Kusserow on Compliance: OCR enforcement update at the HCCA Compliance Institute

“OCR Enforcement Update” was the topic of the presentation by Iliana Peters, HHS Office for Civil Rights (OCR) Senior Adviser for HIPAA Compliance and Enforcement, at the Health Care Compliance Association (HCCA) Compliance Institute. She provided an update on enforcement, current trends, and breach reporting statistics. Peters stated that the OCR continues to receive and resolve an increasing number of complaints of Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) violations. She cited that OCR has received 150,507 complaints to date, with 24,879 resolved through corrective action measures or technical assistance. At the current rate of reports, the OCR estimates it will receive 17,000 complaints in 2017. She said that this year OCR has placed a major priority on privacy issues and will be issuing guidance ranging from social media privacy to certification of electronic health record technology and the rationale for penalty assessment. She spoke about OCR’s Phase 2 audits that are underway, involving 166 covered entities (CEs) and 43 business associates (BAs). These audits are to ensure CEs’ and BAs’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules, including mobile device compliance. They address privacy, security, and breach notification. It is expected that among the results of this effort will be increases in monetary penalties this year. Phase 3 will follow the same general approach currently being used, which includes review of control rules for privacy protection, breach notification, and security management.

In her comments about what the OCR has learned from its audits and investigations, Peters made the point that most HIPAA breaches still commonly occur as a result of poor controls over systems containing protected health information (PHI). A particular vulnerability has been mobile devices, such as laptop computers, that were not properly protected with encryption and passwords.

OCR advice

Peters provided in her slide presentation considerable advice as to what CEs and BAs should do to prevent breaches and other HIPAA-related problems. CEs and BAs should:

  • ensure that changes in systems are updated or patched for HIPAA security;
  • determine what safeguards are in place;
  • review OCR guidance on ransomware and cloud computing;
  • conduct accurate and thorough assessments of potential PHI vulnerabilities;
  • review for proliferation of electronic PHI (ePHI) within an organization;
  • implement policies and procedures regarding appropriate access to ePHI;
  • establish controls to guard against unauthorized access;
  • implement policies concerning secure disposal of PHI and ePHI;
  • ensure disposal procedures for electronic devices (clearing, purging, or destruction);
  • screen appropriately everyone in the work area against the OIG’s List of Excluded Individuals and Entities (LEIE);
  • ensure departing employees’ access to PHI is revoked;
  • identify all ePHI created, maintained, received or transmitted by the organization;
  • review controls for PHI involving electronic health records (EHRs), billing systems, documents/spreadsheets, database systems, and all servers (web, fax, backup, Cloud, email, texting, etc.);
  • ensure security measures are sufficient to reduce risks and vulnerabilities;
  • investigate/resolve breaches or potential breaches identified in audits, evaluations, or reviews;
  • verify that corrective action measures were taken and controls are being followed;
  • ensure when transmitting ePHI that the information is encrypted;
  • ensure explicit policies and procedures for all controls implemented; and
  • review system patches, routers and software, and anti-virus and anti-malware software.

Expert tips to meet HIPAA compliance requirements

Carrie Kusserow, MA, CHC, CHPC, CCEP, is a HIPAA expert with over 20 years of compliance officer and consultant experience. She pointed out that the OCR finds that most HIPAA breaches still commonly occur as a result of poor or lapsed controls over systems with PHI. She noted that Iliana Peters stated that the OCR often encounters situations where established internal controls were not followed; in many cases, discoveries of breaches within organizations were not promptly investigated. Also, most of the breaches currently being reported involve mobile devices, specifically laptop computers, and a failure to properly encrypt and password protect PHI. Kusserow offered tips and suggestions in addition to those in the OCR presentation, particularly as they relate to mobile devices.

  • Conduct a complete security risk analysis that addresses ePHI vulnerabilities.
  • Ensure the Code of Conduct covers reporting of HIPAA violations.
  • Validate effectiveness of internal controls, policies, and procedures.
  • Maintain an up-to-date list of BAs that includes contact information.
  • Ensure identified risks have been properly addressed with corrective action measures.
  • Develop corrective action plans to promptly address any weaknesses or breaches identified.
  • Follow the basics in prevention of information security risks and PHI breaches.
  • Ensure policies/procedures govern receipt and removal of laptops containing ePHI.
  • Verify workforce member and user controls for gaining access to ePHI.
  • Verify laptops and other mobile devices are properly encrypted and password protected.
  • Implement safeguards to restrict access to unauthorized users.
  • Review adequacy of security processes to address potential ePHI risks and vulnerabilities.
  • Ensure the hotline is set up to receive HIPAA-related calls.
  • Verify that all BAs have signed business associate agreements.
  • Train the workforce on HIPAA policies/procedures, including reporting violations.
  • Investigate complaints, allegations, and reports of non-compliance promptly and thoroughly.
  • Engage outside experts to independently verify controls are adequate and being followed.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Is statistical sampling in audits, FCA cases, and recoupment valid?

The government has long used random sampling as a way to provide evidence in audits and to show intent or “reckless disregard” in False Claims Act (FCA) cases. While the government considers a random sample a valid sample, ‘random’ is not necessarily ‘valid’, according to Tracy M. Field, partner, Parker, Hudson, Reiner & Dobbs, LLP, and Sandra Miller, partner, Womble Carlyle Sandridge & Rice LLP. Health care providers must manage and defend against statistical evidence derived from a government audit or presented to a court. Field and Miller presented their viewpoints and practical tips in a session on March 26, 2017, at the Health Care Compliance Association Annual Compliance Institute.

Statistics in audits

Inferential statistics include a probe audit to ensure that there is a good understanding of the population and study design, according to the presenters. By definition, inferential statistics samples items to determine what a population might look like by selecting a random sample. Providing the example of 20 quarters pulled at random from a box of coins, the presenters asked, “What do you know about the population based on the sample selected?” Do the quarters represent the actual coin content of the box? Are the sampled items, in this example coins, providing a normal distribution or a skewed distribution that could be biased? Can the 90 percent confidence interval be “correct” for very imprecise data? Their answer was that we don’t always know how many quarters versus nickels are in the box, and they drew out how that concept relates to statistical sampling in claims audits.

Multiple strata. For audits to be more precise, claims are audited by identifying multiple strata. The presenters noted that a sampling unit for an Office of Inspector General (OIG) is a claim, but they stressed that “a beneficiary’s claim is really a cluster of claims which is less precise.” In another example of government audits, the multiple strata involved Current Procedural Terminology® (CPT®) codes but the audits did not take into account the payment variables or the number of claim lines sampled.

Error rates. According to the presenters, the government threshold for error rates is 5 percent in settlements. In addition, for Discovery Samples, OIG uses a 5 percent error rate to determine the full sample size; however, error rates can vary, specifically in Provider Reimbursement Review Board cases. The presenters recommended that providers speak to their legislators regarding audit issues and error rates.

Statistical sampling in False Claims Act cases

In FCA cases, statistics are used to prove the intent of the provider and establish damages. The presenters referred to court cases as they identified questions for providers to ask, including whether the case involves medical necessity of the services, whether a relator can use statistical sampling to prove both liability and damages, whether the sampling reflects patients that may need more rehabilitation, and whether patients are individually considered.

The presenters specifically pointed out the arguments in the brief of the U.S. ex rel. Michael and Whitesides v. Agape case before the Fourth Circuit, where the defendants argued that “statistical evidence is poorly adapted to proving the falsity and knowledge elements of FCA liability generally, […] particularly in this case, which involves clinical judgments, such as whether a patient is terminally ill, which is “a highly individualized, context-specific, and uncertain.” In addition, the brief noted that “courts have consistently rejected attempts to use statistical sampling to prove liability in fraud cases.”


The brief in the Agape case explained that the recoupment process, an administrative proceeding initiated by a claims processor to recover overpayments through the reduction of future Medicare payments, is a contractual set-off and is far different from an FCA case, according to the presenters. The recovery is limited to the actual amount of the overpayment plus interest, while the FCA exposes defendants to treble damages and a fine of at least $5,000 per claim. The burden of proof is on the payee to prove that it is entitled to the amount paid. Further, sampling and extrapolation in recoupment actions are authorized by statute if there is evidence of a sustained or high level of payment error (42 U.S.C. §1395ddd(f)(3)).

Florida hospital improperly billed Medicare almost $300,000 over two years

For over two years, University of Florida Health Jacksonville did not comply with Medicare billing requirements, due to inadequate billing controls. The noncompliance resulted in overpayments of at least $273,000, according to an audit by the HHS Office of the Inspector General (OIG).


The 695-bed not-for-profit hospital submitted 11,134 inpatient claims during the audit period (January 2013 through September 2014). Medicare paid the hospital $167 million on those claims. The OIG audit evaluated 1,305 inpatient claims that were potentially at risk for billing errors. From those claims, the OIG selected a random sample of 154 paid claims, totaling $1,964,826. Although the OIG determined that the hospital complied with billing requirements for the majority of the claims (133), the audit revealed that the hospital failed to comply with Medicare billing requirements for 21 claims, resulting in a net overpayment of $63,881 for the audit period. Based upon the sample, the OIG extrapolated that the hospital improperly received overpayments of at least $273,346 between January 2013 and September 2014.
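The extrapolation step described above (and the “90 percent confidence interval” question raised in the sampling session), as an added example that is not from the OIG report or this article: a mean-per-unit estimate of total overpayment from a random sample of claims, reported with the lower limit of a two-sided 90 percent confidence interval, which is the convention OIG audit reports describe for the amount a provider “at least” received. The claim counts and overpayment amounts are constructed; the critical value defaults to the normal approximation (1.645), whereas OIG’s RAT-STATS software uses the t distribution, a difference that is negligible for a sample of 154 but not for a very small one.

```python
"""Mean-per-unit extrapolation of sampled overpayments to a claims population.
Added example with constructed data; not taken from the OIG audit."""
import math
import statistics

# Normal-approximation critical value for a two-sided 90% interval.
# Assumption: RAT-STATS uses a t critical value instead; for n=154 the two
# nearly coincide, for n=20 the t value (about 1.73) widens the interval.
Z_90_TWO_SIDED = 1.645


def extrapolate(sample_overpayments, population_size, critical_value=Z_90_TWO_SIDED):
    """Point estimate and 90% interval for total overpayment in the population."""
    n = len(sample_overpayments)
    mean = statistics.fmean(sample_overpayments)
    sd = statistics.stdev(sample_overpayments)  # n-1 denominator
    # Claims are sampled without replacement: finite population correction.
    fpc = math.sqrt((population_size - n) / (population_size - 1))
    se_total = population_size * sd / math.sqrt(n) * fpc
    point = population_size * mean
    return {
        "sample_overpayment": float(sum(sample_overpayments)),
        "point_estimate": point,
        "lower_limit": point - critical_value * se_total,
        "upper_limit": point + critical_value * se_total,
    }


def recoverable(result):
    """Amount supportable under the lower-limit rule (assumption: floored at 0).
    A negative lower limit means the sample is too imprecise to justify any
    extrapolated demand, even though the point estimate may be large."""
    return max(0.0, result["lower_limit"])


# Constructed: 20 of 500 at-risk claims audited. Both samples total $6,000 in
# overpayments, so both give the same point estimate, but the skewed sample
# (three large errors, seventeen clean claims) yields a far wider interval.
PRECISE_SAMPLE = [250, 300, 350, 200, 400, 300, 275, 325, 300, 300,
                  250, 350, 300, 200, 400, 300, 275, 325, 300, 300]
SKEWED_SAMPLE = [0] * 17 + [500, 4500, 1000]
POPULATION = 500

if __name__ == "__main__":
    for name, sample in (("precise", PRECISE_SAMPLE), ("skewed", SKEWED_SAMPLE)):
        r = extrapolate(sample, POPULATION)
        print(f"{name}: point ${r['point_estimate']:,.0f}, "
              f"lower limit ${r['lower_limit']:,.0f}, "
              f"recoverable ${recoverable(r):,.0f}")
```

Run as-is, the precise sample supports an “at least” figure of roughly $140,000 against a $150,000 point estimate, while the skewed sample’s lower limit falls below zero despite the identical point estimate.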


For 19 of the 154 claims, the hospital billed incorrect diagnosis-related group (DRG) codes. For example, in one case, the hospital submitted a claim with a secondary diagnosis code 599.0 (urinary tract infection), despite the fact that the patient’s medical record indicated the patient had no signs or symptoms of a urinary tract infection. In other words, the hospital had no basis to assign code 599.0. The hospital attributed the billing mistakes to human error. The noncompliance related to the DRG codes accounted for the vast majority of the errors and led to net overpayments of $47,165.

When a patient is discharged from an acute care hospital and readmitted to the same hospital on the same day for symptoms related to the prior stay, the hospital is required to combine the original and subsequent stay into a single claim. The OIG determined that for 2 of the 154 audited claims, the hospital incorrectly billed Medicare for related discharges and readmissions that occurred on the same day. The hospital attributed the improper billing to human error.


The OIG recommended that the hospital:

  • refund the estimated $273,346 in overpayments to the Medicare program;
  • identify and return similar overpayments; and
  • strengthen billing and coding controls to ensure future compliance.



The hospital objected to the findings regarding 11 of 21 inpatient claims. Additionally, although the hospital acknowledged that human error contributed to the 10 other errors, there was “no evidence to support systemic coding or billing concerns.” The hospital also challenged the OIG’s authority to extrapolate a payment error rate.