Thursday, August 29, 2013

Due Diligence: Your Greatest Ally in Healthcare Fraud Prevention

 Kameron Gifford, CPC

If you are practicing medicine today, you are at risk for allegations of fraud. What steps have you taken to minimize this risk? Does your clinic have a compliance plan? Does you compliance plan address coding and documentation risks and identify an actionable plan of oversight? When was the last time you had an independent review of your billing practices and office policies? What type of annual training is provided to your office staff and what type of assessments have been given?

If your practice can not answer these questions, you need to take action NOW.

Begin by creating a practical compliance plan. If you choose to buy a compliance plan off the shelf, remember this must be updated to reflect your office and your policies. Once you have a plan, use it. This is a common problem area for many practices.

Next review your clinic's billing policies and practices. If you don't have any, now is the time to create them. In the event of fraud allegations, this document proves your good intentions. Be sure to include specific steps to ensure compliance with local, state and federal regulations as well as contract level requirements

Plan an internal audit. Due diligence is your greatest ally in fraud prevention. If you are a physican who does their own coding or your office does not have a certified coder, I highly recommend an annual audit with a certified coder. The average primary care physican has a panel of 1200 patients. On average, the cost to audit 1% of your records annually would be $7,500. A small price to pay for peace of mind.

Educate everyone in your office.This is the single most important investment that you can make in your organization. Look for education providers that will come to your clinic and work to improve the entire team. A successful transition to ICD-10 will require extensive training and preparation. With the deadline less than a year away, what is your plan of action?

By following these simple steps, you will significantly reduce your chances of fraud allegations. ERM routinely works with physicians, clinics, hospitals and health plans to identify specific gaps in policies and practices, reduce error rates, and eliminate future defects. Don't wait until you recieve an audit notification. Act now.  

Mobile Doctors’ Chicago CEO and Doctor Arrested on Federal Health Care Fraud Charges

Offices Searched in Three Cities

U.S. Attorney’s OfficeAugust 27, 2013
  • Northern District of Illinois(312) 353-5300
CHICAGO—The chief executive officer of Chicago-based Mobile Doctors, which manages physicians who make house calls in six states, and one of its physicians in Chicago were arrested today on federal health care fraud charges. At the same time, federal agents executed search warrants at Mobile Doctors’ offices in Chicago, Detroit, and Indianapolis, as well as warrants to seize up to $2.568 million in alleged fraud proceeds from various bank accounts. The charges allege a scheme to fraudulently increase (also known as “upcoding”) Medicare bills for in-home patient visits that Mobile Doctors falsely claimed were more complicated and longer than they actually were. The charges also allege that Mobile Doctors’ physicians falsely certified that patients were confined to their homes, enabling home health care agencies to claim fees for additional services for patients who were not actually qualified to receive them.
Agents from the FBI, the U.S. Department of Health and Human Services Office of Inspector General, and other law enforcement agencies executed the arrest, search, and seizure warrants in connection with the charges and also a broader ongoing investigation that includes allegedly illegal billing practices for medically unnecessary tests and services not performed by a physician.
Arrested were Dike Ajiri, 42, of Wilmette, CEO of Mobile Doctors, which he has effectively owned since 1996, and Banio Koroma, 63, of Tinley Park, a physician who has worked for Mobile Doctors since approximately 2007. Mobile Doctors, located at 3319 N. Elston Ave., in Chicago, arranges patient home visits and contracts with doctors who perform the visits. The physicians assign their rights to bill and collect payment to Mobile Doctors in return for being paid directly by the company. Mobile Doctors’ website claims that its associated physicians have made more than 500,000 house calls since its inception. In addition to Chicago, the company has branches in Detroit and Flint, Michigan; San Antonio and Austin, Texas; Indianapolis; Kansas City; Phoenix; and St. Louis.
Ajiri was charged with health care fraud, and Koroma was charged with making false statements relating to health care benefits in a criminal complaint that was filed yesterday and unsealed today after the arrests. Both were scheduled to appear at 3 p.m. today before U.S. Magistrate Judge Mary Rowland in U.S. District Court.
The arrests and charges were announced by Gary S. Shapiro, United States Attorney for the Northern District of Illinois; Robert J. Shields, Jr., Acting Special Agent in Charge of the Chicago Office of the Federal Bureau of Investigation; and Lamont Pugh, III, Special Agent in Charge of the Chicago Regional Office of the HHS-OIG. The Railroad Retirement Board Office of Inspector General is also participating in the investigation.
According to a 75-page affidavit in support of the arrest, search, and seizure warrants, agents have interviewed several current and more than 25 former employees of Mobile Doctors, including some who reported allegedly fraudulent billing practices to Medicare before they were contacted by agents. Investigators have also reviewed e-mails and documents, claims data and patient files and have conducted interviews with patients of Mobile Doctors and their primary care physicians, whose statements contradict Mobile Doctors’ billing and patient records.
Mobile Doctors physicians do not perform tests such as echocardiograms but do order such tests, which are done on Mobile Doctors’ patients by employees of In Home Diagnostics, doing business as Ultrasound2You. According to Medicare records, Ajiri is a minority partner in In Home Diagnostics, which is located in the same building as Mobile Doctors, and Mobile Doctors bills the echocardiograms so that they appear to have been done by Mobile Doctors’ physicians.
The complaint affidavit states that Ajiri signed a personal financial statement on December 31, 2012, stating that he received $1.5 million in annual partnership income from a corporate entity, Mobile Doctors LLC, which has a complex ownership structure involving Ajiri and, over time, one or both of his parents. Between 2008 and January 2013, bank records show that approximately $4.365 million was transferred from Mobile Doctors to an account in the name of Ajiri and his wife.
Upcoding Patient Visits
According to interviews with former and current Mobile Doctors physicians, branch managers, clinical coordinators, employees, and patients, a typical visit that a Mobile Doctors physician has with an established patient lasts 10 to 30 minutes and is routine in nature. In contrast to those interviews, claims data shows that from 2006 through February 2013, approximately 99 percent of all established-patient visits by Mobile Doctors physicians were billed to Medicare using either of the two highest codes indicating the visits involved medical decision-making of moderate to high complexity, detailed or comprehensive interval histories or medical examinations, and/or visits that typically last at least 40 minutes.
In 2009 in Chicago, the local Medicare fee for a visit using the second-highest home visit code was approximately $122.82, while the fee for the highest code was approximately $171.25. According to a review of claims data for Railroad Retirement Board patients, every single established-patient visit Mobile Doctors billed to Medicare between January 2007 and June 2008 used the highest fee code. Between January 2007 and November 2012, approximately 93 percent of such visits were billed using the highest fee code.
The former manager of Mobile Doctors’ Chicago branch until she was terminated in 2008 told agents that Ajiri told her that the second-highest fee code was the default code for a patient visit so that it would be worth the gas and time spent. The manager said Ajiri told physicians, “I don’t pay for ones or twos,” referring to the two lower of the four applicable fee codes. At the end of one day, she said she saw Ajiri in his office “automatically” altering the billing codes and marking visits at the highest fee level on patient records submitted by physicians and assistants who accompanied them on home visits. A physician told agents that in late 2007, Ajiri did not respond to his concerns about Mobile Doctors’ billing practices and instead told the doctor that he could earn more money if he would order more tests such as electrocardiograms, according to the affidavit.
The complaint alleges that the vast majority of payments made on established-patient visit claims using the highest fee code were the result of fraudulent upcoding. From 2006 through 2012, Mobile Doctors received approximately $21.4 million in payments on claims using the second-highest code and approximately $12.6 million in Medicare payments on claims using the highest fee code.
Falsely Certifying Patients as Confined to Their Homes
The charges further allege that Mobile Doctors physicians, including Koroma, falsely certified patients as confined to their homes and requiring home health services when they were not home-bound and did not require such care. By referring patients to home health agencies that did not warrant Medicare payments, Mobile Doctors received more referrals from those agencies for services provided by its physicians. According to Medicare data, from August 2010 through July 2013, more than 200 home health agencies submitted Medicare claims for services allegedly rendered to patients for whom Koroma was identified as the referring physician. These home health agencies have been paid more than $10 million for services listing Koroma as the referring physician.
Between January 2006 and March 2013, Mobile Doctors physicians have certified or recertified for 60-day periods approximately 15,598 patients as confined to their homes and requiring home health services a total of approximately 83,133 times, many of which were allegedly false. Approximately 6,057 of these certifications were attributed since August 2007 to Koroma, with Mobile Doctors billing Medicare for approximately 17,439 patient visits he made during that time, more than any other Mobile Doctors physician.
The health care fraud count against Ajiri carries a maximum penalty of 10 years in prison and a $250,000 fine and restitution is mandatory. The false statements count against Koroma carries a maximum of five years in prison and a $250,000 fine. If convicted, the court must impose a reasonable sentence under federal statutes and the advisory United States Sentencing Guidelines.
The government is being represented by Assistant U.S. Attorney Stephen C. Lee and Catherine Dick, assistant chief in the Fraud Section of the Justice Department’s Criminal Division. The U.S. Attorney’s Offices in Detroit, Indianapolis, and Phoenix also have assisted in the investigation.
The public is reminded that a complaint is not evidence of guilt. The defendants are presumed innocent and are entitled to a fair trial at which the government has the burden of proving guilt beyond a reasonable doubt.
The Medicare Fraud Strike Force began operating in Chicago in February 2011 and consists of agents from the FBI and HHS-OIG working together with prosecutors from the U.S. Attorney’s Office and the Justice Department’s Fraud Section. The strike force is part of the Health Care Fraud Prevention and Enforcement Action Team (HEAT), a joint initiative announced in May 2009 between the Department of Justice and HHS to focus their efforts to prevent and deter fraud and enforce current anti-fraud laws around the country. Scores of defendants have been charged locally in health care fraud cases since the strike force began operating in Chicago.

Florida leads nation in another type of inappropriate Medicare billing

Florida health care firms have added a new category of inappropriate Medicare billing to lead the nation in: diabetes test strips.
South Florida was already notorious for nation-leading Medicare fraud in areas like durable medical equipment, mental health centers, prescription drugs, HIV infusion and home health. Now the drain on taxpayers has apparently expanded to another area.
The new report by the Department of Health and Human Services’ Office of Inspector General found a startling amount of the “inappropriate and questionable” Medicare billing in Florida by diabetes test strip (DTS) suppliers in 2010 and 2011.
The Port St. Lucie/Treasure Coast area led the nation with $115 million in questionable DTS billing, with South Florida in second at $113.1 million. They combined for 54 percent of the national total in questionable DTS billing.
After Nashville and New York, the Tampa Bay area placed fifth at $14.2 million.
In the Treasure Coast, 11 of the 79 total DTS suppliers had questionable billing. One provider on the Treasure Coast accounted for the majority of that, $114.7 million.
In South Florida, it was 222 of the 1,125 DTS suppliers who had questionable billing.
The OIG report didn’t identify any suppliers by name, but it gave a few interesting tidbits. One Miami DTS provider stood out for having over four types of questionable billings and $14 million in allowed claims. A Fort Lauderdale supplier ordered 14,741 DTS for store pickup for beneficiaries who lived more than 20 miles away, for a total of $2.3 million in Medicare claims.
Of the 10 suppliers with the highest amount of questionable DTS billing in the nation, the big one on the Treasure Coast tops the list and five from South Florida joined it, including the No. 2 supplier with $19.9 million in questionable billings. A Tampa-area DTS supplier also made the Top 10, giving Florida seven spots.
The OIG said it referred the problematic suppliers to regulators for further action.
Overall in 2011, Medicare paid $1.1 billion in claims for DTS for 4.6 million beneficiaries. Starting in 2011, Medicare put all mail-order DTS in a competitive bidding program in large metro areas, including South Florida. Store bought DTS are not in that program.
The OIG study found that Medicare paid $6 million in clearly unallowable DTS bills plus another $425 million in highly questionable bills. About 10 percent of DTS suppliers had a billing problem.
Reasons that the OIG study considered the DTS claims inappropriate or questionable include them being for a patient without a diagnosis for diabetes, overlapping with an inpatient hospital or nursing home stay, billing for an unusually high number of strips per patient, or billing patients who lived far away from the DTS store. In some cases, suppliers gave beneficiaries “free” DTS and billed Medicare for them, or mailed them DTS but billed Medicare for the more expensive store-bought service, the OIG reported.
The OIG report recommended that Medicare increase its monitoring of DTS suppliers.

Aetna pulls out of New York health insurance exchange

(Reuters) - Aetna Inc, the No. 3 U.S. health insurer, said on Thursday it has decided not to sell insurance on New York's individual health insurance exchange, part of the country's healthcare reform.
New York is the fifth state where Aetna has pulled its application to sell the plans that go on sale on October 1 and into effect on January 1, 2014. It has also reversed course in Maryland, Ohio, Georgia, and Connecticut, where it is based.
Aetna spokesman Cynthia Michener said it made the move after assessing its business strategy, following the acquisition of smaller insurer Coventry Healthcare in May. Coventry also filed applications to sell plans in more than 10 states.
"Our goal for 2014 is to participate in a limited number of state exchanges where we can be competitive and add the most value to the market," she said in an emailed statement.
She said the company will continue to serve small business and large business customers in New York and will offer individual products outside of the exchanges.
New York's market for individuals is currently only about 17,000 people, but the exchange is expected to bring in 1 million people during the first three years. The exchange announced insurance participants on August 20. Aetna was not on the list.
(Reporting by Caroline Humer; Editing by Jeffrey Benkoe)

HIPAA Can Be The Biggest Hurdle In Healthcare M&A

Tony Kong and Matt Sondag, September 2013

The importance of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is undeniable – protecting an individual’s personal health information is a vital responsibility for any organisation in the healthcare space. Doctors and hospitals (‘covered entities’ in HIPAA lingo) have been doing this for decades, building a trust level with patients. But, for service providers that work with healthcare providers and payers, and especially private equity firms that invest in companies that serve healthcare providers and payers, HIPAA is overwhelmingly complex and, quite frankly, intimidating.

Understanding HIPAA

The Center for Medicaid and Medicare Services (CMS) and Health and Human Services (HHS) established the overall policy and governance for HIPAA. According to CMS, the definition of a Covered Entity (CE) is: (i) a healthcare provider that conducts certain transactions in electronic form (such as claims transactions, electronic prescriptions, and transmitting patient data electronically); and (ii) a healthcare clearinghouse (an organisation that serves and processes EDI transactions, such as claims transactions, eligibility verification, claims status, and remittance vouchers).
Providers and payers have been required to comply with HIPAA regulations since 1996, but in 2009 HIPAA compliance requirements were extended to organisations who are service providers to healthcare providers and payers (Covered Entities) as part of the American Recover and Reinvest Act’s (ARRA) electronic medical record (EMR) initiatives. This was done to provide additional security around patients’ Protected Health Information (PHI) as providers implement EMR systems.
Service providers to covered entities were mandated to sign BAA (Business Associate Agreements) in 2009, therefore making these companies liable under the same HIPAA compliance requirements, and subject to the same level of fines as a covered entity.

HIPAA has been around for years: what’s changed?

In 2012, the HIPAA governing body, HHS, spent $12m to hire a consulting firm to conduct ‘pilot’ compliance audits with covered entities. A year later, the HHS tripled its spend to $40m to audit a larger number of covered entities and business associates. The fines for violations discovered during the audits range from $50,000 up to $1.5m.
During the 2012 audits, one of the most common violations was a lack of encrypted laptops, desktops, tablets and smartphones. It’s an addressable requirement, which means you either have to do it or have a good reason for not doing it (and, therefore, have an equivalent, alternative protection in place). It’s a very low cost item and straightforward to implement, but often ignored.
In one recent case, an employee’s mobile device was stolen in a bar, which triggered an investigation and led to an initial fine of $25,000 due to: (i) failure to have adequate HIPAA compliance policies and procedures as administrative safeguards; (ii) failure to complete HIPAA security training for their staff; (iii) failure to implement access controls as physical safeguards; and (iv) failure to encrypt the information on the device or have an equivalent protection.
However, follow-up audits showed they continued to be out of compliance so the maximum fine of $1.5m was levied against the organisation. These fines are real and companies are feeling monetary pain.

Implement safeguards now to avoid costly penalties later

Private equity firms are, in a sense, two degrees removed from any patient interaction. And yet, if HIPAA isn’t top of mind, it can derail a deal or put your portfolio company in the red. So, how can private equity firms understand the intricacies of what constitutes protected health information, what safeguards need to be in place, and how to manage these controls on an ongoing basis? Without teams and compliance experts on staff, who takes ownership?
Smart private equity firms should implement simple safeguards to protect their investments, as outlined below.
Do your homework early.Conduct a thorough HIPAA due diligence and technical vulnerability scan analysis prior to a transaction to understand your target company’s HIPAA readiness in case of an audit. An initial investment in this readiness review can mitigate your risk and potential fines for gaps discovered during subsequent audits. Evaluate and select the right resources to address the administrative, physical and technical controls required and implement them effectively.

Put it in writingMake sure that HIPAA compliance policies are documented and communicated effectively.
Get everyone on the same page.Conduct training with staff so they understand the importance of HIPAA compliance, as well as the severe penalties associated with non-compliance.
Lock up your devices.Implement access controls for all systems that contain PHI; this includes encrypting all technology in case of loss or theft. With the growth and remote use of mobile devices, tablets, and laptops by employees, this is one of the biggest vulnerabilities to all companies regardless of size. In addition to ensuring encryption of these devices, CIOs, at a minimum, must: (i) have written device security policies and procedures; (ii) hold annual device training sessions with all employees; and (iii) implement system tools and procedures to enforce compliance with these policies and procedures.

Through our work with clients and work on M&A transactions, we have yet to encounter a single mid-market organisation that is fully confident it is ready for a random audit. The frequency of audits is increasing, as are the fines associated with violations, meaning that HIPAA HITECH compliance continues to be a thorn for many companies, especially those under $100m in revenue.
If you are evaluating a new deal or an existing portfolio company that is a business associate to covered entities, you should consider investing in a HIPAA readiness assessment and a technical vulnerability scan analysis.

This will determine the current state of the company’s HIPAA readiness, and serve as a preparatory exercise in the event of a random audit. Often, a readiness review acts as a catalyst for the company to spring into action and prioritize the work needed to address any gaps in administrative, physical and technical controls.