Kusserow on Compliance: OCR has a record number of significant settlements so far in 2017

The HHS Office for Civil Rights (OCR) has posted about 2,000 major breaches and more than a quarter million small breaches since 2009. The common denominator in many of the cases that ended in a settlement was that the covered entity or business associate (BA) suffered one or more breaches affecting more than 500 individuals sometime between 2011 and 2013. OCR has opened 2017 with a record number of significant settlements. The most recent involves CardioNet, a wireless health services provider that offers remote mobile monitoring of, and rapid response to, patients at risk for cardiac arrhythmias. The provider paid $2.5 million and agreed to a corrective action plan over the impermissible disclosure of unsecured ePHI on a laptop that was stolen from a parked car. At the time of the theft, CardioNet had insufficient risk analysis and risk management processes in place, and its HIPAA Security Rule policies and procedures had not been implemented.

OCR has entered into a number of other significant settlements. Others that have paid settlements for HIPAA violations so far this year include Memorial Healthcare System ($5.5 million); Children's Medical Center of Dallas ($3.2 million); MAPFRE, a Puerto Rico life insurance company ($2.2 million); Presence Health in Chicago ($475,000); and Metro Community Provider Network in Denver ($400,000). In every one of these cases a corrective action plan was also required.

2016 OCR Results

  • 329 data breaches affecting more than 500 individuals were reported (a new record).
  • 225 Phase 2 HIPAA compliance audits were conducted of covered entities and BAs.
  • No onsite audits were conducted.
  • No findings or notifications from those audits have yet been issued.
  • OCR intends to use the results of these audits to develop an improved audit tool.
  • Fines imposed for HIPAA violations jumped to about $24 million (versus a little more than $6 million in 2015 and $8 million in 2014).

OCR in 2017

  • OCR's stated intention is to conduct only a few onsite audits in 2017.
  • To date, penalties imposed by OCR have nearly reached the 2016 total.
  • To date, about 100 data breaches affecting more than 500 individuals have been reported.
  • About half a million individuals have been affected by the data breaches reported so far this year.
  • Relatively few BAs were involved in any of the reported data breaches.

OCR enforcement actions most often follow an investigation into the root cause of a breach that finds systemic, often profound, failures of the organization's program to safeguard protected health information. This includes failing to perform an information security risk analysis or to have a risk management plan that addresses gaps in the safeguards for information systems, both of which are required under the HIPAA Security Rule. Tied to this has been insufficient development of policies and procedures for HIPAA compliance. Other problems that led OCR to impose corrective action plans (CAPs) included late breach reporting (more than 60 days after the date of discovery) and inadequate oversight of user setup and user management. There is also the continuing problem of organizations not implementing encryption on mobile devices. Under the HHS breach notification guidance, ePHI encrypted in a manner consistent with NIST guidance is "secured" provided the decryption key was not also compromised, so the theft of an encrypted laptop is not a reportable breach; the stolen-device settlements described above all turned on unencrypted data.

Camella Boateng, a HIPAA consultant, reminds everyone that the recently enacted 21st Century Cures Act amends the HITECH Act to extend an individual's right to access their PHI to data held by business associates. As such, it is more important than ever that entities prioritize self-audits, so that vulnerabilities can be detected and resolved before they come to the attention of the government. Furthermore, with the focus shifting toward BAs, it is important to avoid any potential partner that will not commit to signing a business associate agreement (BAA).

Strong HIPAA Compliance Program Evidence

  • HIPAA policies and procedures;
  • HIPAA request forms for patients' rights;
  • a complete notice of privacy practices;
  • established technical, physical, and administrative safeguards;
  • a regular HIPAA risk analysis;
  • a risk management plan that addresses gaps in the safeguards for PHI;
  • strong workforce education;
  • effective user management and oversight of systems containing PHI;
  • auditing practices that verify compliance;
  • ongoing evaluation of the safeguards the organization has established;
  • strong oversight of user setup and user management;
  • encryption implemented on mobile devices; and
  • signed BAAs from all partners.


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Summary of OIG fraud and abuse actions first half of 2017

The HHS OIG issued its Semiannual Report to Congress for the first half of fiscal year (FY) 2017, summarizing key accomplishments, significant problems, abuses, deficiencies, and investigative outcomes relating to the administration of HHS programs and operations that were disclosed during the reporting period. The following summarizes the reported statistical accomplishments.

Criminal Actions (468). OIG reported 468 criminal actions against individuals or entities that engaged in crimes against HHS programs, and 461 civil actions, which include false claims and unjust-enrichment lawsuits filed in federal district court, civil monetary penalty (CMP) settlements, and administrative recoveries related to provider self-disclosure matters. During the first half of FY 2017, OIG reported expected investigative recoveries of over $2.04 billion.

Health Care Fraud Strike Force (152 Criminal Actions). The Health Care Fraud Strike Force teams brought charges against 45 individuals or entities, obtained 152 criminal actions, and recovered $267 million through their investigations.

State Medicaid Fraud Control Units (MFCUs) (1,564 Criminal Actions). OIG has oversight responsibility for MFCUs and administers grants that provide federal funding for their operations. There are 50 MFCUs (in 49 states and the District of Columbia), and their combined funding totaled almost $259 million. The MFCUs employed 1,965 individuals. MFCUs reported 18,730 investigations, of which 15,509 were related to Medicaid fraud and 3,221 were related to patient abuse and neglect, including misappropriation of patients' private funds. The cases resulted in criminal charges or indictments involving 1,721 individuals, including 1,249 for fraud and 472 for patient abuse and neglect. In total, 1,564 convictions were reported in FY 2016, of which 1,160 were related to Medicaid fraud and 404 were related to patient abuse and neglect. Civil judgments and settlements for FY 2016 totaled 998, and monetary recoveries in civil cases totaled over $1.5 billion. During this reporting period, OIG special agents partnered with MFCUs in conducting joint investigations on 714 criminal cases.

Program Exclusions (1,422). During this semiannual reporting period, OIG excluded 1,422 individuals and entities from Medicare, Medicaid, and other federal health care programs. Most of the exclusions resulted from convictions for crimes relating to Medicare or Medicaid, for patient abuse or neglect, or as a result of license revocation. OIG is also responsible for reinstating providers who apply and have met the requirements of their exclusions.

Sanction Authorities and Other Administrative Actions (1,504). OIG sanctions include the exclusion of individuals and entities from federal health care programs and the imposition of CMPs for submitting false or fraudulent claims to a federal health care program or for violating the Anti-Kickback Statute, the Stark Law, or the Emergency Medical Treatment and Labor Act (EMTALA), also known as the patient dumping statute. During this semiannual reporting period, OIG imposed 1,504 administrative sanctions in the form of program exclusions or administrative actions for alleged fraud or abuse or other activities that posed a risk to federal health care programs and their beneficiaries.

Civil Monetary Penalties Law (CMPL) ($26 million). The CMPL authorizes OIG to impose administrative penalties and assessments on a person who, among other things, submits, or causes to be submitted, claims to a federal health care program that the person knows, or should know, are false or fraudulent. In addition to administrative penalties and assessments, OIG can also exclude individuals for engaging in conduct prohibited by the CMPL. During this semiannual reporting period, OIG concluded cases involving more than $26.3 million in CMPs and assessments.

Self-Disclosure Programs ($23 million). Health care providers, suppliers, or other individuals or entities subject to CMPs can apply for acceptance into the Provider Self-Disclosure Protocol, a program created in 1998, to voluntarily disclose self-discovered evidence of potential fraud. During this semiannual reporting period, self-disclosure cases resulted in more than $23 million in HHS receivables.


Kusserow on Compliance: Tips for getting the most from your CIA

This was the title of a section in a presentation by Laura Ellis, HHS Office of Inspector General (OIG) Senior Counsel, at the recent Health Care Compliance Association (HCCA) Compliance Institute, where she explained that the settlement process is very lengthy and that compliance officers should spend that time preparing for what is to come. Even before a matter is referred to the OIG for settlement negotiations, it will have been with the Department of Justice (DOJ) for a long time. Only after the DOJ turns a matter over to the OIG does the agency determine whether a corporate integrity agreement (CIA) is necessary and, if so, what terms and conditions should be included in the agreement. Ellis stated that negotiations with the OIG may take up to a year before a CIA emerges. It is during this long lead-up period that the compliance officer should be very busy preparing for what is to come. Ellis offered a number of suggestions for the compliance officer to follow while this process is underway, including:

Thomas Herrmann, J.D., was previously responsible for negotiating CIAs and appointing monitors on behalf of the OIG, and has a number of years' consulting experience working with more than a dozen clients under CIAs and serving as an Independent Review Organization (IRO). He agreed with Ellis's point about the long lead time before a CIA is signed, and that the compliance officer should not waste that valuable time. Once the CIA is executed, the clock begins ticking and a lot has to be accomplished in a relatively short time. Among the most important tasks needing immediate attention is finding and vetting potential outside experts to serve as the IRO and, in some cases, as compliance experts for the Board and as quality monitors. The responsibility for selecting these experts lies with the organization, not the OIG. This may take a lot of time and warrants serious consideration, since in all likelihood the organization will have them for five years. A mistake in selection will come back to haunt the organization and may aggravate matters with the OIG. The compliance officer should be closely involved in finding and selecting the right experts with the right expertise. The more experience the selected firm has in performing this type of work, the less likely there will be problems. An experienced firm won't have the learning curve of an inexperienced one, a learning curve that often adds cost to the engagement and results in poor reports to the OIG. For an organization that is already in hot water with the DOJ and OIG, this kind of complication is not wanted.

Carrie Kusserow has over 15 years' experience as a compliance officer and consultant, and was brought in as the compliance officer for an organization under a CIA while Laura Ellis was the monitor. Kusserow echoes Ellis's advice that organizations take steps to "get the most out of the money" expended on these resources. The more expert they are in the health care sector, the better. The more experience the individuals assigned to do the work have, particularly experience with the OIG, the better. The one thing to avoid is hiring an IRO and then paying it to learn about the type of work the organization does or how to interact with the OIG. Top-notch experts bring considerable added value from prior experience doing this kind of work. She also pointed out that once these outside experts are engaged, there is another lag period before they begin their work, and again before they present reports on the results of their work. It is a huge mistake to allow these gap periods to elapse without doing serious preparation. It is important to begin planning at the earliest date for what is needed to meet the CIA's terms and conditions, and to develop a project plan for execution. The planning process and timelines for meeting CIA requirements will have to take into account when reports by the IRO, and possibly the compliance expert, are due to the OIG.

Steve Forman, CPA, has over 35 years' experience, having served both as a compliance officer and as an IRO many times, and as a compliance expert four times under a CIA. He advises compliance officers that one step that cannot be undertaken too soon is getting the Executive/Management Compliance Committee and the Board Compliance Committee involved. They need to understand fully, in practical and operational terms, their personal obligations and what is needed from them to meet CIA obligations. He also strongly recommends, at the first indication that a CIA may be in the future, beginning to review the agreements posted on the OIG website, especially those that involve similar types of organizations. One point of caution: the OIG has been changing CIAs significantly, adding new requirements, conditions, and certifications by board members and executives. Information derived from these reviews should be translated into a plan of action to ensure the organization is in tune with what the OIG will expect. He strongly suggests that compliance officers consider engaging compliance experts to do two things:

  1. Have an independent evaluation of the compliance program conducted, and act on its findings and recommendations. Such a report, with evidence that any deficiencies were corrected, can be invaluable to the OIG in determining whether a CIA is necessary and, if so, in mitigating its terms and conditions. The OIG will be looking for this evidence.
  2. Once a CIA is executed, immediately engage experts to conduct a mock audit that tests the terms and conditions that must be met under the CIA, so that shortfalls can be addressed before the IRO or compliance expert under the CIA begins work.

Taking these two steps can avoid a lot of problems, expenditures, and complications under a CIA. The OIG takes evidence from independent experts seriously; that is why it relies upon them as IROs, compliance experts, and quality monitors.


Kusserow on Compliance: Drifting into corporate integrity agreements is dangerous

Compliance Officers are well aware of impending Corporate Integrity Agreements (CIAs) as cases move through investigation and settlement with the Department of Justice (DOJ) and the HHS Office of Inspector General (OIG). This lead time allows preparation for meeting the obligations to come. Consultants with extensive experience in this area offer some thoughts and suggestions on avoiding costly mistakes and missed CIA deadlines.

  • Suzanne Castaldo, J.D., has assisted many organizations in meeting CIA terms and makes the point that, "When a matter falls into an investigation by the DOJ and OIG, legal counsel takes over to resolve the matter. After the case is settled with the DOJ, they continue to work with the OIG on terms and conditions for the CIA. The result often catches the organization and its Compliance Officers, executive leadership, and Board unaware of the full scope of what needs to be done in the 120 days following agreement."
  • Tom Herrmann, J.D., spent a number of years at the OIG coordinating with the DOJ, developing settlement agreements, and appointing monitors, and has since worked as an Independent Review Organization (IRO) with more than a dozen organizations. He urges "Compliance Officers of organizations moving to a DOJ settlement and OIG agreement not to sit back and wait for an agreement to be negotiated. They should be in communication with their legal counsel to understand what is being discussed in terms of timing and obligations, and begin maneuvering with plans to meet the obligations that will be in the CIA."
  • Carrie Kusserow, who has worked both as a Compliance Officer and as a consultant in meeting corporate integrity agreement (CIA) obligations, agrees: "When CIAs are signed, most Compliance Officers and their executive leadership are often surprised by the implications of what has been agreed, and ill-prepared to meet the terms and stringent timelines that are included in them. They wake up and begin to focus on the real scope of what has been agreed in the CIA. Suddenly they begin to understand the scope of their commitment and begin racing the clock to accomplish all that to which they have agreed. Frequently this leads to mistakes and delays in trying to do all that is required within the strict timeframes established, which include securing the Independent Review Organization as well as Compliance Experts for the Board. All this is the backdrop to preparing the first report to the OIG. The last thing any organization needs is to fail in meeting obligations at the outset of a CIA."
  • Steve Forman, CPA, who also has extensive experience both in leading IRO teams and in serving as a Board-appointed Compliance Expert for three organizations, observed that "There is little by way of excuse for Compliance Officers, leadership, and the Board not being adequately prepared for what is coming in terms of a CIA. Compliance Officers should, at the first sign that there will be a settlement with the government, begin their homework and preparation by reviewing recent CIAs posted on the OIG website. CIAs follow a pattern; granted, terms and conditions evolve, but they do so slowly. All a Compliance Officer needs to do is find a CIA with factual similarity to their situation, and then read the terms and apply them to their own organization. By doing this, they will know how much time they will have to do certain things."
  • Al Bassett, J.D., who has more than 20 years' experience in providing compliance advisory services, adds, "Many of the tasks that will be required under a CIA can and should be undertaken well in advance of an agreement. It is foolish to wait until a CIA is signed. The race is on once a case is moving to the DOJ, not OIG. In many cases this provides a year or more of advance preparation to meet what will likely be included in the CIA in terms of being able to evidence compliance program effectiveness. It is important that organizations realize that CIAs are no longer just focused upon the substantive issues that led to the problem and that are monitored by an IRO. Recent CIAs have turned their attention to compliance and certifications. Compliance standards are set forth, and there are mandated certifications by the executive leadership, including the Compliance Officer, along with members of the Board. Board certifications have also led to mandates to engage, in addition to an IRO, a Compliance Expert to assist and give advice to boards to prepare them to personally certify the compliance program. Knowing this, the Compliance Officer should be working in overdrive, before any settlement, in preparing to meet what is needed to evidence compliance program effectiveness."
  • All of the experts agreed that it is strongly advisable for Compliance Officers to begin looking early for qualified experts to fill the roles of IRO and Compliance Expert. They underscore this as a very serious responsibility, for once selected, those experts are likely to hold the role for up to five years. Although many would like to fill those roles, finding the right qualified experts will take some time and weeding out. Far too many organizations find themselves rushed in finding the right experts and are forced to settle on lesser qualified parties. A bad selection can result in many unnecessary additional burdens, higher costs, and increased problems with the OIG. The best advice given is to find an organization with experience in these roles across many CIAs. Such a firm will know what needs to be done and will not learn on the engagement at the organization's expense. It will also be known by, and have experience and credibility with, the OIG.


Copyright © 2016 Strategic Management Services, LLC. Published with permission.