Kusserow on Compliance: Three new projects added to the OIG Work Plan in April

The OIG regularly updates its Work Plan as it continues to assess relative risks in HHS programs and operations that may lead to new projects. The most recent changes involved adding six new projects to the OIG’s audits and evaluations that are planned or underway. In making these additions, the OIG considered a number of factors, including mandates set forth in laws, regulations, or other directives; requests by Congress, HHS management, or the Office of Management and Budget; top management and performance challenges facing HHS; work performed by other oversight organizations (e.g., the GAO); management’s actions to implement OIG recommendations from previous reviews; and potential for positive impact.

New Projects Added

  1. Medicaid Nursing Home Supplemental Payments will be reviewed by the Office of Audit Services for completion in fiscal year (FY) 2019. Prior OIG and GAO audits have found that Federal supplemental payments often benefit the state and local governments more than the nursing homes. The OIG plans to review the nursing home supplemental payment program’s flow of funding and determine how the funds are being used. CMS approved a nursing home supplemental payment program in certain states that pays the difference between Medicare and Medicaid rates for nursing home services. In some of these programs, local governments fund the states’ share of the supplemental payments through intergovernmental transfers.

 

  1. The OIG plans to review the extent to which drug formularies developed by Part D sponsors include drugs commonly used by dual-eligible beneficiaries as required. The Patient Protection and Affordable Care Act (ACA), under Section 3313, requires OIG to conduct this review annually. This will be the eighth report issued. The work will be performed by the Office of Evaluation and Inspections with a target completion date of FY 2018.

 

  1. Audit of CMS Medicare Overpayment Recoveries Related to Prior OIG Recommendations, targeted for completion in FY 2019. In the last couple of years, the OIG issued 153 audit reports that related to the Medicare program, containing 193 monetary recommendations totaling $648 million. Of the $648 million in recommended overpayment recoveries, CMS agreed to collect $566 million applicable to 190 recommendations. The OIG plans to determine the extent to which CMS: (1) collected agreed upon Medicare overpayments identified in OIG audit reports and (2) took corrective action in response to the recommendations in a prior audit report examining CMS’ overpayment recoveries (A-04-10-03059). In that report, OIG recommended CMS enhance its systems and procedures for recording, collecting, and reporting overpayments. The OIG also recommended that CMS provide guidance to its contractors on how to document that overpayments were actually collected.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: HIPAA enforcement update

At the 2018 HCCA Compliance Institute HIPAA Policy and Enforcement Update, it was reported that since September 2009 through the end of 2017 there were 2178 reports filed with the HHS OCR involving breaches affecting 500 or more individuals. In addition to large breaches, there were over 300,000 reports of breaches of protected health information (PHI) affecting fewer than 500 individuals. Individuals affected by the large breaches were about 177 million. So far, OCR’s website has posted 38 breaches as of April 2018. In all, nearly one million patients may have had their PHI put at risk by these incidents with the number continuing to grow. The breakdown of type of large breaches includes:

  • Loss/Theft continues as the most often reported problem; nearly half of the cases.
  • Laptops and other portable storage devices represented one fourth of large breaches.
  • Hacking/IT Incidents account for about one in five reported incidents.
  • Paper records accounted for another fifth of the large breaches

10 largest 2018 incidents to date by number of patient records affected

  1. 582,174 – California Department of Developmental Services, 4/06/2018, Unauthorized Access/Disclosure Incident
  2. 279,865 – Oklahoma State University Center for Health Sciences, 1/05/2018, Hacking Incident
  3. 134,512 – St. Peter’s Ambulatory Surgery Center LLC- d/b/a St. Peter’s Surgery & Endoscopy Center, 2/28/2018, Hacking Incident
  4. 70,320 – Tufts Associated Health Maintenance Organization, Inc. reported on 2/16/2018 an Unauthorized Access/Disclosure Incident
  5. 63,551 – Middletown Medical P.C.,  3/29/201 an Unauthorized Access/Disclosure
  6. 53,173 – Onco360 and CareMed Specialty Pharmacy, 1/12/2018, Hacking Incident
  7. 36,305 – Triple-S Advantage, Inc., 2/02/2018, Unauthorized Access/Disclosure Incident
  8. 35,136 – ATI Holdings, LLC and its subsidiaries, 3/12/2018, Hacking Incident
  9. 34,637 – City of Houston Medical Plan reported on 3/22/2018 a Theft of Laptop Incident
  10. 30,799 – Mississippi State Department of Health, 3/26/2018, Unauthorized Access/Disclosure

Top 10 Recurring Compliance Issues

  1. Pattern of disclosure with sensitive paper PHI
  2. Business Associate Agreements
  3. Risk analysis issues
  4. Failure to manage identified risk, e.g. Encryption of data
  5. Lack of transmission security
  6. Lack of appropriate auditing
  7. No patching of software
  8. Insider threats from employees and contactors
  9. Improper disposal of data
  10. Insufficient data backup and contingency planning

HHS OCR calls for health care organizations to establish contingency plans to keep patient data secure and mandate that covered entities and business associates have such plans. In their March newsletter, OCR officials urged health care organizations to figure out which IT systems are critical, to understand how to function in a disaster, and to back up PHI so it can be retrieved if the original data are lost or taken offline. Once developed, the plan should be routinely tested to identify gaps and ensure updates for plan effectiveness and increase organizational awareness. The plan should be reviewed and updated on a regular basis when there are changes: technical, operational, or in personnel.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Human resources compliance—update on EEOC investigations

Most hotline complaints received relate to HR related issues, including harassment, discrimination, and unfair treatment, making this one of the most common compliance issue areas. Many employees go on to report their complaints to the Equal Employee Opportunity Commission (EEOC) that is responsible for addressing workplace harassment complaints. Media reports have focused on the long delays in resolving allegations of discrimination (1.5 years for federal employees and 500 days for the private sector). An increase of $15 million was authorized this year in the EEOCs budget, which may help with the backlog. The reason for the longer wait for federal employee complaints is that that a federal employee must first file a complaint with his or her agency’s equal employment office, which conducts an investigation. The employee may then file a lawsuit or request a hearing with an EEOC administrative judge.  The staffing level for the Commission is about 2,000, of which there are 549 investigators responding to allegations and complaints. For 2017, the Commission reported:

  • Resolution of 99,106 charges, an increase of 1,660 over 2016
  • Reduction of the inventory of pending charges by 16 percent to 61,621
  • Secured $484 million for victims of discrimination
  • 7,218 successful mediations resulting in over $163.7 million in benefits to charging parties
  • Resolution of 6,661 federal employee hearing requests with $73 million in their relief
  • Resolution of 4,284 appeals of agency decisions
  • Resolution of 85 percent of appeals over 500 days pending
  • $13.3 million in remedies secured
  • 4,500 individuals received monetary relief as a direct result of litigation resolutions
  • 184 lawsuits filed, including 124 suits on behalf of individuals

In most cases, the EEOC has found that there was not sufficient evidence to make a finding that discrimination occurred. Only about 3 percent of cases were found to have reasonable cause.  Also reported was an increase in the number of complaints being received that may be fueled in part by the emergence of the #MeToo movement.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Emerging government enforcement priorities for 2018

At the HCCA conference in April, there were several presentations regarding the government’s enforcement priorities. There were a number of emerging issues that were the subject of considerable attention: the opioid crisis, electronic health record (EHR) fraud, and telehealth/telemedicine. By far, the area given the most attention was the opioid crisis.  More than a dozen presenters included comments in their presentations on this subject, including presenters from the DOJ, OIG, CMS, and the OCR. This is not surprising in that last October the President declared this to be a national public health care crisis and marshaled regulatory and enforcement agencies to actively focus on steps to alleviate it. Other agencies not present at the HCCA are included in this effort, such as the FDA, FCC, CDC, Indian Health Service, Veterans Administration, Department of Defense TRICARE program, and others. At the federal and state level, there is increased legislative, regulatory, and enforcement actions activity related to substance abuse and behavioral health services. In January, the Attorney General announced the DEA was increasing its focus on pharmacies and prescribers who dispense unusual or disproportionate amount of such drugs. He also has created the Prescription Interdiction and Litigation (PIL) task force to aggressively deploy and coordinate all available criminal and civil law enforcement tools to address the crisis. Both DOJ and OIG presenters noted the July 2017 “take down” of 412 defendants in 41 different judicial districts. The defendants included over 100 doctors, nurses, and other medical license professionals. Together these individuals were responsible for over $1.3 billion in false billings.

The second most reported topic concerned cyber and IT security of Protected Health Information (PHI). This was a main topic in the presentation by OCR, but was alluded to in seven other presentations on cybersecurity and threats and complying with HIPAA Privacy and Security standards. The OCR reported that since 2009, there have been 2178 reports of breaches over 500 files with more than 300,000 cases of breaches affecting fewer than 500 files. The OCR has responded to over 170,000 complaints that resulted in over 25,000 cases being resolved with corrective action measures.  The OCR expects about 17,000 new complaints this year.  The top 10 recurring issues involve: (1) disclosure of sensitive paper information, (2) business associate agreements, (3) risk analysis, (4) failure to manage risks, such as with encryption, (5) lack of transmission security, (6) failure of ongoing auditing, (7) no patching of software, (8) insider threats, (9) improper disposal of records, and (10) insufficient backup of information and contingency planning.

Several sessions focused on physician arrangements and how they could implicate the Anti-Kickback Statute and Stark Laws.  Statistics from DOJ indicated the continuing trend of increased number of qui tam cases that has grown from 426 in 2015 to around 500 in 2017 with annual settlements averaging about $2.5 billion per year.

New cases involving Meaningful Use Fraud were reported with the promise that more new cases were under development.  Another area getting a lot of enforcement attention by the DOJ and OIG relate to telehealth and telemedicine. Cases surfacing now are focusing on claims arising from billings for these areas that did not qualify as such.  Only certain telehealth services are covered by Medicare and providers should take care to follow CMS guidance on what qualifies.

It is interesting to compare these priorities with results for the 2018 Compliance Benchmark Survey of compliance officers. There was no mention of the opioid crisis, as it was just an emerging national issue at the time the survey was taken. HIPAA security/cyber-security was the highest priority. It is troubling that corrupt arrangements with referral sources remains the number one regulatory and enforcement priority for the OIG and DOJ but is ranked fifth in priority to respondents. The other major and continuing enforcement priority related to claims submissions and that ranked third in priority by compliance officers.  A complementary webinar relating to this survey will be presented on May 9th.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.