Home Health & Hospice Week

And any PHI breaches from novice billing contractors are on you, MAC stresses.

Fraudsters looking to game the financial techni­calities of Medicare and Medicaid are in the feds’ crosshairs, according to a new OIG Work Plan item and Justice Department case.

The HHS Office of Inspector General has added “Securing Medicaid and Medicare Payments to Providers” to its OIG Work Plan.

Background: “Federal and State Governments reimburse health care providers and facilities electronically for providing health care services,” the OIG explains. “Sometimes a provider or facility may change financial institutions to receive payment by using an electronic funds transfer (EFT) authorization request,” it says.

“Since at least 2020 OIG has investigated schemes that have allegedly exploited vulnerabilities in EFT authorization forms to redirect provider reimbursements to their own bank accounts. Many State Medicaid agencies and Medicare Administrative Contractors (MACs) have been victims of this type of fraud over the past 3 years,” the OIG says.

For example: Last November, authorities charged 10 defendants in multiple states “in connection with multiple business email compromise (BEC), money laundering, and wire fraud schemes that targeted Medicare, state Medicaid programs, private health insurers, and numerous other victims and resulted in more than $11.1 million in total losses,” the Department of Justice says in a release.

The charges relate to schemes in which “fraudulent emails from accounts resembling those associated with actual hospitals were allegedly sent to public and private health insurance programs requesting that future reimbursements be sent to new bank accounts that did not belong to the hospitals. Unwittingly, five state Medicaid programs, two Medicare Administrative Contractors, and two private health insurers allegedly were deceived into making payments to the defendants and their co-conspirators instead of depositing the reimbursement payments into bank accounts belonging to the hospitals,” the DOJ recounts. “The defendants and their co-conspirators allegedly laundered the proceeds fraudulently obtained from these health care benefit plans and from other victims by, among other things, withdrawing large amounts of cash, layering them through other accounts they or their co-conspirators opened in the names of false and stolen identities and shell companies, transferring them overseas, and purchasing luxury goods and exotic automobiles,” the release says.

“Millions of American citizens rely on Medicaid, Medicare, and other health care systems for their health care needs. These subjects utilized complex financial schemes … to defraud and undermine health care systems across the United States,” Assistant Director Luis Quesada of the FBI’s Criminal Investigative Division says in the release.

Under the new OIG Work Plan task, the agency “will collect information from States and MACs about EFT vulnerabilities and assess the feasibility of possible solutions to strengthen EFT fraud prevention efforts,” it says. And “we will collect information about any actions taken by CMS to address EFT fraud and assess the feasibility of CMS systems playing a role in fraud prevention efforts.”

CMS appears to be taking steps already.

“A provider/supplier may only have one EFT account and one special payment address (SPA) per enrollment,” says a new update to the Medicare Program Integrity Manual. “Multiple EFT accounts or SPAs within an existing enrollment will remain in effect only until the provider/ supplier submits any update to its EFT information or SPA data, respectively, for any of these accounts or addresses. At that time, the EFT account or SPA for which the provider/ supplier submitted the update will become the lone EFT account or SPA (as applicable) for that enrollment,” say the revised instructions included in Change Request 12880 issued Nov. 4, 2022.

Plus: At least one HHH MAC is beefing up its security around claims.

“To protect the privacy of Medicare beneficiaries and providers, Medicare Administrative Contractors (MACs), like CGS, are required to authenticate certain elements before releasing beneficiary-specific information,” the MAC says in a new post to its website. “Claim-specific/eligibility questions require you to authenticate … elements using our Computer Telephony Integration (CTI) system.”

Those elements include items like the provider’s National Provider Identifier (NPI) number, the last five digits of the provider’s Tax ID Number, and the patient’s Medicare Beneficiary Identifier number, CGS offers.

“Beginning May 1, 2023, claim- and eligibility-specific calls received in the Provider Contact Center (PCC) that are not properly authenticated will be transferred back to the CTI line to complete this required step,” CGS warns.

Trust But Verify Your Contract Billers

Of course, those changes also may have to do with nuisance calls from third-party billers lacking basic claims system know-how.

“Recently, we have noticed an increase in inquiries from billing companies and outsourced agencies, where some are failing and/or refusing to use the IVR or myCGS” systems, CGS notes in a message to providers. “Additionally, some of these individuals are not familiar with basic Medicare coverage or billing requirements. A pattern we also recognize is generic, scripted questions that are asked repeatedly with the same exact response each time, and questions that can easily be answered by reviewing the Remittance Advice, using myCGS, the IVR and/or our website.”

CGS isn’t going to let this fly, it implies. When the MAC recognizes such a pattern, “CGS may contact the billing provider to discuss these activities, as they tie up the PCC phone lines unnecessarily by increasing the amount of time our staff spends on a call,” it says.

“Remember — you contract with these companies, and they represent” you, CGS stresses. “If you use a billing company or outsourced agency, you can help by making sure that you provide them with access to the Medicare remittance notices and other notifications (e.g., appeals letters, requests for additional documentation, etc.) for services and claims they work.”

Your billing reps also need to employ “staff that have knowledge of the Medicare program, are aware of and follow Medicare rules and regulations, [and] have access to and understand how to use the IVR and/or myCGS to verify patient eligibility and check claims status,” CGS tells providers.

Plus: “The responsibility to guard Medicare beneficiary Protected Health Information (PHI) lies with the provider and not with the billing company or outsourcing agency,” CGS reminds. “If a PHI disclosure were to occur, the provider would be held liable for any financial penalties related to that disclosure. It is important that you verify adequate processes are in place to ensure PHI is protected,” the MAC warns.