Hospital appeals settlement recipients identified by CMS

More than 2,000 hospitals that received almost $1.5 billion in total settlement money from CMS for fee-for-service denials based on patient status reviews for admissions prior to October 1, 2013, were identified by name, provider number, total claims settled, and amount of money received. The settlement, which was paid in 2015 at 68 percent of the net allowable amount, gave providers a guaranteed timely payment in exchange for withdrawing pending appeals that were tied up waiting through a large administrative hearing backlog. Settled claims numbers ranged from one to almost 3,000, with amounts paid between $0 and almost $16 million.

The settlement was a one-time offer by CMS to alleviate the burdens on the Medicare appeals system. The agency only settled claims for patients admitted prior to October 1, 2013, because it believed that the two-midnight rule, which began on that date, would reduce future appeals volume (see CMS offers partial payments for certain Part A hospital claims under appeal, Health Law Daily, September 3, 2014; CMS pays $1.3B to settle hospital inpatient claims, Health Law Daily, June 15, 2015).

The administrative hearing backlog remains a problem for CMS, which last month proposed regulations to improve the efficiency of the Medicare appeals process and address the increasing number of backlogged appeals waiting for administrative adjudication (Proposed rule, 81 FR 43789, July 5, 2016). The settlement offer was made nine months after Nancy Griswold, Chief Administrative Law Judge for HHS’ Office of Medicare Hearings and Appeals (OMHA), said that there were 375,000 claims waiting for adjudication and suspended new requests for hearings before an administrative law judge. As of April 2016, however, OMHA had over 750,000 pending appeals. The two-midnight rule, which did not have the desired effect of reducing appeals, has also ended after hospital backlash (see 1.5 percent payment cut overshadows end of Two-Midnight, Health Law Daily, August 3, 2016).

Kusserow on Compliance: CMS program integrity reports saving $40B over two years

CMS issued its 2016 mandated annual program integrity report to Congress that addresses activities during fiscal years 2013 and 2014.  The agency reported that its program integrity activities saved Medicare over $39 billion, for a two-year return on investment of $12.4 to 1.  Over 70 percent in aggregate was the result of prevention of improper payments.  Recovery of overpayments represented only about one-fourth of the total savings with Reviews and Audit recoveries of about $5 billion, Recovery Auditor Collections of about $6 billion, and Law Enforcement Referrals of $230 million.  During the same period, CMS had about 1,000 active payment suspensions. Prevention of improper payments continues to increase as CMS proceeds with its proactive approach to program integrity.

The report also addressed the CMS Medicaid Integrity Program.  CMS directed the Audit Medicaid Integrity Contractors (MICs), which identified roughly $50 million in overpayments for recovery by states. Through Audit MIC activities, the states returned the federal share of $11 million to the Treasury. Through the State Medicaid Recovery Audit Programs, the states have recovered a total federal and state share combined amount of about $230 and returned the federal share of $140 million to the Treasury.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2016 Strategic Management Services, LLC. Published with permission.

OCR thinks small to stop data breaches

Reports of breaches impacting the protected health information (PHI) of 500 or fewer individuals will be more widely investigated by the HHS Office for Civil Rights (OCR), beginning August 2016. Previously, the OCR’s regional offices investigated all breach reports involving the PHI of 500 or more individuals and only investigated smaller breaches when resources permitted the additional oversight. Under the new initiative, regional offices will retain discretion to investigate smaller breaches, but each office will increase investigative efforts to identify smaller breaches and obtain necessary corrective action.

Considerations

Covered entities (CEs) under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) are required to report breaches of PHI to affected individuals and the HHS Office for Civil Rights (OCR), consistent with the Breach Notification Rule; in instances of breaches involving at least 500 individuals, they must also notify the media. To decide which breach reports affecting fewer than 500 individuals will be investigated, the OCR plans to consider the following factors:

  • the size of the breach;
  • the presence of theft or improper disposal of unencrypted PHI;
  • unwanted intrusions into information technology (IT) systems (hacking); and
  • instances where numerous breach reports from a single entity raise similar issues.

Prior breaches

The OCR has already investigated some smaller breach reports, which have led to settlements. Those investigations include breaches resulting from a business associate’s failure to safeguard the PHI of skilled nursing facility residents, an insurance company’s failure to implement adequate PHI security measures, a medical center’s improper use of a data-sharing internet application, and the theft of two unencrypted laptops—one from a hospice provider and another from an employee’s car at a physical therapy center.

Other threats

Data breaches and cybersecurity threats of all kinds continue to plague the health care industry. For example, in July 2016, Banner Health experienced a breach of PHI and payment card data of 3.7 million patients, members, beneficiaries, and food and beverage outlet customers (see Banner Health breach potentially affects millions, Health Law Daily, August 4, 2016). Additionally, health systems are facing new threats, like ransomware, where hackers “kidnap” data and demand ransom payments for the data’s release (see Lawmakers, agencies raise specter of ransomware threats to cybersecurity, Health Law Daily, June 30, 2016).

HHS says sharing is preparing for cybersecurity threats

Cyber threat information sharing can help efforts to prevent, detect, and respond to cyber-attacks, according to the HHS Office of the National Coordinator for Health Information Technology (ONC) and the Assistant Secretary for Preparedness and Response (ASPR). Premised on the belief that health system preparedness requires knowledge of up-to-date threat information, the ONC and ASPR issued two funding opportunities to develop an Information Sharing and Analysis Organization (ISAO) for the health care sector.

Cyber Threats

As the health system becomes digital and health information takes on an increasingly electronic format, cyber threats have become a regular burden for health systems. Despite the growing threat, many components of the health care system lack the technological abilities to identify and protect themselves from cyber threats. Under the Cybersecurity Information Sharing Act (CISA), agencies like HHS were directed to develop tools that can help with the sharing of cybersecurity threat risks. Prior to the CISA, Executive Order 13691, signed on February 13, 2015, encouraged information sharing related to cyber threats between the government and private sector.

Recent Threats

Although some governmental efforts have focused on preparedness, data breaches continue to be a burden for the health care industry. This summer, Banner Health reported a cyberattack potentially affecting the protected health information (PHI) and payment card data of 3.7 million patients. The breach resulted from a hack of Banner’s point-of-sale systems, which may have been connected to its clinical systems. Such a lack of segmentation may have contributed to the breach. Segmentation is the segregation of a network into areas, limiting access to only those people, servers, and applications that need it, as a method of preventing hackers who enter part of a system from gaining complete control. However, the threat of cyber-attack reaches far beyond Banner Health. The scope of cyber threats is readily apparent from HHS’ “wall of shame,” which lists all of the breaches affecting 500 or more people that have been reported to the Office for Civil Rights (OCR).

ISAO

The idea behind the ISAO is to allow organizations with greater cyber threat knowledge to share their understanding with less-equipped organizations. For example, with greater information sharing regarding the risks of a lack of segmentation, perhaps the scope of the Banner breach could have been mitigated. HHS hopes that sharing information between HHS and the health care and public health sector will improve the capacity to prevent, detect, and respond to cyber-attacks. The funding directs an ISAO to:

  • provide cybersecurity information and education on cyber threats affecting the healthcare and public health sector,
  • expand outreach and education activities to assure that information about cybersecurity awareness is available to the entire healthcare and public health sector,
  • equip stakeholders to take action in response to cyber threat information, and
  • facilitate information sharing widely within the healthcare and public health sector regardless of the size of the organization.

HHS hopes its combined funding opportunities—$250,000 that can be renewed for up to five years—will help spread cyber threat information among industry stakeholders and federal partners.