Kusserow on Compliance: OCR has a record number of significant settlements so far in 2017

The HHS Office for Civil Rights (OCR) has posted about 2,000 major breaches and more than a quarter million small breaches since 2009. The common denominator for many of the cases in which there was a settlement was that the covered entity or business associate (BA) suffered one or more breaches affecting more than 500 individuals sometime between 2011 and 2013. The OCR has started 2017 with a record number of significant settlements. The most recent is CardioNet, a wireless health services provider, which provides remote mobile monitoring of, and rapid response to, patients at risk for cardiac arrhythmias. The provider entered into a settlement for $2.5 million and implemented a corrective action plan for the disclosure of unsecured ePHI on a laptop that was stolen from a parked car. CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft, and its HIPAA Security Rule policies and procedures had not been implemented. The OCR has entered into a number of other significant settlements. Others who paid settlements for violating HIPAA requirements so far this year include Memorial Health Systems ($5.5 million); Children’s Medical Center in Dallas ($3.2 million); MAPFRE, a Puerto Rico life insurance company ($2.2 million); Presence Health in Chicago ($475,000); and Community Provider Network of Denver ($400,000). In all these cases, there was a requirement to take corrective actions.

2016 OCR Results

  • There were 329 data breaches affecting more than 500 individuals (a new record).
  • 225 OCR Phase 2 HIPAA compliance audits were conducted of covered entities and BAs.
  • No onsite audits were conducted.
  • No findings or notifications from the audits have been made.
  • The OCR intends to use the results from these audits to prepare a new and better audit tool in the future.
  • There was a large jump in fines imposed for HIPAA violations, which totaled about $24 million (versus a little more than $6 million and $8 million for 2015 and 2014, respectively).

OCR in 2017

  • The OCR’s stated intention is to conduct only a few onsite audits in 2017.
  • To date, the OCR has nearly reached the 2016 level of penalties imposed.
  • To date, about 100 data breaches affecting more than 500 individuals have been reported.
  • About a half million individuals have been affected by reported data breaches so far this year.
  • Only relatively few BAs were involved in any of the reported data breaches.

Enforcement actions most often come from the OCR when investigations into the root cause of a breach find systemic, often profound, failures of organizational programs to safeguard protected health information. This includes the failure to perform an information security risk assessment or to have a risk management plan to address gaps in the safeguards for information systems, both required actions under the HIPAA Security Rule. Tied to this has been insufficient development of policies and procedures for HIPAA compliance. Other actionable problems that resulted in the OCR imposing HIPAA corrective action plans (CAPs) included inappropriate delay in data breach reporting (reported more than 60 days after the date of discovery) and inadequate oversight of user setup and user management. There is also the continuing problem of organizations not implementing encryption technology on mobile devices.

Camella Boateng, a HIPAA consultant, reminds everyone that the recently enacted 21st Century Cures Act amends the HITECH Act to extend an individual’s right to access their PHI to data held by business associates. As such, it is more important than ever that entities make a self-audit a priority, so vulnerabilities can be detected and resolved before they come to the attention of the government. Furthermore, with a shifting focus toward BAs, it is important to avoid any potential partner that will not commit to signing a BAA.

Strong HIPAA Compliance Program Evidence

  • HIPAA policies and procedures;
  • HIPAA request forms for patients’ rights;
  • a complete notice of privacy practices;
  • established technical, physical, and administrative safeguards;
  • a regular HIPAA risk analysis;
  • a risk management plan to address gaps in the safeguards for PHI;
  • strong workforce education;
  • effective user management and oversight of systems with PHI;
  • auditing practices for verification of compliance;
  • ongoing evaluation of the current safeguards established by the organization;
  • strong oversight of user setup and user management;
  • encryption technology implemented on mobile devices; and
  • signed BAAs from all partners.


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: OIG Work Plan now being updated monthly

The OIG announced that its work planning process is being modified to be more dynamic, reflecting the adjustments made throughout the year in response to changing priorities and new emerging issues. As of June 15, 2017, the OIG will adjust its Work Plan on a monthly basis, rather than semi-annually as it has done previously, so that the published plan more closely aligns with the work planning process. The monthly updates will include the addition of newly initiated Work Plan items and the removal of completed items.

The Work Plan sets forth various audits and evaluations that are underway or planned during the fiscal year and beyond. Projects listed in the Work Plan span the Department and include CMS, public health agencies such as the Centers for Disease Control and Prevention (CDC) and National Institutes of Health (NIH), and human resources agencies such as Administration for Children and Families (ACF) and the Administration on Aging. The OIG also plans work related to issues that cut across departmental programs, including State and local governments’ use of Federal funds, as well as the functional areas of the Office of the HHS Secretary. In conducting its work, the OIG assesses relative risks in HHS programs and operations to identify those areas most in need of attention. In evaluating potential projects to undertake, the OIG considers a number of factors, including mandates set forth in laws, regulations, or other directives; requests by Congress, HHS management, or the Office of Management and Budget; top management and performance challenges facing HHS; work performed by other oversight organizations (e.g., GAO); management’s actions to implement OIG recommendations from previous reviews; and potential for positive impact.

New Projects Added


Billions in ‘transfers of value’ to physicians, hospitals by industry get DOJ attention

In calendar year (CY) 2015, over $7.5 billion in “transfers of value” were made by pharmaceutical companies to physicians and hospitals and reported through the federal Open Payments program, which in turn has caused the Department of Justice (DOJ) to focus on this area while investigating fraud in the health care system. In an HCCA-sponsored seminar titled “Sunshine, Open Payments, and Potential Conflicts of Interest,” Senior Compliance Executive C.J. Wolf, M.D., of Healthicity, noted that under the Open Payments program, CMS has now accumulated over 28 million records of transfers of value. CMS uses this vast repository of data to uncover outliers in payments, and as a result, industry and providers alike are very interested in how the Open Payments system affects their operations.

Open Payments

Under Section 6002 of the Affordable Care Act (ACA), manufacturers must disclose to CMS payments made to physicians and teaching hospitals. Manufacturers and group purchasing organizations must also report ownership and investment interests held by physicians. The HHS Office of Inspector General (OIG) included these aspects in its list of priorities in its 2017 Work Plan, with Medicare and Medicaid payments high on the list (see Focus remains on Medicare, Medicaid payments in 2017 OIG Work Plan, Health Law Daily, November 10, 2016).

The 2017 Work Plan also stressed that the OIG will determine how much Medicare paid for drugs and durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) ordered by physicians who had financial relationships with manufacturers and group purchasing organizations.

Wolf noted the DOJ has taken a keen interest in this area of open payments, as evidenced by actions such as Teva Pharmaceuticals USA, Inc., and its subsidiary IVAX, LLC, agreeing to pay a total of $27.6 million to the federal government and the State of Illinois in a settlement regarding allegations of false billing practices under the False Claims Act (see Teva Pharmaceutical to pay federal and state government $27.6 million to resolve false billing allegations, Health Law Daily, March 11, 2014).

Conflicts of interest

There are 11 payment “categories” that must be reported under the Open Payments program: (1) consulting fees, (2) honoraria, (3) gift, (4) entertainment, (5) food and beverage, (6) travel and lodging, (7) education, (8) charitable contribution, (9) royalty or license, (10) grant, and (11) research.

As part of the transparency initiatives under the ACA, the dollars that physicians receive from industry are reported and documented. Physicians and providers should be aware that these categories cover even compensation for serving as faculty or as a speaker for a non-accredited and non-certified continuing education program.

Because the Open Payments program also includes ownership interests that physicians or their immediate family members have in various companies, and the data is then made available to the public each year, accurate reporting is paramount.

Kusserow on Compliance: HHS OIG reports on identified improper payments

In its Semi-Annual Report for 2017, the OIG announced that improper payments reported in the HHS financial statements have shown a steady increase over the last several years. In FY 2016, HHS reported estimated improper payments of more than $96 billion. During the first half of 2017, the OIG issued a number of audits that identified improper payments for a variety of reasons.

Eligibility Determinations

  1. Express Lane Eligibility. Under the express lane eligibility option, which allows States to expedite and simplify enrollment in Medicaid and the Children’s Health Insurance Program (CHIP) by relying on findings from other agencies’ eligibility determinations, the OIG estimated that improper Medicaid payments on behalf of potentially ineligible beneficiaries totaled $284.1 million. CHIP payments for potentially ineligible beneficiaries totaled $10.6
  2. Payments after death. Medicare and Medicaid continued to make improper payments on behalf of beneficiaries who are deceased. During this reporting period, the OIG found that Florida did not always stop making capitation payments to Medicaid managed care organizations (MCOs) after a beneficiary’s death, resulting in more than $26 million in
  3. Incarcerated beneficiaries. The OIG continued its work reviewing inappropriate payments for incarcerated beneficiaries, recently reporting that CMS has not taken steps to recoup $34 million in potentially improper payments made on behalf of incarcerated

Improper Payments for Medical Devices and Services

  1. Chiropractic Services. Based on the OIG’s sample results, the agency estimated that $358.8 million (82 percent) of $438.1 million paid by Medicare for chiropractic services was
  2. Room and Board Costs Associated with HCBS Waiver Program Payments. State Agencies claimed at least $176 million in unallowable Medicaid reimbursements for services under the HCBS waiver
  3. Cochlear Devices. Medicare spent $2.7 million inappropriately for cochlear devices (hearing aid devices) that were replaced without cost to the hospital or

The OIG also reported that it has a body of work looking at situations where providers billed for goods and services at higher rates than allowed by program regulations. In this reporting period, the OIG looked at how a hospital’s reporting of inaccurate wage data affected Medicare payments for hospital services.
