Breaking Compliance News Blog

OIG finds 61% therapy services error rate

Posted by Margaret Scavotto, JD, CHC on 5/23/18 7:02 AM


In March 2018, the OIG issued Report A-05-14-00041, Many Medicare Claims for Outpatient Physical Therapy Services Did Not Comply with Medicare Requirements.

The OIG reviewed 300 random Medicare outpatient PT claims for services provided between July and December of 2013.

Based on its review, the OIG found:

  • 61% of outpatient Medicare PT services did not comply with Medicare requirements.
  • Medicare paid an estimated $367 million for these services.

The OIG identified three types of claims errors: medical necessity, coding, and documentation. Here is a breakdown of the errors by type:

Medical Necessity Errors (91 claims out of 300)

  • 98%: Services not reasonable
  • 33%: Services not effective
  • 31%: Services did not require the skills of a therapist
  • 29%: No expectation of significant improvement

Coding Errors (145 claims)

  • 59%: Timed units claimed did not match units in treatment notes
  • 54%: Missing modifiers
  • 41%: Incorrect codes

Documentation Errors (112 claims)

  • 71%: Plan-of-care deficiencies
  • 66%: Treatment note deficiencies
  • 8%:  Recertification deficiencies

Providers of outpatient physical therapy can expect increased claims monitoring by CMS, as well as more education from CMS.

Same song different tune?

 While this review focused on outpatient physical therapy provided in an office setting, the OIG has similar concerns about therapy provided in nursing homes.  A 2012 OIG report found errors involving coding, medical necessity, and documentation in SNFs.

In November 2012, the OIG released a report: Inappropriate Payments to Skilled Nursing Facilities Cost Medicare More than a Billion Dollars in 2009.    

The OIG found that 25% of all SNF Medicare claims were erroneous. The errors included:

  • 20.3%: Claims with an inaccurate RUG (upcoded). In 57% of these claims, SNFs provided more therapy on the MDS than was documented in the medical record; and 25% of these claims involved therapy listed in the medical record that was not reasonable and necessary
  • 2.5%: Claims with an inaccurate RUG (downcoded)
  • 2.1%: Claims that did not meet Medicare coverage requirements (e.g. no physician order)

The OIG also found that 47% of claims involved inaccurate MDS information. The primary reporting error was the amount of therapy received or needed, followed by special care, ADLs, oral/nutrition status, and skin conditions/treatment.

What you can do

The takeaway here is: whether you are providing outpatient therapy, skilled nursing therapy – or another Medicare service involving therapy – medical necessity, documentation and coding errors remain common errors of OIG concern. Incorporating these items into your regular compliance audits will help you find and correct errors internally and improve claims accuracy.

Topics: Auditing and Monitoring, Billing and Claims Submission, OIG compliance resources

What's in the box? HIPAA wants to know

Posted by Margaret Scavotto, JD, CHC on 5/17/18 7:00 AM

A Texas Health and Human Services Commission employee was fired for allegedly failing to secure protected health information as required by HIPAA. The employee denied the allegations.

A few weeks later, this former employee found two boxes on her doorstep. First, a box of personal items (not hers) such as shoes, pens and a coffee cup that were cleaned out from a desk she shared. Second, a box of state assistance applications that potentially include PHI: social security numbers, billing statements, and more – for hundreds of people.

The ex-employee called the authorities, and returned the boxes to the Texas Health and Human Services Commission.

We don’t know exactly what happened here. And we can’t be certain PHI was in the box. But, this news story leads to a few questions…

In your organization, who clears out an employee’s desk after termination? Was he or she trained on HIPAA? Clinical personnel aren’t the only individuals who need HIPAA training. All staff should be trained to recognize the risks of paper PHI, and this example shows us why.

Do any of your desks contain PHI? There is no such thing as “secure” paper PHI. I repeat: there is no secure paper PHI. Redaction does not count. To be secured, paper PHI must be 1) destroyed (i.e. shredded); or 2) converted to electronic PHI and encrypted – so the paper can then be destroyed. Paper PHI is an un-securable risk. Leaving paper PHI in a desk drawer is particularly risky.

If you have paper PHI, who can access it? Could someone put it in a box and send it to a former employee by mistake? Is it locked up? Do you need a key to get to it? If someone asked for the key, would they be questioned about why access is needed?

Because there is no such thing as secure paper PHI, healthcare providers should strive to go paperless. That might seem like a pie-in-the-sky goal now – but make a game plan to get to a point where all PHI is electronic and encrypted.  Until then, do everything you can to minimize paper PHI, and protect it with physical controls.

Topics: HIPAA

Improper Sharing of Medical Files Results in a Criminal Violation of HIPAA

Posted by Scott Gima on 5/15/18 7:00 AM

On April 30, 2018, the U.S. Attorney’s Office in the District of Massachusetts reported the criminal conviction of Rita Luthra, M.D., a Springfield, Massachusetts gynecologist, for one count of violation of the HIPAA Act and one count of obstruction of a criminal health care investigation. Sentencing has yet to be scheduled. The HIPAA criminal charges stemmed from the allegation that Dr. Luthra allowed a Warner Chilcott pharmaceutical sales representative to access her patients’ medical files.

In October of 2015, Warner Chilcott entered into a false claims settlement with the federal government. Warner Chilcott agreed to pay $125 million to resolve criminal and False Claims Act allegations related to the company’s drug marketing campaign. Warner Chilcott was charged with paying kickbacks to physicians to induce them to prescribe its drugs, and manipulating prior authorizations to get insurers to cover the drugs they would not normally cover.

Dr. Luthra was receiving “numerous” denials for a Warner Chilcott osteoporosis medication unless there was a prior authorization. To expedite the prior authorization process, the Warner Chilcott sales representative was given access to Dr. Luthra’s medical records in order to prepare the prior authorizations that would then be signed by Dr. Luthra.

Criminal convictions as a result of a HIPAA violation do happen occasionally. In addition to OCR fines and penalties, criminal charges and convictions can occur when covered entities “knowingly” obtain or disclose protected health information in violation of HIPAA. MPA recommends including examples of both civil and criminal HIPAA violations and penalties in your HIPAA training program.

Topics: HIPAA, Kickbacks and Referrals

Why leading a compliance program is like going to the gym

Posted by Margaret Scavotto, JD, CHC on 5/10/18 7:00 AM

This month, HCCA's Compliance Today magazine included a Blog Highlight written by Margaret Scavotto: Why leading a compliance program is like going to the gym.

Why Leading a Compliance Program Is Like Going to the Gym

Leading a compliance program is like going to the gym. You don't set up a gym in your basement, try out the treadmill, do ten sit ups, cross the gym off your list and never go back. To thrive, your body needs you to go to the gym regularly. You might modify your gym routine, but to be healthy, it takes continuous work. An Olympian who quits the gym and never goes back will become out of shape. 

Topics: Culture of Compliance

2017 PEPPER Reports are here! Are you an outlier?

Posted by Margaret Scavotto, JD, CHC on 5/8/18 7:00 AM

The latest PEPPER (Program for Evaluating Payment Patterns Electronic Report) reports have been released for SNF, LT, IRF, IPF, CAH and hospice providers. You can access your PEPPER online. Home health providers and partial hospitalization programs can expect their PEPPERs to arrive in July 2018.

This latest PEPPER uses statistics for October 1, 2016 through September 30, 2017, and will be available for download for approximately two years.

To download your PEPPER, the Compliance Officer, CEO, President or Administrator needs to:

  1. Visit the PEPPER Resources Portal
  2. Enter your information. You will need a Patient Control Number (form locator 03a on the UB04) or a Medical Record Number (form locator 03b) for a claim of a traditional fee-for-service (FFS) Medicare patient/beneficiary who was receiving services at this provider with a “From” or “Through” date between July 1 - 30, 2017.
  3. Download your PEPPER.

If you need help, review the Secure PEPPER Access Guide.

Why PEPPER matters

Your PEPPER report can help you compare your organization to other providers, and determine whether you have been identified as an outlier at risk for improper payments. PEPPER considers a provider to be an outlier if its Target Areas are at or above the 80th percentile, or at or below the 20th percentile, depending on the area. If your PEPPER shows you are an outlier, an internal audit should be conducted to identify any improper payments or non-compliant practices. CMS is quick to point out that variances from the national data do not necessarily mean billing irregularities have occurred. However, it would be wise to determine why the government has identified you as an outlier.

In other words, the government is mining your data and evaluating your claims—and so should you. By incorporating PEPPER data into your compliance auditing strategy, you can identify potential areas of non-compliance that could make you a government target. And of course, a "good" PEPPER should not give you false confidence about your claims – MPA recommends conducting documentation reviews to ensure claims are appropriate, even if you aren't an outlier.

Don’t wait

PEPPER comes once a year, but our attention to it should be ongoing. Don't wait for the report to be released in April. Work with your billing department to see what reports you can run internally to track the Target Areas as part of your compliance efforts. This way, there will be no surprises in April 2019.

Topics: PEPPER

OIG Launches Compliance Resources Portal

Posted by Margaret Scavotto, JD, CHC on 5/1/18 6:58 AM

At the HCCA Compliance Institute held in Las Vegas April 15-18, Keynote Speaker and HHS Inspector General Dan Levinson announced the OIG's new Compliance Resources Portal.

Now, compliance officers can find all of the OIG’s compliance resources on one page.

The resources include:

  1. Toolkits
  2. Provider Compliance Resources and Training*
  3. Advisory Opinions
  4. Voluntary Compliance and Exclusions Resources
  5. Special Fraud Alerts, Other Guidance, and Safe Harbor Regulations
  6. Resources for Health Care Boards
  7. Resources for Physicians
  8. Accountable Care Organizations

 * Compliance Program Guidance is housed here.

 Soon, the OIG will be posting a new resource: the OIG Toolkit to Identify Patients at Risk of Opioid misuse.

 If you are looking for criminal, civil or state enforcement actions, civil monetary penalties, exclusions or corporate integrity agreement enforcement, those updates are still located under the Fraud tab.


Topics: Compliance Basics, Penalties and Enforcement, OIG compliance resources

Is HIPAA Changing?

Posted by Margaret Scavotto, JD, CHC on 4/26/18 6:44 AM

 Last week, I heard Marissa Gordon-Nguyen, Senior Advisor for HIPAA Policy for the Office of Civil Rights (OCR), and Iliana Peters, formerly of the OCR and now with Polsinelli, speak about HIPAA enforcement. Here’s a summary of the tips they shared, as well as a few ways HIPAA might be changing.

Not encrypting? That’s “less and less persuasive”

Many providers struggle to decide whether to invest in encrypting electronic PHI. After all, encryption is addressable, but not required, under the HIPAA security rule. Iliana Peters advised that covered entities’ and business associates’ reasons for not encrypting “are becoming less and less persuasive” to the OCR. This is partly because encryption methods are increasingly available and affordable. And, encryption brings important security benefits to an increasingly high-risk environment.

New guidance!

The OCR is currently developing new guidance for covered entities and business associates, addressing:

  1. Social Media
  2. Texting
  3. Encryption

While there is not a timeline for releasing this guidance, MPA will let you know when it’s available.

New changes?

Ms. Gordon-Nguyen discussed three potential HIPAA changes that we might see soon:

Topics: HIPAA

Social Media Snafus May Lead to Policy Changes, Creative Training

Posted by Margaret Scavotto, JD, CHC on 3/15/18 6:22 AM

This month, HCCA's Report on Medicare Compliance published an article featuring Margaret Scavotto's comments on the HIPAA risks of social media for healthcare providers:

Topics: HIPAA, Social Media

Is your EHR ready for ransomware?

Posted by Scott Gima on 2/28/18 7:02 AM

In January 2018, EHR vendor Allscripts was a target of a ransomware attack that took down several of its applications, including its EHR and patient management/scheduling systems. FierceHealthcare reported the following notice from Allscripts: “While we cannot guarantee that the hosted Professional suite and hosted Allscripts PM service will be fully restored to all clients on Monday, Jan. 22, we do currently expect to return meaningful service to the majority of clients over the next 12-24 hours.”

For example, a medical group was unable to use Allscripts’ e-prescribing system after the ransomware attack. Others could not access their EHR.

The use of cloud-based applications has increased providers’ reliance on EHR vendor security measures. A detailed contract that states standards for EHR data protection is a start. But it only provides the ability to seek legal and financial remedies if the EHR vendor fails to meet its contractual obligations. It does nothing to guarantee uninterrupted access to your data.

A copy of your EHR data that is saved to an on-site computer is the only way to ensure access. A mirror backup provides an exact copy of the data. The technology allows updates to the mirror backup every 15 minutes. When selecting an EHR vendor, the availability of a mirror backup must be a key selection criterion. A local copy of the EHR application is also needed. Without it, the data is useless.

Topics: HIPAA, records, data breach

What's In Your Dumpster? HIPAA Wants to Know

Posted by Margaret Scavotto, JD, CHC on 2/13/18 7:03 AM

An Allentown, PA resident stumbled across garbage bags of OB/GYN medical records at the local recycling center – and reported the records to the city and the media.

A reporter visited the recycling center and found the records – un-shredded. The records contained both personal information and healthcare information, including sexually transmitted disease diagnoses.

Dumped, again

In Springfield, Ohio, another recycler was surprised to encounter lab records at the local recycling center on Thanksgiving Day: “There were thousands of records…social security numbers….This was a whole feast for total identity theft.”

Topics: HIPAA
