“Compliance” often conjures up images of boring lectures, law enforcement, huge fines, scary “I’m from the government and I’m here to help” mentality, and worse. In reality, compliance is an integral part of the health field. And with health care reform and the Patient Protection and Affordable Care Act (ACA), compliance programs are mandatory.

Compliance is also inextricably linked to coding. With health care reform putting pressure on accurate documentation, coding, and billing, there are many benefits to having strong and accurate coding skills, a positive coding-compliance team, and an effective compliance program to ensure correct reimbursement. Having good partnerships may also strengthen an organization’s overall compliance program by increasing a hospital or medical practice’s revenue. Finally, coding and compliance working together can support audit or recoupment efforts and quality measurements; and cooperation can help meet electronic health record (EHR) meaningful use requirements.

Fraud. Waste. Abuse.

These three little words form the government’s mantra for audits and legal actions conducted by the Office of Inspector General (OIG), the U.S. Department of Justice (DOJ), the Office of Civil Rights (OCR), and the Centers for Medicare & Medicaid Services (CMS). As these government agencies look for ways to prevent fraud, waste, and abuse, there are four important federal laws that form the framework for an effective compliance program. Appropriate and effective coding is tied to each of them:

• False Claims Act (31 USC§3729).
  This Civil War era statute has been revised over the years to strengthen the legal underpinnings and penalties for any individual or entity that presents a false (i.e., inaccurate or wrong) claim to the government (i.e., Medicare or Medicaid or other federal health insurance program). When a submitted claim from a hospital is inaccurate, there is the potential that the False Claims Act is being violated.

• Anti-kickback Statute (42 USC§1320a). This law prohibits offering, paying, soliciting, or receiving anything of value to induce or reward referrals or generate federal health care program business. This law directly affects referrals from physicians to hospitals for services and patient care.
• Stark law (42 USC§1395) or the physician self-referral law. Stark law is named after the California congressman who spearheaded the massive legislation. This law prohibits a physician from referring Medicare patients for designated health services to an entity with which the physician (or an immediate family member) has a financial relationship. Given the breadth of this law, any hospital referrals from a physician who receives any form of compensation from that hospital need to be regulated and monitored. Because hospitals, clinics, and physicians are inextricably linked, it is critical to meet the safe harbors, or exceptions, provided in these comprehensive laws regulating provider-hospital relationships. Huge fines, penalties, Corporate Integrity Agreements (CIAs), exclusion from Medicare, and jail are consequences of violation. Although typically not directly involved in physician financial arrangements, coders should at a minimum have confidence that all physician/hospital financial arrangements are appropriate. Coders are often the first to see irregular patterns of referrals, elevated service levels, and inappropriate orders—all possible signs of violations. You can ask managers, compliance officers, and legal departments how physician financial arrangements are monitored. When necessary, question any inappropriate or excessive referrals from a particular provider.
• Health Insurance Portability and Accountability Act (HIPAA) (45 CFR Parts 160, 162, and 164). This law, familiar to all coders, governs the transmission of medical records containing important medical information. HIPAA—under the purview of the OCR—also regulates the disclosure of patient protected health information (PHI). Professional coders know the importance of adhering to strict confidentiality when dealing with the thousands of bits of private medical information coming across their desks each day. With implementation of EHRs, HIPAA kicks in with full force. The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 increased regulations and requirements for preventing and reporting PHI breaches. For instance, a PHI breach affecting more than 500 patients in one geographical area requires notification to the U.S. Department of Health & Human Services (HHS), notification to affected patients within 60 days of learning about the breach, establishing a specific hotline number for patients to call, and other possible consequences. Data nationally indicates the cost for mitigating and responding to each breach is over $200 per record. Any misuse of patient PHI can cause the OCR to audit, investigate, and fine the perpetrator. The OCR has initiated over 100 HIPAA audits in 2012 to review practices of hospitals, clinics, and physicians across the United States. More HIPAA audits are probably on the horizon.

These four main laws, along with Medicare and Medicaid rules and regulations, and other state and federal laws, provide tools to guide effective compliance and coding practices. These laws also provide the leverage for the government to audit and review coding practices, patterns, and claims.

You Can’t Stick Your Head in the Sand

Historically, coders have said, “I just code what is given me; compliance is not my concern.” And in the past, perhaps, knowledge or awareness of some of the aforementioned compliance laws were not on the coder’s radar.

The landscape has changed. As these laws are revised and updated, deliberate knowledge is being removed as a requirement for violation. Laws now contain the verbiage “known or should have known.” For instance, the Anti-kickback Statute is an “intent-based” statute. This means that specific intent to violate the Anti-kickback Statute must be shown to prove a violation. Historically, however, federal courts have interpreted this statute broadly, ruling, for instance, that intent to violate this statute may be inferred from other circumstances.

Conversely, the Stark law is a “strict liability” law. This means that under Stark, lack of deliberate intent or knowledge is not an excuse and proof of intent is not necessary. If there is an improper or illegal physician financial arrangement in place, every referral from that physician is affected as long as the arrangement was noncompliant, and all claims coded and submitted by that physician are suspect.

The False Claims Act was modified in 2009 to make it clearly illegal—defining it as “fraud”—for a hospital or physician to knowingly keep overpayments or money paid to them due to a billing error or wrong payment (i.e., “credit balance”). Entities now have 60 days to repay an overpayment after they know, or should have known, about the improper payment.

In a nutshell: Ignorance of compliance in the changing health care landscape is not bliss. Compliance offices will need to work closely with coding and billing offices to ensure systems and practices are in place to adhere to strict law compliance.

The Government Is Watching

Hospitals and physician practices have seen an exponential increase in government audits and claim reviews. Coders will often be the front end of defense and offense when government auditors review and audit health claims.

The Recovery Audit Contractor (RAC) program is perhaps the most familiar these days, but Medicaid integrity contractors (MICs), Zone Program integrity contractors (ZPICs), Medicare administrative contractors (MACs), and the Comprehensive Error Rate Testing (CERT) program are closely related. All are designed to help the government discern fraud, waste, and abuse—and to recoup federal health care dollars that have been improperly paid.

The U.S. government has repeatedly reported that incorrect claims cost the taxpayers billions of dollars. Consequently, over the past several congressional sessions (both Republican and Democrat led), the OIG enforcement budget has increased dramatically. Government data shows that every dollar invested in compliance recoups anywhere from six to 10 dollars for the government.

The same holds true for third-party payers who have increased their scrutiny of claims, instigating their own independent reviews and audits. From a taxpayer viewpoint, RAC, MIC, MAC, ZPIC, OIG enforcement, etc. are all good ways to ensure Medicare/Medicaid dollars are being paid accurately. But from a hospital or physician practice viewpoint, these programs have added huge administrative burden and costs.

Good News for Coders

The “good news” for professional coders is that these governmental and third-party payer audits reinforce the importance of accurate coding, professional coding standards, and the involvement of coding in an entity’s overall compliance program.

One of the key seven elements of an effective compliance program, according to the OIG, is to have regular auditing and monitoring in place. The basis for most audits of claims is the medical documentation, underlying medical necessity, and then how that translates into the codes and the bill. Coders should increasingly be called upon to help review coding internally, set up effective coding practices, protocols, and procedures, and meet accurate coding benchmarks.

David Lane, PhD, CHC, CPC, CAPPM, is chief compliance and privacy officer at Hawaii Health Systems Corporation.

As Medicare-managed care health plans (Medicare Advantage (MA) plans) expand—especially in the past five years—providers are more regularly affected by “risk adjustment.” When done properly, the risk adjustment model has great potential to enhance the quality of patient care. Unfortunately, risk adjustment is also susceptible to fraud by the proverbial “bad apple.”

Risk Adjustment Basics

Risk adjustment is a modified version of the traditional capitation system. Under traditional capitation, a managed care organization or provider group is paid a fixed amount per member per month (PMPM) to pay for all services the member requires during that period. Traditional capitation sets the PMPM rate based on demographic factors such as the member’s age, gender, and geographic location.

Risk adjustment enhances traditional capitation by adding payments for patients who are being actively treated for certain diseases and conditions known to be expensive to treat. Risk adjustment classifies patient sickness using hierarchical condition categories (HCCs), which are groups of related diagnosis codes. HCCs are similar to diagnosis-related groups (DRGs) or ambulatory payment classifications (APCs) used for hospital reimbursement, but they are based on diagnosis codes rather than procedure codes. Individual patients may fall into multiple HCCs. For each additional HCC, the MA plan is paid an extra amount.

Unlike traditional managed care, where there is a strong financial incentive to seek out only healthy members, the risk adjustment model rewards managed care organizations and provider groups to care for sick members, as well. They can see a significant financial reward if they actively manage those sick members to reduce health care costs.

Risk Adjustment Fraud: “Upcoding” DxCodes

The current design of the risk adjustment system largely relies on MA plans to police themselves. MA plans are responsible for determining which diagnosis codes its members were treated for in the prior year, using a combination of traditional claims data and other medical documentation (such as the patients’ medical charts). The plan then submits the diagnosis codes to the Centers for Medicare & Medicaid Services (CMS) to get the increased risk adjustment capitation payments.

Unethical MA plans and vendors take advantage of the system’s structure to essentially “upcode” the diagnoses they submit to CMS. They do this by submitting a risk adjustment claim to CMS for a diagnosis the member either did not have or was not treated for in the year in question. In such cases, “risk adjustment” may be offered as an explanation for why patient medical records should be changed or “supplemented” (sometimes a year or more after the patient was treated). Or the MA plan, or its vendor, may suggest that a provider call a patient in for an office visit so certain diagnosis codes can be “captured” for “risk adjustment purposes” (regardless of whether the patient actually needed any medical treatment).

CMS rules are clear that a risk adjustment claim may be submitted only if the diagnosis meets ICD-9-CM standards and there is documentation in the medical record that the member was treated face-to-face by a qualified provider in the year questioned.

Common schemes used to upcode diagnoses for risk adjustment purposes include the following:

Coding from Problem Lists: CMS rules explicitly state that a “problem list” may be used only to code a diagnosis if it is “comprehensive and show[s] evaluation and treatment for each condition that relates to an ICD-9-CM code on the date of service.” It is improper to submit risk adjustment claims for diagnoses that are merely mentioned in the member’s problem list if the diagnoses were not treated or considered by the provider during that visit.

Improper Linkages: The risk adjustment system pays MA plans a higher capitation rate when certain conditions are “linked.” For example, a patient may have both diabetes and nephropathy. CMS will pay the MA plan more if the diabetes caused the nephropathy because diabetes with renal complications is generally significantly more severe than diabetes without complications. Diabetes without complications, which falls within HCC 19, has an average value of $1,500 per year. In contrast, diabetes with renal manifestations, which falls within HCC 15, is valued at over $4,500 per year.

For an MA plan to submit a linked diagnosis code to CMS, the provider must document the linkage between the two conditions in the medical record. It is improper for an MA plan or vendor to assume the two conditions are linked.

Coding from Test Results or Prescriptions: CMS prohibits the submission of risk adjustment claims based solely on laboratory or radiology test results, drug prescriptions associated with particular diagnoses, or durable medical equipment (DME) services. Nonetheless, certain MA plans and vendors include diagnosis codes in their risk adjustment submissions even though they appear only on those invalid sources of documentation.

Chronic Conditions: While it is true that some conditions (such as Parkinson’s) never go away, this does not mean that the diagnoses can be submitted to CMS every year. Risk adjustment rules explain that a condition may only be submitted for reimbursement if it is actively treated (or affects other treatment) in the year in question. It is not enough that the patient was diagnosed or treated for the condition at some point in the past.

Targeted Coding: Some organizations pressure coders to focus on identifying high-value diagnoses, rather than coding just what is in the medical record. Some common high-value targets include:

• Cachexia/Malnutrition (HCC 21) – value of $7,800 per year
• Old myocardial infarction (MI) (HCC 83) – $2,200 per year
• Diabetes with complications (HCC 15) – $4,600 per year
• Major depression (HCC 55) – $3,200 per year

Know the Red Flags

If a coder involved in chart reviews or an audit related to risk adjustment sees any of these activities, there is a strong likelihood the coder is dealing with fraud. If someone tells a coder to use a diagnosis code that doesn’t meet ICD-9-CM standards and says it is OK because “risk adjustment coding is different than regular coding,” that is a major red flag indicating the health plan or vendor is engaged in fraud.

At its core, risk adjustment coding is “regular coding,” but stricter. Even where a diagnosis meets traditional ICD-9-CM standards, it may not be submitted for risk adjustment purposes unless the diagnosis is: (1) documented by the provider in the medical record as having been treated or as affecting the patient’s treatment; (2) made during a face-to-face encounter; (3) submitted to the MA plan from a qualified provider type; and (4) made during the specified calendar year.

Risk Adjustment Fraud and the False Claims Act

At a May 31, 2012 MA compliance conference, federal prosecutor Robert Trusiak noted that MA fraud—in particular risk adjustment fraud—is a “hot button issue” for the Department of Justice (DOJ). Trusiak further noted that MA plans face potential liability under the federal False Claims Act (FCA) for false risk adjustment claims, even when the upcoding or other fraud was perpetrated by a vendor on the plan’s behalf.

The FCA says any person who submits a false or fraudulent claim to the United States or causes someone else to submit a false or fraudulent claim may be liable for three times the amount of the false claim, plus an additional penalty of up to $11,000 for each false claim. To encourage whistleblowers to report fraud, the FCA contains a qui tam provision awarding whistleblowers 15-30 percent of what the government recovers as a result of whistleblower lawsuits they file against individuals and entities committing fraud.

The government has already begun enforcement against unscrupulous MA plans attempting to game the risk adjustment system. In United States v. Janke, the government sued an MA plan under the FCA for submitting upcoded (or non-existent) diagnosis codes for risk adjustment payments. The DOJ settled with the MA plan and its owners for $22.6 million in November 2010.

Be Cautious and Speak Up

As Trusiak cautions, the FCA targets not only the person or organization submitting a false claim, but also anyone who “causes the submission” of a false claim. This means that MA plans are not the only ones who face potential liability under the FCA for false or fraudulent risk adjustment claims. Hospitals or physician groups could be liable, as well, if they submit false information about their MA patients’ diagnoses to MA plans and that false information is used to submit a false risk-adjustment claim to CMS.

To avoid this risk, you should ask to review rules used by vendors when those vendors are identifying “new” diagnoses. Don’t hesitate to speak up if the standards being used by an outside reviewer don’t line up with the established CMS coding rules your organizations are using. Providers should insist on reviewing any code submissions made for their patients—especially when an MA plan or vendor has reviewed the providers’ medical record and identified new diagnoses—to ensure the patient actually had that particular diagnosis and was treated for it during the visit. Coders, administrators, and providers can all take steps to prevent or stop risk-adjustment fraud.

Mary A. Inman, JD, and Timothy P. McCormack, JD, are partners at Phillips & Cohen LLP, a law firm representing whistleblowers (www.phillipsandcohen.com). Whistleblower cases brought by the firm involving Medicare and Medicaid fraud, and other types of fraud against the government, have returned more than $8.5 billion in civil settlements and related criminal fines to federal, state, and local governments.