Rules, Regs, Red Flags & RAC

Providers Prepare for Another Round of Regulatory Oversight

 Editor's Note: This is the first in a two-part series looking at some of the new regulations impacting healthcare providers. Next month, Medical News will delve deeper into both federal and private recoupment audits and what providers need to know about their rights and appeal options.
 
 
Shocking, but true … the federal government is preparing to unleash a new layer of federal regulations and oversight that will have a direct impact on healthcare providers.
 
After being delayed from a spring launch, the Red Flags Rule to help prevent identity theft is expected to go into effect August 1, impacting most every provider no matter how large or small the practice. New, federally appointed recovery audit contractors (RACs) were also scheduled to begin reviewing potential Medicare overpayments and underpayments in Tennessee on August 1. However, the Centers for Medicare and Medicaid have indicated implementation of the program will probably begin later in 2009.
 

Red Flags Rule

On April 30, 2009 –– the day before the Red Flags Rule was to go into effect –– the Federal Trade Commission announced it would delay enforcement until August 1. The reason given for the delay was to allow businesses impacted by the rules ample time to develop and implement a written program. A second reprieve is not expected.
 
Neil Krugman, partner at Waller Lansden Dortch & Davis with offices in Tennessee, Alabama and California, said instituting Red Flags Rules actually started in 2003 when Congress passed the Fair and Accurate Credit Transactions Act (FACTA), which required 'creditors' with covered accounts to create programming to detect and respond to possible occurrences of identity theft.
 
"The rules require many businesses and organizations to implement written identity theft prevention programs, and the purpose is to detect the warning signs of identity theft in day-to-day operations," he explained. "The rules basically apply to any business or entity that regularly extends or renews credit and includes all businesses that regularly permit deferred payments for goods or services."
 
That, he continued, includes physician practices that bill patients and allow for payment at a later date. "It's so broad that it would virtually apply to all medical and dental practices," he said of the language in the rule. Krugman added, "Many doctors and dentists have been surprised to find they are defined as creditors."
 
Although each business will have to evaluate its own risk threshold, it is anticipated that most medical and dental practices will be designated "low risk."
 
"One of the reasons for the delay in implementation was so they (the FTC) could develop and disseminate a template program for use by businesses at low risk for identity theft," said Krugman.
 
"As you go up the business scale to larger medical settings, then the threat goes up, and the program needs to be more sophisticated and elaborate," he added, noting emergency rooms would be an example of a medical site where physicians probably wouldn't personally know their patients so identity theft could be a bigger issue.
 
He said that on May 12, the FTC published an online program to help creditors determine whether or not they qualify as low risk. If they do, then the Web site contains an easy, "fill in the blank" program template to lessen the burden of compliance.
 
Krugman added some of the factors in determining risk level include personally recognizing and knowing clients, previous complaints of identity theft, and whether or not your type of business is commonly associated with identity theft.
 
The online template offers a step-by-step guide to setting up an acceptable program. To access the information go to www.ftc.gov; click on the Red Flags Rule icon on the right; then click the "get started" button. The four parts to an effective program are:
  • Identifying relevant red flags,
  • Detecting red flags,
  • Responding to red flags, and
  • Administering your program.

To properly administer a program, the written plan has to be approved by the board of directors … or if there is no board, then by a senior manager. A senior employee must also be designated to administer the program and to train staff. Krugman noted practices that outsource collections should ensure their service providers are compliant, too.
 
"If you don't comply, there's a possibility of fines or enforcement actions brought by the FTC," he pointed out. Although aggressive plan audits aren't anticipated, Krugman said if a negative event were to occur, there would certainly be the threat of investigation and civil penalties.
 
"In this day and age, it's probably a good idea for everyone to take some common sense precautions," he concluded. "It's good business."
 

Recovery Audit Contractor Program

Law firm Miller & Martin, which has offices in Nashville, Chattanooga and Atlanta, was concerned enough over the impact of recovery audit contractor reviews to form a specialized RAC legal appeals team.
 
Bryant Witt, co-chair of Miller & Martin's Healthcare Practice Group, noted, "There have been Medicare audit programs in the past that were internally run by fiscal intermediaries or MACs … but not on this sort of organized basis. The difference now is the RACs are outside contractors that the government has hired and incentivized by giving them a percentage of what they recover." He added, "It leads one to believe that there is going to be aggressive audit activity."
 
Ken Bryant, member at Miller & Martin, said CMS ran a RAC pilot program in six states between 2005 and 2008. As a result, the federal agency recovered $1.03 billion during the demonstration project, and the RAC recouped nearly $187 million in corporate fees.
 
The Relief and Health Care Act of 2006 mandated recovery audit services be implemented as a cost containment effort to reduce improper Medicare payments and as a means to identify process improvements to ensure future payments are accurate. Ostensibly, the program is to also highlight underpayments if a RAC finds CMS hasn't paid a provider enough. For Region C, which includes Tennessee, the contracted RAC is Connolly & Associates (www.connollyhealthcare.com).
 
Bryant said RACs would determine an amount of overpayment to be recouped if a medical records review uncovered improper payments over a period of time. "It's not like they send you a bill, they hold back your next Medicare payment," he pointed out, adding there are options to dispute an unfavorable audit and ways to delay having reimbursements withheld while moving through the appeals process. (The August issue of Medical News will more fully explore the process.)
 
With continuing concerns on Capitol Hill over how much healthcare costs the government, Bryant said, "It is unlikely the federal government is going to back off this program if it's successful. If anything, they are going to step up activity."
 
Witt added, "There are predictions out there of $19 billion (in recovered funds) in the first year this RAC program is up and running. No one knows for sure, but some predictions are trending that high."
 
He also pointed out that while correcting reimbursements is important to CMS, there are other issues beyond that. "Keep in mind RAC is just part of the picture. The federal government can come in after the RACs and review the process or the claims. If they can make a determination that these incorrect claims were made with intent, the penalties and consequences can be severe, including potential liability under the False Claims Act or even exclusion from the Medicare program."
 
In light of how other CMS audits have played out, Yarnell Beatty, general counsel for the Tennessee Medical Association, said his organization is fully cognizant of the apprehension its membership has over the pending RAC program.
 
"Physicians are very concerned about this," he said. "There are too many stories out there … too many anecdotal stories … about the PSC (Program Safeguard Contractor) audits where the PSC auditors have demanded hundreds of thousands of dollars back; yet when the appeals were all over, it's only a few hundred dollars owed."
 
Even when the medical practice ultimately prevailed, Beatty said physicians have been forced to pay thousands in legal fees to defend their case.
 
Phyllis Franklin, director of insurance affairs for TMA, said, "We have already started our efforts to prepare our members. We have a Medicare audit toolkit that is available to our membership, and it describes the different Medicare audits."
 
Once launched, audits could go back three years but cannot be conducted on billings prior to October 1, 2007. There is also a blackout period for the three months prior to and following September 1, 2009 due to the impending change in administrative contractors.
 
Franklin said there are steps providers should take up front to ensure they are prepared for an audit.
 
"First and foremost, they need to be cooperative if there is audit activity," she counseled. Before an auditor arrives, Franklin said a RAC team should be created internally consisting of the office manager, a coder, physician representative and others who might have pertinent information. "Have a written plan in place and make sure your patient records are documented properly."
 
Franklin said it is wise to do periodic self-checks to make sure everything is in order. These could be conducted by outside consultants or certified coders. She also said practices are well within their rights to ask for credentials if audited, and the TMA recommends members not leave auditors alone with records. It's also wise to get a list of all records the auditors wish to copy.
 
"In some cases," she continued, "it might be advisable to have an attorney on hand."
 
Beatty concurred, "Especially if it's an office visit audit. It's obviously more serious if the auditors show up in the office rather than sending the request in writing for the practice to send in records."
 
The very best defense is to make sure your practice hasn't committed any offenses.
 
"The main thing is just properly documenting your records for services rendered," concluded Franklin.