Articles on Compliance Strategies

Featured Health Business Daily Story January 22, 2009

Compliance Officers Urged to Get Back to Basics in 2009 as Enforcers Focus on Big-Picture Risks

Reprinted from REPORT ON MEDICARE COMPLIANCE, the nation's leading source of news and strategic information on false claims, overpayments, compliance programs, billing errors and other Medicare compliance issues.

By Nina Youngstrom, Managing Editor, (nyoungstrom@aispub.com)

Five areas — provider enrollment, physician relationships, conditions of participation (CoP), provider-based status and public transparency — are ripe for intensified compliance education and monitoring in 2009. They have attracted the attention of Medicare watchdogs and are now the subject of audits, CMS transmittals and surveys.

The regulators and auditors' interest in these core areas means it's time for hospitals to get back to compliance basics, says Cheryl Rice, corporate director for corporate responsibility at Catholic Healthcare Partners, a 30-hospital system based in Ohio. "Whenever there are financial difficulties, you tend to see the government going back to basics — double-checking the basics because that's where the foundation is," she says. "Health systems might lose their sense of this as they focus on the latest and greatest."

Rice determined that the five areas have a high potential for error partly by using a risk analysis tool developed by CMS. She focused on the fact that some or all of the following factors applied to each risk area: (1) There were significant changes in laws or regulations or special requirements or instructions affecting the risk area; (2) there's an absence of well-documented policy/procedure or guidance in this area; (3) new accounting or regulatory guidance governs the risk area; and (4) it's the focus of varied interpretations or restructuring of guidance.

Here are some details on the five risk areas:

• Provider enrollment: Enrollment applications are foundational documents and critical program integrity tools. CMS and its contractors use data from enrollment forms (national provider identifier, tax ID, affiliation of owners) to crosscheck claims and provider relationships, so if the information isn't accurate, a provider invites trouble. CMS revamped the 855 enrollment form over the past year, but two new Medicare transmittals indicate a new level of scrutiny and suspicion, Rice says. The transmittals, released Dec. 19, make changes to the enrollment-oversight process. Transmittal 276 (Change Request 6194) directs Medicare contractors to validate when the owner of an entity dies so Medicare doesn't pay dead providers, a rip-off that was aired before Congress in 2008.

Transmittal 277 (Change Request 6097) creates new program-integrity procedures and additional enrollment verification. "The purpose of these instructions is to ensure that the Medicare billing privileges of physicians, nonphysician practitioners and organizational providers/suppliers are protected and [to ensure] that Medicare only pays qualified individuals and organizations," CMS states.

Tranmittal 277 is surprisingly specific in terms of steps that contractors must take before processing providers' enrollment information changes, including changes in practice addresses, changes in banking information for payment purpose and reassignment of benefits. For example, when providers submit a change in practice address, contractors are instructed to compare the signature on the new form against the one on the original enrollment form. If they don't match, contractors must use other means to verify the applicant's authenticity (e.g., driver's license photo). Contractors also must contact the old practice to verify that the provider is no longer located there. CMS says that if any of the verification activities raise red flags about identity theft or fraud, contractors must refer the case to a program safeguard contractor or zone program integrity contractor.

Contractors Should Do Background Checks

An additional level of scrutiny is applied to physicians. The transmittal directs contractors to do the equivalent of monthly background checks. The contractor must check the licensing boards in all the states in its jurisdiction every month to determine if the licenses of any physicians enrolled in Medicare were suspended, revoked or inactivated. CMS also wants this done when physicians relocate to another state, open an office in another state or resume practice after a hiatus. "That's pretty strong. CMS has no language like this anywhere else," Rice says. "Something underlying has happened to cause such an increased level of scrutiny."

• Physician relationships: A number of developments have converged to push physician relationships to the top of the risk-area list. Nonprofits must disclose financial relationships on the revised IRS form 990. A series of changes to the Stark physician self-referral ban were finalized in different regulations in 2008, and they either just took effect or will take effect in 2009. And CMS is expected to move forward with its Disclosure of Financial Relationships Report (DFRR) this year now that it has updated its plans pursuant to the Paperwork Reduction Act. DFRR will force affected hospitals to reveal their physician contracts to the government.
• Provider-based status: CMS has cracked down on physician supervision at provider-based entities — most recently with Transmittal 100, issued Dec. 31 — and the OIG Work Plan includes two different provider-based audits for 2009. After CMS published standards for provider-based entities in 2003, many freestanding centers jumped on the provider-based bandwagon to capture the payment bump for services provided in what's essentially a hospital outpatient department. "Nationally, a lot of freestanding [centers] have switched to provider based. They are doing it for reimbursement purposes without fully understanding what it means — that you walk and talk like the hospital, give up some autonomy, follow hospital policies and procedures," among other requirements, Rice says. Hospitals also might have become lax about compliance with the requirement because they only have to sign an attestation that an entity is provider based; there's no CMS approval process. "Most physicians have no understanding of the [provider-based] requirement," Rice says. "It has been resting on the shoulders of the hospital staff to explain provider-based status and perform due diligence as they set up new satellites or off-campus practices."

Recently, CMS heightened physician supervision requirements. In the latest transmittal (Change Request 6320), an update to the hospital outpatient prospective payment system, CMS emphasizes the need for physician supervision of therapeutic services provided incident to a physician's services, regardless of whether the provider-based entity is 30 miles away or the outpatient department is inside the hospital. As CMS states in new language in Sect. 20.5, "the services and supplies must be furnished under the order of a physician or other practitioner practicing within the extent of the Act, the Code of Federal Regulations, and State law, furnished by hospital personnel and under the direct supervision of a physician or clinical psychologist."

Off-Campus Entities Could Be Targets

Rice thinks OIG and CMS will first target off-campus provider-based entities because they have the most exposure for lack of physician supervision while holding themselves out to the community as a unit of the hospital. She is recommending to hospitals in her system that they review compliance with the provider-based requirements in the following order: (1) off-site entities within 35 miles of the hospital; (2) on-campus entities that are provider based but not in the hospital (e.g., a medical arts building within 250 yards of the hospital); and (3) then entities within the hospital that were added after 2003.

The OIG Work Plan takes aim at provider-based entities, with two different types of audits planned. One audit focuses on provider-based status of inpatient and outpatient facilities to determine whether they comply with Medicare requirements; the other audit addresses hospital-owned physician practices with and without provider-based designation.

• Conditions of participation: CMS recently modified sections of the hospital CoP, and now OIG is "circling around and saying 'We are coming back with the expectation that you have mastered these changes,'" Rice says. For example, CMS cracked down on the use of restraints and seclusion; disclosure of injuries and deaths is now required. CMS changed hospital documentation requirements (e.g., a final 2006 regulation gives physicians 30 days before an admission and 24 hours after admission to complete a history and physical and requires authentication of verbal orders, which means the physician who gave the verbal order must note the date and time and sign the order within 48 hours unless state law has a different deadline). CMS also revised EMTALA last year (see survey and certification letter 08-15, issued March 21, 2008) and addressed EMTALA's application to provider-based off-campus emergency departments and freestanding ED hospitals (see the survey and certification letter issued Jan. 1, 2008). CMS also expanded the CoP for ambulatory surgery centers. Hospitals should have safeguards in place to detect and address CoP shortcomings, Rice says.
• CoP compliance is critical from two perspectives: CMS can rescind Medicare certification if it determines a hospital has violated the CoP, and CoP noncompliance is emerging as a vehicle for a False Claims Act lawsuit under certain circumstances, such as patient restraint abuse.
• Public transparency: The link between payment and quality data "raises the stakes for compliance, and it raises the temptation for unscrupulous providers to fudge data to maintain payments," Rice says. Between CMS's inpatient and outpatient health quality reporting, the IRS 990, the 855 enrollment form, DFRR and other disclosures, hospitals are reporting a boatload of data — with more demands to come. Catholic Healthcare Partners is in the process of analyzing how it can ensure that its data are accurate and accommodate a process to double check data before submission, and establish checks and balances (i.e., not all data power is vested in one person).

"As the government belt tightens, it will say, 'If I am paying you, I better get what I am paying for," Rice says. "This is an emerging area of interest that the compliance committee, revenue cycle, financial and quality folks across the country are discussing." The challenge lies in ensuring the integrity of data and internal validation to ensure appropriate and accurate submission.

Advertise With AIS

Privacy

Site Map