|Medicare Auditing for Over- and Under-Payments |
CMS says to expect RAC medical record demand letters to start late May.
The Centers for Medicare & Medicaid Services (CMS) announced that medical group practices should expect letters from Recovery Audit Contractors (RACs) demanding medical records as soon as late May. The purposes of the RACs are to identify overpayments and underpayments made by CMS to Medicare providers. Michigan is in the first group of states to begin the audit process.
The RAC audit and recovery program came about because of legislation passed in 2003. For several years, CMS conducted trial audits in several states and deemed them highly successful because they determined Medicare overpaid many more claims than they underpaid. With the prospect of recovering hundreds of millions of dollars, CMS made the RAC program permanent and expanded it to all 50 states.
IPC clients should prepare for these intrusive RAC audits. You will be required to provide copies of records that will be reviewed to determine if your documentation supports the level of services billed. This year, CMS will be able to review claims going back to October 1, 2007. In the future, the look-back period will be limited to three (3) years.
The number of records reviewed could be substantial. The 2009 limits are:
- 10 medical records per 45-day period for solo practitioners;
- 20 medical records per 45-day period for offices with two to five providers;
- 30 medical records per 45-day period for groups of six to 15 providers; and
- 50 medical records per 45-day period for groups of 16 or more providers.
Medicare has subcontracted the audits to different contractors. For Michigan, the RAC contractor is CGI Technologies and Solutions Inc. Please let us know if you are being audited and if you receive a demand to return payments.
|Red Flag Rules
A "Red Flag" is a pattern, practice or specific activity that could indicate identity theft. Not only should IPC clients adopt a risk based program that identifies red flags for both financial identity theft and medical identity theft, you must identify how you will respond to them. Although we're all familiar with identity theft as it applies to credit cards and other financial fraud, medical identity theft is when a person uses another person's name, social security number and/or insurance information to obtain medical services or to obtain money by falsifying medical claims or records.
Medical billing records often contain a wealth of information for identity thieves, such as credit card numbers, Social Security Numbers, patients' contact information and copies of personal checks. The FTC expects you to do a risk assessment and formulate a prevention and detection plan. The plan needs to be adopted by your Board of Directors and your staff needs to be trained by May 1, 2009. Will you be ready?
If you don't have your Red Flag plan in place yet, where should you start? A good overview of the legislation can be found on The World Privacy Forum's site: World Privacy Organization Possible Red Flags for medical providers can be found on pages 5-6 and 10-12 of this document. For example, what do you do if:
- the patient presents a drivers license and the photo does not appear to be the person standing before you?
- the patient never produces an insurance card even though you've seen them multiple times?
- a patient complains that they received a bill from your office but denies ever being seen on that date?
Please remember that - much like HIPAA - you are responsible if a patient's identity information is misused by an employee of yours. Take time to brainstorm how your plan will handle such events. The rules require that you will respond appropriately and help victims recover from this crime. This is especially important in medical identity theft when erroneous information is reported to insurance companies, employers and others.
A word of caution from The World Privacy Forum: "patient identity proofing is one small aspect of preventing this crime. Improper collection, handling and storage of patient identity documents such as drivers' licenses and biometrics can increase rather than decrease patient and provider risk, depending on the system." If your office sends us copies of patients' drivers licenses to ease demographic entry, please note that we scan all charge and payment documents we receive. If you do not want these items scanned with the rest of your charge entry information, please notify us and we will shred these documents.
Non-compliance can result in penalties of up to $2,500 for each individual violation, as well as civil liability to the patient for violations. The good news is that your Identity Theft Program is "scalable." That means you will not be expected to have as detailed a plan as a large hospital. Each of you should tailor your plan to your practice. Use sample plans only as a guide. Like all compliance plans, regular staff monitoring and training is needed.
--- IPC has a sample Red Flag Rule that you may wish to use as a guide. It was created by MGMA and the American Health Lawyers Association. Click here to request
|About Us |
|If you have any questions regarding this newsletter, you can contact us at:
Mary Ellen Duffy firstname.lastname@example.org Patricia Nevala email@example.com call us at 616-459-6867 or 800-606-1455
Please feel free to forward this newsletter to your staff and peers.
Innovative Practice Concepts, LLC -- A full service medical billing company
Your Bottom Line is our Top Priority!