Personal service care fraud; a growing problem for Medicaid

Medicaid personal care service (PCS) fraud cases made up a “substantial and growing” portion of cases investigated by the Medicaid Fraud Control Units (MFCUs), and greater oversight is recommended by the HHS Office of the Inspector General (OIG). In a report covering the PCS work of MFCUs over fiscal years 2012-2015, the OIG found that these cases comprised over 12 percent of the total investigations and accounted for 34 percent of the convictions (OIG Report, OEI-12-16-00500, December 6, 2017).

Background

Personal care services are those services that support daily living activities, including bathing and dressing, meal preparation, and transportation. PCS providers assist the elderly, people with disabilities, and individuals with chronic or temporary health conditions, allowing these persons to remain living in their homes and communities. PCS are typically delivered through either an agency-directed PCS or a self-directed PCS, through which beneficiaries hire and supervise their own provider. PCS are offered either as an optional benefit through a Medicaid State plan or through demonstration projects and waiver programs. States are required to develop their requirements and qualification standards for PCS providers, resulting in widely varying requirements across the country.

Growing percentage

The OIG found that during the three-year review period, PCS fraud cases made up a substantial and increasing number of MFCU cases and outcomes. In FY 2015, such cases made up 12 percent of total investigations, and over the review period they made up 38 percent of indictments and 34 percent of convictions. Furthermore, during the review period, indictments increased 56 percent and convictions increased 33 percent. Payments to PCS providers represented $13 billion out of $524 billion total Medicaid expenditures during FY 2015.

Recommendations and challenges

MFCUs have recommended that State Medicaid agencies either enroll PCS attendants as Medicaid providers or include PCS attendants in a provider registry. This would allow a unique provider identification number to be assigned to each PCS attendant and included on claims for reimbursement. Some form of enrollment or registration is needed, as the inability to identify individual PCS attendants restricts the ability to identify fraudulent providers. MFCUs have suggested that enrolling PCS attendants in Medicaid would better inform them about Medicaid procedures and requirements.

MFCUs have also recommended the use of background checks for attendants. They found that the current, minimal background check requirements could put vulnerable beneficiaries at risk. For example, a PCS attendant in Arizona pleaded guilty to theft and financial exploitation of a vulnerable adult, after having stolen checkbooks, cash, credit cards, and personal items belonging to the beneficiaries. The PCS agency checked for felony arrests and found none; the attendant had, however, numerous misdemeanor convictions and had previously lost her nursing assistant license.

The MFCUs have also recommended using additional documentation requirements, such as requiring PCS attendants to provide detailed or standardized timesheets and to show the start and stop times for the services. The currently minimal PCS documentation means that PCS claims data may not contain the identity of the PCS attendant, the number of hours worked, or the time of day during which the services were provided.

Lastly, the MFCUs recommended that State Medicaid agencies implement a variety of controls regarding oversight of PCS providers and their services. These controls include more frequent in-home supervisory visits, training for PCS attendants, and cross-referencing attendant and beneficiary location. For a variety of reasons, beneficiaries may be reluctant to report abuses, and more frequent in-home visits could curtail fraud.

Funding issues

The units reported that their efforts to protect beneficiaries are hamstrung by their ineligibility to receive Federal funding to investigate and prosecute complaints in nonfacility settings. Such complaints are often referred to other agencies. Those agencies often do not receive the same level of training on patient abuse and neglect that MFCU staff receive and may have severely strained resources.

Conclusions

The report found that the volume and increase of MFCU investigations and prosecutions indicate that PCS remain vulnerable to fraud. The report noted that the recommendations are similar to those made in previous reports and states that it is crucial that federal funding authority be expanded to allow MFCUs to investigate and prosecute cases of patient abuse and neglect in nonfacility settings.

Kusserow on Compliance: OIG report on research compliance through OHRP

The OIG conducted a study of the Office for Human Research Protections (OHRP) at HHS in response to Congressional requests that raised questions about its independence. The request was for the OIG to review OHRP procedures and make recommendations to strengthen protections for human subjects and ensure OHRP’s independence. OHRP enforces compliance with HHS regulations for protecting human subjects. Its mission is to protect the rights of human subjects, the individuals who volunteer to participate in research conducted or supported by HHS. The OIG conducted a survey of research institutions that were the primary subjects of the compliance evaluations about their experiences with the OHRP. The OIG also reviewed documents from eight compliance evaluations that had been closed, and interviewed OHRP staff, other HHS officials, and individuals with expertise in protections for human subjects.

OIG findings regarding OHRP

The OIG found that OHRP:

  • evidenced carrying out its compliance activities independently from agencies funding the research and the institutions conducting the research;
  • made decisions on how to use resources, resulting in fewer compliance evaluations, while increasing its use of other mechanisms in response to allegations;
  • determined the scope of its evaluations and what methods to employ;
  • was able to access the information it needed to conduct its compliance evaluations;
  • maintained documentation on its determinations;
  • may be limited in its ability to act independently due to its role, its placement within HHS, and the way its budget is set; and
  • may have the appearance of limited oversight and independence due to the practice of not reporting publicly on all of its compliance activities.

OIG Recommendations to HHS

The OIG recommended that HHS:

  1. issue guidance that clarifies OHRP’s role;
  2. re-evaluate OHRP’s position within HHS;
  3. evaluate sufficiency of OHRP’s resources;
  4. consider ways to elevate the prominence of OHRP’s budget (e.g. having a separate line item in the President’s budget);
  5. foster a shared understanding for OHRP’s independence by considering seeking statutory authority for OHRP’s independence; and
  6. post on OHRP’s website: (a) a description of its approach to oversight and (b) data (in aggregate) regarding its compliance activities.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Questions Boards should be asking their compliance officer

Effective compliance programs require top-down commitment, beginning at the Board level, to oversee and support their implementation and operation. The Board should have a committee to do this. The OIG compliance guidance calls for a Board-level committee to oversee the Compliance Program (CP). The HHS Inspector General, Dan Levinson, has noted that the best boards are those that are active, questioning, and exercise (constructive) skepticism in their oversight. He further stated that Boards have a duty to ask probing questions about the operation of the Compliance Program, including how the compliance reporting system works and what reports they can expect on the reporting of compliance issues. They have a duty to ask probing questions about the goals and objectives of the compliance program. The problem for most Boards is knowing what type of questions they should be asking. Compliance Officers should assist them with this problem; however, they in turn should be prepared to provide full and complete answers. The OIG and the American Health Lawyers Association developed specific suggested questions that Boards should be asking about the compliance program, to which the compliance officer should be prepared to provide proper responses. They jointly produced “Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors” and “Corporate Responsibility and Health Care Quality (2007): A Resource for Health Care Boards of Directors.” The following are drawn from these advisory documents:

  1. Does the compliance officer have sufficient authority to implement the program?
  2. What are the resources necessary to properly implement and operate the program?
  3. Has the compliance officer been given sufficient resources to carry out the mission?
  4. Have compliance-related responsibilities been delegated across all levels of management?
  5. What evidence is there that all employees are held equally accountable for compliance?
  6. How has the code been incorporated into corporate policies across the organization?
  7. What evidence is there that the code is understood and accepted across the organization?
  8. Has management widely publicized the importance of the code to all of its employees?
  9. Are there compliance-related policies that address operational compliance risk areas?
  10. Are there policies/procedures for the compliance program operation?
  11. How often are compliance-related policies reviewed and updated?
  12. What is the scope of compliance-related education and training?
  13. What evidence is there that compliance training is effective?
  14. What measures are taken to enforce training mandates?
  15. What evidence is there that employees understand what is expected of them regarding compliance?
  16. How are compliance risks identified?
  17. What is the evidence that identified compliance risks are being addressed?
  18. How is the compliance program structured to address such risks?
  19. Does the compliance program undergo periodic independent effectiveness evaluation?
  20. What is the process for evaluating and responding to suspected compliance violations?
  21. What kind of training is provided to those who conduct investigations of reported violations?
  22. How does Compliance, HRM & Legal Counsel coordinate resolving compliance issues?
  23. What are the policies to ensure preservation of relevant compliance program documents and information?
  24. What policies address protection of “whistleblowers” and those accused of misconduct?
  25. What are the results of ongoing compliance monitoring by all program managers?
  26. How is ongoing compliance auditing being performed and by whom?
  27. How often is sanction-screening conducted, and with what results?
  28. What are the results from sanction-screening and are they certified by responsible parties?
  29. Has the compliance program been evaluated for effectiveness by a qualified independent reviewer?
  30. What evidence is there concerning hotline operation and follow-up investigations?
  31. What are the metrics being used to evidence compliance program effectiveness?
  32. What are the results of an independent review and assessment of the compliance program?

Kusserow on Compliance: The OIG on Health IT security

Many are not aware that the HHS OIG boasts an A-class team that focuses on IT controls and engages in what they refer to as penetration testing, or “hacking” into IT systems and networks. With 100 million health care records already compromised and medical records serving as a top target for hackers, healthcare-related cybersecurity has become a high priority for the OIG. Health IT offers some unique challenges, in that health records are for a lifetime, whereas credit cards may have a shelf life, if they’re compromised, of just a day or two. This makes them very valuable for criminals, who can often realize 60 times more than what a stolen credit card can yield on the dark web. Compromised health information could have wide-ranging consequences, including affecting credit and even someone filing a false tax return with the information. In addition to people’s personal information, there is concern about health care provider and managed care proprietary information.

The OIG IT audits begin with setting an audit objective, which varies according to what they are trying to accomplish. The OIG desires to provide transparent and objective assessments of the security posture of the systems within HHS and those that receive funding from HHS. The OIG engages in penetration testing as a means to help address IT vulnerabilities. By engaging in penetration testing, or “hacking into” IT networks, the OIG is able to provide chief information officers, and sometimes CFOs, with information regarding particular vulnerabilities. Among the common tests of IT systems is determining whether passwords are being changed periodically. The OIG’s stated guiding philosophy is that “what gets checked gets done.” By identifying vulnerabilities, they draw management attention to addressing them and raise management’s awareness of cybersecurity.

The OIG wants to ensure that funds for cybersecurity, and ultimately for technology, are being used judiciously, and overall the OIG is working every day to protect sensitive personal and proprietary data. The OIG is using its resources to enhance awareness around cybersecurity. The OIG focuses much of its resources on IT controls for the Medicare enrollment database; however, the OIG does not confine its work to the Medicare and Medicaid space. The OIG is also looking at IT security at NIH, Indian health hospitals throughout the country, and FDA information on drugs and medical devices. The OIG typically addresses reports to senior-level personnel, such as the CEO and Chief Information Officer, and often addresses reports to state administrators for Medicare and Medicaid.
