For those of us who work in the privacy and security space this past week has been a whirlwind with focus on the ramifications of the European Court of Justice (ECJ) decision invalidating the EU-U.S. Safe Harbor Agreement. Much has been written on the EU-U.S. Safe Harbor Agreement and much more will be written in the coming weeks. See Cozen O’Connor’s Cyber Law Monitor recent blog post, The End of Safe Harbor – What Does it Mean? However, the ECJ decision was not the only news on safe harbor last week. The U.S. Department of Health and Human Services, Office of Inspector General (“OIG”) issued their thoughts on data arrangements and safe harbor, albeit a much different safe harbor than the EU-U.S. Safe Harbor Agreement. Healthcare providers and health IT vendors should pay close attention to OIG’s Alert. See October 6, 2015 OIG Alert.
OIG issued the Alert during National Health IT Week and described it as a “Policy Reminder” on Information Blocking and the Federal Anti-Kickback Statute (42 U.S.C. 1320a-7b (b)). The Federal Anti-Kickback statute prohibits individuals and entities from knowingly and willfully offering, paying, soliciting, or receiving remuneration to induce or reward referrals of business reimbursable under any Federal health care program (“FHCP”). The Alert addresses a growing trend in the industry, arrangements involving the provision of software or information technology to a referral source. Although there is a safe harbor for electronic health records (“EHR”) arrangements it “must fit squarely in all safe harbor conditions to be protected.” 42 CFR § 1001.952(y).
In its alert, OIG focused on the parameters of the safe harbor exception that allows donors to enter into a wide variety of arrangements involving EHR software, IT, and training services, provided there are no restrictions to the use, compatibility, or interoperability of donated items or services. 42 CFR § 1001.952(y)(3). OIG provided guidance on this issue in 2013, explicitly stating that if the interoperability of an item or service is restricted by the donor or anyone acting on the donor’s behalf, including the recipient, then the donation violates the exemption and thus will be actionable under the Federal anti-kickback statute.
OIG’s Alert highlights practices outlined in its 2013 guidance that would be actionable under the Federal anti-kickback statute. For example, an agreement between a donor and a recipient to limit a competitor from interfacing with the donated items or services would be actionable. Even an agreement between a donor and an EHR technology vendor to charge non-recipient providers, non-recipient suppliers, or competitors’ high fees may be actionable.
OIG also provided an open invitation to whistleblowers to report fraud by urging persons with knowledge of violations of the safe harbor to be vigilant in reporting potential violations to their office. Violations will occur when donors engage in information blocking, which refers to practices that unreasonably block the sharing of electronic health information (EHI). OIG provided three criteria in a 2015 report for identifying practices that qualify as information blocking:
- Interference with the ability of authorized people to access, exchange, or otherwise use EHI.
- Knowledge, actual or expected under the circumstances, that the practice will be considered information blocking.
- No reasonable justification for limiting sharing of EHI.
If all three criteria are met, then the practice in question is considered information blocking.
For more information on this Alert, contact Ryan P. Blaney or any member of Cozen O’Connor’s Health Care team.
About The Author
Tags: anti-kickback, Health IT, Information Blocking, Interoperability, OIG, Safe Harbor
Posted by Ryan Blaney
on June 15, 2015
After a significant number of settlement agreements between the U.S. Department of Health and Human Services Office of Inspector General (OIG), OIG decided to release a Fraud Alert reminding physicians, practices and hospitals about the significant compliance risks with medical director agreements. The June 9, 2015 Fraud Alert highlights four issues of concern in medical director agreements and relationships:
- Agreements providing for medical director compensation based upon a calculation taking into account the volume of a medical director’s referrals to the entity he or she is serving as medical director.
- Agreements providing for medical director compensation above fair market value for the services to be rendered by the medical director.
- Medical directors failing to actually render the services set forth in medical director agreements, yet still being compensated for such services.
- Agreements providing that affiliated health care entities pay for a medical director’s front office staff, thereby relieving the medical director of a financial burden such medical director would otherwise have incurred.
This Fraud Alert offers nothing new in terms of Anti-Kickback regulation and enforcement, reiterating to providers that the Anti-kickback statute generally prohibits a provider from being paid any form of remuneration for referring a patient for federal healthcare business. It appears to be a not-so-friendly reminder that “remuneration” can come in many shapes and sizes and physicians must continue to be vigilant in their negotiating and entering into medical director agreements, as well as their adherence to same. A physician considering entering into any business venture in the health care sector should proceed with caution, and always confer with a health care attorney before signing on the dotted line. The complete June 9, 2015 Fraud Alert can be found here: http://oig.hhs.gov/compliance/alerts/guidance/Fraud_Alert_Physician_Compensation_06092015.pdf.
For further information contact a member of Cozen O’Connor’s health care team.
Authored by Ryan Blaney (Washington, DC) and Marc Goldsand (Miami, FL).
About The Authors
Tags: Compensation, FMV, Fraud Alert, Medical Directors, remuneration
Posted by Chris Raphaely
on December 15, 2014
In early October, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) released a proposed rule that included, among other provisions, a proposed gainsharing regulation (“Proposed Rule”), and a specific request for comments on a definition of what it means to “reduce or limit services” under the statutory prohibition against certain “gainsharing” arrangements among hospitals and physicians. The OIG’s goal with this Proposed Rule and subsequent final rule is to “interpret the statutory [gainsharing] prohibition broadly enough to protect beneficiaries and the Federal health care programs, but narrowly enough to allow low risk programs that further the goal of delivering high quality health care at a lower cost.” More specifically, the OIG seeks to implement a “narrower interpretation of the phrase “reduce or limit services.” Industry analysts are touting the final regulation as a potential game changer in the battle to deliver “high quality health care at a lower cost.”
The existing gainsharing civil monetary penalty statute (“Gainsharing CMP”) is a law that broadly “prohibits hospitals and critical access hospitals from knowingly paying a physician to induce the physician to reduce or limit services provided to Medicare or Medicaid beneficiaries who are under the physician’s direct care.” Violation of the Gainsharing CMP by a hospital that makes such payment, and a physician that in turn knowingly accepts the payment, results in CMPs that are no greater than $2,000 per each beneficiary for whom such payment is made.
Determining what does and what does not constitute a payment designed to reduce or limit services can be difficult, particularly because, as HHS has taken pains to point out, the statute technically prohibits payments from hospitals to physicians to limit any services, not just medically necessary services. However, as far back as 2005 the Medicare Payment Advisory Commission and the Chief Counsel to the OIG have supported gainsharing when safeguards are in place to evaluate risks posed by such programs, including “measures that promote accountability, adequate quality controls, and controls on payments that may change referral patterns,” and to date, the OIG has approved 16 gainsharing arrangements through the advisory opinion process.
More recently, under Section 3022 of the Affordable Care Act, the secretary of HHS established waivers under the Medicare Shared Savings Program (MSSP) with respect to the Gainsharing CMP under certain conditions. These waivers have limited applicability as they apply only to accountable care organizations that participate in the MSSP. The final gainsharing regulations presumably will cover all hospitals and could potentially have a much broader impact upon hospital physician compensation arrangements. Overall, the Proposed Rule and the OIG’s request for comments on what should and should not constitute prohibited payments from hospitals to physicians to reduce or limit services is yet another example of how the regulatory landscape is changing to adapt to a reimbursement model that is evolving from a fee-for-service dominated model to one in which pay-for-performance will play a much larger role.
The comment period closed under the Proposed Rule in early December, and the final rule is expected in 2015.
About The Authors
Tags: ACO, CMP, direct care, gainsharing, medicaid, medically necessary, medicare, MSSP, payments, prohibit, quality, safeguards
Posted by Robert A. Chu
on December 12, 2014
Recently, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) released its Work Plan for Fiscal Year 2015 (“Work Plan”). The OIG protects the integrity of HHS programs by identifying fraud and abuse and by suggesting improvements to HHS programs. The Work Plan informs the public of new and ongoing reviews that OIG plans to pursue during the current fiscal year.
For Fiscal Year 2015 and beyond, OIG intends to focus on emerging payment, eligibility, management, and IT systems security vulnerabilities in the ACA programs, such as the health insurance marketplace. OIG stated that it would also focus on the efficiency and effectiveness of payment policies in inpatient and outpatient settings, for prescription drugs, and in managed care.
Some specific new items of note include: (1) identifying clinical laboratories that routinely submit improper Medicare claims, (2) reviewing the rate of and reasons for transfers from group homes or nursing facilities to emergency departments as a potential indicator of poor quality, (3) identifying Medicaid MCO payments made on behalf of deceased or ineligible beneficiaries, and (4) assessing the extent to which hospitals comply with the contingency planning requirements of HIPAA.
The Work Plan is a valuable resource annually published by the OIG for providers to identify potential compliance risk areas.
Cozen O’Connor recently published another blog of the Work Plan with the Work Plan’s specific focus on HIPAA and/or information technology that the OIG will examine and address during Fiscal Year 2015.
About The Author
Tags: Compliance, fiscal year 2015, HIPAA, hospitals, improper claims, Inpatient, labs, managed care, MCO, medicaid, medicare, outpatient, payment, work plan
Posted by Gregory M. Fliszar
on December 04, 2014
On October 31, 2014, The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) released its Work Plan for fiscal year (FY) 2015. The Work Plan summarizes “new and ongoing reviews of activities that OIG plans to pursue with respect to HHS programs and operations during the current fiscal year and beyond.” In the Work Plan OIG identified several areas related to HIPAA and/or information technology that it will examine and address during FY 2015.
As a new addition to the Work Plan, OIG will determine the extent to which hospitals comply with the contingency requirements of HIPAA. HIPAA’s Security Rule requires covered entities and their business associates to have in place a contingency plan that establishes policies and procedures for responding to an emergency or other event (such as, for example, natural disasters, system failures, terrorism) that damages systems containing electronic protected health information (ePHI). These policies and procedures must, at a minimum, include data backup plans, data recovery plans and plans to continue to protect the security of ePHI while operating in emergency operations mode. In the Work Plan OIG advises that it will compare contingency plans used by hospitals with government and industry recommended practices.
As part of the Work Plan, OIG will continue to examine whether the Centers for Medicare & Medicaid Services’ (CMS) oversight of hospitals’ security controls over networked medical devices is sufficient to protect ePHI. The OIG noted that computerized medical devices such as dialysis machines, radiology systems and medication dispensing systems that use hardware, software and networks to monitor a patient’s condition and transmit and/or receive data using wired or wireless communications pose a growing threat to the security and privacy of personal health information.
OIG also plans to continue to perform audits of covered entities receiving incentive payments for the use of electronic health records (EHRs) and their business associates (including cloud providers) to determine whether they are adequately protecting ePHI created or maintained by certified EHR technology. In addition, OIG will review the adequacy of CMS’ oversight of states’ Medicaid system and information controls. Prior OIG audits found that states often fail to have in place adequate security features, potentially exposing Medicaid beneficiary information to unauthorized access.
As to future endeavors, the Work Plan stated that other areas under consideration for new work include the security of electronic data, the use and exchange of health information technology, and emergency preparedness and response efforts. In addition, OIG advises that in FY 2015 and beyond, it will continue to focus on IT systems security vulnerabilities in health care reform programs such as health insurance marketplaces.
About The Author
Tags: 2015, Business Associate, cms, covered entity, EHR, ePHI, health care reform, health insurance marketplace, HHS, HIPAA, medicaid, OIG, Security Rule, work plan
Posted by Chris Raphaely
on October 16, 2014
Accountable Care Organizations
The Centers for Medicare & Medicaid Services (“CMS”) announced a new initiative, the ACO Investment Model, on October 15, 2014. Under the model, ACOs which are made up of “providers [who] lack adequate access to … capital” may receive additional funding from the CMS “to invest in infrastructure necessary to successfully implement population care management.” The eligibility criteria are as follows:
- The ACO must be accepted into and participate in the Medicare Shared Savings Program. The ACO’s first performance period in the Medicare Shared Savings Program must have started in either 2012, 2013 or 2014 or will start in 2016.
- The ACO has completely and accurately reported quality measures to the Medicare Shared Savings Program in the most recent performance year, if the ACO started in the Medicare Shared Savings Program in 2012, 2013 or 2014, excluding ACOs that will start in 2016. The ACO has a preliminary prospective beneficiary assignment of 10,000 or fewer beneficiaries for the most recent quarter, as determined in accordance with the Shared Savings Program regulations.
- The ACO does not include a hospital as an ACO participant or an ACO provider/supplier (as defined by the Shared Savings Program regulations), unless the hospital is a critical access hospital (CAH) or inpatient prospective payment system (IPPS) hospital with 100 or fewer beds.
- The ACO is not owned or operated in whole or in part by a health plan.
- The ACO did not participate in the Advance Payment Model.
About The Author
Tags: ACO Investment Model, cms, OIG, Stark Law, Waivers
Year #2 Report on Medicare Fraud Prevention System
On June 25, 2014, the Centers for Medicare & Medicaid Services (CMS) and the Department of Health and Human Services Office of Inspector General (OIG) issued and certified, as required by the Small Business Jobs Act of 2010 (SBJA) their second implementation year report for the Fraud Prevention System (FPS) along with a press release. By way of background, CMS is under pressure from Congress and the United States Government Accountability Office (GAO) to enhance their health care fraud, abuse and waste prevention and detection success through the use of predictive analytics technologies while at the same time monitoring the expenditures and costs by government contractors and auditors such as ZPICs to prevent fraud. Last October, GAO published a Report concerning CMS’s Medicare Program Integrity titled, “Contractors Reported Generating Savings but CMS Could Improve Its Oversight.”
CMS and OIG’s Report to Congress on the FPS responds to many, but not all, of GAO’s criticisms. Here are a few of the noteworthy findings and observations in the Report:
- CMS reports that they “identified or prevented” $210.7 million in Medicare payments attributed to FPS. This is a return on investment of $5 to $1 for the second implementation year and an increase ROI from Year 1.
- OIG disagrees with CMS’s use of “identified savings” to calculate the success of the FPS and instead recommends using “adjusted savings” as a measure of savings and return on investment related to the Department’s use of FPS.
- Under OIG’s adjusted savings analysis, OIG only certified $54.2 million of the $210.7 million as attributed to the Department’s use of FPS.
- OIG found that the “Department’s use of its predictive analytics technologies resulted in a return on investment of $1.34 (not $5) for every dollar spent on the FPS.
- Based on criticism received by OIG and GAO, CMS reported that they changed the methodology to require ZPICs (Zone Program Integrity Contractors) to submit provider-specific outcome data to be able to conduct more quality control reviews prior to reporting savings.
- OIG disagreed with CMS and stated, “[A]lthough the Department has made significant progress in addressing the challenges of measuring actual and projected savings, its procedures were not always sufficient to ensure that its contractors provided and maintained reliable data to always support FPS savings.” Interestingly, OIG initially included a much stronger statement but revised the final statement based on CMS’s objections. The original statement was “[T]he Department could not ensure that its contractors always provided and maintained reliable data to support FPS savings.”
- CMS expects that future activities of the FPS will substantially increase savings by expanding the use of predictive analytics and modeling beyond identifying FRAUD and into areas of WASTE and ABUSE. This will require more refined predictive models and modifications from insights from field investigators, policy experts, clinicians, and data analysts. In Year 3, CMS will convene workgroups with federal agency, states, and private partners to develop and expand FPS’s capabilities.
- In Year 3, CMS also will explore the cost-effectiveness and feasibility of expanding predictive analytics technology to Medicaid and the Children’s Health Insurance Program (CHIP). CMS anticipates working with State Medicaid Agencies to train and explore opportunities for expanding predictive analytics.
Practice Tip: CMS’s FPS is more fully integrated into the Medicare FPS payment system and allows CMS to monitor and deny individual claims in the prepayment stage. ZPICs and other government contractors will continue to be the government’s “boots on the ground” but they will be armed with better information and real time data to investigate. Providers need to take any and all inquiries by ZPICs seriously. Anticipate more coordinated investigations by the FBI, ZPICs, States AGs, State Medicaid Fraud Agencies, and Federal agencies and faster freezing or rejections of provider claims. Anticipate the expansion of FPS’s predictive analytics to the areas of waste and abuse.
Please check back with the Health Law Informer Blog and Cozen O’Connor for additional analysis of CMS’s Second Implementation Year Report in the coming weeks.
About The Author
Tags: audit, cms, Government Contractors, Medicare Program Integrity, Predictive Analytics, ZPICs
Posted by Ryan Blaney
on June 05, 2014
In May and within a week of the Office of Inspector General of the Department of Health and Human Services (OIG) releasing a proposed rule to expand its exclusion authority, the agency also released a proposed rule (Rule) expanding its authority to impose civil monetary penalties (CMPs). OIG anticipates that “CMP collections may increase in the future in light of the new CMP authorities and other changes proposed in this [R]ule.” Over the last decade, OIG has collected more than $165 million in CMPs (between $10.2 million to $26.2 million per year).
Health care providers, suppliers and related institutions should pay particular attention to five proposed key changes:
(1) The focus on an expansion in the range of conduct for which OIG could assess CMPs to include: failing to provide OIG timely access to documents, ordering or prescribing medication or services while excluded from participation in federal health care programs, making false statements on enrollment applications to participate in federal health care programs, failing to report and return known overpayments, and making or using a false statement that is material to a false or fraudulent claim.
(2) Interpretation of the penalty as a per day penalty—for example, up to $10,000 for each day a person fails to report and return an overpayment.
(3) Imposition of CMPs on Medicare Advantage and Medicare Part D organizations (if any of their employees or contractors engaged in fraudulent activity). This broadens the general liability of these organizations for misconduct to include contracted providers or suppliers, employees and agents. Medicare Advantage and Part D organizations would also be eligible for CMPs if they enroll an individual (or his or her designee) without consent; transfer an enrollee to another plan without the enrollee’s (or his or her designee’s) consent; transfer an enrollee to make a commission; fail to comply with marketing restrictions; or employ or contract with any person who engages in prohibited conduct.
(4) Revision to the current structure of 42 C.F.R. Part 1003 because it is “cumbersome and potentially confusing for the reader” in order to “add clarity and improve transparency in OIG’s decision-making processes.” The bases for CMP assessments would be grouped into subsections by subject matter. OIG would provide a single list of factors to be considered when determining the amount of a CMP to include: the nature and circumstances of the violation, the degree of culpability of the person, the history of prior offenses, other wrongful conduct, and other matters as justice may require.
(5) An increase of the claims-mitigating factor from $1,000 to $5,000. The claims-mitigating factor acts as a threshold to help OIG determine the severity of a program violation. OIG believes that the $1,000 threshold is “lower than appropriate . . . given the changes in the costs of health care since this regulation was last updated in 2002.”
Other notable proposed changes include: the addition of a mitigating factor for “appropriate and timely corrective action” taken by a person under OIG’s Self-Disclosure Protocol; clarification that a single aggravating circumstance may result in the maximum amount allowed penalty, assessment, or exclusion; and the delegation of authority from the Department of Health and Human Services Secretary to OIG at Part 1003.150.
Comments to the Rule are due by July 11, 2014.
About The Authors
Tags: assessment, claims-mitigation factor, CMP, CMP authority, corrective action, defraud, exclusion, false statements, federal health care program, medicaid, medicare, overpayments, penalty, self-disclosure protocol
Posted by Ryan Blaney
on June 05, 2014
, Affordable Care Act
In May, the Office of Inspector General of the Department of Health and Human Services (OIG) proposed a new rule (Rule) that would implement changes included in the ACA. The Rule would expand OIG’s authority to exclude individuals and entities from participation in federal health care programs, among other changes.
The Rule would build on OIG’s existing authority, but enable the agency to impose penalties for a broader array of conduct. OIG currently has the authority to exclude individuals and entities from participation in federal health care programs who are deemed “untrustworthy.” Certain bases for exclusion require OIG to impose a mandatory exclusion period of at least five years. Other bases allow OIG broad discretion to determine whether to impose an exclusion and for how long.
The Rule change includes three proposed bases for permissive exclusion: (1) conviction related to the obstruction of an audit; (2) failure to supply payment information for items or services; and (3) to make, or cause to be made, false statements, omissions, or misrepresentations of material facts in an application to participate in a federal health care program.
In addition, the Rule would give OIG the power to issue testimonial subpoenas during exclusion investigations, and remove any statute of limitations on exclusion actions stemming from false claims proceedings. The proposed removal of the statute of limitations would give the authority to impose exclusions at any time, even when the exclusion is due to violations of another statute that might have a specified time limit. OIG considered but did not finalize a similar provision in 2002. The Rule also includes a proposition to modify exclusion reinstatement rules such that individuals excluded as a result of losing their licenses could rejoin the federal health care programs earlier if they meet certain criteria.
Comments to the Rule are due on July 8, 2014.
About The Authors
Tags: audit, exclusion authority, federal health care program, Fraud and Abuse, investigation, mandatory exclusion, permissive exclusion, statute of limitations