The Top 10 Areas for Medicaid Compliance Focus

Medicaid enforcement is a hot topic in Health and Human Services and the U.S. Department of Justice as they jointly issued Health Care Fraud and Abuse Control ("HCFAC") program annual report.
 
According to the HCFAC report, HHS-OIG investigations resulted in 849 criminal actions against individuals or entities that engaged in crimes related to Medicare and Medicaid. HHS-OIG also excluded 3,214 entities, 1,132 of which were due to convictions for crimes related to Medicare and Medicaid. This robust enforcement is despite the fact that the DOJ and HHS had $30.6 million sequestered from the HCFAC program in FY 2013. In FY 2013, the federal government won or negotiated approximately $4.33 billion in judgments and settlements, resulting in $576 million in federal medicaid money being transferred to the treasury.

 The Top 10 Areas for Medicaid Compliance Focus

The Affordable Care Act provided several additional tools to assist the government which have changed the landscape for enforcement and increased the risks providers and suppliers face. These new federal laws overlay state laws and rules which vary, sometimes widely, by state.

 It can sometimes seem difficult to design an effective Medicaid compliance program given the many potential sources for compliance requirements and many recent changes. Below we suggest 10 areas which can be a start in addressing efforts at Medicaid compliance.

 DRA Compliance

Effective since Jan. 1, 2013, any entity which receives at least $5 million annually from a Medicaid state plan must establish written policies for all employees that provide detailed information about the False Claims Act and state laws pertaining to civil penalties for false claims and statements, whistleblower protection laws and the role of these laws in preventing and detecting fraud, waste and abuse in federal health care programs.
Some states require that providers and suppliers complete and submit “Certification of Compliance with the Federal Deficit Reduction Act of 2005” forms that must be filed with the state to ensure compliance with the Deficit Reduction Act ("DRA").

In addition to assuring that necessary policies are in place, providers and suppliers should also be prepared to deal with a labor force that is more sophisticated about its opportunities for whistleblowing.

Provider Enrollment

For providers and suppliers, the enrollment process must be viewed as a high-priority, and compilation of supporting documents and the completion of lengthy enrollment forms, while more than somewhat tedious, must be assigned to competent personnel under high-level supervision. These enrollments are currently done separately by each state despite some earlier commentary from CMS about hopes to consolidate Medicare and Medicaid enrollment activities.

ACA Section 6401 required Medicaid state plans to enhance the scrutiny required for prospective provider and supplier program enrollments.

 •States must perform screenings of potential providers and suppliers. In certain circumstances, states must require criminal background checks and fingerprint scans.

•States are required to revalidate enrollments at least every five years.

•States must conduct site visits (pre- and post-enrollment) for providers who are in the designated categories of high or moderate risk, and must require providers to agree that CMS, the state and other entities may conduct unannounced site visits at any time at any and all provider locations.

•States must deny or terminate the enrollment of any provider that is terminated on or after Jan. 1, 2011, under Title XVIII of Medicare, under the Medicaid program or Children's Health Insurance Program ("CHIP") of any other state. This means that a sanction by another Medicaid program, such as an enrollment revocation or termination for cause, can have a reciprocal effect across all other Medicaid enrollments.

Moratoria on New Enrollments

Companies seeking to expand to new locations or lines of business should check at an early stage for any federal or state moratoria that may preclude or delay such a strategy. Under provisions added by the ACA, a state may impose temporary moratoria to preclude the enrollment of new providers or impose numerical caps or other limits on such enrollments.
For example, in October 2013, California’s Medi-Cal program imposed a temporary moratorium on the enrollment of clinical laboratories or the change or expansion of provider-of-service categories for an already existing laboratory, subject to certain exemptions.

 Application of Stark Law to Medicaid

The federal Stark Law prohibits Medicare payments for claims reflecting physician self-referrals for certain designated health services, a relatively simple concept which has been made exceedingly complex by federal regulations. Federal law further provides that federal Medicaid payments, called federal financial participation ("FFP"), should not be paid to a state for services which would be in violation of the Stark Law if payment were sought under Medicare.
Some recent court cases have reflected allegations that a provider can violate the federal False Claims Act by submitting Medicaid claims that would violate the Stark Law if submitted under Medicare and then falsely certify Medicaid compliance with the knowledge that the certification was false.

 While these theories continue to be challenged, providers should consider this as a potential business risk when structuring arrangements involving physicians. State law with similar provisions may also be applicable, some of which may also apply for commercial payers in addition to Medicaid.

Payment Suspensions Based Upon Credible Allegations of Fraud

For any entity under investigation, the possibility of an immediate cash flow crisis resulting from a payment suspension must be considered. Note that some Medicaid programs require a self-report to the Medicaid agency if a provider discovers it is under investigation.
Section 6402(h) of the ACA, amended by 42 U.S.C. Section 1396b(i)(2), provides payments to a provider or supplier that will be suspended pending investigation of credible allegations of fraud, and that there will be no FFP payments in such circumstances if payments are not suspended, unless the state determines there is good cause not to suspend the payments.

CMS has issued regulations applicable to Medicaid suspensions at 42 C.F.R. 455.23. "Credible allegation of fraud" is not defined in the statute, but is defined in 42 C.F.R. 455.2 to include allegations from such sources as fraud hotline complaints, data-mining claims and patterns identified through provider audits, civil false claims cases and law enforcement investigations. Although payment suspensions are temporary, no maximum period of Medicaid payment suspension is set by these federal regulations, in contrast to similar provisions applicable to Medicare payment suspensions.

In its recent FY 2013 MFCU Report, OIG-HHS noted that the Medicaid payment suspension rules put in place by the ACA have not been fully implemented by the states. State agencies have expressed difficulty with determining what constitutes a credible allegation of fraud, with the ability to make determinations in a timely manner and with what should be the standard for a “good cause” exception.

HHS-OIG indicates that it has undertaken additional reviews regarding these payment suspensions. Providers and suppliers should expect states to become more aggressive in their imposition of suspensions based on credible allegations of fraud in the near future once the noted challenges are addressed.

State Specific Provisions

Because each state’s Medicaid program is operated by the state — subject to certain parameters imposed by CMS — each state will have its own set of fraud, waste and abuse provisions which its providers and suppliers must comply with. These requirements are commonly found in statutes, regulations and provider manuals issued by the state, and often require a working understanding of state-specific peculiarities to navigate through their maze-like structure.

In some states, there may be other sources that also set forth requirements for participation. For example, in California, the Medi-Cal Provider Agreement, a document signed by the provider as a condition for participation, or continued participation, in Medi-Cal (i.e., California’s Medicaid program), sets forth the provider’s agreement to 41 different provisions.

These include acknowledgment that the provider is subject to several different types of payment suspensions; the provider’s express agreement to make available its records for inspection by the state agency, attorney general and the Secretary of HHS; and the acceptance of various time limits for submission of updates to its enrollment information.

The compliance challenge for providers and suppliers is to identify where to find the state requirements and how to keep up with them when they change.

 Excluded Provider Checks

In addition to the federal exclusion lists, exclusion or termination lists often exist at the state level. For example, in New York, if the Office of Medicaid Inspector General ("OMIG") finds good reason that a provider should no longer be eligible to participate, the provider is placed on a list of excluded providers. In California, Medi-Cal maintains a list of providers who are “ineligible and suspended.”
Those on a state list will not turn up on the federal list unless HHS-OIG has taken action to exclude them. Similarly, those who are terminated from Medicare participation by CMS will not show up on the HHS-OIG exclusion list.

Some states require that their lists be checked on a monthly basis. CMS and HHS-OIG have both recommended monthly checks of the HHS-OIG exclusion lists, but have not made that mandatory.

Medicaid RACs

Section 6411 of the ACA extended Medicare’s highly successful Recovery Audit Contractor ("RAC") program to the Medi-Cal program.

CMS required state agencies to enter into contracts with RACs to identify overpayments and underpayments. The RACs are paid on a contingent fee basis, just as Medicare RACs — now called “recovery auditors” — are paid.

In December 2011, CMS issued FAQs which further explained its expectations for state implementation, including that states were not required to include managed care claims in the RAC audits as of that time (only fee-for-service), but might revisit that limitation in the future.

 Providers should determine the identified areas for RAC review and review state-specific coverage and payment rules applicable to such items and services to assure their claims will be best-positioned so auditors will allow them.

60-Day Refund Rule

Effective with the ACA’s passage in 2010, Medicare and Medicaid providers, suppliers and plans are required to report and refund known overpayments no later then 60 days from the date the overpayment is identified or the date a corresponding cost report is due, if any. Failure to refund identified overpayments is grounds for imposition of federal civil monetary penalties and False Claims Act liability.

The FCA includes provisions which allow whistleblowers to share generously in the government’s recovery against a provider and, as discussed above, providers must maintain policies designed to educate their employees about the FCA to be compliant with the DRA.

Some states, such as New York, have provided comprehensive guidance as to how providers and suppliers should interpret these provisions and make necessary refunds.

Even in the absence of specific guidance from a state, however, the refund statute is in effect and providers and suppliers should establish policies for promptly identifying, disclosing and refunding any excess Medicaid payments.

Mandatory Compliance Plans

Prior to the ACA, adoption of compliance programs were largely voluntary even though the HHS-OIG strongly recommended the adoption of its compliance plan guidelines for several provider types.

The ACA transformed compliance plans into a requirement for “provider[s] of medical or other items or services or supplier within a particular industry sector or category” as a condition of enrollment in Medicare, Medicaid or CHIP.

HHS, in consultation with the OIG, was tasked with establishing core elements for the compliance plans for different industry sectors. These core elements include: (1) written policies and procedures, (2) compliance officer, compliance committee and high-level oversight, (3) effective training and education, (4) effective lines of communication, (5) well-publicized disciplinary standards, (6) effective system for routine monitoring and auditing and (7) prompt response to compliance issues.

While federal regulations have not yet been issued which provide further instructions, providers and suppliers should be prepared for these to be issued. State requirements should also be checked for compliance requirements. For example, in New York, the OMIG has already provided a “Compliance Program Review Assessment Form” and also has a form which permits a New York Medicaid provider to certify that its compliance program satisfactorily meets the requirements of pertinent state law.

Conclusion
As illustrated by the HHS-OIG and HCFAC reports, Medicaid enforcement is on the rise. The ACA introduced several new areas that create a need for providers to focus on Medicaid compliance efforts. Medicaid compliance will necessitate an understanding of both federal and state requirements.