Kusserow on Compliance: Recap of the OCR’s 2017 HIPAA enforcement

The HHS Office for Civil Rights (OCR) HIPAA Privacy Rule enforcement has been steadily increasing since it began the effort in 2003. Over the years, OCR has received over 175,000 HIPAA complaints and initiated nearly 1,000 compliance reviews. OCR investigations have resolved nearly 30,000 cases by requiring changes in privacy practices, taking corrective actions, or providing technical assistance to HIPAA covered entities and their business associates. OCR has been enforcing the HIPAA Rules where an investigation indicates noncompliance by the covered entity or their business associate. OCR investigations have ranged widely and included national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices. To date, OCR has settled or imposed a civil money penalty in about 60 cases resulting in a total dollar amount of about $75,000,000. The average of enforcement penalties has been about $1.5 million per case. In another 12,000 cases, no violations were found. In another 25,000 cases, OCR intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation. In the balance of over 100,000 cases, OCR determined that the complaint did not present an eligible case for enforcement because of lack of jurisdiction, because the complaint was untimely or withdrawn by the filer, or because the activity described didn’t violate HIPAA.

 

Cases that OCR closes fall into five categories:

  1. Resolved without investigation. OCR closes these cases after determining that OCR lacks jurisdiction, or that the complaint, referral, breach report, news report, or other instigating event will not be investigated. These include situations where the organization is not a covered entity or business associate and/or no protected health information (PHI) is involved; the behavior does not implicate the HIPAA Rules; the complainant refuses to provide consent for his/her information to be disclosed as part of the investigation; or OCR otherwise decides not to investigate the allegations.
  2. Technical assistance only. OCR provides technical assistance to the covered entity, business associate, and complainant through early intervention by investigators located in headquarters or a regional office.
  3. Investigation determines no violation. OCR investigates and does not find any violations of the HIPAA Rules.
  4. Investigation results in corrective action. OCR investigates and provides technical assistance to or requires the covered entity or business associate to make changes regarding HIPAA-related privacy and security policies, procedures, training, or safeguards. Corrective action closures include those cases in which OCR enters into a settlement agreement with a covered entity or business associate.
  5. Other. OCR may investigate a case if (a) DOJ is investigating the matter; (b) it was a result of a natural disaster; (c) it was investigated, prosecuted, and resolved by state authorities; or (d) the covered entity or business associate has taken adequate steps to comply with the HIPAA Rules, not warranting deploying additional resources.

 

Order of frequency of issues investigated

 

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Use or disclosure of more than the minimum necessary protected health information; and
  • Lack of administrative safeguards of electronic protected health information.

 

Most common types of entities resulting in corrective actions

 

  • General hospitals;
  • Private practices and physicians;
  • Outpatient facilities;
  • Pharmacies; and
  • Health plans (group health plans and health insurance issuers).

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Using experts to staff gaps in the compliance office

It is becoming increasingly common for changes in compliance programs to lead to “gaps” that can leave an organization without day-to-day management or support. This can result in serious problems and potential liability, especially at a time when mandatory compliance requirements are under development and there are increasing expectations for compliance by the Department of Justice (DOJ), HHS Office of Inspector General (OIG), and CMS. With the heightened enforcement environment, leaving such a gap can be risky. All this makes finding a suitable, properly qualified replacement in a timely manner a relatively high priority, but not an easy task. In many cases, the gap is not with the chief compliance officer, but with compliance managers or other professionals in the office. In any case, the effort that goes into finding and hiring a properly experienced and qualified person may be difficult and time consuming. The quick fix of designating someone internally to do the work, until a permanent replacement can be recruited, is unwise and may be downright dangerous. For smaller organizations, it is not likely there is anyone who is sufficiently qualified to carry out all the duties. It is also not good for someone to take on those duties temporarily and make decisions that may haunt them when they return to their old job. Also, making some decisions, when not properly trained or qualified, may create a potential problem for the organization. What is worse is selecting someone to take on the role of compliance officer as a temporary set of secondary duties to their current job. This will always lead the individual to continue giving priority to their regular job and do as little as possible in compliance. As such, it is not surprising that many turn to engaging temporary experts to fill the gap until a suitable replacement can be found.

A properly qualified outside expert acting in a temporary capacity has a lot of advantages. They bring the experience of having served in other organizations and dealing with many of the same issues already addressed by prior jobs. Important also is that they have not been invested in any prior decisions, nor have they been aligned with any parties in the organization. Most importantly, they bring “fresh eyes” to the program. They can provide a lot of added benefits, such as:

  • Offering suggestions and giving guidance for improvements
  • Providing an independent assessment of the status of the compliance program
  • Making an assessment of high-risk areas that warrant attention
  • Giving ideas on building a firmer foundation for the compliance program
  • Reviewing adequacy of the existing code, compliance policies, and other guidance
  • Evaluating the quality and effectiveness of compliance training
  • Developing a “road map” for the incoming compliance officer to follow
  • Assisting in identifying and evaluating candidates for the permanent position
  • Assessing resources needed to effectively operate the compliance program
  • Identifying or building metrics that evidence compliance program effectiveness
  • Developing comprehensive briefings for management and board on the state of the program

 


Kusserow on Compliance: GAO expects increase in fraud investigations in 2018

In a report entitled “Medicare CMS Fraud Prevention System Uses Claims Analysis to Address Fraud”, the Government Accountability Office (GAO) noted that 65 percent of providers were subject to prepayment review, with 654 new Fraud Prevention System (FPS) investigations in Fiscal Year (FY) 2016. CMS is responsible for conducting program integrity activities intended to reduce fraud, waste, and abuse, and it is relying upon the FPS and other CMS information technology (IT) systems to meet this responsibility. More than one out of five fraud investigations have been based on leads generated by Medicare claims data analysis. Also, FPS edits last year resulted in the denial of 324,000 claims and saved more than $20.4 million. FPS analyzes Medicare claims to identify health care providers with suspect billing patterns for further investigation and to prevent improper payments. The analysis is done using a set of models that develop leads for investigators and execute automated payment edits. Leads are created by looking at billing patterns, such as a disproportionate number of services in a single day from a single provider. The CMS FPS helped stop billions of dollars in improper payments. Now 20 percent of the Zone Program Integrity Contractors (ZPIC) fraud investigations began with an FPS lead, and this is expected to increase as CMS continues to roll out the FPS and changes program integrity contractor requirements for using FPS with the transition from ZPICs to Unified Program Integrity Contractors (UPICs).


Kusserow on Compliance: Health care mergers and acquisitions due diligence

Hardly a day passes when the press does not report on a new merger or acquisition in the healthcare sector. Some of these are monumental in scope, but most relate to individual hospitals, facilities, or entities. The number of hospital and health system mergers and acquisitions continued its upward trend in the first quarter of 2017, with an eight percent increase from 25 to 27 transactions compared to the first quarter of 2016. This trend is likely to continue and is stimulated by health care reform that will likely result in more consolidation and integration among hospitals and physician practices. There are two common types of due diligence: financial and legal. However, the highly regulated nature of the health care industry requires a third type: regulatory due diligence, to avoid discovering and having to make disclosures of regulatory violations and overpayments of millions of dollars.

Financial and Legal Due Diligence

Due diligence reviews generally focus on financial accountability and legal liabilities. An independent accounting firm focuses on reviewing and evaluating the balance sheets, income statements, audit reports, and cash flow statements and projections in measuring financial viability. There are many very competent public accounting firms that specialize in this type of work. For legal due diligence, the focus is on examining the entity’s structure; business permits and/or approvals; employment and labor law compliance; environmental law approvals, permits and compliance; contractual rights and obligations; intellectual property rights and obligations; real property law compliance; securities and financing regulatory compliance; tax exposure risks; consumer protection law and exposure risks; and/or licenses; previous and/or current litigation; media reports; and external consultants and/or advisors. There is an abundant number of law firms that provide high quality services in this type of work. What is often missing is a focus on the potential health care regulatory and legal compliance issues.

Health Care Regulatory Due Diligence

In the health care sector, things are more complicated, because health care facilities are subject to a tremendous number of state and federal laws and regulations that govern how business must be conducted. As such, there are significant risks that a purchaser can inherit serious regulatory liabilities without checking to see how the entity is complying with these rules. With the right experts with experience in doing this kind of work, the time and costs for the due diligence review can be only a small fraction of the costs of either a financial or legal review. The reason is simple: financial and legal due diligence involves detailed examination of a large volume of information. Regulatory compliance experts know exactly where to look for any weaknesses without having to do a “deep dive.” As such, it is difficult to imagine why a party looking to make an acquisition would not want a regulatory due diligence. High on the list for any reviews should be arrangements with referral sources—the highest enforcement priority of both the DOJ and OIG for many years—and review of the claims processing system and controls to ensure that there are not regulatory issues waiting to be discovered by CMS contractors or enforcement agencies. In virtually all cases, problems will be identified that in very few cases would interfere with the decision to acquire, but identifying them is very likely not only to avoid a future liability but also to put on the table additional tools to improve the negotiation terms and conditions.

 
