Kusserow on Compliance: CMS Round 2 process for inpatient claims settlements

CMS announced Round 2 of the settlement process for inpatient claims denied on the basis of patient status. CMS contends that hospitals should have billed the denied inpatient claims as outpatient claims. In September 2014, CMS offered hospitals the opportunity to settle the denied inpatient claims for a timely partial payment equal to 68 percent of the net allowable amount. CMS believes that the changes in their Final rule 1599-F (78 FR 50496, August 19, 2013) will not only reduce improper payments under Medicare Part A, but will also reduce the administrative costs of appeals for both hospitals and the Medicare program.

During Round 1, Medicare Administrative Contractors (MACs) reviewed denied inpatient claims submitted by participating hospitals and created a contractor eligible claims list. For all denied inpatient claims that matched the contractor eligible claims list, CMS will countersign and settle with each hospital according to the original Round 1 administrative agreement. Where MACs disagreed with particular claims submitted by hospitals during Round 1, MACs will issue a disagreement spreadsheet of ineligible claims to each provider. The Round 2 process will allow hospitals to further resolve the eligibility of denied inpatient claims through the submission of further evidence and through direct work with CMS and MACs. Once a MAC issues a disagreement spreadsheet, a provider has 14 calendar days to review and submit comments to the spreadsheet as well as submit a new administrative agreement to CMS. Once hospitals and MACs come to an agreement during Round 2, CMS will issue a secondary settlement payment for inclusion of those claims in the settlement process.

The deadline for hospitals to request settlement was October 31, 2014. CMS encouraged hospitals with inpatient status claims currently in the appeals process or within the timeframe to request an appeal to make use of this administrative agreement mechanism to alleviate the administrative burden of current appeals on both the hospital and Medicare system.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2015 Strategic Management Services, LLC. Published with permission.


ONC offers 7 steps to HIPAA security

Covered entities (CEs) concerned about compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (P.L. 104-191) Security Rule should consider following a seven-step compliance approach recommended by the Office of the National Coordinator for Health Information Technology (ONC). In its recently published Guide to Privacy and Security of Electronic Health Information, the ONC provided valuable information to CEs on integrating federal health information privacy and security requirements into their practices, including information specifically targeted at eligible professionals (EPs) from smaller organizations enrolled in the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs. The HIPAA Security Rule requires CEs and their business associates (BAs) to assess and manage risks to any electronic protected health information (ePHI) that they create, receive, maintain, or transmit. The suggested seven-step procedure for implementing a security management process is intended to help CEs fulfill their compliance responsibilities.

1. Lead your culture, select your team, and learn

The ONC  urges organizations to:

  • designate a security officer to develop and maintain security practices, even if it is a person who will perform a dual role, being sure to record the assignment in a HIPAA compliance documentation file;
  • discuss HIPAA security requirements with EHR developers and be sure to sign a Business Associate Agreement (BAA) that reflects the entity’s expectations;
  • consider hiring a qualified professional to assist with the security risk analysis. The ONC cautions, however, that the CE is still responsible for the overall analysis and that CEs should only deal with professionals with experience tailoring and performing risk analyses for similarly situated entities;
  • use tools to preview the security risk analysis; and
  • refresh their knowledge of HIPAA rules to promote a culture of protecting patient privacy and securing patient information.

2. Document your process, findings, and actions

The guidance provides examples of records that should be retained under HIPAA, including:

  • completed security checklists;
  • a security risk analysis report;
  • EHR audit logs; and
  • a risk management action plan.

The records will be “essential” for responding to HIPAA and EHR compliance audits.

3. Review existing security of ePHI by performing a security risk analysis

Failure to perform a security risk analysis is a significant problem among entities audited for both HIPAA and EHR program compliance. Failure to perform an effective analysis is also a pervasive issue among CEs. The ONC urges practices to tailor the risk analysis to their specific situation. Entities should identify:

  • where ePHI exists;
  • potential threats and vulnerabilities to ePHI, including human, natural, and environmental threats; and
  • risks and their associated levels.

The Guide provides a useful table of examples of risks that are specific to office-based EHRs (such as older security features) versus internet-hosted (cloud-based) EHRs (such as data stored in countries with different health information privacy and security laws).

4. Develop an action plan

Action plans should incorporate HIPAA’s administrative, physical, and technical safeguards, as well as organizational standards and policies and procedures. The guide contains a table listing examples of vulnerabilities and mitigation strategies for each component. The ONC suggests that simple safeguards can be highly effective, such as randomly monitoring staff access (a policy), checking EHR servers for viruses and malware (a technical safeguard), and refusing to allow staff to take home laptops with unencrypted information (an administrative safeguard). Lack of encryption is responsible for a significant portion of data breaches. Former HHS regulator Adam Greene recently suggested that the government is “losing patience” with data breaches resulting from loss of ePHI from unencrypted laptops and believes it will start fining entities heavily for such violations.

5. Manage and mitigate risks

Mitigation is crucial to HIPAA compliance. The HHS Office for Civil Rights (OCR) has fined entities, including Concentra Health Services, heavily when breaches resulted after entities failed to act on known risks. Among other issues, written policies and procedures should establish protocols for security components, create “incident response” or “breach notification and management” plans, detail a sanction policy for violations of the Security Rule, as well as for the HIPAA Privacy and Breach Notification Rules, and list enforcement procedures. Entities should:

  • consistently apply policies and procedures if unauthorized ePHI access occurs;
  • review policies and procedures periodically and update them when changes creating new risks occur;
  • retain all policies and procedures for at least six years after updating or replacing them, although state laws may be more stringent;
  • train new employees in security policies upon hiring, and train the entire workforce once every year and any time changes in the organization occur, including those affecting policies or procedures;
  • be proactive in providing patients with information regarding EHR benefits and access to PHI and ePHI. The EHR programs have strict requirements regarding responses to patients’ requests for records; and
  • update BAAs.

6. Attest for meaningful use security-related objective

In order to attest to meaningful use in the EHR incentive programs, users must have fulfilled the security risk analysis requirement. This means that users must not only have executed the analysis or reassessment, but must also have corrected deficiencies that were identified. Failure to do so can prevent entities from receiving incentive payments or result in requiring them to return incentive payments. Notably, the ONC suggested in its Guide that attesting to meaningful use prior to meeting the security requirement could subject an entity to liability under the False Claims Act (31 U.S.C. §3729).

7. Monitor, audit, and update security on an ongoing basis

Entities should be prepared to “audit” the effectiveness of their security systems by performing in-house audits or using an information security consultant. They should also prepare for audits by government agencies. EHR users should maintain audit logs, which provide a retrospective record of how all ePHI has been accessed. Audit controls should be scaled to practice size.


With entities potentially facing both HIPAA compliance audits from the OCR and meaningful use audits from CMS and the HHS Office of Inspector General (OIG), there has never been a better time for organizations to be sure that patients’ ePHI is secure.

Kusserow on Compliance: Enrollment moratoria for new ambulance suppliers and home health agencies in several states

Over the last two years, I have been reporting on a large number of enforcement actions by the Department of Justice (DOJ) led Medicare Strike Force in eight target cities relating to cases involving home health agencies and ambulance services, which many consider to be among the most vulnerable to fraud in health care. The OIG has issued a number of reports related to this problem. Going back to July 2013, CMS first used its authority under the Patient Protection and Affordable Care Act (P.L. 111-148) to impose temporary enrollment moratoria to prevent fraud where it found that certain trends warranted such a moratorium on home health providers and ambulance suppliers in these geographic areas. Once again, CMS has issued a notice extending the temporary moratoria on the enrollment of new ambulance suppliers and home health agencies (HHAs) in specific locations within metropolitan areas in Florida, Illinois, Michigan, Texas, Pennsylvania, and New Jersey. CMS also placed temporary moratoria on the enrollment of ground ambulance suppliers in Harris County, Texas and other surrounding counties and in Philadelphia, Pennsylvania and surrounding counties. CMS had previously extended all of the above-mentioned moratoria through February 2, 2015. The programs affected by the CMS decision that are especially vulnerable to fraud are those that allow the Medicaid recipient to control the selection and payment of personal care attendants.

In determining to extend the moratoria again, CMS considered factors suggesting a high risk of fraud, waste, or abuse by relying on law enforcement’s experience with fraud trends and activities through investigations and prosecutions. CMS then confirmed a high risk of fraud, waste, or abuse in these provider and supplier types through data analysis. The resulting extended moratoria last for a period of six months.

Kusserow on Compliance: U.S. Court of Appeals invalidated a portion of the new RAC contract

The U.S. Court of Appeals for the Federal Circuit invalidated a provision of the new 2014 Recovery Audit Contractor (RAC) contracts with CMS that were scheduled to be awarded last year but were delayed pending outcome of the Court’s decision. This resulted in the original RAC contracts from 2008 being extended.

The RAC contractor, CGI Federal Inc., initiated the lawsuit in the U.S. Court of Federal Claims against the government in April 2014 asserting that a payment provision of the 2014 Recovery Audit Program contracts violates federal law. Under the invalidated provision, CMS payment of contingency fees to RACs would occur at the second level of appeal rather than the first level of appeal. Consequently, CMS’ timeframe for payment to RACs would potentially increase from approximately 120 days to more than 400 days.

The Court held that the revised payment terms violated the federal acquisition regulations’ prohibition against including contract terms inconsistent with customary commercial practice. Under current RAC contracts, CMS pays RACs after issuance of an overpayment determination. As part of the Court’s decision, CMS will either have to issue a new request for quotes that will omit the payment terms or seek a waiver to include the payment terms.
