Healthcare Enforcement and Compliance Matters

Prevention, Compliance, Advocacy

OIG Compendium of Priority Recommendations—Are You Ready?

Posted in Medicaid, Medicare, OIG, Uncategorized

What’s Happening?

The U.S. Department of Health and Human Services (“HHS”), Office of Inspector General (“OIG”) recently released the Compendium of Priority Recommendations (the “OIG Compendium”).  This annual publication provides a summary of previously identified, but not yet implemented, opportunities to “achieve cost savings, improve program management, and ensure quality of care and safety of beneficiaries.”  Health care providers routinely pay close attention to the OIG Compendium to gain further insight into the OIG’s priorities and areas of focus.

The OIG Compendium lists 25 “Priority Recommendations” that stem from previous OIG audit and evaluation reports.  Below is a snapshot of these Priority Recommendations organized according to the six categories the OIG set forth in the OIG Compendium.  The OIG also provided over 200 “key recommendations” as part of the Priority Recommendations.  While implementation of some of the key recommendations  is already underway, the OIG listed them in this report because it stated that more progress is necessary.

  1. Medicare Policies and Payments
    1. Address wasteful Medicare policies and payment rates for clinical laboratories, hospitals and hospices
    2. Improve controls to address improper Medicare billings by community mental health centers, home health agencies and skilled nursing facilities
    3. Detect and recover improper Medicare payments for services to incarcerated, unlawfully present or deceased individuals
    4. Maximize recovery of Medicare overpayments
    5. Improve monitoring and reconciliation of Medicare hospital outlier payments
    6. Medicare Part C- Ensure that Medicare Advantage Organizations are implementing programs to prevent and detect waste, fraud and abuse
    7. Medicare Part D- Improve controls to address questionable billing and prescribing practices for prescription drugs
  2. Medicare Quality of Care and Safety Issues
    1. Hospitals- Address adverse events in hospital settings
    2. Nursing homes- Improve care planning and discharge planning for beneficiaries in nursing home settings
    3. Nursing homes- Address harm to patients, questionable resident hospitalizations and inappropriate drug use
    4. Nursing homes- Improve emergency preparedness and response
    5. Hospices- Ensure compliance with Medicare Conditions of Participation
  3. Medicaid Program Policies and Payments
    1. Federal share of Medicaid- Ensure that State claims and practices do not inappropriately inflate Federal reimbursements
    2. Improper payments- Ensure that States prevent, detect and recover improper payments and return the Federal share of recoveries to the Federal Government
    3. Medicaid drug pricing- Assist States to better align drug reimbursements with pharmacy acquisition costs
    4. Ensure that Medicaid Information Systems are fully functional
    5. Address Medicaid managed care fraud and abuse concerns
  4. Medicaid Quality of Care and Safety Issues
    1. Medicaid home and community-based care settings- Ensure that service providers comply with quality and safety requirements
    2. Preventions- Ensure that States improve utilization of preventive screening services for eligible children
  5. Oversight of Food Safety
    1. Improve oversight of dietary supplements
    2. Improve oversight of food inspections and traceability
  6. HHS Grants and Contracts
    1. Grants- Improve oversight of grantee compliance, quality assurance and conflicts of interest
    2. Contracts- Improve oversight of Medicare contractor performance and conflicts of interest
  7. HHS Financial Stewardship
    1. Reduce improper payments and fraud
    2. Correct deficiencies found in financial statement audits

Questions to Consider

  • Which elements of the OIG Compendium do you believe will receive the greatest attention?
  • Which recommendations listed in the OIG Compendium do you believe should receive the greatest attention?
  • Will you change any of your compliance monitoring activities in light of the OIG Compendium?
  • Do you think the OIG should have listed anything else in the OIG Compendium?

As always, we look forward to hearing your comments and engaging in a dialogue about these topics.

Hot Off the Press: Tool to Help Providers Conduct Security Risk Assessments

Posted in HIPAA

What’s Happening?

The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), recently released a jointly developed tool designed to assist small and medium sized practices (one to ten healthcare providers) in conducting  security risk assessments (the “SRA Tool”). This tool can be found at

The HIPAA Security Rule mandates that covered entities and business associates assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic PHI they hold and take appropriate measures to minimize those risks and vulnerabilities.  These steps are a crucial part of an entity’s Security Management Process and considered by HHS to “form the foundation upon which an entity’s necessary security activities are built.”

The Rule does not specifically outline the steps entities should take in conducting a risk analysis or dictate how often it should be done.  In previous guidance, HHS indicated that covered entities could use, but were not required to use, any of the National Institute of Standards and Technology (“NIST”) publications, such as SP 800-30 – “Risk Management for Information Technology Systems.”  Others have used the OCR Audit Program Protocol to guide them in conducting risk assessments or developed home grown tools. 

Use of the SRA Tool is not required by the Security Rule or by OCR, nor does it guarantee compliance with HIPAA or state privacy and security laws.  The purpose of this specific tool is to “assist healthcare practices in performing and documenting a Security Risk Assessment.”  Although small to medium practices are the target audience, larger organizations or practices can benefit from viewing the tool and tailoring it to their specific needs. The tool does not include provisions to assess for compliance with the Privacy Rule.

As represented, the tool is a “self-contained, operating system (OS) independent application that can be run on various environments including Windows OS’s for desktop and laptop computers and Apple’s iOS for iPad only” (which can be downloaded from Apple’s App Store at no cost – “HHS SRA Tool”).  The tool walks the user through each HIPAA requirement and asks questions about what the provider is doing to meet those requirements.  For example:

A1 – §164.308(a)(1)(i)  Standard – Does your practice develop, document, and implement policies and procedures for assessing and managing risk to its Electronic Protected Health Information (ePHI)?

Answer:  Yes or No

If no, please select from the following:  Cost, Practice Size, Complexity, Alternate Solution.   Please detail your current activities.  Please include any additional notes.  Please detail your remediation plan.

The user is invited to judge the likelihood that a particular threat could affect the practice’s ePHI and to rate the impact or level of harm that could occur if the standard or requirement stated in the question is not met.

There are a total of 156 questions in the SRA Tool.  The tool includes additional information to help the user understand and answer the questions, such as “Things to Consider,” “Threats and Vulnerabilities,” and “Examples of Safeguards.”

Answers to the questions will ultimately appear in a risk assessment report.  The information entered by the user into the SRA Tool, and the report itself, are not shared (by the App) with the OCR or any other person/organization, but are solely intended for the practice.  The OCR recommends securing the downloaded tool (and user responses) by “password protecting or encrypting the folder where it will be stored.”

Questions to Consider

  • Will the ONC/OCR develop a Risk Assessment tool for larger providers and business associates?
  • Why do you think they focused on small to medium practices?
  • Have you tried to download and use the App?

As always, we look forward to hearing your comments and engaging in a dialogue about this topic.

The Compliance Poem

Posted in Culture

It has been a while since our last post — seems like all of us in the health care world are overly occupied.  A good time to provide encouragement (and maybe some levity)  to compliance professionals.  So here goes. . . .

The Compliance Poem

Compliance Professional
Where might you be?
Defending RAC audits?
Avoiding OIG?

The health care sphere
Is speedily spinning around
Challenges up
Resources down

We’re innovating now
Not one but us all
Trying to catch hold
Of that shiny red ball

The urge to merge
The best laid plans
Impose consternation

To so many questions
Answers we seek
Regs so confounding
One’s heart can’t be weak

But don’t worry dear friend
You’re in good company here
We’re in it together
It’s a noble career

And keep this in mind
It should give you great glee
The Seven Elements
Can indeed set you free

Redouble your efforts
Get a seat at the table
Be a compliance proponent
As much as you’re able

Your cause is noble
Great value you bring
Because doing right
Is still the right thing

The Final HIPAA Rule: Conduits, Agents, and Subs — Oh my!

Posted in HIPAA

Contributed by Marcia Augsburger as part of the ongoing Compliance Matters series

On January 17, 2013, the Office for Civil Rights (“OCR”), Department of Health and Human Services, issued the long-awaited final rule:  “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.”  The final rule is effective March 26, 2013.  Covered Entities (“CEs”) and Business Associates (“BAs”) must comply with the applicable requirements by September 23, 2013.

The final rule seeks to address OCR’s findings in carrying out Executive Order 13563, which required OCR to conduct a retrospective review of existing regulations to identify ways to reduce costs and increase flexibilities under HIPAA.  The rule may or may not reduce costs, but the guidance provides more certainty for some businesses, and more flexibility for others, in interpreting privacy regulations that seemingly inhibited growth and development in the health care industry.

The rule clarifies that persons who undertake patient safety activities are BAs,[1] as are organizations such as Health Information Organization,[2] E-prescribing Gateways, or Regional Health Information Organizations that provide data transmission of PHI to a CE or its BA and that require access on a routine basis to such PHI.  As much as the rule offers certainty on these entities, however, it also offers room for argument, as OCR declined to define them with specificity.

Indeed, OCR declined to statically define any type of BA, emphasizing repeatedly the necessity of performing a factual analysis in uncertain situations, guided by principles designed to meet the overarching goals of HIPAA, HITECH and GINA.  OCR first settled a topic of some debate at health lawyers’ conferences by acknowledging that mere conduits are not BAs.

Read more about the Final HIPAA Rule after the jump

[1] This is to conform to the statutory provisions of the Patient Safety and Quality Improvement Act of 2005 (PSQIA), 42 U.S.C. 299b-21, et seq.  PSQIA provides for the establishment of Patient Safety Organizations (“PSOs”) to receive reports of patient safety events or concerns from providers and provide analyses of events to providers.  Such reports may include PHI.  42 CFR 3.10 et seq.

[2] OCR declined requests for a more specific definition of “Health Information Organizations,” saying only that the term currently refers to organizations that govern health information exchange among organizations within a defined geographic area, but that as the industry evolves, the types of entities that fall within this definition may change.


An Opportunity for the OIG and Providers

Posted in Administration, Enforcement, Government Initiatives, Medicaid, Medicare, OIG, Settlements

The HHS-OIG has published a Federal Register notice asking for comments on its 14-year-old Provider Self Disclosure Protocol.  This is a great opportunity for providers to make their voices heard.  We are thinking about making some comments.  Feel free to contact me if you are interested in participating.

In my opinion, the Protocol is not user-friendly in several ways.  I’ve related this many times over the years to IGs and senior members of the IG’s office.  The bottom line is that providers are reluctant to go to the OIG because the Protocol and the subsequent Open Letters do not provide enough comfort or certainty about the potential outcomes.  I know the OIG has to keep its options open in egregious cases, but the fact is that the vast majority of providers are honest, have strong compliance programs and want to do the right thing.  They are not going to disclose an issue and at the same time “pull a fast one” on the OIG.

The notice says that the OIG has resolved over 800 voluntary disclosures in 14 years — that’s about 57 a year.  The average recovery has been $350,000.  This is confirmation that providers have not been using the protocol much at all — especially compared to the number of circumstances that could be resolved through voluntary disclosure.

If the OIG developed a kinder, gentler and more predictable approach, it’s extremely likely that providers would line up to resolve instances of potential non-compliance.  There would be all sorts of reasonable resolutions and repayments.

It’s the rare provider that is both a good-faith voluntary discloser and a true fraudster.  Why not give providers an alternative that leans more toward recognition of this reality, along with a greater tendency toward amnesty from potentially draconian consequences?  This is the kind of provider-government partnership that Inspector General Dan Levinson has been promoting, and I believe he’s on the right track.  He is smart and thoughtful, and he understands the massive compliance challenges that providers face in the current environment.  He has initiated a great opportunity for both the OIG and well-intentioned providers to rectify potential non-compliance.  If the OIG built its revised protocol on a foundation of mutual trust, collaboration and greater certainty about outcomes, providers would use it more frequently and the government would reap the benefits.

What’s your perspective?

Do Not Pay: The Government’s Newest Tool

Posted in Administration, Government Initiatives, Medicaid, Medicare, RACs

In previous posts and presentations, I have emphasized the critical role that data prospecting will play in the government’s efforts to prevent health care fraud, waste and abuse.  Here’s further support for the proposition.



The Office of Management and Budget has created a new tool called Do Not Pay.   It is complemented by a Do Not Pay Business Center, a Do Not Pay List, a Do Not Pay Data Analytics Service and a Do Not Pay Portal.  The goal is to develop a place for government agencies to access a consolidated set of databases.  The tool provides for data searching and more extensive data analytics.  It includes databases like the List of Excluded Entities/Individuals (LEIE), SSA Death Master File (DMF), Central Contractor Registry (CCR), Excluded Parties List System (EPLS, public and private) and Debt Check.  Three types of customized searches are available, according to agencies’ needs:

  • Online
  • Batch
  • Continuous monitoring

Each government agency is required to submit a draft plan for using these resources by June 30.  OMB will work with the agencies and provide comments by July 31.

Here’s an interesting point for the health care industry:  The government has already exceeded its goal to collect $2 billion in overpayments by the end of Fiscal Year 2012, which is September 30, 2012.  Why?  Because, according to the Obama Administration,  the RACs are recovering hundreds of millions of dollars.

What’s the take-away?  Prudent providers are reinforcing their government audit defense teams.  (Note I didn’t say “RAC audit.”)  Whether it’s RAC, MAC, ZPIC, the forthcoming Medicaid RACs or any of the other claims review entities, the focus on “improper payments” is here to stay, especially as the government’s health care outlays are spiraling.



HHS Inspector General Dan Levinson’s Compliance Speech

Posted in Administration, Culture, Enforcement, Fraud, Government Initiatives, OIG

I introduced HHS Inspector General Dan Levinson as he gave his compliance speech at the Health Care Compliance Association’s (HCCA’s) annual Compliance Institute.  He had some messages that health care compliance professionals and health industry leaders need to hear.



You can watch the speech at this link:  IG Levinson’s Compliance Speech at HCCA Compliance Institute

The Mixed-Up Audit MICs

Posted in CMS, Enforcement, Government Initiatives, Medicaid, OIG, RACs, Uncategorized, Waste

The Department of Health and Human Services – Office of Inspector General (HHS-OIG) recently released a report entitled Early Assessment of Audit Medicaid Integrity Contractors.  The OIG assessed the efforts of the Audit Medicaid Integrity Contractors (Audit MIC) to identify overpayments in Medicaid.  The findings show that the audit process was broken and resulted in a lot of wasted government resources, time and effort.









Here’s the background:

  • HHS-OIG analyzed 370 audits by Audit MICs between January and June 2010.
  • The potential overpayments were projected at $80 million.

Here are the findings:

  • Eighty-one percent of the audits either did not, or were unlikely to, identify overpayments.
  • Forty-two percent identified no overpayments.
  • There were no overpayment findings in 85 audits.
  • CMS discontinued 72 audits after determining that finding overpayments was unlikely.
  • Thirty-nine percent, or 144, were ongoing and unlikely to identify overpayments.  That raises a question:  Why would the government continue these audits?
  • Eleven percent of the audits, or 42, found overpayments totaling $6.9 million.
  • Only 7 of the 370 audits found overpayments greater than $100,000.
  • Of those, only 3 were over $500,000.
  • One audit, for example, had an overpayment finding of $6,012 where the potential overpayment had been identified as $2,948,137.

Why did the audit approach not work?

According to the HHS-OIG:

  • The various state and federal agencies did not work collaboratively.
  • The data used to identify audit targets was flawed and incomplete.
  • The Review MICs that identified audit targets misapplied State Medicaid program policies in 34% of the audits for which there were no identified overpayments.
  • There were duplicated efforts.

What are the take-aways (pun intended) for providers?

Enhanced enforcement to identify true fraudsters is one thing.  But targeting hundreds of providers through the use of flawed data and incorrect policy interpretations is simply one example of why providers are currently so discouraged and overwhelmed.  Once government auditors identify a target, even if it is a “false positive” (as is the case in the vast majority of the audits here), the provider still has to respond, worry about the risks and devote scarce resources to the audit.  Those are resources that could be directed toward better access to care, quality initiatives and true compliance concerns.

One has to wonder whether the processes will be any better when the Medicaid Recovery Audit Contractors begin their work.  The reality is that regardless of how competent the auditors may or may not end up being, smart providers are nonetheless getting their Medicaid houses in order — that’s where the audit and enforcement action will be in the foreseeable future.


End-of-Life-Care: Rife with Fraud or Quicksand for the Government?

Posted in Enforcement, False Claims Act, Government Initiatives, Medicare

This is insight from Carolyn McNiven, a partner in DLA Piper’s Health Care Enforcement and Compliance Practice.

The government’s intervention in a whistleblower’s federal False Claims Act case in Alabama (United States ex rel. Dawn Richardson et al v. Golden Gate Ancillary LLC et al., 09 cv 627, ND Ala.) – which was recently made public – signals that the government has jumped into the deep end feet first in its self-proclaimed effort to combat fraud in the hospice context.  What remains to be seen is how successful these efforts will ultimately be.

In this case, the government alleges that Golden Gate Ancillary LLC (doing business as Aseracare Hospice) misspent millions of Medicare dollars by admitting and billing for Medicare beneficiaries whom the company well knew were not terminally ill and did not otherwise qualify for this expensive end-of-life care, and consequently caused the submission of numerous false claims to the federal government for unnecessary health care services.  One of the complaint’s allegations is that although hospice care is limited to patients with a prognosis of six months or less to live, several of the defendant’s hospice patients in fact lived longer than six months and some were well enough to be released back to skilled nursing facilities.

On first glance, these allegations are not particularly different from those levied in other False Claims Act cases.  However, when you stop and consider the government’s assertions more carefully – with an eye to what they will ultimately be proving – a key distinction emerges.

End-of-life care is materially different.  Why?  One reason is that everyone deals with end-of-life on some level – either in terms of contemplating their own death (and thinking about how they want to be treated) or in terms of dealing with dying loved ones.  As the recent furor over alleged federal death panels in the context of the health care reform debates made clear, absolutely no one, regardless of their political views, thinks it is a good idea for the government to determine who can live and die in terms of the provision of health care services.

This emotional, almost visceral, reaction to the suggestion of government involvement in such a personal issue illustrates what the government is likely to encounter in these cases.  To prevail, the government will have to prove that some individuals got end-of-life care to which they were not entitled, or put another way, care that was just too expensive. 

The problem for the government, however, is that expensive end-of-life care is something that most people want for themselves and undoubtedly hope to provide for their loved ones.  No one really wants the government telling them that they cannot have it or that their relatives do not qualify.

Second guessing end-of-life decisions of doctors and well-meaning relatives is not something that a jury or judge will do lightly.  Nor are these decisions akin to the kinds of decisions involved in more routine False Claims Act cases – such as whether a doctor cut toe nails but billed for surgery.  Those kinds of cases are unemotional and, relatively speaking, can be fairly black and white.

Any hospice defendant worth its salt can produce grieving relatives of former (now deceased) hospice residents who will be prepared to testify about how wonderful the doctors and nurses were at XYZ company to their relative during the last days of their lives. 

Evidence that patients who were in care lived beyond the expected 6 months and even were released back to Skilled Nursing Facilities is also a double-edged sword.  While one conclusion from this sort of evidence could be that the patient did not qualify for hospice in the first place, another equally plausible explanation is that the patient received such good care in the hospice setting that they became stable or improved.  Thus, a logical defense (which does not even need to be explicitly mentioned) is that the government believes a false claim was filed because a hospice provided such good care that its nurses and doctors extended a dying patient’s life.  What relative wouldn’t be thrilled that their dying relative recovered or lived longer than expected? 

In the Golden Gate case, the government appears to try to blunt this emotional reaction by teeing up an emotional argument of its own:  Medicare is paid for by US taxpayers so you, members of the jury, are subsidizing unnecessary care.  Indeed, a reference to citizens (a/k/a jurors) paying for Medicare appears repeatedly in the government’s complaint in intervention. 

 There is nothing subtle about this strategy.  What remains to be seen is whether it works.  Second guessing end-of-life care — including its necessity — is hard business fraught with shades of grey.  That being said, neither party can be confident of the outcome:  as the old adage goes, there is nothing certain except death and taxes.  This case, of course, has both.



A Compliance Officer’s Wish List for 2012

Posted in Culture, Enforcement, Ethics, Government Initiatives, Reform

I was visiting with some of my compliance colleagues recently and came up with an interesting Wish List for 2012: 

  • Additional resources.
  • Clearer regulations :)
  • Increased stakeholder support for compliance activities.
  • More predictable and quicker voluntary disclosure processes.
  • A better way to keep track of regulatory developments and new business arrangements.
  • Acknowledgement by regulators and enforcers that mistakes happen and not everything is fraud. 
  • More compliance involvement in proposed transactions and arrangements — before they get done.
  • The ability to learn about potential compliance concerns before they turn into more significant problems.

 What would you add to the list?