Billing Under Another Provider’s Number Can Land Physicians in Hot Water

By Emma Cecil, JD, October 31, 2017

2018 Alliance sponsor feature article courtesy of MagMutual

An Oklahoma physician agreed last August to pay the government $580,000 to resolve allegations that he violated the False Claims Act (“FCA”) by causing false claims to be submitted to Medicare for services he did not provide or supervise. According to the government, the physician allowed a company that employed him and in which he had an ownership interest to use his national provider identification (NPI) numbers to bill Medicare for physical therapy evaluation and management services furnished by other providers.

This case is merely another example of government enforcement action against providers who submit or cause to be submitted claims for services using the name and NPI of a physician who did not personally furnish the services. Back in 2011, the University of North Texas Health Science Center paid the government $859,500 to resolve allegations it had for submitted claims for physicians’ services provided to Medicare and Medicaid beneficiaries using the NPI numbers of physicians who neither provided nor personally supervised the services rendered. Other examples include Towson University Speech Language & Hearing Center, which paid $10,000 for submitting claims for audiology services with an NPI that did not correctly identify the provider who actually rendered those services; a family practice physician who paid $133,880 for submitting claims to Medicare for nurse practitioner services as though he had personally performed the services; a hospital that paid $706,090 in penalties for submitting claims for physicians’ services provided by a doctor to Medicare beneficiaries using the provider identification numbers of another doctor who did not furnish the services; and a medical school practice that paid $138,321 after it submitted claims for services provided by physicians to Medicare beneficiaries using the provider identification numbers of two physicians who did not furnish the services.

As a reminder, services generally must be billed under the name and NPI of the provider who actually performed the services. Billing under one provider’s name and NPI for services that are furnished by another provider may be fraudulent if the identity of the person performing the service would be material to the government’s decision to pay the claim.

The government does, however, permit the services of one provider to be billed under the name and NPI of another provider in certain limited circumstances, including where the services of auxiliary personnel (including both physicians and non-physician practitioners) are billed “incident-to” the professional services of a physician, and where the services of a substitute physician are billed under the regular, but unavailable, physician’s name and NPI on a temporary basis (“locum tenens” and “reciprocal billing” arrangements). These billing practices have very specific and stringent requirements, and failure to strictly comply with those requirements could subject providers to significant liability under the False Claims Act.

Importantly, the incident to, locum tenens, and reciprocal billing rules are Medicare rules and may not apply in the context of private payor billing. Many commercial plans specifically prohibit billing the services of one provider under the name and NPI of another provider and explicitly require that all services be billed under the name of the rendering provider. Providers billing private payors must therefore review their provider contracts and health plan rules to determine whether billing the services of one provider under the name and NPI of another provider is ever allowed, and if so, under what circumstances. If prohibited, knowingly billing under another provider’s name and NPI could potentially lead to criminal liability under the federal health care fraud statute, which makes it a crime to knowingly and willfully obtain by means of false or fraudulent representations money or property owned by any health care benefit program in connection with the delivery of or payment for health care services.

Key Takeaway

Before submitting bills for services furnished by one provider under the name and NPI of another provider, practices must be intimately familiar with the rules under which such billing is appropriate and allowed. Although practices that are under pressure to pay non-credentialed physicians may be able to bill the non-credentialed physician’s services under a credentialed physician’s NPI pursuant to Medicare incident to rules, such billing may be prohibited by commercial payors. Commercial payors also may not recognize locum tenens or reciprocal billing arrangements. In sum, billing under another provider’s name and NPI without strictly complying with CMS’s stringent incident-to or reciprocal billing rules, or in violation of private payor contracts, can spell big trouble, including treble damages under False Claims Act where claims are submitted to the government, and even criminal liability under the federal health care fraud statute.

Regulatory Alert: Share your concerns in MGMA’s 2018 Regulatory Relief Survey

Originally printed in the September 10th issue of MGMA’s Washington Connection. Reprinted by permission from MGMA.

MGMA’s 2018 Regulatory Relief Survey is your chance to voice your thoughts on the impact of federal government rules and requirements on your practice. As a practice leader, you know the most challenging regulations facing your practice, and we want to hear from you. The findings of this survey will help guide MGMA advocacy efforts in Washington to reduce those burdensome regulations on group practices.

Survey results will be shared at MGMA’s Annual Conference in Boston during the Regulatory Relief Forum. Don’t miss this chance to make an impact on the policies that matter to you most.

Questions?

Contact MGMA Government Affairs by e-mailing govaff@mgma.org or calling 202-293-3450 or toll free 877-275-6462.

 

HIPAA Compliance and Information Technology

2018 Alliance sponsor article courtesy of HitsTech

The HIPAA Security Rule, in force since April 21, 2005, established three safeguards:

  • Administrative policies and procedures designed to clearly show how the entity will comply with the act.
  • Physical measures that control access to data storage areas.
  • Technical methods securing “protected health Information” (PHI) that, when transmitted electronically over open networks, is known as ePHI.

The first two safeguards take time and effort but most healthcare providers have staff who can read the manuals, apply the guidelines and develop a compliant infrastructure.

The technical safeguard provision is entirely different!

HIPAA IT skills are not easily mastered. It requires the ability to understand the rules and regulations, envision a network (along with the ePHI flowing through it), and spot vulnerabilities. This must usually be done with a limited budget and with a minimum disruption of provider efficiency.

Deciding how to protect your information is a critical decision. The financial penalties resulting from data breaches along with the colossal costs of issuing breach notifications, providing credit monitoring services, and conducting damage mitigation makes investment in the protection of PHI extraordinarily cost-effective .

If you decide to handle HIPAA technical issues by hiring an in-house IT professional or contract with a Managed Services Provider (MSP) who specializes in healthcare, how do you make the right decision?

Most importantly, your applicant must present a plan that addresses four issues:

    1. The protection of the entire volume of PHI and ePHI you process. This includes:
      • Patient names, pictures, biometric data, addresses, contact numbers, insurance information, and any identifying numbers or data.
      • Health insurance plan beneficiary numbers.
      • Vehicle identifiers and serial numbers including license plates.
      • Device identifiers and serial numbers.
      • Web URLs and Internet protocol (IP) addresses.
    2. The ability to defend against known and anticipated threats. Failure to use current generation OS software and protection and tardiness in the implementation of published fixes and patches makes you 40 times more likely to be hacked.
    3. Compliance by other “Covered entities,” “business associates” and third-party service providers who might access your PHI. This includes items sometimes overlooked such as x-rays, physician appointment schedules, dictated notes, conversations, and information placed in patient portals.
    4. Security network components that are affordable and operationally feasible. The following diagrams identifies these components.2

 

Diagram

2Prevention Data Breaches Diagram used with permission of the HIPAA Journal 2017

There are specific HIPAA standards for servers, hosted environments, cloud utilization VPN architecture, workstations and network components. Your staff or MSP must provide evidence that the components they intend to deploy meet these specifications.

The technical defense you deploy must compensate for common human failings by using:

  • Password best practices. Passwords cannot be used by a group, must not be assigned to a position and must be changed every 90 days. Passwords must be sophisticated using letters, symbols, differing case and numbers.
  • Screen protectors that limit a third party’s ability to view a protected screen. These are commercially available.
  • Automatic controls that close a computer when it is left unattended.
  • Auditing techniques that ensure business associate networks are compliant. Remember you remain responsible for ePHI even when it leaves your network for another.
  • Restricted use of mobile devices such as flash drives that are not encrypted or are left in unprotected locations.
  • Technology that locks misplaced mobile devices.
  • Tracking that identifies attempted hacks and determines if data has been compromised.
  • An automatic restoration protocol that frequently backs up data so that if you are successfully attacked, it will disable the threat and immediately return your network to its last safe status.
  • Disposal procedures that ensure that any device to be disposed of is wiped completely before release from the protected environment.

While I hope this synopsis is helpful, I highly recommend you look at the 2017 edition of the HIPAA Journal’s “HIPAA Compliance Guide”. It provides a detailed analysis of the points made in this paper.

Armed with “Compliance Guide” expertise, explain your goals to your IT staff or MSP and leave the driving to them.

Sandra Loftin
Chief Executive Officer
HitsTech

Tell Your Congressperson to Co-sign CMS Med Advantage Prior Authorization Guidance Letter

Prior authorization in Medicare Advantage plans continue to burden medical practices with unnecessary paperwork and place barriers to care for Medicare patients. This issue has gotten the attention of two physician members of congress, Reps. David Roe, MD (R-TN) and Ami Bera, MD (D-CA), who have drafted the attached letter to provide guidance and support to CMS for improving the system of prior authorization used by Medicare Advantage plans.

The MGMA Government Affairs office is encouraging you to contact the district offices of your representatives to request that they co-sign this letter. Time should be given to helping representatives, and importantly their staff, understand the pain points surrounding prior authorization for medical groups. As such, here are some helpful talking points that you could use when speaking to staff (but real life, concrete examples on how this issue impacts your practice are best!):

  • As a medical practice leader, I regularly see the real-world impact on patients who encounter barriers to timely care that are caused by onerous and often unnecessary prior authorization requirements. Not only do these requirements delay care, they are often approved because Medicare Advantage plans are ultimately required to provide equivalent coverage to fee-for-service Medicare, which generally does not require pre-approval for services. Therefore, plans are precluded from using prior authorization to inhibit access to services.
  • As a member of the Medical Group Management Association, and one of your constituents, I urge you sign-on to this letter and show support for reducing needless prior authorization requirements that interfere with a patient’s care.

The attached letter is planned to be delivered to CMS in September and it is paramount that it be delivered with wide support. Please also remember to make use of the Legislative Liaison Member Community to continue this advocacy discussion. As always, I and the rest of the MGMA Government Affairs team are happy to discuss more with you the contents of the letter and the issue of prior authorization within Medicare Advantage. Please do not hesitate to reach out at any time with questions.

Warmly,

Mollie Gelburg
Associate Director, Government Affairs
MGMA
1717 Pennsylvania Ave NW #600
Washington, DC 20006
202.293.3450
mgelburd@mgma.org

Takeaways from the August 9th DHHS Stakeholder Call with Mandy Cohen, M.D.

By Leah, Paraschiv, NCMGMA Board Member

On Thursday, August 9th, the NC Department of Health and Human Services (DHHS) held a stakeholder call led by DHHS Secretary Mandy Cohen, M.D. The call addressed DHHS’s upcoming issuance of the Request for Proposal for Prepaid Health Plans (PHP) in Medicaid Managed Care.

In short, DHHS has issued an official RFP for managed care carriers. They will accept proposals until October and announce their final selections in February. Managed care will officially begin in the fall of 2019.

Here are the most important takeaways from the call:

  • PHPs cannot refuse to contract with you.
  • Physicians and physician extenders are guaranteed payment at current rates.
  • DHHS has worked to mitigate administrative burden for clinicians.
  • PHPs will have real accountability and rigorous oversight.
  • You will receive education and support during and after the transition to managed care.

Anticipated Timeline:

  • Now and ongoing — PHPs may start to reach out to initiate contract discussions with clinicians.
  • February 2019 — DHHS will announce which health plans will be PHPs in managed care.
  • Summer 2019 — PHPs must have contracted with enough care providers to meet DHHS network standards.
  • July 2019 — PHPs must have all call centers operational and all relevant staff located in North Carolina.
  • July – September 2019 — Managed care will start in two phases. For regions of the state in Phase 1, this will be the window in which beneficiaries select a PHP.
  • November 2019 — Medicaid Managed Care program will launch in regions in Phase 1.
  • October – December 2019 — For regions of the state in Phase 2, this will be the window in which beneficiaries select a PHP.
  • February 2020 — Medicaid Managed Care will launch in regions in Phase 2.

For additional information on Prepaid Health Plans in Medicaid Managed Care, there is a two page fact sheet available on the NC DHHS website which contains more details specific to the provider community, with even more information for all stakeholders on the full website.

Blue Cross Blue Shield of North Carolina Product Changes and FYIs

The NCMGMA BCBS Committee would like to draw your attention to recent changes, and likely more change in the future, to certain BCBS products. The links noted will provide more detail and the committee suggests you keep a close watch on http://www.bcbsnc.com.

State Health Plan Changes

  • North Carolina State Health Plan Board of Trustees voted to end the provider designation program at the end of 2018
    • Between 10/1/18 and 12/31/18, SHP members will no longer see two designations: one for the current year and one for the next year on the Provider Directory, they will only see the current year’s designation.
    • Effective 1/1/19, there will not be any Provider Specialty or Facility Designations on the Provider Directory

     

  • More information should come out this Fall regarding potential plan changes. To stay informed, check The Board of Trustees meeting materials page for full details: https://www.shpnc.org/about-us/board-trustees-meeting-materials
  • Blue Cross and Blue Shield will send out notifications regarding any fee schedule, reimbursement, or contract changes per the State’s requirements after the Board approves any changes to the plan

Blue Local Changes

  • Triangle market – Blue Local product eliminated for 2019. Members will be moved to Blue Value unless they opt for a different plan
  • Charlotte market – a Blue Local product remains for 2019

Blue Value Changes

  • Triangle market – UNC Health Alliance will be the exclusive in-network provider for Blue Cross ACA (Blue Value) plans in the Triangle in 2019

Question: What if my practice is in network for Blue Value, but NOT for UNC Health Alliance?

Answer from BCBS: We are not removing any providers from Blue Value in the Triangle. For 2019, Blue Value non-UNC Health Alliance providers can continue to see ACA members in the Triangle. Providers can always check their participation status by reviewing their current BCBSNC participation agreements or calling their local Provider Relations consultant.

https://www.bluecrossnc.com/sites/default/files/document/attachment/providers/public/pdfs/news-and-information/news/2019%20ACA%20Rate%20Release_FINAL.pdf

UNC Health Alliance: https://www.unchealthcare.org/health-alliance/for-providers/

As the NCMGMA BCBS Committee is made aware of changes we will keep you informed.

Issue Spotlight: Proposed Changes to Medicare E&M Visits

Originally published in the July 18, 2018 issue of MGMA’s Washington Connection
Reprinted with permission from MGMA

The Centers for Medicare & Medicaid Services (CMS) released the 2019 Medicare Physician Fee Schedule proposed rule that would affect Medicare physician reimbursement policies beginning in 2019. Among other changes, CMS proposes to:

  • Collapse evaluation and management (E&M) Levels 2-5 into one level for new patients and another for established patients. The average national payment would be $135 for new patients and $93 for established patients.
  • Allow clinicians to choose to document office and outpatient E&M visits using medical decision-making or time or continue using the current 1995 or 1997 E&M documentation guidelines.
  • Create a minimum documentation standard so clinicians would only need to meet requirements currently associated with a level 2 visit for history, exam, or medical-decision making (except when using time to document the service).

To help MGMA evaluate the impact of these proposed changes and advocate on behalf of medical group practices, please share your feedback on these proposals by filling out this brief comment form.