The U.S. government has expanded its investigation and prosecution of Medicare fraud beyond acute care hospitals and throughout the healthcare industry. The stakes are high, with recent Medicare fraud settlements totaling tens of millions of dollars. Healthcare organizations can take proactive steps to reduce the risk of being investigated by using publicly available data, such as cost report data from the Healthcare Cost Report Information System, to screen themselves and make sure billing practices do not fall outside the mainstream.
The entire U.S. healthcare industry is finding out what acute care hospitals figured out long ago — overcharging Medicare and Medicaid can be costly in the long run. Standard penalties for Medicare and Medicaid fraud under the False Claims Act not only compel the healthcare provider to reimburse the government for any overpayments, but also tack on penalties amounting to three times the amount that was overpaid plus $5,500 to $11,000 in punitive fines per claim.
These charges can add up fast. In 2012, annual healthcare fraud recoveries by the Department of Justice (DOJ) reached the highest level ever — surpassing $3 billion for the first time.
In the past, most of the government scrutiny into alleged Medicare fraud focused on acute care hospitals. More recently, this attention has spread throughout the healthcare industry to inpatient rehabilitation facilities, skilled nursing facilities (SNF), home healthcare providers, hospices and outpatient facilities.
Other investigations by the DOJ and the Office of the Inspector General (OIG) at the Department of Health and Human Services (HHS) already have led to major settlements. Over the past few years, settlements for Medicare fraud and overbilling in the skilled nursing facility, inpatient rehabilitation facility and home healthcare sectors have reached the $40 million-$65 million range.
The Nail That Sticks Out Gets Hammered Down
These settlements represent just a small slice of DOJ enforcement efforts. In recent years, the HHS and the DOJ have increased the number of operational Medicare Fraud Strike Force teams. The HHS says these teams use advanced data analysis techniques as a key tool in unearthing potentially fraudulent activities.
Beyond the increased attention from the DOJ and the OIG, healthcare providers face additional risks as the Centers for Medicare & Medicaid Services (CMS) expands the scope of its Recovery Audit Contractor (RAC) reviews. For example, recent changes allow RACs — looking for irregularities at skilled nursing facilities — to request records and conduct test audits of up to 10 test claims. Since RACs retain a percentage of the overpayments they identify, these auditors typically are aggressive in identifying potential irregularities, even if a certain percentage of the alleged overpayments end up being overturned on appeal. RACs already have been quite active investigating short-stay hospital providers during the past few years, but now are expanding activities to other health-care sectors. The results of these test audits could lead to the inclusion of Ultra High Resource Utilization Group (RUG) claims on RAC-approved issue lists.
Given the government’s ramped up enforcement efforts and the high costs of False Claims Act settlements, healthcare providers of all stripes have strong incentives to take proactive steps in order to make sure they are complying with CMS rules.
Replicating the advanced data analysis techniques employed by HHS teams is an effective way for providers to assess their compliance risks. Providers have access to much of the information they need to perform these analyses using publicly available cost report and claims data. These data-sets allow providers to monitor their use of high-reimbursement Medicare codes relative to the industry and similar peer groups. By proactively performing this type of data analysis, providers can efficiently identify areas of potential risk and enable auditing of high-risk areas to determine root causes.
Looking Under the RUGs
Much of the government’s scrutiny focuses on whether the setting, intensity and duration of medical treatment provided to patients are reasonable and necessary. The setting, intensity and duration of care are represented by the various HIPPS (Health Insurance Prospective Payment System) rate codes that providers submit to Medicare.
In the skilled nursing facility area, these HIPPS codes are represented by RUG codes that providers use to tell Medicare the intensity and duration of care they needed to provide to each payment. There are five levels of RUGs: Low, Medium, High, Very High and Ultra High. Within each level, there are subvariations depending on a patient’s level of dependence on providers to perform basic activities of daily living (ADL) such as eating, using the toilet or moving from a bed to a chair.
Many of the DOJ investigations and prosecutions allege that providers used Ultra High RUG codes in circumstances where the patient’s condition and medical needs did not warrant such a RUG designation. For instance, in a court filing for its Medicare fraud suit against nursing home operator Life Care Centers of America, the U.S. government alleged that Life Care “engaged in a systematic scheme to maximize the number of days it billed to Medicare and TRICARE at the Ultra High level.” The government claims Life Care accomplished this goal “by setting aggressive Ultra High-related targets that were completely unrelated to its beneficiaries’ actual conditions, diagnoses, or needs.”
Rather than waiting to see if aggressive government enforcement turns up any RUG irregularities or other improper practices, healthcare providers should take proactive steps to self-screen their own Medicare-related data in order to examine and correct any problems they uncover.
There can be significant financial and reputational advantages to flagging a problem oneself rather than being caught red-handed. Self-reported problems generally are far less publicized than settlements resulting from OIG/ DOJ investigations. The self-disclosure program gives providers a 60-90 day window to determine the scope of the problem and put corrective actions in place to make sure the issue does not reoccur. These actions can range from internal educational campaigns to information technology-based controls that can identify specific compliance concerns. In some cases, a physician reviewer may be asked to provide a second or third opinion on the merits of an atypical admission or coding decision. From a financial perspective, the OIG’s April 2013 update on its Provider Self-Disclosure Protocol (SDP) stated that organizations using the SDP and cooperating with the OIG “deserve to pay a lower multiplier on single damages than would normally be required” to resolve a government-initiated investigation.
How to Self-Screen Effectively
A sloppy self-screening can give providers a false sense of security while still leaving them exposed to painful lawsuits and settlements. The key to an efficient and cost-effective self-screening is to pinpoint the most high-risk areas. These elements will vary across the healthcare industry. In the skilled nursing facility sector, for example, the OIG tends to focus its attention on three primary factors:
All Medicare-certified SNFs are required to submit annual cost reports that include facility characteristics and utilization data. Once the reports have been processed, CMS makes the cost report data available to the public through the Healthcare Cost Report Information System. This database enables an individual SNF to evaluate its own performance against the three metrics listed above and to compare its performance against any peer group of SNFs.
Follow the Data
As with RUGs in the SNF sector, there are similar red flags that the OIG and the DOJ scrutinize in other healthcare sectors. For example, in the home health sector, Medicare payments involve both a base rate per patient and a variable rate that changes depending on the number of therapy visits provided. This variable rate is configured so that there are key intervals where payment rates increase. In home health episodes where therapy is supplied, providers receive the base rate for providing up to five therapy visits; then the Medicare payment increases by 20 percent to 30 percent at the sixth visit. There are similar stepped payment increases at the 14th visit, and the 20th visit. Investigators may take notice if the data analysis shows a disproportionate percentage of patients with therapy visits right at or above the levels that would trigger higher Medicare payments. Home health providers can use such data analysis to identify red flags, investigate anomalies and make sure the underlying patient care is being driven by medical needs.
Every healthcare sector has its own particular metrics that are likely to draw OIG and DOJ attention. When it comes to inpatient hospital providers, investigators look at the percentage of hospital stays lasting one day or less. They recognize that individual admission decisions can be complicated, but investigators grow suspicious if data analysis shows that an unusually high percentage (e.g., above the 75th percentile or above one standard deviation) of the hospital’s patients were admitted and discharged the same day. To investigators, such activity appears as if the inpatient care provider is trying to boost its Medicare payments by admitting low-acuity patients who could have been safely treated in a less acute setting.
Auditors also may take notice if a company’s performance on certain metrics falls below industry norms. For instance, in the inpatient rehabilitation facility sector, an unusual prevalence of short lengths of stay might raise regulator concerns that patients with comparatively low rehabilitation needs had been admitted unnecessarily.
Technology can play an important role in helping providers implement better procedures to reduce the risk of overbilling. In the home health sector, for instance, many of the nurses and therapists who enter patient homes rely on handheld computers with which they record notes from their visit. Some providers have edited the software on these computers so that the nurses and therapists are required to make certain regulatory-related assessments before they can conclude their visit, such as assessing the patient’s homebound status.
By using these types of technologies and engaging proactively in high-level data analyses, healthcare facilities can assess their compliance risks, strengthen internal controls and policies, and self-correct issues identified during the process. The ability to use vast amounts of publicly available data allows providers to replicate the type of screening procedures employed by government agencies in highlighting potential areas for further inquiry, which enables providers to identify and correct any issues that otherwise could attract unwanted attention from regulators and law enforcement.