Kusserow on Compliance: GAO lambasts HHS/OCR failure to protect EHR security

The Government Accountability Office (GAO) reported a 13-fold increase in cyber-attacks reported by federal government agencies between 2006 and 2015, rising to more than 77,000 last year. GAO attributed this increase to failures by HHS and its Office for Civil Rights (OCR), which have primary responsibility under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) for setting standards that protect the Electronic Health Records (EHR) of health plans and care providers and for enforcing compliance with those standards, but whose guidance has failed to address what other federal cyber-security guidance calls for. GAO reported that over 113 million health records were breached in 2015 alone, meaning that more than half of the U.S. population has had their medical records breached. Of those, just 221 breaches, or 13.3%, were attributed to some form of hacking incident, but many of those hacks were whoppers, accounting for 126 million records, or 75%, of the records exposed. These breaches can have serious adverse impacts such as identity theft, fraud, and disruption of health care services.

Although EHR permits providers to share information more efficiently and gives patients easier access to their health information, that information must be protected, and the systems that store and transmit it in electronic form remain vulnerable to cyber-based threats. GAO cited the following failures:

  • HHS guidance fails to address how covered entities should tailor their implementation of key security controls identified by the National Institute of Standards and Technology to their specific needs, such as developing risk responses.
  • Covered entities and business associates must comply with HHS requirements for risk assessment and management, but without more comprehensive guidance they may not be adequately protecting electronic health information from compromise.
  • Although HHS has established an oversight program for compliance with the privacy and security regulations, it has not always fully verified that the regulations were implemented.
  • OCR has failed to establish benchmarks to assess the effectiveness of its audit program, which results in less assurance that loss or misuse of health information is being adequately addressed.
  • In some of OCR’s investigations, the technical assistance it provided was not pertinent to the identified problems, and in other cases it did not always follow up to ensure that agreed-upon corrective actions were taken once investigative cases were closed.

GAO made five recommendations, including that HHS update its guidance for protecting electronic health information to address key security elements, improve the technical assistance it provides to covered entities, follow up on corrective actions, and establish metrics for gauging the effectiveness of its audit program. HHS generally concurred with the recommendations and stated that it would take actions to implement them.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2016 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: GAO reported continued fraud vulnerability under the Affordable Care Act

The Government Accountability Office (GAO) issued a report finding that the Affordable Care Act (ACA) marketplaces remain “vulnerable to fraud,” after the agency successfully applied for coverage for multiple fake people who had not filed tax returns for 2014 but were still able to get tax credits to help pay their monthly premiums for 2016 coverage. GAO tested the marketplaces by making undercover attempts to obtain health-plan coverage from the federal marketplace and selected state marketplaces for 2015. The federal marketplace and the selected state marketplaces approved each of 10 fictitious applications for subsidized health plans, even though eight of the 10 failed the initial online identity-checking process.

Four applications used Social Security numbers that had never been issued. Other applicants obtained duplicate enrollment, or obtained coverage by claiming that their employer did not provide insurance that met minimum essential coverage. Three of GAO’s applications were approved for Medicaid, although GAO provided identity information that would not have matched Social Security records. For two applications, the marketplace or state Medicaid agency directed the fictitious applicants to submit supporting documents; GAO provided fake documents, and the applications were approved. A third marketplace did not seek supporting documentation, and the application was approved by phone. CMS, California, Kentucky, and North Dakota advised GAO that they inspect supporting documentation only for obvious alteration; otherwise, submitted documentation is not questioned for authenticity.


If enrolled in Medicaid, end marketplace coverage or lose subsidies, HHS warns

The government has run out of patience with individuals enrolled in both Medicaid and private coverage on the marketplaces paid for through federal subsidies established by the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148). HHS Secretary Burwell authorized the federal exchange to notify consumers with someone in their household receiving duplicate coverage to immediately end coverage with premium tax credits. The existence of impermissible duplicate coverage was uncovered by a Government Accountability Office (GAO) investigation.

GAO investigation

The GAO investigated the possibility of obtaining duplicate coverage in states that use the federal marketplace, and found that CMS did not appropriately control the risk of coverage gaps and duplicate coverage for those transitioning between Medicaid and marketplace coverage. The GAO identified two specific issues that materially contributed to the problem. The federal exchange is operated by federal officials, but the Medicaid programs are operated by the states. The GAO found a vulnerability in the communication between the two: records for Medicaid enrollees switching to exchange coverage were not transferred as close to real time as possible. CMS believed that states transferred records at least daily, but this was not the case for one of the four states investigated out of the 34 that use the federal exchange. Additionally, CMS was not attempting to detect duplicate coverage. Although CMS intended to implement periodic checks by the end of July 2015, it had not established the frequency of the checks or a mechanism for monitoring how effective they were.

Duplicate coverage situations

The GAO found that three different duplicate-coverage scenarios were occurring, and only one was authorized by federal law. When individuals transition from exchange coverage to Medicaid coverage, the effective dates of coverage may overlap: exchange coverage can only be ended with at least 14 days of advance notice, while Medicaid coverage is effective no later than the date an eligibility change is reported. The period of duplicate coverage may be extended in cases where a Medicaid eligibility determination takes longer than anticipated. Because this type of duplicate coverage is caused by program design, it is allowable.

Two other kinds of duplicate coverage were discovered. In one state, the GAO found that 3,500 individuals were covered by both Medicaid and marketplace insurance during a six-month period, and that many individuals failed to end subsidized coverage through the exchange after becoming eligible for Medicaid. The GAO also found that the reverse occurred, as Medicaid enrollees also enrolled in subsidized exchange coverage. CMS received recommendations to strengthen its controls.

Notifications

The notification letters indicate that CMS followed the GAO’s recommendations to identify those with duplicate coverage. The New York Times reported that the letters boldly warned that someone in the recipient’s household may lose their exchange subsidy. Anyone in the household who is enrolled in either Medicaid or the Children’s Health Insurance Program (CHIP) is instructed to immediately end subsidized coverage. Failure to do so will result in immediate cessation of any financial assistance for premiums, deductibles, and other costs. By taking these actions, the government is attempting to avoid paying both its portion of Medicaid coverage and tax credits for marketplace coverage for the same person.

Kusserow on Compliance: GAO issues report critical of Medicare appeals process

The Backlog Saga Continues

The Government Accountability Office (GAO) conducted a review of the appeals process for Medicare fee-for-service (FFS) claims and issued a report in June 2016 that was highly critical of the Medicare appeals process. The process consists of four administrative levels of review within HHS and a fifth level in which appeals are reviewed by federal courts. Appeals are generally reviewed by each level sequentially, as appellants may appeal a decision to the next level depending on the prior outcome. Under the administrative process, separate appeals bodies review appeals and issue decisions under time limits established by law, which vary by level. These bodies have not met those deadlines for years; in fact, they have 700,000 pending appeals that would take years to clear even if no new appeals were filed.

The GAO found that CMS and two other components within HHS that are part of the Medicare appeals process have not made full use of the data collected in three appeal data systems to monitor the Medicare appeals process. It also found variations in how appeals bodies record decisions across the three systems, including the use of different categories to track the type of Medicare service at issue in the appeal. Absent more complete and consistent appeals data, the ability to monitor emerging trends in appeals is limited, which is inconsistent with federal internal control standards that require agencies to run and control operations using relevant, reliable, and timely information. The GAO recommended that HHS take four actions, including improving the completeness and consistency of the data HHS uses to monitor appeals and implementing a more efficient method of handling appeals associated with repetitious claims.

Following the release of this report, Nancy Griswold, Chief Administrative Law Judge, Office of Medicare Hearings and Appeals (OMHA), and Constance B. Tobias, Chair, Departmental Appeals Board (DAB), reported submitting a Notice of Proposed Rulemaking (NPRM) on changes to the Medicare claims appeal process as part of efforts to eliminate the backlog of appeals currently pending at OMHA and the DAB. The proposed changes are designed to reduce the number of pending appeals and streamline the Medicare appeals process. They also sought budget increases for FY 2017 to add resources to work on the backlog problem.
