Medical Review Audits Suspended

Reliant has worked closely with the National Association for the Support of Long Term Care (NASL) to raise awareness of the activity associated with Medicare’s medical review process during this pandemic, including pre-pay targeted probe and educate (TPE) activity and post-pay recovery audit contractor (RAC) reviews. At this time, Novitas, First Coast and CGS have suspended TPE activity until further notice. Our contacts indicate current pre-pay TPEs will be released and paid in the coming weeks.

According to an FAQ released on 3/30/2020, CMS indicates suspension of most Medicare Fee-For-Service (FFS) medical reviews during the emergency period due to the COVID-19 pandemic. The FAQ states that both pre-payment medical reviews such as the reviews for TPE and post-payment reviews conducted by the MACs, Supplemental Medical Review Contractors (SMRCs) and Recovery Audit Contractors (RACs) are suspended for the duration of the Public Health Emergency (PHE).

The FAQ also notes that “no additional documentation requests will be issued for the duration of the PHE for the COVID-19 pandemic.” Current post-payment review by the MACs, SMRCs, and RACs will be suspended and released from review as well. CMS is suspending these medical review activities for the duration of the PHE, but could conduct medical reviews “during or after the PHE if there is an indication of potential fraud.”

Medicare Advantage Plans Prior Authorization Suspended

In response to the COVID-19 pandemic, Medicare Advantage plans are issuing temporary suspensions in prior authorization requirements for post-acute settings and revising policies to improve patient access to care.

UnitedHealthcare (UHC) is suspending prior authorization requirements for post-acute settings through May 31, 2020, with the waiver applying to skilled nursing facilities (SNFs), long-term care facilities (LTCFs), and acute inpatient rehabilitation (AIR).  In addition, UHC will reimburse physical, occupational and speech therapy telehealth services provided by qualified health care professionals when rendered using interactive audio/video technology, emphasizing state laws and regulations apply.

Cigna has indicated a similar suspension for commercial and Medicare Advantage plans, noting it will make it easier for hospitals to transfer patients to long-term acute-care hospitals (LTACHs) and other sub-acute facilities to help manage the demands of increasingly high volumes of COVID-19 patients

Medicare Accelerated and Advanced Payments Now Available

On March 28, 2020, the Centers for Medicare & Medicaid Services (CMS) expanded the current Accelerated and Advance Payment Program to a broader group of Medicare Part A providers and Part B suppliers. This program expansion, which includes changes from the recently enacted Coronavirus Aid, Relief and the Economic Security (CARES) Act, is one way CMS is working to lessen the financial hardships of providers facing extraordinary challenges related to the COVID-19 pandemic and ensures the nation’s providers can focus on patient care.

Eligibility qualifications state the provider/supplier must:

  • Have billed Medicare for claims within 180 days immediately prior to the date of signature on the provider’s/supplier’s request form
  • Not be in bankruptcy
  • Not be under active medical review or program integrity investigation
  • Not have any outstanding delinquent Medicare overpayments

Medicare will start accepting and processing the Accelerated/Advance Payment Requests immediately. CMS anticipates that the payments will be issued within seven days of the provider’s request.   

Access CMS’ step by step guide for eligibility and processes here.

COVID-19 Medicare Waivers

CMS is empowered to take proactive steps through 1135 waivers and rapidly expand the Administration’s aggressive efforts against COVID-19. As a result, the following blanket waivers are available: 

  • Three-Day Stay Waiver: CMS is waiving the requirement at Section 1812(f) of the Social Security Act for a 3-day prior hospitalization for coverage of a skilled nursing facility (SNF) stay, providing temporary emergency coverage of SNF services without a qualifying hospital stay for those who need to be transferred as a result of the effect of a disaster or emergency.
  • SNF Part A 100-Day Benefit Waiver: For certain beneficiaries who recently exhausted their SNF benefits, it authorizes renewed SNF coverage without first having to start a new benefit period.
  • MDS Completion and Submission Waiver: CMS is waiving 42 CFR 483.20 to provide relief to SNFs on the timeframe requirements for Minimum Data Set assessments and transmission.

Read the Coronavirus 1812(f) waiver.

New Targeted Plan for Healthcare Facility Inspections

On March 23, 2020 CMS released guidance to state survey agencies further prioritizing and suspending most federal and state surveys and delaying revisit surveys for the next three weeks beginning March 20.

CMS has released this survey tool to review infection prevention and control practices. Providers are encouraged to perform a self-assessment utilizing this same tool. Surveyors will review for:

  • Overall effectiveness of the Infection Prevention and Control Program (IPCP) including policies and procedures
  • Standard and transmission-based precautions (with the understanding that certain essential supplies are scarce, and facilities should not be penalized for not having certain supplies if they are unable to obtain them)
  • Quality of resident care practices, including those with COVID-19 (laboratory-positive cases), if applicable
  • Surveillance plan
  • Visitor entry and facility screening practices
  • Education, monitoring and screening practices of staff
  • Facility policies and procedures to address staffing issues during emergencies, such as transmission of COVID-19

Click here for the Survey Prioritization Fact Sheet.

PPE Guidance from CDC and CMS

The CDC issued guidance for optimizing the PPE supply, specifically facemasks, gowns and eye protection, including suggestions on what to do in case of shortages.

CMS recommends reaching out to a health care coalition (HCC) in your area for emergency response assistance. Click here for an interactive map with contact information.

Additionally, AHCA has warned providers to beware of COVID-19 scams selling PPE or other supplies. To aid in differentiation between legitimate businesses and scams, the Federal Trade Commission (FTC) has provided general guidance on COVID-19-related scams.

March Clinical Appeals

Denial Reason Code W7020- NCCI Edit Update

In February, CMS rescinded the National Correct Coding Initiative (NCCI) Edits which restricted the billing of CPT codes 97530 and 97150 on the same day as billing of PT/OT evaluation codes (97161, 97162, 97163, 97164, 97165, 97166) retroactively to January 1, 2020. Nonetheless, many providers have experienced line item denials due to the edit enacted for the short duration. These line item denials are reflected by reason code W7020. To resolve, CMS will be correcting the NCCI edit, beginning April 6, 2020. Medicare Administrative Contractors (MACs) will automatically reprocess claims, without provider action.  When reconciling payments,

  • Review Part B line items for denial of HCPCs 97530 and 97150, in the presence of evaluation codes 97161, 97162, 97163, 97164, 97165, 97166.
  • If line item denials are identified, determine if reason code W7070 is appended.
  • If confirmed, flag impacted claims for review for automatic reprocessing following CMS correction of the edit, beginning April 6, 2020.
  • CMS has indicated provider action is not required.
  • Follow up with your MAC should reprocessing not occur or occur with errors.

SNF Claims Incorrectly Cancelled

From January 26 through February 16, 2020, a software issue caused SNF claims to be incorrectly cancelled with a message that there was no three-day qualifying hospital stay. This issue has been corrected. If your claims were incorrectly cancelled, re-bill them in sequential order to receive payment.

  • Claims need to process in date of service order for each stay for the Variable Per Diem (VPD) to calculate correctly.
  • Submit claims in sequence and wait at least 2 weeks before billing subsequent claims.
  • Some of the affected claims with older dates of service will require a timely filing exception; enter “Resubmission due to non-qualifying stay” in the remarks field.

Click here for more information.

HIPAA Privacy & COVID-19

In this unprecedented time with worldwide infection of COVID-19, there are provisions within the HIPAA Privacy Rule to address use and disclosure of patient information in a public health emergency to aid in prevention and control of the spread of disease. While this provision addresses use and disclosure to authorized public health authorities, Covered Entities and Business Associates must continue to safeguard patient information from impermissible uses and disclosures.

Refer to the bulletin released by the Office of Civil Rights (OCR) in February 2020 at this link OCR HIPAA Privacy and COVID-19 for more information regarding HIPAA Privacy Rule relating to infectious disease control.

HIPAA Privacy Rule Refresher

Refresh your memory with some of the Privacy Rule points below:

  • HIPAA’s Privacy Rule goal is to protect the confidentiality of patient/resident healthcare information.
  • Protected Health Information (PHI) is individually identifiable health information collected from an individual and created or received by a health care provider, health plan, or health care clearing house relating to past, present, or future physical or mental health conditions of an individual.
  • Information is “individually identifiable” when any of the 18 types of identifiers can be used to identify an individual (e.g. name, address, dates such as birth date, account number etc.).
  • The HIPAA Privacy Rule applies to healthcare organizations, healthcare plans, healthcare clearinghouses, and business associates with access to PHI.
  • PHI can be in paper or electronic form, as well as in verbal communications. 
  • Photos and videos of patients/residents are PHI and require documented authorization to take and use.
  • Access to PHI must be restricted to the minimum access needed to accomplish the intended objective.
  • PHI cannot be used or disclosed without documented patient authorization unless it is for any of the following purposes or situations:
    • Use or disclosure to the patient
    • Use or disclosure for treatment, payment, or general healthcare operations
    • Use or disclosure if the individual can agree or object to a disclosure such as a patient bringing a family with them when discussing care with a physician
  • Covered Entities (CE) are required to provide residents/patients with a Notice of Privacy Practices (NPP) to tell how the CE may use and share their health information.
  • Disposal of documents containing PHI must be rendered unreadable.  Shredding is the most common method of disposal.  Before disposal, be sure to follow your organization’s data retention policies.

For more information regarding HIPAA Privacy, visit www.hhs.gov.

Appeals Demonstration and How it Continues to Evolve

Effective May 1, 2019, CMS expanded C2C Innovative Solution’s QIC Telephone Discussion and Reopening Process Demonstration to include providers/suppliers within certain MAC jurisdictions. Under the Demonstration, providers have the opportunity to participate in a recorded telephone discussion that will be included and considered as part of the appeals case file, prior to C2C’s reconsideration decision. In addition, the QIC has the authority to conduct reopenings on previously adjudicated unfavorable claims that are currently pending Administrative Law Judge (ALJ) assignment and/or unfavorable reconsiderations that have been decided by the QIC, but not yet appealed to OMHA.  Participation in the Telephone Discussion Demonstration is voluntary.

C2C will issue a form letter notifying the appellant that the claim has been selected to participate in the Telephone Discussion Demonstration. Participants will be allowed 14 calendar days from the date of the notification letter to respond by returning the forms with the enclosed letter and indicate a desire whether or not participate in this voluntary Telephone Discussion Demonstration.

If the provider concurs with the request to participate in the Telephone Discussion Demonstration, C2C will conduct the telephone discussions and shall be specific in clarifying Medicare policies and requirements, educating the provider/supplier, and identifying any materials, evidence, and/or documentation that would yield a favorable outcome as part of the reconsideration process. Following the telephone discussion, a reconsideration professional at the QIC will conduct the medical or technical review, considering and applying any additional information or supporting documentation that was provided as a result of the telephone discussion. After reviewing all documentation available, the reconsideration professional will issue a decision on the case.

Click here to read on for more information from C2C.

Email and Protected Health Information

Business Email Compromise (BEC) is a type of attack on company email systems where the hacker’s goal is to gain access to an email system and search for data that can be used to commit fraud.

In the healthcare industry, fraudsters are committing BEC to steal protected health information (PHI). Why? Because PHI has many use cases unlike credit card and account data which is only useful until the victim cancels the credit cards and accounts. PHI such as a “Face Sheet” typically contains a treasure trove of information that can be used to commit medical services theft, Medicare/Medicaid fraud, fraudulent insurance billing, and income tax fraud to name a few.

Healthcare companies and their employees are required by HIPAA to protect PHI. You can do your part to protect PHI from BEC by taking the following actions:
• deleting emails containing PHI as soon as they are no longer necessary to retain,
• never sharing your password with anyone,
• changing your password regularly using strong passwords, and
• before clicking any link – STOP. LOOK. THINK.

Ten Simple HIPAA Tips

  1. Ensure discussion of PHI (protected health information) is where you cannot be easily overheard. 
  2. ePHI should not be saved on unencrypted devices such as laptops, desktops, servers, USB drives, etc.
  3. When leaving your workstation unattended, logoff or manually lock your workstation.
  4. Computer equipment should not be left unsecured such as in an unattended vehicle or hotel room.
  5. PHI should not be left on a copier or scanner unattended.
  6. Paper PHI should be disposed of properly by shredding.
  7. Keep passwords safe. Do not write down or share your password.
  8. Double check fax numbers and email addresses to ensure you have the correct information before faxing or emailing PHI.
  9. Patient photos or stories require a signed authorization prior to taking or using. Authorization forms can be obtained on the Reliant portal.  
  10. Report suspected HIPAA violations to your supervisor or the company privacy officer.  Reliant employees may contact their Privacy and Information Security Officer at privacy@reliant-rehab.com.

HIPAA Happenings: Holiday Phishing

Cyber criminals take advantage of the holidays to disguise their phishing campaigns and malware as seasonally accepted email. Requests for donations to fraudulent organizations, bogus holiday advertisements, and posing as package delivery services are common this time of year.
Click here to view a real example of a phishing email impersonating Federal Express.

What to Do If You Suspect You Are a Victim of Phishing:

  • Change your password immediately.
  • Contact your IT Department.
  • For Reliant employees contact support@reliant-rehab.com or call 225-767-7670.

CMS’ FY 2020 SNF PPS Final Rule Released

Yesterday, the Centers for Medicare and Medicaid Services (CMS) issued the FY 2020 Skilled Nursing Facility (SNF) Prospective Payment System (PPS) Final Rule, which will take effect on October 1, 2019. 

This final rule updates the payment rates used under the prospective payment system (PPS) for skilled nursing facilities (SNFs) for fiscal year (FY) 2020. CMS has also made minor revisions to the regulation text to reflect the revised assessment schedule under the Patient Driven Payment Model (PDPM). Additionally, CMS revised the definition of group therapy under the SNF PPS, and implemented a subregulatory process for updating the code lists ICD-10 used under PDPM. Finally, the final rule updated requirements for the SNF Quality Reporting Program (QRP) and the SNF Value-Based Purchasing (VBP) Program.

Below are a few highlights from the final rule: 

  • The federal rates in this final rule reflect an update to the rates that CMS published in the FY 2019 SNF PPS final rule, which reflects the SNF market basket update, as adjusted by the multifactor productivity (MFP) adjustment, for FY 2020.
  • The SNF market basket percentage is 2.4 percent for FY 2020, which is an increase in payments of $851 million compared to FY 2019. This estimated increase is attributable to a 2.8 percent market basket increase factor with a 0.4 percentage point reduction for the multifactor productivity adjustment. This is a decrease from the proposed update of 2.5 percent and $887 million.
  • Effective October 1, 2019, group therapy will be defined as “a qualified rehabilitation therapist or therapy assistant treating two to six patients at the same time who are performing the same or similar activities.”
  • CMS is not finalizing its proposal to expand data collection for SNF QRP quality measures to all SNF residents, regardless of their payer. 
  • CMS is finalizing as proposed, without modification, the process for updating the ICD-10 code mappings and lists associated with PDPM. As proposed, the subregulatory process for updating the ICD-10 codes used under PDPM will take effect beginning with the updates for FY 2020.   
  • The Final Rule updates requirements for the SNF QRP, including the adoption of two Transfer of Health Information quality measures and standardized patient assessment data elements that SNFs would be required to begin reporting with respect to admissions and discharges that occur on or after October 1, 2020. 
  • CMS is finalizing its proposal to exclude baseline nursing home residents from the Discharge to Community Measure.
  • CMS is finalizing its proposal to publicly display the quality measure, Drug Regimen Review Conducted with Follow-Up for Identified Issues, under the SNF Quality Reporting Program.
  • CMS is replacing the terminology for the “5-Day Assessment” with “Initial Medicare Assessment”.

Common HIPAA Violations Employees May Not Realize

Have you ever or do you routinely email Protected Health Information (PHI) to your personal email account so you can catch up on work outside of the facility?  With the many demands of the job to get the work done, it can be tempting.  This commonly results in a HIPAA violation as the information is not properly protected and more easily breached!  Although your intentions may be good, this is not an appropriate practice. Your company may have a policy directly relating to PHI. Reliant employees should refer to Policy 8.3 – Use of E-Mail and Text Messaging for full policy information.

The same caution applies to taking paper patient information outside of the facility.   Removing protected health information from a healthcare facility places that information at risk of exposure.  Without appropriate measures in place to safeguard this information in transport and outside of the facility, it is in violation of HIPAA Rules.  Reliant employees should refer to Policy 3.14 – IT Equipment Protection & Physical Access Controls for full policy information.

CMS Improvements to Recovery Audit Process

The size of the Medicare program is astronomical – the system processes over one billion claims a year. CMS uses several types of contractors to verify that Medicare Fee for Service (FFS) claims are paid based on Medicare requirements. One type of contractor is a Recovery Audit Contractor (RAC). The Medicare FFS RAC Program is one of many tools used to prevent and reduce improper payments. RACs identify and correct overpayments made on claims for health care services provided to beneficiaries, identify underpayments to providers, and provide information that allows CMS to prevent future improper payments.

However, in the past there were numerous complaints about the RAC program. Providers found the audits time-consuming, necessitating high administrative expenses, and often requiring lengthy appeals. CMS listened to what providers were telling them and made meaningful changes. That input informed their thinking as they re-examined all aspects of the RAC process. They identified areas where they could reduce provider burden and appeals, and increase program transparency, while enhancing program oversight and effectiveness.

On May 3rd, CMS Administrator Seema Verma, outlined the key improvements and enhancements that were made to the program including:

  • Better Oversite of RACs:
    • Accountable for maintaining a 95% accuracy score.
    • Maintain an overturn rate of less than 10%.
    • Contingency fee will be delayed until after the second level of appeal is exhausted.
  • Reducing Provider Burden and Appeals:
    • Must audit proportionally to the types of claims a provider submits.
    • Conduct fewer audits for providers with low claims denial rates.
    • Allow more time to submit additional documentation before needing to repay a claim.
  • Increasing Program Transparency:
    • Regularly seeking public comment on proposed RAC areas for review.
    • Required enhancements to provider portals for claim status understanding.

While the audits can become cumbersome and overwhelming at times, ensuring that the care being provided is the most appropriate for each individual patient will only continue to assist in getting the health system where it needs to be. The improvements outlined above have helped and will to continue to help make patient care, not paperwork compliance, the main focus of providers.

CMS’ blog regarding recovery audit improvements:

https://www.cms.gov/blog/recovery-audits-improvements-protect-taxpayer-dollars-and-put-patients-over- paperwork

More information on the Medicare FFS Recovery Audit Program can be found at: https://www.cms.gov/Research-Statistics-Data-and-Systems/Monitoring-Programs/Medicare-FFS- Compliance-Programs/Recovery-Audit-Program/

Indictment of Anthem Breach Hackers

Do you remember hearing about the Anthem breach in 2015? Hackers infiltrated Anthem’s network and breached the personal health information of 78.8 million patients. This was one of the worst data breaches in US history if not the worst. There is some good news being reported. The Department of Justice has indicted two China-based hackers for the Anthem hack and breach.

How did the hackers do it?

The hackers allegedly used methods to hack including spear-phishing emails sent to employees embedded with links. After the employee clicked on the link, the malicious malware was installed to infect and compromise the system. Once inside the system, the hackers installed what is called a “backdoor” which in this case was undetected by the organization infected. This “backdoor” allows the hackers to come and go as they please. Although the hack was discovered in 2015, it began in 2014 with the hackers coming through the back door and conducting reconnaissance to identify information of interest.

What is the Lesson Learned?

Be on the lookout for “phishy” emails. Here are a few tips to assist in identifying Phishing emails.

  1. Does the email invoke a sense of urgency, fear, or curiosity?
  2. Does it ask you to click a link, open an attachment or provide your user Id/password or other sensitive information?
  3. Do you know the person that sent the message and were you expecting it? Hackers can “spoof” messages meaning they make it look like it is coming from a known sender when it is not. If you know the sender but were not expecting it, contact the sender by a means other than email to confirm.

What to do when you suspect a phishing email?

For Reliant employees who use Reliant’s email, a “Phish Alert Button” was recently implemented within the email system. This button is easily accessible within the user’s email and allows the suspicious email to be reported at the click of a button. After clicking this button, it alerts the Reliant support team and allows security measures to be quickly added to prevent others from clicking on similar malicious e-mails.

Customers who don’t have a similar “Phish Alert Button” in place, should report suspicious emails to their support team through established reporting processes.

March 2019 Healthcare Data Breaches

The Health and Human Services Office of Civil Rights (OCR) is responsible for enforcing civil right laws. Covered Entities such as Skilled Nursing Facilities and Business Associates must comply with HIPAA regulations which includes reporting breaches of Protected Health Information (PHI). Breaches affecting 500 or more individuals are posted by OCR on a public website. Breaches affecting less than 500 individuals are also required to be reported but are not posted for public viewing.

To give you an idea of the information available on the public site using March 2019 data, there were 32 breaches reported with 500 or more individuals involving 951,252 individuals. Of these 32 breaches, there were 22 Healthcare Providers, 4 Health Plans, and 6 Business Associates involved.

The types of breaches consisted of

  • 20 – Hacking/IT Incidents
  • 8 – Unauthorized Access/Disclosure
  • 4 – Thefts

Breaches involving email and network servers accounted for 893,502 of the impacted individuals (see chart below). This is why security awareness training, good password management practices, and virus protection are so important.

For a list of the names of companies impacted and other information, visit the OCR portal at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

FY2020 Skilled Nursing Facility (SNF) PPS Proposed Rule

On Friday, April 19, 2019, CMS released the FY2020 skilled nursing facility (SNF) proposed rule for public inspection and comment.

There is estimated to be a 2.5% market basket increase for FY2020 aggregate payments as calculated through a 3.0% market basket increase and a 0.5% multifactor productivity adjustment resulting in an $887 million annual increase.

The proposed rule includes three proposed changes related to the Patient Driven Payment Model (PDPM). First, CMS proposes changing the definition of group therapy in a SNF setting to match the definition in the IRF setting. Specifically, CMS proposes defining group therapy in the SNF Part A setting as “a qualified rehabilitation therapist or therapy assistant treating two to six patients at the same time who are performing the same or similar activities.”

Second, CMS proposes using a subregulatory process to provide non-substantive updates to ICD-10 codes used in PDPM through the PDPM website, while substantive changes will still be made through the traditional notice and rulemaking process. Non-substantive updates are those made to maintain consistency with the most recent ICD-10 code set. CMS is proposing that this take effect with the start of PDPM on October 1, 2019.

The third and final proposed change is to update the regulation text to reflect changes in the assessment schedule under PDPM which were already finalized in the FY2019 final rule. These changes are to reflect the policy taking effect under PDPM on October 1, 2019. For the initial patient assessment, the proposed regulation changes would state that “the assessment schedule must include performance of an initial patient assessment no later than the 8th day of post-hospital SNF care.” Additional proposed changes to regulation text would reflect the optional interim payment assessment.

SNF Quality Reporting Program

This rule proposes to update the SNF QRP effective October 1, 2020 to include:

  • Expansion of data collection for the SNF QRP quality measures to all skilled nursing facility residents, regardless of their payer.
  • The addition of two Transfer of Health Information quality measures.
  • Exclusion of baseline nursing home residents from the Discharge to Community Measure.
  • Public display of the quality measure, Drug Regimen Review Conducted with Follow-Up for Identified Issues.

Request for information (RFI) on the importance, relevance, appropriateness, and applicability measures of standardized patient assessment data elements (SPADEs) for future years in the SNF QRP.

SNF Value Based Purchasing Program

The SNF VBP Program is proposing to change the name of the program’s measure to the “Skilled Nursing Facility Potentially Preventable Readmissions after Hospital Discharge” measure. The measure will retain its previous abbreviation (SNFPPR).

The proposed rule also includes an update to the public reporting requirements to ensure that CMS publishes accurate performance information for low-volume SNFs.

CMS encourages comments from stakeholders. The comment period is open until June 18, 2019.

Download the proposed rule from the Federal Register. Download the CMS fact sheet.

To learn more about Reliant’s preparedness for PDPM, visit our website today.