I guess there is no rest for the weary. Just as we start seeing some relief from the worst of the pandemic, the OIG starts adding more items to their Work Plan. And in the second quarter of this year, they’ve added more items than I can remember. In fact, given the enormous expenditures the federal government laid out during the pandemic, I think it is safe to say we will continue to see an increase in oversight and enforcement activity for some time.
To get you up to speed, let’s take a closer look at some of the Work Plan items added over the past three months.
HHS's Governance to Ensure Hospitals Implement Measures to Prevent, Detect, and Recover from Cyber Attacks
If you read the news, you’ve no doubt heard of the recent wave of cyber attacks in America. They have taken down food processors, oil and gas pipelines, and other critical infrastructure companies. And there are plenty of malicious actors out there that want medical information and electronic protected health information (ePHI). Ransomware, destructive malware, insider threats, and even honest mistakes are examples of ever-present threats to U.S. hospital operations and the security of ePHI.
The OIG stated that “in October 2020, the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Department of Health and Human Services (HHS) issued a joint cybersecurity advisory regarding ransomware activity targeting the health care and public health sector. The advisory stated that threat actors have continued to develop new functionality and tools, thereby increasing the ease, speed, and profitability of ransomware attacks.”
The OIG will audit HHS's governance over its programs to determine whether HHS's Office of Civil Rights (OCR) has performed periodic audits of hospitals, to assess compliance with Health Insurance Portability and Accountability Act (HIPAA) Security, Privacy, and Breach Notification rules to determine whether these audits effectively assessed ePHI protections. The OIG will not just be checking up on HHS’s governance of these issues. They will also conduct security assessments at 10 U.S. hospitals to determine whether they have adequately implemented HIPAA security requirements and/or effective cybersecurity measures to prevent, detect, and recover from cyber attacks.
Skilled Nursing Facility Reimbursement
Anyone working in the skilled nursing facility (SNF) space is well aware of the numerous government settlements that have taken place regarding SNF reimbursement. Frequently, these settlements have to do with the skilled nursing care and rehabilitation services such as physical, speech, and occupational therapy that SNFs provide to beneficiaries who need assistance after hospitalization.
According to the OIG, “in October 2019, the Centers for Medicare & Medicaid Services (CMS) implemented a new payment system for determining Medicare Part A payments to SNFs. Specifically, CMS implemented the Patient Driven Payment Model (PDPM), a new case-mix classification system for classifying SNF patients in a Medicare Part A covered stay into payments groups under the SNF Prospective Payment System.” The PDPM system makes payments based on factoring a combination of six payment components. Five of the components are case-mix adjusted, and include a physical therapy component, an occupational therapy component, a speech-language pathology component, a non-therapy ancillary services component, and a nursing component. Additionally, there is a non-case-mix adjusted component to cover utilization of SNF resources that do not vary according to patient characteristics. The OIG plans to determine whether Medicare payments to SNFs under PDPM complied with Medicare requirements.
Duplicate Medicare Professional Fee Billing by Both the Critical Access Hospital and the Health Care Practitioner to Medicare Part B
Critical Access Hospitals (CAHs) can elect to be paid under the Optional Elective Payment Method. When it elects this method, it bills the Part B Medicare Administrative Contractor (MAC) for both Medicare Part B facility services and Medicare Part B professional services for its outpatients. If a physician or other practitioner reassigns his or her Medicare Part B billing rights and agrees to be included under a CAH's Optional Elective Payment Method, he or she must not bill the MAC for any outpatient professional services furnished at the CAH once the reassignment becomes effective. Each practitioner must sign an attestation that clearly states that he or she will not bill Medicare Part B for any services furnished in the CAH outpatient department once the reassignment has been given to the CAH. The OIG plans to determine whether both the CAH and physician billed were paid by the MAC for the same outpatient professional services.
Audit of CARES Act Provider Relief Funds: Payments to Health Care Providers that Applied for General Distribution Under Phases 1, 2, and 3
As expected, the OIG is focusing a lot of their efforts on following the money. The Provider Relief Fund (PRF) is a $178 billion program that provides funds to hospitals and other healthcare providers for healthcare-related expenses, or lost revenue attributable to COVID-19.
HHS distributed funds in three phases:
- $50 billion during Phase 1 for Medicare providers.
- $18 billion during Phase 2 for Medicaid and Children's Health Insurance Program providers, dental providers, certain Medicare providers, and assisted living facilities.
- $24 billion during Phase 3 for certain behavioral health providers and newly practicing providers, and providers that received a payment under a previous phase.
Of course, all federal money comes with strings attached. In the case of the PRF, providers must meet certain requirements, such as submitting revenue information and supporting documentation to the Health Resources and Services Administration, which uses this information to determine eligibility and payments.
The OIG is going to perform a series of audits of the funds related to the three phases to determine whether payments were: (A) correctly calculated for providers that applied for these payments, (B) supported by appropriate and reasonable documentation, and (C) made to eligible providers.
Modifier 25, Minor Procedures, and E/M Usage in Dermatology Practices
Medicare’s default approach is to include in the payment for minor procedures any E/M services that are provided on the same day.
The OIG plans to look specifically at dermatology minor procedures performed on the same day as E/M services. In fact, the OIG has stated, “In 2019, about 56 percent of dermatologists' claims with an E/M service also included minor surgical procedures (such as lesion removals, destructions, and biopsies) on the same day. This may indicate abuse whereby the provider used modifier 25 to bill Medicare for a significant and separately identifiable E/M service when only a minor surgical procedure and related preoperative and postoperative services are supported by the beneficiary's medical record.”
Modifier 25 is only supposed to be used when a significant and separately identifiable E/M procedure has been performed that is above and beyond the normal pre-operative care associated with the procedure. This is because Medicare’s payments for global surgery procedures includes payments for pre- and post-operative care associated with the procedures. That work does not constitute a significant, separately identifiable E/M service that warrants additional reimbursement.
OIG states that even “the decision to perform a minor surgical procedure is included in the payment for a minor surgical procedure and must not be reported separately as an E/M service.” They continue by saying, “An E/M service should be billed only on the same day if a surgeon performs a significant and separately identifiable E/M service that is unrelated to the decision to perform a minor surgical procedure.” Minor dermatology procedures are typically of the type where the decision to perform a biopsy or lesion removal/destruction is made during the same encounter. The OIG plans to determine whether dermatologists' claims for E/M services on the same day of service as a minor surgical procedure complied with Medicare requirements.
Medicare Payments for Spinal Pain Management Services
Facet joint injections, facet joint denervation sessions, lumbar epidural injections, and trigger point injections are all types of spinal pain management covered by Medicare Part B. Sedation administered during these procedures are also covered.
The OIG will audit to determine whether Medicare payments for spinal pain management services billed by physicians complied with Federal requirements.
These are just some of the newly added OIG Work Plan items we’ve seen in Q2. As always I recommend you review their latest updates (insert link: https://oig.hhs.gov/reports-and-publications/workplan/index.asp) to identify items that may directly impact your organization, and your compliance program. So, in addition to the above items, be sure you keep your finger on the pulse and that of the resulting reports they publish. I find these items to be incredibly useful when creating a work plan for your own compliance program.
And of course, we’ll keep publishing and sharing the items we find to be of most interest to you.
To download this blog as a PDF, click the button below.