Physical therapy services, individual vs. group therapy, and proper Medicare coding/billing review

NOT an expert report; case-specific application depends on dates of service, jurisdiction, and medical record support, CPT codes and other factors omitted from this summary.

Executive Summary

This draft summarizes generally accepted Medicare standards applicable to outpatient physical therapy review when counsel is evaluating physical therapy services, individual versus group therapy, and proper Medicare coding and billing. The central review question is whether the claim, the medical record, and the governing CMS/MAC guidance support the service billed.

At a high level, a defensible review compares claim line, CPT/HCPCS code, modifier, units, place of service or revenue code, plan of care, treatment note, timed minutes, medical necessity support, and applicable CMS/MAC guidance for the relevant dates of service.

Medicare coding and billing standards are generally specified in CMS claims manuals, CPT/HCPCS rules, NCCI edits, and MAC billing/coding articles. Coverage standards are generally specified in NCDs, LCDs, and related MAC coverage guidance.[1]

Core Findings

• Medicare coverage generally requires outpatient therapy to be skilled, medically reasonable, and necessary, furnished under an appropriate plan of care, supported by certification/recertification where required, and documented sufficiently to justify payment.[2]
• A physical therapy billing opinion should separate claims-processing questions (codes, units, modifiers, NCCI edits, and form/claim requirements) from coverage questions (benefit category, skilled need, medical necessity, and LCD/NCD/MAC policy).[3]
• Individual therapy generally requires direct one-on-one skilled contact. Group therapy generally applies when a therapist treats two or more patients at the same time and divides attention, provides intermittent contact, or gives common instructions to multiple patients.[4]
• Timed therapy unit reporting should be reconciled to documented timed-code minutes and total treatment minutes; untimed services should be billed according to the applicable code description.[5]
• An FCA or overpayment analysis should avoid shortcut assumptions. The expert review should distinguish coding/billing nonconformity, unsupported medical necessity, documentation insufficiency, extrapolation methodology, damages, and legal elements such as falsity, scienter, materiality, and causation.Medicare Physical Therapy Medical Coding and Billing
  

1. Governing Sources: Claims Manuals Versus Coverage Determinations

The first analytical step is to separate the sources of authority. Claims-processing standards address how the claim is coded and submitted: HCPCS/CPT reporting, timed and untimed units, revenue codes, discipline modifiers, therapy assistant modifiers, KX modifier attestations, NCCI edits, and other claim-level rules. Coverage standards address whether the service is within a Medicare benefit category and is reasonable and necessary for the diagnosis or treatment of illness or injury.

LCDs are local Medicare coverage determinations issued by Medicare contractors for their jurisdictions. As a practical matter, the MAC jurisdiction, date of service, LCD effective or retired status, associated article, and claim setting may materially affect the review.[6]

2. Core Coverage Standards for Physical Therapy

Covered outpatient therapy must be skilled therapy. Medicare guidance cautions that a service is not skilled merely because a therapist or therapy assistant furnished it; if a service can be safely and effectively furnished by an unskilled person, it generally is not treated as skilled therapy for Medicare coverage purposes.[7]

A plan of care is a central coverage and documentation anchor. The plan should identify the diagnosis, long-term treatment goals, and the type, amount, duration, and frequency of therapy services. The review should also consider required certification or recertification, provider qualifications, supervision, and whether the treatment remains reasonable and necessary over time.[8]

3. Documentation Standards

The medical record and claim form should consistently and accurately report the covered therapy services documented in the record. Documentation should be legible, relevant, and sufficient to justify the billed services. Expected records commonly include the evaluation and plan of care, certification or recertification when due, progress reports, treatment notes for each treatment day, and discharge notes when applicable.[9]

In individual-versus-group disputes, treatment notes are particularly important because they should identify the interventions or modalities provided and billed, total timed-code treatment minutes, total treatment time, and the therapist or assistant furnishing the service.

4. Individual Therapy Versus Group Therapy

The individual-versus-group distinction turns on the nature of therapist-patient contact. Individual therapy generally involves direct one-on-one skilled contact with one patient. Group therapy generally involves the treatment of two or more patients at the same time, with therapist attention divided, intermittent contact, or common instructions. A common review question is whether claimed one-on-one units are supported by identifiable direct skilled contact in the record.[10]

When group and individual therapy are billed for the same patient on the same day, the review should determine whether the services were distinct, independent, separately documented, and properly coded or modified under the applicable date-of-service rules.[11]

5. Coding and Billing Standards

Billing review should first separate timed services from untimed services. For timed 15-minute therapy procedure codes, the number of billed units should be reconciled to the documented timed-code minutes and the total treatment minutes for the day. The Medicare 8-minute methodology and the rule that total timed units are constrained by total treatment minutes are frequently important in therapy billing disputes.[12]

Modifier analysis is also central. Therapy claims may require discipline-specific therapy modifiers such as GP for services under a physical therapy plan of care. Depending on the date of service and facts, CQ/CO therapy assistant modifiers and KX modifier attestations may also be significant. KX use can matter because it operates as an attestation that the services are reasonable and necessary, require therapist skill, and are justified by medical-record documentation.[13]

6. Common FCA and Overpayment Review Issues

A defensible review compares claim-line data to clinical records and to the governing CMS/MAC guidance for the relevant dates of service. The review should also identify reasonable interpretations and inconsistencies in CMS manuals, LCDs, billing/coding articles, and claims-processing guidance.

7. Expert Qualifications and Fit for the Inquiry

The uploaded CV supports a general fit for the requested inquiry. It describes experience in medical coding, billing, electronic health records, Medicare fraud damages, Medicare coverage policies including LCDs, claims data analysis, and damages/reimbursement methods. It also identifies physical therapy within fraud data and documentation evaluations, and lists medical auditing training involving physical therapy, modifiers, and medical necessity, as well as coding and reimbursement for outpatient physical, occupational, and speech therapy.[14]

This draft also incorporates the client-provided statement that Michael F. Arrigo has reviewed more than 50 matters in which physical therapy was part of the prescribed recovery modality for injured patients. That statement should be confirmed against the final matter list before any formal expert disclosure.[15]

The primary expert lane described here is medical coding, billing, documentation, Medicare coverage, claims-data, reimbursement, and damages analysis. If the case requires clinical physical therapy standard-of-care opinions or hands-on treatment judgments, a licensed physical therapist, physiatrist, or other clinical expert may be complementary.

Selected Source List

• CMS Therapy Services
• CMS 11 Part B Billing Scenarios for PTs and OTs
• CMS Part B Billing Scenarios PDF
• CMS Medicare Benefit Policy Manual, Pub. 100-02, Chapter 15
• CMS Medicare Claims Processing Manual, Pub. 100-04, Chapter 5
• CMS Local Coverage Determinations

Related No World Borders Topics for WordPress Internal Linking

• Medical Billing Expert Witness
• Expert Witness Medicare Fraud Damages
• Medicare Local Coverage Determinations (LCDs): Coverage, Variations, and Expert Witness Role in Litigation
• Medicare LCD
• Medicare Coverage Requirements
• Search Medicare Local Coverage Determination
• Medical Billing Expert Witness Orthopedics
• Incident-To Decision Tree

Appendix: Infographic

[1] CMS Therapy Services; CMS 11 Part B Billing Scenarios for PTs and OTs; Medicare Claims Processing Manual Ch. 5; Medicare Benefit Policy Manual Ch. 15, sections 220 and 230.

[2] CMS Medicare Benefit Policy Manual, Pub. 100-02, Ch. 15, sections 220.1-220.3.

[3]CMS Claims Processing Manual, Pub. 100-04, Ch. 5; CMS Local Coverage Determinations.

[4]CMS 11 Part B Billing Scenarios PDF, individual versus group treatment scenarios.

[5]CMS Medicare Claims Processing Manual, Pub. 100-04, Ch. 5, sections 20 and 20.2.

[6]CMS Local Coverage Determinations, statutory LCD definition under Social Security Act section 1869(f)(2)(B); review also depends on MAC articles and effective dates.

[7]CMS Medicare Benefit Policy Manual, Pub. 100-02, Ch. 15, section 220.2.

[8]CMS Medicare Benefit Policy Manual, Pub. 100-02, Ch. 15, sections 220.1.2 and 220.1.3.

[9]CMS Medicare Benefit Policy Manual, Pub. 100-02, Ch. 15, section 220.3.

[10]CMS 11 Part B Billing Scenarios PDF, scenarios distinguishing direct one-on-one treatment from group treatment.

[11]CMS 11 Part B Billing Scenarios PDF, same-day individual and group therapy scenario; review NCCI and modifier requirements for date of service.

[12]CMS Medicare Claims Processing Manual, Pub. 100-04, Ch. 5, timed and untimed code unit reporting and 8-minute methodology.

[13]CMS Medicare Claims Processing Manual, Pub. 100-04, Ch. 5, GP/GN/GO therapy modifiers, CQ/CO assistant modifiers, and KX modifier documentation attestation.

[14]Michael F. Arrigo Curriculum Vitae and Supplemental Material, Apr. 15, 2026, Selected Legal Experience and CV Supplement 11.

[15]Client-provided experience statement for this draft: Michael F. Arrigo has reviewed more than 50 cases where physical therapy was part of the prescribed recovery modality for injured patients; confirm against final matter list before formal disclosure.

The post Medicare Physical Therapy Medical Coding and Billing appeared first on No World Borders - Experts in healthcare.

UnitedHealthcare’s 2026 Health Trends Report, based on claims incurred from November 2024 through October 2025 across UnitedHealthcare’s self-funded and fully insured book of business, presents a consistent picture: healthcare costs are rising faster than inflation, the drivers are concentrated in a small number of high-cost categories, and the levers available to employers are narrower than they were even three years ago.

The headline figures are striking. According to the report, catastrophic claims of $100,000 or more grew 12.9% from 2024 to 2025. Pharmacy costs rose 11%, with similar projections for 2026. Specialty medications account for roughly 55% of total pharmacy benefit spend despite representing less than 2% of utilization. Mental health costs have risen 117% since 2019. Cell, gene, and molecular therapies – single-administration treatments costing between $370,000 and $4 million each – are coming to market faster than many plans can build coverage, stop-loss, and audit policies around them.

These are not abstract trend lines. They are operational problems for employers, health plans, hospital systems, benefit consultants, counsel, and healthcare investors. They are also precisely the types of problems No World Borders has worked on for nearly two decades: healthcare data, regulatory governance, reimbursement economics, medical coding, benefit design, claims audit, and healthcare transaction diligence.

The pharmacy cost problem is a classification, coverage, and contracting problem

UnitedHealthcare identifies three top employer pharmacy concerns: overall pharmacy costs, the affordability of higher-cost drugs, and the use and implications of GLP-1 therapies. The deeper issue is concentration risk. When less than 2% of utilization drives roughly 55% of total pharmacy benefit spend, traditional formulary tools and rebate-driven pharmacy benefit manager contracts cannot carry the full burden of cost management.

Drug costs behave this way in part because drugs are classified, covered, and reimbursed through systems that were not designed for a world in which a single therapy can cost the equivalent of a multi-year insurance premium. NDCs, HCPCS J-codes, formulary tiers, Pharmacy and Therapeutics Committee decisions, 340B eligibility, specialty-vs.-retail channel rules, prior authorization protocols, and medical-benefit drug billing all interact. No World Borders has written on these issues in Drug Pricing Expert and Classification Systems, Pharmacy Benefit Manager Expert Witness, and Pharmacy Benefit Managers Drug Pricing and Appeals.

Operationalize specialty pharmacy governance by mapping NDC, GPI, RxNorm, and HCPCS drug identifiers to claims, formulary, prior-authorization, rebate, MAC/WAC, and medical-benefit billing data. Use that evidence to audit PBM contract performance, test UCR and reimbursement assumptions, identify spread-pricing or rebate leakage, and preserve clinically necessary access to high-cost therapies.

For employers and plan fiduciaries, the action item is clear: specialty pharmacy governance should include classification review, medical-benefit and pharmacy-benefit alignment, rebate and spread-pricing transparency, biosimilar and site-of-care strategy, GLP-1 coverage criteria, and audit rights that are specific enough to be enforced. Public data standards and reference systems such as the FDA National Drug Code Directory and NLM RxNorm illustrate why terminology, identifier mapping, and reimbursement logic must be managed together.

Catastrophic claims and gene therapies require defensible audit evidence

A 12.9% year-over-year increase in catastrophic claims is more than a trend. It is a structural shift. Cell and gene therapies, expanded oncology indications, complex neonatal care, and earlier-onset chronic conditions are pushing claims that used to be rare into the routine planning horizon for mid-sized and large employers.

Centers of Excellence, prior authorization, case management, and stop-loss coverage can mitigate this risk, but only when the underlying clinical evidence is defensible. A high-cost claim should be evaluated against the medical record, plan language, medical necessity criteria, applicable coverage policies, ICD-10-CM/PCS and CPT coding, drug and device identifiers, and any stop-loss notification or reimbursement conditions. The FDA’s cellular and gene therapy resources show how quickly this category continues to develop. Medicare coverage resources such as CMS Local Coverage Determinations and the CMS Medicare Coverage Database also underscore the importance of linking clinical indications, documentation, coding, and coverage rules.

No World Borders has provided expert opinions on more than $2 billion in medical reimbursements and has led investor diligence on more than $8 billion in healthcare mergers and acquisitions. Across that work, the pattern is consistent: the difference between a defensible high-cost claim and a recoverable or contestable one is often documentation quality, coding accuracy, medical necessity support, and contract language. Our firm provides specialized opinions on Usual, Customary, and Reasonable (UCR) charges for medical bills in personal injury and medical malpractice cases, as well as expert analysis of reasonable reimbursement rates in disputes between healthcare providers and health plans. Our claims, reimbursement, and coding work is reflected in resources such as Medical Billing Expert Witness, ICD-10 Consulting, and Solutions Across the Continuum of Care.

Mental health, maternity, and comorbidity require integrated benefit governance

UnitedHealthcare reports that mental health costs have risen 117% since 2019, maternity costs rose 11.7% from 2024 to 2025, and digestive disorders rose 10.5%, partly as a downstream effect of GLP-1 utilization. These categories should not be analyzed in isolation. They are signals of a workforce in which complex and chronic conditions are presenting earlier, clustering with one another, and interacting with access, affordability, and site-of-care decisions.

How No World Borders can help: Treat mental health, maternity, digestive disorders, and obesity-related spending as connected population-health analytics signals, not isolated benefit categories. No World Borders can help employers, health plans, providers, and investors integrate claims, EHR, pharmacy, and X12 transaction data; evaluate DSM-5, ICD-10, and behavioral-health coding alignment; and use data quality, analytics, and AI-enabled observability to identify comorbidity clusters, access gaps, site-of-care leakage, and opportunities for targeted micro-interventions before conditions become high-cost claims.  Consider observability-driven interventions in consumer-facing content.

My postgraduate work at Stanford Medical School in Biomedical Informatics and at Harvard Medical School in Clinical Bioethics, Risk Management, and Addiction Medicine has shaped how No World Borders approaches these categories. We have worked with behavioral health EHR vendors on DSM-5 and ICD-10 alignment, advised on prior authorization and coverage determinations, and consulted on the data and policy infrastructure needed to support population-health programs that move outcomes rather than simply move utilization.

ER overutilization and site-of-care decisions require data observability

UnitedHealthcare reports that emergency room visits rose 2.1% while virtual visits fell 16.1%, and that Gen Z relies on the ER more than any other generation while using primary care the least.

This is fundamentally a data observability and engagement problem. Employers and plans need to know whether claims, eligibility, provider directory, care navigation, virtual care, and EHR event data are complete, timely, mapped correctly, and actionable. Furthermore, it is incumbent on all trading partners across the healthcare ecosystem, including health plans such as UnitedHealthcare and healthcare providers, to ensure the accuracy and integrity of the data they exchange. Maintaining high standards for data quality is a shared responsibility that serves as the foundation for effective plan governance and improved member outcomes. AHRQ maintains emergency department research, data, and tools, while Telehealth.HHS.gov tracks telehealth trends, data, and research. Those resources reinforce the same point: the site-of-care strategy depends on usable information, not just member communications.

No World Borders applies data observability principles to claims, eligibility, EHR, and X12 transaction data, including 837, 835, 270, and 271 workflows. The five pillars of data observability – data quality monitoring, pipeline observability, infrastructure monitoring, user observability, and cost optimization – map directly onto the infrastructure plans and employers need to identify high-risk members, route them to appropriate care, and measure whether engagement programs are working. This work aligns with our broader Data Analytics for Healthcare, HIPAA Privacy, and HIPAA Privacy and Security capabilities.

Employer strategy is shifting from blunt cost-sharing to governed navigation

UnitedHealthcare’s data shows employers moving away from full-replacement HDHP/CDHP designs and toward copay-driven plan designs, Centers of Excellence, integrated benefits, and higher-level advocacy solutions. The shift is logical. When the most expensive categories are specialty drugs, catastrophic claims, complex comorbidities, and avoidable site-of-care decisions, a higher deductible alone does not solve the problem. It may simply move costs to members without improving clinical or financial outcomes.

The next generation of employer health plan strategy should combine benefit design with fiduciary oversight, vendor governance, data rights, claims audit rights, and measurable performance guarantees. The Department of Labor’s fiduciary responsibility resources and Form 5500 resources are important reminders that employee benefit plans are governance structures, not merely annual procurement exercises. No World Borders’ ERISA resources, including ERISA Expert Witness and Form 5500 under ERISA, address the same governance foundation.

For investors, the implication is equally important. A healthcare IT, payor, provider, specialty pharmacy, care navigation, or risk-bearing platform cannot be evaluated only on revenue growth. Diligence should examine claims integrity, coding risk, medical necessity workflows, PBM and specialty pharmacy exposure, privacy and security controls, risk adjustment methods, HEDIS and quality-measure infrastructure, and the degree to which reported savings are auditable. No World Borders has advised health plans, providers, healthcare IT companies, law firms, self-insured employers, and investors across these domains.

Where No World Borders fits

The UnitedHealthcare report is, in effect, a map of the cost-containment work that health plans, self-insured employers, hospital systems, healthcare vendors, and investors need to be doing in 2026 and 2027. At No World Borders, we have spent nearly two decades building the regulatory, data, and economic expertise needed to do that work across:

• ERISA plan administration, fiduciary oversight, service-provider governance, and Form 5500-related review;
• HIPAA Privacy and Security, HITECH safeguards, recognized cybersecurity practices, and healthcare data governance;
• Medicare Advantage risk adjustment, HEDIS quality measures, RADV and RAC audit defense, RAPS and encounter data analytics, and Medical Loss Ratio analytics;
• Specialty and prescription drug pricing, PBM contracting, formulary design, rebate and spread-pricing analysis, and 340B economics;
• Clinical documentation improvement, medical coding audits, medical necessity review, and revenue cycle analytics;
• Investor diligence on healthcare IT, payor, provider, revenue cycle, specialty pharmacy, and healthcare services transactions; and
• AI, data observability, claims analytics, EHR audits, and X12 transaction analysis.

If your organization is reading the 2026 Health Trends Report and recognizing that the strategies that worked in 2022 will not be sufficient for 2026 and 2027, the next step is to focus on the categories that drive the majority of spend: specialty pharmacy, catastrophic claims, comorbid behavioral and medical conditions, avoidable emergency department use, and vendor performance. These are the categories where better contracts, better data, and better documentation discipline can still bend the curve.

The post 2026 Medical Cost Report – Strategies for Employers, Health Plans, Providers and Healthcare Investors appeared first on No World Borders - Experts in healthcare.

Form 5500 (officially the Annual Return/Report of Employee Benefit Plan) is the primary annual reporting form required under the Employee Retirement Income Security Act of 1974 (ERISA). It is part of ERISA’s broader reporting and disclosure framework (primarily under Title I and Title IV) and the Internal Revenue Code.¹

The U.S. Department of Labor (DOL), Internal Revenue Service (IRS), and Pension Benefit Guaranty Corporation (PBGC) jointly developed the Form 5500 Series so that employee benefit plans can satisfy annual reporting obligations in a single filing.²

Purpose

The form serves three main roles:

• Compliance tool — It helps regulators verify that plans are operated and managed according to ERISA standards.
• Disclosure document — Plan participants and beneficiaries can access key information about their plan’s finances and operations.
• Research and data source — Federal agencies, Congress, and the private sector use the aggregated data to analyze employee benefit, tax, and economic trends.³

It reports the plan’s qualification status, financial condition, investments, operations, participant counts, and service-provider details.

Who Must File

Any administrator or sponsor of a pension or welfare benefit plan covered by ERISA generally must file, unless an exemption applies. Filing is typically required when the plan:

• Has 100 or more participants at the beginning of the plan year, or
• Holds assets in a trust (regardless of participant count).

Exemptions commonly apply to:

• Unfunded or fully insured welfare plans with fewer than 100 participants.
• Governmental, church, or certain foreign plans.
• One-participant (owner-only) plans in most cases.⁴

Variants in the Form 5500 Series

Additional schedules (e.g., Schedule H for finances, Schedule C for service providers, Schedule R for retirement plan info, actuarial schedules, etc.) are attached depending on the plan type.²

Filing Requirements and Deadlines

• Electronic filing only — All Form 5500, 5500-SF, and most 5500-EZ filings must be submitted through the DOL’s EFAST2 system (using approved software or the web-based iFile tool). Paper filing is generally not allowed.¹
• Deadline — The last day of the seventh month after the plan year ends (e.g., July 31 for a calendar-year plan). An extension can be requested using Form 5558.
• Public availability — Most filings are publicly viewable on the DOL’s EFAST2 website (except one-participant plans filed via EFAST2).

In short, Form 5500 is the cornerstone of ERISA’s transparency and oversight system. It ensures that employee benefit plans remain accountable to participants, regulators, and the public while providing valuable nationwide data on retirement and welfare benefits.

For expert analysis and deeper insights into ERISA compliance and related fiduciary matters, see the ERISA Expert Witness resources at noworldborders.com.⁵

Last updated reference: April 2026 official DOL/IRS guidance. Always consult the latest instructions on the DOL EFAST2 website or IRS.gov for your specific plan year.

The post Form 5500 under ERISA appeared first on No World Borders - Experts in healthcare.

Federal MHPAEA and ACA Standards, State-by-State Variations, and Medical Billing Implications for Behavioral Health and Substance Use Disorder Treatment

Intensive outpatient programs are designed to treat patients wtih behavioral health and substance use disorder (SUD).  The nuances of Intensive Outpatient Programs (IOPs) represent a critical “step-down” level of care that can prevent costly inpatient admissions—if billed correctly.

This article uses the comprehensive Nevada-specific analysis provided in the attached report as a framework, while expanding to federal standards under the Mental Health Parity and Addiction Equity Act (MHPAEA) and the Affordable Care Act (ACA). We also address state standards across all 50 states. Medical billers must master these rules to maximize clean claims, minimize denials, and support patient access to care.¹

What Are Intensive Outpatient Programs (IOPs)?

IOPs deliver structured, multidisciplinary treatment for behavioral health conditions (e.g., depression, anxiety, bipolar disorder) and substance use disorders (e.g., alcohol, opioids, stimulants) without 24-hour inpatient care. Programs typically involve 9–20 hours of weekly sessions, including therapy, counseling, medication management, and support groups, allowing participants to maintain work, school, or family responsibilities.²

Federal Standards Governing IOP Coverage

The cornerstone of IOP coverage is the Mental Health Parity and Addiction Equity Act (MHPAEA) of 2008, which requires that financial requirements (copays, coinsurance) and treatment limitations (visit caps, prior authorization) for mental health and SUD benefits be no more restrictive than those applied to substantially all medical/surgical benefits in the same classification (e.g., outpatient in-network).³

The Affordable Care Act (ACA) of 2010 further classifies mental health and SUD treatment as Essential Health Benefits (EHBs). All Marketplace (individual and small-group) plans must cover these services at parity with physical health benefits. IOPs are explicitly recognized as an intermediate level of care and cannot be subjected to more stringent limits than comparable services like outpatient surgery.⁴

Recent federal updates reinforce this: Medicare began covering IOP services in 2024 (9+ hours/week) in hospital outpatient departments, community mental health centers, and other settings—closing a prior gap and influencing commercial plan benchmarks.⁵

State Standards for IOP Coverage: Nevada Example and Variations Across All 50 States

While MHPAEA sets the federal floor, every U.S. state enforces parity through its Department of Insurance (DOI) or equivalent. All 50 states and the District of Columbia have enacted some form of mental health and SUD parity law. Thirty-eight states apply parity to all health insurance plans; the remainder apply it to certain markets (e.g., large-group only). Six states limit parity primarily to mental health without explicit SUD inclusion in all statutes.⁶

Nevada-Specific Regulations (Detailed Framework)
Nevada mirrors federal requirements and adds state mandates. Commercial plans must cover IOPs for behavioral health and SUD under NRS 689A.046. Coverage is subject to medical necessity review, prior authorization, step therapy, and in-network requirements. Urban areas (Las Vegas, Reno) enjoy robust networks (e.g., Spring Mountain Treatment Center, The Meadows Outpatient Center). Rural areas may face higher out-of-network costs. Deductibles, copays ($20–$50/session), and 20–30% coinsurance apply, but ACA subsidies via Nevada Health Link can reduce patient responsibility. Dual-diagnosis IOPs are covered with proper documentation. Telehealth IOPs expanded during the pandemic and remain widely accepted. Appeals for denials go through the insurer or the Nevada DOI, with external reviews available under ACA rules.⁷

Plans may exclude non-medically necessary or experimental services and luxury amenities. Employers often bundle IOP assessments into Employee Assistance Programs (EAPs).

Broader State Landscape (All 50 States)
Most states follow the Nevada model: they enforce MHPAEA through their DOI, require parity in commercial plans, and may add mandates for SUD treatment or specific IOP licensure. Variations exist in the scope of mandates, prior authorization rules, telehealth parity, and Medicaid alignment. A full state-by-state statute summary is available in the 2024 Legislative Analysis and Advocacy report (84 pages). Medical billers should always verify the specific DOI bulletin for the state of the member’s plan.⁸

Medical Billing & Reimbursement Challenges for IOP Services

From a medical billing perspective, successful IOP claims hinge on correct coding (HCPCS codes for IOP such as S9480, S9484, or revenue code 0905/0906), medical necessity documentation using ASAM criteria (for SUD) or DSM-5 (for mental health), parity compliance audits, and coordination of benefits. Insurers increasingly face DOI scrutiny—billers can leverage this in appeals. At No World Borders, we have recovered millions in underpaid IOP claims by identifying parity violations and improper non-quantitative treatment limitations (NQTLs).

Whether you operate in Nevada or any of the 50 states, staying current with DOI rules and documenting parity compliance is essential.

Conclusion: Why IOP Parity Matters for Providers and Billers

IOP coverage under federal MHPAEA/ACA standards and state parity laws promotes early intervention, reduces hospitalizations, and lowers long-term costs. As medical billing experts, our role is to ensure these protections translate into accurate reimbursement and fewer denials.

Need help auditing IOP claims, preparing for a DOI investigation, or expert testimony on behavioral health billing? Contact the team at No World Borders—we turn regulatory complexity into revenue recovery.

References

1. Coverage of Intensive Outpatient Treatment Services for Behavioral Health and Substance Abuse by Commercial Health Plans in Nevada. Internal report prepared for No World Borders medical billing analysis (2025). PDF attached.
2. The Mental Health Parity and Addiction Equity Act (MHPAEA). Centers for Medicare & Medicaid Services. https://www.cms.gov/marketplace/private-health-insurance/mental-health-parity-addiction-equity (accessed March 2026).
3. New Changes to Behavioral Health Intensive Outpatient Program Coverage. Center for Health Care Strategies (2024). https://www.chcs.org/resource/new-changes-to-intensive-outpatient-program-coverage/
4. Mental Health and Substance Use Disorder Insurance Parity: Summary of State Laws. Legislative Analysis and Advocacy, July 2024. https://legislativeanalysis.org/wp-content/uploads/2024/07/Mental-Health-and-Substance-Use-Disorder-Insurance-Parity-Summary-of-State-Laws-1.pdf
5. Mental Health Benefits: State Laws Mandating or Regulating. National Conference of State Legislatures (2025). https://www.ncsl.org/health/mental-health-benefits
6. Health Plan of Nevada Insurance Coverage for Rehab – American Addiction Centers. https://americanaddictioncenters.org/insurance-coverage/health-plan-of-nevada
7. Nevada Division of Insurance enforcement of MHPAEA and NRS 689A.046 (state mandates for substance abuse treatment).
8. State parity law variations drawn from the 2024 Legislative Analysis and Advocacy report (footnote 4 above).

The post Intensive Outpatient Programs, Medical Billing appeared first on No World Borders - Experts in healthcare.

The post Covenant Health Ransomware Breach Analysis appeared first on No World Borders - Experts in healthcare.

Bullet Point Summary – Hospice Medical Billing Expert Key Takeaways

• Patient encounter → Physician + Medical Director certification with individualized narrative.
• A face-to-face encounter is required before the 3rd period and every subsequent recertification.
• Objective decline evidence + LCD criteria + POC updated every 15 days.
• Part A: Bundled per-diem for all related services.
• Part B: modifier GW for unrelated; GV for independent attending physician.
• Dual eligible (Medicare + Medi-Cal): Medicare primary; Medi-Cal covers room & board.
• Unrelated conditions addendum mandatory since 2020.
• In California: Strict enforcement of AB 1280 (anti-kickback) and fraud red flags.
• A hospice medical billing expert provides defensible standards-of-care opinions and guides statistically valid sampling in audits and litigation.

California Hospice Fraud Context (2021–2026)

Hospice medical billing expert insight: California is aggressively tackling a surge in hospice fraud, revoking more than 280 licenses since 2021 following Governor Newsom’s moratorium on new hospice licenses. Fraudulent schemes commonly involve recruiting non-terminally ill patients (often healthy seniors), paying kickbacks to doctors and recruiters for false certifications, and billing Medicare and Medi-Cal millions of dollars per patient. Daily per-patient payments can exceed $1,000 under the bundled hospice benefit.

Recent enforcement includes a statewide task force that has investigated over 100 criminal enterprises, resulting in over 100 individuals charged. Many fraudulent providers are concentrated in Los Angeles County, where inspectors have identified hundreds of violations—including multiple agencies operating out of single rooms or virtual offices.

Scam Red Flags Include:

• Unsolicited enrollment or door-to-door recruitment promising free services.
• Offers of food, gift cards, or cash incentives for signing up.
• No documented terminal diagnosis or lack of health decline for over 6 months.
• Unprofessional, rushed staff or unusually long hospice stays without objective evidence of deterioration.

Key Legislation: Assembly Bill 1280 (2021) prohibits hospice providers from paying for referrals (patient brokering).

In other words, in this high-risk environment, a hospice medical billing expert is essential for ensuring compliant documentation, defending against audits, and mitigating False Claims Act exposure.

A hospice medical billing expert, an expert should provide detailed guidance on Medicare Part A & B and Medi-Cal documentation standards, episodic benefit periods, face-to-face requirements, and proper billing practices that protect providers while withstanding regulatory scrutiny in California’s aggressive fraud enforcement climate.

To illustrate, the infographic-style image shows the core hospice care process flow, including physician involvement, assessment, and eligibility determination — key foundations for compliant hospice medical billing under Medicare Part A.

Additional Supporting Visuals for Hospice Care & Billing Context

Compassionate hospice care delivery (nurse providing comfort to elderly patient at home — represents the core palliative services billed under the Medicare Part A per-diem rate):

Medicare hospice care is covered exclusively under Part A as a comprehensive, per-diem benefit for terminally ill beneficiaries with a life expectancy of 6 months or less if the illness runs its normal course. It is inherently episodic, structured around discrete benefit periods that require repeated certification and recertification, supported by rigorous clinical documentation. Hospice services related to the terminal illness and related conditions are bundled under Part A and paid to the Medicare-certified hospice provider. “Additional care” refers to services that fall outside the hospice bundle—primarily those unrelated to the terminal illness (billable under Part B) or professional services by an independent attending physician (also billable under Part B with specific modifiers).

Medicaid (Medi-Cal in California) coordination arises mainly for dually eligible beneficiaries. Below is a complete, multi-angle explanation drawn from official CMS regulations, manuals, and guidance, with emphasis on California’s heightened enforcement climate and the critical role of a hospice medical billing expert in compliance and defense.

1. Clinical Documentation Standards for Hospice Eligibility and Episodic Care (Medicare Part A)

Hospice eligibility and continuation across benefit periods rest on physician certification of terminal status plus comprehensive clinical records demonstrating disease progression and a prognosis of ≤6 months.¹²

Benefit Periods (the “episodic” structure)

• Initial period: 90 days
• Second period: 90 days
• Subsequent periods: Unlimited 60-day increments

Each new period requires timely certification/recertification. Documentation must justify why the prognosis remains ≤6 months at the start of each period.¹

Certification/Recertification Requirements (42 CFR 418.22 and Medicare Benefit Policy Manual Ch. 9)

Initial certification (no later than 2 calendar days after care begins): Oral or written statement from the attending physician (if any) and the hospice medical director (or hospice physician). Must include a brief individualized narrative explanation supporting the prognosis.

Face-to-Face Encounter Requirements

For the third benefit period and every subsequent 60-day recertification, a face-to-face (FTF) encounter by a hospice physician or hospice nurse practitioner (NP) is mandatory, no more than 30 days before the recertification date. The FTF must document clinical findings supporting continued eligibility and include a signed attestation. A hospice medical billing expert frequently identifies missing or untimely FTF documentation as a leading cause of claim denials and overpayment demands.

Clinical record must contain:

• All IDG assessments and notes.
• Objective evidence of decline (PPS, Karnofsky, laboratory trends, symptoms, comorbidities).
• Disease-specific LCD criteria (L34538) plus non-disease-specific decline indicators.
• Written plan of care (POC) updated every 15 days, signed by the IDG and attending physician. ³⁴

Key Documentation Nuances and Edge Cases

• Narratives must be patient-specific; boilerplate language fails audits.
• Stabilization is permissible only with clear documentation of the overall trajectory and comorbidities.
• Untimely FTF or recertification creates provider liability.
• In California, long stays without documented decline are a major red flag for fraud investigations.

2. Documentation Standards for Additional Care (Related vs. Unrelated Services)

Hospice Part A covers all reasonable and necessary services for palliation of the terminal illness and related conditions under the per-diem rate. Unrelated services require clear documentation and an election statement addendum. A hospice medical billing expert ensures proper separation to prevent improper bundling or duplicate billing.⁵

3. When It Is Permissible (and Required) to Bill Both Medicare Part A and Part B

A hospice medical billing expert routinely advises on the following permissible dual-billing scenarios:

• Unrelated services: Modifier GW (professional) or Condition Code 07 (institutional).
• Independent attending physician services: Modifier GV.
• Hospice-employed physician services are billed only under Part A.

These rules allow seamless coverage while maintaining compliance.⁶⁷

4. Medicaid Coordination and Permissible Billing with Medicare Part A/Part B

For dually eligible beneficiaries, Medicare Part A is primary for hospice services, while Medi-Cal covers nursing facility room-and-board. Proper documentation is required to delineate payer responsibility and avoid recovery actions.

5. The Role of a Hospice Medical Billing Expert in Audits, Medical Bill Review, and False Claims Act Cases

A qualified hospice medical billing expert bridges clinical documentation defects to financial and legal consequences. They provide objective opinions on whether documentation and billing meet generally accepted standards of care and industry custom and practice, without opining on legal conclusions or intent.

Core services include:

• Systematic chart audits for certification, FTF, and POC compliance.
• Statistical sampling and extrapolation of overpayments across Medicare Part A, Part B, and Medi-Cal claims.
• Guidance on the discovery of electronic claim data and federally mandated retention standards usinc a combination of expert specialized knowledge in the field and knowledge of the federal and state documentation standards, along with the ability to specify a statistically valid sample size with (as applicable) stratification approach, and finally the ability to extrapolate to a reasonable degree of certainty (civil) and “beyond a reasonable doubt (criminal).
• Support for defense or prosecution in FCA, overpayment, and criminal fraud matters.

In California’s intense enforcement environment, early involvement of a hospice medical billing expert can identify vulnerabilities, support self-disclosure, and significantly reduce exposure.

In summary, robust clinical documentation underpins every aspect of hospice episodic care and enables safe, compliant billing. In California’s aggressive fraud enforcement environment, the expertise of a hospice medical billing expert is indispensable for protecting providers, ensuring accurate Medicare and Medi-Cal billing, and defending against audits and False Claims Act allegations. Always consult the most current CMS manuals, the Medicare Administrative Contractor (MAC), the California Department of Public Health, and a qualified hospice medical billing expert for jurisdiction-specific advice.  Medicare Local Coverage Determinations (Medicare LCD) may be relevant as well.

References – Hospice Medical Billing Expert Insights

1. Medicare Benefit Policy Manual, Chapter 9 – Coverage of Hospice Services Under Hospital Insurance, Centers for Medicare & Medicaid Services (CMS).
2. 42 CFR § 418.22 – Certification of Terminal Illness, Electronic Code of Federal Regulations (eCFR).
3. Medicare Claims Processing Manual, Chapter 11 – Processing Hospice Claims, Centers for Medicare & Medicaid Services (CMS).
4. Local Coverage Determination (LCD) – Hospice Determining Terminal Status (L34538), Centers for Medicare & Medicaid Services (CMS).
5. CMS Model Examples of the Hospice Election Statement and Election Statement Addendum, Centers for Medicare & Medicaid Services (CMS).
6. Beneficiaries Dually Eligible for Medicare & Medicaid, Centers for Medicare & Medicaid Services (CMS).
7. Coding Guidelines: Hospice Modifiers GV and GW, Novitas Solutions / Palmetto GBA (MAC guidance aligned with CMS).
8. The Role of an Expert Witness in Healthcare Cases, VMG Health (June 18, 2025).
9. Use of Physician Experts to Prove False Claims (Post-AseraCare Analysis), Maine Hospice Council.
10. Hospice & Medicare Audit and Investigative Actions (2024), Liles Parker PLLC (Nov 20, 2023).
11. Hospice Care’s Adventures in Fraudland: “Battle of the Experts” & Proving Falsity Under the False Claims Act, Boston College Law Review (2021).
12. Medicare Hospice Provider Compliance Audit – Professional Healthcare at Home, LLC, HHS Office of Inspector General (June 2021).

The post Hospice Medical Billing Expert: Clinical Documentation Standards in California appeared first on No World Borders - Experts in healthcare.

Michael F. Arrigo

Managing Partner, No World Borders, Inc.
LinkedIn: linkedin.com/in/marrigo

Rising Healthcare Costs Driving Up Auto Insurance Premiums Don’t Stipulate to Medical Bills in Bodily Injury Litigation

While inflation and higher repair costs certainly play a role in some premium pressures, my 15 years of experience as an expert witness in usual, customary, and reasonable (UCR) charges for medical bills in personal-injury and auto-liability cases shows that systemic issues in how bodily-injury (BI) claims are valued and litigated are a far more significant driver of rising auto insurance premiums than general inflation.

In many states, 150-year-old precedents under the collateral-source rule and related doctrines prevent juries or arbitrators from hearing evidence of what health insurers or auto carriers actually reimburse for the same services. This leaves inflated “list prices” or “chargemaster” amounts unchallenged as the default valuation methodology. Compounding this, plaintiffs’ counsel in numerous jurisdictions routinely use medical billing liens or letters of protection (LOPs) to route care outside the patient’s health insurance entirely. Providers then bill at full rack rates rather than negotiated insurance rates—often 2–4× higher—knowing the lien will be satisfied from the tort settlement or verdict. These practices artificially inflate the “reasonable value” of medical bills presented at trial or mediation.

Additionally, I routinely see treatment for pre-existing, non-accident-related conditions (degenerative spine issues, prior orthopedic complaints, chronic pain syndromes, etc.) being attributed to the minor auto accident in question. When these unrelated services are bundled into the BI claim without clear causation documentation, the claimed damages balloon—sometimes by tens of thousands of dollars per case. Because these inflated bills become the anchor for settlement negotiations and jury awards, insurers’ loss ratios on BI coverage climb even as overall accident frequency may be stable or declining.

This dynamic—more than raw inflation—is what I see driving the upward trend in BI claims costs that insurers are reporting nationwide.¹ Objective research and industry analyses confirm that rising healthcare costs and medical claim severity are key contributors to higher auto insurance premiums nationwide.²

The result is higher premiums for all drivers, but especially urban, high-risk, and certain-state residents, where these litigation practices are most entrenched.

Both plaintiff and defense counsel serve their clients best when they obtain an independent UCR expert early. I am retained equally by plaintiffs’ firms (to document and defend the true market value of necessary care) and by defense carriers and counsel (to rebut inflated billing). Plaintiff attorneys absolutely have the right—and the duty—to advocate vigorously for their clients. Reasonable, medically necessary charges that are causally linked (based on testimony of medical professionals in an IME report, or others) to the accident and supported by proper documentation and reasonable charges (as assessed by a medical billing expert witness) may be fully recoverable. An objective UCR analysis simply ensures that the recoverable amount reflects what the community actually pays for the same services, rather than an artificial rack-rate figure shielded from market reality.

Particularly in jurisdictions such as New York, where the parties have previously stipulated to the reasonableness of medical bills, counsel on both sides may be leaving significant value on the table if the bills in question exceed $150,000. In those cases, retaining a qualified expert who can opine on the usual, customary, and reasonable (UCR) charges—without any reference to what insurance may pay, consistent with collateral-source rules—frequently demonstrates that the stipulated amounts substantially exceed true market norms. Plaintiffs’ counsel can use this to strengthen and defend a higher (but still evidence-based) demand; defense counsel can use it to negotiate more realistic settlements or prepare more effective cross-examination. Either way, the expert’s testimony stays fully compliant with the jurisdiction’s evidentiary limitations while delivering far greater precision than a blanket stipulation.

For more information on my services as a medical billing expert witness, visit our dedicated page.

Recent tort reform efforts, such as those in Florida, show how states are beginning to address inflated medical billing practices in auto cases.

Insurers can and should continue adjusting underwriting, but the long-term solution lies in greater transparency around medical-bill valuation. Until states modernize the rules of evidence to allow actual reimbursement data (where permissible) or encourage early expert involvement, BI severity will keep outpacing inflation and pushing auto insurance premiums higher into 2026 and beyond. I stand ready to assist counsel on either side in reaching fair, evidence-based resolutions.

Footnotes & Citations

1. Insurance Information Institute (III), Facts & Statistics: Auto insurance (2024 data showing bodily injury claim severity at $28,278).
2. Bankrate (2025), “Rising Healthcare Costs Are Driving Up Your Auto Insurance Rate,” citing CCC Intelligent Solutions data (35% increase in average BI claim payouts Q3 2023–Q1 2025); supported by III studies showing inflation added $76+ billion to personal auto liability losses 2014–2023 and NAIC 2022/2023 Auto Insurance Database Report (liability incurred losses up 9.4% to $120.5B).

The post Rising Healthcare Costs Driving Up Auto Insurance Premiums – Don’t Stipulate to Medical Bills in Bodily Injury Litigation appeared first on No World Borders - Experts in healthcare.

Last updated: March 2026. CPT® codes are copyrighted by the American Medical Association (AMA). This Lab CPT Codes 2026 Update provides an informational overview of commonly used laboratory CPT codes (Pathology & Laboratory section: 80047–89398, plus molecular and Proprietary Laboratory Analyses/PLA codes) as of 2026. It is not exhaustive and not a substitute for the official CPT® 2026 Professional Edition manual, your billing software, or payer-specific guidelines.

Always verify medical necessity, bundling rules (NCCI edits), CLIA status, and reimbursement with Medicare’s Clinical Laboratory Fee Schedule (CLFS) or your contracted payers. Incorrect coding can lead to claim denials or audits.¹² The AMA released the CPT 2026 code set with 288 new codes, 84 deletions, and 46 revisions overall. Laboratory and molecular/PLA codes represent a large portion of the updates (approximately 27% PLA alone), reflecting advances in genomics, infectious disease detection, and precision diagnostics.¹³

Commonly Used Laboratory CPT Codes (Stable / Longstanding)

These are the most frequently billed lab tests in outpatient and hospital settings and remain largely unchanged in the Lab CPT Codes 2026 Update unless noted below. They are marked Established (pre-2026).

Organ/Disease-Oriented Panels & Chemistry

Hematology, Coagulation & Urinalysis

Microbiology & Infectious Disease (Selected)

Note: Many older separate NAAT codes for Chlamydia/Gonorrhea have been consolidated in the Lab CPT Codes 2026 Update (see New Codes section).⁴

For more on related laboratory services, see our internal guides: Lab CPT Codes Overview, Genetic Test Local Coverage Determination, Medicare Coverage Determinations for Genetic Tests.

2026 New, Revised & Deleted Laboratory CPT Codes

These were admitted as new codes effective January 1, 2026 (or later quarterly for some PLA). Full details in the official CPT 2026 manual.

New Codes (Category I – Pathology & Laboratory)

Revised Codes (2026)

83015 – Heavy metal (e.g., antimony, arsenic…); qualitative, any number of analytes
83018 – Heavy metal…; quantitative, each, not elsewhere specified⁴

Deleted Codes (Effective 12/31/2025)

Certain PLA codes (e.g., 0450U & 0451U for specific LC-MS/MS multiple myeloma tests)⁴

Proprietary Laboratory Analyses (PLA) Codes – 2026 Updates

PLA codes (e.g., 0001U and higher, or recent series like 0524U+) are test-specific proprietary assays listed in Appendix O. They take precedence over other codes when applicable. Many added quarterly.⁵

Selected new PLA examples effective 2026 (Jan or Apr 1): 0524U – Obstetrics (preeclampsia), sFlt-1/PIGF ratio, immunoassay, utilizing serum or plasma, reported as a value
Various others for mitochondrial, oncology, dementia, etc. (e.g., 0575U–0613U series expansions)⁶

Tip: Check the latest AMA PLA list or your lab’s test menu—many are MAC-priced initially.

Billing Tips for the Lab CPT Codes 2026 Update

Panels vs. Components: Bill the panel code (e.g., 80053) only if all components are performed on the same date. Otherwise, bill individually.

Modifiers: -91 (repeat lab test same day), QW (CLIA-waived), 90 (reference lab), 59 (distinct procedure).

Medical Necessity: Link to appropriate ICD-10 code. Medicare CLFS data file available on CMS.gov.⁷

PAMA Payment Reductions: 15% cap begins for many non-ADLT tests in 2026–2028 (delayed/no reduction in 2026).⁸

Download the full current CLFS: CMS CLFS Files page

Resources & Further Reading: AMA CPT 2026 Code Set (official purchase)
CMS Clinical Laboratory Fee Schedule 2026 Annual Update (CR 14312)
Your lab’s charge master & billing software updates

Stay current! Bookmark this post and check back annually—new lab CPT codes are released every fall for January 1 implementation. Questions about specific codes or billing? Comment below.

Citations for Lab CPT Codes 2026 Update

• American Medical Association. “AMA releases CPT 2026 code set.” September 11, 2025. Read full press release
• CMS. “Clinical Laboratory Fee Schedule: 2026 Annual Update.” December 5, 2025. Download PDF
• APS Medical Billing. “2026 Pathology and Laboratory CPT Updates.” January 2026. View whitepaper
• AGS Health. “Current Procedural Terminology® 2026 Code Set Overview.” December 23, 2025. Read overview
• American Medical Association. “CPT® PLA Codes.” Updated January 26, 2026. AMA PLA Codes page
• MedCentral. “CPT 2026 Updates Expand Lab, Category III, and AI Codes.” 2026. Read full article
• CMS. “Clinical Laboratory Fee Schedule.” Accessed March 2026. CMS CLFS page
• CMS. Clinical Laboratory Fee Schedule & Laboratory Services Subject to Reasonable Charge Payment: April 2026 Update. February 20, 2026.
• Lab Testing Codes
• Reference Laboratory

The post Lab CPT Codes 2026 Update appeared first on No World Borders - Experts in healthcare.

Recent high-profile cyber attacks, such as the March 2026 wiper malware assault on Stryker Corporation by the Iran-linked “Handala” group, have underscored the escalating threats to American companies, particularly in healthcare.

What we know about how it happened indicates that the attackers likely gained access through phishing or

exploited vulnerabilities, then deployed wiper malware to permanently destroy data on over 200,000 systems, including servers and employee devices, rather than encrypting it for ransom. 2 This incident, which caused widespread network outages and operational disruptions, could have been prevented or mitigated through strategies like

• multi-factor authentication,
• regular vulnerability patching,
• employee training,
• proactive penetration testing. 8

While the Stryker attack involved destructive wiper malware—motivated by geopolitical retaliation for US-Iran conflicts—healthcare remains vulnerable to ransomware, as seen in prior incidents like the Covenant Health breach. 5

As cyber threats evolve rapidly in line with the 2026 U.S. Cyber Strategy’s focus on shaping adversary behavior, promoting common-sense regulation, and securing critical infrastructure, this post explores best practices to safeguard operations against both ransomware and wiper malware. With a prominent emphasis on penetration testing, we detail policies and procedures for IT system security, user training, and disaster planning. Whether you’re a business leader or a law firm advising clients, these insights offer actionable advice to fortify defenses and mitigate risks.

Implementing Multi-Factor Authentication (MFA)

One of the foundational strategies is to employ multi-factor authentication across all systems. MFA adds an extra layer of security by requiring multiple verification methods, significantly reducing the risk of unauthorized access. Companies should enforce MFA for email, cloud services, and internal networks to prevent initial breaches that often lead to wiper malware or ransomware deployment.

Regular Patching and Vulnerability Management

Maintaining up-to-date software is crucial. Automate patching for known vulnerabilities, particularly on perimeter devices like VPNs and firewalls. A comprehensive vulnerability management program involves regular scans and prioritization of patches based on risk, which could have mitigated the exploitation seen in attacks like Stryker’s. 5

Employee Training and Awareness Programs

Human error remains a top entry point for cyber attacks. Implement ongoing training programs that cover phishing recognition, safe internet practices, and the importance of reporting suspicious activities. Tailor training to different roles, ensuring that all users understand their part in maintaining security against threats like wiper malware.

Penetration Testing: A Prominent Defensive Measure

To explain, penetration testing, also known as ethical hacking, is a critical strategy that must be prominently featured in any cybersecurity plan. This involves simulating cyber attacks to identify weaknesses in systems, networks, and applications before malicious actors exploit them. American companies should conduct regular penetration tests, at least annually or after significant changes to the IT infrastructure. Engage certified third-party experts to perform these tests for an unbiased assessment. The results should inform immediate remediation efforts and long-term security enhancements. By proactively uncovering vulnerabilities through penetration testing, organizations can significantly reduce the risk of successful cyber attacks, including wiper malware and ransomware.

Policies and Procedures for Maintaining IT System Security

To maintain security with respect to IT systems, companies should develop and enforce comprehensive policies. These include:

• Access control policies based on the principle of least privilege, ensuring users have only the permissions necessary for their roles.
• Regular audits and monitoring of system logs to detect anomalies early.
• Adoption of Zero Trust architecture, where no entity is trusted by default, and continuous verification is required.
• Secure configuration management to harden systems against common exploits.

In other words, policies should be documented, regularly reviewed, and integrated into the company’s overall risk management framework.

Policies and Procedures for Training Users of IT Systems

Effective user training goes beyond one-time sessions. Establish procedures that mandate:

• Mandatory annual cybersecurity training for all employees.
• Specialized training for IT staff on emerging threats and best practices.
• Simulated phishing exercises to test and improve employee vigilance.
• Clear reporting procedures for suspected incidents, with no punitive measures for honest mistakes.

Incorporate training into onboarding processes and update content based on recent threat intelligence. For healthcare-related cybersecurity training, consider resources from experts like those at No World Borders, who specialize in HIPAA Privacy and Security.

Disaster Plans in the Event of a Cyber Attack or Wiper Malware Attack

Preparation for the worst is essential. Develop detailed disaster recovery and business continuity plans that include:

• Incident response teams with defined roles and communication protocols.
• Immutable, offline backups following the 3-2-1 rule (three copies, two media types, one offsite).
• Regular testing of recovery procedures through tabletop exercises and full simulations.
• Coordination with law enforcement and cyber insurance providers for post-attack support.
• Post-incident review processes to learn and improve from events.

These plans should be living documents, updated in response to new threats and organizational changes, especially considering the permanent data loss from wiper attacks like Stryker’s.

Special Considerations for Healthcare Companies

To elaborate, healthcare organizations face unique challenges due to the sensitive nature of electronic protected health information (ePHI). Compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule is mandatory, and the National Institute of Standards and Technology (NIST) provides the most important cybersecurity guidelines to support this. NIST publications can assist with implementing HIPAA Security Rule Standards with healthcare cybersecurity in mind; NIST offers practical guidance for safeguarding ePHI and understanding the Security Rule’s concepts.

Additionally, the NIST Cybersecurity Framework (CSF) aligns with HIPAA requirements through a crosswalk that maps CSF categories to HIPAA provisions, aiding in risk management, incident response, and data protection. Healthcare companies should integrate NIST CSF’s core functions—Identify, Protect, Detect, Respond, and Recover—into their security programs to enhance compliance and resilience against threats like ransomware and wiper malware. This approach not only meets regulatory demands but also addresses edge cases such as supply chain vulnerabilities and emerging AI-driven attacks. For specialized expertise, including HIPAA compliance assessments, visit No World Borders HIPAA Expert Witness.

By adopting NIST guidelines, healthcare entities can explore cybersecurity from multiple angles: regulatory compliance, operational efficiency, patient trust, and long-term risk implications. This comprehensive strategy covers nuances like privacy controls and continuous monitoring, ensuring a robust defense in a high-stakes environment, particularly relevant after incidents like the Stryker wiper attack.

Looking Ahead: The Future Importance of Data Observability and AI Agents

To put it another way, cyber threats continue to advance, the future of cybersecurity will increasingly rely on data observability and AI agents. Data observability provides real-time insights into data flows, quality, and lineage, enabling organizations to detect anomalies and potential breaches swiftly. This proactive monitoring is crucial for maintaining the integrity of vast datasets in an interconnected world.

AI agents, powered by machine learning and automation, will play a pivotal role in threat detection, response, and prediction. These intelligent systems can analyze patterns across massive volumes of data, identify emerging risks before they materialize, and automate remediation processes to minimize downtime. Together, data observability and AI agents will empower companies to not only react to attacks but also anticipate them, fostering a more resilient digital ecosystem. Investing in these technologies now will be essential for staying ahead of sophisticated adversaries in the years to come.

Additional Strategies: Supply Chain Security and Advanced Technologies

Beyond the core areas, companies should assess vendor risks through security questionnaires and require penetration testing results from suppliers. Leverage AI-powered threat detection and consider post-quantum cryptography for long-term protection.

By implementing these strategies, American companies can build resilience against cyber threats like wiper malware and ransomware. Remember, cybersecurity is an ongoing process requiring vigilance and adaptation. Share this article with your network to promote best practices and enhance collective security.

About the Author

Michael F. Arrigo (@marrigo) chairs a cybersecurity subcommittee for a healthcare company and advises his clients on HIPAA breach remediation, prevention, and litigation. For more insights or expert consultation, visit No World Borders.

Footnotes

1. Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker – Krebs on Security
2. Iran-linked hackers claim responsibility for attack on US medical device maker Stryker – Reuters
3. 200,000 Devices Erased? Pro-Iran Hackers Hit US Firm With Data-Wiping Attack – PCMag
4. The 2026 Iranian Cyber Escalation & Stryker Wiper Attack – CMIT Solutions
5. Stryker Cyberattack Adds to Fears of New Front in Iran War – The New York Times
6. The who, what, and why of the attack that has shut down Stryker – Ars Technica
7. Stryker Wiper Attack: What Security Teams Need to Know Now – 7AI
8. Iran-linked group says it hacked US company in retaliation for Minab school bombing – The Guardian
9. Iran-linked group claims wiper attack and takedown of medical device maker Stryker – SC Media
10. Stryker Cyberattack 2026: Lessons from a Global Wiper Incident – ProArch
11. Major Cyber Attacks, Data Breaches, Ransomware Attacks in January 2026 – CM Alliance
12. Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide – NIST
13. NIST CSF and HIPAA: Crosswalk Explained – Censinet
14. How the NIST Cybersecurity Framework relates to HIPAA compliance – HIPAA Times
15. What is NIST HIPAA Compliance?
16. White House Announces The 2026 Cyber Strategy For America – Forrester
17. How to Protect Against Ransomware (2026 Guide) – Zero Networks
18. US Cyber Strategy 2026: Preventing Cyber Attacks – Everfox
19. The Top Cybersecurity Threats in 2026 and How To Mitigate Them
20. Attacks are Evolving: 3 Ways to Protect Your Business – The Hacker News
21. Ransomware Evolution in 2026: Protection Strategies
22. US Urges Telecoms to Improve Defences Against Ransomware – West Oahu
23. Cyber Threats in 2026: What Your Business Needs Now – IP Services
24. 15 Ways to Protect Your Business From a Cyber Attack – AZCOMP
25. New Ransomware Tactics to Watch Out For in 2026 – Recorded Future
26. How to Protect Your Business from Ransomware – Code of Entry

Related Posts

Healthcare Cybersecurity: NIST ARRA HITECH and HIPAA

HIPAA Expert Witness

Electronic Health Records Authentication

The post Is Your Business Vulnerable to Wiper Malware? Lessons from the Stryker Attack Prevention Strategies for 2026 appeared first on No World Borders - Experts in healthcare.

by Michael F Arrigo, with prior experience as a member of the Audit Committee of a public company (deemed as a “financial expert” in SEC disclosures under the Securities Exchange Act of 1934)

Introduction: The Role of a Medicare and Financial Expert

As a medical billing expert, expert witness in Medicare, medical coding, and medical billing, and deemed a financial expert under SEC rules, I bring a unique perspective to navigating the complexities of Medicare. My expertise allows me to interpret intricate Medicare coverage policies, including Local Coverage Determinations (LCDs), which dictate what services and devices are deemed medically necessary. This involves deep knowledge of medical coding systems like CPT (Current Procedural Terminology), HCPCS (Healthcare Common Procedure Coding System), and DRG (Diagnosis-Related Group) codes, ensuring accurate billing and coverage assessments.

From a financial standpoint, as someone recognized under the Securities Exchange Act of 1934, I can analyze the economic implications of Medicare premiums, deductions from Social Security, and surcharges like IRMAA (Income-Related Monthly Adjustment Amount). This dual expertise is invaluable for retirees facing surprise bills, premium disputes, or coverage denials. For instance, I can assist in contesting erroneous charges by reviewing medical records and bills, identifying coding errors, and providing testimony in legal or administrative proceedings. This helps ensure fair treatment, potential reductions or waivers of bills, and better financial planning to avoid penalties or overpayments. Whether advising on premium payment options, appealing IRMAA decisions, or explaining policy nuances, my background bridges healthcare and finance to empower informed decisions.

1. Most people assume they have a choice, but is it actually mandatory for Medicare premiums to be taken directly out of a Social Security check once you start receiving benefits?

No, it is not strictly mandatory in all cases, but for most people receiving Social Security benefits, Medicare Part B premiums (and often Part D if applicable) are automatically deducted from Social Security payments.

However, if you have reached age 65 and are still working, and therefore not yet receiving Social Security payments, you have a choice: (a) pay the Medicare Part B premium at Medicare.gov or via check, or (b) automatically have Medicare.gov charge an account of your choosing for the premium.

If you are retired, the default method is an automatic charge from your Social Security payments, and it is the most common method.¹ The law and standard process require automatic deduction from Social Security (or Railroad Retirement Board) benefits when you’re receiving them, as it’s designed for convenience and compliance.² However, if your Social Security benefit is too low to cover the premium or you’re not receiving those benefits, you’ll be billed directly by Medicare (e.g., quarterly).³ Alternatives like direct payment exist only if you’re not on Social Security or in specific, insufficient-benefit scenarios.⁴

2. For retirees who want their full Social Security check for living expenses, are there any ways to avoid having Medicare deducted, such as paying through a different account?

There are limited ways to avoid automatic deduction if you’re receiving Social Security benefits. Automatic deduction is the standard for Part B (and often Part D), and most sources indicate you cannot opt out to receive the full check while still enrolled in Part B.⁵ If your Social Security payment is insufficient to cover the premium, or if you’re not receiving Social Security at all, Medicare bills you directly (e.g., quarterly via check, credit card, or Medicare Easy Pay from a bank account).⁶ Some retirees delay or disenroll from Part B (if they have other coverage), but that’s not avoiding payment—it’s opting out of the coverage itself, which can lead to penalties later.⁷ For those with high incomes or specific situations, planning income to avoid surcharges (IRMAA) can reduce the deducted amount, but not eliminate the base deduction.⁸

3. What should a new retiree expect on their very first Social Security check—is it common to see multiple months of Medicare premiums deducted at once?

Yes, it’s common for the first Social Security retirement benefit check to have multiple months of Medicare premiums deducted at once. This happens because there can be a lag (up to 6-8 weeks or more) before automatic deductions fully start, so the initial payment may retroactively cover past due premiums or overlap periods.⁹ New enrollees might see deductions for 2+ months if there’s a transition from direct billing to automatic deduction, or due to retroactive benefits.¹⁰ If over-deducted (e.g., double-billed during transition), Social Security typically issues a refund or adjustment, often within 30 days. 11 Retirees should plan for a potentially smaller first check and contact SSA if it seems incorrect.

4. If the spouse passes away and the Social Security benefit changes, how does the Medicare payment transition work to ensure the survivor isn’t left with a massive unpaid bill or a sudden lapse in coverage?

When a spouse dies, the surviving spouse reports the death to the Social Security Administration (SSA), and their benefits typically switch to survivor benefits (up to 100% of the deceased’s amount at full retirement age).¹² Medicare premiums continue to be automatically deducted from the new survivor benefit amount if it’s sufficient—no lapse occurs automatically, as coverage continues based on eligibility.¹³ If the survivor was not previously on their own benefits or deductions change, SSA adjusts deductions accordingly. Medicare coverage ends on the date of death for the deceased, but any overpaid premiums (e.g., deducted after death) may be refunded to the estate or survivor.¹⁴ To avoid issues, promptly report the death to SSA; the transition prevents unpaid bills or lapses for the survivor, though they should monitor statements and contact SSA/Medicare if premiums seem mismatched.¹⁵

5. How does the IRMAA impact seniors?

IRMAA (Income-Related Monthly Adjustment Amount) is a surcharge added to Medicare Part B and Part D premiums for higher-income seniors, based on modified adjusted gross income (MAGI) from two years prior.¹⁶ For 2026, it applies if individual MAGI exceeds $109,000 (or $218,000 for joint filers), with surcharges increasing in tiers up to thousands extra per year.¹⁷ It impacts seniors by significantly raising premiums (e.g., Part B could rise from the standard ~$202.90 to over $600/month in top brackets), deducted from Social Security or billed directly.¹⁸ This can surprise retirees with income spikes (e.g., from Roth conversions or capital gains), and appeals are possible for life-changing events like retirement or income drops.¹⁹ Proactive income planning (e.g., managing withdrawals) can help minimize or avoid it.

6. Since Medicare bills quarterly (every three months) for seniors not on Social Security, what specific budgeting hacks can seniors use to manage a surprise bill exceeding $600 without draining their emergency savings?

For those billed quarterly (typically ~$600+ for standard Part B, more with IRMAA), set up Medicare Easy Pay for automatic monthly withdrawals from a checking/savings account to spread costs evenly instead of facing large lump sums.²⁰ Other hacks include:

• Create a dedicated monthly “healthcare sinking fund” by setting aside 1/3 of the quarterly amount each month in a high-yield savings account.²¹
• Pay online via Medicare.gov (or by phone/credit card) early to avoid late fees, and track due dates (25th of the bill month).²²
• Explore Medicare Savings Programs (MSPs) or Extra Help if income-qualified to reduce or cover premiums.²³
• Budget conservatively for the first bill (often higher due to retroactive amounts) and review annual notices for changes.²⁴

These prevent surprises without tapping emergency funds.

• You can also contest the surprise bill. As a patient, you have a right to see all of the medical records and medical billing, including any CPT codes, HCPCS codes, DRG codes, etc. Many health care providers are not well-equipped to provide this information, though they are required to do so. If you can’t receive the medical records and medical bills to substantiate the surprise bill, you are in a good position to contest the bill and get it reduced or waived. Medical billing can be complex; however, if you have a very large surprise bill consider retaining a medical billing expert.

7. How does Medicare document its policies for what it deems to be a medical service or device?

See our posts regarding Medicare Local Coverage Determinations (also known as “Medicare LCDs”) at Medicare LCD and Local Coverage Determinations and Local Coverage Determinations Medicare.

Citations

1. Medicare.gov – How to Pay Part A & Part B premiums
2. SSA.gov – Benefits Planner: Medicare Premiums
3. Medicare.gov – How to Pay Part A & Part B premiums
4. NARFE.org – Deduction of Medicare Premiums
5. Healthline.com – Are Medicare Premiums Deducted from Your Social Security Benefits?
6. Medicare.gov – How to Pay Part A & Part B premiums
7. RetireGuide.com – Medicare & Social Security Deductions
8. Various sources on IRMAA planning. IRMAA (Income-Related Monthly Adjusted Amount) planning involves strategies to manage your Modified Adjusted Gross Income (MAGI) to avoid or reduce Medicare Part B and D surcharges for high-income beneficiaries. It focuses on keeping income below thresholds using tax planning—such as tax-exempt investments, Roth conversions, or reducing taxable RMDs—based on the two-year look-back
9. Healthline.com – Are Medicare Premiums Deducted…
10. Quora/Reddit user experiences and SSA processes
11. JustAnswer/Reddit discussions on refunds
12. SSA.gov – Survivor benefits
13. MedicareResources.org – Do I need to report the death…
14. SSA POMS and related refund processes
15. MedicalNewsToday – Survivor benefits and Medicare
16. NerdWallet – IRMAA Brackets 2026
17. Humana.com – IRMAA for 2026
18. MedicareInteractive.org – Part B costs for higher incomes
19. SSA appeal processes
20. Medicare.gov – How to Pay… (Easy Pay)
21. General budgeting advice from NCOA.org and similar
22. Medicare.gov – Premium bills due dates
23. Medicare.gov – Help with costs
24. Medicare.gov – Medicare and You Handbook

Conclusion: Leveraging Expert Guidance for Medicare Challenges

In addition to the insights provided above, consulting an expert witness like myself—who combines Medicare expertise with financial acumen under SEC standards—can be transformative. For Medicare coverage, I can demystify policies through analysis of LCDs and NCDs (National Coverage Determinations), ensuring you understand what qualifies as a covered service or device. On premiums, I offer strategies to optimize deductions, appeal IRMAA surcharges, and manage billing transitions. In cases of disputes, my ability to scrutinize coding and billing accuracy can lead to successful contests, saving significant costs. This holistic approach not only clarifies complexities but also safeguards your financial health in retirement.

Related Articles

• Little Known Facts about Medicare
• Medicare Coverage Requirements
• Search for Medicare Local Coverage Determination
• Medicare LCD and Rule Making Modernization
• Medicare Advantage Hospice
• Medicare Beneficiary Identifier Required in 2020

The post Medicare Premiums and Social Security: Essential Insights for Retirees appeared first on No World Borders - Experts in healthcare.