Kusserow on Compliance: Tips on information security from the FTC

The health care sector is so focused on Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security related issues under the watchful eyes of CMS and the Office of Civil Rights (OCR) that it is often forgotten that there are a host of other laws and regulations related to data security. The Federal Trade Commission (FTC) released “Start with Security: A Guide for Business,” a report concerning data security that has application to all business sectors, including health care. The FTC noted that the report draws upon “lessons learned from more than 50 law enforcement actions.” The guide provides a treasure trove of tips and best practices for protecting sensitive information and managing the associated risks.

The FTC begins with the recognition that sensitive information and data, including personnel information, customer/patient records, and credit information, pervades every part of a business, and that every part of any business is in turn affected by it. Managing confidential information is therefore a challenge for businesses. Betta Sherman, a health care consultant specializing in HIPAA Privacy and Security issues, notes “although this report applies to all business sectors, it is particularly relevant to the health care sector, which has the responsibility to safeguard protected health information (PHI).”

The report states that the starting point is establishing security policies and procedures. It is also important to think through the kind of information you collect, how long you keep it, and who can access it; doing so reduces the risk of a data compromise down the road. Dr. Cornelia Dorfschmid, a recognized compliance expert, states that “security postures and threats change all the time. For health care organizations it is critical to test their own information security knowledge as well as current security architecture by occasionally engaging independent experts to conduct security risk assessments. Formal security assessments are expected under the HIPAA Security Rule and also required for compliance with meaningful use criteria. Not conducting such risk assessments regularly is foolish.”

Tips and best practices highlighted by the FTC

  • Avoid data security risks by only collecting needed sensitive information.
  • Hold on to information only as long as there is a legitimate business need for it.
  • Periodically review data and decide what needs to be kept and what is no longer necessary.
  • The longer the information is kept, the greater the risk that it may be misused or leaked.
  • Restrict access to sensitive data to only those that have a “need to know.”
  • Limit those with system-wide administrative access to data.
  • Establish strong authentication procedures, including passwords.
  • Require complex and unique passwords.
  • Store passwords securely to prevent unauthorized persons from obtaining access.
  • Guard against hackers by limiting the number of unsuccessful login attempts.
  • Periodically test for common vulnerabilities and security flaws.
  • Use strong cryptography to secure maintenance and transmission of sensitive data.
  • Keep sensitive information secure throughout its lifecycle.
  • Once information is transmitted and decrypted, it still must be protected.
  • Use industry-tested and accepted methods to safeguard and encrypt information.
  • Encryption must be configured and controlled properly to protect sensitive information.
  • Set up and monitor firewalls to limit access between computers on the network and the Internet.
  • Establish intrusion detection and prevention systems (IDS/IPS) for unwanted activity.
  • Require remote users who access the network to install antivirus and antispyware programs.
  • Place limits on third-party access to the network.
  • Ensure that design changes and management decisions do not introduce vulnerabilities.
  • Use readily available secure communications tools pre-installed on mobile devices.
  • If software offers a privacy or security feature, verify that it works as advertised.
  • Test systems for vulnerabilities in as many commonly known, reasonably foreseeable ways as possible.
  • Take care to select service providers able to implement appropriate security measures.
  • Require service providers to adopt reasonable security precautions.
  • Verify that the information collection program is consistent with privacy and security policies.
  • When using third-party software, apply security updates as they are issued.
  • Update and patch third-party software regularly to minimize security risks.
  • Have an effective process in place to receive and address security vulnerability reports.
  • Monitor usage and encryption of hard drives, laptops, flash drives, and disks.
  • Implement policies for secure document and data storage and retrieval.
  • Dispose of documents in a secure manner.
  • Protect devices that process personal information.
  • Secure sensitive information when it is outside the office.
  • Acknowledge that lost or stolen laptops, external drives, and mobile devices are a major cause of lost data.
  • Ensure files, drives, disks, etc. sent via ground mail or delivery services are tracked and delivered.
  • Limit instances when employees need to carry sensitive data.
  • When traveling, confidential information should be kept out of sight.
  • Devices with confidential information should be under lock and key when out of sight.
  • Paperwork that is no longer needed should be shredded, burned, or pulverized so that it is unreadable.
  • Old hard drives and media with sensitive information should be professionally wiped clean.
  • Have periodic independent risk assessments to keep data, reputation, and business information safe.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2015 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: OIG found Medicare continues to overpay for selected drugs

In a number of blog articles, I have reported on the ongoing interest of the HHS Office of Inspector General (OIG) in drug-related issues, particularly diversion and abuse. Much of this focus has been a result of Medicare Part D drug benefits. The most recent report issued by the OIG on this subject found that Medicare contractors in 13 jurisdictions overpaid providers $35.8 million for selected outpatient drugs during a three-year audit period. Nearly 90 percent of the overpayments resulted from providers billing either incorrect units of service or a combination of incorrect units of service and incorrect Healthcare Common Procedure Coding System (HCPCS) codes.

The OIG also found that the Medicare claims processing systems did not have sufficient prepayment edits in place to prevent these overpayments and cited, as a notable example, the Medically Unlikely Edits (MUEs), which did not address many of the HCPCS codes associated with the outpatient drugs. The OIG also identified potential overpayments for outpatient drugs billed after the audit period that could amount to an additional $11.5 million. The OIG recommended that CMS:

  • ensure Medicare contractors collect remaining overpayments identified in the reviews;
  • continue to educate providers on correct billing of outpatient drugs;
  • instruct Medicare contractors to review payments to providers for outpatient drugs billed subsequent to the period of the audit; and
  • continue to implement line item and date-of-service MUEs for additional outpatient drugs.

CMS and the Medicare contractors concurred with all of the recommendations and provided information on actions taken or planned to address them. CMS also highlighted actions taken during and after the audit period to prevent overpayments to providers incorrectly billing for outpatient drugs. These included steps to educate providers on avoiding common Medicare billing errors through published articles and newsletters, as well as requiring Medicare contractors to implement line item MUEs for identified HCPCS codes related to outpatient drugs. CMS also began converting some line item MUEs to date-of-service MUEs. If the Medicare contractors had had these line item and date-of-service MUEs in place during the entire audit period, $23.7 million, or 66 percent, of the $35.8 million in total overpayments could have been prevented. CMS also reported that as of May 4, 2015, Medicare contractors had already recovered 63 percent of the $35.8 million in overpayments, and 10 of the 13 Medicare contractors had used the results of the OIG audit for ongoing provider education activities.



Highlight on Massachusetts: Rethinking coordination and care for mental health

The state of Massachusetts could be doing more to coordinate care, acquire data, raise quality, and lower costs for individuals with behavioral health needs, according to a health care cost trends report from Massachusetts Attorney General Maura Healey. The report indicates that due to a lack of coordination between insurers and health care providers, patient access to behavioral care and information about payment levels for that care are compromised.

Mental Health Needs

Mental health needs are significant in Massachusetts and across the country, with 19 percent of adults suffering from a mental health condition between 2012 and 2013. On top of those numbers, the report cited data suggesting that the prevalence of mental health issues is growing. The report was designed to examine approaches to management of behavioral health benefits and payment for behavioral health services by commercial and government payers.

The report focused on the fact that while health plans generally pay providers directly for delivering non-behavioral health care services, most Massachusetts health plans “carve out” behavioral health and subcontract the management and administration of behavioral health benefits to specialized companies called managed behavioral health organizations (MBHOs). As a result, consumers covered by these plans have to deal with separate entities for behavioral health and medical benefits. According to the report, the division of responsibility created by the separate systems makes it difficult to determine what is being spent on behavioral care, is a disincentive to coordination between mental health and medical care providers, and makes it harder for patients to access the care they need.

The parallel system complicates patient experiences. In circumstances where patients suffer from a chronic medical condition, care coordination is already complex. The report uses a hypothetical example of a patient with high blood pressure and low back pain who is hospitalized for evaluation of a possible heart attack. Throughout the patient’s care experience, the patient meets with multiple different providers—specialist, chiropractor, emergency department, primary care provider. The report explains that care in such a scenario is complex and requires challenging care coordination between the various providers. However, the report explains that when the same patient, with the same symptoms, is also burdened by a behavioral health or substance abuse problem, the patient’s care becomes considerably more complex. In the hypothetical example, the addition of an opioid abuse problem could add several providers to the list of those involved, including: an addiction counselor, an inpatient substance abuse unit, and an outpatient addiction program.

Financial Incentives

In addition to the administrative hurdles, the report indicates that medical and behavioral health service providers are not financially incentivized to coordinate care. Because many global budget health plans simply exclude behavioral care from the global budget and place the responsibility for the behavioral costs on MBHOs, the report indicates that MBHOs are not encouraged to engage in integration efforts across the behavioral and medical health barrier. The report recommends that global health budgets be modified to account for the “indivisible nature of patients’ medical and behavioral health needs.”

Reimbursement Rates

The report also addresses the problem of historically low behavioral health reimbursement rates. It suggests that one reason for the low reimbursement levels is the prevalence of financial arrangements that transfer some or all of the risk of behavioral service costs onto MBHOs. Additionally, the report cautions that consistent losses on behavioral health business discourage investment in behavioral health care, which impacts consumer access to these important services.

The report acknowledges that reporting on behavioral health utilization, price, spending, and quality varies significantly among behavioral health providers. However, reporting on utilization, price, spending, and quality of behavioral care lags behind reporting of the same information for medical care. Massachusetts should give the same importance to data collection and reporting for behavioral health services as it gives to medical services. Without such data, the state cannot meaningfully invest in behavioral health care or understand spending trends.

Fee-for-all: FDA issues FY 2016 user fee rates

Eight notices regarding fiscal year (FY) 2016 user fees, rates, and payment procedures for prescription drugs, animal drugs, biosimilars, foods, medical devices, and human drug compounding outsourcing facilities were issued by the FDA. Under the federal Food, Drug, and Cosmetic Act (FDC Act), the FDA is authorized to set fees and schedules for these regulated areas. User fee programs provide revenue in support of the FDA’s efforts to oversee public safety, as well as foster industry innovation, in these regulated areas. The fees are effective October 1, 2015, and will remain in effect through September 30, 2016.

Prescription drugs

The FDC Act, as amended by the Prescription Drug User Fee Amendments of 2012 (PDUFA V), authorizes the FDA to collect user fees for certain applications for the review of human drug and biological products, on establishments where the products are made, and on such products (Notice, 80 FR 46028, August 3, 2015).

The fees were based on a net of 485 fee-paying establishments for FY 2016. At the beginning of FY 2015, the establishment fee was based on an estimate that 509 establishments would be subject to and would pay fees. With additional data, the FDA revised its numbers and estimated that 516 establishments will have been billed for establishment fees, before all decisions on requests for waivers or reductions are made by the end of FY 2015.

The FY 2016 fee for an application requiring clinical data is set at $2,374,200; for an application not requiring clinical data or a supplement requiring clinical data, the FY 2016 fee is set at $1,187,100. In addition, establishment fees (based on an estimated 485 establishments) are $585,200 per establishment. Product fees were set at $114,450 per product, based on an estimate of 2,480 products for FY 2016. Applications and supplements that are submitted on or after October 1, 2015, will use the new fee schedule; invoices for establishment and product fees for FY 2016 will be issued in August 2015 using the new fee schedule.

Generic drugs

Under authority granted by the Generic Drug User Fee Amendments of 2012 (GDUFA), effective October 1, 2015, through September 30, 2016, fees for abbreviated new drug applications (ANDA), prior approval supplements to an approved ANDA (PAS), and drug master files (DMF) will increase in FY 2016 over the corresponding FY 2015 fees because of a drop in the number of submissions in each of those three categories (Notice, 80 FR 46015, August 3, 2015). For FY 2016, the generic drug fee rates for these three classes are as follows: $76,030 for ANDAs; $38,020 for PAS; and $42,170 for DMF.

For active pharmaceutical ingredient (API) facilities, FY 2016 user fees are set at $40,867 for domestic facilities and $55,867 for foreign facilities. Similarly, finished dosage form (FDF) fees are lower for domestic facilities than for foreign facilities, with the former set at $243,905 and the latter at $258,905.

Animal drugs

Section 740 of the FDC Act establishes four different types of user fees: (1) fees for certain types of animal drug applications and supplements; (2) annual fees for certain animal drug products; (3) annual fees for certain establishments where such products are made; and (4) annual fees for certain sponsors of animal drug applications and/or investigational animal drug submissions.

For FY 2016, the animal drug user fee rates are: $351,100 for an animal drug application; $175,550 for a supplemental animal drug application for which safety or effectiveness data are required and for an animal drug application subject to the criteria set forth in Section 512(d)(4) of the FDC Act; $7,790 for an annual product fee; $105,950 for an annual establishment fee; and $101,000 for an annual sponsor fee.

Under authority granted by the Animal Drug User Fee Amendments of 2013 (ADUFA III), the FDA determined the fee revenue to be generated by animal drug establishment fees in FY 2016 on an estimate that 12 percent of establishments invoiced will not pay fees in FY 2016 because of waivers or reductions. Based on historical data from the last five completed years prior to FY 2016, this will result in 56 establishments subject to fees in FY 2016.

Generic animal drugs

The FDC Act, as amended by the Animal Generic Drug User Fee Amendments of 2013 (AGDUFA II), authorizes FDA to collect user fees for certain abbreviated applications for generic new animal drugs, for certain generic new animal drug products, and for certain sponsors of such abbreviated applications for generic new animal drugs and/or investigational submissions for generic new animal drugs.

For FY 2016, the generic new animal drug user fee rates are: $233,300 for each abbreviated application for a generic new animal drug other than those subject to the criteria in Section 512(d)(4) of the FDC Act; $116,650 for each abbreviated application for a generic new animal drug subject to the criteria in Section 512(d)(4); $8,705 for each generic new animal drug product; $83,800 for each generic new animal drug sponsor paying 100 percent of the sponsor fee; $62,850 for each generic new animal drug sponsor paying 75 percent of the sponsor fee; and $41,900 for each generic new animal drug sponsor paying 50 percent of the sponsor fee.

The FDA will issue invoices for FY 2016 product and sponsor fees by December 31, 2015; the fees are due January 31, 2016.

Biosimilars

The Biosimilar User Fee Act of 2012 (BsUFA), authorizes the FDA to assess and collect user fees for certain activities in connection with biosimilar biological product development (BPD), certain applications and supplements for approval of biosimilars, establishments where approved biosimilars are made, and a biosimilar fee for each biosimilar approved in a biosimilar application.

The FY 2016 fee for a biosimilar application requiring clinical data equals the PDUFA fee for an application requiring clinical data, $2,374,200; for biosimilar applications not requiring clinical data the rate is halved to $1,187,100 (Notice, 80 FR 46005, August 3, 2015). However, under Section 744H(a)(2)(A) of the FDC Act, if a sponsor submitting a biosimilar application has previously paid an initial BPD fee, annual BPD fee(s), and/or reactivation fee(s) for the product that is the subject of the application, the fee for the application is reduced by the cumulative amount of these previously paid fees. Fees for biosimilar supplements with clinical data are also set at $1,187,100. Establishment fees are set at $585,200, and product fees are $114,450.

The initial BPD fee for a product is due when the sponsor submits an investigational new drug application that FDA determines is intended to support a biosimilar application for the product, or within 5 calendar days after FDA grants the first BPD meeting for the product, whichever occurs first. Sponsors who have discontinued participation in the BPD program must pay the reactivation fee.

Food Safety Modernization Act

For FY 2016, fee rates authorized by the FDC Act, as amended by the FDA Food Safety Modernization Act (FSMA) (P.L. 111-353), were established for certain domestic and foreign facility reinspections, failures to comply with a recall order, and importer reinspections (Notice, 80 FR 46020, August 3, 2015). Section 107 of FSMA added Section 743 to the FDC Act to provide the FDA with the authority to assess and collect fees from, in part: (1) the responsible party for each domestic facility and the U.S. agent for each foreign facility subject to a reinspection, to cover reinspection-related costs; (2) the responsible party for a domestic facility and an importer who does not comply with a recall order, to cover food recall activities associated with such order; and (3) each importer subject to a reinspection, to cover reinspection-related costs.

Fees of $221 per paid hour and $315 per paid hour will be incurred for domestic inspection travel and foreign inspection travel, respectively. Types of activities could include conducting recall audit checks, reviewing periodic status reports, analyzing the status reports and the results of the audit checks, conducting inspections, traveling to and from locations, and monitoring product disposition.

Medical devices

Section 738 of the FDC Act establishes fees for certain medical device applications, submissions, supplements, and notices (collectively known as submissions). The fee rate for each type of submission is set at a specified percentage of the standard fee for a premarket application, which is a premarket approval application (PMA), a product development protocol (PDP), or a biologics license application (BLA). The base fee for a premarket application for FY 2016, which applies from October 1, 2015, through September 30, 2016, is set at $263,180 (Notice, 80 FR 46033, August 3, 2015). The annual fee for establishment registration, after adjustment, is set at $3,845 for FY 2016. There is no small business rate for the annual establishment registration fee; all establishments pay the same fee.

Businesses with gross receipts or sales of no more than $100 million for the most recent tax year may qualify for reduced small business fees. Businesses with gross sales or receipts of no more than $30 million may also qualify for a waiver of the fee for the first premarket application (PMA, PDP, or BLA) or premarket report. All businesses must include the gross receipts or sales of all affiliates along with their own gross receipts or sales when determining whether the $100 million or $30 million threshold is met.

Compounding facilities

The FY 2016 fees related to human drug compounding outsourcing facilities electing to register under Section 503B of the FDC Act are: $5,203 for small business establishments; $16,465 for non-small business establishments; and $15,610 for reinspection of a facility.

Outsourcing facilities that registered in FY 2015 and wish to maintain their status as an outsourcing facility in FY 2016 must register during the annual registration period that lasts from October 1, 2015, to December 31, 2015.