As the use of artificial intelligence (AI) in the administration of health care increases this year, compliance officers should keep an eye out for its evil twin. AI may make it easier for threat actors to evade some of the protections against cyberattacks even as it promises to improve efficiency and compensate for staff shortages.
The thrills and chills of AI will be a focus of 2024, experts say. There’s been a lot of movement in the use of AI platforms to power medical coding, and “2024 will be a watershed moment,” said attorney Kyle Gotchy, with King & Spalding in Sacramento. “A lot of compliance and legal considerations are wrapped up in that.”
At the same time, cybercriminals will increasingly exploit AI to make it harder for health care organizations to thwart phishing, said Barry Mathis, a principal at PYA. “Generative AI will be getting into the cybersecurity world,” he predicts. “2024 will be the year of ‘don’t trust anything and verify it twice.’” Threat actors will use deep fakes to mess with everyone’s heads. “As much as we are thrilled to pull up our phone and say, ‘Write me a country song about missing my wife,’ bad actors are using AI to create email that looks like it comes from the CEO asking for information from your W2,” Mathis said.
Although AI and cyberattacks are two of the more theatrical events on the horizon, many others will unfold (or continue) this year, according to compliance officers, attorneys and consultants. In 2024, the HHS Office of Inspector General (OIG) is expected to start releasing industry-specific compliance program content for various providers and suppliers on the heels of General Compliance Program Guidance (GCPG) it unveiled Nov. 6.[1] Hospitals are laser focused on whether there will be a material improvement in Medicare Advantage (MA) payments, processes and audits now that CMS’s rule on MA policy and technical changes took effect Jan. 1.[2] They also anticipate ongoing audits of post-acute care, cardiac procedures and other high-dollar areas. New price transparency rules took effect and more may be coming because of pending legislation, while the end of 2024 will close out certain telehealth flexibilities.
How much flex CMS will have in the future depends on a forthcoming decision from the U.S. Supreme Court about the fate of so-called Chevron deference. The way it stands, courts generally defer to agencies like CMS when a statute is ambiguous, but that’s being challenged in Loper Bright Enterprises vs. Raimondo, said attorney Andy Ruskin, with K&L Gates in Washington, D.C.[3] “The Supreme Court won’t throw out Chevron deference, but they may say, ‘We no longer should tell you that if a statute is not clear, any rationale an agency puts forward will be upheld as long as it’s not laughable,’” he explained. “The Loper case could really reach down to all interactions with CMS and regulated parties because it will go to what they can do through regulations or guidance. It’s really significant.”
In the enforcement arena, the knives are out for private equity and other investment funds involved in health care companies, experts said. Other targets include MA plans and remote monitoring, but the overarching FCA enforcement picture may be affected by a dissent in a U.S. Supreme Court decision (see story, p. 1).[4]
AI: Are Compliance and Legal at the Table?
To dig deeper into an aspect of AI, Gotchy said there’s been an advance in AI’s use to power medical coding. But he’s worried compliance and legal people may not be at the table when organizations are making AI purchasing and implementation decisions.
“AI-powered technology is already radically changing one of the most costly parts of the revenue cycle, and there are a number of tailwinds propelling the adoption of this technology,” Gotchy said. First, administrative waste weighs down the system. Second, “we are in the midst of a coding staffing crisis.” The transition is also driven by new coding demands, including the shift from ICD-9 (13,000 codes) to ICD-10 (68,000 codes). “The upshot is leaders think AI can be part of the solutions to intractable problems because they have the ability to improve accuracy, create new efficiencies, and generate cost savings and revenue capture for these organizations,” Gotchy said.
There are two main varieties. First is computer-assisted coding, which suggests codes for humans to use, and they may accept, reject or modify the recommendation, Gotchy said. The second is fully autonomous coding, which reduces or eliminates the need for human coders. “It takes unstructured data in electronic health records, automatically codes most of the claims and sends those claims directly to billing,” Gotchy said. A caveat: fully autonomous coding may not be ready yet for some providers and use cases. Although it’s the ultimate goal, “there are questions that compliance and legal stakeholders should be considering.” Here are a few of them (boiled down):
- What level of coding accuracy is sufficient? Is AI subject to a different accuracy level than human coders?
- How does the use of fully autonomous coding affect an organization’s certification on UB-04 and 1500 Medicare claim forms that all the information is true, accurate and complete?
- Is the AI ready for your specialty use case?
- What policy should an organization adopt to guide a coder’s deviation from a computer-assisted coding recommendation?
- How will the AI adjust to changes in coding standards?
- How are vendors using patient data to train their AI? “All these AI products are highly reliant on their access to high-quality training data in the specialty they are targeting,” Gotchy said.
- How are you educating providers about adopting this technology?
- Are there potential landmines with AI products for risk-adjustment (RA) diagnosis coding? “They’re coming at a time when MA plans and providers are facing increased scrutiny from the government for their efforts to increase their RA scores,” Gotchy said.
‘I Think They’ll Comply’
On other hot topics in the compliance world, CMS’s 2024 rule on policy and technical changes to MA, which took effect Jan. 1, is expected to be one of the game-changers of the year. The rule states that MA plans aren’t allowed to be more restrictive than traditional Medicare, which means they must follow the two-midnight rule, its case-by-case exception and the inpatient-only list, and their use of internal coverage criteria and prior authorization is restricted. Experts are skeptical MA plans will abide by the new rule, but Ronald Hirsch, M.D., vice president of R1 RCM, is optimistic. “I’m hopeful MA plans have properly trained their staff to understand the many nuances of the two-midnight rule,” he said. “There’s significant subjectivity in determining the need for hospital care. I’m hoping there will be patience and understanding on both sides as we work through the first months of this rule. We’re hearing all kinds of rumors, but I think they’ll comply.” But given their “slow pay/no pay issues” and negotiated rates far below traditional Medicare, Martie Ross, a consulting principal at PYA, predicts the crackdown on MA plans to heat up.
CMS will be looking over their shoulder this year. According to a Dec. 19 memo, CMS is planning routine and focused audits of MA plans to evaluate their compliance with the new rule.[5] Hirsch thinks it’s a big deal the memo stated that, among other things, the MA plans “are only using physicians (or other appropriate health care professionals) with appropriate expertise in the field of medicine for the service at issue when issuing adverse medical necessity decisions.” It’s unclear how MA plans will “operationalize” this requirement, but he’s happy to see it.
Elsewhere on the audit front, compliance officers and other experts report a variety of audit targets.
For one thing, unified program integrity contractors (UPICs), a type of CMS program integrity contractor, have been doing “niche audits,” said Andrei Costantino, vice president of integrity and compliance at Trinity Health in Livonia, Michigan. One target: transcatheter aortic valve replacement (TAVR), with the focus on medical necessity based on clinical parameters, degree of calcification, pressure gradients and valve opening area, among other things. The Medicare supplemental medical review contractor (SMRC) also will keep going strong. “They do a lot with post-acute care,” Costantino said.
Between the UPIC and SMRC, “we have quite a lot going on, and that doesn’t even count Medicaid,” Costantino said. Trinity has ministries (hospitals and related entities) in other states, including New York and Connecticut, where Medicaid audits have been very aggressive (e.g., Connecticut is big with audits of ambulance billing). “We have a robust program, and if we find something, we do a payback,” Costantino noted. He has a repayment log dating back to 2000. “I think that’s important,” he said. It was living proof of the effectiveness of Trinity Health’s program and helped the health system avoid a corporate integrity agreement when it settled an FCA case in 2022.
Telehealth services will be a SMRC target this year. In December, the SMRC announced on its website that it will launch phase two of its post-payment review of Part B telehealth services.[6] Phase 1 included claims billed with dates of service (DOS) of Jan. 1, 2022, through June 30, 2023, and Phase 2 will include claims with DOS of Jan. 1 through June 30, 2024. The SMRC will review multiple types of telehealth services, including psychotherapy, new and established patient office visits, telephone medical discussions and telephone consultations.
Sleeper Risk: Carotid Artery Stents
Internally, the compliance team at UNC Health in North Carolina will continue to watch over lower extremity procedures, angiograms, angiographies and other cardiac interventions for medical necessity “because they are high dollar and because coverage requirements are pretty complex,” said Patrick Kennedy, executive system director of hospital compliance. Hospitals must ensure compliance with the relevant local coverage determination, local coverage article or national coverage determination (NCD), which is easier said than done at health systems with hospitals in multiple states and high staff turnover, he said. New employees don’t come with an NCD chip in their brain. “At a couple of hospitals with staff turnover, we found nurses and managers in the departments aren’t aware of or as familiar with the regulations,” Kennedy said. “In one instance, they didn’t even know they were out there.” Ordering physicians also may not check the regulations. As always, it takes a combination of education and auditing to improve compliance, he noted.
In the same ballpark, CMS changed the NCD for carotid artery stenting, Hirsch said.[7] It removed the requirement for hospitals to register the site with CMS but added a requirement for shared patient decision-making, he said. The limiting factor: there’s no tool available for shared decision-making with carotid artery stents, he noted. Hospitals that already have an approved process to perform these stents now must ensure they’re engaged in shared decision-making like they do for cardiac defibrillators. “Hospitals can’t hand physicians a tool. They have to count on physicians to address all appropriate shared decision issues, including risks, benefits, alternatives and the patient’s decision and document that in the medical record or it’s an easy denial,” Hirsch explained.
An audit of inpatient rehabilitation facilities (IRFs) will be released this year, but it’s not the usual kind of audit. OIG plans to figure out whether there are any payment criteria that CMS could clarify because OIG and the comprehensive error rate testing contractor have found strikingly high rates.[8] “IRFs are getting hammered,” Gotchy said. “They are performing poorly against ticky-tacky regulatory requirements.” For example, CMS requires weekly interdisciplinary meetings attended by the rehab physician, a registered nurse, a social worker or case manager, and therapists, but if one of them misses a single meeting, “the auditor will take the position that the claim for the entire admission is improper and the payment is an overpayment,” he said. “It’s mind blowing. This has gone on for way too long,” Gotchy said, but 2024 may be the beginning of relief—“especially if the government modified its way of looking at risk areas.”
The Last Year for Telehealth Flexibilities, Maybe
In the payment arena, 2024 means providers operate under a new definition of “substantive portion” of split/shared services (CPT’s definition) and are finally able to use the complexity add-on code (G2211) for office/outpatient evaluation and management services (CPT 99202-99205 and 99211-99215). The complexity add-on code “is a compliance officer’s nightmare because CMS has not provided definitive guidance on the proper use of the code,” Ross said. Claims for associated services will be denied if G2211 is reported with modifier 25 for the same patient by the same practitioner, and providers aren’t permitted to bill G2211 “with one-and-done visits, like second opinions and urgent care visits. There must be at least an expectation of an ongoing relationship between the patient and the practitioner,” Ross explained. “Given the 3.34% cut to the conversion factor, providers need to be billing the add-on code when appropriate to make up lost revenue.”
Also new to Medicare payment are the social determinants of health (SDOH). For example, in 2024 for the first time Medicare will treat the Z code for homelessness (Z59.0) as a complication and comorbidity (CC), which potentially increases the reimbursement of an MS-DRG it’s attached to. And hospitals for the first time must report on their commitment to health equity through an attestation they make annually in the portal for inpatient quality reporting. But while the reporting is mandatory, there’s no penalty yet if hospitals perform poorly, said Tiffany Ferguson, CEO of Phoenix Medical Management. “It’s not pay for performance until 2026.”
This will be the first full year without the COVID-19 public health emergency (PHE). Although many waivers and flexibilities ended with the May 11 expiration of the PHE, some were extended by CMS or Congress. Notably, the 2023 Consolidated Appropriations Act allows telehealth flexibilities through Dec. 31, 2024. For example, the law removes rural area requirements and expands originating sites, which means Medicare continues to pay for certain covered telehealth services everywhere in the country and in patient homes, preserves coverage of audio-only telehealth services, and delays the in-person visit requirement for telebehavioral health services. This all goes away in less than a year unless Congress intervenes.
Ross predicts Acute Care Hospital at Home will be extended beyond 2024, and future patients will be admitted directly there from the emergency department or an inpatient bed. She also foresees a version of the program for patients with skilled nursing facility needs.
Still to come are final rules on remote prescribing of controlled substances under the Ryan Haight Act, Gotchy said. The Drug Enforcement Agency “is forecasting a final rule by the fall of 2024, and it has huge effects for telehealth providers,” he said. Under a temporary rule, physicians are permitted to prescribe controlled substances without first seeing the patient in person through 2024, a waiver that originated with the COVID-19 PHE.[9] Whether to extend it and related flexibilities are under consideration.
There are other big-picture changes from the PHE. “The COVID-19 pandemic saw a sharp rise in people of all ages seeking mental and behavioral health treatment,” said attorney Robert Trusiak, with Trusiak Law in Buffalo, New York. “As a result, primary care is now also mental health care.”
‘It’s Starting to Lift All of the Mystery’
Hospital price transparency will loom even larger in 2024 for two reasons. First, because of CMS changes in the 2024 outpatient prospective payment system (OPPS) rule and, second, because of bipartisan legislation, according to Ruskin and Ross.[10] The OPPS rule revised price transparency requirements, such as requiring hospitals to display their standard charge information by using a CMS template layout and submit an affirmation the data is true, accurate and complete, and beefed up its enforcement capacity. What’s proving useful about price transparency is hospitals get to peek behind the curtain at what their competitors are paid by commercial payers—normally an antitrust law violation, Ross said. “It’s starting to lift all of this mystery around the commercial payer rate. It’s useful now in contract negotiations.”
Second, the House of Representatives in December passed the Lower Costs, More Transparency Act (H.R. 5378), which would codify what CMS has only done with regulations, Ruskin said.[11] “It’s bipartisan passage of that bill so there’s a pretty good chance the Senate will pass something similar,” he said. Although hospital price transparency was mandated in a 2010 law—the Affordable Care Act—it was vague, and Ruskin said CMS regulations exploded the requirements far beyond the statute. The net effect of grounding price transparency in a statute: “It becomes a clear Medicare compliance issue by virtue of being placed in the Medicare statute,” Ruskin explained. The bill also would expand price transparency requirements to ambulatory surgery centers and diagnostic imaging centers.
With all the risk areas, compliance officers have their work (plan) cut out for them. Against that backdrop is their responsibility to operate the rest of the compliance program and evaluate it against OIG’s GCPG.
“The updated OIG guidance can potentially put the job in an enhanced direction,” Kennedy said. For example, it recommends shifting the risk assessment to the compliance committee and emphasizes the importance of the compliance department’s independence. That squares with UNC’s approach because compliance reports directly to the CEO and the board and doesn’t report to legal. “I think the OIG is reiterating the importance of compliance’s independence from legal or other operational leaders,” Kennedy said. “Corporate integrity agreements require this independence as well. We know some institutions, large and small, have compliance reporting up through legal, so we’ll see how it all plays out.”
Stand-Up Comedy and Compliance Apparently Mix
Shifting gears to cybersecurity, 2024 will be a scary time, Mathis said.
For example, Mathis warns that threat actors will use the information blocking and interoperability rules—which make it easier for patients or providers to access health information—for their own villainy. “All that’s coming together, and AI will get in the middle of it,” he said. Another heads up: The cloud isn’t a safe haven because data doesn’t just sit there, Mathis noted. It comes out of electronic medical records. “Data is most vulnerable when it’s being transported, moved, stored and analyzed outside that electronic medical record,” Mathis said. Consider the cyberattack on the file transfer software MOVEit. He urges health care organizations to have a plan to respond to a cybersecurity event and use tabletop exercises for preparation. The Cybersecurity and Infrastructure Security Agency (CISA) provides free tools on its website.
Also this year, look for regulations on the Cyber Incident Reporting for Critical Infrastructure, a 2022 law designed to bring out in the open the people paying ransom “under a shroud,” Mathis said. The law requires covered entities, including health care and public health entities, to report data breaches and security incidents to CISA within 72 hours.
There’s more to come in many areas this year. If all this seems overwhelming, you might want to take on a sideline like Costantino’s, the Trinity Health compliance professional. He’s a stand-up comedian and made it to the Detroit2LA semifinals in November at Mark Ridley’s Comedy Castle in Michigan. “If you think being a compliance officer is stressful, try getting on stage in front of 300 people who have been waiting 30 minutes to get their drinks and cheesy popcorn,” Costantino said.
Contact Costantino at costanta@trinity-health.org, Gotchy at kgotchy@kslaw.com, Hirsch at rhirsch@r1rcm.com, Kennedy at patrick.kennedy@unchealth.unc.edu, Mathis at bmathis@pyapc.com, Ruskin at andrew.ruskin@klgates.com, Ross at mross@pyapc.com, Ferguson at tferguson@phoenixmed.net and Trusiak at robert@trusiaklaw.com.