CMS announced on June 17 that it will deploy predictive modeling technology to pre-screen claims. The goal is to identify fraudulent claims before they are paid.

Medicare has typically paid whatever claims a participating provider submits, and then sought to recover erroneous claims through retrospective review. This “pay and chase” approach is good for providers and keeps the cost of participating in Medicare at reasonable levels. It can be bad for taxpayers though because fraudulent claims will be paid just as quickly as valid claims.

Predictive modeling technology is widely used in private industry. It is used by credit card companies to detect fraud, insurers to evaluate risk, and financial analysts to evaluate business scenarios, among other things.

CMS has contracted with Northrop Grumman to develop the technology:

Northrop Grumman will deploy algorithms and an analytical process that looks at CMS claims – by beneficiary, provider, service origin or other patterns — to identify potential problems and assign an “alert” and assign “risk scores” for those claims. These problem alerts will be further reviewed to allow CMS to both prioritize claims for additional review and assess the need for investigative or other enforcement actions.

Northrup Gruman has a number of software development contracts with CMS, including the contract to develop and maintain the National Level Repository for use in assessing whether a provider has met the meaningful use standard.

If the new technology works, it could be good for providers and taxpayers by detecting truly fraudulent claims and eliminating criminal abusers. If it does not work and yields too many false positives, providers could become bogged down in justifying valid claims that should be paid without any question.

The Centers for Medicare and Medicaid Services (“CMS”) published a final rule on May 5, 2011, that implements a new credentialing and privileging process for physicians and other practitioners providing telemedicine services. The final rule modifies the Medicare conditions of participation to permit hospitals to rely on the credentialing and privileging determinations of another hospital or telemedicine entity, rather than make an individualized decision based on the practitioner’s credentials and record.

The goal is to remove “unnecessary barriers” to the use of telemedicine and “enable patients to receive medically necessary interventions in a more timely manner.”

The hospital that is providing telemedicine services to its patients must have an agreement with the distant site hospital or distant site telemedicine entity and require that the distant site meet the existing Medicare conditions of participation for credentialing and privileging decisions. The hospital must ensure that:

• The distant site entity is either a Medicare participating hospital, or its credentialing and privileging process and standards meet those in the Medicare conditions of participation;
• The physician or practitioner is privileged at the distant site;
• The physician or practitioner holds a license issued or recognized by the state in which the hospital’s patients are receiving the telemedicine services; and
• It reviews the exercise of telemedicine privileges at the hospital and provides this quality assurance/performance improvement information to the distant site for use in its periodic appraisal of the physician or practitioner.

CMS will need assistance from state regulators to meet the goal of improving access to telemedicine services. Under New York law, a hospital is required to conduct certain due diligence before it grants privileges to a physician. For example, the hospital must collect information regarding the physician’s malpractice history and the exercise of privileges at other hospitals.

Thus, a New York hospital wishing to grant telemedicine privileges to a physician must ensure that it has the required information in its credentialing file. This could be an issue when relying on a distant site’s credentialing process. If the distant site is outside New York, the file may not contain all the required information. If the distant site is located in New York, the information in the file must be updated before it can be relied on by the hospital wishing to grant telemedicine privileges. To meet these requirements, either the credentialing hospital or the distant site hospital must update the credentialing information.

If New York regulators want to improve access to telemedicine services in underserved areas of New York by adopting the same approach as CMS, they will need to convince the New York Sate legislature to amend existing statutes to permit reliance on the past credentialing decisions of the distant site. The New York State legislature is likely to agree to this approach only if the hospital is located in New York and subject to New York regulation and oversight.

I recently registered as a new patient with a local practice. They asked me to complete an on-line registration form. Although I probably should not have been, I was surprised when I was asked to provide not only my social security number (SSN) and driver’s license number, but those of my husband as well because we get our health insurance through his employer. I declined to do so.

Healthcare providers used to routinely collect the SSN and driver’s license number of each patient. Hospitals and other large healthcare providers have stopped asking patients for this information, but this is still a common practice in physician practices. If your practice is routinely collecting this information, you should reconsider unless you have proper policies and procedures in place to ensure that it is protected.

Including an SSN or driver’s license number in a patient’s computerized file makes the file subject to New York’s Information Security Statute, which requires notification of a breach of an organization’s computer system when the system contains private information.

Collecting SSN data and including it, or any number derived from the SSN, in a patient’s file also subjects your practice to penalties under New York’s Social Security Number Protection Law. Firms that collect SSN data have to take steps to prevent its unauthorized disclosure and must limit access to those employees who need it for legitimate business purposes. Violations of the statute are subject to civil penalties in proceedings instituted by the Attorney General’s office. These protections cannot be waived by the consumer.

So, if you are collecting SSNs (or even part of an SSN) and drivers’ license numbers, make sure that you need to do so for legitimate reasons. Avoid requesting the SSN or driver’s license number at registration for every patient. SSN data is often needed to verify third-party payor information, but there is no reason to collect a patient’s driver’s license number or make a copy of the driver’s license.

You should not use the patient’s SSN or any part of the SSN as a patient identifier. Using the SSN as a patient identifier gives all your employees access to such data and violates the requirement to ensure that reasonable measures are taken to avoid unnecessary disclosure of this information.
Design your systems in a way that avoids the collection and storage of this data. It will save you money in the long run.

The Center for Medicare and Medicaid Services issued its Voluntary Self-Referral Disclosure Protocol (“SRDP”) on September 23, 2010. I outlined the problems with the SRDP and summarized the guidance provided by CMS representatives for making a submission in prior posts. The purpose of the SRDP is to self-report that an entity received payments from Medicare in violation of the Stark statute.

One issue that an entity making a self-disclosure will encounter is how far back it should go when determining the period of non-compliance. The Stark law was first effective in 1989, and initially prohibited physicians from making referrals for clinical laboratory services. This is commonly referred to as Stark I. The list of designated health services was expanded to ten (now 12) in 1993. This is commonly referred to as Stark II. Stark II was effective January 1, 1995, but the Stark II, Phase I regulations were not effective until January 4, 2002. Thus, from January 1, 1995 to January 4, 2002, the only legal basis for prohibiting claims for designated health services other than clinical laboratory services is the statute itself.

An argument can be made that the earliest date for reporting that a claim was submitted to Medicare in violation of Stark II is January 4, 2002. Prior to that date, although the statute was in effect, the obligation in 42 C.F.R. §411.353(d) to refund any payments made by Medicare pursuant to a prohibited referral did not apply to the other designated health services, including hospital inpatient and outpatient services. This obligation is not found in the statute, which requires that providers make refunds to individuals on a timely basis. CMS acknowledges in the SRDP that this obligation is distinct from the obligation to refund payments made by Medicare and cannot be compromised.

Keep in mind also that payments made to physician groups (a professional corporation or limited liability company) would not constitute a financial relationship with the individual referring physicians in the group unless the arrangement met the definition of an indirect compensation arrangement prior to the Stark II, Phase III regulations implementing the “stand-in-the shoes” rule.

Therefore, if the financial relationship was between the entity and a physician group and the referring physicians in the group did not receive compensation from the group that varied with the volume or value of referrals to the entity, the earliest date of the potential disallowance period would be December 4, 2007, which is the effective date of the Stark II, Phase III regulations.

As originally proposed, any physician in the group would stand in the shoes of his or her group. The stand-in-the shoes rule was later modified effective October 1, 2008 so that only physicians who have an ownership or investment interest in the physician group would stand in the shoes of the group, and other physicians may stand in the shoes.

It would make sense for CMS to apply the stand-in-shoes rules only to the owners of the physician group as of December 4, 2007, and not require that all physicians who were employees or independent contractors in the group between December 4, 2007 and October 1, 2008 stand in the shoes of the group. Determining which physicians had employment or independent contractor arrangements with a particular group could be burdensome, whereas information regarding the owners of a physician group is publicly available, at least in New York.