Preparing for the inevitable audit — and what to do if it happens to you.
by Wayne H. van Halem

You might think you are prepared for a Medicare audit and that your documentation is strong and comprehensive. But in my experience, an overwhelming majority of small- to medium-size companies are not prepared and, when audited, have significant issues that result in large overpayments and additional scrutiny. The burden of being placed on prepayment review or appealing large overpayments is costly and overwhelming for most businesses, and can end up having a devastating impact. Many blame heavy-handed auditors or contractors, but the ugly truth is that most home medical equipment companies have done nothing to prepare themselves to avoid these issues.

Unfortunately, there are a few bad apples in this industry that have taken advantage of the Medicare program. The Centers for Medicare and Medicaid Services has implemented more complex coverage policies with significant documentation requirements to counter these abuses. However, doing so accomplishes little except making it more difficult for legitimate providers to get necessary equipment covered.

The system is set up to make providers rely on physicians to document services in a certain manner in their clinical records. But often, physicians are not familiar with the policy requirements. More important, they are not liable if they don't document in accordance with DMEPOS coverage policies.

Additionally, the criminals committing fraud do not care that CMS requires a physician to document testing frequency for their diabetic patients or that CMS wants the manufacturer name and model information of the battery for a power mobility device. Nevertheless, when you undergo an audit, your claims will be denied for reasons like this, regardless of whether the service is medically reasonable and necessary for that patient.

In all the years I have worked in the health care arena, there has never been a time when the government has been more intent on reducing improper payments in Medicare and Medicaid. Coupled with current health care reform initiatives, that has made auditing the providers that bill the federal government a primary focus.

That translates into increased funding for program integrity activities, including auditing. Specifically, the FY 2010 budget invests $311 million toward these functions, a 50 percent increase from 2009 funding. In any federal budget, that is a significant increase.

Essentially, this means that there will be more auditors conducting more audits. We are already seeing the effects with the expanded Recovery Audit Contractor (RAC) program and the transition to Zone Program Integrity Contractors (ZPICs).

All this being said, your best defense is offense.

It's obvious that the likelihood of being audited is increasing, so instead of trying to avoid an audit, providers should focus on preparing for one when it does happen. Implement elements that are consistent with a comprehensive and effective compliance program, including written policies, procedures and standards of conduct; effective training and education; and strong internal controls along with enforcement and corrective actions.

This is your livelihood and these are your federal tax dollars being spent. You must be responsible for making sure you are following Medicare policies, whether you agree with those policies or not.

Policies, Procedures and Standards of Conduct

The first step in preparing for an audit is developing internal policies and procedures that are specifically related to compliance issues. All HME providers should already have significant policies and procedures for normal day-to-day operations as a result of the accreditation requirement. There is no need to implement a whole new set of policies. Rather, review the policies you have in place to make sure they are current on compliance issues and that appropriate risk areas and vulnerabilities are addressed.

If not, you can draft new policies and procedures and implement them into your current information. If you already have well-developed policies pertaining to compliance, it is a good idea to review and update them accordingly. These policies and procedures should be shared with all employees and even subcontractors or agents that may be involved in patient care or billing (such as billing companies).

One of the most important aspects of these policies should be implementing specific and appropriate standards of conduct.

All HME companies, no matter how large or small, should draft very specific and tailored standards of conduct for all employees. (It's rare that I find a provider who actually has these.) It must be clear to everyone who reads these standards that the company has a very strong commitment to compliance. This must be evident from the top down.

No matter what size a company is, if management does not stress the importance of compliance to staff, then staff will not understand the importance themselves. Conversely, if management is adamant about the significance of these policies, employees will adopt these same principles. Ultimately, this protects the individual employees, management and the facility as well as the government. In my opinion, a company that doesn't have appropriate standards to follow is negligent in its role as a provider that receives federal funds.

Risk Areas for DME

Written policies and procedures need to be drafted for areas in which providers are vulnerable to potential issues that could arise as a result of an audit. Each type of health care provider has similar risk areas like the Federal Anti-Kickback Statute, but many other vulnerabilities are relevant specifically to DME. Some of these include:

  • Billing for medically unnecessary services;
  • Billing for services without proper documentation or documentation with conflicting information;
  • Billing for services not provided;
  • Billing patients for denied charges without a signed notice;
  • Duplicate billing;
  • Billing for items or services without a prescription on file;
  • Upcoding;
  • Unbundling;
  • Billing for new equipment and providing used equipment;
  • Continuing to bill for rental items after they are no longer medically necessary or no longer being used;
  • Billing for substantially excessive amounts of items or supplies;
  • Billing for an item that does not meet the quality of the item claimed;
  • Capped rentals;
  • False information on the claim form, CMN, DIF and/or accompanying documentation;
  • Completing documentation reserved for completion only by the treating physician;
  • Altering medical records;
  • Manipulating the patient's diagnosis;
  • Inappropriate use of place of service codes;
  • Improper use of modifiers;
  • Routine waiver of deductibles and coinsurance;
  • Providing incentives to referral sources;
  • Non-compliance with supplier standards;
  • Providing false information on the supplier enrollment form;
  • Not notifying the NSC in a timely manner of changes; and
  • Knowing misuse of a supplier number.

You should review these potential risk areas and, depending on what types of products you provide, figure out if these pertain to your specific business. If they do, develop policies to educate employees and decrease your vulnerability. Your policies should include clear, concise, publicized and strict disciplinary actions for employees who do not follow the policies. I have seen too many providers assume they are in good standing regarding these issues without confirming it — and end up in trouble.

Training and Education

The next step in preparing your company for an audit is implementing a comprehensive and effective training program. Again, your accrediting body requires that you have an ongoing training program. Written policies and procedures are a necessity, but if you don't have a training program in place that educates your staff, then it renders them ineffective and inadequate.

A training program should be developed that covers every single staff member, from clerical and administrative personnel to billing to clinical staff. All too often, training programs are designed solely for clinical staff or just for billing staff. But the employees in all of these areas need to work together to assure the claims being filed are accurate. Almost every provider I have seen audited that has had significant issues identified has not had an effective training program in place.

There are several things that should be highlighted in your training program:

  • Your compliance program;
  • General fraud and abuse training;
  • Claims submission procedures; and
  • Medical necessity guidelines and documentation requirements.

Training should be conducted as quickly as possible when new staff is hired. That doesn't mean the training should stop there. We all know how fluid the Medicare program is and how often policies and procedures are changed — so often, in fact, that you must have someone in charge of monitoring policies and have procedures in place to assure that person is notified when changes occur.

There should be some mechanism in place for you to monitor more specific changes and disseminate that information to the individuals who may be affected. Your training program should be as fluid as the Medicare program and be consistently and accurately updated.

Physician Education and Documentation

The Medicare program is set up so that physicians are essentially the gatekeepers. Nothing can be billed to Medicare without proper authorization from a patient's physician, and DMEPOS policies rely heavily on physician documentation.

Without a doubt, physician documentation is the area where HME providers are most vulnerable. Reviewers and auditors are getting increasingly stringent in their reviews of medical documentation, most likely as a result of CMS guidance.

I know firsthand how difficult it is to get physicians to document in accordance with coverage policies. I can go on and on about how unfair it is to DMEPOS providers who rely on this documentation and are liable if it is not sufficient. But it would make no difference as these policies are written and in effect. The only thing you can do is to take a more active role in educating physicians on policies and requirements.

One way to accomplish this is by drafting cover letters to physicians who order DMEPOS. Section 5.3.2 of the Medicare Program Integrity Manual (PIM), Publication 100-8, specifically states:

Cover letters can be used by a supplier as a method of communication between the supplier and the physician. It is not CMS' intent to restrict necessary communication between the supplier and the physician. CMS does not require nor regulate the cover letter. The DME MACs, DME PSCs, and ZPICs should not take adverse action against suppliers that solely involve cover letters.

The PIM specifies that it is both the physician's and the supplier's responsibility to determine that the equipment ordered is medically necessary and ensure that the beneficiary's condition is correct and documented properly. It also encourages contractors to remind providers that they can include language in cover letters reminding physicians of their responsibilities.

Getting Documentation Up Front

Adding to the necessity of educating physicians is the need to be more proactive in obtaining documentation from physicians up front, before claims are filed. Although many policies do not require you to do so, I highly recommend this whenever possible.

I understand the complexities as well as the administrative burden. However, there is no way for you to know in advance what the physician's documentation contains. If you are audited and the documentation is requested at that point, you'll be liable for payment of the services if the documentation is deemed insufficient.

If you implement these procedures in conjunction with educating physicians about what is required, you will hopefully — eventually — begin to see documentation that meets the coverage policies. These processes will only help you in the long run.

Internal Monitoring and Reporting

I cannot stress this point enough: Do not wait for Medicare contractors or government auditors to come to you and find a problem. If that does happen, you open yourself up to much bigger problems. For example, an auditor can do an extrapolated overpayment or place your facility on a prepayment review, which will have a major impact on your cash flow. I recently saw an actual overpayment of $12,763.83 extrapolated out to $1,408,169 for minor technical issues and insufficient documentation.

Also, if auditors find issues and identify overpayments, you will most likely have to go through the appeals process, which is time-consuming, frustrating and costly.

Many HME owners and managers feel they don't have the time, money or resources to conduct regular internal audits, but this is much more cost-effective than if Medicare determines you have issues. In other words, you cannot afford not to!

There is no way to avoid audits, especially in the current environment. Eventually it is going to happen, so you need to be prepared. Most issues identified by auditors could have easily been detected and corrected in advance. Perhaps you might identify claims that should not have been paid and should be refunded, but a voluntary refund of payments is much different than an overpayment demand in which additional scrutiny is likely.

Use available resources to get an idea of where to focus your internal audits. For example, the RAC and DME MAC Web sites identify the focus of widespread reviews. The HHS Office of Inspector General releases its work plan each year that clearly identifies areas of focus.

This year, for example, the OIG is looking at claims with KX modifiers as well as payments for power mobility devices, hospital beds and accessories, oxygen concentrators and parenteral/enteral nutrition. If you provide any of these services or file claims with KX modifiers (over 30 coverage policies now contain some reference to use of a KX modifier), then you may want to look at these claims to make sure they are valid and meet the policy requirements.

The HME industry faces a lot of challenges and scrutiny. Despite that, you provide a necessary service to the Medicare population.

Prior to his death a year ago this month, my father relied on power mobility and oxygen. His quality of life was significantly increased and prolonged as a result. I understand this. However, I urge all home medical equipment providers to take a more active role and make an expressed commitment to compliance with the strict coverage policies being implemented in this industry.

By preparing your HME company and reducing the chance that government auditors will identify issues with your claims, you will increase the likelihood that CMS and its contractors will focus their efforts on reducing legitimately fraudulent claims. Doing so is in the best interest of the DMEPOS industry and public in general.

You Can't Hide

CERT: Comprehensive Error Rate Testing Contractors review random samples of claims in order to calculate a provider paid-claims error rate as well as a contractor error rate.

RAC: Recovery Audit Contractors are responsible for reviewing claims to determine whether they were overpaid or underpaid. RACs are looking for improper payments, which can include medical necessity issues, but they are not reviewing for fraud or abuse.

ZPIC: Zone Program Integrity Contractors are replacing Program Safeguard Contractors and are reviewing claims to detect fraud, waste and abuse in the Medicare program.

Medical Review — These reviews are conducted by the DME MACs and are designed to determine that services are reasonable and necessary and billed in accordance with local and national coverage guidelines.

Author and consultant Wayne van Halem, president of The van Halem Group, Atlanta, has built a career interpreting and understanding the nation's preeminent health care entitlement programs. He has worked as a fraud analyst, Medicare fraud information specialist and senior investigator. An Accredited Healthcare Fraud Investigator and Certified Fraud Examiner, van Halem has also served as the appeals manager for Medicare Part B second-level statutory appeals nationally. Currently, he provides counsel to all entities involved in the participation, administration and oversight of public and private health care plans. A book he authored entitled Medicare Audits in Long-Term Care: A Guide to MACs, RACs, and ZPICs is being released this month. You can reach van Halem at 404/343-1815 or wayne@vanhalemgroup.com.

What Should You Do when a ZPIC Hits You?

If you receive a letter from the ZPIC requesting documentation on a number of claims, what should you do?

  • Begin compiling the documentation immediately.
  • The ZPICs expect you to provide clinical documentation to support the need for the items they are auditing. Most providers think that because the policies state they are not required to have the documentation in their files, they are not required to submit it. This is wrong, as the policies state that the documentation must be provided if requested.
  • If you do not provide any clinical records, the claim will be denied as not medically necessary. You must contact the ordering physicians and request specific documentation related to why they prescribed the item in question.
  • It is very important to know that the clinical records must be dated prior to the date of service in question or else they will be deemed insufficient.
  • Utilize the physician documentation request letter drafted by the DME MAC medical directors to help in obtaining the documentation that you may not have on file.
  • Conduct a comprehensive review of the documentation prior to submitting it to the ZPIC.
  • If you identify issues in your review, notify the ZPIC immediately and prepare a corrective action plan to address those issues internally.
  • Retain exact duplicate copies of the documentation you submit to the ZPIC.
  • Even after you have submitted the documentation, continue working with referral sources to obtain as much clinical documentation as possible.
  • If the documentation dated prior to the date of service in question is lacking, you can ask the referring physician for more recent documentation or to document on his/her letterhead why the item was ordered, the patient's clinical history, and why the equipment is necessary. While this may not be sufficient for the audit, it could be considered at higher levels of appeal.
  • If you cannot meet the deadline imposed by the ZPIC (usually 30 days), then call and request an extension. Regulations provide that the ZPIC cannot render a decision on a claim for failure to respond until after the 45th day, so you will always be able to request an extension to 45 days at the minimum. They have the discretion to extend further if necessary.

You receive a letter from a ZPIC identifying an overpayment as a result of the audit. What happens next?

  • Within 30 days of the letter from the ZPIC, you will receive an actual overpayment demand letter from the DME MAC.
  • Review the specific denial reasons in the audit results letter from the ZPIC and begin attempting to get supporting documentation to counter the denials.
  • You technically have 120 days to file your appeal request; however, the contractor will begin collection proceedings on the 41st day. So, you should either:
      • Refund the overpayment in 30 days and then begin preparing your appeal;
      • Request a repayment plan within 30 days; or
      • Submit a valid request for Redetermination prior to the 41st day.
  • If you submit a valid request before the 41st day, the limitation on recoupment provisions apply, and the DME MAC cannot collect the overpayment while the appeal is pending. The same process applies for the second level of appeal (QIC, or Qualified Independent Contractor) as well. (Reconsideration requests must be received before the 61st day in order to stop collection of overpayment.) Keep in mind that interest will begin accruing on the 30th day from the identification of the overpayment.
  • If unsuccessful at Redetermination and Reconsideration, then request a hearing by an Administrative Law Judge (ALJ), and if you have not satisfied the overpayment by this time, then refund the money or request a repayment plan.
  • Do not wait until you are being audited by a ZPIC before reviewing your files. It is much more cost-effective to review documentation and files in advance to determine whether you have any issues rather than waiting for the government to come in and audit a sample of your claims and extrapolate the overpayment.

How Do I Prepare for a ZPIC Audit Before it Happens?

  • Conduct an internal review of the primary services you provide and make sure your documentation is in order.
  • Review the "documentation requirements" section for each item you provide. When a ZPIC audits a claim, they are auditing to make sure the requirements outlined in the LCDs and related articles are met. Develop documentation checklists for your files to assure you always have all the necessary documentation.
  • Make sure your files are orderly and consistent.
  • Whenever possible, get as much clinical documentation up front for the services you provide. It is much easier to get the documentation you need at the time the service is ordered rather than having to go back if faced with one of these audits.
  • Make sure your referral sources know the guidelines and the conditions under which the items they order are covered.
  • Do not rely on supplier-generated forms to document medical necessity. They are not considered part of the medical record and actually discourage physicians from documenting the information in their own record.
  • Make sure all items are clearly listed on the orders prior to dispensing, and make sure your delivery documentation is very detailed and includes brand name, model and serial numbers.