HEALTH INDUSTRY ONLINE - From Medicare Billing Changes to Red Flags – Compliance Requires Health Care Entities to Stay on Their Toes

Historically, physicians, non-physician practitioners (“NPPs”), and their organizations were permitted to bill retroactively for Medicare services provided up to 27 months prior to being enrolled in the Medicare program. CMS, however, has now implemented new provider enrollment rules in response to concerns that practitioners or organizations may submit bills, and receive payment, for services provided prior to meeting the Medicare program enrollment requirements.

Pursuant to Medicare Change Request 6310, physicians, NPPs, and their organizations will no longer establish retrospective Medicare effective billing dates. As of April 1, 2009, the effective billing dates for physicians, physician assistants, nurse practitioners, clinical nurse specialists, certified registered nurse anesthetists, certified nurse-midwives; clinical social workers; clinical psychologists; registered dietitians or nutrition professionals; and physician and NPP organizations (e.g., group practices) will be established by Carriers and Part A and Part B Medicare Administrative Contractors.

Under the new rule, the effective date of Medicare billing privileges for physicians, NPPs, and their organizations will be the later of: (i) the filing date of a subsequently approved Medicare enrollment application; or (ii) the date the practitioner/organization first began furnishing services at a new practice location.¹

Accordingly, the new rule permits physicians, NPPs, and their organizations to bill retrospectively for services only up to 30 days prior to their effective date of billing when they have met all program requirements (including state licensure requirements) and can demonstrate that “circumstances precluded enrollment in advance of providing services to Medicare beneficiaries.”² Thus, physicians, NPPs, and their organizations are limited to receive reimbursement for a maximum of 30 days prior to filing a subsequently approved Medicare enrollment application.

In light of this change, Medicare providers should carefully consider the impact that this new rule may have on their practice or organization before considering new hiring arrangements or establishing a new practice location.³

Reporting of Provider Changes

In addition to the retrospective billing changes, CMS has implemented a rule requiring physicians, NPPs, and their respective organizations to notify their applicable Medicare contractor of certain reportable events within 30 days of their occurrence. Failure to comply with such reporting requirements may result in revocation of Medicare billing privileges and the determination that payments received after the change are Medicare overpayments.

Under this new reporting rule, physicians, physician assistants, nurse practitioners, clinical nurse specialists, certified registered nurse anesthetists, certified nurse-midwives; clinical social workers; clinical psychologists; registered dietitians or nutrition professionals; and organizations (e.g., group practices) consisting of such individuals must report the following activities within 30 days of their occurrence:

A change of ownership;
A final adverse action;⁴ or
A change in practice location.⁵

Specifically, physician and NPP organizations and individual practitioners that fail to report a final adverse action or a change in practice location may be assessed an overpayment from the date of the reportable event.⁶

According to CMS, a final adverse action may preclude payment under Medicare, and as a result, providers should not be allowed to retain reimbursements received after the date of the adverse action. Similarly, if CMS determines that a change of practice location was not reported within the 30-day time period, CMS may assess any applicable overpayment for the difference in payment rates retroactive to the date the change occurred. Moreover, failure to comply with the reporting requirements may result in the revocation of Medicare billing privileges for a minimum of one year.

CMS views these additional requirements as just one more report to file—in the same way practitioners and organizations routinely notify entities such as the U.S. Post Office, suppliers, vendors, and state medical associations of changes in practice location. In light of the new reporting requirements, and the penalties that may result from noncompliance, it is essential that physicians, NPPs, and their organizations also notify their designated Medicare contractor of reportable events within 30 days to ensure they remain eligible for payment.

Red Flags Rule – Compliance Required by May 1, 2009

Another imminent change that will impact certain health care providers and organizations involves the Red Flags Rule.⁷ The Red Flags Rule requires additional protections for financial information (even in the health care industry) in an effort to prevent identity theft. The Red Flags Rule became effective as of January 1, 2008, but the Federal Trade Commission (FTC) delayed implementation until May 1, 2009, which is just around the corner.

In the most general terms, the Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program in an effort to detect the warning signs (or “red flags”) of identity theft. This requirement applies to “financial institutions” and “creditors” who provide “covered accounts.”

Most health care providers do not qualify as “financial institutions,” but they may qualify as a “creditor” if they offer customers or patients a consumer account that involves or is designed to permit multiple payments or transactions and for which there is a reasonably foreseeable risk of identity theft. Because most health care providers balance bill customers after payments are received from third-party payors (or allow patients to pay outstanding balances over time), they will likely be considered a creditor for the purposes of the Red Flags Rule.

In order to comply, an entity must develop and implement a written program that is designed to detect, prevent, and mitigate the potential damage of identity theft with respect to covered accounts. Such a program must be tailored to each business or organization’s specific activities and capabilities, and the rule requires that the written program include policies and procedures that: (i) identify relevant “red flags”; (ii) detect “red flags”; (iii) respond to “red flags”; and (iv) periodically evaluate and update the program to address the new risks or threats presented by identity thieves.

For most health care organizations, a Red Flags Program will be very similar to the policies and procedures that have been put in place to comply with the Privacy Rule and, more importantly, the Security Rule under HIPAA. However, privacy and security policies and procedures will not likely fully comply because the Red Flags Program is meant to protect individuals from identity theft, not the improper use or disclosure of health information. Therefore, the organization must determine the types of “red flags” that it encounters in its day-to-day operations, how it can detect and respond when those “red flags” arise, and how it will train its workforce to recognize the “red flags” and to prevent identity theft from occurring.

¹ 42 C.F.R. § 424.520.

² See 42 C.F.R. § 424.521. Practitioners and organizations may retrospectively bill for 90 days prior to their effective date if a Presidentially-declared disaster under the Robert T. Stafford Disaster Relief and Emergency Assistance Act, 42 U.S.C. §§ 5121-5206 (Stafford Act) precluded enrollment in advance of providing services to Medicare beneficiaries.

³ In order to reduce the time required to enroll in the Medicare program or to make a change in providers’ Medicare enrollment records, CMS encourages providers to utilize the internet-based enrollment process known as the Provider Enrollment, Chain and Ownership System (PECOS) to submit enrollment applications. CMS expects that most complete Internet-based PECOS enrollment applications will be processed within 30 to 45 calendar days compared to 60 to 90 calendar days in the current paper-based enrollment process.

⁴ 42 C.F.R. § 424.502. A “final adverse action” means one or more of the following actions: (i) A Medicare-imposed revocation of any Medicare billing privileges; (ii) Suspension or revocation of a license to provide health care by any state licensing authority; (iii) Revocation or suspension by an accreditation organization; (iv) A conviction of a federal or state felony offense within the last 10 years preceding enrollment, revalidation, or re-enrollment; or (v) An exclusion or debarment from participation in a federal or state health care program.

⁵ 42 C.F.R. § 424.516(d). All other enrollment changes involving the providers listed must be reported within 90 days.

⁶ 42 C.F.R. § 424.565.

⁷ See 16 C.F.R. § 681.2. The Red Flags Rule was published in 2007 pursuant to Section 114 of the Fair and Accurate Credit Transaction Act of 2003 (FACT Act; Pub. L. 108-159 (2003)). The full text of the Red Flags Rule can be found at: www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf.