Medicaid & Medicare Audits
An Emerging Threat to Providers
Article Date: Thursday, July 26, 2012
Written By: Renee J. Montgomery, Robert A. Leandro & Matthew W. Wolfe
Audits mean big potential recoupments for the government and big headaches for providers. Before the advent of electronic payments, healthcare providers looked forward to checking their mail. Now, with the explosion of audit activity, checking the mail for a provider is a scary proposition. Instead of payments, provider mailboxes may contain requests for documentation, notices of overpayment, and appeal decisions.
As a condition of receiving reimbursement under the Medicare and Medicaid programs, providers agree that they will only provide medically necessary services, will only bill for services provided, and will document the services provided. Frequently, the government does not confirm the provider’s compliance with these requirements prior to payment. Instead, the government pays the provider for the services billed but reserves the right to review the provider’s records later in a postpayment audit or review. This system is commonly referred to as “pay and chase.”
Although the government’s ability to perform postpayment audits may seem reasonable, often the government’s recoupment efforts can leave a provider bewildered and distraught. With a stringent focus on documentation requirements, many of which do not actually address medical necessity or whether the service was actually provided, and the growing use of sampling and extrapolation to increase the overpayment amounts, audits have become a growing concern for healthcare providers.
Healthcare attorneys are increasingly being asked to assist clients in preparing for these audits and then appealing the results. Additionally, attorneys are critical in assisting providers when the government seeks to impose sanctions, including payment suspension and prepayment review, before the provider has had the opportunity to challenge the audit.
This article examines the political and economic context for this increase in audit activity and describes the types of audits being conducted and the various appeal procedures. This article concludes with a discussion of how healthcare attorneys can assist their clients in preparing for audits and appealing adverse results.
Background
Healthcare audits are not new. Providers are accustomed to opening their doors and providing records for review by governmental entities and their contractors. Compliance reviews and licensure surveys have been commonplace. Traditionally, when a specific concern about fraud or abuse has been raised, providers have become subject to investigation and further scrutiny. However, the latest waves of audits are unique because often they are focused on maximizing recovery of alleged “overpayments” and not on investigating fraud and abuse or providing education to the provider on clinical issues.
Why is this happening? Federal and state governments are in fiscal crises. Therefore, governments are looking under every rock for spending cuts to balance their budgets. Providers have seen their rates frozen and slashed, the scope of services reduced, and prior authorizations added—all in the name of saving money. Another favored source of budget balancing is the recoupment of overpayments. The logic is appealing: this is money the government paid in the past that, from the auditor’s perspective, the government never should have paid—the government is simply asking for it back.
The Patient Protection and Affordable Care Act (“PPACA” or the “Act”), Pub. L. No. 111-148, 124 Stat. 119 (2010), has received much attention—positive and negative—for its individual mandate, its expansion of the Medicaid program, and other topics. The Act’s provisions dealing with provider fraud, abuse, and waste are often overlooked. PPACA includes enhanced screening requirements, promotion of sharing data across agencies, and increased penalties for healthcare providers, including tougher sentences for healthcare fraud. The Act also includes $350 million in new funding to fight fraud and abuse over the next 10 years.
Too often the phrase “fraud and abuse” gives the impression that all overpayments are the same. There is a real and legal difference between someone billing for services that were never provided and someone billing for services that were provided but that may not have been perfectly documented. Many findings in recent audits focus extensively on the latter.
For alleged fraud, “HEAT” teams, U.S. Attorneys’ Offices, and state Medicaid Fraud Control Units engage in long and costly investigations that sometimes result in prison sentences and headline-grabbing multi-million dollar settlements. For alleged program “abuse,” various federal and state agencies and contractors audit provider documentation to determine if there were any “overpayments.” There may be no immediate threat of prison, but the repayment demands are often as costly. For small and mid-size providers, the demands may force them out of business.
Different Audits, Different Auditors
Not all audits are created equal. There is a veritable alphabet soup of entities conducting these audits—each with their own catchy and intimidating acronym. They can be distinguished along at least five axes: (1) Who does the auditor work for? (2) How did the auditor select the provider? (3) What services is the auditor reviewing? (4) How is the auditor reviewing the services? and (5) What opportunities will the provider have to challenge the results?
The two main government payor sources are Medicare and Medicaid. The Medicare program largely uses contractors to conduct its audit activities. Different auditors focus on different issues and with varying scrutiny. There are Zone Program Integrity Contractors (“ZPICs”), Medicare Recovery Audit Contractors (“RACs”), and Medicare Administrative Contractors (“MACs”). Medicaid, as a federal-state program, has auditors on both the federal and state levels. Federal auditors include the Provider Error Rate Measurement (“PERM”) program and Medicaid Integrity Contractors (“MICs”). In North Carolina, the auditors include the Division of Medical Assistance (“DMA”) Audit Section, the DMA Program Integrity Section, and DMA’s contractor, the Public Consulting Group, Inc. (“PCG”). PCG is also North Carolina’s designated Medicaid Recovery Audit Contractor—another result of PPACA.
Historically, providers were audited when the government learned of some problem with the provider’s practices. This referral may have come from a patient, a former employee, or another provider. These targeted audits were based on specific reports of abuse, and thus, the audit typically focused on those specific issues.
In the data-laden world in which providers now operate, an auditor does not necessarily need to receive a report of abuse before asking to review files. Instead, the government now contracts with companies that utilize data-mining software with complex algorithms that can detect utilization patterns that differ from historical trends or that make a provider an outlier from its peers. The computer program thereby “refers” a provider for further audit. Sometimes, a provider is not targeted for audit because of any referral. Instead, the provider is randomly selected from a group of providers that provide similar healthcare services.
Once the auditor selects the provider, the auditor typically notifies the provider that it is being audited. This notice does not always include specific details on the reason for the audit or the scope of the audit. This notice may come in the form of a phone call or letter requesting documentation. The auditor’s actual review may be done in person or via a documentation request. The level of scrutiny used in each audit also varies. Some audits focus only on ensuring that providers used the proper billing codes. Others employ clinicians to conduct a documentation review and may even attempt to overturn the treating practitioner’s decision that the service was medically necessary.
Once the audit is concluded, the auditor will notify the provider of the results and likely demand that the provider repay funds it previously received for services rendered. As mentioned above, the overpayment amount may be based on extrapolation. Using this extrapolation technique, the auditors may review only a small sample of records. But the auditor will then apply the audit results to all of the records, even ones that were never reviewed. For example, the time period of the audit may include a total of 10,000 records representing $1 million in paid claims. The auditor may review only 50 of the 10,000 records. Of these 50 records actually reviewed, the auditor may allege that there was a problem with 10 of the records—or 20 percent of the sample. The error rate is then extrapolated to the entire population of claims ($1 million), resulting in a $200,000 overpayment demand.
This extrapolation technique is causing huge recoupment demands. Extrapolation gives states and their contractors the ability to seek larger recoveries with fewer resources. In other words, an auditor can now do 20 claims worth of work and get the equivalent of 1,000 claims worth of recovery. For some audit types, there is a financial incentive for recovery. For example, North Carolina’s Medicaid Recovery Audit Contractor, PCG, earns 7.75 percent of all the overpayments the state collects. Given these financial incentives, it is reasonable to assume that auditors are likely to use any potential documentation mistake, no matter how insignificant, to justify an overpayment finding.
Appeals Process
The appeals processes are unique to the audit types. Medicare and Medicaid audits have different appeal procedures with different appeal timelines. Providers are permitted to be represented by legal counsel. At the initial stages, providers’ challenges typically focus on the validity of the findings themselves. Because the initial notice provided by the auditor may contain very little information, it is important to request a detailed accounting of the findings and copies of the documents and other audit tools used by the auditors in making their decisions. It is not uncommon for auditors to use audit guidelines that incorrectly restate agency policy and regulatory requirements. Auditors also may have failed to request, or may have overlooked, documentation that directly refutes findings in the audit.
At the later stages of appeal, providers also may challenge the statistical sampling and extrapolation. Different auditors use different statistical techniques to derive the sample size. This sample size dictates how many records the auditors will review. The auditor should “randomly” select the records. After the auditor reviews the records and determines the error rate, the auditor uses a formula to project the expected overpayment as if all of the claims in the population had been reviewed.
Although the complexity of the statistics may cause attorneys to shy away from analyzing the extrapolation, any strong audit challenge needs to include scrutiny of the extrapolation methodology. Frequently, auditors base their samples on assumptions that may turn out to be false. The result is the extrapolation is not statistically valid. Auditors also may make data collection and computation errors, which may prove fatal to the extrapolation. Attorneys should consider engaging statistical consultants to conduct this analysis and to advise them on issues with the sampling and extrapolation.
In challenging an audit, counsel should also consider whether the auditor complied with statutory and regulatory procedural requirements and whether the audit complied with due process safeguards. For example, in North Carolina Medicaid and Health Choice audits, the North Carolina Department of Health and Human Services (the “Department”) is required to demonstrate and inform the provider that (i) the provider failed to substantially comply with the requirements of state or federal law or regulation or (ii) the Department has a credible allegation of fraud concerning the provider before the audit can use extrapolation. N.C.G.S.§ 108C-5(i). The Department must credential auditors that perform audits resulting in extrapolation. Id. § 108C-5(j). Before the audit, the Department is also required to inform the provider of the matters to be reviewed and specifically list the clinical, including, but not limited to, assessment of medical necessity, coding, authorization, or other matters reviewed and the time periods reviewed. Id. § 108C-5(k). An auditor’s failure to follow these steps could result in the recoupment being overturned.
Risk Mitigation
Although there is no way to immunize a provider from audits and potential recoupment actions, solid document retention policies and strong quality assurance programs are critical to minimizing the risk. When a provider is being audited, the provider must understand that, although an auditor may seem friendly and helpful, the auditor’s job is to find evidence to support an overpayment notice. Although it is not always possible, providers should attempt to determine which types of records the auditors needs for the matters under review. Providers should document their contacts with auditors and maintain copies of all documentation provided to the auditor. Providers should also make sure that they are aware of submissions and appeal deadlines.
The growth of healthcare audits is likely to continue. Providers need to understand the significant risks that these audits pose. Healthcare attorneys should advise their provider clients on these risks and help them develop prevention and mitigation strategies to deal with these waves of audits. Finally, providers should understand the complexity of the administrative appeals procedures. Although counsel is not required at the initial stages of most appeals, early involvement by legal counsel can help alleviate bigger problems down the road. Legal counsel experienced in challenging these audits can analyze the findings and the underlying documentation, evaluate the presence of any procedural defects with the audit process, ensure that the provider preserves legal defenses, and mount a challenge to the extrapolation of audit findings. With this multi-pronged attack, overpayment amounts can be substantially reduced or even eliminated. •
The authors are attorneys with Parker Poe Adams & Bernstein LLP’s Healthcare Team. The Healthcare Team provides representation and counsel to healthcare providers in a wide variety of regulatory, transactional, and litigation matters. The authors represent a variety of healthcare providers in connection with Medicare and Medicaid audits and other regulatory and administrative matters. Montgomery and Leandro regularly represent providers in Certificate of Need matters. Wolfe is also a member of Parker Poe’s Government Relations Team. Montgomery is a past president of the North Carolina Society of Health Care Attorneys and has served on the council of the Health Law Section.
Views and opinions expressed in articles published herein are the authors' only and are not to be attributed to this newsletter, the section, or the NCBA unless expressly stated. Authors are responsible for the accuracy of all citations and quotations.