Tag: audit

Free MossAdams Webinar | Health Care Accounting & Auditing

Health Care Accounting and Auditing: Fall 2020 Update from MossAdams

October 13, 2020 1:00 PM ET

Join us for a webcast covering the most critical developments in auditing and accounting standards that impact health care organizations, including the following:

  • Accounting implications of the ongoing pandemic and economic environment
  • Emerging reporting and audit requirements for provider relief funds
  • New and updated generally accepted accounting principles (GAAP) standards for private, not-for-profit, and government health care entities

Register Free

New I-9 Form Required

New Form I9 Effective January 22, 2017

All employers are required to begin using the new Form I9 starting on January 22, 2017. The new form can be found on the US Citizenship and Immigration Services (USCIS) website. To ensure that you are utilizing the correct form, an expiration date of August 31, 2019 is in the top right hand corner of the form.

Last year we were aware of several ambulance providers who were the subject of Form I9 audits by the USCIS which resulted in technical violations for failing to complete the form correctly. The Form I9 is the document all U.S. employers are required to have completed when hiring a new employee to assure that they are legally eligible to work in the United States. While there has been a reduction in Form I9 Audits from USCIS in 2015, employers should be prepared as the five year trend is on the rise and I am aware of several ambulance providers currently dealing with audits.

The Law

The Immigration Reform and Control Act (IRCA) of 1986 requires employers to examine documentation from each newly hired employee to prove his or her identity and eligibility to work in the United States. The IRCA led to the Form I-9 Employment Eligibility Verification, which requires employees to attest to their work eligibility, and employers to certify that the individual presented documents to the employer that appeared to for the individual and genuine. The form has very specific rules regarding when the certain section of the form must be completed, which documents the employee can proffer as proof of eligibility, and how information must be present in the different sections of the Form I9.

While most employers understand that they must obtain certain information from every newly hired employee, they are often not aware of the specific dates upon which the different sections of this form must be completed. This is where the greatest number of compliance issues arise.

The Form’s Timing

Section 1 of Form I9 is the Employee Information and Attestation section and must be completed by the employee by the close of business on the employee’s first day of employment. This section consists several mandatory fields of the personal information of the new employee and two optional fields. It includes the employee’s full name, date of birth, address, and social security number, email address (optional), telephone number (optional).  In addition, the employee must attest that they are a citizen of United States, a Non-Citizen National, a Lawful Permanent Resident, or an Alien Authorized to Work in the US. The employee must provide an Alien Registration Number or USCIS Number if they check that they are a lawful permanent resident. If they are an Alien Authorized to Work, they must provide the date their authorization expires and their Alien Registration Number. The employee must sign the document and date it. If there is a translator or preparer, they must complete the certification at the end of Section 1.

Section 2 is the Employer or Authorized Representative Review and Verification section and must be completed by the close of business on the third day of employment. This section is where many make a very simple error. First, there is a place at the top of this section where the employer must list the employee’s full name. This frequently gets left blank. Next, the employer must identify the document(s) that the employee is presenting as proof of identity and employment authorization. In Column A, there is a list of acceptable documents, typically a Passport, Permanent Resident Card, or Employment Authorization Document. One or more of these documents can be sufficient. Alternatively, the employee can present one document from each List B and C. These are typically a driver’s license and a birth certificate. These documents don’t have to be copied, but if they are, they must be kept with the Form I9.

It is critical that the employer complete the Certification section of Section 2. This is another area where employers frequently make mistakes. In the Certification, there is a section to mark the date of the employee’s first day of employment. I often find this section blank or find that the employer mistakenly enters the date that they viewed the employee’s documents. The employer needs to complete the Certification section and date it, entering the employer’s business name and address. Failure to complete any of these sections can lead to a Substantive or Technical Violation and fines.

Section 3 of the Form I9 is completed by the employer when re-verifying that an employee is authorized to work or when rehiring an employee within three years of the date on the original Form I9. It is important that employer develop a mechanism for identifying and ensuring any expiring document(s) that requires re-verification. Of course, an employer can always complete a new Form I9 for a returning employee.

Penalties

Title 8 of the Code of Federal Regulations Section 27a.10 established a fine range from $110 to $1,100 per violation.  Fines can be for either a Technical violation, one where an employer fails to ensure that the employee provided all of the personal information, name, DOB, address, etc. or a Substantive violation, where the employer fails to review and verify the required documents or when someone is working without authorization.  These fines can be issued for each individual violation and can be substantial.

Other common errors that carry fines include not documenting the title of the document that the employee presented as proof (example, US Passport, State Driver’s License and Social Security Card).  Not initialing corrections made to the form when corrections are necessary.  Not re-verifying those work authorization documents that require re-verification.

Solution

All of the fines are avoidable by ensuring that you clean up the Form I9 process within your organization. First, services should ensure that only individuals trained and knowledgeable in completing the Form I9 are involved in this process. For training, the USCIS provides great Form I9 training for free on their website. In addition, USCIS has great instructions that accompany the Form I9 and provide for video instruction on their website.  Following these instructions carefully will be the best guarantee that you will complete the form correctly.

In addition, every ambulance service should conduct an audit of their Form I9 processes within their organization. I would have one individual, who is knowledgeable about the rules, conduct a review of all Form I9s for current employees and for any employees who were terminated within the last five years. Under the Regulations, employers can purge any Form I9 documents for employees who are terminated after one year from termination or three years after the date of hire, whichever date is later. However, employers should have Form I9 documents on all employees who are currently on your payroll.

For purposes of record keeping, it is best to keep all Form I9s in one location so that they can be easily provided in the event of an audit. Employers are not required to make copies of the documents an employee provides to the employer as proof of authorization. However, if the employer does copy the documents, they should be kept with the Form I9. I recommend employers make copies of those documents, store them with the Form I9, and be kept in a secure location. If those documents are stored electronically, it is critical that there are sufficient systems in place to ensure the integrity and security of the documents including an electronic audit trail.

Many employers utilize e-Verify, the online system hosted by the USCIS in partnership with Social Security Administration (SSA) that allows employers to search the linked federal databases to ensure that employees are eligible to work in the US and verifies the employee’s Social Security Number. e-Verify is free to employers and is voluntary throughout the country. However, you should check you state law as many states have passed legislation requiring the use of e-Verify. It is easy to enroll and is a necessary part of any I9 compliance plan.

I can tell you that all of the providers that I have questioned about this issue assured me that they have adequate processes in place to ensure compliance. However, after we discussed the timing and information required for the different sections of the Form I9 that were identified in many of the audits I am aware of, it quickly became apparent that most did not really have safeguards in place.

Have an HR Question?  Ask Scott!

Findings Patterns Where None Exist

On August 16, 2016, the HHS Departmental Appeals Board (DAB) issued a decision related to CMS’ authority to revoke a Medicare supplier’s billing privileges.  The DAB is the fourth and final level of administrative appeal within the Department of Health and Human Services.

Factual Background

The case involved John P. McDonough III, Ph.D., a clinical psychologist residing in Florida, and two of his affiliated medical practices, Geriatric Psychological Specialists and Geriatric Psychological Specialists II.  In October 2014, First Coast Service Options, Inc., the Medicare Administrative Contractor for Florida, notified McDonough and both medical practices that their Medicare billing numbers were being revoked for alleged abuses of their billing privileges.  Specifically, First Coast indicated that data analysis had revealed that the three suppliers had submitted a total of 420 claims for deceased beneficiaries over an approximately two-year period.

McDonough and his two medical practices appealed for a reconsideration of the revocation of their billing privileges, which was denied in February 2015.   The suppliers then appealed for an ALJ hearing.  The suppliers conceded that they submitted more than 200 claims for beneficiaries that were deceased on the date of service.  However, they attributed these claims to data-entry errors and other clerical mistakes.  The suppliers argued that these were simple billing errors, representing a small percentage of the tens of thousands of claims they submitted during this period of time.   In December 2015, the ALJ issued his decision.  While the ALJ seemingly accepted the suppliers’ explanation that these were billing errors, and that there was no intent on the part of the suppliers’ to submit false claims, the ALJ nevertheless upheld the revocation of their billing privileges.  Citing previous DAB decisions, the ALJ held that the admitted submission of repeated claims for services to deceased beneficiaries due to “incorrect billing entries due to similar beneficiary names or Medicare numbers, and inadvertent typing errors” was not inconsistent with a finding that the suppliers’ had abused their billing privileges.

The suppliers’ then appealed to the DAB. In its decision, the DAB first noted that it has consistently rejected contentions that revocation required a finding that the supplier acted intentionally:

“The Board has long held that the regulation’s plain language does not require CMS to establish fraudulent or dishonest intent to revoke a supplier’s billing privileges under this section and that the regulatory language also does not provide any exception for inadvertent or accidental billing errors.”

The DAB then countered the suppliers’ argument that CMS never intended to revoke a supplier’s billing privileges for simple mistakes.  They cited language from the June 27, 2008 final rule, where CMS stated revocation “is not intended to be used for isolated occurrences or accidental billing errors.”  The DAB noted that CMS, in that same final rule, indicated that it would not consider the submission of three or more improper claims to be accidental.  The DAB also noted that the relatively small percentage of erroneous claims was irrelevant, as the regulation does not require CMS to establish any particular error rate or percentage of improper claims.

The DAB held that since the record established that the suppliers’ had submitted more than 3 claims for deceased beneficiaries, CMS had met the requisite legal standard for revocation.  Accordingly, the DAB upheld the revocation of the suppliers’ billing privileges.

Potential Impact on Ambulance Providers

The DAB’s decision effectively establishes a strict liability standard for revocations based on the submission of claims for deceased beneficiaries.  The submission of three or more such claims over any designated period of time could constitute legal grounds for CMS to revoke a supplier’s Medicare billing privileges. 

The implications of this decision should give every Medicare provider pause.  However, given the nature of our operations, our industry needs to pay particular attention.  The psychologist and therapists that were the subject of the above-referenced case saw patients on a scheduled basis, and spent many hours with each of their patients.  This gave them ample time to obtain insurance information from each of their patients, and to confirm the accuracy of that information.  Yet the suppliers’ still had more than 200 claims billed incorrectly.

EMS providers do not have that luxury.  We frequently encounter patients on the street or at their home.  Many of these patients do not have their insurance information on them at the time of transport.  Even when the patient had this information on their person, under the stress of an emergency medical situation, the paramedic or EMT may not record this information accurately.

As a result, our billing offices spend a good portion of their time trying to verify a patient’s insurance.  Unfortunately, some of the administrative “shortcuts” we have developed to address these problems create the potential to inadvertently submit claims for deceased patients.  While there is nothing at present that suggests that CMS intends to expand the use of its revocation authority, we probably want to rethink these shortcuts.

An example you say?

Consider a transport of an elderly woman to the hospital in an emergency.  The crew does not obtain the patient’s insurance information at the time of transport.  However, they do obtain the hospital face sheet, which lists the patient’s social security number.  To convert this social security number to a Medicare HIC#, we need to include a Medicare suffix.  How would you go about doing that?

One option would be to ping the patient’s name, date of birth and SSN against an eligibility database.  While effective, provider’s typically pay for these lookups.

Another option would be to simply guess what the applicable suffix might be, affix that to the SSN, and submit the claim.  If it goes through, the provider guessed correctly.  If it rejects as an invalid name and HIC# combination, the provider would know to try another suffix.  So let’s assume the provider elects to use this option.  Playing the percentages, the provider would likely add the “B” suffix, on the theory that, given her age, the woman likely qualified for Social Security Benefits (and therefore Medicare benefits) based on the work history of her spouse.  But what if the provider was wrong, and the woman was the primary wage earner in her family?  If that were the case, her suffix would likely be the “A.”  Now imagine that her husband shared the same Social Security numerics, and that his suffix was the “B.”  Further imagine that he has since passed, and the provider has now inadvertently submitted a claim for the dead husband.

Now imagine this happens three times in a year…

Another way we can inadvertently submit claims for dead patients is not using front-end verification.  Many providers submit claims based off the insurance information they received at the time of transport (or from the hospital, nursing home, etc.), without any attempt to confirm its accuracy.  These providers recognize that the insurance information will be correct more often than not.  They are making the calculated decision that it is easier to deal with any issues after they have been identified by the payer.  However, one reason an insurance can come back as invalid is because the crewmember recorded the HIC# incorrectly.  For example, they may transpose a few digits (i.e., they wrote “1243” rather than “1234”).  If the transposed HIC# relates to a deceased beneficiary, that would be captured by the data analytics used by the Medicare contractors.

The DAB’s decision is certainly troubling.  However, I do not believe that our industry needs to overreact.  Rather, I would encourage everyone to view the DAB’s decision as a starting point, and to re-examine their own billing and verification processes to see if there is anything they can do to reduce the likelihood of their organization every confronting this issue.

 


Have an issue you would like to see discussed in a future Talking Medicare blog? Please write to me at bwerfel@aol.com.

AAA Launches Medicare Audit Activity Survey

In an effort to better determine a pattern of Medicare audit issues facing our members, the AAA has launched a survey to identify the different types of audit activity. The AAA will use the survey to inform federal policymakers about problems identified with the audits and how best to address the issues to reduce the burden of the audits on AAA members. It is therefore critical that you complete the survey to help us determine what audit issues your operation is facing.

Start Survey

The survey is comprised of only 14 questions including contact, demographic and characteristic information about your organization and requests data about your claim denial and audit activity. The information will be kept confidential and privileged and will only be reported in the aggregate with no organization identifying information. Contact information will be used only to follow up should we have any questions.

Should you have any questions regarding the survey, please contact AAA Senior Vice President of Government Affairs Tristan North at tnorth@ambulance.org.

Thank you in advance for completing this important survey.

HHS Office of Civil Rights Announces Phase 2 HIPAA Audit Review Program

On March 21, 2016, the Office for Civil Rights of the Department of Health and Human Services announced Phase 2 of its HIPAA Audit Program.  The Health Information Technology for Economic and Clinical Health Act (HITECH) required HHS to perform periodic audits of covered entities and business associates to assess their compliance with the HIPAA Privacy, Security and Breach Notification Rules.  These rules are enforced by the HHS Office for Civil Rights (OCR).

Background on Phase 1

In 2011, OCR implemented a pilot audit program to assess the controls and processes covered entities have adopted to meet their HIPAA obligations.  The pilot audit program was conducted in three phases.  OCR first developed a set of audit protocols that it would use to evaluate covered entities’ compliance.  This protocol was then tested using a limited number of audits.   The final step involved using the revised audit protocols on a larger number of covered entities.  Ultimately, 115 covered entities were selected for review, and all audits were concluded by December 31, 2012.

Phase 2

Phase 2 of the HIPAA Audit Program will focus on the policies and procedures adopted and employed by entities to meet the requirements of the Privacy, Security, and Breach Notification Rules.  OCR has indicated that these audits will be conducted primary through desk audits (i.e., document submissions), although by a limited number of on-site audits will also be conducted.

Unlike Phase 1, which focused exclusively on covered entities, OCR is indicating that Phase 2 will involve audits of both covered entities and their business associates.

As with the initial pilot audit program, Phase 2 will consist of several stages.  The first stage involves verification of a covered entity’s or business associate’s address and contact information.  A sample address verification letter can be viewed by clicking here.  OCR has indicated that emails will be sent to entities requesting accurate contact information for the entity.  OCR will then transmit a “pre-audit questionnaire” to the entity.  These questionnaires will be used to gather data about the size, type, and operations of potential auditees.  Based on this data, OCR will create potential audit subject pools.

Note: OCR has indicated that if an entity fails to respond to OCR’s request to validate its contact information and/or fails to return the pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool.  As a result, an entity that fails to respond may still be selected for audit and/or compliance review.  OCR is specifically reminding entities to check their email “junk” or “spam” folders for any communications from OCR.

Once OCR has developed its audit subject pools, it will randomly select auditees from these pools.  Auditees will then be notified by OCR of their participation.  OCR has indicated that the first set of audits will focus on covered entities, with a subsequent round of audits focused on business associates.  These audits will focus on compliance with specific requirements of the Privacy, Security, or Breach Notification Rules.  Auditees will be notified of the scope of their audit in a document request letter.  Both of these rounds will be desk audits.  OCR indicated that all desk audits will be completed by the end of December 2016.

A third round of on-site audits will take place after the completion of the desk audits, and will examine a broader scope of requirements under HIPAA.  OCR further indicated that desk auditees may also be subject to on-site audits.

If an entity is selected for audit, OCR will notify them by email.  The email will introduce the OCR audit team, explain the audit process, and discuss OCR’s expectations in greater detail.  The email notification letter will also include initial requests for documentation.  OCR has indicated that it will expect entities to respond to these documentation requests within ten (10) business days.  Documents will be submitted through a new secure online portal.  Once received, OCR’s auditors will review the submitted information and inform the entity of its draft findings.  The entity will then have ten (10) business days to respond with written comments, if any.  OCR will then review the entity’s comments and issue a final audit report within thirty (30) business days.

OCR has indicated that the audits are primarily intended as a compliance improvement activity.  OCR will use aggregated data to better understand compliance with respect to particular aspects of the HIPAA rules.  The goal being to understand what types of technical assistance and/or corrective actions would be most helpful.  In other words, OCR is indicating that the goal of these audits is to improve its understanding of the state of compliance, and not to penalize specific companies for violations.  However, OCR indicated that should an audit reveal a serious compliance issue, OCR may initiate a further compliance review of the company.

OCR indicated that it will not post a list of the audited entities, nor will its findings be available in a format that would clearly identify the audited entity.  However, OCR noted that audit notification letters and other information regarding these audits may be discoverable under the Freedom of Information Act (FOIA).

Additional information from OCR regarding the Phase 2 HIPAA Audit Program can be obtained by clicking here.

Audit Alert! USCIS Form I9

One of the most commonly misunderstood compliance issues for any employer is the US Citizenship and Immigration Services (USCIS) Form I9. Form I9 is the document all US employers are required to have completed when hiring a new employee to assure that they are legally eligible to work in the United States. While there has been a reduction in Form I9 Audits from USCIS in 2015, employers should be prepared as the five year trend is on the rise. In fact, I am aware of several ambulance providers currently dealing with audits.

The Law

The Immigration Reform and Control Act (IRCA) of 1986 requires employers to examine documentation from each newly hired employee to prove his or her identity and eligibility to work in the United States. The IRCA led to the Form I-9 Employment Eligibility Verification, which requires employees to attest to their work eligibility, and employers to certify that the individual presented documents to the employer that appeared to for the individual and genuine. The form has very specific rules regarding when the certain section of the form must be completed, which documents the employee can proffer as proof of eligibility, and how information must be present in the different sections of the Form I9.

I believe that most employers understand that they must obtain certain information from every newly hired employee. However, with the Form I9, there are very specific dates upon which the different sections of this form must be completed. This is where the greatest number of compliance issues arise when dealing with I9 Audits.

The Form’s Timing

Section 1 of Form I9 is the Employee Information and Attestation section and must be completed by the employee by the close of business on the employee’s first day of employment. This section consists several mandatory fields of the personal information of the new employee and two optional fields. It includes the employee’s full name, date of birth, address, and social security number, email address (optional), telephone number (optional). In addition, the employee must attest that they are a citizen of United States, a Non-Citizen National, a Lawful Permanent Resident, or an Alien Authorized to Work in the US. The employee must provide an Alien Registration Number or USCIS Number if they check that they are a lawful permanent resident. If they are an Alien Authorized to Work, they must provide the date their authorization expires and their Alien Registration Number. The employee must sign the document and date it. If there is a translator or preparer, they must complete the certification at the end of Section 1.

Section 2 is the Employer or Authorized Representative Review and Verification section and must be completed by the close of business on the third day of employment. This section is where many make a very simple error. First, there is a place at the top of this section where the employer must list the employee’s full name. This frequently gets left blank. Next, the employer must identify the document(s) that the employee is presenting as proof of identity and employment authorization. In Column A, there is a list of acceptable documents, typically a Passport, Permanent Resident Card, or Employment Authorization Document. One or more of these documents can be sufficient. Alternatively, the employee can present one document from each List B and C. These are typically a driver’s license and a birth certificate. These documents don’t have to be copied, but if they are, they must be kept with the Form I9.

It is critical that the employer complete the Certification section of Section 2. This is another area where employers frequently make mistakes. In the Certification, there is a section to mark the date of the employee’s first day of employment. I often find this section blank or find that the employer mistakenly enters the date that they viewed the employee’s documents. The employer needs to complete the Certification section and date it, entering the employer’s business name and address. Failure to complete any of these sections can lead to a Substantive or Technical Violation and fines.

Section 3 of the Form I9 is completed by the employer when re-verifying that an employee is authorized to work or when rehiring an employee within three years of the date on the original Form I9. It is important that employer develop a mechanism for identifying and ensuring any expiring document(s) that requires re-verification. Of course, an employer can always complete a new Form I9 for a returning employee.

Penalties

Title 8 of the Code of Federal Regulations Section 27a.10 established a fine range from $110 to $1,100 per violation. Fines can be for either a Technical violation, one where an employer fails to ensure that the employee provided all of the personal information, name, DOB, address, etc. or a Substantive violation, where the employer fails to review and verify the required documents or when someone is working without authorization. These fines can be issued for each individual violation and can be substantial.

Other common errors that carry fines include not documenting the title of the document that the employee presented as proof (example, US Passport, State Driver’s License and Social Security Card). Not initialing corrections made to the form when corrections are necessary. Not re-verifying those work authorization documents that require re-verification.

Solution

All of the fines are avoidable by ensuring that you clean up the Form I9 process within your organization. First, services should ensure that only individuals trained and knowledgeable in completing the Form I9 are involved in this process.  The USCIS provides great Form I9 training for free on their website. In addition, USCIS has great instructions that accompany the Form I9 and provide for video instruction on their website. Following these instructions carefully will be the best guarantee that you will complete the form correctly.

In addition, every ambulance service should conduct an audit of their Form I9 processes within their organization. I would have one individual, who is knowledgeable about the rules, conduct a review of all Form I9s for current employees and for any employees who were terminated within the last five years. Employers can purge any Form I9 documents for employees who are terminated after one year from termination or three years after the date of hire, whichever date is later. However, employers should have Form I9 documents on all employees who are currently on your payroll.

For purposes of record keeping, it is best to keep all Form I9s in one location so that they can be easily provided in the event of an audit. Employers are not required to make copies of the documents an employee provides to the employer as proof of authorization. However, if the employer does copy the documents, they should be kept with the Form I9. I recommend employers make copies of those documents, store them with the Form I9, and be kept in a secure location. If those documents are stored electronically, it is critical that there are sufficient systems in place to ensure the integrity and security of the documents including an electronic audit trail.

Many employers utilize e-Verify, the online system hosted by the USCIS in partnership with Social Security Administration (SSA) that allows employers to search the linked federal databases to ensure that employees are eligible to work in the US and verifies the employee’s Social Security Number. e-Verify is free to employers and is voluntary throughout the country. However, you should check you state law as many states have passed legislation requiring the use of e-Verify. It is easy to enroll and is a necessary part of any I9 compliance plan.

I can tell you that all of the providers that I have questioned about this issue assured me that they have adequate processes in place to ensure compliance. However, after we discussed the timing and information required for the different sections of the Form I9 that were identified in many of the audits I am aware of, it quickly became apparent that most did not really have safeguards in place.