Monthly Archives: June 2014

Is $210 Million Enough? How About $54.2 Million?

Posted by Ryan Blaney on June 25, 2014
Affordable Care Act, Fraud and Abuse, HHS, Medicaid, Medicare, OIG, Uncategorized / No Comments

Year #2 Report on Medicare Fraud Prevention System

On June 25, 2014, the Centers for Medicare & Medicaid Services (CMS) and the Department of Health and Human Services Office of Inspector General (OIG) issued and certified, as required by the Small Business Jobs Act of 2010 (SBJA) their second implementation year report  for the Fraud Prevention System (FPS) along with a press release.  By way of background, CMS is under pressure from Congress and the United States Government Accountability Office (GAO) to enhance their health care fraud, abuse and waste prevention and detection success through the use of predictive analytics technologies while at the same time monitoring the expenditures and costs by government contractors and auditors such as ZPICs to prevent fraud.  Last October, GAO published a Report concerning CMS’s Medicare Program Integrity titled, “Contractors Reported Generating Savings but CMS Could Improve Its Oversight.” 

CMS and OIG’s Report to Congress on the FPS responds to many, but not all, of GAO’s criticisms.  Here are a few of the noteworthy findings and observations in the Report:

  • CMS reports that they “identified or prevented” $210.7 million in Medicare payments attributed to FPS.  This is a return on investment of $5 to $1 for the second implementation year and an increase ROI from Year 1.
  • OIG disagrees with CMS’s use of “identified savings” to calculate the success of the FPS and instead recommends using “adjusted savings” as a measure of savings and return on investment related to the Department’s use of FPS.
  • Under OIG’s adjusted savings analysis, OIG only certified $54.2 million of the $210.7 million as attributed to the Department’s use of FPS. 
  • OIG found that the “Department’s use of its predictive analytics technologies resulted in a return on investment of $1.34 (not $5) for every dollar spent on the FPS.
  • Based on criticism received by OIG and GAO, CMS reported that they changed the methodology to require ZPICs (Zone Program Integrity Contractors) to submit provider-specific outcome data to be able to conduct more quality control reviews prior to reporting savings.
  • OIG disagreed with CMS and stated, “[A]lthough the Department has made significant progress in addressing the challenges of measuring actual and projected savings, its procedures were not always sufficient to ensure that its contractors provided and maintained reliable data to always support FPS savings.”  Interestingly, OIG initially included a much stronger statement but revised the final statement based on CMS’s objections.  The original statement was “[T]he Department could not ensure that its contractors always provided and maintained reliable data to support FPS savings.”   
  • CMS expects that future activities of the FPS will substantially increase savings by expanding the use of predictive analytics and modeling beyond identifying FRAUD and into areas of WASTE and ABUSE.   This will require more refined predictive models and modifications from insights from field investigators, policy experts, clinicians, and data analysts.  In Year 3, CMS will convene workgroups with federal agency, states, and private partners to develop and expand FPS’s capabilities.
  • In Year 3, CMS also will explore the cost-effectiveness and feasibility of expanding predictive analytics technology to Medicaid and the Children’s Health Insurance Program (CHIP).  CMS anticipates working with State Medicaid Agencies to train and explore opportunities for expanding predictive analytics. 

Practice Tip: CMS’s FPS is more fully integrated into the Medicare FPS payment system and allows CMS to monitor and deny individual claims in the prepayment stage.  ZPICs and other government contractors will continue to be the government’s “boots on the ground” but they will be armed with better information and real time data to investigate.  Providers need to take any and all inquiries by ZPICs seriously.  Anticipate more coordinated investigations by the FBI, ZPICs, States AGs, State Medicaid Fraud Agencies, and Federal agencies and faster freezing or rejections of provider claims.  Anticipate the expansion of FPS’s predictive analytics to the areas of waste and abuse. 

 

Please check back with the Health Law Informer Blog and Cozen O’Connor for additional analysis of CMS’s Second Implementation Year Report in the coming weeks. 

About The Author

Tags: , , , , ,

Attention All Health Plans: You Must Register for an HPID. Immediately!!!

Posted by Ryan Blaney on June 17, 2014
Health Plan Identifier, HIPAA, HPID / No Comments

It has been 18 years in coming, and the time is finally here. All Controlling Health Plans (CHPs) must obtain a unique Health Plan Identifier (HPID). A CHP is a health plan that controls its own business activities, actions, or policies, or is controlled by entities that are not health plans. The HPID is a unique 10-digit, all-numeric identifier that will be assigned to every qualifying health plan.

The Health Insurance Portability and Accountability Act (HIPAA) first indicated the need for HPIDs back in 1996. Almost a decade later, the Department of Health and Human Services (HHS) issued a final rule mandating HPID adoption. Now the important part: the deadline for most providers to register for an HPID is November 5, 2014. (Small health plans, those with annual claims paid of $5 million or less, have until November 5, 2015 to register.)

The primary purpose of HPIDs is standardization, which should make the exchange of electronic data more efficient and more accurate. Among other improvements, HPIDs will drastically decrease the instances of misrouted transactions or rejected transactions due to insurance identification errors. HHS has said that universal adoption of HPIDs is expected to save $6 billion over the next ten years.

While CHPs are required to register, sub-health plan affiliates may register for a HPID or may choose to use the number of its CHP parent. Self-insured group health plans that fit the definition of a CHP will be required to have an HPID. If a health plan engages a business associate to conduct standard transactions on its behalf, the business associate must use the health plan’s HPID in every field where the health plan is identified.

In addition to registering for the HPID, CHPs must disclose their HPID when requested and communicate any changes to the required data elements in the HPID Enumeration System within 30 days of the change.

The HPID will be used for all “standard transactions,” as defined by HIPAA, as well as for other lawful purposes, including: identification on health plans’ internal files; health insurance cards; cross-referencing in health care fraud and abuse files; and identification of health plans on Health Information Exchanges, and federal and state insurance exchanges.

Health Plans can complete their HPID application here.

HHS provides videos to assist Health Plans in the application process and a 111-page User Manual published by CMS here.

About The Author

Tags: , ,

Enforcement Action – FTC Is Not Backing Down and Laboratory Company Goes After a Cyber-Intelligence Company

Posted by Ryan Blaney on June 10, 2014
FTC, HIPAA / No Comments

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is not the only government arm that enforces data breaches. The Federal Trade Commission (FTC) has broad authority to regulate the security of consumer information and hold companies liable for a failure to use adequate data security practices. In August 2013, the FTC targeted LabMD, a medical testing laboratory, which maintains personal financial and health information for nearly one million consumers. The FTC alleged that LabMD failed to “provide reasonable and appropriate security for personal information on its computer networks,” which resulted in the data of thousands of consumers being leaked on to the peer-to-peer file-sharing network LimeWire, the black-market and in the hands of illegal data brokers.

Until recently the FTC enforced its breach authority under the Act without pushback, so a company facing allegations would simply settle. However, LabMD became the second company to challenge the FTC’s enforcement of data breaches (a hotel chain company was the first to challenge the FTC’s authority). LabMD attempted to stop the investigation by filing appeals to federal district and appellate courts and the FTC. The appeals were based primarily on two arguments: (i) the FTC does not have the statutory authority to set data security standards for companies; and (ii) LabMD is already subject to the OCR’s enforcement authority under HIPAA’s security regulations, so it should not also be subject to the FTC’s enforcement authority.

Despite LabMD’s best efforts, two Eleventh Circuit judges refused to intervene before the FTC issued its final order, the FTC rejected LabMD’s motion to dismiss and it moved forward with the administrative proceedings. However, LabMD continues to fightback. Recently, LabMD filed a motion to dismiss with the FTC, and contended that the FTC had not proven that the data breach caused injury, specifically, that it did not present evidence that there was substantial harm or likely to be substantial harm to consumers as a result of the breach.

During trial, Michael Daugherty, CEO of LabMD, testified that the effect of the FTC’s allegations and subsequent probe has placed the company in a “very deep coma” and that he “can’t understate how damaging and confusing and sideswiping [the matter is] to the attitude, energy and morale of [LabMD’s] management staff.”

Interestingly, the trial has been on recess since May 30 when the administrative law judge delayed the proceeding until June 12 in response to an announcement that the House Committee on Oversight and Government Reform was investigating Tiversa Inc., the cyber-intelligence firm that played a central role in the FTC’s case against LabMD. In a separate lawsuit, LabMD is alleging that Tiversa provided the FTC with patient information files that it stole from LabMD.

When trial resumes on June 12, the focus will continue to be on whether LabMD’s data security standards that it used to protect consumers’ personal information were reasonable. It will be interesting whether developments from the Tiversa investigation impact the outcome of the trial. For more information about this proceeding go to the FTC website.

Practice Tip: Ensure that your security policies and procedures are being implemented and followed in accordance with HIPAA security requirements because inadequate security safeguards may lead to enforcement actions by the OCR and the FTC.

About The Authors

Tags: , , , , , , , , ,

Data Brokers: “Off the Radar” – FTC Calls for Greater Oversight

Posted by Ryan Blaney on June 09, 2014
Federal Trade Commission, FTC, HIPAA / No Comments

A report recently released by the Federal Trade Commission (FTC) concludes that data brokers currently operate so far below the radar screen that most consumers are unable to exercise any real control over the collection and use of their personal information. In addition to shedding light on the data broker marketplace and its practices, the report also provides recommendations to Congress about legislation that could better protect consumers and begin to regulate this poorly understood industry.

Data Brokers: A Call for Transparency and Accountability is based on an in-depth study of nine leading data brokers, companies that collect consumers’ personal information and resell or share that information with others in the form of marketing, risk management, or people search products. Combined, data brokers currently collect and store billions of bits of data about nearly every consumer in the United States. According to the FTC, “Because few consumers know about the existence of data brokers, meaningful notice from the data source provides an important opportunity for consumers to learn that their data is shared with data brokers and how to exercise control over the use of their data.”

In order to promote transparency, the Commission recommended that Congress consider legislation:

– Enabling consumers to easily identify which data brokers may have data about them and where they should go to access such information and exercise opt-out rights.

– Requiring data brokers to clearly disclose to consumers that they not only use raw data (such as a person’s name, address, age, and income range), but that they also use data they derive with that information.

– Requiring data brokers to disclose the names and/or categories of their sources of data, so that consumers are better able to determine if they need to correct their data with an original public record source; require data brokers to allow consumers to correct erroneous information in their private databases.

– Mandating that consumer-facing entities to provide a prominent notice to consumers that they share consumer data with data brokers and provide consumers with choices about the use of their data, such as the ability to opt-out of sharing their information with data brokers.

More generally, the Commission called on the data broker industry to adopt several best practices:

– Implement privacy-by-design, considering privacy issues at every stage of product development.

– Refrain from collecting information from children and teens, particularly in marketing products.

– Take reasonable precautions to ensure that downstream users of their data do not use it for eligibility determinations or for unlawful discriminatory purposes.

Cozen O’Connor’s Health Law Informer will continue to monitor Congress and the data broker industry’s response to the FTC report.

About The Authors

Tags: , , , , ,

Five Key Proposed Changes to OIG’s CMP Authority

Posted by Ryan Blaney on June 05, 2014
HHS, OIG / No Comments

In May and within a week of the Office of Inspector General of the Department of Health and Human Services (OIG) releasing a proposed rule to expand its exclusion authority, the agency also released a proposed rule (Rule) expanding its authority to impose civil monetary penalties (CMPs). OIG anticipates that “CMP collections may increase in the future in light of the new CMP authorities and other changes proposed in this [R]ule.” Over the last decade, OIG has collected more than $165 million in CMPs (between $10.2 million to $26.2 million per year).

Health care providers, suppliers and related institutions should pay particular attention to five proposed key changes:

(1) The focus on an expansion in the range of conduct for which OIG could assess CMPs to include: failing to provide OIG timely access to documents, ordering or prescribing medication or services while excluded from participation in federal health care programs, making false statements on enrollment applications to participate in federal health care programs, failing to report and return known overpayments, and making or using a false statement that is material to a false or fraudulent claim.

(2) Interpretation of the penalty as a per day penalty—for example, up to $10,000 for each day a person fails to report and return an overpayment.

(3) Imposition of CMPs on Medicare Advantage and Medicare Part D organizations (if any of their employees or contractors engaged in fraudulent activity). This broadens the general liability of these organizations for misconduct to include contracted providers or suppliers, employees and agents. Medicare Advantage and Part D organizations would also be eligible for CMPs if they enroll an individual (or his or her designee) without consent; transfer an enrollee to another plan without the enrollee’s (or his or her designee’s) consent; transfer an enrollee to make a commission; fail to comply with marketing restrictions; or employ or contract with any person who engages in prohibited conduct.

(4) Revision to the current structure of 42 C.F.R. Part 1003 because it is “cumbersome and potentially confusing for the reader” in order to “add clarity and improve transparency in OIG’s decision-making processes.” The bases for CMP assessments would be grouped into subsections by subject matter. OIG would provide a single list of factors to be considered when determining the amount of a CMP to include: the nature and circumstances of the violation, the degree of culpability of the person, the history of prior offenses, other wrongful conduct, and other matters as justice may require.

(5) An increase of the claims-mitigating factor from $1,000 to $5,000. The claims-mitigating factor acts as a threshold to help OIG determine the severity of a program violation. OIG believes that the $1,000 threshold is “lower than appropriate . . . given the changes in the costs of health care since this regulation was last updated in 2002.”

Other notable proposed changes include: the addition of a mitigating factor for “appropriate and timely corrective action” taken by a person under OIG’s Self-Disclosure Protocol; clarification that a single aggravating circumstance may result in the maximum amount allowed penalty, assessment, or exclusion; and the delegation of authority from the Department of Health and Human Services Secretary to OIG at Part 1003.150.

Comments to the Rule are due by July 11, 2014.

About The Authors

Tags: , , , , , , , , , , , , ,

Proposed Expansion of OIG’s Exclusion Authority

Posted by Ryan Blaney on June 05, 2014
ACA, Affordable Care Act, HHS, OIG / 1 Comment

In May, the Office of Inspector General of the Department of Health and Human Services (OIG) proposed a new rule (Rule) that would implement changes included in the ACA. The Rule would expand OIG’s authority to exclude individuals and entities from participation in federal health care programs, among other changes.

The Rule would build on OIG’s existing authority, but enable the agency to impose penalties for a broader array of conduct. OIG currently has the authority to exclude individuals and entities from participation in federal health care programs who are deemed “untrustworthy.” Certain bases for exclusion require OIG to impose a mandatory exclusion period of at least five years. Other bases allow OIG broad discretion to determine whether to impose an exclusion and for how long.

The Rule change includes three proposed bases for permissive exclusion: (1) conviction related to the obstruction of an audit; (2) failure to supply payment information for items or services; and (3) to make, or cause to be made, false statements, omissions, or misrepresentations of material facts in an application to participate in a federal health care program.

In addition, the Rule would give OIG the power to issue testimonial subpoenas during exclusion investigations, and remove any statute of limitations on exclusion actions stemming from false claims proceedings. The proposed removal of the statute of limitations would give the authority to impose exclusions at any time, even when the exclusion is due to violations of another statute that might have a specified time limit. OIG considered but did not finalize a similar provision in 2002. The Rule also includes a proposition to modify exclusion reinstatement rules such that individuals excluded as a result of losing their licenses could rejoin the federal health care programs earlier if they meet certain criteria.

Comments to the Rule are due on July 8, 2014.

About The Authors

Tags: , , , , , , ,