CMS Audits: The Dam Has Burst

Providers have found themselves in a torrent of pre- and post-payment audits. What can they do?

Remember the story of the little Dutch boy who stuck his finger in a failing dike and saved the day? Well, that little Dutch boy never met the Centers for Medicare and Medicaid Services.

Recently, CMS has ramped up its “program integrity” budget, slowly building up a vast reservoir of auditing resources, and virtually nothing standing between providers and a sea of pre- and post-payment review. In the fiscal year of 2010,  $311 million was invested for program integrity; a 50 percent increase from 2009’s outlay. Well, the dam has finally burst and now providers are drowning in a torrent of audits that seek to recoup payment for past claims and are heavily delaying current claims.

“I’ve been doing this about 15 years and I don’t think there’s been a time when the audit entities have been more aggressive in their auditing techniques,” says Wayne van Halem, CFE, AHFI, president of The van Halem Group, LLC. “They’re really, really aggressive at this point.”

Van Halem and most of his staff are former Medicare contracted auditors or clinicians that help providers prepare for audits or implement corrective actions after being audited. (The van Halem Group also recently acquired HC Comply to create a compliance division; read more in “News, Trends & Analysis,” page 8.)

“The issue is only getting more serious,” says Ron Bendell, president of VGM & Associates. “The government has allocated more money in 2011 to fight fraud, and ZPICs and RACs are the contractors who have been tasked with that duty on behalf of Medicare.”

VGM has entered into a consulting agreement with Edward Vishnevetsky, Esq., an associate with the Munsch Hardt Health Care group, who provides HMEs with counsel on audit management preparation, assistance and appeals

Why is CMS opening the audit floodgates? Approximately $3 billion was recovered last year due to fraud, according to Bendell, who adds that the government estimates it will recover $10.4 billion this year.

Moreover, van Halem notes that, beside the fact that anywhere between $68 billion and $226 billion each year is associated with improper healthcare payments, the Federal Bureau of Investigations and Health and Human Services Office of Inspector General estimate the loss due to fraudulent healthcare payments is as high as 10 percent. With healthcare expenditures projected to increase from  $2.24 trillion in 2007 to $4.35 trillion in 2018, that 10 percent amounts to a whole lot. To put things in perspective, $224 billion is higher than the gross domestic product of 138 countries, including Denmark, Ireland, and New Zealand, van Halem notes.

Drowning in Alphabet Soup
There are three main types of audits that are at the center of this tempest: RAC, CERT and ZPIC. Let’s take a moment to decode this alphabet soup.

CERT stands for Comprehensive Error Rate Testing. These are post-payment audits conduced by the conducted by CERT contractor (AdvanceMed). These audits randomly select a sample of approximately 120,000 submitted claims, and request medical records from providers who submitted the claims. The claims and medical records are reviewed for compliance with Medicare coverage, coding and billing rules.

These audits came about in 2006 after the HHS OIG discovered an error rate of 28.9 percent when CMS had reported an error rate of 7.5 percent. So a CERT contractor was hired to review all the documentation in provider claims. Key areas of focus for the CERT audits are diabetic test strips, power mobility and oxygen, according to van Halem.

RAC stands for Recovery Audit Contractors. The mission of these post-payment audits is to  detect overpayments and underpayments, and to implement actions that will prevent future improper payments. RACs randomly select claims and reviews result from data analysis; they can’t audit claims simply because they represent a high dollar amount.

These audits can go back three years from the date the claim was made, but can’t go past Oct. 1, 2007. These audits combine what is called “automated” reviews conducted by software systems, and “complex” reviews, which are conducted by auditing staff. Current focus areas for the RACs are pharmacy  supply and dispensing fees billed by a DME supplier; wheelchair bundling; and urological bundling, van Halem says.

ZPIC stands for Zone Program Integrity Contractors. This is part of CMS’s Benefit Integrity Audits, and was originally conducted by Program Safeguard Contractors, but has transitioned to the ZPICs. These are proactive, pre-payment audits that  aim to identify and prevent fraud, waste, and abuse of incoming claims.

These are very aggressive, specified audits that even result in the ZPIC auditors referring some instances to law enforcement agencies. The ZPICs also maintain a list of providers that require future monitoring based on past history, van Halem explains.

There are seven ZPIC zones covering all geographies served by Medicare, from Guam to the Virgin Islands and all points in between, but so far two ZPIC zones have been awarded to contractors, Bendell notes: Zone 4, which covers Colorado, New Mexico, Oklahoma and Texas was awarded to Health Integrity; and Zone 7, which covers Florida, Puerto Rico and Virgin Islands, was awarded to SafeGuard Services.

Pick Your Poison
The first part of trying to handle a problem is to take stock of it. In that regard, the industry is still sizing up which audits pose the biggest threat and how to address them.

“Everyone always talks about the CERT audits, but honestly the CERT audits concern me the least because they’re totally random,” van Halem says. “The CERT contractor just has to choose I think 120,000 claims a year to review  to do randomly. The ZPICs and the RACs are probably, right now, the biggest concern.”

The central issue with RAC audits is that they are performed on a contingency basis, which means that the auditors are being offered an incentive ranging from 9 percent to 12.5 percent, depending on the RAC (they each negotiated their own rates). So, these contractors are reimbursed a percentage of the overpayment or underpayment that they have identified. Obviously, this could “taint their view,” van Halem explains.

“While RACs get paid on a contingency of what they recover and ZPICs get paid on a contractual basis, the net effect is the same: if the auditor wants to stay in business for any extended period of time, the auditor must find new ways to discover fraud or improper billing practices,” Bendell says. “The more money recovered, the better the auditor looks in the eyes of the government, and the more likely that their contract will be extended.”

Also RAC auditors are moving to complex reviews, unlike their previous method of performing automated, “system” reviews. Now the RAC auditors conduct deeper, investigative reviews of medical records, which van Halem says is a concern, too. But how accurate are their audits?

“Now, one thing that was corrected from the pilot program to the final program was that if a overpayment that was identified and was overturned at any level of appeal, then that money is offset from future payments to the RAC,” he notes. “So that’s good news because at least providers still have the ability to go through the appeals process.”

Astoundingly, a significant portion of RAC audits are overturned at appeal. There’s no solid statistic, but interviews for this story quoted figures ringing in anywhere from 50 to 90 percent. Add in the fact that CMS is paying not only hundreds of millions to audit entities, but also paying appeal contractors to conduct appeals, and the costs become phenomenal — and almost ludicrous given the number of audits being overturned.

“The whole system, to me, is a very broken system right now,” van Halem says. “We had one client with a $1.5 million overpayment and we went through the appeals process and whittled it down and whittled it down, until our final level when it was overturned was zero.

“But probably the ones that are more concerning and most damaging would be the ZPIC audits,” he continues, adding that this is particularly the case in areas that CMS has identified as “high risk” areas, such as Miami, Dallas, Houston, New York, Detroit and Los Angeles.

In those areas CMS has requested a more aggressive audit response and putting some providers in those areas on a 100 percent pre-payment review. That means every claim those providers make will be suspended in audit limbo while they are vetted before payment — not exactly ideal from a cash-flow standpoint, especially when the auditor makes multiple requests for documentation on each audited claim.

“It’s not uncommon for providers to receive hundreds of requests for documentation in one day,” van Halem says. “You’re looking at what amounts to a 90-day payment suspension for each claim.”

“Meanwhile, the provider continues to provide equipment to new beneficiaries without getting paid,” Bendell adds. “This can result in a loss of thousands of dollars to hundreds of thousands of dollars in cash flow. If the provider’s product mix does not include a healthy portion of non-Medicare business, they may not be able to survive the time that it takes for the audit to be completed, and will have to shut their doors.”

The bottom line lesson? Be prepared. 

“We’ve seen it over and over again, where companies aren’t prepared; they’re not getting documentation up front,” van Halem says. “So when they’re hit with one of these reviews they’re in a significant hole that they have to dig themselves out of. It’s not uncommon for companies that have been hit a ZPIC review to have to lay off employees and begin borrowing money and working on credit in order to keep their doors open.”

Learning to Swim
So how does a provider prepare for audits? Obviously, providers must implement measures that can help them keep their heads above the audit waters, and that starts by simply acknowledging that ignoring the audits won’t make them go away. They will get hit.

“Providers who are not proactively preparing for these audits are going to be in trouble,” van Halem outlines. “The ones who are working as ‘business as usual’ are the once having the most issues now.”

And this includes providers of all sizes. Any classic, “mom and pop” HME hoping to dodge a bullet should consider shopping for a bullet-proof vest.

“They’re hitting small, medium and large providers across the board,” van Halem says, adding that it’s not uncommon for a company that is put on 100 percent pre-payment audit to encounter a 100 percent denial rate during the initial stages of an audit. “Especially if they’re not getting documentation up front, or reviewing documentation.”

And therein lies a central problem. In general, much of the HME industry’s approach to ensuring adequate documentation has been plagued by corner cutting and assuming backup documentation will be accessible if need be. That’s a huge mistake, says Kelly Riley, CRT, RCP, the director of the  National Respiratory Network for the MED Group. An example of that attitude is the application of the KX modifier to various claims.

“In order to bill many of the Medicare covered products, many claims have to have a KX modifier attached to the claim,” Riley explains. “And people know that, so they go out and put the KX modifier on the claim without fully understanding the implication of that KX modifier.

“The KX modifier basically means that you are standing before the court, hand held high, taking the oath, and saying ‘I hereby swear to you that I have all the documentations that the LCD specified I must have in my records to prove that I have medical necessity,’” she continues. “Too many of us in this industry are used to not necessarily having the actual documentation in-hand, but being able to get it if needed.”

Those days are long gone, and if the provider doesn’t have that documentation in its records, chances are it will never be able to get it.

“Three years later you’re trying to get it from the physician … and they’re not going to have it,” she says. “Who’s fault is that? It’s yours.”

And that could spell trouble, Riley says. Another example: a claim with a certificate of medical necessity completed by the physician’s office that says the patient’s oxygen saturation level is 88 percent. However, on audit, an auditor contacts the doctor’s office and requests the CMN for the date when the HME says the oxygen was ordered, and the doctor’s office sends a medical record instead shows a saturation of 92 percent. Having the correct documentation would help the HME resolve that situation.

“I’ve had many an HME company ask me, ‘Who’s fault is that? The doctor’s office fraudulently completed this record,’” Riley says. “And I’ll say, ‘You’re not going to want to hear this, but it’s yours.’ Because you ultimately have to prove that what you’re being told verbally exists in writing in the medical record.”

HMEs that don’t properly cover themselves run the risk of having years of claims for patients from that referral partner being recouped in an audit.

“Which is very frustrating because generally it is seen as being outside of the control of the HME provider, but they are the ones being held liable,” van Halem adds. “If [providers] are not working with their referral sources and getting documentation, then they’re the ones that are going to have the issues when these audits occur.”

New Procedures
So a shift is required. Providers must become downright draconian when it comes to requesting and assuring documentation, and they must educate their referral sources in advance regarding what information needs to be in the documentation in order for it to pass muster.

Of course, herein lies the problem: providers asking for better documentation that meets specific requirements usually receive something else from their physician partners — pushback. That needs to change.

“The industry as a whole doesn’t hold the physician liable,” van Halem explains. “Long term, if you want to file a claim to the government and know that you will be able to keep that reimbursement, then you will get documentation up front and review it to make sure it addresses the need for the equipment.

Ultimately, the goal is to create a business model that puts documentation procedures and policies and conducts regular internal audits to minimize the nightmare that audits

Another thing to keep in mind is that some audits are very process driven, and attuned to looking for red flags. So the first thing in implementing procedures for dealing with audits is to ensure that those red flags aren’t flying. For instance, ZPIC contractors SafeGuard Services is a Hewlett-Packard company and AdvanceMed is owned by Computer Science Corp., two very large, powerful organization with significant data mining and analysis muscle, van Halem notes.

“I would say 90 percent of the audits the government is conducting are as the result of data analysis, and claims data is what they analyze,” he explains. “So, for example, if you’re always billing the maximum allowed amount for a certain product … then you’re likely going to be the focus of an audit.”

Or, another example would be product categories. For product categories with multiple codes, providers can expect that audits will concentrated on the codes with the highest reimbursement rates from Medicare.

Also, the auditing firms are conducting cross-claims analysis to ensure a claim is coming from a patient that has related claims from other healthcare providers that are also typically associated with his or her DME claim. Or, if 90 percent of a provider’s claims are coming from a single referring physician NPI, that would qualify as a red flag.

So providers not only need to ensure they have the right documentation, but need to take stock of their claims and see if they contain these sorts of red flags that might result in an audit, and become even more rigorous with their documentation processes for those areas of their business.

“Have someone who has been through this process, or knows it,” van Halem advises. “Look through your files, because you’d be surprised how many providers think their files look good, and they don’t. Even if you’re conducting an audit internally, make sure that the individual conducting it is doing it in comparison with the LCDs and is unbiased — and strict. You really need that because that’s they way government auditors are looking at things now.

“Don’t think it’s not going to happen to you — it will,” he continues.

“Whether or it’s random or a focused review, everyone is going to get an audit at some point and you have to be prepared for it.”

Of course, implementing the correct procedures going forward is one thing, but for post-payment audits, trying to retrieve claims that are poised to be recouped because of missing documentation turns into the paper chase from hell.

“Often times it’s not there,” van Halem says. “You’re only option is to submit what’s there.”

In these cases, the provider can work with the patient’s physician at the time of the claim and attach an addendum that is dated currently, but references the patient’s condition and need at the time of the claim. But, a lot of doctors might not be willing to do that if it was two years prior, he explains.

In those cases the provider’s main option is to go through the appeals process to get the claim overturned after obtaining as much medical record as possible from various sources, such as home health agencies, hospitals, nurses and other entities that could help document the patient’s need for the equipment.

Rx Stat: A Case in Point
One example of a provider that demonstrates how putting solid documentation procedures in place can help an HME survive even the toughest audits is Florida respiratory provider Rx Stat Inc., which endured a ZPIC audit, and somehow came out the other side.

“As far as I’m aware of, I’m the only company that’s come out  of a ZPIC audit,” says Sam Jarczynski, president of Rx Stat. “I haven’t heard of anyone else that’s actually made it out of a ZPIC.”

Undergoing a ZPIC audit was unexpected Jarczynski says. The notification came out of nowhere.

“You get a letter in the mail; you don’t get any prior notice,” he says. “Your claims start denying and then the letters come later. If you’re not really on top of your billing, you wouldn’t even notice until you get the letter.

The letter notifies the provider that it is undergoing a ZPIC audit and needs to provide specific documentation within 30 days.

“If you don’t send the documentation in, you run the 99.9 percent risk that you’ll go to a 100 percent pre-pay audit on everything that you do,” Jarczynski warns. “Providers that don’t respond to audits open themselves to more audits.”

But even if the provider is fast to provide the necessary documentation, it still must undergo the three-month wait for the ZPIC to review the submitted paperwork and provide an update. Depending on the provider’s denial rate, the ZPIC will either release the HME from the audit with a letter of recommendation of how to address the issues the ZPIC identified, or, if the provider has a high denial rate, it goes onto 100 percent pre-pay audit, Jarczynski explains.

“So instead of just targeting two or three specific HCPCS codes, they’re looking at everything you do — walkers, wheelchairs, hospital beds — anything that you might be billing for,” he says. “Everything is audited, and [provider] companies just don’t have the cash flow to survive that kind of audit.”

Jarczynski says that one of the key tools that helped his business escape 100 percent pre-pay review was document imaging. All of its claims documentation are digitized and electronically stored.

“We can pull everything up very, very quickly as far as charts and CMNs and everything we need very quickly,” he says. “We’ve always been hardcore sticklers for documentation.”

While Rx Stat tried to keep perfect documentation and ran internal audits, it did run into one hitch universal to all providers:

“Our charts were perfect in our eyes,” he says. “The only sticking point was chart notes from the physicians, and that’s where the auditors want to see continued use and need of the equipment, no matter what it is. So it goes back to the physician.”

So the Sunshine State HME will request those chart notes for six months prior to the date of service being audited, and if the physician hasn’t charted properly, the claim will be denied.

The requirement to ask for chart notes has always been in the policy, but it’s only now that providers are being put in a position where they really need to insure they live up to it. This can make things tricky when it comes to dealing with referral partners.

And providing a form for the position to sign won’t cut it, Jarczynski says. The continued use and need must be in the physician’s chart notes.

“We have an education program to the physicians,” Jarczynski says, which developed methods for obtaining the right documentation for its sleep and infusion businesses. “We say [to the physician], ‘Look, this is what Medicare is looking for, this is what we want when you prescribe oxygen, and this is why we want it.’”

And, Jarczynski says it’s important to make it clear to physicians that it is in their best interest to provide the required documentation, because they don’t want to run the risk of being audited, if the auditors ever start looking at physicians.

“So we try to team up with the physician and offer education sessions and one-on-one meetings with the physician to say, ‘Let me show you how to chart better; let me show you how to do this the right way,’” he explains. “And at the same time we’re saying, ‘This will make your office more efficient. If you can send the stuff over one time on the initial order, then we won’t have to ask you for it 10 times.’”

A free lesson in increased efficiency with audit protection to boot is hard to ignore. That’s the sort of thing that establishes the provider as an expert resource that is invested in their success, and that in turn helps cement long-term referral relationships.

“We went through the same thing with sleep patients a couple years ago,” Jarczynski says. “We were the first guys on the street asking for the chart notes and documentation, and after the fact [the physicians] said, ‘You know, we’ve come to find out you guys were right; everybody’s asking for that stuff now.’ It’s the same thing with oxygen orders now.”

And, if worse comes to worse, a provider has to be able to say “no” and cut off a referral partner that simply refuses to comply. That’s a tough prospect when it means writing off a patient’s equipment, but it’s better than being put on 100 percent pre-pay audit.

“We’ve cut off several doctors because they won’t provide the documentation we need,” Jarczynski says. “I’m not going to get paid on [that business] so why bother to take it?”

Turning Back the Tide
Surviving the current audit onslaught is one thing, but it is an untenable situation. Providers can put in solid business processes, but given the various inconsistencies with the current audit process, something needs to change. The industry more than likely has yet another fight to be fought in Washington.

Also, there are legal issues to post-payment audits that VGM’s Bendell outlines.

“With RAC audits, we [VGM] think there is a due process and estoppel issue associated with the RAC being able to go back three years to recoup costs,” he explains. “Specifically, if the RAC previously allowed a provider to do ‘x’ or bill for ‘x’ for the past three years, and now wants to come back and recoup that money, we believe that the RAC either ratified the action or tacitly approved it. 

“It’s similar to a person who has driven 60 mph in a 55 mph zone for two years,” Bendell continues. “He was never caught, but three years later, he receives 2,000 tickets. That’s fundamentally unfair and a violation of due process. We think that same issue applies here.”

To that end, Bendell says that VGM partner Edward Vishnevetsky reported that, for one client, they had been asked to pose our due process and estoppel arguments at the administrative law judge (ALJ) level and beyond (potentially to federal court). 

“Regarding ZPICs, one thing we can do is to request the contracts between the government and the auditors to see if the auditors are following their contracts (i.e. hiring people with experience, etc),” Vishnevetsky states. “If the government refuses to provide said contracts, sue in federal court. We are ready to sue on behalf of two clients, but they were recently taken off of prepayment audit and don’t want to rock the boat. 

“So we are stuck without funding or a representative plaintiff,” Vishnevetsky continues. “Also, we tried to sue one ZPIC in Texas using a Rule 202 pre-suit deposition strategy. We were winning the pre-lawsuit, but the client ran out of money to pursue the issue. Incidentally, the client was released from audit quickly. We should … push the issue on why it takes the ZPIC auditors so long to respond to claims when providers are required to respond in 30 days. This is a due process issue, as well.”

While the legal issues are being sorted out, several industry experts and organizations are pooling their time, talent and expertise to try and stem CMS’s increasing audit flow. The hope is to convince CMS that it needs to implement more consistent and fair auditing techniques.

“The current contractors are working very inconsistently,” van Halem explains. “Something that might be fine in one are is not fine in another. They’re requesting documentation that’s not required in [CMS] policy, and all kinds of things.

“So there are several organizations trying to work with CMS to at least develop public and consistent audit requests and techniques because that is not currently happening,” he says.

To that end, a special task force was set up by The American Association for Homecare’s Regulatory Council and it has been collecting specific examples that show the inconsistencies in the audit contractors’ requests for additional documentation. Specifically, the task force is collecting from providers the additional documentation request (ADR) letters sent from audit contractors for audits as proof that they are  inconsistent and go beyond the coverage policies.  

“We want to take those requests and show the people at CMS that are partnering with us to try and get resolution to this that, ‘Look, this is what they’re asking for, and this is inconsistent with what the policy says we need to have in order to be paid,’” Riley says.

To help focus that effort, Riley says the task force is narrowing its efforts to collect those inconsistent requests the most problematic areas that we are seeing right now: Oxygen, CPAP, enteral nutrition, diabetic supplies, power mobility devices and nebulizers.

“If we can show the hard copy examples of where [the auditors] have asked for something totally ludicrous, we can make an impact,” Riley says. “That’s what we need. We don’t need stories; we need documents. We can’t go up the Hill with anecdotal information. It has to be data.”

This article originally appeared in the June 2011 issue of HME Business.

HME Business Podcast