Compliance Issues: Self-Disclosure, RAC Audits and Red Flags

Transcription

1 Compliance Issues: Self-Disclosure, RAC Audits and Red Flags Kimberly A. Licata Presented to GE Centricity Group Management Southeast User Group Winter Conference February 11-12, 2010 These materials have been prepared by Poyner Spruill LLP for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship.

2 Self-Disclosure Voluntarily telling the government your potential legal problems before the government comes looking for you. 2

3 OIG Provider Self-Disclosure Protocol (SDP) The Office of Inspector General (OIG) of the federal Department of Health and Human Services started this program in 1998 and it is open to all providers and suppliers. SDP applies to any matter that potentially violates federal criminal, civil, or administrative laws or regulations. SDP does not apply to overpayments or mere billing errors not implicating violations of the law. See carrier or FI for these issues directly. Intent or reckless conduct is usually required except when the potential violation falls under the Stark law. Approximately 500 disclosures have been made under the SDP. 3

4 OIG Provider SDP Requirements: Submitted in writing including specified basic information (names, IDs, ownership, organizational description, contact information for a designated representative). Describe the matter fully (type of claim, transaction or other conduct giving rise to the matter; names of entities and individuals involved and relative roles; time frame involved; type of provider involved and associated billing numbers, etc.). Why the disclosing provider believes a law or regulation has been violated. Certification that the submission contains truthful information and is based on good faith. Cooperation is required throughout the process. 4

5 Potential Risks Associated with Retention of Overpayments Knowing retention of an overpayment can lead to inferences of bad faith and intent potentially leading to serious problems for a provider. Various laws could be violated by conduct. Are you flagged for life as a problem provider? Substantial penalties: Civil Monetary Penalties (CMPs) can be high. Corporate Integrity Agreements (CIAs) can be burdensome and time-consuming, not to mention difficult for PR and business development. False Claims Act liability and treble damages. Program exclusion or suspension. Jail time. Federal and state criminal laws may be implicated by provider s conduct. 5

6 Potential Risks of Self-Disclosure Providers will be making a repayment. Cost and uncertainty of investigation prior to and during disclosure. Increased scrutiny of compliance efforts by government. No guarantees in self-disclosure; the government can still do anything it wants to a disclosing provider. Cost and uncertainty associated with post-disclosure resolution and implementation of any required processes or programs. 6

7 Potential Benefits of Self-Disclosure Win brownie points with government for good faith efforts to identify and resolve problems. Criminal penalties may be taken off the plate. Reduction of penalties or fines in lines with factors identified in the U.S. Sentencing Guidelines and reduction of multipliers of damages (i.e., False Claims Act). Less restrictive CIA if a CIA is required at all. Provider gets to tell its story without the government having prior knowledge or perceptions of provider/situation. Never underestimate the vengeance nor the power of unhappy current or former employees or any whistleblower in the shaping of a story told to the government. Cast the bad facts in the best light possible and be proactive. 7

8 April 24, 2006 Open Letter to Health Care Providers First letter issued by the OIG on Self-Disclosure Protocol. Remains a vital guidance on the SDP, particularly as it relates to CIAs and other enforcement tools. Makes several key points as to self-disclosure: Highlights that the SDP is limited to matters that involve conduct potentially violating the anti-kickback statute and the Stark law. Notes provider liability falls along a continuum and the degree of provider s cooperation will be considered when determining the appropriate remedies and settlement amount. The OIG will work with the Department of Justice (DOJ), but the DOJ will not be bound by the OIG. 8

9 April 15, 2008 Open Letter to Health Care Providers Second letter issued by the OIG on SDP. Makes several key points as to self-disclosure: If you self-disclose, the OIG is generally committed to settling any liability under the OIG s authorities for an amount near the lower end of the damages continuum. The OIG has streamlined procedures and recognizes the need for prompt and certain resolution of matter under the SDP. Providers must respond promptly to OIG inquiries and disclose in good faith or risk being removed from the SDP by the OIG. SDP is not intended to be used for mere billing errors, which should be reported directly to contractors. 9

10 April 15, 2008 Open Letter to Health Care Providers Requires initial submissions to include elements of Internal Investigation Guidelines. Complete disclosure of the conduct being disclosed; Description of internal investigation or a commitment regarding when it will be completed; Estimate of program damages, and methodology used to calculate that figure or a commitment regarding when the provider will complete such estimate; and Statement of laws potentially violated by the conduct. 10

11 March 24, 2009 Open Letter to Health Care Providers Narrows the scope of the SDP. No longer accepting disclosure of a matter relating solely to a potential Stark violation. Urges providers not to read into this. The government will continue enforcement efforts against Stark violations. States that providers with colorable anti-kickback claims will be accepted into the SDP whether or not colorable selfreferral claims also exist. Establishes a minimum settlement amount of $50,000 to better allocate provider and OIG resources in addressing kickback issues through the SDP. 11

12 Self-Disclosure Thoughts Providers should consider the risks and benefits of any potential self-disclosure. Ask if your risks are being reduced by going to the OIG? and Whether your benefits are being increased? For example, if self-disclosure fixes the repayment at a more manageable amount or avoids a complicated and difficult CIA, it may the way to go. On the other hand, if self-disclosure is unlikely to reduce a potential payment or permits a more thorough investigation of the enterprise than the provider has conducted, the risk may be increased, not reduced. 12

13 Self-Disclosure Resources OIG s Provider SDP, 63 Fed. Reg (Oct. 30, 1998). OIG Website, includes letters to providers, settlements, CIAs, other information on disclosure and fraud efforts in general: 13

14 RAC Audits The Government s Hired Guns Are Coming; What You Need to Know

15 Recovery Audit Contractors (RACs) RACs are government-approved bounty hunters. They are private firms under contract with CMS on a region by region basis. The RAC Program started as a demonstration project, but was made permanent by law in Goals: detect and collect overpayments, identify and pay underpayments, and implement corrective action as needed. Applies to all fee-for-service providers (but not Part C or D). RACs are paid on a contingency basis. 15

16 Types of RAC Reviews CMS posted a number of FAQs related to RAC reviews. Automated Reviews for black and white issues not requiring a medical record review. CMS has stated an automated review is only appropriate if there is certainty of an overpayment based on: A clear policy (a statute, regulation, National Coverage Determination, coverage provision in an interpretive manual, or Local Coverage Determination that specifies the circumstances under which a service will always be considered an overpayment). A medically unbelievable service. No timely response is received in response to a medical record request letter. [45 days to respond to a request, can be extended]. Complex Reviews requires medical record review, high probability, but no certainty of an overpayment. 16

17 Examples of Each Type of Review Automated Reviews: Identifying duplicate procedures on claims performed on a patient on the same day at the same facility. Once in a life time procedures. Don t have these twice! Blood transfusion units. IV hydration units. Identifying erroneous discharge status codes. Complex Reviews: Verifying the diagnosis code on a claim matches the diagnosis described in the medical record. DRG payment review if only one complication or comorbidity. Verifying medical necessity for the setting where the service was rendered based on a review of the beneficiary s condition. 17

18 RAC Facts During the three year demonstration project period, RACs found over $1 billion in improper payments with 96% of these being overpayments. Of the overpayments found, 95% were hospital claims with the vast majority of those relating to inpatient care. Overpayments were based on: 8% 17% 40% Medically unnecessary or furnished in the wrong setting Incorrectly coded services Documentation (none or too little) 35% Other (e.g., duplicate claims or payments) 18

19 More RAC Facts Overpayments were most commonly found with: Hospital Inpatient Wrong setting for surgeries (inpatient v. outpatient) (med. unnecessary) Wrong setting for defibrillator implants or treatment for heart failure and shock (med. unnecessary) Excisional debridement (improperly coded) Respiratory system diagnoses with vent support (improperly coded) Hospital Outpatient Neulasta (prescription to reduce risk of infection, chemo) (med. unnecessary or improperly coded) Speech therapy, PT and OT (med. unnecessary) Infusion services (med. unnecessary) Inpatient Rehab Services post-joint replacement (med. unnecessary) Services for miscellaneous services (med. unnecessary) 19

20 RAC Jurisdictions Region A Region D Region B Initiation Dates for RAC Audits March 1, 2009 March 1, 2009 August 1, 2009 Region C 20 3

21 21 Roles of Medicare Improper Payment Review Entities (CMS resource)

22 RAC Review Process Basics RACs review claims on a postpayment basis. RACs use the same Medicare policies as Fiscal Intermediaries (FIs), Carriers and Medicare Administrative Contractors (MACs) (NCDs, LCDs & CMS manuals). RAC reviews will be either: Automated (no medical record needed) Complex (medical record required) CMS approval required for review in excess of 10 medical records. No review of claims paid prior to Oct. 1, RACs are able to look back three years from the date of payment subject to this Oct. 1, 2007 bar. RACs must employ a staff consisting of nurses, therapists, certified coders & a physician CMD. 22

23 How to Prepare for a RAC Audit Conduct a pre-audit risk assessment. Identify and educate key operational personnel throughout the organization. Be aware of and use the resources available to organizations (from CMS, AHA, AHIMA, the RACs, etc.). Develop and implement policies and procedures for handling RAC record requests (will likely differ for an automated versus a complex review). This includes assigning roles and responsibilities (along with appropriate timeframes for completion) to tasks associated with each review. This includes having a means of tracking and documenting the process. By RAC request, by outcome. This is essential for an organization to be able to implement improvements based on lessons learned. Have an appeals strategy in place. There are well-defined (and short) timeframes for appealing an adverse RAC determination. Be informed! 23

24 RAC Appeals About a fifth of RAC overpayment determinations have been appealed. Off this number, a third of the determinations were reversed on appeal. A provider s appeal rights are explained in the Demand Letter. To assess a provider s chances at appeal: Review the RAC findings. Ensure proper Medicare coverage and payment policies were applied. Review supporting documentation. Determine next step repayment or appeal. 24

25 RAC Appeals Rebuttal/Discussion with the RAC: first step requesting the RAC to re-evaluate its initial determination. Filed within 15 calendar days of the date of the Demand Letter. Does not stop the recoupment process nor stay the timeframe for filing an appeal. Five levels of RAC appeals: Redetermination Reconsideration Administrative Law Judge Medicare Appeals Council/ Departmental Appeals Board Federal District Court 25

26 RAC Appeals Specific timelines for appeals are explained in the Demand Letter. If an appeal (for redetermination) is filed within 30 days of the Demand Letter, the recoupment process is stopped. FI/Carrier/MAC has 60 days to render a decision. Otherwise, providers have 120 days from the Demand Letter to file an appeal. Second level of appeal must be filed within 180 days of the redetermination with a qualified independent contractor (QIC). It is essential to submit all documentation at this level. 26

27 RAC Appeals Third level of appeal with the ALJ must be filed within 60 days of the QIC decision for claims at least $120 or more. A decision must be issued by the ALJ within 90 days. Fourth level of appeal with the MAC or DAB (independent review agency of HHS) must be filed within 60 days of the ALJ decision. No new evidence is allowed. Must sure your record is complete BEFORE this stage. Decision must be rendered within 90 days. Final level of appeal with a federal district court, filed within 60 days of the DAB decision with an amount in controversy of $1,180 or more. 27

28 RAC Resources CMS on RACs: Connolly Healthcare (Region C RAC): _Program.aspx American Hospital Association (AHA) resources: American Health Information Management Association (AHIMA) toolkit: NAL.pdf 28

29 Red Flag Rules: The FTC Joins the Federal Agencies Overseeing Health Care 29

30 30

31 Overview of the Red Flag Rules Red flags are a pattern, practice or specific activity that indicates identity theft. Regulations issued by the Federal Trade Commission (FTC) that require companies to develop and implement written identity theft prevention programs designed to detect, prevent and litigate identity theft (including medical identity theft). Applicable to creditors offering covered accounts. Any entity that allows deferred payment for services that are utilized by an individual for personal, household or family purposes. Financial institutions are a focus of the regulations, but they have been determined to apply to health care providers. Compliance deadline delayed until June 1,

32 How Health Care Providers Fall Under the Rules Health care providers are specifically identified by the FTC in the final rule. (see 72 Fed. Reg. at 63727). Several industry attempts to challenge the rule s applicability to health care providers have failed. A health care provider would be a creditor if the health care provider does not regularly demand payment in full for services or supplies at the time of service and maintains covered accounts of its patients. Collecting a co-pay or deductible at the time of service, then collecting from third party payors, then collecting remaining balances from the patient may be a provider a creditor. Payment plans make a provider a creditor. 32

33 Complying with the Red Flag Rules: A Process for Implementation Identify relevant red flags for the organization. Red Flags are those events that should alert the organization of a risk of identity theft. FTC suggests some red flags in the rule and the appendix and an organization can review its own history of identity theft. Identify potential triggers to cause the organization to take action under a red flag policy. Detect and monitor for red flags with new and existing accounts. Prevent and mitigate identity theft, including a process to escalate respond to detected triggers. No response could be a proper response, but whatever response will be reviewed for appropriateness. Update the program as needed. 33

34 Categories of Possible Red Flags Alerts, notifications or warnings from a consumer reporting agency, patients, others. Suspicious documents Any forged document or falsified health insurance card. Photo not matching appearance of patient. Suspicious personal identifying information Variance between SSN and date of birth or other information that is inconsistent with other personal information provided by the patient. Unusual or suspicious account activity Changes in payment practices or spending habits. 34

35 Implementation of the Process Organizational approval of the final identity theft program. Board of Directors, appropriate committee or subcommittee, etc. Management oversight of the identity theft program must be maintained. Training and education of staff and employees. Should include procedure for supervising any service provider who has access to covered accounts (i.e., billing companies or collection agencies). Can be part of an existing compliance program, no need to re-train personnel already trained on fraud/identity theft. Develop schedule for periodic refresher training. Reporting of identified incidents and the effectiveness of the Program (including recommendations for material changes). 35

36 Changes to the Program Must be approved by the organization. Changes may be appropriate if: New experiences with identity theft. Changes in identity theft methods. Changes in detection, prevention, mitigation of identity theft. Changes in covered accounts offered to patients. Organizational changes in the health care provider (i.e., merger, acquisition, or alliance). Remember to refresh training with changes! 36

37 Potential Liability for Noncompliance FTC has the authority to seek a civil penalty of up to $2,500 per violation. States may sue to stop a violation and seek damages on behalf of residents (up to $1,000 per violation). Individuals do not have the right to sue an organization for violating the rules, but may be able to sue an organization for violating the related address discrepancy rules. The Address Discrepancy Rules are only applicable to providers who are users of consumer reports and are triggered when a user receives a notice of an address discrepancy from a consumer reporting agency. 37

38 Red Flag Resources FTC on the rules: AMA on the rules: American Institute of CPAs (AICPA) on the rules (not health care-focused, but useful resources): al+state+and+other+professional+regulations/r ed+flags+rule+guidance.htm 38

39 Contact Information Kimberly Licata Poyner Spruill LLP 301 Fayetteville St., Ste Raleigh, NC Direct Dial: (919) Fax: (919)

40 40 Questions?