Health Care Enforcement and Compliance Matters

Prevention, Compliance, Advocacy

The Final HIPAA Rule: Conduits, Agents, and Subs — Oh my!

Posted in HIPAA

Contributed by Marcia Augsburger as part of the ongoing Compliance Matters series

On January 17, 2013, the Office for Civil Rights (“OCR”), Department of Health and Human Services, issued the long-awaited final rule:  “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.”  The final rule is effective March 26, 2013.  Covered Entities (“CEs”) and Business Associates (“BAs”) must comply with the applicable requirements by September 23, 2013.

The final rule seeks to address OCR’s findings in carrying out Executive Order 13563, which required OCR to conduct a retrospective review of existing regulations to identify ways to reduce costs and increase flexibilities under HIPAA.  The rule may or may not reduce costs, but the guidance provides more certainty for some businesses, and more flexibility for others, in interpreting privacy regulations that seemingly inhibited growth and development in the health care industry.

The rule clarifies that persons who undertake patient safety activities are BAs,[1] as are organizations such as Health Information Organizations,[2] E-prescribing Gateways, or Regional Health Information Organizations that provide data transmission of PHI to a CE or its BA and that require access on a routine basis to such PHI.  As much as the rule offers certainty on these entities, however, it also offers room for argument, as OCR declined to define them with specificity.

Indeed, OCR declined to statically define any type of BA, emphasizing repeatedly the necessity of performing a factual analysis in uncertain situations, guided by principles designed to meet the overarching goals of HIPAA, HITECH and GINA.  OCR first settled a topic of some debate at health lawyers’ conferences by acknowledging that mere conduits are not BAs.


[1] This is to conform to the statutory provisions of the Patient Safety and Quality Improvement Act of 2005 (PSQIA), 42 U.S.C. 299b-21, et seq.  PSQIA provides for the establishment of Patient Safety Organizations (“PSOs”) to receive reports of patient safety events or concerns from providers and provide analyses of events to providers.  Such reports may include PHI.  42 CFR 3.10 et seq.

[2] OCR declined requests for a more specific definition of “Health Information Organizations,” saying only that the term currently refers to organizations that govern health information exchange among organizations within a defined geographic area, but that as the industry evolves, the types of entities that fall within this definition may change.

An Opportunity for the OIG and Providers

Posted in Administration, Enforcement, Government Initiatives, Medicaid, Medicare, OIG, Settlements

The HHS-OIG has published a Federal Register notice asking for comments to its 14-year-old Provider Self Disclosure Protocol.  This is a great opportunity for providers to make their voices heard.  We are thinking about making some comments.  Feel free to contact me if you are interested in participating.

In my opinion, the Protocol is not user-friendly in several ways.  I’ve related this many times over the years to IGs and senior members of the IG’s office.  The bottom line is that providers are reluctant to go to the OIG because the Protocol and the subsequent Open Letters do not provide enough comfort or certainty about the potential outcomes.  I know the OIG has to keep its options open in egregious cases, but the fact is that the vast majority of providers are honest, have strong compliance programs and want to do the right thing.  They are not going to disclose an issue and at the same time “pull a fast one” on the OIG.

The notice says that the OIG has resolved over 800 voluntary disclosures in 14 years — that’s about 57 a year.  The average recovery has been $350,000.  This is confirmation that providers have not been using the protocol much at all — especially compared to the number of circumstances that could be resolved through voluntary disclosure.

If the OIG developed a kinder, gentler and more predictable approach, it’s extremely likely that providers would line up to resolve instances of potential non-compliance.  There would be all sorts of reasonable resolutions and repayments.

It’s the rare provider that is both a good-faith voluntary discloser and a true fraudster.  Why not give providers an alternative that leans more toward recognition of this reality, along with a greater tendency toward amnesty from potentially draconian consequences?  This is the kind of provider-government partnership that Inspector General Dan Levinson has been promoting, and I believe he’s on the right track.  He is smart and thoughtful, and he understands the massive compliance challenges that providers face in the current environment.  He has initiated a great opportunity for both the OIG and well-intentioned providers to rectify potential non-compliance.  If the OIG built its revised protocol on a foundation of mutual trust, collaboration and greater certainty about outcomes, providers would use it more frequently and the government would reap the benefits.

What’s your perspective?

Do Not Pay: The Government’s Newest Tool

Posted in Administration, Government Initiatives, Medicaid, Medicare, RACs

In previous posts and presentations, I have emphasized the critical role that data prospecting will play in the government’s efforts to prevent health care fraud, waste and abuse.  Here’s further support for the proposition.

The Office of Management and Budget has created a new tool called Do Not Pay.   It is complemented by a Do Not Pay Business Center, a Do Not Pay List, a Do Not Pay Data Analytics Service and a Do Not Pay Portal.  The goal is to develop a place for government agencies to access a consolidated set of databases.  The tool provides for data searching and more extensive data analytics.  It includes databases like the List of Excluded Entities/Individuals (LEIE), SSA Death Master File (DMF), Central Contractor Registry (CCR), Excluded Parties List System (EPLS, public and private) and Debt Check.  Three types of customized searches are available, according to agencies’ needs:

  • Online
  • Batch
  • Continuous monitoring

Each government agency is required to submit a draft plan for using these resources by June 30.  OMB will work with the agencies and provide comments by July 31.

Here’s an interesting point for the health care industry:  The government has already exceeded its goal to collect $2 billion in overpayments by the end of Fiscal Year 2012, which is September 30, 2012.  Why?  Because, according to the Obama Administration,  the RACs are recovering hundreds of millions of dollars.

What’s the take-away?  Prudent providers are reinforcing their government audit defense teams.  (Note I didn’t say “RAC audit.”)  Whether it’s RAC, MAC, ZPIC, the forthcoming Medicaid RACs or any of the other claims review entities, the focus on “improper payments” is here to stay, especially as the government’s health care outlays are spiraling.

HHS Inspector General Dan Levinson’s Compliance Speech

Posted in Administration, Culture, Enforcement, Fraud, Government Initiatives, OIG

I introduced HHS Inspector General Dan Levinson as he gave his compliance speech at the Health Care Compliance Association’s (HCCA’s) annual Compliance Institute.  He had some messages that health care compliance professionals and health industry leaders need to hear.

You can watch the speech at this link:  IG Levinson’s Compliance Speech at HCCA Compliance Institute

The Mixed-Up Audit MICs

Posted in CMS, Enforcement, Government Initiatives, Medicaid, OIG, RACs, Uncategorized, Waste

The Department of Health and Human Services – Office of Inspector General (HHS-OIG) recently released a report entitled Early Assessment of Audit Medicaid Integrity Contractors.  The OIG assessed the efforts of the Audit Medicaid Integrity Contractors (Audit MICs) to identify overpayments in Medicaid.  The findings show that the audit process was broken and resulted in a lot of wasted government resources, time and effort.

Here’s the background:

  • HHS-OIG analyzed 370 audits by Audit MICs between January and June 2010.
  • The potential overpayments were projected at $80 million.

Here are the findings:

  • Eighty-one percent of the audits either did not, or were unlikely to, identify overpayments.
  • Forty-two percent identified no overpayments.
  • There were no overpayment findings in 85 audits.
  • CMS discontinued 72 audits after determining that finding overpayments was unlikely.
  • Thirty-nine percent, or 144, were ongoing and unlikely to identify overpayments.  That raises a question:  Why would the government continue these audits?
  • Eleven percent of the audits, or 42, found overpayments totaling $6.9 million.
  • Only 7 of the 370 audits found overpayments greater than $100,000.
  • Of those, only 3 were over $500,000.
  • One audit, for example, had an overpayment finding of $6,012 where the potential overpayment had been identified as $2,948,137.

Why did the audit approach not work?

According to the HHS-OIG:

  • The various state and federal agencies did not work collaboratively.
  • The data used to identify audit targets was flawed and incomplete.
  • The Review MICs that identified audit targets misapplied State Medicaid program policies in 34% of the audits for which there were no identified overpayments.
  • There were duplicated efforts.

What are the take-aways (pun intended) for providers?

Enhanced enforcement to identify true fraudsters is one thing.  But targeting hundreds of providers through the use of flawed data and incorrect policy interpretations is simply one example of why providers are currently so discouraged and overwhelmed.  Once government auditors identify a target, even if it is a “false positive” (as is the case in the vast majority of the audits here), the provider still has to respond, worry about the risks and devote scarce resources to the audit.  Those are resources that could be directed toward better access to care, quality initiatives and true compliance concerns.

One has to wonder whether the processes will be any better when the Medicaid Recovery Audit Contractors begin their work.  The reality is that regardless of how competent the auditors may or may not end up being, smart providers are nonetheless getting their Medicaid houses in order — that’s where the audit and enforcement action will be in the foreseeable future.

End-of-Life-Care: Rife with Fraud or Quicksand for the Government?

Posted in Enforcement, False Claims Act, Government Initiatives, Medicare

This is insight from Carolyn McNiven, a partner in DLA Piper’s Health Care Enforcement and Compliance Practice.

The government’s intervention in a whistleblower’s federal False Claims Act case in Alabama (United States ex rel. Dawn Richardson et al v. Golden Gate Ancillary LLC et al., 09 cv 627, ND Ala.) – which was recently made public – signals that the government has jumped into the deep end feet first in its self-proclaimed effort to combat fraud in the hospice context.  What remains to be seen is how successful these efforts will ultimately be.

In this case, the government alleges that Golden Gate Ancillary LLC (doing business as Aseracare Hospice) misspent millions of Medicare dollars by admitting and billing for Medicare beneficiaries whom the company well knew were not terminally ill and did not otherwise qualify for this expensive end-of-life care, and consequently caused the submission of numerous false claims to the federal government for unnecessary health care services.  One of the complaint’s allegations is that although hospice care is limited to patients with a prognosis of six months or less to live, several of the defendant’s hospice patients in fact lived longer than six months and some were well enough to be released back to skilled nursing facilities.

On first glance, these allegations are not particularly different from those levied in other False Claims Act cases.  However, when you stop and consider the government’s assertions more carefully – with an eye to what they will ultimately be proving – a key distinction emerges.

End-of-life care is materially different.  Why?  One reason is that everyone deals with end-of-life on some level – either in terms of contemplating their own death (and thinking about how they want to be treated) or in terms of dealing with dying loved ones.  As the recent furor over alleged federal death panels in the context of the health care reform debates made clear, absolutely no one, regardless of their political views, thinks it is a good idea for the government to determine who can live and die in terms of the provision of health care services.

This emotional, almost visceral, reaction to the suggestion of government involvement in such a personal issue illustrates what the government is likely to encounter in these cases.  To prevail, the government will have to prove that some individuals got end-of-life care to which they were not entitled, or put another way, care that was just too expensive. 

The problem for the government, however, is that expensive end-of-life care is something that most people want for themselves and undoubtedly hope to provide for their loved ones.  No one really wants the government telling them that they cannot have it or that their relatives do not qualify.

Second guessing end-of-life decisions of doctors and well-meaning relatives is not something that a jury or judge will do lightly.  Nor are these decisions akin to the kinds of decisions involved in more routine False Claims Act cases – such as whether a doctor cut toe nails but billed for surgery.  Those kinds of cases are unemotional and, relatively speaking, can be fairly black and white.

Any hospice defendant worth its salt can produce grieving relatives of former (now deceased) hospice residents who will be prepared to testify about how wonderful the doctors and nurses were at XYZ company to their relative during the last days of their lives. 

Evidence that patients who were in care lived beyond the expected 6 months and even were released back to Skilled Nursing Facilities is also a double-edged sword.  While one conclusion from this sort of evidence could be that the patient did not qualify for hospice in the first place, another equally plausible explanation is that the patient received such good care in the hospice setting that they became stable or improved.  Thus, a logical defense (which does not even need to be explicitly mentioned) is that the government believes a false claim was filed because a hospice provided such good care that its nurses and doctors extended a dying patient’s life.  What relative wouldn’t be thrilled that their dying relative recovered or lived longer than expected? 

In the Golden Gate case, the government appears to try to blunt this emotional reaction by teeing up an emotional argument of its own:  Medicare is paid for by US taxpayers so you, members of the jury, are subsidizing unnecessary care.  Indeed, a reference to citizens (a/k/a jurors) paying for Medicare appears repeatedly in the government’s complaint in intervention. 

There is nothing subtle about this strategy.  What remains to be seen is whether it works.  Second guessing end-of-life care — including its necessity — is hard business fraught with shades of grey.  That being said, neither party can be confident of the outcome:  as the old adage goes, there is nothing certain except death and taxes.  This case, of course, has both.

A Compliance Officer’s Wish List for 2012

Posted in Culture, Enforcement, Ethics, Government Initiatives, Reform

I was visiting with some of my compliance colleagues recently and came up with an interesting Wish List for 2012: 

  • Additional resources.
  • Clearer regulations :)
  • Increased stakeholder support for compliance activities.
  • More predictable and quicker voluntary disclosure processes.
  • A better way to keep track of regulatory developments and new business arrangements.
  • Acknowledgement by regulators and enforcers that mistakes happen and not everything is fraud. 
  • More compliance involvement in proposed transactions and arrangements – before they get done.
  • The ability to learn about potential compliance concerns before they turn into more significant problems.

What would you add to the list?

12 Enforcement and Compliance Predictions for 2012

Posted in Culture, DOJ, Enforcement, Government Initiatives, ICD, Implantable Cardiac Devices, Long Term Care, Medicaid, Medicare, OIG, Reform, Settlements

This has been an interesting year for the health care industry, and I believe the coming year will be even more exhilarating.  Here are my 12 enforcement and compliance predictions for 2012.  Please comment with yours.  We’ll see how we do. . . .

 

  1. Regardless of what happens with the health care reform law, the current market forces toward collaboration, integration, efficiency and quality will continue.
  2. At the same time, there will be much more Stark and Anti-kickback enforcement as the government steps up its scrutiny of hospital-physician relationships.
  3. Medicaid enforcement will increase dramatically as the federal government pressures the states and the states endeavor to deal with funding pressures.
  4. HIPAA enforcement will increase, and there will be more unfortunate and costly breaches as we implement more electronic records.
  5. The DOJ/HHS HEAT initiative will ensnare some mainstream, institutional providers.
  6. The HHS-OIG will more aggressively target hospitals through its current intensive hospital audits.
  7. Many of the Implantable Cardioverter Defibrillator (ICD) investigations of hospitals across the country will be resolved.
  8. The government and whistleblowers will increasingly target long term care, home health and community care.
  9. While there will be large hospital settlements, device and pharmaceutical companies will write the biggest checks.
  10. The HHS-OIG will seek to exclude more individuals who are associated with organizations that had compliance lapses.
  11. The Health Care Compliance Association (HCCA) will continue to grow steadily and to serve its members’ needs assiduously.
  12. There will be increased demand for strong compliance professionals as smart leaders continue to recognize their value.

What are your predictions?

A 10-Year Old’s View of Health Care Enforcement

Posted in DOJ, Enforcement, Fraud, Medicaid, Medicare, OIG, Reform

My Daughter’s Depiction of Health Care Enforcement — I Call it Enforcica  —

One of the more challenging and rewarding aspects of being a health care attorney is taking a complex regulated environment and breaking it down in a way that is understandable, regardless of the audience.  In the compliance world, this means communicating the rules and how to follow them, the players and their influences and motivations. 

Over the weekend, while on a long car ride, my abilities to meet this challenge were put to the test by perhaps my toughest grader: my ten-year-old daughter. 

When she asked me what was keeping me so busy at work, I gave her my regular elevator speech:

I help people who provide health care to follow the rules and I defend them when somebody says they didn’t.

Being the precocious observer that she is (and because she has heard that a few times before), she found that answer to be completely unsatisfactory.  Pushing further, she asked: “Why is it so hard to follow the rules?”  After all, she doesn’t have any problem doing so, whether at home or school.  (Fortunately, this happens to be true.) 

I then explained what’s going on right now with Medicare and Medicaid enforcement.  Loving to sketch as she does, she took my words and put them into pictures.  When we arrived at our destination, she handed me this:

Enforcica

I think the kid gets it.   But all art, whether that of a ten-year-old or a Cubist master, is subject to interpretation.

We recently took a family trip to Spain, where we saw some wonderful art, including that of Picasso.  In discussing his famous work Guernica, Picasso said:

. . . this bull is a bull and this horse is a horse… If you give a meaning to certain things in my paintings it may be very true, but it is not my idea to give this meaning. What ideas and conclusions you have got I obtained too, but instinctively, unconsciously. I make the painting for the painting. I paint the objects for what they are.

So, what do you see?  I’d be interested in your interpretive comments.  For now, I’m calling the piece Enforcica.

 

Medicaid RACs: Tool of transparency or torment?

Posted in Enforcement, Government Initiatives, Medicaid, RACs

The Medicaid RACs are coming soon, and prudent providers are getting ready for life in the formicarium (translated:  ant farm).

My colleague and blog co-editor, Rebecca Jones McKnight, wrote a clever and interesting Feature Focus in the December 2011 issue of the Health Care Compliance Association’s monthly publication, Compliance Today.  She wonders whether CMS is looking at Medicaid providers the way we looked at ants when we were kids.  (I’ll give you a hint:  it involved various uses of magnifying glasses . . .)  You can read it here.