Some Board Members at UMMS Violated COI Policy

According to a June 12, 2019 report prepared for University of Maryland Medical System by Nygren Consulting, LLC, senior leaders made deals with board members that weren’t always competitively bid or declared necessary by the full board. Among these agreements included a consulting arrangement with the audit and compliance committee chairman that included a $15,000/month retainer and the process used to execute the agreement did not comply with the organization’s procurement policies. In another case, the former CEO facilitated the UMMS purchase of then-Baltimore Mayor Catherine Pugh’s self-published book series, Health Holly. That arrangement, worth approximately a half million dollars, is being investigated by the U.S. Attorney’s Office for the District of Maryland.

Internal organizational dynamics, including the division of compliance versus legal department span of control and the length of tenure of the CCO can contribute to gaps in monitoring activities and educating board members. Engaging an impartial, outside entity to conduct a compliance program effectiveness review is one method healthcare organizations can use to detect the types of inappropriate senior leader/board member arrangements and board COI policy inconsistencies identified as root causes in the UMMS case.

Medicare Online System Changes – Is Your Organization Ready?

In an effort to improve identification and security controls, CMS is adding an extra layer of protection to their online applications and rolling out phased Multi-Factor Authentication (MFA) beginning in September.  MFA is a security measure that requires a user to enter more than one method of verification to authenticate their identity prior to accessing a system.  All system users, including providers, authorized and delegated officials and designated support staff will be required to associate a MFA device such as a cell phone or email address to their account within the next month.  Impacted electronic systems include I&A (Identity & Access), NPPES, PECOS and EHR/HITECH (EHR incentive program).      

This change will have wide-ranging implications for all system users and will prompt providers and organizational representatives to take a more active role in the enrollment, maintenance and reporting process.

The I&A system is the launching pad for all electronic system access points.  An I&A account and login is the gateway that will enable a provider or organization (and their authorized representatives) to manage enrollments, reassignments, information, and submit changes for NPPES, PECOS and HITECH activities.  With CMS implementing these security features, all users will need to authenticate themselves each time they sign into the I&A system to update their password (be mindful - passwords have a 60-day shelf life), change user assignments, or manage connections.  Additionally, as time progresses, users will need to authenticate themselves each time they sign into NPPES , PECOS and HITECH.

CMS has established the following timeline for these changes, with the goal of all access points for I&A, NPPES and PECOS being fully incorporated under MFA by June 2020:

I&A – September 2019

NPPES – December 2019

PECOS – April 2020

HITECH - TBD  

 

Upcoming Lorman Webinar Features VantagePoint Senior Consultant

The Challenges of the Hybrid Medical Records… Its Impact on Clinical, Coding, and Fiscal Outcomes
September 18, 2019
1:00PM EST - 2:30PM EST

The Health Information Technology for Economic and Clinical Health Act (HITECH) was signed into law on February 17, 2009 with the goal of promoting widespread adoption and meaningful use of Electronic Health Records (EHRs). While hybrid medical records were recognized initially as a natural but transitory phase leading to fully electronic records, a decade after the HITECH Act, hybrid medical records persist as the reality for pockets of health care providers across the continuum of care. Through the lens of typical scenarios health care organizations and provider types still utilizing hybrid medical records experience, Regina Alexander, FACHE, CHC, HCS-D, HCS-H will share the revenue cycle, clinical, and compliance implications of hybrid medical records. Practical insights shared will also help attendees identify opportunities to minimize risk in their own organizations.

Attendees of the 90-minute live presentation may submit for 1.5 CEUs ACHE Qualified Education Credit. The live webinar is also approved for 1.5 points toward HFMA certification maintenance and for CLE credits in the States detailed on the Lorman site announcement linked below.

Register online: http://www.lorman.com/405343?discount_code=U4201137&p=15999
Call: 866-352-9539

VantagePoint HealthCare Advisors has been authorized by Lorman to share a discount code with our connections.
Discount code: U4201137
Priority code: 15999

HHS OIG Report Highlights 25 Unimplemented Recommendations to Reduce FWA

The Office of Inspector General (OIG) within the U.S. Department of Health and Human Services (HHS) recently released their list of top unimplemented recommendations. The HHS OIG recommendations are based on the department’s observations culled from conducting their auditing and enforcement function to protect the integrity of government health care programs.

Unimplemented HHS OIG recommendations that if implemented by CMS would most directly impact healthcare provider financial, operations, and compliance programs includes:

  • The HHS OIG has found persistent confusion exists regarding time counted toward 3-day hospital admission requirement among SNF providers. CMS should reanalyze the potential impacts of counting time spent as an outpatient toward the 3-night requirement for SNF Medicare coverage.

  • Based on audit recoveries, the HHS OIG recommends TCMS should implement the statutory requirement for $50,000 surety bonds for Home Health Agencies enrolled as Medicare providers and consider doing the same for other provider types.

  • The HHS OIG has observed there are limited options to sanction hospice providers with serious deficiencies and recommends CMS should seek statutory authority to establish additional remedies for hospices with poor performance.

  • Due to payment incentives that have resulted in admissions that did not meet medical necessity requirements, the HHS OIG recommends CMS should reevaluate the IRF payment system, which could include seeking legislative authority to make any changes necessary to more closely align IRF payment rates and costs.

False Claims Act settlements reach $750 million mark for first 6 months of 2019

The U.S. Department of Justice has settled cases for more than $750 million in under the False Claims Act in the first half of 2019. The pace and dollar amount of settlements indicate 2019 settlements are on track to exceed 2018 activity. According to Business Insurance News, “The DOJ secured most of its FCA recoveries from enforcement actions involving health care and life sciences entities. It said cases alleging violations of the Anti-Kickback Statute and the Stark Law, which generally prohibit various types of remunerative arrangements with health care providers, continued to predominate.”

CMS publishes 2018 Open Payments Data

On June 28, 2019, The Centers for Medicare and Medicaid Services (CMS) published 2018 program year Open Payments data, along with newly submitted and updated payment records for previous program years. Collectively, eligible manufacturers and group purchasing organizations reported $9.35 billion in payments and ownership and investment interests conferred to physicians and teaching hospitals between January 1 and December 31, 2018. The total amount is comprised of 11.40 million total data records attributed to 627,392 physicians and 1,180 teaching hospitals. The public can view the data at OpenPaymentsData.CMS.gov

Unknown- Unknowns: Hidden Risks of Credentialing, Privileging & Enrollment

Verifying the credentials of and enrolling new providers in health plans requires collecting extensive information from them and the efficiency (or inefficiency) of the process can make or break the provider’s first impression of the organization. Beyond annoying the new provider an organization worked so hard to recruit; fragmented credentialing, privileging and enrollment processes also create compliance risks, barriers to care, and claim denials. Former U.S. Secretary of Defense Donald Rumsfeld famously mused, “There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.” Through our work as both a consulting firm and a certified Credentials Verification Organization (CVO) providing services for all types of healthcare organizations, including physician groups, hospitals, systems, and health plans, VantagePoint HealthCare Advisors has encountered clients generally experiencing one or more ‘unknown-unknowns’ in the realm of credentialing or enrollment prior to engaging us.

Moonlighting

            Are your organization’s providers moonlighting somewhere or even moonlighting within your organization? The Cambridge English Dictionary defines moonlighting as additional paid work, “especially without telling your employer”. For operational efficiency and to provide comprehensive care, many specialties and types of facilities may elect to employ providers for just a few hours each month. Urgent Care Centers, Federally Qualified Health Centers, Walk-in Centers, and Substance Abuse Treatment clinics frequently employ moonlighters. Organizations that are unaware of their providers side-gigs face an increased risk a moonlighting provider may have an “issue” at his or her other job, leading the moonlight employer to experience compliance exposure due to malpractice claims, license or DEA lapses, or exclusion from a government payer. The risks associated with the moonlighting ‘unknown’ can include loss of accreditation or even recoupment of all government payments for all services provided.

            Moonlighting within the same organization is an ‘unknown’ risk for health systems and provider groups with locations in several states or multiple locations in the same state with different tax identification numbers (TINs), particularly if credentialing and enrollment process are not centralized or coordinated. For example, while it may seem like a quick fix to employ a physician from another hospital or provider group (different TIN) within the same system to cover clinical shifts on weekends, unless the moonlighting provider is enrolled with health plans at that location and under the TIN of the moonlight employer, any claims with the moonlighting provider as rendering may deny. The multi-state issue comes into play in respect to DEA licenses and State medical licensing. Even if a provider from within the same organization is covering another location across State lines for just one shift a month and he or she happens to have a valid license to practice in that State, he or she may only have a DEA license tied to the full-time practice State and not the ‘moonlighting’ State and the Federal DEA may also only be for the full-time State address.

            More commonly, providers moonlight for another organization or provider group. Sometimes the provider shares this information with the full-time employer, but not always, making this a perennial unknown. While each organization employing the same provider must follow their own policies and procedures for privileging, the moonlighting employer may be able to preempt a full credentialing with health plans if the moonlighting provider is already participating with their full-time employer. Unfortunately, much effort and time can be wasted when all that needed to happen was ‘linking’ the moonlighter to the roster of participating providers. Another ‘unknown’ risk of moonlighting lies with maintaining CAQH profiles. If more than one CVO or employer is changing or updating information in the provider’s CAQH profile, conflicts and employment information discrepancies can result.

Prescribing

            Are your organization’s newly credentialed providers prescribing for patients before their payer enrollments are confirmed? Organizations and physician groups are understandably eager to onboard newly contracted providers as soon as possible to fill urgent clinical coverage needs. While the credentialing and privileging process can be expedited and condensed to a few weeks in an urgent situation, the Medicare and Medicaid enrollment timeline is fixed at 30-45 days and the commercial health plan enrollment process can stretch to 90 days or more for newly licensed providers or those transferring from another State. Payers may agree to backdate enrollment effective dates for the purpose of claim payment, but the courtesy doesn’t apply to ordering, prescribing, or referring.

            A license to prescribe meets the requirements of State law; however, unless the provider is fully enrolled with the payer, the payer is not obligated to reimburse for any care or referrals, including therapy, pharmaceuticals, or durable medical equipment (DME), that the provider prescribed for the beneficiary or plan member prior to a confirmed enrollment. The burden of appealing the denial falls to the patient in these cases, which isn’t an ideal outcome if patient satisfaction is a priority.

Claim Denials

            ‘Provider Not Enrolled’-type claim denials come in many flavors and most aren’t really about enrollment. Managing denials usually falls to billing staff, but how much do they know about the organization’s credentialing and enrollment processes? Are denials worked in a silo? Clues that enrollment processes are siloed or communication with the billing office may be broken include 'non-credentialed' staff or similar being a common denial reason for newly on-boarded and payer approved providers. Or worse yet, one claim is denied as “provider not enrolled” for a patient that has been seeing the provider (who has been with the group for five years) every three months for the last year.

 Denial codes aren’t universal, nor always appropriately applied by the payer. Different denial reason descriptions from the same payer can seem to communicate the same idea but aren’t enrollment related at all. For example, ‘Provider not active for plan on DOS’ and ‘Provider not eligible to be paid for this procedure/service on this DOS’ may sound like the same issue, but revenue cycle staff shouldn’t assume the root cause is the same. The first could be enrollment related while the second may indicate that the service was inclusive within another procedure.

Hybrid or Paper-based Processes

            Credentialing and enrollment processes require providers submit documentation containing personal information that if exposed could lead to identity theft of the clinician. Who is making sure the information stored in multiple places and mediums (paper, spreadsheets on desktops, network wide applications) is protected while still being accessible? Beyond paper being cumbersome to manage and a potential security concern, hybrid processes involving various methods create compliance risks in respect to lack of audit trails, timely recredentialing or revalidations, ensuring the facility has current licensure for each clinician, as well as that there have been no changes to malpractice claims nor OIG exclusions.

            Electronic systems have a distinct advantage over paper or spreadsheet tracking methods in respect to keeping up with revalidation for PECOS and Medicaid. The five-year revalidation timeline isn’t necessarily five years to the day of initial enrollment. At VantagePoint, we’ve observed an organization can enroll three new providers simultaneously and the revalidations will be due on different dates. Provider recredentialing for commercial payers runs on a three-year cycle but doesn’t necessarily coincide with the date a provider is first enrolled with an organization if that provider has been previously linked to another organization’s contract (or is moonlighting!). VantagePoint’s credentialing specialists have noted from experience that it’s entirely possible to enroll a ‘new’ provider to an organization and then recredentialing for that same provider must be completed just a few months later. For larger organizations with frequent turnover or dozens to hundreds of providers, hybrid or paper processes are too cumbersome to efficiently manage and comply with the timeliness required for the recredentialing and revalidation cycle.   

Eliminating Unknowns

            Size and type of organization influences the complexity and work effort associated with maintaining effective credentialing and enrollment processes. Moonlighting, prescribing prior to enrollment, claim denials, and paper-based/hybrid processes are potential ‘unknowns’ representing a veritable kitchen sink full of compliance risks, barriers to care, and claim denials.  With industry changes such as narrowing networks, mergers, and other disruptions it is important to not only keep up with the changes but anticipate enhanced scrutiny and mitigate it. VantagePoint’s experience partnering with all types of healthcare organizations, including physician groups, hospitals, systems, and health plans confirms that the strategy of deploying a comprehensive credentialing program that includes primary source verification can improve patient satisfaction, reduce unnecessary expenses related to legal issues, ensure best practice revenue cycle management, support compliance efforts, and most importantly, eliminate ‘unknowns’.

About the Author:

Susan Prior, CHC, is President & Chief Operating Officer of VantagePoint. She is responsible for VantagePoint’s daily operations, including credentialing, enrollment, and primary source verification (PSV) services.       

Home Health PDGM Winners and Losers: State Level Data

With just over 6 months until the new Patient Driven Grouping Model (PDGM) goes into effect, the home health industry is awash in a sea of comparative data. State-level comparisons of 2017 CMS, and HHGM PPS data project overall reimbursement for home health services to fall under PDGM in some states and rise incrementally in others.

For example, states expected to experience the most significant payment reductions under PDGM in 2020 if 2017 case mix trends hold true include: Colorado (-11.3%), Idaho (-11.4%), South Dakota (- 11.2%), Utah (- 9.2%), Florida (-8.4%), Nevada (-8%), and Wyoming (-6.4%). Potential winners, those states whose data indicates the projected highest increased overall home health revenue based on 2017 data, include Mississippi (+ 7.8%), New York (+ 5.2%), Oklahoma (+6.5%), California (+ 4.7%), and Louisiana (+ 6.7%). With respect to regional impact, New England States data shows more consistency: Connecticut (+ 1.2%), Massachusetts (+ 3.1%), Maine (-0.9%), New Hampshire (+ 0.8%), Vermont (+ 4.8%), and Rhode Island (- 1.5%)

2019 Verizon Data Breach Investigation Report Findings

HIPAA Journal recently summarized key findings of the annual Verizon Data Breach Investigation Report. While the report is not specifically focused on healthcare, the trends at a macro level do seem to align with the types of breaches and cyber vulnerabilities that the healthcare industry news is rife with week after week.

Relevant findings include:

  • Financially motivated breaches fell from 76% to 71%

  • Phishing is involved in 32% of breaches and 78% of cyber-espionage incidents

  • 90% of malware arrived via email

  • 60% of web application attacks were on cloud-based email servers

  • Most email threats and BEC attacks only resulted in data breaches because multi-factor authentication had not been implemented

  • 52% of cyberattacks involve hacking

  • 34% of attacks involved insiders

Lack of ICD-10-CM Coding Expertise May Come Back to Haunt Some Home Health Agencies

Much has been written about the potential for negative financial impact of the CMS Home Health Patient Driven Groupings Model (PDGM) set to take effect on January 1, 2020, particularly for Home Health Agencies (HHA) with a high percentage of revenue from therapy services. Indeed, it feels like the predictions of doom and gloom circa 2014-2015 surrounding the transition to ICD-10-CM all over again. It feels that way in part due to the drumbeat of industry articles, webinars, and guidebooks coming out to capitalize on the transition to PDGM.

In the swirl and hand wringing surrounding the transition to PDGM, the comparison to the ICD-10-CM transition is apt. Just as post-acute healthcare providers were left behind in the great gold rush of Meaningful Use incentives and are subsequently rushing to catch up in the era of interoperability because of under-investing in EHR technology; post-acute healthcare providers in general under-invested in developing internal ICD-10-CM expertise. This was a rational act, particularly on the part of HHAs, based on how Medicare has processed HHA claims.

While CMS has maintained a ‘Questionable Encounters’ (QE) list based on diagnosis codes that do not support home health services, imprecise primary diagnosis code, inaccurate sequencing or missing assignment of comorbidity codes on the claim has not had a significant impact on claim acceptance or reimbursement under the current HHGM model. Under PDGM, imprecise or incorrect coding of primary diagnosis and missing or inaccurate secondary diagnosis, depending on the issue, can result in claims returned for re-coding, lower reimbursement due to missing out on comorbidity adjustments, and an impact on the case mix for the episode. Indeed, some analysis of the current HHGM QE data indicates approximately 60% of home health episodes are currently billed with a HHGM QE diagnosis and these codes do not have a clinical grouping under PDGM.

Home Health Agencies have a lot to do before the transition to PDGM on January 1, 2020. While PDGM factors such as episode timing and referral source are important to analyze and plan for the revenue impact, and the OASIS still looms large as a factor with respect to resource use and patient functional impairment level, if HHAs do little else, having a plan to improve existing internal diagnosis coding expertise through training ASAP and/or adding certified coders to the mix may be just enough to avoid the most immediate anticipated consequences of the transition.

Barriers and Uncertainty Stymie Growth of Telehealth Services

While government and commercial payer reimbursement for telehealth services has expanded significantly in recent years, there is a gap between the number and specialities of physicians expressing interest in offering the service and those who have followed through. According to Leventhal (2019, April 16), “Physician barriers to telehealth include: uncertainty around reimbursement, questions about clinical appropriateness, lack of physician buy-in, poor leadership support.”

CMS has relaxed some of the requirements for Medicare reimbursement of telehealth services through expanded definitions of originating site and eligible geographic areas; however, providers must be cognizant of the compliant use and documentation required to support the billable codes (see Medicare Learning Network publication ICN 901705, January 2019).

The Unknown-Unknowns of Credentialing, Privileging and Enrollment

Verifying the credentials of and enrolling new providers in health plans requires collecting extensive information from them and the efficiency (or inefficiency) of the process can make or break the provider’s first impression of the organization. Beyond annoying the new provider an organization worked so hard to recruit; fragmented credentialing, privileging and enrollment processes also create compliance risks, barriers to care, and claim denials. Former U.S. Secretary of Defense Donald Rumsfeld famously mused, “There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.” Through our work as both a consulting firm and a certified Credentials Verification Organization (CVO) providing services for all types of healthcare organizations, including physician groups, hospitals, systems, and health plans, VantagePoint HealthCare Advisors has encountered clients generally experiencing one or more ‘unknown-unknowns’ in the realm of credentialing or enrollment prior to engaging us.

Moonlighting

            Are your organization’s providers moonlighting somewhere or even moonlighting within your organization? The Cambridge English Dictionary defines moonlighting as additional paid work, “especially without telling your employer”. For operational efficiency and to provide comprehensive care, many specialties and types of facilities may elect to employ providers for just a few hours each month. Urgent Care Centers, Federally Qualified Health Centers, Walk-in Centers, and Substance Abuse Treatment clinics frequently employ moonlighters. Organizations that are unaware of their providers side-gigs face an increased risk a moonlighting provider may have an “issue” at his or her other job, leading the moonlight employer to experience compliance exposure due to malpractice claims, license or DEA lapses, or exclusion from a government payer. The risks associated with the moonlighting ‘unknown’ can include loss of accreditation or even recoupment of all government payments for all services provided.

            Moonlighting within the same organization is an ‘unknown’ risk for health systems and provider groups with locations in several states or multiple locations in the same state with different tax identification numbers (TINs), particularly if credentialing and enrollment process are not centralized or coordinated. For example, while it may seem like a quick fix to employ a physician from another hospital or provider group (different TIN) within the same system to cover clinical shifts on weekends, unless the moonlighting provider is enrolled with health plans at that location and under the TIN of the moonlight employer, any claims with the moonlighting provider as rendering may deny. The multi-state issue comes into play in respect to DEA licenses and State medical licensing. Even if a provider from within the same organization is covering another location across State lines for just one shift a month and he or she happens to have a valid license to practice in that State, he or she may only have a DEA license tied to the full-time practice State and not the ‘moonlighting’ State and the Federal DEA may also only be for the full-time State address.

            More commonly, providers moonlight for another organization or provider group. Sometimes the provider shares this information with the full-time employer, but not always, making this a perennial unknown. While each organization employing the same provider must follow their own policies and procedures for privileging, the moonlighting employer may be able to preempt a full credentialing with health plans if the moonlighting provider is already participating with their full-time employer. Unfortunately, much effort and time can be wasted when all that needed to happen was ‘linking’ the moonlighter to the roster of participating providers. Another ‘unknown’ risk of moonlighting lies with maintaining CAQH profiles. If more than one CVO or employer is changing or updating information in the provider’s CAQH profile, conflicts and employment information discrepancies can result.

Prescribing

            Are your organization’s newly credentialed providers prescribing for patients before their payer enrollments are confirmed? Organizations and physician groups are understandably eager to onboard newly contracted providers as soon as possible to fill urgent clinical coverage needs. While the credentialing and privileging process can be expedited and condensed to a few weeks in an urgent situation, the Medicare and Medicaid enrollment timeline is fixed at 30-45 days and the commercial health plan enrollment process can stretch to 90 days or more for newly licensed providers or those transferring from another State. Payers may agree to backdate enrollment effective dates for the purpose of claim payment, but the courtesy doesn’t apply to ordering, prescribing, or referring.

            A license to prescribe meets the requirements of State law; however, unless the provider is fully enrolled with the payer, the payer is not obligated to reimburse for any care or referrals, including therapy, pharmaceuticals, or durable medical equipment (DME), that the provider prescribed for the beneficiary or plan member prior to a confirmed enrollment. The burden of appealing the denial falls to the patient in these cases, which isn’t an ideal outcome if patient satisfaction is a priority.

Claim Denials

            ‘Provider Not Enrolled’-type claim denials come in many flavors and most aren’t really about enrollment. Managing denials usually falls to billing staff, but how much do they know about the organization’s credentialing and enrollment processes? Are denials worked in a silo? Clues that enrollment processes are siloed or communication with the billing office may be broken include 'non-credentialed' staff or similar being a common denial reason for newly on-boarded and payer approved providers. Or worse yet, one claim is denied as “provider not enrolled” for a patient that has been seeing the provider (who has been with the group for five years) every three months for the last year.

 Denial codes aren’t universal, nor always appropriately applied by the payer. Different denial reason descriptions from the same payer can seem to communicate the same idea but aren’t enrollment related at all. For example, ‘Provider not active for plan on DOS’ and ‘Provider not eligible to be paid for this procedure/service on this DOS’ may sound like the same issue, but revenue cycle staff shouldn’t assume the root cause is the same. The first could be enrollment related while the second may indicate that the service was inclusive within another procedure.

Hybrid or Paper-based Processes

            Credentialing and enrollment processes require providers submit documentation containing personal information that if exposed could lead to identity theft of the clinician. Who is making sure the information stored in multiple places and mediums (paper, spreadsheets on desktops, network wide applications) is protected while still being accessible? Beyond paper being cumbersome to manage and a potential security concern, hybrid processes involving various methods create compliance risks in respect to lack of audit trails, timely recredentialing or revalidations, ensuring the facility has current licensure for each clinician, as well as that there have been no changes to malpractice claims nor OIG exclusions.

            Electronic systems have a distinct advantage over paper or spreadsheet tracking methods in respect to keeping up with revalidation for PECOS and Medicaid. The five-year revalidation timeline isn’t necessarily five years to the day of initial enrollment. At VantagePoint, we’ve observed an organization can enroll three new providers simultaneously and the revalidations will be due on different dates. Provider recredentialing for commercial payers runs on a three-year cycle but doesn’t necessarily coincide with the date a provider is first enrolled with an organization if that provider has been previously linked to another organization’s contract (or is moonlighting!). VantagePoint’s credentialing specialists have noted from experience that it’s entirely possible to enroll a ‘new’ provider to an organization and then recredentialing for that same provider must be completed just a few months later. For larger organizations with frequent turnover or dozens to hundreds of providers, hybrid or paper processes are too cumbersome to efficiently manage and comply with the timeliness required for the recredentialing and revalidation cycle.    

Eliminating Unknowns

            Size and type of organization influences the complexity and work effort associated with maintaining effective credentialing and enrollment processes. Moonlighting, prescribing prior to enrollment, claim denials, and paper-based/hybrid processes are potential ‘unknowns’ representing a veritable kitchen sink full of compliance risks, barriers to care, and claim denials.  With industry changes such as narrowing networks, mergers, and other disruptions it is important to not only keep up with the changes but anticipate enhanced scrutiny and mitigate it. VantagePoint’s experience partnering with all types of healthcare organizations, including physician groups, hospitals, systems, and health plans confirms that the strategy of deploying a comprehensive credentialing program that includes primary source verification can improve patient satisfaction, reduce unnecessary expenses related to legal issues, ensure best practice revenue cycle management, support compliance efforts, and most importantly, eliminate ‘unknowns’.

About the Author:

Susan Prior, CHC, is President & Chief Operating Officer of VantagePoint. She is responsible for VantagePoint’s daily operations, including credentialing, enrollment, and primary source verification (PSV) services.       

MedPAC to Recommend CMS Revisit Emergency Department Coding

According to King (2019, March 7), “In 2005, level five ED visits made up about 10% of all ED visits to hospitals, according to a MedPAC analysis of cost statistics from the CMS. But in 2017, the number of level five visits increased to 30%.” Currently, CMS has no national guideline for reporting ED visits; therefore, auditing ED Medicare claims is challenging. Hospitals are permitted to establish internal policies and procedures based on American Hospital Association, the American College of Emergency Physicians or other guidelines for coding. MedPAC is also expected to propose claims for Medicare patients ultimately receiving non-emergency care in emergency room settings should be coded and billed similar to an outpatient clinic visit.

Business Associate Agreements: Is BAA Compliance on Your 2019 Work Plan?

The HIPAA Privacy Rule requires Covered Entities enter into written contracts with Business Associates. A Business Associate Agreement (BAA) outlines the expectations of the Covered Entity with respect to how the Business Associate will protect the privacy of protected health information (PHI). The HITECH Act and the Omnibus Final Rule expanded the liability of Covered Entities for breaches by Business Associates. Furthermore, per §13410 of the HITECH Act, a Business Associate is now directly liable for uses and disclosures of PHI that are not in accordance with its BAAs or HIPAA’s rules. According to data available at the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal, Business Associates were responsible for forty-four (44) of the 280 incidents reported in CY2018 for breaches impacting 500 or more individuals.[1]

The absence of a HIPAA compliant BAA with any eligible vendor places a Covered Entity at risk for being found out of compliance with 45 CFR 164.504(e). To emphasize the importance of compliance, the HHS Office of Civil Rights (OCR) released the phase two (2) audit protocol in 2016 and subsequently updated in July 2018.[2] The updated protocol focuses on Covered Entity and Business Associate compliance with select requirements, including the presence of compliant agreements.

Examples of penalties imposed by the HHS OCR as the result of absent or deficient BAAs include[3]:

  • April 20, 2017: Center for Children’s Digestive Health (CCDH) fined $31,000 for being unable to produce a valid BAA prior to October 12, 2015 for a vendor CCDH had exchanged PHI with since 2003.

  • December 4, 2018: Advanced Care Hospitalists PL (ACH) settles with OCR and pays $500,000 over allegations of sharing PHI with an unknown vendor without a BAA.

  • February 7, 2019: Cottage Health pays $3 million to settle multiple allegations regarding lack of compliance with HIPAA Rules, including failing to obtain a written BAA with a vendor maintaining ePHI on its behalf.

Business Associate Agreements are often an after thought during the contracting process because the primary focus is on the terms and conditions, as well as operational aspects of the contract and getting the project implemented. Complicating the matter with respect to managing compliance with HIPAA BAA requirements is legacy agreements that may have not been updated with HITECH provisions, incomplete execution of agreements, lack of a central repository, and inconsistent breach notification expectations. The trend in OCR enforcement actions as highlighted above is reason enough for Covered Entities and Business Associates alike to prioritize BAA related clean-up projects.

[1] https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

[2] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html

[3] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html

Data versus Information: CMS, ONC, and the Push for Freer Flow of Data

CMS Administrator Seema Verma made news in healthcare industry circles with her impassioned speech at HIMSS19 regarding data sharing and interoperability. Administrator Verma touted the accomplishments of CMS in this arena, including Blue Button 2.9 and Medicare claims data being made available to 40 million beneficiaries. Verma went on to propose that commercial payer take CMS lead by sharing health claims data and other important information electronically with their patients , something that may become a requirement if proposed rules are adopted.

Interoperability, Health Information Exchange (HIE), and data sharing appear to be the hot topics making news at HIMSS19. Additional announcements included the long-awaited 21st Century Cures Act data-blocking guidance from the ONC. All this focus on exchanging data and providing more patient access begs the question of what is really meant by ‘data’ and how in practice the increased access to it will really empower patients.

The words ‘data’ and ‘information’ are often used interchangeably but the distinction matters insofar as utility. Merriam Webster defines Data as (1) factual information (such as measurements or statistics) used as a basis for reasoning, discussion, or calculation, (2) information in digital form that can be transmitted or processed , and (3) information output by a sensing device or organ that includes both useful and irrelevant or redundant information and must be processed to be meaningful. Alternatively, Merriam Webster defines Information as (1) the communication or reception of knowledge or intelligence and (2) knowledge obtained from investigation, study, or instruction.

The definitions matter with respect to assertions regarding patient access/empowering patients and EHRs, interoperability, and HIE because pure data alone is not particularly useful to patients; whereas information (by definition) is useful. EHRs contain both codified data and unstructured data. The unstructured data, generally found in narrative format reports like office visit notes, consultations, and discharge summaries provide useful information to patients because the author (physician or APP) had synthesized all the data (lab values, vitals, radiology studies etc.) into a summary of findings, care interventions, and with diagnosis that conveys meaning, all in a human-readable format. While it’s admirable that CMS has made claims data accessible to beneficiaries, what is the utility? A professional claim form has 33 boxes, most of the entries are codes. Is this useful to the average patient? Or does it simply meet #3 in Merriam Webster’s definition of data- useful and irrelevant that must be processed to be meaningful.

All ONC certified EHR technology that met Meaningful Use criteria must be capable of exchanging certain minimum elements of codified data and diagnostic test results. CMS has touted accomplishments around unleashing data, and the ONC has issued proposed guidance around data blocking. From data, information should (eventually) flow. Perhaps it is the first step to get somewhere actually ‘meaningful’ as the HITECH Act framers intended?

2018: A Record Year for Healthcare and Consumer Data Breaches

Hackers stole nearly 447 million consumer records containing personally identifiable information (PII) last year. According to Weisbaum (2019, February 4), “Data breaches are now a normal, everyday occurrence”. One cause cited for the seemingly daily reports of data breaches is the use of Facebook logon credentials increasingly used as a token to access multiple platforms.

2018 was also a record year for both number of patients impacted by healthcare data breaches, as well as the dollar value of fines imposed by the HHS Office of Civil Rights (OCR). In 2018, OCR HIPAA-related fines and settlements totaled $28,683,400. According to OCR data, with the exception of 2015, since 2009, the number of healthcare data breaches has steadily increased each year.

Over $25 million in HIPAA-Related fines in 2018 - What's Ahead for 2019?

2018 was memorable year in the healthcare industry for a variety of reasons, including enforcement activities. The HHS OIG’s unprecedented Fraud Takedown resulted in the OIG charging more than 600 defendants in 58 federal districts with participating in fraud schemes involving about $2 billion in losses to Medicare and Medicaid. Not to be outdone, the HHS Office of Civil Rights (OCR) had a record-breaking year with respect to HIPAA violation settlements and Civil Monetary Penalties. In September 2018, a trio of hospitals gained notoriety for their settlement with the OCR over allegations related to allowing a film crew to record patients without their consent. In October 2018, the single largest penalty of the year, $16 million, was levied against Anthem for a 2015 data breach impacting 78,800,000 plan members.

If the 2018 enforcement actions and fines imposed by State Attorneys General are any type of crystal ball into what 2019 may hold, HIPAA covered entities should consider their liabilities under State law as further support for refreshing their commitments to HIPAA compliance.

VantagePoint HealthCare Advisors 2018 Holiday Food Drive Exceeds Expectations

The VantagePoint HealthCare Advisors team came together again this year to collect non-perishable food items for the Connecticut Food Bank. Collectively, the staff contributed 205lbs of food, about 60lbs more than collected in 2017. Credentialing Specialists Margaux Martinez and Ingrid McManus coordinated the collection effort and kindly performed the heavy lifting duties. Between the food and monetary donations from remote staff, VantagePoint was able to provide over 200 meals for our neighbors in need.

Welcome EKRA to the Pantheon of Healthcare Fraud Laws

Healthcare Compliance Officers with oversight responsibilities that include a reference laboratory, SUD treatment facility, recovery home or related entity have something new to add to their 2019 compliance plans. EKRA, the Eliminating Kickbacks in Recovery Act of 2018 (Section 8122 of the SUPPORT Act) went into effect as of October 24, 2018.  EKRA is an all-payor anti-kickback law intended to address improper payments for patient referrals to recovery homes, clinical treatment centers, or clinical laboratories.  According to the National Law Review, “broad language enables the federal government to monitor provider arrangements intended to generate business for any laboratory services, not only those related to individuals in treatment for substance abuse disorders, payable by a federal health care program (“FHCP”) or commercial health insurer.”

Outrage often breeds legislation. The recent high-profile fraud and abuse cases involving questionable services at sober homes and the ‘great gold rush’ of laboratories capitalizing on demand for urine toxicology screening set the stage for EKRA.

10 Cents? The Going Rate for a Breached Social Security Number

On November 3, 2018, Inova Health System initiated the process of sending the HIPAA required breach notification letters to nearly 13,000 patients. The scoped of the data breach involving Inova’s billing system included patient names, addresses, birth dates, medical record details and Social Security numbers. Treatment information of a restricted number of patients was also possibly accessed. While many patients are most fearful of their social security numbers being exposed, recent research indicates the value of the SSN is shockingly low on the black market in contrast to the havoc and worry of potential identity theft . According to a Forbes article entitled Your Electronic Medical Records Could be Worth $1000 to hackers, Yao (2017, April 14) states “How much is your life worth to hackers? On the black market, the going rate for your social security number is 10 cents. Your credit card number is worth 25 cents. But your electronic medical health record (EHR) could be worth hundreds or even thousands of dollars.”