The Healthcare Financial Management Association (HFMA) reported that 99% of physicians who sought advanced alternative payment model (APM) bonuses in the first year (2017) did qualify. This is not surprising given the relatively low thresholds and the fact that those who do apply do so knowing it is attainable for their group. Forthcoming changes to MACRA include the launch of an all-payer combination option, which allows clinicians to be eligible for the 5 percent APM bonus if they see patients in both Medicare and qualifying payment models offered by Medicaid managed care plans and Medicare Advantage plans. Moving forward, clinicians should continuously review their eligibility and their strategy to qualify or join models of care that offer such incentives.
Ordinarily, the loss of Medicare or Medicaid billing privileges is connected to allegations of Fraud or Abuse. Make no mistake, the fear of being placed on pre-payment review alone or having reimbursement suspended during an investigation is enough for many hospitals to justify their compliance efforts.
The case of Overland Park, Kansas-based Blue Valley Hospital is a bit different. Under Medicare rules for acute care hospitals, a facility must have an average of 2 inpatient admissions per day with an average 2-day length of stay in order to maintain status as an inpatient hospital for purposes of reimbursement. Blue Valley Hospital asserts that the requirements are arbitrary. The hospital performed outpatient surgeries at a ratio of 2:1 over inpatient surgeries in the period examined, per Ellison (2018, June 12), and of the inpatient surgeries performed, patients were often discharged prior to the 2-day standard.
There is more to HIPAA compliance than privacy and security safeguards. An oft-overlooked requirement is the Business Associate Agreement (BAA), and even when covered entities do have a BAA in place with a vendor, there is inconsistent follow-up in reviewing and, if necessary, updating those agreements concurrent with contract renewals.
According to a HIPAA News report posted June 1, 2018 regarding multiple breaches at Dignity Health, one incident involved a vendor with an outdated BAA. Per the author, "The contractor in question had been used for ten years and a valid business associate agreement had been in place earlier; however, that document was no longer valid and data continued to be shared with the contractor due to a clerical mistake." Clerical errors happen; however, policies and procedures are often not in place. BAA audits are a good item for compliance professionals to consider when formulating annual work plans, and the Dignity case is a good, public example of the 'why'.
For healthcare organizations operating in multiple states, the complexity of compliance with privacy and security rules goes beyond understanding HIPAA. Add Colorado to the list of states with new laws defining special requirements for reporting breaches to the attorney general and definitions of personal information that include biometric data. While HIPAA allows for up to 60 days to provide notice to an individual regarding a breach, and also up to 60 days to report breaches of >500 individuals to the Office for Civil Rights (OCR), the new Colorado law requires notice to the individual within 30 days. Colorado is the most recent state to join the club of states with more stringent reporting rules than HIPAA requires, including, most recently, Alabama, which enacted a 45-day time frame.
Are you a healthcare compliance, revenue cycle, or operations leader who would like to learn more about credentialing, enrollment and privileging? Consider joining Susan Prior, CHC and Regina Alexander, FACHE, CHC, HCS-H of VantagePoint HealthCare Advisors on June 20, 2018 for a Health Care Compliance Association (HCCA) sponsored web conference. Sue and Regina will review the basics of privileging, credentialing, and enrollment processes, including key regulatory and payer requirements.
The conference content will also explore commonly overlooked ‘unknowns’ and identify strategies to mitigate compliance risks, financial impact, and barriers to care created by inefficient or siloed credentialing and enrollment processes. Compliance professionals will take away tips for asking the ‘right’ questions about the credentialing, privileging, and enrollment processes within their own organization.
Domain-based Message Authentication, Reporting and Conformance (DMARC) is a standard healthcare organizations can implement to reduce their susceptibility to cyber attacks by reducing vulnerabilities associated with spoofing. Spoofing occurs when a hacker attempts to impersonate the legitimate domain by making an email appear to come from within the organization. Despite training regarding phishing, staff may still be fooled by emails that look like they come from a legitimate domain. DMARC can be set up to monitor email traffic and send alerts (the most permissive setting) or, in the most aggressive setting, block incoming emails.
Per HIPAA News (2018, May 26), "For the study, Valimail reviewed the domains of 928 healthcare companies around the globe with annual revenues over $300 million, including hospitals, medical equipment suppliers, pharmacies, physicians and health practitioners. Just 121 of those firms (13%) have adopted DMARC to secure their domains and stop email spoofing."
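The two settings described above correspond to the policy a domain publishes in a DNS TXT record at `_dmarc.<domain>`: `p=none` for monitoring, and `p=quarantine` or `p=reject` for enforcement. The following added example (not from the original post or from the Valimail study) classifies domains by their published policy; the domain names and records are constructed samples, and the posture labels are this example's own.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # The version tag must come first and be exactly DMARC1 (this rejects SPF records).
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return None
    # Simplification (assumption): a record without a valid p= tag is treated as unusable.
    if tags.get("p", "").lower() not in VALID_POLICIES:
        return None
    return tags

def posture(txt_records):
    """Classify a domain from the TXT strings found at _dmarc.<domain>."""
    valid = [t for t in map(parse_dmarc, txt_records) if t]
    if len(valid) != 1:  # no record, or several: receivers apply no DMARC policy
        return "no-dmarc"
    policy = valid[0]["p"].lower()
    pct = valid[0].get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    if policy == "none":
        return "monitor-only"
    # pct below 100 means only a sample of failing mail gets the policy applied.
    return policy if pct >= 100 else f"partial-{policy}"

# Constructed sample data standing in for DNS answers; no lookups are performed.
SAMPLE = {
    "hospital.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hospital.example"],
    "clinic.example": ["v=DMARC1; p=none; rua=mailto:dmarc@clinic.example"],
    "pharmacy.example": ["v=DMARC1; p=quarantine; pct=25;"],
    "supplier.example": [],
    "lab.example": ["v=spf1 -all"],
}

def audit(domains):
    """Map each domain to its DMARC posture."""
    return {name: posture(records) for name, records in domains.items()}

if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        print(f"{name:20} {result}")
```

A domain that only publishes `p=none` counts as having adopted DMARC but still delivers spoofed mail, which is why the audit reports it separately from `reject`.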
Observation status stays aren't included in inpatient readmissions data, and that omission may be skewing the data, according to McKnight's Long Term Care News. According to Marselas (2018, June 1), "While inpatient readmission dropped by 2.3% during the study period, the researchers found the rate of readmission after an observation stay increased by 3.9%. Many patients also returned for repeat observation stays."
Medicare patients are often surprised to learn that an observation status stay does not count toward the three-day stay needed to qualify for SNF coverage. While the requirement for hospitals to provide beneficiaries with formal notice of observation status (Medicare Outpatient Observation Notice or MOON) may have mitigated that aspect of observation stay shock, concerns continue over the financial impact of 'obs' status. Beyond the patient-centric concerns, quality gains realized through reducing inpatient readmissions are now in question.
A provision of the HITECH Act of 2009 that has yet to be implemented is establishing a mechanism for the victims of a HIPAA-related breach to share in any settlement or monetary penalties assessed. The Office for Civil Rights (OCR) plans to issue notice of proposed rule making in November 2018 in an effort to satisfy this HITECH requirement. In the meantime, HIPAA covered entities may want to consider revisiting their internal efforts to comply with the Privacy and Security rules to mitigate future risk as well as consider planning for a reserve commensurate with the potential exposure if a major breach were to occur.
According to Kuruvilla (2018, May 18), "A former health care executive in Texas has admitted to playing a role in an alleged $60 million Medicare fraud scheme that included disturbing practices such as overdosing hospice patients to “hasten their deaths” and maximize company profits."
Medicare reimburses hospice services on a per diem basis, meaning the longer a patient is on hospice, the more overall reimbursement an agency will receive. Even on days where hospice staff do not visit a patient, the agency can bill Routine Home Care (RHC). More intense, skilled services must meet criteria and are subsequently reimbursed at the higher Continuous Home Care (CHC) level. The allegations of hastening hospice patients' deaths via overdose are counter-intuitive on their face for those of us who follow hospice-related Medicare fraud cases. Ordinarily, hospice providers encounter challenges in justifying the length of time a patient is on-service, the documentation supporting terminal illness, and correctly calculating the hours associated with the CHC level of care. If the Medicare Hospice Payment System is unfamiliar, a primer can be found here: https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/downloads/hospice_pay_sys_fs.pdf
Are you a healthcare compliance, revenue cycle, or operations leader who would like to learn more about credentialing, enrollment and privileging? Consider joining VantagePoint HealthCare Advisors COO Susan Prior, CHC and Senior Consultant Regina Alexander, FACHE, CHC, HCS-H on June 20, 2018 for a Health Care Compliance Association (HCCA) sponsored web conference. Sue and Regina will review the basics of privileging, credentialing, and enrollment processes, including key regulatory and payer requirements. The conference content will also explore commonly overlooked ‘unknowns’ and identify strategies to mitigate compliance risks, financial impact, and barriers to care created by inefficient or siloed credentialing and enrollment processes. Compliance professionals will take away tips for asking the ‘right’ questions about the credentialing, privileging, and enrollment processes within their own organization.
According to McKnight's Long Term Care News, CMS is allowing the State of Maryland to expand its long-standing all-payer program waiver 'beyond hospital walls'. Currently, acute facilities in Maryland are subject to global facility budgets rather than the prospective payment system. Expanding the all-payer model into post-acute care makes a lot of sense given that the responsibility for quality, and the risk, has heretofore been borne primarily by hospitals.
The largest health system in southeast Texas has agreed to pay $1.9 million to resolve allegations that between 2009 and 2014 the system billed Medicare for surgeries performed on an inpatient basis that could have been performed as outpatient or observation.
Without knowing more than the details released by the U.S. Attorney or the response from Memorial Hermann leadership, it's a pretty good guess that the lesson other healthcare providers can take away from this is the same as in other cases involving use of observation status versus inpatient admissions. Ensure the documentation supporting the medical decision making is explicit and clearly supports the services rendered, or in the case of planned surgeries or admissions, clearly supports the rationale for the place of service. This is especially important for any service that Medicare allows to be performed on an outpatient basis. The CMS policies with respect to observation services, for example, are full of caveats regarding professional judgement.
Beyond documentation, the Memorial Hermann case is just another case for compliance leaders to cite when justifying the ROI in their FY19 budget line items pertaining to proactive, internal clinical documentation and coding/billing audits.
The saga of failing rural hospitals is made all the more distressing by the report of unscrupulous consultants seemingly swooping in to save the day, only to seal the financial fate of struggling facilities. The latest case in point comes from Missouri, where State auditors discovered a failing hospital appears to have been duped into serving as a 'shell company' for a management company that promised a solution to right their finances.
The CityMD case article follows a recent announcement from the DOJ regarding a Long Island Pediatrics practice agreeing to pay $750,000 to settle similar False Claims Act allegations in respect to improperly billing services for physicians not enrolled in the Medicaid program under the NPI of a physician who was enrolled.
The basis for the CityMD case is that the multi-site Urgent Care provider billed falsely because the Medicare claim reflected an NPI of a provider other than the individual rendering the service. Per Commins (2018, May 4), "CityMD employed a number of physicians who were not credentialed with the Medicare program at the time CityMD billed Medicare for their services."
These recent cases emphasize the importance of credentialing and enrollment processes. While operationally, shortcutting the enrollment process is tempting when there are clinical shifts to cover, the financial risks are significant. Partnering with a Credentials Verification Organization (CVO), like VantagePoint HealthCare Advisors, can help providers mitigate risks and stay in compliance.
The HIPAA Breach Notification Rule requires covered entities to notify the Office for Civil Rights (OCR) within 60 days of discovery for any data breach involving protected health information (PHI) of 500 individuals or more. The class action lawsuit filed against UnityPoint Health on May 4, 2018 demonstrates that sometimes it's not the incident itself, it's how a healthcare organization handles a breach that matters. At issue is the late notice to impacted patients and the OCR, as well as a cavalier approach to accurately identifying the nature and scope of the PHI disclosed. To pile on, the decision by UnityPoint to forgo offering individuals free credit monitoring is one of those penny-wise and pound-foolish decisions that seems to have inspired an attorney to take up the case.
Overall, the healthcare industry performed second worst for security awareness, just ahead of the hospitality industry, with the survey highlighting several areas of weakness that could potentially be exploited by cybercriminals to gain access to healthcare networks and sensitive data.
With the continuing integration of hospitals and outpatient services into health systems unabated, as well as mergers of providers, payers, and even retail pharmacy chains in the mix, now is the time to finally address the overlapping and conflicting requirements of HIPAA and 42 CFR Part 2. Even if a HIPAA covered entity doesn't offer services qualifying as a Part 2 program, the widespread impact of the opioid crisis has made it increasingly likely that many hospitals and medical providers have become what 42 CFR Part 2 defines as a lawful holder. Lawful holders must figure out how to compliantly track and manage those parts of the patient medical record that contain Part 2 protected information and ensure they abide by Part 2, not HIPAA, in respect to what may be a very minute part of their overall business.
Organizations that do have Part 2 programs have a different set of compliance challenges in respect to exchanging information for continuity of care. HIPAA allows this without specific patient authorization; Part 2 requires consent except in cases of bona fide emergency. HIPAA requires revocation of authorization in writing; Part 2 requires providers to accept verbal revocation if the patient is unable or refuses to put it in writing. I could go on and on. The 21st Century Cures Act imposes obligations on providers to attest that they are not blocking the exchange of data or putting up barriers to Health Information Exchange (HIE). How is that going to work when Part 2 protected records are commingled in an integrated care setting? Congress is considering resolving these conflicts through the Overdose Prevention and Patient Safety Act. Hopefully partisan concerns won't gridlock this legislation and a common sense set of protections that continue to protect patient privacy and do not impede patient care will be the result.
The government alleges New Era double billed Medicaid for services to patients fighting methadone addiction. It claims the rehab center got paid a weekly “bundled rate” that covered intake evaluations, on-site drug abuse testing and monitoring, initial physical examinations and counseling services for individuals, groups and families.
Administrator Seema Verma told attendees at the Health Datapalooza meeting, in Washington, D.C., last week that her agency is considering whether providers “should be required to share health data with patients as a condition of participation in Medicare.”
The first three months of 2018 have seen 77 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Those breaches have impacted more than one million patients and health plan members – almost twice the number of individuals that were impacted by healthcare data breaches in Q4, 2017.