Proposed Expansion of OIG’s Exclusion Authority

Posted by Health Law Informer Author on June 05, 2014
ACA, Affordable Care Act, HHS, OIG / 1 Comment

In May, the Office of Inspector General of the Department of Health and Human Services (OIG) proposed a new rule (Rule) that would implement changes included in the ACA. The Rule would expand OIG’s authority to exclude individuals and entities from participation in federal health care programs, among other changes.

The Rule would build on OIG’s existing authority, but enable the agency to impose penalties for a broader array of conduct. OIG currently has the authority to exclude individuals and entities from participation in federal health care programs who are deemed “untrustworthy.” Certain bases for exclusion require OIG to impose a mandatory exclusion period of at least five years. Other bases allow OIG broad discretion to determine whether to impose an exclusion and for how long.

The Rule change includes three proposed bases for permissive exclusion: (1) conviction related to the obstruction of an audit; (2) failure to supply payment information for items or services; and (3) to make, or cause to be made, false statements, omissions, or misrepresentations of material facts in an application to participate in a federal health care program.

In addition, the Rule would give OIG the power to issue testimonial subpoenas during exclusion investigations, and remove any statute of limitations on exclusion actions stemming from false claims proceedings. The proposed removal of the statute of limitations would give OIG the authority to impose exclusions at any time, even when the exclusion is based on violations of another statute that carries its own specified time limit. OIG considered but did not finalize a similar provision in 2002. The Rule also includes a proposal to modify the exclusion reinstatement rules so that individuals excluded as a result of losing their licenses could rejoin the federal health care programs earlier if they meet certain criteria.

Comments to the Rule are due on July 8, 2014.

Failure to Encrypt Mobile Devices = Nearly $2 Million in Settlements

Posted by Health Law Informer Author on May 28, 2014
HIPAA / No Comments

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled for the collective amount of $1,975,220 with Concentra Health Services (Concentra) and QCA Health Plan, Inc. (QCA). The settlements stem from OCR investigations in 2011 and 2012 related to each of the companies reporting a single stolen laptop; Concentra also had a laptop stolen in 2009.

In its press release, HHS stated that after further investigating Concentra it found that Concentra was aware prior to the most recent laptop theft that not all of its laptops, desktop computers, medical equipment, tablets and other devices that contained ePHI were encrypted. But despite Concentra’s discoveries as a result of risk analyses that it had conducted, it failed to remedy the critical risks and did not encrypt all of the devices. OCR also found that Concentra had insufficient security management processes. OCR’s investigation of QCA revealed that in addition to the unencrypted laptop, QCA failed to comply with numerous HIPAA privacy and security requirements for several years.

Susan McAndrew, OCR’s Deputy Director of Health Information Privacy, reiterated the significance of encryption and the obligation of covered entities and business associates to adequately secure mobile devices when she stated that OCR’s message to covered entities and business associates is simple: “encryption is your best defense against these incidents.” Ms. McAndrew’s statement is significant because it marks a shift from the view that, although security is an obligation, encryption is not required under the HIPAA Security Rule. In light of these two settlements and the Deputy Director’s commentary, it is evident that OCR views encryption as an essential security safeguard for laptops, desktop computers, medical equipment, tablets and other mobile devices.

Concentra has agreed to pay HHS a monetary settlement of $1,725,220 and QCA has agreed to pay $250,000. Both entities have also agreed to each undertake a corrective action plan (CAP); the CAPs include risk analyses, development of risk management plans, policy and procedure revisions, staff training and certification of staff training. Concentra’s CAP contains more onerous requirements, including the continued submission of additional documents, reports and encryption status updates to HHS. Concentra’s CAP may be more extensive than QCA’s because Concentra already had a laptop containing ePHI stolen in 2009 and because it failed to remedy the encryption issue it discovered during the risk analyses it performed before the second laptop was stolen. OCR also noted that QCA did encrypt its devices after the laptop was stolen and it discovered the breach.

For more information about the settlements and the CAPs, see the Concentra Resolution Agreement and the QCA Resolution Agreement.

Practice Tip: Audit your encryption policies and practices for all mobile devices to adequately secure your company’s mobile devices.

“Cha-Ching” – HIPAA Settlement Reaches New Heights and Signals More To Come

Posted by Health Law Informer Author on May 23, 2014
HIPAA / No Comments

In the largest HIPAA enforcement action to date, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) extracted $4.8 million from two leading New York institutions, New York-Presbyterian Hospital (NYP) and Columbia University (CU), despite NYP and CU’s self-disclosure of the breach. OCR charged NYP and CU jointly with failing to secure 6,800 patients’ electronic protected health information (ePHI), which resulted in a 2010 breach. NYP and CU did not learn of the breach until a complaint was filed by a representative of a deceased former NYP patient whose ePHI was found on the Internet. The patient data included status, vital signs, medications and laboratory results.

Larger, more frequent fines may be the new normal as OCR launches its major new audit program. In its press release, HHS wrote that “neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI.” OCR has made clear that risk assessment will be a priority in the upcoming audits. OCR will not be satisfied with “glossy” HIPAA policies and procedures if they are not followed in practice.

To make the point even more explicit, Christina Heide, Acting Deputy Director of Health Information Privacy for OCR, said, “Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”

OCR’s investigation began after NYP and CU self-disclosed an inadvertent leakage of certain ePHI to Internet search engines when a computer server was errantly reconfigured. The source of the breach was a CU physician who had tried to deactivate a personally owned computer server on the network containing information on hospital patients. NYP and CU failed to implement technical safeguards for the deactivation of computer servers, so the attempted deactivation resulted in ePHI being posted online.

NYP has agreed to pay HHS a monetary settlement of $3.3 million and CU has agreed to pay $1.5 million. Both entities have also agreed to each undertake a substantive corrective action plan (CAP), which includes a risk analysis, development of a risk management plan, policy and procedure revisions, staff training and regular progress reports. For more information about the settlements and the CAPs, see the NYP Resolution Agreement and the CU Resolution Agreement.

HIPAA Practice Tip: Now is the time to ensure that your HIPAA policies and procedures are being implemented and followed.

HHS Releases a New Security Risk Assessment Tool

Posted by Health Law Informer Author on April 29, 2014
HHS, HIPAA / No Comments

The Department of Health and Human Services (HHS) recently released a new security risk assessment (SRA) tool for small- to medium-sized health care providers. HIPAA requires covered entities to conduct periodic assessments of the administrative, physical, and technical safeguards in their handling of protected health information. This new tool will help health care providers conduct and document risk assessments and produce a report that can be provided to potential auditors.

The tool was created jointly by the HHS Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office of Civil Rights (OCR), and its release precedes OCR’s expected launch of a permanent HIPAA audit program. The OCR has previously identified security risk assessments as an area of consistent weakness among covered entities and has said it will be a particular focus for auditors.

Entities using the new tool will be asked 156 “yes” or “no” questions. Each question addresses a specific HIPAA requirement, and additional resources are provided with each question to help providers better understand the language and requirements of the associated HIPAA security rule. In the event that a provider answers “no” or cannot answer an applicable question, the provider must note the need for corrective action and implement a plan immediately.

Providers can download the SRA Tool and additional guidance here. The ONC plans to make updates and improvements to the tool after an initial period of use. Comments regarding the SRA Tool may be submitted here until June 2, 2014.

HIPAA Audits Set to Begin in 2014: Another Enforcement Mechanism for HIPAA Compliance

Posted by Health Law Informer Author on March 07, 2014
HIPAA / No Comments

The Department of Health and Human Services (HHS) is expected to launch its long-awaited HIPAA audit program sometime in 2014. The audit program will be run by HHS’ Office of Civil Rights (OCR), which is likely eager to get the program going after being criticized in a report from HHS’ Office of Inspector General (OIG) last year for not conducting sufficient audits as mandated by the HITECH Act. This public reprimand gives OCR an added incentive to make sure its HIPAA audit program is active and effective.

In terms of how the permanent audit program will operate, OCR has indicated that it will differ from the pilot program that ran from 2011 to 2012. During the pilot, 115 covered entities were audited, and each of them endured lengthy and detailed investigations into the entity’s compliance with nearly all aspects of the HIPAA rules. The director of OCR, Leon Rodriguez, has said that the plan moving forward is to audit many more entities, including business associates, but to make each audit narrower and more targeted. A note of caution, however, is that OCR has previously stated that audits that uncover significant noncompliance with HIPAA could prompt an investigation by OCR.

So what are the big areas of interest for OCR? This will become clearer as the audits get underway, but we do know at least two of the topics that have OCR’s attention: security risk analysis and business associate compliance. Director Rodriguez has said that risk analysis was an area of consistent weakness among entities audited during the pilot program and that “one focus in the audits will be on risk analysis.” Every covered entity and business associate must conduct a thorough review of the security of PHI in its organization and examine all facilities and operations to see where PHI flows in and where it flows out. Everything from computer encryption to office traffic patterns to off-hours use of mobile devices has to be analyzed and plans must be put in place to address any holes in security.

For more information about the audit program: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

CMS Solicits Comments on How to Impose Penalties for Failure to Comply with the MSP Act’s Reporting Requirements

Posted by Health Law Informer Author on December 19, 2013
Medicaid, Medicare / No Comments

On December 11, 2013 the Centers for Medicare & Medicaid Services (CMS) published an advance notice of proposed rulemaking concerning the circumstances under which civil money penalties may be imposed for failure to comply with the Medicare Secondary Payer Act (the “MSP Act”) Section 111 reporting requirements. Section 111 of the Medicare, Medicaid, and SCHIP Extension Act of 2007 amended the MSP Act by establishing mandatory reporting requirements for certain group health plans (GHPs) and for liability insurance (including self-insurance), no-fault insurance and workers’ compensation arrangements (collectively NGHPs). The Section 111 amendments require GHPs and NGHPs to notify CMS when they pay a claim on behalf of a Medicare beneficiary. Failure to comply with the reporting requirements resulted in a civil monetary penalty of $1,000 for each day of noncompliance.

The Strengthening Medicare and Repaying Taxpayers Act of 2012 (the “SMART Act”) amended the penalty provision of the Section 111 reporting requirements by stating that applicable plans that fail to comply with the reporting requirements may be subject to a civil monetary penalty of up to $1,000 per day of non-compliance. Thus, the SMART Act made the penalty discretionary instead of mandatory and allowed for penalties below $1,000. As a result, CMS is soliciting public comments and proposals on the practices for which civil monetary penalties may or may not be imposed. Specifically, CMS is seeking comments on how to define “noncompliance” with reporting requirements; what mechanisms and criteria should be used to evaluate whether a civil money penalty can be imposed; what methods should be used to determine the dollar amount of such a penalty; and what actions on the part of a primary payer would constitute a “good faith effort” to identify a Medicare beneficiary for purposes of reporting under the MSP Act. Comments can be submitted to CMS until February 10, 2014.

Ruminations on Observation: OIG Report Highlights Inpatient vs. Observation Status

Posted by Health Law Informer Author on August 22, 2013
Medicaid / No Comments

On July 29, 2013, the OIG released a memorandum report finding that Medicare paid more on average for short inpatient stays than for observation stays in 2012. The report, Hospitals’ Use of Observation Stays and Short Inpatient Stays for Medicare Beneficiaries, OEI-02-12-00040, touches on observation versus inpatient status, which has been and continues to be a hot button issue.

Background

Medicare beneficiaries receiving care at a hospital are classified as either inpatients or observation patients. Observation patients are outpatients who receive treatments and assessments to determine whether they require further treatment as inpatients or can be discharged. CMS policy provides that observation services are usually needed for 24 hours or less.

THE CLOCK IS TICKING: Covered Entities, Business Associates and Subcontractors Have Until September 23, 2013 to comply with Updated HIPAA Regulations

Posted by Health Law Informer Author on June 27, 2013
HIPAA, HITECH / No Comments

As we’ve discussed in previous articles,[1] and as you are no doubt aware by now, the Health Insurance Portability and Accountability Act (HIPAA) recently received a significant facelift. In addition to extending direct liability to business associates and subcontractors, the updated HIPAA regulations (Updated Regulations), which were authorized by the Health Information Technology for Economic and Clinical Health Act (HITECH), contain many new provisions to address growing privacy concerns for the increasing amount of protected health information (PHI) stored on electronic media. Covered entities and their business associates and subcontractors must comply with the Updated Regulations by September 23, 2013. In order to help you prepare for the September 23, 2013 compliance deadline, this article (1) explains the difference between two important compliance deadlines contained in the Updated Regulations, (2) suggests a 5-step process to efficiently update and/or create compliant HIPAA policies and procedures, and (3) discusses a few observations we’ve made as we’ve helped our clients prepare for the September 23, 2013 compliance deadline.

Screen Early, Screen Often: OIG Updates its Advice on How to Avoid Liability for Employing or Contracting with Individuals Excluded from Participation in Federal Health Care Programs

Posted by Health Law Informer Author on June 03, 2013
Fraud and Abuse, Medicaid, Medicare / No Comments

On May 8, 2013, the Office of Inspector General (“OIG”) of the Department of Health & Human Services issued an updated Special Advisory Bulletin (the “Updated Bulletin”)[1] on the effect of exclusion from participation in Medicare, Medicaid and other Federal health care programs (collectively “FHPs”). The Updated Bulletin, which replaces and supersedes guidance originally provided by OIG in a 1999 Special Advisory Bulletin (the “1999 Bulletin”), details OIG’s broad interpretation of the scope and effect of its exclusion authority under the Civil Monetary Penalties Law (“CMPL”).[2] The Updated Bulletin addresses many of the questions OIG has received about exclusions and purports to convey insight gained from resolving self-disclosure cases since publishing the 1999 Bulletin.

UPDATE: Congress Drafts Legislation that would Expand the FDA’s Role in Regulating Compounding Pharmacies

Posted by Health Law Informer Author on May 02, 2013
Food and Drug Law, Pharmacy / No Comments

UPDATE

The Senate Health, Education, Labor, and Pensions (HELP) committee approved a bill on May 22 that largely tracks the Draft Legislation. As outlined below, the bill would create a new category for large-scale compounders, known as “compounding manufacturers”, and give the FDA greater authority over compounding pharmacies.