Knowledge Base Category -

 Protection Assessment
MMP Logo no Words or Tag
June 2022 PAR Pro Tips: A Month of Celebrations
Published on Jul 20, 2022

MMP’s Protection Assessment Report (P.A.R.) combines current Medicare Fee-for-Service review targets (i.e., MAC, RAC, OIG) with hospital specific paid claims data made possible through a collaboration with RealTime Medicare Data (RTMD). In general, this monthly article spotlights current review activities. However, this month in keeping with the Hallmark Channel’s Christmas in July celebration, MMP would like to recognize the OIG’s Health Care Fraud and Abuse Control Program’s 25th year of operation and celebrate Medicare’s 57th birthday!

Health Care Fraud and Abuse Control Program Celebrates its 25th Year of Operation

On July 5, 2022, The Office of Inspector General (OIG) released the Department of Health and Human Services and The Department of Justice’s Health Care Fraud and Abuse Control (HCFAC) Program Report for Fiscal Year 2021 (link). The OIG’s notice of this report’s release indicated the HCFAC “Program is celebrating its 25th year of operation and continued success in identifying and prosecuting the most egregious instances of health care fraud, preventing future fraud and abuse, and protecting program beneficiaries.”

HCFAC Report OIG and CMS Highlights
  • In its 25th year of operation, the Secretary and the Attorney General certified $321.6 million in mandatory funding necessary for the Program. In addition, Congress appropriate $807.0 million in discretionary fundings.
    • The OIG was allocated just over $300 million, and the Centers for Medicare and Medicaid Services was allocated almost $600 million.
  • During FY 2021, the Federal Government won or negotiated more than $5.0 billion in healthcare fraud judgments and settlements.
  • The HCFAC Program’s return on investment (ROI) over the last three years (2019-2021) is $4.00 returned for every $1.00 expended. Note, “this ROI relies on actual recoveries and collections, and does not represent the effect of preventing future fraudulent payments.”
OIG Efforts
  • The OIG is the leading oversight agency specializing in health care fraud and “employs a multi-disciplinary approach and uses data-driven decision-making to produce outcome-focused results.”
  • The OIG’s priority outcome areas fall into two broad categories:
    • Minimize risk to beneficiaries, and
    • Safeguard programs from improper payments and fraud.
  • In FY 2021, the OIG issued 162 audit reports and 46 evaluations, resulting in 506 new recommendations issued to HHS operating divisions, HHS grantees and other entities. Out of 506 recommendations made in FY 2021, 432 were implemented in FY 2021.
CMS Efforts
  • “CMS defines program integrity very simply, “pay it right.” Program integrity focuses on paying the right amount, to legitimate providers and suppliers, for covered, reasonable and necessary services provided to eligible beneficiaries, while concurrently taking aggressive actions to eliminate fraud, waste, and abuse. Federal health programs are quickly evolving; therefore, CMS’s program integrity strategy must keep pace to address emerging challenges.”
  • Unified Program Integrity Contractors (UPICs) medical reviews “are uniquely focused on fraud detection and investigation. Currently, UPICs are carrying out program integrity activities in all five geographic jurisdictions: Midwest, Northeast, West, Southeast, and Southwest.
  • CMS used the Medical Review Accuracy Contractor (MRAC) to conduct medical review of claim determinations made by Medicare Medical Review Contractors including MACs, UPICs, the Supplemental Medicare Review Contractor (SMRC) and in 2021 the RACs while procurement for the RAC Validation Contractor (RVC) was underway.

Happy 57th Birthday Medicare!

On July 30, 1965, President Lyndon B. Johnson signed into law the bill that led to the Medicare and Medicaid. President and First Lady Truman were the first Medicare Beneficiaries.

Did You Know?

In the CMS 2021 Edition of Medicare Beneficiaries at a Glance (link), in 2019:

  • 61.5 million people were enrolled in Medicare,
  • 3.8 million of these people were new enrollees,
  • 49% of enrollees were between the ages of 65 and 74,
  • 63% of enrollees were enrolled in the traditional Medicare Fee-for-Service plan, and
  • The top five chronic conditions were high blood pressure, high cholesterol, arthritis, diabetes, and heart disease.

In honor of Medicare’s birthday and in keeping with our monthly focus on Medicare Contractors, following is a list of useful resources provided by the CMS for our readers:

Beth Cobb

June 2022 PAR Pro Tips
Published on Jun 15, 2022

MMP’s Protection Assessment Report (P.A.R.) combines current Medicare Fee-for-Service review targets (i.e., MAC, RAC, OIG) with hospital specific paid claims data made possible through a collaboration with RealTime Medicare Data (RTMD). In general, this article spotlights current review activities. This month’s focus is on medical review activity accomplishments touted in recently released Government Accountability Office (GAO) and Office of Inspector General (OIG) reports, a new OIG Work Plan Item and a new Supplemental Medical Review Contractor (SMRC) project.

GAO Report: Priority Open Recommendations: Department of Health and Human Services


(GAO-22-105646) published May 26, 2022, and publicly released June 2, 2022.

In May 2022, the GAO added five new priority recommendations for HHS bringing the total to fifty-six open priority recommendations. According to the GAO, priority open recommendations warrant priority attention from heads of key departments or agencies because implementation could save substantial amounts of money; improve congressional or executive branch decision-making on major issues; eliminate mismanagement, fraud, and abuse; or ensure that programs comply with laws and that funds are legally spent. The fifty-six recommendations fall into one of eight areas:

  • COVID-19 response and other public health emergency preparedness,
  • Public health and human services program oversight,
  • FDA oversight,
  • Improper payments in Medicare and Medicaid,
  • Medicaid program,
  • Medicare programs,
  • Health information technology and cybersecurity, and
  • Health insurance premium tax credit payment integrity.

Specific to improper payments, the GAO notes estimates of improper payments in the Medicare and Medicaid programs continue to be unacceptably high totaling about $148 billion in fiscal year 2021. They identified the following six priority recommendations that they believe if implemented could reduce improper payments by assessing documentation requirements, minimizing program risks, and conducting prepayment claim reviews, among other things:

  1. Recommendation: The Administrator of CMS should institute a process to routinely assess, and take steps to ensure, as appropriate, that Medicare and Medicaid documentation requirements are necessary and effective at demonstrating compliance with coverage policies while appropriately addressing program risks.
  2. Recommendation: The Administrator of CMS should complete a comprehensive, national risk assessment and take steps, as needed, to assure that resources to oversee expenditures reported by states are adequate and allocated based on areas of highest risk.
  3. Recommendation: The Administrator of CMS should eliminate impediments to collaborative audits in managed care conducted by audit contractors and states, by ensuring that managed care audits are conducted regardless of which entity—the state or the managed care organization (MCO)—recoups any identified overpayments.
  4. Recommendation: The Administrator of CMS should consider and take steps to mitigate the program risks that are not measured in the Payment Error Rate Measurement (PERM), such as overpayments and unallowable costs; such an effort could include actions such as revising the PERM methodology or focusing additional audit resources on managed care.
  5. Recommendation: To better ensure proper Medicare payments and protect Medicare funds, CMS should seek legislative authority to allow the recovery auditors (RA) to conduct prepayment claim reviews.
  6. Recommendation: As CMS continues to implement and refine the contract-level risk adjustment data validation (RADV) audit process to improve the efficiency and effectiveness of reducing and recovering improper payments, the Administrator should enhance the timeliness of CMS’s contract-level RADV process.

I encourage you to read the report to see HHS’ response to these recommendations.

OIG Spring 2022 Semiannual Report to Congress (SAR):

This OIG’s Semiannual Report to Congress (link) details work performed to identify significant risks, problems, abuses, deficient, remedies, and investigative outcomes related to the administration of HHS programs during the reporting period October 1, 2021 through March 31, 2022. Following are examples of three completed audits:

  • An estimate that during 2016 and 2017, providers received $636 million in unallowable Medicare payments associated with neurostimulator implantation surgeries, and beneficiaries paid $54 million in related unnecessary copays and deductibles.
  • The OIG found that Medicare could have saved approximately $993 million in 2017 and 2018 if the transfer payment policy to early discharges to home health care was expanded to inpatient rehabilitation facilities (IRFs).
  • The OIG published four reports where they identified Medicare Advantage plans submitting diagnosis codes for use in CMS’s risk adjustment program that did not comply with Federal requirements. Collectively, the OIG estimated that the four Medicare Advantage plans audited received just over $15.8 million net overpayments for high-risk diagnosis codes.

May 2022 OIG Work Plan Item: Follow-up Review of Inpatient Claims Under the Post-Acute Care Transfer Policy (PACT)

For certain MS-DRGs under the PACT policy, Medicare pays hospitals a per diem rate when an inpatient is transferred to specific post-acute care settings. You can read more about this policy in a related MMP article (link). The OIG notes that in a prior review they identified overpayments to hospitals that did not comply with the policy. This follow-up audit is to determine whether CMS’s Common Working File (CWF) edits are working properly in detecting inpatient claims under the PACT policy and are automatically recovering overpayments, and whether MACs are receiving the automatic notifications and acting to recover overpayments.

New SMRC Reviews: SNF 3 Day Stay Waiver PHE Notification of Medical Review

On June 7, 2022, the SMRC added Project 01-056 (link) to their list of Current Projects (link). In response to the COVID-19 Public Health Emergency (PHE), CMS enacted 1135 blanket waivers, one of which waived the long-standing requirement for a beneficiary to have a medically necessary 3-day hospital stay prior to admission to Skilled Nursing Facility (SNF).

Data analysis done by the SMRC, and CMS has identified this to be an area of potential vulnerability. The SMRC has been tasked with performing medical review on SNF claims with zero hospital days prior to admission for SNF claims from March 1, 2020, through December 31, 2021. As a reminder, in general, COVID-19 blanket waivers are in effect until the end of the PHE.

Beth Cobb

June 2021 PAR Focus: OIG Workplan
Published on Jun 16, 2021

Prior to 2017, the Office of Inspector General’s (OIG) Work Plan was published on an annual and sometimes semi-annual basis. The OIG began updating the Work Plan on a monthly basis effective June 15, 2017. The change was made as the OIG acknowledged that the “work planning process is dynamic, and adjustments are made throughout the year to meet priorities and to anticipate and respond to emerging issues with the resources available.” The Work Plan includes items for several agencies (i.e., Centers for Medicare & Medicaid Services (CMS), Administration for Children and Families, Office of Civil Rights (OCR)). There are two recent additions to the Work Plan that I would like to share with you.

Active Work Plan Item: Impact of Expanding the Hospital Transfer Payment Policy for Early Discharges to Post-acute Care

This item (link) was added to the Work Plan in May 2021. The OIG plans to determine the impact for Medicare and hospitals if the Post-Acute Care (PAC) MS-DRG list was expanded to include all MS-DRGs. In the detail of this Work Plan item, the OIG notes that “Analysis of Medicare claims data demonstrates significant occurrences of early discharges from hospitals to PAC facilities for MS-DRGs that are not currently subject to the PAC transfer payment policy. Medicare pays a full prospective payment system (PPS) rate to hospitals for these early discharges.”

The Post-Acute Care Transfer (PACT) Policy was implemented to prevent Medicare from paying for the same care twice. This policy currently reduces reimbursement to a hospital when:

  • A hospitalization codes to an MS-DRG designated as a Transfer MS-DRG,
  • The patient’s length of stay (LOS) is at least 1 day less than the geometric mean length of stay (GMLOS) for the MS-DRG, and
  • The patient is discharged to one of the “qualified discharges” (03-Skilled Nursing Facility (SNF), 05-Children’s Hospital or Designated Cancer Center, 06-Home with Home Health within 3 days of discharge, 50-Discharges/Transferred to Hospice Home, 51-Discharged/Transferred to Hospice, General Inpatient Care or Inpatient Respite, 62-Inpatient Rehabilitation Facilities & Units, 63-Long Term Care Hospitals, and 65-Psychiatric Hospitals & Units)

Annually, CMS publishes a list of MS-DRGs subject to the PACT policy in Table 5 of the applicable Fiscal Year IPPS Final Rule. For FY 2021 there are 765 MS-DRGs and 280 (36.6%) have been designated a PACT MS-DRG.

Discharge Dispositions hospice home (50) and hospice general inpatient care/respite (51) were added to this policy in FY 2019 as required by the Bipartisan Budget Act of 2018. At that time, CMS actuaries estimated that the change would “generate an annual savings of approximately $240 million in Medicare payments in FY 2019, and up to $540 million annually by FY 2028.” With these estimates it is no wonder the OIG has added this item to their Work Plan. The OIG has an expected issue date for a report in FY 2022.

Active Work Plan Item: Audit of the Effectiveness of HHS’s Governance to Ensure Hospitals Implement Measures to Prevent, Detect, and Recover from Cyberattacks

This item (link) was also added to the Work Plan in May 2021. As an active member of MMP’s HIPAA/HITECH Privacy Committee, I felt it was important to make our readers aware of this item. If you listen to the news, this is a very timely item as hospitals are constantly under threat of the theft of electronic protected health information (ePHI) by ransomware, malware, insider threats, and even honest mistakes.

“In October 2020, the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Department of Health and Human Services (HHS) issued a joint cybersecurity advisory (link) regarding ransomware activity targeting the health care and public health sector. The advisory stated that threat actors have continued to develop new functionality and tools, thereby increasing the ease, speed, and profitability of ransomware attacks.”

OIG Audit Plan
  • “Audit HHS's governance over its programs to determine whether HHS's Office of Civil Rights (OCR) has performed periodic audits of hospitals to assess compliance with Health Insurance Portability and Accountability Act (HIPAA) Security, Privacy, and Breach Notification rules and determine whether these audits effectively assessed ePHI protections.”
  • “Determine whether CMS's certification process for participation in the Medicare program requires hospitals participating in the Medicare program to implement minimum security safeguards to prevent and detect cyberattacks, ensure continuity of patient care, and protect beneficiary data.”
  • Conduct security assessments at 10 U.S. hospitals to determine whether they have adequately implemented HIPAA security requirements or effective cybersecurity measures to prevent, detect, and recover from cyberattacks.”

The OIG has an expected issue date for a report in FY 2022.

2016-2017 OCR HIPAA Audits Industry Report

As mentioned above, the OIG plans to determine if the OCR has performed periodic audits of hospitals. On December 17, 2020, the Office for Civil Rights (OCR) released its 2016-2017 HIPAA Audits Industry Report. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires HHS to periodically audit covered entities (CEs) and business associates (BAs) for compliance with the HIPAA Rules. This Industry Report was published to share overall findings from audits conducted with 166 CEs and 41 BAs. To provide insight into what was included in the audit, following is the summary of audit findings from the December HHS Press Release (link):

  • Most covered entities met the timeliness requirements for providing breach notification to individuals,
  • Most covered entities that maintained a website about their customer services or benefits satisfied the requirement to prominently post their Notice of Privacy Practices on their website,
  • Most covered entities failed to provide all the required content for a Notice of Privacy Practices,
  • Most covered entities failed to provide all the required content for breach notification to individuals,
  • Most covered entities failed to properly implement the individual right of access requirements such as timely action within 30 days and charging a reasonable cost-based fee,
  • Most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.

The HHS Press Release ended with the following statement from OCR Director Roger Severino, “The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative…We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

Beth Cobb

June 2021 PAR Pro Tips
Published on Jun 16, 2021

As described in the Welcome to the PAR article, MMP Associates monitor websites monthly to identify new Medicare Fee-for-Service review targets and review results. Invariably, we will come across useful “Did You Know” information that we will be sharing in this monthly PAR Pro Tips article.

Pro Tip: MACs Post-Payment Reviews Expanded

In 2020, in response to the COVID-19 Public Health Emergency (PHE), CMS put a halt to the Medicare Administrative Contractor (MAC) Targeted Probe and Education (TPE) Program. In August 2020, CMS advised MACs to resume post-payment reviews with dates of service before March 2020. Most recently, CMS announced in the Thursday June 3, 2021 MLN Connects (link), that MACs can now begin conducting post-payment reviews for claims after March 2020.

Pro Tip: New April 2021 Medicare Quarterly Provider Compliance Newsletter

Also, in the June 3rd MLN Connects newsletter, CMS announced the release of the April 2021 Medicare Quarterly Provider Compliance Newsletter. Per the introduction of this newsletter, it aims to “help health care professionals to understand the latest findings identified by MACs and other contractors such as Recovery Auditors and the Comprehensive Error Rate Testing (CERT) review contractor, in addition to other governmental organizations as the Office of Inspector General (OIG).” Two RAC Issues detailed in the newsletter includes acute care hospitals claims review

Recovery Auditor (RAC Issue 0067): Inpatient Psychiatric Facility Services: Medical Necessity and Documentation Requirements

RAC Issue 0067 (link) was approved by CMS for the RACs to review on September 1, 2018 for provider types Inpatient Hospital and Inpatient Psychiatric Facility (IPF). The April newsletter includes a discussion of the problem, background information and guidance, and resources to assist providers in meeting medical necessity and documentation requirements for providing psychiatric services.

Did You Know?
  • Palmetto JJ, Palmetto JM, and WPS J5 are currently conducting post-payment reviews of MS-DRG 885 (Psychoses) claims,
  • Six of the twelve MACs have published a Local Coverage Determination (LCD) and Local Coverage Article (LCA) specific to psychiatric services, and
  • MS-DRG 885 claims have been a focus by the CERT review contractor since 2011. The annual improper payment rate reported by the CERT for this MS-DRG has been as high as 14.4% with the lowest rate being 2.9% in 2020.
Recovery Auditor (RAC Issue 0074): Drugs and Biologicals: Incorrect Units Billed (Single-Dose Vials)

RAC Issue 0067 RAC Issue 0074 (link) was approved by CMS for the RACs to review on December 21, 2017 for provider types Outpatient Hospital and Professional Services.

The RACs performed “complex reviews for single dose vials to assure compliance with Medicare policy. They reviewed claims to determine the actual amount administered and the correct number of billable/payable units.” You can find case examples in CMS’ newsletter.

Pro Tip: Q2 2021 Medicare Fee-for-Service Payments Integrity Scorecard (link) is an official website of the U.S. government. This website is “a gateway to ensuring federal funds reach the right recipients, preventing improper payments, and reducing fraud, waste, and abuse.” You will find “Program Scorecards”, “The Numbers” and “Resources” on this website.

The most recent Medicare Fee-for-Service Scorecard available is Q2 2021 (link). The Scorecard shares three HHS accomplishments in Reducing Monetary Loss:

  • HHS continued the process of adding two additional services (cervical fusion with disc removal and implanted spinal neurostimulator) to the Prior Authorization for Certain Hospital Outpatient Department Services Program effective July 1, 2021. You can read more about this in a related MMP article (link),
  • HHS continued RAC and MAC post-payment reviews based on data analysis and the CERT findings, and
  • HHS continued to use the Supplemental Medical Review Contractor (SMRC) to complete projects in relation to the Public Health Emergency, recent OIG reports, and CERT findings.
SMRC Project 01-043: DRG COVID 20% Add-On Payment

Specific to the PHE, the SMRC is conducting post-payment reviews of Medicare Part A COVID-19 inpatient claims with dates of service from April 1, 2020, through August 30, 2020. In general, in the inpatient setting, a diagnosis code documented at the time of discharge as being “possible”, “probable”, “suspected”, “likely”, “questionable”, or “still to be ruled out”, is coded as if the condition existed.

One exception to this guidance is coding for COVID-19. The ICD-10-CM Official Coding Guidelines (link) for COVID-19 advises coders to code only confirmed cases “as documented by the provider, documentation of a positive COVID-19 test, result, or a presumptive positive COVID-19 test result.”

While beyond the dates of service of the SMRC Project, it is worth noting that in August 2020, CMS revised MLN article SE20015 (link) by adding guidance “to address potential Medicare program integrity risks, effective with admissions occurring on or after September 1, 2020, claims eligible for the 20 percent increase in the MS-DRG weighting factor will also be required to have a positive COVID-19 laboratory test documented in the patient’s medical record. Positive tests must be demonstrated using only the results of viral testing (i.e., molecular or antigen), consistent with CDC guidelines. The test may be performed either during the hospital admission or prior to the hospital admission.”

One last reminder, the add-on payment for COVID-19 claims will end when the COVID-19 PHE ends. While the Biden Administration has indicated the PHE will likely be in place until December 31, 2021, the current PHE declaration will expire in July.

Beth Cobb

Welcome to the PAR
Published on Jun 16, 2021
Steps to a Successful PAR

In a game of golf, a par 3 course usually consists of only par 3 holes. In theory, golfers are able to reach the green on their first stroke and then take two putts to get the ball in the hole. No matter the course, most professional golfers will always use a tee to prevent grass from getting between the ball and the club.

In January of 2017, the OIG, in collaboration with a group of compliance professionals, released a Resource Guide (link) to measure the effectiveness of compliance programs. Items 5.27-5.36 emphasize that a Risk Assessment is key to developing an effective Compliance audit/work plan. Identifying current Medicare review targets to consider when developing your Risk Assessment can be time consuming and overwhelming.

MMP’s PAR Tee’s the Ball

Being sensitive to our client’s already over-tasked day, MMP collaborated with RealTime Medicare Data (RTMD), to develop a proprietary Protection Assessment Report (PAR). MMP’s PAR tees the ball by compiling Medicare Fee-for-Service review targets being conducted by:

  • Office of Inspector General (OIG),
  • Medicare Administrative Contractors (MACs) – all 12 Jurisdictions,
  • Recovery Auditors – all 4 Regions,
  • Supplemental Medical Review Contractor (SMRC), and
  • Comprehensive Error Rate Testing (CERT) Program.

Additional features of the PAR:

  • Inpatient reviews targets that are included in the Program for Evaluating Payment Patterns Electronic Report (PEPPER) are highlighted in the PAR,
  • The PAR details all Medicare Contractors that may be focused on one specific review target (i.e., total knee arthroplasty).
  • Monthly, MMP Associates monitor websites for the entities listed above. Specifically, monitoring is for new review targets, review results, and new or changes to current coverage policies.
  • For review targets with an applicable National Coverage Determination (NCD), Local Coverage Determination (LCD), or Local Coverage Article (LCA), the PAR also includes this information.
Successful Shot Selection

One step to improving your golf game is picking a target to use as a reference for setting up your shot. MMP’s PAR aids in your successful review target selection. This is accomplished by “dropping in” your hospital specific Medicare Fee-for-Service paid claims data (volume, charges and payments), provided by RTMD, for target areas included in the report. Sorting by volume and or payments helps you take aim on what is important for your hospital.

Third Wednesday of the Month PAR Focus

Moving forward, the third Wednesday@One of each month will include insights from our ongoing monitoring of external auditor’s websites. If you are interested in learning more about the PAR, you can contact us by completing the form below this article.

Beth Cobb

No Results Found!

Yes! Help me improve my Medicare FFS business.

Please, no soliciting.

Thank you! Someone will contact you soon.
Oops! Something went wrong while submitting the form.
Thank you for subscribing!
Oops! Something went wrong while submitting the form.