Two audit letters that came across her desk from the Medicare administrative contractor (MAC) in late August raised red flags for Vera Phillips, compliance specialist at Olympic Medical Center in Port Angeles, Washington. Because these are strange times as it is, between the COVID-19 pandemic generally and subsequent regulatory and audit changes, her antennae are up more than usual, and Phillips decided not to produce the requested records without additional due diligence.
For one thing, the audit letters from the MAC, Noridian Healthcare Solutions, were written by a department she’d never heard from before: the Benefit Protection Team. For another, although they requested the usual stuff, including medical records, the MAC letters also wanted something that made Phillips uncomfortable: a copy of the driver’s license and Medicare card of the two patients whose services are the subject of the audits.
Her first thought was, “With all the fraud and COVID-19 fraud, is this letter legit? I’m not sending that unless I find out.” The letters also were a little vague, simply saying, “Due to an audit of Medicare files, we are requesting additional information regarding services provided to the following Medicare patient …” The pressure was on for an answer, because the letters gave the hospital 15 days to send the records back, which is half the time providers usually have in Medicare audits.
Phillips contacted Noridian and confirmed the letters did, in fact, come from the MAC. She has asked for more details about the purpose of the Benefit Protection Team and awaits an answer. The letters leave unanswered questions about the nature of the audit and are a reminder for hospitals to think about their obligations under HIPAA and state privacy laws.
“This is weird,” said Steve Gillis, director of compliance coding, billing and audit at Partners HealthCare in Boston. Documentation requests usually explain the purpose of the audit. “This kind of inquiry with no explanation of why would not be administrative simplification. [CMS doesn’t] allow recovery audit contractors to just audit anything, and Targeted Probe and Educate is targeted, but this has no explanation at all. You can’t request medical records with no explanation,” Gillis said. The MAC for his jurisdiction doesn’t have a Benefit Protection Team, and he doesn’t recall a documentation request for the beneficiary’s Medicare card and/or license.
‘The Bills Were Clean, and They Were Paid Clean’
The two letters sent to Olympic Medical Center asked for medical records, orders, progress notes, advance beneficiary notices, any forms signed by the patients, patient billing/financial records/account information, and “any other documentation that would support the items billed to Medicare for the following patient with the date(s) of service in question,” as well as the driver’s licenses and Medicare cards.
There’s no apparent reason for the MAC to be interested in services provided to the two patients, Phillips said. Both services were performed in physician offices that are provider-based departments of the hospital. One was an office visit with a lab test and the other an office visit with a pulmonary function test. “There was nothing unusual about these claims,” Phillips noted. There were no advance beneficiary notices required, so it seems unlikely the audit request was prompted by a patient complaint. “Medicare processed the payments. The bills were clean, and they were paid clean.”
A CMS spokesperson said only that “Medicare contractors conduct routine audits of hospitals and can request information to support Medicare payments. CMS does not comment on active audit protocols or why a particular hospital may be undergoing a particular audit.”
Gillis speculated that the beneficiaries may have complained to the MAC that they were victims of identity theft, which would explain why the Benefit Protection Team asked the hospital for copies of their Medicare cards and driver’s licenses.
HIPAA Allows Disclosures; ‘It’s OK to Push Back’
It makes sense for health care organizations to pause when they get requests for sensitive patient information, which is protected health information under HIPAA and personally identifiable information under state law, said attorney Jennifer Urban Rathburn, with Foley & Lardner in Milwaukee, Wisconsin. They should verify the identity of the government agency or proxy (e.g., auditor) requesting the information, and question why they’re asking for the information and whether it’s the minimum amount necessary.
“Hospitals always want to meet their audit and compliance duties, but it’s OK to push back and find out more information and protect privacy in accordance with laws, as long as it’s done in a respectful manner,” Rathburn said. HIPAA makes allowances for covered entities to turn the information over to auditors under certain circumstances.
Under HIPAA, “a covered entity (or a business associate (BA) acting on its behalf) may disclose PHI [protected health information] to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for oversight of the health care system, government benefit programs where health information is relevant to eligibility, or regulatory or civil rights law compliance where health information is necessary for determining such compliance” (45 C.F.R. § 164.512(f)), HHS explained.