Kusserow on Compliance: The OIG on Health IT security

Many are not aware that the HHS OIG boasts an A-class team that focuses on IT controls and engages in what they refer to as penetration testing or “hacking” into IT systems and networks. With 100 million health care records already compromised and medical records serving as a top target for hackers, healthcare-related cybersecurity has become a high priority for the OIG. Health IT offers some unique challenges, in that health records are for a lifetime, whereas credit cards, if they’re compromised, may have a shelf life of just a day or two. This makes health records very valuable for criminals, who can often realize 60 times more than what a stolen credit card can yield on the dark web. Compromised health information could have wide-ranging consequences, including affecting credit and even someone filing a false tax return with the information. In addition to people’s personal information, there is concern about health care provider and managed care proprietary information.

The OIG IT audits begin with setting an audit objective, which varies according to what they are trying to accomplish. The OIG desires to provide transparent and objective assessments of the security posture of the systems within HHS and those that receive funding from HHS. The OIG engages in penetration testing as a means to help address IT vulnerabilities. By engaging in penetration testing or “hacking into” IT networks, the OIG is able to provide chief information officers, and sometimes CFOs, with information regarding particular vulnerabilities. Among the common tests of IT systems is determining whether passwords are being changed periodically. The OIG’s stated guiding philosophy is that “what gets checked gets done.” By identifying vulnerabilities, they draw management attention to addressing them and raise its awareness of cybersecurity.

The OIG wants to ensure that funds for cybersecurity, and ultimately for technology, are being used judiciously, and overall the OIG is working every day to protect sensitive personal and proprietary data. The OIG is using its resources to enhance awareness around cybersecurity. The OIG focuses much of its resources on IT controls for the Medicare enrollment database; however, the OIG does not confine its work to the Medicare and Medicaid space. The OIG is also looking at IT security at NIH, Indian health hospitals throughout the country, and FDA information on drugs and medical devices. The OIG typically addresses reports to senior level personnel, such as the CEO and Chief Information Officer, and often addresses reports to state administrators for Medicare and Medicaid.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Measuring compliance program effectiveness using validated and reliable knowledge surveys

The OIG, from its earliest compliance guidance documents, has recommended the use of “[q]uestionnaires developed to solicit impressions of a broad cross section” of the workforce. Evaluating effectiveness through the use of questionnaires or surveys can measure the compliance culture and/or knowledge of the organization. Such surveying of employees is one of the two methods suggested for evidencing compliance program effectiveness by the HHS OIG in its Compliance Guidance for Hospitals and Supplemental Guidance for Hospitals. The agency noted that “as part of the review process, the compliance officer or reviewers should consider techniques such as…using questionnaires developed to solicit impressions of a broad cross-section of the hospital’s employees and staff.” It further reinforced this by stating it “recommends that organizations should evaluate all elements of a compliance program through ‘employee surveys.’” The OIG also stated that “[t]he existence of benchmarks that demonstrate implementation and achievements are essential to any effective compliance program.”

Steve Forman, CPA, has 35 years of experience as a compliance officer and health care compliance consultant. He has used compliance surveys for over 20 years to measure program effectiveness and has found them to be an extremely inexpensive method to provide great insight into the compliance program’s effectiveness. However, he notes that it is critical that the survey being used has been professionally developed, as well as validated and tested over many organizations. In addition, it is necessary for employees to have confidence that their scoring will not be attached to them. This means that the survey needs to be independently administered in a way that ensures the confidentiality and anonymity of participants. It is very useful for organizations to gain feedback from employees by querying them on their knowledge of the compliance program elements drawn from their general observations and personal experiences. Results from a survey can evidence employees’ knowledge, awareness, and understanding of the compliance program and are used to identify positives and weaknesses of the compliance program. It can provide empirical evidence of the advancement of program knowledge, understanding, and effectiveness.

Jillian Bower has been overseeing administration of knowledge surveys with health care organizations for more than 6 years at the Compliance Resource Center (CRC). The CRC has been employing compliance surveys since 1993. The most popular survey for Compliance Officers is the Compliance Knowledge Survey©, which tests knowledge of the compliance program’s structure and operations, including the understanding of the role of the Compliance Officer, how the hotline functions, etc. It specifically focuses on the OIG’s seven elements of an effective compliance program and uses simple closed-ended questions with “Yes” and “No” answer choices, requiring no more than 20 to 30 minutes to complete. Reports from this survey run 30 pages or more and include tips for addressing weaknesses, and they benchmark results against the universe of those who have used the same survey in three ways: (a) overall results, (b) by topic, and (c) individual questions. The biggest benefit of the Compliance Knowledge Survey© is being able to benchmark the results of an organization with the universe of those that have used the same survey by overall results, topical areas, and by question.

Carrie Kusserow, with 15 years of experience as a compliance officer and consultant, has found that reports of survey results can evidence both strengths in the compliance program and areas of opportunity for improvement in the Compliance Program. It is one way that compliance program effectiveness can be objectively measured with credible metric evidence. Using the same survey over time permits measurements that can benchmark progress in Compliance Program development and in tracking improvements.

Al Bassett, JD, has assisted in building and evaluating compliance program effectiveness more than just about anyone in the country over the last 20 years. He has routinely employed employee surveys as a tool to obtain the most out of a compliance effectiveness review. He has found that a compliance knowledge survey parallels and reinforces his findings from document reviews, observation of program operations, and interviews of key staff. In addition, he has surveys administered to provide the foundation for focus group meetings. Findings from a survey can identify potential weaknesses, but do not explain the “why” for the issue. He cautions that for reliable and credible results, the survey should be professionally developed and administered. From experience he notes that internally developed questionnaires naturally raise employee suspicion that the questions are being designed to bias the results in favor of the organization. There is also the concern that if administered internally, anonymity in responding to questions would be lost. Another issue is that the credibility of the results is not likely to provide convincing evidence to any outside authorities. A properly developed survey will also address response-set bias, where respondents may always answer the questions as “yes” or “no”. It is therefore important to have a few reverse-scored questions included.

Kusserow on Compliance: Oncology remains high federal enforcement priority

Oncology continues to be a high enforcement priority for the DOJ, OIG, FBI, and CMS. The latest fraud investigation by the DOJ involves CCS Oncology, a large and prominent provider of cancer care. The reported question being investigated relates to possible billing irregularities involving Medicare and Medicaid. As with most cases related to oncology irregularities, the predication was by a “whistleblower.” The complaint alleges CCS billed for more expensive procedures than were actually performed, billed for procedures that never were performed, and performed medically unnecessary procedures on patients, among other violations, according to the source. The stream of cases is long enough to outline key factors that have led to settlements with the DOJ and OIG. Compliance Officers whose portfolio of responsibilities includes oncology services may wish to review the following to ensure none of these factors are at work in a manner that may trigger investigation.

Common Oncology Enforcement Issues

  1. Employees knowingly submitted false records to Medicare and Medicaid to increase revenue
  2. Claims submitted for services performed without required physician supervision
  3. Offering unnecessary treatments and services to patients
  4. Recruitment and treatment of terminal patients that should have been referred to hospice care
  5. Re-treatment of patients in excess of prescribed dosage limits
  6. Claims for services when physician reviews had not taken place
  7. Claims where treatment occurred without prior required IGRT scan
  8. Physicians allowed registered nurses to fill out prescriptions for medications
  9. Offering inducements (“kickbacks”) to patients by waiving their co-pays
  10. Conducting unnecessary fluorescence in situ hybridization (FISH) tests for bladder cancer
  11. Filing payment claims for GAMMA functions by improperly trained physicians and staff
  12. Seeking payments for tests whose results doctors had not reviewed
  13. Billing E&M services on the same day as a related procedure
  14. Double and over-billing Medicare for services that lacked supporting documentation
  15. Improperly billing for radiation treatment without proper physician supervision
  16. Submitting false claims for magnetic resonance imaging (MRI) services
  17. Billing for services that were not documented in the patients’ medical records
  18. Billing twice for the same services
  19. Misrepresentation of the level of a service provided to increase reimbursement
  20. Routinely waiving patient copayments as an inducement, then billing Medicare for them
  21. Claims for services not performed, not medically necessary, and/or not properly documented
  22. Claims for services rendered to patients referred by physicians benefiting from referral
  23. Purchasing cancer treatments from unlicensed sources for oncology practice
  24. Diluting patients’ chemotherapy treatments and delivering in a manner designed to extend period of treatment time
  25. Claims for medically unnecessary or improperly documented intensity-modulated radiation therapy (IMRT)
  26. Unsupported add-on claims for “special treatment procedures” and “specialty physics consults”
  27. Violating the Stark Laws and Anti-Kickback statute by rewarding referring physicians

 

Kusserow on Compliance: OIG reports on the Senior Medicare Patrol (SMP) program

The OIG issued a report on the 2016 performance data for the Senior Medicare Patrol (SMP) program. It is a program, little known to many people, designed to empower and assist Medicare beneficiaries, their families, and caregivers to prevent, detect, and report health care fraud, errors, and abuse through outreach, counseling, and education. SMPs are grant-funded projects of the HHS U.S. Administration for Community Living (ACL). They play a unique role in the fight against Medicare errors, fraud, and abuse. SMP volunteers and staff are viewed as “eyes and ears” in their communities, educating beneficiaries to be the first line of defense; a sort of “neighborhood watch” team. Their work involves conducting presentations to groups, exhibiting at events, and working one-on-one with Medicare beneficiaries; engaging volunteers to protect elderly persons’ health, finances, and medical identity while saving precious Medicare dollars, a cause that attracts civic-minded Americans; and receiving beneficiary complaints and determining whether they may involve fraud, errors, or abuse. When fraud or abuse is suspected, they make referrals to the appropriate state and federal agencies for further investigation.

The OIG used five performance measures pertaining to recoveries, savings, and cost avoidance, and another five performance measures relating to volunteer and outreach activities. In 2016, there were 53 SMP projects that had 6,126 total active team members who conducted 26,220 group outreach and education events that reached an estimated 1.5 million people. The projects also had 195,386 individual interactions with, or on behalf of, a Medicare beneficiary. The projects reported $163,904 in cost avoidance on behalf of Medicare, Medicaid, beneficiaries, and others. Savings to beneficiaries and others totaled $53,449. Expected Medicare recoveries totaled $2,672. Further, two projects provided information to federal prosecutors that resulted in settlements totaling an additional $9.2 million in expected Medicare recoveries. There were no expected Medicaid recoveries.

Compared to 2015, the projects reported much higher amounts for cost avoidance ($163,904, up from $21,533) and somewhat higher amounts of savings to beneficiaries and others ($53,449, up from $35,059). However, the projects reported significantly lower expected Medicare recoveries ($2,672, down from $2.5 million). The projects reported no Medicaid recoveries in either year. Some common examples of suspected Medicare fraud or abuse identified by the SMP include:

  • Billing for services or supplies that were not provided
  • Providing unsolicited supplies to beneficiaries
  • Misrepresenting a diagnosis, beneficiary’s identity, service provided, or other facts
  • Prescribing or providing excessive or unnecessary tests and services
  • Violating the participating provider agreement with Medicare by refusing to bill Medicare for covered services or items and billing the beneficiary instead
  • Offering or receiving a kickback (bribe) in exchange for a beneficiary’s Medicare number
  • Requesting Medicare numbers at an educational presentation or in an unsolicited phone call
  • Routinely waiving co-insurance or deductibles

The OIG noted that the projects may not be receiving full credit for recoveries, savings, and cost avoidance attributable to their work. It is not always possible to track referrals to Medicare contractors or law enforcement from beneficiaries who have learned to detect fraud, waste, and abuse from the projects. In addition, the projects are unable to track the potentially substantial savings derived from a sentinel effect, whereby Medicare beneficiaries’ scrutiny of their bills reduces fraud and errors.
