Knowledge Base Category -

 Protection Assessment
MMP Logo no Words or Tag
June 2021 PAR Focus: OIG Workplan
Published on Jun 16, 2021
20210616

Prior to 2017, the Office of Inspector General’s (OIG) Work Plan was published on an annual and sometimes semi-annual basis. The OIG began updating the Work Plan on a monthly basis effective June 15, 2017. The change was made as the OIG acknowledged that the “work planning process is dynamic, and adjustments are made throughout the year to meet priorities and to anticipate and respond to emerging issues with the resources available.” The Work Plan includes items for several agencies (i.e., Centers for Medicare & Medicaid Services (CMS), Administration for Children and Families, Office of Civil Rights (OCR)). There are two recent additions to the Work Plan that I would like to share with you.

Active Work Plan Item: Impact of Expanding the Hospital Transfer Payment Policy for Early Discharges to Post-acute Care

This item (link) was added to the Work Plan in May 2021. The OIG plans to determine the impact for Medicare and hospitals if the Post-Acute Care (PAC) MS-DRG list was expanded to include all MS-DRGs. In the detail of this Work Plan item, the OIG notes that “Analysis of Medicare claims data demonstrates significant occurrences of early discharges from hospitals to PAC facilities for MS-DRGs that are not currently subject to the PAC transfer payment policy. Medicare pays a full prospective payment system (PPS) rate to hospitals for these early discharges.”

The Post-Acute Care Transfer (PACT) Policy was implemented to prevent Medicare from paying for the same care twice. This policy currently reduces reimbursement to a hospital when:

  • A hospitalization codes to an MS-DRG designated as a Transfer MS-DRG,
  • The patient’s length of stay (LOS) is at least 1 day less than the geometric mean length of stay (GMLOS) for the MS-DRG, and
  • The patient is discharged to one of the “qualified discharges” (03-Skilled Nursing Facility (SNF), 05-Children’s Hospital or Designated Cancer Center, 06-Home with Home Health within 3 days of discharge, 50-Discharges/Transferred to Hospice Home, 51-Discharged/Transferred to Hospice, General Inpatient Care or Inpatient Respite, 62-Inpatient Rehabilitation Facilities & Units, 63-Long Term Care Hospitals, and 65-Psychiatric Hospitals & Units)

Annually, CMS publishes a list of MS-DRGs subject to the PACT policy in Table 5 of the applicable Fiscal Year IPPS Final Rule. For FY 2021 there are 765 MS-DRGs and 280 (36.6%) have been designated a PACT MS-DRG.

Discharge Dispositions hospice home (50) and hospice general inpatient care/respite (51) were added to this policy in FY 2019 as required by the Bipartisan Budget Act of 2018. At that time, CMS actuaries estimated that the change would “generate an annual savings of approximately $240 million in Medicare payments in FY 2019, and up to $540 million annually by FY 2028.” With these estimates it is no wonder the OIG has added this item to their Work Plan. The OIG has an expected issue date for a report in FY 2022.

Active Work Plan Item: Audit of the Effectiveness of HHS’s Governance to Ensure Hospitals Implement Measures to Prevent, Detect, and Recover from Cyberattacks

This item (link) was also added to the Work Plan in May 2021. As an active member of MMP’s HIPAA/HITECH Privacy Committee, I felt it was important to make our readers aware of this item. If you listen to the news, this is a very timely item as hospitals are constantly under threat of the theft of electronic protected health information (ePHI) by ransomware, malware, insider threats, and even honest mistakes.

“In October 2020, the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Department of Health and Human Services (HHS) issued a joint cybersecurity advisory (link) regarding ransomware activity targeting the health care and public health sector. The advisory stated that threat actors have continued to develop new functionality and tools, thereby increasing the ease, speed, and profitability of ransomware attacks.”

OIG Audit Plan
  • “Audit HHS's governance over its programs to determine whether HHS's Office of Civil Rights (OCR) has performed periodic audits of hospitals to assess compliance with Health Insurance Portability and Accountability Act (HIPAA) Security, Privacy, and Breach Notification rules and determine whether these audits effectively assessed ePHI protections.”
  • “Determine whether CMS's certification process for participation in the Medicare program requires hospitals participating in the Medicare program to implement minimum security safeguards to prevent and detect cyberattacks, ensure continuity of patient care, and protect beneficiary data.”
  • Conduct security assessments at 10 U.S. hospitals to determine whether they have adequately implemented HIPAA security requirements or effective cybersecurity measures to prevent, detect, and recover from cyberattacks.”

The OIG has an expected issue date for a report in FY 2022.

2016-2017 OCR HIPAA Audits Industry Report

As mentioned above, the OIG plans to determine if the OCR has performed periodic audits of hospitals. On December 17, 2020, the Office for Civil Rights (OCR) released its 2016-2017 HIPAA Audits Industry Report. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires HHS to periodically audit covered entities (CEs) and business associates (BAs) for compliance with the HIPAA Rules. This Industry Report was published to share overall findings from audits conducted with 166 CEs and 41 BAs. To provide insight into what was included in the audit, following is the summary of audit findings from the December HHS Press Release (link):

  • Most covered entities met the timeliness requirements for providing breach notification to individuals,
  • Most covered entities that maintained a website about their customer services or benefits satisfied the requirement to prominently post their Notice of Privacy Practices on their website,
  • Most covered entities failed to provide all the required content for a Notice of Privacy Practices,
  • Most covered entities failed to provide all the required content for breach notification to individuals,
  • Most covered entities failed to properly implement the individual right of access requirements such as timely action within 30 days and charging a reasonable cost-based fee,
  • Most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.

The HHS Press Release ended with the following statement from OCR Director Roger Severino, “The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative…We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

Beth Cobb

June 2021 PAR Pro Tips
Published on Jun 16, 2021
20210616

As described in the Welcome to the PAR article, MMP Associates monitor websites monthly to identify new Medicare Fee-for-Service review targets and review results. Invariably, we will come across useful “Did You Know” information that we will be sharing in this monthly PAR Pro Tips article.

Pro Tip: MACs Post-Payment Reviews Expanded

In 2020, in response to the COVID-19 Public Health Emergency (PHE), CMS put a halt to the Medicare Administrative Contractor (MAC) Targeted Probe and Education (TPE) Program. In August 2020, CMS advised MACs to resume post-payment reviews with dates of service before March 2020. Most recently, CMS announced in the Thursday June 3, 2021 MLN Connects (link), that MACs can now begin conducting post-payment reviews for claims after March 2020.

Pro Tip: New April 2021 Medicare Quarterly Provider Compliance Newsletter

Also, in the June 3rd MLN Connects newsletter, CMS announced the release of the April 2021 Medicare Quarterly Provider Compliance Newsletter. Per the introduction of this newsletter, it aims to “help health care professionals to understand the latest findings identified by MACs and other contractors such as Recovery Auditors and the Comprehensive Error Rate Testing (CERT) review contractor, in addition to other governmental organizations as the Office of Inspector General (OIG).” Two RAC Issues detailed in the newsletter includes acute care hospitals claims review

Recovery Auditor (RAC Issue 0067): Inpatient Psychiatric Facility Services: Medical Necessity and Documentation Requirements

RAC Issue 0067 (link) was approved by CMS for the RACs to review on September 1, 2018 for provider types Inpatient Hospital and Inpatient Psychiatric Facility (IPF). The April newsletter includes a discussion of the problem, background information and guidance, and resources to assist providers in meeting medical necessity and documentation requirements for providing psychiatric services.

Did You Know?
  • Palmetto JJ, Palmetto JM, and WPS J5 are currently conducting post-payment reviews of MS-DRG 885 (Psychoses) claims,
  • Six of the twelve MACs have published a Local Coverage Determination (LCD) and Local Coverage Article (LCA) specific to psychiatric services, and
  • MS-DRG 885 claims have been a focus by the CERT review contractor since 2011. The annual improper payment rate reported by the CERT for this MS-DRG has been as high as 14.4% with the lowest rate being 2.9% in 2020.
Recovery Auditor (RAC Issue 0074): Drugs and Biologicals: Incorrect Units Billed (Single-Dose Vials)

RAC Issue 0067 RAC Issue 0074 (link) was approved by CMS for the RACs to review on December 21, 2017 for provider types Outpatient Hospital and Professional Services.

The RACs performed “complex reviews for single dose vials to assure compliance with Medicare policy. They reviewed claims to determine the actual amount administered and the correct number of billable/payable units.” You can find case examples in CMS’ newsletter.

Pro Tip: Q2 2021 Medicare Fee-for-Service Payments Integrity Scorecard

PaymentAccuracy.gov (link) is an official website of the U.S. government. This website is “a gateway to ensuring federal funds reach the right recipients, preventing improper payments, and reducing fraud, waste, and abuse.” You will find “Program Scorecards”, “The Numbers” and “Resources” on this website.

The most recent Medicare Fee-for-Service Scorecard available is Q2 2021 (link). The Scorecard shares three HHS accomplishments in Reducing Monetary Loss:

  • HHS continued the process of adding two additional services (cervical fusion with disc removal and implanted spinal neurostimulator) to the Prior Authorization for Certain Hospital Outpatient Department Services Program effective July 1, 2021. You can read more about this in a related MMP article (link),
  • HHS continued RAC and MAC post-payment reviews based on data analysis and the CERT findings, and
  • HHS continued to use the Supplemental Medical Review Contractor (SMRC) to complete projects in relation to the Public Health Emergency, recent OIG reports, and CERT findings.
SMRC Project 01-043: DRG COVID 20% Add-On Payment

Specific to the PHE, the SMRC is conducting post-payment reviews of Medicare Part A COVID-19 inpatient claims with dates of service from April 1, 2020, through August 30, 2020. In general, in the inpatient setting, a diagnosis code documented at the time of discharge as being “possible”, “probable”, “suspected”, “likely”, “questionable”, or “still to be ruled out”, is coded as if the condition existed.

One exception to this guidance is coding for COVID-19. The ICD-10-CM Official Coding Guidelines (link) for COVID-19 advises coders to code only confirmed cases “as documented by the provider, documentation of a positive COVID-19 test, result, or a presumptive positive COVID-19 test result.”

While beyond the dates of service of the SMRC Project, it is worth noting that in August 2020, CMS revised MLN article SE20015 (link) by adding guidance “to address potential Medicare program integrity risks, effective with admissions occurring on or after September 1, 2020, claims eligible for the 20 percent increase in the MS-DRG weighting factor will also be required to have a positive COVID-19 laboratory test documented in the patient’s medical record. Positive tests must be demonstrated using only the results of viral testing (i.e., molecular or antigen), consistent with CDC guidelines. The test may be performed either during the hospital admission or prior to the hospital admission.”

One last reminder, the add-on payment for COVID-19 claims will end when the COVID-19 PHE ends. While the Biden Administration has indicated the PHE will likely be in place until December 31, 2021, the current PHE declaration will expire in July.

Beth Cobb

Welcome to the PAR
Published on Jun 16, 2021
20210616
Steps to a Successful PAR

In a game of golf, a par 3 course usually consists of only par 3 holes. In theory, golfers are able to reach the green on their first stroke and then take two putts to get the ball in the hole. No matter the course, most professional golfers will always use a tee to prevent grass from getting between the ball and the club.

In January of 2017, the OIG, in collaboration with a group of compliance professionals, released a Resource Guide (link) to measure the effectiveness of compliance programs. Items 5.27-5.36 emphasize that a Risk Assessment is key to developing an effective Compliance audit/work plan. Identifying current Medicare review targets to consider when developing your Risk Assessment can be time consuming and overwhelming.

MMP’s PAR Tee’s the Ball

Being sensitive to our client’s already over-tasked day, MMP collaborated with RealTime Medicare Data (RTMD), to develop a proprietary Protection Assessment Report (PAR). MMP’s PAR tees the ball by compiling Medicare Fee-for-Service review targets being conducted by:

  • Office of Inspector General (OIG),
  • Medicare Administrative Contractors (MACs) – all 12 Jurisdictions,
  • Recovery Auditors – all 4 Regions,
  • Supplemental Medical Review Contractor (SMRC), and
  • Comprehensive Error Rate Testing (CERT) Program.

Additional features of the PAR:

  • Inpatient reviews targets that are included in the Program for Evaluating Payment Patterns Electronic Report (PEPPER) are highlighted in the PAR,
  • The PAR details all Medicare Contractors that may be focused on one specific review target (i.e., total knee arthroplasty).
  • Monthly, MMP Associates monitor websites for the entities listed above. Specifically, monitoring is for new review targets, review results, and new or changes to current coverage policies.
  • For review targets with an applicable National Coverage Determination (NCD), Local Coverage Determination (LCD), or Local Coverage Article (LCA), the PAR also includes this information.
Successful Shot Selection

One step to improving your golf game is picking a target to use as a reference for setting up your shot. MMP’s PAR aids in your successful review target selection. This is accomplished by “dropping in” your hospital specific Medicare Fee-for-Service paid claims data (volume, charges and payments), provided by RTMD, for target areas included in the report. Sorting by volume and or payments helps you take aim on what is important for your hospital.

Third Wednesday of the Month PAR Focus

Moving forward, the third Wednesday@One of each month will include insights from our ongoing monitoring of external auditor’s websites. If you are interested in learning more about the PAR, you can contact us by completing the form below this article.

Beth Cobb

No Results Found!

Yes! Help me improve my Medicare FFS business.

Thank you! Someone will contact you soon.
Oops! Something went wrong while submitting the form.
Thank you for subscribing!
Oops! Something went wrong while submitting the form.