Liles Parker PLLC
(202) 298-8750 (800) 475-1906
Washington, DC | Houston, TX
San Antonio, TX | Baton Rouge, LA

We Defend Healthcare Providers Nationwide in Audits & Investigations

The PSAVE Pilot Program: Should You Self-Audit Your Medicare Claims?

PSAVE Pilot Program(April 2, 2018):  Our nation’s demographics are changing.  In less than 20 years, it is estimated that for the first time in country’s history, the number of individuals over the age of 65 will exceed the number of children.[1] These increases are already being seen in our rapidly expanding Medicare healthcare benefit program.  At last estimate, Medicare Administrative Contractors (MACs) processed an estimated 1.2 billion claims on behalf of America’s seniors.[2]  As the Medicare program has grown, the Centers for Medicare and Medicaid Services (CMS) has employed a variety of different claims audit mechanisms to better ensure that the Medicare Trust Fund is protected from waste, fraud and abuse.  The Provider Self-Audit Validation and Extrapolation (PSAVE) pilot program is among the agency’s most recent efforts to protect the integrity of the Medicare program.  An overview of the PSAVE pilot program is set out below.

I. Providers and Suppliers Currently Subject to the PSAVE Pilot Program:

In November 2017, Noridian Healthcare Solutions LLC (Noridian), the MAC for Jurisdiction F, and CMS launched a pilot Medicare claims self-auditing program. Jurisdiction F is comprised of Alaska, Arizona, Idaho, Montana, North Dakota, Oregon, South Dakota, Utah, Washington, and Wyoming.[3] When announced, the program was touted as a way to provide long term educational benefits to Medicare providers, while also granting “immunity” from further audit of Medicare claims by both the provider’s MAC and from the Recovery Auditor (RA) contractor assigned to the provider. Is your practice likely to receive an “invitation” to conduct a self-audit of its claims?  Let examine the pilot program in more detail to find out:

II. Why Was Your Practice Invited to Participate in the PSAVE Pilot Program?

While Noridian claims that the PSAVE pilot program is open to almost any Medicare Part B healthcare provider, invitations to participate where not sent out to all of the Medicare participating providers in Jurisdiction F. Instead, data analytics were used to identify providers with abnormal billing or coding practices, based on the audit findings of  Comprehensive Error Rate Testing (CERT) postpayment review data.  Initially focusing on only a limited number of medical specialties, providers with irregular billing patterns  were first chosen by Noridian to “test” the PSAVE pilot self-auditing program. Primarily relying on sophisticated data mining techniques, Noridian has identified certain Part B providers with questionable billing practices and invited them to participate in the PSAVE pilot program.[4]  If your practice was invited to participate in this pilot self-auditing program, this practice is an outlier and will likely be subjected to an audit, whether it chooses to participate in the PSAVE pilot program or not.

III. How Does the PSAVE Pilot Program Work?

At the outset, it is important to keep in mind that if your practice was invited to participate in the PSAVE pilot program, your billing practices have been found to be aberrant by a CERT contractor.  As an outlier, your practice’s Medicare claims for reimbursement have been targeted for audit.

Potential PSAVE pilot program participants were sent (or will be sent as the program expands) a notification letter by Noridian which included a sample listing of claims that the MAC has identified for inclusion in your self-audit.  In addition to the claims listing, Noridian’s letter also specified the specific elements that it expected each provider to review in connection with the claims.  Importantly, Noridian’s notification letter also included an “Appeals Waiver” form that it required participating providers to sign prior to being admitted into the pilot program.

• In exchange for participating in the PSAVE pilot program, Noridian notes that any claims covered by the audit would be immune from subsequent review and audit by the MAC and / or a Recovery Auditor.

• If a provider agreed with the terms of the PSAVE process, the provider was required to return the executed Appeals Waiver form to Noridian and assemble all of the documentation related to the “Education Sample” of claims listed in the MAC’s letter. Importantly, the sample chosen by Noridian was meant to represent a statistically-relevant sample of the provider’s universe of claims previously paid by the Medicare contractor.

• Upon receipt of the signed Appeals Waiver form, a 90-day period for the provider to review the Medicare claims at issue began.

• Prior to conducting the self-audit, Noridian required that each provider participate in a webinar on how the Education Sample of claims was to be reviewed.

• Participating providers then conducted the self-audit. The provider’s findings (and the associated documentation) would then be submitted to Noridian for validation. It is important to note that the validation review may result in additional overpayments identified that may have been missed by the provider when the self-audit was conducted.

• After validating the self-audit findings, Noridian would then determine whether it was appropriate to extrapolate the identified overpayment to the universe OR merely base an overpayment on the sample of claims reviewed. It has our experience that Medicare contractors have the latitude not to extrapolate an overpayment if a provider’s overall error rate is below a certain level (typically less than 10%).

• After extrapolating the overpayment identified, Noridian would then send the provider a letter identifying the overall amount of any extrapolated overpayment that may be owed.

• The provider would then be required to repay the identified overpayment within a timeframe set out in Noridian’s notice letter.

IV. Benefits of Participation in the PSAVE Pilot Program:

Perhaps the greatest benefit of participating in the PSAVE pilot program is the fact that you are in charge and you are directly involved in the claims audit process.  As the audit progresses, you will be aware of any problems that may arise with your claims. In simplified terms, self-audits provide you with a significant degree of control over the process.  Nevertheless, just because you may exercise a significant degree of control over the audit process does not mean that you will be able to control the outcome of the audit. As with other self-audit / self-reporting programs administered by CMS and the Office of Inspector General (OIG), a provider’s voluntary participation in the PSAVE pilot program allows a provider to present its view of the claims in the best possible light while positioning itself as a “Good Corporate Citizen.”

 V. PSAVE Pilot Program Risk Issues:

While proponents of the PSAVE pilot program are quick to point out the educational value of participating in the program, a provider should exercise care before deciding to sigh-onto the program. For example, the Appeals Waiver signed can leave a provider vulnerable at the conclusion of the program, as there is no mechanism of contesting the overpayments that may be identified as owed by Noridian. To make matters worse, the validation review is a blind sample, meaning that the provider will not be fully aware of any potential claims errors until after the validation review has been completed by the MAC.   In some cases, Noridian may be willing to permit a provider to submit additional documentation before the MAC concludes its review of the documentation.  Since the right to file an administrative appeal of any Medicare overpayment has already been waived,  a provider is assuming a significant risk when participating in the PSAVE pilot program.

Additionally, PSAVE pilot program representations extolling the benefits of immunity from subsequent MAC and RAC audits (limited to the specific claims or extrapolated claims set  covered by the PSAVE audit) is somewhat misleading. The promised immunity from audit does not apply to Unified Program Integrity Contractor (UPIC) / Zone Program Integrity Contactor (ZPIC) audits, which are far more likely than MAC or RA audits for Medicare Part B providers. Moreover, neither CMS nor its contractors (such as Noridian) have the authority to waive liability on behalf of the OIG or the U.S. Department of Justice (DOJ).

VI. Risks Encountered When Opting-Out of the PSAVE Pilot Program:

Should you decide to decline Noridian’s invitation to participate in the PSAVE pilot program, you need to keep in mind that the likelihood of being subjected to a compulsory audit by Noridian, the UPIC / ZPIC or even OIG is quite high.  Your practice’s billing practices have already been identified as problematic.  If targeted in a future non-PSAVE audit, you will lose the ability to conduct a self-audit and any identified overpayment may still be subjected to extrapolation.  Nevertheless, should such an audit lead to unfavorable results, you will still retain the ability to avail yourself of Medicare’s administrative appeal process.  As we have found when appealing an alleged overpayment on behalf of a Part B provider, the ability of a Medicare contractor to correctly conduct a statistical extrapolation of an identified overpayment varies widely from contractor to contractor.  When challenging an overpayment that has been assessed, we regularly challenge the statistical methodology and numerous other errors made by the contractor when it calculated extrapolated damages estimates based on the sample of claims reviewed 

VII.  Conclusion: 

How should you proceed? If your practice is invited to participate in the PSAVE pilot program, you need to carefully consider the risks of choosing to participate in the initiative.  The PSAVE pilot program is merely one of the most recent efforts by CMS to educate providers on their medical necessity, documentation, coding and billing obligations. Although the PSAVE pilot program may advance the agency’s overall goal of reducing Medicare waste, fraud and abuse, there are other more effective, less invasive ways for your practice to integrate and encourage a culture of compliance in your organization.

Adherence to the requirements set out in a well-designed Compliance Program is perhaps a Part B provider’s best approach that can speed up and optimize the proper payment of claims, minimize billing mistakes, and reduce the chances that an audit will be deemed necessary by CMS or one of its program integrity contractors.  The “sampling” of one’s claims on a periodic basis to ensure that the services being billed to the Medicare program qualify for coverage and payment would squarely fall within the “Auditing and Monitoring”  element identified by OIG as one of the seven elements of a provider’s effective Compliance Program.  A “GAP Analysis” of your practice will make it easier to identify any weaknesses in the provision, documentation and submission of your claims for reimbursement by the Medicare program.  If you identify an error when reviewing your claims processes, promptly taking remedial action can often minimize the size and scope of any overpayment that is identified.  The prompt repayment of any overpayments you may have received can also prevent Federal and State auditors from disrupting your practice and conducting their own assessment of your Medicare claims.  Additional risk areas to be considered when reviewing your claims include, but are not limited to:

  • What was the source of the referral for services provided by you or another member of your practice?
  • Do you or another member of your practice provide something of value in exchange for referrals?
  • Do you provide any gifts to patients?
  • Are your employees, agents and / or contractors been screened against all Federal and State lists of excluded parties?
  • Has the proper level of supervision been exercised in connection with each of the claims billed to Medicare?

Robert W. LilesRobert W. Liles Healthcare Attorney, M.B.A., M.S., J.D., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Robert represents health care providers and suppliers around the country in connection with Medicare audits by UPICs, ZPICs, MACs, SMRCs and other CMS program integrity contractors.  Our firm also represents healthcare providers in connection with Medicare revocation, suspension and exclusion actions. For a free consultation, please call Robert at:  1 (800) 475-1906






HIPAA Security Risk Assessments are Essential

HIPAA Security Risk Assessment(September 29, 2014) In the last article, we discussed the importance of conducting HIPAA security risk assessments, as part of your obligations under the HIPAA Security rules. The importance of promptly conducting a risk analysis if it has not yet done cannot be overestimated, as the HHS Office for Civil Rights (OCR) has now announced that they intend to begin the next phase of audits in October 2014. When Covered Entity receives a data request letter from OCR, it will have only two weeks to respond, which will not be enough time to conduct a risk analysis at that point.

In this article we’ll discuss eight elements or considerations that OCR states must be addressed in a risk analysis.

I.  Scope of the Analysis:

In conducting a risk assessment, a health care provider must consider all of the potential risks to electronic protected health information (e-PHI). Covered Entities must consider how all e-PHI in their practice is created, used, stored, and transmitted. Thus, Covered Entities need to consider how they create, receive, access, and transmit e-PHI. This includes removable storage media such as floppy disks, CDs, flash or thumb drives, and smart phones. Covered Entities must also think about telephone calls, emails, faxes, and computer transmissions. Consider how many employees or personnel can access the data and whether those individuals are all on-site or if any are off-site.

II.  Document How Data is Collected, Stored, Maintained and Transmitted:

Covered Entities must identify and document where e-PHI is gathered, received, stored, maintained or transmitted. This can be done through interviews with staff members, a physical walk through of the office or practice location(s), or reviewing documentation.

III.  Identify and Document Potential Risks, Threats and Vulnerabilities:

Covered Entities must document the reasonably anticipated threats to e-PHI. Consider physical, environmental, natural, human and technological threats or risks. Environmental or natural threats should include natural disasters such as tornadoes, floods or earthquakes. Human threats are likely to be some of the greatest concern. These include current employees and contractors, ex-employees and contractors, visitors, and criminals such as thieves and hackers. Technological threats will include any known system vulnerabilities in the billing system or EMR/EHR, for example. Healthcare providers should contact the vendors of these systems to ask about any known vulnerabilities.

IV.  Identify and Evaluate Current Security Measures:

Covered Entities must document what security measures are already in place to guard e-PHI and whether those measures are installed, configured and used correctly. The level and extent of security measures will vary by the type and size of provider. As an example, list any anti-virus or firewall programs. Don’t forget to document physical security measures, such as security and alarm systems.

V.  Determine the Likelihood of the Occurrence of the Threats:

This element requires Covered Entities to consider the probability that the threats listed in step # 3 will occur. This can be done with a quantitative method (such as the percentage probability that a threat will occur) or a qualitative one (such as high, medium, low). A high probability of occurrence means that a threat is “reasonably anticipated” and thus will require a mitigation or protection against the threat occurring. For example, a healthcare provider may determine that there is a high probability of a break-in into the office or clinic. Thus, a mitigation such as an alarm or security system would be an example of a security measure that could be implemented pursuant to step # 4.

VI.  Determine the Potential Impact if a Threat Occurs:

Covered Entities must evaluate the impact that might result from a threat occurring. Again, this can be done using a quantitative or qualitative method. For example, a potential impact of a breach of a Covered Entity’s billing system might be loss of cash flow or cost to replace stolen computer equipment. This might be a high or severe impact. Another example could be unauthorized access to e-PHI by patients or visitors. This impact might be low or medium.

VII.  Determine the Level of Risk:

This step is accomplished by utilizing the data from steps 5 and 6. A very common method of documenting the level of risk is using a HIPAA risk assessment matrix (such as a 3 x 3 matrix) or “heat map”. Those threats or vulnerabilities with higher levels of risk are ones that a Covered Entity should focus on addressing or correcting sooner than those with lower levels of risk.

VIII.  Identify HIPAA Security Risk Assessment Measures and Document the Risk Analysis:

Once the Covered Entity has identified risks and assigned risk levels, it must identify tasks, actions or security measures to address those risks. In identifying security measures, the Covered Entity should consider factors such as effectiveness, requirements of the Covered Entity’ policies and procedures and other legislative or regulatory requirements (for example, state laws). If a Covered Entity identifies a security measure but decides not to implement it, the risk analysis should document why (for example, technologically not feasible, lack of knowledge or equipment, cost prohibitive, etc.)

The Security Rule also requires Covered Entities to document the risk analysis, but does not specify or require any particular format. Thus, the risk analysis can be documented via a report that lists elements # 1 through 7, summarizes the analysis, notes the results of each step, and identifies the security measures.

Two final very important comments. First, the Risk Analysis is NOT the process of implementing measures to address the risks identified. That is the risk management process under HIPAA, which is considered a separate activity. Second, the Risk Analysis is not a “do it once and forget about it” process. The Risk Analysis must be periodically revisited and reviewed to determine if the threats, vulnerabilities, impacts and potential security measures remain the same. A Covered Entity may bring new systems online, may open or close locations, or have major changes in personnel. The re-evaluation of a Covered Entity’s Risk Analysis ideally should occur on an annual basis. A very old and outdated Risk Analysis is basically equivalent to not having a Risk Analysis at all.

Heidi Kocher Healthcare AttorneyHeidi Kocher serves as Counsel for Liles Parker and represents health care providers and suppliers in the Dallas / Fort Worth metropolitan area.  Heidi is an experienced health lawyer and is skilled in assisting clients with transactional projects, compliance issues and in fraud and abuse counseling.  Should you have any questions regarding the HIPAA security risk assessment process, please give Heidi a call.  For a free consultation, call Heidi at: 1 (800) 475-1906.

Medicare Revocation Action: Steps for Avoiding and Appealing

A Medicare Revocation Action Can Financially Ruin a Practice(September 16, 2014): Consider the following scenario. You own a durable medical equipment (DME) company that you run out of a leased location in a local office building. Your customers are a mix of privately insured and Medicare/Medicaid beneficiaries. You’ve been in business for about 10 years, but money is tight and you need to reduce expenses. You decide to move your business to your home for the time being. You make all the arrangements to move, and prepare a CMS-Form 855S informing the National Supplier Clearinghouse (NSC) that you are relocating in 10 days. No one helps you fill out the form, no one reviews it for you, and no one goes with you when you take the signed CMS-Form 855S to the local post office in a manila envelope that you have hand addressed to the NSC. Because it’s only a few dollars, you pay for first-class postage for the envelope with the $5 bill you had in your pocket, hand the envelope to the postal clerk and leave.

Fast-forward six weeks…you receive an envelope from the NSC that is forwarded to you from your old business address. The letter inside informs you that Medicare revocation action has been initiated.  Your Medicare DME supplier number is being revoked because a site inspector visited your old address 5 days after you relocated and found the location empty. You frantically call the NSC and ask why you’ve received this letter. They confirm what the letter says. You ask the representative to confirm what the NSC has on file as your location, and the customer service representative reads back your old address. You ask if the NSC has any record of receiving the CMS-Form 855S you sent 10 days before you moved and the representative says it does not.  Cue full on panic…

I.  Appealing a Medicare Revocation Action:

What are your options at this point? The Medicare revocation notice letter says you have the right to seek reconsideration of the termination of your participation. Surely you can send a letter to the appeal address explaining what happened and they’ll stop the termination? Surely they’ll believe you when you say you sent the CMS-Form 855S notifying the NSC of your address change well before it was due (which was within 30 days after you moved since you are a DME provider), and they’ll let you resend it? Surely the NSC will be reasonable?  Sadly, that’s not how Medicare’s rules work. You have to appeal, and you have to do it quickly…within 60 days, or you’ll lose your right to do so. There are two steps to consider at this point…one is optional, and one is mandatory if you want to maintain your appeal rights.

II.  Corrective Action Plans to Address a Medicare Revocation Action:

First, consider filing a corrective action plan (CAP). Federal regulations give most providers the opportunity to do so within 30 days of receiving notice of Medicare revocation. It’s optional, but can sometimes result in a reversal of a termination much quicker than a request for reconsideration. Be forewarned, however, that filing a CAP is NOT the same as filing a request for reconsideration and WON’T preserve your appeal rights.

III. Challenging a Medicare Revocation Action — Reconsideration Requests.

Second, to maintain your appeal rights, you must file an official request for reconsideration within 60 days of receiving a revocation notice letter. Many of our clients elect to file a CAP, and if they don’t receive a decision before the 60 day reconsideration deadline, file the reconsideration also. The good news is that, when we prepare a CAP, it can serve as the foundation for the reconsideration request so that any duplication of effort is minimized.

IV.  Things to Know about CAPs and Reconsideration Requests.

First, a few notes on CAPs. They really aren’t what they sound like in the context of a Medicare revocation appeal. You can’t use a CAP to fix a problem that existed on the effective date of termination. For example, if you moved and didn’t file the necessary CMS Form-855 to tell the Medicare program on time, and were then terminated because a site inspector visited your old location and found you weren’t in business, you can’t use the CAP to fix the fact that you didn’t send the necessary forms on time. CAPs are most effective when a site inspector obviously made a mistake when they visited a location of record, or you can prove with objective evidence that you submitted required paperwork on time.

Let me illustrate…consider a home health agency client that received a revocation letter after a site inspector visited what they were told was the agency’s current practice location. The agency had concrete proof in the form of correspondence from the Medicare contractor that the contractor’s provider enrollment department had its correct address, but for some reason, the database used by the site inspector did not. The agency submitted a CAP that explained the apparent mismatch between the agency’s CMS provider enrollment record and the site inspector’s records and successfully reversed the revocation without ever having to file a request for reconsideration.  Another example might also be useful here. Many providers that receive revocation notices tell us they submitted necessary CMS-Form 855 updates on time, but they can’t provide any proof of delivery to the Medicare enrollment contractor such as Federal Express, UPS or USPS Priority Mail or Certified Mail tracking information. CMS and the provider community have long disagreed about exactly what a provider must do to satisfy its “duty to report” changes to its provider enrollment record. The relevant regulation applicable to our DME provider case described above is found at 42 CFR §424.57(c)(2); that regulation states in part that “. . . [t]he supplier must provide complete and accurate information in response to questions on its application for billing privileges. The supplier must report to CMS any changes in information supplied on the application within 30 days of the change.” (Emphasis added.)

A similar “duty to report” changes in enrollment information exists and is applicable to other providers. Physicians, non-physician practitioners and their organizations are required to report changes of ownership, adverse legal actions and changes in practice location within 30 days, and all other changes to information on their enrollment forms within 90 days. See 42 C.F.R. § 424.516(d). All other providers must report a change of ownership or control, a change of authorized or delegated official, or the revocation or suspension of a Federal or State license or certification within 30 days, and all other changes, including a change in practice location within 90 days. See id. at § 424.516(e).So the question remains…is proof of mailing to the correct Medicare enrollment contractor address enough to meet a provider’s or supplier’s duty to report under the above regulations, or do you also have to prove delivery? Is testimony that something was mailed enough to convince a hearing officer or administrative law judge that the duty to report was met, or must the provider have objective proof of delivery also? The regulations and the accompanying federal register notices promulgating them are silent on what “report” actually means. See, e.g., Potomac Medical Equipment, Inc. v. Centers for Medicare & Medicaid Services, DAB Decision CR3268, p. 8-9 (June 20, 2014). In spite of provider arguments to the contrary and the fact that the regulation does not require providers to submit enrollment applications via trackable mail, recent CMS Departmental Appeals Board decisions have interpreted the duty to report to require objective evidence that an application was delivered to the NSC. See id. In the Potomac case, the ALJ admitted that CMS regulations “do not required providers and suppliers [to] send documents by certified mail . . . .” Id. at p. 9. In the same sentence, the ALJ then states the following: “. . . however, if they fail to do so, they will be deprived of evidence they need to prove NSC received those documents.” Id. In spite of all arguments to the contrary and the admitted ambiguity in the regulations, the decision makers in Medicare revocation appeal cases seem to have found the duty to report to require objective proof of delivery.Based on the above, we all providers should do the following:

  • Send all initial applications and time-sensitive, required updates to your Medicare provider enrollment contractor using a tracked delivery services.  If you have proof of delivery from one of these services, it is much likelier that we will be able to reverse a revocation with a CAP than if you don’t have this proof.
  • Always make a complete copy of everything you submit, along with the outside of the envelope showing the address information or a copy of the completed shipping label.
  • Don’t wait to the last minute. Send your provider enrollment update forms to the contractor early enough so that if they don’t arrive at the contractor’s location when they should, you’ll have the time to re-send them before your deadline expires.
  • Use the buddy system. Have someone on your staff or even a friend review an application with you before you send it, verify that it is signed and dated, watch you make a copy and put the original application in the mailing envelope, review any shipping invoice or mailing envelope for accuracy, and watch you deliver the finished envelope to the mailing service. We know it sounds over the top, but if called on to testify to what happened, having a buddy with a clear and complete recollection of your actions to submit an application or update will go a long way toward convincing a hearing officer or ALJ that what you say happened actually did.

Also, providers should be aware of the evidentiary rules for reconsideration requests and the next level of appeal. A provider can send almost anything along with a written request for reconsideration…documents, photos, witness affidavits, etc. The reconsideration process is intended to allow the provider to make their case to the reconsideration hearing officer in whatever fashion they’d like. Be aware, however, that the rules are entirely different if a provider loses at reconsideration and moves on to the next appeal level.

If a provider loses at reconsideration, they have the option to appeal the decision to an Administrative Law Judge (ALJ) with the Department of Health & Human Services, Departmental Appeals Board (DAB). DAB appeals have specific procedural and evidentiary regulations, one of which states that a provider will not be permitted to submit new documentary evidence at the DAB level of appeal absent a showing of good cause. See 42 C.F.R. § 498.56(e). What this rule means is that a provider can submit all the testimony they like with a DAB appeal, but they generally won’t be permitted to submit any new documents that they didn’t submit at reconsideration. For this reason, it is very important that providers carefully and thoroughly collect and submit all the documents that they think are relevant to their case with their reconsideration request. Assistance for experienced legal counsel with identifying those documents that might be helpful and developing legal arguments that may help your reconsideration request be successful can be invaluable at this stage. Having handled a number of both reconsideration requests and DAB appeals, our Firm is well-equipped to assist providers with identifying critical documents and other evidence and developing effective legal arguments to submit with a reconsideration request.

V.   Revocation and Reimbursement.

When a provider receives a revocation letter, the effective date of revocation may be a few days or weeks later, or may even pre-date it.  Providers need to understand that they won’t receive payment for any services provided to Medicare beneficiaries after the revocation effective date unless they are successful in an appeal.  This can mean a 60 day disruption in payment, a 4 month disruption, a 12 month disruption or a two or three year period where the provider can’t participate in the Medicare program. That can be very challenging to downright impossible for some providers to survive.

When considering your appeal options, keep in mind that CAPs typically are processed in 30 to 60 days after they are submitted. Reconsideration appeal decisions similarly take somewhere between 30 to 60 days after all documents are submitted to the hearing officer by the provider. Finally, DAB appeals typically take 180 days from the date of filing to receive a decision. If a provider were to pursue an appeal all the way through the DAB stage, it is not uncommon for the entire multi-level appeal process to take a year. If successful, the provider’s billing rights are typically reinstated back to the date of revocation.  Be aware, however, that the reinstatement process can often take a month or more.

If a provider chooses not to appeal, they will ordinarily be subjected to a re-enrollment bar of between 1 and 3 years, depending on the reason or reasons for the Medicare revocation action. It is important to take these time frames and the nature of a provider’s business, payor mix, overhead costs, reserves, chances of success and other factors into consideration when deciding whether a CAP, a reconsideration, and if necessary, a DAB appeal makes sense. Because we have handled a number of these cases, Liles Parker can help you weigh your options and make the best decision for your business.

VI.  We Can Help.

The attorneys at Liles Parker have extensive experience handling Medicare revocation appeals at all levels.  If you have received a revocation notice and want help, please contact us. Our goal is to help our clients have the best possible chance of success in any appeal.

Jennifer Papapanagiotou Healthcare AttorneyJennifer Papapanagiotou is a Partner at Liles Parker.  Jennifer has extensive experience representing health care providers and suppliers around the country in Medicare revocation matters and cases.  Should you have any questions regarding these complex issues, please give her a call.  For a free initial consultation, please call Jennifer at:  1(800) 475-1906.

Responding to a Texas Medical Board Complaint

Texas Medical Board complaints are filed against physicians every day.(July 7, 2014): The Texas Medical Board (Board) investigates complaints against physicians, physician assistants, acupuncturists and surgical assistants. A Texas Medical Board complaint can be filed by a patient, a patient’s family or a health care provider. On the average, the Board receives and evaluates over 7,000 complaints each year. The kinds of violations the Texas Medical Board finds from these complaints include inappropriate prescribing, incorrect diagnosis, and medical errors that may have resulted in patient injury.


I.  Is There Jurisdiction Over a Specific Texas Medical Board Complaint?

A Texas Medical Board investigation starts when the Board receives a complaint. After a complaint is received, staff analysts first determine whether the complaint is “jurisdictional,” (whether or not the Board has jurisdiction over the complaint). The Texas Medical Board has jurisdiction over anyone with a Board-issued physician’s license and violations which fall under the Medical Practice Act. Complaints that are non-jurisdictional may be referred to another agency.

II.  Informal Settlement Conference:

If the Texas Medical Board has jurisdiction, an investigation of the complaint begins to see if there is evidence sufficient to support a violation of the Medical Practice Act or the Board’s rules. At this point, the Board generally requests records and information from the physician and checks to see if there are any past complaints against him. A physician should consult with an attorney prior to responding to a notification of a complaint against him and should not respond to a request for records until obtaining legal advice.

If the Board finds there is sufficient evidence of a violation, the case goes to Board’s litigation section for an Informal Settlement Conference (ISC). The ISC process gives the physician an opportunity to respond to the complaint and show that his actions were proper. Prior to the actual conference, the physician is given notice of the allegations and the supporting facts. He may be asked to respond to written questions and is given the opportunity to submit information and evidence to the Board panel for consideration. He will also have the choice to either have the ISC determined solely by way of written information or by making a personal appearance before the Board panel. It is critical that the physician only responds after seeking legal counsel. An attorney may make the request that the conference be determined by written information and can manage further correspondence.

At the conclusion of the ISC, the panel either recommends dismissal of the complaint or finds that a violation occurred. If a violation is found, the panel recommends punishment and/or remedial action. The physician can accept the Texas Medical Board’s findings and proposed actions or request the Board to file a complaint with the State Office of Administrative Hearings.

VII.     Final Remarks:

A Texas Medical Board investigation is a very serious matter that should be dealt with immediately upon notice. If a violation is found, the subject of the complaint faces risks including loss of his license. The process generally takes a long time, and knowing which documents to produce may be challenging. It is highly recommended that an attorney be retained to help. In addition to the investigation and gathering of evidence, counsel can advise the subject of the risks and benefits of a personal appearance ISC as opposed to an ISC based on written submission. This is one of those matters where absence of counsel has an adverse impact on the sanctions imposed in the event of a violation.

Healthcare Attorney

Robert W. Liles, Esq., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law. Our Firm’s attorneys represent health care providers around the country in connection with both regulatory and transactional legal projects. For a free consultation, call Robert at: 1 (800) 475-1906.

Medicare Lifts Ban on Coverage for Sex Reassignment Surgery

(July 1, 2014):  On Monday, June 2, the Obama administration lifted its 33 year ban on Medicare coverage for Sex Reassignment Surgery (SRS). The decision is being hailed as a major victory for transgender rights. However, the decision does not necessarily mean that Medicare will pay for these operations – only that it could do so.

I.  Medicare Originally Considered Sex Reassignment Surgery to be “Experimental” and Therefore Not Covered:

In 1989, the Department of Health and Human Services (HHS) issued a blanket Medicare ban when it determined that SRS was an “experimental” surgery. This guidance was outlined under HHS’s National Coverage Determination[1] (NCD) titled “140.3, Transsexual Surgery.” Specifically,

Transsexual surgery for sex reassignment of transsexuals is controversial. Because of the lack of well controlled, long term studies of the safety and effectiveness of the surgical procedures and attendant therapies for transsexualism, the treatment is considered experimental. Moreover, there is a high rate of serious complications for these surgical procedures. For these reasons, transsexual surgery is not covered. 

The NCD language was based on a 1981 report from the National Center for Health Care Technology (NCHCT) of the HHS Public Health Service (PHS). The NCHCT forwarded its report to the officials of the Health Care Financing Administration (HCFA), now the Centers for Medicare & Medicaid Services (CMS), recommending “that transsexual surgery not be covered by Medicare at this time.”

II.  Challenging an NCD:

The Department Appeals Board (Board) may review any NCD “[u]pon the filing of a complaint by an aggrieved party.”[2] The aggrieved party must submit a statement “explaining why the NCD record is not complete, or not adequate to support the validity of the NCD under the reasonableness standard” and CMS may submit a response defending the NCD.[3]

The NCD record “consists of any document or material that CMS considered during the development of the NCD” including “medical evidence considered on or before the date the NCD was issued…”[4] The Board then “applies the reasonableness standard to determine whether the NCD record is complete and adequate to support the validity of the NCD.”[5]

If the Board determines that the record is complete and adequate to support the validity of the NCD, the Board will issue “a decision finding the record complete and adequate to support the validity of the NCD…”[6] The review process will then conclude. However, if the Board determines that the record is not complete and adequate to support the validity of the NCD, it will permit “discovery and the taking of evidence” and evaluate the NCD under applicable provisions[7], including conducting a hearing.[8] During an NCD review, the aggrieved party bears the burden of proof and the burden of persuasion for the issues raised in an NCD complaint, and the burden of persuasion is judged by a preponderance of the evidence.[9]

III.  NCD Complaint Filed to Overturn the Exclusion:

The aggrieved party included a 74-year old transgender woman and army veteran from Albuquerque, New Mexico. She filed her initial NCD complaint in March 2013. The following month, the Board notified CMS of this filing and then CMS submitted the NCD record[10] in May 2013. In June 2013, the aggrieved party submitted in a statement as to why the NCD record was not complete or adequate to support the validity of the NCD under the reasonableness standard.

The complaint contended that the bases for the NCD neither “reflect [n]or are supportable by the current state of medical science,” and that the NCD “is not reasonable in light of the current state of scientific and clinical evidence and current medical standards of care.” The complaint asserted that “in the intervening 32 years since PHS/NCHCT studied the issue” of coverage:

(a) dozens of new studies have been conducted that address the methodological limitations of earlier studies and confirm that sex reassignment surgery is a safe and extremely effective treatment for persons with severe gender dysphoria; (b) advancements in surgical techniques have dramatically reduced the risk of complications from sex reassignment surgery and the rates of serious complications from such surgeries are low, and (c) a robust medical consensus has developed among mainstream medical organizations which endorses the treatment standards established by the WPATH [World Professional Association for Transgender Health] Standards of Care [for the Health of Transsexual, Transgender, and Gender-Nonconforming People, Version 7, 13, Int’l J. Transgenderism 1 65 (2011)] and recognizes that sex reassignment surgery is a medically necessary treatment for persons with severe gender dysphoria.

The complaint was supported by the testimony of two expert witnesses – a clinical psychologist and a physician certified by the American Board of Obstetrics and Gynecology – as well as copies of two letters from two other physicians to an ALJ in the HHS Office of Medicare Hearings and Appeals. All of these health care professionals had substantial experience in treating persons with gender identity disorder (GID). In the case of the three physicians, this experience included years of performing some of the procedures involved in SRS. In addition, the clinical psychologist submitted copies of 32 journal publications and other writings cited in her two declarations.

Notably, CMS did not submit a response to these submissions. One could conclude that the agency had no reason to question the aggrieved party’s expert testimony or the experts’ descriptions of the medical and scientific literature submitted by the aggrieved party.

IV.  HHS Acknowledges that Sex Reassignment Surgery is Not Experimental:

HHS reviewed the complaint and made several conclusions. It determined that the record on which the safety concerns in the NCD were based was not complete and adequate. According to HHS, this appeared to stem, in part, from the substantial passage of time since publication of the sources on which the NCHCT relied in recommending that transsexual surgery be excluded. For example, surgical outcomes are far superior now than they were in at the time the NCD was published.

HHS also concluded that the declarations and supporting materials made the record on which the NCD was based was not complete or adequate to support the NCD’s determination that transsexual surgery has not been shown to be effective (i.e., that the surgery is experimental). Seemingly, the medical community today has reached consensus that transsexual or gender reassignment surgery is an effective treatment for persons with a sufficiently severe degree of gender identity disorder (GID) or gender dysphoria, the most common diagnoses for SRS.

HHS also noted that “long-term” follow-up studies published from 2002 to 2010 found that SRS was effective and had low complication rates based on assessing transsexual persons. Moreover, the complaint also cited decisions by US courts of appeals in seven circuits recognizing that GID or gender dysphoria was a serious medical condition.[11]

Based on this evidence, HHS concluded that the NCD record was not complete and adequate to support the validity of NCD 140.3, “Transsexual Surgery.” Therefore, HHS would now proceed to discovery and the taking of evidence.

V.  HHS’s Decision Meant that Sex Reassignment Surgery Could Be Covered Under Medicare:

HHS’ ruling here does not address the ultimate question of whether the NCD, as written, is valid under the reasonableness standard in the statute and regulations. The June 2, 2014 decision merely acknowledges that the procedures are not experimental and could be covered under the Medicare program.

What are some of the implications, at least thus far, of the HHS ruling? For one, Medicare may end up considering surgery as a medically necessary treatment for a diagnosis classified as a mental disorder. As noted above, gender dysphoria is the most common diagnosis given for SRS. Interestingly, it is listed as code 302.85 “Gender identity disorder in adolescents or adults” in ICD-9 and classified under “Neurotic Disorder, Personality Disorders, And Other Nonpsychotic Mental Disorders”. Its ICD 10 code will be F64.1 (with the same description) and is listed as a “Disorder of Adult Personality and Behavior”. If HHS determines that it will pay for surgeries for gender dysphoria, could this lead to coverage for payment for procedures for other mental conditions like Autism?

VI.  Final Remarks:

Again, the latest move by HHS does not necessarily mean that Medicare will pay for SRS procedures. Nevertheless, the fact that the Agency has removed the restriction on SRS as an “experimental” procedure is still a considerable step. Regardless of any restrictions that Medicare may place on SRS procedures, this could be seen as a substantial updated in CMS’s policies of considering mental health disorders as true diseases that may require surgery and not just counseling services or medication. For those interested, stand by to see if HHS eventually promulgates an actual NDC or coverage policy for SRS.

Health care lawyerRobert Saltaformaggio, Esq., serves as an Associate at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits by ZPICs and other CMS program integrity contractors.  The firm also represents health care providers in HIPAA Omnibus Rule risk assessments, privacy breach matters, State Medical Board inquiries and regulatory compliance reviews.  For a free consultation, call  1 (800) 475-1906.

[1] An NCD is “a determination by the Secretary [of HHS] with respect to whether or not a particular item or service is covered nationally under [title XVIII (Medicare)].” Social Security Act (the Act) § 1869(f)(1)(B) (42 U.S.C. § 1395ff(f)(1)(B)). NCDs are issued by CMS, apply nationally, and are binding at all levels of administrative review pf Medicare claims. 42 C.F.R. § 405.1060.

[2] Section 1869(f)(1) of the Act.

[3] 42 C.F.R. § 426.525(a), (b).

[4] 42 C.F.R. § 426.518(a).

[5] 42 C.F.R. § 426.525(c)(1).

[6] 42 C.F.R. § 426.525(c)(2).

[7] of 42 C.F.R. Part 426.

[8] 42 C.F.R. §§ 426.525(c)(3), 426.531(a).

[9] 42 C.F.R. § 426.330.

[10] The NCD record included: a May 6, 1981 NCHCT memorandum recommending “that transsexual surgery not be covered by Medicare at this time”; the 1981 NCHCT report; notes from a May 11, 1982 HCFA Physicians Panel meeting recommending against referring the American Civil Liberties Union (ACLU) submissions to PHS, where the ACLU disagreed with HCFA’s non-coverage policy, “on the basis that it does not contain information about new clinical studies or other medical and scientific evidence sufficiently substantive to justify reopening the previous PHS assessment.”; and a copy of the 1989 Federal Register notice publishing the NCD language (minus four pages) and an undated page from the HCFA coverage issues manual. 54 Fed. Reg. 34,555-612; NCD Record at 11, 76-129.

[11] See, e.g., De’lonta v. Johnson, 708 F.3d 520, 522-23 (4th Cir. 2013) (stating that sex or gender reassignment surgery is an accepted, effective, medically-indicated treatment for GID, and that the surgery is not experimental or cosmetic and that the WPATH Standards of Care “are the generally accepted protocols for the treatment of GID.”).

Texas H.B.300 Imposes a Number of New Medical Privacy Requirements

(June 30, 2014): The federal Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) work in conjunction to safeguard the privacy of patient health information. Concerned that HIPAA and HITECH did not provide enough safeguards for protected health information (PHI), the Texas legislature passed the Texas Medical Records Privacy Act, H.B.300, which went into effect on September 1, 2012. This law contains more stringent regulation than HIPAA and HITECH because it has a more expansive definition of what constitutes a “covered entity.” It also mandates more frequent employee training and increased penalties for violations.

I.  What is a Covered Entity Under Texas Law — H.B. 300:

Generally, HIPAA considers health care plans and health care providers to be “covered entities.” HITECH expanded the definition of a covered entity to include business associates of a health care provider. Under H.B.300, a covered entity is any individual, business, or organization that:

  1. Engages in the practice of assembling, analyzing, using, collecting, evaluating, storing or transmitting PHI;
  2. Comes into possession of PHI;
  3. Obtains or stores PHI; or
  4. Is an employee, agent, or contractor of a person or entity described in numbers 1-3 above if they create, receive, obtain, maintain, use, or transmit PHI.

Additionally under H.B.300, out-of-state companies that use or disclose PHI in Texas are also considered covered entities. This potentially expands covered entity status to law firms, record storage and disposal companies, accounting firms, auditors, and anyone else who comes into contact with PHI.

II.  More Frequent Employee Training Requirement:

Under HIPAA, employee training regarding protection of PHI is only required within a reasonable amount of time after hiring and when there are any material changes in privacy policies. Under the Texas law, each new employee must complete training regarding both federal and state law related to the protection of PHI within 60 days after his hire date, and the training must be repeated at least once every two years.

III.  Electronic Medical Records Requirement:

H.B.300 requires that covered entities provide patients with electronic copies of their electronic health records within 15 business days of the patient’s written request. Under HIPAA, records must be provided within 30 days of a request.

H.B.300 also prohibits the sale of PHI and requires notice to patients regarding the electronic disclosure of PHI.

IV.  Increased Penalties Under H.B.300:

Covered entities that wrongfully disclose a patient’s PHI will face increased civil penalties under H.B.300, in addition to any penalties for violating federal laws. The Texas law allows for penalties ranging from $5,000 to $1.5 million per year. To determine the penalty amount, H.B.300 lists five factors a court may consider: 1) the seriousness of the violation; 2) the entity’s compliance history; 3) the risks of harm to the patient; 4) the amount necessary to deter future violations; and 5) efforts made to correct the violation.

In addition to fines, a licensed Texas individual’s or facility’s violation is subject to investigation and disciplinary proceedings. If there is evidence that the violations of H.B.300 constitute a pattern or practice, the licensing agency the individual or facility operates under may revoke the individual’s or facility’s license.

H.B.300 also increases criminal penalties for identity theft involving PHI. Previously, a person who accessed, read, scanned, stored, or transferred PHI without the consent of an authorized user was subject to a Class B misdemeanor. Now a person committing this same act to access PHI will be subject to a state jail felony.

V.   Final Remarks:

Texas covered entities should take immediate steps to ensure compliance with both federal and state privacy requirements. They can do so by providing customized employee training on state and federal privacy and security requirements and reviewing and updating policies to incorporate the Texas statutory requirements.

Health care LawyerRobert W. Liles, Esq., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent health care providers in HIPAA Omnibus Rule risk assessments, privacy breach matters, State Medical Board inquiries and regulatory compliance reviews. The firm also represents health care providers and suppliers around the country in connection with Medicare audits by ZPICs and other CMS program integrity contractors.  For a free consultation, call Robert at: 1 (800) 475-1906.

Miscoded Evaluation and Management Services Cost Medicare $6.7 Billion

Evaluation and Management Services (June 25, 2014)  Officials at the Department of Health and Human Services, Office of Inspector General (OIG) recently examined medical records from 2010 for claims related to evaluation and management services (E/M services). The results are astounding. OIG determined that Medicare inappropriately paid $6.7 BILLION for E/M services that year due to claims that were incorrectly coded and/or lacking the necessary documentation. In total, over half of the claims for E/M services submitted in 2010 had incorrect codes or lacked the necessary documentation.


I. Coding and Documentation Requirements for Evaluation and Management Services:

E/M services are visits performed by physicians and nonphysician practitioners to assess and manage a beneficiary’s health. These services are divided into different categories known as “visit types” that reflect the type of service, the place of service, and the patient’s status. Most visit types are further divided into three to five levels, which correspond to the complexity of a visit and the Current Procedural Terminology (CPT) codes for billing purposes.

The level of an E/M service for CPT coding is determined by seven components: patient history, physical examination, medical decision-making, counseling, coordination of care, the nature of the patient’s presenting problem(s), and time. The first three components are important in determining the correct code for the E/M service. Higher level codes for a visit type indicates increased complexity of the E/M service. More importantly, it corresponds to higher reimbursement rates.

In order to be reimbursed for E/M services, the services must be medically reasonable and necessary. The services must also meet the individual requirements of the CPT code that is used on the claim. However, if services are billed at a higher level than were actually performed, the medical necessity requirement is not met. Providers must therefore ensure that the claims they submit to Medicare accurately reflect the E/M services provided and are billed at the appropriate level.

Physicians’ documentation is also an important part of the reimbursement process. The documentation must support the medical necessity and appropriateness, as well as the level, of the E/M service. In order to accurately reflect this, the medical record documentation must be clear and concise. The records should reflect the care the patient received as well as the relevant facts, findings, and observations about the patient’s history. Moreover, Medicare requires that the services be authenticated, either through a handwritten or electronic signature. If the medical record fails to include a proper attestation, CMS concludes that the claim is insufficiently documented.

II. Physicians Increase their Billing of High Level Codes, Leading to Higher Payment Amounts:

In 2012, an OIG report analyzed E/M services (all visit types) from 2001 to 2010 and noted that physicians had been increasing their billing of higher level codes. This process would obviously yield higher reimbursement amounts. Additionally, the Centers for Medicare and Medicaid (CMS) has determined that E/M services are 50% more likely to be incorrectly paid compared to other Part B services. These improper payments are more likely to result from errors in coding and/or insufficient documentation.

OIG then conducted a medical record review of a random sample of Part B claims for E/M services from 2010. In this review, OIG stratified claims from physicians who consistently billed higher level codes for E/M services and claims from other physicians. The first group of claims came from “high-coding physicians”. They comprised a sample from 828,646 claims billed by physicians with a history of high-coded claims. These high-coding physicians represented the top 1% of their primary specialties and billed at the two highest level codes (4 and 5) for E/M services at least 95% of the time. The second and larger group – claims from other physicians – included nearly 369 million claims from doctors without a history of high coding.  OIG then had certified professional coders review the claims determine whether the E/M service documented in the medical record for each sample claim was correctly coded and/or sufficiently documented.

III. Medicare Inappropriately Paid $6.7 Billion for Evaluation and Management Claims that were Incorrectly Coded and/or Lacked Necessary Documentation:

The results of OIG’s report are disturbing. Notably, Medicare paid approximately $32.3 billion for E/M services in 2010. However, 21% of this figure corresponded to claims for E/M services that were improperly paid. In total, OIG found that Medicare inappropriately paid $6.7 billion for claims for E/M services in 2010 that were incorrectly coded and/or lacking documentation.

Specifically, OIG determined that 42% of claims for E/M services in 2010 were incorrectly coded, whether the claims were upcoded or downcoded . The upcoded claims represented $4.6 billion in overpayments whereas Medicare underpaid providers approximately $1.8 billion in downcoded claims.  Furthermore, 19% of E/M claims lacked the necessary documentation. This includes 12% of the claims that were insufficiently documented, whereby Medicare made $2.6 billion in overpayments. On the other hand, 7% of the claims were undocumented and these represented $2 billion in overpayments.

Overall, OIG found that 55% of claims for E/M services were incorrectly coded or lacked the necessary documentation for reimbursement.
Additionally, OIG determined that claims from high-coding physicians were more likely to be incorrectly coded or insufficiently documented than claims from other physicians.

IV. Recommendations:

OIG recognized that its findings highlight errors associated with E/M services that must be addressed to properly safeguard the federal Medicare program. Based on the results of its study, OIG made three notable recommendations for CMS:

1. Education physicians on coding and documentation requirements for E/M services;
2. Continue to encourage contractors to review E/M services billed for by high-coding physicians; and
3. Follow-up on claims for E/M services that were paid for in error.

Interestingly, CMS only concurred with the first recommendation. It partially concurred with the third recommendation but did not concur with the second recommendation.

V.  Final Remarks:

The results of this latest OIG report are particularly troublesome. Problems associated with incorrect coding and improper documentation is clearly a widespread problem for E/M claims. In this case, over half of the claims for E/M services were incorrectly coded (whether upcoded or downcoded) or lacked necessary documentation. That is a significant percentage of the $32.3 billion Medicare paid out for E/M services in 2010. Furthermore, the report indicates that the “high-coding physicians” – those with a history of high coding and who are in the top 1% of their primary specialties – are the most likely providers to upcode their claims.

If you are a Medicare provider performing E/M services – especially if you fall into the “high-coding physician” category – what should you do? The most important action you can take is to ensure that your claims accurately reflect the medical necessity requirements for Medicare reimbursement. This includes ensuring that the claims you submit to Medicare accurately reflect the E/M services provided and the billing levels appropriately correspond to those services.

Providers must also confirm that the documentation accurately supports the medical necessity and appropriateness, as well as the level, of the E/M service. The medical records should reflect clear and concise documentation. Physicians must document the care a patient receives, as well as the pertinent facts, findings, and observations about the patient’s history. The record should be complete and legible. It should also include the date and a legible identity of the physician who furnished the E/M service. Moreover, the provider must ensure that the services are authenticated by the author of the record. This may be in the form of a handwritten or electronic signature.

As CMS increases the intensity of its fraud fighting capabilities, providers must be ready for an audit of their claims and medical record documentation. While you may not fall into the “high-coding physician” category, this does not necessarily protect you from an audit. If – and when – you find yourself subject to an audit of your E/M claims, one of the best ways to fight for your reimbursements is through proper legal representation. Please feel free to give us a call today at 1 (800) 475-1906.

Saltaformaggio, RobertRobert Saltaformaggio, Esq., serves as an Associate at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits by ZPICs and other CMS program integrity contractors.  The firm also represents health care providers in HIPAA Omnibus Rule risk assessments, privacy breach matters, State Medical Board inquiries and regulatory compliance reviews.  For a free consultation, call 1 (800) 475-1906.

Consequences of HIPAA Non-Compliance

The penalties of HIPAA non-compliance can be substantial. (June 16, 2014): It has been over a year since the effective date of the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) comprehensive modifications to the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Enforcement and Breach Notification Rules, commonly referred to as the Omnibus Rule. Covered entities were given until September 23, 2013, 180 days from the effective date, to come into compliance with most of the Rule’s requirements. Halfway through the new-year, many covered health care providers still have not met these requirements and are worried about becoming subject to the consequences of HIPAA non-compliance.


I.   HIPAA Modifications:

HHS issued modifications to the HIPAA Privacy, Security, and Enforcement and Breach Notification Rules to strengthen the privacy and security protection for individuals’ health information. Modifications include:

  • Making business associates of covered entities directly liable for compliance with certain HIPAA Privacy and Security Rules’ requirements;
  • Strengthening the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibiting the sale of protected health information without individual authorization;
  • Expanding individual’s rights to receive electronic copies of their health information and restricting disclosures to a health plan concerning treatment for which an individual has paid out-of-pocket in full;
  • Requiring modifications to, and redistribution of, a covered entity’s notice of privacy practices;
  • Modifying the individual authorization and other requirements to facilitate research and disclosure of child immunization proof of schools, and to enable access to decedent information by family members or others; and
  • Incorporating the increased and tiered civil money penalty structure provided by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

II.  Consequences of HIPAA Non-Compliance:

How violations are counted for purposes of calculating a civil money penalty depends on the section violated and the circumstances surrounding the noncompliance. Where multiple individuals are affected by an impermissible use or disclosure, such as in the case of a breach of unsecured protected health information, the number of identical violations of the Privacy Rule standard regarding permissible uses and disclosures would be counted by the number of individuals affected. With respect to continuing violations, such as lack of appropriate safeguards against breaches of unsecured protected health information for a period of time, the number of identical violations of the safeguard standard would be counted on a per day basis. In many breach cases, there will be both an impermissible use or disclosure and a safeguards violation, for each of which HHS may calculate a separate civil penalty.

The tiered penalty structure has penalties ranging from $100 to $50,000 per violation, depending on the level of culpability, with a $1.5 million cap per calendar year for multiple violations. Even where there is merely a possibility of a violation due to willful neglect, HHS can impose civil monetary penalties without exhausting informal resolution options. Criminal penalties range up to 10 years imprisonment.

III.  Examples of Penalties Resulting from HIPAA Non-Compliance:

A large health services company and health plan have collectively paid the HHS OCR $1,975,220 to resolve potential violations of HIPAA Rules.  The settlements were a result of significant risks to the security of electronic protected health information. The risks arose from unencrypted laptop computers and other mobile devices. In addition to payment of fines, the health services company agreed to adopt a corrective action plan to show how they will avoid such risks in the future. The health plan agreed to additionally provide HHS with an updated risk analysis, a corresponding risk management plan, and it is also required to retrain its workforce and document its ongoing compliance efforts.

In another recent case, two New York hospitals collectively paid $4.8 million to the HHS OCR to settle charges of violating the HIPAA Rules. In addition to the fine, both are also required to implement a corrective action plan. The organizations submitted a joint breach report to OCR after learning that protected health information on 6,800 patients was accessible on Google and other internet search engines. The compromised data included patient status, vital signs, medications and lab reports.

IV.   Final Remarks:

The fines and accompanying requirements are steep, and the modifications move HIPAA enforcement away from the previous voluntary compliance framework and toward a penalty-based system. If covered entities have not come in to compliance with the HIPAA modifications and established adequate safeguards, it is important that they do so as expeditiously as possible. Based on the rule modifications, covered entities have until September 22, 2014 to bring all of their Business Associate Agreements and Subcontractor Agreements into compliance with the Rules.

Healthcare LawyerRobert W. Liles, Esq., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent health care providers in HIPAA Omnibus Rule risk assessments, HIPAA Non-Compliance cases, privacy breach matters, State Medical Board inquiries and regulatory compliance reviews. The firm also represents health care providers and suppliers around the country in connection with Medicare audits by ZPICs and other CMS program integrity contractors.  For a free consultation, call Robert at: 1 (800) 475-1906.

Medicare ALJ Appeals of Denied Home Health Claims

February 11, 2014 by  
Filed under Home Health & Hospice

Denied home health claims can be appealed through the Medicare appeals process.(February 11, 2014):  Has a Zone Program Integrity Contractor (ZPIC) denied your home health claims?  If you believe that these denials are unwarranted, your home health agency (HHA) may challenge the denials through Medicare’s administrative appeals process.  Medicare’s appeals process provides five levels of appeal. The first four levels of appeal are before different administrative bodies.  The fifth level of appeal requires that an aggrieved provider file suit in federal court. The levels include: Redetermination (conducted by the Medicare Administrative Contractor); Reconsideration (conducted by a Qualified Independent Contractor, or QIC); after reconsideration, a dissatisfied provider may file for ALJ appeal; next, a provider may seek review by the Medicare Appeals Council; and finally, an appeal to federal court. The purpose of this article is to describe certain considerations peculiar to the ALJ review process from the point of view of a Home Health Agency (HHA), or its legal representative.  The article focuses on the initial steps to be taken before an ALJ hearing and how to proceed during the hearing. 

I. Engaging a Qualified Expert to Challenge an Extrapolation of Damages Related to Home Health Claims:

The extrapolation of alleged overpayment amounts using an error rate calculated by statistical sampling is one of the most powerful weapons a ZPIC can bring to bear against a home health provider. In our experience, it is often difficult for Medicare contractors to properly conduct sampling in the statistically-valid manner required by law.[1] Where extrapolation is used in Medicare enforcement audits, long-standing CMS program materials and Federal caselaw require that the sample in which the error rate is determined to be from established in a statistically valid manner. See HCFA Ruling 86-1 at 4, and Ratansen v. California 11 F.3d 1467 at 1471 (CA 9 1993).

If alleged overpayment amount in your case is large enough to justify it, a home health agency should engage a statistician familiar with Medicare’s processes to examine and critique any extrapolation that have been applied by a ZPIC.  If significant flaws are identified, the home health agency may be able to have the extrapolation reversed by the ALJ. In order to assess and critique the extrapolation, the expert must be able to review the statistical data and methodology used in the sampling.[2] The home health agency’s representative should communicate in writing with the ZPIC or other audit contractor to request in all of the statistical sampling data and records used by the ZPIC when calculating the extrapolation of damages.  If the requisite data is not forthcoming, your attorney should extend its requests to all administrative and appeals contractors who enter into the audit or appeals process. Although reversals of extrapolations are infrequent at the redetermination and reconsideration levels of appeal, they are possible.  Our firm has succeeded in getting extrapolations thrown out at every level of administrative appeal.

Occasionally the Medicare contractors involved in an audit and a subsequent appeal will refuse or merely fail to provide the extrapolation sampling data sufficiently for an expert to evaluate and challenge the extrapolation. When this happens, a home health agency has an argument for the reversal of the extrapolation entirely independent from issues of statistical validity. The contractors inevitably supply claim-line and similar spreadsheets which, while irrelevant to statistical sampling, can bear a superficial similarity to sampling data. The provider must therefore never assume that the absence of extrapolation and sampling data from the documents produced by the contractors will be conceded by the CMS parties, and must be prepared to prove that absence in its appeal just like any other disputed fact.

With this in mind, in any case where the full set of necessary data is given to the provider in an untimely manner or not at all, the statistical expert should examine all data provided by the contractors, and report in writing on its sufficiency for determination for determining statistical validity. The expert should be ready to testify about sufficiency in these cases, and his reports and testimony must be kept separate from those addressing the merits of statistical validity.

II. Engage a Skilled Nurse Expert to Report & Testify on Clinical Issues:

Unless the dollars at issue are small, or the issues in an appeal are exclusively legal in nature, a home health agency can benefit from engaging a skilled nurse as an expert witness.  The nurse expert can provide written reports on clinical issues for submission to the ALJ, and testify at the hearing. If the home health agency has a skilled nurse on staff, he / she may be able to perform these tasks. Otherwise, forensic nurses can be engaged for this purpose who are familiar with home health Medicare claims. In any case, the nurse expert should have education, other training and work experience sufficient to survive a challenge of their qualifications at the hearing.

Because the ALJ’s review in an appeal is a determination de novo of all legal and clinical issues of payability of each claim appealed,[3]the nurse expert’s written report should address all clinical issues in each claim, not just those cited as a grounds for denial in the decision being appealed. Accordingly, the nurse expert’s report should address the homebound status of the beneficiary, and the medical necessity of the services billed to Medicare.

In her testimony at the hearing, however, the nurse should avoid mention of clinical issues that aren’t being argued. The home health agency’s attorney or other representative conducting the hearing must communicate in advance so the nurse expert knows what clinical issues he expects to argue about, can organize her testimony to be concise and effective on those issues, and avoid other topics. The balance of the nurse expert’s report will be in the record if a contractor or the ALJ strays off into clinical issues not addressed by the QIC. If that happens, of course, she should be ready to give verbal testimony on the additional issues as well.

Often during an ALJ hearing, questions will arise about the real-world practices of a home health agency. The nurse expert can be useful to offer advice and explanations in such cases to the ALJ. This boosts the judge’s trust and confidence in the nurse, and tends to enhance her credibility on clinical issues.

 III. Preparation For Hearing: Planning a Method to Streamline the Hearing of Clinical Issues:

Home health cases appealed to the ALJ level typically involve a large number of home health claims.  Most ZPIC overpayment audits employ statistical sampling, where a sample of home health claims is audited, and the resulting error rate (as determined by the ZPIC), is applied to all billings by the home health agency over a multi-year period. To constitute a statistically valid random sample, the sample usually consists of 30-90 individual home health claims. Although individual home health claims may be relatively small, it may not appear to be cost-effective to file an appeal.  We recommend you challenge single claim denials if you believe that the services qualify for coverage and payment.  This can help keep your overall error rate low and reduce the likelihood of future audits and reviews.

Medicare ALJs strive to conclude all appeal hearings in a single day; and every hearing will require at least two hours of arguments on procedural, statistical and legal issues of general application to all claims. Meaningful oral arguments on medical necessity of a single home health claim denial will consume 10-20 minutes. So an actual hearing of oral arguments on medical necessity issues in 30 or more individual claims would simply be too time-consuming to be feasible. Accordingly, most ALJs will seek to establish a method early in the hearing by which separate oral arguments on each claim at issue can be avoided.  Working with your attorney, a home health agency may be able to formulate a method of grouping its claims into a small number of categories, so that representative claims in each category can be argued exhaustively. The separate written arguments on the various claims will remain for separate consideration by the ALJ, but in this way a favorable impression in a stronger claim can be extended to a weaker one.

Meritless arguments run the risk of getting noticed here, in which case they will harm a home health agency’s credibility on the stronger claims. There is little chance a meritless argument will prevail, and having them present hurts the persuasiveness of a home health agency’s other arguments.

An appeal to the ALJ is, strictly speaking, an appeal of the denial reason cited by the QIC in its reconsideration decision.  Nevertheless, since the ALJ level of appeal is a de novo review, you must be prepared to address the alleged errors identified by the ZPIC and the MAC if requested to do so by the judge.

IV. The ALJ’s Record — Consider Citing Risk of Change Factors in Prior Episodes of Care:

Where a home health agency is supporting the medical necessity of skilled nursing services for Observation and Assessment by pointing to factors in the medical record which show a “likelihood of change” as defined in Medicare Program Benefit Manual Ch. 7, §, dangerous and unstable medical conditions evident in the Beneficiary’s medical record are often cited. If the episode in question is a follow-on episode, it is more convincing to point to dangerous and unstable conditions in earlier episodes. This is because medical necessity must be determined as of the date of the physician’s order for the skilled care in question.[4]Conditions which were already documented in the record at the time of the order will be more persuasive in establishing the reasonableness of the physician’s judgment.

To do this, obviously the records of the prior episodes must be available for review and submission to the appeal record; but the need for this sort of argument won’t normally be evident at the start of the case when medical records are being gathered. So for this and for other reasons, it is wise to gather the records of all episodes of care for the Beneficiaries in the appeal, not just the episodes at issue.

The handling of medical records by contractors in Medicare enforcement audits and appeals is notoriously sloppy. Although audit denials are generally based on an audit contractor’s review of medical records it receives from a provider or seizes, and CMS regulations require each contractor handling an appeal to turn over its entire file to the provider upon request,[5]contractors evidently find it impossible to comply. For this reason, providers appealing an overpayment determination must include a full set of all medical and billing records at issue, provided separately with each redetermination, reconsideration, and ALJ appeal filing.

A home health agency should therefore collect all medical billing and other records pertaining to all beneficiaries in the relevant audit sample, “Bates Label” them at the start of the appeal, and include the Bates labeled set with each appeal filing .  The same labeling must be used at every level of appeal. Efforts to organize each set of records in a logical and consistent manner will pay off later as well. The nurse expert and statistical expert must use Bates references for all document identification in their reports and live testimony. Judges always appreciate this, as it vastly speeds and simplifies testimony on any records.

V.  Keep Your Experts’ Live Testimony Short and Concise:

The live hearing before the ALJ is no place for a verbose treatment of a technical subject. Make sure each expert handles his written report, which can and should be a complete coverage of all issues, very differently from his verbal testimony which will be most effective if short. Complex subjects can seldom be communicated exhaustively in a 1-day hearing, and the expert will quickly lose the ALJ if he insists on trying to do that. Make sure your experts plan their testimonies accordingly.

CMS contractors can and do participate in ALJ hearings, but they can do so only as non-parties. Medicare regulations require non-parties to give notice of their intent to participate within 10 days of an ALJ’s notice of a hearing date.[6] When contractors give late notice, or appear at a hearing without notice, your legal representative may choose to object on the record at the start of the hearing. These objections will be more successful if the representative can plausibly argue that he would have prepared differently for the hearing if timely notice had been given. 

A sizable appeal to an ALJ may involve submissions to the judge after the filing of the initial appeal. In any case, evidence submitted subsequent to the issuance of the reconsideration decision can be admitted to the ALJ record only on a motion and showing of good cause.[7  Keep in mind, it is getting more difficult each year to show the requisite requirement of “good cause.”  Therefore, every effort should be made to submit relevant evidence into the record BEFORE the QIC has issued its reconsideration decision.

A seldom-addressed issue in Medicare enforcement audits is non-physicians being allowed to challenge, years after the fact, the medical judgment of physicians who saw the patients and have cared for them. Ostensibly, payment denials for lack of medical necessity are based on “lack of adequate record,” but in practice Medicare audits involve just this sort of second-guessing. The provider’s representative should try to make this point occasionally during the hearing, and not let the ALJ forget that the treating physician’s medical judgment is reflected in the medical records he is reviewing.

A recognized goal of home health care is keeping beneficiaries out of nursing homes and other long-term care facilities; and Medicare Benefit Policy Manual Ch. 7, §30.5.2 expressly provides that the number of re-certification periods for Home Health Care is unlimited as long as the beneficiary remains qualified. CMS contractors however often look askance at successive recertification periods, and suggest they are disfavored[8]. Providers’ representatives should not allow a suggestion along those lines at an ALJ hearing to go unchallenged, and be prepared to explain why and by what authority home health care is not limited to any specific time period.

Healthcare LawyerDavid Parker practices in the business transaction and healthcare areas. In the health law area, Mr. Parker represents providers in Medicare, Medicaid, and private payor administrative proceedings involving overpayment, revocation and other audit matters, and buyers and sellers in healthcare related transactions. He also gives advice on False Claims Act, Stark, and Anti-Kickback Statute issues.  For a free consultation, call:  1 (800) 475-1906.

[2]. Medicare Program Integrity Manual Ch. 8, § lists the extrapolation statistical data which the contractor must preserve in its files and make available to the provider.

[3]. 42 CFR 405.1032(a).  The ALJ cannot however re-open claims in an audit which are not appealed to him.

[5]. See Medicare Claims Processing Manual Ch. 29, §300.3

[6]. See 42 CFR §405.1010(b)

[7]. See 42 CFR §405.1018 & 1028

[8]. Several CMS contractors disseminate program materials which state, without citing any authority, that Home Health Care should be provided only for short periods. For example, one enforcement contractor in the Southwest includes in its standard form Educational Letter on Medicare HHC the statement “We must preserve …HHC services [for] people who, for a short period of time, are too… infirm to leave their homes…to receive physician…services.”


Individual Liability for Medicare Overpayment Claims

(October 19, 2012): This article addresses the case where an individual or “natural person” owns an interest in a Medicare health care provider which is incorporated[1] under the laws of a state, as a corporation, limited liability company, limited partnership, or  another type of legal person. The individual may be a shareholder, member, limited partner, or some corresponding term for an owner of the company, but in all these cases the common factor is limitation of liability of owners.  Owners of providers facing ZPIC or other Medicare contractor audits or appealing an overpayment demand often ask what risk they face of being held personally liable for the overpayment claims, or otherwise punished personally, if their appeals are unsuccessful.

I.  Hypothetical Case:

The hypothetical situation addressed here is a common one, namely a provider organized as a corporation or LLC (the “Company”) with one or more individual owners (i.e. individual shareholders or members) is enrolled with Medicare, has provided services to Medicare beneficiaries over a substantial period of time, and has received payments from one or more Medicare contractors. Then, a ZPIC or similar contractor selects the Company for post-payment audit. After reviewing a sample of records, the contractor determines that overpayments have occurred and issues an audit results letter assessing an amount claimed to be overpaid in the sample, and an extrapolated (much larger) amount deemed to be overpaid in all of the Company’s Medicare receipts during the period under review. The Medicare Administrative Contractor (the “MAC”) then makes a written formal demand for refund by the Company of the extrapolated amount.

Our hypothetical assumes the Company either fails to appeal the above overpayment determination (referred to as an “Initial Determination”), or appeals and loses. Either way the Company owes the full extrapolated amount to CMS, plus interest from the date of the formal demand by the MAC. Assume further that this sum amounts to several years’ gross revenues for the Company; and it has no means to repay it. The MAC begins recoupment from payments of new Medicare billings by the Company, and the Company shuts down as it exhausts its funds available to cover payroll and operating expenses. Finally, assume (as is commonly the case) that the Company has no significant assets which CMS can seize and liquidate to satisfy the overpayment.

Given the above, the question presented is whether the individual owner or owners of the Company are on the hook for the unpaid amount of the CMS overpayment claim? Are other provider entities owned by the same individuals on the hook? Phrased another way, under what circumstances can CMS or its contractors lawfully collect the above overpayment from the individual owners or their other provider companies? And what other sanctions can the Government apply against the individuals and affiliates in such a case?

II. Concept of Limited Liability:

In the US and most Western legal systems the concept of incorporation of a business is available to shield its owners from claims for the business’s debts. This is the concept of limited liability, meaning the owners’ personal liability for the debts of the business is usually limited to the amount of the capital they have invested in it. If the business owes money to a creditor, the creditor will have recourse to the business, meaning the money and other assets the business itself owns. In this way, the creditor can collect the capital the owner has bound up in the business; but the creditor has no right to make the owner pay from his own assets.

III. Threshold Rule of Limited Liability; Exceptions and “Piercing the Corporate Veil”:

The general rule of limited liability applies to CMS and its contractors when dealing with shareholders of incorporated health care providers, just as it does to other creditors. No statute or case law makes owners of incorporated Medicare health care providers personally liable for their companies’ debts to CMS, except in certain very narrow circumstances which apply to all debtors and creditors. And nothing about the health care industry makes these circumstances more likely to arise than in other industries.

The principal exceptions to the rule of limited liability of shareholders are collectively known as piercing the corporate veil. Under certain circumstances, courts will allow creditors of an insolvent corporation, LLC or other legal entity to reach through the corporate structure and collect their debts from shareholders or similar owners. Numerous factors have been cited by courts to justify imposing liability of shareholders for corporate debts, and an exhaustive discussion of this topic is beyond the scope of this article; but common examples of circumstances which can justify veil piercing are as follow:

(a) Defective Incorporation. Failure to meet legal the statutory requirements for organizing the corporation or LLC can and will result in shareholders being liable for corporate debts. A better statement of this rule is that, without compliance with the requirements for incorporation, no corporation ever exists in the first place to shield the shareholders from liability.

(b) Ignoring the Separateness of the Corporation. Entering into contracts and otherwise transacting business variously in a corporate name and an individual name can justify piercing the corporate veil. Likewise, commingling corporate and individual assets, or transferring assets without formalities between company and owner, or company and sister company, can give the same result.

(c) Significant Undercapitalization. A requirement of incorporation is injecting money or other capital into the new company reasonably sufficient to pay its expected debts. Failure to do this is called undercapitalization, and is grounds to impose liability on the shareholders. The adequacy of capital, however, is judged at the time it is injected, not when the liability arises, and courts tend to defer to any good-faith estimate of how much capital will be needed, so undercapitalization is normally difficult to prove.

(d) Excessive Dividends or Other Payments to Shareholders. When owners are actually working for a corporation they can in most cases pay themselves whatever compensation is even remotely fair, as long as it is clearly characterized as salary or wages. Dividends and other non-compensation distributions, however, are judged very differently, and can safely be taken out by shareholders only to the extent of profits. When shareholders take non-compensation distributions in excess of profits, they constitute a return of capital and can give rise to an undercapitalization claim by any corporate creditor who is subsequently not paid[2]. If such distributions are made when the corporation is actually insolvent, the creditors’ claims against the shareholders will be almost impossible to defend.

(e) Misrepresentation and other Unfair Dealings with Creditors. Dishonesty and false statements to corporate creditors, asset concealment and other deceptive practices, can make shareholders liable for corporate debts.

(f) Absence or Inaccuracy of Records. If corporate records go missing or prove to be inaccurate, they can form a basis to pierce the corporate veil, especially if they hinder a creditor’s collection efforts against the corporation.

(g) Failure to Maintain Ongoing Legal Requirements. Each state’s statutes impose annual franchise fees and various report-filing requirements on corporations and similar entities. Although these have generous grace periods and cure provisions, if they are neglected long enough, the corporation or LLC will legally cease to exist and shareholder liability will result[3].

Given any of the above fact circumstances, CMS and its Medicare contractors can seek to pierce the Company’s corporate veil and collect the overpayment from the Company’s owners in our hypothetical. These circumstances however are not typical for health care providers, and are easily avoided. Veil piercing depends on facts which by their nature are difficult to prove in a court of law, often involve subjective judgments, and in most cases are subject to dispute. The burden of proving the facts is always on the creditor. Correspondingly, courts tend to disfavor veil-piercing claims and narrowly construe the applicable law, so veil piercing has a reputation as a difficult remedy to invoke successfully.

IV.  Rules in Bankruptcy:  

While CMS does enjoy certain advantages and unique rights under US Bankruptcy laws, this doesn’t include any advantage over other creditors in reaching the pockets of shareholders of a bankrupt company.  A basic rule in Bankruptcy is that filing a petition automatically halts or “stays” all acts by creditors to collect debts which pre-date the petition[4]. Since 2005, this “automatic stay” has been ruled not to impair CMS’s right to exclude providers from its programs[5]. Additionally, Federal case law appears to hold that the automatic stay does not prevent CMS and its contractors from recoupment against new Medicare billings by a provider in bankruptcy[6]. But no bankruptcy law gives Government health care programs special debt collection rights against shareholders of providers, so CMS and its contractors, like other creditors, can collect Medicare overpayments from shareholders and other owners of a bankrupt entity only in the Veil Piercing circumstances described above, which are narrowly-drawn and strictly interpreted against the creditor.

V.  Federal Agency Practice on Pursuing Individual Liability: 

Federal agencies are not as a rule aggressive in collection of their debt claims, and CMS is no exception.  For example, in government loan programs where shareholders are required personally to guarantee the debt, once corporate assets are exhausted in default cases, Federal agencies rarely pursue the guarantors’ personal credit, and discourage their contractors and even private holders of Government-guaranteed loans from doing so. With this in mind, it should be no surprise that most Federal agencies seldom if ever seek to pierce any corporate veil[7]. As was noted, veil-piercing involves lots of gray areas and disputed facts and is hard to do successfully; and Government agencies are reluctant to risk the time and money required. Government agencies also fear the adverse publicity that regularly arises from collection efforts against individuals. While Federal authorities could be moved to pursue such remedies in an extreme case or under the glare of unusual publicity, they are otherwise unlikely to do so. In 30+ years of representing participants in Federal programs, I have never been involved in any case where such a remedy was sought against a client or any other individual.

VI. Successor Liability:

In our hypothetical, the individual owners won’t be able to continue in the health care industry using the Company itself as a practice vehicle. They may wish to organize and capitalize another entity to provide the same or a similar type of services. In what circumstances can new entities organized by the owners after the Company’s demise be held liable for the Company’s overpayment obligation? This area of the law is referred to as successor liability, and it provides remedies which do indeed allow creditors to pursue the new entity in some cases. Like veil piercing, this remedy is an exception to the general rule of limited liability of corporate owners, is available to creditors generally in certain narrow circumstances, and is not specific to Government creditors or health care provider debtors.

Simply stated, successor liability flows from state statutes and state court case rulings which allow the creditors of a debtor company to collect their debt claims from another company to which one or more assets of the debtor have been transferred, if it is a successor to the original debtor. The exact circumstances which make the other company a successor vary from state to state. In most states the law gives a list of elements which can establish successor status, but uses a balancing test, meaning there is no hard and fast rule of which or how many elements have to be present to prove the claim. The creditor sues the transferee company to initiate such a claim, and the court hearing the case decides not only which elements are present, but also whether they are enough to make the defendant a successor[8]. But if a creditor can prove enough of them, it can make the transferee pay the debt.

Elements commonly listed to impose liability on the transferee of a debtor’s assets include, (i) common ownership (whole or part) between the original debtor and the separate company; (ii) the transferee was established to hinder the creditors of the debtor; (iii) the original debtor and the transferee company provide the same goods or services; (iv) the same or recognizably similar company name or DBA; (v) same business location; (vi) same customers or customer sources; (vii) same officers or managers; (viii) same employees; and (ix) the transferee pays other debts of the original debtor, or states that it will do so. In most cases, one or two elements alone will usually be insufficient to establish liability[9].

Successor liability is not as uniformly disfavored in courts as is veil piercing, but remains uncommon in practice. Like veil piercing, it is rarely if ever used by Federal agencies and contractors. Whether any specific circumstances will make a transferee company liable as a successor to another is beyond the scope of this article; but asset transfers between commonly-owned companies occur frequently, and many not easily be identifiable as such to a non-lawyer. In our hypothetical, the Company’s owners may be sorely tempted to use the same business location or same employees or managers in the new provider as in the Company, and may wish to have the new entity collect unpaid receiveables. Any of these steps could subject the new entity to the overpayment, or to any other creditor claim. Successor liability can be invoked against pre-existing entities under common ownership with the Company as well. Owners of health care providers having other companies which are subject to any Medicare contractor collection action need to avoid any such transfers scrupulously, and bear in mind that they can make their other provider liable in common for an overpayment claim.

VII.  Other Government Sanctions Against Owners and Affiliates for Non-payment by an Incorporated Provider:

 Pursuing owners personally for repayment of a provider’s overpayment liability isn’t the only sanction CMS and its contractors might logically seek to apply to punish non-payment. Excluding related persons and companies from health care program participation comes to mind. This could take at least 3 forms, each of which we will examine in turn.

(a) Exclusion of Individual Owners. The authority for HHS to exclude both companies and individuals from involvement in its health care programs has been established at the statute, regulation, and policy manual levels.  The basic authority for exclusion is granted to the Secretary of HHS under Sections 1128 and 1156 of the Social Security Act.[10]  These sections list all the grounds for which a party may be excluded[11]. Most of these sections are written so that if an entity commits acts which are grounds for exclusion, the owners are likewise at risk[12]. Most of the grounds for exclusion are not relevant here, such as conviction for felonies, or health care related misdemeanors. Three grounds for exclusion however are listed which relate to providers’ services, namely submitting charges to any Federal health care program in excess of the provider’s usual charges, furnishing services in excess of the needs of patients, and furnishing services of a quality not meeting recognized professional standards[13]. The lack of medical necessity grounds for denial which appear in most overpayment cases, corresponds to the furnishing services in excess of the needs of patients grounds for exclusion. So the question is whether lack of medical necessity of our Company’s services is, in and of itself, valid grounds to exclude it, and therefore also exclude its owners?  These service-related grounds for exclusion are addressed in the Medicare Program Integrity Manual (the “PIM”) in Chapter 4, Sec. 4.19. This section states that in order to prove such cases, the PSC and the ZPIC BI unit shall document a long-standing pattern of care where educational contacts have failed to change the abusive pattern. Isolated instances and statistical samples are not actionable. Medical doctors must be willing to testify.[14]  Only this service-related grounds for exclusion could plausibly be applied to the facts of our overpayment hypothetical, without serious wrongdoing being present beyond simple failure to repay. The contractor documentation in a typical post-payment audit would not appear to satisfy the PIM requirement of “document[ing] a long-standing pattern of care where educational contacts have failed to change the abusive pattern”.  No practitioner at this health care law firm has seen exclusion attempted or threatened against the provider or its owners in a simple overpayment case. Accordingly, exclusion of the provider and its individual owner does not appear to be a substantial risk in our hypothetical situation.

(b)  Bars to Subsequent Applications.  In our hypothetical, the individual owners won’t be able to continue in the health care industry using the Company itself as a practice vehicle. They may wish to organize and capitalize another entity to provide the same or a similar type of services.  If our hypothetical is extended to such a case, what are the risks that CMS and its contractors might punish the Company’s failure to satisfy its proven overpayment demand, by barring the enrollment application of the owner’s new provider entity? In order to bar a new provider owned or controlled by owners of our hypothetical defaulting provider, however, CMS and its contractors must be aware of the relationship between the 2 companies. So our initial inquiry must be whether the new-provider enrollment process will itself call the attention of CMS or its contractors to the relationship between the non-paying Company and the new applicant. This process is largely embodied in the enrollment application document. The current form of Medicare enrollment application for most incorporated providers, CMS-855A (07/11)[15] requires disclosure of any “Adverse Legal Actions/Convictions” of individuals with ownership or control of the entity (in Sec. 6), and so would clearly be required for the Company’s owners in our hypothetical. The listing of adverse adjudications which constitute Adverse Legal Actions/Convictions is at page 16 in the CMS-855A, and includes most criminal convictions, state license and Government program revocations, suspensions, exclusions and debarments, and also 4. Any current[16] Medicare payment suspension under any Medicare billing number.

This form does not require the new applicant’s owner to disclose the problems of the Company in our hypothetical, or even mention its existence, for 2 reasons. First, “payment suspension” is a very specific Medicare sanction, and usually not present in an overpayment demand case. Second, the disclosure is explicitly directed at the individual owner, and its wording does not extend it to other entities under the owner’s ownership or control. The operative text at Section 6 is:

1. Has the individual in Section 6A, under any current or former name or business identity, ever had a final adverse legal action listed on page 16 of this application imposed against him/her?

New program developments in Medicare, however, may change the above situation and extend required disclosures to entities under common ownership or control with new applicants. In the HHS OIG Work Plan for FY 2012, under Part IV: Legal and Investigative Activities Related to Medicare and Medicaid, there is an item captioned Providers and Suppliers with Currently Not Collectible Debt.

VIII.  Conclusion:

In sum, the established legal rule of limited liability of owners of incorporated businesses appears to be alive and well in the Medicare service provider area, and Federal agencies and their contractors by and large respect it. The separateness of legally-distinct incorporated businesses under common ownership also remains in effect. These rules however have significant exceptions.

Owners of incorporated health care provider entities, absent some written agreement to the contrary, are insulated from personal liability for overpayment obligations owed by their companies to Federal health care authorities by the same state laws which insulate them from their companies’ other debts. Generally, Federal health care laws do not change these rules. If your company’s assets are insufficient to satisfy its debts, procedures exist for Federal claimants (like other creditors) to try to reach through your company and pursue your personal credit to satisfy their claims. But this requires a lawsuit to be filed against you personally; and the laws of the states specify only certain narrow circumstances where they can be successful. Accordingly, creditors rarely try to “pierce the corporate veil”, and this is probably more true of Federal creditors than private ones.

The most likely situation where an insolvent provider’s creditor can successfully reach the personal credit of the owner is when the owner has taken dividends and other sums from the company which cannot be characterized as salary or compensation for employment, at times when the debtor company was already insolvent. Likewise, the most likely way a new provider company being organized by an existing provider’s owner can become liable to its creditors is for assets to be transferred from the old provider to the new. Owners of multiple providers should consult legal counsel to examine all dealings between them for successor liability and similar issues whenever one provider becomes liable for overpayments, because many risk-creating activities will not be recognizable as such without legal training.

Apart from debt collection risks, procedures exist for HHS to exclude owners of providers from Federal programs, which will operate to exclude other provider entities under common ownership. The available grounds for exclusion, however, do not normally arise in an overpayment case. Similarly, HHS regulations provide for the revocation of the enrollment of health care providers in certain cases. The grounds for revocation do not include a defaulted overpayment by a separate provider under common control.

The main area of risk for the affiliates of a defaulting provider subject to an overpayment appears to be the enrollment application by a new provider entity under common ownership. While the strict wording of the current enrollment application forms does not compel disclosure of the overpayment situation in our hypothetical, and  overpayment by a commonly-owned provider is not currently a listed basis for denial of the new enrollment, in practice the existence of a defaulted overpayment obligation poses a substantial risk to any related party’s enrollment. Initiatives are under way inside HHS which could change these risks to certainties.

Healthcare LawyerDavid Parker is an attorney practicing at Liles Parker PLLC, a health care and business law firm in Washington D.C. Mr. Parker was formerly a partner at Dickstein Shapiro in Washington, DC. Before entering private practice, Mr. Parker served for 16 years as the in-house general counsel of Allied Capital, a publicly-traded group of mezzanine finance companies headquartered in Washington. For more information, contact David at (202) 298-8750.

[1] The term incorporated will be used here to refer to the legal process of creating any form of legal entity providing limited liability to its owners (e.g. limited partnerships and LLCs) not just to the creation of a corporation.

[2] This practice is harder to defend than a claim for initial undercapitalization, because in this case there is evidence that at the time of organization, the owners believed the capital later taken out was needed in the business.

[3] Failure to hold annual meetings, and failure to keep corporate minutes have seldom been the basis for shareholder liability.

[4]. 11 U.S.C. §362.

[5]  11 USC §362(b)(28)

[6]  See In re Slater Health Center, Inc. 398 F.3d 98 (C.A. 1 2005). The US Bankruptcy Code does not explicitly address recoupment, and the Slater ruling may not apply in all circumstances. Among other things, its application turns on the overpayment and the new billing being part of the “same transaction.” Otherwise, the contractor’s claim against the new billing is a setoff which is specifically addressed in the Code and is generally halted in bankruptcy by the automatic stay. See for example In re University Medical Center 973 F.2d 1065 (C.A.3 1992).

[7] The notable exception to this rule is the Internal Revenue Service’s pursuit of shareholders to collect corporate tax liability. The IRS has in recent years successfully pierced the corporate veil in a number of well-publicized cases.

[8] See e.g. Cab-Tek v. E.B.M. Inc. 153 Vt. 432 (Vt. 1990).

[9] Typical statements of states’ successor liability rules can be found in Marks v. Minn Mining & Mfg. Co 187 Cal. App. 3d 1429 (Cal. Ct. App. 1986) and Sweatland v. Park Corp 587 NYS 2d 54 (App. Div. 1992).

[10] Codified in 42 USC §§1320a-7 and 1320c-5

[11] A convenient chart provided by HHS summarizing the various grounds on which exclusion from Federal health care programs may be based, can be found here.

[12] The recurring text appears, for example, in 42 USC §1320a-7(b)(6). That section provides that the Secretary of HHS may exclude “Any individual or entity that the Secretary determines… has furnished or caused to be furnished … items or services to patients substantially in excess of the needs of such patients….” Since owners of a provider entity are normally in control of it, if the entity has done the described act, the owner can be said to have caused the act, and is therefore subject to the same grounds for exclusion [emphasis added].

[13] 42 USC §1320a-7(b)6)

[14]  PIM Ch. 4 Sec. 4.19.2. Similar procedural requirements for exclusion appear at and

[15] Other versions of CMS-855 (used for other types of providers and entities) contain sections corresponding to Sections 6, page 16 and Section 15 of CMS-855A, discussed herein.

[16] Sec. 15 of CMS-855A extends the required disclosure to all subsequent periods, effectively making it an Evergreen requirement.

[17] For example, CMS-855 program application forms have long required owners of all applicants to be identified by name and Social Security Number. A simple cross-checking of these identifiers against identifiers of owners from the CMS-855 of defaulting debtors could easily be implemented.

[18] Grounds for denial of enrollment are repeated, but not expanded, in the Medicare Program Integrity Manual in Chapter 15.8.

[19] 42 CFR §424.530(2).

[20] 42 CFR §424.530(6). The regulation defining the term owner includes holders of 5% and greater ownership interests. Grounds for denial of enrollment based on payment suspension are set forth in nearly identical language in §424.530(7)

[21] See 42 CFR §424.535. Note that this revocation regulation includes a grounds for revocation corresponding to §424.530(a)(2) [felony conviction, debarment or suspension by the provide, its owner or key personnel] but no grounds for revocation corresponding to §424.530(a)(6) [existing overpayment by the provider or its owner].