Self-Audit Results Found Sufficient to Sustain False Claims Act Complaint

by Baker Donelson

District Court Finds That Medical Group’s Failure to Further Investigate Audit Results May Violate Requirement to Return Overpayments


Internal audits of third-party payment claims – frequently referred to as “self-audits” – have been recognized as an effective way for health care providers to identify and to correct non-compliant billing practices. The Department of Health & Human Services, Office of Inspector General (OIG) recommends review of bills and medical records for compliance with applicable coding, billing and documentation requirements in its compliance guidance for individual physicians and small physician group practices. OIG compliance guidance for clinical laboratories also urges the use of compliance audits.

More recently, issues related to self-audits have been raised in connection with statutory provisions added by the Patient Protection and Affordable Care Act (Pub. L. 111-148), as amended by the Health Care Education Reconciliation Act of 2010 (Pub. L. 111-152), collectively known as the Affordable Care Act (ACA). These provisions require providers to report and return any Medicare or Medicaid overpayment within 60 days of identification of the overpayment, or face administrative sanctions and potential liability under the False Claims Act (FCA).1 In a proposed rule that would implement these statutory provisions with respect to Medicare overpayments, the Centers for Medicare & Medicaid Services (CMS) indicated that when a Medicare provider or supplier “performs an internal audit and discovers that overpayments exist,” an overpayment has been identified, triggering the obligation to report and return the overpayment within 60 days. CMS, Medicare Program; Reporting and Return of Overpayments, 77 Fed. Reg. 9179, 9182 (proposed Feb. 16, 2012).

U.S. and State of Wisconsin, ex rel. Keltner v. Lakeshore Medical Clinic, Ltd.

A recent court decision demonstrates that self-audit results can have important compliance and provider liability implications, including under the statutory requirement that health care providers return overpayments within 60-days of their identification. In U.S. and Wisconsin, ex rel. Keltner v. Lakeshore Med. Clinic, Ltd., Case No. 11-cv-00892, 2013 WL 1307013, at *1 (E.D. Wis. Mar. 28, 2013), a former employee of a large multi-specialty medical group sued the medical group under the FCA’s qui tam provisions and related state law, claiming that the medical group had filed fraudulent payment claims with Medicare and Medicaid. The employee alleged, among other things, that it overbilled Medicare and Medicaid for evaluation and management (E/M) services. She claimed that an annual internal audit of 25 claims per physician demonstrated that two physicians had each upcoded more than 10% of his claims. The employee alleged that although the medical group returned overpayments related to their specific claims that were found to have been upcoded, the physicians’ non-audited claims were not reviewed. The employee asserted that the medical group subsequently stopped reviewing E/M service codes, leaving its physicians free to upcode claims without being discovered. Id. at *3. Both the United States and the state of Wisconsin declined to intervene in the action; however, the employee continued to pursue her claim.

The medical group filed a motion to dismiss the complaint, including claims related to E/M services, asserting that it did not state a valid cause of action and that it did not include information necessary to support a fraud claim. The employee asserted, however, that under the circumstances described above, it could be “plausibly inferred” that the medical group submitted fraudulent claims for E/M services. Id.

The court agreed, finding that the employee’s allegations were sufficient to withstand the medical group’s motion to dismiss. The court stated that “[a]lthough [the employee] does not allege that [the medical group] knew that specific requests for reimbursement for E/M services were false, she claims that [it] ignored audits disclosing a high rate of upcoding and ultimately eliminated audits altogether.” Id. According to the court, “[t]hese allegations plausibly suggests that [the medical group] acted with reckless disregard for the truth and submitted some false claims.” Id.

The court also rejected the medical group’s assertion that coding decisions were subjective and that most of the alleged errors involved a one-level coding difference only. According to the court, “[w]hile a one-level coding difference might reflect a legitimate difference of opinion as to the value of the services provided, it could also result from wrongful upcoding and from [the medical group’s] failure to review bills that it had reason to believe contained errors.” Id. Similarly, the court rejected the medical group’s assertion that the alleged miscoding could have reflected only “an absence of medical documentation,” rather than a failure to provide the services billed. The court stated that while FCA liability requires proof that the medical group did not actually provide the services reflected on its claim for payment, “[a]n absence of medical documentation is sufficient to support a plausible claim of fraud.” Id.

The court stated that the employee had also stated “a plausible claim for relief under the amended reverse false claim provision of the FCA for overpayments withheld after May 20, 2009.”2 According to the court, “[i]f the government overpaid [the medical group] for E/M services and [it] intentionally refused to investigate the possibility that it was overpaid, it may have unlawfully avoided an obligation to pay money to the government.” Id.

The court’s decision will allow the employee to proceed with her FCA claims, both as to claims that were submitted after the self-audit was completed and as to the medical group’s failure to return overpayments that had been received previously. It is not, however, the final decision in this matter; the medical group may very well prevail in its defense of her fraud claims.

Analysis of Impact of Self-Audit Findings

The court’s decision in Lakeshore Med. Clinic demonstrates certain vulnerabilities to qui tam lawsuits resulting from self-audits. Additionally, although the employee did not rely on statutory provisions that require return of an overpayment within 60 days of identification, the decision provides a context for analyzing issues related to this requirement.

If the employee’s allegations in Lakeshore Med. Clinic are taken as both true and complete, the medical group performed self-audits to identify potential non-compliant payment claims. However, it did not use the audit results, except to return overpayments related to particular claims that were within the audit sample and which related to the two physicians who had been determined to have overcoded E/M services significantly. This resulted in the medical group’s potential liability for both claims submitted after the results of the self-audit were known and for claims for which payment had already been received. Each type of claim is discussed below.

Subsequent Claims

The Lakeshore Med. Clinic court appears to have determined that the employee alleged a valid cause of action related to payment claims submitted after the medical group’s receipt of the audit results because it took no action in response to the audit findings, and, in fact, stopped performing self-audits. According to the court, this was sufficient for it to infer that (1) false claims were subsequently submitted and (2) the medical group acted in reckless disregard of those claims (sufficient to establish “knowing” conduct under the FCA).

Ober|Kaler’s Comments: Given that the FCA provides for significant penalties for false claims if the claimant acted “in deliberate ignorance of the truth” or “in reckless disregard of the truth,” a health care provider whose self-audit indicates that sampled claims have been overpaid should determine whether further action is required to avoid recurrence of such incorrect claims. Lakeshore Med. Clinic demonstrates that failure to take reasonable actions to prevent recurrence of improper claims of the same type identified in the self-audit could support an assertion that the health care provider acted in reckless disregard for the truth of its subsequently submitted payment claims. Documentation demonstrating that the health care provider employed reasonable good faith efforts to correct any improper billing procedures may offer substantial protection against FCA allegations if it is determined to have subsequently submitted incorrect claims for payment.

Claims for Which Payment Had Been Previously Received

The medical group’s alleged failure to take further action in connection with claims for which it had previously received payment, particularly claims that were not part of the two 25-claim samples, raised issues under the statutory provisions requiring return of overpayments. Although the court in Lakeshore Med. Clinic was not required to follow CMS interpretations of these provisions as reflected in its proposed rule, its application to the facts alleged in that matter may be instructive.

As discussed previously, CMS stated in the proposed rule that an overpayment could be deemed to have been identified from an internal audit. The agency, however, did not state that the audit served to identify overpayments related to claims that had not been specifically reviewed. Similarly, there is nothing in CMS’ discussion of government audit results that indicates specifically that any such finding applied to claims that had not been reviewed by the agency. CMS stated that when a government agency informs a provider or supplier that its audit had discovered a “potential overpayment,” the provider or supplier was required to make a “reasonable inquiry” to determine if it received an overpayment; its failure to do so could cause it to have knowingly retained an overpayment in violation of the law because it would have then acted in reckless disregard or deliberate ignorance of whether it received an overpayment. 77 Fed. Reg. at 9182.

According to CMS, receipt of information concerning a potential overpayment could “create[ ] an obligation to make a reasonable inquiry to determine whether an overpayment exists.” Id. Therefore, under the proposed rule, further analysis of claims may be required if self-audit results are sufficient to raise concerns that overpayments had been received regarding claims that had not been reviewed. Under the facts raised in Lakeshore Med. Clinic, the question would be whether the determination that two physicians had overcoded more than 10% of their E/M services required the medical group to analyze additional non-audited claims for E/M services that these physicians had furnished.

Ober|Kaler’s Comments: The proposed rule does not provide specific advice as to how to determine whether the results of a self-audit are sufficient to create an obligation to investigate whether an overpayment existed in connection with unaudited claims. In the absence of any specific guidance, it would appear reasonable for a health care provider to review the totality of circumstances to determine whether the incorrect payment claims that were identified as part of the self-audit reflect isolated mistakes or omissions, such as the failure to document a particular service that had been provided, or whether they reflect a general practice or misunderstanding of payment requirements that would routinely affect payment claims. The former would be less likely to require analysis of additional claims than the latter.

Similarly, the proposed rule did not suggest whether there was a threshold of improper claims that was required to be exceeded before an obligation to analyze additional claims was triggered. For purposes of claims review generally required under a Corporate Integrity Agreement, the OIG has required further analysis only if the “net financial error rate” from an initial 50-sample unit equals or exceeds 5%. The calculated error rate used by the OIG reflects both the percentage of improper claims and the amounts involved; it is computed based on the dollar difference between the total amount that was paid and the total amount that should have been paid, divided by the total dollar value of the sample. As part of the calculation required by the OIG, any underpayments are offset from overpayments received; CMS’ proposed rule, however, does not indicate that underpayments are relevant. While this may be a reasonable approach in determining whether further analysis of previously paid claims is necessary, CMS has not recommended its use for this purpose (or even acknowledged that any level of payment discrepancies reflected in a self-audit is considered de minimus and can be disregarded). Health care providers are therefore left with little guidance as to their legal obligations upon receipt of self-audit results reflecting any overpayment for services that were provided.


Ober|Kaler Comments: For sure, the lack of guidance from CMS regarding application of the 60 day overpayment return requirement places health care providers in a difficult position. Nonetheless, if a self-audit reflects excessive payment for services, they will be required to make important decisions regarding what, if any, action is required. This includes determining whether further action is required in connection with claims for which payment has already been received and, if so, determining what procedures are appropriate to identify related overpayments. These determinations, including the basis on which they were made, should be carefully documented even if it is determined that no further action is required. Such documentation may assist a health care provider prove that it did not know of the existence of an overpayment or act in reckless disregard or deliberate ignorance of its existence, should a claim of failure to return overpayments be asserted.

In the absence of final regulations, some health care providers may be inclined not to take any action when a self-audit reveals a potential overpayment. A provider may believe that the proposed rule’s requirement that it exercise “reasonable diligence” or make a “reasonable inquiry” when there is information to suggest that an overpayment may exist goes beyond what the statute requires. Alternatively, it may believe that because the agency has not issued a final rule specifying related requirements, the federal government would not pursue violations of the 60-day repayment rule in this type of situation. They may or may not be correct. However, health care providers that fail to review results of internal audits and to take any action to identify and return overpayments that is appropriate under the particular circumstances may be at significant legal risk. The lack of specific agency guidance may not dissuade potential qui tam relators from pursuing claims against health care providers.

How to determine whether there is a sufficient basis to require a health care provider to investigate whether it received overpayments is only one of many important issues related to the statutory obligation to return overpayments about which there is no clear guidance available. Providers of health care services and their legal counsel will need to remain alert for subsequent developments, particularly final regulations addressing CMS’ implementation of the statutory requirement.


1 Claims under the FCA for failure to repay monies owed to the government are referred to frequently as “reverse false claims.”

Under statutes that are currently in effect, a person who has received a Medicare or Medicaid overpayment is required to report and return the overpayment within 60 days after the date on which the overpayment is identified (overpayments related to cost reports must be reported and returned when the cost report is due). 42 U.S.C. § 1320a-7k. Failure to do so can result in civil money penalties and related assessments and exclusion from Federal health care programs. 42 U.S.C. § 1320a-7a. Additionally, an overpayment that is not repaid within 60 days becomes an “obligation” under the FCA. 42 U.S.C. § 1320a-7k(d)(3). Under the FCA, a person who knowingly and improperly avoids or decreases an obligation to pay or transmit money to the government is subject to substantial monetary damages. 31 U.S.C. § 3729(a)(1)(G).

2 The date referred to by the court reflects enactment of the Fraud Enforcement Recovery Act of 2009 (FERA), Pub. L. 111-21, which defined “obligation” for purposes of the FCA to include “an established duty... arising from the retention of an overpayment.” This new definition effectively provided for a cause of action under the FCA based on failure to return an overpayment received from the government. The 60-day deadline for return of overpayments was provided for in subsequent ACA legislation, which became effective on May 22, 2010. See generally, U.S. ex rel. Stone v. Omnicare, Inc., No. 0904319, 2011 WL 2669659, *3 (N.D. Ill. July 7, 2011). In Lakeshore Med. Clinic, the employee did not rely on the 60-day requirement provided for in current statutes.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Baker Donelson | Attorney Advertising

Written by:

Baker Donelson

Baker Donelson on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.