Medicare and Medicaid audits and investigations: Digging into the details

The media regularly report about how health care costs are rising at an unsustainable rate. Well, here are some of the numbers. According to the federal government’s estimates, health care expenditures in the United States are approaching or exceeding $4 trillion per year and account for more than 18% of gross domestic product. In 2019, Medicare spending was $800 billion, and Medicaid accounted for more than $613 billion. In New York state, Medicaid expenditures for fiscal year 2021 are projected to hit more than $80 billion.

Payments by government programs, insurers and managed care plans, self-insured benefit programs, and other payors flow to all segments of the industry: hospitals; nursing homes; clinics and other institutional providers; clinical laboratories; physicians and other medical professionals; pharmacies; drug and medical device companies; and so on. Yet compared to total expenditures, the amount of auditing of these expenditures is miniscule. As a result, problems ranging from simple billing errors to outright fraud are rampant and often go undetected, adding unnecessary costs to what is by far the world’s most expensive health care system.

Related: Fraud, waste and abuse in health care claims: A bad situation worsened by the pandemic

The federal and state governments have been allocating more resources to efforts to combat fraud and abuse in the Medicare and Medicaid programs. Private health insurers have also increased their reviews of bills submitted for medical care and medical equipment, often at the behest of state regulators, but also in an effort to contain their own escalating premium costs.

Providers such as hospitals, nursing homes, outpatient clinics, home health agencies, physician groups, clinical laboratories, imaging centers, medical equipment suppliers, and so on, account for the largest share of payments by the Medicare and Medicaid programs. As such, providers should be prepared to handle audits or investigations as more of them occur. This column is the first of two that discuss who conducts Medicare and Medicaid inquires, what can trigger them, how they are conducted, and some of the steps that providers should consider taking to protect themselves if they find themselves under audit or investigation.

Agencies/contractors

The federal and state governments have both the right and the obligation to assure that payments from government health benefit programs for any services or items furnished to program beneficiaries are justified. Thus, an audit or investigation of Medicare claim can be commenced by any one of a number of federal government agencies. These include the Centers for Medicare and Medicaid Services (CMS); the Office of Inspector General of the U.S. Department of Health & Human Services; the Federal Bureau of Investigation; and the U.S. Department of Justice (DOJ) and U.S. Attorneys’ offices.

Audits of Medicare payments are also conducted by private insurers that serve as Medicare fiscal intermediaries or carriers under contracts with CMS. For example, there is the national Recovery Audit Contractor (RAC) program, whereby CMS hires private companies to conduct focused and intensive audits into entities and individuals whose Medicare billings are higher than the majority of providers and suppliers in their areas.

State agencies have primary though not exclusive responsibility for audits of and investigations into Medicaid expenditures. Consequently, a provider with a significant number of Medicaid patients could hear from multiple agencies in New York: the Attorney General’s Medicaid Fraud Control Unit (MFCU); the Office of Medicaid Inspector General; the Department of Health; the State Controller’s Office; local district attorneys; county controllers; and county departments of social services. The MFCU and district attorneys have the authority to pursue criminal charges in fraud cases. The DOJ also has jurisdiction in Medicaid fraud cases, since the federal government pays up to 50% or more of the costs of state Medicaid programs. However, the DOJ frequently defers to state auditors and prosecutors, unless a provider has also engaged in significant fraud on the Medicare program.

Questions

The inquiries that these agencies and contractors can conduct include a wide variety of questions that include, but are not limited to, the following:

• Was the bill that was submitted and paid accurate?
• Was the patient accurately diagnosed?
• Was the care or item billed for actually provided to the patient?
• Was the care or item billed for medically necessary and appropriate?
• Was the care or item billed for eligible for Medicare or Medicaid reimbursement?
• Was the need for the care or item properly documented in the patient’s medical record?
• Were prescription drugs or medical equipment properly prescribed by a physician or other authorized medical professionals?
• Was the care or item billed for of acceptable quality, and provided on a timely basis?
• Were the medical services provided by appropriate professionals with current licenses who are in good standing with the Medicare and Medicaid programs?
• Was other health benefit coverage exhausted before Medicaid was billed?
• Was the patient billed for any applicable co-insurance or deductible?
• Were the institutional cost reports that were filed by the provider accurate in all respects?
• Were any of the provider’s business arrangements, patient referrals, etc. violative of any fraud and abuse statutes?
• Have any medical, billing or business records been altered?

Approach

An audit or investigation can be commenced in a number of ways. It can be a simple letter from a Medicare carrier or intermediary requesting information and a copy of portions of a medical record so that a bill for patient services can be reviewed. It can be one or two investigators who show up at a facility, flash their badges (they love to do that) and ask to see records or to interview employees immediately. Or, it can be the arrival of a team of auditors at a facility for a wholesale review of the records of Medicare or Medicaid patients, or the facility’s contracts, business arrangements, cost reports, and other records.

An investigation can begin with the service of a subpoena demanding production of anything ranging from the record of a single patient, to a broad range of books, records, contracts, documents, logs, and so on. At its most dramatic, it can be the arrival of law enforcement personnel armed with search warrants (often with the media in tow) who proceed to seize and carry off computers, boxes of records, and other items in the course of a criminal investigation. Since some investigative agencies (e.g., Department of Justice, MFCU) can obtain search warrants, and use eavesdropping and undercover agents and informants, it is possible that a provider engaged in illegality may not even know it is under investigation until it’s too late.

Triggers

Audits of providers can be triggered in many ways. They can be part of a random sampling of particular types of providers, such as nursing homes. For example, the Medicare program is required to make random audits of 10% of all Medicare providers on an ongoing basis.

An audit or investigation can result from complaints by patients about the quality or appropriateness of the care they received, or how they were billed for their care. They can be initiated as a result of information from a whistleblowing employee about improper billings, or from a competitor with information about illegal business arrangements. A private insurer or managed care plan that becomes aware of billing irregularities in the course of reviewing and rejecting a provider’s claims for payment can also tip off Medicare and Medicaid authorities about potential problems.

A provider with a very high volume of Medicare and/or Medicaid patients has an increased chance of an eventual audit. Government agencies have complex clinical, demographic and statistical databases and highly sophisticated algorithms that track and pick up patterns of unusually high utilization. For example, the Medicare program regularly selects particular billing codes for focused post-payment reviews, and runs statistics to determine a median number for those codes. Thus, a physician who performs unusually high numbers of expensive procedures on Medicare patients has an increased risk of being audited.

Scope of audit

Providers undergoing audits or investigations often ask about the extent of the records that they have to provide to the government or its contracted auditors. The simple answer is that when a provider agrees to service the medical needs of a Medicare or Medicaid beneficiary, it opens up a broad range of the provider’s books and records to potential review.

Auditors and investigators “follow the money.” Not only are they authorized to check the accuracy of each bill that was submitted for payment to a government program, but they can review business arrangements with referring physicians or vendors to determine whether illegal kickbacks are being paid; check medical records and interview patients and staff to determine if the medical services billed for were actually provided; dig into cost reports to see if costs have been properly included and allocated; and inquire into any or all of the areas mentioned earlier.

Moreover, either during or after their review of a provider’s records, auditors and investigators can and do ask to interview a wide variety of individuals. These can include employees and executives, physicians, vendors, and even the provider’s outside auditing firm. For example, in auditing medical records in connection with a provider’s unusually high utilization of particular Medicare billing codes, auditors or investigators may want to interview the physicians and other medical professionals who treated the patients and whose names appear in patient charts; the coding personnel who reviewed the patients’ records and assigned the billing codes, and/or their supervisors; the finance or billing personnel who have responsibility for the provider’s billing policies and procedures; utilization reviewers; and so on. The same applies to the personnel of any outside billing companies used by the provider if this function is outsourced.

Depending upon the amount of money or the billing practices at issue, the inquiry may go up the chain of command to the provider’s director of reimbursement, chief financial officer, director of compliance, or even the chief executive. The same would apply to questions about potentially improper business arrangements, such as kickbacks to vendors, patient referrals that may be in violation of the Stark anti-referral law, and so on. The inquiry can rise not only to the executive suite, but also to the governing body.

Conclusion

It is important for every provider to understand that there is no such thing as an “informal” audit or a “routine” investigation. Any requests from or visits by auditors or investigators from any of the agencies or contractors mentioned earlier must be taken very seriously. They have the right to review documents and obtain information relevant to their inquiries, but the provider also has certain rights, and can and should take steps to protect itself. In the second part of this article, we will offer some guidelines for providers who find themselves targeted for audit or investigation.

Francis J. Serbaroli is a shareholder in Greenberg Traurig and the former vice chair of The New York State Public Health Council.

Read more: 

• Telehealth growth comes with concerns about fraud, patient safety
• How AI can streamline health care claims processing and benefit payers
• Medical providers score billion-dollar win in insurance recovery claims case