House Committee urged to extend funding for federal safety net programs

Extend funding for the Children’s Health Insurance Program (CHIP) to ensure continuity of coverage for children, particularly in light of the current uncertainty surrounding other sources of health coverage in the U.S., witnesses urged at a House Committee on Energy and Commerce hearing titled “Examining the Extension of Safety Net Health Programs.” The purpose of the hearing was to examine the extension of funding for two federal safety net health programs that provide health care and coverage for low-income adults and children, CHIP and the Community Health Center Fund (CHCF).

CHIP

CHIP is a program that provides health coverage to targeted low-income children and pregnant women in families that have annual income above Medicaid eligibility levels but have no health insurance. It is jointly financed by the federal government and states, and the states are responsible for administering the program. A memo from the committee majority staff states that in fiscal year (FY) 2015, 8.4 million children received CHIP-funded coverage.

Section 2101 of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) increased the CHIP enhanced federal medical assistance percentage (E-FMAP), which varies by state, by 23 percent from October 1, 2013 through September 30, 2019. Since the ACA did not include additional or extended funding for CHIP, MACRA extended funding through September 30, 2017. The Medicaid and CHIP Express Lane Option, Child Enrollment Contingency Fund, CHIP Qualifying State Option, and CHIP Outreach and Enrollment Grants also expire September 30, 2017.

At the hearing, Cindy Mann, partner at Manatt, Phelps & Phillips, touted the success of CHIP, which covers 8.9 million children nationwide. She stated that Congress must consider the overall level of funding for CHIP, in addition to the E-FMAP funds, which “are now fully integrated into states’ budgets and a key source of funding for sustaining CHIP.” She said that Congressional action is needed as soon as possible to ensure program continuity, budget certainty for states, and stable coverage for children, particularly those with special health care needs. She urged a five-year extension instead of two to provide needed stability (see Extend CHIP, protect DSH payments, MACPAC tells Congress, March 16, 2017).

Jami Snyder, Director of the Medicaid and CHIP programs for the state of Texas, noted that a decision to not reauthorize the CHIP program would result in a loss of over $1 billion in annual funding to the state of Texas and a loss of coverage for more than 380,000 Texas children.

Health Center Program

The Health Resources and Services Administration’s (HRSA) Health Center Program, authorized under Section 330 of the Public Health Service Act, awards grants to federally qualified health centers (FQHCs). The program is supported by discretionary appropriations and the CHCF, a mandatory multibillion-dollar fund established by Section 10503 of the ACA. The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) (P.L. 114-10) extended funding through fiscal year 2017. According to the staff memo, the CHCF represents over 70 percent of the Health Center Program’s FY 2016 funding.

Michael Holmes, the chief executive officer of Cook Area Health Services, an FQHC in Minnesota, testified that as a result of CHCF investments, new FQHCs were added in more than 1,100 communities. With the extension nearing its expiration date, he “strongly urged” Congress to renew funding for at least five years to allow FQHCs to provide a stable and reliable source of access to patients and recruit and retain a comprehensive health care workforce.

Kusserow on Compliance: EHR incentive program attestation is serious business

The American Recovery and Reinvestment Act of 2009 (ARRA) (P.L. 111-5) authorized providing incentive payments to eligible health care professionals, hospitals, and Medicare Advantage Organizations (“MAOs”) to promote the adoption and “meaningful use” of health information technology and electronic health record (“EHR”) systems. CMS established the Medicare and Medicaid Electronic Health Record Incentive Programs (EHR Incentive Programs) to make incentive payments to health care professionals and providers that meet specified requirements for the meaningful use of certified EHR technology (CEHRT). The EHR Incentive Programs are intended to bring about improved clinical outcomes and population outcomes, increase transparency and efficiency in health care, empower individuals to make decisions regarding their care, and generate additional research data on health systems. Program participants must report on their performance pertaining to certain clinical quality measures (CQMs) and objectives to CMS (for Medicare) or the authorized state agency (for Medicaid) through an attestation process. Since 2011, the EHR Incentive Programs have made incentive payments to numerous eligible professionals, eligible hospitals, and critical access hospitals (CAHs) that qualify as “meaningful users” by meeting the objectives and CQMs outlined in the various stages of the applicable programs.

Annual attestations required

Eligible providers must annually attest to meeting the specified objectives and measures in order to receive incentive payments under the EHR Incentive Programs. Once they have attested to meeting the identified objectives and measures, they are deemed to be meaningful users and eligible for incentive payments.  CMS, its contractor, and state Medicaid agencies conduct both random and targeted audits to detect inaccuracies in eligibility, reporting, and receipt of payment with respect to the EHR Incentive Programs.  Eligible hospitals may be selected for pre- or post-payment audits. CMS has required that eligible hospitals retain all supporting documentation used in completing the Attestation Module responses in either paper or electronic format for six years post-attestation. Eligible hospitals are responsible for maintaining documentation that fully supports the meaningful use and CQM data submitted during attestation. Those hospitals undergoing pre-payment audits will be required to provide supporting documentation to validate submitted attestation data before receiving payment.

Unsupported and false attestations

Making false statements, including attestations to the federal government, could implicate federal law (18 U.S.C. § 1001), which generally prohibits knowingly and willfully making false or fraudulent statements or concealing information. Although eligible hospitals receiving incentive payments under the Medicare and Medicaid EHR Incentive Programs are not required to follow any particular parameters when spending the payments, they must annually attest to meeting the relevant measures and objectives in order to be entitled to incentive payments. It is critical that eligible hospitals maintain documentation that supports their attestations.  Supporting documentation needs to make clear that the hospital is meeting the terms and conditions of the EHR Incentive Program. A checklist document by itself would be insufficient as supporting documentation. Failure to maintain such supporting documentation creates potential liability. Although no significant enforcement activity has taken place, compliance officers are advised to verify that proper supporting documentation is maintained.  In fact, the responsible program manager should be maintaining documentation as part of ongoing monitoring. As part of ongoing auditing, the compliance office should ensure that monitoring is conducted and validate that it is adequately meeting regulatory requirements.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2017 Strategic Management Services, LLC. Published with permission.

340B a small program with tricky compliance field

Although drug spending under the 340B program is a small fraction of drug spending in the country overall, compliance remains important for all entities involved: hospitals, pharmacies, and manufacturers. In a Health Care Compliance Association webinar entitled “340B Program: Finding Clarity in Uncertain Times,” presenters Karolyn Woo and Tony Lesser, both from Deloitte & Touche LLP, advised listeners to allocate the necessary resources to ensure compliance in light of increased audit activity.

340B program

Created by section 340B of the Public Health Service Act (PHSA), the program requires drug manufacturers participating in the Medicaid program to provide outpatient drugs to participating health care organizations at reduced prices. These discounts allow providers to save between 25 and 50 percent on outpatient drug costs. However, for perspective, 340B spending accounted for just over $12 billion of the $310 billion spent on drugs in 2015.

Oversight and audits

Despite the program’s relatively small size, Woo and Lesser underscored the necessity of compliance, noting the Health Resources and Services Administration’s (HRSA) increased oversight activity. The agency has recently contracted experienced auditors, who focus on eligibility, drug diversion, duplicate discounts, and billing accuracy. If issues are found during the audit, the HRSA Office of Pharmacy Affairs (OPA) will review these issues, present a corrective action plan to HRSA, and finalize its report. Drug diversion is the most common issue, and repayment to manufacturers was required in over half of the completed audits in fiscal years (FYs) 2015 and 2016. Although there has been no uptick in the number of manufacturer audits recently, HRSA may contact an entity to request certain information outside of an audit, which should be presented as clearly as possible. In addition, specialty pharmacies, which often represent a high percentage of a manufacturer’s 340B revenue, may fall under particular scrutiny.

Compliance plan

Repayment requires that the covered entity and the manufacturer work out a financial remedy in good faith. The process is hampered by outdated OPA information, lack of deadline guidance, and differing repayment calculations. To avoid being placed in this situation, covered entities should create a compliance plan that ensures close oversight of 340B activity, starting with educating staff and reviewing 340B policies and procedures. Entities should perform internal audits to find areas of non-compliance, and learn how to prevent and detect identified issues. When areas of non-compliance are found, they should be reported to manufacturers, HRSA, or other entities as required.

Kusserow on Compliance: OCR has a record number of significant settlements so far in 2017

The HHS Office for Civil Rights (OCR) has posted about 2,000 major breaches and more than a quarter million small breaches since 2009. The common denominator for many of the cases in which there was a settlement was that the covered entity or business associate (BA) suffered one or more breaches affecting more than 500 individuals sometime between 2011 and 2013. The OCR has started 2017 with a record number of significant settlements. The most recent is with CardioNet, a wireless health services provider that offers remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias. The provider entered into a settlement for $2.5 million and implemented a corrective action plan for disclosure of unsecured ePHI on a laptop that was stolen from a parked car. CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft, and its HIPAA Security Rule policies and procedures had not been implemented. The OCR has entered into a number of other significant settlements. Others who paid settlements for violating HIPAA requirements so far this year include Memorial Health Systems ($5.5 million); Children’s Medical Center in Dallas ($3.2 million); MAPFRE, a Puerto Rico life insurance company ($2.2 million); Presence Health in Chicago ($475,000); and Community Provider Network of Denver ($400,000). In all these cases, there was the requirement to take corrective actions.

2016 OCR Results

  • There were 329 data breaches affecting more than 500 individuals (a new record).
  • 225 OCR Phase 2 HIPAA compliance audits of covered entities and BAs were conducted.
  • No onsite audits were conducted.
  • No findings or notifications from the audits have been made.
  • The OCR intends to use the results from these audits to prepare for a new and better tool in the future.
  • There was a large jump in fines imposed for HIPAA violations, which totaled about $24 million (versus a little more than $6 million and $8 million for 2015 and 2014, respectively).

OCR in 2017

  • The OCR’s stated intention is to conduct only a few onsite audits in 2017.
  • To date, the OCR has nearly achieved the level of 2016 in terms of penalties imposed.
  • To date, about 100 data breaches impacting more than 500 individuals have been reported.
  • About a half million individuals have been impacted in reported data breaches so far this year.
  • Only relatively few BAs were involved in any of the reported data breaches.

The enforcement actions most often come from the OCR when investigations into the root cause of the breach found systemic, often profound, failures of organizational programs to safeguard protected health information.  This includes the failure to perform an information security risk assessment or to have a risk management plan to address gaps in the safeguards for information systems, both required actions under the HIPAA Security Rule. Tied to this has been insufficient development of policies and procedures for HIPAA Compliance.  Other actionable problems that resulted in the OCR imposing HIPAA corrective action plans (CAP) included inappropriate delay in data breach reporting (reported after 60 days from the date of discovery); and inappropriate oversight into user set up and user management. There is also the continuing problem of organizations not implementing encryption technology on mobile devices.

Camella Boateng, a HIPAA consultant, reminds everyone that the recently enacted 21st Century Cures Act amends the HITECH Act to extend an individual’s right to access their PHI to data held by business associates. As such, it is more important than ever that entities give priority to conducting a self-audit, so vulnerabilities can be detected and resolved before they come to the attention of the government. Furthermore, with a shifting focus toward BAs, it is important to avoid any potential partner that will not commit to signing a business associate agreement (BAA).

Strong HIPAA Compliance Program Evidence

  • HIPAA policies and procedures;
  • HIPAA request forms for patients’ rights;
  • a complete notice of privacy practices;
  • established technical, physical, and administrative safeguards;
  • conducting a regular HIPAA risk analysis;
  • developed a risk management plan to address gaps in the safeguards for PHI;
  • strong workforce education;
  • effective user management and oversight into systems with PHI;
  • auditing practices for verification of compliance;
  • ongoing evaluation of current safeguards established by the organization;
  • strong oversight into user set up and user management;
  • implementing encryption technology on mobile devices; and
  • ensuring partners have signed BAAs.

 
