Do We Have to Return Plan Overpayments?

The short answer is, yes. Did your mother teach you nothing? Of course, you must return money that isn’t yours. In fact, to be compliant with Medicare and most commercial payers, once you discover an overpayment, you’ve got to refund it within 60 days.

Sadly, I still speak with physicians who believe it’s okay to keep the money in the bank until the payer requests a refund. One large practice I work with told me they hadn’t run the credit balance report in nearly a year. When I suggested they do so, the Medicare credit balances alone totaled more than $300,000.

This is not the time to invoke “finders keepers, losers weepers.” Much as you might like to keep the cash as a way to balance out years of reduced reimbursement, when you don’t refund overpayments in a timely manner you expose the practice to collection and other risks. Plus, credit balances offset the accounts receivable report, making it appear as if the practice is owed more money than is truly the case.

Here’s how to keep your credit balances, and your practice, in the clear.


  1. Understand and follow CMS rules.

Failing to refund Medicare and other Federal program overpayments puts your practice at risk for non-compliance. Let’s review the basics of Medicare’s rules. Review CMS’ Fact Sheet for more detail.

The CMS rule is that, once identified, Medicare overpayments must be refunded within 60 days. This rule applies to overpayments that occur for a variety of reasons – insufficient documentation, medical necessity errors, duplicate payments, and administrative and processing errors among them.

Further, Medicare’s look-back period is six years. The client that identified $300,000+ in Medicare overpayments had to mobilize quickly to review and prepare refunds for overpayments that dated back six years. It wasn’t pretty.

These days, CMS’s processes are quite proactive. When the payer identifies a Medicare overpayment of $25 or more, the Medicare Administrative Contractor (MAC) will initiate a recovery process by sending an initial demand for repayment. The MAC letter will explain:

  • the reason for the overpayment
  • that interest will accrue if overpayment in full is not received within 30 days
  • options to request immediate recoupment
  • options to request an extended repayment schedule
  • your rebuttal and appeal rights

In response, a practice may either make immediate payment, request immediate recoupment, submit a rebuttal, or request a redetermination to appeal the overpayment. With immediate recoupment, Medicare recovers the overpayment by offsetting future payments for other services. As any billing staff will tell you, this is a huge pain in the you-know-what when it comes to properly posting the amounts.

If the overpayment is not repaid in full, you will receive an Intent to Refer letter 60 to 90 days after the initial demand letter. This document advises that unless payment is made or a plan is established for repayment, the MAC will refer the overpayment to the U.S. Treasury for collection.


  2. Understand private and third-party payer requirements.

Must practices refund overpayments to private payers even if they don’t request the money? Again, the short answer is yes. Once your team discovers an overpayment, your practice must refund it, even if the payer does not request it.

Most managed care contracts include a clause that requires this, along with a specified time period during which the practice must make the refund. And whereas CMS requires repayment within 60 days, commercial carriers can have their own timeframe. In fact, some of them want repayment within 30 days. Others may try to recover the overpayment through remittance adjustment on future claims or other recovery actions.

Read your contracts to understand what you’ve agreed to.

Once you know the timeframe, gather the payback procedures from the plans your practice is contracted with. Most make this easy by supplying the rules and processes on their Web sites. For example, Anthem Blue Cross provides these Refund/Recoup Reminders and Tips. Aetna also provides clear instructions on its web site. In most cases, a simple Google search will get you to the correct page on each payer’s web site.


  3. Develop a refund policy and procedure.

Generally speaking, the policy should state that your practice processes overpayment refunds within 30 days of identification and follows the guidelines for repayment established by the payer. Once you understand the compliance requirements from CMS and have completed research for plan overpayment guidelines, your team will have the details needed to develop a procedure they can follow systematically.

Procedures vary by practice but essentially you should validate that the overpayment amount is accurate and put a refund request into the accounts payable queue to be paid in the next check run or electronic payables cycle.


  4. Run the credit report regularly.

Even with best efforts to process refunds as they are identified, people get busy and things fall through the cracks. Running the credit report provides a list of any outstanding balances for the team to process. How frequently you generate this report will depend on your policy, but I recommend it be done at least quarterly and, in large practices, monthly. Ideally, the balance should be $0, or close to it.

If, like my client, you haven’t generated this report in a while, you might find the amounts total more than $0. If that’s the case, consult an attorney for assistance on how to address the overpayments – especially if you have some that are more than 60 days old. Those refunds may put your practice at risk because they don’t comply with CMS guidelines, and most likely other payor rules as well. Check with legal counsel before you begin mailing refund checks.

The bottom line is that overpayments are not “found money” for the practice. They are monies due to payors who overpaid for services. Develop a refund repayment policy that includes processing refunds regularly, generate the credit balance report monthly or quarterly to identify overpayments that may have gotten overlooked, and seek guidance from your attorney if you believe your practice is out of compliance with federal and commercial payer overpayment compliance guidelines.

Test Your Knowledge About Passwords

Did you know that more than 60% of all confirmed data breaches involve the leveraging of weak, stolen, or default passwords?

One of your practice’s frontline defenses against phishing attacks and other cybercriminal schemes is effective password management. How well are you managing yours? Take this short (and fun) quiz to find out.

1. Strong passwords are too complicated to remember. It’s fine to use passwords that are short and easy.

True or False?

Answer: False

Easy passwords are easy to crack. Believe it or not, the most popular passwords in the United States are still “password” and “12345.” These weak passwords offer little security and are simply dangerous. Instruct your team to create strong passwords that contain a mix of letters, cases, and symbols. If you’re concerned about not remembering passwords, use a password-management program like LastPass, which saves passwords securely and provides access to them on any device.

Another option is to use a passphrase built from a combination of letters and symbols. For example, “Fido” is an insecure password and easy to guess if it’s your pet’s name. But My1$tPetWasFid0 follows strong password guidelines and is more secure.
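To turn the guidance above into something a practice can actually enforce, here is a small password-policy checker. It is an added example, not code from the original article or from any password manager it mentions; the minimum length of 12, the denylist of common passwords, and the optional list of personal words (such as a pet’s name) are assumptions chosen for illustration. Run against the article’s own examples, “Fido” fails on several counts while My1$tPetWasFid0 passes.

```python
# Added example (not from the original article): check a candidate password
# against the article's guidance, namely avoid very short or well-known
# passwords and use a mix of letter cases, digits and symbols.
import string
from typing import Iterable, List

# Constructed denylist for illustration. A real deployment would load a
# published common/breached-password list instead of this handful.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "doctor", "nurse"}

# Assumed minimum length; the article gives no specific number.
MIN_LENGTH = 12


def check_password(pw: str, personal_words: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations for pw (empty list means it passes).

    personal_words are strings that are easy to guess about the user, such as
    a pet's or child's name; any password containing one is flagged.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("is a well-known default/common password")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbols")
    lowered = pw.lower()
    for word in personal_words:
        if word and word.lower() in lowered:
            problems.append(f"contains easily guessed personal word {word!r}")
    return problems


def is_strong(pw: str, personal_words: Iterable[str] = ()) -> bool:
    """Convenience wrapper: True when no violations are found."""
    return not check_password(pw, personal_words)


if __name__ == "__main__":
    # The article's two examples, with the pet's name as a personal word.
    for candidate in ("Fido", "My1$tPetWasFid0", "password"):
        result = check_password(candidate, personal_words=["Fido"])
        verdict = "OK" if not result else "; ".join(result)
        print(f"{candidate!r}: {verdict}")
```

The check is deliberately strict about independent signals (length, character classes, denylist, personal words) rather than computing a single “strength score”, because each failing signal gives the user a concrete thing to fix.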

2. Putting a sticky note on your computer or desk as a reminder of your password:

   A. Is a really bad idea.

   B. Is essential to getting any work done if you are over 40.

   C. Is a nice way to help new employees get to know you.

Answer: A

I still see sticky notes regularly in the practices I visit. And there is always at least one staff member’s desk with multiple, colored, sticky notes containing his or her password in plain sight. This is not good cyber hygiene. Conduct a walk around the office and remove all sticky notes and other evidence of passwords in plain sight. Do it today; we’ll both sleep better tonight.

3. Sharing passwords is ok because:

   A. Sharing is caring.

   B. If you forget the password, your coworker can remind you.

   C. It’s never ok to share passwords.

Answer: C

When it comes to data security, sharing is never ok. A practice in the East used just these passwords for the entire team: “doctor” and “nurse.” Although this is an extreme case, passwords are shared with some regularity in many practices. Beyond the cybersecurity concerns, sharing passwords has professional liability issues because it renders electronic medical record (EMR) audit trails useless. It’s impossible to identify the person who reviewed or entered information if passwords are shared.

Compliance issues are also triggered by password sharing. There’s no sure way to determine whether patient privacy is maintained if it’s unclear which user is accessing patient records.

The bottom line is that passwords are like underwear…don’t share them and change them often. Anyone caught sharing passwords should be disciplined.

4. When should a practice disable the passwords of employees who leave?

   A. By the end of the week after the employee is gone.

   B. When my kid is home from college; he handles stuff like that in our computer system.

   C. Immediately after you have terminated the employee, or the employee has left the premises on good terms.

   D. We’re supposed to disable passwords?

Answer: C

Staff turnover is a given. So have a plan for terminating user IDs and passwords in all systems immediately after the employee leaves. Often, this step is delayed or forgotten, leaving passwords active for potential access. Put credential disabling at the top of your employee-departure checklist.
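A departure checklist only works if someone verifies it was followed in every system. The script below is an added example, not part of the original article: it reconciles a constructed HR list of departed employees against constructed account exports from several practice systems and reports every credential that is still enabled after the departure date, together with how many days it has been left active. The system names, user ids and dates are all made up for illustration; in practice the exports would come from the EMR, email, billing and other systems the practice uses.

```python
# Added example (not from the original article): find user accounts that
# are still enabled for employees who have already left the practice.
from datetime import date
from typing import Dict, List, Tuple

# Constructed HR roster of departed employees: user id -> last day.
DEPARTED: Dict[str, date] = {
    "jdoe": date(2023, 3, 1),
    "asmith": date(2023, 3, 10),
    "ctaylor": date(2023, 4, 30),  # departure scheduled but not yet happened
}

# Constructed account exports: system name -> {user id: account enabled?}.
# A user missing from a system's export simply has no account there.
ACCOUNTS: Dict[str, Dict[str, bool]] = {
    "emr": {"jdoe": True, "asmith": False, "bjones": True, "ctaylor": True},
    "email": {"jdoe": False, "asmith": True, "bjones": True, "ctaylor": True},
    "billing": {"jdoe": True, "bjones": True},
}


def stale_credentials(
    departed: Dict[str, date],
    accounts: Dict[str, Dict[str, bool]],
    today: date,
) -> List[Tuple[str, str, int]]:
    """Return (user, system, days_since_departure) for each account that is
    still enabled for someone whose last day is on or before today."""
    findings = []
    for user, last_day in departed.items():
        if last_day > today:
            continue  # still employed; nothing to disable yet
        for system, users in accounts.items():
            if users.get(user, False):
                findings.append((user, system, (today - last_day).days))
    return sorted(findings)


def report(findings: List[Tuple[str, str, int]]) -> str:
    """Render findings as one line per stale account, or an all-clear line."""
    if not findings:
        return "All departed-employee accounts are disabled."
    lines = [f"{user:<10} {system:<10} enabled {days} day(s) after departure"
             for user, system, days in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(stale_credentials(DEPARTED, ACCOUNTS, date(2023, 3, 15))))
```

Running this on the same day as the weekly account export turns “we think we disabled everything” into a list the office manager can act on; an empty result is the goal, and any non-empty result is a missed checklist step to fix the same day.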

5. If you aren’t using a password manager, the best way to remember a complicated strong password is to use the same one for multiple accounts.

True or False?

Answer: False

Humans are creatures of habit. According to a survey by LastPass and Lab42, 59% of us “mostly” or “always” use the same password for everything.

And only 55% said they would change their password if their account was hacked. Startling, but true.

Make sure you and your team are not part of the 55%. Insist on strong passwords. Store them in a password manager. And don’t use the same password for every account.