthodontic code.[3]

7. Upcoding. Billing for a dental service or procedure at a higher level than was actually provided is known as “upcoding.” An example of upcoding is illustrated by the August 2017 prosecution of a dentist out of Charleston, West Virginia who pleaded guilty to upcoding. According to the government, the defendant falsely billed Medicaid and its Managed Care Organizations (MCOs) for complex dental procedures (such as the extraction of impacted teeth), when in fact, he actually performed simple extractions.  As a result of this false reporting, Medicaid and its MCOs paid the defendant dentist $172 per extraction of each tooth, rather than $80 per tooth for a simple extraction. The dentist further admitted that he falsely upcoded at least 7,490 tooth extractions, billing more than $1.3 million for those procedures. He further admitted that if those extractions were medically necessary, and if had actually performed the procedures he claimed, then he should have been paid only $599,200.

III.  Don’t Wait Until You Are Facing a Dental Claims Audits – Review Your Practices Now!

Do you have an effective compliance program in place?  How would respond to the following questions?

  • When was the last time you conducted an internal dental claims audit and examined whether the services you are providing fully reflect medical necessity requirements, are documented to meet the requirements of the payor, and are properly coded and billed? What did you find?  Who conducted the audit, someone from your dental practice, or an outside dental consultant?  Be sure and engage any outside dental consultant through legal counsel.  Keep in mind, this is not a paper exercise.  If legal counsel is not fully engaged and is not supervising the work, it is doubtful that the result of any review will be privileged.  As a final point in this regard, keep in mind that any overpayments identified must be paid back, regardless of whether the results of the dental claims audit qualify as privileged.
  • When was the last time you conducted an audit of your dental business practices? Are your practices free of any possible violations of the False Claims Act or Anti-Kickback Statutes?
  • Have you fully implemented each of your obligations under HIPAA and HITECH? If subjected to an unannounced audit by the Office of Civil Rights or one of its contractors (yes, this can occur), will you be able to show that you are in compliance with all required security, privacy and technical mandates under HIPAA / HITECH?
  • Do you have an effective anonymous compliance reporting mechanism in place? Have you advised and trained your dental practice staff on their obligations to report improper billings or conduct to your practice’s Compliance Officer?
  • Are you screening your dental practice employees, contractors, vendors and contractors through all Federal and State exclusion databases?

Working through these steps (and others), can greatly reduce your overall level of regulatory risk and can assist your practice in implementing an effective compliance program. Need help?  Give us a call.  Our attorneys represent dental practices in both Medicaid and private payor dental audits.  Moreover, we can assist you in assessing your current level of compliance so that you will be better prepared if your practice is audited in the future.

Robert W. Liles defends dentists around the country in Medicaid and dental claims audits.Robert W. Liles serves as Managing Partner at the health care law firm Liles Parker, PLLC.  Our attorneys represent dentists and dental practices around the country in connection with Medicaid audits, private payor audits and State Dental Board actions.  For a complimentary consultation, please give us a call.  We can be reached at: 1 (800) 475-1906.


[1] As the reported notes, the defendant allegedly took in 31% of the state’s total Medicaid payments for IV sedation in 2016. Although not discussed, this very well may be how he was identified as a potential target – through data mining.

[2] A copayment waiver based on financial hardship is prohibited if it is not supported by a “good faith” assessment of the individual beneficiary’s financial need. Special Fraud Alert, 59 Fed. Reg. 65372-01, at 65375; 42 U.S.C. § 1320a-7a(i)(6); 42 C.F.R. § 1003.101. The “[r]outine use of ‘Financial hardship’ forms which state that the beneficiary is unable to pay the coinsurance” is insufficient. Special Fraud Alert, 59 Fed. Reg. 65372-01, at 65375.; A copayment waiver based on a failure to collect is prohibited if it is not preceded by a “good faith” collection effort. Special Fraud Alert, 59 Fed. Reg. 65372-01, at 65375; 42 U.S.C. § 1320a-7a(i)(6); 42 C.F.R. § 1003.101. The collection effort must be more than “token” and must be similar to efforts made to collect comparable amounts from non-Medicare patients. Medicare Claims Processing Manual, Ch. 23, § 80.8.1.

[3] Medicaid Compliance for the Dental Professional – Presentation

Revocation of Your Medicare Billing Privileges.

Revocation of Your Medicare Billing Privileges

The revocation of your Medicare billing privileges can subject your practice to financial ruin!

(December 14, 2017):  The Centers for Medicare and Medicaid Services (CMS) has engaged various types of outside contracting entities to perform program integrity functions on behalf of the Medicare program.  At the present time, Uniform Program Integrity Contractors (UPICs) and Zone Program Integrity Contractors (ZPICs) are very aggressive when it comes to referring evidence of potential fraud to federal law enforcement agencies, primarily the Department of Health and Human Services, Office of Inspector General (HHS-OIG) and the U.S. Department of Justice (DOJ).  In matters where fraud is not apparent but it appears that other improper conduct has occurred, UPICs and ZPICs are actively recommending to CMS that adverse administrative actions (such as the revocation of your Medicare billing privileges), be taken.  As the General Accounting Office (GAO) noted in its August 2017 report entitled “CMS Fraud Prevention System Uses Claims Analysis to Address Fraud,  the administrative actions[1] recommended by these program integrity contractors typically range from prepayment review to revocation.[2]


I. Background:

To participate in the Medicare program, a provider must typically complete either a CMS-855A, CMS-855B, CMS-855I or CMS-855S[3] enrollment application, each of which requires that the provider disclose their practice or office address.[4] Notably, a provider may also  provide documentation of its “practice location” with its enrollment application.[5] Once a provider has enrolled in the Medicare program, any changes to the provider’s enrollment information must be reported within a strict timeframe.  For example, a change in practice location must be reported within 30 days.[6]

Among their various duties, Medicare Administrative Contractors (MACs), UPICs and ZPICs are required to periodically perform site visits in order to verify that a provider is operational, that the provider’s enrollment information is accurate, and that the provider is in compliance with applicable Medicare enrollment requirements.[7] To accomplish this, the CMS contractor will normally inspect the  “qualified physical practice location” given by the provider or supplier that is currently in file with the MAC. See, e.g., JIB Enterprises, LLC, DAB CR3010, at 9 (2013).

II. Failure to Meet Provider Requirement to Maintain Active Enrollment Status:

Over the past year, our firm has represented more physicians, home health agencies and other providers than ever before in challenging proposed Medicare revocation actions.  As we indicated in an article on ZPIC audits last March, program integrity contractors are aggressively conducting site visits of enrolled providers. Approximately one-third of these revocation actions have been based on a Medicare contractor’s assertion that they were unable to verify a provider’s operational status. In many cases, this has occurred because a provider has moved its office or clinic without properly reporting the relocation to Medicare in a timely manner. GAO’s December 2017 report on the status of CMS fraud efforts illustrates how frequently this particular category of revocation action has been occurring. As GAO noted with respect to Florida:

“According to a 2016 report, from July 1, 2015, through September 30, 2016, a contractor covering Florida had conducted 9,891 site visits to verify providers’ and suppliers’ operational status, deactivated 422 practice locations, and revoked or denied 1,157 providers.[8]

III.  What Occurs if a Medicare Contractor Believes that a Provider is Not Operational?

What does it mean for a provider’s practice or office to be “operational”?  As set out under 42 C.F.R. § 424.502, the term operational:

“means the provider or supplier has a qualified physical practice location, is open to the public for the purpose of providing health care related services, is prepared to submit valid Medicare claims, and is properly staffed, equipped, and stocked (as applicable, based on the type of facility or organization, provider or supplier specialty, or the services or items being rendered), to furnish these items or services.”

Therefore, if a UPIC or ZPIC were to visit the location of your practice (as then listed in Medicare’s records) and were to find that the practice or office were closed, the contractor would likely take the position that your organization is not operational.

Neither UPICs nor ZPICs exercise independent authority to issue a revocation letter or otherwise revoke your Medicare billing privileges.  These contractors must first obtain prior approval from CMS’ Provider Enrollment & Oversight Group (PEOG).  When seeking approval to initiate a revocation action, the contractor is required to cite the specific regulatory basis upon which this adverse action is being based.  In most cases, obtaining CMS approval to initiate a revocation action is a perfunctory step in the process. Once approval is obtained, the provider’s Medicare billing privileges are normally revoked, retroactive to the date that the CMS contractor determined that the provider was not operational.[9]  As set out in the Federal Register:

“Moreover, we maintain that when CMS or our contractor determines that a provider or supplier, including a DMEPOS supplier, is no longer operating at the practice location provided to Medicare on a paper or electronic Medicare enrollment application that the revocation should be effective with the date that CMS or our contractor determines that the provider or supplier is no longer operating at the practice location.”[10]

ANon-Operational Due to Change in Location Without Proper Notice.

 We have handled practically every permutation of this scenario that you can imagine.  The most common facts have involved a provider or supplier who moved offices and failed to notify their MAC.  As luck would have it, a UPIC or ZPIC contractor conducted a site visit, found that the practice location on file was closed or empty, and concluded that it was not operational.  The contractor then recommended to CMS that a revocation action be pursued.

In several instances, the provider and / or the provider’s office manager was willing to swear that written notice of the change in location was, in fact, sent to the MAC.  Unfortunately, unless the provider can provide proof that notice was given by Certified Mail, Return Receipt Requested or other trackable mail service, these cases have been an uphill battle in the administrative appeals process.

In other cases, a provider has been able to show that written notice was given, in a timely fashion, to state regulatory authorities.  In at least one case, a provider argued that the MAC was provided proper notice through the Cost Report process.  Unfortunately, proof of such notice was not provided to the Administrative Law Judge so no ruling as to adequacy was issued.

The bottom line with respect to notice is fairly straight forward, timely notice of a change in practice location must be provided to the MAC, on the proper form and within the proscribed time limits.  Moreover, as with all communications to a CMS contractor, it is imperative that proof of submission and receipt be maintained.

B.  Non-Operational Due to Closed or Non-Staffed at the Time of the Site Visit.

From a practical standpoint, a provider doesn’t necessarily have to change its practice or office location to be found non-operational.  We have handled multiple cases where a ZPIC contractor conducted a site visit at the provider’s address listed on the CMS-855, but for one reason or another, the office was locked and was not staffed at the time of the visit, thereby giving rise to a revocation action.

IV.  A Look at the Regulatory Bases for Revocation:

As reflected under 42 CFR §424.535(a)(1)-(14), there are fourteen regulatory bases for revocation that may be relied upon by the government.  This article focuses on only one of these reasons for revocation – a provider’s failure to notify Medicare of a change in its practice location.  Notably, there are several regulatory bases that may be cited when revoking a provider’s billing privileges for this infraction, each of which are briefly discussed below.

A.  42 C.F.R. §424.535(a)(1), “Non-Compliance.”

Under 42 C.F.R. §424.535(a)(1), a revocation may be pursued if:

“The provider or supplier is determined to not be in compliance with the enrollment requirements described in this subpart P or in the enrollment application applicable for its provider or supplier type, and has not submitted a plan of corrective action as outlined in part 488 of this chapter. The provider or supplier may also be determined not to be in compliance if it has failed to pay any user fees as assessed under part 488 of this chapter.

(i) CMS may request additional documentation from the provider or supplier to determine compliance if adverse information is received or otherwise found concerning the provider or supplier.

(ii) Requested additional documentation must be submitted within 60 calendar days of request.”

Under this basis for revocation, CMS or one of its contractors typically alleges that a provider has violated an enrollment requirement listed on the enrollment application or currently in Medicare’s electronic records system.  Although most revocation actions pursued under this regulatory provision are based on a licensure-related violation, the scope of the provision is broad enough to cover situations where a provider has failed to meet its obligations to report a change in practice location in a timely fashion.

B.  42 C.F.R. §424.535(a)(5), “On-Site Review.”

Under 42 C.F.R. §424.535(a)(5), a revocation action may be pursued if:

“Upon on-site review or other reliable evidence, CMS determines that the provider or supplier is either of the following:

 (i) No longer operational to furnish Medicare-covered items or services.

(ii) Otherwise fails to satisfy any Medicare enrollment requirement.”

As previously indicated, both CMS contractors are actively conducting site-visits of Medicare providers and suppliers in an efforts to better ensure the program integrity of the Medicare Trust Fund.  These site-visits are expected to intensify, not subside in 2018.  It is therefore essential that you understand your obligations under the regulations to qualify as an “operational” entity and to properly notify Medicare of any changes to your enrollment status.

C.  42 C.F.R. §424.535(a)(9), “Failure to Report.”

Under 42 C.F.R. §424.535(a)(9) a revocation action may be pursued if:

The provider or supplier did not comply with the reporting requirements specified in § 424.516(d)(1)(ii) and (iii) of this subpart.”

As 42 C.F.R. §516(d)(1)(ii) and (iii) describes, physicians, nonphysician practitioners, and their organizations must report any adverse legal action or change in practice location to their Medicare contractor within 30 days. If a provider that has failed to meet this reporting requirement is subject to having their Medicare billing privileges revoked under 42 C.F.R. §424.535(a)(9).

V.  Impact of a Medicare Revocation Action:

Simply put, if your Medicare billing privileges are revoked, you will be barred from participating in the Medicare program from the date of the revocation until the end of the re-enrollment bar that has been identified in the revocation letter.  The re-enrollment bar lasts from 1 – 3 years. [11]  The length of the re-enrollment bar depends on the severity of the reason for the underlying revocation. The re-enrollment period begins 30 days after the provider receives the notice of revocation letter from CMS.

Under 15.1.1 of the MPIM, the definition of the term “Final Adverse Action” includes a Medicare-imposed revocation of any Medicare billing privileges.”  More than likely, each of your private payor participating agreements includes a requirement that you notify the payor within 30 days of any adverse action.  If for some reason your particular contract does not include this requirement, it is important to remember that all licensing boards, payors and hospitals have access to the NPDB and regularly submit queries on their staff or licensees.  Depending on the reason for revocation, these organization may choose to pursue a reciprocal action.

VI.  Appealing a Medicare Revocation Action:

As reflected in Section IV above, the business impact of a revocation action on your practice can be devastating.  If you are facing a revocation action, we strongly recommend that you engage experienced health law counsel to represent you in the process. Unlike the traditional Medicare administrative appeals process, the Medicare revocation appeals process has abbreviated timeframes and is highly restrictive with respect to the introduction of evidence and arguments.  Having said that, our attorneys have been very successful in working directly with CMS to resolve many of these revocation actions to the satisfaction of our clients and achieve a result that likely would be unavailable through the traditional revocation appeals process.

Generally, the Medicare revocation appeals process is set out under 42 C.F.R. § 405.803, “Appeal Rights.” As this provision outlines, a provider is entitled to challenge the revocation of its Medicare billing privileges an may appeal an initial determination made by CMS or its contractor by following the procedures specified in Chapter 498.  A brief overview of these provisions is outlined below:

Preliminary Appeal Determination: Can We File a Corrective Action Plan (CAP)?  In limited circumstances, if a provider’s Medicare billing number has been revoked, it may be afforded an opportunity by CMS to take remedial action to correct the deficiencies that were the basis for the revocation action.   After the effectuation of the December 2014 Final Rule, only provider’s whose Medicare billing privileges have been revoked due to non-compliance under 42 CFR 424.535(a)(1) are entitled to submit a CAP. The other thirteen regulatory bases for revocation are not eligible for CAP remediation.  To the extent that your revocation action falls within category, the CAP must be submitted within 30 days of the date of the revocation notice and must provide evidence that the provider is now in full compliance with its applicable obligations.  If the provider can demonstrate compliance, CMS will reinstate the provider’s billing privileges.  If the CAP is denied, the provider can still exercise its appeal rights under Part 498.  Importantly, the submission of a CAP does not “stay” your appeal deadlines.  More than likely, you will therefore pursue a dual-track approach is challenging the revocation action.

Appeal Level I:  Reconsideration.  The first level of appeal for a provider to contest the evocation of its Medicare billing privileges is known as the “Reconsideration” level. A reconsideration request must be submitted within 60 days from receipt of the notice of initial determination. Take care, some appeals will be filed with the CMS-PEOG while others must be filed with MAC. Any documentary evidence a provider wants considered by the hearing officer assigned to their case must be submitted at this level of appeal. If a provider later wants to submit documentary evidence into the record, an Administrative Law Judge (ALJ) will require that the provider show “Good Cause” exists for the late submission of the evidence. “Good Cause” is rarely found to exist absent evidence of an Act of God that prevented earlier submission.

Appeal Level II: Administrative Law Judge (ALJ) Hearing. Should you not prevail at the reconsideration level of appeal, you can seek a hearing before an ALJ of the HHS Departmental Appeals Board, Civil Remedies Division. Requests for an ALJ hearing must be submitted within 60 days from the date of the reconsideration decision.  The ALJ hearing is like a “mini-trial.”  The government will be represented by an attorney assigned by your HHS Regional Office of General Counsel.  If the facts in the case are contested, both sides will typically submit briefs, introduce evidence and present witness and / or expert testimony.  If both sides agree as to the basic facts in the case, the ALJ will often issue his / her ruling based on the written record.

Appeal Level III: Departmental Appeals Board (DAB) Hearing.   Both the provider and CMS may contest a decision of the ALJ. Should a party choose to do so, they must request review of the ALJ’s decision by the Departmental Appeals Board, Appellate Division within 60 days of the date of the ALJ’s decision.  Importantly, this is the end of the proverbial line administratively.  If a provider is dissatisfied with the DAB’s ruling, it must seek judicial review.

Appeal Level IV:  Judicial Review  If a provider wishes to challenge the decision of the DAB, it must file a civil action in U.S. District Court within 60 days of the date of the DAB decision.  If a provider can show “Good Cause,” the DAB is permitted to extend the civil action filing deadline.

VII.  Conclusion:

The revocation of a provider’s Medicare billing number often comes as a shock.  It is never expected and few providers are prepared to effectively respond to the challenges presented by the hyper-strict requirements of the revocation appeals process.  It is important to keep in mind that the appeals process isn’t meant to provide a level playing field for a provider to argue its case.  Unfortunately, the rules are skewed in favor of CMS from the very start.  It is therefore essential that you take steps to challenge the revocation of your Medicare billing privileges.  Unless you are skilled in responding to these types of adverse actions, it is likely in your best interests to engaged experienced health law counsel.

Healthcare AtorneyRobert W. Liles, J.D., M.B.A., M.S., is a former Federal prosecutor and an experienced health lawyer.  Robert and the other lawyers at Liles Parker, PLLC, represent health care providers and suppliers around the country in connection with Medicare revocation actions.  If you or your practice have been had their Medicare billing privileges revoked, please give Robert a call for a complimentary consultation:  Please call:  1 (800) 475-1906.    


[1] Importantly, this list of administrative adverse actions is not all-inclusive.  For instance, as set out in Section of the Medicare Program Integrity Manual (MPIM), UPICs and ZPICs are also required to  review and evaluate cases to determine if they warrant exclusion action.  If so, they are to make a recommendation to OIG for exclusion. One of the examples cases suitable for exclusion listed in the MPIM includes:

“Providers who are the subject of prepayment review for an extended period of time (longer than 6 months) who have not corrected their pattern of practice after receiving educational/warning letters.”

[2] As defined under 15.1.1 of the MPIM, the term “Revocation” means that the provider or supplier’s billing privileges are terminated.

[3] CMS-855A – Medicare Enrollment Application for Institutional Providers; CMS-855B – Medicare Enrollment Application for Clinics, Group Practices, and Certain Other Suppliers; CMS-855I – Medicare Enrollment Application for Physicians and Non-Physician Practitioners; CMS-855S – for DME suppliers.

[4] 42 C.F.R. § 424.510(a).

[5] 42 C.F.R. § 424.510(d)(2)(ii).

[6] See 42 C.F.R. § 424.516(d)(1)(iii).

[7] 42 C.F.R. §§ 424.510(d)(8), 424.515(c), 424.517(a).

[8] GAO-18-88. “CMS Needs to Fully Align Its Antifraud Efforts with the Fraud Risk Framework,” December 2017.  See footnote 62.

[9]42 C.F.R. §§ 405.800(b)(2); 424.535(a)(5)(i), (g).

[10] 73 Fed. Reg. 69,725, 69,865 (Nov. 18, 2008) (emphasis added).

[11] 42 CFR §424.535(c)

[12] If a revocation actions is based on an “Abuse of Billing Privileges” under 42 CFR 424.535(a)(8), the initial level of appeal (Reconsideration) will be filed directly with CMS rather than with the provider’s MAC.

Dental Fraud: Dentist Faces 3,974 Years in Prison if Convicted!

November 30, 2017 by  
Filed under Dental Audits & Compliance

Dental Fraud(November 30, 2017):  Earlier this year, Attorney General Jeff Sessions announced the largest ever health care fraud enforcement action by the government’s Medicare Fraud Strike Force.  The fraud “take down” charged 412 defendants across 41 federal districts, including 115 doctors, nurses and other licensed medical professionals, for their alleged participation in health care fraud schemes involving approximately $1.3 billion in false billings. Of those charged, over 120 defendants were charged for their roles in prescribing and distributing opioids and other dangerous narcotics. The charges aggressively targeted schemes billing Medicare, Medicaid, and TRICARE for medically unnecessary prescription drugs and compounded medications that often were never even purchased and / or distributed to beneficiaries. The charges also involved individuals contributing to the opioid epidemic, with a particular focus on medical professionals involved in the unlawful distribution of opioids and other prescription narcotics.  While most of the medical professionals charged with controlled substance violations have traditionally been physicians, nurse practitioners and physician assistants, both state and federal law enforcement authorities are also including dental professionals in their audits of opioid and controlled substance prescribing practices. A recent dental fraud case out of the State of Pennsylvania investigated by agents of the Federal Bureau of Investigation and the Drug Enforcement Administration illustrates how serious federal law enforcement agents and prosecutors are viewing these cases.

I.  Dental Fraud Indictment Charging Pittsburg Dentist:

In early November 2017, the U.S. Attorney’s Office for the Western District of Pennsylvania announced that a federal grand jury had issued a superseding dental fraud indictment charging a Pittsburgh dentist on a variety of controlled substance and related charges. As the superseding dental fraud indictment reflects, the government charged the dentist with:

  • Distribution of Hydrocodone and Oxycodone, Schedule II and III controlled substances, outside the usual course of professional practice;
  • Using or Maintaining a Drug-Involved Premises;
  • Health Care Fraud; and
  • Omitting Material Information from Required Reports, Records, and Other Documents.

II.  Overview of the Dental Fraud Charges Allegedly Committed:

According to the 200-count superseding dental fraud indictment, from 2012 through 2015, the dentist allegedly distributed Hydrocodone and/or Oxycodone, Schedule II and III controlled substances, on 196 occasions, “outside the usual course of professional practice and not for a legitimate medical purpose.” The superseding indictment also alleges that the defendant “knowingly and intentionally used and maintained his dental office for the purpose of unlawfully distributing controlled substances.”  Finally, the superseding indictment alleges that the defendant committed health care fraud (in this case, dental fraud), and supposedly omitted material information from an application for a Drug Enforcement Agency registration number.

Unlike most dentists, the defendant was a participating provider in the Medicare program.[1], [2] The alleged dental fraud supposedly resulted in improper billings and losses to the Medicare, Medicaid, and the managed care organizations associated with each program.  The wrongful conduct also resulted in improper billings and losses to UPMC’s health plan.

III.  Potential Sentence and Fine the Dentist Now Faces:

Here’s where the case appears to leave the rails.  According to the Press Release issued by the U.S. Attorney’s Office, if the defendant is convicted of the charges, the law provides for:

  • A maximum total sentence on all counts of incarceration of up to 3,974 years;[3]
  • A fine of $197,500,000; and
  • A term of supervised release of 598 years, or all.

Yes, that’s right, the government is seeking up to 4,000 years of prison time for this dentist. Notably, 4,000 years ago, Stonehenge was founded and the Bronze Age was just beginning in China.  One can only imagine what the world will be like 4,000 years from now, but one thing is for sure – we will all be long gone!

IV.  What are the Requirements for Prescribing and Documenting Controlled Substances?

A.  Prescribing, Administering and Dispensing Controlled Substances in Pennsylvania.

Over the last six months, a significant portion of the criminal health care fraud cases brought against providers have been based, at least in part, on improper opioid prescribing practices.  A vast majority of these opioid cases have alleged that one or more defendants wrote Prescriptions of oxycodone that were outside of usual medical practice and without a legitimate medical purpose.”  While every case is different, one point we have repeatedly noted is that dental records often fail to comply with applicable State Dental Practice Act requirements.

For instance, in Pennsylvania, under Subchapter C, Section 33.207, when prescribing, administering or dispensing controlled substances, a dentist is required to comply with the following minimum standards under Section 33.207(a)(1):

“(1) Scope of authority. A dentist may prescribe, administer or dispense a controlled   substance only:

         (i)   In good faith in the course of the dentist’s professional practice.

          (ii)  Within the scope of the dentist-patient relationship.

(iii) In accordance with treatment principles accepted by a responsible segment of the profession.”

Before a dentist initially prescribes, administers or dispenses a controlled substance to a patient, a proper dental examination and medical history of the patient must be conducted and documented.  As set out under Section 33.207(a)(2), the dental examination and medical history conducted must be sufficiently thorough “to justify the prescription, administration or dispensation of the controlled substance.”  Applicable regulations require that:

“the examination shall focus on the patient’s dental problems, and the resulting diagnosis shall relate to the patient’s specific complaint. The patient’s dental record shall contain written evidence of the examination and medical history.”

Pursuant to Section 33.207(a)(3), Pennsylvania licensed dentists are required to keep the following records when prescribing, administering or dispensing a controlled substance to a patient that include an entry in the patient’s dental record that contains:

           “(A)   The name, quantity and strength of the controlled substance.

            (B)   The directions for use.

            (C)   The date of issuance.

            (D)   The condition for which the controlled substance was issued.”  

See Section 33.207(a)(3)(i).

Pennsylvania regulations further require that a patient’s dental record contains entries related to the to the issuance of controlled substances, “they shall be retained by the dentist for a minimum of 5 years following the date of the last entry of any kind in the record.” Section 33.207(a)(3)(ii). 

B.  Preparing, Maintaining and Retaining Patient Dental Records in Pennsylvania.

While specific record-keeping requirements are expressly specified by regulation when dealing with controlled substances, that does not absolve a Pennsylvania from his or her basic record-keeping obligations under Section 33.209.  Pennsylvania regulations require the following:

“(a) A dentist shall maintain a dental record for each patient which accurately, legibly and completely reflects the evaluation and treatment of the patient. A patient dental record shall be prepared and maintained regardless of whether treatment is actually rendered or whether a fee is charged. The record shall include, at a minimum, the following:

(1)  The name and address of the patient and, if the patient is a minor, the name of the patient’s parents or legal guardian.

(2)  The date of each patient visit.

(3)  A description of the patient’s complaint, symptoms and diagnosis.

(4)  A description of the treatment or service rendered at each visit and the identity of the person rendering it.

(5)  Information as required in §33.208 (relating to prescribing, administering and dispensing medications) and this section with regard to controlled substances or other medications prescribed, administered or dispensed.

(6)  The date and type of radiographs taken and orthodontic models made, as well as the radiographs and models themselves. Notwithstanding this requirement, the dentist may release orthodontic models to the patient. This transaction shall be memorialized on a form which is signed by the patient. The signed form shall become part of the patient’s record.

(7)  Information with regard to the administration of local anesthesia, nitrous oxide/oxygen analgesia, conscious sedation, deep sedation or general anesthesia. This shall include results of the preanesthesia physical evaluation, medical history and anesthesia procedures utilized.

(8)  The date of each entry into the record and the identity of the person providing the service if not the dentist of record-for example, dental hygienist, expanded function dental assistant, dental assistant, and the like.

(b)  A patient dental record shall be retained by a dentist for a minimum of 5 years from the date of the last dental entry.

(c)  Within 30 days of receipt of a written request from a patient or a patient’s parents or legal guardian if the patient is a minor, an exact copy of the patient’s written dental record, along with copies of radiographs and orthodontic models, if requested, shall be furnished to the patient or to the patient’s new dentist. This service shall be provided either gratuitously or for a fee reflecting the cost of reproduction.

(d)  The obligation to transfer records under subsection (c) exists irrespective of a patient’s unpaid balance for dental services or for the cost of reproducing the record.

(e)  Dentists shall provide for the disposition of patient records in the event of the dentist’s withdrawal from practice, incapacity or death in a manner that will ensure their availability under subsection (c).

(f)  The components of a patient dental record that are prepared by a dentist or an agent and retained by a health care facility regulated by the Department of Health or the Department of Public Welfare shall be considered a part of the patient dental record required to be maintained by a dentist, but shall otherwise be exempt from subsections (a)—(e). The components of a patient dental record shall contain information required by applicable Department of Health and Department of Public Welfare regulations—see, for example, 28 Pa. Code § 141.26 (relating to patient dental records)—and health care facility bylaws.

(g)  This section does not restrict or limit the applicability of recordkeeping requirements in §§ 33.207 and 33.208 (relating to prescribing, administering and dispensing controlled substances; and prescribing, administering and dispensing medications).

(h)  A dentist’s failure to comply with this section will be considered unprofessional conduct and will subject the noncomplying dentist to disciplinary action as authorized in section 4.1(a)(8) of the act (63 P. S. § 123.1(a)(8)).”

Importantly, this is merely a partial listing of the applicable requirements that must be met by a licensed, qualified dentist when prescribing controlled substances.  When is the last time you have reviewed your internal operations and documentation practices?  An essential first step to achieving compliance is to conduct a “GAP Analysis” of your business, clinical, coding and billing practices.  For additional information on the GAP Analysis process, I recommend you review my article covering this issue.

V.  Conclusion:

Importantly, the case against the Pittsburgh dentist discussed in this article is likely a harbinger of future opioid prosecutions and related dental fraud cases that we will be seeing around the country (although I doubt the government will likely tout the potential period of incarceration as they did in this case).

In any event, dentists and oral surgeons around the country need to keep in mind that both state and federal law enforcement and health care regulatory agencies are actively investigating and prosecuting opioid related crimes. In fact, as you may recall, last August, Attorney General Sessions announced the establishment of a new Department of Justice (DOJ) section known as the “Opioid Fraud and Abuse Detection Unit” that is dedicated to accomplishing this goal.  As the government continues to tighten up its monitoring activities of opioid prescription practices in an effort to cut down on instances of perceived fraud and abuse, the scrutiny placed on your dental practice’s documentation, medical necessity, coding and billing practices will undoubtedly grow.  Does your dental practice have an effective Compliance Plan in place? If not, we strongly recommend that you get one! The implementation of an effective Compliance Plan, along with the performance of a GAP Analysis can greatly assist you in identifying possible areas of vulnerability where improvements are needed.

Robert W. Liles defends dentists in claims audits.Robert W. Liles, JD, MS, MBA serves as Managing Partner at Liles Parker, Attorneys and Counselors at Law. Robert represents dental professionals of all sizes around the country in connection with a full range of Medicare, Medicaid and private payor audits, investigations and dental fraud cases.  He also represents dentists in state board actions. For a complimentary consultation, please call Robert at: 1 (800) 475-1906.

[1] Under Section 1862 (a)(12) of the Social Security Act states, “where such expenses are for services in connection with the care, treatment, filling, removal, or replacement of teeth or structures directly supporting teeth, except that payment may be made under part A in the case of inpatient hospital services in connection with the provision of such dental services if the individual, because of his underlying medical condition and clinical status or because of the severity of the dental procedure, requires hospitalization in connection with the provision of such services.”

[2] As noted on the website of the Centers for Medicare and Medicaid Services (CMS), “Medicare will pay for dental services that are an integral part either of a covered procedure (e.g., reconstruction of the jaw following accidental injury), or for extractions done in preparation for radiation treatment for neoplastic diseases involving the jaw. Medicare will also make payment for oral examinations, but not treatment, preceding kidney transplantation or heart valve replacement, under certain circumstances. Such examination would be covered under Part A if performed by a dentist on the hospital’s staff or under Part B if performed by a physician.

[3] The government does point out under the Federal Sentencing Guidelines, the actual sentence imposed would be based upon the seriousness of the offenses and the prior criminal history, if any, of the defendant.


UPIC / ZPIC Referrals to State Boards, Societies, Surveyors and QIOs

ZPIC referrals(November 29, 2017):  The Medicare and Medicaid programs are managed by the Centers for Medicare and Medicaid Services (CMS). CMS has engaged Unified Program Integrity Contractors (UPICs) and Zone Program Integrity Contractors (ZPICs), among others, to provide program integrity support. In the course of their duties, UPICs and ZPICs may initiate a prepayment review, postpayment audit, suspension or revocation action.  These CMS contractors are less known for their referrals to state licensing boards, professional medical societies, state survey agencies and quality improvement organizations. Nevertheless, in recent years, we have seen a significant increase in the number of UPIC / ZPIC referrals to state regulatory enforcement agencies.

This article examines the various directives governing UPIC / ZPICs that are currently generating a significant number of inter-agency referrals.[1]

I.  ZPIC Referrals to State Licensing Authorities Due to Improper Conduct:

Over the years, a number of fundamental changes have been made by the Centers for Medicare and Medicaid Services (CMS) to Chapter 4 of the Medicare Program Integrity Manual (MPIM).  Many of these changes were designed to facilitate the sharing of adverse case findings between federal and state regulatory agencies.

Pursuant to Chapter 4, Sec. 4.18.2 of the MPIM, ZPICs are required to make a referral to a provider’s state licensure board if it finds that the provider engaged in unethical or improper practices or unprofessional conduct.”  We have handled several cases that resulted from ZPIC referrals to state licensure boards.  Situations we have seen where a ZPIC has made a referral to the responsible state licensing authority include:

  • Referral to State Medical Board: Failure to exercise proper level of supervision over a Nurse Practitioner.
  • Referral to State Nursing Board: Performing certain patient care services without the requisite level of physician supervision in place.
  • Referral to State Nursing Board: Inappropriately prescribing controlled substances to one or more patients.

II.  ZPIC Referrals to State Licensing Boards Based on Data Mining:

It is important to keep in mind that ZPIC referrals to state licensure boards are not limited to merely those situations where the contractor has alleged that a provider has engaged in improper or unprofessional conduct.   We have seen at least one referral based solely on conclusions reached through data mining, where no actual audit of the provider’s medical records had been conducted.

III.  ZPIC Referrals to Professional Societies:        

Historically, professional societies have only infrequently taken disciplinary actions against their members.  When actions have been taken they have often been in response to adverse action taken by state licensure boards. That may no longer be the case in the future.  ZPICs are required under Sec. 4.18.2 of the MPIM to refer instances of apparent unethical / improper practices or unprofessional conduct to professional societies for possible disciplinary action.

IV.  ZPIC Referrals Based on Evidence of Potential Poor Quality Care or Potential Patient Harm:

Under Chapter 4, Sec., of the MPIM, ZPICs are required to maintain effective lines of communication with other entities. As this section provides:

“The ZPIC shall establish and maintain formal and informal communication with state survey agencies, the OIG, the DOJ, state Medicaid agency, other Medicare contractors, other ZPICs, and other organizations as applicable to determine information that is available and that should be exchanged to enhance program integrity activities.

If the ZPIC identifies a potential quality problem with a provider or practitioner in its area, it shall refer such cases to the appropriate entity, be it the QIO, state medical board, state licensing agency, etc. Any provider-specific information shall be handled as confidential information.” (emphasis added).

Sec. 4.18.3 of the MPIM further requires that ZPICs make a referral to the Medicare Quality Improvement Organization (QIO) if a situation involves potential patient harm.  As the regulations state:

If potential patient harm is discovered during the course of screening a lead or through the investigation process, the ZPIC shall refer those instances to the QIO, state medical board, or state licensing agency. In addition to making the appropriate referrals, the ZPIC shall notify the COR and IAG BFL within two (2) business days once the potential patient harm issue is discovered. (emphasis added).

If the ZPIC refers a provider to the State licensing agency or medical society (i.e., those referrals that need immediate response from the State licensing agency), the ZPIC shall also send a copy of the referral to the QIO.” (emphasis added).

V.  NBI MEDIC Referrals to State Licensure Boards:

Since 2016, both state and federal authorities have been aggressively reviewing the care and treatment practices of physicians, nurse practitioners, physician assistants, dentists and others who are alleged to have engaged in improper opioid and high-risk drug prescription practices.  To accomplish this task, CMS awarded a nationwide contract known as the “National Benefit Integrity Medicare Drug Integrity Contract” (NBI MEDIC) to “Health Integrity, LLC.”  As you may recall, Health Integrity also serves as ZPIC for Zone 4.

In its role as NBI MEDIC, Health Integrity is responsible for monitoring and auditing the prescription of opioids under the Medicare Part D program.  As in its ZPIC capacity, Health Integrity is required to employ predictive analytics and other investigative tools in order to identify physicians, nurse practitioners and others whose opioid prescriptive practices appear to be aberrant.  When this occurs, two actions are normally taken:  First, a referral is typically made to the prescriber’s state licensing authorities so that they may conduct a review of the provider’s practices.  Second, the NBI MEDIC may make a referral to the responsible ZPIC so that an medical review of the provider’s Medicare claims can be conducted.

VI.  ZPIC Referrals to OIG for “Exclusion” Consideration:

More than likely, most of you had no idea that CMS has tasked ZPICs with making referrals of unethical / improper practices or unprofessional conduct to state regulatory bodies and private, professional societies.  If that’s the case, you will likely find Paul Weidenfeld’s article entitled Is Your Practice Being Audited by a ZPIC? Did You Know it Can Lead to an OIG Exclusion?” fascinating.  Believe it or not, CMS requires ZPICs to make appropriate referrals to the Office of Inspector General (OIG) if it believes that “exclusion” action is warranted.  Check out Paul’s article at

VII.  Conclusion:

Regrettably, the number of complaints filed with state licensure boards will likely continue to increase as long as CMS contractors are required under the terms of their contract to make referrals for the types of conduct outlined above.  If you are facing a board complaint or potential disciplinary action by a professional society, it is essential that you understand the basis for the underlying referral by the UPIC or ZPIC.  We have identified a number of instances where the ZPIC basis of referral was either factually incorrect or was based on a flawed interpretation of the data.  Your ability to effectively respond to the basis for the referral can greatly impact the ultimate direction of a board action.

ZPIC referralsRobert W. Liles, JD, MBA, MS, is Managing Partner at the law firm Liles Parker.  He represents health care providers around the country in UPIC and ZPIC audits, and State Medical Board and State Nursing Board actions.  For a complimentary consultation, please give him a call.  He can be reached at: (202) 298-8750.

[1] As set out in Chapter 4, Sec. 4.1 of the Medicare Program Integrity Manual (MPIM), all references to ZPICs also apply to Unified Program Integrity Contractors (UPICs).


« Previous PageNext Page »