March 2012 Archives

March 23, 2012

CMS Releases ACO Eligibility Memo

The Centers for Medicare and Medicaid Services (CMS) issued a memo to Medicare Shared Savings Program (MSSP) applicants on March 16, 2012, in response to questions from Accountable Care Organization (ACO) applicants. The memo clarified and provided guidance on some of the requirements ACO applicants to the MSSP will have to attest to should they choose to sign a participation agreement for the MSSP.

The memo provides definitions for "ACO participant" and "ACO provider/supplier" according to federal regulations. An ACO participant is an individual or group of ACO providers/suppliers that is identified by a Medicare-enrolled Taxpayer Identification Number (TIN) that alone or together with one or more other ACO participants comprises the ACO. An ACO provider/supplier is a provider or supplier enrolled in Medicare that bills for items and services furnished to Medicare fee-for-service beneficiaries under a Medicare billing number assigned to the TIN of an ACO participant. An ACO participant is identified by its Medicare-enrolled TIN number. The memo highlights the point that an ACO participant is identified by its Medicare-enrolled TIN. The key point of this section of the memo is that an ACO participant is not eligible to participate in an ACO unless all ACO providers/suppliers associated with the ACO participant TIN have agreed to comply with the program regulations. More simply stated, an ACO participant is not eligible for an ACO unless all providers and suppliers billing under its TIN have agreed to participate.

Further, all agreements between or among an ACO, ACO participant, and ACO provider/supplier must be executed before the ACO submits its application. The application process requires that an applying ACO provide a list of the ACO participants and associated providers/suppliers. Agreements to participate in the program must be executed by all of these parties prior to submission of the application.

The memo also specifies minimum content for an agreement or contract between an ACO and ACO participant. Agreements must contain an explicit requirement that the ACO participant agrees to participate in and comply with the requirements of the MSSP. Agreements must also contain the rights and obligations of ACO participants and ACO providers/suppliers, as well as give authority to the ACO to terminate the rights of an ACO participant for non-compliance. Furthermore, ACOs cannot require that beneficiaries be referred to ACO participants or providers/suppliers except as expressly permitted by regulation.

The final topic the memo covers is the eligibility requirement pertaining to the ACO's governing body. Federal regulations require that an ACO have an identifiable governing body with the authority to execute the functions of the ACO. In cases where the ACO is comprised of multiple, otherwise independent ACO participants, the ACO must have a legal entity and governing body that is distinct and separate from each of them. The governing body must have oversight of, and responsibility for, strategic direction. The governing body must also have management which is accountable for the ACO's activities, and governing body members who have a fiduciary duty to the ACO.

Continue reading "CMS Releases ACO Eligibility Memo" »

March 20, 2012

CMS Adopts Final Rule for DMEPOS Standards

The Centers for Medicare and Medicaid Services (CMS) has published a final rule for standards regarding Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS) suppliers. The rule, published March 14, 2012 in the Federal Register, revises and specifies the definition of "direct solicitation" as it applies to DMEPOS suppliers. The rule also eliminates the requirement that DMEPOS suppliers comply with local zoning ordinances. In the official comments, CMS indicated that all zoning issues are better left to the states.

The rule limits the contact a DMEPOS supplier can make with a beneficiary. Previously, "direct solicitation" had been broadly defined as telephonic contact. The August 27, 2010 final rule broadened the definition of "direct solicitation" to include not only telephonic contact, but also in-person contact, email, and instant messaging. The new adopted rule, which will be effective April 13, 2012, eliminates the prohibition on "direct solicitation" and only restricts direct contact with the beneficiary by telephone. The new adopted rule further requires that a DMEPOS supplier must have written permission from the beneficiary to contact the beneficiary by telephone.

The new rule also allows DMEPOS suppliers to contract with a third party to provide licensed services, provided the third party is appropriately licensed under applicable state laws. The prior rule prohibited DMEPOS suppliers from contracting licensed services.

Continue reading "CMS Adopts Final Rule for DMEPOS Standards" »

March 16, 2012

HHS Settles First Breach Notification Case

The first enforcement action from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule has resulted in an agreement by Blue Cross Blue Shield of Tennessee (BCBST) to pay the Department of Health and Human Services (HHS) $1.5 million.

BCBST reported that unencrypted hard drives had been stolen from a leased storage facility in Tennessee. The hard drives contained personal health information of more than one million people, and included information such as social security numbers and dates of birth. An investigation discovered BCBST failed to ensure the facility had proper security measures in place as required by HIPAA rules. The settlement also requires BCBST to establish a corrective action plan to revise its security policies and conduct training.

The HITECH Breach Notification Rule requires HIPAA covered entities to promptly make notifications in the event of a breach that affects more than 500 individuals. The entity must notify each individual affected, the HHS Secretary, and the media. A breach of information affecting fewer than 500 individuals need only be reported to the HHS Secretary on an annual basis.

More information on the HITECH Breach Notification Rule can be found on the Department of Health and Human Services website.

HIPAA Privacy and Security Rules are enforced by the Health Human Services (HHS) Office for Civil Rights. HIPAA Security Rules establish requirements for how entities must secure and protect electronic health information, and ensure that it remains secure and protected.

More information on the HHS Office for Civil Rights can be found on their website.

Continue reading "HHS Settles First Breach Notification Case" »

March 6, 2012

CMS Proposes Regulations to Implement the Law Regarding Reporting and Returning Overpayments

Having compliance plans and procedures in place is becoming increasingly important for Medicare providers and suppliers. On February 16, 2012, CMS released a proposed rule to implement Section 128(d) of the Social Security Act ("Act") which was added by the Affordable Care Act ("ACA") and deals with the reporting and returning of overpayments. The proposed rule is significant in that it includes a ten year look back period and proposes a definition for when an overpayment is "identified" which includes a duty for providers and suppliers to make reasonable inquiries when an overpayment is suspected.

The ACA created Section 1128(d) of the Act to detail the requirements for reporting and returning overpayments. Overpayments are defined in Part 4(B) of the law as "any funds that a person receives or retains under title XVIII or XIX [42 USCS Section 1395 et seq. or 1396 et seq.] to which the person, after applicable reconciliation, is not entitled under such title." Part 2 requires an overpayment be reported and returned by the later of 60 days from the date on which the overpayment is "identified" or the date any corresponding cost report is due. The statute itself does not define "identification" however, the proposed implementing regulation, 401.305(a)(2) defines "identification" as being when "the person has actual knowledge of the existence of the overpayment or acts in reckless disregard or deliberate ignorance of the overpayment." (77 Fed. Reg. 9179, 9182, February 16, 2012). CMS believes that this will provide an incentive to providers and suppliers to exercise reasonable diligence to determine whether an overpayment exists. CMS goes on in the proposed rule to suggest that without such a definition, a provider or supplier might avoid activities which can be done to determine an overpayment such as "self-audits, compliance checks, and other additional research."

CMS provides a nonexhaustive list of examples of when an overpayment is identified and the provider or supplier should make a "reasonable inquiry with all deliberate speed" to determine if an overpayment exists, including:

  • when a provider receives an anonymous compliance hotline telephone complaint about a potential overpayment;

  • when a provider or supplier reviews billing or payment records and learns it incorrectly coded certain services resulting in increased payment;

  • when a provider or supplier learns that a patient death occurred prior to the date of service on a claim submitted for service;

  • when a provider or supplier learns that services were provided by an unlicensed or excluded individual on its behalf;

  • when a provider or supplier performs an internal audit and discovers overpayments;

  • when a provider or supplier is informed by a government agency of an audit that discovered a potential overpayment and the provider or supplier fails to make a reasonable inquiry;

  • when a provider or supplier experiences a significant increase in Medicare revenue with no apparent reason for the increase.
While this list is not exhaustive, it should give providers and suppliers pause and reason to evaluate and update compliance plans. If a provider or supplier acts in reckless disregard or deliberate ignorance of whether it received an overpayment, then it could be found to have knowingly retained an overpayment. And, if an overpayment is retained after the deadline, it becomes an obligation under the False Claims Act, the provider or supplier may have liability under the Civil Monetary Penalties Law, and the provider or supplier could be excluded from participation in Federal Health Care programs.

Continue reading "CMS Proposes Regulations to Implement the Law Regarding Reporting and Returning Overpayments " »

March 6, 2012

CMS Provides List of Providers Sent Notices to Revalidate Their Medicare Enrollment

As part of healthcare reform, Section 6401(a) of the Affordable Care Act requires all providers and suppliers who enrolled in the Medicare program prior to March 25, 2011 to revalidate their provider enrollment under the new screening criteria. Providers and suppliers who enrolled after March 25, 2011 do not need to revalidate at this time as they have already been screened.

Medicare Administrative Contractors (MACs) will be sending revalidation notices to individual providers and suppliers between now and March 23, 2015. Providers and suppliers must complete the enrollment forms within 60 days of receiving the request from the MACs. If a provider fails to submit the provider enrollment forms after receiving the request, it may lead to a suspension of the provider's Medicare billing privileges.

Providers and suppliers may not revalidate their provider enrollment until they have received a revalidation notice from their MAC. The CMS website provides a list of all the providers and suppliers to whom revalidation notices have been sent (See "download" section). In case a revalidation notice has been sent but never received, every provider is encouraged to check the list to determine whether or not they are currently expected to revalidate. If you are listed, but have not received the request, you should contact your Medicare contractor.

Continue reading "CMS Provides List of Providers Sent Notices to Revalidate Their Medicare Enrollment" »