HHS

OIG Releases Proposed Gainsharing Regulation

Posted by Chris Raphaely on December 15, 2014
CMP, HHS, Medicaid, Medicare, OIG / No Comments

In early October, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) released a proposed rule that included, among other provisions, a proposed gainsharing regulation (“Proposed Rule”), and a specific request for comments on a definition of what it means to “reduce or limit services” under the statutory prohibition against certain “gainsharing” arrangements among hospitals and physicians. The OIG’s goal with this Proposed Rule and subsequent final rule is to “interpret the statutory [gainsharing] prohibition broadly enough to protect beneficiaries and the Federal health care programs, but narrowly enough to allow low risk programs that further the goal of delivering high quality health care at a lower cost.” More specifically, the OIG seeks to implement a “narrower interpretation of the phrase ‘reduce or limit services.’” Industry analysts are touting the final regulation as a potential game changer in the battle to deliver “high quality health care at a lower cost.”

The existing gainsharing civil monetary penalty statute (“Gainsharing CMP”) is a law that broadly “prohibits hospitals and critical access hospitals from knowingly paying a physician to induce the physician to reduce or limit services provided to Medicare or Medicaid beneficiaries who are under the physician’s direct care.” Violation of the Gainsharing CMP by a hospital that makes such payment, and a physician that in turn knowingly accepts the payment, results in CMPs that are no greater than $2,000 for each beneficiary for whom such payment is made.

Determining what does and what does not constitute a payment designed to reduce or limit services can be difficult, particularly because, as HHS has taken pains to point out, the statute technically prohibits payments from hospitals to physicians to limit any services, not just medically necessary services. However, as far back as 2005 the Medicare Payment Advisory Commission and the Chief Counsel to the OIG have supported gainsharing when safeguards are in place to evaluate risks posed by such programs, including “measures that promote accountability, adequate quality controls, and controls on payments that may change referral patterns,” and to date, the OIG has approved 16 gainsharing arrangements through the advisory opinion process.

More recently, under Section 3022 of the Affordable Care Act, the secretary of HHS established  waivers under the Medicare Shared Savings Program (MSSP) with respect to the Gainsharing CMP under certain conditions. These waivers have limited applicability as they apply only to accountable care organizations that participate in the MSSP. The final gainsharing regulations presumably will cover all hospitals and could potentially have a much broader impact upon hospital physician compensation arrangements. Overall, the Proposed Rule and the OIG’s request for comments on what should and should not constitute prohibited payments from hospitals to physicians to reduce or limit services is yet another example of how the regulatory  landscape is changing to adapt to a reimbursement model that is evolving from a fee-for-service dominated model to one in which pay-for-performance will play a much larger role.

The comment period closed under the Proposed Rule in early December, and the final rule is expected in 2015.

 


With a New Year Rolls in a New OIG Work Plan

Posted by Robert A. Chu on December 12, 2014
ACA, HHS, HIPAA, Medicaid, Medicare, OIG / No Comments

Recently, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) released its Work Plan for Fiscal Year 2015 (“Work Plan”).  The OIG protects the integrity of HHS programs by identifying fraud and abuse and by suggesting improvements to HHS programs.  The Work Plan informs the public of new and ongoing reviews that OIG plans to pursue during the current fiscal year.

For Fiscal Year 2015 and beyond, OIG intends to focus on emerging payment, eligibility, management, and IT systems security vulnerabilities in the ACA programs, such as the health insurance marketplace.  OIG stated that it would also focus on the efficiency and effectiveness of payment policies in inpatient and outpatient settings, for prescription drugs, and in managed care.

Some specific new items of note include: (1) identifying clinical laboratories that routinely submit improper Medicare claims, (2) reviewing the rate of and reasons for transfers from group homes or nursing facilities to emergency departments as a potential indicator of poor quality, (3) identifying Medicaid MCO payments made on behalf of deceased or ineligible beneficiaries, and (4) assessing the extent to which hospitals comply with the contingency planning requirements of HIPAA.

The Work Plan is a valuable resource annually published by the OIG for providers to identify potential compliance risk areas.

Cozen O’Connor recently published another blog post on the Work Plan, covering the Work Plan’s specific focus on the HIPAA and/or information technology areas that the OIG will examine and address during Fiscal Year 2015.


OIG’s New Work Plan Focuses on the Security of Health Information

Posted by Gregory M. Fliszar on December 04, 2014
CMS, HHS, HIPAA, OIG / No Comments

On October 31, 2014, the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) released its Work Plan for fiscal year (FY) 2015. The Work Plan summarizes “new and ongoing reviews of activities that OIG plans to pursue with respect to HHS programs and operations during the current fiscal year and beyond.” In the Work Plan, OIG identified several areas related to HIPAA and/or information technology that it will examine and address during FY 2015.

As a new addition to the Work Plan, OIG will determine the extent to which hospitals comply with the contingency requirements of HIPAA.  HIPAA’s Security Rule requires covered entities and their business associates to have in place a contingency plan that establishes policies and procedures for responding to an emergency or other event (such as, for example, natural disasters, system failures, terrorism) that damages systems containing electronic protected health information (ePHI).  These policies and procedures must, at a minimum, include data backup plans, data recovery plans and plans to continue to protect the security of ePHI while operating in emergency operations mode.  In the Work Plan OIG advises that it will compare contingency plans used by hospitals with government and industry recommended practices. 

As part of the Work Plan, OIG will continue to examine whether the Centers for Medicare & Medicaid Services’ (CMS) oversight of hospitals’ security controls over networked medical devices is sufficient to protect ePHI.   The OIG noted that computerized medical devices such as dialysis machines, radiology systems and medication dispensing systems that use hardware, software and networks to monitor a patient’s condition and transmit and/or receive data using wired or wireless communications pose a growing threat to the security and privacy of personal health information. 

OIG also plans to continue to perform audits of covered entities receiving incentive payments for the use of electronic health records (EHRs) and their business associates (including cloud providers) to determine whether they are adequately protecting ePHI created or maintained by certified EHR technology.  In addition, OIG will review the adequacy of CMS’ oversight of states’ Medicaid system and information controls.  Prior OIG audits found that states often fail to have in place adequate security features, potentially exposing Medicaid beneficiary information to unauthorized access.

As to future endeavors, the Work Plan stated that other areas under consideration for new work include the security of electronic data, the use and exchange of health information technology, and emergency preparedness and response efforts.  In addition, OIG advises that in FY 2015 and beyond, it will continue to focus on IT systems security vulnerabilities in health care reform programs such as health insurance marketplaces. 


OCR Publishes Bulletin Regarding Privacy in Light of Ebola Outbreak

Posted by J. Nicole Martin on November 18, 2014
CDC, HHS, OCR / No Comments

In response to the recent Ebola outbreak in West Africa and in light of patients being treated in several hospitals in the U.S., the HHS Office for Civil Rights (OCR) recently issued a HIPAA Bulletin (“Guidance”) to remind us that HIPAA covered entities and business associates must maintain the privacy of protected health information (PHI) even in emergency situations. According to the OCR, the Guidance serves as a reminder “that the protections of the [HIPAA] Privacy Rule are not set aside during an emergency.”

The OCR explains that the HIPAA Privacy Rule requires a balance between the protection of the privacy of PHI and the necessary uses and disclosures of such information “to treat a patient, to protect the nation’s public health, and for other critical purposes” during emergency situations. Although the OCR introduces no new requirements under the HIPAA Privacy Rule, the Guidance lays out the circumstances under which patient information may be shared in emergencies, such as:

  •  Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification
  • Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification
  • Imminent Danger
  • Public Health Activities (i.e., to a public health authority; at the direction of a public health authority, to a foreign government agency; and to persons at risk)
  • Treatment

The OCR reminds us that most disclosures require covered entities to make “reasonable efforts to limit the information disclosed to that which is the ‘minimum necessary.’” Further, covered entities are also required to: (i) implement “reasonable” safeguards necessary to protect PHI from intentional/unintentional uses and disclosures that are impermissible under HIPAA; and (ii) continue to apply administrative, physical and technical safeguards to protect e-PHI under the HIPAA Security Rule.

Further, according to the OCR, under the Project Bioshield Act of 2004 and Section 1135(b)(7) of the Social Security Act, the Secretary of HHS may waive certain HIPAA Privacy Rule provisions during public health or other emergencies. Such limited waivers require both the President to declare an emergency or disaster and the Secretary of HHS to declare a public health emergency. Additional information regarding the limited waivers appears in the Guidance.

As Ebola remains an emergency of both national and international concern, it is not surprising that federal agencies continue to publish updated Ebola guidance. This Guidance reminds all of us, especially covered entities and business associates, that even in emergency situations, patient privacy must be protected, unless the limited waiver is invoked, and if not, covered entities and business associates will face consequences for violating the HIPAA Privacy Rule. For additional information regarding the HIPAA Privacy Rule in the context of emergency situations, see the HHS website. Also see similar guidance (Bulletin and Bulletin) published by HHS in 2005 in response to Hurricane Katrina.

 


Skilled Nursing Facility Reaches Largest Failure of Care Settlement in DOJ History

Posted by J. Nicole Martin on October 13, 2014
DOJ, HHS, Medicaid, Medicare / No Comments

On Friday, October 10, 2014, the Department of Justice (DOJ) and the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG) jointly announced a $38 million settlement with a skilled nursing facility (SNF), Extendicare Health Services Inc. (Extendicare) and its subsidiary Progressive Step Corporation (ProStep). Extendicare owns and operates 146 SNFs in eleven states. ProStep offers Extendicare residents occupational, physical and speech rehabilitation services.

The settlement stemmed from allegations in two qui tam cases: United States ex rel. Lovvorn v. EHSI, et al. C.A. 10-1580 (E.D. Pa); and United States ex rel. Gallick et al., v. EHSI et al., C.A. 2:13cv-092 (S.D. Ohio). The allegations were that Extendicare (1) “billed Medicare and Medicaid for materially substandard nursing services that were so deficient that they were effectively worthless”; and (2) “billed Medicare for medically unreasonable and unnecessary rehabilitation therapy services.”


“LoProCo”, 12,915 Complaints, and Other Lessons from OCR/NIST

Posted by Ryan Blaney on September 26, 2014
ACA, CMS, HHS, HIPAA, HITECH, Privacy / No Comments

 

12,915 complaints were reported in 2013 to the Department of Health and Human Services Office for Civil Rights (“OCR”) according to Iliana L. Peters, Senior Adviser for HIPAA Compliance and Enforcement. Cozen O’Connor attended Ms. Peters’ presentation at the Safeguarding Health Information: Building Assurance through HIPAA Security conference on September 22-23, 2014. The conference was hosted jointly by OCR and the National Institute of Standards and Technology (“NIST”). Below are a few discussion points worth mentioning from the conference:

  • Between September 2009 and August 31, 2014, OCR investigated 1176 reports involving breach of Protected Health Information (“PHI”) where more than 500 individuals were affected and approximately 122,000 reports affecting fewer than 500 individuals.
  • According to Ms. Peters, 60% of the large breaches could have been prevented by encrypting the covered entities’ and business associates’ laptops and mobile devices.
  • Theft and loss continue to be the most common cause of breaches but OCR expects that IT hacking will continue to rise as a significant breach risk.
  • Since 2009, consumer complaints regarding HIPAA violations continue to rise.
  • Covered entities and business associates should already have in place business associate agreements that have been updated for the Omnibus Rule.
  • Business associates must comply with all of the HIPAA Security Rules applicable to covered entities, “PERIOD.”
  • Given the known risks of hacking, theft and loss and the direct guidance from OCR, covered entities and business associates must recognize that inadequate security and inadequate physical and technical safeguards are not acceptable.
  • OCR expects that covered entities and business associates will be familiar with recent corrective actions and resolution agreements, such as Parkview, NYP/Columbia, Concentra, QCA, Skagit County, Adult & Pediatric Dermatology, P.C., and Affinity Health Plan, Inc.


Is $210 Million Enough? How About $54.2 Million?

Posted by Ryan Blaney on June 25, 2014
Affordable Care Act, Fraud and Abuse, HHS, Medicaid, Medicare, OIG, Uncategorized / No Comments

Year #2 Report on Medicare Fraud Prevention System

On June 25, 2014, the Centers for Medicare & Medicaid Services (CMS) and the Department of Health and Human Services Office of Inspector General (OIG) issued and certified, as required by the Small Business Jobs Act of 2010 (SBJA), their second implementation year report for the Fraud Prevention System (FPS) along with a press release. By way of background, CMS is under pressure from Congress and the United States Government Accountability Office (GAO) to enhance its health care fraud, abuse and waste prevention and detection success through the use of predictive analytics technologies while at the same time monitoring the expenditures and costs by government contractors and auditors such as ZPICs to prevent fraud. Last October, GAO published a Report concerning CMS’s Medicare Program Integrity titled, “Contractors Reported Generating Savings but CMS Could Improve Its Oversight.”

CMS and OIG’s Report to Congress on the FPS responds to many, but not all, of GAO’s criticisms.  Here are a few of the noteworthy findings and observations in the Report:

  • CMS reports that they “identified or prevented” $210.7 million in Medicare payments attributed to FPS. This is a return on investment of $5 to $1 for the second implementation year and an increased ROI over Year 1.
  • OIG disagrees with CMS’s use of “identified savings” to calculate the success of the FPS and instead recommends using “adjusted savings” as a measure of savings and return on investment related to the Department’s use of FPS.
  • Under OIG’s adjusted savings analysis, OIG only certified $54.2 million of the $210.7 million as attributed to the Department’s use of FPS. 
  • OIG found that the “Department’s use of its predictive analytics technologies resulted in a return on investment of $1.34 (not $5) for every dollar spent on the FPS.”
  • Based on criticism received by OIG and GAO, CMS reported that they changed the methodology to require ZPICs (Zone Program Integrity Contractors) to submit provider-specific outcome data to be able to conduct more quality control reviews prior to reporting savings.
  • OIG disagreed with CMS and stated, “[A]lthough the Department has made significant progress in addressing the challenges of measuring actual and projected savings, its procedures were not always sufficient to ensure that its contractors provided and maintained reliable data to always support FPS savings.”  Interestingly, OIG initially included a much stronger statement but revised the final statement based on CMS’s objections.  The original statement was “[T]he Department could not ensure that its contractors always provided and maintained reliable data to support FPS savings.”   
  • CMS expects that future activities of the FPS will substantially increase savings by expanding the use of predictive analytics and modeling beyond identifying FRAUD and into areas of WASTE and ABUSE.   This will require more refined predictive models and modifications from insights from field investigators, policy experts, clinicians, and data analysts.  In Year 3, CMS will convene workgroups with federal agency, states, and private partners to develop and expand FPS’s capabilities.
  • In Year 3, CMS also will explore the cost-effectiveness and feasibility of expanding predictive analytics technology to Medicaid and the Children’s Health Insurance Program (CHIP).  CMS anticipates working with State Medicaid Agencies to train and explore opportunities for expanding predictive analytics. 

Practice Tip: CMS’s FPS is more fully integrated into the Medicare FPS payment system and allows CMS to monitor and deny individual claims in the prepayment stage. ZPICs and other government contractors will continue to be the government’s “boots on the ground” but they will be armed with better information and real time data to investigate. Providers need to take any and all inquiries by ZPICs seriously. Anticipate more coordinated investigations by the FBI, ZPICs, State AGs, State Medicaid Fraud Agencies, and Federal agencies and faster freezing or rejections of provider claims. Anticipate the expansion of FPS’s predictive analytics to the areas of waste and abuse.

 

Please check back with the Health Law Informer Blog and Cozen O’Connor for additional analysis of CMS’s Second Implementation Year Report in the coming weeks. 


Five Key Proposed Changes to OIG’s CMP Authority

Posted by Ryan Blaney on June 05, 2014
HHS, OIG / No Comments

In May, within a week of the Office of Inspector General of the Department of Health and Human Services (OIG) releasing a proposed rule to expand its exclusion authority, the agency also released a proposed rule (Rule) expanding its authority to impose civil monetary penalties (CMPs). OIG anticipates that “CMP collections may increase in the future in light of the new CMP authorities and other changes proposed in this [R]ule.” Over the last decade, OIG has collected more than $165 million in CMPs (between $10.2 million and $26.2 million per year).

Health care providers, suppliers and related institutions should pay particular attention to five proposed key changes:

(1) The focus on an expansion in the range of conduct for which OIG could assess CMPs to include: failing to provide OIG timely access to documents, ordering or prescribing medication or services while excluded from participation in federal health care programs, making false statements on enrollment applications to participate in federal health care programs, failing to report and return known overpayments, and making or using a false statement that is material to a false or fraudulent claim.

(2) Interpretation of the penalty as a per day penalty—for example, up to $10,000 for each day a person fails to report and return an overpayment.

(3) Imposition of CMPs on Medicare Advantage and Medicare Part D organizations (if any of their employees or contractors engaged in fraudulent activity). This broadens the general liability of these organizations for misconduct to include contracted providers or suppliers, employees and agents. Medicare Advantage and Part D organizations would also be eligible for CMPs if they enroll an individual (or his or her designee) without consent; transfer an enrollee to another plan without the enrollee’s (or his or her designee’s) consent; transfer an enrollee to make a commission; fail to comply with marketing restrictions; or employ or contract with any person who engages in prohibited conduct.

(4) Revision to the current structure of 42 C.F.R. Part 1003 because it is “cumbersome and potentially confusing for the reader” in order to “add clarity and improve transparency in OIG’s decision-making processes.” The bases for CMP assessments would be grouped into subsections by subject matter. OIG would provide a single list of factors to be considered when determining the amount of a CMP to include: the nature and circumstances of the violation, the degree of culpability of the person, the history of prior offenses, other wrongful conduct, and other matters as justice may require.

(5) An increase of the claims-mitigating factor from $1,000 to $5,000. The claims-mitigating factor acts as a threshold to help OIG determine the severity of a program violation. OIG believes that the $1,000 threshold is “lower than appropriate . . . given the changes in the costs of health care since this regulation was last updated in 2002.”

Other notable proposed changes include: the addition of a mitigating factor for “appropriate and timely corrective action” taken by a person under OIG’s Self-Disclosure Protocol; clarification that a single aggravating circumstance may result in the maximum allowed penalty, assessment, or exclusion; and the delegation of authority from the Department of Health and Human Services Secretary to OIG at Part 1003.150.

Comments to the Rule are due by July 11, 2014.


Proposed Expansion of OIG’s Exclusion Authority

Posted by Ryan Blaney on June 05, 2014
ACA, Affordable Care Act, HHS, OIG / 1 Comment

In May, the Office of Inspector General of the Department of Health and Human Services (OIG) proposed a new rule (Rule) that would implement changes included in the ACA. The Rule would expand OIG’s authority to exclude individuals and entities from participation in federal health care programs, among other changes.

The Rule would build on OIG’s existing authority, but enable the agency to impose penalties for a broader array of conduct. OIG currently has the authority to exclude individuals and entities from participation in federal health care programs who are deemed “untrustworthy.” Certain bases for exclusion require OIG to impose a mandatory exclusion period of at least five years. Other bases allow OIG broad discretion to determine whether to impose an exclusion and for how long.

The Rule change includes three proposed bases for permissive exclusion: (1) conviction related to the obstruction of an audit; (2) failure to supply payment information for items or services; and (3) making, or causing to be made, false statements, omissions, or misrepresentations of material facts in an application to participate in a federal health care program.

In addition, the Rule would give OIG the power to issue testimonial subpoenas during exclusion investigations, and remove any statute of limitations on exclusion actions stemming from false claims proceedings. The proposed removal of the statute of limitations would give OIG the authority to impose exclusions at any time, even when the exclusion is due to violations of another statute that might have a specified time limit. OIG considered but did not finalize a similar provision in 2002. The Rule also includes a proposal to modify exclusion reinstatement rules such that individuals excluded as a result of losing their licenses could rejoin the federal health care programs earlier if they meet certain criteria.

Comments to the Rule are due on July 8, 2014.


HHS Releases a New Security Risk Assessment Tool

Posted by Gregory M. Fliszar on April 29, 2014
HHS, HIPAA / No Comments

The Department of Health and Human Services (HHS) recently released a new security risk assessment (SRA) tool for small- to medium-sized health care providers. HIPAA requires covered entities to conduct periodic assessments of the administrative, physical, and technical safeguards in their handling of protected health information. This new tool will help health care providers conduct and document risk assessments and produce a report that can be provided to potential auditors.

The tool was created jointly by the HHS Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR), and its release precedes OCR’s expected launch of a permanent HIPAA audit program. The OCR has previously identified security risk assessments as an area of consistent weakness among covered entities and has said it will be a particular focus for auditors.

Entities using the new tool will be asked 156 “yes” or “no” questions. Each question addresses a specific HIPAA requirement, and additional resources are provided with each question to help providers better understand the language and requirements of the associated HIPAA security rule. In the event that a provider answers “no” or cannot answer an applicable question, the provider must note the need for corrective action and implement a plan immediately.

Providers can download the SRA Tool and additional guidance here. The ONC plans to make updates and improvements to the tool after an initial period of use. Comments regarding the SRA Tool may be submitted here until June 2, 2014.
