Kusserow on Compliance: EHR incentive program attestation is serious business

The American Recovery and Reinvestment Act of 2009 (ARRA) (P.L. 111-5) authorized providing incentive payments to eligible health care professionals, hospitals, and Medicare Advantage Organizations (“MAOs”) to promote the adoption and “meaningful use” of health information technology and electronic health record (“EHR”) systems. CMS established the Medicare and Medicaid Electronic Health Record Incentive Programs (EHR Incentive Programs) to make incentive payments to health care professionals and providers that meet specified requirements for the meaningful use of certified EHR technology (CEHRT). The EHR Incentive Programs are intended to bring about improved clinical outcomes and population outcomes, increase transparency and efficiency in health care, empower individuals to make decisions regarding their care, and generate additional research data on health systems. Program participants must report on their performance pertaining to certain clinical quality measures (CQMs) and objectives to CMS (for Medicare) or the authorized state agency (for Medicaid) through an attestation process. Since 2011, the EHR Incentive Programs have made incentive payments to numerous eligible professionals, eligible hospitals, and critical access hospitals (CAHs) that qualify as “meaningful users” by meeting the objectives and CQMs outlined in the various stages of the applicable programs.

Annual attestations required

Eligible providers must annually attest to meeting the specified objectives and measures in order to receive incentive payments under the EHR Incentive Programs. Once they have attested to meeting the identified objectives and measures, they are deemed to be meaningful users and eligible for incentive payments. CMS, its contractor, and state Medicaid agencies conduct both random and targeted audits to detect inaccuracies in eligibility, reporting, and receipt of payment with respect to the EHR Incentive Programs. Eligible hospitals may be selected for pre- or post-payment audits. CMS has required that eligible hospitals retain all supporting documentation used in completing the Attestation Module responses, in either paper or electronic format, for six years post-attestation. Eligible hospitals are responsible for maintaining documentation that fully supports the meaningful use and CQM data submitted during attestation. Hospitals undergoing pre-payment audits will be required to provide supporting documentation to validate submitted attestation data before receiving payment.

Unsupported and false attestations

Making false statements to the federal government, including attestations, could implicate federal law (18 U.S.C. § 1001), which generally prohibits knowingly and willfully making false or fraudulent statements or concealing information. Although eligible hospitals receiving incentive payments under the Medicare and Medicaid EHR Incentive Programs are not required to follow any particular parameters when spending the payments, they must annually attest to meeting the relevant measures and objectives in order to be entitled to incentive payments. It is critical that eligible hospitals maintain documentation that supports their attestations. Supporting documentation needs to make clear that the hospital is meeting the terms and conditions of the EHR Incentive Program; a checklist document by itself would be insufficient as supporting documentation. Failure to maintain such supporting documentation creates potential liability. Although no significant enforcement activity has taken place, compliance officers are advised to verify that proper supporting documentation is maintained. In fact, the responsible program manager should be maintaining that documentation as part of ongoing monitoring, and as part of ongoing auditing the compliance office should ensure that monitoring is conducted and validate that it adequately meets regulatory requirements.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on
Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.


Kusserow on Compliance: OCR has a record number of significant settlements so far in 2017

The HHS Office for Civil Rights (OCR) has posted about 2,000 major breaches and more than a quarter million small breaches since 2009. The common denominator for many of the cases that ended in a settlement was that the covered entity or business associate (BA) suffered one or more breaches affecting more than 500 individuals sometime between 2011 and 2013. The OCR has started 2017 with a record number of significant settlements. The most recent involves CardioNet, a wireless health services provider that offers remote mobile monitoring of, and rapid response to, patients at risk for cardiac arrhythmias. The provider entered into a $2.5 million settlement and implemented a corrective action plan for the disclosure of unsecured ePHI on a laptop that was stolen from a parked car. At the time of the theft, CardioNet had insufficient risk analysis and risk management processes in place, and its HIPAA Security Rule policies and procedures had not been implemented. The OCR has entered into a number of other significant settlements. Others who paid settlements for violating HIPAA requirements so far this year include Memorial Health Systems ($5.5 million); Children’s Medical Center in Dallas ($3.2 million); MAPFRE, a Puerto Rico life insurance company ($2.2 million); Presence Health in Chicago ($475,000); and Community Provider Network of Denver ($400,000). In all these cases, corrective action was required.

2016 OCR Results

  • There were 329 data breaches affecting more than 500 individuals (a new record).
  • 225 Phase 2 HIPAA compliance audits were conducted of covered entities and BAs.
  • No onsite audits were conducted.
  • No findings or notifications from the audits have been made.
  • The OCR intends to use the results from these audits to prepare a new and better audit tool in the future.
  • There was a large jump in fines imposed for HIPAA violations, which totaled about $24 million (versus a little more than $6 million and $8 million for 2015 and 2014, respectively).

OCR in 2017

  • The OCR’s stated intention is to conduct only a few onsite audits in 2017.
  • To date, the OCR has nearly reached the 2016 level of penalties imposed.
  • To date, about 100 data breaches affecting more than 500 individuals have been reported.
  • About a half million individuals have been affected by reported data breaches so far this year.
  • Relatively few BAs were involved in any of the reported data breaches.

Enforcement actions most often come from the OCR when an investigation into the root cause of a breach finds systemic, often profound, failures of organizational programs to safeguard protected health information. This includes the failure to perform an information security risk assessment or to have a risk management plan to address gaps in the safeguards for information systems, both required under the HIPAA Security Rule. Tied to this has been insufficient development of policies and procedures for HIPAA compliance. Other actionable problems that resulted in the OCR imposing HIPAA corrective action plans (CAPs) included inappropriate delay in data breach reporting (reported more than 60 days after the date of discovery) and inadequate oversight of user setup and user management. There is also the continuing problem of organizations not implementing encryption technology on mobile devices.

Camella Boateng, a HIPAA consultant, reminds everyone that the recently enacted 21st Century Cures Act amends the HITECH Act to extend an individual’s right to access their PHI to data held by business associates. As such, it is more important than ever that entities give priority to engaging in a self-audit, so that vulnerabilities can be detected and resolved before they come to the attention of the government. Furthermore, with a shifting focus toward BAs, it is important to avoid any potential partner that will not commit to signing a BAA.

Strong HIPAA Compliance Program Evidence

  • HIPAA policies and procedures;
  • HIPAA request forms for patients’ rights;
  • a complete notice of privacy practices;
  • established technical, physical, and administrative safeguards;
  • conducting a regular HIPAA risk analysis;
  • developed a risk management plan to address gaps in the safeguards for PHI;
  • strong workforce education;
  • effective user management and oversight into systems with PHI;
  • auditing practices for verification of compliance;
  • ongoing evaluation of current safeguards established by the organization;
  • strong oversight into user set up and user management;
  • implementing encryption technology on mobile devices; and
  • ensuring partners have signed BAAs.


Kusserow on Compliance: Filling a staffing gap in compliance

In this day and age, with such a rapidly evolving regulatory and enforcement environment, health care organizations cannot afford to take the chance of having a gap in the compliance office. Every healthcare organization will from time to time find it has a gap in its compliance program staffing, as a result of someone retiring or moving on to another opportunity. Few organizations can afford the risk of a loss in day-to-day compliance direction; when a break occurs, as a result of the loss of a compliance officer or key compliance staff for whatever reason, the program may degenerate quickly. Filling a gap may take 3–5 months, and designating someone internally to do the work until a new person can be recruited is very risky. Missing any information concerning a regulatory or legal violation from the hotline or internal review processes can lead to serious consequences, especially since both the OIG and DOJ apply a 60-day rule from identification of a potential violation to disclosure. In the case of a potential false claims matter, failure to meet the deadline may result in DOJ considering it a “reverse false claim” and actionable. Furthermore, the seeds of a regulatory or legal problem and the resulting liabilities can grow fast if not addressed promptly. There are two choices when there is an interruption in compliance staffing: (a) designate someone internally to act until a replacement can be found, or (b) engage an outside expert to act as interim compliance officer.

Suzanne Castaldo, JD, Vice President of Strategic Management Services, is responsible for providing compliance staffing assistance to clients. She notes that designating someone internally, as a secondary duty, until a replacement is found is not a good option. They will tend to give priority to their regular job, which they know, and do as little as possible in compliance, which they don’t know. They can’t be expected to address problems in a timely and professional manner, especially in the absence of the full authority of the office. She believes it is highly advisable to have someone experienced and knowledgeable in compliance fill the gap as an interim compliance professional during a time of transition. For some smaller organizations, it may make sense to outsource the whole program to a part-time Designated Compliance Officer rather than hire a full-time employee for the job. This approach is recognized by the OIG as an effective alternative for organizations with limited resources. An expert Designated Compliance Officer can develop, implement, manage, and provide compliance advisory services in a manner scalable to the organization’s needs. Furthermore, an outside expert can bring a much wider range of experience and expertise.

Castaldo noted that over the last 25 years, her firm has worked with over 3,000 health care organizations in evaluating, managing, and building compliance programs. This provides a unique level of knowledge and expertise that has been used by clients ranging from large health care systems to skilled nursing facilities, physician practices, DME companies, clinical and imaging centers, third-party billers, etc. All the consultants used in staffing compliance programs have served as compliance or HIPAA privacy officers. She believes the combined experience of the firm provides a depth of resources that can be leveraged on behalf of clients in a great variety of settings. For more information, she can be reached at (703) 683-9600 or through the online contact form.


Kusserow on Compliance: OIG issues detailed report on state Medicaid Fraud Control Units

1,564 Criminal Convictions

1,000 Civil Settlements

Almost $2 billion in recoveries

The OIG Office of Evaluation and Inspection (OEI) issued a more detailed analysis of statistical results from the State Medicaid Fraud Control Units (MFCUs) for 2016. The OIG is the designated Federal agency that oversees them and has been instrumental in establishing the Units. As Inspector General, I worked to establish a number of these MFCUs, which currently operate in 49 States and the District of Columbia (States). Once a unit is established, the OIG administers a grant that provides 75 percent of its funding, sets performance standards, reviews each state’s program, provides technical assistance, identifies best practices, and collects and analyzes statistics. The mission of MFCUs is to investigate and prosecute, under State law, Medicaid provider fraud and patient abuse or neglect. In FY 2016, the OIG reported 1,564 convictions, over one-third of which involved personal care services attendants. The OIG reported nearly 1,000 civil settlements and judgments, with settlements with pharmaceutical manufacturers making up almost half of them, along with almost $1.9 billion in criminal and civil recoveries. The OIG often works with the MFCUs; in 2016 the OIG’s Medicaid cases resulted in 312 indictments, 348 criminal actions, and 222 civil actions. These Medicaid cases, some of which also involved Medicare, resulted in almost $3 billion in expected recoveries. However, in most cases the MFCUs work their own cases without assistance from other agencies.

It is noteworthy that current funding for Medicaid fraud control is at a higher level than for the federally funded and administered Medicare program. Medicaid annual expenditures exceed $500 billion, and funding for the MFCUs was also at a high level of $258,698,147 in 2016. The staffing level of investigators, auditors, and attorneys was 1,965. Those entities investigated 15,505 fraud cases and another 3,221 abuse and neglect cases. The largest category of convictions involved personal care services (PCS) (35 percent). Nursing care came in second (11 percent) and involved licensed practical nurses (LPNs), registered nurses (RNs), physician assistants (PAs), or nurse practitioners (NPs). Convictions of nurse aides represented the third largest category (10 percent).

In this report, the OIG provided a detailed breakdown of the types of cases and trending data. Statistical results by state are included in the OIG report. A comparison with the prior year can be made by referring to the OIG’s report for 2015, which noted MFCUs achieving 1,553 convictions, 731 civil settlements and judgments, and $744 million in criminal and civil recoveries.
