Highlight on Mississippi: OIG finds a big ‘Miss’ in state’s Medicaid reimbursement

The Mississippi state Medicaid agency claimed over $21 million in unallowable school-based administrative costs over a three-year period, according to an OIG review of the state’s school-based and community-based administrative costs. The improper reimbursement request arose from inadequate documentation and sampling.

Administrative Costs

For Fiscal Years 2010 through 2012, Mississippi claimed school-based administrative costs, which are considered public assistance costs, totaling nearly $42.4 million. The OIG conducted a review of the state’s administrative costs because of the significant amount claimed and the fact that the state had not submitted a cost allocation plan (CAP). School-based Medicaid administrative costs are reimbursable when the costs are for activities that directly support identifying and enrolling potentially eligible children in Medicaid.

Not Reimbursable

The OIG determined that the state Medicaid agency claimed costs in violation of federal requirements. Specifically, the state agency used statistically invalid random moment sampling (RMS) to allocate its Medicaid costs and did not maintain adequate support to validate its sample results and related extrapolations. When evaluating the legitimacy of the RMS, the OIG found duplications on participant lists, improperly documented employee schedules, and sampling that included improper days like holidays. Additionally, sample data was not properly stored and could not be duplicated to ensure accuracy.

Additionally, under 45 C.F.R. Sec. 95.507(a), states must submit to the division of cost allocation (DCA) a CAP that follows federal requirements. The state submitted $42,399,301 ($21,199,651 in FFP) in school-based Medicaid administrative costs without promptly submitting all of the necessary information to DCA.

Recommendations

The OIG recommended the state agency:

  • refund $21,199,651 to the Federal Government;
  • revise its implementation plan and amend its CAP to both address the statistical validity issues identified and incorporate CMS’s sampling documentation requirements;
  • implement policies and procedures to ensure that its RMS complies with Federal requirements for statistical validity;
  • maintain adequate support, including all information necessary to reproduce and verify its sample results, for school-based administrative costs allocated to Medicaid;
  • promptly submit to DCA for review and approval its future CAP amendments describing its procedures for identifying, measuring, and allocating costs to Medicaid; and
  • review school-based Medicaid administrative costs claimed after the audit period and refund unallowable amounts.

Response

The State agency disagreed with the OIG’s comments but did not address the recommendations. The state agency disagreed that its RMS was statistically invalid and asserted that it was, instead, properly documented.

Highlight on Wisconsin: As opioid overdose and deaths rise, state seeks $15.7 million in SAMHSA support

The rate of opioid overdose deaths in Wisconsin has risen approximately 81 percent from 2006 through 2015, according to a new Wisconsin Department of Health Services (DHS) report, titled “Select Opioid-Related Morbidity and Mortality Data for Wisconsin.” In response, the Wisconsin DHS has submitted an application for up to $15.7 million in federal funding to boost the state’s response to the growing misuse and abuse of opioids from the Substance Abuse and Mental Health Services Administration (SAMHSA). The amount of the grant is based on the unmet need for opioid-related treatment and the number of opioid-related deaths in the state. Wisconsin is eligible to receive up to $7,636,938 each year for the next two years under the 21st Century Cures Act.

The DHS report provides statewide and county-level data on opioid-related deaths and hospital visits, neonatal abstinence syndrome (NAS) (in which an infant is born with withdrawal symptoms from substances taken by the mother), and data on ambulance runs in which naloxone (a medication used to reverse opioid overdose) was administered. The report includes these data highlights:

  • The rate of opioid overdose deaths increased from 5.9 deaths/100,000 residents in 2006 to 10.7 deaths/100,000 in 2015.
  • Rates of drug overdose deaths involving opioids were higher among counties in the southeastern region of the state (Milwaukee area), and higher among men compared with women.
  • Drug overdose deaths involving opioids were highest among young men aged 25-34, and among women aged 35-54.
  • Hospital visits involving opioid acute poisoning (including overdose) increased from 25.3 to 52.0 per 100,000 between 2006 and 2014.
  • The rate of ambulance runs in which naloxone was administered rose from 51.2 to 67 per 100,000 from 2011 to 2015.
  • The rate of NAS increased from 2.0 to 8.7 per 1,000 live births from 2006 to 2014, a rate increase of 335 percent.

In 2016, DHS issued a Public Health Advisory due to the opioid epidemic. In 2017, Governor Scott Walker called for a special session of the legislature to consider recommendations presented by the Governor’s Task Force on Opioid Abuse. New legislative proposals will build on efforts already underway under the HOPE (Heroin, Opioid Prevention and Education) agenda, which includes 17 bills aimed at prevention and treatment of opioid addiction and overdose.

Pending approval from SAMHSA, the funds will be used to:

  • Support community coalitions focused on reducing the nonmedical use of opioids among people age 12 to 25.
  • Establish a hotline to provide information on treatment services and recovery supports.
  • Expand access to treatment for uninsured and underinsured individuals.
  • Establish new opioid-specific treatment programs to reduce the distance people have to travel for these services.
  • Establish a network of individuals in long-term recovery from the misuse and abuse of opioids trained to coach people through the treatment and recovery process.
  • Develop training for professionals on proven intervention and treatment strategies for opioid misuse and abuse.

 

Highlight on Florida: Prison for administrator involved in home health Medicare fraud conspiracy

Medicare was scammed of $2.5 million in false and fraudulent claims and another of the conspirators is heading to prison. A home health administrator was sentenced to 126 months in prison for his role in the scheme after a two-week jury trial convicted him in December 2016 of one count of conspiracy to commit health care fraud and wire fraud and one count to defraud the U.S. and pay and receive health care bribes and kickbacks.

While the administrator was the manager of Mercy Home Care Inc. and a billing employee for D&D&D Home Health Care Inc. in Miami-Dade County, Florida, he and others submitted false claims through the companies to Medicare between October 2014 and June 2015, based on services that were (1) not medically necessary, (2) not provided, and (3) for patients brought to the companies through payment of illegal kickbacks to providers and recruiters. The claims the administrator submitted to Medicare were based on forged prescriptions and falsified medical documentation, backdated so services were supposedly provided in prior years, and for beneficiaries who were coached to say they needed services when they were not homebound. According to evidence from trial, he also destroyed evidence prior to his arrest. Medicare paid approximately $2.5 million for false and fraudulent claims submitted by Mercy and D&D&D.

Ten other co-conspirators previously pleaded guilty or were convicted by the Southern District of Florida, including the owner and president of Nerey Professional Services, Inc. That co-conspirator was convicted of one count of receiving kickbacks in connection with a federal health care program and one count of conspiracy to defraud the U.S. and pay health care kickbacks and sentenced to 60 months in prison on May 27, 2016. According to evidence from trial, the co-conspirator was involved in the conspiracy to accept kickbacks in return for referring Medicare beneficiaries to Mercy and D&D&D to serve as patients, even those who did not qualify for home health care services, between October 2014 and September 2015.

Highlight on New York: Insurers subject to first-in-nation cybersecurity regulations affecting financial institutions

The nation’s first cybersecurity regulations governing financial institutions–including insurers–take effect March 1, 2017 in New York state. Noting that  “New York is the financial capital of the world,” Governor Andrew Cuomo (D) stressed the necessity of protecting consumers and financial systems from cyberattacks. The regulations require institutions to implement a cybersecurity program that includes regular assessments of information systems and the use of effective controls, requires compliance by third party vendors, and includes more stringent governmental reporting requirements than the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191).

The regulations apply to anyone operating under the Banking Law, Insurance Law, or Financial Services Law and specifically pertain to “nonpublic information.” Only electronic information qualifies as nonpublic information, which can be protected health information (PHI) as it is understood under HIPAA; business-related information that could materially and adversely impact the entity’s business, operations, or security; or any information concerning an individual that, when combined with specific data elements, including but not limited to Social Security and drivers’ license numbers, could identify the individual.

The regulations require covered entities to maintain a cybersecurity program based upon a required risk assessment. Risk assessments must be conducted on a “periodic” basis and “updated as reasonably necessary.” Entities must implement and maintain written cybersecurity policies, including policies governing vendor and third party service provider management and recurrent assessments and policies that allow for secure and periodic disposal of nonpublic information that is no longer necessary for business operations or other legitimate business purposes. They must also designate a chief information security officer (CISO) who is employed by the entity, an affiliate, or a third party service provider, and who will provide a written report to the covered entity’s board of directors at least annually.

While HIPAA does not require penetration testing, the New York regulations require annual testing and biannual vulnerability assessments, unless covered entities have in effect some other type of continuous monitoring or other system to detect changes in information systems that could create or suggest vulnerabilities. The regulations specifically require entities to limit user access privileges to nonpublic information and to periodically review those privileges. They also require multi-factor authentication whenever an individual accesses the entity’s internal network from an external network, unless the CISO has approved controls in writing that are at least reasonably equivalent. Encryption is required for all nonpublic information held or transmitted by the entity; if encryption is not feasible, the CISO must review and approve “alternative compensating controls” and review them at least annually.

Certain requirements do not apply to entities with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations, or less than $10 million in year-end total assets.

The regulations define a “cybersecurity event” as an act or attempt, successful or not, to gain unauthorized access to, or to disrupt or misuse an information system or the information stored in the system. Written incident response plans to cybersecurity events must detail the response process and its goals, including “the definition of clear roles, responsibilities and levels of decision-making authority.” Requirements for reporting to government entities are much stricter than those under HIPAA Breach Notification Rule, which requires entities to report breaches affecting 500 or more individuals to the HHS Secretary “without unreasonable delay,” but no more than 60 days since discovery of a breach, or, if affecting fewer than 500 individuals, within 60 days of the end of the calendar year in which the breach occurred.  The New York regulations, in contrast, require entities that are otherwise required to provide notice to the government or other self-regulatory agency or supervisory body, or who believe that a cybersecurity event is reasonably likely to materially harm the entity’s normal operations, to notify the Superintendent of the New York Department of Financial Services as soon as possible, but no more than 72 hours after determining that the event occurred.