Ready for an OIG Security Audit?

At HIMSS15 in Chicago I had the pleasure of speaking with my colleague, Dave Schoolcraft, regarding the OIG Security Audits. These in-depth security audits, conducted not by the OCR or CMS but by the Office of Inspector General, delve into the security systems of Eligible Hospitals (and potentially Eligible Professionals) participating in the EHR Incentive Program.

Background

The OIG in its 2014 and 2015 Work Plans identified its plan to audit participants in the EHR Incentive Programs and their business associates, including cloud service providers, “to determine whether they adequately protected electronic health information created or maintained by certified EHR technology.” This audit stretches beyond a typical meaningful use audit and is not only centered on the security of ePHI stored in the CEHRT, but also looks at relationships with downstream service providers. Though EPs and EHs that participate in the EHR Incentive Program are aware of pending audits from CMS (via Figliozzi & Company), including the necessary documentation and security risk analysis requirements, these audits may come as quite a surprise – especially the level of thoroughness the OIG pursues in these audits. Though the OIG identifies the targeted entities due to their participation in the EHR Incentive Program, these audits look nothing like a CMS audit but instead are an in-depth HIPAA security audit.

The Audit

The audit itself is conducted by OIG investigators that are knowledgeable about security infrastructure as well as HIPAA requirements. The OIG commences the audit with a phone call followed by a formal letter notifying the recipient entity of the audit. As stated in its letter “the objective of [the] audit is to assess if the [hospital’s] meaningful use requirements have protected the confidentiality, integrity and availability of electronic protected health information (ePHI) in its EHR systems.” The OIG sends out a document request/questionnaire with approximately 17 categories and subcategories that it is investigating. In addition to reviewing the responses to the document requests the OIG auditors come on-site for 2-3 weeks to conduct interviews and personally review the security infrastructure.

Sample document requests include:

  • Review of the EHR network diagram that shows EHR network architecture including external connections.
  • Provision of a description of internal or external web sites associated with the EHR system including patient portals.
  • Analysis of existing HIPAA policies and procedures, including patch management and access controls.
  • Detailed description of EHR network devices including the manufacturer and model number, software version and primary function.

As stated in the OIG Workplan, the target of the investigation is not only the covered entity itself, but also the relationships with business associates and downstream cloud service providers.

Audit Readiness Plan

It is unknown how many audits the OIG will conduct, or what their ultimate goal is. We believe that the OIG plans to create a roll-up report describing the findings of these audits rather than publishing individual reports; however, this has not been verified because the OIG has denied Freedom of Information Act requests.

We recommend that covered entities prepare for these audits as follows:

  • Gather information regarding existing security infrastructure in place, including relationships about sharing PHI with business associates and downstream providers.
  • Evaluate health IT vendors to determine if they are compliant with business associate agreements – this may include asking the business associate to provide you with evidence and results from a security risk assessment.
  • Identify team members that will respond to an OIG audit request.
  • Conduct a mock audit to fully assess security.

Additional Audits

The OIG Work Plans also identify four other related types of audits.

  1. OIG Audits of Medicare EHR Incentive Program. Earlier this month the OIG issued a number of multi-year audits of EHR Incentive Program participants. These audits are very similar to the CMS Meaningful Use audits conducted by Figliozzi, but are not conducted by CMS. Unlike the CMS audits, however, the OIG audits are multi-year and may request information from both Stage 1 and Stage 2 attestations.
  2. OIG Audits of Medicaid EHR Incentive Programs. The OIG has conducted at least three audits of states issuing Medicaid EHR Incentive Program dollars: Louisiana, Massachusetts and Florida. Of the three audited, only Florida was found to have issued the EHR Incentive Program dollars correctly. The OIG has instructed the other two states to reimburse the federal government for the incorrectly distributed funds and to adjust the payment calculations for the affected hospitals going forward.
  3. OIG Audits of Contingency Plans. Pursuant to the HIPAA Security Rule, covered entities must have contingency plans in place in case of a disaster or other occurrence that damages systems containing ePHI (45 CFR 164.308). The OIG plans to compare hospitals’ contingency plans with “government and industry recommended practices.”
  4. OIG Audits of AIU Participants. The OIG has recently issued new audits investigating AIU attestations. For further detail related to these audits go to: http://meaningfuluseaudits.com/oig-escalates-meaningful-use-audits-of-hospitals/.

Preparing for these OIG audits can be accomplished during your own internal Security Risk Analysis and can be a useful tool for verifying the accuracy and thoroughness of your own process. For more information about the OIG Security Audits or other OIG audits please contact Elana Zana or Dave Schoolcraft.

Increased OIG Focus on Kwashiorkor Claims

In its recently released 2014 Work Plan, the OIG has announced that it will investigate hospital billing for Kwashiorkor.  Kwashiorkor is a form of severe protein malnutrition that generally affects children living in tropical and subtropical parts of the world during periods of famine or insufficient food supply. This syndrome is characterized by retarded growth, changes in skin and hair pigment, edema, and pathologic changes in the liver.

This extreme form of malnutrition, however, is very rare in the United States, which is why Kwashiorkor billing at hospitals is a target of the OIG. Because a diagnosis of Kwashiorkor on a claim also substantially increases a hospital’s reimbursement from Medicare, the OIG stated it would review Medicare payments based on Kwashiorkor claims to determine whether the diagnosis is adequately supported by documentation in the medical record.

Recently, for example, the OIG found that Wellspan York Hospital incorrectly billed Medicare inpatient claims with Kwashiorkor, resulting in overpayments of $204,000 over two years. The hospital attributed the errors to a misinterpretation of the coding guidelines for malnutrition because of a lack of clarity in the guidance. Other hospitals, like Mercy Medical Center, have attributed Kwashiorkor errors to encoder software that incorrectly assigns diagnoses of protein malnutrition to ICD-9-CM 260 (Kwashiorkor).

In light of the increased OIG focus on Kwashiorkor claims, hospitals should strengthen their controls to ensure that coding software and staff comply with Medicare billing requirements. Additionally, where a Kwashiorkor diagnosis is in fact made, hospitals should ensure that the medical record (e.g. the discharge summary) substantiates the use of the Kwashiorkor diagnosis code.

For additional information regarding Kwashiorkor billing or the 2014 OIG Workplan please contact Adam Snyder or Jefferson Lin.

2014 OIG Work Plan Contains New Priorities Specific to Hospitals

The Department of Health and Human Services, Office of the Inspector General (OIG) recently released its Fiscal Year (FY) 2014 Work Plan.  The Plan contains new priorities specific to Hospitals in areas related to Policies and Practices, Billing and Payments, and Quality of Care and Safety.  For a complete copy of the OIG 2014 Work Plan, please click here.

The OIG Work Plan provides a description of what the OIG will be focusing on in the coming year, giving providers insight into identifying corporate compliance risk areas and providing focus for ongoing efforts relating to compliance program activities, audits, and policy development.  Some of the hospital-specific priority areas identified as ‘New’ include the following:

A.      Policies and Practices

  1. 2 Midnight Rule: As of FY 2014, an inpatient admission is generally appropriate where the physician expects the patient’s care to span at least two midnights in the hospital. This modification is due to the OIG’s previous findings of overpayments for inpatient stays, inappropriate billings and inconsistent billing practices. OIG plans to review the impact of the new admission criteria and how billing varies among hospitals.
  2. Defective Medical Devices: OIG will review the increased costs to Medicare resulting from additional services necessitated by the use of defective medical devices.
  3. Comparison of Provider-Based and Free-Standing Clinics:  OIG will compare the payments made in provider-based settings and free-standing clinics with respect to similar procedures to determine the potential impact to the Medicare program for hospitals claiming provider-based status, and presumably, whether providers claiming provider-based status meet the criteria in 42 CFR § 413.65(d).

B.      Billing and Payments

  1.  Outpatient Evaluation and Management Services:  OIG will review payments made for outpatient E/M services to determine if they were appropriately billed as “new” or “established.”  Patients are generally considered “new” unless they were seen as a registered inpatient or outpatient within the past 3 years.
  2. Cardiac Catheterization and Heart Biopsies:  Billings for right heart catheterizations will be reviewed to determine if they were appropriately billed separate and apart from billings for heart biopsies.
  3. Payments for Patients Diagnosed with Kwashiorkor:  Due to the high level of reimbursement, billings for Kwashiorkor will be reviewed to determine whether diagnoses are supported by the medical record.
  4. Bone Marrow or Stem Cell Transplants: OIG will review procedure and diagnosis codes to determine the appropriateness of bone marrow and stem cell transplantation.

C.      Quality of Care and Safety

  1. Pharmaceutical Compounding:  In light of a recent meningitis outbreak resulting from contaminated injections of compounded drugs, OIG will review the oversight and accreditation assessment of pharmaceutical compounding in Medicare-participating acute care hospitals.
  2. Review of Hospital Privileging:  OIG will review how hospitals evaluate medical staff candidates prior to granting initial privileges, including verification of credentials and review of the National Practitioner Data Bank.

For additional information regarding the 2014 OIG Workplan or hospital/corporate compliance please contact Adam Snyder.

Stark Law Donation Exception Extended to 2021

Beating the deadline by mere days, CMS and the OIG released their final rules related to the Stark Law exception/Anti-Kickback safe harbor for EHR donation arrangements.  The new rules extend the donation arrangement exception until December 31, 2021.

The new rules become effective 90 days after publication, with the exception of the extension, which is effective on December 31, 2013.  These new rules permit existing donation arrangements to continue to operate beyond December 31, 2013, provided they remain in compliance with the Stark exception and Anti-Kickback safe harbor.

Highlights of this new rule (other than the very important extension to 2021) include:

  • The items/EHR are provided by a donor (e.g. a hospital) that is not a laboratory company.
  • Software is deemed interoperable if it has been certified as “certified EHR technology” as that term is used by the ONC for the meaningful use/EHR Incentive Program.
  • Elimination of the requirement that the EHR software contain eRx capabilities in order to qualify for the exception.
  • Clarification that the donor cannot limit the interoperability of the donated software with other eRx and EHR systems, which CMS interprets more broadly by providing a non-exclusive list of the types of technologies that are included in this restriction: “health information technology applications, products, or services.”

For more information about drafting donation arrangements or these final rules please contact Elana Zana or Dave Schoolcraft.

To view the HIMSS statement on the extension click here.

OIG Okays Provision of Free Services to Uninsured and Underinsured Patients

On October 15, 2013, the Office of Inspector General (OIG) released an Advisory Opinion concerning a community health services organization’s provision of free dental care to financially needy uninsured and underinsured patients that are not covered by Medicaid.

The organization was concerned that the free services violated two aspects of the Medicaid law: (1) the Social Security Act prohibits providers from billing Medicaid charges for items or services substantially in excess of the provider’s “usual charges,” and (2) the Anti-Kickback Statute prohibits providers from offering remuneration to Medicaid patients to induce them to receive services from the provider.

In the Advisory Opinion, the OIG stated that when a provider calculates its “usual charges,” it need not consider free or substantially reduced charges to uninsured or underinsured patients with financial need.  Therefore, the OIG would not seek to exclude a provider from the Medicaid program for providing discounts to financially needy uninsured and underinsured patients.

The OIG also stated that the organization’s provision of free services to financially needy uninsured or underinsured patients does not violate the Anti-Kickback Statute because the free services will not be provided to Medicaid patients.  The Anti-Kickback Statute would only be implicated if a provider used the free services as a means to induce Medicaid patients to order additional services that could be billed to the Medicaid program.

The bottom line is that providers may offer free services to uninsured or underinsured patients with financial hardship.  With that said, it is critical that providers have uniform eligibility criteria to determine whether such patients actually are financially needy.  In separate guidance released in 2004, the OIG outlined factors that providers should consider in determining financial need, including:

  • The local cost of living;
  • A patient’s income, assets, and expenses;
  • A patient’s family size; and
  • The scope and extent of a patient’s medical bills.

By applying these factors uniformly at all times, providers can ensure that their provision of free or discounted services meets OIG requirements.

If you would like more information please contact Casey Moriarty.

Critical Access Hospital Reimbursement May Be In Trouble if CMS Changes Rules

The Centers for Medicare and Medicaid Services (CMS) has signaled its intent to increase enforcement of the location requirements for critical access hospitals (CAHs).  CMS created the CAH certification program to provide additional reimbursement for hospitals in rural areas that are located more than 35 miles from another hospital, or more than 15 miles from another hospital if the area has mountainous terrain.

Prior to 2006, states could designate certain hospitals as “necessary providers” that did not have to meet the location requirements.  Many of these “necessary provider” CAHs would not meet the current locations standards for the CAH designation.

A recent report from the Department of Health and Human Services (HHS) found that CMS would have saved $449 million in 2011 if it had decertified all CAHs that were 15 or fewer miles from their nearest hospitals.   In order to take advantage of these potential savings, CMS has stated that it will seek legislative authority to remove the “necessary provider” exemption, and require all CAHs to meet the location requirements.

In addition to removing the exemption, CMS has also agreed to pursue other changes to the CAH program, including:  (1) periodically reassess CAHs for compliance with all location-related requirements; and (2) apply a uniform definition of “mountainous terrain” to all CAHs.

It is important to note that these changes would require legislative action by Congress, and currently no such legislation exists to act on these recommendations.  Nevertheless, CAHs should keep a close eye on these potential changes, as they could have a huge impact on the reimbursement levels of CAHs that do not currently meet the location requirements.  Please contact Don Black or Casey Moriarty for more information.

OIG Launches New Online Submission Process for the Self-Disclosure Protocol

On July 8th, the Office of Inspector General (OIG) launched a new online submission process for the Self-Disclosure Protocol (SDP).  The SDP allows health care providers to voluntarily identify, disclose, and resolve instances of potential fraud involving federal health care programs, including Medicare and Medicaid.   The OIG has stated that individuals and entities that utilize the SDP will pay a lower amount of damages for violations than would normally be required in resolving a government-initiated investigation.

You can access the online submission process here.

The OIG hopes that the online submission tool for the SDP will streamline the process for providers that want to resolve violations without the time and expense of a government-directed investigation.  With that said, we suggest that providers have an attorney analyze any potential SDP issues prior to completing the online form.  As always, the health law attorneys at OMW are happy to help.

For more information about the SDP online submission process please contact Casey Moriarty.

OIG Issues Special Fraud Alert on Physician-Owned Distributorships

On March 26, 2013, the Office of Inspector General (“OIG”) issued a Special Fraud Alert regarding physician-owned entities or distributorships (referred to as “PODs”) that generate revenue from the use of implantable medical devices ordered by their physician-owners for use in procedures performed by such physician-owners at hospitals or ambulatory surgery centers (“ASCs”).

While the Special Fraud Alert focuses on certain characteristics of PODs that create a substantial risk of fraud and abuse and a potential danger to patient safety, the OIG also cited prior pronouncements and guidance it has issued over the past twenty-four years regarding its long-standing concern over physician investments in entities to which they refer.  The prior OIG guidance cited included the 1989 Special Fraud Alert on Joint Venture Arrangements (republished in 1994) and a letter dated October 6, 2006, regarding physician investments in the medical device industry.

It is clear that the OIG believes that significant risk of patient or program abuse, including but not limited to potential violations of the Federal Anti-Kickback statute, may flow from arrangements between and among physicians, device manufacturers and other device vendors.  The Anti-Kickback statute makes it a criminal offense to knowingly and willfully offer, pay, solicit, or receive any remuneration to induce, or in return for, referrals of items or services reimbursable by a Federal health care program.

In its current Special Fraud Alert regarding physician-owned entities, the OIG recounted its view of certain questionable features regarding selection and retention of investors, solicitation of capital contributions, and distribution of profits, all of which potentially raise four general concerns typically associated with kickback arrangements:

  1. Corruption of medical judgment;
  2. Over-utilization;
  3. Increased costs to the Federal health care programs and beneficiaries; and
  4. Unfair competition.

The OIG is particularly concerned in this arena because the physician may play a significant role in the selection of the type of device and which manufacturer to use.  The OIG cautions that disclosure of financial interest may not be sufficient to cure what would otherwise amount to fraud and abuse, and identifies the following specific characteristics of arrangements that would cause concern:

  • The size of the investment offered varies with the anticipated volume or value of devices used by the physician.
  • Distributions are made on the basis of volume rather than ownership interest.
  • Physician-owners condition their referrals to hospitals or ASCs on the purchase of the POD’s devices.
  • Arrangements that reward a physician’s use of certain devices or penalize the physician for failing to use them.
  • The POD’s ability to buy out a physician’s interest on favorable terms if the physician fails to meet certain volume requirements.
  • The POD is a shell entity that is not truly engaged in the business, or provides no oversight of its distribution functions.
  • Physicians fail to disclose their POD interests through the hospital’s or ASC’s conflict-of-interest processes.

This Special Fraud Alert reiterates the OIG’s longstanding position that a physician’s ability to profit from referrals may lead to violations of the Federal Anti-Kickback statute.  Finally, the OIG reminds concerned parties that the OIG Advisory Opinion process is available.   For more information about physician-owned entities, the applicability of the Anti-Kickback statute, and the OIG Advisory Opinion process, please contact Adam Snyder or Don Black at (206) 447-7000.