Compliance

HHS OIG Report Highlights 25 Unimplemented Recommendations to Reduce FWA

The Office of Inspector General (OIG) within the U.S. Department of Health and Human Services (HHS) recently released their list of top unimplemented recommendations. The HHS OIG recommendations are based on the department’s observations culled from conducting their auditing and enforcement function to protect the integrity of government health care programs.

Unimplemented HHS OIG recommendations that, if implemented by CMS, would most directly impact healthcare provider financial, operations, and compliance programs include:

  • The HHS OIG has found that persistent confusion exists among SNF providers regarding time counted toward the 3-day hospital admission requirement. CMS should reanalyze the potential impacts of counting time spent as an outpatient toward the 3-night requirement for SNF Medicare coverage.

  • Based on audit recoveries, the HHS OIG recommends CMS should implement the statutory requirement for $50,000 surety bonds for Home Health Agencies enrolled as Medicare providers and consider doing the same for other provider types.

  • The HHS OIG has observed there are limited options to sanction hospice providers with serious deficiencies and recommends CMS should seek statutory authority to establish additional remedies for hospices with poor performance.

  • Due to payment incentives that have resulted in admissions that did not meet medical necessity requirements, the HHS OIG recommends CMS should reevaluate the IRF payment system, which could include seeking legislative authority to make any changes necessary to more closely align IRF payment rates and costs.

OIG Work Plan Updates: September 2018

The September 2018 additions to the HHS OIG Work Plan were limited to two, both somewhat esoteric and unlikely to impact the majority of healthcare providers.

  1. Review of Opioid Use in Indian Health Service: Consistent with prior OIG work plan items regarding Medicare Part D and Medicaid, this work plan addition will seek to “determine the extent to which beneficiaries are receiving extreme amounts of opioids through Indian Health Service (IHS), as well as IHS-employed prescribers and IHS-run pharmacies that have questionable prescribing or dispensing patterns. This review will also determine how IHS prevents and detects opioid misuse or abuse, as well as how it enforces its opioid-related policies.”

  2. Follow-up Review of Head Start Grantee: Pertains to one specific entity, not applicable to wider constituencies at this time.

Additions of import made to the work plan in August 2018, during the height of vacation season, that slipped by VantagePoint scrutiny included:

  1. Physician Billing for Critical Care Evaluation & Management Services: As an exclusively time-based service, physicians must clearly document the time spent evaluating, providing direct care and managing the patient in order to qualify for reimbursement of a critical care E/M visit. Per the OIG, “This review will determine whether Medicare payments for critical care are appropriate and paid in accordance with Medicare requirements.”

  2. Hospitals' Compliance with Medicare's Transfer Policy With the Resumption of Home Health Services and the Use of Condition Codes: Hospitals transferring a patient to another facility or home health service are subject to a reduction in DRG payment. The OIG seeks to “determine whether Medicare appropriately paid hospitals' inpatient claims subject to the postacute care transfer policy when (1) patients resumed home health services after discharge or (2) hospitals applied condition codes to claims to receive a full DRG payment.”

VantagePoint's Take: Physician Fee Schedule Proposed Rule Listening Session

VantagePoint HealthCare Advisors consultants have been monitoring the various CMS announcements, propaganda, and industry reactions to CMS proposed changes to Evaluation & Management (E/M) documentation standards, coding and reimbursement since first announced in late Spring by CMS Administrator Seema Verma.

On Wednesday, August 22, 2018, the CMS Administrator opened the Physician Fee Schedule Proposed Rule: Understanding 3 Key Topics Listening Session with much of the same ballyhoo that has accompanied the rollout of the Patients Over Paperwork initiative, and then CMS staffers got down to explaining the details to the industry audience on the call. CMS promotes the E/M and related fee schedule changes as "focused on reducing administrative burden while improving care coordination, health outcomes and patients’ ability to make decisions about their own care" and as addressing the concerns of physicians who "struggle with excessive regulatory requirements and unnecessary paperwork that steal time from patient care" (Medicare Learning Network Listening Session Handout, 8/22/2018).

Two concerns stand out, among many, regarding the CMS proposal. First, in one breath the CMS presenters stated that clear and concise medical record documentation is critical to providing quality care and is required for reimbursement, and in the next suggested a minimum documentation standard that arguably will not promote the use of the patient medical record for substantiating quality, let alone tell the patient story. While VantagePoint consultants concur that the 1995 and 1997 documentation guidelines for E/M visits bear some updating, we also know from our experience auditing client records that more robust and detailed documentation is needed to tell the patient story, not less.

The other concern, shared by VantagePoint, is one that seemed to dominate the comments and questions from those selected to speak during the listening session - the fee schedule and new add-on codes. In the proposed fee schedule world, providers who currently provide the majority of their services at E/M level 1 - 3 might win, and those with high numbers of complex patients on their panels or E/M level visits of 4-5 will lose or need to justify the gamut of add-on codes to get up to the same par level. Our quick math using the charts provided in the handouts, including the various (and confusing) add-on payments, including the murky multiple procedure payment adjustment, did little to change the opinion of some of our consultants that the initiative is more about wrapping up a fee reduction in a patient-friendly wrapper than reducing provider stress.

The transcript of the listening session should be available online in a week to ten days and there is still time for stakeholders to submit formal comments, but not much time. The deadline is September 10, 2018 [Comment Here: https://www.federalregister.gov/documents/2018/07/27/2018-14985/medicare-program-revisions-to-payment-policies-under-the-physician-fee-schedule-and-other-revisions ]

Updates to the OIG Work Plan: August 2018 Highlights

VantagePoint monitors the monthly updates to the Office of Inspector General (OIG) work plan. The month of August is proving to be somewhat light in comparison to July with only one item posted to the Recently Updated items page (linked to the title of this post).

The sole August 2018 update relates to the OIG's planned review focusing on the "care and well-being of all children residing in ORR-funded facilities, including the subset of children who were separated and deemed ineligible for reunification." The OIG also plans to focus on the effectiveness of the Office of Refugee Resettlement efforts to unify separated children with their parents.

Updates to the OIG Work Plan: July 2018 Highlights

Back in June 2017, the Office of the Inspector General (OIG) announced they would begin posting monthly updates to their work plan. Keeping tabs on the OIG Work Plan is a best practice for compliance and revenue cycle professionals. The items may at times appear esoteric, but the appearance of a new initiative is akin to the proverbial canary in a coal mine.

The additions posted in July 2018 include:

  • New review of CMS payment policy in respect to 3-D radiation therapy planning services. Medicare policy prohibits payments for separately billed radiation planning services when the services are billed on a different date of service. The review by the OIG is designed to determine if the prohibition had been extended to 3-D radiation therapy.
  • The HHS OIG will perform a series of audits to assess cybersecurity vulnerabilities at HHS.
  • The OIG will assess the effectiveness of the Health Resources and Services Administration (HRSA) oversight of the Access Increases in Mental Health and Substance Abuse Services (AIMS) grants.
  • The OIG is working on a report describing the impact of additional Medicare outlier payments in balancing the reduction in DRG, DSH, and IME payments of transfer claims. This is one for hospital revenue cycle compliance folks to watch!
  • Another CMS focused audit by the OIG was added in respect to post-operative services provided in the global surgery payment period and whether global surgery fees reflected the actual number of post-operative services provided.
  • The final item added in July is a series of audits of the Substance Abuse and Mental Health Services Administration's process and oversight in respect to SAMHSA-approved accrediting bodies that have accredited Opioid Treatment Programs (OTP).

Patients Over Paperwork? Or just part of an agenda to reduce costs?

The Centers for Medicare and Medicaid Services (CMS) has started the annual roll-out of proposed changes to the physician and other fee schedules. Wrapped up in the 2019 proposals, and opened for comment from the public and stakeholders, is a proposal regarding evaluation and management codes (E&M). The proposal is shrouded in the idea that it puts patients over paperwork by reducing the clinical visit documentation requirements for physicians, but ignores the reasons why there is a higher standard of documentation associated with the E&M codes that are reimbursed at higher levels because of the time and effort required to treat and evaluate the patient.

Under the proposal, all E&M visits (i.e., most outpatient office visits) will be reimbursed at the same dollar amount, regardless of the level assigned to the visit and without needing to meet the current documentation standards for the level; however, providers must still code the level of the visit accurately. Beyond the concerns that we are taking a step backwards as an industry in respect to encouraging quality, detailed patient care documentation that truly tells the patient story, and that lowering documentation standards does little to support value-based care initiatives, physicians treating complex patients are financially penalized under this proposal.

Fresh Tactics - Getting new providers to supply information required for credentialing and enrollment

On Wednesday, June 20, 2018, VantagePoint HealthCare Advisors President and COO Susan Prior, CHC and Senior Consultant Regina K. Alexander, FACHE, CHC presented a live webinar, The Unknown-Unknowns of Credentialing, Privileging, and Enrollment for the Health Care Compliance Association (HCCA). The webinar drew a diverse audience, including attendees from hospitals, health systems, health plans, post-acute care, law and consulting firms. During the Q&A portion of the event, we responded to many questions; however, time ran out with questions still pending in the queue. HCCA has provided VantagePoint with the list of unanswered questions. We'll base some of our upcoming posts on these questions.

Our first unanswered question from the webinar centers on tactics to gather the data and documents necessary to credential and enroll new providers. The attendee queried, "Do you think a robust credentialing process is as manageable as we would like it? Despite changing around the wording of my welcome letters for providers they tend to miss many data points I need to properly credential and to pass along this info to eventually enroll with health plans."

Yeah. This one is tough! The questioner has already attempted to streamline his/her process by revising the welcome letter sent to new providers. While revising the letter is an approach that is absolutely on VantagePoint's to-do list, and electronic applications are available to help with tracking, we'd suggest taking another look at the letter and considering the following:

  • How long is the letter? This is the time to be succinct to avoid losing the new provider's attention or muddling the message.
  • Avoid over-explaining. The letter should open with a welcoming sentence followed by a statement regarding items required to credential/enroll. Consider a polite, yet to the point sentence explaining the most compelling reason for timely and complete submissions of the information requested.
  • Consider an even shorter letter per the previous bullet point with a checklist attached. People generally like the feeling they get from checking items off a long to-do list, so this may motivate the provider toward completion. The checklist should include all items needed to complete the credentialing & enrollment process, perhaps a brief description or specific requirements statement for each item if potentially confusing, include a box to check-off the items (like a shopping list), a box for the provider to write comments and a place for the provider to sign-off/date that all items requested are enclosed.
  • Provide an email address and phone number for questions. Welcome questions from providers during the process and be ready to answer the 'why do we need all this stuff' types of questions.

One step closer to aligning 42 CFR Part 2 with HIPAA

The Overdose Prevention and Patient Safety Act was passed by the U.S. House of Representatives and is on its way to consideration by the U.S. Senate. Among other provisions, H.R. 6082 allows the health records of substance abuse disorder patients to be disclosed without specific written consent from patients for the purposes of treatment, payment, and healthcare operations (TPO). Currently, the only exception to the specific consent requirement of Part 2 is a bona fide medical emergency. If passed by the Senate and signed into law, the one sticking point for most medical providers who are either Part 2 programs or lawful holders of Part 2 protected information will be unstuck because of the alignment with the HIPAA Privacy Rule.

When it comes to claims and compliance, be payer agnostic

On Wednesday, June 20, 2018, VantagePoint HealthCare Advisors President and COO Susan Prior, CHC and Senior Consultant Regina K. Alexander, FACHE, CHC presented a live webinar, The Unknown-Unknowns of Credentialing, Privileging, and Enrollment for the Health Care Compliance Association (HCCA). The webinar drew a diverse audience, including attendees from hospitals, health systems, health plans, post-acute care, law and consulting firms. During the Q&A portion of the event, Susan and Regina responded to questions about use of locums, primary source verification for allied health professionals, and multiple questions regarding submitting claims when services have been rendered by a provider not yet enrolled.

A memorable question that bears follow-up and focus pertained to what was allowable when filing claims with commercial payers. The attendee acknowledged understanding it would not be allowable to substitute the name and NPI of a participating, enrolled provider in the 'rendering provider' box on the claim for a non-participating (or not yet enrolled) provider in respect to a claim submission to a government payer, and then asked if the same scenario is allowable with a private payer. The short answer provided on the webinar was a 'no', but the question itself reveals a more universal misunderstanding that healthcare providers can play by a different set of rules in their approach to private, commercial payers.

When it comes to claims and compliance, healthcare organizations should be payer agnostic in their attitude and approach to the basics, like the information reported on claim forms. While it's true that the Lincoln Law (False Claims Act) is enforced in respect to Medicare and Medicaid claims, the Health Care Fraud Statute (18 U.S.C. § 1347) applies to obtaining payment under false pretenses from both government AND private payers. Another consideration ancillary to submitting accurate claims is the claim as a secondary medical record. Medical records are legal documents, and purposely altering the content of a claim in a manner that does not reflect the services as documented in the primary medical record could have implications under state laws. Lastly, commercial health plans build benefit structures to consider specific member cost-sharing in respect to out-of-network care. Not only can provider groups and healthcare organizations run afoul of contractual obligations by misrepresenting non-par provider services as rendered by a participating provider; if the plan is employer-sponsored, enforcement remedies are also available under the Employee Retirement Income Security Act of 1974 (ERISA).

 

Conditions of Participation

Ordinarily, the loss of Medicare or Medicaid billing privileges is connected to allegations of Fraud or Abuse. Make no mistake, the fear of being placed on pre-payment review alone or having reimbursement suspended during an investigation is enough for many hospitals to justify their compliance efforts.

The case of Overland Park, Kansas-based Blue Valley Hospital is a bit different. Under Medicare rules for acute care hospitals, a facility must have an average of 2 inpatient admissions per day with an average 2-day length of stay in order to maintain status as an inpatient hospital for purposes of reimbursement. Blue Valley Hospital asserts that the requirements are arbitrary. The hospital performed outpatient surgeries at a ratio of 2:1 over inpatient surgeries in the period examined, per Ellison (2018, June 12), and of the inpatient surgeries performed, patients were often discharged prior to the 2-day standard.

Business Associate Agreements: Don't Set it and Forget it!

There is more to HIPAA compliance than privacy and security safeguards. An oft-overlooked requirement is the Business Associate Agreement (BAA), and even when covered entities do have a BAA in place with a vendor, there is inconsistent follow-up regarding reviewing and, if necessary, updating those agreements concurrent to contract renewals.

According to a HIPAA News report posted June 1, 2018 regarding multiple breaches at Dignity Health, one incident involved a vendor with an outdated BAA. Per the author, "The contractor in question had been used for ten years and a valid business associate agreement had been in place earlier; however, that document was no longer valid and data continued to be shared with the contractor due to a clerical mistake." Clerical errors happen; however, policies and procedures are often not in place. BAA audits are a good item for compliance professionals to consider when formulating annual work plans, and the Dignity case is a good, public example of the 'why'.

According to Cofense, 91% of cyber attacks begin with a phishing email

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a standard healthcare organizations can implement to reduce their susceptibility to cyber attacks by reducing vulnerabilities associated with spoofing. Spoofing occurs when a hacker attempts to impersonate the legitimate domain by making an email appear to come from within the organization. Despite training regarding phishing, staff may still be fooled by emails that look like they come from a legitimate domain. DMARC can be set up to monitor email traffic and send alerts (the most permissive setting) or, in the most aggressive setting, to block incoming emails.

Per HIPAA News (2018, May 26) "For the study, Valimail reviewed the domains of 928 healthcare companies around the globe with annual revenues over $300 million, including hospitals, medical equipment suppliers, pharmacies, physicians and health practitioners. Just 121 of those firms (13%) have adopted DMARC to secure their domains and stop email spoofing."
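The permissive and aggressive settings described above are published as the `p=none` and `p=reject` tags of a domain's DMARC TXT record (with `p=quarantine` in between). As an added example, not part of the original post, the following Python classifies DMARC record text so a compliance team can see where a domain stands; the sample records and `example.org` addresses are constructed for illustration.

```python
"""Classify a published DMARC policy from its TXT record text (added example)."""

RANK = {"none": 0, "quarantine": 1, "reject": 2}  # weakest to strongest policy

# Constructed sample records; example.org addresses are placeholders.
SAMPLES = {
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.org",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org",
    "weak_sub": "v=DMARC1; p=reject; sp=none",
    "spf_only": "v=spf1 include:_spf.example.org -all",  # not a DMARC record
}


def parse_dmarc(txt):
    """Return a tag -> value dict, or None if txt is not a DMARC record."""
    tags = {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            return None  # malformed tag with no "="
        name, value = name.strip().lower(), value.strip()
        # The first tag must be the version tag v=DMARC1.
        if i == 0 and (name != "v" or value != "DMARC1"):
            return None
        tags.setdefault(name, value)  # first occurrence of a tag wins
    return tags or None


def assess(txt):
    """Return (level, findings) for one DMARC TXT record string.

    level is one of: no-dmarc, invalid, monitor, partial, enforce.
    """
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-dmarc", ["no valid DMARC record published"]
    policy = tags.get("p", "").lower()
    if policy not in RANK:
        return "invalid", ["missing or unknown p= policy tag"]

    findings = []
    pct_raw = tags.get("pct", "100")  # pct defaults to 100 when absent
    pct = min(int(pct_raw), 100) if pct_raw.isdigit() else 100
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p

    if policy == "none":
        level = "monitor"
        findings.append("p=none: failing mail is still delivered, reports only")
    elif pct < 100:
        level = "partial"
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    else:
        level = "enforce"
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports will be received")
    if RANK.get(sub_policy, 0) < RANK[policy]:
        findings.append(f"sp={sub_policy} is weaker than p={policy} for subdomains")
    return level, findings


if __name__ == "__main__":
    for label, record in SAMPLES.items():
        level, findings = assess(record)
        print(f"{label:10s} {level:8s} {findings}")
```

In practice the record text comes from the TXT record at `_dmarc.<domain>`; the lookup is left out here so the example runs offline.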

HIPAA Covered Entities Should Start Saving for a Rainy Day (aka Big Breach)

A provision of the HITECH Act of 2009 that has yet to be implemented is establishing a mechanism for the victims of a HIPAA-related breach to share in any settlement or monetary penalties assessed. The Office for Civil Rights (OCR) plans to issue a notice of proposed rulemaking in November 2018 in an effort to satisfy this HITECH requirement. In the meantime, HIPAA covered entities may want to consider revisiting their internal efforts to comply with the Privacy and Security rules to mitigate future risk, as well as consider planning for a reserve commensurate with the potential exposure if a major breach were to occur.

New Flavor of Fraud? Hospice hastening death for financial gain.

According to Kuruvilla (2018, May 18), "A former health care executive in Texas has admitted to playing a role in an alleged $60 million Medicare fraud scheme that included disturbing practices such as overdosing hospice patients to “hasten their deaths” and maximize company profits."

Medicare reimburses hospice services on a per diem basis, meaning the longer a patient is on hospice, the more overall reimbursement an agency will receive. Even on days where hospice staff do not visit a patient, the agency can bill Routine Home Care (RHC). More intense, skilled services must meet criteria and are subsequently reimbursed at the higher Continuous Home Care (CHC) level. The allegations of hastening hospice patients' death via overdose are counter-intuitive on their face for those of us that follow hospice-related Medicare fraud cases. Ordinarily, hospice providers encounter challenges in justifying the length of time a patient is on-service, the documentation supporting terminal illness, and correctly calculating the hours associated with the CHC level of care. If the Medicare Hospice Payment System is unfamiliar, a primer can be found here: https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/downloads/hospice_pay_sys_fs.pdf

The Unknown-Unknowns of Credentialing, Privileging, and Enrollment

Are you a healthcare compliance, revenue cycle, or operations leader who would like to learn more about credentialing, enrollment and privileging? Consider joining VantagePoint HealthCare Advisors COO Susan Prior, CHC and Senior Consultant Regina Alexander, FACHE, CHC, HCS-H on June 20, 2018 for a Health Care Compliance Association (HCCA) sponsored web conference. Sue and Regina will review the basics of privileging, credentialing, and enrollment processes, including key regulatory and payer requirements. The conference content will also explore commonly overlooked ‘unknowns’ and identify strategies to mitigate compliance risks, financial impact, and barriers to care created by inefficient or siloed credentialing and enrollment processes. Compliance professionals will take away tips for asking the ‘right’ questions about the credentialing, privileging, and enrollment processes within their own organization.

The HIPAA Privacy Rule 15th Anniversary - Blast from the Past & Hybrid Entities

In April 2003, sports drama ‘42’ was a hit at the box office, hip hop hit ‘In da Club’ by 50 Cent topped the Billboard charts, and the Human Genome Project was completed with 99% of the human genome sequenced to an accuracy of 99.99%. The date also marked the end of years of preparation for healthcare providers and most payers to comply with the HIPAA Privacy Rule.

Fifteenth anniversaries are traditionally symbolized with roses, rubies, or crystal. Throughout the month of April, VantagePoint is highlighting the 15th anniversary of the compliance date for the HIPAA Privacy Rule with special informational posts regarding HIPAA compliance and some of the lesser known (or understood) provisions.

One provision that causes confusion is how HIPAA works for entities that have healthcare and non-healthcare related components. An organization type that often experiences confusion regarding compliance with HIPAA is a college or university that offers on-site health services for students. The Family Educational Rights and Privacy Act of 1974 (FERPA) applies to the health records maintained on students at the campus health clinics of postsecondary schools. Entities subject to FERPA classify records as either education or treatment records, both of which are excluded from coverage under the HIPAA Privacy Rule (with some exceptions) even if the school is a HIPAA covered entity. A school becomes a hybrid entity, subject to HIPAA, by segregating healthcare related activities into a separate component of operations.

Supreme Court may revisit a False Claims Act decision

The Supreme Court may revisit a key False Claims Act decision and the results may impact pending and new cases. According to an article published today in McKnight's Long Term Care News, "At issue is whether a False Claims allegation automatically fails when the government continues to approve services or pay for products after learning of alleged infractions."

Any healthcare revenue cycle professional knows that allegations or initial audit results alone don't put a stop to payment of claims by Medicare or Medicaid. If that were the case, providers who ultimately prevail in their disputes and are found innocent of wrong-doing could have a hollow victory if the process ultimately bankrupted their organization. Claims payment is automated; very few claims are reviewed by an actual person before payment unless an organization is on the rare pre-payment review or the claim fails for a technical or coding reason. The operational realities of how claims are paid mitigate the effectiveness of the argument that any claim paid by the Federal or a State government after an investigation is initiated or allegations are put forth is 'approval' of the misdeed.