Liles Parker PLLC
(202) 298-8750 (800) 475-1906
Washington, DC | Houston, TX
San Antonio, TX | Baton Rouge, LA

We Defend Healthcare Providers Nationwide in Audits & Investigations

TSBDE Update: Texas State Board of Dental Examiners

November 11, 2013 by  
Filed under Dental Audits & Compliance

Download PDF

The TSBDE is investigating complaints against dentists and dental professionals. (November 11, 2013): TSBDE Update – The Texas Legislature first provided for licensure of dentists in 1897, whereby district judges were empowered to appoint a Board for their districts consisting of three practicing dentists living in the district. In 1905, Senate Bill 84 created the Texas State Board of Dental Examiners (TSBDE or Board). The Board consisted of six practicing dentists to serve the entire state. Between 1905 and the present, various amendments to the Dental Practice Act have been enacted.

Today, the Board consists of 15 members appointed by the Governor.  The stated mission of the Board is to safeguard the dental health of Texas by developing and maintain program to:

1. Ensure that only qualified persons are licensed to provide dental care; and

2. Ensure that violators of laws and rules regulating dentistry are sanctioned as appropriate.

The TSBDE is divided into five program functions/divisions: Executive; Administration; Licensing; Enforcement; and Legal. Each division is closely related to and depends on ready and efficient access to information from the others to assure that functions are carried out in a manner consistent with statutory requirements to ensure the dental health and safety of the public. Information about program services is shared among the divisions of the TSBDE.

I.  Introduction — Sanctions Imposed by the TSBDE:

The TSBDE has the authority to sanction dentists for inappropriate conduct.  Examples of such conduct include violations of the standard of care, impermissible delegation, dishonorable or unprofessional conduct and criminal offenses and the failure to use proper diligence in practice or the failure to safeguard patients against avoidable infections.

II.  Alleged Violation — Standard of Care Breaches:

Standard of care violations include:

  • Practice below minimum standard with a risk of harm.
  • Failure to advise patient before beginning treatment.
  • Failure to make, maintain and keep adequate dental records.
  • Misleading a patient as to the gravity, or lack thereof, of their dental needs.
  • Failure to maintain appropriate life support training.
  • Abandonment of patient.
  • Failure to report patient death or injury requiring hospitalization.
  • Act or omission that demonstrates level of incompetence such that the person should not practice without remediation and subsequent demonstration of competency.
  • Negligence in treatment.
  • Any intentional act or omission that risks or results in serious harm.
  • Failure to properly document compliance with health and sanitation requirements.
  • Office premises are not maintained in compliance with health and sanitation requirements.
  • Barrier techniques, disinfection, or sterilization techniques do not comply with health and sanitation requirements.
  • Failure to document controlled substance inventories or prescription records.
  • Failure to use reasonable diligence in preventing unauthorized persons from utilizing DEA or DPS permit privileges.

Other types of standard of care violations include a situation where the Licensee is negligent in performing dental services and that negligence causes injury or damage to a dental patient and when the Licensee is physically or mentally incapable of practicing in a manner that is safe for the person’s dental patients.

Another type of violation is impermissible delegation.  Impermissible delegation is when the Licensee holds a dental license and employs, permits, or has permitted a person not licensed to practice dentistry to practice dentistry in an office of the dentist that is under the dentist’s control or management.

III.  Alleged Violation — Dishonorable Conduct:

If a Licensee practices dentistry or dental hygiene in a manner that constitutes dishonorable conduct the activity will violate the Texas Code. These violations include:

  • Isolated dishonorable conduct resulting in no adverse patient effects.
  • Repeated acts of dishonorable conduct which impairs a person’s ability to treat a patient according to the standard of care.
  • Dispensing, administering, prescribing, or distributing drugs for a non-dental purpose.
  • Failure to meet duty of fair dealing in advising, treating, or billing a patient.
  • Diagnosis of dental disease, prescription of medication, or performance of impermissible acts by a dental hygienist.
  • Practicing dental hygiene without required supervision.
  • Sex or sexualized conduct with a patient.
  • Financial exploitation or dishonorable conduct resulting in a material or financial loss to a patient.

IV.  Alleged Violation — Criminal Behavior:

The TSBDE considers criminal behavior to be highly relevant to an individual’s fitness to engage in the practice of dentistry and will institute disciplinary actions for such conduct.  Relevant behavior can include:

  • Criminal offenses relating to the regulation of dentists, dental hygienists, or dental assistants committed in the practice of or connected to dentistry, dental hygiene or dental assistance.
  • Criminal offenses relating to the regulation of a plan to provide, arrange for, or reimburse any part of the cost of dental care services or the regulation of the business of insurance.

V.  Alleged Violation — Improper Drug Usage:

Furthermore, violations relating to chemical dependency or improper possession or distribution of drugs are also in the purview of the TSBDE’s sanctioning authority.  Specifically a violation will be found where the Licensee is addicted to or habitually intemperate in the use of alcoholic beverages or drugs or has improperly obtained possessed, used or distributed habit-forming drugs or narcotics.  Violations include:

  • Misuse of drugs or alcohol without patient interaction and no risk of patient harm or adverse patient effects.
  • Improperly distributing habit-forming drugs or narcotics.
  • Prescribing or dispensing a controlled substance for a non-dental purpose.
  • Prescribing or dispensing a controlled substance to a person who is not a dental patient, or to a patient without adequate diagnosis of the need for prescription.
  • Misuse of drugs or alcohol with a risk of patient harm or adverse patient effects.
  • Misuse of drugs or alcohol with a significant physical injury or death of a patient or a risk of significant physical injury or death.

VI.  Alleged Violation — Fraud or Misrepresentation:

The TSBDE considers fraud or misrepresentation a violation.  Infractions involving fraud or misrepresentation include instances where a licensee obtains a license by fraud or misrepresentation or engages in deception or misrepresentation in soliciting or obtaining patronage.  Specific violations include:

  • Failure to honestly and accurately provide information that may have affected the Board’s determination of whether to grant or renew a license.
  • Making an intentional misrepresentation of previous licensure, education, or professional character, including failure to disclose criminal convictions.
  • Engaging in false advertising.
  • Creating unjustified expectation.
  • Engaging in false, misleading or deceptive referral schemes.
  • Failing to comply with requirements relating to professional signs.
  • Failure to list at least one dentist practicing under a trade name in an advertisement.
  • Falsely advertising as a specialist in one of the ADA recognized specialties or advertising as a specialist in an area not recognized by the ADA.

VII.  Alleged Violation — Any Law Relating to the Regulation of Dentists or Dental Hygienists:

A violation of any law relating to the regulation of dentists or dental hygienists is also considered a violation of the Dental Practice Act.  This occurs when a Licensee violates or refuses to comply with a law relating to the regulation of dentists or dental hygienists.  Examples include:

  • Isolated failure to make, maintain and keep adequate dental records not resulting in patient harm.
  • Failure to notify patients that complaints concerning dental services can be directed to the Board.
  • Failure to post names of, degrees received by, and schools attended by each dentist practicing in office. Failure to properly exclude names of dentists not practicing in office.
  • Failure to place identifying mark on a removable prosthetic device.
  • Failure to notify the Board of maintenance of records agreement.
  • Failure to make, maintain and keep adequate dental records resulting in potential for patient harm.
  • Failure to obtain written, signed informed consent.
  • Failure to provide full dental records to the Board upon request.
  • Failure to maintain an appropriate permit for a mobile dental facility.
  • Perform treatment outside licensee’s scope of practice not resulting in patient harm.
  • Prescription of controlled substance while DPS or DEA permit is expired.
  • Failure to make, maintain and keep adequate dental records resulting in actual patient harm.
  • Violation of stipulation in a prior Board Order.
  • Perform treatment outside licensee’s scope of practice resulting in patient harm or potential for patient harm.
  • Prescription of controlled substance without DPS or DEA permit.

VIII.  Conclusion:

In recent years, the TSBDE has been particularly active.  As the number of complaints against dentists has increased, the number of disciplinary actions has also grown.  Notably, many of the complaints now handled by the TSBDE are collateral referrals from state and / or federal law enforcement agencies.  Are your dental practices fully compliant?  Call the health lawyers at Liles Parker for assistance in responding to a Dental Board investigation or a Medicaid or private payor audit.

Healthcare LawyerRobert W. Liles, J.D. serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Robert represents dentists and dental practices around the country in State Dental Board investigations and in Medicaid and private payor audits of dental claims / dental services.  For a free consultation, call Robert at:  1 (800) 475-1906.

 

Medicare Dental Audits are Being Conducted by ZPICs. Is Your Specialty Dental Practice Ready?

January 18, 2013 by  
Filed under Dental Audits & Compliance

Download PDF

Medicare Dental Audits are Being Conducted by ZPICs(January 18, 2013): Specialty dental practices around the country are receiving audit letters from “Zone Program Integrity Contractors” (ZPICs), contractors working for the Centers for Medicare and Medicaid Services (CMS). This latest audit focus by ZPICs is rather surprising in light of the fact that very few dental procedures qualify for Medicare coverage and payment.  The purpose of this article is to examine this occurrence and discuss how a dentist should respond if his specialty dental practice is audited by a ZPIC.

 

I.  Dental Coverage Under Medicare – Background:

Historically, Congress has affirmatively included specific language designed to limit the types of dental services that would qualify for coverage and payment under the Social Security Act (Act).  As Section 1862 (a)(12) of the Act states:

“where such expenses are for services in connection with the care, treatment, filling, removal, or replacement of teeth or structures directly supporting teeth, except that payment may be made under Part A in the case of inpatient hospital services in connection with the provision of such dental services if the individual, because of his underlying medical condition and clinical status or because of the severity of the dental procedure, requires hospitalization in connection with the provision of such services.” (emphasis added).[1]

Notably, the exclusion of dental services from Medicare is nothing new.  Dental services were carved out of coverage when Medicare was first passed.  Moreover, the exclusion was extraordinarily broad – it was not merely limited to “routine dental services.”  It was not until 1980 that Congress decided to make an exception for inpatient hospital services which were required as a result of serious dental needs which required hospitalization.  At present, Medicare covered dental services are essentially limited to cases where the dental services are:

“. . . an integral part either of a covered procedure (e.g., reconstruction of the jaw following accidental injury), or for extractions done in preparation for radiation treatment for neoplastic diseases involving the jaw. Medicare will also make payment for oral examinations, but not treatment, preceding kidney transplantation or heart valve replacement, under certain circumstances.”  (emphasis added).[2]

II.  A Brief Overview of the Creation of ZPICs:

On August 21, 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA).  While most health care providers think of “privacy” when HIPAA is mentioned, the legislation was historic in its scope, greatly expanding the government’s investigative and enforcement authorities and providing ongoing funding for the future.  HIPAA’s overall purpose was to protect the financial integrity of the Medicare Trust Fund and the statute has greatly facilitated the government’s efforts in this regard.

One of HIPAA’s most important provisions established the Medicare Integrity Program (MIP). MIP.  The purpose of MIP was to strengthen CMS’ ongoing efforts to identify, pursue and prosecute health care fraud.  Additionally, the statute was intended to deter potential future fraud. As part of this program, CMS established a new type of contractor, known as “Program Safeguard Contractors” (PSCs). These new contractors essentially assumed many of the program integrity functions previously handled by Carriers (Part B) and Fiscal Intermediaries (Part A).  

Over the next decade (prior to their replacement by ZPICs), PSCs aggressively pursued alleged Medicare overpayments from physicians, home health agencies, hospice companies, behavioral health centers, and other health care providers around the country.

On December 8, 2003, Congress passed and the President signed the Medicare Modernization Act (MMA) into law. Section 911 of the MMA provided for significant reform of the existing  Medicare Fee-For-Service contracting program. Among its many changes, the Carrier / Fiscal Intermediary system was replaced with a consolidated new type of administrative contractor known as a “Medicare Administrative Contractor” (MAC).  Seven program integrity zones were created and MACs were selected to administer most Part A and Part B programs for these zones.

The MMA also created new program integrity contractors to perform the audit and review functions in these seven zones.  Zone Program Integrity Contractors (ZPICs) were established to handle program integrity functions in these zones for Medicare Parts A, B, Durable Medical Equipment Prosthetics, Orthotics, and Supplies, Home Health and Hospice and Medicare-Medicaid data matching.  In recent years, ZPICs have largely replaced most of the PSCs around the country.  Any work being performed by PSCs (if any are still operating) will eventually be replaced by ZPICs.

Medicare Part C and D program integrity efforts are handled separately.  A single national contractor (at this time, Health Integrity) was selected to serve as the “Medicare Drug Integrity Contractor” (MEDIC).  CMS remains responsible for all aspects of the Medicare program and manages these private contractors, overseeing the work that they perform on the government’s behalf. The following zones are currently being handled as indicated below:

  • Zone 1      SafeGuard Services: CA, NV, American Samoa, Guam, HI and the Mariana Islands.
  • Zone 2      AdvanceMed: AK, WA, OR, MT, ID, WY, UT, AZ, ND, SD, NE, KS, IA, MO.
  • Zone 3       Cahaba: MN, WI, IL, IN, MI, OH and KY.
  • Zone 4 –      Health Integrity: CO,      NM, OK, TX.
  • Zone 5      AdvanceMed: AL, AR, GA, LA, MS, NC,      SC, TN, VA and WV.
  • Zone 6 –      Under Protest: PA, NY, MD, DC, DE and ME, MA, NJ, CT, RI, NH and VT.
  • Zone 7      SafeGuard Services: FL, PR and VI.

III.  Are Practices Prepared for Medicare Dental Audits?

Unfortunately, very few dental practices have developed and implemented an effective Compliance Plan or Compliance Program.  Is one needed?  We believe that every dental practice should have an effective Compliance in place.  Notably, when issuing compliance guidance to individual and small physician practice groups, the Department of Health and Human Services, Office of Inspector General (OIG) wrote that the guidance was not merely intended to cover medical doctors, but also a wide variety of other clinical professionals.  As the OIG wrote:

“[f]or the purpose of this guidance, the term ‘‘physician’’ is defined as: (1) a doctor of medicine or osteopathy; (2) a doctor of dental surgery or of dental medicine; (3) a podiatrist; (4) an optometrist; or (5) a chiropractor, all of whom must be appropriately licensed by the State.” [3] Furthermore, the OIG has stated that “[m]uch of this guidance can also apply to other independent practitioners, such as psychologists, physical therapists, speech language pathologists, and occupational therapists.”[4] (emphasis added).

It is important to keep in mind that a Compliance Plan or Program is far more extensive that merely policies and procedures covering health information privacy (HIPAA) and OSHA requirements.  Every dental practice must also have effective procedures in place to guard against the commission of fraud or abuse against public payors, private payors and patients.  Moreover, your staff must be trained to identify potential problems so that remedial steps can be taken to correct a potential or actual problem.

IV.  How Will a ZPIC Auditor Look at Your Dental Claims for Services?

It is essential to keep in mind that the viewpoint of an auditor, when reviewing the medical records supporting a certain dental claim, is not the same as that of the treating dentist.  An auditor’s perspective is that of someone who is trying to determine:  Was the dental service really needed? Was it provided?  Should we cover it?  As you can see, the viewpoint of the auditor when assessing the sufficiency of medical documentation may be very different from that of the treating dentist.

In assessing the appropriateness of a claim and its associated documentation, we have developed a checklist that we refer to as “The Seven Elements of a Payable Claim.”  In auditing your dental services, a ZPIC auditor will likely apply a similar approach.  Here are the seven elements:

Element #1Medical Necessity of Dental Services Provided. An auditor will likely start by deciding whether a particular service was medically necessary.  To avoid having a ZPIC auditor deny one or more of your dental services based on an alleged lack of medical necessity, your documentation must clearly show that the services were reasonable and necessary for the diagnosis or treatment of illness or injury or to improve the functioning of a malformed body member.”[5]  Sound simple?  Not really. This is often an issue in dispute upon appeal, especially since the auditor is likely not a licensed dentist.

Element #2: Were the Dental Services Actually Provided.  While dental services may be found to be medically necessary based on the clinical needs of the patient, your documentation still needs to show that the services were, in fact, rendered.  This can be especially problematic when dealing with the few complex dental services that are covered under Medicare.  Regardless of whether the patient is sedated, he / she likely has only a basic idea of what you are doing in their mouth.  When they receive their Explanation of Benefits (EOB) form, outlining the services charged to Medicare, they are unlikely to recognize half of the charges.  As you can imagine, this confusion can lead to complaints to Medicare and an audit of your records.

Element #3Were the Dental Services “Tainted” for Any Reason?  In other words, are the dental services problematic because of a violation of law, such as the Anti-Kickback Statute, False Claims Act or other statutory provision.

Element #4 Do the Dental Services Qualify for Coverage?  Despite the fact that the dental services provided may be medically necessary, they still may not qualify for coverage and payment.  Coverage is a “standalone” element.  It can change from year to year and from payor to payor.

Element #5 Is Your Documentation of the Dental Services Complete? Be sure and pull all of the regulations and any other guidance issued by CMS, the MAC handling your zone and any other statutory guidance which may set out the documentation requirements associated with a particular dental service or claim.  Remember, ZPIC reviewers take the position that “If it isn’t documented, it didn’t happen.”   As a participating provider in the Medicare program, you are required to fully meet Medicare’s documentation requirements.

Element #6: Are your Dental Services Properly Coded?  Importantly, even if all of the foregoing requirements have been met, it is still quite simple for a dentist to make a coding mistake, thereby possibly invalidating the claim for dental services. Have your staff members been trained on dental coding requirements?  As the American Dental Association (ADA) notes:

“Accurate recording and reporting dental treatment is supported by a set of codes that have a consistent format and are at the appropriate level of specificity to adequately encompass commonly accepted dental procedures. These needs are supported by the Code on Dental Procedures and Nomenclature (Code). The Code is periodically reviewed and revised to reflect the dynamic changes in dental procedures that are recognized by organized dentistry and the dental community as a whole” (emphasis added).

The Code on Dental Procedures and Nomenclature is commonly referred to as the “CDT” code book.  Like its medical cousin, the Current Procedural Technology (CPT), which is published by the American Medical Association (AMA), the CDT code book provides a dynamic set of coding guidelines to be followed by dental administrative personnel.  Regular training of your staff is essential to help ensure accuracy and consistency in high qualify coding.

Element #7: Did You Bill for the Dental Services Rendered Correctly? The seventh and last element is “billing.”  Assuming that each of the previous elements have been correctly addressed and met, has your staff correctly billed for the dental services rendered to the patient, private payor or public payor responsible for payment? r Billing Practices – Were the services rendered correctly billed to Medicare?  None of are perfect.  Mistakes occur.  Your biller may accidentally double-bill a payor for a service.  Alternatively, your biller may accidentally bill for the wrong code. When faced with an overpayment remember:  If it doesn’t belong to you, give it back.”  Virtually NO overpayments belong to a dentist or a dental practice.  Any unclaimed overpayments which are either refused by a private payor (sounds odd but it occurs), or cannot be returned for other reasons (perhaps the patient to whom the refund was owed has died), is likely required to be turned over to your state’s “escheat” fund.  Failure to turn over unclaimed monies in a prompt fashion can subject a dental practice to fines.  In some states, it can even result in criminal action.

V.  Final Remarks Regarding Medicare Dental Audits:

In conclusion, it is important for dentists and other health care providers to recognize and accept the fact that full “compliance” with government rules, regulations and requirements isn’t necessarily something that comes naturally. When documenting a certain procedure, a specialty dentist is likely to include any and all information in the record which (in his or her professional opinion) should be documented to fully account for the patient’s clinical profile or condition, the reason for their visit and services you provided (along with a possible discussion of your decision process).  As set out above the perspective of a ZPIC auditor is likely to be much more comprehensive.

Is your practice ready for a ZPIC audit?  Do you have an effective Compliance Plan in place? Call Liles Parker for assistance in preparing for a ZPIC audit or responding to a ZPIC audit of your dental services.  We can also assist you in the development and implementation of an effective Compliance Plan.

Healthcare LawyerRobert W. Liles, Esq., is Managing Partner at the health law firm, Liles Parker, PLLC.  With offices in Washington, DC, Houston, TX, San Antonio, TX and Baton Rouge, LA, our attorneys represent home health agencies, physicians and other health care providers around the country in connection with Medicare / Medicaid prepayment reviews, post-payment audits, Compliance Plan reviews and state peer review actions.  Should you have any questions, please call us for a free consultation.  Robert can be reached at: 1 (800) 475-1906.  


[1]http://www.cms.gov/Medicare/Coverage/MedicareDentalCoverage/index.html?redirect=/MedicareDentalCoverage/

[2] Ibid.

[3] Id.; see also 42 U.S.C. 1395x(r).

[4] Id.

[5] Section 1862 (a) (1) (A) of the Social Security Act

A Credible Allegation of Fraud Related to Medicare or Medicaid Services Will Result in Your Dental Practice Being Placed on “Suspension” or “Payment Hold.”

December 31, 2012 by  
Filed under Dental Audits & Compliance

Download PDF

(December 31, 2012):  Over the last year, many dentists, orthodontists and oral surgeons around the country who participate in federal health care benefits programs such as Medicare and Medicaid have found themselves accused of a “credible allegation of fraud,” levied by federal / state investigators or agents contracted to audit dental providers on behalf of the government.  As these dental professionals have learned, regulatory compliance is essential. Unlike physicians, hospitals, DME suppliers and other health care providers who are constantly under regulatory scrutiny, the dental community has largely been left alone by the government.  In past years, Medicaid audits have occasionally occurred but the cases pursued have been infrequent and typically appeared to involve egregious improper conduct.  Similarly, Medicare audits and investigations of the few dental services which qualify for coverage and payment have been relatively rare.       As many dental providers are now finding, both law enforcement and government contractors are actively relying on sophisticated data mining and other targeting tools to identify and audit providers who may appear to be outliers, either in their coding, billing or utilization practices.  Now, more than ever before, it is essential that dental providers examine each aspect of their business to better ensure that their actions fully comply with applicable statutory and regulatory requirements.

II. Under the ACA, if a “Credible Allegation of Fraud” is Raised Against a Dental Provider, the Provider’s Participation Status in Medicare May be “Suspended” and its Medicaid Payments May be “Placed on Payment Hold.”

With the passage of the Affordable Care Act (ACA) in March 2011, the Medicare Program (covered in Title XVIII of the Social Security Act (the Act)) was amended in a number of important ways. One of its more significant changes permitted the Secretary, Department of Health and Human Services (HHS) to:

“. . . suspend payments to a provider or supplier pending an investigation of a credible allegation of fraud unless the Secretary determines that there is good cause not to suspend payments.”[1] (emphasis added). 

When exercising this option, the Secretary is first required to consult with the Office of Inspector General (HHS-OIG) to determine whether a “credible allegation of fraud” against a provider or supplier is present.  Importantly, the phrase “credible allegation of fraud,’’ has been expressly defined by HHS-OIG to include:

“. . . an allegation from any source, including but not limited to fraud hotline complaints, claims data mining, patterns identified through provider audits, civil False Claims Act, and law enforcement investigations.” 

Over the past year, a number of Medicare providers have found themselves facing suspension based on an alleged “credible allegation of fraud” arising out of an anonymous complaint.  This complaint may have been filed by a patient, a disgruntled former employee or possibly even a vindictive competitor.  Alternatively, the suspension action may have been generated based on the provider’s billing patterns or the provider’s possible over-utilization of certain services.  Importantly, the decision to suspend a provider from the Medicare program remains discretionary with CMS and HHS-OIG.  In contrast, no such discretion exists in similarly situated Medicaid cases.

III.  If a “Credible Allegation of Fraud” is Present, States Must Suspend Medicaid Payments:     

A payment hold action is a “temporary denial of reimbursement under the Medicaid or other HHS program for items or services furnished” by a dental professional.[2]  Medicaid payment holds are initiated by the Texas Health and Human Services Commission, Office of Inspector General (HHSC-OIG). This type of administrative remedy effectively freezes a dental provider’s cash flow.  Payment hold actions are intended to stay in place until the dispute is resolved between the dental professional and HHSC-OIG.

If a credible allegation of fraud has been levied against a Texas provider of Medicaid dental services, the state must suspend all Medicaid payments to the dental provider.  (See to 42 CFR § 455.23 (2011). In further support of such an action, the Texas Government Code section 531.102(g)(2), allows the state to place a Medicaid provider on payment hold “on receipt of reliable evidence that the circumstances giving rise to the hold on payment involve fraud or willful misrepresentation under the state Medicaid program in accordance with 42 C.F.R. 455.23, as applicable.”  The bottom line is clear – if a credible allegation of fraud has been alleged against a Texas dental provider of Medicaid reimbursed services, the provider will in all likelihood be placed on payment hold – an action that is tantamount to a suspension from the program.

IV.  Exceptions to the Suspension / Credible Allegations of Fraud Rule.

To date, HHSC-OIG has been reluctant to exercise its authority to waive a payment hold / suspension action in cases where a credible allegation of fraud has been alleged against a Texas dental provider of Medicaid services.  Nevertheless, under the Affordable Care Act (ACA), if the state determines that “good cause” exists not to suspend payments, the government may waive its right to place a provider on payment hold and suspend payments. The following reasons have been cited as possibly constituting “good cause”:

“Upon a specific request by a law enforcement agency; (for example, when a suspension might alert a violator at a critical stage of an undercover investigation or compromise the identity of an informant);

If the state determines that another remedy could more effectively protect Medicaid funds (for example, through an injunction or court intervention);

If the state determines that the suspension is not in the best interests of the Medicaid program; and

If the state determines that a suspension will have an adverse effect on beneficiaries’ access to care.”[3]

             Finally, HHSC-OIG may also decide to discontinue a payment hold / suspension action if a law enforcement agency declines to certify that a matter is still under investigation.

V.  Final Remarks:

Unfortunately, very few dental professionals participating in either Medicare or Medicaid have developed and implemented an effective Compliance Plan.  To the extent that portions of a program have been prepared, in most instances these sections have focused almost exclusively on HIPAA privacy and OSHA requirements.  It is imperative that dental professionals examine their current practices and compare those practices with applicable documentation, medical necessity and coverage mandates.  The number of claims audits currently underway by Medicare and Medicaid contractors is significant and is expected to continue to grow.  Now, more than ever, it is essential that you examine your practice, identify and potential deficiencies, promptly pay back any overpayments and implement remedial measures to help ensure that these types of problems do not reoccur.

Healthcare LawyerRobert W. Liles is Managing Partner at the health law firm, Liles Parker, PLLC.  With offices in Washington, DC, Houston, TX, McAllen, TX and Baton Rouge, LA, our attorneys represent dental professionals around the country in connection with Medicare / Medicaid audits, Compliance Plan reviews and state peer review actions.  Should you have any questions, please call us for a free consultation.  Robert can be reached at: 1 (800) 475-1906.   


[1] 5928 Federal Register / Vol. 76, No. 22 / Wednesday, February 2, 2011.

[2] http://oig.hhsc.state.tx.us/OIGPortal/tabid/86/ShowArticle/mid/25/Default.aspx?TabID=85

[3] https://oig.hhsc.state.tx.us/Reports/CAF_FAQs-2012-09-19.pdf

Dental Cloud Computing Options Must be Carefully Analyzed Before Moving Your Data to the “Cloud.”

December 31, 2012 by  
Filed under Dental Audits & Compliance

Download PDF

Dental Cloud Computing(December 30, 2012): Generally speaking, from the standpoint of a dental practice, “Cloud Computing” involves the use of an offsite server to store and access medical records, maintain patient information and or practice business records (such as coding and billing information).  Cloud Service Providers (CSP) offer various services to dental practices.  In most instances, the information stored is encrypted.  Depending on the nature of the information maintained, dental professionals, their staff and / or their patients may have various levels of access to the information maintained by a CSP.

 

I.  Introduction:  Overview of Dental Cloud Computing Options

Over the past year, Dentists, Orthodontists, Oral/Maxillofacial Surgeons and Periodontists around the country have been increasingly gravitating towards cloud based records and billing systems. While dental professionals have moved in this direction more slowly than many other health care provider groups (such as physician practices and hospitals),  many are finding that the financial and convenience benefits achieved with cloud computing are too tempting to resist implementing for their dental practices.  The purpose of this article is to point out a number of risks that are often overlooked by dental professionals choosing to move one or more of their business systems to the cloud.

At the outset, it is important to keep in mind that dental cloud computing options can take many forms.  For the sake of simplicity, we have categorized these systems into three groups:

A.    Public Cloud:  A “public cloud” is an offsite server maintained by a third-party CSP which allows members of the public to have full access to information and computing applications created and maintained by a dental practice.  In most instances, the dental practice would require that individuals desiring access “register” with the provider prior to allowing access. The information maintained by the dental practice on a public cloud is not typically encrypted and Protected Health Information (PHI) or other sensitive information is not stored on this server.  In most instances, this type of cloud based system would be intended to serve as an information resource for the public, covering various aspects of dental care and treatment.

B.    Private Cloud:  The term “private cloud” generally refers to an offsite server maintained by a third-party CSP who limits access to the information maintained on its system to only authorized staff of the dental practice. The information is almost always encrypted (in various ways and in varying levels of security) and may be  marketed by the CSP as being “HIPAA Compliant.”  Access is carefully protected by a firewall and is continuously monitored and maintained by professionals working for the third-party CSP.

C.    Hybrid Cloud The term “hybrid cloud” incorporates the properties of both a public cloud and a private cloud.  Although a portion of the information on the CSP’s server is readily accessible to the public, PHI and other sensitive information (such as billing records and health care provider financial data) is encrypted and may only be accessed by authorized dental practice personnel.

D.    Mixed Cloud: A “mixed cloud” would include a scenario where highly sensitive information (such as patient dental records and / or coding or billing records) is kept on local servers and less sensitive (but non-public) information is kept on encrypted cloud servers.

While no studies of only dental professionals have recently been conducted, a recent survey[1] by IT News found that 33 percent of all health care providers responding to the survey have already moved their information to the cloud.  Moreover, the survey found that 48 percent are ultimately planning to make cloud computing part of their organization’s technology infrastructure.  Notably, at the time of this survey, only 19 percent of all health care provider respondents were not planning on moving all or part of their data to the cloud.

II. Benefits to Dental Practices Choosing to Adopt a Cloud Based System

Advocates of cloud computing can point to number of significant benefits achieved by moving a health care provider’s information to a CSP.  Two of the greatest benefits include:

A.    Cost Savings: Many dental practices and other health care providers have cited “cost” as a primary reason for moving all or part of their records systems to the cloud.  The savings from using a CSP can be significant.  Employing a CSP to maintain a dental professional’s medical records and / or billing systems can alleviate a provider’s ongoing need to purchase, maintain and update expensive IT computer equipment and software.  It also reduces the need for a dental practice to set aside space to house server resources and greatly alleviates the need for outside IT consultants.

B.    AccessCloud-computing systems allow dental professionals (and often their patients) to obtain access to a wide variety of information from anywhere in the world, over the Internet.  Access is typically restricted and the information is encrypted to prevent unauthorized persons from logging in to the system.  CSPs often point to the fact that their security systems are continuously updated and maintained, thereby preventing hackers from gaining access to their systems.  In contrast, dental professionals choosing to maintain their information on local server systems are often much more lax in their efforts to guard against the latest recent threats to IT security.

Although only a portion of dental professionals participate in Medicaid and / or Medicare, as reimbursements continue to fall and the likelihood of post-payment audits increases, the cost of maintaining a server in-house will become increasingly important.  As this occurs, we anticipate that dental practitioners participating in federal / state health care programs will be looking at new ways to reduce their infrastructure costs.  The number of dental professionals utilizing cloud based systems is likely to increase as reimbursements decline.

III.  Concerns When Moving Over to a Dental Cloud Computing Environment:

While only time will tell whether CSPs are able to properly safeguard a dental professional’s patient medical records, coding / billing data or other sensitive business information, it is worth noting that almost all server “break-ins” are caused by someone “inside the company with keys to the castle.”[2]  Notably, this security risk can include both employees of a dental practice (over whom you supervise) and employees of a CSP (over whom you have no control whatsoever).  Unfortunately, dental professionals have no real way of knowing if CSP staff is reliable or trustworthy.  If a disgruntled CSP employee accesses or steals sensitive data, there is little, if any, way that a health care provider can take remedial steps to quickly address the problem.  Other security concerns to take into account include, but are not limited to:

A.    A Dental Professional’s Obligation to Ensure that PHI is Secured Cannot is DelegatedThe security of PHI and other sensitive information entrusted to you by patients is paramount – it cannot be ignored or delegated to a third-party, such as CSP that has completed a valid Business Associate Agreement.  Although your particular contract with a CSP may provide a variety of promises and other assurances (such as an “indemnification” provision intended to reimburse you if their negligence or error results in you being fined, sued, etc.), it is important to keep in mind that your dental practice remains ultimately responsible for any information it entrusts with a CSP.  Any agreements between your practice and a CSP may essentially provide a level of “cold comfort” but will not shield your practice from state or federal causes of action resulting from a breach.  Moreover, many states now provide for a “private cause of action” to be brought against your practice directly by an individual whose PHI or other covered sensitive information has been breached.

B.    Federal and State Laws and Regulations Lay Out Your Obligations to Secure PHI Placed Under Your ControlAs a Covered Entity, your dental practice must adhere to a myriad of federal and state laws and regulations under HIPAA, HITECH and various state laws which might be implicated.  For example, the state of Texas recently passed HB 300, which imposes a number of new privacy obligations on dental professionals and other health care providers.

C.    The Weakest Link to the Security of PHI Under Your Control May be in Your PocketOne of the most important benefits of cloud computing is that it may be accessed through the Internet.  Dental professionals are able to access the cloud from their smart phones, IPADs, and from their computer laptop.  Our law firm recently conducted a survey of health care providers who listed “other” (as opposed to in-house server breach, stolen laptop or lost documents) as the cause of a PHI breach when reporting the incident to the Office of Civil Rights. Interestingly, a number of the health care providers we spoke with reported that “other” referred to a smart phone that was lost or stolen. Symantec, a computer security company, recently conducted a test in which it “loaded” 50 smart phones with sensitive information and then “lost” the in public places (elevators, food courts, transit stops, etc.), in five metropolitan cities around the country.  Prior to dropping the phones, remote tracking software was installed so that their locations could be monitored.  This software reported that 96 percent of the phones were found and that the sensitive information was accessed on 70 percent of the phones.  Notably, less than half of the finders of the lost phones attempted to contact their owners to return the device.[3]  In an informal survey of individuals by our firm, a significant portion of health care providers admitted to keeping log in information (including their user name and password) in the contacts folder on their smart phone. Once lost, this information could be used to access a dental practice’s supposedly secure information on a cloud server.

D.    Software Licensure Concerns:  When using a CSP, a dental practice may be required to use a non-licensed software application without its knowledge. Is there potential third-party liability?  Possibly so.

E.     CSP Financial Stability: Is the cloud provider financially sound?  If the CSP were to declare bankruptcy, what would happen to the servers (and most importantly, your information)?  Who really owns this information?  How can you ensure that your information is erased or destroyed from the CSP’s server if the company goes out of business?

F.     Contracts of Adhesion:  Check out your agreement with the CSP – is your contract with the cloud provider a “contract of adhesion”?  Adhesion contracts ultimately leave you with no bargaining power and allow the cloud provider to do practically anything with your data. Be careful.  The agreement may initially appear to safeguard your information when in reality it allows the cloud provider to moves its servers, transfer your information to other data storage devices and make changes to the applications on their system.

G.    You Can Never Really be Sure that the Relationship is “Terminated”:  After a while, you may choose to “terminate” the agreement and move your data to either an in-house server or to another CSP. How can you ever be sure that your information is not backed-up on the cloud provider’s server or storage system? Once information leaves the control of your dental practice, it is gone forever!

IV. Cloud Platforms Aren’t Good Enough for the Government (Yet), So Why Are Dental Professionals Flocking to the Cloud?

The federal government is aggressively encouraging its agencies to adopt cloud-based information systems.  In fact, on December 9, 2010, the Office of Management and Budget (OMB) released a formal plan outlining the government’s intent to utilize cloud-based solutions in an effort to increase the public’s access to information in the government’s possession.  To that end, OMB has encouraged agencies to use cloud-based solutions whenever a secure, reliable, cost-effective cloud option exists.

As part of this approach, OMB established the Federal Risk and Authorization Management Program (Fed RAMP) in early 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services.  As part of its responsibilities, Fed RAMP has been tasked with setting up a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.  Based on the standards identified, it is notable that to date:

No CSPs have formally met Fed RAMP requirements or have been granted a Fed RAMP Provisional Authorization.[4]

The mere fact that no CSPs have been found to meet Fed Ramp’s requirements is extraordinarily important.  Health care providers choosing to maintain and access their sensitive information on a cloud platform may ultimately find that their trust in a CSP’s security systems has been misplaced.

In consideration of the concerns outlined above, we recommend that health care providers exercise considerable caution before choosing to move PHI and other types of sensitive information to an off-site cloud provider.  As we have repeatedly noted, once PHI and other sensitive leaves your control, you essentially have no way of safeguarding the data.  While maintaining in-house servers is likely more expensive than moving your data to a cloud provider, it’s the only true way to ensure that your patient’s PHI is protected in accordance with HIPAA’s Privacy and Security Rules. In addition, you should consider conducting an internal HIPAA audit of your physical security, administrative safeguards, and electronic transmissions. Importantly, this audit should be done through counsel, so that any concerns may be reasonable covered by the attorney-client privilege.

As a final point, Apple co-founder Steve Wozniak recently said, “the more we transfer everything onto the web, onto the cloud, the less we’re going to have control over it.”[5]  And that’s exactly right. Health care providers need to seriously asses the risks of placing PHI in the hands of CSPs, particularly in light of HIPAA and its counterpart, HITECH.

The bottom line is relatively simple – the safest way to store sensitive information used or maintained by your dental practice is to place it on a local server and ensure that it is encrypted. Should you choose to use a CSP, you must conduct due diligence in selecting a secure provider.  As the above concerns reflect, there will always be a number of inherit risks when utilizing the services of a CSP.

Healthcare LawyerRobert W. Liles is Managing Partner at Liles Parker.  He represents dental professionals in connection with audits and investigations by federal and state authorities (and their contractors).  Mr. Liles also works with dental practices to help ensure that they have implemented an effective Compliance Program, including systems to help prevent the likelihood of a privacy breach.  Should you have questions regarding cloud computing or other dental practice compliance issues, please give Mr. Liles a call for a complimentary consultation.  He can be reached at:  1 (800) 475-1906.


[1] The survey was conducted April 9, 2012 through April 12, 2012.  The article can be found at: http://www.healthcareitnews.com/survey-analysis-cloud-use-health-it

[2] Mobile devices bring cloud storage — and security risks – to Work; June 8, 2012, quoting Dion Hinchcliffe, executive vice president of strategy at Dachis Group, an IT consultancy.  The article may be found at: http://www.computerworld.com/s/article/9227888/Mobile_devices_bring_cloud_storage_and_security_risks_to_work

[3] Honey Stick Project” Exposes Risk from Lost Smartphones; March 12, 2012.  The article discussing this survey may be found at: http://www.securityweek.com/symantecs-honey-stick-experiment-shows-what-happens-lost-smartphones

[4] The government’s FedRAMP program is described at: http://www.gsa.gov/portal/content/131931

[5]  Robert MacPherson, Apple co-founder Wozniak sees trouble in the cloud (Aug. 5, 2012).

« Previous Page