Top Ten Health Care Compliance Risks for 2011.
January 1, 2011 by Lorraine Ater
Filed under Featured, UPIC Audits
(December 31, 2010): In case you missed it, Congress, President Obama and the healthcare regulators had a banner year with respect to regulatory activism in 2010. Over the next several weeks we will be releasing a series of articles on our website addressing these dramatic changes and the compliance risks they present for your practice, clinic or health care business in 2011:
Compliance Risk Number 1: Increased “HEAT” Activity and Enforcement: Perhaps the greatest risk to consider in 2011 is the increase in targeted health care fraud enforcement efforts by the government’s Health Care Fraud Prevention and Enforcement Action Team (HEAT). These teams are comprised of top level law enforcement and professional staff from the U.S. Department of Justice (DOJ), the Department of Health and Human Services (HHS), and their various operating divisions. HEAT team initiatives have been extraordinarily successful in coordinating multi-agency efforts to both prevent health care fraud and enforce current anti-fraud initiatives.
As DOJ noted in September 2010, over the previous Fiscal Year, DOJ (including its 94 U.S. Attorneys’ Offices), HHS’ Office of Inspector General (HHS-OIG), and the Centers for Medicare and Medicaid Services (CMS), jointly accomplished the following:
- Filed charges against more than 800 defendants.
- Obtained 583 criminal convictions.
- Opened 886 new civil health care fraud matters.
- Obtained 337 civil administrative actions against parties committing health care fraud.
- Through these efforts, more than $2.5 billion was recovered as a result of the criminal, civil and administrative actions handled by these joint agencies.
President Obama’s FY 2011 budget request includes an additional $60.2 million in funding for the HEAT program.These funds will be used to establish additional teams and further fund existing investigations. Now, more than ever, it is imperative that you ensure that your Compliance Plan is both up-to-date and fully implemented. Medicare providers are obligated to adhere to statutory and regulatory requirements and the government’s HEAT teams are aggressively investigating providers who fail to comply with the law.
Compliance Risk Number 2: Zone Program Integrity Contractor (ZPIC) / Program SafeGuard Contractor (PSC) / Recovery Audit Contractor (RAC) Audits of Medicare Claims: As you already know, private contractor reviews of Medicare claims are big business – one ZPIC was awarded a five-year contract worth over $100 million. In 2011, we should expect to see:
- The number of ZPIC / PSC / RAC audits of Physician Practices, Home Health Agencies, Hospice Companies, DME Suppliers and Chiropractic Clinics will greatly increase in 2011.
- The reliance of both contractors and the government on data mining will continue to grow. Providers targeted will likely be based on utilization rates, prescribing practices and billing / coding profiles.
- An increase in the number of Administrative Law Judge (ALJ) hearings in where ZPIC representatives choose to attend the hearing as a “participant.” In these hearings, the ZPIC representative will likely aggressively oppose any arguments in support of payment that you present.
Are you ready for an unannounced / unanticipated site visit or audit? When is the last time that you have conducted an internal review of your billing / coding practices? Are you aware of the hidden dangers when conducting these reviews? In 2011, your Compliance Officer may very well be your most important non-clinical staff member. Physicians and other providers should work with their Compliance Officer to better prepare for the unexpected audit or investigation.
Compliance Risk Number 3: Electronic Medical Records: Unfortunately, some early adopters of Electronic Medical Records (EMR) software are now having to respond to “cloning” and / or “carry over” concerns raised by ZPICs and Program SafeGuard Contractors (PSCs). In a number of cases, these audits appear to be the result (at least in part) of inadequately designed software programs which generate progress notes and other types of medical records that do not adequately require the provider to document individualized observations. Instead, the information gathered is often sparse and similar for each of the patients treated. Take care before converting your practice or clinic to an EMR system. Include your Compliance Officer in the selection and review process.
Compliance Risk Number 4: Physician Quality Reporting Initiative (PQRI) Issues: Under the Health Care Reform legislation passed last March. PQRI was changed from a voluntary “bonus” program to one in which penalties will be assessed if a provider does not properly participate. As of 2015, the penalty will be 1.5% and will increase to 2.0% in 2016 and subsequent years. Additionally, questions about the use of PQRI date in “Program Integrity” targeting remain unanswered. Once again, it is essential that your Compliance Officer provide guidance to your staff regarding this program and its potential impact.
Compliance Risk Number 5: Medicaid Integrity Contractors (MICs) and Medicaid Recovery Audit Contractors (MDRACs): In recent months, we have seen a marked increase in the number of MIC inquiries and audits initiated in southern States. Notably, the information and documentation requested has often been substantial. Medicaid providers must now also contend with MDRACs. As a result of health care reform, MDRACs are now mandatory in every State and are may initiate reviews and audits as soon as March 2011. Compliance Officers should review their current risk areas and ensure that Medicaid coding and billing activities are actively monitored to better ensure statutory / regulatory adhereance.
Compliance Risk Number 6: HIPAA / HITECH Privacy Violations: Failure to comply with HIPAA can result in civil and / or criminal penalties. (42 USC § 1320d-5).
- Civil Penalties – A large retail drug store company was recently fined $2.25 million for failure to properly dispose of protected information.
- Criminal Penalties – Earlier this year, a physician in Los Angeles, CA, was sentenced to four months in prison after admitting he improperly accessed individual health information.
As of mid-2010, there had been 93 breaches affecting 500 or more individuals. The total number of individuals whose information was disclosed as a result of these breaches was estimated at over 2.5 million. Out of the 93 breaches, 87 involved breach of hard copy or electronic protected health information (about 1/4 involved paper records and 3/4 involved electronic records. The vast majority of the 93 breaches involved theft or loss of the records. Many of these thefts could have been avoided with appropriate security. The government is serious about privacy and your practice, and in 2011 you will likely see increased HIPAA / HITECH enforcement. Your clinic or health care business must take appropriate steps to prevent improper disclosures of health information.
Compliance Risk Number 7: Increased Number of Qui Tams Based on Overpayments: Section 6402 of the recent Health Care Reform legislation requires that all Medicare providers, (a) return and report any Medicare overpayment, and (b) explain, in writing, the reason for the overpayment.
This law creates a minefield for physicians and other Medicare providers. First, providers have only 60 days to comply with the reporting and refund requirement from the date on which the overpayment was identified or, if applicable, the date any corresponding cost report is due, whichever is later. Of course, the legislation does not actually explain what it means to “identify” an overpayment.
From a “risk” standpoint, this change is enormous. Disgruntled employees try to file a Qui Tam (“whistleblower”) lawsuit based on a provider’s failure to return one or more Medicare overpayments to the program in a timely fashion. While the government may ultimately choose not to intervene in a False Claims Act case based on such allegations, a provider could spend a significant amount defending the case. Providers should ensure that billing personnel understand the importance of returning any overpayments identified as quickly as possible.
Compliance Risk Number 8: Third-Party Payor Actions: Third-party (non-Federal) payors are participating in Health Care Fraud Working Group meetings with DOJ and other Federal agents. Over the last year, we have seen an increase in the number of “copycat” audits initiated by third-party payor “Special Investigative Units” (SIUs). Once the government has announced the results of a significant audit, the third-party payor considers the services at issue and reviews whether it may have also been wrongly billed for such services. If so, their SIU opens a new investigation against the provider.
Compliance Risk Number 9: Employee Screening: With the expansion of the permissive exclusion authorities, more and more individuals will ultimately be excluded from Medicare. As we have seen, HHS-OIG is actively reviewing whether Medicare providers have employed individuals who have been excluded. In one recent case, HHS-OIG announced that it had assessed significant civil monetary penalties against a health care provider that employed seven individuals who the provider “knew or should have known” had been excluded from participation in Federal health care programs. These individuals were alleged to have furnished items and services for which the provider was paid by Federal health care programs. All providers should periodically screen their staff against the HHS-OIG and GSA databases to ensure that their employees have not been excluded from participation in Federal Health Benefits Programs.
Compliance Risk Number 10: Payment Suspension Actions: Last, but not least, we expect the number of payment suspension actions to increase in 2011. In late 2010, Medicare contractors recommended to CMS that this extraordinary step be taken against providers in connection with a wide variety of alleged infractions. Reasons given for suspending a provider’s Medicare number included, but were not limited to: (1) the provider failed to properly notify Medicare of a change in location, (2) the provider allegedly engaged in improper billing practices, and (3) the provider failed to fully cooperate during a site visit.
As each of these compliance risks reflect, health care providers are expected to fully comply with a wide myriad of Medicare and Medicaid statutory and regulatory requirements. Moreover, the failure to meet these obligations can subject a provider to penalties ranging from suspension from the program to criminal prosecution. Providers must take compliance seriously if they hope to thrive in 2011.
Liles Parker attorneys provide health law guidance and advice to health care providers around the country. Our attorneys have extensive experience working on compliance related matters and defending providers in connection with Medicare audits and investigations. Should you have questions regarding these and other issues, give us a call for a free consultation. We can be reached at 1 (800) 475-1906.
Medicare Exclusion Screening of Your Staff is Essential.
December 11, 2010 by Lorraine Ater
Filed under Featured, Medicare Audits
(December 11, 2010): Earlier this week, HHS-OIG announced that it had assessed significant civil monetary penalties (CMPs) against a health care provider that employed seven individuals who the provider “knew or should have known” had been excluded from participation in Federal health care programs. These individuals were alleged to have furnished items and services for which the provider was paid by Federal health care programs. Medicare exclusion screening is essential.
I. The Failure to Conduct Proper Medicare Exclusion Screening Activities Can Result in Significant CMPs.
The provider paid $376,432 to resolve these allegations. As Lewis Morris, Chief Counsel to the Office of Inspector General stated:
“Providers self-disclosing such violations will ultimately pay lower settlement amounts. . . But in cases initiated by the government — such as this one — providers will, as a matter of course, be required to pay more to resolve the matter.’
As Mr. Morris further noted:
“This case illustrates yet again that OIG will pursue CMPs when providers have employed an excluded person for the furnishing of items or services paid for by Federal health care programs,”
Notably, this matter was referred to HHS-OIG for investigation by the State Medicaid Fraud Control Unit (MFCU).
II. Lessons to be Learned.
This case illustrates a number of important lessons for all health care providers who participate in Federal Health Benefits Program, regardless of size. These lessons include:
Medicare exclusion screening of your employees is easy and quick: It takes very little effort for a provider to screen current and prospective employees against HHS-OIG list of excluded parties and GSA’ s list of parties who have been debarred from participation in Federal contracts. Notably, the failure to screen employees can be quite costly.
No mention of actual fraud or overpayment was mentioned in this case. Nevertheless, the employment of excluded individuals was found to be quite serious by HHS-OIG: HHS-OIG won’t hesitate to pursue civil monetary penalties against a provider who employs excluded individuals, despite the fact that no mention is made of any wrongful billings. Regular screenings of your employees should be made to ensure that none of your employees have been excluded from participation.
The government is serious about self-disclosing problems: HHS-OIG’s Chief Counsel went out of his way to point out that provider’s who self-disclose will ultimately pay a lower amount of damages to the government. While we recognize the government’s preference in this regard, should you identify a problem, you should contact legal counsel before making a self-disclosure. HHS-OIG’s voluntary disclosure protocol has a number of requirements that should be fully assessed prior to deciding to make a disclosure under the program. To be clear, if you owe money to the government, you must pay it back. The issue to be resolved is how to go about returning any monies to which you are not entitled. Depending on the circumstances, a provider may be better off working with their Medicare Administrative Contractor to resolve a problem. In other cases, HHS-OIG’s protocol may be the best option. Every situation is different and should be carefully assessed before action is taken.
Federal and State law enforcement teams are coordinating their actions and findings: Notably, these violations were first identified by a State MFCU who then contacted HHS-OIG. Similarly, we are seeing State Medical Boards advising ZPICs of actions they are taking against licensed health care providers. In several cases, the State Medical Board found that the provider was either not providing adequate supervision over subordinate Nurse Practitioners and Physician Assistants. The ZPIC has then used this as a basis to argue that the claims did not qualify for Medicare coverage.
In summary, health care providers should continually be reviewing their compliance efforts to ensure that basic mistakes such as the ones in this case (failure to properly conduct Medicare exclusion screening procedures of employees) do not occur.
Robert W. Liles serves as Managing Partner at Liles Parker. Robert and our other health law attorneys represent health care providers around the country in connection with compliance and other health law issues. Should you have questions about a health law issue, feel free to call us for a free consultation. We can be reached at: 1 (800) 475-1906.
Home Health Agency “Patient Recruiter” Sentenced to 63 Months in Prison for Allegedly Committing Health Care Fraud
October 18, 2010 by
Filed under HEAT Enforcement
(October 18, 2010): The U.S. Attorney’s Office for the Eastern District of Michigan, working with the FBI and HHS-OIG has announced the sentencing of yet another defendant convicted of home health fraud. As the Department of Justice’s Press Release reflects, the defendant, a nurse who worked as a “patient recruiter“ and operator of a Detroit-area home health agency, allegedly solicited Medicare beneficiaries for the home health agency where he worked and “offered them cash kickbacks in exchange for their Medicare patient information and signatures on medical documents.” The defendant also allegedly:
“admitted that he knew the beneficiaries he recruited were neither homebound nor in need of physical therapy services.” Finally, the defendant allegedly “admitted in court papers that he knew [the home health agency] used the beneficiaries’ Medicare information to bill Medicare for physical therapy that was medically unnecessary and / or never performed.” (emphasis added).
As a result, it was estimated that $6.96 million in “false or fraudulent claims [were submitted] to the Medicare program.” In this case, the defendant was sentenced to 63 months in prison for his actions.
Commentary: Over the last few months, a number of criminal prosecutions have been brought against “patient recruiters” working for home health agencies who have allegedly been involved in wrongdoing. In most cases, the defendants have been alleged to have improperly used the Medicare information of these patients to improperly bill for services that were not medically necessary and / or were not rendered. In light of these cases, it is recommended that home health agencies carefully review their marketing practices to verify that the conduct of their employees or contractors does not violate applicable statutory and regulatory requirements. It is also recommended that home health agency Compliance Officers work with outside counsel to engage outside billing / coding personnel to conduct periodic home health claims reviews so that the propriety of the skilled nursing services billed can be properly verified.
Liles Parker attorneys represent home health agencies and their officers in Medicare audits and investigations. Please call 1 (800) 475-1906 for a free consultation.
President Obama’s 2011 Funding Request Provides for Expansion of the HEAT Program to Additional Cities
October 4, 2010 by
Filed under HEAT Enforcement
(October 4, 2010): As DOJ has recently noted in its own blog, over the last Fiscal Year, DOJ (including its 94 U.S. Attorneys’ Offices), HHS’ Office of Inspector General (HHS-OIG), and the Centers for Medicare and Medicaid Services (CMS), have been extraordinarily active in jointly pursuing health care providers allegedly engaging in fraud as part of the HEAT program. As DOJ notes, the mission of the HEAT program is:
- To marshal significant resources across government to prevent waste, fraud and abuse in the Medicare and Medicaid programs and crack down on the fraud perpetrators who are abusing the system and costing us all billions of dollars.
- To reduce skyrocketing health care costs and improve quality of care by ridding the system of perpetrators who are preying on Medicare and Medicaid beneficiaries.
- To highlight best practices by providers and public sector employees who are dedicated to ending waste, fraud and abuse in Medicare.
- To build upon existing partnerships that already exist between the two agencies, including our Medicare Fraud Strike Forces to reduce fraud and recover taxpayer dollars.
Together, DOJ, HHS-OIG and CMS have accomplished the following over the last Fiscal Year:
- Filed charges against more than 800 defendants.
- Obtained 583 criminal convictions.
- Opened 886 new civil health care fraud matters.
- Obtained 337 civil administrative actions against parties committing health care fraud.
Through these coordinated efforts, more than $2.5 billion was recovered. Importantly, these successes have not gone unnoticed. President Obama’s FY 2011 budget request includes an additional $60.2 million in funding for the HEAT program initiative.
Commentary: In light of the government’s continuing efforts, we strongly recommend that our clients review their current compliance efforts to ensure that they take into account any and all risk areas that have been identified or associated with their areas of practice. Providers should work to ensure that their operations and billing activitivies fully comply with applicable statutory and regulatory billing and coding requirements.
Should you have questions, please give us a call for a complimentary consultation. We can be reached at 1 (800) 475-1906.
Counsel for HHS-OIG Discusses the Impact of Health Care Reform on Enforcement with Congress
June 22, 2010 by
Filed under Medicare Audits
(June 22, 2010): In his testimony last week before the Health and Oversight Subcommittees of the House Committee on Ways and Means, Lewis Morris, Chief Counsel to the Inspector General (OIG) of Health and Human Services (HHS), emphasized the increasing speed and intensity of HHS-OIG’s multi-pronged health care fraud enforcement efforts. Morris’ testimony reinforces the need for Medicare providers and suppliers to aggressively prepare for a knock on the door from HHS-OIG or one of its many enforcement partners.
Morris highlighted numerous new enforcement tools available under the Patient Protection and Affordable Care Act (PPACA), paying particular attention to innovations in data access and use. These measures include consolidating and sharing data across agencies, as well as deploying new technology that allows “investigators to complete in a matter of days analysis that used to take months with traditional investigative tools.”
He further praised the enhanced accountability measures contained in PPACA, such as HHS-OIG’s ability to impose civil monetary penalties for “failing to grant [upon reasonable request] timely access to HHS-OIG for investigations, audits, or evaluations.” Notably, PPACA Section 6408 provides for a penalty of $15,000 for each day for failure to grant access.
Morris’ testimony also reminded the health care community that:
- PPACA allows the HHS Secretary to suspend payments to providers or suppliers based on credible evidence of fraud. At the same time, it expands the types of conduct constituting Federal health care fraud offenses under Title 18.
- HHS-OIG has improved access to information from entities directly or indirectly involved in providing medical items or services payable by any Federal program.
Perhaps most significantly:
- Medicare and Medicaid program integrity contractors (i.e., ZPICs and PSCs) are required to provide performance statistics, “including the number and amount of overpayments recovered, number of fraud referrals, and the return on investment of such activities.” (emphasis added).
While not surprising, it is nonetheless disconcerting that ZPICs and PSCs are essentially being “graded” based on the “amount of overpayments recovered,” along with the number of enforcement actions handled and referred to law enforcement. Based on these performance measures, is there any real difference between ZPICs and RACs? While RACs may be compensated directly based on the amount of overpayments collected (and ZPICs are not), it is crystal clear that the government’s expectations of ZPICs are quite similar. Now, more than ever before, it is essential that providers implement effective compliance measures to cover their practices and clinics.
Should you have any questions regarding these issues, don’t hesitate to contact us. For a complementary consultation, you may call Robert W. Liles or one of our other attorneys at 1 (800) 475-1906.