Kusserow on Compliance: OIG reports top unimplemented recommendations

The HHS Office of Inspector General (OIG) Top Unimplemented Recommendations: Solutions to Reduce Fraud, Waste, and Abuse in HHS Programs is an annual OIG publication. These recommendations, if implemented, are ones that would most positively impact HHS programs in terms of cost savings, program effectiveness and efficiency, and public health and safety. All were derived from audits and evaluations issued through December 31, 2019, which predated the COVID-19 public health emergency. Fourteen of the 25 were related to Medicare and Medicaid. The recommendations called for CMS to:

  1. Take actions to ensure that incidents of potential abuse or neglect of Medicare beneficiaries are identified and reported.
  2. Reevaluate the inpatient rehabilitation facility payment system, which could include seeking legislative authority to make any changes necessary to more closely align inpatient rehabilitation facility payment rates and costs.
  3. Seek legislative authority to comprehensively reform the hospital wage index system.
  4. Seek legislative authority to implement least costly alternative policies for Part B drugs under appropriate circumstances.
  5. Provide consumers with additional information about hospices’ performance via Hospice Compare.
  6. Continue to work with the Accredited Standards Committee X12 to ensure that medical device-specific information is included on claim forms and require hospitals to use certain condition codes for reporting device replacement procedures.
  7. Analyze the potential impacts of counting time spent as an outpatient toward the three-night requirement for skilled nursing facility (SNF) services so that beneficiaries receiving similar hospital care have similar access to these services.
  8. Provide targeted oversight of Medicare Advantage organizations (MAOs) that had risk adjusted payments resulting from unlinked chart reviews for beneficiaries who had no service records in the 2016 encounter data.
  9. Require MAOs to submit ordering and referring provider identifiers for applicable records in the encounter data.
  10. Develop and execute a strategy to ensure that Part D does not pay for drugs that should be covered by the Part A hospice benefit.
  11. Ensure that States’ reporting of national Medicaid data is complete, accurate, and timely.
  12. Collaborate with partners to develop strategies for improving rates of follow-up care for children treated for attention deficit hyperactivity disorder (ADHD).
  13. Develop policies and procedures to improve the timeliness of recovering Medicaid overpayments and recover uncollected amounts identified by OIG’s audits.
  14. Identify States that have limited availability of behavioral health services and develop strategies and share information to ensure that Medicaid managed care enrollees have timely access to these services.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: OCR continues enforcement involving HIPAA breaches

 2020 Survey found 60 percent of health care organizations had recent OCR encounters

Lifespan to pay $1,040,000 to Settle Unencrypted Stolen Laptop Breach

Although many agencies have taken the Pandemic into consideration when pursuing enforcement actions, this does not mean they have stopped altogether. Everyone was reminded of this with the announcement that Lifespan Health System Affiliated Covered Entity has agreed to pay $1,040,000 to the HHS Office for Civil Rights (OCR) and to implement a corrective action plan with OCR monitoring for 2 years, in order to settle potential violations of the HIPAA Privacy and Security Rules related to the theft of an unencrypted hospital employee’s laptop containing electronic protected health information affecting 20,431 individuals. OCR’s investigation found:

  • Lack of policies and procedures to encrypt all devices used for work purposes.
  • Failure to encrypt ePHI on laptops
  • Lack of device and media controls
  • Failure to have a business associate agreement in place

Going forward, Lifespan must designate at least one individual to ensure that the organization enters into business associate agreements with its business associates. It must also develop a process for evaluating business relationships and determining which vendors should be considered business associates.

It is noteworthy that the 2020 Healthcare Compliance Benchmark Survey Report found respondents reporting more enforcement encounters with OCR than with the OIG or DOJ.  Nearly 60 percent of respondents reported having encounters with the OCR regarding HIPAA breaches in the last few years. The question is no longer whether there will be a HIPAA Breach problem that draws OCR attention, but when it will occur.  The Survey also found was that three quarters of compliance offices now had responsibility for HIPAA Privacy.  This lays the compliance challenge at the feet of Compliance Officers.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Medicare overpaid hospitals $267M for post-acute care transfers to home health

An HHS Office of Inspector General (OIG) audit identified 89,213 inpatient claims totaling $948 million at risk of overpayment because of hospital transfer policies to home health agencies for post-acute care. The OIG selected a stratified sample of 150 claims which was reviewed by an independent medical review contractor to assess the relatedness of the home health services to the hospital admission. The review found that Medicare improperly paid most inpatient claims subject to the transfer policy when beneficiaries resumed home health services within 3 days of discharge. Hospitals failed to code the inpatient claim as a discharge to home health services when the hospitals applied condition codes 42 (home health not related to inpatient stay) or 43 (home health not within 3 days of discharge). Of the 150 inpatient claims in the sample, Medicare properly paid for just three claims. As a result, CMS improperly paid for 147 claims, for a total of $722,288 in overpayments. Medicare should have paid these inpatient claims using a graduated per diem rate rather than the full payment. The OIG estimated that Medicare improperly paid $267 million during a 2-year period for hospital services that should have been paid a graduated per diem payment.

Prior OIG audits identified Medicare overpayments to hospitals that did not comply with Medicare’s post-acute-care transfer policy and in response CMS instituted new corrective actions into the system. The OIG later found the policies were still not properly designed. The result is that hospitals may be using condition codes to bypass CMS’s system edits to receive higher reimbursements for inpatients transferred to home health services. Compliance officers should consider this—the transfer of patients from hospital in-patient care to post-acute care at home health agencies—as a risk area warranting an internal review.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: DOJ and HHS OIG issue annual Health Care Fraud and Abuse Control Program Report

The HHS OIG and DOJ issued their annual Health Care Fraud and Abuse Control Program Report. The report outlines efforts undertaken annually as a result of HIPAA, which established the program to “coordinate federal, state, and local law enforcement activities with respect to health care fraud and abuse.” For FY 2019 the reported recoveries were $3.6 billion, of which about $2.5 billion was returned to the Medicare trust fund. The recoveries included judgments and settlements from fraud causes brought in 2019 and in prior years. In addition, the DOJ reported opening 1,060 new criminal health care fraud investigations, which led to charges against 814 defendants. The DOJ Civil Division opened 1,112 new civil health care fraud investigations. Medicare and Medicaid fraud investigations by HHS’s Office of Inspector General resulted in 747 criminal actions and 684 civil actions against individuals and entities. In 2019, HHS also excluded 2,640 individuals from participation in the Medicare and Medicaid programs. The breakdown of exclusions included 1,194 based on criminal convictions related to Medicare and Medicaid, 335 for other health care programs, 238 for patient abuse or neglect, and 576 as a result of state health care licensure revocations.

The report also provided information on the return on investment (ROI) for the HCFAC program over the last three years (2017 – 2019) at $4.2 returned for every $1.00 expended. Results were reported as being in large measure due to the Health Care Fraud Prevention and Enforcement Action Team (HEAT) that was designed to coordinate enforcement efforts related health care fraud. These teams are comprised of top-level law enforcement agents, prosecutors, attorneys, auditors, evaluators, and other staff from DOJ and HHS and their operating divisions, and are dedicated to joint efforts across government to both prevent fraud and enforce current anti-fraud laws around the country. The Strike Force teams are a key component of HEAT.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.