Kusserow on Compliance: Emerging government enforcement priorities for 2018

At the HCCA conference in April, there were several presentations regarding the government’s enforcement priorities. There were a number of emerging issues that were the subject of considerable attention: the opioid crisis, electronic health record (EHR) fraud, and telehealth/telemedicine. By far, the area given the most attention was the opioid crisis.  More than a dozen presenters included comments in their presentations on this subject, including presenters from the DOJ, OIG, CMS, and the OCR. This is not surprising in that last October the President declared this to be a national public health care crisis and marshaled regulatory and enforcement agencies to actively focus on steps to alleviate it. Other agencies not present at the HCCA are included in this effort, such as the FDA, FCC, CDC, Indian Health Service, Veterans Administration, Department of Defense TRICARE program, and others. At the federal and state level, there is increased legislative, regulatory, and enforcement actions activity related to substance abuse and behavioral health services. In January, the Attorney General announced the DEA was increasing its focus on pharmacies and prescribers who dispense unusual or disproportionate amount of such drugs. He also has created the Prescription Interdiction and Litigation (PIL) task force to aggressively deploy and coordinate all available criminal and civil law enforcement tools to address the crisis. Both DOJ and OIG presenters noted the July 2017 “take down” of 412 defendants in 41 different judicial districts. The defendants included over 100 doctors, nurses, and other medical license professionals. Together these individuals were responsible for over $1.3 billion in false billings.

The second most reported topic concerned cyber and IT security of Protected Health Information (PHI). This was a main topic in the presentation by OCR, but was alluded to in seven other presentations on cybersecurity and threats and complying with HIPAA Privacy and Security standards. The OCR reported that since 2009, there have been 2178 reports of breaches over 500 files with more than 300,000 cases of breaches affecting fewer than 500 files. The OCR has responded to over 170,000 complaints that resulted in over 25,000 cases being resolved with corrective action measures.  The OCR expects about 17,000 new complaints this year.  The top 10 recurring issues involve: (1) disclosure of sensitive paper information, (2) business associate agreements, (3) risk analysis, (4) failure to manage risks, such as with encryption, (5) lack of transmission security, (6) failure of ongoing auditing, (7) no patching of software, (8) insider threats, (9) improper disposal of records, and (10) insufficient backup of information and contingency planning.

Several sessions focused on physician arrangements and how they could implicate the Anti-Kickback Statute and Stark Laws.  Statistics from DOJ indicated the continuing trend of increased number of qui tam cases that has grown from 426 in 2015 to around 500 in 2017 with annual settlements averaging about $2.5 billion per year.

New cases involving Meaningful Use Fraud were reported with the promise that more new cases were under development.  Another area getting a lot of enforcement attention by the DOJ and OIG relate to telehealth and telemedicine. Cases surfacing now are focusing on claims arising from billings for these areas that did not qualify as such.  Only certain telehealth services are covered by Medicare and providers should take care to follow CMS guidance on what qualifies.

It is interesting to compare these priorities with results for the 2018 Compliance Benchmark Survey of compliance officers. There was no mention of the opioid crisis, as it was just an emerging national issue at the time the survey was taken. HIPAA security/cyber-security was the highest priority. It is troubling that corrupt arrangements with referral sources remains the number one regulatory and enforcement priority for the OIG and DOJ but is ranked fifth in priority to respondents. The other major and continuing enforcement priority related to claims submissions and that ranked third in priority by compliance officers.  A complementary webinar relating to this survey will be presented on May 9th.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Tips on what to expect from hotline vendors

The U.S. Sentencing Commission and HHS Office of Inspector General (OIG) make it clear that for any compliance program to be effective, it must have active compliance communication channels that meet defined capabilities. Translated, this means organizations must have an employee hotline that permits reporting sensitive matters outside the normal supervisory channels. The failure to establish a credible internal compliance reporting channels often drives individuals to report externally to the OIG and DOJ as “Whistlblowers.”  Internally operated and managed hotlines are generally a bad idea because they are extremely inefficient, costly, and seldom meet any minimum standards. Internal hotlines raise the question of whether anonymity is truly offered and whether employees will ever sufficiently trust calling an employee. It is therefore not surprising that 80 percent of organizations participating in the 2018 Compliance Benchmark Survey Study reported using a hotline vendor. Hotline vendors have the training and experience to handle complainants. However, determining who can provide the best service at the right price is a challenge.

 

What to Expect from Hotline Vendors

    1. Two levels of service are needed: (a) live operator answered calls and (b) a web-based reporting system which prompts individual complainants. Over the last decade there has been a marked trend towards reporting via the web—today web-based reporting almost equals operator answered calls. Organizations should pass on any vendor that does not provide both services.

     

    1. Avoid start up hotline services and ask for a statement of their experience. The more a service knows about hotline operations, the less likely they are to encounter problems or mishandle information.

     

    1. Use only vendors knowledgeable with issues, concerns, and regulatory issues unique to the health care sector. Also, ensure they recognize and ask the right questions about high risk areas identified by the HHS OIG, including those related to the Stark Law and the Anti-Kickback Statute.

     

    1. Avoid any vendor contract that won’t permit cancellations without cause with a simple 30-day written notice. Hotline vendors should hold clients by good service not by contracts. In any contract with a vendor, look to see if cancellation of service is restricted. If so, consider finding a way out of the arrangement and in obtaining service elsewhere.

     

    1. Vendor contracts should include a provision requiring a full written report within the same day of receipt of a call. Urgent matters should be reported immediately via phone.

     

    1. The hotline must provide an option for The U.S. Sentencing Commission, DOJ, and OIG call for anonymity in their guidelines. In the health care sector, nearly two-thirds of all hotline reporters request anonymity. Anonymity is generally in the best interest of the organization as there is no burden of protecting identity if it is unknown. The hotline vendor should have as part of their service a means of communication between the compliance officer and an anonymous reporter. Insist on having that included in the service.

     

    1. Avoid any vendor that provides reports by facsimile or email, as they are not secure and where PHI may be involved could be a complicating HIPAA privacy factor. Web-based reporting is the most secure with notification of a report being provided via email.

     

    1. Compare costs of service, keeping in mind that a vendor should be able to provide their services at a set fee that can be used for comparison purposes. A good rule of thumb is that the cost of a hotline service should not be more than $1 per employee per year. Periodically, compare costs of the vendor being used against other vendors. It may prove to be an opportunity to save money.

     

    1. Look for any inclusive vendor services, such as providing operating protocols for following up on allegations and complaints received through the hotline, as well as other related policies. More reputable firms also provide newsletters or report updates to keep clients up to date on issues relating to their hotline function. Find out what they offer.

     

    1. Look for a vendor that will provide personalized service and is easily accessible and responsible for any and all issues that arise under the contract. Avoid the frustration of interactive voice response (IVR) phone systems, which move callers from one office to another before reaching a stranger who may or may not be able to answer questions.

     

    1. Like any other vendor, the company should have at least one- to three-million dollars liability coverage.

     

    Richard Kusserow will be available to answer any questions related to hotlines at booth 412 at the Las Vegas HCCA Conference.

     

     

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Recap of the OCR’s 2017 HIPAA enforcement

The HHS Office for Civil Rights (OCR) HIPAA Privacy Rule enforcement has been steadily increasing since it began the effort in 2003. Over the years, OCR has received over 175,000 HIPAA complaints and initiated nearly 1,000 compliance reviews. OCR investigations have resolved nearly 30,000 cases by requiring changes in privacy practices, taking corrective actions, or providing technical assistance to HIPAA covered entities and their business associates. OCR has been enforcing the HIPAA Rules where an investigation indicates noncompliance by the covered entity or their business associate. OCR investigations have ranged widely and included national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices. To date, OCR has settled or imposed a civil money penalty in about 60 cases resulting in a total dollar amount of about $75,000,000. The average of enforcement penalties has been about $1.5 million per case. In another 12,000 cases, no violations were found. In another 25,000 cases, OCR intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation. In the balance of over 100,000 cases, OCR determined that the complaint did not present an eligible case for enforcement, because of lack of jurisdiction; complaints were untimely or withdrawn by the filer; or the activity described didn’t violate HIPAA;

 

Cases that OCR closes fall into five categories:

 

  1. Resolved without investigation. OCR closes these cases after determining that OCR lacks jurisdiction, or that the complaint, referral, breach report, news report, or other instigating event will not be investigated. These include situations where the organization is not a covered entity or business associate and/or no protected health information (PHI) is involved; the behavior does not implicate the HIPAA Rules; the complainant refuses to provide consent for his/her information to be disclosed as part of the investigation; or OCR otherwise decides not to investigate the allegations.

 

  1. Technical assistance only. OCR provides technical assistance to the covered entity, business associate, and complainant through early intervention by investigators located in headquarters or a regional office.

 

  1. Investigation determines no violation. OCR investigates and does not find any violations of the HIPAA rules.

 

  1. Investigation results corrective action obtained. OCR investigates and provides technical assistance to or requires the covered entity or business associate to make changes regarding HIPAA-related privacy and security policies, procedures, training, or safeguards. Corrective action closures include those cases in which OCR enters into a settlement agreement with a covered entity or business associate.

 

  1. Other. OCR may investigate a case if (1) DOJ is investigating the matter; (b) it was as result of a natural disaster; (c) it was investigated, prosecuted, and resolved by state authorities; or (d) the covered entity or business associate has taken adequate steps to comply with the HIPAA Rules, not warranting deploying additional resources.

 

Order of frequency of issues investigated

 

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Use or disclosure of more than the minimum necessary protected health information; and
  • Lack of administrative safeguards of electronic protected health information.

 

Most common types of entities resulting in corrective actions

 

  • General hospitals;
  • Private practices and physicians;
  • Outpatient facilities;
  • Pharmacies; and
  • Health plans (group health plans and health insurance issuers).

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Extending and economizing compliance programs—tools, services and tips

Compliance officers are confronted with a host of ever increasing external regulatory and internal demands with most having inadequate resources to meet all the challenges.  Furthermore, it is becoming increasingly common to add responsibility for HIPAA Privacy to the portfolio of compliance officers’ duties. All of this results in ongoing efforts to find ways to extend capabilities, while being sensitive to limited available resources. There are finite options available. Of course, the preference is to handle all this with internal staff. However, unfortunately for most compliance officers, limitations on increased office staffing limits this option. In some cases, organizations turn to Out-Sourcing their compliance program. This is most often done as a measure to temporarily fill gaps with an Interim Compliance Officer (ICO) when an incumbent leaves, or smaller organizations contracting the function out to an individual or firm to assume responsibility by providing a Designated Compliance Officer (DCO). Co-Sourcing is a third option and “middle ground” between hiring new staff (In-Sourcing) and Out-Sourcing and may prove to be the best strategy available for compliance officers to take huge pressures away, if implemented correctly. It involves using limited vendor services and tools to address key elements in the compliance program.

Co-Sourcing Compliance Services/Tools

The key factor that separates Out-Sourcing from Co-Sourcing is the maintaining control and direction under the compliance officer. It involves using a third-party on an ongoing basis to supplement limited staff resources by carrying part of the workload. It can help bridge the gap without compromising the ability to easily return to a structure where the compliance officer reassumes full operation when staffing issues are resolved. This approach is also recognized by the OIG as a useful solution to where an organization is limited in-house compliance expertise and resources. Compliance Officers are increasingly employing this as a means as a practical solution when confronted with a staffing shortage and offers the advantage of using limited, rather than full time services. It also may permit gaining access to a range of specialist without having them full time on payroll.

Common Types of Co-Sourcing Tools/Services

Co-Sourcing Expert Services

There are a number of advantages of engaging outside experts for limited scope of work, especially to address staff shortage or obtaining technical skills that do not exist in-house. Careful use of vendors to supplement the Compliance Office can not only gain access to experts not available in-house, but can save time, money, and effort; while maintaining flexibility to end an arrangement at anytime, when no longer needed. The following are common examples of Co-Sourced services:

Co-Sourcing Tips

  1. Clearly define duties, tasks, responsibilities, and methodology for vendor to follow.
  2. Ensure the agreement is flexible to expand or contract levels of service as needed.
  3. Look for providers that have industry specific expertise.
  4. Check experience and seek references of the firm.
  5. Ensure individuals provided have the needed skills, experience, and expertise.
  6. Bigger is not always better, as smaller niche firms are more likely to provide better, less expensive services.
  7. If planning to Co-Source for multiple tools and services, consider seeking discounts for a “bundling” arrangement.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.