Kusserow on Compliance: New OCR Guidelines

The HHS Office for Civil Rights (OCR) issued new guidance listing 10 violations for which Business Associates (BAs) can be held directly liable. The guidance points out that where BAs may not be liable, the covered entity (CE) may still be on the hook for those violations. As such, CEs should carefully review their BA Agreements (BAAs) to ensure that they cover requirements that don’t directly apply to BAs but are still enforceable against CEs.

The OCR also notes that large data breaches continue to dominate the press. Among recent notable breaches, the OCR cited an EMR and software services provider that allowed hackers access to 3.5 million patient records. Touchstone Medical Imaging (TMI) agreed to pay $3 million for a breach involving one of its FTP servers that contained PHI for over 300,000 patients. LabCorp received notice from American Medical Collection Agency (AMCA), a collection firm working on its behalf, regarding unauthorized access of 7.7 million patients’ PHI stored by AMCA. This announcement followed a similar one from Quest Diagnostics, which reported that AMCA’s breach affected 11.9 million of its patients.

Updates on OCR enforcement actions can be found at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: CMS ‘guts’ SNF/LTC compliance program mandates

– CMS “bows” to industry pressure

– Objective standards replaced by subjective ones

– Designated compliance officer not to be required

– No contact person to whom “people may report suspected violations”

 

A new CMS proposed rule—“Medicare & Medicaid Programs; Requirements for Long-Term Care Facilities: Regulatory Provisions to Promote Efficiency and Transparency”—proposes to roll back and remove many compliance program related requirements for long-term care (LTC) facilities participating in Medicare/Medicaid. The proposed modifications include removing many of the compliance program requirements adopted in 2016 on the basis that they are not expressly required by statute. The stated purpose of the proposed changes is to reduce administrative burdens. This flies in the face of increased identification by CMS, OIG, GAO, DOJ, and Congress of legal and regulatory compliance violations by LTC facilities.

Enhanced compliance programs were a way of addressing these ongoing problems. Among the requirements removed were (1) designation of a compliance officer; (2) designation of a compliance liaison for operating organizations with five or more facilities; (3) annual reviews of the compliance program; (4) having an identified person to whom individuals may report suspected violations.

CMS now proposes that an LTC organization develop, implement, and maintain an effective compliance and ethics program most appropriate for the size and type of the organization. This should include written compliance standards, policies, and procedures that are reasonably capable of reducing the prospect of criminal, civil, and administrative violations. The new standards are far less objective and rely more on subjective concepts that are vague and difficult to substantiate, using terms like “reasonable” and “sufficient.” Other CMS expectations for facilities include:

  1. Providing sufficient resources for operation of the compliance program.
  2. Designating a high-level person for overall compliance program responsibility with appropriate authority to assure compliance with the regulations.
  3. Taking reasonable steps to achieve compliance with the program’s standards, policies, and procedures, including monitoring and auditing that is reasonably designed to detect criminal, civil, and administrative violations.
  4. Having in place and publicizing a reporting system whereby anyone could report violations by others within the organization without fear of retribution.
  5. Ensuring consistent enforcement and discipline of standards, policies, and procedures.
  6. Effectively communicating compliance standards, policies, and procedures in mandatory compliance training.
  7. Taking reasonable steps to respond to detected violations and to prevent similar violations in the future.

The new CMS proposed compliance program standards are significantly different from standards issued by the U.S. Department of Justice in April 2019 (the new DOJ evaluation of corporate compliance program guidelines), which are designed to be used in making prosecutorial decisions and in determining penalty guidelines. Before CMS proposed to rescind many of its previously published standards for compliance programs, the DOJ and CMS standards were consistent.

 

 


Kusserow on Compliance: Increased CMS Spotlight on Nursing Facilities

CMS and states visit nursing homes on a regular basis with “survey” or “inspection” teams to determine if the nursing homes are providing the quality of care that is required by Medicare and Medicaid, as well as to identify deficiencies in meeting CMS safety requirements. When deficiencies are identified, they must be corrected, and, if serious ones are not corrected, it may lead to termination from participation in Medicare and Medicaid.

Most facilities correct their problems within a reasonable period. However, some have significantly more problems than the norm, with a pattern of serious problems persisting over three or more years. Although some facilities institute enough improvement that they are in substantial compliance on one survey, significant problems often resurface by the time of the next survey. CMS refers to such facilities as having a “yo-yo” or “in and out” compliance history. These facilities rarely address the underlying systemic problems that give rise to repeated cycles of serious deficiencies. To address this problem, CMS created the “Special Focus Facility” (SFF) initiative, a listing of problematic nursing homes that have had a history of serious quality issues and are included in a special program to stimulate improvements in their quality of care.

Those on the SFF list are visited in person by survey teams twice as frequently as other nursing homes (about twice per year). The longer the problems persist, the more stringent the enforcement actions, including imposition of civil monetary penalties (“fines”) or termination from Medicare and Medicaid. Within about 18 to 24 months after a facility is identified by CMS as an SFF nursing home, CMS expects: (1) improvement and graduation off the SFF; (2) termination from participation in Medicare/Medicaid programs; or (3) extension of time on SFF because of some progress or change of ownership. For more information, check the CMS website, which posts SFF nursing homes in five (5) categories:

  1. newly added to the SFF;
  2. failing to show significant improvement since being posted on the SFF;
  3. showing significant improvement by the most recent survey, and CMS is monitoring;
  4. graduating off the SFF because they not only improved, but they sustained significant improvement for about 12 months (through two standard surveys); and
  5. terminated by CMS from participation in Medicare and Medicaid within, or voluntarily chose not to continue such participation.

To assist in improving Nursing Home quality, CMS began rating all nursing homes using a Five-Star Quality Rating System that can be found at https://www.medicare.gov/NHCompare.

 


Kusserow on Compliance: What boards do and do not need to know about compliance investigations

The board needs to know about pending compliance issues to meet its fiduciary obligations in providing proper oversight of a compliance program. The board needs to understand the processes by which issues are investigated and resolved. Not seeking and receiving this type of information borders on dereliction of responsibilities. The board does not need and should not receive details about raw and unsubstantiated allegations without the compliance officer and legal counsel first addressing them. If details of allegations of violations of laws and regulations are provided to the board, the board risks being held accountable for how they are investigated and resolved. These are management issues, not matters of board oversight. Any reporting on allegations that are being investigated should be general in nature, to assure the board that they are being addressed appropriately. The board should meet in executive sessions without the presence of members of management to query the compliance officer about any sensitive investigations, such as those involving senior members of management. Questions by the board to the compliance officer and legal counsel certainly should include:

  1. How many allegations of violation of law were made and investigated, and to what result?
  2. What policies govern the investigative processes; and are they kept current?
  3. What processes are in place to ensure that complaints and allegations are fully investigated?
  4. What evidence is there that those processes are being followed?
  5. Are there adequately trained individuals capable of conducting sensitive investigations?
  6. What processes are in place to appropriately react to and remedy?
  7. What processes ensure the board will have adequate notice about developments?
  8. What disclosure processes and policies are there for reporting suspected violations of law?
  9. Are there working investigative protocols between legal counsel and compliance?
  10. Are there any allegations received of wrongdoing made against members of senior management?
  11. What have been the results of significant investigations of wrongdoing?
  12. Has substantiated wrongdoing resulted in remedial action?
  13. What disclosures have been made to government agencies and were they timely?
  14. Has there been any reaction as a result of disclosures to government agencies?
  15. Is there evidence of enforcement agency investigations involving the organization and, if so, what?
  16. Were any patterns identified from allegations warranting management actions?

For more information on this subject, see compliance.com or contact former HHS IG and FBI executive, Richard Kusserow, at rkusserow@strategicm.com.

 
