Kusserow on Compliance: OIG’s planned work for home health agencies

Home Health Agencies (HHAs) remain one of the top enforcement priorities for the DOJ and HHS Office of Inspector General (OIG). Considerable OIG investigative resources are devoted to HHA fraud. However, the OIG auditors and evaluators are also focusing on HHA waste and abuse. For example, in May 2019, the OIG released several audit reports related to HHAs, including those for EHS Home Health, Excella Home Care, Great Lakes Home Health, and Metropolitan Jewish Home Care. The OIG found a number of deficiencies, including beneficiaries who were not homebound that were able to ambulate without assistance and perform home exercises, or had only a partial episode (wound healed). In addition, in many cases, documentation was not provided or did not support services. To continue its efforts in this area, the OIG has added several planned audits and evaluations related to HHAs, including the following:

  1. OIG will review supporting documentation to determine whether home health claims with 5 to 10 skilled visits in a payment episode, in which the beneficiary was discharged home, met the conditions for coverage and were adequately supported as required by federal guidance.

 

  1. Recent OIG reports disclosed high error rates at individual HHAs, consisting primarily of beneficiaries who were not homebound or who did not require skilled services. So, the OIG will continue its efforts regarding whether home health claims were paid in accordance with federal requirements.

 

  1. Using data from the CMS’s Comprehensive Error Rate Testing (CERT), the OIG plans to identify the common characteristics of “at risk” HHA providers that could be used to target pre- and post-payment review of claims.

 

  1. The OIG will review Medicare Part A payments to HHAs to determine whether claims billed to Medicare Part B for items and services were allowable and in accord with federal regulations. Generally, certain items, supplies, and services furnished to patients are covered under Part A and should not be separately billable to Part B. the OIG has previously found noncompliance with these Medicare billing requirements.

 

  1. The OIG will compare HHA survey documents to Medicare claims data to look for evidence of patients omitted from HHA-supplied patient information from select recertification surveys using Medicare claims data.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: New OCR Guidelines

The HHS Office for Civil Rights (OCR) issued a new guidance which points out a list of 10 violations where Business Associates (BAs) can be held directly liable. The guidance points out that where BAs may not be liable, the covered entity (CE) may be still on the hook for violations of those violations. As such CEs should carefully review their BA Agreements (BAAs) to ensure that they cover requirements that don’t directly apply to BAs but are still enforceable against CEs.

The OCR also notes that large data breaches also continue to dominate the press. The OCR recently cited among recent notable breaches that an EMR and software services provider allowed hackers access to 3.5 million patient records. Touchstone Medical Imaging (TMI), agreed to pay $3 million for a breach involving one of its FTP servers that contained PHI for over 300,000 patients. LabCorp received notice from American Medical Collection Agency (AMCA), a collection firm working on its behalf, regarding unauthorized access of 7.7 million patients’ PHI stored by AMCA. This announcement followed a similar one from Quest Diagnostics, in which they reported that AMCA’s breach affected 11.9 million of its patients.

Updates on OCR enforcement actions can be found at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Many states are not in compliance with mandates to conduct provider criminal background checks

CMS required all states to conduct criminal background checks on high-risk providers before allowing them to receive Medicaid payments by July 2018. CMS could consider as overpayments any payments made to high-risk providers in those states that have not undergone a criminal background check. Those providers must return to CMS the federal share of those overpayment. The OIG found that 18 states failed to comply with the requirement by a CMS deadline of July 2018 and 13 still had not complied as of January 1, 2019. States cited three reasons for not complying:

  1. A lack of authority:Three states said their Medicaid agencies did not have proper oversight power for these background checks, requiring legislative or executive action to do this.
  2. A lack of resources:One state reported it did not have the necessary staff to do the background checks.
  3. A lack of criteria to determine “high-risk providers”: One state said it was actively revising its criteria based on concerns from the provider community, delaying compliance.

The OIG recommended CMS to (1) ensure all States fully implement fingerprint based criminal background checks for high-risk Medicaid providers; (2) amend its guidance so that states cannot forgo conducting criminal background checks on high risk providers applying for Medicaid, unless Medicare has conducted the checks; (c) compare high risk Medicaid providers’ self-reported ownership information to Medicare’s provider ownership information to help states identify discrepancies. CMS concurred with the first recommendation.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Compliance officers cite HIPAA as their highest priority

The 2019 Compliance Benchmark Survey respondents reported that compliance officers are finding dealing with data breaches as their highest-ranked priority, with two-thirds of respondents citing HIPAA Security/Cyber-security and over half for HIPAA Privacy as their number one concern. This represented the biggest change since last year’s survey. Coupled with this finding was that nearly 75 percent of respondents reported the compliance office has assumed responsibility for HIPAA Privacy and nearly one-third assumed responsibility for HIPAA Security. So far this year, OCR has reportedly received upwards of a quarter million HIPAA privacy complaints.

The Survey did not focus on privacy laws and regulations emerging on the state level, nor did it provide much understanding on how organizations and compliance offices were responding to the challenges. As such, a separate 2019 survey has been designed to gather that information along with a variety of other issues.  It is designed to provide a general understanding of levels and nature of current commitment to this area.  Those who wish to participate in the 2019 HIPAA Compliance Survey can do so by clicking on the following hyperlink.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.