Ready for an OIG Security Audit?

At HIMSS15 in Chicago I had the pleasure of speaking with my colleague, Dave Schoolcraft, regarding the OIG Security Audits. These in-depth security audits, conducted not by the OCR or CMS but rather by the Office of Inspector General, delve into the security systems of Eligible Hospitals (and potentially Eligible Professionals) participating in the EHR Incentive Program.

Background

In its 2014 and 2015 Work Plans, the OIG announced its plan to audit participants in the EHR Incentive Programs and their business associates, including cloud service providers, “to determine whether they adequately protected electronic health information created or maintained by certified EHR technology.” This audit stretches beyond a typical meaningful use audit: it is not only centered on the security of ePHI stored in the CEHRT, but also looks at relationships with downstream service providers. Though EPs and EHs that participate in the EHR Incentive Program are aware of pending audits from CMS (via Figliozzi & Company), including the necessary documentation and security risk analysis requirements, these audits may come as quite a surprise – especially the level of thoroughness the OIG pursues in these audits. Though the OIG identifies the targeted entities due to their participation in the EHR Incentive Program, these audits look nothing like a CMS audit but instead are an in-depth HIPAA security audit.

The Audit

The audit itself is conducted by OIG investigators who are knowledgeable about security infrastructure as well as HIPAA requirements. The OIG commences the audit with a phone call followed by a formal letter notifying the recipient entity of the audit. As stated in its letter, “the objective of [the] audit is to assess if the [hospital’s] meaningful use requirements have protected the confidentiality, integrity and availability of electronic protected health information (ePHI) in its EHR systems.” The OIG sends out a document request/questionnaire with approximately 17 categories and subcategories that it is investigating. In addition to reviewing the responses to the document requests, the OIG auditors come on-site for 2-3 weeks to conduct interviews and personally review the security infrastructure.

Sample audit questions include:

  • Review of the EHR network diagram that shows EHR network architecture including external connections.
  • Provision of a description of internal or external web sites associated with the EHR system including patient portals.
  • Analysis of existing HIPAA policies and procedures, including patch management and access controls.
  • Detailed description of EHR network devices including the manufacturer and model number, software version and primary function.

As stated in the OIG Workplan, the target of the investigation is not only the covered entity itself, but also the relationships with business associates and downstream cloud service providers.

Audit Readiness Plan

It is unknown how many audits the OIG will conduct and what the ultimate goal of these audits is. We believe that the OIG plans on creating a roll-up report to describe the findings of these audits, rather than publishing individual reports; however, this has not been verified because the OIG has denied Freedom of Information Act requests.

We recommend that covered entities prepare for these audits as follows:

  • Gather information regarding existing security infrastructure in place, including relationships about sharing PHI with business associates and downstream providers.
  • Evaluate health IT vendors to determine if they are compliant with business associate agreements – this may include asking the business associate to provide you with evidence and results from a security risk assessment.
  • Identify team members that will respond to an OIG audit request.
  • Conduct a mock audit to fully assess security.

Additional Audits

The OIG Work Plans also identify three other related types of audits.

  1. OIG Audits of Medicare EHR Incentive Program. Earlier this month the OIG issued a number of multi-year audits of EHR Incentive Program participants. These audits are very similar to the CMS Meaningful Use audits conducted by Figliozzi, but are in fact not conducted by CMS. Unlike the CMS audits, however, the OIG audits are multi-year and may request information from both Stage 1 and Stage 2 attestations.
  2. OIG Audits of Medicaid EHR Incentive Programs. OIG has conducted at least three audits of states issuing Medicaid EHR Incentive Program dollars: Louisiana, Massachusetts and Florida. Of the three audited, only Florida was found to have issued the EHR Incentive Program dollars correctly. The OIG has instructed the other states to reimburse the federal government for the incorrectly distributed funds and adjust the payment calculations for the hospitals going forward.
  3. OIG Audits of Contingency Plans. Pursuant to the HIPAA Security Rule, covered entities must have contingency plans in place in case of a disaster or other occurrence that damages systems that contain ePHI (45 CFR 164.308). The OIG plans to compare hospitals’ contingency plans with “government and industry recommended practices.”
  4. OIG Audits of AIU Participants. OIG has recently issued new audits investigating AIU attestations. For further detail related to these audits go to: http://meaningfuluseaudits.com/oig-escalates-meaningful-use-audits-of-hospitals/.


Preparing for these OIG audits can be accomplished during your own internal Security Risk Analysis and can be a useful tool for verifying the accuracy and thoroughness of your own process. For more information about the OIG Security Audits or other OIG audits please contact Elana Zana or Dave Schoolcraft.


Increased OIG Focus on Kwashiorkor Claims

In its recently released 2014 Work Plan, the OIG has announced that it will investigate hospital billing for Kwashiorkor.  Kwashiorkor is a form of severe protein malnutrition that generally affects children living in tropical and subtropical parts of the world during periods of famine or insufficient food supply. This syndrome is characterized by retarded growth, changes in skin and hair pigment, edema, and pathologic changes in the liver.

This extreme form of malnutrition, however, is very rare in the United States, which is why Kwashiorkor billing at hospitals is a target of the OIG. Because a diagnosis of Kwashiorkor on a claim also substantially increases a hospital’s reimbursement from Medicare, the OIG stated it would review Medicare payments based on Kwashiorkor claims to determine whether the diagnosis is adequately supported by documentation in the medical record.

Recently, for example, the OIG found that Wellspan York Hospital incorrectly billed Medicare inpatient claims with Kwashiorkor, resulting in overpayments of $204,000 over two years. The hospital attributed the errors to a misinterpretation of the coding guidelines for malnutrition because of a lack of clarity in the guidance. Other hospitals, like Mercy Medical Center, have attributed Kwashiorkor errors to encoder software that incorrectly assigns diagnoses of protein malnutrition to ICD-9-CM 260 (Kwashiorkor).

In light of the increased OIG focus on Kwashiorkor claims, hospitals should strengthen their controls to ensure that coding software and staff comply with Medicare billing requirements. Additionally, if there is in fact a Kwashiorkor diagnosis, hospitals should ensure that the medical record (e.g. discharge summary) substantiates the use of a Kwashiorkor diagnosis code.

For additional information regarding Kwashiorkor billing or the 2014 OIG Workplan please contact Adam Snyder or Jefferson Lin.


2014 OIG Work Plan Contains New Priorities Specific to Hospitals

The Department of Health and Human Services, Office of the Inspector General (OIG) recently released its Fiscal Year (FY) 2014 Work Plan.  The Plan contains new priorities specific to Hospitals in areas related to Policies and Practices, Billing and Payments, and Quality of Care and Safety.  For a complete copy of the OIG 2014 Work Plan, please click here.

The OIG Work Plan provides a description of what the OIG will be focusing on in the coming year, giving providers insight into identifying corporate compliance risk areas and providing focus for ongoing efforts relating to compliance program activities, audits, and policy development.  Some of the hospital-specific priority areas identified as ‘New’ include the following:

A. Policies and Practices

  1. 2 Midnight Rule: As of FY 2014, physicians should admit inpatients where they expect the patient’s care to last at least 2 nights in the hospital. This modification is due to the OIG’s previous findings of overpayments for inpatient stays, inappropriate billings and inconsistent billing practices. OIG plans to review the impact of these new admission criteria and how billing varies among hospitals.
  2. Defective Medical Devices: OIG will review the increased costs to Medicare resulting from additional services necessitated by the use of defective medical devices.
  3. Comparison of Provider-Based and Free-Standing Clinics: OIG will compare the payments made in provider-based settings and free-standing clinics with respect to similar procedures to determine the potential impact to the Medicare program for hospitals claiming provider-based status, and presumably, whether providers claiming provider-based status meet the criteria in 42 CFR § 413.65(d).

B. Billing and Payments

  1. Outpatient Evaluation and Management Services: OIG will review payments made for outpatient E/M services to determine if they were appropriately billed as “new” or “established.” Patients are generally considered “new” unless they were seen as a registered inpatient or outpatient within the past 3 years.
  2. Cardiac Catheterization and Heart Biopsies:  Billings for right heart catheterizations will be reviewed to determine if they were appropriately billed separate and apart from billings for heart biopsies.
  3. Payments for Patients Diagnosed with Kwashiorkor:  Due to the high level of reimbursement, billings for Kwashiorkor will be reviewed to determine whether diagnoses are supported by the medical record.
  4. Bone Marrow or Stem Cell Transplants: OIG will review procedure and diagnosis codes to determine the appropriateness of bone marrow and stem cell transplantation.

C. Quality of Care and Safety

  1. Pharmaceutical Compounding:  In light of a recent meningitis outbreak resulting from contaminated injections of compounded drugs, OIG will review the oversight and accreditation assessment of pharmaceutical compounding in Medicare-participating acute care hospitals.
  2. Review of Hospital Privileging:  OIG will review how hospitals consider medical staff candidates prior to granting initial privileges, verification of credentials, and review of the National Practitioner Databank.

For additional information regarding the 2014 OIG Workplan or hospital/corporate compliance please contact Adam Snyder.


Understanding Stark/Anti-Kickback Compliant EHR Donation Arrangements

In 2006, and as extended in December 2013, CMS issued Stark and Anti-Kickback exceptions/safe harbors permitting EHR technology donation arrangements between hospitals (and other organizations) and physician groups. This exception permits hospitals to aid physician groups, who may be referral sources, in acquiring and implementing EHR and other health information technology. Originally, hospitals had a seven-year window in which to engage in these donation arrangements, though in December 2013 CMS extended the donation arrangements for an additional 7 years, through December 31, 2021.

The arrangement may include the non-monetary donation of “items or services in the form of software or information technology and training services.”  Key components of the exception/safe harbor include:

  • The donation is provided from an entity to a physician.
    • Change in the 2013 rules: this entity cannot be a lab.
  • The software is interoperable.
    • Change in the 2013 rules: software is deemed interoperable if it has been certified as “certified EHR technology” as that term is used by the ONC for the meaningful use/EHR Incentive Program.
  • Donor cannot restrict or limit the use or interoperability of the technology with other eRx or EHR systems.
    • Change in the 2013 rules: CMS interprets this rule more broadly by providing a non-exclusive list of the types of technologies that are included in this restriction: “health information technology applications, products, or services.”
  • Physician must pay at least 15% of the costs for the technology (which amount cannot be financed by the hospital).
  • Neither the physician nor the physician’s practice makes the receipt of the technology a condition of doing business with the donor.
  • Neither eligibility of the physician nor the amount or nature of the donation is determined in a manner that takes into account the volume or value of referrals or other business generated between the parties.
  • The donation is set forth in writing, signed by the parties, specifies the items to be provided, the donor’s costs and the physician’s contribution, and covers all EHR items and services to be provided by the donor.
  • The donor cannot have knowledge of or disregard the fact that the physician already possesses equivalent items or services.
  • The donor cannot restrict or limit the physician’s right to use the software for any patient.
  • The donation cannot include staffing of physician offices and cannot be used to primarily conduct personal business or business unrelated to the physician’s medical practice.
    • Note the donation may also include other “software and functionality directly related to the care and treatment of individual patients (for example, patient administration, scheduling functions, billing, clinical support software, etc.)” (71 FR 45152).
  • The donation arrangement does not violate the Anti-Kickback statute.
  • The exception expires December 31, 2021.

Beyond crafting a donation arrangement that satisfies both the Stark law exception and Anti-Kickback safe harbor, hospitals and physicians should assess overall technology alignment strategies and the goals and framework for such donation arrangements.  Making sure that clear expectations are set in advance, including understanding implementation, roll out and support, data ownership and extraction, and utilizing the EHR technology for government incentive programs, such as meaningful use, are important topics that should be addressed by the arrangement.

For those interested in learning more about this topic and are currently attending HIMSS14, David Schoolcraft, attorney at Ogden Murphy Wallace, and Michelle Holmes, principal at ECG Management Consultants, are presenting on Wednesday at 10 AM on Using Stark/Anti-Kickback To Support Hospital/Physician IT Alignment Strategies.  For further information about designing a compliant arrangement please contact Elana Zana or Dave Schoolcraft.


OIG’s Report Highlights Enforcement Successes in 2014

The Office of Inspector General (OIG) recently published its Semiannual Report to the U.S. Congress. This Report summarizes the OIG’s enforcement activities from March 2013 to September 2013.

The Report highlights the OIG’s significant efforts in the enforcement of fraud and abuse laws.  For fiscal year (FY) 2013, the OIG is expecting total recoveries of $5.8 billion, consisting of nearly $850 million in audit receivables and about $5 billion in investigative receivables.

Additionally, for FY 2013, the OIG brought 960 criminal and 472 civil actions against individuals or entities that engaged in health-care-related offenses.   Compared with FY 2012, the number of criminal actions in FY 2013 rose by 182 cases, and the number of civil cases rose by 105 cases.

According to the OIG, these enforcement results are partially due to the successes of the Health Care Fraud Prevention and Action Team (HEAT).  HEAT is a partnership between Federal, State, and local law enforcement to identify fraudulent health care schemes.   The program combines sophisticated data analysis and investigative intelligence to move quickly against violators of fraud and abuse laws such as the False Claims Act.

There is no doubt that the OIG’s accomplishments in FY 2013 will motivate investigators to root out more health care fraud and overpayment schemes in FY 2014.  To avoid a costly investigation and potential prosecution, providers should take extra care that they are following Medicare and Medicaid laws and properly billing for services rendered to patients.

You can read the entire OIG Semiannual Report here.

For more information about health care fraud and abuse laws, please contact Casey Moriarty.

Stark Law Donation Exception Extended to 2021

Beating the deadline by mere days, CMS and the OIG released their final rules related to the Stark Law exception/Anti-Kickback safe harbor for EHR donation arrangements.  The new rules extend the donation arrangement exception until December 31, 2021.

The new rules become effective 90 days after publication, with the exception of the extension, which is effective on December 31, 2013.  These new rules permit existing donation arrangements to continue to operate beyond December 31, 2013, provided they remain in compliance with the Stark exception and Anti-Kickback safe harbor.

Highlights of this new rule (other than the very important extension to 2021) include:

  • The items/EHR are provided by a company (i.e. a hospital) that is not a laboratory.
  • Software is deemed interoperable if it has been certified as “certified EHR technology” as that term is used by the ONC for the meaningful use/EHR Incentive Program.
  • Elimination of the requirement that the EHR software contain eRx capabilities in order to qualify for the exception.
  • Clarification that the donor cannot limit the interoperability of the donated software with other eRx and EHR systems, which CMS interprets more broadly by providing a non-exclusive list of the types of technologies that are included in this restriction: “health information technology applications, products, or services.”

For more information about drafting donation arrangements or these final rules please contact Elana Zana or Dave Schoolcraft.

To view the HIMSS statement on the extension click here.

OIG Issues Unfavorable Advisory Opinion Related to Fee Arrangement

Earlier this week the OIG issued an unfavorable Advisory Opinion concerning the relationship between an Anesthesiology Group (defined as the “Requestor” in the OIG opinion), a Psychiatry Group and a Hospital. The Psychiatry Group performed electroconvulsive therapy (ECT) services at the Hospital, requiring related anesthesia services. The Requestor had an exclusive contract with the Hospital for the provision of anesthesia services. The specific arrangements reviewed by the OIG dealt with the Hospital’s pressure on the Requestor to carve out exceptions to its exclusive contract that would have the effect of allowing the Psychiatry Group to have access to a new anesthesia revenue stream. Ultimately, the OIG determined that the Proposed Arrangement could potentially generate prohibited remuneration under the anti-kickback statute.

The Proposed Arrangement stemmed from negotiations between the Hospital and the Anesthesiology Group, which had held an 18-year exclusive relationship with the Hospital until 2011. In late 2010 the Psychiatry Group relocated its practice, which centers around ECT services, to the Hospital; the Psychiatry Group’s members included an anesthesiologist. In the 2011 negotiations with the Anesthesiology Group, the Hospital modified the exclusive relationship to allow the Psychiatry Group’s anesthesiologist to perform ECT anesthesia services, and to request the Anesthesiology Group’s coverage while he was not available. In 2012, the Psychiatry Group requested a provision allowing it to bring in a part-time anesthesiologist if the Psychiatry Group and the Anesthesiology Group could not agree on terms for those additional services. After the 2012 contract went into effect, the Psychiatry Group notified the Anesthesiology Group that it wanted to bring in the additional anesthesiologist and asked the Anesthesiology Group to enter into the Proposed Arrangement.

The Proposed Arrangement provided that the Anesthesiology Group would provide the ECT anesthesia coverage services that were needed and would reassign all billing rights to the Psychiatry Group. In exchange, the Anesthesiology Group would receive a per diem rate, which the Anesthesiology Group asserts was less than fair market value and below what it would receive if it billed directly for the anesthesia services. The Psychiatry Group would retain the difference between the amount collected and the per diem rate. The OIG unequivocally rejected this Proposed Arrangement, finding that the per diem payment made to the Anesthesiology Group did not fall under the personal services and management contracts safe harbor of the anti-kickback statute because it was neither set in advance nor consistent with fair market value. Further, the OIG determined that the fee generated for the Psychiatry Group was a door to solicit compensation for its patient referrals for ECT services:

 “The Proposed Arrangement appears to be designed to permit the Psychiatry Group to do indirectly what it cannot do directly; that is, to receive compensation, in the form of a portion of Requestor’s anesthesia services revenues, in return for the Psychiatry Group’s referrals of ECT patients to Requestor for anesthesia services. The Additional Anesthesiologist Provision gave the Psychiatry Group the ability to solicit this remuneration for its ECT patient referrals by allowing the Psychiatry Group to contract with an anesthesiologist other than Requestor if Requestor and the Psychiatry Group were not successful in negotiating the terms of an agreement for Requestor to provide ECT anesthesia services. The Proposed Arrangement therefore presents the significant risk that the remuneration Requestor would provide to the Psychiatry Group—i.e., the opportunity to generate a fee equal to the difference between the amounts the Psychiatry Group would bill and collect for Requestor’s anesthesia services, and the per diem amounts the Psychiatry Group would pay to Requestor—would be in return for the Psychiatry Group’s anesthesia referrals to Requestor. We discern no safeguards in the Proposed Arrangement that would minimize this risk.”

Perhaps the most interesting part of the opinion is the OIG’s comments in its conclusion. Although not asked to opine on the Hospital’s relationships with the Psychiatry Group and the Requestor, the OIG commented in a footnote about the potential improprieties of the Hospital’s relationship with those parties:

“Although we have not been asked to opine on, and express no opinion regarding, any aspect of Requestor’s relationship with the Hospital, including the 2012 Contract or the Additional Anesthesiologist Provision, we cannot exclude the possibility that: (i) the Hospital agreed to negotiate for the Additional Anesthesiologist Provision in exchange for, or to reward, the Psychiatry Group’s continued referral of patients to the Hospital for ECT procedures; (ii) the Hospital leveraged its control over its large base of anesthesia referrals to induce Requestor to agree to the Additional Anesthesiologist Provision; and (iii) Requestor agreed to the Additional Anesthesiologist Provision in exchange for access to the Hospital’s stream of anesthesia referrals.”

This OIG opinion highlights the OIG’s continued concern regarding arrangements that allow referring providers access to new revenue streams in a manner that may be connected to the providers’ referrals. Parties desiring to enter into these types of arrangements should take care to include as many safeguards as possible (using the OIG’s language) to ensure that the payments are not related to referrals. In the absence of such safeguards, it is pretty clear that the OIG will not look favorably upon the arrangement.

For more information about this particular OIG Opinion or the anti-kickback statute in general please contact Elana Zana or Don Black.


OIG Okays Provision of Free Services to Uninsured and Underinsured Patients

On October 15, 2013, the Office of Inspector General (OIG) released an Advisory Opinion concerning a community health services organization’s provision of free dental care to financially needy uninsured and underinsured patients that are not covered by Medicaid.

The organization was concerned that the free services violated two aspects of the Medicaid law: (1) the Social Security Act prohibits providers from billing Medicaid charges for items or services substantially in excess of the provider’s “usual charges,” and (2) the Anti-Kickback Statute prohibits providers from offering remuneration to Medicaid patients to induce them to receive services from the provider.

In the Advisory Opinion, the OIG stated that when a provider calculates its “usual charges,” it need not consider free or substantially reduced charges to uninsured or underinsured patients with financial need.  Therefore, the OIG would not seek to exclude a provider from the Medicaid program for providing discounts to financially needy uninsured and underinsured patients.

The OIG also stated that the organization’s provision of free services to financially needy uninsured or underinsured patients does not violate the Anti-Kickback Statute because the free services will not be provided to Medicaid patients.  The Anti-Kickback Statute would only be implicated if a provider used the free services as a means to induce Medicaid patients to order additional services that could be billed to the Medicaid program.

The bottom line is that providers may offer free services to uninsured or underinsured patients with financial hardship. With that said, it is critical that providers have uniform eligibility criteria to determine whether such patients actually are financially needy. In separate guidance released in 2004, the OIG outlined factors that providers should consider in determining financial need, including:

  • The local cost of living;
  • A patient’s income, assets, and expenses;
  • A patient’s family size; and
  • The scope and extent of a patient’s medical bills.

By applying these factors uniformly at all times, providers can ensure that their provision of free or discounted services meets OIG requirements.

If you would like more information please contact Casey Moriarty.

OIG Approves Venture Spawned by CMS Hospital Readmission Penalties

In a recent Advisory Opinion, the OIG approved a business venture intended to reduce preventable hospital readmissions by providing post-discharge services to patients.  The venture would sell a package of services to hospitals intended to better coordinate post-discharge care and to help patients adhere to their post-discharge plans of care.  The focus would initially be on those conditions CMS has identified as potentially triggering readmission payment penalties.

Hospitals would be charged a flat annual “set-up” fee and an additional “per patient” fee. Patients would have to elect to receive the services.  Under the service, the patient would have access to assistance 24 hours a day, seven days a week, either through a Patient Liaison or through a nurse hotline.

The OIG found a low risk of fraud or abuse under the anti-kickback law because, among other things, the program could potentially save federal money by decreasing excessive hospital readmissions.  The proposed program also was unlikely to interfere with clinical decision making since its purpose was to ensure such decision making was implemented for the benefit of the patient.

The OIG also found a low risk of any Civil Monetary Penalty violation.  The proposed program appeared to be intended to assist patients in the post-discharge period without influencing or limiting a patient’s choice of providers or suppliers.  If you have questions regarding this opinion please contact Greg Montgomery.

Critical Access Hospital Reimbursement May Be In Trouble if CMS Changes Rules

The Centers for Medicare and Medicaid Services (CMS) has signaled its intent to increase enforcement of the location requirements for critical access hospitals (CAHs).  CMS created the CAH certification program to provide additional reimbursement for hospitals in rural areas that are located more than 35 miles from another hospital, or more than 15 miles from another hospital if the area has mountainous terrain.

Prior to 2006, states could designate certain hospitals as “necessary providers” that did not have to meet the location requirements. Many of these “necessary provider” CAHs would not meet the current location standards for the CAH designation.

A recent report from the Department of Health and Human Services (HHS) found that CMS would have saved $449 million in 2011 if it had decertified all CAHs that were 15 or fewer miles from their nearest hospitals.   In order to take advantage of these potential savings, CMS has stated that it will seek legislative authority to remove the “necessary provider” exemption, and require all CAHs to meet the location requirements.

In addition to removing the exemption, CMS has also agreed to pursue other changes to the CAH program, including: (1) periodically reassessing CAHs for compliance with all location-related requirements; and (2) applying a uniform definition of “mountainous terrain” to all CAHs.

It is important to note that these changes would require legislative action by Congress and currently there is no such legislation to take action on these recommendations.  Nevertheless, CAHs should keep a close eye on these potential changes as they could have a huge impact on the reimbursement levels of CAHs that do not currently meet the location requirements.  Please contact Don Black or Casey Moriarty for more information.