Continuous Compliance: An Operational Approach Must Address HIPAA

Transcription

1 Continuous Compliance: An Operational Approach Must Address HIPAA Alfonso P. Conti, MPA Manager, Grassi & Co. Claudia Hinrichsen, Esq. Partner, Health Law Partners February 27, 2013

2 Compliance in Total In general when we speak about Compliance its not just about compliance and the identification and reduction of waste, fraud and abuse. It is about total compliance that includes HIPAA and the responsibilities and efforts of all employees to maintain a special vigilance over Protected Health Information. Today we will go through each area briefly to highlight what should be happening on a daily basis.

3 Current Practices Governance Involvement with Compliance/HIPAA Quarterly Compliance Committee Meetings Continuous Compliance Education of Staff Annual Risk Assessment by Departments Work Plan Update Auditing and Monitoring Program Internally and Externally Annual reporting to Governance

4 Office of the Inspector General

5 DOJ and HHS Statistics Elimination of Fraud, Waste and Abuse: FY 2012 Government Recovery $4.2 Billion For every $1 spent on investigations $7.90 return Last four years recovery has been $14.9 Billion Top Priority of Obama Administration Using Advanced Data Analysis to identify high-billing levels. Opened 1,131 NEW criminal investigations Opened 826 NEW civil investigations 251 guilty pleas, 13 jury trials 29 guilty defendants average prison sentence

6 OIG Areas Addressed Eligibility Criteria Face to Face Plan of Care Lack of Valid Orders Lack of Signatures/stamped signatures Documentation does not support medical necessity Duplicate billing Excluded individuals and providers

7 New 2013 OIG Work Plan Home Health Face-to-Face Requirements continue Employment of Home Health Aides with Criminal Convictions Missing or Incorrect Patient Outcome and Assessment Data Home Health Prospective Payment System (PPS) Requirements Payments for Services after Beneficiaries Death Screenings of Health Care Workers Exclusions from Program Participation

8 Office of the Medicaid Inspector General (OMIG)

9 OMIG Update 2011 Significant Results Avoiding over $2.5 billion in costs Identifying more than $220 million in inappropriate payments Collaborating with other agencies Ending program participation Improving review processes Assisting Providers with Compliance Issues Conducting Provider Education New Efficient Work Plan

10 OMIG Update Reorganized the OMIG with New Business Line Teams (BLT) a multi-disciplined team More efficient More coordinated Better knowledge and skill Goals and measureable objectives Operation / action plan Communication plan

11 OMIG General Focus Effective Compliance Program Annual Certification Investigations by the BLT Increased Data Mining techniques Fraud Hotline and On-line tips

12 OMIG Investigations Enrollment and Reinstatement Investigations Pharmacy Investigations Recipient Investigations Restricted Recipient Program Prescription Fraud Collaborations with Other Agencies Immediate Exclusions

13 OMIG Recommendations To build a better compliance program there must be: Governance compliance awareness and reporting An annual self-assessment of the compliance program Risk assessment to identify potentially weak areas A comprehensive program of training management / staff A work plan that incorporates organizational, OIG and OMIG areas to focus

14 Governance Involvement Annually, governance should receive a briefing from the Compliance Officer regarding the Corporate Compliance status of the organization. Based upon the size of the organization governance maybe a part of the Committee.

15 Quarterly Compliance Committee Meetings At the minimum quarterly meetings should occur: 1 st meeting of the year 2 nd meeting of the year 3rd meeting of the year 4th meeting of the year

16 Compliance Officer Preparation Conduct a Risk Assessment Prepare and Conduct Staff Training Recommend Compliance Committee makeup Prepare an Organizational Work Plan With Compliance Committee Identify Audits and Reviews Annually Report to Governance

17 Components of Mandated Compliance Under PPACA Established written standards and procedures High level oversight of the Compliance Officer/Committee Effective training and education Effective lines of communication Well-publicized standards of discipline Routine Monitoring and auditing reviews Responding to detected offenses Organization perform periodic risk assessments

18 2013 Compliance Plan Personnel Files reviewed DOCUMENT and TRAIN Management and Staff Conduct of Exclusion Reviews Conduct Compliance Committee meetings Update policy and procedures Update Self Disclosure Protocol

19 Recent Compliance Events The global health care giant GlaxoSmithKline LLC ( GSK ) was sentenced by U.S. District Court Judge Ray W. Zobel to pay a criminal fine of $956,814,400, and criminal forfeiture in the amount of $43,185,600, for a total amount of $1 billion in connection with the criminal wrongdoing. AHS Hospital Corp., Atlantic Health System Inc., and Overlook Hospital, located in New Jersey, have agreed to pay the United States $8,999,999 to settle allegations that they violated the False Claims Act Houston Nurse - 97 months prison $5.2 million fraud Politician Espada former State Rep faces up to 10 years prison theft and conspiracy Hospital CEO MediSys faces three yrs. prison for participating in a bribery scheme of NYS Legislatures McKesson Corporation has agreed to pay the United States more than $190 million to resolve claims that it violated the False Claims Act by reporting inflated pricing information for a large number of prescription drugs, causing Medicaid to overpay for those drugs.

20 EMR Compliance Issues Increased potential for HIPAA issues, as will be discussed Billing Fraud and Abuse Issues

21 EMR Compliance, Cont. Increases in healthcare costs tied to EHR adoption? EHR changing the way providers are billing for their services. New York Times Article (September 21, 2012) Attributed a portion of the recent growth in health care costs to the increased use of EHR Faxton St. Luke s Healthcare in Utica, N.Y Baptist Hospital in Nashville, T.N. Hospitals that received government incentives to adopt electronic records showed a 47% rise in Medicare payments at higher levels from 2006 to 2010, compared with a 32% rise in hospitals that have not received any government incentives

22 EMR Compliance, Cont. HHS/DOJ Letter hospital organizations (September 24, 2012) Concern that EHRs are being used to game the system Addressed false documentation of care issues: cloning up-coding Use of templates and prompts Outlined what is being done to ensure payment accuracy and to prevent/prosecute healthcare fraud.

23 EMR Compliance, Cont. Some of the actions being enforced by CMS include: Review of billing through audits Initiating more extensive medical reviews Requiring individual verification of patient care information Addressing inappropriate increases in coding intensity in CMS payment rules Using new tools to stop Medicare payments upon suspicion of fraud in order to mine data for detection HHS, DOJ, FBI and other law enforcement agencies are monitoring these trends and will take action upon detection No actual guidance measures provided (only warning)

24 EMR Compliance, Cont. Why the increased risk? General nature of EMR Specific features of the EMR system Increased Liability: Government and commercial payment audits (overpayments) Civil monetary penalties and sanctions (False Claims; fraud) Termination of participation (Medicare; Medicaid; commercial managed care contracts)

25 EMR Compliance, Cont. Problem Areas: 1. Authorship Integrity 2. Auditing Integrity 3. Documentation Integrity

26 HIPAA MEGA Rule

27 Final HIPAA Omnibus Rule The new final HIPAA rule covers a broad range of topics, which can be roughly broken down into four major categories: Numerous revisions to the HIPAA privacy and security rules; Substantial strengthening of the HIPAA enforcement rule and incorporating an increased monetary penalty tiered structure; Significant revisions to the breach notification rule; and Modifications to the HIPAA privacy rule required by the Genetic Information Nondiscrimination Act ( GINA ).

28 Final HIPAA Omnibus Rule, Cont. The final rules will become effective on March 26, 2013, and compliance will be required by September 23, The new HIPAA rules will, at a minimum, require revisions to the Notice of Privacy Practices, business associate agreements, and privacy/security policies and procedures.

29 Final HIPAA Omnibus Rule, Cont. The rules make clear that the Office of Civil Right's recent ramp-up of HIPAA enforcement, including conducting HIPAA audits and handing down numerous substantial fines, is not merely a passing trend. The new rules underscore that Covered Entities must reassess and strengthen their HIPAA compliance, or face potential severe monetary consequences for their failure to do so.

30 HIPAA Omnibus Rule, Cont. The new rule expands HIPAA s enforcement provisions, including the application of penalties against business associates; increases the penalty cap to $1.5 million depending on level of culpability; and imposes vicarious liability on Covered Entities based on agency principles.

31 Revisions to Notice of Privacy Practices, Business Associate Agreements, and Privacy/Security Policies Revisions will need to be made prior to the compliance date (September 23, 2013). As for business associate agreements, both Covered Entities and Business Associates will need new template BAAs. The safest and easiest approach will be to distribute the new form ASAP for all new contracts, and evaluate what outstanding BA relationships you have. (There is technically an additional year to conform current BAAs).

32 Revisions to Notice of Privacy Practices, Business Associate Agreements, and Privacy/Security Policies Will require Covered Entities and Business Associates to revise policies and operational plans for assessing and dealing with responses to HIPAA breaches. Under the new rule, the definition of breach has changed. There is now a presumption of a reportable breach unless the Covered Entity can demonstrate a low probability that PHI has been compromised based on the assessment of 4 factors. Covered Entities must conduct risk assessment in all cases of possible breach.

33 Breach Risk Assessment The 4 Breach Assessment Factors : 1) The nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification. 2) The unauthorized person who used/received the PHI. 3) Whether the PHI was actually acquired or viewed. 4) The extent to which the risk to the PHI information has been mitigated.

34 Revisions to Notice of Privacy Practices, Business Associate Agreements, and Privacy/Security Policies Clarifies an individual s right to obtain restrictions on disclosures of PHI to health plans for services paid out-of-pocket in full.

35 EMR Compliance / HIPAA Efforts Increased risk of liability for electronic records: Stolen laptops Lost cell phones Computer hackers Potential for greater impact per breach More serious breaches = higher penalties

36 OCR HIPAA Advice You cannot do Privacy without Security An important aspect of Security is Encryption and doable Electronic information is less vulnerable Theft is the top cause of breaches People are the weakest link in the chain State Attorney Generals enforcing HIPAA are trained Get busy Business Associates OCR listens and wants to help especially the small providers

37 RECENT HIPAA Prosecutions 2012 March 13- Blue Cross Blue Shield of Tennessee $1.5 Million a 15 Month correction plan theft of 57 unencrypted hard drives million member names April 17- Phoenix Cardiac Surgery $100,000 Unsecured use of a Internet based scheduling calendar. June 26- Alaska Department of Health and Social Services $1.7 million a three CAP theft of portable hard drive State failed to have a risk assessment. Sept 17- Massachusetts Eye and Ear Infirmary and affiliate physician organizations a three CAP $1.5 million theft of a laptop containing PHI for 3526 patients no risk assessment on moveable devices Jan 2, Idaho Hospice fined $50,000 self-disclosure breach under 500 having no Security Risk assessment

38 In Summary Organizations must conduct periodic internal reviews in both Compliance and HIPAA establish individual Work Plans! Six quick tips for a successful reviews: Perform walk-a-rounds of the organization Identify what you are going to review Decide who will conduct the review Pull & review a random sample of files Review the results and take corrective action Document and Report the process and results to GOVERNANCE 5

39 VACCINE

40 For More Information Contact Alfonso P. Conti, Manager, Grassi & Co or Claudia Hinrichsen, Esq. Partner, Health Law Partners