Articles Posted in Compliance

Published on:

Members of the United States House Energy and Commerce Committee sent a request on June 26, 2012 to the Government Accountability Office (GAO) requesting a study of redundancy in Centers for Medicare and Medicaid Services (CMS) contractor audits. The request included four specific questions that, at a minimum, the committee wants studied:

1. What process does CMS use to determine whether the contractors’ audit criteria and methodologies are valid, clear, and consistent?

2. How does CMS coordinate among these contractors to ensure that their interactions with providers are not duplicative? Is there any evidence of providers being subjected to multiple overlapping audits on the same topic? If so, how frequently does this occur? Is there any justification for a single provider being audited by multiple contractors at the same time?

3. What are the reasons for requesting that similar information be submitted to multiple contractors? Are there steps CMS is taking to limit duplicative audits, while still ensuring contractors have the tools necessary to pursue program integrity efforts?

4. Does CMS have a strategic plan to coordinate and oversee all of its audit activities and, if so, how is that plan implemented and overseen?

The request asks that all Centers for Medicare and Medicaid Services contractors be studied, including Medicare Administrative Contractors (MACs), Recovery Audit Contractors (RACs), Zone Program Integrity Contractors (ZPICs), Program Safeguard Contractors (PSCs), and Comprehensive Error Rate Testing Review contractors (CERTs).

The request asks that the GAO “undertake a study that focuses on coordination among contractor efforts and CMS efforts to oversee these contractors to ensure that they are working efficiently and effectively while guaranteeing that beneficiaries are receiving care to which they are entitled.”

Published on:

The United States Department of Justice (“DOJ”) announced yesterday that a Detroit-area resident, Louisa Thompson, pleaded guilty on June 20, 2012, to one count of criminal conspiracy to commit health care fraud in the Eastern District of Michigan federal court.

The Health Care Fraud Prevention and Enforcement Action Team (HEAT) task force, a DOJ and U.S. Department of Health and Human Services (HHS) multi-agency joint venture, headed the investigation of Ms. Thompson. The HEAT task force, which is an initiative of the federal Medicare Fraud Strike Force, uses data analysis and community policing to detect health care fraud perpetrators who steal billions of dollars from the federal government.

The task force discovered that since 2006, Ms. Thompson had billed Medicare for psychotherapy services through two companies, TGW Medical Inc. and Caldwell Thompson Manor Inc., despite these services having never been performed, or performed by unlicensed staff. Ms. Thompson has yet to be sentenced in the case, and faces up to 10 years imprisonment and a $250,000 fine.

Based on recent Medicare Fraud Task Force activity, it appears the HEAT task force is targeting psychological and psychotherapy service providers aggressively, both for criminal prosecution and for civil actions to recover money that Medicare and Medicaid have paid. The government’s most-used tool in civil health care cases is the False Claims Act.

The False Claims Act (FCA) was drafted in 1893 and was originally intended to prohibit and prevent fraudulent claims against the government during the Civil War. Its purpose was to force government contractors to deliver promised materials, hold them accountable if they did not, and deter fraudulent activity. Under the FCA a qui tam relator (whistleblower) could bring suit on behalf of the United States, and be rewarded with a percentage of the government’s recovery.

In the late-1980s the federal government began using the FCA to pursue fraud in the federal health care programs. In recent years the government has relied on the FCA to combat fraud and abuse in the healthcare arena for conduct that did not reach the standards for criminal prosecution. The penalties for violation of the FCA can be up to $11,000 per false claim as well as three times the damage to the government.

Published on:

On June 8, 2012, Robert Vito, Regional Inspector General for Evaluation and Inspections at the U.S. Department of Health and Human Services (HHS), Office of Inspector General (OIG), testified before the House Energy and Commerce Committee: Subcommittee on Oversight and Investigations. The testimony focused on the current OIG assessment of Medicare contractors’ efforts to counteract fraud at present and in the near future. The testimony focused on Zone Program Integrity Coordinators (ZPIC), who audit and investigate claims and providers enrolled in Medicare Part A and B, and Medicare Drug Integrity Contractors (MEDIC), who focus on Medicare Part C and D.

The testimony revealed that OIG reviews over the last 10 years have found recurring, persistent issues with Medicare contractor performance. These issues include:

• Limited results from proactive data analysis.
• Difficulties in obtaining the data needed to detect fraud.
• Inaccurate and inconsistent data reported by contractors.
• Limited use by CMS of contractor-reported fraud and abuse activity data in evaluating contractor performance and investigating variability across contractors.
• Lack of program vulnerability identification and resolution.

One major area for concern for the OIG is proactive data analysis. Medicare contractors, like ZPICs and MEDICs, have continued to pursue a “pay and chase” model of benefit integrity activity, rather than the proactive approach that HHS would like to implement. Proactive analysis would potentially identify fraudulent or otherwise inappropriate claims before they are paid rather than after. Proactive and early identification of fraud and inappropriate payments accounted for only 7 percent of ZPIC investigations, according to a 2011 OIG report. The vast majority of ZPIC and MEDIC audit and investigative activity is based upon “reactive methods” like complaints from other sources.

Vito’s testimony also indicated inaccuracies and lack of uniformity in ZPIC and MEDIC data. System issues, reporting errors, and differing interpretations of fraud terms and definitions have caused drastically different reporting results from different Medicare contractors. In one case, one ZPIC reported 7 times more investigations originating from external sources than the other. This inconsistency prevented OIG from making a conclusive assessment of ZPIC and MEDIC activities.

OIG review found that despite the requirement that Medicare benefit integrity contractors identify and report systemic vulnerabilities in the Medicare program, some contractors are not reporting any vulnerabilities. Vulnerabilities are defined by CMS as fraud, waste, or abuse identified through analysis of Medicare data. In 2009 a total of 62 program vulnerabilities were reported to CMS. Only 21 vulnerabilities included an estimated monetary impact as required. These 21 vulnerabilities totaled an estimated monetary impact of $1.2 billion. As of January 2011, CMS had taken no action on 75% of the vulnerabilities reported in 2009.

The testimony recommended the following continuing actions to improve benefit integrity contractor performance:

• Oversee proactive identification of fraud.
• Provide timely data access.
• Improve accuracy of contractor-reported fraud activity data.
• Assess variability in performance across contractors.
• Ensure program vulnerability identification and resolution.
• Improve overpayment identification and collection.

The OIG will also continue to review Medicare benefit integrity issues, which include continuing evaluations of overpayments and Medicare debt collection, and examining the activities of MACs and RACs. Reviews of new enrollment procedures and prepayment identification of inappropriate claims will also begin.

Published on:

On May 29, 2012, the United States District Court for the Eastern District of North Carolina overturned the Medicare Appeals Council’s (MAC’s) decision regarding one evaluation and management (E/M) service claim.

Six years earlier, a CMS Program Safeguard Contractor audited Dr. Ojebuoboh. It was determined that the government had overpaid Dr. Ojebuoboh approximately $179,000. Dr. Ojebuoboh contested the overpayment through the five-step Medicare appeals process. Before the matter reached federal district court, the physician had managed to reduce the overpayment amount to $12,000.

On appeal to federal district court, Dr. Ojebuoboh argued, among other things, that the MAC reached the wrong decision as to services provided for three beneficiaries: WB, MT, and OW. At this stage, Dr. Ojebuoboh had the right to judicial review of specific claims; however, in order to overturn the prior holding he had to prove that the MAC’s decision was arbitrary and capricious. This is a difficult standard to prove as it presumes that the MAC’s decision is correct. The federal district court determined that the MAC must explain its reasons for denying the claims, yet it need not thoroughly detail every element of every component.

Published on:

On May 31, 2012, Department of Health and Human Services (HHS) Director of the Office of Civil Rights Leon Rodriguez issued a memo to consumers regarding those consumers’ right to access their protected health information and medical records. In this memo, Rodriguez stressed that it is important for consumers and providers to remember that the Health Insurance Portability and Accountability Act (HIPAA) not only provides protection for personal health information, but also provides consumers with the right to view and obtain copies of health records.

Many providers, when dealing with HIPAA compliance, tend to focus on safeguarding protected health information, but fail to recognize the importance of patient rights including the right to access. Under HIPAA, patients have the right to view their health records from most providers, pharmacies, and health plans. Patients also have the right to obtain copies of those records in the form they choose, be it electronic or on paper, if the provider is able to do so.

Providers can charge patients a reasonable amount for the copies of health records the patient receives, and any cost for mailing the records. This amount is statutorily regulated in most states. It is important to note that a provider cannot charge a fee for searching for and retrieving records, and providers cannot withhold access to records because a patient has not paid for services received.

Published on:

The Office of Civil Rights (OCR) announced yesterday that its Health Insurance Portability and Accountability Act (HIPAA) Enforcement Training tools would be available to the general public today, June 5, 2012.

Since 2009, as part of the Health Information Technology for Clinical and Economic Health (HITECH) Act, State Attorneys General (SAGs) were given the authority to bring civil suit for HIPAA violations on behalf of the aggrieved patients. To assist SAGs, the OCR developed a wide range of HIPAA Privacy and Security Rules compliance, enforcement, and training tools.

Included in the materials are computer-based modules, and videos and slides from in-person training sessions covering the following topics:

  • General Introduction to the HIPAA Privacy and Security Rules
  • Analysis of the impact of the HITECH Act on the HIPAA Privacy and Security Rules
  • Investigative techniques for identifying and prosecuting potential violations
  • A review of HIPAA and State Law
  • OCR’s role in enforcing the HIPAA Privacy and Security Rules
  • SAG roles and responsibilities under HIPAA and the HITECH Act
  • Resources for SAG in pursuing alleged HIPAA violations
  • HIPAA Enforcement Support and Results

These materials may be a helpful training tool for health care providers and privacy officers. The materials highlight to whom, what, where, when, and how HIPAA Rules will be enforced and provide basic summaries of the HIPAA Privacy and Security Rule requirements.

Published on:

On May 10, 2012 the United States Court of Appeals for the Ninth District decided that criminal charges under the Health Insurance Portability and Accountability Act (HIPAA) do not require that an individual have knowledge that their actions are illegal. The case, United States of America v. Zhou, is the first such case to establish that the knowledge requirements of a criminal HIPAA violation apply only to the fact that the information accessed was protected health information, and not that obtaining the information was in violation of HIPAA.

Under the statute, HIPAA provides that a criminal penalty applies to a person who knowingly and in violation of the statute, uses, obtains, or discloses protected health information. Zhou argued that the statute requires knowledge that the information obtained was protected health information, as well as knowledge that obtaining it was illegal. The court rejected the argument and determined that the language of HIPAA is plain. The court found that the word “and” unambiguously indicates that there are two elements of a violation, and that knowingly applies only to obtaining the protected health information, and not to the fact that obtaining the protected health information was illegal.

The statute at issue in the decision is 42 U.S.C §1320d-6a, which reads as follows:

(a) Offense A person who knowingly and in violation of this part–

(1) uses or causes to be used a unique health identifier;

(2) obtains individually identifiable health information relating to an individual; or

(3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b) of this section. For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d-9 (b)(3) of this title) and the individual obtained or disclosed such information without authorization.

Penalties for violations of the statute can include fines of up to $250,000, imprisonment for up to 10 years, or both.

Published on:

As part of healthcare reform, Section 6401(a) of the Affordable Care Act requires all providers and suppliers who enrolled in the Medicare program prior to March 25, 2011 to revalidate their provider enrollment under the new screening criteria. Providers and suppliers who enrolled after March 25, 2011 do not need to revalidate at this time as they have already been screened.

Medicare Administrative Contractors (MACs) will be sending revalidation notices to individual providers and suppliers between now and March 23, 2015. Providers and suppliers must complete the enrollment forms within 60 days of receiving the request from the MACs. If a provider fails to submit the provider enrollment forms after receiving the request, it may lead to a suspension of the provider’s Medicare billing privileges.

Providers and suppliers may not revalidate their provider enrollment until they have received a revalidation notice from their MAC. The CMS website provides a list of all the providers and suppliers to whom revalidation notices have been sent (See “download” section). The notices are listed according to the month in which the revalidation notice has been sent, and CMS updates these lists on a bimonthly basis. In case a revalidation notice has been sent but never received, every provider is encouraged to check the list to determine whether or not they are currently expected to revalidate. If you are listed, but have not received the request, you should contact your Medicare contractor.

Published on:

On May 3, 2012, the Centers for Medicare and Medicaid Services (CMS) announced, via the CMS blog, that CMS will not require data collection by applicable manufacturers and group purchasing organizations under the Physician Payments Sunshine Act (PPSA) before January 1, 2013. The announcement indicates that the final rule will be released later this year and that the additional time will allow CMS to address operational and implementation issues and provide time for organizations to prepare for data submission.

The PPSA was a section of the Affordable Care Act of 2010 intended to provide transparency by requiring reporting of payments or gifts to physicians, and of physician ownership and investment interests. The proposed rule implementing the PPSA was released December 19, 2011, and the announced delay is partly a result of the comments received from stakeholders during the 60-day comment period. The final rule was originally scheduled to be released for implementation on January 1, 2012.

The proposed rule requires that applicable manufacturers that sell or distribute a covered drug, device, biological, or medical supply disclose certain payments or other transfers of value to covered recipients. A covered recipient is a physician, other than a physician who is an employee of the applicable manufacturer, or a teaching hospital. The rule also requires the disclosure of payments or transfers of value to the immediate families of covered recipients.

Published on:

On April 27, 2012, the Centers for Medicare and Medicaid Services (CMS) published a final rule that states new provider and supplier requirements. The final rule requires all providers and suppliers that qualify for a National Provider Identifier (NPI) to include their NPI on all enrollment applications for Medicare or Medicaid, and on all claims submitted for payment. The rule further states that any claim submitted without the appropriate NPIs will be denied. The final rule also requires that all prescriptions under Medicare Part D include an NPI for the prescribing physician. The rule is intended to help detect fraud more efficiently and accurately, and is estimated to save taxpayers $1.59 billion over ten years.

In a press release, CMS announced that the rule “ensures that only qualified, identifiable providers and suppliers can order or certify certain medical services, equipment, and supplies for people with Medicare.”

Additionally, the rule requires that physicians and other professionals who are permitted to order and certify covered items and services for Medicare beneficiaries be enrolled in Medicare. In an effort to further track and monitor claims, Part B items and services ordered or referred by a physician or eligible professional can only be submitted if the physician or eligible professional has an approved enrollment record, or a valid opt-out record, in the Medicare Provider Enrollment, Chain, and Ownership System (PECOS).

Finally, the rule mandates document retention requirements for providers and suppliers that order and certify items and services for Medicare beneficiaries. Under the final rule, providers and suppliers must maintain ordering and referring documentation, including the NPI, received from a physician or eligible non-physician practitioner for seven years from the date of service. Further, failure to comply with the documentation retention requirements is reason for revocation.