IT experts say foreign actors, human error biggest threats to health record security

Foreign hackers and human error are two of the most significant threats to protected health information (PHI) and other health records that providers and health care entities must prepare for, according to four information technology experts speaking at a conference sponsored by Becker’s Hospital Review. They all agreed that breaches and cyberattacks will continue, so health care institutions must be diligent about security systems, audits, training, insurance, and adequately responding to breaches in order to mitigate punishment and quickly recover from an attack.

Weakest link 

Aaron Miri, chief information officer for Imprivata, and Michael Leonard, director at Commvault, both noted that regardless of the tools and systems put in place to ward off breaches, malware, ransomware, and other cybersecurity threats, people will always be the weakest link. Leonard noted that when it comes to an institution’s cybersecurity program, “people training has to be continuous and repetitive.”

Katherine Downing, senior director at the American Health Information Management Association (AHIMA), highlighted one type of “insider threat”: physicians who use workarounds that bypass the security features of electronic health record (EHR) systems (such as texting PHI about patients to each other). David Miller, CEO of HCCIO Consulting, LLC, was blunter when asked what the biggest threat was to PHI and other health records: “Russia and China.”

Jurisdictions

Miri noted that providers must deal with a “wide disparity of laws” regarding the security and privacy of health information, not just federal and state laws, but, starting in May 2018, the General Data Protection Regulation (GDPR) issued by the European Union. The GDPR replaces a framework of different information security measures that mainly affected just European companies with a national network and information security strategy that will impact American life sciences and healthcare entities that collect and/or use any data concerning health, genetic data, or other types of protected health information (PHI).

Audits

Miller expressed amazement at how many health care institutions have not had a HIPAA audit in the previous two years. The HHS Office for Civil Rights (OCR) reviews organizations’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules and looks for documentary proof that entities have conducted risk assessments and created and implemented policies and procedures governing areas including the shielding of PHI. Miller noted that providers must continually educate and re-educate staff on policies related to HIPAA. But he added that providers can also “take advantage of a breach situation to talk to senior management to increase security measures.”

Record retention

In addition to protecting PHI, health care entities have to make decisions about destroying records after record retention periods have ended. Downing noted that entities “can’t keep everything forever.” Health care entities already bear the expense of saving, backing up, and securing required health records; doing the same for older records that no longer have to be retained is just an added expense.

In the end, Miri noted that these are the questions that health care entities have to ask: What are they willing to spend to avoid a breach? What are they willing to risk regarding their reputations?

Improved probe and education program targets specific providers within a particular service

Targeted Probe and Education (TPE) is an improved medical review strategy that will focus on specific providers/suppliers within the service rather than all providers and suppliers billing a particular service, according to a CMS news release. The TPE program began as a pilot in one Medicare Administrative Contractor (MAC) jurisdiction in June 2016 and was expanded in July 2017 to three additional MAC jurisdictions. Based on the success of the pilot programs, CMS plans to expand the TPE program to all MAC jurisdictions in 2017.

Probe and Educate program

The updated medical review strategy arose from an initial strategy known as Probe and Educate, which combined the review of a sample of claims with education to help reduce errors in the claims submission process; TPE moves from that broader review to a more targeted one. TPE claim selection differs from previous probe and education programs because the selection is provider/supplier specific from the outset rather than a review of all providers for a specific service, thus eliminating from the review process providers whose claims comply with Medicare policy.

Under the Probe and Educate program, MACs focused on review of inpatient hospital admissions related to the two midnight rule and home health eligibility requirements. MACs reviewed selected claims submitted by acute care inpatient hospital facilities, long term care hospitals, and inpatient psychiatric facilities for admissions that occur between October 1, 2013 and March 31, 2014 (see CMS issues additional guidance for “two midnight” rule for inpatient hospital admissions, Health Law Daily, November 5, 2013). MACs continued to conduct “probe and educate” reviews for inpatient stays shorter than two midnights. Under the probe and educate process outlined in an earlier CMS release, MACs reviewed claims to determine if the inpatient stay of less than two midnights was reasonable and necessary (see CMS extends RAC prohibition of reviews of stays longer than 2 midnights, Health Law Daily, February 3, 2014).

In the first round of the Probe & Educate program, MACs reviewed home health agency claims to assess compliance with, and to promote provider understanding of, Medicare home health eligibility requirements (see HHA claims will be reviewed to confirm understanding of eligibility requirements, Health Law Daily, November 10, 2015). In round two of the program, MACs began a one-year period of claim reviews and provider education and will start submitting additional documentation requests (ADRs) on or after December 15, 2016 (see ‘Probe and Educate’ program for home health eligibility continues, Health Law Daily, December 20, 2016).

TPE process

Based on data analysis, Medicare Administrative Contractors (MACs) will review claims (1) for items and services that pose the greatest financial risk to the Medicare Trust Fund or have a high national error rate and (2) of providers/suppliers that have the highest claim error rates or billing practices that vary significantly from their peers. Under TPE, MACs will review 20 to 40 claims per provider/supplier, per item or service, and per round, for a total of three rounds of review. After each round of review, the MAC will offer the provider individualized, one-on-one education to address errors within the provider’s/supplier’s claims based on the results of the review.

Removal from the review process

Providers/suppliers may be removed from the review process after any of the three rounds of probe review if they demonstrate low error rates or sufficient improvement in error rates. However, providers/suppliers with moderate or high error rates in the first round of reviews will continue on to a second round of reviews, followed by additional provider-specific education. Those providers/suppliers that continue to have high error rates in the second round of review and education will continue to the third round. Providers/suppliers that continue to have high error rates after three rounds of TPE may be referred to CMS for additional action.

Know the auditors and the audit process: you’ll be audited someday

Providers and suppliers will be audited by CMS at some point, so it is important to understand the various types of audits and the appeals process, according to the presenter of a Health Care Compliance Association (HCCA) webinar titled “Medicare Audits & Audit Appeals—From A to Z(PIC).” Scott R. Grubman, Esq., of Chilivis Cochran Larkins & Beyer LLP, focused his discussion on recovery audit contractors (RACs) and zone program integrity contractors (ZPICs) and the various steps of the audit appeals process, from the initial determination to judicial review.

RACs

Charged with “identifying and correcting improper payments through detection and collection of overpayments,” the RAC program started as a demonstration project and completed its first audits in 2011-2013. As new RAC contracts were awarded in October 2016, RAC audits will continue into the future. RACs are paid a contingency fee (somewhere between 7 and 17 percent of the recovery), but only when a favorable reconsideration is made, so they have a financial incentive to find and recover overpayments. According to Grubman, RACs “may not work on the side of fairness for providers.” But RACs are limited in the number of claims they can audit per provider per year and must maintain a 95 percent accuracy rate and an overturn rate of less than 10 percent. RAC audits, as well as MAC audits, are desk reviews, unlike ZPIC audits.

ZPICs

Grubman warned providers to be careful when going through a ZPIC audit. ZPICs are tasked, for example, with investigating potential fraud and abuse and referring parties for CMS administrative actions or to law enforcement; conducting investigations (not just desk audits, but interviews and onsite visits, too) and data analysis under the CMS Fraud Prevention System; and identifying the need for administrative actions such as payment suspensions. While RACs typically look at unintentional overpayments, ZPICs respond to intentional overpayments.

Audit process

Whichever auditor reviews the claim, an initial determination is first made as to whether the items and services are covered and the amount payable. The auditor then notifies the provider/supplier of the decision following specific notice requirements. A provider or supplier may appeal that decision, following this chronology:

1. Redetermination. A request for a redetermination must be filed within 120 calendar days from receipt of the initial determination, and within 30 calendar days to avoid CMS starting to recoup the overpayment. (Grubman suggests starting the count on the date listed on the determination, not receipt, to avoid running into any issues.) The redetermination involves an “independent review” performed by the same contractor (but a different individual). New issues may be raised by the contractor during redetermination, but a redetermination must be issued within 60 days from receipt of request.
2. Reconsideration. Within 180 days of the redetermination (or within 60 days to avoid recoupment), a party may file a request for reconsideration, which is an independent review of the evidence and findings conducted by a qualified independent contractor (QIC). QICs are bound by national coverage determinations (NCDs), CMS rulings, precedential Medicare Council decisions, and applicable laws and regulations. (Local coverage determinations (LCDs) and CMS program guidance are not binding but are given substantial deference.) A QIC has 60 days to issue its reconsideration, and if the deadline isn’t met, the appellant can escalate to the next level of appeal.
3. Administrative law judge (ALJ). If the amount at issue exceeds $160, a request for an ALJ decision may be filed within 60 days of the reconsideration (recoupment cannot be avoided). A hearing is typically held in person, by video conference, or by telephone, and parties may submit evidence and/or present witnesses. An ALJ decision is a de novo review, and ALJs have wide discretion over the hearing. ALJs are bound by the same NCDs and laws and regulations and must give deference to non-binding authority, as with reconsiderations. An ALJ must issue a decision within 90 days; however, there is an immense backlog in issuing decisions, which has even become the subject of a legal challenge (see Court sets a timeline for Medicare claims backlog, December 6, 2016).
4. Medicare Appeals Council. Within 60 calendar days of the ALJ’s decision, a review by the Medicare Appeals Council may be requested. The Council’s review is limited to those issues with which the appellant claims to disagree. Briefs are filed by the parties, but no new evidence is provided. Typically a decision is made with no oral arguments and must be made within 90 calendar days.
5. Judicial review. Within 60 calendar days of receipt of the Council’s decision, a suit may be filed in the district court where the provider/supplier resides or has its principal place of business, with the Secretary of HHS named as defendant.

Identifying ‘60-day rule’ overpayments during routine auditing

The need to identify, report, and return Medicare and Medicaid overpayments to CMS under the “60-day rule” and the ability to understand and prepare for the risks posed by routine auditing are essential for all medical providers. At a recent Health Care Compliance Association (HCCA) webinar, Jean Acevedo, LHRM, CPC, CHC, CENTC, Senior Consultant, Acevedo Consulting, Inc., and Lester J. Perling, Esq., CHC, partner, Broad and Cassel LLP, discussed these topics and offered their recommendations.

The 60-day rule

Section 6402(a) of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) established new section 1128J of the Social Security Act, which requires providers and suppliers who submit claims to Medicare and Medicaid to report and return “identified” overpayments to CMS within 60 days or face potential liability under the federal False Claims Act (FCA). These requirements were implemented by CMS in a February 12, 2016 Final rule (81 FR 7653) (see CMS finally codifies the 60-day Parts A and B overpayment return rule, February 12, 2016; and Comments, questions, concerns? Weighing in on the 60-day overpayment Final rule, March 2, 2016).

According to Perling, the Final rule sets forth the following parameters for understanding the 60-day overpayment requirement:

  • Definition of an “identified” overpayment. Providers are responsible for overpayments that they “know or should have known” about through the exercise of “reasonable diligence.” Providers that deliberately choose not to investigate when they are made aware of the existence of potential overpayments would be held liable under the FCA.
  • Exercising “reasonable diligence”. Reasonable diligence requires that providers (1) implement proactive compliance activities to monitor for the receipt of overpayments; and (2) undertake investigations “in a timely manner” in response to obtaining “credible information” of a potential overpayment.
  • “Timely” defined. CMS considers a “timely” investigation to be at the most six months from receipt of the credible information, except in extraordinary circumstances.
  • When does the 60-day period begin? The 60-day period does not begin to run until the provider has had a chance to undertake follow-up activities and quantify the amount of the overpayment.
  • Lookback period. The 60-day rule applies to overpayments identified within six years after they were received.
  • Repayment options. Providers may use claims adjustment, credit balance, the HHS Office of Inspector General’s (OIG) Self-Disclosure Protocol, or other appropriate processes to report or return overpayments. Regardless of the process used, the refund should include an explanation of the statistical sampling methodology used if the overpayment was extrapolated.

Routine baseline audit

Acevedo next discussed the annual baseline audit performed as part of the organization’s compliance program. She recommended that it be done under the attorney-client and work-product privileges in order to help insulate the organization from exposure.

Physical therapy case study

Acevedo next presented an audit case study of a physical therapy department. She stressed the need for the auditor (whether in-house or an outside contractor) to examine the three critical physical therapy documents: (1) the initial evaluation and plan of treatment; (2) the treatment notes; and (3) the clinician’s progress report.

In performing the audit, she recommended that the auditor take note of the fact that health care professionals are creatures of habit and that, for example, they will either include all necessary elements in the plan of treatment, the treatment notes, and the progress report, or not (i.e., they are usually consistently good, or consistently bad, at recordkeeping). She also cautioned that while this document audit may be time consuming, it is important that the auditor be thorough and not just review the most recent treatment notes and progress reports.

If the auditor finds that therapy documents are deficient or erroneous, Acevedo suggested that the auditor STOP and do two things: (1) consider the possibility that an overpayment situation exists and the timeline that may kick in under the 60-day rule; and (2) alert the attorney and the owner of the practice. She cautioned, however, about jumping to conclusions and leaving a paper trail of written concerns that may amount to “breadcrumbs” for a government investigator or a whistleblower to follow.

Prospective v. retrospective audits

Perling stressed that it does not matter whether the audit is prospective (i.e., occurs prior to submission of a claim) or retrospective (post claim submission), because a negative finding or a high error rate in either case could potentially activate the 60-day rule requirements.

Issues to consider when auditing

Perling suggested taking the necessary steps prior to audit to create an attorney/client privilege that will be recognized and respected by any government investigator.

Perling also discussed whether the standards the auditor is relying on are authoritative or merely guidance. Perling believes that statutes and regulations are clearly authoritative, but that “not everything CMS publishes is authoritative.” For example, while CMS Manuals and Local Coverage Determinations are binding on the Medicare contractor, they are not binding on an administrative law judge. The real question, according to Perling, is “whether the Department of Justice or a whistleblower will think a standard is authoritative.”

Final thoughts

In closing, Perling and Acevedo offered three reminders: (1) educate before auditing; (2) the routine annual audit should review current compliance with standards, not past deficiencies; and (3) audits are still required for effective compliance programs. The danger, according to Acevedo, “is putting your head in the sand.”