Kusserow on Compliance: OIG cases involving sanctioned parties and tips to avoid violations

Compliance Officers must screen employees against the List of Excluded Individuals and Entities (LEIE). This is stressed in all of the OIG’s compliance guidance documents. CMS makes it a condition of participation and enrollment. The LEIE continues to change and grow with more than 3,000 exclusions added annually. Failure to screen employees, medical staff, contractors, and vendors creates a great risk. The OIG may consider claims that include work or products from a sanctioned party to be false and fraudulent. Violations can result in monetary penalties. Most cases that deal with this issue are brought to the OIG’s attention through the “Self-Disclosure Protocol.” In all the recent cases posted, the OIG imposed penalties, but the penalties were mitigated by the fact that the matters were self-disclosed; as a result, none of these cases resulted in a Corporate Integrity Agreement (CIA). The OIG posts a number of these cases on its website. The following are examples of recent actions against organizations that engaged individuals they knew or should have known were excluded from participation in the federal health care programs:

  • Southwest Trinity Management, LLC (STM), in Oklahoma paid $141,986.36 in settlement for employing an excluded licensed practical nurse that provided items or services that were billed to Federal health care programs.
  • Diamonds & Pearls Health Services, LLC (DPHS), Cleveland, Ohio, paid $75,471.92 for employing an excluded individual who, as a scheduling/staffing coordinator, provided items or services to DPHS patients that were billed to Federal health care programs.
  • Center for Ear, Nose Throat & Allergy, P.C. (CENTA) in Indiana paid $51,564.14 for employing an excluded medical records file clerk who provided items or services to CENTA’s patients that were billed to Federal health care programs.
  • MHMR, Fort Worth, Texas, paid $97,869.78 for employing a program director who had been excluded to provide items or services to clients who were receiving services funded by a Medicaid waiver program.
  • Shawnee Health Services (Shawnee), Carterville, Illinois, paid $107,761.08 as a result of employing an excluded individual who, as a case manager, provided items or services to clients who were receiving services under a Medicaid waiver program.
  • Arkansas Department of Health (ADH) paid $39,343.61 as a result of employing an excluded hospice social worker who provided items or services to patients of a community-based hospice operated by ADH.
  • Century Pharmacy (Century), Brooklyn, New York, paid $10,000 for employing an excluded individual who assisted in filling prescriptions, in addition to performing other clerical tasks, and provided items or services to Century patients that were billed to Federal health care programs.
  • Sundance Behavioral Healthcare System (Sundance), Texas, paid $49,183.48 for employing a sanctioned licensed vocational nurse who provided items or services to patients that were billed to Federal health care programs.
  • ASAP Professional Home Health (ASAP), Houston, Texas, paid $21,797.76 for employing an excluded attendant who provided items or services to ASAP patients that were billed to Federal health care programs.

Practical Screening Tips

  1. Ensure periodic sanction screening of employees, medical staff, contractors, and vendors against the LEIE—best practice is monthly screening.
  2. Inasmuch as most states have developed their own exclusion database, with many states mandating monthly screenings, care should be taken to understand and meet state screening requirements.
  3. Inasmuch as most LEIE exclusions arise from another underlying court, state agency, or licensure board action, it is advisable to also conduct background checks and seek written assurances in applications that prospective employees, contractors, and vendors have not been subject to any prior court or licensure board actions.
  4. Individuals who are the subject of an investigation, but not yet sanctioned with final actions, are commonly under investigation for a considerable time. It is therefore a best practice to require, as a condition of employment, gaining staff privileges, or engagement, that the applicant attest that they have not been, nor are they now, the subject of an investigation by any duly authorized regulatory or enforcement agency. It is also advisable to add a condition that they must promptly report any notice of investigation that involves them.
  5. Educate and inform management and employees on their obligation to promptly report any notification of an adverse action by any duly authorized regulatory or enforcement agency.

Daniel Peake of the Compliance Resource Center (CRC) works with many organizations in ensuring proper sanction screening and from that experience offers a number of practical tips to avoid creating an actionable violation.  He can be reached at dpeake@strategicm.com or (703) 236-9850.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: A definition of health care compliance

A good starting point for meeting the obligations of a compliance officer’s position is to define health care compliance. This can be useful in developing plans and objectives for the program, as well as explaining the meaning to executive leadership and the board.

  1. Health care compliance is defined as adhering to laws, rules, regulations, and program requirements, as well as the Codes of Conduct, policies, and procedures for the organization. Meeting this definition means identifying and meeting all applicable legal, regulatory, program requirements, and payment standards that vary considerably depending on type of organizations and the services they provide. To achieve this requires promoting not only compliance with rules, but ethical conduct and a culture that promotes prevention, detection, and resolution of conduct that does not conform to the established rules.
  2. Health care compliance can also be defined as the ongoing process of meeting or exceeding the legal, ethical, and professional standards applicable to a particular health care organization or provider. The HHS Office of Inspector General (OIG) has helped with the definition of health care compliance through its compliance guidance documents, which call for compliance efforts to be designed to establish a culture within organizations that promotes prevention, detection, and resolution of instances of conduct that do not conform to federal and state law; federal, state, and private payor health care program requirements; and ethical and business policies. The scope extends to many areas including patient care, billing, reimbursement, managed care contracting, research standards, Occupational Safety and Health Administration (OSHA) standards, the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) standards, and the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, to name a few. The biggest challenge for health care organizations and their compliance officers is keeping track of all these numerous requirements and regulations.

Meeting the definition of health care compliance means meeting all of the rules and requirements applicable to the organization across a broad range of criteria, including all applicable legal, regulatory, program requirements, and payment standards that vary considerably depending on the type of organization and the services it provides. As one examines the meaning of health care compliance, it becomes clear that it embraces a great variety of things, including adhering to laws, rules, regulations, and program requirements, as well as organization Codes of Conduct, policies, and procedures governing the day-to-day operations. Because health care has become so complex in recent years, the industry is under constant scrutiny. Compliance programs promote not only compliance with rules, but also ethical conduct and a culture that encourages prevention, detection, and resolution of conduct that does not conform to federal and state law; federal, state, and private payor health care program requirements; and the organization’s ethical and business policies. It is nearly impossible to define the extent or complexity of the ever-changing health care compliance world. New laws and regulations come into play on a daily basis from all levels of government. Some of these have far-ranging implications, such as the HIPAA and HITECH laws that are designed to protect the privacy of patient information.

 


Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: HIPAA enforcement update

At the 2018 HCCA Compliance Institute HIPAA Policy and Enforcement Update, it was reported that from September 2009 through the end of 2017 there were 2178 reports filed with the HHS OCR involving breaches affecting 500 or more individuals. In addition to large breaches, there were over 300,000 reports of breaches of protected health information (PHI) affecting fewer than 500 individuals. About 177 million individuals were affected by the large breaches. So far, OCR’s website has posted 38 breaches as of April 2018. In all, nearly one million patients may have had their PHI put at risk by these incidents, with the number continuing to grow. The breakdown by type of large breach includes:

  • Loss/Theft continues as the most often reported problem; nearly half of the cases.
  • Laptops and other portable storage devices represented one fourth of large breaches.
  • Hacking/IT Incidents account for about one in five reported incidents.
  • Paper records accounted for another fifth of the large breaches.

10 largest 2018 incidents to date by number of patient records affected

  1. 582,174 – California Department of Developmental Services, 4/06/2018, Unauthorized Access/Disclosure Incident
  2. 279,865 – Oklahoma State University Center for Health Sciences, 1/05/2018, Hacking Incident
  3. 134,512 – St. Peter’s Ambulatory Surgery Center LLC- d/b/a St. Peter’s Surgery & Endoscopy Center, 2/28/2018, Hacking Incident
  4. 70,320 – Tufts Associated Health Maintenance Organization, Inc. reported on 2/16/2018 an Unauthorized Access/Disclosure Incident
  5. 63,551 – Middletown Medical P.C.,  3/29/201 an Unauthorized Access/Disclosure
  6. 53,173 – Onco360 and CareMed Specialty Pharmacy, 1/12/2018, Hacking Incident
  7. 36,305 – Triple-S Advantage, Inc., 2/02/2018, Unauthorized Access/Disclosure Incident
  8. 35,136 – ATI Holdings, LLC and its subsidiaries, 3/12/2018, Hacking Incident
  9. 34,637 – City of Houston Medical Plan reported on 3/22/2018 a Theft of Laptop Incident
  10. 30,799 – Mississippi State Department of Health, 3/26/2018, Unauthorized Access/Disclosure

Top 10 Recurring Compliance Issues

  1. Pattern of disclosure with sensitive paper PHI
  2. Business Associate Agreements
  3. Risk analysis issues
  4. Failure to manage identified risk, e.g. Encryption of data
  5. Lack of transmission security
  6. Lack of appropriate auditing
  7. No patching of software
  8. Insider threats from employees and contractors
  9. Improper disposal of data
  10. Insufficient data backup and contingency planning

HHS OCR calls for health care organizations to establish contingency plans to keep patient data secure and mandates that covered entities and business associates have such plans. In their March newsletter, OCR officials urged health care organizations to figure out which IT systems are critical, to understand how to function in a disaster, and to back up PHI so it can be retrieved if the original data are lost or taken offline. Once developed, the plan should be routinely tested to identify gaps, keep the plan effective through updates, and increase organizational awareness. The plan should be reviewed and updated on a regular basis and when there are changes: technical, operational, or in personnel.

 


Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Human resources compliance—update on EEOC investigations

Most hotline complaints received relate to HR-related issues, including harassment, discrimination, and unfair treatment, making this one of the most common compliance issue areas. Many employees go on to report their complaints to the Equal Employment Opportunity Commission (EEOC), which is responsible for addressing workplace harassment complaints. Media reports have focused on the long delays in resolving allegations of discrimination (1.5 years for federal employees and 500 days for the private sector). An increase of $15 million was authorized this year in the EEOC’s budget, which may help with the backlog. The reason for the longer wait for federal employee complaints is that a federal employee must first file a complaint with his or her agency’s equal employment office, which conducts an investigation. The employee may then file a lawsuit or request a hearing with an EEOC administrative judge. The staffing level for the Commission is about 2,000, of which there are 549 investigators responding to allegations and complaints. For 2017, the Commission reported:

  • Resolution of 99,106 charges, an increase of 1,660 over 2016
  • Reduction of the inventory of pending charges by 16 percent to 61,621
  • Secured $484 million for victims of discrimination
  • 7,218 successful mediations resulting in over $163.7 million in benefits to charging parties
  • Resolution of 6,661 federal employee hearing requests with $73 million in relief
  • Resolution of 4,284 appeals of agency decisions
  • Resolution of 85 percent of appeals over 500 days pending
  • $13.3 million in remedies secured
  • 4,500 individuals received monetary relief as a direct result of litigation resolutions
  • 184 lawsuits filed, including 124 suits on behalf of individuals

In most cases, the EEOC has found that there was not sufficient evidence to make a finding that discrimination occurred. Only about 3 percent of cases were found to have reasonable cause.  Also reported was an increase in the number of complaints being received that may be fueled in part by the emergence of the #MeToo movement.

 


Copyright © 2018 Strategic Management Services, LLC. Published with permission.