Articles Posted in Compliance

Published on:

In response to the unprecedented challenges created by the COVID-19 pandemic, the Coronavirus Aid, Relief, and Economic Security (CARES) Act established the Provider Relief Fund (PRF) as an effort to financially support the nation’s healthcare providers as they grappled with COVID-19. To achieve this goal, the Health Resources & Services Administration (HRSA) was tasked with administering the PRF program, and distributed hundreds of thousands of payments from the program’s $178 billion fund to healthcare providers of all types. However, even though providers may have used the PRF funds for permitted COVID-related purposes, many providers are increasingly being demanded to return the money, and being given little to no notice or information as to why.

In the early days of the COVID-19 pandemic, the first batch of disbursements under the PRF program were unsolicited and were deposited directly into providers’ bank accounts without prior application or notice. Providers had to quickly decide whether to return the funds, or to keep the money and agree to abide by the terms and conditions of the PRF program, despite not knowing at the time precisely what those terms were. Many providers that are being subjected to the current rash of repayment demands received PRF funds during the earliest distribution phases.

The repayment demands themselves and the processes available to dispute such demands present an entirely new set of complications and may often give the impression that a provider is being unfairly targeted for performing valuable healthcare services during a public health emergency. As the administrator of the PRF program, HRSA is supposed to initially notify providers of any alleged non-compliance with the PRF program terms and conditions. Usually, this is due to HRSA’s claim that a provider has not submitted the required reporting before the appropriate deadline or within the late reporting timeframe. Notably, providers are increasingly commenting that they are not receiving any notices regarding compliance with the PRF program or reporting requirements, or further, that they are later discovering such notices were sent to the wrong address.

Published on:

Late last year, the Michigan State Medical Society (MSMS) published a letter to the Michigan Attorney General (AG) voicing concerns about the influence of private equity on the practice of medicine and what MSMS referred to as widespread violations on Michigan’s prohibition on the corporate practice of medicine (CPOM). MSMS asked the AG to promptly investigate its concerns.

CPOM refers to the practice of medicine by a corporate entity, rather than an individual practitioner. That is, a corporate entity employs physicians and maintains the control that comes with employment. Many states prohibit the corporate practice of medicine or otherwise regulate what types of entities may employ physicians. The rationale is often a desire that medical decision-making remain with the physician and should not be influenced by a non-physician employer or by profit-driven investors. These regulations are the reasons that physician “employment” is often organized into physician groups or profession corporations.

In Michigan, with a few specific exceptions, entities that provide medical services generally must be organized as professional corporations (PCs) or professional limited liability companies (PLLCs) and must be owned by licensed professionals. A common business model is for a PC or PLLC to contract with an outside management services organization (MSO), which is not physician-owned, but may have financial resources or management expertise that the licensed owners of the PC do not have.

Published on:

In the Medicare Advantage (MA) program, overseen by the Centers for Medicare & Medicaid Services (CMS), Medicare Advantage Organizations (MAOs) – typically private insurers – receive monthly payments from CMS. The MAOs then contract with healthcare providers and suppliers to provide services pursuant to multiple MA plans offered by the MAOs. With the rise of artificial intelligence (AI), many providers have expressed concern that MAOs are using AI tools to review claims, make coverage determinations, deny claims, and conduct audits with little to no human oversight.

CMS recently released its 2024 MA Final Rule and a set of accompanying frequently asked questions (FAQs). In these, CMS cautioned MAOs that, while an algorithm or software tool can be used to assist MA plans in making coverage determinations, it remains the responsibility of the MAO to ensure that the algorithm or AI complies with all applicable rules for how coverage determinations by MA organizations are made. CMS emphasized that this included that MAOs make medical necessity determinations based on the circumstances of each specific individual including the patient’s medical history, physician recommendations, and clinical notes; and in line with all fully established Traditional Medicare coverage criteria (including established criteria in applicable Medicare statutes, regulations, National Coverage Determinations (NCDs), or Local Coverage Determinations (LCDs)), or with publicly accessible internal coverage criteria that are based on current evidence in widely used treatment guidelines or clinical literature.

CMS gave several examples of non-compliant use of AI by MAOs, mostly due to a lack of human, clinical oversight of the AI-driven tool and the implementation of its outputs. In an example involving a decision to terminate post-acute care services, CMS noted that an algorithm or software tool can be used to assist providers or MA plans in predicting a potential length of stay, but that prediction alone cannot be used as the basis to terminate post-acute care services. For those services to be terminated in accordance with MA regulations, the patient must no longer meet the level of care requirements needed for the post-acute care at the time the services are being terminated, which can only be determined by re-assessing the individual patient’s condition prior to issuing the notice of termination of services. Additionally, for inpatient admissions, CMS noted that algorithms or AI alone cannot be used as the basis to deny admission or downgrade to an observation stay; the patient’s individual circumstances must be considered against the permissible applicable coverage criteria.

Published on:

Among the plethora of different contractors used by the Centers for Medicare & Medicaid Services (CMS) to administer the Medicare program is the Supplemental Medical Review Contractor, or SMRC. Like the Medicare Administrative Contractors (MACs), Recovery Audit Contractors (RACs), Unified Program Integrity Contractors (UPICs), and others, the SMRC – of which there is only one at any given time – also audits the claims submitted for reimbursement by Medicare providers and suppliers and issues allegations that providers have received overpayments. Noridian Healthcare Solutions, which is also a MAC, was selected as the SMRC in 2018 and remains the current SMRC.

SMRC audits generally begin with an Additional Documentation Request (ADR), usually in a distinctive green envelope with the Noridian SMRC letterhead or logo. After the provider submits the requested records, the SMRC conducts the review based on the analysis of national claims data, statutory and regulatory coverage, and coding, payment, and billing requirements. The SMRC should eventually issue a Review Results Letter. Providers should be aware that a SMRC review can sometimes last for several months with no intervening correspondence or status updates from the SMRC. Providers who expect, but have not received, a SMRC response should consider carefully checking their Medicare EOBs for activity their MAC may have taken based on the SMRC audit and note any appeal deadlines. Also, providers should be aware that the SMRC is a regional contractor who is allowed to conduct audits nationwide and thus may misunderstand local rules, state laws, or LCDs. SMRC audit findings should generally be carefully scrutinized.

SMRC audit findings also have an additional appeal mechanism available to them. Where the SMRC denies claims, the provider generally has a right to appeal the findings directly to the SMRC and can sometimes request a discussion and education session directly with the SMRC. If the SMRC denies the appeal, it will refer the case to the provider’s local MAC to collect the alleged overpayment or to other government agencies for further action. Where the MAC demands that the provider return an overpayment based on the SMRC’s findings, that demand is subject to the standard Medicare claims appeal process.

Published on:

The integration of Artificial Intelligence (AI) into healthcare represents a frontier of innovation, offering transformative potential for patient care, diagnostic accuracy, and operational efficiency. However, as healthcare providers and technology companies rapidly adopt AI solutions, navigating the complex landscape of regulatory compliance becomes increasingly crucial. This landscape is defined by focuses on patient safety, data privacy, and ethical standards, making regulatory compliance as critical as the technological advancements themselves.

At the heart of healthcare regulation is the imperative to ensure patient safety and efficacy of care. Regulatory bodies like the U.S. Food and Drug Administration (FDA) have been active in establishing frameworks for the approval and use of AI-driven medical devices and software. While FDA generally has authority to regulate medical devices, there are important limits on its authority. Users of AI tools that assist practitioners in analyzing a patient’s symptomology and rendering a diagnosis may want to explore whether the tool constitutes a Clinical Decision Support tool, which are generally beyond the scope of FDA regulation.

While AI can provide powerful tools to assist licensed healthcare practitioners, there may be significant implications where an AI tool attempts to replace a licensed healthcare practitioner. These implications include both ethical considerations for the licensed practitioner and compliance consideration for the unlicensed user of an AI-driven tool. Every state issues licenses to practice within a certain scope of practice and limits conduct within that scope of practice to holders of a license. For example, generally only licensed medical doctors may practice medicine. A licensed medical practitioner who allows an AI-driven tool to dictate patient care and fails to exercise independent medical judgement may have violated ethical and legal obligations under their applicable license. On the other hand, the unlicensed user of an AI-driven tool may face accusations of authorized practice where the tool is performing activities that are limited only to licensed physicians, nurses, etc.

Published on:

When structuring healthcare arrangements, three major compliance challenges frequently emerge: the Stark Law (officially the Physician Self-Referral Law), the Anti-Kickback Statute (AKS), and the Eliminating Kickbacks in Recovery Act (EKRA). These laws govern referrals to or from a healthcare provider or supplier and carry the risk of severe, sometimes criminal, penalties. Yet, each also offers several exceptions or safe harbors that certain business models might meet. Even a simple arrangement with a healthcare entity can involve complex analysis regarding these three statutes.

The Stark Law (42 U.S.C. 1395nn) prohibits doctors from referring patients to entities providing “designated health services” covered by Medicare or Medicaid if there is a financial relationship between the physician (or their immediate family) and the entity, except under specific exceptions. Financial relationships subject to the Stark Law encompass both compensation and investment interests. Covered services range from clinical labs to physical and occupational therapy, durable medical equipment, certain imaging services, and more. Common exceptions include provisions for in-office ancillary services, fair market value compensation, and legitimate employment relationships. Recently, CMS introduced additional exceptions for value-based arrangements to accommodate evolving healthcare delivery models.

Similarly, the AKS (42 U.S.C. 1320a-7b(b)) criminalizes the exchange of “remuneration” to influence patient referrals or generate business for services billed to federal healthcare programs. “Remuneration” is broadly defined to include any item of value, not just cash. Nonetheless, where conduct implicates the AKS, it may still be lawful if the conduct fits within one of the statute’s “safe harbors,” which cover certain investments, rental agreements, and personal service contracts, among others. Recent updates have also added safe harbors for value-based healthcare arrangements, reflecting the industry’s shift towards this model.

Published on:

Nearly 4 years after the beginning of the COVID-19 pandemic, healthcare providers continue to see payor audits and demands for repayment for services provided during the pandemic, primarily COVID-19 testing and vaccinations. While these services were an essential public function during the pandemic, constantly changing and often unclear rules and regulations governing the coverage of these services have created fertile ground for payors to allege after-the-fact that provider were not entitled to payment.

The issues asserted by payors tend to be systemic; that is, related to the process used by the provider rather than issues related to any unique characteristics of any specific claim. Therefore, these allegations often lead to demands that the provider pay back a significant portion of reimbursements for their COVID-19 services, often in the hundreds of thousands or millions of dollars.

COVID-19 audits tend to focus on a few common issues. Payors may audit providers based on the requirement for an “individualized clinical assessment,” including whether the ordering provider was authorized, whether the order for testing was within the scope of state law, whether the assessment was conducted by telemedicine or by a questionnaire, whether the ordering provider used a standing order, and what rules apply where a state does not or did not require an order for COVID-19 testing. The use of standing orders has become a particular point of contention, especially in cases where the practitioner who issued the standing order did not personally examine patients, was located offsite, or was under contract with and receiving reimbursement from the entity billing for the services.

Published on:

Both the Centers for Medicare & Medicaid Services (CMS) and its plethora of contractors rely on the mail to notify providers and suppliers of document requests, audit findings, disciplinary actions, and many other important items. Providers should be careful that their mailing addresses on file with Medicare are current and accurate. Failure to do so can result in the provider not receiving an important piece of correspondence and inadvertently causing significant consequences for the provider.

The Medicare Provider Enrollment, Chain, and Ownership System (PECOS) is the online Medicare enrollment management system. It allows individuals and entities to enroll as Medicare providers or suppliers. When a provider or supplier enrolls in Medicare, it must provide a series of addresses, including a correspondence address, medical review address, and payment address. Whether a provider enrolls online or uses a paper application, once the provider is enrolled, these addresses are stored in PECOS. In PECOS, a provider can check and edit their listed addresses. When CMS or a contractor needs to mail correspondence to the provider, they will look to PECOS for the address to use. As there are multiple address types listed in PECOS, which may list different addresses, the address selected may relate to the purpose of the correspondence, or a contractor may simply choose an address seemingly at random.

Items that may be sent to a provider’s address or addresses listed in PECOS may be Additional Documentation Requests (ADRs), notices of audits, notices of audit findings with appeal rights, and notices of disciplinary proceedings such as Medicare suspensions, revocations, and exclusions. A provider that does not receive one of these because of an incorrect address listed in PECOS may inadvertently fail to provide records, miss an appeal deadline, or otherwise miss the chance to address some action that Medicare takes against them. In general, where correspondence is sent to the address in PECOS, Medicare will assume that it was received and shift the responsibility to the provider to keep PECOS updated. Not receiving such mail can have devastating consequences for the provider and make subsequent appeal or remedials actions much more difficult.

Published on:

Medicare providers who use skin substitutes, allografts, and similar products for wound care are seeing a sharp increase in audits by Medicare contractors. These products often carry high reimbursement rates and require frequent reapplication. Therefore, they are seen by the Medicare program as high risk for improper payments or outright fraud. Providers who use these products or who are subjected to audit should know the consequences of an audit and that there are avenues to respond.

Many of these audits are conducted by Unified Program Integrity Contractors (UPICs), such as CoventBridge group. UPICs are Medicare contractors tasked with auditing providers for suspected fraud in claims submitted to the Medicare or Medicaid programs. Notably, UPICs are quick to deny claims and allege that the provider has committed fraud for any perceived noncompliance with documentation requirements, no matter how minor. A UPIC’s allegation of fraud can nonetheless have serious consequences for a provider, especially when not rebutted, but such allegations may be addressed through the timely appeal of claims denied by the UPIC.

Denial reasons in wound care audits generally include: the specific product was investigational or experimental, conservative treatment was not documented prior to application of the product, there is no documentation regarding why one product was chosen over another product or another course of treatment, the product was reapplied too many times or over too long a period, the patient did not show significant enough improvement to justify continued use, and that the product was not used for a “homologous use.” “Homologous use” is defined by statutes and regulations governing FDA approval for a product and generally means that tissue is used by the patient in the same manner as it was used by the donor. For example, auditors often claim that placental-derived products can only be used as a “wound covering” because the placenta “covers” the fetus, and that “wound healing” is a separate, inappropriate use. Each of these denial reason can be addressed in the claims appeal process.

Published on:

The Food and Drug Administration (FDA) and the Centers for Medicare and Medicaid Services (CMS) recently released a joint statement suggesting that the FDA is about to end its decades-long policy of declining to regulate lab-developed tests (LDTs). The statement casts the policy as outdated and suggests that the FDA is about to impose regulation to treat LDTs with the same approach as all other laboratory tests.

Testing by clinical laboratories is regulated by both the FDA and by the Clinical Laboratory Improvement Amendments (CLIA), as administered by CMS. The FDA regulates medical devices, including in vitro diagnostic products (“IVDs”). The FDA considers LDTs to be IVDs that are intended for clinical use and are designed, manufactured, and used within a single laboratory. CLIA, on the other hand, regulates the laboratory itself and classifies LDTs as “high complexity tests,” with corresponding standards imposed on the laboratory. Importantly, regarding the LDT itself, CLIA generally requires only analytical validation, which can occur after testing has already begun. LDTs may also be subject to more stringent state and private sector oversight.

Historically, the FDA had exercised enforcement discretion and not regulated LTDs, but this began to change in recent decades and accelerated during the COVID-19 pandemic. The pandemic caused an explosion in the need for quick, accurate, and cost-effective means to detect the virus that causes COVID-19. Many clinical labs responded by developing LDTs to detect COVID-19. As LDTs, labs were quickly able to innovate and begin bringing tests for COVID-19 to market. FDA responded by muddying the waters and adding regulatory burden. Initially, the Department of Health and Human Services (HHS), then under the Trump administration, released guidance that, during the public health emergency (PHE), LDTs for COVID-19 would not require pre-market approval. FDA then, in seeming contradiction of HHS, determined that the at-home collection kit of a COVID-19 LDT was distinct from the test itself and subject to FDA regulation. Later in the pandemic, HHS, now under the Biden administration, changed policy again and allowed the FDA to regulate all COVID-19 LDTs.

Contact Information