Kusserow on Compliance: HIPAA enforcement update

At the 2018 HCCA Compliance Institute HIPAA Policy and Enforcement Update, it was reported that from September 2009 through the end of 2017 there were 2178 reports filed with the HHS OCR involving breaches affecting 500 or more individuals. In addition to these large breaches, there were over 300,000 reports of breaches of protected health information (PHI) affecting fewer than 500 individuals. About 177 million individuals were affected by the large breaches. As of April 2018, OCR’s website has posted 38 breaches for the year so far. In all, nearly one million patients may have had their PHI put at risk by these incidents, and the number continues to grow. The breakdown of large breaches by type includes:

  • Loss/Theft continues to be the most often reported problem, accounting for nearly half of the cases.
  • Laptops and other portable storage devices represented one fourth of large breaches.
  • Hacking/IT Incidents account for about one in five reported incidents.
  • Paper records accounted for another fifth of the large breaches.

10 largest 2018 incidents to date by number of patient records affected

  1. 582,174 – California Department of Developmental Services, 4/06/2018, Unauthorized Access/Disclosure Incident
  2. 279,865 – Oklahoma State University Center for Health Sciences, 1/05/2018, Hacking Incident
  3. 134,512 – St. Peter’s Ambulatory Surgery Center LLC d/b/a St. Peter’s Surgery & Endoscopy Center, 2/28/2018, Hacking Incident
  4. 70,320 – Tufts Associated Health Maintenance Organization, Inc., 2/16/2018, Unauthorized Access/Disclosure Incident
  5. 63,551 – Middletown Medical P.C., 3/29/201, Unauthorized Access/Disclosure Incident
  6. 53,173 – Onco360 and CareMed Specialty Pharmacy, 1/12/2018, Hacking Incident
  7. 36,305 – Triple-S Advantage, Inc., 2/02/2018, Unauthorized Access/Disclosure Incident
  8. 35,136 – ATI Holdings, LLC and its subsidiaries, 3/12/2018, Hacking Incident
  9. 34,637 – City of Houston Medical Plan, 3/22/2018, Theft of Laptop Incident
  10. 30,799 – Mississippi State Department of Health, 3/26/2018, Unauthorized Access/Disclosure Incident

Top 10 Recurring Compliance Issues

  1. Pattern of disclosure with sensitive paper PHI
  2. Business Associate Agreements
  3. Risk analysis issues
  4. Failure to manage identified risks, e.g., encryption of data
  5. Lack of transmission security
  6. Lack of appropriate auditing
  7. No patching of software
  8. Insider threats from employees and contractors
  9. Improper disposal of data
  10. Insufficient data backup and contingency planning

HHS OCR calls for health care organizations to establish contingency plans to keep patient data secure and mandates that covered entities and business associates have such plans. In its March newsletter, OCR officials urged health care organizations to identify which IT systems are critical, to understand how to function in a disaster, and to back up PHI so it can be retrieved if the original data are lost or taken offline. Once developed, the plan should be routinely tested to identify gaps, to ensure that updates keep it effective, and to increase organizational awareness. The plan should be reviewed and updated on a regular basis whenever there are technical, operational, or personnel changes.


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Using sanction-screening tools vs. outsourcing the entire process

In order to save time and costs, more and more health care organizations have been moving to outsource functions that are not core business activities. Compliance programs have been part of that trend: (1) 80 percent of compliance offices use vendors to provide hotline services, (2) 50 percent of compliance offices use vendors to provide policy development tools, and (3) two-thirds of compliance offices use vendors to provide E-learning tools. Included in the growing list of outsourced tasks has been the movement to address the rapidly growing cost and time commitment related to sanction-screening. Two-thirds of compliance offices use vendor search engine tools to assist in sanction-screening, which saves an organization from downloading the sanction databases and developing its own search engine. This trend is driven by the rapid growth in the number of databases against which employees, medical professionals, contractors, vendors, etc., must be screened, including the following:

  • OIG List of Excluded Individuals and Entities (LEIE)
  • GSA Excluded Parties List System (EPLS)
  • 40 state Medicaid programs now have sanction databases requiring monthly screening
  • Drug Enforcement Administration (DEA)
  • FDA

All this has increased the burden of sanction-screening exponentially, not only for the compliance office, but also for human resource management (new hires and periodic screening of current employees) and for procurement (vendors and contractors). Medical credentialing is also involved, as physicians who are granted staff privileges must be screened. Using vendors has been a great help, but the most difficult part of the process is resolving “potential hits.” This can take considerable effort, and many organizations have to dedicate staff to the investigation and resolution of these hits. It is complicated by the fact that most sanction data does not provide sufficient information to make a positive identification. As a result of this heavy burden, many have moved beyond simply using a vendor tool to outsourcing the entire process to vendors. The following tips address selecting a sanction-screening vendor and outsourcing the process.


Tips for selecting a sanction-screening vendor


Tips for outsourcing the sanction-screening process

  • Determine the cost of moving from use of a vendor search engine tool to outsourcing the screening, along with the investigation and resolution of “potential hits.”
  • Inquire about the methodology the vendor follows in resolving potential “hits,” a critical part of any screening effort.
  • Ensure the vendor provides a certified report of the results that can be made part of the compliance office records.
  • Review an example of the type of reports the vendor would provide to determine whether it meets the documentary needs of the organization.


Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Burden on submitter of quality data to verify successful transmittal

When a provider is required to submit data to CMS by entering it into a system that verifies the data and then transmits it to CMS, it is the provider’s duty to ensure that the data is actually transmitted to CMS. The Provider Reimbursement Review Board (PRRB) held that it is not enough to simply input information into the system when mechanisms are in place to confirm that the data was successfully transmitted to CMS (Horizon Home Care & Hospice v. National Government Services, PRRB Hearing, Dec. No. 2018-D30, Case No. 16-0143, March 29, 2018).


A hospice provider submitted admission and discharge data files to CMS via the Quality Improvement Evaluation System (QIES), as required under the Social Security Act (the Act). After the submission, the system displayed a message indicating that the submission file was being processed for errors and that a Final Validation Report would be available in the CASPER Reporting application once the data was transmitted to CMS. The hospice provider assumed that the submission was accepted and never accessed the CASPER Reporting application to obtain a copy of the Final Validation Report.

The Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) ties submission of certain mandatory quality data to a provider’s eligibility for the annual Medicare hospice benefit increase or market basket update. It also mandates that a hospice’s market basket update be reduced by 2 percent if it failed to report the required quality data. Per this mandate, the Medicare contractor notified the hospice provider that its Annual Payment Update was being reduced by 2 percent.

After checking the CASPER system, the hospice provider discovered that the Final Validation Report indicated that the data contained a facility identifier error and was never transmitted to CMS. The hospice provider requested that CMS reconsider its decision. CMS upheld its payment reduction, and the hospice provider appealed the reconsideration decision to the Board.

QRP rule

The hospice provider argued that the plain language of the Quality Reporting Program (QRP) Rule requires a hospice provider to submit the data to CMS but does not require that the CASPER system receive the data from QIES. The Medicare contractor argued that the rule clearly states that the quality “data must be submitted in a form and manner, and at a time, as specified by the Secretary.” The Medicare contractor further argued that it is the provider’s duty to submit the data accurately, completely, and timely.

The QIES system notified the hospice provider that it should obtain a validation report from the CASPER system. The Hospice Item Set manual and the submission user’s guide both warn that if fatal errors are found, the record will be rejected, and that a validation report should be run to ensure the data was successfully transmitted. In the 2014 Guidance Manual, CMS warns that the system will provide fatal error and/or warning messages on the Final Validation Report for submitted data that does not meet the requirements.


The PRRB held that the provider is not required to review and print out its Final Validation Report; however, it is in the provider’s best interest to run the validation reports to confirm that the data was input correctly and transmitted from QIES to CASPER. The hospice provider did not perform the recommended steps prior to the submission deadline to assure that the quality data it entered into QIES was error free and transferred to CASPER. Therefore, the hospice provider did not submit the quality data in the form and manner and at the time required by the Act.

CY 2019 Medicare Part C and D policy changes and updates finalized

CMS has issued a Final rule making revisions to the Medicare Advantage (MA) (Part C) and prescription drug benefit (Part D) programs based on its continued experience in the administration of these programs and to implement certain provisions of the Comprehensive Addiction and Recovery Act of 2016 (CARA) (P.L. 114-198) and the 21st Century Cures Act (P.L. 114-255). The major provisions of the Final rule include: (1) the implementation of the CARA provisions governing the establishment of drug management programs, (2) revisions to timing and method of disclosure requirements for MA and Part D plans, and (3) preclusion list requirements for prescribers in Part D and individuals and entities in MA, cost plans, and Programs of All-Inclusive Care for the Elderly (PACE) (Final rule, 83 FR 16440, April 16, 2018).

On November 28, 2017, CMS published the Proposed rule (see Proposed CY 2019 Part C and D changes address opioid misuse and numerous other policy concerns, Health Law Daily, November 17, 2017). While this Final rule finalizes several of the provisions from the Proposed rule, there are a number of provisions from the Proposed rule that CMS intends to address later and a few that it does not intend to finalize. These provisions are discussed in the Final rule.

CARA provisions

CARA includes new authority for Part D plans to establish drug management programs effective on or after January 1, 2019. This Final rule establishes a framework under which Part D plan sponsors may establish a drug management program for beneficiaries at risk for prescription drug abuse or misuse, or “at-risk beneficiaries.” Specifically, under drug management programs, Part D plans will engage in case management of potential at-risk beneficiaries, through contact with their prescribers, when such a beneficiary is found to be taking a specific dosage of opioids or obtaining them from multiple prescribers and multiple pharmacies who may not know about each other. After case management with the prescribers, sponsors may then limit at-risk beneficiaries’ access to coverage of controlled substances that CMS determines are “frequently abused drugs” to selected prescribers or network pharmacies, for the safety of the enrollee.

CMS also limits the use of the special enrollment period (SEP) for dually eligible or other low income subsidy (LIS)-eligible beneficiaries who are identified as at-risk or potentially at-risk for prescription drug abuse under such a drug management program. Finally, these provisions codify the current Part D Opioid Drug Utilization Review (DUR) Policy and Overutilization Monitoring System (OMS) by integrating this current policy with the drug management program provisions.

The purpose of these CARA drug management program provisions is to create a lock-in status for certain at-risk beneficiaries. In addition to the benefits of preventing opioid and benzodiazepine dependency in beneficiaries, CMS estimates, in 2019, a reduction of $19 million in Trust Fund expenditures because of reduced opioid scripts. This $19 million reduction modestly increases to a $20 million reduction in 2023.

Timing and method of disclosure requirements

CMS is finalizing changes to align the MA and Part D regulations in authorizing CMS to set the manner of delivery for mandatory disclosures in both the MA and Part D programs. CMS will use this authority to allow MA plans to meet the disclosure and delivery requirements for certain documents by relying on notice of electronic posting and provision of the documents in hard copy when requested, when previously the documents, such as the Evidence of Coverage (EOC), had to be provided in hard copy. CMS is also changing the timeframe for delivery of the MA and Part D EOC to the first day of the Annual Election Period (AEP), rather than 15 days prior to that date.

Allowing MA and Part D plans to provide the EOC electronically will alleviate plan burden related to printing and mailing and reduce the number of paper documents that enrollees receive from plans. In addition, changing the date by which plans must provide the EOC to enrollees will (1) allow plans more time to finalize the formatting and ensure the accuracy of the information in the EOC, and (2) separate the mailing and receipt of the EOC from the Annual Notice of Change (ANOC), which describes the important changes in a patient’s plan from one year to the next.

CMS estimates that 67 percent of the current 47.8 million beneficiaries will prefer use of the internet versus hard copies. This will result in a savings to the industry of $54.7 million each year, 2019 through 2023, due to a reduction in printing and mailing costs.

Preclusion list requirements for prescribers and providers

The Final rule rescinds the current regulatory requirement that prescribers of Part D drugs and providers of MA services and items must enroll in Medicare in order for the drug, service, or item to be covered. Instead, a Part D plan sponsor will be required to reject, or require its pharmacy benefit manager to reject, a pharmacy claim for a Part D drug if the individual who prescribed the drug is included on the “preclusion list.” Similarly, an MA service or item will not be covered if the provider that furnished the service or item is on the preclusion list.

The preclusion list will consist of certain individuals and entities that are currently revoked from the Medicare program under 42 CFR sec. 424.535 and are under an active reenrollment bar, or have engaged in behavior for which CMS could have revoked the individual or entity to the extent applicable if they had been enrolled in Medicare, and CMS determines that the underlying conduct that led, or would have led, to the revocation is detrimental to the best interests of the Medicare program.

CMS estimates that for 2019, the preclusion list provision will save providers $34.4 million. For 2020 and future years, there will be no savings. The $34.4 million in savings to providers arises from the removal of the requirement that MA providers and suppliers and Part D prescribers enroll in Medicare as a prerequisite for furnishing health care items and services. Part C providers and suppliers will save $24.1 million in reduced costs, while Part D providers will save $10.3 million in reduced costs.