Billions in ‘transfers of value’ to physicians, hospitals by industry get DOJ attention

In calendar year (CY) 2015, over $7.5 billion in “transfers of value” were made by pharmaceutical companies to physicians and hospitals through the federal Open Payments program, which in turn has caused the Department of Justice (DOJ) to focus on this area while investigating fraud in the health care system. In an HCCA-sponsored seminar titled “Sunshine, Open Payments, and Potential Conflicts of Interest,” Senior Compliance Executive C.J. Wolf, M.D., of Healthicity, noted that under the Open Payments program, CMS has now accumulated over 28 million records of transfers of value. CMS uses this vast repository of data to uncover outliers in payments, and as a result, industry and providers alike are very interested in how the Open Payments system affects their operations.

Open Payments

Under Section 6002 of the Affordable Care Act (ACA), manufacturers must disclose to CMS payments made to physicians and teaching hospitals. Manufacturers and group purchasing organizations must also report ownership and investment interests held by physicians. The HHS Office of Inspector General (OIG) included these aspects in its list of priorities in its 2017 Work Plan, with Medicare and Medicaid payments high on the list (see Focus remains on Medicare, Medicaid payments in 2017 OIG Work Plan, Health Law Daily, November 10, 2016).

The 2017 Work Plan also stressed that the OIG will determine how much Medicare paid for drugs and durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) ordered by physicians who had financial relationships with manufacturers and group purchasing organizations.

Wolf noted the DOJ has taken a keen interest in this area of open payments, as evidenced by actions such as Teva Pharmaceuticals USA, Inc., and its subsidiary IVAX, LLC, agreeing to pay a total of $27.6 million to the federal government and the State of Illinois in a settlement regarding allegations of false billing practices under the False Claims Act (see Teva Pharmaceutical to pay federal and state government $27.6 million to resolve false billing allegations, Health Law Daily, March 11, 2014).

Conflicts of interest

There are 11 payment “categories” that must be reported under the Open Payments program: (1) consulting fees, (2) honoraria, (3) gift, (4) entertainment, (5) food and beverage, (6) travel and lodging, (7) education, (8) charitable contribution, (9) royalty or license, (10) grant, and (11) research.

As part of the transparency initiatives under the ACA, the dollars that physicians receive from industry are reported and documented. Physicians and providers should be aware that these categories touch upon even compensation for serving as faculty or as a speaker for a non-accredited and noncertified continuing education program.

Because the Open Payments program also includes ownership interests that physicians or their immediate family members have in various companies and the data is then made available to the public each year, reporting often is paramount.

Experts weigh in on LTC requirements for patient care, provider compliance

On October 4, 2016, CMS issued a Final rule making extensive changes to the long-term care facility (LTCF) requirements of participation (ROP) with the goal of aligning LTCF requirements with current clinical practice standards to improve resident safety and the quality and effectiveness of the care and services delivered to residents. Kris D’Ann Maples, in-house counsel at Hillcrest Health Services, and Lyn Bentley, MSW, Vice President, Quality and Regulatory Affairs, American Health Care Association (AHCA), addressed significant provisions of the new rules that will impact health care providers at the 2017 Health Care Compliance Association Compliance Institute on March 26, 2017.

The Final rule

The new requirements (81 FR 68688, October 4, 2016) represent the first significant revision of LTCF requirements for Medicare and Medicaid since 1991. The revised requirements are aimed at reducing unnecessary hospitalizations and health care-acquired infections, improving behavioral health care, safeguarding LTCF residents from the use of unnecessary psychotropic drugs, enhancing care planning, and improving quality assurance and performance improvement. In addition to the changes to the requirements, CMS is developing a new survey process that will go into effect November 2017. The new survey process incorporates the new requirements and merges with the quality indicator system. The LTC rules take effect in three phases. Phase 1 took effect November 28, 2016, Phase 2 will take effect November 28, 2017, and Phase 3 is scheduled for November 28, 2018.

Maples told attendees to be on the alert for changes in the regulations prior to implementation dates based on the current administration’s plan to abolish the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148). Section 6102(b) of the ACA amended Social Security Act Sec. 1128I, and mandated that the operating organization have a compliance and ethics program in place. Such programs must be effective in preventing and detecting criminal, civil, and administrative violations under the Social Security Act and promoting quality of care consistent with the regulations promulgated by the HHS Secretary working with the HHS Office of Inspector General (OIG).

Themes of the rule

Bentley noted that the Final rule reflects the dramatic cultural and technology changes over three decades. She recommended providers closely read the new definitions CMS included in the Final rule, emphasizing that CMS has changed the definition of a number of terms. Among the themes identified by Bentley are patient-centered care, facility-based responsibility, quality of care and quality of life, and the changing patient population, which includes patients with behavioral health issues. Regarding facility-based responsibilities, Bentley pointed out that LTCFs must know the center, patients, and staff, which requires a competency-based approach.

Residents’ rights

Bentley added that the new rule requires LTCFs to establish a grievance policy, notify residents how and where to file a grievance, and identify a grievance officer who would be responsible for the grievance process. Among the grievance officer’s responsibilities are receiving and tracking grievances, leading investigations, maintaining confidentiality, meeting documentation requirements, and issuing decisions to the resident. In addition, the grievance officer must coordinate with state and federal agencies and meet state and federal laws and regulations (42 C.F.R. Sec. 483.10(j)). The regulation also includes additional notification requirements.

Significant is the use of the word “willful” in the definition of abuse as it relates to the regulation addressing freedom from abuse, neglect, and exploitation (42 C.F.R. Sec. 483.12). Bentley specifically pointed out that “willful” in the definition means that “the individual acted deliberately, not that the individual intended to inflict injury or harm.” According to Bentley, the term “willful” as used in the definition could raise serious questions about behavior that would not be considered abuse. For example, if a nurse is bathing a patient in one bed and sees the patient in a nearby bed about to fall, then while she is preventing that fall, the patient she was bathing might try to get out of bed and fall. In this case, the nurse’s actions were deliberate and there was no intention to inflict injury or harm to the patient that she was bathing.

Compliance and Ethics rules

New regulations (42 C.F.R. Sec. 483.85) require the operating organization for each LTCF to have a compliance and ethics program that meets certain requirements in the rule by November 28, 2017 (Phase 2), with the other requirements implemented by November 28, 2019 (Phase 3). Maples explained that the Final rule codifies the OIG compliance program guidance from 2000 and 2008 and that compliance will be part of the survey process going forward.

Maples identified the minimum components of a compliance program, which must be in place by November 28, 2017. These components include:

1. written compliance and ethics standards; policies and procedures that reduce the prospect of criminal, civil, and administrative violations under the law and promote quality of care;
2. corrective/disciplinary standards that outline consequences of committing violations, are enforced consistently, and provide consequences for failure to detect or report a violation;
3. the designation of a “high level” individual in the organization who oversees the compliance and ethics program;
4. sufficient resources and authority given to the designated high level individual to reasonably assure program standards are met;
5. effective communication of standards, policies, and procedures, including mandatory training; and
6. taking reasonable steps after a violation.

According to Maples, by the Phase 3 effective date, LTCFs must have had an annual review of the program to make any changes to reflect changes in applicable laws and regulations and improve performance promoting quality of care and deterring False Claims Act violations. LTCFs that have five or more facilities must conduct annual compliance training for all staff members and designate a compliance officer whose major responsibility is operating the compliance program; that individual must report directly to the organization’s governing body and cannot report to the general counsel, chief operating officer, or chief operating officer.

Physician practices get tips for effective communication, training, vetting

Compliance officers often encounter problems ensuring physician compliance within physician practices and face difficulties when communicating with physician practice groups. When addressing physician practice issues, Betty Baber-Kinsey, Physician Practice Compliance Officer, Tenet Healthcare, considers such things as how to get in front of potential issues before they occur, how physicians are employed, how to vet new products or new procedures, and coding and prescribing issues. Baber-Kinsey addressed these various issues at the 2017 Health Care Compliance Association Compliance Institute on March 26, 2017.

Effective communication

A compliance officer dealing with multiple physician practices is likely to face difficulties communicating across practices, in part due to the makeup, size, and locations of the practices, Baber-Kinsey said. One decision that has to be made is whether the message is delivered in person or remotely. Baber-Kinsey suggested four methods of communication across practices. Messages can cascade down from the top executives or the board of directors to management and then staff, can be delivered through videos, or through web-ex sessions. Baber-Kinsey also recommended monthly recurring calls and bi-weekly operations calls. She noted that monthly practice managers’ meetings are recorded and minutes are taken.

Training

Baber-Kinsey stressed that training was all about the buy-in. She approaches training in three ways: live training, computer courses with a test, and video training. Training topics include conflicts of interest, vendor relationships, the Yates Memo, and the Physician Payments Sunshine Act (Section 6002 of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) codified at Social Security Act Sec. 1128G). Baber-Kinsey pointed out that video training works for new hires, for staff annual refresher training, and in specialized or targeted sessions. For annual refresher training she suggested incorporating multiple topics to reach all levels of employees within the practice, including physicians, clinical staff, billers, and coders. She suggested including videos from other sources to let the staff being trained know the issue is universal and does not apply only to them. It is important to include humor, she added.

Vetting new physicians

Baber-Kinsey uses a physician practices onboarding checklist to ensure that physicians are properly vetted. The checklist enables her to “know what they are getting before the [physicians] walk through the door.” The checklist provides who, what, and when or, as she put it, the “What, Documented, Billed.” The vetting process takes about 18 weeks. The first four weeks involve business development and due diligence, including credentialing and information technology (IT) assessments. Weeks 5 – 8 involve credentialing, human resources (HR), and IT operations. Weeks 9 – 12 involve operations, HR, and the start of marketing. Weeks 13 – 16 involve operations and completion of credentialing. Baber-Kinsey emphasized that the onboarding process is not finished until a billing clearance audit is completed and within goal, which means that the physician’s billing error rate is 5 percent or less.

Alternative lines of business

The latest trend for physicians is providing an alternative line of business, according to Baber-Kinsey. “An alternative line of business means any items and/or products that may not fit into traditional lines of service for the primary or specialty care practice,” according to Baber-Kinsey. Examples of alternative lines of business include supplements, cosmetic procedures and services, and oncology infusion. Baber-Kinsey recommends getting in front of the alternative line of business before a physician is hired. Tenet Healthcare has a policy and procedure that addresses new and alternative lines of business.

Kusserow on Compliance: OCR enforcement update at the HCCA Compliance Institute

“OCR Enforcement Update” was the topic of the presentation by Iliana Peters, HHS Office for Civil Rights (OCR) Senior Adviser for HIPAA Compliance and Enforcement, at the Health Care Compliance Association (HCCA) Compliance Institute. She provided an update on enforcement, current trends, and breach reporting statistics. Peters stated that the OCR continues to receive and resolve an increasing number of complaints of Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) violations. She cited that OCR has received 150,507 complaints to date, with 24,879 being resolved with corrective action measures or technical assistance. At the rate of reports being received, the OCR is estimating receiving 17,000 complaints in 2017. She said that this year OCR has placed a major priority on privacy issues and will be issuing guidance on this, ranging from social media privacy to certification of electronic health record technology and the rationale for penalty assessment. She spoke about OCR’s Phase 2 audits that are underway, involving 166 covered entities (CEs) and 43 business associates (BAs). These audits are to ensure CEs’ and BAs’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules that include mobile device compliance. They address privacy, security, and breach notification audits. It is expected that among the results of this effort will be increases in monetary penalties this year. Phase 3 will follow the same general approach currently being used, which includes review of control rules for privacy protection, breach notification, and security management.

In her comments about what the OCR has learned from its audits and investigations, Peters made the point that most HIPAA breaches still commonly occur as a result of poor controls over systems containing protected health information (PHI). A particular vulnerability has been mobile devices, such as laptop computers, that failed to be properly protected with encryption and passwords.

OCR advice

Peters provided in her slide presentation considerable advice as to what CEs and BAs should do to prevent breaches and other HIPAA-related problems. CEs and BAs should:

  • ensure that changes in systems are updated or patched for HIPAA security;
  • determine what safeguards are in place;
  • review OCR guidance on ransomware and cloud computing;
  • conduct accurate and thorough assessments of potential PHI vulnerabilities;
  • review for proliferation of electronic PHI (ePHI) within an organization;
  • implement policies and procedures regarding appropriate access to ePHI;
  • establish controls to guard against unauthorized access;
  • implement policies concerning secure disposal of PHI and ePHI;
  • ensure disposal procedures for electronic devices or clearing, purging, or destruction;
  • screen appropriately everyone in the work area against the OIG’s List of Excluded Individuals and Entities (LEIE);
  • ensure departing employees’ access to PHI is revoked;
  • identify all ePHI created, maintained, received or transmitted by the organization;
  • review controls for PHI involving electronic health records (EHRs), billing systems, documents/spreadsheets, database systems, and all servers (web, fax, backup, Cloud, email, texting, etc.);
  • ensure security measures are sufficient to reduce risks and vulnerabilities;
  • investigate/resolve breaches or potential breaches identified in audits, evaluations, or reviews;
  • verify that corrective action measures were taken and controls are being followed;
  • ensure when transmitting ePHI that the information is encrypted;
  • ensure explicit policies and procedures for all controls implemented; and
  • review system patches, router and software, and anti-virus and malware software.

Expert tips to meet HIPAA compliance requirements

Carrie Kusserow, MA, CHC, CHPC, CCEP, is a HIPAA expert with over 20 years of compliance officer and consultant experience. She pointed out that the OCR finds that most HIPAA breaches still commonly occur as a result of poor or lapsed controls over systems with PHI. She noted that Iliana Peters stated that the OCR often encounters situations where established internal controls were not followed; in many cases, discoveries of breaches within organizations were not promptly investigated. Also, most of the breaches currently being reported involve mobile devices, specifically laptop computers, and a failure to properly encrypt and password protect PHI. Kusserow offered additional tips and suggestions to those offered in the OCR presentation, particularly as they relate to mobile devices.

  • Conduct a complete security risk analysis that addresses ePHI vulnerabilities.
  • Ensure the Code of Conduct covers reporting of HIPAA violations.
  • Validate effectiveness of internal controls, policies, and procedures.
  • Maintain an up-to-date list of BAs that includes contact information.
  • Ensure identified risks have been properly addressed with corrective action measures.
  • Develop corrective action plans to promptly address any weaknesses or breaches identified.
  • Follow the basics in prevention of information security risks and PHI breaches.
  • Ensure policies/procedures govern receipt and removal of laptops containing ePHI.
  • Verify workforce member and user controls for gaining access to ePHI.
  • Verify laptops and other mobile devices are properly encrypted and password protected.
  • Implement safeguards to restrict access to unauthorized users.
  • Review adequacy of security processes to address potential ePHI risks and vulnerabilities.
  • Ensure the hotline is set up to receive HIPAA-related calls.
  • Verify that all BAs have signed business associate agreements.
  • Train the workforce on HIPAA policies/procedures, including reporting violations.
  • Investigate complaints, allegations, and reports of non-compliance promptly and thoroughly.
  • Engage outside experts to independently verify controls are adequate and being followed.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2017 Strategic Management Services, LLC. Published with permission.