Posted by Gregory M. Fliszar
on March 22, 2016
The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) finally announced on March 21 that it is ready to begin Phase Two of its HIPAA audit program, which will include business associates. These audits, mandated by HITECH, will primarily consist of desk audits, scheduled for completion by the end of December 2016, followed by onsite audits.
OCR explained it will immediately commence Phase Two by verifying, via email, covered entities’ and business associates’ contact information. OCR is requesting timely responses so that it can send out pre-audit questionnaires to gather data from covered entities and business associates for the creation of potential audit subject pools. The data will relate to the entities’ size, type and operations. Should covered entities and business associates fail to respond to OCR’s requests, they may still be part of OCR’s potential subject pools, because OCR plans to compile publicly available information about covered entities and business associates that do not respond to its requests.
The first round of desk audits will focus on covered entities, and the second round will focus on business associates. The third round will be onsite audits, with a greater focus on the HIPAA requirements. OCR explains that some covered entities and business associates who are subject to desk audits may also be subject to onsite audits. According to OCR, all covered entities and business associates are eligible to be audited. The audits will focus on identifying compliance with specific privacy and security requirements under HIPAA/HITECH, and OCR will notify auditees by letter regarding the subject(s) of their specific audits. On the HHS website, OCR provides a sample letter for review. Subsequent to the audits, OCR will review and analyze information from the final audit reports.
Importantly, if an audit report uncovers significant noncompliance with HIPAA, it could prompt an investigation by OCR. The areas of interest for OCR in Phase Two will become clearer as the Phase Two audit program gets underway, but for now, we know OCR will focus on assessing covered entities’ and business associates’ HIPAA compliance, identifying best practices and discovering risks and vulnerabilities.
More information about the Phase Two audits is available here, and you can also contact Greg Fliszar, Ryan Blaney, J. Nicole Martin or another member of Cozen O’Connor’s Health Law team.
Tags: audit, best practice, Business Associate, Compliance, covered entity, HHS, HIPAA, HITECH, investigation, OCR, phase two, pre-audit, privacy, questionnaires, report, security, subject pool
Posted by Ryan Blaney
on September 26, 2014
12,915 complaints were reported in 2013 to the Department of Health and Human Services Office of Civil Rights (“OCR”), according to Iliana L. Peters, Senior Adviser for HIPAA Compliance and Enforcement. Cozen O’Connor attended Ms. Peters’ presentation at the Safeguarding Health Information: Building Assurance through HIPAA Security conference on September 22-23, 2014. The conference was hosted jointly by OCR and the National Institute of Standards and Technology (“NIST”). Below are a few discussion points worth mentioning from the conference:
- Between September 2009 and August 31, 2014, OCR investigated 1,176 reports involving breaches of Protected Health Information (“PHI”) where more than 500 individuals were affected, and approximately 122,000 reports affecting fewer than 500 individuals.
- According to Ms. Peters, 60% of the large breaches could have been prevented by encrypting the covered entities’ and business associates’ laptops and mobile devices.
- Theft and loss continue to be the most common cause of breaches, but OCR expects that IT hacking will continue to rise as a significant breach risk.
- Since 2009, consumer complaints regarding HIPAA violations continue to rise.
- Covered entities and business associates should already have in place business associate agreements that have been updated for the Omnibus Rule.
- Business associates must comply with all of the HIPAA Security Rules applicable to covered entities, “PERIOD.”
- Given the known risks of hacking, theft and loss, and the direct guidance from OCR, covered entities and business associates must recognize that inadequate security and inadequate physical and technical safeguards are not acceptable.
- OCR expects that covered entities and business associates will be familiar with recent corrective actions and resolution agreements, such as Parkview, NYP/Columbia, Concentra, QCA, Skagit County, Adult & Pediatric Dermatology, P.C., and Affinity Health Plan, Inc.
Tags: audit, breach, Business Associate, HHS, HIPAA, HITECH, NIST, OCR, Privacy Rule, Security Rule
Year #2 Report on Medicare Fraud Prevention System
On June 25, 2014, the Centers for Medicare & Medicaid Services (CMS) and the Department of Health and Human Services Office of Inspector General (OIG) issued and certified, as required by the Small Business Jobs Act of 2010 (SBJA), their second implementation year report for the Fraud Prevention System (FPS), along with a press release. By way of background, CMS is under pressure from Congress and the United States Government Accountability Office (GAO) to improve its success in preventing and detecting health care fraud, waste and abuse through the use of predictive analytics technologies, while at the same time monitoring the expenditures and costs of government contractors and auditors such as ZPICs that work to prevent fraud. Last October, GAO published a Report concerning CMS’s Medicare Program Integrity titled, “Contractors Reported Generating Savings but CMS Could Improve Its Oversight.”
CMS and OIG’s Report to Congress on the FPS responds to many, but not all, of GAO’s criticisms. Here are a few of the noteworthy findings and observations in the Report:
- CMS reports that it “identified or prevented” $210.7 million in Medicare payments attributed to FPS. This is a return on investment of $5 to $1 for the second implementation year and an increased ROI over Year 1.
- OIG disagrees with CMS’s use of “identified savings” to calculate the success of the FPS and instead recommends using “adjusted savings” as a measure of savings and return on investment related to the Department’s use of FPS.
- Under OIG’s adjusted savings analysis, OIG only certified $54.2 million of the $210.7 million as attributed to the Department’s use of FPS.
- OIG found that the “Department’s use of its predictive analytics technologies resulted in a return on investment of $1.34 (not $5) for every dollar spent on the FPS.”
- Based on criticism received from OIG and GAO, CMS reported that it changed its methodology to require ZPICs (Zone Program Integrity Contractors) to submit provider-specific outcome data so that it can conduct more quality control reviews prior to reporting savings.
- OIG disagreed with CMS and stated, “[A]lthough the Department has made significant progress in addressing the challenges of measuring actual and projected savings, its procedures were not always sufficient to ensure that its contractors provided and maintained reliable data to always support FPS savings.” Interestingly, OIG initially included a much stronger statement but revised the final statement based on CMS’s objections. The original statement was “[T]he Department could not ensure that its contractors always provided and maintained reliable data to support FPS savings.”
- CMS expects that future activities of the FPS will substantially increase savings by expanding the use of predictive analytics and modeling beyond identifying FRAUD and into the areas of WASTE and ABUSE. This will require more refined predictive models and modifications based on insights from field investigators, policy experts, clinicians, and data analysts. In Year 3, CMS will convene workgroups with federal agencies, states, and private partners to develop and expand FPS’s capabilities.
- In Year 3, CMS also will explore the cost-effectiveness and feasibility of expanding predictive analytics technology to Medicaid and the Children’s Health Insurance Program (CHIP). CMS anticipates working with State Medicaid Agencies to train and explore opportunities for expanding predictive analytics.
Practice Tip: CMS’s FPS is more fully integrated into the Medicare FPS payment system and allows CMS to monitor and deny individual claims in the prepayment stage. ZPICs and other government contractors will continue to be the government’s “boots on the ground,” but they will be armed with better information and real-time data to investigate. Providers need to take any and all inquiries by ZPICs seriously. Anticipate more coordinated investigations by the FBI, ZPICs, State AGs, State Medicaid Fraud Agencies, and federal agencies, and faster freezing or rejection of provider claims. Anticipate the expansion of FPS’s predictive analytics to the areas of waste and abuse.
Please check back with the Health Law Informer Blog and Cozen O’Connor for additional analysis of CMS’s Second Implementation Year Report in the coming weeks.
Tags: audit, cms, Government Contractors, Medicare Program Integrity, Predictive Analytics, ZPICs
Posted by Ryan Blaney
on June 05, 2014
In May, the Office of Inspector General of the Department of Health and Human Services (OIG) proposed a new rule (Rule) that would implement changes included in the ACA. The Rule would expand OIG’s authority to exclude individuals and entities from participation in federal health care programs, among other changes.
The Rule would build on OIG’s existing authority, but enable the agency to impose penalties for a broader array of conduct. OIG currently has the authority to exclude individuals and entities from participation in federal health care programs who are deemed “untrustworthy.” Certain bases for exclusion require OIG to impose a mandatory exclusion period of at least five years. Other bases allow OIG broad discretion to determine whether to impose an exclusion and for how long.
The Rule change includes three proposed bases for permissive exclusion: (1) conviction related to the obstruction of an audit; (2) failure to supply payment information for items or services; and (3) making, or causing to be made, false statements, omissions, or misrepresentations of material facts in an application to participate in a federal health care program.
In addition, the Rule would give OIG the power to issue testimonial subpoenas during exclusion investigations, and would remove any statute of limitations on exclusion actions stemming from false claims proceedings. The proposed removal of the statute of limitations would give OIG the authority to impose exclusions at any time, even when the exclusion is due to violations of another statute that might have a specified time limit. OIG considered but did not finalize a similar provision in 2002. The Rule also includes a proposal to modify the exclusion reinstatement rules so that individuals excluded as a result of losing their licenses could rejoin the federal health care programs earlier if they meet certain criteria.
Comments to the Rule are due on July 8, 2014.
Tags: audit, exclusion authority, federal health care program, Fraud and Abuse, investigation, mandatory exclusion, permissive exclusion, statute of limitations