Kusserow on Compliance: OIG reports on the Senior Medicare Patrol (SMP) program

The OIG issued a report on the 2016 performance data for the Senior Medicare Patrol (SMP) program. Little known to many people, the program is designed to empower and assist Medicare beneficiaries, their families, and caregivers to prevent, detect, and report health care fraud, errors, and abuse through outreach, counseling, and education. SMPs are grant-funded projects of HHS, U.S. Administration for Community Living (ACL). They play a unique role in the fight against Medicare errors, fraud, and abuse. SMP volunteers and staff are viewed as “eyes and ears” in their communities, educating beneficiaries to be the first line of defense; a sort of “neighborhood watch” team. Their work involves conducting presentations to groups, exhibiting at events, and working one-on-one with Medicare beneficiaries; engaging volunteers (protecting elderly persons’ health, finances, and medical identity while saving precious Medicare dollars is a cause that attracts civic-minded Americans); and receiving beneficiary complaints and determining whether they may involve fraud, errors, or abuse. When fraud or abuse is suspected, they make referrals to the appropriate state and federal agencies for further investigation.

The OIG used five performance measures pertaining to recoveries, savings, and cost avoidance, and another five performance measures relating to volunteer and outreach activities. In 2016, there were 53 SMP projects with a total of 6,126 active team members, who conducted 26,220 group outreach and education events that reached an estimated 1.5 million people. The projects also had 195,386 individual interactions with, or on behalf of, a Medicare beneficiary. The projects reported $163,904 in cost avoidance on behalf of Medicare, Medicaid, beneficiaries, and others. Savings to beneficiaries and others totaled $53,449. Expected Medicare recoveries totaled $2,672. Further, two projects provided information to federal prosecutors that resulted in settlements totaling an additional $9.2 million in expected Medicare recoveries. There were no expected Medicaid recoveries.

Compared to 2015, the projects reported much higher amounts for cost avoidance ($163,904, up from $21,533) and somewhat higher amounts of savings to beneficiaries and others ($53,449, up from $35,059). However, the projects reported significantly lower expected Medicare recoveries ($2,672, down from $2.5 million). The projects reported no Medicaid recoveries in either year. Some common examples of suspected Medicare fraud or abuse identified by the SMP include:

  • Billing for services or supplies that were not provided
  • Providing unsolicited supplies to beneficiaries
  • Misrepresenting a diagnosis, beneficiary’s identity, service provided, or other facts
  • Prescribing or providing excessive or unnecessary tests and services
  • Violating the participating provider agreement with Medicare by refusing to bill Medicare for covered services or items and billing the beneficiary instead
  • Offering or receiving a kickback (bribe) in exchange for a beneficiary’s Medicare number
  • Requesting Medicare numbers at an educational presentation or in an unsolicited phone call
  • Routinely waiving co-insurance or deductibles

The OIG noted that the projects may not be receiving full credit for recoveries, savings, and cost avoidance attributable to their work. It is not always possible to track referrals to Medicare contractors or law enforcement from beneficiaries who have learned to detect fraud, waste, and abuse from the projects. In addition, the projects are unable to track the potentially substantial savings derived from a sentinel effect, whereby Medicare beneficiaries’ scrutiny of their bills reduces fraud and errors.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Compliance officers’ checklist—25 suggestions

Health care organizations are facing increasing risk of exposure to actions by government regulators or enforcement authorities. Government authorities are conducting aggressive investigations and taking actions to hold entities and responsible corporate executives more accountable. It is well understood that having an effective compliance program is a necessity to prevent and detect misconduct that could give rise to liabilities. Despite the abundance of guidance pertaining to corporate compliance, achieving a program that is effective in reducing the likelihood of unwanted events or actions that could give rise to liabilities remains a continuing challenge. The following are suggestions that Compliance Officers may wish to consider during the course of the year.

Ensure That…

  1. A charter for the Compliance Officer function provides proper empowerment and authority.
  2. Minutes of Board and executive oversight committee evidence proper support and oversight.
  3. A clear and consistent message is communicated to everyone that compliance applies to all, regardless of position.
  4. Program managers are engaged in ongoing monitoring over their areas, including risk identification, policies addressing those risks, training of their staff on them, and verifying they are adhering to them.
  5. The code of conduct (code) is written as the “Constitution” for the compliance program, setting forth commitments to the patients being served, staff performing the services, safety of the work environment, and adherence to applicable laws, regulations, and standards.
  6. The code is understandable by all employees; written at no higher than 10th grade level.
  7. Policies and procedures reflect in detail what must be followed to adhere to the code.
  8. Compliance program-related policies/procedures are up to date.
  9. A document management system tracks changes, revisions, and rescissions in policies.
  10. Adequate written guidance is in place for all risk-related aspects of the organization’s
  11. There is evidence that managers/executives are held responsible for supporting compliance.
  12. Adequate resources and support for the compliance program are evidenced in the record.
  13. Periodic independent assessments are made to evidence compliance program effectiveness.
  14. All deficiencies found in reviews are remediated quickly and documented.
  15. The hotline is tested to ensure calls are answered and reported promptly and accurately.
  16. Available metrics are used to confirm the hotline and other channels of communication are
  17. Compliance training and education effectively convey the commitment to compliance.
  18. There is evidence of employee understanding of compliance education programs.
  19. Employee participation in training is documented and filed.
  20. Policies address timely self-disclosures of overpayments and potential violations of law or regulation.
  21. Meaningful and consistent discipline occurs for conduct that violates the code.
  22. A process is in place to capture lessons learned from costly errors resulting from compliance weaknesses.
  23. Assessments are being conducted for all high-risk areas and corrective actions for identified weaknesses.
  24. Periodic surveys of employees to measure and evidence employee understanding of the compliance program; and in measuring the compliance culture of the organization.
  25. Compliance is included in management performance reviews and compensation.

 


Kusserow on Compliance: Defending against ransomware threat

Cyber attacks have risen to dramatic levels over the last two years and are likely averaging one attack a day, with the most disturbing trend involving ransomware. A survey by the American Health Lawyers Association indicated that virtually all healthcare lawyers believe they will be involved with cyber security matters with their clients and that the threat will continue to increase over the coming years. Data breaches include actions by those inside the organization, as well as external attacks including phishing, hacking, and ransomware. Ransomware typically involves a sophisticated computer virus introduced into a victim’s system that encrypts the system’s data. The attackers threaten to delete the private key needed to decrypt the files unless the owners of the information pay a ransom, typically in an untraceable digital currency such as Bitcoin. The healthcare sector, particularly hospitals, has proven to be a “soft target” for ransomware attacks: hospitals provide critical care, rely on up-to-date information from patient records, and need immediate access to that information, which makes them the perfect mark for this kind of extortion, and many have paid the ransom to regain control over it. As such, compliance officers need to consider this a compliance high-risk area where ongoing monitoring and auditing applies. Simply assuming that someone in IT is addressing this problem area can be a big mistake. At the same time, the compliance office is not responsible for the program, but is responsible for ensuring that those who have that responsibility are doing their job, including IT and human resource management (HRM).

According to newly reported studies, healthcare now ranks as the second highest sector for data security incidents, after business services. The “2017 Internet Security Threat Report” found that in healthcare (a) over half of emails contained spam; (b) one in 4,375 emails was a phishing attempt; and (c) email-borne ransomware spiked 266% over the previous year. The Ponemon Institute further found breaches could be costing the healthcare industry $6.2 billion annually. All these studies indicate that the biggest vulnerability to cyber attacks is employees who let down their guard when opening or responding to emails from unknown sources. Often “scammers” create the appearance of legitimate sites, including using similar names and the emblems of companies and even government agencies (including the OIG and IRS). Once someone opens the door, all kinds of bad things can happen.

Practical Tips

  1. Implement policies and procedures on taking precautions against malware and train all covered persons on them.
  2. Ensure ongoing (repeated) training of employees to keep them aware and on guard against allowing software breaches by clicking on an email link or attachment, or responding to “phishing” inquiries.
  3. Don’t rely entirely on employees to always do the right thing; assist them by configuring email servers to block zip or other files that are likely to be malicious.
  4. Restrict permissions to areas of the network by limiting the number of people accessing files on a single server, so that if a server gets infected, it won’t spread to everyone.
  5. Limit employee access to systems on a need-to-know standard.
  6. Security efforts should focus on those files that are most critical: patient records.
  7. Conduct a risk analysis to identify ePHI vulnerabilities and ways to mitigate or remediate these identified risks.
  8. Maintain disaster recovery, emergency operations, and frequent data backups to permit restoring of lost data in case of an attack.
  9. Move quickly on any report of an attack to prevent the malware from spreading, by disconnecting infected systems from the network, disabling Wi-Fi, and removing USB sticks or external hard drives connected to an infected computer system.


 

Kusserow on Compliance: Trustees forecast Medicare hospital trust fund solvent until 2029

The forecast for Medicare’s hospital insurance trust fund improved in the past year due to health costs rising more slowly than expected and predictions that enrollees will use hospital services less often. The trust fund would last through 2029, one year later than what was projected last year. As in past years, the Trustees have determined that the fund is not adequately financed over the next 10 years. They projected modest surpluses to continue in 2017 through 2022, with a return to deficits thereafter until the trust fund becomes depleted in 2029. HHS Secretary Tom Price, one of four Medicare trustees, also said the hospital trust fund forecast was secure enough that it would not trigger a Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) provision to make automatic cuts to the program. Those cuts are required by the ACA when spending is expected to exceed certain benchmarks. Despite the slightly improved outlook, the trustees warned that the aging of the baby boom population and rising health care costs will cause Medicare expenses to increase and deplete the trust funds.

The report noted that in 2016, Medicare covered 56.8 million people. About one-third of these beneficiaries have chosen to enroll in Part C private health plans that contract with Medicare to provide Part A and Part B health services. Total expenditures in 2016 were $678.7 billion, and total income was $710.2 billion, which consisted of $700.4 billion in non-interest income and $9.8 billion in interest earnings. Assets held in special issue U.S. Treasury securities increased by $31.5 billion to $294.7 billion.

