How Home Health Agencies Can Prepare for a Medicare or Medicaid Audit

This article was originally published by Much Shelist, P.C. Read it on the Much website.

Fenton Jurkowitz has closed its operations. Benjamin Fenton, Nick Jurkowitz, Henry Fenton, Herbert Weinberg, Nishka Khanna, and Anne Schneider are now attorneys at Much. As we enter this exciting chapter, we thank our clients and friends for their support. Our attorneys continue to represent health care companies in matters ranging from complex litigation and compliance to license defense and transactions, now with the full-service capabilities of the Much platform.

Federal and state regulators have intensified oversight of home health services in recent years. With Medicare and Medicaid fraud estimated to cost taxpayers over $300 billion each year, agencies and individual healthcare workers are experiencing heightened scrutiny from the Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG). As a result, preparing for a potential audit is no longer optional. It’s essential risk management.

Our law firm represents healthcare workers and home health professionals facing regulatory investigations, audits, licensing matters, and allegations of improper billing. The guidance below highlights major audit risk areas and practical steps agencies and clinicians can take to protect themselves.

Key Areas of Audit Focus

The OIG’s Compliance Program Guidance for Home Health Agencies emphasizes common issues that often lead to audits or enforcement actions, including:

  • Billing for services or items not provided
  • Billing for medically unnecessary services
  • Duplicate claims
  • Offering incentives to referral sources
  • Billing for patients who are not homebound
  • Over- or under-utilization of services
  • Documentation that does not support reimbursement
  • Improper patient solicitation
  • Poor oversight of subcontractors leading to inaccurate billing

A strong, well-maintained compliance program is the most effective protection against these risks.

How To Build a Compliance Program

A comprehensive compliance program must be regularly reviewed, updated, and documented. Home health owners and administrators must create processes that support legal and ethical behavior and ensure compliance.

Key elements include:

  • Accurate, timely documentation
  • Consistent billing practices
  • Adherence to privacy and security requirements
  • Ongoing training for clinical and administrative staff
  • Internal monitoring and corrective action procedures

Most Common Home Health Audit Types

1. Medical Necessity and Homebound Status

The most common home health audit involves determining whether services were reasonable, necessary, and compliant with Medicare rules.

Auditors routinely examine:

  • Whether the patient’s care needs meet homebound criteria
  • Whether a physician ordered and certified medical services
  • Whether documentation clearly supports the level of care provided
  • Whether the plan of care was routinely evaluated and followed

Insufficient documentation does not just lead to claim denials. It can result in:

  • Repayment demands
  • Lengthy appeals
  • Potential civil penalties under the False Claims Act

For healthcare workers, inadequate documentation can also expose clinicians to disciplinary complaints or employment consequences. Thorough and consistent charting is the best defense.

2. Improper Referral Relationships

Federal and state laws strictly regulate financial and referral relationships in home health. Agencies and healthcare workers must be cautious about how they interact with physicians, facilities, and other referral partners.

Key laws include:

  • Stark Law: Prohibits physicians from referring Medicare/Medicaid patients to entities in which they have a financial interest.
  • Anti-Kickback Statute (AKS): Prohibits offering or receiving any payments for referrals of federal healthcare program beneficiaries.
  • Civil Monetary Penalties Law: Restricts giving beneficiaries gifts valued over $15.

Improper arrangements can lead to serious penalties and may also result in exclusion from federal programs. Examples include:

  • Medical directorships as referral incentives
  • Free services to facilities
  • Gifts to providers

If you are unsure whether a relationship is legally compliant, seek guidance from a qualified healthcare attorney before proceeding.

3. Protecting Patient Privacy and Securing PHI

The home health industry is moving towards mobile technology and remote access. Because of this, regulators are paying more attention to HIPAA and HITECH compliance. Home health workers often access sensitive data outside traditional clinical settings, increasing risk.

Common vulnerabilities include:

  • Unsecured mobile devices
  • Weak password protection
  • Lack of encryption
  • Improper storage or transfer of PHI
  • Unauthorized sharing of patient information

HIPAA violations, even unintentional ones, can result in significant fines and mandatory reporting obligations. Agencies should train clinicians on proper PHI handling and implement technical safeguards.

Audit-Ready Compliance Checklist

Below is a practical compliance checklist that agencies and their staff can use to prepare for potential audits:

Clinical & Documentation Compliance

  • Train and re-train staff on homebound criteria and medical necessity requirements.
  • Conduct pre-billing chart reviews to confirm documentation supports all services billed.
  • Perform routine internal audits or engage an outside consultant.
  • Ensure frequent physician review and updating of the plan of care.

Referral & Financial Relationship Compliance

  • Maintain written agreements for all referral-related financial arrangements.
  • Limit who can enter into financial or contractual relationships on behalf of the agency.
  • Keep a log of any gifts provided to referral sources or clients.
  • Consult a healthcare attorney before entering any questionable arrangement.

HIPAA, Security & Technology Practices

  • Require two-factor authentication for all devices accessing PHI.
  • Provide encrypted, agency-managed devices where possible.
  • Implement a written Bring Your Own Device (BYOD) policy if personal devices are permitted.
  • Discourage storing passwords in unencrypted browser-based managers.
  • Require immediate reporting of lost or stolen devices.
  • Designate a Privacy and Security Officer responsible for HIPAA oversight.

Organizational Culture & Reporting

  • Encourage staff to report potential compliance issues without consequence.
  • Foster a culture of transparency and accountability across all levels of the agency.

When to Contact a Healthcare Law Firm

Whether you are an agency owner, administrator, nurse, therapist, or biller, legal guidance from an experienced healthcare firm is crucial if you receive:

  • An audit notification
  • A documentation request
  • A suspected overpayment letter
  • A visit from surveyors
  • Allegations of improper billing or referrals

Consult California Healthcare Attorneys

Because of the complexities and variations associated with home care, it is often difficult to keep track of regulations. A good home healthcare lawyer will carefully review your organization and help ensure that all regulations and compliance requirements are met.

As one of the nation’s leading healthcare firms, Fenton Jurkowitz Law Group regularly develops preventative and proactive legal strategies for any transactional, litigation, compliance, and regulatory defense needs. If you are a practitioner or director of a home care facility in need of legal guidance, speak with one of our California healthcare attorneys today.