Kusserow on Compliance: Board compliance experts and certifications under corporate integrity agreements

The HHS Office of Inspector General (OIG) now requires in its corporate integrity agreements (CIAs) the engagement of independent compliance experts to assist it in meeting its obligations of oversight of compliance programs. This trend has been part of a movement to hold members of governing boards more accountable for compliance program oversight. Those engaged as compliance experts must create a compliance review work plan, perform the program review, and provide a compliance program review report. The report has to describe the review performed, findings, and any recommendations for program improvement. The board must review the report and act upon any findings and recommendations. A copy of the report must be sent to the OIG as part of each CIA annual report. In addition, any materials provided by a compliance expert, as well as any minutes of meetings, must be available to the OIG upon request.

Carrie Kusserow has a long history as a compliance officer and as a compliance consultant working on compliance with CIAs. She noted that the “real game changer” in CIAs has been the movement toward increased certifications by executives, compliance officers, and board members. Board members now have the burden to adopt and sign a resolution for each CIA Reporting Period. This is serious business, in that making false certifications could criminally violate federal law (18 U.S.C. §1001). In order to hold boards fully accountable, the OIG mandates that they engage a compliance expert to assist them in carrying out their compliance program oversight and to assist them in being able to make their certification. Selecting the right compliance expert is critical; once selected, they are likely to be doing this work for five years. Kusserow also warns that time is not an ally when CIAs are signed. The attorneys handling the litigation and settlement process often are working ahead of the organization and those who will have to implement the terms and conditions of the CIA. This means that many organizations find themselves in a race against time to do all that is required, including engaging independent review organizations (IROs) and compliance experts. She advises organizations moving toward settlement to begin looking for and evaluating potential parties to be engaged as outside experts.

Tom Herrmann, J.D. has many years’ experience managing the CIA process with the OIG, as well as having been engaged by numerous organizations in meeting CIA obligations. He believes that it is important to remember that moving from settlement to meeting obligations under a CIA is also moving from having parties advocating on behalf of the organization to parties assisting in meeting the requirements that have been agreed to. He speaks from firsthand experience when he says that the OIG does not like parties trying to re-litigate a case, and any effort to do so will likely prove counter-productive. This means that the compliance experts engaged must focus implementation on the terms of the agreement. To do this, they must be free of any conflicts of interest if they are to meet the independence and objectivity standards required by the OIG. The OIG wants to see organizations select true experts who will carry out their responsibilities with independence and integrity. As such, Herrmann agrees that the more experience that parties have as experts under the CIA, the better known they are to the OIG and the more credible their work will be.

Selecting compliance experts

Organizations selecting compliance experts should keep the following tips in mind:

  • An independent expert must be properly qualified to perform the work described in the CIA.
  • The work to be performed consists of operational reviews, not financial audits.
  • The focus is on compliance program expertise.
  • A CIA may require several different types of expert (e.g. IROs, compliance experts).
  • Those selected should be qualified and experienced in the industry sector covered by the CIA.
  • Lack of expertise in the area for which the experts are engaged equals potential problems with OIG.
  • Sub-standard reports risk loss of compliance credibility.
  • Work performed by experts must be professionally independent and objective.
  • Compliance experts follow Government Accountability Office Government Audit Standards (GAGAS) for operational reviews.
  • Experts should certify to OIG professional standards.
  • Entities should ensure and seek certification that the experts have no conflicts of interest with the entities.

Steve Forman, CPA has been engaged as a compliance expert on behalf of several organizations. Based upon his experience, he offered tips on how to go about selecting an outside compliance expert. He believes it is very important to engage parties with considerable experience doing this kind of work. Using people inexperienced in compliance or using them as compliance experts is risky. Those lacking experience tend to be more costly, as they charge for their time in learning what needs to be done at the expense of those that have engaged them. The more experience they have doing this kind of work under a CIA, the better. As such, it is advisable to find experts who have been engaged by entities under CIAs on multiple occasions. It also permits reference checking on how well the experts did with organizations that used them. Forman also added that having served many years as a compliance officer, in addition to serving as a health care consultant, was critical in being able to deal with real and practical considerations in acting as a board compliance expert. He believes having that combination of experience provided those organizations using his services with the most efficient results.

Reference-checking questions

Appropriate reference-checking questions include:

  • Did the firm meet its obligations satisfactorily?
  • Were there any problems?
  • Did the OIG find a firm’s work satisfactory?
  • Did a firm perform services economically and efficiently?
  • Was a firm sensitive to the entity’s operations and needs?
  • Was a firm’s work professional, competent, and timely?

Last tip

One last piece of advice for compliance officers is that they educate their boards on this new trend, whether or not the organization may be involved in settlements with the government. What the OIG mandates is what it believes all organizations should do–that is, provide greater board oversight of the compliance program. As such, all boards should add members who are “compliance literate” and/or secure outside experts to advise them on the progress in development of an effective compliance program.

Kusserow on Compliance: GAO lambasts HHS/OCR failure to protect EHR security

The Government Accountability Office (GAO) reported a 13-fold increase in reported cyber-attacks on federal government agencies between 2006 and 2015 that rose to more than 77,000 last year. It attributed this increase to failures on the part of HHS and the Office for Civil Rights (OCR), which have primary responsibility for setting standards for protecting Electronic Health Records (EHR) and for enforcing compliance with these standards, but have failed to address what is called for by other federal cyber-security guidance under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) for health plans and care providers. GAO reported that over 113 million health records were breached in 2015 alone, which means that more than half the U.S. population has had their medical records breached. Of those, just 221 breaches, or 13.3%, were attributed to some form of a hacking incident, but many of those hacks were whoppers, contributing to 126 million records, or 75%, of those records exposed. These breaches can have serious adverse impacts such as identity theft, fraud, and disruption of health care services.

Although EHR permits providers to more efficiently share information and give patients easier access to their health information, it must be protected. However, this system for storing and transmitting this information in electronic form continues to be vulnerable to cyber-based threats. GAO cited the following examples of failures:

  • Failure to address how covered entities should tailor their implementations of key security controls identified by the National Institute of Standards and Technology to their specific needs, such as developing risk responses.
  • Covered entities and business associates must comply with HHS requirements for risk assessment and management, but without more comprehensive guidance, they may not be adequately protecting electronic health information from compromise.
  • Although HHS has established an oversight program for compliance with privacy and security regulations, it has not always fully verified that the regulations were implemented.
  • OCR has failed to establish benchmarks to assess the effectiveness of its audit program, which results in less assurance that loss or misuse of health information is being adequately addressed.
  • For OCR’s investigations, the technical assistance they provided was not pertinent to identified problems, and in other cases it did not always follow up to ensure that agreed-upon corrective actions were taken once investigative cases were closed.

GAO made five recommendations, including that HHS update its guidance for protecting electronic health information to address key security elements, improve technical assistance it provides to covered entities, follow up on corrective actions, and establish metrics for gauging the effectiveness of its audit program. HHS generally concurred with the recommendations and stated it would take actions to implement them.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2016 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: GAO reported continued fraud vulnerability under the Affordable Care Act

The Government Accountability Office (GAO) issued a report that the Affordable Care Act (ACA) marketplaces remain “vulnerable to fraud,” after the agency successfully applied for coverage for multiple fake people, who hadn’t filed tax returns for 2014 but were still able to get tax credits to help pay their monthly premiums for 2016 coverage. The GAO engaged in testing by using undercover attempts to obtain health-plan coverage from the federal marketplace and selected state marketplaces for 2015. The tests found the federal marketplace and selected state marketplaces approved each of 10 fictitious applications for subsidized health plans. All 10 were approved, even though eight of these 10 fictitious applications failed the initial online identity-checking process.

Four applications used Social Security numbers that had never been issued. Other applicants obtained duplicate enrollment or obtained coverage by claiming that their employer did not provide insurance that met minimum essential coverage. Three of GAO’s applications were approved for Medicaid, although GAO provided identity information that would not have matched Social Security. For two applications, the marketplace or state Medicaid agency directed the fictitious applicants to submit supporting documents, and GAO provided fake information that resulted in the applications being approved. A third marketplace did not seek supporting documentation, and the application was approved by phone. CMS, California, Kentucky, and North Dakota advised the GAO that they are only inspecting for supporting documentation that has obviously been altered; otherwise documentation submitted would not be questioned for authenticity.


If enrolled in Medicaid, end marketplace coverage or lose subsidies, HHS warns

The government has run out of patience with individuals enrolled in both Medicaid and private coverage on the marketplaces paid for through federal subsidies established by the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148). HHS Secretary Burwell authorized the federal exchange to notify consumers with someone in their household receiving duplicate coverage to immediately end coverage with premium tax credits. The existence of impermissible duplicate coverage was uncovered by a Government Accountability Office (GAO) investigation.

GAO investigation

The GAO investigated the possibility of obtaining duplicate coverage in states that use the federal marketplace, and found that CMS did not appropriately control the risk of coverage gaps and duplicate coverage for those transitioning between Medicaid and marketplace coverage. The GAO identified two specific issues that materially contributed to the problem. The federal exchange is operated by federal officials, but the Medicaid programs are operated by the states. The GAO found a vulnerability involving communications between the two, as records for Medicaid enrollees switching to exchange coverage were not transferred as closely to real time as possible. CMS indicated its belief that states transferred records at least daily, but this was not the case for one of the four states investigated out of the 34 that use the federal exchange. Additionally, CMS did not strive to detect duplicate coverage. Although CMS intended to implement periodic checks by the end of July 2015, it had not established the frequency of the checks or a mechanism for monitoring how effective the checks were.

Duplicate coverage situations

The GAO found that three different scenarios involving duplicate coverage were occurring, and only one was authorized by federal law. When individuals transition from exchange coverage to Medicaid coverage, the effective dates of coverage may overlap. Exchange coverage can only be ended with at least 14 days of advance notice, while Medicaid coverage is effective no later than the date an eligibility change is reported. The term of duplicate coverage might be extended in cases where a Medicaid eligibility determination takes a longer period of time than anticipated. Because this type of duplicate coverage is caused by program design, it is allowable.

Two other instances of duplicate coverage were discovered. In one state, the GAO found that 3,500 individuals were covered by both Medicaid and marketplace insurance in a six-month period, and that many individuals failed to end subsidized coverage through the exchange after becoming eligible for Medicaid. The GAO also found that the reverse was true, as Medicaid enrollees also enrolled in subsidized exchange coverage. CMS received recommendations to strengthen its controls.

Notifications

The notification letters indicate that CMS followed the GAO’s recommendations to identify those with duplicate coverage. The New York Times reported that the letters boldly warned that someone in the recipient’s household may lose their exchange subsidy. Anyone in the household that is enrolled in either Medicaid or the Children’s Health Insurance Program (CHIP) is instructed to immediately end subsidized coverage. Failure to do so will result in immediate cessation of any financial assistance for premiums, deductibles, and other costs. By taking these actions, the government is attempting to avoid paying its portion of Medicaid coverage, as well as offering tax credits for marketplace coverage.