How Medicare Reporting and Returning of Overpayments Final Rule Changes the Landscape
CMS published a long awaited Final Rule for self-reporting and returning Medicare overpayments for Part A, Part B and durable medical equipment on 2/12/2016, almost four years to the date after publishing their Proposed Rule on 2/16/2012. Perhaps the most troubling part of the rule, however, hastens back to provisions in the Affordable Care Act, enacted in 2010, enabling increased enforcement of revenue integrity programs.
The Basis of this is not really “NEW”
The Affordable Care Act (ACA) requires that any overpayments be reported and returned by the later of (a) the date which is 60 days after the date on which the overpayment was identified, or (b) the date any corresponding cost report is due, if applicable. Since there are significant cases are now pending concerning when a payment has been “identified,” it is hoped that this new final rule will give some clarity to help avoid False Claims Act (FCA) liability for any alleged failure to identify and return an overpayment in a timely manner. Note the phrase, “it is hoped.” There are, nevertheless, many remaining concerns.
The proposed rule paraphrased the language of the FCA intent standard, stating that an overpayment was identified when a provider or supplier had actual knowledge of the overpayment or acted in reckless disregard or deliberate ignorance of the overpayment. In the final rule, however, CMS states that a person has identified an overpayment when the person has, or should have through the exercise of reasonable diligence, determined that the an overpayment had been received, and also quantified the amount of the overpayment. (See 42 CFR § 401.305(a)(2))
CMS believes the new standard provides bright line clarity to the provider community. I submit that believing something doesn’t necessarily make it so, or valid, or even believable to others, despite various oft repeated claims to the contrary (“Believe me…”)by certain Presidential Party Candidates.
How does CMS define “Identified”?
CMS states that they believed that Congress had originally meant for providers to do more self-audits, so the terms are more specifically defined in the final rule:
“…Congress’ use of the term ‘‘knowing’’ in the Affordable Care Act was intended to apply to determining when a provider or supplier has identified an overpayment. We also stated that defining ‘‘identification’’ in this way gives providers and suppliers an incentive to exercise reasonable diligence to determine whether an overpayment exists. Without such a definition, some providers and suppliers might avoid performing activities to determine whether an overpayment exists, such as self-audits, compliance checks, and other research.”
(from 42 CFR Parts 401 and 405 [CMS–6037–F], p.7659, col. 1)
Whence, the definition of “identification” of overpayments now includes the concept that a provider should have known, whether they did or not. (I’m actually surprised CMS did not suggest that the mere filing of a UB-04 or a Form-1500 is credible evidence of a potential overpayment, so if you filed it and its wrong, you should have known that when you filed it. But the night is young…)
How does CMS define “Overpayment”?
A primary definition for the rule is what exactly constitutes an “overpayment”. CMS lists the following examples as overpayments, which are fairly obvious:
- Medicare payments for non-covered services
- Medicare payments in excess of the allowable amount for identified service(s)
- Errors and non-reimbursable expenses in cost reports
- Duplicate amounts paid
- Receipt of Medicare payments when another payor had the primary responsibility for payments
- Estimated Medicare payments reconciliation showing overpayment(s)
- Refunds from the return of a product where credit will be issued
- Changes in dates of service for rental services causing an account adjustment to be required
- Errors in payment by a Medicare contractor leading to an excess payment
One should note that overpayments need not be caused by the provider or supplier and that the definition is is therefore very broad. In the eyes of CMS, any overpayment, regardless of cause, must be returned and reported; and all providers are responsible for their employees and agents, including third party billers. CMS also clarified that overpayments include any excess payments from so-called up-coding, regardless of whether the “up-coding” was intentional or not.
The next concern involves what a provider is doing to identify and prevent overpayments in general, or whether a provider is preforming “reasonable diligence” to do so.
How does CMS define“Reasonable Diligence”?
CMS has enacted a two-pronged definition of “reasonable diligence.” The definition includes performance of both proactive compliance activities, and reactive investigations – those performed after a provider receives “credible information” about a “potential” overpayment.
The message from CMS is clear: providers who do not employ proactive monitoring may be liable under the new rule, and perhaps even under the False Claims Act. CMS tried to clarify the exact language after comments about the original terms used in the proposed rule:
“We appreciate the comments and have revised the regulatory provision in the final rule by removing the terms ‘‘actual knowledge’’, ‘‘reckless disregard’’, and ‘‘deliberate ignorance’’. The final rule states that a person has identified an overpayment when the person has, or should have through the exercise of reasonable diligence, determined that the person has received an overpayment and quantified the amount of the overpayment. A person should have determined that the person received an overpayment if the person fails to exercise reasonable diligence and the person in fact received an overpayment.”
(from 42 CFR Parts 401 and 405 [CMS–6037–F], p.7661, col. 1)
To providers who do not currently engage in “active” compliance efforts, CMS stated that “[w]e believe that undertaking no or minimal compliance activities to monitor accuracy and appropriateness of a provider or supplier’s Medicare claims would expose providers or suppliers to liability under the identified standard articulated in this rule based on the failure to exercise reasonable diligence.”
CMS also stresses that performance of inquiries in said compliance efforts must be conducted by “qualified individuals.” That term, qualified individuals, is used throughout the preamble of the final rule, but the term itself is never defined. While RACs are required to conduct some of their reviews with “certified coders” one wonders if “certified auditors” might soon become more recognized as “qualified individuals”? Could CMS argue with such qualifications as part of your compliance program? Doubtful.
What are the time frames for all this?
There are also now two time frames involved, in such reasonable diligence: one involving the identification of an overpayment – 6 months; and one involving the reporting and returning of an overpayment – 60 days.
CMS indicates that a timely investigation may take up to 6 months, explaining that they wanted to provide a definite rather than indefinite time frame:
“We choose 6 months as the benchmark for timely investigation because we believe that providers and suppliers should prioritize these investigations and also to recognize that completing these investigations may require the devotion of resources and time. Receiving overpayments from Medicare is sufficiently important that providers and suppliers should devote appropriate attention to resolving these matters.”
(from 42 CFR Parts 401 and 405 [CMS–6037–F], p.7662, col. 2)
They also acknowledged that the time frame could be longer, under extraordinary circumstances:
“What constitutes extraordinary circumstances is a fact- specific question. Extraordinary circumstances may include unusually complex investigations that the provider or supplier reasonably anticipates will require more than six months to investigate, such as physician self- referral law violations that are referred to the CMS Voluntary Self-Referral Disclosure Protocol (SRDP). Specific examples of other types of extraordinary circumstances include natural disasters or a state of emergency.”
(from 42 CFR Parts 401 and 405 [CMS–6037–F], p.7662, col. 3)
As to the 60-day time frame, CMS notes that once a provider obtains “credible” evidence of a potential overpayment, the provider needs to undertake reasonable diligence to see if indeed there is an overpayment and quantify the amount.
“When a person obtains credible information concerning a potential overpayment, the person needs to undertake reasonable diligence to determine whether an overpayment has been received and to quantify the amount. The 60-day time period begins when either the reasonable diligence is completed or on the day the person received credible information of a potential overpayment if the person failed to conduct reasonable diligence and the person in fact received an overpayment.”
(from 42 CFR Parts 401 and 405 [CMS–6037–F], p.7661, col. 3)
How does CMS define “Quantify the amount”?
According to CMS, the overpayment amount can be quantified by the “common” use of probe sample audits and extrapolation. Specifically, such inquiry should be complete before returning a single overpaid claim:
“After finding a single overpaid claim, we believe it is appropriate to inquire further to determine whether there are more overpayments on the same issue before reporting and returning the single overpaid claim. …
“We understand that a common way to conduct an audit is to use a probe sample and then incorporate that probe sample into a larger full sample as the basis for determining an extrapolated overpayment amount. In the probe sample, it is not appropriate for a provider or supplier to only return a subset of claims identified as overpayments and not extrapolate the full amount of the overpayment. We believe that in most cases, the extrapolation can be done in a timely manner consistent with the identification requirements of this rule and that the provider or supplier should not report and return overpayments on specific claims from the probe sample until the full overpayment is identified.”
(42 CFR Parts 401 and 405 [CMS–6037–F], p.7661, col. 3, f.)
Notice that the rule does not exactly or specifically require the use of extrapolation, but it certainly leaves the impression, in no uncertain terms, that extrapolation would, in the eyes of CMS, be wholly appropriate.
The question arises, then, how far back should a provider look to “identify” similar overpayments? The proposed rule suggested 10 years. The final rule dropped that back to a mere six years from the date the overpayment was received.
“We revised the lookback period from 10 years to 6 years to specify that overpayments must be reported and returned only if a person identifies the overpayment within 6 years of the date the overpayment was received. We carefully considered all of the comments on the lookback period and concluded that a 6-year time period is the most appropriate time period.”
(42 CFR Parts 401 and 405 [CMS–6037–F], p.7680, col. 2)
No real explanation is offered, just that they thought about it. Perhaps there was, and perhaps there was not, a dart board involved. Who knows.
How much of a burden does all this impose on a provider?
The Paperwork Reduction Act stipulates that every federal agency must obtain approval from the Office of Management and Budget (OMB) before collecting the same or similar information from 10 or more members of the public. See this page for more details, if you like, but be sure to have some caffeine handy.
I only bring this up because it is interesting to note that CMS estimates that only 8.5% of providers will report overpayments under this rule, for only 3 to 5 overpayments each, and only spend 2.5 hours to complete the form and return an overpayment. (This is where you ask them how many suns are in the sky where they live.)
“For purposes of § 401.305 only, we estimated that approximately 125,000 providers and suppliers (or roughly 8.5 percent of the total number of Medicare providers and suppliers) would report and return overpayments in a typical year under our provisions. We estimated this based on the improper payment rate for the Medicare Fee-for-Service program, which was approximately 12 percent in FY 2014 and FY 2015,4and we expect that some number of improper payments will be identified by sources other than providers and suppliers themselves. We projected that each of these providers and suppliers would, on average, separately report and return approximately 3 to 5 overpayments. In addition, we estimated that it would take a provider or supplier approximately 2.5 hours to complete the applicable reporting form and return an overpayment.”
(42 CFR Parts 401 and 405 [CMS–6037–F], p.7680, col. 3)
Some comments also complained that CMS had not considered the necessity of employing more costly individuals, such as legal counsel and compliance consultants, to perform “reasonable diligence.” CMS disagreed:
“We believe only the rarest of circumstances (such as potential fraud or certain investigations of potential violations of the physician self-referral law) would necessitate more costly personnel, such as legal counsel, to comply with this final rule. In the overwhelming majority of cases, we expect overpayment identification and return to be sufficiently handled by accountants, auditors, and in-house administrative personnel.”
Right. After all, why involve legal counsel when you’re in line for an FCA violation?
Ultimately, however, CMS increased their “per report” hourly burden (for a total of 625,000 overpayments) to be a grand total of 6 hours, and the average hourly wage for the accountants and auditors, with overhead and burden, to be $53.72. Therefore, you will be happy to know that your estimated cost of identifying, investigating, calculating and returning overpayments each year is only $1,611.60 (5 overpayments X 6 hours X $53.72/hour). Or less, if you only identify, investigate, calculate and return 3 overpayments. In a year. According to CMS. (See 42 CFR Parts 401 and 405 [CMS–6037–F], p.7681, col. 3, and Table 1)
Now, it would appear that CMS is using calculators with low batteries or has forgotten that in FY2014, according to their own figures and report to Congress, the RACs alone filed 730,126 denials as overpayment determinations. And none of those denials involved investigations that looked back 6 years for other similar overpayments.
Perhaps the good news there is that “reasonable diligence” is estimated by CMS to involve only 6 man-hours, to perform an investigation, calculation and report – and neither includes, nor needs to include legal or compliance professionals.
Conclusion: It’s the documentation, stupid.
While the new rule provides some clarity, we are still left with some operational issues along a thorny path, if not a fog over quicksand.
Regardless, two things are pretty clear: first, hospitals had better review their compliance plans and make sure they can show that the plan is effective – by being able to show that they can identify, investigate and calculate overpayments over a 6 year period; and second, a hospital should examine their monitoring efforts and record keeping, to insure that their Denial Management group is not the only one paying attention.
The days of just accepting and paying off a denial are GONE. Even if you just plan on investing those 6 hours in an overpayment report, you simply cannot do it all – identify, investigate, calculate and report – inside a single department!
We’ve talked about it many times, and we’ll probably have to keep talking about it. All those “silos” have to be broken down. Perhaps this kind of regulation will actually help, in some way – forcing more departments to work together more than ever before.
The importance of documentation has now spilled over the damn and has flooded even the administrative plains of the compliance program. It is now more important than ever to be able to document efforts in identifying and quantifying overpayments and the “reasonable diligence” of those efforts.
HHS OIG: Voluntary Compliance Program Guidance Documents (1998 thru 2008)
HHS OIG: Hospital Compliance Programs (July 2013)
OIG Supplemental ComplianceProgram Guidance for Hospitals (January 2005)
OIG Podcast: Statistical Sampling in OIG Reviews (January 2015)
Relevant Blog posts:
Elements Of An Effective Compliance Program – Written Policies And Procedures – Blog post (February 2014)
Use A Benchmarking Survey To Assess Your Healthcare Compliance Program – Blog post (October 2015)