Mitigating Risks and Preparing for Home Health Audits in 2023

In recent years, the Centers for Medicare and Medicaid Services (CMS) has focused on combating waste and abuse in home health. Experts estimate that Medicare and Medicaid fraud costs taxpayers more than $300 billion annually. So it’s no surprise that federal watchdogs like the Office of Inspector General (OIG) have increased audit activity.

Following a brief respite from the pandemic, the OIG, CMS, and government contractors have intensified scrutiny of home health billing practices. Industry experts have suggested that providers should expect more home health audits over the next year. Meanwhile, the Department of Justice and the Federal Bureau of Investigation continue investigating fraud in-home care.

So what can agencies do to prepare for home health audits?

This article helps leaders understand the top focus areas for home health auditors. We’ve also compiled a checklist to help improve your agency’s compliance plan. Here’s what home health owners need to know to prepare for audits in 2023.

Top Focus Areas for Home Health Audits According to the OIG

The OIG’s Compliance Program Guidance for Home Health Agencies outlines these areas of concern.

• Billing for services or items not rendered
• Billing for medically unnecessary services
• Duplicate billing
• Incentives to actual or potential referral sources
• Billing for services to patients who are not homebound
• Billing for patients who are not confined to their residence
• Over- and under-utilization
• Insufficient documentation to evidence that services support reimbursement
• Improper patient solicitation
• Inadequate management of subcontractors resulting in improper billing

A compliance plan must be put in place to monitor and address issues that could lead to trouble in a home health audit.

Compliance Tips for Home Health Agencies

A strong compliance program is the greatest strategy for preparing for audits or inspections by regulatory agencies.

Home health owners must review their compliance policies and procedures regularly to ensure compliance with current regulations. This includes documentation, billing practices, and privacy policies.

Moreover, documentation is key in compliance programs. Therefore, administrators should record all of the agency’s efforts.  Make the best use of your agency’s home health software for documentation. Evaluate internal policies and procedures and implement process changes when needed. Agency owners and executives are responsible for providing leadership and putting proper processes in place “to support ethical and lawful conduct.” There are three areas where home health agencies often fall short.

Medical necessity and homebound status

The most common type of home health audit that home health agencies face is a claims review. Most often contractors audit claims for medical necessity and homebound status.

It’s widely understood that home health services must be ordered and certified by a physician to be covered by Medicare. The patient must also be homebound, and treatments must be reasonable and necessary to treat the patient’s illness, injury, disease, or condition. Still, auditors look for inadequate justification in the medical record. Patient records must clearly reflect all of the criteria.

Home health agencies must have sufficient documentation to show the patient’s needs. In addition, the certifying physician’s plan of care must be evaluated regularly. Medicare payers, the OIG, and audit contractors are looking to see if the billed services meet these requirements. As a result, failure to satisfy these criteria puts home health agencies at risk. Failure to meet the standards or provide insufficient documentation is costly. Agencies have to pay back or repay overpayments. Administrative time and consulting fees associated with appealing audit determinations add up quickly. Furthermore, agencies may face civil fines under the False Claims Act.

Keep reading for best practices to ensure your claims meet the standards for providing home health care.

Improper referral arrangements

Like any other business, home health agencies make connections and partnerships to increase growth and revenue. Relationships with the right referral sources give agencies a competitive edge. In the past, agencies have been creative. They’ve used medical directorships, free services to senior facilities, and gifts to referring providers to start or maintain relationships.

Today, agencies must be careful. These arrangements are risky because state and federal laws regulate relationships between home care companies and those who refer patients. The OIG’s Compliance Guide details important rules for home health agencies.

• The Physician Self-Referral Law (Stark Law) prohibits doctors from referring patients to businesses with which they have financial ties.
• The Anti-Kickback Statute makes it unlawful for any person or business to solicit or pay for Medicare or Medicaid clients.
• The Civil Monetary Penalties Act forbids companies from giving patients cash, products, or services worth more than $15.

Providing clients with free medical supplies, equipment, or transportation could lead to serious consequences.

Keep in mind that these improper relationships can lead to overutilization, increased care costs, and corrupt medical decision-making. Consequently, regulatory authorities watch for compliance issues in this area.

Security and privacy of patient information

Although billing and claims reviews are the most well-known types of home health audits, it is important to mention a newer regulatory focus. Increased reliance on technology has spurred an uptick in cyberattacks in the healthcare sector. Security and privacy violations may be uncovered during a compliance audit.

The Health Insurance Portability and Accountability Act (HIPAA) protects patient information. The Health Information Technology for Economic and Clinical Health (HITECH) Act expanded HIPAA rules and provided guidelines for stricter enforcement. Both were passed to safeguard the security and privacy of protected health information (PHI). It requires healthcare providers to protect PHI and imposes serious penalties on organizations that fail or improperly share patient information.

The decentralized structure of many home care businesses puts home healthcare providers at increased risk of HIPAA violations. Home health professionals work in a variety of settings and frequently have remote access to confidential medical data. Many home care workers use mobile-ready home health software as well as personal mobile electronic devices to view and store sensitive information.

The bottom line is that only patients can authorize their PHI’s release, which must be done in writing. Home health agency owners and managers must be diligent in safeguarding patient information at all times.

Here are some practical tips for improving regulatory compliance to be ready for a home health audit.

Audit-Ready Compliance Checklist for 2023

• Train (and routinely re-train) employees on the definition of homebound and requirements for acceptable and medically necessary home health services.
• Consider performing pre-billing chart reviews to assess compliance with agency, state, and federal standards.
• Perform random, periodic audits of patient records. Use internal resources or hire outside consultants to review your practices around homebound status and medical necessity.
• Track all financial arrangements with referral sources. Also, verify that formal contracts are in place, signed, and maintained per the terms of the agreement.
• If you have any doubts about the legality of a referral arrangement, consult with a health law professional.
• Keep a record of any gifts you distribute to referral sources or clients.
• Limit who can enter into contracts, leases, or other financial agreements on behalf of the business.
• Stick to pre-authorized contract forms that the leadership team has reviewed.
• Require staff to use two-factor log-in access for devices to secure them in case of theft.
• Provide computers and devices for staff that use encryption and secure access.
• If your agency allows staff to use personal devices, have a written “BYOD” Bring Your Own Device policy in place. It should include guidelines for using a VPN. The Society for Human Resource Management provides a sample policy template here.
• Discourage the use of unencrypted browser password managers.
• Make sure employees report lost or stolen devices holding PHI immediately.
• Designate a Privacy and Security Officer to oversee organizational compliance with HIPAA laws.
• Encourage employee reporting of potential violations without fear of retribution. Promote a company culture of transparency and accountability.

The Take Away

Get ready, stay ready!

The aforementioned home health compliance best practices outlined in this blog can help ensure that agencies comply with Medicare requirements and are ready to respond to any regulatory audit that comes their way.

Other regulatory blogs you might find helpful:

1. Home Health Certification Training – The key to abundant & exceptional caregiving staff
2. Non-medical homecare trends in 2023
3. Home Health agency challenges for executives
4. Is it time for a policy update in your home health agency?
5. Success with PDGM in 2023