Kusserow on Compliance: CMS to issue new Medicare card to 60 million beneficiaries

New cards will no longer contain Social Security number

Over 2.5 million beneficiaries are victims of identity theft incidents

CMS is readying a fraud prevention initiative that removes Social Security numbers from Medicare cards to help combat identity theft and safeguard taxpayer dollars. This is being done to meet the congressional deadline for replacing all Medicare cards by April 2019 that followed the passage of the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA). CMS will assign all Medicare beneficiaries a new, unique Medicare Beneficiary Identifier (MBI), which will contain a combination of numbers and uppercase letters. Beneficiaries will be instructed to safely and securely destroy their current Medicare cards and keep the new MBI confidential. Issuance of the new MBI will not change the benefits a Medicare beneficiary receives, and it is designed to help protect against personal identity theft, which affects a large and growing number of seniors. According to the DOJ, people age 65 or older are increasingly the victims of this type of crime, which is now estimated to affect 2.6 million seniors a year. Two-thirds of all identity theft victims reported a direct financial loss, in addition to the problems of disrupted lives, damaged credit ratings, inaccuracies in medical records, and costly false claims.

New cards will be mailed beginning in April 2018 and will use the unique, randomly assigned MBI to replace the Social Security-based Health Insurance Claim Number (HICN) currently used on the Medicare card. Providers and beneficiaries will both be able to use secure lookup tools that support quick access to MBIs when they need them. There will also be a 21-month transition period during which providers will be able to use either the MBI or the HICN, further easing the transition.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Human resources management compliance jurisdiction

The great majority of internal investigations arise from complaints filed with the human resources management office (HRM) or through the compliance office hotline. Both functions have their own jurisdiction for dealing with sensitive issues, and this can raise tension and conflict if not addressed properly. HRM has a mission to assist employees in a host of ways, ranging from salaries and benefits to working conditions. It is therefore not surprising that the department is a front-line recipient of questions, concerns, complaints, and allegations related to the workplace. For all practical purposes, the primary responsibility for investigating and resolving personnel-related issues, including unfair labor practices, discrimination and harassment, lies with HRM.

Specific rules must be followed when conducting such investigations, and the federal agency providing guidance and oversight is not the HHS Office of Inspector General (OIG) or the Department of Justice (DOJ), but the Equal Employment Opportunity Commission (EEOC). Furthermore, in some states, individuals conducting these types of investigations must undergo a designated number of hours of specialized training on the laws and rules governing employees in the workplace.

The sources of workplace complaints are varied, but their emergence is all but inevitable. With that in mind, it is important to have a clearly communicated and consistently applied policy detailing the specific procedure for reporting complaints. Many organizations encourage employees to utilize the “traditional” chain of command approach to reporting and resolution, while others have established more progressive open door communication policies to encourage unrestricted communication. Direct reporting to HRM is also an option for employees. Allowing employees to report issues via an employee hotline, generally managed by the compliance officer, is yet another mechanism of reporting. Since most hotline calls involve issues that fall under HRM's primary jurisdiction, careful coordination is required to guard against a matter falling between the cracks. This does not necessarily create a bright line of authority between the two functions, as many concerns raised may cross the line from being personnel issues to being compliance issues. It is essential that the compliance office and HRM maintain open communications and establish reciprocal reporting obligations for the purpose of ensuring that the appropriate department is apprised of issues that are its primary concern. They must be able to coordinate investigative and resolution activity to avoid unnecessary duplication of effort.

All of these reporting approaches provide a stream of information that can result in the need for internal inquiry or investigation. It is very important to note that, in order to have an effective reporting program that employees will actually utilize, it must be coupled with a clearly stated anti-retaliation policy. Employees must know that retaliation or attempted retaliation in response to lodging a complaint or invoking the complaint process is strictly prohibited by the organization. In August of 2016, the EEOC issued “Enforcement Guidance on Retaliation and Related Issues”, the EEOC’s first comprehensive review of retaliation since 1998. This was in direct response to the fact that retaliation is now the most frequently alleged basis of discrimination that EEOC receives.

The compliance officer focuses much attention on the Anti-Kickback Statute, Stark Laws, False Claims Act, and other fraud laws, with considerable attention given to the OIG, DOJ, and state Medicaid Fraud Control Units. By contrast, the laws that most often occupy HRM interest include Title VII of the Civil Rights Act of 1964; the Age Discrimination in Employment Act; the Americans with Disabilities Act; the Family and Medical Leave Act; the Fair Labor Standards Act; the Uniformed Services Employment/Reemployment Rights Act; the Employee Retirement Security Act governing compensation and benefit plans; and the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) for employer-sponsored health benefits, among others. The government agencies that oversee these areas are the U.S. Department of Labor, the Equal Employment Opportunity Commission (EEOC), and a variety of state agencies. Violations can result in serious penalties.

Among the matters that HRM must investigate and resolve, one area has long outnumbered the compliance matters raised to the compliance officer: discrimination and unlawful harassment. Complaints to the federal EEOC and state counterparts number over 100,000 annually. Many other complaints are received by HRM that never go so far as to be reported to outside authorities. To meet the challenge of avoiding such complaints, HRM must implement a variety of compliance policies and train everyone on them. These activities are familiar to compliance officers, who must do the same within their risk areas. However, in the case of some of the HRM-related laws and regulations, federal and state governments establish special standards for the related policies and mandatory training. Special rules extend to the manner in which these types of cases are to be investigated, and by whom, when there is a formal complaint.

One example of a compliance risk area requiring care relates to unlawful (sexual) harassment. In a series of Supreme Court cases, the High Court set forth the principle that no employer can mount an affirmative defense to allegations of unlawful harassment unless it can meet three standards: (1) it has zero tolerance policies and procedures in place; (2) all employees and managers are trained on these policies; and (3) the organization has taken steps to identify emerging issues and does not just wait until a complaint takes place. On this last point, examples of action steps by management include screening hotline calls for any indications of emerging issues, conducting exit interviews that ask about employee work environment issues, and using training on the subject as a means to open discussion of potential problems. In the latter case, having people stay behind to make further inquiries is more likely to open doors than public statements during formal training.


Kusserow on Compliance: OCR has a record number of significant settlements so far in 2017

The HHS Office for Civil Rights (OCR) has posted about 2,000 major breaches and more than a quarter million small breaches since 2009. The common denominator for many of the cases in which there was a settlement was that the covered entity or business associate (BA) suffered one or more breaches affecting more than 500 individuals sometime between 2011 and 2013. OCR has opened 2017 with a record number of significant settlements. The most recent is CardioNet, a wireless health services provider, which provides remote mobile monitoring of, and rapid response to, patients at risk for cardiac arrhythmias. The provider entered into a settlement for $2.5 million and implemented a corrective action plan for the disclosure of unsecured ePHI on a laptop that was stolen from a parked car. CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft, and its HIPAA Security Rule policies and procedures had not been implemented. OCR has entered into a number of other significant settlements. Others who paid settlements for violating HIPAA requirements so far this year include Memorial Health Systems ($5.5 million); Children’s Medical Center in Dallas ($3.2 million); MAPFRE, a Puerto Rico life insurance company ($2.2 million); Presence Health in Chicago ($475,000); and Community Provider Network of Denver ($400,000). In all these cases, there was a requirement to take corrective actions.

2016 OCR Results

  • There were 329 Data Breaches greater than 500 Individuals (a new record).
  • 225 OCR Phase 2 of HIPAA compliance audits conducted of covered entities and BAs.
  • No onsite audits were conducted.
  • No findings or notifications from the audits have been made.
  • The OCR intends to use the results from these audits to prepare for a new and better tool in the future.
  • There was a large jump in fines imposed for HIPAA violations, which totaled about $24 million (versus a little more than $6 million and $8 million for 2015 and 2014, respectively).

OCR in 2017

  • OCR's stated intention is to conduct only a few onsite audits in 2017.
  • To date the OCR has nearly achieved the level of 2016 in terms of penalties imposed.
  • To date about 100 data breaches impacting greater than 500 Individuals have been reported.
  • About a half million individuals have been impacted in reported data breaches so far this year.
  • Only relatively few BAs were involved in any of the reported data breaches.

Enforcement actions most often come from OCR when investigations into the root cause of the breach found systemic, often profound, failures of organizational programs to safeguard protected health information. This includes the failure to perform an information security risk assessment or to have a risk management plan to address gaps in the safeguards for information systems, both required actions under the HIPAA Security Rule. Tied to this has been insufficient development of policies and procedures for HIPAA compliance. Other actionable problems that resulted in OCR imposing HIPAA corrective action plans (CAPs) included inappropriate delay in data breach reporting (reported more than 60 days after the date of discovery) and inadequate oversight of user setup and user management. There is also the continuing problem of organizations not implementing encryption technology on mobile devices.

Camella Boateng, a HIPAA consultant, reminds everyone that the recently enacted 21st Century Cures Act amends the HITECH Act to extend an individual’s right to access their PHI to data held by business associates. As such, it is more important than ever that entities give priority to engaging in a self-audit, so that vulnerabilities can be detected and resolved before they come to the attention of the government. Furthermore, with a shifting focus toward BAs, it is important to avoid any potential partner that will not commit to signing a BAA.

Strong HIPAA Compliance Program Evidence

  • HIPAA policies and procedures;
  • HIPAA request forms for patients’ rights;
  • a complete notice of privacy practices;
  • established technical, physical, and administrative safeguards;
  • conducting a regular HIPAA risk analysis;
  • developed a risk management plan to address gaps in the safeguards for PHI;
  • strong workforce education;
  • effective user management and oversight into systems with PHI;
  • auditing practices for verification of compliance;
  • ongoing evaluation of current safeguards established by the organization;
  • strong oversight into user setup and user management;
  • implementing encryption technology on mobile devices; and
  • ensuring partners have signed BAAs.


Kusserow on Compliance: OIG Work Plan now being updated monthly

The OIG announced that its work planning process is being modified to be more dynamic and to reflect the adjustments made throughout the year in response to changing priorities and newly emerging issues. As of June 15, 2017, the OIG will adjust its Work Plan on a monthly basis, rather than semi-annually as has been done previously, to ensure that the published plan more closely aligns with the work planning process. The monthly updates will include the addition of newly initiated Work Plan items and the removal of completed items.

The Work Plan sets forth various audits and evaluations that are underway or planned during the fiscal year and beyond. Projects listed in the Work Plan span the Department and include CMS, public health agencies such as the Centers for Disease Control and Prevention (CDC) and National Institutes of Health (NIH), and human resources agencies such as Administration for Children and Families (ACF) and the Administration on Aging. The OIG also plans work related to issues that cut across departmental programs, including State and local governments’ use of Federal funds, as well as the functional areas of the Office of the HHS Secretary. In conducting its work, the OIG assesses relative risks in HHS programs and operations to identify those areas most in need of attention. In evaluating potential projects to undertake, the OIG considers a number of factors, including mandates set forth in laws, regulations, or other directives; requests by Congress, HHS management, or the Office of Management and Budget; top management and performance challenges facing HHS; work performed by other oversight organizations (e.g., GAO); management’s actions to implement OIG recommendations from previous reviews; and potential for positive impact.

New Projects Added
