Compliance & Risk: You Can’t Put the Genie Back in the Bottle

magic lamp with smoke coming out
By Nancy J. Beckley, MS, MBA

Health care enforcement is solidly amid a sea of change, particularly with respect to the ability of oversight authorities and payers to collect and analyze data for enforcement activities.

In the November 2021 Healthcare Compliance Enforcement Conference “data” was an underlying theme weaving throughout the three days of presentations. Perhaps most striking was the level of sophistication and detail laid out in a presentation by the data folks from the HHS Office of Inspector General (OIG). The OIG’s Division of Data Analytics (DDA) provides different ways for the OIG to find insights on risk across programs by developing predictive models for Medicare and Medicaid. There are currently nine models covering non-institutional providers, home health, hospice, pharmacies, general prescribers, and opioid prescribers. Their presentation described how these OIG models identify and triage investigative leads, using supervised random forest models with labels having similarity to past law enforcement cases. The models include a mix of fraud scheme and case mix indicators.1

I was fortunate to be an invited co-presenter for another session with an attorney from the Office of Council to the Inspector General (OCIG). This presentation drilled down on OIG data analytics in multiple fashions using OIG data tools: the presentation started with a view of the entire universe of therapy specific data set, then drilled down to utilization and trends over time by regions of the country, specific states, and, finally, single counties. The OIG has more data than one can imagine along with the analytical tools to detect aberrant patterns, outliers, and inliers. All this data, and robust analytical capabilities provide opportunities for audits and investigations, and/or to support audits and investigations.

The takeaway? If the OIG, CMS, and other payers have your data, your practice should be collecting, analyzing, and using data in your compliance program which is regularly reviewed by the compliance officer. Who in your organization reviews this information and where is it located? Is it easily accessible and what do you do with the data once you identify it? The genie is out of the bottle.


Outpatient physical therapy has been on the risk radar for a long time, both by CMS as well as by the OIG with a wave of Audit Reports beginning in the early 2000s. One specific 2010 OIG Report from the Office Evaluation and Inspections, focusing on Miami-Dade County in South Florida was the impetus for identifying physical therapists in private practice as a Medicare enrollment risk in the “moderate” category in the Patient Protection and Affordable Care Act (ACA).2 As a result, enrolling physical therapists and physical therapy group practices are subject to a site visit by a CMS Enrollment Validation Contractor and additional enrollment scrutiny.

The 2000s brought reviews, audits, and investigations from a variety of sources:

  • Recovery Audit Contractors (RAC), who could forget manual medical reviews for therapy over the $3,800 threshold?
  • Medicare Administrative Contractors (MAC) pre-payment, post-payment reviews, and “Targeted, Probe & Educate” (TPE) reviews
  • Multiple Comparative Billing Reports (CBR) issued to physical therapists
  • Supplemental Medical Review Contractor (SMRC) reviews of therapy for therapy over the $3,000 threshold and also for specific telehealth codes
  • Comprehensive Error Rate Testing (CERT) reviews
  • Zone Program Integrity Contractors (ZPIC), now Unified Program Integrity Contractors (UPIC) audit notifications to targeted therapists and/or group practices

In addition to reviews by CMS and its Program Integrity Contractors, there has been a variety of audits and investigations of physical therapy practices by enforcement agencies, including those initiated or brought forth by qui tam relators (whistleblowers), aberrant data analysis, or MAC referral:

  • Office of Inspector General (OIG)
  • Federal Bureau of Investigation (FBI)
  • Department of Justice (DOJ) and Offices of the United States Attorneys (94 Federal Districts)
  • State Medicaid Offices and Medicaid Fraud Control Units (MFCU)
  • Defense Criminal Investigative Service (DCIS)
  • Medicare Strike Force Initiatives

These types of reviews, audits, and investigations provide an insight into risk areas for data collection, internal review, and follow up at your practice. At the baseline there are common themes that emerge:

  • Billing for therapy as if it were 1:1, when in fact therapy was provided to multiple patients at the same time. (Hint: group therapy should have been billed, or 1:1 time apportioned to each patient.)
  • Plan of care not properly certified. These issues generally include, but are not limited to, signature requirements, time requirements, or lack of certification.
  • Therapy not medically necessary. Progress towards goals not noted, flow sheet shows repetitive exercises for each visit, skilled care not present.
  • Violation of supervision and delegation rules, either by practice act or payer policy.


As physical therapy practices changed course in response to the Public Health Emergency (PHE) in early 2020, enforcement authorities and oversight agencies also changed course. By late summer 2021, these authorities and agencies were rapidly sliding back into action on mission activities. The MACs resumed the Targeted Probe & Educate Program in August, and the Supplemental Medical Review Contractor initiated two CMS tasked reviews. A sampling of a few items:

  • SMRC Project 01-044: Therapy Reviews Notification of Medical Review for billing dates 1/1/2018 – 12/31/2018.3
  • SMRC Project 01-055: Audio Only Telehealth Services During the PHE Notification of Medical Review for billing dates 3/6/2020 – 6/21/2021.4
  • RAC Approved Topic 0060 Untimed Therapy: Excessive Units, ongoing since 9/6/2017.5

A few noteworthy items should be reviewed in the context of your compliance program, auditing and monitoring activities, policies and procedures, and annual compliance training and education.

OIG Enforcement Activities are routinely posted to their website and include provider self-disclosures, criminal and civil actions, Medicare Strike Force actions, State enforcement agency actions, civil monetary penalties and affirmative exclusions, as well as stipulated penalties and material breaches.6 It provides a treasure trove of information for compliance professionals to develop risk profiles to be analyzed in the context of a practice’s compliance risk assessment. A sampling of several enforcement actions from 2021:

  • OIG Self-Disclosure: A Physical Therapy practice agreed to pay a penalty for allegedly violating the Civil Monetary Penalties Law by paying remuneration in the form of waived copayments and submitting claims for services by unlicensed individuals.
  • OIG Self-Disclosure: A DME Provider agreed to pay a penalty for allegedly violating the Civil Monetary Penalties Law by submitting claims for DME at locations not enrolled in Medicare.
  • Criminal and Civil Actions: USAO District of Minnesota resolution of allegations of false claims for outpatient physical therapy services7
  • Criminal and Civil Actions: USAO Western District of Michigan resolution of alleged health care fraud with therapy provider and former office manager8
  • Criminal and Civil Actions: USAO Western District of Pennsylvania criminal indictment of therapy practice and 18 employees.9


Table 1 is a small sampling of risks in the headlines in the past year. While not exhaustive, it should give you a starting point. Following a review of MAC results, OIG audits results, and DOJ enforcement actions you’ll likely want to add more rows to the table!


This article provided a snapshot of review and enforcement activity of physical therapists and physical therapy practices over the past year. Hopefully you will be inspired to look at the data that is already in your practice, and ready to review. While this discussion does not constitute legal advice, it provides direction for practices to assess compliance risk and develop and audit and monitoring program to mitigate practice risk by looking through examination of your internal data. In the event a practice identifies an issue of concern, or an issue requiring a repayment and/or self-disclosure, the practice is advised to seek advice of a health care compliance attorney. 


1HHS OIG Division of Data Analytics. Providing Next Level Data Analytics to Support the OIG Mission. Healthcare Compliance Enforcement Conference. November 10, 2021.

2Questionable Billing for Medicare Outpatient Therapy Services, Office of Inspector General, #OEI-04-09-00540, December 2010.

3Noridian Healthcare Solutions, LLC. 01-044 Therapy Reviews Notification of Medical Review. Updated April 8, 2021.

4Noridian Healthcare Solutions, LLC. 01-055 Audio Only Telehealth Services During the PHE Notification of Medical Review. Updated October 29, 2021.

5U.S. Centers for Medicare & Medicaid Services. 0060 – Untimed Therapy: Excessive Units. Published September 6, 2017.

6Office of Inspector General. Enforcement Actions. Accessed December 10, 2021.

7US Department of Justice. Physical Therapy Provider to Pay $4 Million to Resolve Alleged False Claims Act Violations. Published October 28, 2021.

8US Department of Justice. Traverse City Physical Therapy And Home Health Practices Resolve Civil Liability For Alleged Healthcare Fraud Against The United States. Published November 3, 2021.

9US Department of Justice. Hertel & Brown Physical & Aquatic Therapy, Its Two Founders Aaron Hertel and Michael Brown, and 18 Employees Indicted on Fraud Charges. Published November 9, 2021.

10American Council on Aging. Medicaid By State: Alternative Names and Contact Information. Updated April 22, 2021.

11Office of Inspector General. LEIE Downloadable Databases. Updated December 9, 2021.

Nancy J. Beckley, MS, MBA

Nancy J. Beckley, MS, MBA, is a compliance consultant located in Milwaukee, Wisconsin. She can be reached at and @nancybeckley.

Copyright © 2018, Private Practice Section of the American Physical Therapy Association. All Rights Reserved.

Are you a PPS Member?
Please sign in to access site.
Enter Site!