Compliance Issues:Self-Disclosure, RAC Auditsand Red Flags

Kimberly A. LicataKimberly A. LicataPresented toGE Centricity Group Management SoutheastUser Group Winter ConferenceFebruary 11-12, 2010

These materials have been prepared by Poyner Spruill LLP for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship.

2

Self-Disclosure

Voluntarily telling the government your potential legal problems before the government comes looking for you.

3

OIG Provider Self-Disclosure Protocol (SDP)

• The Office of Inspector General (OIG) of the federal Department of Health and Human Services started this program in 1998 and it is open to all providers and suppliers.

• SDP applies to any matter that potentially violatesfederal criminal, civil, or administrative laws or regulations.– SDP does not apply to overpayments or mere billing

errors not implicating violations of the law.• See carrier or FI for these issues directly.

– Intent or reckless conduct is usually required except when the potential violation falls under the Stark law.

• Approximately 500 disclosures have been made under the SDP.

4

OIG Provider SDP• Requirements:

– Submitted in writing including specified “basic” information (names, IDs, ownership, organizational description, contact information for a designated representative).

– Describe the matter fully (type of claim, transaction or other conduct giving rise to the matter; names of entities and individuals involved and relative roles; time frame involved; type of provider involved and associated billing numbers, etc.).

– Why the disclosing provider believes a law or regulation has been violated.

– Certification that the submission contains truthful information and is based on good faith.

– Cooperation is required throughout the process.

5

Potential Risks Associated with Retentionof Overpayments• Knowing retention of an overpayment can lead to

inferences of bad faith and intent potentially leading to serious problems for a provider.

• Various laws could be violated by conduct.• Are you flagged for life as a problem provider?• Substantial penalties:

– Civil Monetary Penalties (CMPs) can be high.– Corporate Integrity Agreements (CIAs) can be burdensome and

time-consuming, not to mention difficult for PR and business development.

– False Claims Act liability and treble damages.– Program exclusion or suspension.– Jail time. Federal and state criminal laws may be implicated by

provider’s conduct.

6

Potential Risks of Self-Disclosure

• Providers will be making a repayment.• Cost and uncertainty of investigation prior to and during

disclosure.• Increased scrutiny of compliance efforts by government.• No guarantees in self-disclosure; the government can still

do anything it wants to a disclosing provider.• Cost and uncertainty associated with post-disclosure

resolution and implementation of any required processes or programs.

7

Potential Benefits of Self-Disclosure• Win brownie points with government for good faith efforts

to identify and resolve problems.• Criminal penalties may be taken off the plate.• Reduction of penalties or fines in lines with factors

identified in the U.S. Sentencing Guidelines and reduction of multipliers of damages (i.e., False Claims Act).

• Less restrictive CIA if a CIA is required at all.• Provider gets to tell its story without the government

having prior knowledge or perceptions of provider/situation.

– Never underestimate the vengeance nor the power of unhappy current or former employees or any whistleblower in the shaping of a story told to the government.

– Cast the bad facts in the best light possible and be proactive.

8

April 24, 2006 Open Letter to Health Care Providers

• First letter issued by the OIG on Self-Disclosure Protocol.

• Remains a vital guidance on the SDP, particularly as it relates to CIAs and other enforcement tools.

• Makes several key points as to self-disclosure:– Highlights that the SDP is limited to matters that involve

conduct potentially violating the anti-kickback statute and the Stark law.

– Notes provider liability falls along a continuum and the degree of provider’s cooperation will be considered when determining the appropriate remedies and settlement amount.

– The OIG will work with the Department of Justice (DOJ), but the DOJ will not be bound by the OIG.

9

April 15, 2008 Open Letter to Health Care Providers

• Second letter issued by the OIG on SDP.• Makes several key points as to self-disclosure:

– If you self-disclose, the OIG is generally committed to settling any liability under the OIG’s authorities “for an amount near the lower end of the damages continuum.”

– The OIG has streamlined procedures and recognizes the need for prompt and certain resolution of matter under the SDP.

– Providers must respond promptly to OIG inquiries and disclose in good faith or risk being removed from the SDP by the OIG.

– SDP is not intended to be used for mere billing errors, which should be reported directly to contractors.

10

April 15, 2008 Open Letter to Health Care Providers

• Requires initial submissions to include elements of Internal Investigation Guidelines.– Complete disclosure of the conduct being disclosed;– Description of internal investigation or a commitment

regarding when it will be completed;– Estimate of program damages, and methodology used to

calculate that figure or a commitment regarding when the provider will complete such estimate; and

– Statement of laws potentially violated by the conduct.

11

March 24, 2009 Open Letter to Health Care Providers

• Narrows the scope of the SDP. No longer accepting disclosure of a matter relating solely to a potential Stark violation.– Urges providers not to read into this. The government will

continue enforcement efforts against Stark violations.– States that providers with colorable anti-kickback claims will

be accepted into the SDP whether or not colorable self-referral claims also exist.

• Establishes a minimum settlement amount of $50,000 to “better allocate provider and OIG resources in addressing kickback issues through the SDP.”

12

Self-Disclosure Thoughts• Providers should consider the risks and benefits of any

potential self-disclosure.– Ask if your risks are being reduced by going to the OIG?

and– Whether your benefits are being increased?

• For example, if self-disclosure fixes the repayment at a more manageable amount or avoids a complicated and difficult CIA, it may the way to go.

• On the other hand, if self-disclosure is unlikely to reduce a potential payment or permits a more thorough investigation of the enterprise than the provider has conducted, the risk may be increased, not reduced.

13

Self-Disclosure Resources• OIG’s Provider SDP, 63 Fed. Reg. 58399 (Oct.

30, 1998).• OIG Website, includes letters to providers,

settlements, CIAs, other information on disclosure and fraud efforts in general: http://www.oig.hhs.gov/fraud/selfdisclosure.asp

RAC AuditsThe Government’s Hired Guns Are Coming; What You Need to Know

15

Recovery Audit Contractors (RACs)• RACs are government-approved

bounty hunters.• They are private firms under

contract with CMS on a region by region basis.

• The RAC Program started as a demonstration project, but was made permanent by law in 2006.

– Goals: detect and collect overpayments, identify and pay underpayments, and implement corrective action as needed.

• Applies to all fee-for-service providers (but not Part C or D).

• RACs are paid on a contingency basis.

16

Types of RAC Reviews• CMS posted a number of FAQs related to RAC reviews.• Automated Reviews – for black and white issues not requiring a

medical record review. CMS has stated an automated review is only appropriate if there is certainty of an overpayment based on:– A clear policy (a statute, regulation, National Coverage

Determination, coverage provision in an interpretive manual, or Local Coverage Determination that specifies the circumstances under which a service will always be considered an overpayment).

– A medically unbelievable service.– No timely response is received in response to a medical record

request letter. [45 days to respond to a request, can be extended].• Complex Reviews –requires medical record review, high

probability, but no certainty of an overpayment.

17

Examples of Each Type of Review• Automated Reviews:

– Identifying duplicate procedures on claims performed on a patient on the same day at the same facility.• Once in a life time procedures. Don’t have these twice!• Blood transfusion units.• IV hydration units.

– Identifying erroneous discharge status codes.• Complex Reviews:

– Verifying the diagnosis code on a claim matches the diagnosis described in the medical record.• DRG payment review if only one complication or comorbidity.

– Verifying medical necessity for the setting where the service was rendered based on a review of the beneficiary’s condition.

18

RAC Facts• During the three year demonstration project period, RACs

found over $1 billion in improper payments with 96% of these being overpayments.

• Of the overpayments found, 95% were hospital claims with the vast majority of those relating to inpatient care.

• Overpayments were based on:

40%

35%

8%

17%Medically unnecessary or furnished inthe wrong setting

Incorrectly coded services

Documentation (none or too little)

Other (e.g., duplicate claims orpayments)

19

More RAC Facts• Overpayments were most commonly found with:

– Hospital Inpatient• Wrong setting for surgeries (inpatient v. outpatient) (med.

unnecessary)• Wrong setting for defibrillator implants or treatment for heart failure

and shock (med. unnecessary)• Excisional debridement (improperly coded)• Respiratory system diagnoses with vent support (improperly coded)

– Hospital Outpatient• Neulasta (prescription to reduce risk of infection, chemo) (med.

unnecessary or improperly coded)• Speech therapy, PT and OT (med. unnecessary)• Infusion services (med. unnecessary)

– Inpatient Rehab• Services post-joint replacement (med. unnecessary)• Services for miscellaneous services (med. unnecessary)

20

RegionD

RegionC

RegionB

RegionA

RAC Jurisdictions

March 1, 2009

March 1, 2009

August 1, 2009

3

Initiation Dates forRAC Audits

21

Roles of Medicare Improper Payment Review Entities(CMS resource)

22

RAC Review Process Basics• RACs review claims on a postpayment basis.• RACs use the same Medicare policies as Fiscal Intermediaries (FIs),

Carriers and Medicare Administrative Contractors (MACs) (NCDs, LCDs & CMS manuals).

• RAC reviews will be either:– Automated (no medical record needed) – Complex (medical record required)CMS approval required for review in excess of 10 medical records.

• No review of claims paid prior to Oct. 1, 2007. RACs are able to “look back” three years from the date of payment subject to this Oct. 1, 2007 bar.

• RACs must employ a staff consisting of nurses, therapists, certified coders & a physician CMD.

23

How to Prepare for a RAC Audit• Conduct a pre-audit risk assessment.• Identify and educate key operational personnel throughout the

organization.• Be aware of and use the resources available to organizations (from

CMS, AHA, AHIMA, the RACs, etc.).• Develop and implement policies and procedures for handling RAC

record requests (will likely differ for an automated versus a complex review).

– This includes assigning roles and responsibilities (along with appropriate timeframes for completion) to tasks associated with each review.

– This includes having a means of tracking and documenting the process.• By RAC request, by outcome.• This is essential for an organization to be able to implement improvements based

on lessons learned.• Have an appeals strategy in place. There are well-defined (and short)

timeframes for appealing an adverse RAC determination. Be informed!

24

RAC Appeals• About a fifth of RAC overpayment determinations

have been appealed. Off this number, a third of the determinations were reversed on appeal.

• A provider’s appeal rights are explained in the Demand Letter.

• To assess a provider’s chances at appeal:– Review the RAC findings.– Ensure proper Medicare coverage and payment policies were

applied.– Review supporting documentation.– Determine next step – repayment or appeal.

25

• Rebuttal/Discussion with the RAC: first step requesting the RAC to re-evaluate its initial determination. Filed within 15 calendar days of the date of the Demand Letter. Does not stop the recoupment process nor stay the timeframe for filing an appeal.

• Five levels of RAC appeals:

Administrative Law Judge

RAC Appeals

Medicare Appeals Council/Departmental Appeals Board Federal District Court

ReconsiderationRedetermination

26

RAC Appeals• Specific timelines for appeals are explained in the

Demand Letter.• If an appeal (for redetermination) is filed within 30

days of the Demand Letter, the recoupment process is stopped. – FI/Carrier/MAC has 60 days to render a decision.– Otherwise, providers have 120 days from the Demand Letter

to file an appeal.

• Second level of appeal must be filed within 180 days of the redetermination with a qualified independent contractor (QIC). – It is essential to submit all documentation at this level.

27

RAC Appeals• Third level of appeal with the ALJ must be filed within 60

days of the QIC decision for claims at least $120 or more.– A decision must be issued by the ALJ within 90 days.

• Fourth level of appeal with the MAC or DAB (independent review agency of HHS) must be filed within 60 days of the ALJ decision.– No new evidence is allowed. Must sure your record is complete

BEFORE this stage.– Decision must be rendered within 90 days.

• Final level of appeal with a federal district court, filed within 60 days of the DAB decision with an amount in controversy of $1,180 or more.

28

RAC Resources

• CMS on RACs: www.cms.hhs.gov/RAC/• Connolly Healthcare (Region C RAC):

http://www.connollyhealthcare.com/RAC/pages/cms_RAC_Program.aspx

• American Hospital Association (AHA) resources: http://www.aha.org/aha/issues/RAC/index.html

• American Health Information Management Association (AHIMA) toolkit: http://www.ahima.org/infocenter/documents/RACToolkitFINAL.pdf

29

Red Flag Rules: The FTC Joins the Federal Agencies Overseeing Health Care

30

31

Overview of the Red Flag Rules• “Red flags” are a pattern, practice or specific activity that

indicates identity theft.• Regulations issued by the Federal Trade Commission (FTC) that

require companies to develop and implement written identity theft prevention programs designed to detect, prevent and litigate identity theft (including medical identity theft).

• Applicable to “creditors” offering “covered accounts”.– Any entity that allows deferred payment for services that are utilized

by an individual for personal, household or family purposes.• Financial institutions are a focus of the regulations, but they have

been determined to apply to health care providers. • Compliance deadline delayed until June 1, 2010.

32

How Health Care Providers Fall Under the Rules

• Health care providers are specifically identified by the FTC in the final rule. (see 72 Fed. Reg. at 63727).

• Several industry attempts to challenge the rule’s applicability to health care providers have failed.

• A health care provider would be a “creditor” if the health care provider does not regularly demand payment in full for services or supplies at the time of service and maintains covered accounts of its patients.– Collecting a co-pay or deductible at the time of service, then

collecting from third party payors, then collecting remaining balances from the patient may be a provider a “creditor.”

– Payment plans make a provider a “creditor.”

33

Complying with the Red Flag Rules:A Process for Implementation• Identify relevant red flags for the organization.

– “Red Flags” are those events that should alert the organization of a risk of identity theft.

– FTC suggests some red flags in the rule and the appendix and anorganization can review its own history of identity theft.

– Identify potential triggers to cause the organization to take action under a red flag policy.

• Detect and monitor for red flags with new and existing accounts.• Prevent and mitigate identity theft, including a process to escalate

respond to detected triggers.– “No response” could be a proper response, but whatever response will be

reviewed for appropriateness.• Update the program as needed.

34

Categories of Possible Red Flags

• Alerts, notifications or warnings from a consumer reporting agency, patients, others.

• Suspicious documents– Any forged document or falsified health insurance card.– Photo not matching appearance of patient.

• Suspicious personal identifying information– Variance between SSN and date of birth or other information

that is inconsistent with other personal information provided by the patient.

• Unusual or suspicious account activity– Changes in payment practices or spending habits.

35

Implementation of the Process

• Organizational approval of the final identity theft program.– Board of Directors, appropriate committee or subcommittee, etc.– Management oversight of the identity theft program must be maintained.

• Training and education of staff and employees.– Should include procedure for supervising any service provider who has

access to covered accounts (i.e., billing companies or collection agencies).

– Can be part of an existing compliance program, no need to re-train personnel already trained on fraud/identity theft.

– Develop schedule for periodic refresher training.• Reporting of identified incidents and the effectiveness of the Program

(including recommendations for material changes).

36

Changes to the Program

• Must be approved by the organization.• Changes may be appropriate if:

– New experiences with identity theft.– Changes in identity theft methods.– Changes in detection, prevention, mitigation of identity

theft.– Changes in covered accounts offered to patients.– Organizational changes in the health care provider (i.e.,

merger, acquisition, or alliance).

• Remember to refresh training with changes!

37

Potential Liability for Noncompliance

• FTC has the authority to seek a civil penalty of up to $2,500 per violation.

• States may sue to stop a violation and seek damages on behalf of residents (up to $1,000 per violation).

• Individuals do not have the right to sue an organization for violating the rules, but may be able to sue an organization for violating the related address discrepancy rules.– The Address Discrepancy Rules are only applicable to providers

who are users of consumer reports and are triggered when a user receives a notice of an address discrepancy from a consumer reporting agency.

38

Red Flag Resources

• FTC on the rules: http://www.ftc.gov/redflagsrule• AMA on the rules: http://www.ama-

assn.org/ama/no-index/physician-resources/red-flags-rule.shtml

• American Institute of CPAs (AICPA) on the rules (not health care-focused, but useful resources): http://infotech.aicpa.org/Resources/Privacy/Federal+State+and+Other+Professional+Regulations/Red+Flags+Rule+Guidance.htm

Contact Information

Kimberly LicataKimberly LicataPoyner Spruill LLP301 Fayetteville St., Ste. 1900Raleigh, NC 27601

Direct Dial: (919) 783-2949Fax: (919) 783-1075Email: klicata@poynerspruill.com

40

Questions?