The best defense is a good offense. Arm yourself with knowledge on what new federal healthcare fraud and abuse measures mean for your practice.
CMS is stepping up its fraud and abuse efforts, and looking closely at physicians and their practices. To mitigate the very real risks facing your practice, you should sit down with your administrative team and review all facets of your compliance plan. Ask the difficult questions, dig deep - far better that your practice finds deficiencies than Uncle Sam. While it may seem like a Herculean task, when broken down, it is a manageable process. Here are the key components to defending your practice against fraud and abuse findings.
1. The OIG work plan
The Office of Inspector General (OIG) is the financial watchdog for the federal government, charged with ensuring our tax dollars are spent wisely and properly - don't laugh. OIG is required by law to publish an annual work plan that identifies all existing and planned federal fraud, waste, and abuse initiatives.
Some of the areas being scrutinized include:
• The medical necessity of sleep studies
• A review of 2010 E&M coding and documentation to assess the presence of EHR cloning
• Non-compliance with assignment of benefit guidelines
• The medical necessity of electro-diagnostic testing
• High cumulative Part B payments
• Same-day readmissions
The OIG Work Plan will seem intimidating at first download, but it is organized rather well and has a good table of contents. Review the table of contents and probe deeper into facets that could affect your practice.
2. Medical necessity
There are several agencies that publish medical necessity guidelines with which you should be familiar. First, there is the aforementioned OIG Work Plan. Second, Medicare provides medical necessity guidance via National Carrier Determinations. Medicare also provides medical necessity guidance at the state level via Local Coverage Determinations.
Finally, there are payer- and specialty-specific guidelines regarding medical necessity, such as the ABIM Foundation's "Choosing Wisely" campaign. It is too much to take in and keep track of, but I encourage you at a minimum to understand the medical necessity guidelines for any service being targeted by OIG.
3. Recovery Audit Contractors
Recovery Audit Contractors, or RACs, are Medicare contractors charged with finding improper payments. They target incorrect payments, noncovered services (including services that are not reasonable and necessary), incorrectly coded services, and duplicate services. RACs are paid on a commission, ranging from 9 percent to 12.5 percent. The more they find in "improper" payments, the more money they make. They are on course to find $3 billion in improper payments this year and make commissions exceeding $300 million. That is not a typo, sadly.
There are four RACs (Performant, CGI, Connolly, and HealthDataInsights), and each is required to publish a list of approved work issues (aka targets) on their websites. As I noted, each RAC is required to publish a list of the areas where they will focus their energies. Their lists are long and cumbersome, but it is prudent for each practice to know of any exposures they may have. It takes only 10 to 15 minutes to review your RAC's list of approved issues.
4. Coding and documentation
Medicare's scrutiny of E&M coding is on the rise, with a particular emphasis on the 99214 follow-up office visit. Why? According to a study by the Office of Inspector General, "Coding Trends of Medicare Evaluation and Management Services," use of 99214 increased 15 percent between 2001 and 2010, while use of 99212 and 99213 fell by - you guessed it - 15 percent.
Medicare pays 47 percent more for a 99214 than a 99213, and 143 percent more for a 99214 than a 99212 (these are national averages). The increased utilization of 99214 is costing Medicare a lot of money. Remember, the Medicare "fraud police" take the position that you are guilty until proven innocent and assume you are intentionally upcoding.
What can you do? First, conduct a bell curve analysis of the E&M coding of each of your providers relative to Medicare averages for your specialty. Such analyses can identify outliers (i.e., probable audit targets) relative to the average Medicare physician in your specialty. These analyses also identify internal inconsistencies in the coding of your providers that may raise red flags to Medicare.
Second, conduct periodic coding and documentation audits. Even if you employ a certified professional coder who routinely audits coding and documentation, I strongly recommend having a qualified third-party company conduct audits at least annually.
Remember, Medicare saved over $300,000 in reviewing 8,659 chart notes coded as 99214. With well over 60,000,000 annual Medicare claims coded as 99214, Medicare's potential savings from this single code could exceed $2 billion. You can bet E&M coding is on their radar.
5. HIPAA privacy and security
The HIPAA Privacy Rules went into effect in April 2003. These rules not only told us what we needed to protect - protected health information (PHI) - but also gave us the Notice of Privacy Practices to clutter our waiting rooms and created large HIPAA binders on which to collect dust. The HIPAA Security Rules followed in 2005 and 2006 and told us how we must keep PHI protected. In March of 2006, HHS enacted enforcement rules that dictated all sorts of mean and nasty punishments and fines for those who did not follow the privacy and security rules.
In the ensuing years, very little enforcement has occurred. That is changing now. HHS engaged KPMG to conduct a small pilot audit of 115 large providers, clearinghouses, and payers in 2012. Based upon the preliminary findings of this pilot, HHS is making this a permanent program and has charged the Office of Civil Rights (OCR) with proactively conducting audits to identify noncompliance. Future audits will include providers, clearinghouses, payers, and - for the first time - business associates.
Here's what you can and should be doing. First, find your HIPAA plan; it is likely a large black binder with a lot of dust. Second, review your plan for outdated information (e.g., is your designated privacy officer still with the practice?), and update it to reflect new changes to the rules. Third, ensure that all new employees and providers receive initial HIPAA training, and for current employees make sure they receive HIPAA refresher training at least annually. All such training must be documented and retained at the practice so that it is accessible in case of an audit.
6. Compliance plans
A compliance plan is a document that sets forth the standards a business will follow in conducting its operations. Back in 2000, OIG issued guidelines for compliance plans for medical practices and encouraged practices to adopt them. In the ensuing years, many practices established compliance plans that delineated the steps they would follow to ensure they abided by OSHA, HIPAA, and correct-billing guidelines. These compliance plans fell into disuse in many practices because there was not active punitive enforcement by OIG.
An outdated or unused compliance plan sitting on a shelf is an accident waiting to happen. Suppose an auditor comes into your office and finds a compliance plan that states - incorrectly - every member of your billing staff will receive three hours of Medicare fraud and abuse training every year; suppose your compliance plan lists committees whose members have left the practice years ago; you are suddenly quite vulnerable.
My advice for an out-of-date compliance plan is similar to that for your HIPAA manual: Find it, update it, get your training up to date, document all training, and stay current. Your practice might prefer to simply discard its outdated compliance plan, but that decision should only be made in conjunction with your legal counsel. While compliance plans are not mandatory, they can be useful vehicles to guide and protect practices.
Medical practices are in an unfortunate era of increased oversight and scrutiny. By reviewing practice policies and guidelines, conducting internal audits, and bringing in outside consultants if necessary, your practice can rest easy that it has met its full responsibility for accurate coding and billing, and securing protected health information. While it is unfortunate that physicians no longer can simply practice medicine and take care of their patients, don't put your practice at risk. Be prepared.
Lucien W. Roberts, III, MHA, FACMPE, is a Virginia-based consultant. For the past twenty years, he has worked in and consulted with physician practices in areas such as compliance, physician compensation, negotiations, strategic planning, and billing/collections. He may be reached at Lucien.firstname.lastname@example.org.