Kusserow on Compliance: New OCR Guidelines

The HHS Office for Civil Rights (OCR) issued new guidance listing 10 violations for which Business Associates (BAs) can be held directly liable. The guidance points out that where BAs may not be liable, the covered entity (CE) may still be on the hook for those violations. As such, CEs should carefully review their BA Agreements (BAAs) to ensure that they cover requirements that don’t directly apply to BAs but are still enforceable against CEs.

The OCR also notes that large data breaches continue to dominate the press. Among recent notable breaches, the OCR cited an EMR and software services provider that allowed hackers access to 3.5 million patient records. Touchstone Medical Imaging (TMI) agreed to pay $3 million for a breach involving one of its FTP servers that contained PHI for over 300,000 patients. LabCorp received notice from American Medical Collection Agency (AMCA), a collection firm working on its behalf, regarding unauthorized access of 7.7 million patients’ PHI stored by AMCA. This announcement followed a similar one from Quest Diagnostics, which reported that AMCA’s breach affected 11.9 million of its patients.

Updates on OCR enforcement actions can be found at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: OIG releases two reports questioning quality of hospice care

80% surveyed hospices had deficiencies

Many cases of harm to beneficiaries cited

The OIG released two reports which found hospices participating in Medicare had one or more deficiencies in the quality of care they provided to their patients. The OIG cited cases where beneficiaries were seriously harmed by poor care or facilities failed to act in cases of abuse. In its reports, the OIG made several recommendations to strengthen safeguards.

In one report—Hospice Deficiencies Pose Risks to Medicare Beneficiaries—the OIG identified significant vulnerabilities in the Medicare hospice benefit and found over 80 percent of these hospices had at least one deficiency. These included poor care planning, mismanagement of aide services, and inadequate assessments of beneficiaries. Over 20 percent of hospices had a serious “condition-level” deficiency, which means that “the hospice’s capacity to furnish adequate care is substantially limited or adversely affects the health and safety of patients.” The OIG called upon CMS to: (1) strengthen the survey process; (2) establish additional enforcement remedies; (3) provide more information to beneficiaries and their caregivers; (4) expand the deficiency data that accrediting organizations report to CMS to strengthen its oversight of hospices; (5) seek statutory authority to include information from accrediting organizations on Hospice Compare; (6) include on Hospice Compare the survey reports from State agencies; (7) include on Hospice Compare the survey reports from accrediting organizations, once authority is obtained; (8) educate hospices about common deficiencies and those that pose particular risks to beneficiaries; and (9) increase oversight of hospices with a history of serious deficiencies.

In its second report—Safeguards Must Be Strengthened To Protect Medicare Hospice Beneficiaries From Harm—the OIG described specific instances of harm to hospice beneficiaries and identified vulnerabilities in CMS’s efforts to prevent and address harm. Some instances of harm resulted from hospices providing poor care to beneficiaries and some resulted from abuse by caregivers or others and the hospice failing to act. Cases revealed vulnerabilities in beneficiary protections that CMS must address. The OIG called for CMS to: (1) seek statutory authority to establish additional, intermediate remedies for poor hospice performance; (2) strengthen requirements for hospices to report abuse, neglect, and other harm; (3) ensure that hospices are educating staff to recognize signs of abuse, neglect, and other harm; (4) strengthen guidance for surveyors to report crimes to local law enforcement; (5) monitor surveyors’ use of immediate jeopardy; and (6) improve and make user-friendly the process for beneficiaries and caregivers to make complaints.

 


Kusserow on Compliance: CMS ‘guts’ SNF/LTC compliance program mandates

– CMS “bows” to industry pressure

– Objective standards replaced by subjective ones

– Designated compliance officer not to be required

– No contact person to whom “people may report suspected violations”

 

A new CMS proposed rule—“Medicare & Medicaid Programs; Requirements for Long-Term Care Facilities: Regulatory Provisions to Promote Efficiency and Transparency”—proposes to roll back and remove many compliance program related requirements for long term care (LTC) facilities participating in Medicare/Medicaid. The proposed modifications include removing many of the compliance program requirements adopted in 2016 on the basis that they are not expressly required by statute. The stated purpose of the proposed changes is to reduce administrative burdens. This flies in the face of increased identification by CMS, OIG, GAO, DOJ, and Congress of legal and regulatory compliance violations by LTC facilities.

Enhanced compliance programs were a way of addressing these ongoing problems. Among the requirements removed were (1) designation of a compliance officer; (2) designation of a compliance liaison for operating organizations with five or more facilities; (3) annual reviews of the compliance program; and (4) having an identified person to whom individuals may report suspected violations.

CMS now proposes that an LTC organization develop, implement, and maintain an effective compliance and ethics program most appropriate for the size and type of the organization. This should include written compliance standards, policies, and procedures that are reasonably capable of reducing the prospect of criminal, civil, and administrative violations. The new standards are far less objective and rely more on subjective concepts that are vague and difficult to substantiate, using terms like “reasonable” and “sufficient.” Other CMS expectations for facilities include:

  1. Providing sufficient resources for operation of the compliance program.
  2. Designating a high-level person for overall compliance program responsibility with appropriate authority to assure compliance with the regulations.
  3. Taking reasonable steps to achieve compliance with the program’s standards, policies, and procedures, including monitoring and auditing that is reasonably designed to detect criminal, civil, and administrative violations.
  4. Having in place and publicizing a reporting system whereby anyone could report violations by others within the organization without fear of retribution.
  5. Ensuring consistent enforcement and discipline of standards, policies, and procedures.
  6. Effectively communicating compliance standards, policies, and procedures in mandatory compliance training.
  7. Taking reasonable steps to respond to detected violations and to prevent similar violations in the future.

The new CMS proposed compliance program standards are significantly different from standards issued by the U.S. Department of Justice in April 2019—new DOJ evaluation of corporate compliance program guidelines—which are designed to be used in making prosecutorial decisions and in determining penalty guidelines. Before CMS proposed to rescind many of its previously published standards for compliance programs, the DOJ and CMS standards were consistent.

 

 


Kusserow on Compliance: Many states are not in compliance with mandates to conduct provider criminal background checks

CMS required all states to conduct criminal background checks on high-risk providers before allowing them to receive Medicaid payments by July 2018. CMS could consider as overpayments any payments made to high-risk providers in those states that have not undergone a criminal background check. Those providers must return to CMS the federal share of those overpayments. The OIG found that 18 states failed to comply with the requirement by a CMS deadline of July 2018 and 13 still had not complied as of January 1, 2019. States cited three reasons for not complying:

  1. A lack of authority: Three states said their Medicaid agencies did not have proper oversight power for these background checks, requiring legislative or executive action to do this.
  2. A lack of resources: One state reported it did not have the necessary staff to do the background checks.
  3. A lack of criteria to determine “high-risk providers”: One state said it was actively revising its criteria based on concerns from the provider community, delaying compliance.

The OIG recommended that CMS (1) ensure all States fully implement fingerprint-based criminal background checks for high-risk Medicaid providers; (2) amend its guidance so that states cannot forgo conducting criminal background checks on high-risk providers applying for Medicaid, unless Medicare has conducted the checks; and (3) compare high-risk Medicaid providers’ self-reported ownership information to Medicare’s provider ownership information to help states identify discrepancies. CMS concurred with the first recommendation.

 
