AUDITS: You or Them?

Posted on in Billing/Reimbursement

By Pam Felkins Colbert, The van Halem Group Unavoidable – Taxes, Death and Audits By now we all know that some sort of audit by some agency is as inevitable and unavoidable as taxes and death. With this realization, the only question now is: who do you want to perform an audit and determine if you have problems in your claims submissions? Hopefully, the answer is YOU rather than THEM – CMS, OIG, RAC, DOJ, SIU, etc. If the answer is YOU, then hopefully you have already addressed another “Unavoidable”: a Compliance Program that includes Internal Auditing and Monitoring. In the late 1990s, the OIG began issuing Compliance Program Guidelines for “voluntary” Compliance Programs for numerous provider types: Hospitals, Laboratories, Home Health, Third Party Billers and DMEPOS. The OIG believed that with “the development of these types of compliance program guidances … a health care provider can efficiently use internal controls to monitor adherence to applicable statutes, regulations and program requirements.”[1] Each and every compliance program incorporates the same seven (7) fundamental elements:

  1. Written Policies and Procedures, and Standard (Code) of Conduct
  2. Designated Compliance Officer and Compliance Committee
  3. Conduct Effective Training and Education
  4. Conduct Internal Monitoring and Auditing
  5. Develop Effective Lines of Communication
  6. Responding Promptly to Detected Offenses and Develop Corrective Action.
Every provider or supplier that has been through Accreditation is familiar with the fundamental Compliance Program and elements. But not every provider or supplier has an “effective” Compliance Program that actually implements regular internal auditing and monitoring. Why do I need to perform Internal Auditing? Do you have regular internal audits to determine if your claims are accurate? Do you have the supporting documentation? Do you file duplicate claims? Did you use the correct code or modifier? Do you have an overpayment? Did you bill claims more than three months after a beneficiary’s death? Did you find problem claims? IF your answer is “no,” then you do NOT have an “effective” Compliance Program. IF your answer is “yes,” then we must ask if an error was identified and if so, did you correct it; refund the overpayment; educate your staff to avoid it from occurring again; create a Corrective Action Plan? All of these actions are fundamental to an effective Compliance Program which, as noted by the OIG in 1999, is designed to help you efficiently adhere to applicable statutes, regulations and program requirements. If you don’t have an active, regular internal auditing and monitoring process you have no idea of your risks. Time to worry – CMS does know your risks. CMS recently centralized ALL Medicare and Medicaid claims data and in November 2014 created the Office of Enterprise Data and Analytics (OEDA). CMS’ Center for Program Integrity (CPI) has several divisions that work with OEDA to identify, investigate and address integrity, fraud and abuse issues in Medicare, Medicaid and CHIP. The CPI divisions include Program Enrollment, Data Analytics, Investigations & Audits, and Data Sharing and Partnership Group, among other divisions. So let’s connect the dots: CMS has all your data (as well as everyone else’s data to compare you with) which is updated daily in their Enterprise Data Warehouse. The CPI Group analyzes all your data seeking aberrant billing, duplicate claims, billing beyond three months after death and any other identified risks or trends. Identified providers are referred to the ZPIC (soon to be UPIC) for investigations and audits. CPI shares the identified concerns with other “stakeholders,” which include OIG, DOJ, private payers’ special investigation units, etc. They also track these concerns and the provider numbers associated with the risks. What are the consequences if I don’t Audit or have a Compliance Program? Keeping all the above information in mind, it is important to know that in December 2014, CMS issued a Final Rule under authority of the Affordable Care Act, for “new safeguards to reduce Medicare fraud.” This new rule “improves CMS’ ability to deny or revoke the enrollment of entities and individuals that pose a program integrity risk to Medicare.” CMS now has the authority and ability to:
  1. Deny enrollment of providers, supplier, and owners affiliated with an entity that has unpaid Medicare debt.…
  2. Deny or revoke billing privileges of a provider or supplier if a managing employee has been convicted of certain felony offenses….
  3. Revoke billing privileges of providers and suppliers that have a pattern or practice of billing for services that do not meet Medicare requirements. This is intended to address providers and suppliers that regularly submit improper claims in such a way that it poses a risk to the Medicare program. [emphasis added]
  4. Make the effective date of billing privileges consistent across certain provider and supplier types… Putting these puzzle pieces together, we see that:
  • OIG and CMS have for decades indicated that providers and suppliers should implement internal auditing and monitoring as part of an effective Compliance Program
  • CMS now has centralized national data of all providers and suppliers in an Enterprise Data Center which is analyzed and provided to the CPI (Center for Program Integrity) and its contractors (ZPIC, MEDIC, etc) to identify providers who “pose a risk to Medicare”
  • The CPI group provides identified providers that “pose a risk to Medicare” to its Provider Enrollment and Oversight Group
  • CMS’ new Final Rule authorizes CMS to REVOKE your billing privileges if you have a “pattern or practice of billing for services that do not meet Medicare requirements.” If you “regularly submit improper claims in such a way that it poses a risk to the Medicare program,” your billing privileges can and will be REVOKED.
The bottom line for audits – it is critically important that YOU perform internal audits and monitoring before THEY audit you. It is critically important that you identify and correct errors in your claims. It is critically important to not “regularly submit improper claims” or “have a pattern and practice of billing for services that do not meet Medicare requirements” and pose a risk to the Medicare program. Otherwise, you are at great risk of having CMS revoke your billing privileges. The new Final Rule does not define “pattern and practice” or “regularly submit” and you don’t want to be the case example for the definition. The power of CMS has become greater and more immediate in stopping fraud or abuse. CMS is no longer waiting on the OIG to investigate, or the DOJ to prosecute, or have providers excluded and added to the OIG’s List of Excluded Individuals and Entities (LEIE). If YOU fail to audit yourself, rest assured CMS will do it for you – and it could be at great cost to YOU. The days of “voluntary” Compliance Programs have shifted under the Affordable Care Act and are now “mandatory” Compliance Programs. Provider enrollment is directly tied to Compliance Programs, as noted in the new CMS Final Rule and in section 6401(a) of the Affordable Care Act (which requires a compliance program as a condition of enrollment in Medicare, Medicaid and Children’s Health Insurance Program [CHIP]).[2] The bottom line is, don’t wait and hope THEY don’t audit you. Implement an effective Compliance Program and ensure YOU perform Internal Auditing and Monitoring on a regular basis. [1] 64 FR 36368, (July 6 1999).