Kusserow on Compliance: GAO calls for strengthening oversight of Managed Care organizations

Medicaid is a major commitment of federal and state budgets, with total estimated expenditures of $596 billion in fiscal year 2017—expenditures that rival the budget of the Department of Defense. States are permitted wide latitude in the design and implementation of their programs. The resulting diversity of the program and its size make it particularly challenging to oversee at the federal level. The Government Accountability Office (GAO), in testimony before Congress, reported last year that it estimated about $37 billion in improper payments, which accounted for about 26 percent of government-wide improper payments. The GAO testimony called for increased oversight of Medicaid providers and managed-care plans, and was critical of the Obama administration’s lax auditing of Medicaid insurers as millions joined the rolls through expansion. During the same hearing, the CMS Administrator responded that the structure of expansion, with the 90 percent match and an open-ended entitlement, is an incentive for the states to spend more and more.

Highlights of GAO recommendations to CMS

  1. Clearly establish approval criteria and review processes to ensure supplemental payments of around $50 billion a year are identified and accounted for by states when setting future payment rates.
  2. Ensure demonstrations do not increase federal costs, and properly conduct evaluations to yield significant savings and better-informed policy decisions.
  3. Improve the Transformed Medicaid Statistical Information System to improve program oversight and collect complete and comparable data from all states.
  4. Conduct a fraud risk assessment and implement a risk-based antifraud strategy for Medicaid.
  5. Increase collaboration with the states to help reduce improper payments.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: CMS increases audits to address Medicaid fraud and abuse

In an effort to prevent Medicaid fraud and reduce improper payments, CMS is in the process of implementing eight “new or enhanced” program integrity initiatives and strategies to address the reported billions in improper Medicaid payments. These initiatives include targeted auditing of selected state programs and known vulnerabilities. The stated aim is to promote transparency and accountability. The CMS announcement noted that Medicaid spending has risen more than 26 percent in the three years leading up to 2017, from $456 billion to $576 billion. A significant part of the increase was a result of states expanding their Medicaid programs under the Patient Protection and Affordable Care Act (ACA). Most of this increase was covered by the federal government, with its share rising 38 percent, from $263 billion to $363 billion, over the same three-year period. CMS efforts include evaluating the impact of this expansion on program integrity. The announcement of the new initiatives followed a Senate hearing that lambasted CMS, reporting that Medicaid pays out $37 billion a year in improper payments, an increase of 157 percent since 2013. The new initiatives will be designed to address previously identified activities that harmed Medicaid’s program integrity, as well as problems identified by the GAO and OIG. They include:

  1. Targeted audits of certain state MCOs. CMS will review financial reports from MCOs in targeted states to ensure they match actual claims experience.
  2. New audits of beneficiary eligibility. States that had OIG reviews of Medicaid beneficiary eligibility will have follow-up determinations reviewed by CMS.
  3. Claims and provider data optimization. CMS will validate the quality and completeness of state-provided data in the Transformed Medicaid Statistical Information System (TMSIS) using data analytics and other techniques to improve data quality and to flag potential problems that require further investigation.
  4. Data analytics pilots. CMS will use analytics and other IT tools to optimize state-provided data and identify areas that need additional investigation.
  5. Provider screening on an opt-in basis. CMS will pilot a plan to screen Medicaid providers on behalf of states, in the belief that centralizing this process will improve efficiency and coordination across Medicare and Medicaid. This, in turn, should reduce state and provider burden, and address one of the biggest sources of error as measured by the Payment Error Rate Measurement (PERM) program.
  6. State-federal data sharing and collaboration. CMS is giving states access to the SSA’s master file of death records to help with managing provider enrollment.
  7. Publicly report state performance. The Medicaid scorecard will indicate how well states perform on certain measures pertaining to their Medicaid programs. This scorecard will include the state’s “integrity performance measures,” such as PERM.
  8. Provider education to reduce improper payments. CMS will bolster education efforts for Medicaid providers to reduce billing errors, including targeting comparative billing reports and provider-facing tools currently in development.

 

Kusserow on Compliance: Stark law to undergo interagency review

The CMS Administrator announced plans to convene an inter-agency group to focus on how to minimize the regulatory barriers created by the Stark law, which was established in 1989 and underwent expansion in the 1990s. Providers have raised concerns since the beginning of the law's implementation. The agencies involved in the review will include CMS, OIG, HHS General Counsel, and the DOJ. The Stark law prohibits doctors from referring Medicare patients to hospitals, labs and colleagues with whom they have financial relationships unless they fall under certain exceptions. It also prevents hospitals from paying providers more when they meet certain quality measures, such as reducing hospital-acquired infections, while paying less to those who miss the goals. As a result, the law is viewed as making it difficult for physicians to enter innovative payment arrangements because they are not susceptible to fair market value assessment—a Stark requirement. These prohibitions are seen as interfering with key factors related to value-based care. Unlike the Anti-Kickback Statute, which is enforced by the OIG, the Stark law is considered regulatory and falls under CMS jurisdiction. From a regulatory standpoint, there is only so much that CMS can do to make substantive changes. Any real changes in the law will have to come from Congress.

This is not the first time CMS has tried to ease the rules concerning the Stark law. In 2015, CMS published a proposed rule relaxing aspects of the Stark law, including easing some of the strict liability features of the law and CMS’ burden in dealing with the interpretation of key terms, requirements, and other issues. After reviewing an enormous number of self-disclosures, CMS realized that a large part of the docket involved arrangements that may technically violate the statute but do not actually pose significant risks of abuse. Therefore, it appears that CMS seeks to reduce the number of self-disclosures reported. However, the proposed update is also intended to account for recent changes relating to health care reform and advancements in patient care and payment methodologies. CMS wanted to ensure that Stark does not inhibit Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) reforms, and these are the same concerns driving the latest initiative.

Kusserow on Compliance: OCR releases new guidelines on software vulnerabilities and patching

The HHS Office for Civil Rights (OCR) recently released a report that focuses on software bugs and on patches designed to reduce the vulnerability of computer systems that put electronic personal health information (ePHI) at risk. The OCR noted that last year researchers discovered a widespread vulnerability in computer processors that were sold over the previous decade. These vulnerabilities, known as Spectre and Meltdown, allow “malware” to bypass data access controls and potentially access sensitive data. This security flaw has been present in nearly all processors produced in the last 10 years and affects millions of devices. Upon discovery of these defects, vendors scrambled to release patches that addressed this problem. Patch management plays an important role in maintaining HIPAA Security Rule compliance; without patches, vulnerabilities will not be fixed. The health care sector relies on software to manage ePHI, and organizations are required under the HIPAA Security Rule to use appropriate technical safeguards to ensure the security of ePHI, including the evaluation of software vulnerabilities, the assessment of potential risks, and the implementation of solutions to keep risk at a reasonable minimum. The OCR suggested the following for effective patch management:

  • Evaluate patches to determine if they apply to your software/systems.
  • Test patches on an isolated system for any unwanted side effects.
  • Once patches have been evaluated and tested, approve them for
  • Deploy patch installation on live systems.
  • Test and verify to ensure correct patch installation and no unforeseen side effects.
