Kusserow on Compliance: DOJ establishes new Medicare Strike Force for the Newark/Philadelphia area

The DOJ announced the formation of the Newark/Philadelphia Regional Medicare Fraud Strike Force (Regional Strike Force). The Strike Force operations are part of a joint initiative between the DOJ and HHS to focus their efforts to prevent and deter fraud and enforce current anti-fraud laws around the country. Since its inception in March 2007, the prosecutors in the 10 Medicare Fraud Strike Force locations have charged over 3,700 defendants who collectively have falsely billed the Medicare program for over $14 billion. The new Strike Force will focus its efforts on aggressively investigating and prosecuting cases involving fraud, waste, and abuse within the federal health care programs, and cases involving illegal prescribing and distribution of opioids and other dangerous narcotics. Prior to the announcement, there were only 10 cities that had such task forces.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Stark law to undergo interagency review

The CMS Administrator announced plans to convene an inter-agency group to focus on how to minimize the regulatory barriers created by the Stark law, which was established in 1989 and underwent expansion in the 1990s. Providers have raised concerns from the beginning of the implementation of the Stark law. The agencies involved in the review will include CMS, OIG, HHS General Counsel, and the DOJ. The Stark law prohibits doctors from referring Medicare patients to hospitals, labs and colleagues with whom they have financial relationships unless they fall under certain exceptions. It also prevents hospitals from paying providers more when they meet certain quality measures, such as reducing hospital-acquired infections, while paying less to those who miss the goals. As a result, the law is viewed as making it difficult for physicians to enter innovative payment arrangements because they are not susceptible to fair market value assessment—a Stark requirement. These prohibitions are seen as interfering with key factors related to value-based care. Unlike the Anti-Kickback Statute, which is enforced by the OIG, the Stark law is considered regulatory and falls under CMS jurisdiction. From a regulatory standpoint, there is only so much that CMS can do to make substantive changes. Any real changes in the law will have to come from Congress.

This is not the first time that CMS has tried to ease the rules concerning the Stark law. In 2015, CMS published a proposed rule relaxing aspects of the Stark law, including easing of some of the strict liability features of the law and CMS’ burden in dealing with the interpretation of key terms, requirements, and other issues. After reviewing an enormous number of self-disclosures, CMS realized that a large part of the docket involved arrangements that may technically violate the statute but do not actually pose significant risks of abuse. Therefore, it appears that CMS seeks to reduce the number of self-disclosures reported. However, the proposed update is also intended to account for recent changes relating to health care reform and advancements in patient care and payment methodologies. CMS wanted to ensure that Stark does not inhibit Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) reforms, and these are the same concerns driving the latest initiative.

Kusserow on Compliance: OCR releases new guidelines on software vulnerabilities and patching

The HHS Office for Civil Rights (OCR) recently released a report that focuses on software bugs and patches designed to reduce the vulnerability of computer systems that put electronic personal health information (ePHI) at risk. The OCR noted that last year researchers discovered a widespread vulnerability in computer processors that were sold over the previous decade. These vulnerabilities, known as Spectre and Meltdown, allow “malware” to bypass data access controls and potentially access sensitive data. This security flaw has been present in nearly all processors produced in the last 10 years and affects millions of devices. Upon discovery of these defects, vendors scrambled to release patches that addressed this problem. Managing patches plays an important role in maintaining HIPAA Security Rule compliance, and without them vulnerabilities will not be fixed. The health care sector relies on software to manage ePHI, and organizations are required under the HIPAA Security Rule to use appropriate technical safeguards to ensure the security of ePHI, including the evaluation of software vulnerabilities, the assessment of potential risks, and the implementation of solutions to keep risk at a reasonable minimum. The OCR suggested the following for effective patch management:

  • Evaluate patches to determine if they apply to your software/systems.
  • Test patches on an isolated system for any unwanted side effects.
  • Once patches have been evaluated and tested, approve them for
  • Deploy patch installation on live systems.
  • Test and verify to ensure correct patch installation and no unforeseen side effects.

Kusserow on Compliance: Conducting compliance risk assessments

Conducting compliance risk assessments continues to be a challenge for Compliance Officers. In SAI Global’s ninth annual Compliance Benchmark Survey, conducted with Strategic Management Services, nearly four out of ten responding organizations reported that the Compliance Office had responsibility for all risk management, not just for the compliance program. As with all program managers, Compliance Officers have responsibility for risk management in their areas of responsibility. This includes conducting risk assessments as part of ongoing monitoring. However, there remains a lot of confusion among compliance officers and organizations regarding the whole subject. Regardless of who assumes the responsibility for assessing risk areas, the subject should begin with how regulatory bodies define risk assessment.

Defining risk assessment 

Federal Regulations. (e) Annual review. The operating organization for each facility must review its compliance and ethics program annually and revise its program as needed to reflect changes in all applicable laws or regulations and within the operating organization and its facilities to improve its performance in deterring, reducing, and detecting violations under the Act and in promoting quality of care  (see 42 C.F.R. 483.85).

US Sentencing Commission Guidelines Manual. 2(a)(5) The organization shall take reasonable steps—(B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program (§8B2.1 Nov. 2016).

OIG Compliance Guidance Documents. The OIG has called for compliance risk assessments in a variety of compliance guidance documents. For example, in their Compliance Guidance for Nursing Facilities they “recommend that all nursing facilities evaluate their current compliance policies and procedures by conducting a baseline assessment of risk areas, as well as subsequent reevaluations. . .” How a nursing facility assesses its compliance program performance is therefore integral to its success. The attributes of each individual element of a compliance program must be evaluated in order to assess the program’s “effectiveness” as a whole. Examining the comprehensiveness of policies and procedures implemented to satisfy these elements is merely the first step. Evaluating how a compliance program performs during the provider’s day-to-day operations becomes the critical indicator.

When conducting a risk assessment it is necessary to determine the objectives. The following relates to ideas and tips concerning compliance program risk assessment.

Compliance program risk assessment objectives

  • Verify all the elements of the compliance program have been implemented
  • Determine whether all the elements are functioning as planned
  • Evaluate the documentation evidencing effectiveness of the program
  • Identify compliance program strengths, as well as areas warranting improvement
  • Develop a work plan to measure program improvements and address any weaknesses

Questions to ask about compliance risk areas

  • Were levels of risk and vulnerabilities assigned?
  • Is there an annual work plan to address identified high-risk areas?
  • Are there internal controls and policies addressing high-risk areas?
  • Are policies periodically reviewed and updated?
  • Do policies address applicable regulations, recent OIG Work Plans, etc.?
  • Were compliance-related policies distributed to all covered persons?
  • Is there a Code of Conduct that provides compliance guidelines for employees?
  • Did employees sign a receipt evidencing receipt of the Code of Conduct?
  • What evidence is there that employees were trained on the Code and policies?
  • What evidence exists that employees understood and remembered the lessons?
