​Program Integrity: Post and
Prepayment Reviews

Program Integrity Reviews

The Department of Human Services is committed to preventing, identifying, and combating fraud and abuse within the Medical Assistance Program. To that end, the Office of Administration's Bureau of Program Integrity conducts post-payment or prepayment reviews to determine if services were provided and billed in accordance with applicable regulations. Providers are selected for review based on complaints, referrals, calls to the Medical Assistance Provider Compliance Hotline, or through the use of fraud and abuse detection technology. All providers are at risk of review. These reviews may include, but are not limited to, one or more of the following activities:

• Claims profile reviews to identify those providers/recipients whose billing/service patterns indicate overutilization or underutilization of services;
• On-site visits to observe the treatment setting, interview staff and providers regarding record-keeping and billing procedures and/or to obtain records for review;
• Recipient evaluations or interviews at centralized locations, or home visits to evaluate services rendered in comparison to services billed;
• Record reviews by medical professionals, including peer review, to determine if records are properly maintained, reflect services rendered, services meet required standards of practice, and services are billed appropriately.

Results of Reviews:

As a result of a review, DHS may take one or more of the following actions:

• Issue discrepancy letters;
• Recover improperly paid funds, with or without penalty;
• Terminate a provider's provider agreement and preclude a provider's direct and indirect participation in the Medical Assistance Program;
• Refer a case to the Attorney General's Medicaid Fraud Control Section (provider fraud), State Office of Inspector General (recipient fraud), or other appropriate criminal law enforcement agency;
• Refer a case to an appropriate civil agency (e.g. licensing bodies);
• Seek a civil monetary penalty amounting to twice the overpaid amount plus interest;
• Request a corrective action plan or compliance plan;
• Request a provider perform a self audit.

Note: The Bureau of Program Integrity may take administrative action against all providers, including those that participate in the HealthChoices managed care delivery system. Although providers may be under contract with a managed care organization, they are also providers in the MA Program. Therefore, they are required to comply with applicable regulations.

FACT SHEET
Bureau of Program Integrity and the HIPAA Privacy Rule

This fact sheet is to address your concerns about the release of protected health information for the purpose of the Department of Human Services, Bureau Program Integrity review activities.

The Standards for Privacy of Individually Identified Health Information, otherwise known as the Health Insurance Portability and Accountability Act (HIPAA) and its attendant regulations, or the HIPAA Privacy Rule (45 CFR Parts 160 and 164), guarantee certain privacy rights to individuals.  The HIPAA Privacy Rule provides that protected health information may be used and disclosed without the authorization of the subject of that information to the extent a law requires the production of that information (See 45 CFR 164.512(a)).  The HIPAA Privacy Rule also provides that protected health information may be used and disclosed without the authorization of the subject of that information for oversight or TPO (treatment, payment and operations) activities. The DHS Bureau of Program Integrity activities fall within this category. 

Bureau of Program Integrity RIGHT TO ACCESS RECORDS

Health Insurance Portability and Accountability Act (HIPAA) Privacy regulations do not supercede the 55 Pa. Code Chapter 1101.51(e), which sets forth that "Providers shall make those records (medical and fiscal) readily available for review and copying by state and federal officials or their authorized agents."  Bureau of Program Integrity operations will limit its uses and disclosure of protected health information to the minimum necessary to accomplish the program's regulatory purpose. 

HIPAA PRIVACY - USE AND DISCLOSURE THAT DO NOT REQUIRE  AUTHORIZATION OR AN OPPORTUNITY TO AGREE OR OBJECT

164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required.

A covered entity may use or disclose protected health information without the written authorization of the individual, as described in 164.508, or the opportunity for the individual to agree or object as described in 164.510, in the situations covered by this section, subject to the applicable requirements of this section.

(a) Standard:  uses and disclosures required by law.  (1) A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to relevant requirements of such laws.

(d) Standard:  uses and disclosures for health oversight activities.  (1) Permitted disclosures.  A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:  (i) The health care system; (ii) Government benefit programs for which health information is relevant to beneficiary eligibility; (iii) Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or (iv) Entities subject to civil rights laws for which health information is necessary for determining compliance. 

Consequently, Medical Assistance providers do not need an authorization prior to releasing the necessary PHI to BPI. 

NOTE:  DHS staff is trained about the requirements of the HIPAA Privacy Rule.