Tag Archives: msp

5 Questions That Thwart Ransomware

This past summer was something of a perfect storm for small businesses, which weathered an increase in ransomware attacks that, in many cases, started with an IT vendor or managed service provider (MSP).

Ransomware incidents reported to our company were up 37% in the third quarter when compared with the first three months of the year, and 24% were confirmed to be caused by a vendor or MSP.

Those statistics are bad news for small businesses that manage their IT resources with the help of an MSP and worse news for small businesses that outsource their entire IT operation to the MSP, which includes everything from building the network and managing applications to servicing any and all IT requests.

In fact, in the first nine months of last year, 63% of all the ransomware incidents reported to our breach response unit came from small businesses, many of which rely on an MSP. Why is that figure so high? MSPs make ripe targets for ransomware attacks.

They have to balance, on the one hand, a need for speed and convenience when it comes to being able to respond to clients and, on the other hand, the need to have the right security controls in place. Too often, speed and convenience win out over security controls.

For example, in many cases, MSPs have reused credentials across clients so that MSP employees can service multiple clients more quickly. Similarly, MSPs might not enable multi-factor authentication (MFA) on the remote access point they use to pivot to client environments.

In many incidents in the third quarter, attackers exploited the remote management application that connects the MSP to the client. The same MSP user account would log into multiple client environments and install ransomware. If the MSP had set up individual user accounts for each of its clients, it is more likely that the exploitation of the single set of credentials would have only enabled unauthorized access to a single client’s environment, diminishing the risk to their clients.

Further, an MSP user account often has to have full administrative access to assist with regular IT functions, so, when credentials were compromised, the attackers had full administrative access to clients’ environments.
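
The pattern described above (one MSP account logging into several client environments, often with full administrative rights and no MFA) can be checked for in remote-management session logs. The following is an added example, not code from the original article; the log format, field names, account names and the one-hour window are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of remote-management session records (hypothetical format:
# ISO timestamp followed by key=value fields). Not real data.
SAMPLE_LOG = """\
# constructed sample, not real data
2019-08-12T02:14:07 account=msp-tech client=dental-office mfa=no role=admin
2019-08-12T02:19:41 account=msp-tech client=law-firm mfa=no role=admin
2019-08-12T02:31:55 account=msp-tech client=auto-shop mfa=no role=admin
2019-08-12T09:05:10 account=svc-dental client=dental-office mfa=yes role=admin
2019-08-12T09:40:22 account=svc-dental client=dental-office mfa=yes role=admin
2019-08-12T10:02:00 account=helpdesk client=law-firm mfa=yes role=operator
2019-08-13T15:30:00 account=helpdesk client=auto-shop mfa=yes role=operator
this line is malformed and is skipped
"""


def parse_sessions(text):
    """Parse session lines into dicts; comments and malformed lines are skipped."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, _, rest = line.partition(" ")
        try:
            fields = dict(pair.split("=", 1) for pair in rest.split())
            sessions.append({
                "time": datetime.fromisoformat(stamp),
                "account": fields["account"],
                "client": fields["client"],
                "mfa": fields["mfa"] == "yes",
                "role": fields["role"],
            })
        except (ValueError, KeyError):
            continue  # bad timestamp, missing "=" or missing field
    return sessions


def clients_in_window(events, window):
    """Largest set of distinct clients one account reached within `window`."""
    events = sorted(events, key=lambda e: e["time"])
    best = set()
    for i, first in enumerate(events):
        seen = {e["client"] for e in events[i:]
                if e["time"] - first["time"] <= window}
        if len(seen) > len(best):
            best = seen
    return best


def audit_accounts(sessions, window=timedelta(hours=1)):
    """Report accounts that are shared across clients or used without MFA.

    Admin rights alone are not reported, because an MSP account often needs
    them; they are listed as an aggravating reason on reported accounts.
    """
    by_account = defaultdict(list)
    for s in sessions:
        by_account[s["account"]].append(s)

    findings = {}
    for account, events in by_account.items():
        all_clients = {e["client"] for e in events}
        burst = clients_in_window(events, window)
        reasons = []
        if len(all_clients) > 1:
            reasons.append("shared-across-clients")
        if len(burst) > 1:
            reasons.append("multi-client-burst")  # several clients in one window
        if any(not e["mfa"] for e in events):
            reasons.append("no-mfa")
        if any(e["role"] == "admin" for e in events):
            reasons.append("admin")
        if "shared-across-clients" in reasons or "no-mfa" in reasons:
            findings[account] = {
                "clients": sorted(all_clients),
                "burst": sorted(burst),
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for name, info in audit_accounts(parse_sessions(SAMPLE_LOG)).items():
        print(name, info["reasons"], info["clients"])
```

An account dedicated to a single client, such as `svc-dental` in the sample, produces no finding, which is the per-client account layout the article recommends.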

So, why the increase in MSP ransomware attacks this summer? According to Bill Siegel, CEO and co-founder of ransomware response platform Coveware, hackers have found a way to magnify the attacks on MSPs. Specifically, developers of Sodinokibi ransomware are now using techniques employed originally by GandCrab ransomware to make the attacks on MSPs more profitable.

These MSP ransomware attacks over the summer exposed incident response challenges. For small businesses that completely rely on outsourced IT, a massive ransomware attack across clients draws on the MSP’s resources and inevitably leaves many businesses in the dark. Small business owners without a technical background struggle to understand and assist the external legal and forensics vendors who are hired to help them respond to the attack.

The response is further complicated when the MSP itself is also infected with ransomware. Where an attack group knows it has hit an MSP, and infected downstream clients, the group may refuse to negotiate with the end clients and instead only respond to the MSP to increase ransom demands. This tactic can also leave clients with little to no control over their data and software recovery.

For all of these reasons, we urge small businesses to ask the following important questions when vetting a potential MSP:

  1. Is there a security program in place, including periodic risk assessments to identify areas for improvement?
  2. Is there continuing security awareness training across the organization?
  3. Is there an SSAE 18 SOC 2 Type II report or similar type of report available to customers, attesting to the security control environment?
  4. If access to personally identifiable information or protected health information is necessary, how is this protected at the vendor (e.g. encryption, secure remote connections, restricted access, logging and monitoring)?
  5. Are security and availability requirements enforced in master service agreement contracts (e.g. sensitive data protection, up-time guarantee/service level agreements, security incident reporting/coordination, regulatory compliance requirements)?

Our third-quarter statistics clearly show that small businesses and MSPs are big targets for hackers. It is absolutely critical that small businesses are working hand-in-hand with all their IT vendors to prevent ransomware attacks from happening in the first place.

3 Ways to an Easier Digital Transformation

Across industries, digital transformation and cloud migration are forces to be reckoned with. Insurance is no exception.

As an industry accustomed to operating on legacy technology, insurers should approach the cloud migration process judiciously. But they should also know that moving all workloads to the cloud – even if incrementally – is necessary to keep up with evolving customer expectations.

The industry at large is receiving this message. Nearly 70% of insurers report they are somewhere along the journey to digitally transform their infrastructure, according to a report from Ensono and Forrester.

But the jump from mainframe to cloud shouldn’t take place overnight. By taking a methodical approach and prioritizing the right workloads, insurance technology teams can achieve a hybrid IT infrastructure that allows for improved operations at manageable costs. Here are three guidelines to follow as your insurance organization adopts a hybrid cloud strategy:

Prioritize which applications to move first

46% of insurers surveyed in the Ensono/Forrester study cited improving application performance as the most important IT change their company could make to augment customer engagement. But according to IBM, nine out of 10 of the world’s largest insurance companies still run on mainframes. Leaning on legacy technology alone makes it challenging to keep pace with application upgrades and customer expectations for speed and experience. Organizations that remain within a stand-alone legacy environment will have to rely on workarounds to keep upgrading their app performance, and these workarounds will only become more frequent and costly.

However, moving all operations to the cloud and scaling up overnight isn’t a realistic ask of traditional insurers, either. The transition is expensive and takes months of planning and testing. Instead, insurance organizations should take things slower by prioritizing the applications that require the highest levels of performance as well as most external and third-party connectivity. The basic rule of thumb: Apps that are customer-facing should be at the top of your list.

Set yourself up with premium analytics

Quality data is central to understanding the needs of agents and customers, but legacy technology doesn’t allow for the best insights. Turning to a cloud or hybrid strategy increases an insurer’s ability to access top-notch, real-time data and analytics, as well as expand into emerging cloud offerings.

According to Ensono and Forrester, almost half of insurance decision makers use cloud platforms for advanced data analytics, and about 40% believe it’s important to expand their use of emerging cloud technologies like mobile or internet of things (IoT) and increase reliance on public cloud platforms for systems of engagement. Those systems of engagement need to connect seamlessly to systems of record.

Find the right partners

Data analytics clearly play a huge role in the benefits insurers can reap from a hybrid cloud strategy. But a full 100% of insurers admitted to facing data-related security issues, according to Ensono’s study. Whether this is due to outdated IT infrastructure or a lack of expertise, it’s unacceptable to put any data at risk, especially customer data.

The right partners can help keep your organization’s data secure while optimizing the right applications for cloud. Mainframes – a true foundation of the insurance business – aren’t going away in this process, but they won’t bear the whole burden any more, either. Legacy systems do have their perks, such as security and expense, but ultimately insurers need to ensure they have access to the expertise needed to help their businesses thrive in the cloud.

The transition to a hybrid IT environment requires re-engineered IT infrastructure, the use of real-time data and insights and the right talent – the kind that can create a flexible and competent IT strategy with a custom balance of legacy platforms and cloud environment. Partners like managed service providers (MSPs), migration services and consultants can make the process much smoother. Accessing third-party support also allows your organization to skip the stressful experience of hiring for internal tech experts in a talent economy suffering from an IT skills gap.

The push from customers for faster, better service in insurance continues. But dated infrastructure and an IT talent shortage are holding the insurance industry back. Digital transformation is the only way to meet growing expectations, with cloud migration being the core driver behind the progress. Insurers must thoughtfully design an infrastructure migration plan associated with their application strategy and seek the needed resources to help carry it out, thus ensuring a more stable and growing customer-backed future.

MSP Compliance Is Out of Control

This paper discusses the current state of Medicare secondary payer (MSP) compliance within the property and casualty (P&C) industry. Our payer survey findings show payers view MSP compliance as unmanaged and out of control. MSP compliance is excessively costly. The time has come for a data-driven or analytic-powered approach to compliance that leaders of the future will embrace. An analytic-powered approach uses high-quality data and strong algorithms to augment human decision-making in the process.

Medicare Secondary Payer

Medicare was born in 1966 as the primary payer for medical claims involving Medicare beneficiaries not covered by workers’ compensation (WC), federal black lung or Veterans Administration benefits. In 1980, in an attempt to collect as much money as possible for the Medicare trust fund through rule-making, Congress enacted the Medicare Secondary Payer Act, expanding Medicare’s recovery to group health and non-group health plans or self-insurance for liability, automobile and no-fault. This included all plans under those P&C lines that paid for any medical or personal injury, sweeping in travel insurance and medical payments coverages under commercial and personal property plans, as well as plans that typically do not pay for a bodily injury, such as treatment for medical professional liability, director and officer and errors and omission policies. Medicare has a right to both reimbursement for Medicare dollars paid and recovery of payments Medicare might make in the future, where another primary plan exists.

Primary Payer Survey

We randomly and confidentially surveyed 35 non-group health primary payers, including carriers, third-party administrators, state funds and self-insured entities, to learn about their MSP compliance programs. The table presents the results.

Companies surveyed agree 100% that MSP compliance delays or interferes with claims settlements. However, few have a formal monitoring process (4%), a fragmented vendor panel is used (71%), and few (30%) have a centralized program, such as an internal department or individual responsible for the oversight of MSP compliance. Most compelling is that 92% of companies surveyed do not have any confidence that their adjusters or claim handlers are capable enough to identify the risk or execute on MSP compliance at the time of settlement. These results reveal a clear absence of risk management or quality measures for identifying, controlling or monitoring MSP compliance. Further, most payers do not establish internal best practices, relying heavily instead on best practices suggested by external MSA vendors.

Discussion

Why do primary payers remain uncomfortable with MSP after 15 years of experience? To answer this question, let’s look at some background.

On July 23, 2001, Medicare released a memo to all regional administrators to answer questions raised as to how to evaluate Medicare’s future interests for WC settlements. The memo did not detail any specific methodology for forecasting future medical care.

Following the release of this memo, the first Medicare Set Aside (MSA) companies emerged to produce formalized MSA reports. These early companies cobbled together a mix of approaches used in the practice of Life Care Planning as used for the valuation of future medical costs for litigated claims. This untested, short-cut approach was sold as a solution to non-group health plans and third party administrators to satisfy Medicare’s requirements for MSAs. Thus, a small cottage industry established claims best practices for MSAs. Vendors have defined the requirement not only to prepare but also to submit MSAs to Medicare for review and approval, a voluntary process under the Act that has become a WC claims best practice.

While conventional MSA methodology may have offered a solution fifteen years ago, it is time to re-assess the industry’s approach. MSP compliance, as it has evolved, has outgrown existing models. Primary payers deserve to have much greater confidence and control. Primary payers can and should develop internal best practices for Medicare Secondary Payer. We believe a data-driven approach will increase payer confidence, create transparency in the MSP process and lower costs.

Data is Power! An Analytic-Powered Approach to MSP

Analytic-powered or data-driven decision management (DDDM) is an approach to governance that uses data that has been appropriately gathered and verified to make business decisions. The technique has been around since the early days of the computer in the 1950s, when data was first mined and extracted for analysis. Today, business intelligence has advanced to offer technology-based dashboards that display data, in an organized form, for analysis and decision making. These tools no longer require an expensive IT staff to gather and analyze information. The quality of the data and effectiveness of the analysis are the foundations for a successful data-driven solution. Using data intelligence, primary payers can identify, manage and control MSP exposure and make decisions about managing MSP compliance risks.

The table below compares the analytic-powered approach to the conventional approach.

The difference between an analytic-powered and a conventional approach to Medicare Set Asides is dramatic. An analytic-powered approach relies upon a robust claims data warehouse of real medical transactions for bodily injuries over time. A standardized digital platform with algorithms and tables is applied. Given the same exact set of medical claim variables, an outcome will be the same every time. It offers tighter security standards, HIPAA (PHI/PII) protection with fewer hands touching the files. It remains in the hands of a payer’s internal professionals and can stay within the confines of its IT structure.

Case Study Comparison

We analyzed the experience of a primary payer who sent the same set of medical records, for a given claim involving a Medicare beneficiary, to 5 different MSA preparers. The primary payer received five different MSA forecasts as follows:

Conventional methods are subjective and non-standardized, and therefore variable in nature, and they lack transparency. The same medical variables or medical claims record information can be reviewed by five different people and interpreted differently by each person; the same variables are not reproducible or consistent. Today’s conventional methods increase the complexity of future care analysis and vendor dependency.

An analytic-powered approach offers exceptional return on investment of time and redeployment of labor. When one compares an analytic-powered MSA report to conventional methods for an identical case, the analytic-powered method used one thirty-sixth (1/36) the amount of human time and completed the report within 15 minutes. These reports are not submitted to CMS for review and approval because the strength of the data and the CMS guidelines that support the proposal are irrefutable.

A data-driven approach will not only drastically improve the quality, reliability and validity of an MSP program. It will provide the platform for a company’s internal program, offering transparency and control that will cut the overall total cost of MSP compliance by 50% or more.

“Non-Group Health Plans and self-insureds are frustrated by the world of Medicare Set-Asides. This frustration has led to attempts to change the policy guidance in Congress, numerous meetings with CMS, and searches for new solutions. Some of the “Best in Class” have determined that the only way to secure superior outcomes is to control the process, bringing it inside their organizations and using data to secure superior results, thereby affording themselves an advantage in the marketplace.” Peter R. Foley C.P.C.U., C.I.C, Principal at C.L.A.I.M.S, LLC and former Vice President, Claims Administration, American Insurance Association.

Conclusion

Our survey of 35 companies exposes the failure of the current state of MSP compliance and highlights the need for disruptive and revolutionary change. As future guidance for MSP compliance is released, there is a real risk of greater complexity in the execution of a solution for primary payers and third party administrators who rely on conventional practices. The time has come for primary payers to own and develop their internal best practices for MSP compliance establishing alignment between the obligation to protect Medicare and close claims. The future is here for a data-driven solution that is streamlined, efficient and compliant with the intent of the MSP Act.

An Unprecedented Work Comp Ruling

The March 2016 opinion in Negron v. Progressive Casualty Insurance by a federal district court was an unprecedented ruling against Progressive for filing a false or fraudulent claim under the Medicare Secondary Payor Act (MSP) and causing a governmental agency (Medicare) to wrongfully pay for benefits. The decision raises a broad issue for workers’ compensation.

Before MSP, Medicare and other federal programs paid for medical services even if the beneficiary was covered by another program. With increased longevity and escalating medical costs, though, the federal government could not continue to pay for medical costs that were already covered by other plans. Therefore, in 1980, Congress enacted MSP to bar Medicare payments where payment has been made or is reasonably expected to be made promptly by a primary plan. MSP also requires that certain claims-specific information be reported by liability insurance (including self-insurance), no-fault insurance and workers’ compensation insurance.

The connection to workers’ compensation comes because it allows an injured worker to potentially be entitled to receive future medical benefits. Settlement of workers’ compensation claims is either by stipulation (future medical treatment is typically left open) or by compromise and release (where future medical issues are paid out). But if Medicare pays for a work-related condition covered by future medical payments that have been settled through workers’ comp, this could constitute fraudulently inducing a Medicare payment and be subject to the False Claims Act, a federal law that imposes liability on persons and companies that defraud governmental programs.

Under the False Claims Act, private individuals may bring a lawsuit on behalf of the government in exchange for the right to retain a portion of any resulting damages award. Therefore an injured employee who is a Medicare recipient may bring an action against the responsible party if there was payment by Medicare for a work-related injury, and the worker would receive part of the recovery. This may seem far-fetched, but it could happen, so employers need to be prepared.

It would reduce potential overlap and complications if an employer pays only for conditions and treatment that arise out of the course and scope of employment. The best approach to this is to have objective information as to what the employee’s physical condition was before an injury so he can be returned to pre-injury status.

An EFA-STM program can provide that baseline for musculoskeletal disorder (MSD) claims, a leading cost driver in workers’ compensation. MSD claims are often difficult to diagnose and treat, and oftentimes the individual does not receive appropriate care. The EFA-STM program evaluates either new or existing employees with a customized evaluation that is consistent with the job. The baseline evaluation is not read until there is reason to think a work-related MSD might have happened. At that time, a second test is conducted to not only determine if there is a change in condition but to ensure that the employee receives the appropriate care for any work-related injury.

Whistleblower Suits: Emerging Risk on MSP

There is an emerging area of risk associated with Medicare Secondary Payer [1] (MSP) compliance. Workers’ compensation, liability, and no-fault insurance, including self-insurance plans, are exposed to penalties and conditional payments, and there may be violations of the False Claims Act (31 U.S.C. §§3729 – 3733) (FCA) that could lead to fines plus treble damages.

The risk stems from lawsuits commonly known as qui tam actions, which are brought by private citizens known as relators. Relators could recover anywhere from 15% to 30% of the damages in the suits, plus attorney’s fees and costs.

The success of such lawsuits largely depends on whether the U.S. intervenes as plaintiff. Companies and insurance carriers that are responsible reporting entities (RREs) must exercise caution on what data on settlements, judgments, awards and other payments is sent to the U.S. and ensure the data is consistent with the Centers for Medicare & Medicaid Services (CMS) guidelines, policies and regulations. A solid reporting solution is a critical step for protection, but must also integrate business intelligence to eliminate the submission of false claims and allow the appropriate reporting of claims.

Background

The FCA was enacted in 1863 by a Congress concerned over the quality of goods being supplied to the Union Army during the Civil War. Commonly referred to as “Lincoln’s Law,” the rule depended on the private citizen to help the government identify fraud against it. This private citizen, or relator, was rewarded if the government won a judgment. During World War II, the law changed and made it harder for private citizens to assist. When their incentive disappeared, the government’s ability to identify fraud slowed to a trickle even as government contracts surged because of the war. After decades of defense contractor abuse, President Reagan, working with a bipartisan Congress, changed the law in 1986. Fines rose from a minimum penalty of $2,000 to a range of $5,000 to $10,000 [2] per violation; recoverable damages went from double to treble; and, most importantly, private citizens again had incentives to coordinate with government to prosecute fraud.

Today, more than 80% of FCA actions are qui tam driven, and recoveries exceeded $4.9 billion in the fiscal year that ended Sept. 30, 2012.  Such actions are predicted to increase into the foreseeable future.

A qui tam, or whistleblower, claim starts with an individual being aware of a possible fraud being perpetrated against the U.S. Typically, a whistleblower works for the organization that is alleged to be perpetrating the fraud, raises a concern and then suffers an adverse employment action for doing so. The results can be costly to the organization.

Consider a quality-control expert at Hunt Valve in Ohio [3]. Her company made valves for nuclear attack submarines and reactors. The valves were never inspected, and paperwork was fabricated. When she raised concerns, she was fired and forced to move out of town. The responsible parties, Northrop Grumman Newport News, General Dynamics Electric Boat and three other defendants, paid a $13.2 million settlement to the U.S.

Also consider a pharmacist who was treated similarly by his new employer, Omnicare [4]. He had previously owned a “mom and pop” drugstore outside of Chicago and was a seasoned pharmacist. He discovered widespread drug switching for profit, and, when he notified his bosses, he was fired and forced to work as a temp at other pharmacies that engaged in the same bad practices. He then brought an action and secured a $120 million settlement.

A third example is rare in that the relator was the CEO of a laboratory company [5]. He realized that a competitor was producing a particular testing product that was defective and caused dialysis patients to be overdosed with expensive and harmful drugs that Medicare paid for. He brought the test results to the competitor’s attention but was rebuffed. He filed under FCA and recovered $302 million for the government.

Certain private citizens are barred from being a relator. If someone was convicted of criminal conduct arising from his or her role, the citizen is not allowed to sue [6]. If another qui tam concerning the same conduct has already been filed, known as the first bar rule, no suit is allowed [7]. Where the government is already a party to a civil or administrative money proceeding concerning the same conduct, the action is also barred [8]. Finally, if the information was already disclosed to the public (and the relator is not the source), the matter is barred under the “public disclosure” rule [9].

If allowed, a qui tam complaint is filed under seal for 60 days. During this period, the government is required to investigate the allegations to determine if it will intervene. The government can extend this period under seal if it needs further time to investigate, and typically does so. Sometimes, the government may take a year or more to decide. If the government does intervene, it has primary responsibility to prosecute and pay for it [10]. When the government declines to intervene, the relator can proceed on his or her own, paying the costs, and the seal is lifted. The cost to prosecute can be prohibitive, and many FCA actions fail if the government declines to intervene. However, the law does increase the relator’s share of the damages from a floor of 15% of the damages to a minimum of 25% as compensation for the additional risk.

To win, the relator must prove that the defendant’s conduct, or lack of conduct, meets one of the statutory requirements under 31 U.S.C. §3729(a). The areas where most of the conduct or lack of conduct fall are: 1) knowingly submitting a false claim or record to the government for payment [11]; 2) knowingly avoiding the submission of a claim or record to the government to avoid the payment of money to the government [12]; and 3) liability for those who conspire to violate the FCA [13].

A prima facie case of prosecutable FCA conduct in any of the three areas would require the relator to establish: 1) the submission of a false claim/record, or avoiding the filing of a required claim/record to the government; and 2)  knowledge of the falsity itself.  31 U.S.C. §3729(b)(1) sets forth how knowledge of the false information for the claim or record can be defined. It can be (1) actual knowledge; (2) deliberate ignorance of the truth or falsity of the information; or (3) reckless disregard of the truth or falsity of the information. The fact finder will require concrete evidence to uphold the FCA violation. The relator will also be focused on the applicable regulations, rules and policy memoranda from the government.

The Trends

After 1986, contractors for the Department of Defense were the primary focus of the government concerning FCA because of unbridled fraud. When the law changed, both government and private citizens unleashed prosecutions against contractors such as United Technologies ($150 million), Boeing ($75 million), Teledyne ($85 million) and Litton ($82 million). As lawsuits were filed, and the substantial recoveries publicized, the industry responded with increased compliance and vigilance to the point that FCA actions are rare in this area today.

Next were FCA lawsuits involving the big pharmaceutical companies. GlaxoSmithKline paid $1.2 billion for the unlawful promotion of Paxil, Wellbutrin, Advair, Lamictal and Zofran for uses not approved by the Food and Drug Administration. Johnson & Johnson paid $2.2 billion for similar off-label use promotion. These highly publicized settlements, and changes in how drug companies may interact with providers, have led to a tapering of such cases and left the FCA qui tam industry on the search for the next area of fraud, waste and abuse against the government.

One method to determine the next industry trend for FCA actions is to follow the focus of certain government enforcement agencies. The Office of Inspector General (OIG) is one such Agency to monitor for enforcement actions. The OIG has focused recovery efforts on big pharmaceutical companies, and recent focus has been on Providers for Medicare & Medicaid items and services. FCAs have been equally active against these Providers. As a result, the OIG had a particularly effective year in recovering over $4.3 billion in 2013 against Providers, returning $8 for every $1 spent by the Agency.

The OIG is also responsible for MSP compliance enforcement. An example of OIG activity is the recent settlement late last year by a Texas health system for $3.67 million [14]. In that situation, the Relator alleged that Baptist Health Care billed Medicare for items and services it provided to beneficiaries that were covered by other payers such as workers’ compensation, liability and no-fault insurance (Plans). Under MSP law, Medicare is allowed to pay for such items and services when no payment has been made or payment is not reasonably expected to be made. If that is the situation, then Medicare pays, but on the condition that it be reimbursed for items and services if payment is ever made by the Plan. That is what happened here. The Plans made payment to the Provider, but no reimbursement occurred, and when the oversight was brought to the Provider’s attention by the Relator, he was ignored. Correction to the Program was made, but past errors were not corrected. The Provider therefore recognized the falsity of its information, and easily satisfied the criteria for the Relator when it did not reimburse for historical errors after it was brought to their attention. The FCA community is therefore aware of MSP violations and how they can implicate the FCA.

An area that may be subject to FCA is the Medicare & Medicaid SCHIP Extension Act of 2007 (MMSEA). This law modified the MSP to require data reporting by RREs. To encourage participation, the government included a penalty provision for non-compliance of up to $1,000 per day, per claim for failure to report [15]. The OIG has adjusted its work plan for 2013 and 2014 to look at the MMSEA and the associated penalties that arise from non-reporting of data. OIG involvement typically precedes FCA qui tam actions. It is in this area that the greatest potential for FCA actions is likely to begin to take root.

An example of a matter that nearly received government backing is a U.S. District Court case filed in the Western District of New York, on which the seal was lifted on March 20, 2014. The government did not choose to intervene, and the Relator is a personal injury attorney who has filed against well over 50 insurance carriers and a few trucking companies that self-insure. The main cause of action alleged was that these companies shifted MSP risk to the United States government through the use of a general release [16]. Whether there will be success under the FCA remains to be seen, as the root cause appears to be brought under an FCA conspiracy theory. The Relator will have to prove a false claim, or avoidance of filing a claim, knowledge of the falsity, and the impact to the government. It is unclear, based on present allegations, if the lawsuit will pass the procedural stages, but it does demonstrate that the FCA qui tam industry is taking a serious look at the MSP area for recovery.

Concerns for the RRE in this area are potentially significant. Only recently has MMSEA data been accepted by CMS for reporting by the RRE. As of 1/1/2010, CMS received quarterly downloads from RREs’ workers’ compensation and no-fault plans that involve cases where Ongoing Responsibility for Medical (ORM) was determined. Pursuant to the CMS User Guides, Regulations, and Memoranda, these RREs must monitor all claims, no matter the case status, that were open on 1/1/2010, or were re-opened or newly reported after that date. Once identified, ORM status is to be reported, but it can be immediately terminated if certain established CMS criteria are met.

On October 1, 2010, CMS started to accept the second MMSEA data element from RREs’ workers’ compensation and liability plans regarding the Total Payment Obligation to Claimant (TPOC) meeting certain value thresholds. These TPOCs, or settlements with Medicare beneficiaries, were typically collected the quarter before reporting, and then submitted during an assigned window period set up by CMS for the RRE.

The reporting requirement under the MMSEA provides a relatively straightforward way to establish a claim/record being submitted to the government under the FCA. Whether or not it is false would depend on the Regulations, Rules, Policies (User Guides) and Memoranda from the government about what and when to report. FCA criteria can be easily met, as it is simple to determine from the data when a claim/record was submitted or if it was missed. Determining whether it is false would be harder, but how claim systems manage information based upon the regulations, rules, and policies could be probative on that point. This exact issue came up in an older FCA case involving a Medicare fiscal intermediary, known as Highmark [17]. This entity served two roles with Medicare, one as a Medicare contractor processing payment claims, and the other as a private provider of services. An FCA action was brought against Highmark for inconsistent claim processes, and the court found a basis to sustain the FCA complaint based on the fact that the claims processing system did not properly line up with Medicare requirements. Consistent with that ruling, the CMS User Guides and related policy memoranda would be similarly construed, and therefore whether an RRE had a case to report as a TPOC or ORM would be based on how those rules would apply.

An RRE’s exposure to an FCA action is mitigated if the RRE utilizes an MMSEA reporting system that is tested. Most MMSEA reporting systems are compliant with the technical aspects of the CMS User Guides; however, they lack the processes that integrate the CMS regulations, policies and user guide rules to allow the end-user to enter the appropriate data. Most reporting systems lack an MMSEA solution with built-in business intelligence to allow the right information to be entered at the right time. The adjuster responsible for entering the data at the critical points needs to be guided to ensure correct submission of data to the government.

Franco Signor LLC processes over 2M records each month to the government for RREs. We have audited over 1,900 RREs and have drawn the conclusion that the MMSEA reporting systems are sound, but the data being populated by the front lines is not consistent with known rules, regulations and policies of Medicare. We have recommended business intelligence methodology to guide the adjuster to avoid the potential MSP exposure, as well as the emerging risk of associated FCA exposure. The cost is minimal to secure a baseline on MSP compliance performance. Integration of business intelligence takes time, but must be accomplished before MSP penalties become fully enforceable. Do not be the RRE whose MMSEA reporting system and methodology is tested by an FCA or qui tam action.

[1] 42 U.S.C. §1395y(b)

[2] Today the FCA penalty range is set at $5,500 to $11,000 based on auto triggers within the legislation

[3] Gonter v. Hunt Valve Co. 510 F.3d 610 (2007)

[4] http://www.quarles.com/omnicare-settles-more-allegations-2013

[5] http://www.phillipsandcohen.com/Success-for-Clients/P-C-s-Successful-Whistleblower-Cases.shtml

[6] 31 U.S.C. §3730(d)(3)

[7] 31 U.S.C. §3730(b)(5)

[8] 31 U.S.C. §3730(e)(3)

[9] 31 U.S.C. §3730(e)(4)(A)

[10] 31 U.S.C. §3730(c)(1)

[11] 31 U.S.C. §§3729(a)(1)(A) and (B)

[12] 31 U.S.C. §3729(a)(1)(G)

[13] 31 U.S.C. §3729(a)(1)(C)

[14] http://www.francosignor.com/blog/medicare-jurisdiction/medicare-secondary-payer-act-implicated-in-false-act-claim-against-hospital

[15] 42 U.S.C. §1395y(b)(8)

[16] U.S. v. Allstate Insurance Company, et al., Case #cv-01015-WMS, U.S. Dist. Court for the Western District of New York.

[17] http://www.paed.uscourts.gov/documents/opinions/04D0039P.pdf