OIG reviews MassHealth and its Medicaid data and information system safeguards

MassHealth failed to adequately safeguard data and information systems through its Medicaid Management Information System (MMIS), according to an audit by the HHS’ Office of Inspector General (OIG) undertaken to determine whether Massachusetts safeguarded MMIS data as required under federal requirements.

What is MMIS?

The MMIS is “an integrated group of procedures and computer processing operations (subsystems) developed at the general design level to meet principal objectives” which are: Title XIX program control and administrative costs; service to recipients, providers and inquiries; operations of claims control and computer capabilities; and management reporting for planning and control. States receive 90 percent federal financial participation (FFP) for design, development, or installation of MMIS and 75 percent FFP for operation of state mechanized claims processing and information retrieval systems.

MassHealth MMIS

The Massachusetts Executive Office of Health and Human Services is responsible for administering the state Medicaid program, commonly known as MassHealth, and information technology architecture, maintenance, and support is provided by the Massachusetts Office of Information Technology. Application support is provided through a contract with Hewlett-Packard.

The audit

Audits of information security controls are performed routinely on states’ computer systems used to administer HHS-funded programs and states are required to implement computer system security requirements and review them biennially. The OIG’s audit of MassHealth’s MMIS included MassHealth’s websites, databases, and other supporting information systems. The review was limited to security control areas and controls in place at the time of the visit. Specifically, the OIG looked at MassHealth’s implementation of federal requirements and National Institute of Standards and Technology guidelines regarding: system security plan, risk assessment, data encryption, web applications, vulnerability management, and database applications. Preliminary findings were communicated directly to MassHealth prior to the report’s issuance.

OIG’s findings

The OIG found MassHealth did not safeguard MMIS data and supporting systems as required by federal requirements. Vulnerabilities were discovered related to security management, configuration management, system software controls, and website and database vulnerability scans. Should exploitation of the vulnerabilities have occurred (and there was no evidence that it had), sensitive information could have been accessed and disclosed and operations of MassHealth could have been disrupted. Sufficient controls must be implemented over MassHealth Medicaid data and information systems.

Specific vulnerabilities uncovered were not detailed in the report because of the sensitive nature of the information. However, specific details were provided to MassHealth so it may address the issues. In response to the report, MassHealth described corrective actions it had taken or planned to take in response to the vulnerabilities.

Home health owner/operator pleads guilty to Texas-sized Medicaid fraud

Billed as the largest provider attendant services (PAS) fraud in Texas history, the owner/operator of five Houston-area home health agencies pleaded guilty in a $17 million fraud conspiracy case, the last conspirator in the scheme to plead guilty. The owner/operator pleaded guilty to two counts of conspiring to defraud Medicare and the Texas Medicaid-funded home and community-based service and primary home care programs and one count of conspiring to launder money. His sentencing is scheduled for June 22, 2017.

The owner/operator, whose co-conspirators included his daughter and other family members, admitted to the following:

1. obtaining patients for the home health agencies by paying illegal kickbacks to patient recruiters and office employees;
2. paying cash, checks, Western Union, and Moneygram funds to Medicare and Medicaid patients for receiving services from the home health agencies in exchange for using their Medicare and Medicaid numbers to bill for home health and PAS services;
3. paying patients for recruiting other Medicare and Medicaid patients to the home health agencies;
4. paying physicians illegal kickbacks for referring and certifying Medicare and Medicaid patients for home health and PAS services; and
5. using fraudulently-obtained money from Medicare and Medicaid to pay the illegal kickbacks to promote the conspiracies and to ensure that they would continue.

Over $17 million in fraudulent claims were submitted to Medicare and Medicaid and the conspirators received approximately $16 million in payments from the programs.

Results from patient-centered medical homes study ‘significant’

Little evidence exists supporting the case for patient-centered medical homes (PCMHs), leaving decision-makers’ opinions on their use mixed. A recent study, the paper for which appeared in the March issue of Health Affairs, looked at the findings from 11 major PCMH evaluations in eight states to provide estimates of PCMH impact on utilization, cost and quality. The results were “significant.”

What is a PCMH?

Also referred to as a primary care medical home, advanced primary care, or a healthcare home, the patient-centered medical home model aims to reduce spending and improve quality while emphasizing coordinated, patient-centered care. HHS’ Agency for Healthcare Research and Quality (AHRQ) provides five functions or attributes of a PCMH:

1. Comprehensive care: The PCMH must meet the large majority of a patient’s physical and mental health needs, i.e., prevention and wellness, acute care, and chronic care.
2. Patient-centered: Health care must be relationship-based with an orientation toward treating the whole person, supporting patients and their families managing and organizing their own care.
3. Coordinated care: Care must be coordinated across the broader health care system, encompassing specialty care, hospitals, home health care, and community services and supports, particularly important during transitions between sites of care.
4. Accessible services: A medical home must deliver shorter wait times for urgent needs, better in-person hours, around-the-clock (telephone or electronic) access to a care team member, and alternative methods of communication.
5. Quality and safety: Medical homes must show a commitment to quality and quality improvement, use evidence-based medical and clinical decision-support tools to share decision-making with patients and families, engage in performance measurement and improvement, measure and respond to patient experiences and satisfaction, and practice population health management.

The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) (P.L. 114-2) calls for “increased quality, efficiency, and clinical practice metrics that existing models such as the PCMH support,” according to a letter to then-Acting Administrator of CMS, Andy Slavitt, in which the American Academy of Family Physicians and other organizations requested that CMS affirm PCMHs as an eligible alternative payment model (APM). The study authors point to PCMHs being one of the APMs under MACRA, and specifically that MACRA’s Comprehensive Primary Care Initiative (CPCI) “will become a core feature of the Medicare payment system.”

Findings of the study

The study found that PCMH evaluations varied significantly across the 11 major evaluation studies. PCMH resulted in reduced spending (4.2 percent reduction) and improvements in breast cancer screening rates for high-needs patients (1.4 percent increase), lower use of specialist visits (1.5 percent reduction), and increased cervical screening for all patients (1.2 percent increase). The results of this study, combined with mixed results from earlier studies, the study authors note, show that how a PCMH is implemented is critical to achieving the desired impact on primary care. “PCMH initiatives are not ‘one size fits all.’”

The study authors note that while there are a wide variety of approaches to PCMH implementation today, under the CPCI, practices operating a PCMH will share a single payment model and other standard features, so there will be fewer differences. The study authors noted that “identification of the components of PCMHs likely to improve outcomes is critical to decisions about investing resources in primary care.”

Find a friendly format to ensure compliance guidance is followed

Modify the HHS Office of Inspector General (OIG) Compliance Program Guidance (CPG) documents so they make more sense and will be followed by the organization, according to Frank Ruelas, Facility Compliance Professional at St. Joseph’s Hospital and Medical Center/Dignity Health, during a webinar hosted by the Health Care Compliance Association (HCCA). CPGs, particularly for hospitals, provide valuable guidance for compliance professionals to follow in assessing their compliance programs and can be used by compliance officers of all types of facilities. The key is to make sure some sort of guidance is being followed and that assessments are verifiable.

Making use of the CPG

CPGs provide valuable information but few people read them and follow them, according to Ruelas. The problem is often that the original format of the OIG CPGs, from the Federal Register, is hard to read and navigate. Ruelas suggests taking the “text” format document from the Federal Register website and reformatting it into a “friendlier” format to help drive effectiveness. The revised format could contain a table of contents (to act as an inventory or checklist), hyperlinks to resources, headings, and anything else that would make the document more useable to perform an assessment of the organization’s compliance program.

When it comes to using the reformatted document to perform an assessment, Ruelas suggests going through and highlighting each action item contained in the CPG in one of three colors: green (acceptable demonstrated compliance), yellow (some demonstrated compliance), or red/pink (no demonstrated compliance). This will demonstrate the level of compliance and will easily show which items need additional attention. Ruelas stressed the importance of self-assessments being verifiable. Compliance officers must be able to show how they reached their assessment, right down to each item.

Just how many elements are there?

Ruelas warns that depending on which guidance you are following, the elements may vary slightly. The OIG has seven elements in a compliance program. The Affordable Care Act (ACA) (P.L. 111-148) and the Federal Sentencing Guidelines have eight and nine elements, respectively, but most elements overlap. All guidances are applicable, and no matter which framework you use—there is no established framework—it provides instructions on how to move forward to make your compliance program more effective, Ruelas noted.

How to get started

Ruelas stressed the importance of a supportive mindset when assessing an organization’s level of compliance. It could be that a compliance officer is coming into an already established program, so it is important to expect challenges. Then, Ruelas says to use the “plain, simple, old school” tried-and-true “5W1H Model”—start by identifying Who, What, When, Where, Why, and How regarding the compliance program, down to each item. If those are not identifiable, start with the compliance officer requirements of a compliance program, Ruelas noted, because that forces the compliance officer to focus on his or her own role and responsibilities. It also provides an opportunity to optimize the compliance officer’s job description and to meet with organization leadership.