Health Care Compliance Watch : New York Health Care Compliance Lawyer & Attorney : Ilana Sable : NY Physician Representation Law

While it is impossible to pinpoint the exact areas that Recovery Audit Contractors (“RACs") will target when reviewing medical bills sent to Medicare, each regional RAC is required to post its current “issues under review” and disclose to the public the specific codes and/or procedures currently being audited by automated reviews (where no medical record is involved in the review). 

For instance, the “issues under review” identified by Region A - Diversified Collection Services (which audits New York and New Jersey, among other states) are:

•         IV Hydration

•         Bronchoscopy services

•         Blood transfusions

•         Untimed Codes

•         Neulasta: J2505; injection, Pegfilgrastim, 6mg

•         Once In A Lifetime codes

•         Newborn/Pediatric codes (i.e. newborn pediatric codes Billed for patients exceeding age limits)

•         New patient visits

•         Duplicate claims - Part B only

•         Global billing of radiology or diagnostic tests in the facility setting

•         Add-on codes

If your medical practice provides services that are identified as “issues under review,” the first step in any internal review and self-audit is to have the practices medical biller(s) and performing physician(s) review: (a) the applicable local coverage determinations (“LCDs”) and (b) the “issue description” and “issue references” disclosed with the specific “issue under review.” In most cases, the practice can easily correct the “issue” being audited by using an alternate code, submitting claims that are more detailed and/or limiting the services to allowable: beneficiaries, duration, frequency or levels.

• Email This
• Print
• Comments
• Trackbacks

On July 29, 2009, the Federal Trade Commission ("FTC") announced that it would redouble its efforts to educate small business (including most health care providers) about compliance with the "Red Flags" Rule by providing additional resources and guidance to clarify whether businesses are covered by the Rule, and what they must do to comply. In the spirit of this effort, the FTC has decided to further delay enforcement of the Rule until November 1, 2009.   

I suspect that many health care providers subject to the Red Flag's Rule would not have been in compliance on the original August 1, 2009 enforcement date, and therefore still need to put together a compliance program.  The good news is that compliance is relatively easy and will take very little time to complete.  I recommend reviewing the FTC's newly added Red Flag's Rule: "Frequently Asked Questions" section to determine if your business is subject to compliance under the Rule.  If so, see the FTC's compliance template (pdf) for businesses at low risk for identity theft.  It is short, straightforward and simple to use.

• Email This
• Print
• Comments
• Trackbacks

The FTC has posted a compliance template (pdf) for businesses at low risk for identity theft, such as most health care providers.  The template allows business owners to design their own Identity Theft Prevention Program in accordance with the FTC Red Flags Rule, and consists of two relatively easy to use parts. 

Part A helps users determine if their business is at low risk, and Part B helps users design a written Identity Theft Prevention Program if their business is in a low risk category.

However, like any other compliance regulation, the purpose of the Red Flags Rule is not to inflict more paperwork on affected businesses; its purpose is to foster meaningful use of effective identity theft prevention programs.  At minimum, health care providers must actually adhere to the programs that they develop, and train their employees accordingly.

Remember, the implementation date for the Red Flags Rule is August 1, 2009!
 

• Email This
• Print
• Comments
• Trackbacks

The “Red Flags” Rule, enforced by the Federal Trade Commission (“FTC”), requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts.

The Red Flags Rule applies to financial institutions and creditors. The determination of whether your business or organization is covered by the Red Flags Rule is not based on your industry or sector, but rather on whether your activities fall within the relevant definitions.

The definition of “creditor” is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later. Health care providers are among the entities that may fall within this definition, depending on how and when they collect payment for their services.

For instance, health care providers become third party creditors, like credit card companies, when they extend their services (give value) to patients and then wait to receive payment from their patients’ health insurance carriers. While the health care provider is waiting to receive payment, he or she has “credited” the service to the patient with the expectation of reimbursement from the insurer at some future time.

Another example is health care providers who offer payment plans to their patients. This is often the case with very expensive, and frequently uninsured, dental work, where the health care provider offers the patient a payment plan that the patient pays off over the course of the treatment. Again, the health care provider credits the patient with the service and waits for full reimbursement from the patient.

On April 30, 2009, the FTC announced that it is postponing implementation of its Red Flags Rule until August 1, 2009. For more information of the Red Flags rule – and how it applied to your practice – please see the FTC’s guide on Fighting Fraud with the Red Flags Rule: A How-To Guide for Business (pdf).
 

• Email This
• Print
• Comments
• Trackbacks

After spending a few days absorbing the newly issued Office of the Medicaid Inspector General (“OMIG”) regulations regarding NY State provider compliance programs, I am wondering what the term “Medicaid Providers …” includes.

It is clear that providers who meet the $500,000 minimum simply by billing directly to Medicaid are subject to the regulations, but what about those providers who devote a significant portion of their practice to patients enrolled in Medicaid managed care programs. Most Medicaid eligible people residing in mandatory counties are required to join a managed care health plan, and are therefore utilizing Medicaid benefits through an alternative means. However, the problem is that often times providers cannot distinguish which of their managed care patients are Medicaid recipients.

For example, in Kings County, New York, Medicaid managed care plans are available through managed care providers such as:

• GHI HMO
• Metroplus Health Plan
• Neighborhood Health Providers
• United Healthcare of New York

These managed care plans offer coverage to the general public, as well as Medicaid recipients, thereby making it very difficult for providers to determine when they are providing services to Medicaid recipients.

Furthermore, managed care generally covers most of the benefits recipients will use, including all preventative and primary care, inpatient care, and eye care. Therefore, it is likely that many New York State providers will fall into a category where they meet the $500,000 minimum set by the OMIG simply by providing services to patients enrolled in Medicaid managed care programs. New York State providers are strongly encouraged to further investigate, and prepare for, this possibility.

Whether or not a provider falls into a category of “Medicaid Provider,” as defined by the OMIG, it is highly advisable for all providers to draft and implement a comprehensive compliance program for their practices. At minimum, these programs will ward off potential privacy breaches, detect and prevent improper billing, and educate and train employees in regulatory compliance. The reward will certainly outweigh any investment of time, money and personnel.
 

• Email This
• Print
• Comments
• Trackbacks

On January 14, 2009, the New York State Office of the Medicaid Inspector General (“OMIG”) adopted regulations stating that New York State providers of care, services and supplies for which the Medicaid program constitutes a substantial portion of their business operations are required to adopt and implement effective compliance plans.

The OMIG defines “substantial portion” of business operations to mean any of the following:

1. a person, provider or an affiliate of the provider claims or orders, or has claimed or has         ordered, or should be reasonably expected to claim or order at least $500,000 in a consecutive twelve-month period from the medical assistance program;
2. a person, provider or an affiliate of the provider receives or has received, or should be reasonably expected to receive at least $500,000 in any consecutive twelve-month period directly or indirectly from the medical assistance program; or
3. a person, provider or an affiliate of the provider who submits or has submitted claims for care, services, or supplies to the medical assistance program on behalf of another person or persons in the aggregate of at least $500,000 in a consecutive twelve-month period.

The OMIG regulations also state that the mandatory compliance programs shall be applicable to:

• billings;
• payments;
• medical necessity and quality of care;
• governance;
• mandatory reporting;
• credentialing; and
• other risk areas that are or should with due diligence be identified by the provider.

The OMIG regulations are in line with previous compliance guidance offered by agencies such as the Department of Health and Human Services. Specifically, the OMIG requires that required providers’ compliance programs shall include the following elements:

1. written policies and procedures;
2. designation of a compliance officer;
3. training and education of all affected employees and persons associated with the provider;
4. communication lines to the compliance officer;
5. disciplinary policies to encourage good faith participation in the compliance program;
6. a system of routine identification of compliance risk areas;
7. a system for responding to compliance issues as they are raised; and
8. a policy for non-intimidation and non-retaliation for good faith participation in the compliance program

In the future, the OMIG is expected to issue specific compliance program guidelines for certain types of required providers.

• Email This
• Print
• Comments
• Trackbacks (1)

This post goes out to all those private medical practices that are under the impression that they are too small or too insignificant to draft and implement a comprehensive compliance program. You know who you are.

What are you doing to protect your patients medical records from inappropriate examination or theft? How do you ensure that your practice is consistently billing and coding “clean claims”? How will your prove that your employees are trained in handling protected health information?

Auditors, attorneys and inspectors will not be amused when they ask to see your compliance manual and you, in turn, point to the “employees only” sign on your wall.  Every single private medical practice is subject to the rules and regulations of powerhouses such as HIPAA, and is thereby encouraged to have a formal corporate compliance program. And I am not talking about a 1,000 page binder that would take an entire week to read. To the contrary, a comprehensive compliance program consists of seven fundamental elements:

1. Implement written policies, procedures and standards of conduct
2. Designate a compliance officer to be responsible for execution of the compliance program
3. Conduct effective and consistent employee training and education
4. Develop lines of communication for employees, patients and private citizens
5. Enforce compliance standards through well-publicized disciplinary guidelines
6. Conduct regular internal monitoring and auditing
7. Respond promptly to detected offenses and develop a strategy for corrective action

The trick is to take these seven elements, transform them into a simple set of written guidelines that are tailored to meet the needs of the individual practice, and then incorporate them into the practice's daily routine.

• Email This
• Print
• Comments
• Trackbacks