Identifying ‘60-day rule’ overpayments during routine auditing

The need to identify, report, and return Medicare and Medicaid overpayments to CMS under the “60-day rule” and the ability to understand and prepare for the risks posed by routine auditing are essential for all medical providers. At a recent Health Care Compliance Association (HCCA) webinar, Jean Acevedo, LHRM, CPC, CHC, CENTC, Senior Consultant, Acevedo Consulting, Inc., and Lester J. Perling, Esq., CHC, partner, Broad and Cassel LLP, discussed these topics and offered their recommendations.

The 60-day rule

Section 6402(a) of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) established new section 1128J of the Social Security Act, which requires providers and suppliers who submit claims to Medicare and Medicaid to report and return “identified” overpayments to CMS within 60-days or face potential liability under the federal False Claims Act. These requirements were implemented by CMS in a February 12, 2016 Final rule (81 FR 7653) (see CMS finally codifies the 60-day Parts A and B overpayment return rule, February 12, 2016; and Comments, questions, concerns? Weighing in on the 60-day overpayment Final rule, March 2, 2016).

According to Perling, the Final rule sets forth the following parameters for understanding the 60-day overpayment requirement:

  • Definition of an “identified” overpayment. Providers are responsible for overpayments that they “know or should have known”about through the exercise of “reasonable diligence.” Providers that deliberately choose not to investigate when they are made aware of the existence of potential overpayments, would be held liable under the FCA.
  • Exercising “reasonable diligence”. Reasonable diligence requires that providers (1) implement proactive compliance activities to monitor for the receipt of overpayments; and (2) undertake investigations “in a timely manner” in response to obtaining “credible information” of a potential overpayment.
  • “Timely” defined. CMS considers a “timely” investigation to be at the most six months from receipt of the credible information, except in extraordinary circumstances.
  • When does the 60-day period begin? The 60-day period does not begin to run until the provider has had a chance to undertake follow-up activities and quantify the amount of the overpayment.
  • Lookback period. The 60-day rule applies to overpayments identified within six years after they were received.
  • Repayment options. Providers may use claims adjustment, credit balance, the HHS Office of Inspector General’s (OIG) Self-Disclosure Protocol, or other appropriate processes to report or return overpayments. Regardless of the process used, the refund should include an explanation or the statistical sampling methodology used if the overpayment was extrapolated.

Routine baseline audit

Acevedo next discussed the annual baseline audit performed as part of the organization’s compliance program. She recommended that it be done under the attorney/client and work/product privileges in order to help insulate the organization from exposure.

Physical therapy case study

Acevedo next presented an audit case study of a physical therapy department. She stressed the need for the auditor (whether in-house or an outside contractor) to examine the three critical physical therapy documents: (1) the initial evaluation and plan of treatment; (2) the treatment notes; and (3) the clinician’s progress report.

In preforming the audit, she recommended that the auditor take note of the fact that health care professionals are creatures of habit and that, for example, they will either include all necessary elements in the plan of treatment, the treatment notes, and the progress report, or not (i.e., they are usually consistently good, or consistently bad at recordkeeping). She also cautioned that while this document audit may be time consuming, and it is important that the auditor be thorough and not just review the most recent treatment notes and progress reports.

If the auditor finds that therapy documents are deficient or erroneous, Acevedo suggested that the auditor STOP and do two things: (1) consider the possibility that an overpayment situation exists and the timeline that may kick in under the 60-day rule; and (2) alert the attorney and the owner of the practice. She cautioned, however, about jumping to conclusions and leaving a paper trail of written concerns that may amount to “breadcrumbs” for a government investigator or a whistleblower to follow.

Prospective v. retrospective audits

Perling stressed that whether the audit is prospective (i.e., occurs prior to submission of a claim) or retrospective (post claim submission) it does not matter as the finding of negative result or high error rate in either would potentially activate the 60-day rule requirements.

Issues to consider when auditing

Perling suggested taking the necessary steps prior to audit to create an attorney/client privilege that will be recognized and respected by any government investigator.

Perling also discussed whether the standards the auditor is relying on are authoritative or merely guidance. Perling believes that statutes and regulations are clearly authoritative, but that “not everything CMS publishes is authoritative.” For example, while CMS Manuals and Local Coverage Determinations are binding on the Medicare contractor, they are not binding on an administrative law judge. The real question, according to Perling, is “whether the Department of Justice or a whistleblower will think a standard is authoritative.”

Final thoughts

In closing, Perling and Acevedo offered three reminders: (1) educate before auditing; (2) the routine annual audit should review current compliance with standards, not past deficiencies; and (3) audits are still required for effective compliance programs. The danger, according to Acevedo, “is putting your head in the sand.”

Don’t ignore biosafety when planning a compliance program

Compliance professionals sometimes avoid auditing institutional biosafety programs because they do not fully understand them, but that is detrimental, warned Bret S. Bissey, MBA, FACHE, CHC, CMPE, Senior vice president of Compliance Services at MediTract. Speaking at a Health Care Compliance Association (HCCA) webinar titled, “Performing a Compliance Assessment of the Institutional Biosafety Program,” Bissey and Joan M. Robbins, Ph.D., Senior Vice President of Biosafety & Gene Therapy at WIRB Copernicus Group, warned attendees of the need for strong biosafety programs to combat increased biological risks. Biosafety programs should be viewed as investments, rather than expenses, according to Bissey; a compliance professional should not feel comfortable at an institution where a biosafety assessment discussion is not part of the work plan.

Biosafety measures are required for the safe handling and containment of infectious or potentially infectious biological materials, which may occur in both laboratories and clinical settings, such as a hospital where a clinical trial is occurring. To be effective, they require a fundamental understanding of the particular biological material or agent at issue. They also require an agent-specific risk assessment and a risk group classification, rather than general safety measures. Facilities should institute standard microbiological practices and ensure that appropriate safety equipment is used and appropriate safeguards are put in place. Unlike basic infection prevention control, which protects the patient, effective biosafety protects workers, the environment, and the community.

Institutions should generally perform two types of biosafety reviews: document reviews and facilities reviews. Documents reviewed should include exposure control plans, biosafety policies, environmental health and safety policies, and training plans. Employees should be trained in agent-specific safety polices, rather than mere general policies. For example, certain biologicals can affect the eyes, and employees must understand the need to wear eye shields when dealing with them. Protocols must be in place regarding actions that employees should take if they are exposed to biologicals, for example, through an infected needle.

Auditors should review all sites where a biological will be received, stored, manipulated, administered, or disposed of. Lax access controls over administration and storage are a huge issue. Only those people who need to access certain areas, including refrigerators and freezers should be able to access them; employee lunches should never be stored in the same refrigerator as biological materials. Cabinets, floors, and other surfaces must not only be clean at the time of review, but be easy to clean to ensure that the condition can be maintained. It is typically easier to implement effective biosafety in a laboratory, which may handle biosafety levels 1 and 2 on a regular basis, compared to a clinical setting, which may not deal with the issue as frequently.

Failure to implement biosafety is costly beyond the obvious risks to health and safety. A lack of biosafety can result in delayed research and a diminished public support; they can also result in monetary settlements, such as a hospital’s settlement with a nurse resulting from her exposure in Ebola in the hospital setting. Nurses at that particular institution reportedly were given protective equipment, but not trained it its use.

Compliance officers should ensure that biosafety is addressed at their institution. A biosafety officer will likely have greater understanding of the details and more direct oversight over the program, but compliance officials need to ensure that the program is in place and is working as it should. As Bissey said, it is up to the compliance department to act proactively, rather than retroactively, when it comes to biosafety.