Kusserow on Compliance: Recap of the OCR’s 2017 HIPAA enforcement

The HHS Office for Civil Rights (OCR) HIPAA Privacy Rule enforcement has been steadily increasing since it began the effort in 2003. Over the years, OCR has received over 175,000 HIPAA complaints and initiated nearly 1,000 compliance reviews. OCR investigations have resolved nearly 30,000 cases by requiring changes in privacy practices, taking corrective actions, or providing technical assistance to HIPAA covered entities and their business associates. OCR has been enforcing the HIPAA Rules where an investigation indicates noncompliance by the covered entity or their business associate. OCR investigations have ranged widely and included national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices. To date, OCR has settled or imposed a civil money penalty in about 60 cases resulting in a total dollar amount of about $75,000,000. The average of enforcement penalties has been about $1.5 million per case. In another 12,000 cases, no violations were found. In another 25,000 cases, OCR intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation. In the balance of over 100,000 cases, OCR determined that the complaint did not present an eligible case for enforcement because OCR lacked jurisdiction, the complaint was untimely or withdrawn by the filer, or the activity described did not violate HIPAA.

 

Cases that OCR closes fall into five categories:

 

  1. Resolved without investigation. OCR closes these cases after determining that OCR lacks jurisdiction, or that the complaint, referral, breach report, news report, or other instigating event will not be investigated. These include situations where the organization is not a covered entity or business associate and/or no protected health information (PHI) is involved; the behavior does not implicate the HIPAA Rules; the complainant refuses to provide consent for his/her information to be disclosed as part of the investigation; or OCR otherwise decides not to investigate the allegations.

  2. Technical assistance only. OCR provides technical assistance to the covered entity, business associate, and complainant through early intervention by investigators located in headquarters or a regional office.

  3. Investigation determines no violation. OCR investigates and does not find any violations of the HIPAA Rules.

  4. Investigation results in corrective action. OCR investigates and provides technical assistance to or requires the covered entity or business associate to make changes regarding HIPAA-related privacy and security policies, procedures, training, or safeguards. Corrective action closures include those cases in which OCR enters into a settlement agreement with a covered entity or business associate.

  5. Other. OCR may investigate a case if (a) DOJ is investigating the matter; (b) it was as a result of a natural disaster; (c) it was investigated, prosecuted, and resolved by state authorities; or (d) the covered entity or business associate has taken adequate steps to comply with the HIPAA Rules, not warranting deploying additional resources.

 

Order of frequency of issues investigated

 

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Use or disclosure of more than the minimum necessary protected health information; and
  • Lack of administrative safeguards of electronic protected health information.

 

Most common types of entities resulting in corrective actions

 

  • General hospitals;
  • Private practices and physicians;
  • Outpatient facilities;
  • Pharmacies; and
  • Health plans (group health plans and health insurance issuers).

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Using experts to staff gaps in the compliance office

It is becoming increasingly common for changes in compliance programs to lead to “gaps” that can leave an organization without day-to-day management or support. This can result in serious problems and potential liability, especially at a time when mandatory compliance requirements are under development and there are increasing expectations for compliance by the Department of Justice (DOJ), HHS Office of Inspector General (OIG), and CMS. With the heightened enforcement environment, leaving such a gap can be risky. All this makes finding a properly qualified replacement in a timely manner a relatively high priority, but not an easy task. In many cases, the gap is not with the chief compliance officer, but with compliance managers or other professionals in the office. In any case, finding and hiring a properly experienced and qualified person may be difficult and time consuming. The quick fix of designating someone internally to do the work, until a permanent replacement can be recruited, is unwise and may be downright dangerous. For smaller organizations, it is not likely there is anyone who is sufficiently qualified to carry out all the duties. It is also not good for someone to take on those duties temporarily and make decisions that may haunt them when they return to their old job. Also, making some decisions, when not properly trained or qualified, may create a potential problem for the organization. What is worse is selecting someone to take on the role of compliance officer as a temporary set of secondary duties to their current job. This will always lead the individual to continue giving priority to their regular job and do as little as possible in compliance. As such, it is not surprising that many turn to engaging temporary experts to fill the gap until a suitable replacement can be found.

A properly qualified outside expert acting in a temporary capacity has a lot of advantages. They bring the experience of having served in other organizations and dealing with many of the same issues already addressed by prior jobs. Important also is that they have not been invested in any prior decisions, nor have they been aligned with any parties in the organization. Most importantly, they bring “fresh eyes” to the program. They can provide a lot of added benefits, such as:

  • Offering suggestions and giving guidance for improvements
  • Providing an independent assessment of the status of the compliance program
  • Making an assessment of high-risk areas that warrant attention
  • Giving ideas on building a firmer foundation for the compliance program
  • Reviewing adequacy of the existing code, compliance policies, and other guidance
  • Evaluating the quality and effectiveness of compliance training
  • Developing a “road map” for the incoming compliance officer to follow
  • Assisting in identifying and evaluating candidates for the permanent position
  • Assessing resources needed to effectively operate the compliance program
  • Identifying or building metrics that evidence compliance program effectiveness
  • Developing comprehensive briefings for management and board on the state of the program

 


Report shows vulnerabilities in management of CMS payment program

While CMS has made some progress towards addressing problems with the Quality Payment Program (QPP), a new report shows vulnerabilities remain regarding technical assistance for clinicians and the potential for fraud and improper payments. The HHS Office of the Inspector General (OIG) report noted that if CMS fails to sufficiently address these issues, clinicians may struggle to succeed under the QPP or choose not to participate. The report also found that CMS needs to put systems in place to effectively prevent, detect, and address fraud and improper payments.

CMS is implementing core provisions of the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) (P.L. 114-10) as the QPP, a set of clinician payment reforms designed to put increased focus on the quality and value of care. The QPP is a significant shift in how Medicare calculates payment for clinicians and requires CMS to develop a complex system for measuring, reporting, and scoring the value and quality of care.

Technical assistance

The report shows that if clinicians do not receive sufficient technical assistance, they may struggle to succeed under the QPP or choose not to participate. Clinician feedback collected by CMS demonstrates widespread basic awareness of the QPP, but also indicates uncertainty regarding details of participation such as who must report and how to submit data. CMS contractors have focused largely on general education initiatives, with fewer resources devoted to more customized, practice-specific technical assistance. CMS has established a Service Center to answer questions about the QPP by phone or email. Service Center data indicate that clinicians continue to have questions about both eligibility and scoring criteria, and that small practices, in particular, need information and assistance. Small practices and clinicians in rural or medically underserved areas, who may have fewer administrative resources and less experience with prior CMS quality programs, should be prioritized for assistance. The report stated, “Clinician feedback collected by CMS demonstrates widespread awareness of the QPP, but also uncertainty about eligibility, data submission, and other key elements of the program.”

Fraud

The report also found that if CMS does not develop and implement a comprehensive QPP program integrity plan, the program will be at greater risk of fraud and improper payments. To ensure that the QPP succeeds, CMS must effectively prevent, detect, and address fraud and improper payments. QPP payment adjustments are intended to reward high-value, high-quality care. Safeguarding the validity of Merit-based Incentive Payment System (MIPS) data and the accuracy of QPP payment adjustments is critical to ensure that these payments are based on clinicians’ actual performance. Appropriate oversight is critical to prevent fraud and improper payment adjustments. CMS needs to clearly designate leadership responsibility for QPP program integrity. CMS also needs to develop a comprehensive program-integrity plan for the QPP to ensure the accuracy of MIPS data submitted by clinicians. CMS said that it “is currently in the early stages of developing an oversight plan to QPP data.”

Kusserow on Compliance: OIG November 2017 Work Plan update

This year, the OIG is updating its annual Work Plan during the year, rather than annually. The OIG’s Work Plan sets forth various audits and evaluations that are underway or planned during the fiscal year and beyond. The updates will include the addition of newly initiated Work Plan items and the removal of completed items. In conducting its work, the OIG assesses relative risks in HHS programs and operations to identify those areas most in need of attention. In evaluating potential projects to undertake, the OIG considers a number of factors, including mandates set forth in laws, regulations, or other directives; requests by Congress, HHS management, or the Office of Management and Budget; top management and performance challenges facing HHS; work performed by other oversight organizations (e.g., GAO); management’s actions to implement OIG recommendations from previous reviews; and potential for positive impact. In addition to working on projects that often result in audits, reviews, and reports, the OIG also engages in a number of legal and investigative activities that are separately reported.

New projects

  1. Use of Funds by Medicaid Managed Care Organizations (MCOs). In 2015, Federal Medicaid managed care payments were approximately $161.8 billion, which was more than 40 percent of the $349.8 billion in total Federal expenditures for Medicaid. States continue to expand their use of managed care. To deliver services to Medicaid managed care enrollees, states contract with MCOs and make monthly capitation payments to those plans to provide enrollees with Medicaid-covered services. Appropriately set capitation rates help to ensure that adequate payments are made to provide services to beneficiaries. OIG auditors plan to examine how Medicaid funds received by MCOs are used to provide services to enrollees with results reported in 2019.

  2. Opioids in Medicaid: Concerns about Extreme Use and Questionable Prescribing in Selected States. The OIG Office of Evaluation and Inspection will focus on the problem of opioid abuse and overdose deaths that have reached crisis levels in the United States, with more than 33,000 Americans dying from it annually. These issues are of particular concern for Medicaid beneficiaries because they are more likely to have chronic conditions and comorbidities that require pain relief. Especially affected are beneficiaries who qualify through a disability. The OIG plans to identify beneficiaries who received extreme amounts of opioids through Medicaid and those cases that appear to involve doctor shopping or pharmacy shopping, as well as prescribers associated with these beneficiaries. This review will provide baseline data about beneficiaries receiving extreme amounts of opioids and prescribers with questionable patterns for opioids in Medicaid.

  3. Medicaid Services Delivered Using Telecommunication Systems. Medicaid pays for telemedicine, telehealth, and telemonitoring services delivered through a range of interactive video, audio or data transmission (telecommunications). Medicaid programs are seeing a significant increase in claims for these services and expect this trend to continue. OIG auditors will over the next year or two determine whether selected states’ Medicaid payments for services delivered using telecommunication systems were allowable in accord with Medicaid requirements.
