“The Elephant in the Room”

July 27th, 2010, Elaine

A big part of BPS Resolver’s business continues to be in the arena of Risk Assessments. I’m a firm believer that the Risk Control Self Assessment (RCSA) is the easiest component of a GRC program to implement and also possibly the most powerful. These are collaborative sessions, supported by software, in which management teams or project teams attempt to look into the future and determine what events might transpire that will keep them from achieving their corporate objectives. This is the best definition of a Risk. Our customers and partners that do this right have embedded it into their strategic planning process. Risk heatmaps are the other side of the planning coin. In some cases, budgets are not assigned to initiatives or departments unless a proper Risk Map can be presented and defended.

It’s easy to jump on BP these days, but it strikes me that in one of these simple sessions someone would have come up with the Risk that they may have a leak (major or minor) in a deepwater well. This would have led to a discussion on the controls that exist – or should exist – to ensure this does not happen. Apparently there is a control for this and they did not have it in place. The next step would have been to determine mitigating activities and plans if this risk were to occur, and management would conclude that indeed it would be a good thing (a REALLY good thing) to have a detailed plan for this type of event.

If the first interaction with the press started with a statement indicating that BP had a detailed and thorough plan to deal with this situation, and they could even depict that plan along with the resources committed, I think the public reaction would have been different. If such a plan existed, the financial impact to BP, both in enterprise value, damage to their brand and the amount of cash needed to repair the situation would have been lessened. More importantly, the environmental and economic impact to the Gulf region would have been curtailed as well.

BPS Resolver often facilitates RCSA’s and often these types of high impact, low likelihood Risks emerge. Consider what these Risks might be for your business and ask yourself as a management team whether they are the ‘Elephant in the Room’ or whether you have thoughtful plans and the resources necessary to deal with them.

Steve Taylor
CEO
BPS Resolver Inc.

Medicare Audits & Appeals

June 18th, 2010, Elaine

Over the past decade, CMS (the Centers for Medicare & Medicaid Services) has ramped up efforts to ensure that healthcare providers are paid only for services rendered that (1) meet requirements as originally established within the Social Security Act and subsequent regulations, (2) meet Medicare provider contractual obligations (Conditions of Participation) and (3) meet CMS payment criteria or Medicare coverage criteria.

CMS is investing millions of dollars in dozens of separate – but coordinated – enforcement efforts to force providers to adhere to Medicare rules & regulations. Unfortunately, although the vast majority of providers support the aggressive pursuit of fraud & abuse, wide ranging challenges face those same providers when striving to achieve 100% compliance with Medicare coverage criteria.

Top 5 Barriers to Medicare Compliance

Ok, let’s be honest. While the barriers to Medicare compliance are too numerous to address in the body of this discussion, the following would be generally considered as the TOP 5:

1) First and foremost, the Medicare regulatory environment is so dynamic that even the most highly trained and skilled professionals struggle with day-to-day updates. Decentralized and potentially conflicting guidance from 100s of CMS contractors, continually changing regulations and disparate CMS payment criteria / Medicare coverage criteria resources are just a few major focus areas.

Today, the nation’s leading source of CMS Payment Criteria / Medicare coverage criteria is the CMS PI Warehouse. Simply put, the Warehouse is a “game changer” for healthcare providers seeking the absolute best guidance and insight to CMS documentation, billing, payment and medical necessity related issues.

2) Providers nationwide are making documentation, coding & billing decisions based upon an array of information and insight from sources other than CMS. While these sources may provide an important advisory role they don’t have authority over Medicare payments. Some of these include consultants, professional associations, commercial admission screening or “medical necessity” criteria, peers, lawyers, certification organizations, physician advisors and software vendors.

3) Making changes isn’t nearly as easy as it sounds. With a 10% unemployment rate and potential fraud implications associated with Medicare billing practices, it can be very difficult to gain buy-in from key decision-makers. No one wants to be the messenger when it can mean major repayments and reduced cash flow for the foreseeable future.

4) The nation’s best attorneys – like Robert Benvenuti, the former Inspector General of Kentucky – are advising clients to make every effort to adhere to Medicare coverage criteria. However, arguing vague notions of “medical necessity” can be a boon for unscrupulous attorneys and consultants. There are far too many consultants and other attorneys looking to tap into provider emotions and cash-in on provider retainers.

5) Discussions with, and education of, medical staff can be very stressful and are often avoided for political (or personal survival) reasons.

Overcoming the Barriers to Medicare Compliance

No real magic here – simply, embrace CMS Payment Criteria / Medicare Coverage Criteria as the core foundation of your financial infrastructure. Put another way, don’t let anything – other than documented CMS & CMS contractor guidance – be the foundation for your decisions relating to potential Medicare beneficiary coverage & payment.

Sound simple? It’s really not. In order to “embrace” Medicare coverage criteria, you first have to know what it is. In order to know what it is, you have to find it, evaluate it, understand it, synthesize it and then do something with it. Oh yeah, you also have to convince everyone around you that it is the right thing to do and hope that the coverage criteria doesn’t change before you can get it implemented.

This is where the CMS PI Warehouse comes into play – it is the game changer. The Warehouse is the ultimate source for providers looking to understand and integrate real-time CMS Payment Criteria / Medicare Coverage Criteria at the heart of their organizations. The Warehouse does the heavy lifting for you. Backed by over 25,000 hours of industry-leading expert analyses, the Warehouse is the ultimate solution to overcoming Medicare compliance barriers.

CMS PI Warehouse – What is it?

It really is the game changer. The Warehouse is your one-on-one, real time connection to the nation’s leading Medicare professional compliance resources. We’ve taken the best and brightest Medicare coverage experts and invested over 25,000 hours in identifying, evaluating, analyzing and synthesizing Medicare coverage criteria from 10,000+ CMS and CMS contractor documents. We’ve packaged the outcomes in a web-based, security conscious solution that is truly unmatched in the industry.

• Dedicated CMS Internal Audit Functionality

• CMS Targeted Audit Focus Areas

• 10,000+ CMS Document Library

• CMS Payment Criteria / Medicare Coverage Criteria Modules

• Easily Modified Continuing Education Program Templates

• On-line CMS Appeals Processing

• Management Reporting, Work Queues and much, much more…

Tim Johnson
Executive Director
Jackson Davis HealthCare

Reactive vs. Proactive, in Identifying and Mitigating Risks

May 28th, 2010, Elaine

Too many companies and organizations are *reactive* rather than *proactive* in identifying and mitigating risks.  It amazes me how businesses fail to learn the lessons they see in the news every day.

When the Nigerian would-be terrorist tried to blow up a plane on Christmas Day 2009 with explosives stashed in his underwear, I, like many others, wondered how TSA/Homeland Security could have missed that.  There are explosives-detecting machines in many airports – the devices the size of a phone booth that blow air at you – but they’re not in *all* airports.  I don’t know whether the airport at which he boarded had those devices, but even if they didn’t, I’ll bet they made him take off his shoes.

It’s been nearly ten years since the Shoe Bomber tried to blow up a plane.  Perhaps the lesson at that time was not, “Hey, you can blow up planes with explosives hidden in your shoes,” but “You can blow them up with explosives hidden *anywhere* in your clothing.”  Now that we’ve figured out what WMD one’s Fruit-Of-The-Looms can be, we should take this a step further and remember the lessons learned back in the 1970s when people tried to smuggle drugs internationally by swallowing packets of heroin.  See where I’m going with this?  Bring on the full body scan machines, which we should have brought on after the Shoe Bomber, but make sure they can look deep enough.  Don’t wait for someone to blow up a plane with swallowed explosives.  You can bet someone’s working out that angle in a cave in Afghanistan right now.

Now you can’t bring liquids onto a plane, or if you do, they can’t be more than three ounces and must be stored in a Ziploc bag.  (What, to make it more inconvenient for the terrorist to have to remove it first?)  How does TSA *know* the liquid inside isn’t dangerous?  They never check *mine*.  It could be acid, poison, nitroglycerine, who knows.  Do we have to wait for someone to create havoc with a TSA-approved hand lotion travel bottle?

I don’t mean to pick on TSA/Homeland Security particularly (or to angle for a spot on the no-fly list – that’s shampoo, really!  When no one can wash their hair the terrorists have won!) but it’s one example of many that I see in the news headlines of organizations that spend more time closing the barn door rather than making sure the horse doesn’t escape to begin with.

Every day I speak with people all over North America who say they don’t have an interest in ERM or doing regular risk assessments, or senior management doesn’t think it’s necessary, or they lost the budget again for it, or they just don’t see the value.  Because volcanoes, underwater oil gushers, terrorists and mysteriously faulty brakes happen to *other* companies, right?

By: Nicole Chardenet, Inside Sales

Why “What keeps you up at night?” is the wrong question:

May 27th, 2010, Rich

When identifying risks, the question often asked is “What keeps you up at night?”. Let me explain why this is a, well… risky question to ask.

Consider that the principal goal of risk management is to ensure that an organization performs as expected. In other words, it achieves its objectives. Therefore the risks that you identify need to be directly related to your organization’s objectives. Risks not related to the achievement of corporate goals are off strategy – a distraction.

“What keeps you up at night?” is a disembodied question that will result in both relevant and irrelevant risks. Here is the question to ask…

“Considering the objective to… (describe a key objective), what events may prevent the organization from achieving this objective?”

The result will be risk events that are well aligned with management’s goals. Feel free to present your interviewee with a list of potential internal and external risk categories to refer to when answering the question. For example, economic, competitive, strategic, HR, financial, technology, information, and corporate integrity are some of the major categories. There are up to 100 subcategories that fall under these major categories as well (business is complex!).

This objectives-focused question will ensure that your risk management process is strategic and focused on corporate performance.

by Richard Wilson
BPS Resolver Risk Advisory Practice Leader

How to Identify Your Hidden Catastrophic Risks!

May 17th, 2010, Elaine

I was talking to a client recently about the bigger risks that could seriously harm their company. He cited a recent example where a newly acquired small entity almost caused the parent company to be delisted from their exchange. The acquired company refused to share some of their financial information with the parent and as a result they weren’t able to file quarterly reports until the subsidiary was sold. They came within an inch of being delisted.

Every company has hidden liabilities such as this. Some are obvious such as having too much reliance on a single customer for revenue, or too much reliance on a single supplier for goods or services. In other cases the problem is equally risky but not as obvious. An effective way to get visibility on ALL of these major risks is to combine business continuity planning (BCP) with risk management.

Risk management tries to determine the likelihood of uncertain events occurring, while BCP assumes these uncertain events occur and plans alternate routes and recoveries. During your risk identification process you will inquire about events that may prevent your company from achieving its objectives. Try reverse engineering this process to say, “assume that this objective fails – what events could cause this to happen?” The answers you receive will include catastrophic risks that no one assumes will happen.

For example, asking about risks related to losing a big revenue stream may result in a limited list of risks due to optimism about how the company is operating. However, assuming that the big revenue stream just disappeared, and asking for potential causes, will uncover new potential risks. The optimism that blinds you to potential risk will be replaced by creative thinking about previously unconsidered risks.

A case in point is the recent volcanic eruption in Iceland that grounded entire fleets of planes. If you asked what risks would ground an entire fleet, volcanoes may not have been identified. But assuming the entire fleet has just been grounded, and asking for potential reasons why, will prompt potentially uncreative people to think more broadly.

by Richard Wilson
BPS Resolver Risk Advisory Practice Leader
richard.wilson@bpsresolver.com

Positioning Risk Management at the C-Level

May 11th, 2010, Elaine

In 2010 it’s not uncommon for a Board to give their management team a mandate to implement a risk management capability.  I’m seeing it more and more.  In this situation the internal or external consulting team engaged to implement the mandate will need to approach the management team in a very specific way.

Firstly, expect that the CEO or CFO may not fully understand the benefits of risk management and may interpret this as a challenge to their corporate governance.  It is important to communicate the benefits of an ongoing risk management process upfront.  Clarifying to management that this is a value sustaining or value creation activity is critical. Here are several key benefits:

  • Increasing the likelihood that your organization will achieve its objectives (by integrating risk management with the strategic plan)
  • Lowering business volatility by increasing visibility on events that can derail your performance
  • Treating risk as “neutral” so that opportunities can also be identified and pursued
  • Creating a centralized view of risks and creating efficiencies in risk identification and treatment
  • Closing the gap between risk management and capital allocation
  • Etc…

Secondly, position it as a process, as opposed to a project.  Processes get dedicated resources, projects don’t!

Thirdly, demonstrate how a well run risk management program creates a culture of accountability across the organization for identifying and managing risk.  This will result in higher product/service quality, fewer incidents, and better planning overall.

Finally, show your CEO how the market rewards companies with sound risk management practices.  Ratings agencies, capital markets, and creditors are all starting to differentiate risk-informed companies from the rest of the competition.

These are just some of the tangible benefits that you should communicate to your management team to ensure they are supportive of your risk management program.

by Richard Wilson

BPS Resolver Risk Advisory Practice Leader

Richard.wilson@bpsresolver.com

Risk: It’s how you word it!

May 7th, 2010, Elaine

One of the greatest risk management challenges I have seen over the years is wording risks properly. It sounds simple enough (and it is!). So why is there such inconsistency in wording risks? The first reason is that there is no universal standard to follow. The second is that there are too many interpretations about what risk is. Finally, risk carries a negative connotation in many organizations, (sadly), so people try to describe their risks in a positive way to position them more favourably.

Well worded risks are a cornerstone to a successful risk management program. If people across your organization end up with multiple interpretations about your risks, the credibility around your risk scores will fall. Getting the wording right is pretty important.

Allow me to suggest an easy and reliable way to word your risks. To begin with, remember that a risk is an event. Secondly, it is an event that may prevent you from achieving your objectives. Therefore, the simplest way to word your risk is “X may happen”. For example, “Sr. executives may leave the company”, or “Production at the plant may fall by 20%”, or “Interest rates may rise above 5%”. All of these risks are clear, and since they are worded in the future, should not be threatening to newly emerging risk management cultures.

Follow each risk with “context bullet-points”. These are the data points about the risk that people should consider. For example:

Production at the plant may fall by 20%

  • our packaging supplier is in financial trouble
  • our competitors are trying to hire away plant staff
  • our plant wages are not competitive
  • unpredictable weather patterns in that region are expected
  • etc…

Here is a test to see if your current set of risks need rewording:

  • Do any of your risks begin with “A lack of…”, or “The inability to…”? (If so, they are describing situations within which a risk may occur and not the event itself.)
  • Do any of your risks contain the words “and”, or “or”? (If so, you have combined two events which will be difficult to score.)
  • Are your risks worded as objectives in the positive? For example, “Retain our senior executives”. It’s a great objective but doesn’t describe the effect of uncertainty on objectives.
  • Is the risk tied to one or more objectives so that it is clear where the challenge to the organization lies?
  • Do your risks have contextual data points attached to them?

Following this approach will clarify your risks and heighten the likelihood of a common interpretation. It’s really that simple!
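As an added illustration that is not part of the original post, here is a small Python linter that applies the rewording test above to a constructed register of risk statements. The set of imperative verbs used to spot objectives worded in the positive is an assumption, not something the post specifies.

```python
import re

# Added example, not BPS Resolver's code: lint risk statements against the
# post's rewording test ("A lack of...", "and"/"or", positive objectives,
# tied to an objective, context bullet-points attached).

SITUATION_OPENERS = ("a lack of", "the inability to")
# Assumption: imperative verbs that usually open an objective rather than an event.
OBJECTIVE_VERBS = {"retain", "achieve", "maintain", "increase", "improve",
                   "ensure", "deliver", "grow"}
MODAL_RE = re.compile(r"\b(may|might|could)\b", re.IGNORECASE)
CONJUNCTION_RE = re.compile(r"\b(and|or)\b", re.IGNORECASE)


def lint_risk(statement, objectives=(), context=()):
    """Return the wording problems for one risk; an empty list means it passes."""
    text = statement.strip().rstrip(".")
    lowered = text.lower()
    words = lowered.split()
    findings = []

    # Rule 1: "A lack of..." / "The inability to..." describe a situation, not an event.
    if lowered.startswith(SITUATION_OPENERS):
        findings.append("situation, not event: starts with 'A lack of' / 'The inability to'")

    # Rule 2: "and" / "or" means two events have been combined and cannot be scored as one.
    if CONJUNCTION_RE.search(text):
        findings.append("combined events: contains 'and' or 'or', split it so each can be scored")

    # Rule 3: a risk is worded in the future ("X may happen"); an imperative verb
    # with no modal is an objective in the positive, not a risk.
    if not MODAL_RE.search(text):
        if words and words[0] in OBJECTIVE_VERBS:
            findings.append("positive objective, not a risk: describes the goal, not the uncertain event")
        else:
            findings.append("not worded as a future event ('X may happen')")

    # Rules 4 and 5: tied to an objective, and carrying context bullet-points.
    if not objectives:
        findings.append("not tied to any objective")
    if not context:
        findings.append("no context bullet-points attached")
    return findings


def lint_register(register):
    """Lint every entry; returns {statement: findings} only for entries needing rewording."""
    report = {}
    for entry in register:
        findings = lint_risk(entry["risk"], entry.get("objectives", ()), entry.get("context", ()))
        if findings:
            report[entry["risk"]] = findings
    return report


# Constructed sample register: the post's own example plus the anti-patterns it lists.
SAMPLE_REGISTER = [
    {"risk": "Production at the plant may fall by 20%",
     "objectives": ["Meet annual production target"],
     "context": ["our packaging supplier is in financial trouble",
                 "our competitors are trying to hire away plant staff"]},
    {"risk": "A lack of qualified plant staff",
     "objectives": ["Meet annual production target"],
     "context": ["our plant wages are not competitive"]},
    {"risk": "Key executives may leave and the share price may fall",
     "objectives": ["Retain leadership"],
     "context": ["two VPs approached by competitors"]},
    {"risk": "Retain our senior executives",
     "objectives": [], "context": []},
]

if __name__ == "__main__":
    for risk, findings in lint_register(SAMPLE_REGISTER).items():
        print(risk)
        for finding in findings:
            print("  -", finding)
```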


by Richard Wilson

BPS Resolver Risk Advisory Practice Leader

Richard.wilson@bpsresolver.com

Governance, Risk and Compliance (GRC) XBRL or XML

April 15th, 2010, James

The Governance, Risk and Compliance (GRC) technology landscape is large and diverse. A truly complete GRC solution would be comprised of many modules including risk modeling, risk assessment, policy management, helpline/whistleblower, access controls management, incident capture and management, investigations management, controls monitoring and management, root cause analysis, audit management and more. While many Governance, Risk and Compliance (GRC) vendors claim to have a complete solution, the reality is that GRC is too big for any one vendor to meet every need. No one vendor today actually has a complete solution. Depending what you include as GRC, it’s likely no one vendor will ever have it. Even amongst those vendors who can tick many of the GRC boxes, each has different strengths and weaknesses that might limit which GRC modules a company might purchase.

Today’s reality is that any complete solution will be comprised of multiple vendors (for example BPS Resolver for ERM, Compliance and Audit and SymSure for Continuous Controls Monitoring). Looking at the market, many vendors, including us, have created partnerships and alliances to bring a more complete solution to clients. However, this approach is somewhat limiting and clients can’t really mix and match a solution from any vendor they choose without custom projects. Custom integration projects are required because there is no industry standard common GRC interface or language that would allow GRC systems to consume and publish data.

Enter GRC XBRL. XBRL stands for Extensible Business Reporting Language and is an open standard based on XML to define a common language for business reporting. GRC XBRL (sometimes called GRC XML) is a GRC specific definition built on the foundation of XBRL by the Open Ethics and Compliance Group (OCEG), including members from Approva, Thomson Reuters, Fujitsu, and PricewaterhouseCoopers. The alpha version of the standard was released to peer-review in October 2009 and should be published for widespread consumption in 2010.

Currently, no technology vendor reads or writes data to this open standard. The benefits of all GRC vendors adopting GRC XBRL as a common language would be enormous. To date, all systems integration has been customized and proprietary. If all GRC vendors adopt GRC XML and provide standard interfaces to publish and consume this data, the GRC market would enter a new era of plug and play components. Clients could choose a GRC backbone platform and add specialized components or modules from other vendors that best suit their business needs.

Another interesting opportunity from GRC XBRL is that it provides a common language across companies and industries to share and compare GRC data. In the future, GRC XBRL could be a mechanism for companies to benchmark their progress and practices against their peers in industry and geography.

In the same way that XBRL is transforming the business reporting landscape, GRC XML will soon have a large impact on GRC applications. All vendors with GRC related applications should move to support this new standard.

5 Lessons When Using Microsoft Excel for Your Governance, Risk and Compliance Needs

April 11th, 2010, James

As a subject area Governance, Risk and Compliance (GRC) is broad and all encompassing. It includes legislative compliance, risk management, policy and procedure management, incident management, control monitoring and audit. The scope can be overwhelming. It can be a nightmare for those trying to manage it. Governance, Risk and Compliance (GRC) applications are meant to manage these complex interactions, but too often they make it more complicated.

According to Michael Rasmussen, Microsoft Excel (in concert with SharePoint and Word) is the most widely used Governance, Risk and Compliance (GRC) software. This approach certainly has many shortcomings, including security, data consistency and integrity, ease of reporting and version management. Most users of the spreadsheet-based approach recognize the need for a true GRC backbone platform. However, Microsoft Excel has some valuable lessons that Governance, Risk and Compliance applications could learn.

1. Simple but Powerful

The concepts behind a spreadsheet are simple yet incredibly powerful. Users can enter almost any kind of information, create functions and relate information. And spreadsheets don’t require a lot of configuration; users can just open a workbook and begin. GRC systems should also be flexible enough to capture any sort of information, provide facilities to calculate or rollup information and allow multiple relationship modeling. All this should be presented in an interface that is obvious and familiar to the user, perhaps in an interactive table similar to Excel.

2. Ubiquitous

It is very rare to find a business desktop that does not have MS Excel installed or a user who does not know how to use it. This application is so pervasive and well known that it is second nature to users. GRC systems should be the same way. They should be deployed on every user’s workstation in the company. Users should employ them as part of their daily life. GRC should become a ubiquitous part of their work experience, ingrained deep in the roots of daily activities.

3. Flexible

The spreadsheet was one of the first “killer apps” for the computer. This visible calculator unleashed the power of the PC, and its incredible flexibility gave rise to an almost infinite number of uses. GRC platforms must also be flexible and adaptable. The GRC environment is rapidly changing and evolving, and backbone applications must have powerful modeling capabilities to match. This modeling ability must be easy to configure by end users who can take ownership of the system and keep it up to date.

4. Intuitive

Spreadsheets make sense. Generally, users look at them and know exactly what to do. They are accustomed to the table format that allows them to see and interact with large quantities of data at the same time. GRC platforms must also be intuitive to end users. As roles change in an organization, users will come and go and must be able to quickly learn and use GRC platforms as they relate to their duties. GRC platforms must be intuitive, easy to learn and present information in a fashion that users are accustomed to.

5. Unobtrusive

Excel is a normal part of knowledge workers’ everyday existence. It is an essential tool used in everyday activities. Users don’t think of it as another application they have to learn. It is just part of their life and routine. GRC platforms must also become unnoticeable to end users. They should not inconvenience users or put them out of their normal routine. This is essential if GRC platforms are to have widespread usage and adoption within an organization.

SEC’s New Rules Provide Investors With Half The Risk Management Story

March 30th, 2010, Elaine

The US Securities and Exchange Commission (SEC) recently approved “new rules to enhance the information provided to shareholders so they are better able to evaluate the leadership of public companies.”  Their focus is on corporate governance, compensation, and risk.  While the SEC has made progress creating transparency for governance and compensation, they are still struggling to properly reveal a company’s risk management profile.
 
The SEC is striving to make corporate leaders act in an ethical, accountable manner.  They are effective at legislating corporate transparency, disclosure, and exposing conflicts of interest.  However, regulating a company to disclose how it manages risk is trickier.  Highly effective risk management identifies and manages risks that can prevent an organization from achieving its key objectives.  Therefore disclosing your key risks will also disclose your strategic secrets.  Publishing your detailed corporate objectives would be tantamount to competitive suicide, hence the SEC’s challenge.
 
The SEC’s approach as a result remains limited to revealing the board’s role in the risk oversight of the company.   It’s an arm’s length view of the company’s risk profile.  Understanding the Board’s role in risk oversight is a long way from understanding how much risk a company is adopting or how it is addressing its risks.  The SEC is now distinguishing between good ethics, and sound strategic risk management.  The former is appropriately disclosable, the latter is not. 
 
The SEC is only one oversight body who is trying to increase risk management in companies.  For example, Standard and Poor’s is beginning to apply high level risk management analysis to the companies it covers.  But ultimately, risk management is about ensuring corporate performance,  and maintaining stakeholder confidence in your company.  Don’t rely on third parties to manage public expectations about your company’s risk management program.  Use your website and other corporate communications to instill confidence that you are effectively managing risk.

Written by: Richard Wilson