(December 31, 2010): In case you missed it, Congress, President Obama and the healthcare regulators had a banner year with respect to regulatory activism in 2010. Over the next several weeks we will be releasing a series of articles on our website addressing these dramatic changes and the compliance risks they present for your practice, clinic or health care business in 2011:
Compliance Risk Number 1: Increased “HEAT” Activity and Enforcement: Perhaps the greatest risk to consider in 2011 is the increase in targeted health care fraud enforcement efforts by the government’s Health Care Fraud Prevention and Enforcement Action Team (HEAT). These teams are comprised of top level law enforcement and professional staff from the U.S. Department of Justice (DOJ), the Department of Health and Human Services (HHS), and their various operating divisions. HEAT team initiatives have been extraordinarily successful in coordinating multi-agency efforts to both prevent health care fraud and enforce current anti-fraud initiatives.
As DOJ noted in September 2010, over the previous Fiscal Year, DOJ (including its 94 U.S. Attorneys’ Offices), HHS’ Office of Inspector General (HHS-OIG), and the Centers for Medicare and Medicaid Services (CMS), jointly accomplished the following:
- Filed charges against more than 800 defendants.
- Obtained 583 criminal convictions.
- Opened 886 new civil health care fraud matters.
- Obtained 337 civil administrative actions against parties committing health care fraud.
- Through these efforts, more than $2.5 billion was recovered as a result of the criminal, civil and administrative actions handled by these joint agencies.
President Obama’s FY 2011 budget request includes an additional $60.2 million in funding for the HEAT program.These funds will be used to establish additional teams and further fund existing investigations. Now, more than ever, it is imperative that you ensure that your Compliance Plan is both up-to-date and fully implemented. Medicare providers are obligated to adhere to statutory and regulatory requirements and the government’s HEAT teams are aggressively investigating providers who fail to comply with the law.
Compliance Risk Number 2: Zone Program Integrity Contractor (ZPIC) / Program SafeGuard Contractor (PSC) / Recovery Audit Contractor (RAC) Audits of Medicare Claims: As you already know, private contractor reviews of Medicare claims are big business – one ZPIC was awarded a five-year contract worth over $100 million. In 2011, we should expect to see:
- The number of ZPIC / PSC / RAC audits of Physician Practices, Home Health Agencies, Hospice Companies, DME Suppliers and Chiropractic Clinics will greatly increase in 2011.
- The reliance of both contractors and the government on data mining will continue to grow. Providers targeted will likely be based on utilization rates, prescribing practices and billing / coding profiles.
- An increase in the number of Administrative Law Judge (ALJ) hearings in where ZPIC representatives choose to attend the hearing as a “participant.” In these hearings, the ZPIC representative will likely aggressively oppose any arguments in support of payment that you present.
Are you ready for an unannounced / unanticipated site visit or audit? When is the last time that you have conducted an internal review of your billing / coding practices? Are you aware of the hidden dangers when conducting these reviews? In 2011, your Compliance Officer may very well be your most important non-clinical staff member. Physicians and other providers should work with their Compliance Officer to better prepare for the unexpected audit or investigation.
Compliance Risk Number 3: Electronic Medical Records: Unfortunately, some early adopters of Electronic Medical Records (EMR) software are now having to respond to “cloning” and / or “carry over” concerns raised by ZPICs and Program SafeGuard Contractors (PSCs). In a number of cases, these audits appear to be the result (at least in part) of inadequately designed software programs which generate progress notes and other types of medical records that do not adequately require the provider to document individualized observations. Instead, the information gathered is often sparse and similar for each of the patients treated. Take care before converting your practice or clinic to an EMR system. Include your Compliance Officer in the selection and review process.
Compliance Risk Number 4: Physician Quality Reporting Initiative (PQRI) Issues: Under the Health Care Reform legislation passed last March. PQRI was changed from a voluntary “bonus” program to one in which penalties will be assessed if a provider does not properly participate. As of 2015, the penalty will be 1.5% and will increase to 2.0% in 2016 and subsequent years. Additionally, questions about the use of PQRI date in “Program Integrity” targeting remain unanswered. Once again, it is essential that your Compliance Officer provide guidance to your staff regarding this program and its potential impact.
Compliance Risk Number 5: Medicaid Integrity Contractors (MICs) and Medicaid Recovery Audit Contractors (MDRACs): In recent months, we have seen a marked increase in the number of MIC inquiries and audits initiated in southern States. Notably, the information and documentation requested has often been substantial. Medicaid providers must now also contend with MDRACs. As a result of health care reform, MDRACs are now mandatory in every State and are may initiate reviews and audits as soon as March 2011. Compliance Officers should review their current risk areas and ensure that Medicaid coding and billing activities are actively monitored to better ensure statutory / regulatory adhereance.
Compliance Risk Number 6: HIPAA / HITECH Privacy Violations: Failure to comply with HIPAA can result in civil and / or criminal penalties. (42 USC § 1320d-5).
- Civil Penalties – A large retail drug store company was recently fined $2.25 million for failure to properly dispose of protected information.
- Criminal Penalties – Earlier this year, a physician in Los Angeles, CA, was sentenced to four months in prison after admitting he improperly accessed individual health information.
As of mid-2010, there had been 93 breaches affecting 500 or more individuals. The total number of individuals whose information was disclosed as a result of these breaches was estimated at over 2.5 million. Out of the 93 breaches, 87 involved breach of hard copy or electronic protected health information (about 1/4 involved paper records and 3/4 involved electronic records. The vast majority of the 93 breaches involved theft or loss of the records. Many of these thefts could have been avoided with appropriate security. The government is serious about privacy and your practice, and in 2011 you will likely see increased HIPAA / HITECH enforcement. Your clinic or health care business must take appropriate steps to prevent improper disclosures of health information.
Compliance Risk Number 7: Increased Number of Qui Tams Based on Overpayments: Section 6402 of the recent Health Care Reform legislation requires that all Medicare providers, (a) return and report any Medicare overpayment, and (b) explain, in writing, the reason for the overpayment.
This law creates a minefield for physicians and other Medicare providers. First, providers have only 60 days to comply with the reporting and refund requirement from the date on which the overpayment was identified or, if applicable, the date any corresponding cost report is due, whichever is later. Of course, the legislation does not actually explain what it means to “identify” an overpayment.
From a “risk” standpoint, this change is enormous. Disgruntled employees try to file a Qui Tam (“whistleblower”) lawsuit based on a provider’s failure to return one or more Medicare overpayments to the program in a timely fashion. While the government may ultimately choose not to intervene in a False Claims Act case based on such allegations, a provider could spend a significant amount defending the case. Providers should ensure that billing personnel understand the importance of returning any overpayments identified as quickly as possible.
Compliance Risk Number 8: Third-Party Payor Actions: Third-party (non-Federal) payors are participating in Health Care Fraud Working Group meetings with DOJ and other Federal agents. Over the last year, we have seen an increase in the number of “copycat” audits initiated by third-party payor “Special Investigative Units” (SIUs). Once the government has announced the results of a significant audit, the third-party payor considers the services at issue and reviews whether it may have also been wrongly billed for such services. If so, their SIU opens a new investigation against the provider.
Compliance Risk Number 9: Employee Screening: With the expansion of the permissive exclusion authorities, more and more individuals will ultimately be excluded from Medicare. As we have seen, HHS-OIG is actively reviewing whether Medicare providers have employed individuals who have been excluded. In one recent case, HHS-OIG announced that it had assessed significant civil monetary penalties against a health care provider that employed seven individuals who the provider “knew or should have known” had been excluded from participation in Federal health care programs. These individuals were alleged to have furnished items and services for which the provider was paid by Federal health care programs. All providers should periodically screen their staff against the HHS-OIG and GSA databases to ensure that their employees have not been excluded from participation in Federal Health Benefits Programs.
Compliance Risk Number 10: Payment Suspension Actions: Last, but not least, we expect the number of payment suspension actions to increase in 2011. In late 2010, Medicare contractors recommended to CMS that this extraordinary step be taken against providers in connection with a wide variety of alleged infractions. Reasons given for suspending a provider’s Medicare number included, but were not limited to: (1) the provider failed to properly notify Medicare of a change in location, (2) the provider allegedly engaged in improper billing practices, and (3) the provider failed to fully cooperate during a site visit.
As each of these compliance risks reflect, health care providers are expected to fully comply with a wide myriad of Medicare and Medicaid statutory and regulatory requirements. Moreover, the failure to meet these obligations can subject a provider to penalties ranging from suspension from the program to criminal prosecution. Providers must take compliance seriously if they hope to thrive in 2011.
Liles Parker attorneys provide health law guidance and advice to health care providers around the country. Our attorneys have extensive experience working on compliance related matters and defending providers in connection with Medicare audits and investigations. Should you have questions regarding these and other issues, give us a call for a free consultation. We can be reached at 1 (800) 475-1906.