Fraudsters Past and Present in CMS Crosshairs

Latest CMS effort is one of several new federal authorities. 

EDITOR’S NOTE: Former CMS career professional turned healthcare IT authority reported these developments Tuesday during Talk Ten Tuesday.

The Centers for Medicare & Medicaid Services (CMS) is taking a more proactive approach to reducing fraud and abuse in Medicare and other federal health programs. On Sept. 5, CMS issued a final rule, titled Program Integrity Enhancements to the Provider Enrollment Process (CMS-6058-FC). This rule strengthens the agency’s ability to stop fraud before it happens by keeping unscrupulous providers out of federal health insurance programs.

The rule creates several new authorities. A new “affiliations” authority in the rule allows CMS to identify individuals and organizations that pose an undue risk of fraud, waste, or abuse, based on their relationships with other previously sanctioned entities. For example, a currently enrolled or newly enrolling organization that has an owner/managing employee who is “affiliated” with another previously revoked organization can be denied enrollment in Medicare, Medicaid, and the Children’s Health Insurance Program (CHIP) – or, if already enrolled, it can have its enrollment revoked because of the problematic affiliation.  

Other authorities include the ability to deny enrollment if:

• A provider or supplier circumvents program rules by coming back into the program, or attempting to come back in, under a different name (e.g. the provider attempts to “reinvent” itself);
• A provider or supplier bills for services/items from non-compliant locations;
• A provider or supplier exhibits a pattern or practice of abusive ordering or certifying of Medicare Part A or Part B items, services, or drugs; or
• A provider or supplier has an outstanding debt to CMS from an overpayment that was referred to the U.S. Treasury Department.

These new authorities and restrictions are effective Nov. 4, 2019. 

As a reminder, a final rule “with comment” allows the rule to go into effect, but gives the public the opportunity to comment on the rule. The agency is under no obligation to respond to the comments or change the rule, but may do so if the comments warrant. In this case, the comments requested are for the section on affiliation and identifying provider affiliations. 

As part of CMS efforts to reduce fraud, abuse, and other claim errors, CMS has a Targeted Probe-and-Educate (TPE) program designed to help providers and suppliers reduce claim denials and appeals through one-on-one help. In this program, Medicare Administrative Contractors (MACs) use data analysis to identify providers and suppliers that have high claim error rates or unusual billing practices, and items and services that have high national error rates and are a financial risk to Medicare.

Providers whose claims are compliant with Medicare policy won’t be chosen for TPE. If chosen, providers have a small sample of claims reviewed, and if denials occur, then the provider is given one-on-one assistance to improve their billing. Some of the common errors include documentation not meeting medical necessity, incomplete certifications or recertifications, and encounter notes not supporting eligibility. 

And as a reminder during this hurricane season, as part of his declaration of a public health emergency (PHE), U.S. Department of Health and Human Services (HHS) Secretary Alex Azar has waived sanctions and penalties under certain provisions of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule that may otherwise apply to covered hospitals, including provisions that generally require covered entities to give patients the opportunity to agree or object to sharing information with family members or friends involved in the patient’s care. This waiver applies only to the emergency area and for the emergency period identified in the PHE declaration, and only to hospitals that have instituted a disaster protocol. Qualifying hospitals can take advantage of the waiver for up to 72 hours from the time the hospital implements its disaster protocol unless the PHE declaration terminates first.

Even without a waiver, the Privacy Rule allows patient information to be shared to assist in disaster relief efforts, and to assist patients in receiving the care they need. As explained in more detail in the Office for Civil Rights’ (OCR’s) Bulletin on Hurricane Dorian and HIPAA linked below, the Privacy Rule permits covered entities to share information for treatment purposes, public health activities, and to prevent or lessen a serious and imminent threat to health or safety. The Privacy Rule also allows the sharing of information with patients’ family, friends, and others involved in their care in emergency situations to ensure proper care and treatment.