Kusserow on Compliance: OIG adds six new projects in December to its Work Plan

In 2017, the HHS OIG moved to regularly update updating its Work Plan. In December, the OIG added six new projects that set forth various audits and evaluations that are underway or planned in the current fiscal year and beyond. In conducting its work, the OIG assesses relative risks in HHS programs and operations to identify those areas most in need of attention. In evaluating potential projects to undertake, the OIG considers a number of factors, including mandates set forth in laws, regulations, or other directives; requests by Congress, HHS management, or the Office of Management and Budget; top management and performance challenges facing HHS; work performed by other oversight organizations (e.g., GAO); management’s actions to implement OIG recommendations from previous reviews; and potential for positive impact. In addition to working on projects that often result in audits, reviews, and reports, the OIG also engages in a number of legal and investigative activities that are separately reported.

New Projects Added

  1. Status Update on States’ Efforts on Medicaid-Provider Enrollment. Provider enrollment is the gateway to billing in the Medicaid program. If this gateway is not guarded, Medicaid is at risk of fraud, waste, and abuse. Prior OIG work found many states had yet to complete fingerprint-based criminal background checks and site visits. CMS agreed with this and moved ahead to assist, however, CMS continues to extend the deadline for completion of fingerprint-based criminal background checks, indicating that states are still working on provider enrollment. The OIG plans to determine the extent to which states have completed fingerprint-based criminal background checks and site visits. For those not completing these steps, the OIG will inquire about challenges preventing them from completing this effort.

 

  1. Review of CMS Systems Used to Pay Medicare Advantage Organizations. CMS has designed its Medicare Part C systems to capture the necessary data in order to make increased hierarchical condition categories (HCC) payments to MA organizations. CMS is transitioning to a new data system to make these payments. The OIG will review the continuity of data maintained on current Medicare Part C systems, specifically instances in which CMS made an increased payment to an MA organization for a HCC and determine whether CMS’s systems properly contained a requisite diagnosis code that mapped to that HCC.

 

  1. State Compliance With Requirements for Reporting and Monitoring Critical Incidents. CMS requires states to implement an incident reporting system to protect the health and welfare of the Medicaid beneficiaries who receive services in community-based settings or nursing facilities. OIG previously found that some states did not always comply with federal and state requirements for reporting and monitoring critical incidents such as abuse and neglect. The OIG will review additional state Medicaid agencies to determine whether the selected states are in compliance with the requirements for reporting and monitoring critical incidents. The work will focus on beneficiaries residing in both community-based settings and nursing facilities.

 

  1. Paper Check Medicaid Payments Made to Mailbox-Rental Store Addresses. The CMS Medicaid Manual sets forth general federal requirements for adequate documentation of Medicaid claims. Potential providers are required to submit an application to bill for Medicaid services, and potential providers can choose to be paid by an electronic funds transfer (EFT) or a paper check. They must also list their practice and correspondence addresses. Because of theft, forgery, or alteration, the issuance of paper checks to providers carries more risk than using an EFT. The GAO reported identifying potential issues with Medicare-provider addresses and revealed that payments made to a provider with a mailbox-rental store, vacant, or invalid practice address increase the potential risk of fraud, waste, or abuse. The OIG will assess whether similar problems exist with the Medicaid program. Specifically, the OIG will determine if Medicaid payments issued by paper checks and sent to providers with mailbox-rental locations were for unallowable services.

 

  1. Prescription Opioid Drug Abuse and Misuse Prevention – Prescription Drug Monitoring Programs. Opioid abuse and related overdoses is a national epidemic and according to the Centers for Disease Control and Prevention (CDC), more than 33,000 people died in 2015 from overdoses involving opioids. HHS, through the CDC and the Substance Abuse and Mental Health Services Administration (SAMHSA), provides funding to States to prevent opioid abuse and misuse. Funding is provided by the CDC’s Prescription Drug Overdose: Prevention for States program and SAMHSA’s Strategic Prevention Framework for Prescription Drugs program. The OIG intends to identify actions state agencies have taken using federal funds for enhancing prescription drug monitoring programs (PDMPs) to achieve program goals—improving safe prescribing practices and preventing prescription drug abuse and misuse—and in doing so determine whether they complied with federal requirements. This series of audits will include states that have had a high number of overdose deaths, have a significant increase in the rate of drug overdose deaths, or received HHS funding to enhance their PDMPs.

 

  1. Impact of the Indian Health Service (IHS) Delivery of Information Technology/Information Security Services and Opioid Prescribing Practices. IHS has a decentralized management structure that is separated into two major categories: Headquarters and 12 Area Offices. The Area Offices are responsible for overseeing 26 hospitals, 59 health centers, and 32 health stations, some of which are located in remote locations. The OIG found that hospitals with limited cybersecurity resources struggle to implement information technology improvements and update the IHS electronic heath record system. The OIG will analyze and compare information technology/information security (IT/IS) operations and opioid prescribing practices at five IHS hospitals to determine whether (1) IHS’s decentralized management structure has affected its ability to deliver adequate IT/IS services in accordance with federal requirements and (2) hospitals prescribed and dispensed opioids in accordance with IHS policies and procedures.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: DOJ reports more than two-thirds of $4B civil fraud recoveries in 2017 from health sector

In an end of the year report, the Department of Justice (DOJ) Civil Division announced that it recovered over $3.7 billion from civil False Claims Act (FCA) cases for the fiscal year. Significantly, nearly two thirds of the total settlements and judgments involved the health care industry, including drug companies, hospitals, pharmacies, laboratories, and physicians. What is really noteworthy is the fact that ninety-three percent of the total came from qui tam relators (whistleblower) cases, whose rewards amounted to almost $400 million. There were 491 new such health care cases filed during the year at a rate of about ten per week. The great majority of civil fraud cases implicated the Anti-Kickback Statute. Also most major settlements with DOJ are referred to the HHS Office of Inspector General (OIG) for Corporate Integrity Agreements.

It is noted that settlements for 2017 were $1 billion less than 2016. This is the eighth consecutive year that the department’s civil health care fraud settlements and judgments have been the leading area of settlements and judgments, exceeding $2 billion. The recoveries reported reflect only federal losses and they were instrumental in recovering additional millions of dollars for state Medicaid programs. The largest recoveries involving the health care industry this past year came from Shire Pharmaceuticals LLC which paid $350 million; drug manufacturer Mylan Inc. which paid approximately $465 million; Life Care Centers of America Inc. and its owner which agreed to pay $145 million; and eClinicalWorks (ECW) and certain of its employees which paid $155 million.

In second place in terms of industry recoveries was $543 million from housing and mortgage fraud cases, which was only about twenty percent of the level for the health care sector. In third place was the Defense arena which had cases that resulted in $220 million in settlements and recoveries, which is only about one tenth the level of the health care sector.

The “Yates Memo” emphasized DOJ’s intent to focus on “individual accountability for corporate wrongdoing” through civil and criminal enforcement actions. This emphasis on singling out individual recoveries was in evidence this last year with DOJ recovering $60 million directly from individuals, without joint and several liability with any corporate entity. The DOJ identified several individual owners and executives of private corporations agreed to be held jointly and severally liable for settlement payments.

The DOJ obtained more than $3.7 billion in settlements and judgments from civil cases involving fraud and false claims against the government in the fiscal year ending September 2017.

Recoveries since 1986, when Congress substantially strengthened the FCA, now total more than $56 billion.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Recap of the OCR’s 2017 HIPAA enforcement

The HHS Office for Civil Rights (OCR) HIPAA Privacy Rule enforcement has been steadily increasing since it began the effort in 2003. Over the years, OCR has received over 175,000 HIPAA complaints and initiated nearly 1,000 compliance reviews. OCR investigations have resolved nearly 30,000 cases by requiring changes in privacy practices, taking corrective actions, or providing technical assistance to HIPAA covered entities and their business associates. OCR has been enforcing the HIPAA Rules where an investigation indicates noncompliance by the covered entity or their business associate. OCR investigations have ranged widely and included national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices. To date, OCR has settled or imposed a civil money penalty in about 60 cases resulting in a total dollar amount of about $75,000,000. The average of enforcement penalties has been about $1.5 million per case. In another 12,000 cases, no violations were found. In another 25,000 cases, OCR intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation. In the balance of over 100,000 cases, OCR determined that the complaint did not present an eligible case for enforcement, because of lack of jurisdiction; complaints were untimely or withdrawn by the filer; or the activity described didn’t violate HIPAA;

 

Cases that OCR closes fall into five categories:

 

  1. Resolved without investigation. OCR closes these cases after determining that OCR lacks jurisdiction, or that the complaint, referral, breach report, news report, or other instigating event will not be investigated. These include situations where the organization is not a covered entity or business associate and/or no protected health information (PHI) is involved; the behavior does not implicate the HIPAA Rules; the complainant refuses to provide consent for his/her information to be disclosed as part of the investigation; or OCR otherwise decides not to investigate the allegations.

 

  1. Technical assistance only. OCR provides technical assistance to the covered entity, business associate, and complainant through early intervention by investigators located in headquarters or a regional office.

 

  1. Investigation determines no violation. OCR investigates and does not find any violations of the HIPAA rules.

 

  1. Investigation results corrective action obtained. OCR investigates and provides technical assistance to or requires the covered entity or business associate to make changes regarding HIPAA-related privacy and security policies, procedures, training, or safeguards. Corrective action closures include those cases in which OCR enters into a settlement agreement with a covered entity or business associate.

 

  1. Other. OCR may investigate a case if (1) DOJ is investigating the matter; (b) it was as result of a natural disaster; (c) it was investigated, prosecuted, and resolved by state authorities; or (d) the covered entity or business associate has taken adequate steps to comply with the HIPAA Rules, not warranting deploying additional resources.

 

Order of frequency of issues investigated

 

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Use or disclosure of more than the minimum necessary protected health information; and
  • Lack of administrative safeguards of electronic protected health information.

 

Most common types of entities resulting in corrective actions

 

  • General hospitals;
  • Private practices and physicians;
  • Outpatient facilities;
  • Pharmacies; and
  • Health plans (group health plans and health insurance issuers).

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: OIG November 2017 Work Plan update

This year, the OIG is updating its annual Work Plan during the year, rather than annually. The OIG’s Work Plan sets forth various audits and evaluations that are underway or planned during the fiscal year and beyond. The updates will include the addition of newly initiated Work Plan items; removal of completed items. In conducting its work, the OIG assesses relative risks in HHS programs and operations to identify those areas most in need of attention. In evaluating potential projects to undertake, the OIG considers a number of factors, including mandates set forth in laws, regulations, or other directives; requests by Congress, HHS management, or the Office of Management and Budget; top management and performance challenges facing HHS; work performed by other oversight organizations (e.g., GAO); management’s actions to implement OIG recommendations from previous reviews; and potential for positive impact. In addition to working on projects that often result in audits, reviews, and reports, the OIG also engages in a number of legal and investigative activities that are separately reported.

New projects

  1. Use of Funds by Medicaid Managed Care Organizations (MCOs). In 2015, Federal Medicaid managed care payments were approximately $161.8 billion, which was more than 40 percent of the $349.8 billion in total Federal expenditures for Medicaid. States continue to expand their use of managed care. To deliver services to Medicaid managed care enrollees, states contract with MCOs and make monthly capitation payments to those plans to provide enrollees with Medicaid-covered services. Appropriately set capitation rates help to ensure that adequate payments are made to provide services to beneficiaries. OIG auditors plan to examine how Medicaid funds received by MCOs are used to provide services to enrollees with results reported in 2019.

 

  1. Opioids in Medicaid: Concerns about Extreme Use and Questionable Prescribing in Selected States. The OIG Office of Evaluation and Inspection will focus on the problem of opioid abuse and overdose deaths that have reached crisis levels in the United States, with more than 33,000 Americans dying from it annually. These issues are of particular concern for Medicaid beneficiaries because they are more likely to have chronic conditions and comorbidities that require pain relief. Especially affected are beneficiaries who qualify through a disability. The OIG plans to identify beneficiaries who received extreme amounts of opioids through Medicaid and those cases that appear to involve doctor shopping or pharmacy shopping, as well as prescribers associated with these beneficiaries. This review will provide baseline data about beneficiaries receiving extreme amounts of opioids and prescribers with questionable patterns for opioids in Medicaid.

 

  1. Medicaid Services Delivered Using Telecommunication Systems. Medicaid pays for telemedicine, telehealth, and telemonitoring services delivered through a range of interactive video, audio or data transmission (telecommunications). Medicaid programs are seeing a significant increase in claims for these services and expect this trend to continue. OIG auditors will over the next year or two determine whether selected states’ Medicaid payments for services delivered using telecommunication systems were allowable in accord with Medicaid requirements.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.