Compliance & Risk: You Can’t Put the Genie Back in the Bottle

magic lamp with smoke coming out

By Nancy J. Beckley, MS, MBA

Health care enforcement is solidly amid a sea of change, particularly with respect to the ability of oversight
authorities and payers to collect and analyze data for enforcement activities.

In the November 2021 Healthcare Compliance Enforcement Conference “data” was an underlying theme weaving throughout the
three days of presentations. Perhaps most striking was the level of sophistication and detail laid out in a presentation
by the data folks from the HHS Office of Inspector General (OIG). The OIG’s Division of Data Analytics (DDA) provides
different ways for the OIG to find insights on risk across programs by developing predictive models for Medicare and
Medicaid. There are currently nine models covering non-institutional providers, home health, hospice, pharmacies,
general prescribers, and opioid prescribers. Their presentation described how these OIG models identify and triage
investigative leads, using supervised random forest models with labels having similarity to past law enforcement cases.
The models include a mix of fraud scheme and case mix indicators.1

I was fortunate to be an invited co-presenter for another session with an attorney from the Office of Council to the
Inspector General (OCIG). This presentation drilled down on OIG data analytics in multiple fashions using OIG data
tools: the presentation started with a view of the entire universe of therapy specific data set, then drilled down to
utilization and trends over time by regions of the country, specific states, and, finally, single counties. The OIG has
more data than one can imagine along with the analytical tools to detect aberrant patterns, outliers, and inliers. All
this data, and robust analytical capabilities provide opportunities for audits and investigations, and/or to support
audits and investigations.

The takeaway? If the OIG, CMS, and other payers have your data, your practice should be collecting, analyzing, and using
data in your compliance program which is regularly reviewed by the compliance officer. Who in your organization reviews
this information and where is it located? Is it easily accessible and what do you do with the data once you identify it?
The genie is out of the bottle.


Outpatient physical therapy has been on the risk radar for a long time, both by CMS as well as by the OIG with a wave of
Audit Reports beginning in the early 2000s. One specific 2010 OIG Report from the Office Evaluation and Inspections,
focusing on Miami-Dade County in South Florida was the impetus for identifying physical therapists in private practice
as a Medicare enrollment risk in the “moderate” category in the Patient Protection and Affordable Care Act (ACA).2 As a
result, enrolling physical therapists and physical therapy group practices are subject to a site visit by a CMS
Enrollment Validation Contractor and additional enrollment scrutiny.

The 2000s brought reviews, audits, and investigations from a variety of sources:

  • Recovery Audit Contractors (RAC), who could forget manual medical reviews for therapy over the $3,800 threshold?
  • Medicare Administrative Contractors (MAC) pre-payment, post-payment reviews, and “Targeted, Probe & Educate” (TPE)
  • Multiple Comparative Billing Reports (CBR) issued to physical therapists
  • Supplemental Medical Review Contractor (SMRC) reviews of therapy for therapy over the $3,000 threshold and also for
    specific telehealth codes
  • Comprehensive Error Rate Testing (CERT) reviews
  • Zone Program Integrity Contractors (ZPIC), now Unified Program Integrity Contractors (UPIC) audit notifications to
    targeted therapists and/or group practices

In addition to reviews by CMS and its Program Integrity Contractors, there has been a variety of audits and
investigations of physical therapy practices by enforcement agencies, including those initiated or brought forth by qui
tam relators (whistleblowers), aberrant data analysis, or MAC referral:

  • Office of Inspector General (OIG)
  • Federal Bureau of Investigation (FBI)
  • Department of Justice (DOJ) and Offices of the United States Attorneys (94 Federal Districts)
  • State Medicaid Offices and Medicaid Fraud Control Units (MFCU)
  • Defense Criminal Investigative Service (DCIS)
  • Medicare Strike Force Initiatives

These types of reviews, audits, and investigations provide an insight into risk areas for data collection, internal
review, and follow up at your practice. At the baseline there are common themes that emerge:

  • Billing for therapy as if it were 1:1, when in fact therapy was provided to multiple patients at the same time. (Hint:
    group therapy should have been billed, or 1:1 time apportioned to each patient.)
  • Plan of care not properly certified. These issues generally include, but are not limited to, signature requirements,
    time requirements, or lack of certification.
  • Therapy not medically necessary. Progress towards goals not noted, flow sheet shows repetitive exercises for each
    visit, skilled care not present.
  • Violation of supervision and delegation rules, either by practice act or payer policy.


As physical therapy practices changed course in response to the Public Health Emergency (PHE) in early 2020, enforcement
authorities and oversight agencies also changed course. By late summer 2021, these authorities and agencies were rapidly
sliding back into action on mission activities. The MACs resumed the Targeted Probe & Educate Program in August, and the
Supplemental Medical Review Contractor initiated two CMS tasked reviews. A sampling of a few items:

  • SMRC Project 01-044: Therapy Reviews Notification of Medical Review for billing dates 1/1/2018 – 12/31/2018.3
  • SMRC Project 01-055: Audio Only Telehealth Services During the PHE Notification of Medical Review for billing dates
    3/6/2020 – 6/21/2021.4
  • RAC Approved Topic 0060 Untimed Therapy: Excessive Units, ongoing since 9/6/2017.5

A few noteworthy items should be reviewed in the context of your compliance program, auditing and monitoring activities,
policies and procedures, and annual compliance training and education.

OIG Enforcement Activities are routinely posted to their website and include provider self-disclosures, criminal and
civil actions, Medicare Strike Force actions, State enforcement agency actions, civil monetary penalties and affirmative
exclusions, as well as stipulated penalties and material breaches.6 It provides a treasure trove of information for
compliance professionals to develop risk profiles to be analyzed in the context of a practice’s compliance risk
assessment. A sampling of several enforcement actions from 2021:

  • OIG Self-Disclosure: A Physical Therapy practice agreed to pay a penalty for allegedly violating the Civil Monetary
    Penalties Law by paying remuneration in the form of waived copayments and submitting claims for services by unlicensed
  • OIG Self-Disclosure: A DME Provider agreed to pay a penalty for allegedly violating the Civil Monetary Penalties Law
    by submitting claims for DME at locations not enrolled in Medicare.
  • Criminal and Civil Actions: USAO District of Minnesota resolution of allegations of false claims for outpatient
    physical therapy services7
  • Criminal and Civil Actions: USAO Western District of Michigan resolution of alleged health care fraud with therapy
    provider and former office manager8
  • Criminal and Civil Actions: USAO Western District of Pennsylvania criminal indictment of therapy practice and 18


Table 1 is a small sampling of risks in the headlines in the past year. While not exhaustive, it should give you a
starting point. Following a review of MAC results, OIG audits results, and DOJ enforcement actions you’ll likely want to
add more rows to the table!


This article provided a snapshot of review and enforcement activity of physical therapists and physical therapy
practices over the past year. Hopefully you will be inspired to look at the data that is already in your practice, and
ready to review. While this discussion does not constitute legal advice, it provides direction for practices to assess
compliance risk and develop and audit and monitoring program to mitigate practice risk by looking through examination of
your internal data. In the event a practice identifies an issue of concern, or an issue requiring a repayment and/or
self-disclosure, the practice is advised to seek advice of a health care compliance attorney. 


1HHS OIG Division of Data Analytics. Providing Next Level Data Analytics to Support the OIG Mission.
Healthcare Compliance Enforcement Conference. November 10, 2021.

2Questionable Billing for Medicare Outpatient Therapy Services, Office of Inspector General,
#OEI-04-09-00540, December 2010.

3Noridian Healthcare Solutions, LLC. 01-044 Therapy Reviews Notification of Medical Review.
https://www.noridiansmrc.com/current-projects/01-044/. Updated April 8, 2021.

4Noridian Healthcare Solutions, LLC. 01-055 Audio Only Telehealth Services During the PHE Notification
of Medical Review. https://www.noridiansmrc.com/current-projects/01-055/. Updated October 29, 2021.

5U.S. Centers for Medicare & Medicaid Services. 0060 – Untimed Therapy: Excessive Units.
Published September 6, 2017.

6Office of Inspector General. Enforcement Actions. https://oig.hhs.gov/fraud/enforcement/. Accessed
December 10, 2021.

7US Department of Justice. Physical Therapy Provider to Pay $4 Million to Resolve Alleged False Claims
Act Violations.
Published October 28, 2021.

8US Department of Justice. Traverse City Physical Therapy And Home Health Practices Resolve Civil
Liability For Alleged Healthcare Fraud Against The United States.
https://www.justice.gov/Usao-wdmi/pr/2021_1103_Harvey. Published November 3, 2021.

9US Department of Justice. Hertel & Brown Physical & Aquatic Therapy, Its Two Founders Aaron Hertel and
Michael Brown, and 18 Employees Indicted on Fraud Charges.
Published November 9, 2021.

10American Council on Aging. Medicaid By State: Alternative Names and Contact Information.
https://www.medicaidplanningassistance.org/state-medicaid-resources/. Updated April 22, 2021.

11Office of Inspector General. LEIE Downloadable Databases.
https://oig.hhs.gov/exclusions/exclusions_list.asp. Updated December 9, 2021.

Nancy J. Beckley, MS, MBA

Nancy J. Beckley, MS, MBA, is a compliance consultant located in Milwaukee, Wisconsin. She can be reached at
nancy@nancybeckley.com and @nancybeckley.