Archives for April 2013

Comment Period Extended for Two Proposed Rules and One Risk Assessment Relating to Food Safety

The FDA has extended the comment period on two proposed rules and one draft risk assessment, all published in the Federal Register on January 16, 2013. The proposed rules and draft guidance covered various food safety issues. The proposed rules’ original comment deadline of May 16, 2013, has been extended to September 16, 2013. The comment period for the draft risk assessment originally closed on February 15, 2013, was reopened on March 13, 2013, and will now remain open until September 16, 2013. The deadlines were extended based on requests from the industry for more time. The corresponding information collection provisions are also extended.

The first proposed rule, titled “Standards for the Growing, Harvesting, Packing, and Holding of Produce for Human Consumption,” would establish regulations on: (1) worker training and health and hygiene; (2) agricultural water; (3) biological soil amendments; (4) domesticated and wild animal access to growing areas; (5) equipment, tools, buildings; and (6) sprouts. The second proposed rule, titled “Current Good Manufacturing Practice and Hazard Analysis and Risk-Based Preventive Controls for Human Food,” would put requirements on facilities to establish and implement hazard and risk-based preventative controls. Facilities that manufacture, process, pack, or hold food and are required to register under section 415 of the Federal Food, Drug and Cosmetic Act (FD&C Act) would be required to comply with these regulations, unless they were exempt.

The corresponding draft risk assessment, titled “Draft Qualitative Risk Assessment of Risk of Activity/Food Combinations for Activities (Outside the Farm Definition) Conducted in a Facility Co-Located on a Farm” is intended to provide a science-based risk analysis of activity and food combinations that would be considered low risk. The FDA is seeking comments that can be used to improve: (1) the approach used; (2) the assumptions made; (3) the data used; and (4) the transparency of the draft risk assessment.

OCR Reports on Enforcement of HIPAA Rules at HCCA Compliance Institute

From 2008 through December 31, 2012, the HHS Office of Civil Rights (OCR) imposed $14.9 million in civil money penalties (CMPs) as part of its enforcement of the Health Insurance Portability and Accountability Act (HIPAA) privacy, security, and breach notification rules, according to David Holtzman, Senior Health Information Technology & Privacy Specialist. From September 2009 through March 20, 2013, the OCR received 556 reports of breaches involving over 500 individuals (large breaches) and over 78,000 reports involving under 500 individuals (small breaches). Holtzman presented the update of the OCR’s HIPAA rule enforcement activities on April 22, 2013, at the Health Care Compliance Association’s (HCCA’s) annual Compliance Institute held at the Gaylord Resort & Convention Center in National Harbor, Maryland.

According to Holtzman, to understand the scope and type of breaches, the OCR has identified the areas to be reviewed. For complaints related to breaches of the privacy rule, the OCR most frequently reviews whether the organization: (1) engaged in impermissible uses and disclosures of protected health information (PHI); (2) has appropriate safeguards to protect health information; (3) has policies and procedures in place related to access to health records; (4) restricts access to PHI to employees who need the information to perform their jobs (the “minimum necessary rule”); and (5) has policies and procedures related to notice of privacy practice. For complaints related to the security rule, OCR reviews the organization’s policies and procedures related to (1) routinely conducting risk analyses, (2) security incident response and reporting, (3) security awareness and training, (4) access controls, and (5) encryption and decryption. Holtzman stressed that risk analysis is the foundation to demonstrate compliance with the HIPAA rules. Risk analysis identifies weaknesses in the system, for which the organization can develop and implement controls for mitigation, he added.

Holtzman reported that the number of large breaches reported annually hasn’t changed and that the focus should be on small breaches. The top types of large breaches involved theft, unauthorized access or disclosure, or loss of data located in laptops, paper records, desktop computers, or portable electronic devices. The largest breaches in 2012 involved hacking of a network server, hacking of a database stored on a network server, backup tapes stored at a hospital that could not be found and are presumed lost, theft of a laptop from an employee’s vehicle, and unauthorized access to electronic PHI stored in a database. Smaller breaches were more likely to involve access to paper rather than electronic records. Holtzman noted that although hacking has not impacted health care on a large scale, it has increased and, currently, is more of a problem in other industries. He also pointed out that mobile devices are not protected. The Office of the National Coordinator for Health Information Technology (ONC) and OCR have developed a Mobile Device Program Instructional Video Series that explores mobile device risks and discusses privacy and security safeguards providers and professionals can put in place to mitigate risks, covering topics such as securing a mobile device, protecting PHI when using a public Wi-Fi network, and using a mobile device at work.

A pilot audit program, which was mandated by Sec. 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to conduct periodic audits to ensure covered entities and business associates comply with HIPAA and HITECH requirements, resulted in 979 audit findings and observations of noncompliance with the HIPAA rules as follows: 203 privacy, 592 security, and 94 breach notifications. Notably, smaller entities had the most difficulty and struggled with all three areas.

Holtzman also addressed the provisions of the Omnibus Final Rule, which was published in the Federal Register on January 25, 2013. The Final Rule expanded the liability of business associates (BAs), requiring BAs to comply with use and disclosure requirements in the privacy rule as well as the technical, administrative, and physical safeguard requirements of the Security Rule. The Final Rule also amended the definition of BA. Under the enforcement provisions, CMPs have been adopted from the interim final rule, the term reasonable cause has been modified, and intentional wrongful disclosures may be subject to civil rather than criminal penalties. Absent willful neglect, HHS will seek compliance through informal voluntary action.

From the Contributor’s Corner: Medicaid Sanction Screening

“To obtain/maintain active enrollment status, providers may not employ or contract with individuals/entities excluded from participation in any federal health care program or debarred by the GSA from any other executive branch program or activity”.[1]

This means that Medicare and Medicaid payments are prohibited for all items and services furnished by excluded persons and entities.  In order for providers to enroll or maintain active enrollment status, they may not employ or contract with individuals/entities excluded from participation in any federal health care program or debarred by the GSA.

State Medicaid agencies must promptly report final actions against providers that affect their participation in the Medicaid program to the Office of Inspector General (OIG). The OIG then determines whether to exclude the provider based on federal criteria for exclusion and includes the individual/entity on the OIG List of Excluded Individuals and Entities (LEIE).  Unfortunately, all parties excluded by states may not appear on the LEIE.  In a study of state reporting conducted by the OIG, the office found that many were not sending their sanction information to the OIG.  The OIG noted that two-thirds of providers with final actions imposed by state agencies were not included on the LEIE. The majority of states even had a match rate of less than twenty-five percent.  The response from most of the states was that this was due to uncertainty about when to notify the OIG of such final actions and what kind of information to provide. I believe this is just an excuse.

Meanwhile, the Centers for Medicare & Medicaid Services (CMS) has been taking action to ensure providers and programs are screening for Medicaid exclusions.  Beginning in 2008, it has been sending letters to the State Medicaid Directors to give them guidance on its interpretation of the regulations as they relate to sanctioned and excluded individuals/entities.  The guidance called for State Medicaid Directors to mandate monthly checking of their enrolled providers for exclusions.  CMS also stated that the states should advise providers upon enrollment and re-enrollment of their obligation to screen all employees and contractors against the OIG LEIE monthly and explicitly require providers to agree to comply with this obligation as a condition of enrollment.

At this urging by CMS, states are moving to develop and maintain their own Medicaid exclusion lists, followed by mandates for providers to screen against them on a monthly basis.  This movement has been slow and steady.

In response to CMS, nearly half of the states have moved to develop their own sanction and exclusion databases, along with statutes and regulations mandating monthly screening.[2]  It is reasonable to assume that this trend will continue and that eventually all states will be doing this.  In addition to the development of state Medicaid exclusion lists, more and more states are also following the CMS guidance that calls for monthly screening of the database. Most of those that have gone this route have published those lists on their websites, but not all.  As such, it may be necessary to contact the state Medicaid agency or health department directly in order to access the necessary information.

The following are suggestions and best practices for providers when it comes to meeting sanction screening obligations:

  1. It is mandatory to screen against the LEIE; therefore, screen in advance of hiring or engaging any individual or entity, as well as granting staff privileges to physicians.  Thereafter it is advisable to screen all affected parties at least annually, but if possible monthly.
  2. Check with the state jurisdictions where a provider does business for any Medicaid sanction screening mandates.  Note that states are moving to follow CMS guidance for monthly screening.
  3. If the state requires monthly screening, then it is advisable to consider screening against the LEIE as often.
  4. The OIG suggests also screening affected parties against the GSA debarment list, formerly called the EPLS, now SAM.  CMS more directly says this should be done.  However, neither the OIG nor CMS states the frequency with which this should be done.  I strongly recommend doing this only at the time of engagement of a vendor, contractor, physician, or employee and thereafter only annually.  GSA’s debarment list program has been fraught with technical deficiencies, flaws, and security breaches. In my opinion, screening more often is unnecessary and a waste of time and resources.

[1] (42 CFR 424.516)

[2] Alabama, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Illinois, Kentucky, Maine, Maryland, Michigan, Mississippi, Nebraska, Nevada, New Jersey, New York, South Carolina, Texas, and West Virginia

Richard P. Kusserow served 11 years as the DHHS Inspector General and currently is CEO of the Compliance Resource Center (CRC).  CRC includes Sanction Screening Services (S³), which provides sanction screening tools and also provides full outsourcing of sanction screening. For more information, he can be contacted at


Copyright © 2013 Strategic Management Services, LLC.  Published with permission.

CMS to Maintain Existing Plan for Pioneer ACO Payments for 2013

CMS has informed health care organizations participating in the Pioneer Accountable Care Organization (ACO) Model that it will not change the way it determines pay-for-performance benchmarks for quality measures in 2013. The 32 Pioneer ACOs sent a letter to CMS in February expressing concern about how the ACOs’ payments would be determined this year.

Pioneer ACOs

First, some background. As part of the Patient Protection and Affordable Care Act (P.L. 111-148) (PPACA) Congress created the Medicare Shared Savings Program to encourage groups of doctors, hospitals, and other health care providers to organize into ACOs to provide coordinated health care to Medicare beneficiaries. The idea behind ACOs is that a group of providers could design more innovative and efficient ways of providing health care than traditional fee-for-service Medicare, and these providers could be rewarded for the quality of the health care they provide, and not the quantity of services. If ACOs provide care that costs less than what traditional Medicare would pay, the ACO will share in the savings.

PPACA also established the Pioneer ACO Model for organizations that already had experience offering coordinated, patient-centered care and operating in ACO-like arrangements. The idea behind the Pioneer ACOs was that these organizations could move more quickly than newer organizations to provide coordinated care to Medicare beneficiaries. CMS created a list of 33 quality measures for which participating ACOs would have to provide data and also meet specified benchmarks in order to receive payments.

CMS signed agreements with 32 health care organizations spread around the country to participate in the Pioneer ACO program. The program runs from January 2012 until the end of 2014. In 2012, Pioneers received payments just for reporting data on the 33 quality measures. Starting in 2013, Pioneers will be paid based on the actual care they provide. And how this is measured is what has Pioneers concerned.

February Letter

In February, the Pioneer ACOs sent a letter to CMS expressing concern that at least 19 of the quality measures did not have sufficient data on which to base “empirical benchmarks,” basically flat percentages of different types of care that the ACOs would have to show they provided. The Pioneers also noted that “the proposed benchmarks are higher than standards set in commercial contracts and Medicaid.” The Pioneers suggested “that using the ACO database to determine best in class performance for the [quality] measures will help set and scale percentiles accordingly.” The Pioneers also expressed concern with the use of data from Medicare Advantage plans in setting benchmarks. “We believe there are fundamental differences between the experience of non-managed and managed populations that warrant consideration when establishing pay-related benchmarks,” according to the letter.

CMS Letter

In an April 23, 2013, letter to all Pioneer ACOs, CMS said it will continue to use “actual Medicare fee-for-service (FFS) and Medicare Advantage (MA) performance data in establishing ACO quality performance benchmarks.” CMS noted that it was using flat percentage benchmarks in part because of lack of national data. CMS added, however, that “over 200 organizations recently completed submitting data through the Physician Quality Reporting System (PQRS) and ACO Group Practice Reporting Option (GPRO) reporting processes,” and that this new data would also be used to set benchmarks for 2013.

CMS also noted that it will soon issue proposals on how it will include 2012 data submitted by ACOs to establish benchmarks for the shared savings program in 2014; these benchmarks will also apply to Pioneer ACOs in 2014.