Kusserow on Compliance: New OCR Guidelines

The HHS Office for Civil Rights (OCR) issued a new guidance which points out a list of 10 violations where Business Associates (BAs) can be held directly liable. The guidance points out that where BAs may not be liable, the covered entity (CE) may be still on the hook for violations of those violations. As such CEs should carefully review their BA Agreements (BAAs) to ensure that they cover requirements that don’t directly apply to BAs but are still enforceable against CEs.

The OCR also notes that large data breaches also continue to dominate the press. The OCR recently cited among recent notable breaches that an EMR and software services provider allowed hackers access to 3.5 million patient records. Touchstone Medical Imaging (TMI), agreed to pay $3 million for a breach involving one of its FTP servers that contained PHI for over 300,000 patients. LabCorp received notice from American Medical Collection Agency (AMCA), a collection firm working on its behalf, regarding unauthorized access of 7.7 million patients’ PHI stored by AMCA. This announcement followed a similar one from Quest Diagnostics, in which they reported that AMCA’s breach affected 11.9 million of its patients.

Updates on OCR enforcement actions can be found at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: OIG releases two reports questioning quality of hospice care

80% surveyed hospices had deficiencies

Many cases of harm to beneficiaries cited

The OIG released two reports which found hospices participating in Medicare had one or more deficiencies in the quality of care they provided to their patients. The OIG cited cases where beneficiaries were seriously harmed by poor care or facilities failed to act in cases of abuse. In its reports, the OIG made several recommendations to strengthen safeguards.

In one report—Hospice Deficiencies Pose Risks to Medicare Beneficiariesthe OIG identified significant vulnerabilities in the Medicare hospice benefit and found over 80 percent of these hospices had at least one deficiency. These included poor care planning, mismanagement of aide services, and inadequate assessments of beneficiaries. Over 20 percent of hospices had a serious “condition-level” deficiency, which means that “the hospice’s capacity to furnish adequate care is substantially limited or adversely affects the health and safety of patients.” The OIG called upon CMS to: (1) strengthen the survey process; (2) establish additional enforcement remedies; (3) provide more information to beneficiaries and their caregivers; (4) expand the deficiency data that accrediting organizations report to CMS to strengthen its oversight of hospices; (5) seek statutory authority to include information from accrediting organizations on Hospice Compare; (6) include on Hospice Compare the survey reports from State agencies; (7) include on Hospice Compare the survey reports from accrediting organizations, once authority is obtained; (8) educate hospices about common deficiencies and those that pose particular risks to beneficiaries; and (9) increase oversight of hospices with a history of serious deficiencies.

In its second report—Safeguards Must Be Strengthened To Protect Medicare Hospice Beneficiaries From Harm—the OIG described specific instances of harm to hospice beneficiaries and identified vulnerabilities in CMS’s efforts to prevent and address harm. Some instances of harm resulted from hospices providing poor care to beneficiaries and some resulted from abuse by caregivers or others and the hospice failing to act. Cases revealed vulnerabilities in beneficiary protections that CMS must address. The OIG called for CMS to: (1) seek statutory authority to establish additional, intermediate remedies for poor hospice performance; (2) strengthen requirements for hospices to report abuse, neglect, and other harm; (3) ensure that hospices are educating staff to recognize signs of abuse, neglect, and other harm; (4) strengthen guidance for surveyors to report crimes to local law enforcement; (5) monitor surveyors’ use of immediate jeopardy; and (6) improve and make user-friendly the process for beneficiaries and caregivers to make complaints.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Many states are not in compliance with mandates to conduct provider criminal background checks

CMS required all states to conduct criminal background checks on high-risk providers before allowing them to receive Medicaid payments by July 2018. CMS could consider as overpayments any payments made to high-risk providers in those states that have not undergone a criminal background check. Those providers must return to CMS the federal share of those overpayment. The OIG found that 18 states failed to comply with the requirement by a CMS deadline of July 2018 and 13 still had not complied as of January 1, 2019. States cited three reasons for not complying:

  1. A lack of authority:Three states said their Medicaid agencies did not have proper oversight power for these background checks, requiring legislative or executive action to do this.
  2. A lack of resources:One state reported it did not have the necessary staff to do the background checks.
  3. A lack of criteria to determine “high-risk providers”: One state said it was actively revising its criteria based on concerns from the provider community, delaying compliance.

The OIG recommended CMS to (1) ensure all States fully implement fingerprint based criminal background checks for high-risk Medicaid providers; (2) amend its guidance so that states cannot forgo conducting criminal background checks on high risk providers applying for Medicaid, unless Medicare has conducted the checks; (c) compare high risk Medicaid providers’ self-reported ownership information to Medicare’s provider ownership information to help states identify discrepancies. CMS concurred with the first recommendation.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Increased CMS Spotlight on Nursing Facilities

CMS and states visit nursing homes on a regular basis with “survey” or “inspection” teams to determine if the nursing homes are providing the quality of care that is required by Medicare and Medicaid, as well as to identify deficiencies in meeting CMS safety requirements. When deficiencies are identified, they must be corrected, and, if serious ones are not corrected, it may lead to termination from participation in Medicare and Medicaid.

Most facilities correct their problems within a reasonable period. However, some have significantly more problems that the norm with a pattern of serious problems persisting over three or more years. Although some facilities institute enough improvement that they are in substantial compliance on one survey, significant problems often resurface by the time of the next survey. Such facilities are referred to by CMS as a “yo-yo” or “in and out” compliance history. These facilities rarely address underlying systemic problems that are giving rise to repeated cycles of serious deficiencies. To address this problem CMS created the “Special Focus Facility” (SFF) initiative that is a listing of problematic nursing homes that have had a history of serious quality issues and are included in a special program to stimulate improvements in their quality of care.

Those on the SFF list are visited in person by survey teams twice as frequently as other nursing homes (about twice per year). The longer the problems persist, the more stringent the enforcement actions, including imposition of civil monetary penalties (“fines”) or termination from Medicare and Medicaid.  Within about 18 to 24 months after a facility is identified by CMS as an SFF nursing home, CMS expects: (1) improvement & graduation off the SFF; (2) termination from participation in Medicare/Medicaid programs; or (3) extension of time on SFF because of some progress or change of ownership. For more information check the CMS website that posts SFF Nursing Homes in five (5) categories:

  1. newly added to the SFF;
  2. failing to show significant improvement since being posted on the SFF;
  3. showing significant improvement by the most recent survey, and CMS is monitoring;
  4. graduating off the SFF because they not only improved, but they sustained significant improvement for about 12 months (through two standard surveys); and
  5. terminated by CMS from participation in Medicare and Medicaid within, or voluntarily chose not to continue such participation.

To assist in improving Nursing Home quality, CMS began rating all nursing homes using a Five-Star Quality Rating System that can be found at https://www.medicare.gov/NHCompare.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.