Skip to main content

Tag: audit

Findings Patterns Where None Exist

On August 16, 2016, the HHS Departmental Appeals Board (DAB) issued a decision related to CMS’ authority to revoke a Medicare supplier’s billing privileges.  The DAB is the fourth and final level of administrative appeal within the Department of Health and Human Services.

Factual Background

The case involved John P. McDonough III, Ph.D., a clinical psychologist residing in Florida, and two of his affiliated medical practices, Geriatric Psychological Specialists and Geriatric Psychological Specialists II.  In October 2014, First Coast Service Options, Inc., the Medicare Administrative Contractor for Florida, notified McDonough and both medical practices that their Medicare billing numbers were being revoked for alleged abuses of their billing privileges.  Specifically, First Coast indicated that data analysis had revealed that the three suppliers had submitted a total of 420 claims for deceased beneficiaries over an approximately two-year period.

McDonough and his two medical practices appealed for a reconsideration of the revocation of their billing privileges, which was denied in February 2015.   The suppliers then appealed for an ALJ hearing.  The suppliers conceded that they submitted more than 200 claims for beneficiaries that were deceased on the date of service.  However, they attributed these claims to data-entry errors and other clerical mistakes.  The suppliers argued that these were simple billing errors, representing a small percentage of the tens of thousands of claims they submitted during this period of time.   In December 2015, the ALJ issued his decision.  While the ALJ seemingly accepted the suppliers’ explanation that these were billing errors, and that there was no intent on the part of the suppliers’ to submit false claims, the ALJ nevertheless upheld the revocation of their billing privileges.  Citing previous DAB decisions, the ALJ held that the admitted submission of repeated claims for services to deceased beneficiaries due to “incorrect billing entries due to similar beneficiary names or Medicare numbers, and inadvertent typing errors” was not inconsistent with a finding that the suppliers’ had abused their billing privileges.

The suppliers’ then appealed to the DAB. In its decision, the DAB first noted that it has consistently rejected contentions that revocation required a finding that the supplier acted intentionally:

“The Board has long held that the regulation’s plain language does not require CMS to establish fraudulent or dishonest intent to revoke a supplier’s billing privileges under this section and that the regulatory language also does not provide any exception for inadvertent or accidental billing errors.”

The DAB then countered the suppliers’ argument that CMS never intended to revoke a supplier’s billing privileges for simple mistakes.  They cited language from the June 27, 2008 final rule, where CMS stated revocation “is not intended to be used for isolated occurrences or accidental billing errors.”  The DAB noted that CMS, in that same final rule, indicated that it would not consider the submission of three or more improper claims to be accidental.  The DAB also noted that the relatively small percentage of erroneous claims was irrelevant, as the regulation does not require CMS to establish any particular error rate or percentage of improper claims.

The DAB held that since the record established that the suppliers’ had submitted more than 3 claims for deceased beneficiaries, CMS had met the requisite legal standard for revocation.  Accordingly, the DAB upheld the revocation of the suppliers’ billing privileges.

Potential Impact on Ambulance Providers

The DAB’s decision effectively establishes a strict liability standard for revocations based on the submission of claims for deceased beneficiaries.  The submission of three or more such claims over any designated period of time could constitute legal grounds for CMS to revoke a supplier’s Medicare billing privileges. 

The implications of this decision should give every Medicare provider pause.  However, given the nature of our operations, our industry needs to pay particular attention.  The psychologist and therapists that were the subject of the above-referenced case saw patients on a scheduled basis, and spent many hours with each of their patients.  This gave them ample time to obtain insurance information from each of their patients, and to confirm the accuracy of that information.  Yet the suppliers’ still had more than 200 claims billed incorrectly.

EMS providers do not have that luxury.  We frequently encounter patients on the street or at their home.  Many of these patients do not have their insurance information on them at the time of transport.  Even when the patient had this information on their person, under the stress of an emergency medical situation, the paramedic or EMT may not record this information accurately.

As a result, our billing offices spend a good portion of their time trying to verify a patient’s insurance.  Unfortunately, some of the administrative “shortcuts” we have developed to address these problems create the potential to inadvertently submit claims for deceased patients.  While there is nothing at present that suggests that CMS intends to expand the use of its revocation authority, we probably want to rethink these shortcuts.

An example you say?

Consider a transport of an elderly woman to the hospital in an emergency.  The crew does not obtain the patient’s insurance information at the time of transport.  However, they do obtain the hospital face sheet, which lists the patient’s social security number.  To convert this social security number to a Medicare HIC#, we need to include a Medicare suffix.  How would you go about doing that?

One option would be to ping the patient’s name, date of birth and SSN against an eligibility database.  While effective, provider’s typically pay for these lookups.

Another option would be to simply guess what the applicable suffix might be, affix that to the SSN, and submit the claim.  If it goes through, the provider guessed correctly.  If it rejects as an invalid name and HIC# combination, the provider would know to try another suffix.  So let’s assume the provider elects to use this option.  Playing the percentages, the provider would likely add the “B” suffix, on the theory that, given her age, the woman likely qualified for Social Security Benefits (and therefore Medicare benefits) based on the work history of her spouse.  But what if the provider was wrong, and the woman was the primary wage earner in her family?  If that were the case, her suffix would likely be the “A.”  Now imagine that her husband shared the same Social Security numerics, and that his suffix was the “B.”  Further imagine that he has since passed, and the provider has now inadvertently submitted a claim for the dead husband.

Now imagine this happens three times in a year…

Another way we can inadvertently submit claims for dead patients is not using front-end verification.  Many providers submit claims based off the insurance information they received at the time of transport (or from the hospital, nursing home, etc.), without any attempt to confirm its accuracy.  These providers recognize that the insurance information will be correct more often than not.  They are making the calculated decision that it is easier to deal with any issues after they have been identified by the payer.  However, one reason an insurance can come back as invalid is because the crewmember recorded the HIC# incorrectly.  For example, they may transpose a few digits (i.e., they wrote “1243” rather than “1234”).  If the transposed HIC# relates to a deceased beneficiary, that would be captured by the data analytics used by the Medicare contractors.

The DAB’s decision is certainly troubling.  However, I do not believe that our industry needs to overreact.  Rather, I would encourage everyone to view the DAB’s decision as a starting point, and to re-examine their own billing and verification processes to see if there is anything they can do to reduce the likelihood of their organization every confronting this issue.

 


Have an issue you would like to see discussed in a future Talking Medicare blog? Please write to me at bwerfel@aol.com.

AAA Launches Medicare Audit Activity Survey

In an effort to better determine a pattern of Medicare audit issues facing our members, the AAA has launched a survey to identify the different types of audit activity. The AAA will use the survey to inform federal policymakers about problems identified with the audits and how best to address the issues to reduce the burden of the audits on AAA members. It is therefore critical that you complete the survey to help us determine what audit issues your operation is facing.

Start Survey

The survey is comprised of only 14 questions including contact, demographic and characteristic information about your organization and requests data about your claim denial and audit activity. The information will be kept confidential and privileged and will only be reported in the aggregate with no organization identifying information. Contact information will be used only to follow up should we have any questions.

Should you have any questions regarding the survey, please contact AAA Senior Vice President of Government Affairs Tristan North at tnorth@ambulance.org.

Thank you in advance for completing this important survey.

HHS Office of Civil Rights Announces Phase 2 HIPAA Audit Review Program

On March 21, 2016, the Office for Civil Rights of the Department of Health and Human Services announced Phase 2 of its HIPAA Audit Program.  The Health Information Technology for Economic and Clinical Health Act (HITECH) required HHS to perform periodic audits of covered entities and business associates to assess their compliance with the HIPAA Privacy, Security and Breach Notification Rules.  These rules are enforced by the HHS Office for Civil Rights (OCR).

Background on Phase 1

In 2011, OCR implemented a pilot audit program to assess the controls and processes covered entities have adopted to meet their HIPAA obligations.  The pilot audit program was conducted in three phases.  OCR first developed a set of audit protocols that it would use to evaluate covered entities’ compliance.  This protocol was then tested using a limited number of audits.   The final step involved using the revised audit protocols on a larger number of covered entities.  Ultimately, 115 covered entities were selected for review, and all audits were concluded by December 31, 2012.

Phase 2

Phase 2 of the HIPAA Audit Program will focus on the policies and procedures adopted and employed by entities to meet the requirements of the Privacy, Security, and Breach Notification Rules.  OCR has indicated that these audits will be conducted primary through desk audits (i.e., document submissions), although by a limited number of on-site audits will also be conducted.

Unlike Phase 1, which focused exclusively on covered entities, OCR is indicating that Phase 2 will involve audits of both covered entities and their business associates.

As with the initial pilot audit program, Phase 2 will consist of several stages.  The first stage involves verification of a covered entity’s or business associate’s address and contact information.  A sample address verification letter can be viewed by clicking here.  OCR has indicated that emails will be sent to entities requesting accurate contact information for the entity.  OCR will then transmit a “pre-audit questionnaire” to the entity.  These questionnaires will be used to gather data about the size, type, and operations of potential auditees.  Based on this data, OCR will create potential audit subject pools.

Note: OCR has indicated that if an entity fails to respond to OCR’s request to validate its contact information and/or fails to return the pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool.  As a result, an entity that fails to respond may still be selected for audit and/or compliance review.  OCR is specifically reminding entities to check their email “junk” or “spam” folders for any communications from OCR.

Once OCR has developed its audit subject pools, it will randomly select auditees from these pools.  Auditees will then be notified by OCR of their participation.  OCR has indicated that the first set of audits will focus on covered entities, with a subsequent round of audits focused on business associates.  These audits will focus on compliance with specific requirements of the Privacy, Security, or Breach Notification Rules.  Auditees will be notified of the scope of their audit in a document request letter.  Both of these rounds will be desk audits.  OCR indicated that all desk audits will be completed by the end of December 2016.

A third round of on-site audits will take place after the completion of the desk audits, and will examine a broader scope of requirements under HIPAA.  OCR further indicated that desk auditees may also be subject to on-site audits.

If an entity is selected for audit, OCR will notify them by email.  The email will introduce the OCR audit team, explain the audit process, and discuss OCR’s expectations in greater detail.  The email notification letter will also include initial requests for documentation.  OCR has indicated that it will expect entities to respond to these documentation requests within ten (10) business days.  Documents will be submitted through a new secure online portal.  Once received, OCR’s auditors will review the submitted information and inform the entity of its draft findings.  The entity will then have ten (10) business days to respond with written comments, if any.  OCR will then review the entity’s comments and issue a final audit report within thirty (30) business days.

OCR has indicated that the audits are primarily intended as a compliance improvement activity.  OCR will use aggregated data to better understand compliance with respect to particular aspects of the HIPAA rules.  The goal being to understand what types of technical assistance and/or corrective actions would be most helpful.  In other words, OCR is indicating that the goal of these audits is to improve its understanding of the state of compliance, and not to penalize specific companies for violations.  However, OCR indicated that should an audit reveal a serious compliance issue, OCR may initiate a further compliance review of the company.

OCR indicated that it will not post a list of the audited entities, nor will its findings be available in a format that would clearly identify the audited entity.  However, OCR noted that audit notification letters and other information regarding these audits may be discoverable under the Freedom of Information Act (FOIA).

Additional information from OCR regarding the Phase 2 HIPAA Audit Program can be obtained by clicking here.

Stay In Touch!

By signing up, you agree to the AAA Privacy Policy & Terms of Use