
June 20, 2018

Posted by: Robert Trusiak

New Guidance on HIPAA and Individual Authorization of Uses and Disclosures of PHI for Research

On June 18, 2018, the Office for Civil Rights issued new guidance on HIPAA and individual authorization of uses and disclosures of protected health information (PHI) for research. The guidance explains certain requirements for an authorization to use or disclose PHI for future research and clarifies aspects of the individual's right to revoke an authorization for research uses and disclosures of PHI.

Authorization General Requirements

With few exceptions, HIPAA requires individual authorization from patients prior to using patients’ PHI for research. A HIPAA-compliant authorization for use of PHI for research:

  • must be in plain language
  • must contain specific information regarding:
    - a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion,
    - the names or other specific identification of the persons authorized to disclose and receive the information,
    - a description of each purpose of the requested use or disclosure, and
    - an expiration date or expiration event that relates to the individual or the purpose of the use or disclosure.
  • must also include statements adequate to place the individual on notice of all of the following:
    1. the individual’s right to revoke the authorization in writing, any exceptions to the right to revoke the authorization and a description of how the individual may revoke the authorization;
    2. the ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization; and
    3. the potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by the HIPAA Privacy Rule.

Authorizations for Future Research

Authorizations for the use or disclosure of PHI for future research must include a description of each purpose of the requested use or disclosure. “Each purpose” means that such authorizations do not need to specify each specific future study if the particular studies to be conducted are not yet determined; rather, the authorization must sufficiently describe the purposes such that it would be reasonable for the individual to expect that the protected health information could be used or disclosed for such future research.

Expiration of Authorization for Future Research

Authorizations for the use or disclosure of PHI for future research must include an expiration date or event. The statement “end of the research study,” “none,” “until it is revoked by the individual” or similar language is sufficient.

Right to Revoke Authorization

Individuals should be aware that revocation of an authorization does not always mean that the individual’s information may no longer be used in the research study. A covered entity may continue to use and disclose PHI that was obtained before the individual revoked authorization to the extent that the entity has taken action in reliance on the authorization.


May 18, 2018

Posted by: Robert Trusiak

MEASURING COMPLIANCE PROGRAM EFFECTIVENESS

Measuring compliance program effectiveness is recommended by several authorities, including the United States Sentencing Commission (see Chapter 8 of the United States Sentencing Guidelines). The Compliance Department is not permitted to perform these audits itself; under CMS's Part C and Part D compliance training, effectiveness audits must be performed independently to avoid self-policing (https://www.cms.gov/Medicare/Compliance-and-Audits/Part-C-and-Part-D-Compliance-and-Audits/Downloads/Element-VI-Focused-Training-Power-Point-.pdf). Yet it has been reported that only 25 percent of surveyed organizations use outside experts to evaluate their program, and nearly 66 percent rely on self-assessment tools and checklists to evidence their compliance program effectiveness.

On January 17, 2017, the Department of Health and Human Services, Office of Inspector General (OIG) addressed ways to measure the effectiveness of compliance programs. https://oig.hhs.gov/compliance/compliance-resource-portal/files/HCCA-OIG-Resource-Guide.pdf. The critical review necessary to ensure compliance programs address the fluid nature of health care risk is the best means to promote effective compliance and mitigate the opportunity for a state or federal audit.

Trusiak Law can assist you in measuring the effectiveness of your compliance program. The work is done under attorney-client privilege to avoid unnecessary disclosure. If you are interested in learning more about the way in which Trusiak Law may assist you, please contact us.

February 11, 2018

Posted by: Robert Trusiak

CONGRESS LIFTS MEDICARE THERAPY LIMITS

On February 9, 2018, Congress enacted a permanent solution to the hard cap on outpatient therapy services under Medicare Part B, ending a cycle of short-term fixes that have been necessary since its introduction in 1997 as part of the Balanced Budget Act.

The legislation that has been enacted provides a fix for the therapy cap by permanently extending the current exceptions process. Among the provisions included in the new policy:

  • The therapy cap limits for 2018 remain at $2,010 for physical therapy (PT) and speech-language pathology (SLP) services combined and $2,010 for occupational therapy (OT) services.
  • Claims that go above $2,010 (adjusted annually) still will require the use of the KX modifier for attestation that services are medically necessary.
  • The threshold for targeted medical review will be lowered from the current $3,700 to $3,000 through 2027; however, CMS will not receive any increased funding to pursue expanded medical review, so the overall number of targeted medical reviews is not expected to increase.
  • Claims that go above $3,000 will not automatically be subject to targeted medical review. Instead, only a percentage of providers who meet certain criteria will be targeted, such as those who have had a high claims denial percentage or have aberrant billing patterns compared with their peers.

Physical, speech and occupational therapists need to be cautioned that by affixing the KX modifier, the therapist is making an attestation to the Federal government that the therapy is medically necessary and that there is documentation in the medical record to support the medical necessity.

The legislation also directs CMS to create a modifier in 2019 for tracking Medicare services provided by physical therapy and occupational therapy assistants, so that enough data is collected in 2020 to set, by 2022, a Medicare fee schedule rate for those services at 85% of the fees paid to physical, speech and occupational therapists.

February 6, 2018

Posted by: Robert Trusiak

MEDICARE REVISES E/M SERVICE DOCUMENTATION PROVIDED BY STUDENTS

On February 2, 2018, CMS issued Transmittal 3971 revising Pub. 100-04, Medicare Claims Processing Manual, Chapter 12, Section 100.1.1, B, to allow the teaching physician to verify in the medical record any student documentation of components of evaluation and management (E/M) services, rather than redocumenting the work. The policy change applies to all students whom teaching physicians supervise, including advanced practice professionals. The revised policy reads as follows:

E/M Service Documentation Provided By Students

Any contribution and participation of a student to the performance of a billable service (other than the review of systems and/or past family/social history which are not separately billable, but are taken as part of an E/M service) must be performed in the physical presence of a teaching physician or physical presence of a resident in a service meeting the requirements set forth in this section for teaching physician billing.

Students may document services in the medical record. However, the teaching physician must verify in the medical record all student documentation or findings, including history, physical exam and/or medical decision making. The teaching physician must personally perform (or re-perform) the physical exam and medical decision making activities of the E/M service being billed, but may verify any student documentation of them in the medical record, rather than re-documenting this work.

Teaching physicians cannot simply co-sign the medical student’s notes; that is not enough for billing. The teaching physician has a responsibility to read and edit the student’s notes and obtain clarification from the student if needed. Teaching physicians along with the teaching hospitals should consider the level of skill and competency that their medical students need in order to accomplish the essential elements of the E/M service.

The policy change is specific to E/M services and does not address documentation of procedures performed by students. A future MLN Matters article from CMS may address the expectations of medical student skill and competency as well as documentation of procedures performed by students.

February 4, 2018

Posted by: Robert Trusiak

ROBERT TRUSIAK DISCUSSES COMPLIANCE REQUIREMENTS AFTER ESCOBAR, RUCKH AND THE SET ASIDE OF $347M FALSE CLAIMS ACT JURY AWARD

My comments follow and generally address the legal and compliance considerations associated with the set aside of a $347M jury verdict for FCA violations that the jury found arising from the absence of nursing home care. These views were generally addressed in an interview with me appearing in the Report on Medicare Compliance, V. 27, #3, Jan. 22, 2018. See United States ex rel. Ruckh v Salus Rehabilitation, LLC, 2018 US Dist LEXIS 5148 (MD Fla Jan. 11, 2018, No. 8:11-cv-1303-T-23TBM). The case was filed in 2011. DOJ declined intervention. Trial commenced on Jan. 17, 2017, with a jury verdict returned on February 15, 2017.

On Jan. 11, 2018, the court granted the defendants' motion for judgment as a matter of law, overturning the jury verdict that found 446 false claims submitted to the government. A review of the opinion offers several points worthy of discussion as providers and their counsel assess risk and develop 2018 compliance strategies.

The Ruckh court determined the actual, not alleged, violations by the nursing home system were immaterial deficiencies unable to support False Claims Act liability. A review of the opinion reveals there is something for everyone—compliance officers, hospital counsel, nursing home counsel, whistleblowers and defense counsel--as Escobar continues to mature through judicial development at the district court and appellate level. The points follow:

  1. Go-it-alone cases continue the trend of creating law unfavorable to the government and favorable to the defense bar. The government declined intervention in this case. The court’s materiality discussion is unhelpful for whistleblowers and government counsel, but beneficial to the defense bar, given the court’s characterization of fundamental nursing home clinical care coordination and plan of care documents as a “record-keeping deficiency”.
  2. Nursing home cases pose significant False Claims Act challenges. The federal government has a keen interest in protecting the vulnerable residents of a nursing home. Enforcement efforts through the FCA, however, have been checkered because of the system-wide approaches occasioned by use of the FCA to redress specific incidents of neglect and abuse. The compliance takeaway is obviously not that nursing homes are insulated from anything other than CMS and state audit oversight with the modest remedial tool of a deficiency citation. The compliance takeaway should be that Medicaid Fraud Control Units are probably the most significant law enforcement risk and are best equipped to redress neglect and abuse through granny cams and other covert techniques that support criminal, not civil, actions against abusive staff.
  3. Too big to fail. Although the opinion is ostensibly about materiality in light of the Supreme Court’s Escobar decision, a critical review of the opinion and prior filings demonstrates that the result is more about money than materiality. Quite simply, the defendants, the owners and operators of fifty-three specialized nursing facilities in several states, were too big to fail. In March 2017 the district court stayed enforcement of the $347M judgment based on a litany of defense claims concerning the draconian consequences of enforcement; namely, that enforcing the judgment would "trigger the collapse of scores of skilled nursing facilities in 17 states." Additionally, a Salus facility’s failure to pay a judgment over $500,000 would trigger a default on a loan from Midcap Financial (MidCap) totaling about $168 million if a judgment creditor began collection or if the judgment remained unstayed for more than 20 days. MidCap provides operating capital twice a week for payroll and rent, and the facilities and their receivables are pledged as collateral. If a default were triggered, MidCap would halt lending and accelerate the loan. The court noted that halting operations would result in the closure of over 80 SNFs in Florida, jeopardizing patient health.
    Money, profits, cash calls and defaults are all irrelevant to the Escobar materiality analysis; however, the court’s opinion vacating the jury's judgment expressly noted the “slim profit margin” of nursing home providers. Too big to fail was used successfully in 2008 during the financial crisis. Ruckh demonstrates it remains a viable defense strategy today.
  4. Hobson’s Choice. The Ruckh court, like many courts, struggled with the complexity of the Medicare system. Medicare is unique, and failure to critically understand its multifaceted complexities results in curious conclusions. For example, the court indicated that continued payment impedes materiality, apparently inferring that continued payment is an implicit substantive government position on the allegations of wrongdoing, since “the federal and state governments regard the disputed practices with leniency or tolerance” based on continued payment.
    CMS possesses the statutory and regulatory power to suspend payments. CMS, in my government experience, chooses to exercise or withhold that power based on a number of legal, financial and clinical reasons related to patient care. For example: is there immediate jeopardy to nursing home patients; is the provider without assets to satisfy a downstream judgment; or will the suspension jeopardize the wellbeing of patients? CMS could logically conclude in this type of case that allegations of wrongdoing not involving immediate jeopardy to residents (immediate jeopardy meaning, for example, stage 4 bed sores, poor nutrition and hydration throughout the system, patient death, or chemical restraints) require it to balance factors and forbear from immediate suspension pending a resolution. The Ruckh decision would force the government to make the Hobson’s choice of suspending payments now, creating immediate jeopardy for residents, in order to preserve the ability to litigate an FCA case months or years away from trial. The law does not require such a Hobson’s choice. The irony follows: if CMS had suspended payments, then the same defense arguments made in the stay motion on the judgment would have been used to support a claim by defendants for injunctive relief against CMS to lift the suspension, citing the same alleged financial calamities.
    Allegations of wrongdoing, government decisions to decline intervention, suspension of payments and continued payments are decisions based on resource constraints, harm to patients and the unremarkable and august agency view that action requires facts, not allegations. Stated otherwise, continued payment is not easily reducible to the singular notion that payments estop the government or a relator from later pursuing FCA relief on the ground that the alleged fraud was immaterial.
    The compliance takeaway should not be, and never be, that continued payment by Medicare, Medicaid or Tricare constitutes some type of implicit approval of the questioned practice. Compliance officers all struggle with the incantation by staff that Medicare has always paid the claim, therefore it must be “OK”. It was important before Escobar, and remains so today, for providers of all types to ensure their documentation supports the claims they submit. If the underlying documentation does not support a level 5 E/M, then Escobar provides no relief to the provider. If the underlying documentation does not support the medical necessity for the admission, procedure or drug, then Escobar provides no relief to the misrepresenting provider.
  5. Complexity is not simple. Health care cases require fluency in the complexities of Medicare and medicine. Nursing home care, or the lack of it, is demonstrated through documentation of care provided to patients on certain dates, consistent with care plans, to ensure the government (that is, the taxpayer) receives the benefit of the bargain. A nursing home documents care through a comprehensive care plan (CCP). CMS has defined the CCP as the essential communication tool to be used by the interdisciplinary team to provide coordinated services. The judicial characterization of the failure to sign, date and complete this fundamental document, which determines and defines nursing home care, as “administrative non-compliance” or a “record-keeping deficiency” is difficult to reconcile with the basic mantra known to every medical practitioner: if it is not documented, then it didn’t happen. The compliance takeaway should be that the mantra continues unabated. Complete documentation of care, prepared in accordance with state and federal rules, including signatures and dates, will always be the best means to mitigate risk.
  6. The government possesses multiple non-exclusive remedies. The court also suggests that exhaustion of administrative remedies is somehow a prerequisite to seeking FCA relief (“My guess is that under these circumstances no government answerable to the people would refuse to pay, especially in Florida and especially in the pertinent patient population, unless every administrative and other remedy was exhausted….”). The FCA contains no such administrative exhaustion requirement. The government may pursue an administrative remedy to redress fraud. The government may pursue a statutory remedy to redress fraud. The government may choose to exercise regulatory and statutory remedies contemporaneously. The FCA contains no implicit or explicit provision requiring remedies to be pursued by turns.
    The compliance takeaway remains simple and straightforward: risk from coding, deficient care, off-label promotion, physician compensation and other areas remains a multifaceted exercise because of FCA risk, Stark risk, Anti-Kickback risk, state enforcement risk and administrative risk.
  7. Same as it ever was.

What does all this mean to the health care or compliance professional?

Nothing. Stay on Task.

The federal appellate courts will fashion appropriate and legitimate factors to define materiality under Escobar and weed out outlier materiality claims. DOJ and the whistleblower bar will respond to Escobar by filing complaints that address materiality sufficiently to avoid dismissal and permit discovery. Remember, providers bill imperfectly every day despite their best efforts. Remember, no investigation ends where it starts; it generally expands to include other areas. The purpose of compliance efforts, in general, includes avoiding whistleblower suits and keeping state and federal law enforcement at bay, so that the problems that arise despite your best efforts are found and corrected internally rather than detected and acted upon by the government.

The FCA in general, and whistleblowers in particular, will continue to be an omnipresent and significant risk to health care providers. DOJ recently reported that roughly 12 whistleblower cases are filed every week. See https://www.justice.gov/opa/pr/justice-department-recovers-over-37-billion-false-claims-act-cases-fiscal-year-2017. The FCA will continue to be the government's primary fraud weapon for the many and varied factual fraud and procurement fraud theories historically cognizable and successfully prosecuted by the government or relators, including Stark, physician compensation, kickback, off-label, medical necessity, overutilization and upcoding. Although Escobar will rightly continue to affect certain FCA matters (for example, licensure or ministerial approvals), Ruckh by no means portends a reduction in FCA risk for providers, for the reasons above.

January 8, 2018

Posted by: Robert Trusiak

SAMHSA ISSUES FINAL RULE UPDATING SUBSTANCE ABUSE CONFIDENTIALITY REGULATIONS

The Substance Abuse and Mental Health Services Administration (SAMHSA), part of the U.S. Department of Health and Human Services (HHS), has finalized proposed changes to the Confidentiality of Substance Use Disorder Patient Records regulation, 42 CFR Part 2, aimed at supporting payment and healthcare operations activities while protecting the confidentiality of patients.

The final rule, published in the Federal Register on January 3, 2018, builds on changes to 42 CFR Part 2 made last year. In a final rule published last January, SAMHSA updated the 42 CFR Part 2 rules by allowing patients to provide a general consent to disclosure of substance use disorder information, rather than limiting the consent to a specific named provider.

The Confidentiality of Substance Use Disorder Patient Records regulation, 42 Code of Federal Regulations Part 2 (Part 2), protects the confidentiality of records relating to the identity, diagnosis, prognosis, or treatment of any patient that are maintained in connection with the performance of any federally assisted program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research. Under Part 2, a federally assisted substance use disorder program may only release patient identifying information with the individual’s written consent, pursuant to a court order, or under a few limited exceptions.

The 42 CFR Part 2 regulations previously required the patient to consent every time their data was shared or accessed, which health information exchanges (HIEs) and healthcare organizations found difficult to implement. The final rule will permit healthcare providers, with patients’ consent, to more easily conduct such activities as quality improvement, claims management, patient safety, training, and program integrity efforts.

Major provisions of the final rule include:

  • Additional disclosures of patient identifying information are permitted, with patient consent, to facilitate payment and healthcare operations such as claims management, quality assessment, and patient safety activities.
  • Additional disclosures of patient identifying information are permitted to certain contractors, subcontractors, and legal representatives for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation.
  • Users of electronic health records (EHRs) are permitted to use an abbreviated notice of the prohibition on re-disclosure that is more easily accommodated in EHR text fields.

December 30, 2017

Posted by: Robert Trusiak

CMS ISSUES MEMORANDUM CLARIFYING TEXTING OF PATIENT INFORMATION AMONG HEALTHCARE PROVIDERS

In a memorandum issued December 28, 2017, the Centers for Medicare & Medicaid Services (CMS) clarified its position related to texting. In its memo, CMS stated that it “recognizes that the use of texting as a means of communication with other members of the healthcare team has become an essential and valuable means of communication among the team members.” In order to comply with existing regulations, “all providers must utilize and maintain systems/platforms that are secure, encrypted, and minimize the risks to patient privacy and confidentiality.”

In summarizing its position, CMS stated that:

  • Texting patient information among members of the health care team is permissible if accomplished through a secure platform.
  • Texting of patient orders is prohibited regardless of the platform utilized.
  • Computerized Provider Order Entry (CPOE) is the preferred method of order entry by a provider.

December 22, 2017

Posted by: Robert Trusiak

2018 COMPLIANCE PLAN WORK

First and foremost, initially look backward before looking forward and look inward before looking outward and always be mindful of the goal of any work plan.

The goal of a work plan is twofold: the obvious goal of addressing risk areas to advance fraud and abuse and HIPAA compliance, and providing a credible narrative to regulatory and law enforcement authorities of the provider’s demonstrated commitment to compliance, evidenced by audits and remittances, as appropriate. In my former capacity as an AUSA I regularly received an inconsistent message from providers under investigation: "we are committed to compliance.” The proof, however, was often lacking after I requested and reviewed the previous annual work plans. I often heard that other projects had delayed compliance efforts. I translated that to mean the provider was not actually committed to compliance, and the resulting FCA settlement was intended in part to elevate the importance of compliance, consistent, of course, with the facts and law.

The initial step in compiling a 2018 work plan is to critically assess your organization’s 2017 work plan, including the following areas:

  1. Look inward before looking outward. Did you completely address the 2017 deliverables? If not, then address the incomplete matters through either inclusion in the 2018 work plan or retiring the risk area for appropriate reasons, to avoid the above perception.
  2. Look inward before looking outward. Complete outstanding audits.
  3. Look inward before looking outward. Ensure hotline complaints have been addressed in a reasonable manner.
  4. Look inward before looking outward. OIG and state work plans offer valuable opportunities to assess 2018 compliance risk; however, your provider’s billing conduct is probably the best resource for addressing 2018 risk. Track high volume or high dollar private payer denials and crosswalk them into Medicare, Medicaid AND Tricare in 2018 as audit areas.
  5. Look inward before looking outward. Finalize your 2017 Security Risk Analysis, as required by the HIPAA Security Rule and attested to under HITECH meaningful use.
  6. Make any required regulatory year end attestations.

As far as my 2018 observations, they include the following:

  1. Be dynamic and not static. If you are auditing high risk areas on an annual basis (level 5 CPT codes, incident-to, modifier 25, PATH notes, short inpatient stays), then change the audit profile to advance the opportunity to identify risk. For example, audit different physicians or NPs, time periods, or clinics.
  2. Change your mindset. Try to find the problems rather than auditing to validate the incorrect perception that all is well. For example, when was the last time you tested the FMV valuation for relevant physician contracts to assure Stark and AKS (Anti-Kickback Statute) compliance? Set it and forget it creates risk. Do you have appropriate licensure for sites? Just because you are providing services does not mean such services are authorized; outpatient therapies are an example.
  3. Brainstorm before creating the 2018 work plan. Meet (do not have an e-mail dialogue) with the relevant Directors or project managers, the foot soldiers, for purchasing, IT, the chargemaster, coding and other areas to secure their input on compliance areas. Who is no longer here? What compliance function did they perform? Who is doing it now? For example, securing signatures for annual contracts involving physician compensation and implicating Stark.
  4. Benchmark your organization. There are public resources to address compliance deficiencies. Review and address, as appropriate. For example, the Bureau of Compliance (BOC) in the New York State Office of the Medicaid Inspector General (OMIG) conducts assessments of Required Providers’ compliance programs and publishes the frequency (on a percentage basis) of insufficiencies cited by BOC during compliance program reviews completed from January 2015 through June 30, 2017; the higher the percentage, the more frequently the insufficiency was observed. (https://omig.ny.gov/compliance/compliance-program-assessment-results)
  5. You might want to consider touching base on the issue of harassment, since this topic has been so much in the news lately. Although this area may not rank high on the list of fraud and abuse concerns, it requires attention based on recent publicity. Under the OIG compliance guidance, all programs with high risks should be subject to ongoing monitoring and auditing. Human Resources (HR) is a program, and therefore should be included when considering regulatory and legal risks.
  6. Considering the number of disasters the US had in 2017, you might want to consider stressing the need to develop a disaster plan and conduct routine drills of the plan, especially with a HIPAA and HITECH focus.
  7. And, as always, cybersecurity in healthcare will continue to be an issue in 2018. Do the simple before the complex. For example, secure a list of vendors from Accounts Payable, determine which of them have access to PHI, then cross-reference that list against your business associate agreements (BAAs). You will find gaps. Remediate them. Regularly reassess your security risk analysis in 2018. I have regularly reviewed SRAs provided by the IT vendor used by small to medium providers that outsource their IT. I often find the vendor addresses technical safeguards but wholly omits the administrative and physical safeguard assessments that the Security Rule also requires.
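The vendor-to-BAA cross-reference in item 7 is the kind of check that is easy to describe and easy to get wrong in a spreadsheet, because the Accounts Payable name for a vendor ("CloudEHR Hosting Inc") rarely matches the name on the signed agreement ("CloudEHR Hosting, Inc."). The script below is an added example, not part of the original post or of any vendor product; it assumes two CSV exports with the column names shown (an AP vendor list with a yes/no PHI-access column, and a BAA register with signed and expiration dates), and the vendors in it are constructed sample data. It normalizes names before matching and reports three gap categories a compliance officer actually needs to act on: PHI vendors with no BAA, PHI vendors whose BAA has expired, and BAAs on file for vendors AP no longer pays (a relationship that ended without confirming the return or destruction of PHI).

```python
"""Reconcile an Accounts Payable vendor list against a BAA register.

Added example (not the post's own code). Column names, the yes/no
phi_access convention and the sample vendors below are assumptions.
"""
import csv
import io
import re
from datetime import date

# Constructed sample input: what Accounts Payable hands over.
AP_VENDORS_CSV = """vendor_name,service,phi_access
"Acme Billing Services, LLC",claims processing,yes
Shred-It Records Inc.,record destruction,yes
Bright Office Supply,office supplies,no
CloudEHR Hosting Inc,EHR hosting,yes
Valley Transcription,dictation transcription,yes
"""

# Constructed sample input: the compliance office's BAA register.
# An empty 'expires' field means the agreement has no fixed term.
BAA_REGISTER_CSV = """vendor_name,signed,expires
ACME BILLING SERVICES,2016-03-01,2019-03-01
"CloudEHR Hosting, Inc.",2015-01-15,2017-01-15
Old Courier Co,2014-05-01,
"""

# Corporate suffixes that differ between AP and legal records.
_SUFFIXES = {"inc", "llc", "ltd", "co", "corp", "corporation", "company", "pc", "pllc"}


def normalize_vendor(name: str) -> str:
    """Canonical key for a vendor: lower-case, punctuation collapsed to
    spaces, corporate suffix tokens dropped."""
    tokens = re.sub(r"[^a-z0-9]+", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in _SUFFIXES)


def _parse_date(value: str):
    return date.fromisoformat(value) if value.strip() else None


def reconcile(ap_csv: str, baa_csv: str, today: date) -> dict:
    """Return vendors grouped by BAA status as of `today`."""
    ap_rows = list(csv.DictReader(io.StringIO(ap_csv)))
    baas = {normalize_vendor(r["vendor_name"]): r
            for r in csv.DictReader(io.StringIO(baa_csv))}
    report = {"missing_baa": [], "expired_baa": [],
              "covered": [], "baa_without_vendor": []}
    seen = set()
    for row in ap_rows:
        key = normalize_vendor(row["vendor_name"])
        seen.add(key)
        if row["phi_access"].strip().lower() != "yes":
            continue  # no PHI flows to this vendor; no BAA required
        baa = baas.get(key)
        if baa is None:
            report["missing_baa"].append(row["vendor_name"])
            continue
        expires = _parse_date(baa["expires"])
        if expires is not None and expires < today:
            report["expired_baa"].append(row["vendor_name"])
        else:
            report["covered"].append(row["vendor_name"])
    # BAAs with no matching AP vendor: relationship ended, or AP name drifted.
    for key, baa in baas.items():
        if key not in seen:
            report["baa_without_vendor"].append(baa["vendor_name"])
    return report


def sample_report() -> dict:
    """Run the reconciliation over the constructed sample as of 2018-01-01."""
    return reconcile(AP_VENDORS_CSV, BAA_REGISTER_CSV, date(2018, 1, 1))


if __name__ == "__main__":
    for category, vendors in sample_report().items():
        print(f"{category}: {vendors}")
```

Point the two CSV constants at real exports and the report becomes the remediation list: every entry under `missing_baa` or `expired_baa` is a vendor handling PHI without a valid agreement, and `baa_without_vendor` entries are worth a call to confirm that PHI was returned or destroyed when the relationship ended. Name normalization is deliberately simple; review the unmatched names by hand before concluding a BAA is truly missing.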

April 24, 2017

Posted by: HHS Office for Civil Rights

$2.5 million settlement shows that not understanding HIPAA requirements creates risk

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan. This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.

In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop had been stolen from a parked vehicle outside the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the Pennsylvania-based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

The Resolution Agreement and Corrective Action Plan may be found on the OCR website.

April 20, 2017

Posted by: HHS Office for Civil Rights

No Business Associate Agreement? $31K Mistake

The Center for Children’s Digestive Health (CCDH) has paid the U.S. Department of Health and Human Services (HHS) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and agreed to implement a corrective action plan. CCDH is a small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois.

In August 2015, the HHS Office for Civil Rights (OCR) initiated a compliance review of CCDH after opening an investigation of a business associate, FileFax, Inc., which stored records containing protected health information (PHI) for CCDH. Although CCDH began disclosing PHI to FileFax in 2003, neither party could produce a signed Business Associate Agreement (BAA) dated before October 12, 2015.

The Resolution Agreement and Corrective Action Plan may be found on the OCR website.

April 3, 2017

Posted by: Robert Trusiak

HHS OIG ISSUES A NEW COMPLIANCE RESOURCE GUIDE

On March 27, 2017, the Department of Health and Human Services, Office of Inspector General (OIG) issued a new resource titled Measuring Compliance Effectiveness: A Resource Guide. The intent of the guide is to provide numerous ideas for measuring the various elements of a compliance program.

A large number of individual compliance program metrics are listed in the guide. The purpose of the list is to give health care organizations as many ideas as possible, be broad enough to help any type of organization, and let the organization choose which ones best suit the organization's needs. The list is not a "checklist" to be applied in its entirety. An organization may choose to use only a small number of them in any given year. The OIG states that using them all or even a large number of them is impractical and not recommended. The frequency of use of any measurement should be based on factors such as the organization's risk areas, size, resources, etc.

March 3, 2017

Posted by: Robert Trusiak

HHS OIG Provides Short Compliance Presentations for Health Care Providers

The Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) provides short video and audio presentations for health care providers on top health care compliance topics. These free videos and audio podcasts - averaging about four minutes each - cover major health care fraud and abuse laws, the basics of health care compliance programs, and what to do when a compliance issue arises.

The presentations can be found at https://oig.hhs.gov/newsroom/video/2011/heat_modules.asp. The topics covered include:

  • Compliance Program Basics
  • Tips for Implementing an Effective Compliance Program
  • Guidance for Health Care Boards
  • OIG’s Self-Disclosure Protocol
  • Physician Self-Referral Law
  • False Claims Act
  • Federal Anti-kickback Statute
  • How to Report Fraud to the OIG
  • Exclusion Authorities and Effects of Exclusion

February 19, 2017

Posted by: Robert Trusiak

ONC Releases Guide to Electronic Health Record Contracting

Selecting and negotiating the acquisition of an electronic health record system (EHR) is a challenging but important undertaking for any health care provider organization. The guide issued by the Office of the National Coordinator for Health Information Technology (ONC) is intended to help the health care provider understand how to manage risks via an EHR contract in order to maximize the value of a health IT investment, whether acquiring the first EHR or upgrading or replacing existing technology. It offers strategies and recommendations for negotiating best practice EHR contract terms and illustrates how legal issues might be addressed in a contract by providing example contract language.

The guide, entitled EHR Contracts Untangled, can be found at https://www.healthit.gov/sites/default/files/EHR_Contracts_Untangled.pdf

January 22, 2017

Posted by: Robert Trusiak

Significant Points for Physicians and Hospitals from the FY 2017 OIG Work Plan


MEDICARE PARTS A & B

HOSPITALS

New:

  • Hyperbaric Oxygen Therapy Services – Provider Reimbursement in Compliance with Federal Regulations
  • Incorrect Medical Assistance Days Claimed by Hospitals
  • Inpatient Psychiatric Facility Outlier Payments
  • Case Review of Inpatient Rehabilitation Hospital Patients Not Suited for Intensive Therapy

Revised:

  • Intensity-Modulated Radiation Therapy

Ongoing:

  • Outpatient Outlier Payments for Short-Stay Claims
  • Comparison of Provider-Based and Freestanding Clinics
  • Reconciliations of Outlier Payments
  • Hospitals’ Use of Outpatient and Inpatient Stays Under Medicare’s Two-Midnight Rule
  • Medicare Costs Associated with Defective Medical Devices
  • Payment Credits for Replaced Medical Devices That Were Implanted
  • Medicare Payments for Overlapping Part A Inpatient Claims and Part B Outpatient Claims
  • Selected Inpatient and Outpatient Billing Requirements
  • Duplicate Graduate Medical Education Payments
  • Indirect Medical Education Payments
  • Outpatient Dental Claims
  • Nationwide Review of Cardiac Catheterizations and Endomyocardial Biopsies
  • Payments for Patients Diagnosed with Kwashiorkor
  • Review of Hospital Wage Data Used to Calculate Medicare Payments
  • CMS Validation of Hospital-Submitted Quality Reporting Data
  • Long-Term-Care Hospitals – Adverse Events in Postacute Care for Medicare Beneficiaries
  • Hospital Preparedness and Response to Emerging Infectious Diseases

PHYSICIANS

New:

  • Medicare Payments for Transitional Care Management
  • Medicare Payments for Chronic Care Management
  • Data Brief on Financial Interests Reported Under the Open Payments Program

Ongoing:

  • Review of Financial Interests Reported Under the Open Payments Program
  • Payments for Medicare Services, Supplies, and DMEPOS Referred or Ordered by Physicians – Compliance
  • Anesthesia Services – Noncovered Services
  • Anesthesia Services – Payments for Personally Performed Services
  • Physician Home Visits – Reasonableness of Services
  • Prolonged Services – Reasonableness of Services


OTHER PART A AND PART B PROGRAM MANAGEMENT ISSUES

New:

  • Medicare Payments for Service Dates After Individuals’ Dates of Death
  • Management Review: CMS’s Implementation of the Quality Payment Program

Ongoing:

  • Accountable Care Organizations: Beneficiary Assignment and Shared Savings Payments
  • Accountable Care Organizations: Savings, Quality, and Promising Practices
  • Use of Electronic Health Records to Support Care Coordination through ACOs
  • Medicare Payments for Incarcerated Beneficiaries – Mandatory Review


MEDICAID

New:

  • Accountable Care in Medicaid

Ongoing:

  • Physician-Administered Drugs for Dual Eligible Enrollees
  • Medicaid Payments for Multiuse Vials of Herceptin
  • Health-Care-Acquired Conditions – Prohibition on Federal Reimbursements


ELECTRONIC HEALTH RECORDS

  • Medicare Incentive Payments for Adopting Electronic Health Records
  • Security of Certified Electronic Health Record Technology Under Meaningful Use

December 9, 2016

Posted by: Robert Trusiak

Preventing Ransomware Attacks

Ransomware is a type of malicious software designed to block access to computer data and systems until a sum of money is paid. There is no single technology solution that can be deployed to prevent ransomware attacks from occurring, although preventive measures can be taken to limit exposure.

The United States Government Interagency Guidance Document, How to Protect Your Networks from Ransomware, includes the following recommendations:

  • Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.
  • Enable strong spam filters to prevent phishing emails from reaching end users, and authenticate inbound email using technologies such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.
  • Patch operating systems, software, and firmware on devices.
  • Set anti-virus and anti-malware programs to conduct regular scans automatically.
  • Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed, and those with a need for administrator accounts should use them only when necessary.
  • Configure access controls with least privilege in mind.
  • Disable macro scripts from Office files transmitted via email.
  • Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations.
  • Consider disabling Remote Desktop Protocol (RDP) if it is not being used.
  • Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.
  • Execute operating system environments or specific programs in a virtualized environment.
  • Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.
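Several of the items above (disabling RDP, blocking Office macros, application whitelisting via SRP or AppLocker, least privilege on administrator accounts, patching, and anti-malware) can be checked on a Windows endpoint with a read-only audit. The script below is an added example written for this page; it is not part of the interagency guidance document and does not change any settings. It assumes Windows 10 / Server 2016 or later with PowerShell 5.1 or newer, is run from an elevated prompt, and assumes the Office 2016/2019/365 registry layout (version key "16.0"); the PASS/FAIL/REVIEW thresholds are the author's own, not values from the guidance.

```powershell
# Added example: read-only ransomware-hardening audit of the local Windows host.
# Assumptions: Windows 10/Server 2016+, PowerShell 5.1+, elevated session,
# Office registry version key "16.0". Nothing is modified.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try   { return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { return $null }   # key or value absent
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Control, [string]$Status, [string]$Detail)
    $findings.Add([pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail })
}

# 1. Remote Desktop: fDenyTSConnections = 1 means RDP is disabled.
$rdpDeny = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
if ($rdpDeny -eq 1) { Add-Finding 'RDP disabled' 'PASS' 'fDenyTSConnections=1' }
else { Add-Finding 'RDP disabled' 'REVIEW' "fDenyTSConnections=$rdpDeny; disable if unused, otherwise restrict by firewall and require NLA" }

# 2. Office macros: VBAWarnings 3 (signed only) or 4 (block all) stops unsigned macros;
#    blockcontentexecutionfrominternet=1 blocks macros in files carrying the
#    Mark-of-the-Web (downloaded or saved from e-mail). Policy hive is checked first.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $policy = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $user   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
    $vba = Get-RegistryValueOrNull $policy 'VBAWarnings'
    if ($null -eq $vba) { $vba = Get-RegistryValueOrNull $user 'VBAWarnings' }
    $motw = Get-RegistryValueOrNull $policy 'blockcontentexecutionfrominternet'
    if ($vba -ge 3 -or $motw -eq 1) {
        Add-Finding "$app macros" 'PASS' "VBAWarnings=$vba; blockcontentexecutionfrominternet=$motw"
    } else {
        Add-Finding "$app macros" 'FAIL' "VBAWarnings=$vba (1=enable all, 2=prompt, 3=signed only, 4=block); set 4 and block Internet-sourced macros"
    }
}

# 3. Application control: enforced AppLocker rule collections, or an SRP default
#    security level of Disallowed (DefaultLevel = 0).
$enforced = @()
if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
    $pol = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if ($pol) {
        $enforced = @($pol.RuleCollections |
            Where-Object { $_.EnforcementMode -eq 'Enabled' } |
            ForEach-Object { $_.RuleCollectionType })
    }
}
$srpDefault = Get-RegistryValueOrNull 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' 'DefaultLevel'
if ($enforced.Count -gt 0) { Add-Finding 'Application whitelisting' 'PASS' "AppLocker enforced for: $($enforced -join ', ')" }
elseif ($srpDefault -eq 0) { Add-Finding 'Application whitelisting' 'PASS' 'SRP default level is Disallowed' }
else { Add-Finding 'Application whitelisting' 'FAIL' 'No enforced AppLocker collections and SRP default level is not Disallowed' }

# 4. Least privilege: who holds local administrator rights (always flagged for review).
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name)
Add-Finding 'Local administrators' 'REVIEW' ("{0} member(s): {1}" -f $admins.Count, ($admins -join ', '))

# 5. Patching: age of the most recently installed hotfix (30-day threshold is the author's choice).
$lastFix = Get-HotFix -ErrorAction SilentlyContinue | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix) {
    $age = (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days
    $status = if ($age -le 30) { 'PASS' } else { 'FAIL' }
    Add-Finding 'Patching' $status "Last hotfix $($lastFix.HotFixID) installed $age day(s) ago"
} else {
    Add-Finding 'Patching' 'REVIEW' 'No hotfix install dates available'
}

# 6. Anti-malware: Microsoft Defender real-time protection and signature age, if present.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    $status = if ($mp.RealTimeProtectionEnabled -and $mp.AntivirusEnabled) { 'PASS' } else { 'FAIL' }
    Add-Finding 'Anti-malware' $status "Real-time protection=$($mp.RealTimeProtectionEnabled); signatures updated $($mp.AntivirusSignatureLastUpdated)"
}

$findings | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each endpoint, or wrap it in Invoke-Command to collect the table from many hosts at once. A REVIEW result is not a failure; it marks an item (RDP left enabled, the administrator roster) that needs a human decision rather than a registry value. Rows that come back FAIL map directly onto the list items above, which makes the output a convenient artifact for the risk analysis that the CardioNet settlement shows OCR expects to see documented.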

October 17, 2016

Posted by: Robert Trusiak

HHS OCR Guidance on HIPAA & Cloud Computing

1. On October 7, 2016, the HHS Office for Civil Rights (OCR) issued new guidance to assist HIPAA-regulated cloud service providers (CSPs) and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain, or transmit electronic protected health information (ePHI) using cloud products and services.
2. The new guidance can be found on OCR’s website at: http://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html
3. When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI) on its behalf, the CSP is a business associate under HIPAA.
4. Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate.
5. A HIPAA covered entity or business associate may use a cloud service to store or process ePHI provided the covered entity or business associate enters into a HIPAA-compliant business associate contract or agreement (BAA) with the CSP that will be creating, receiving, maintaining, or transmitting ePHI on its behalf, and otherwise complies with the HIPAA Rules.
6. In addition, a Service Level Agreement (SLA) is commonly used to address more specific business expectations between the CSP and its customer, which also may be relevant to HIPAA compliance. For example, SLAs can include provisions that address such HIPAA concerns as:
  • System availability and reliability;
  • Back-up and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation);
  • Manner in which data will be returned to the customer after service use termination;
  • Security responsibility; and
  • Use, retention and disclosure limitations.
7. If a covered entity or business associate enters into an SLA with a CSP, it should ensure that the terms of the SLA are consistent with the BAA and the HIPAA Rules. For example, the covered entity or business associate should ensure that the terms of the SLA and BAA with the CSP do not prevent the entity from accessing its ePHI in violation of 45 C.F.R. §§ 164.308(b)(3), 164.502(e)(2), and 164.504(e)(1). (See the OCR FAQ regarding impermissible blocking of covered entity access to ePHI by a business associate: http://www.hhs.gov/hipaa/for-professionals/faq/2074/may-a-business-associate-of-a-hipaa-covered-entity-block-or-terminate-access/index.html.)
8. If a CSP stores only encrypted ePHI and does not have a decryption key, it is still a HIPAA business associate because the CSP receives and maintains (e.g., to process and/or store) ePHI for a covered entity or another business associate. Lacking an encryption key for the encrypted data it receives and maintains does not exempt a CSP from business associate status and the associated obligations under the HIPAA Rules. An entity that maintains ePHI on behalf of a covered entity (or another business associate) is a business associate, even if the entity cannot actually view the ePHI.
  • While encryption protects ePHI by significantly reducing the risk of the information being viewed by unauthorized persons, such protection alone cannot adequately safeguard the confidentiality, integrity, and availability of ePHI as required by the Security Rule.
  • Encryption does not maintain the integrity and availability of the ePHI, such as ensuring that the information is not corrupted by malware, or ensuring through contingency planning that the data remains available to authorized persons even during emergency or disaster situations.
  • Further, encryption does not address other safeguards that are also important to maintaining confidentiality, such as administrative safeguards to analyze risks to the ePHI or physical safeguards for systems and servers that may house the ePHI.
9. Generally, a CSP cannot be considered a “conduit” like the postal service, which would exempt the CSP from business associate status.
  • The conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission.
  • Any access to PHI by a conduit is only transient in nature. In contrast, a CSP that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.
10. If a covered entity (or business associate) uses a CSP to maintain (e.g., to process or store) ePHI without first entering into a BAA with the CSP, the covered entity (or business associate) is in violation of the HIPAA Rules. 45 C.F.R. §§ 164.308(b)(1) and 164.502(e).
11. Health care providers, other covered entities, and business associates may use mobile devices to access ePHI in a cloud as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud, and appropriate BAAs are in place with any third-party service providers for the device and/or the cloud that will have access to the ePHI.
12. The HIPAA Rules require covered entity and business associate customers to obtain satisfactory assurances in the form of a BAA with the CSP that the CSP will, among other things, appropriately safeguard the PHI that it creates, receives, maintains or transmits for the covered entity or business associate in accordance with the HIPAA Rules. The HIPAA Rules do not expressly require CSPs that are business associates to provide documentation of, or to allow auditing of, their security practices by their covered entity or business associate customers; a customer that wants such assurances must negotiate them into the BAA or SLA.

    Medicare Compliance Journal
