According to King (2019, March 7), “In 2005, level five ED visits made up about 10% of all ED visits to hospitals, according to a MedPAC analysis of cost statistics from the CMS. But in 2017, the number of level five visits increased to 30%.” Currently, CMS has no national guideline for reporting ED visits; therefore, auditing ED Medicare claims is challenging. Hospitals are permitted to establish internal policies and procedures based on American Hospital Association, American College of Emergency Physicians, or other guidelines for coding. MedPAC is also expected to propose that claims for Medicare patients ultimately receiving non-emergency care in emergency room settings should be coded and billed similarly to an outpatient clinic visit.
The HIPAA Privacy Rule requires Covered Entities to enter into written contracts with Business Associates. A Business Associate Agreement (BAA) outlines the expectations of the Covered Entity with respect to how the Business Associate will protect the privacy of protected health information (PHI). The HITECH Act and the Omnibus Final Rule expanded the liability of Covered Entities for breaches by Business Associates. Furthermore, per §13410 of the HITECH Act, a Business Associate is now directly liable for uses and disclosures of PHI that are not in accordance with its BAAs or HIPAA’s rules. According to data available at the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal, Business Associates were responsible for forty-four (44) of the 280 incidents reported in CY2018 for breaches impacting 500 or more individuals.
The absence of a HIPAA-compliant BAA with any eligible vendor places a Covered Entity at risk of being found out of compliance with 45 CFR 164.504(e). To emphasize the importance of compliance, the HHS Office of Civil Rights (OCR) released the phase two (2) audit protocol in 2016 and subsequently updated it in July 2018. The updated protocol focuses on Covered Entity and Business Associate compliance with select requirements, including the presence of compliant agreements.
Examples of penalties imposed by the HHS OCR as the result of absent or deficient BAAs include:
April 20, 2017: Center for Children’s Digestive Health (CCDH) fined $31,000 for being unable to produce a valid BAA prior to October 12, 2015 for a vendor CCDH had exchanged PHI with since 2003.
December 4, 2018: Advanced Care Hospitalists PL (ACH) settles with OCR and pays $500,000 over allegations of sharing PHI with an unknown vendor without a BAA.
February 7, 2019: Cottage Health pays $3 million to settle multiple allegations regarding lack of compliance with HIPAA Rules, including failing to obtain a written BAA with a vendor maintaining ePHI on its behalf.
Business Associate Agreements are often an afterthought during the contracting process because the primary focus is on the terms and conditions, the operational aspects of the contract, and getting the project implemented. Complicating compliance with HIPAA BAA requirements are legacy agreements that may not have been updated with HITECH provisions, incomplete execution of agreements, lack of a central repository, and inconsistent breach notification expectations. The trend in OCR enforcement actions highlighted above is reason enough for Covered Entities and Business Associates alike to prioritize BAA-related clean-up projects.
CMS Administrator Seema Verma made news in healthcare industry circles with her impassioned speech at HIMSS19 regarding data sharing and interoperability. Administrator Verma touted the accomplishments of CMS in this arena, including Blue Button 2.9 and Medicare claims data being made available to 40 million beneficiaries. Verma went on to propose that commercial payers follow CMS’s lead by sharing health claims data and other important information electronically with their patients, something that may become a requirement if proposed rules are adopted.
Interoperability, Health Information Exchange (HIE), and data sharing appear to be the hot topics making news at HIMSS19. Additional announcements included the long-awaited 21st Century Cures Act data-blocking guidance from the ONC. All this focus on exchanging data and providing more patient access begs the question of what is really meant by ‘data’ and how in practice the increased access to it will really empower patients.
The words ‘data’ and ‘information’ are often used interchangeably, but the distinction matters insofar as utility. Merriam Webster defines Data as (1) factual information (such as measurements or statistics) used as a basis for reasoning, discussion, or calculation, (2) information in digital form that can be transmitted or processed, and (3) information output by a sensing device or organ that includes both useful and irrelevant or redundant information and must be processed to be meaningful. Alternatively, Merriam Webster defines Information as (1) the communication or reception of knowledge or intelligence and (2) knowledge obtained from investigation, study, or instruction.
The definitions matter with respect to assertions regarding patient access/empowering patients and EHRs, interoperability, and HIE because pure data alone is not particularly useful to patients, whereas information (by definition) is useful. EHRs contain both codified data and unstructured data. The unstructured data, generally found in narrative-format reports like office visit notes, consultations, and discharge summaries, provide useful information to patients because the author (physician or APP) has synthesized all the data (lab values, vitals, radiology studies, etc.) into a summary of findings, care interventions, and diagnosis that conveys meaning, all in a human-readable format. While it’s admirable that CMS has made claims data accessible to beneficiaries, what is the utility? A professional claim form has 33 boxes, and most of the entries are codes. Is this useful to the average patient? Or does it simply meet #3 in Merriam Webster’s definition of data: useful and irrelevant information that must be processed to be meaningful?
All ONC certified EHR technology that met Meaningful Use criteria must be capable of exchanging certain minimum elements of codified data and diagnostic test results. CMS has touted accomplishments around unleashing data, and the ONC has issued proposed guidance around data blocking. From data, information should (eventually) flow. Perhaps it is the first step to get somewhere actually ‘meaningful’ as the HITECH Act framers intended?
Hackers stole nearly 447 million consumer records containing personally identifiable information (PII) last year. According to Weisbaum (2019, February 4), “Data breaches are now a normal, everyday occurrence”. One cause cited for the seemingly daily reports of data breaches is the increasing use of Facebook logon credentials as a token to access multiple platforms.
2018 was also a record year for both the number of patients impacted by healthcare data breaches and the dollar value of fines imposed by the HHS Office of Civil Rights (OCR). In 2018, OCR HIPAA-related fines and settlements totaled $28,683,400. According to OCR data, with the exception of 2015, since 2009, the number of healthcare data breaches has steadily increased each year.
2018 was a memorable year in the healthcare industry for a variety of reasons, including enforcement activities. The HHS OIG’s unprecedented Fraud Takedown resulted in the OIG charging more than 600 defendants in 58 federal districts with participating in fraud schemes involving about $2 billion in losses to Medicare and Medicaid. Not to be outdone, the HHS Office of Civil Rights (OCR) had a record-breaking year with respect to HIPAA violation settlements and Civil Monetary Penalties. In September 2018, a trio of hospitals gained notoriety for their settlement with the OCR over allegations related to allowing a film crew to record patients without their consent. In October 2018, the single largest penalty of the year, $16 million, was levied against Anthem for a 2015 data breach impacting 78,800,000 plan members.
If the 2018 enforcement actions and fines imposed by State Attorneys General are any type of crystal ball into what 2019 may hold, HIPAA covered entities should consider their liabilities under State law as further support for refreshing their commitments to HIPAA compliance.
The VantagePoint HealthCare Advisors team came together again this year to collect non-perishable food items for the Connecticut Food Bank. Collectively, the staff contributed 205lbs of food, about 60lbs more than collected in 2017. Credentialing Specialists Margaux Martinez and Ingrid McManus coordinated the collection effort and kindly performed the heavy lifting duties. Between the food and monetary donations from remote staff, VantagePoint was able to provide over 200 meals for our neighbors in need.
Healthcare Compliance Officers with oversight responsibilities that include a reference laboratory, SUD treatment facility, recovery home or related entity have something new to add to their 2019 compliance plans. EKRA, the Eliminating Kickbacks in Recovery Act of 2018 (Section 8122 of the SUPPORT Act) went into effect as of October 24, 2018. EKRA is an all-payor anti-kickback law intended to address improper payments for patient referrals to recovery homes, clinical treatment centers, or clinical laboratories. According to the National Law Review, “broad language enables the federal government to monitor provider arrangements intended to generate business for any laboratory services, not only those related to individuals in treatment for substance abuse disorders, payable by a federal health care program (“FHCP”) or commercial health insurer.”
Outrage often breeds legislation. The recent high-profile fraud and abuse cases involving questionable services at sober homes and the ‘great gold rush’ of laboratories capitalizing on demand for urine toxicology screening set the stage for EKRA.
On November 3, 2018, Inova Health System initiated the process of sending the HIPAA-required breach notification letters to nearly 13,000 patients. The scope of the data breach involving Inova’s billing system included patient names, addresses, birth dates, medical record details and Social Security numbers. Treatment information of a restricted number of patients was also possibly accessed. While many patients are most fearful of their Social Security numbers being exposed, recent research indicates the value of the SSN is shockingly low on the black market in contrast to the havoc and worry of potential identity theft. According to a Forbes article entitled Your Electronic Medical Records Could be Worth $1000 to hackers, Yao (2017, April 14) states “How much is your life worth to hackers? On the black market, the going rate for your social security number is 10 cents. Your credit card number is worth 25 cents. But your electronic medical health record (EHR) could be worth hundreds or even thousands of dollars.”
The Association of Certified Fraud Examiners (ACFE) is recognizing November 11th - 17th as International Fraud Awareness Week. While the tools provided on the ACFE website are not specific to the healthcare industry, the fraud check-up tool could be adapted by compliance officers as a nice adjunct to existing OIG and CMS resources.
According to Stempniak (2018, October 29) as reported in McKnight’s Long-Term Care News, the Health and Human Services (HHS) Office of Civil Rights (OCR) receives approximately 20,000 HIPAA related complaints per year. The article further advises “Providers need to start tightening the screws on their privacy and security programs because scrutiny is about to get a little harsher.”
As reported in Becker’s Hospital Review, physician groups and MEDPAC have pushed back on the CMS proposal on virtual care reimbursement. According to Gooch (2018, October 10), “CMS proposed the virtual care reimbursement in its update to the 2018 Medicare Physician Fee Schedule and Quality Payment Program. Under the proposal, Medicare would pay physicians $14 per virtual check-in versus the cost of a $92 patient visit. The virtual check-in would last about five to 10 minutes. Physicians are concerned the Medicare payment would leave patients on the hook for a 20 percent cost-sharing charge.”
The article goes on to cite MEDPAC concerns regarding the convenience factor associated with direct-to-consumer telehealth solutions that on their face would appear to expand access, but have the potential to increase overall utilization. The CMS proposal, per Administrator Verma, is part of their Patients Over Paperwork effort and includes reimbursing providers at the rate of $14 for ‘virtual’ check-ins; these check-ins could be performed by an eligible advanced practice provider (NP or PA). Administrator Verma suggests that reimbursing for virtual check-ins may reduce costs to the Medicare program by eliminating unnecessary visits. This point of view neglects to consider the evidence from prior expansions of coverage under the Physician Fee Schedule, including reimbursement above and beyond the E/M visit fee for tobacco use cessation counseling (Decision memo CAG-00241N), that demonstrates expanded access (or coverage) does not translate to direct savings. Savings from the proposed virtual visit fees may ultimately show up in less obvious and quantifiable places, like reduced ER or Urgent Care visits.
Hot from the CMS Newsroom on October 11, 2018:
Average 2019 premium rates for a benchmark plan represent the first decline in rates since the Federally-facilitated Exchange began in 2014.
The average second lowest cost silver plan (SLCSP) premium decreased by 1.5% in 2019. By comparison, the average SLCSP increased by 37% from 2017 to 2018.
Actual premium increases on average may be even lower, as consumers “buy-down” coverage. When faced with high premiums, consumers have the opportunity to buy-down to coverage with higher cost sharing and lower premiums.
Stabilizing premiums will help retain healthier people in the risk pool.
The term ‘buy-down’ coverage is a new one. Yes. When consumers are faced with a higher premium, indeed, if they don’t abandon coverage altogether, they will roll the dice with a high-deductible plan. Not a new concept and precisely the type of outcome that contributes to uncompensated care and bad debt for healthcare providers. Sounds more like the ‘opportunity’ for a cost shift!
The September 2018 additions to the HHS OIG Work Plan were limited to two, both somewhat esoteric and unlikely to impact the majority of healthcare providers.
Review of Opioid Use in Indian Health Service: Consistent with prior OIG work plan items regarding Medicare Part D and Medicaid, this work plan addition will seek to “determine the extent to which beneficiaries are receiving extreme amounts of opioids through Indian Health Service (IHS), as well as IHS-employed prescribers and IHS-run pharmacies that have questionable prescribing or dispensing patterns. This review will also determine how IHS prevents and detects opioid misuse or abuse, as well as how it enforces its opioid-related policies.”
Follow-up Review of Head Start Grantee: Pertains to one specific entity, not applicable to wider constituencies at this time.
New additions of import that were added to the work plan in August 2018, during the height of vacation season, and slipped by VantagePoint scrutiny included:
Physician Billing for Critical Care Evaluation & Management Services: As an exclusively time-based service, physicians must clearly document the time spent evaluating, providing direct care and managing the patient in order to qualify for reimbursement of a critical care E/M visit. Per the OIG, “This review will determine whether Medicare payments for critical care are appropriate and paid in accordance with Medicare requirements.”
Hospitals' Compliance with Medicare's Transfer Policy With the Resumption of Home Health Services and the Use of Condition Codes: Hospitals transferring a patient to another facility or home health service are subject to a reduction in DRG payment. The OIG seeks to “determine whether Medicare appropriately paid hospitals' inpatient claims subject to the postacute care transfer policy when (1) patients resumed home health services after discharge or (2) hospitals applied condition codes to claims to receive a full DRG payment.”
The Centers for Medicare & Medicaid Services (CMS) has posted revisions to chapter 13 of the Medicare Program Integrity Manual (PIM). These revisions were required by a provision of the 21st Century Cures Act meant to enhance the transparency of the local coverage determinations (LCD) process administered by Medicare Administrative Contractors (MACs).
Key changes include a clearer process roadmap in language that can be understood by the different constituencies eligible to request an LCD, including beneficiaries; streamlined process for requesting new LCDs; and expansion of Contractor Advisory Committee (CAC) meeting format options and individuals eligible to participate.
Unlike a tidal wave, a tsunami, also known as a seismic sea wave, is characterized by a series of waves, sometimes caused by an earthquake hundreds of miles from shore. We’ve heard about the silver tsunami for years with respect to the number of baby boomers entering retirement and subsequently qualifying for Medicare. Tsunamis take folks on-shore by surprise, but there really should be no surprise in the healthcare industry regarding what’s happening with respect to the demand for home health and hospice services.
According to Holly (2018, September 26), “Another 1.2 million baby boomers became Medicare beneficiaries between the first quarter of last year and the close of Q1 of 2018. With the overall system, there are currently about 58 million beneficiaries, looking at both the Medicare Advantage (MA) program and traditional fee-for-service Medicare. As has widely been reported, the share of beneficiaries in Medicare Advantage plans is growing fast. About 35% of Medicare beneficiaries are currently enrolled in MA plans, but that’s projected to check in closer to 40% or higher in the not-too-distant future. More than one-third of all Medicare beneficiaries live in one of five states: California, Florida, Texas, New York or Pennsylvania. Within the next 15 years, the number of beneficiaries is expected to reach 80 million.”
Now that CMS is allowing Medicare Advantage plans to offer supplemental benefits that include the type of in-home custodial and non-emergent medical transportation support that the traditional Medicare home health benefit doesn’t allow, demand for these services will serve to reshape home health delivery models.
In a low-key announcement in Spring 2018, CMS cracked open the door to allowing Part C (Medicare Advantage) plans to add non-skilled Home Health services to their 2019 supplemental benefits. October 1st is the big reveal for Part C plan sponsors, the date each year when they are permitted to post their upcoming plan year offerings ahead of open enrollment, and if Anthem’s move is any indication, we’re going to see some interesting benefit packages hit the market.
Anthem’s supplemental offering for 2019 is branded as ‘essential’ or ‘everyday’ extras. Beneficiaries considering Anthem Medicare Advantage plans can elect an add-on package of services that include food delivery, non-emergent medical transportation, assistive devices, alternative medicine, adult day center services and personal home helpers. With 3 percent of all Medicare Advantage members in an Anthem plan, this is a strategic volley into a crowded and competitive marketplace.
A Massachusetts General Hospital study confirms how dramatically in 8 short years the landscape of HIPAA reportable breaches has changed.
As noted by Donovan (2018, September 26) “In 2010, the most common type of healthcare data breach was theft of physical records, but by 2017 hacking or other IT incidents accounted for the largest number of breaches, followed by unauthorized access to or disclosure of patient data. The most common type of breached media in 2010 was from laptop computers followed by paper and film records, while by 2017 network servers or emails accounted for the largest number of breaches. Overall, the greatest number of patient records were breached from network servers, the study found.”
Several factors account for the shift in breach characteristics. The great gold rush of Meaningful Use incentive-eligible EHR implementations really didn’t hit its stride until 2012-2014. According to HealthIT.gov, by 2016 98% of eligible hospitals had adopted certified EHR technology. Sometimes systems were implemented before organizations fully understood all the HIPAA/HITECH security support needed to stay in compliance, and frankly, HIPAA Privacy Officers were by and large caught unawares by the shift they would need to make in their focus and response to breach threats. Lastly, there is an element of paying attention to something causing an increase in reports. In recent years, the Office of Civil Rights (OCR) has penalized covered entities for delays in discovery and reporting of breaches. The result of this high-profile activity is an increase in timely reports by entities that are more risk averse.
The hopes of HIM professionals, HIPAA Privacy Officers and some SUD program administrators were dashed with the decision by Congress that the bicameral version of the pending opioid legislation will not include provisions to align 42 CFR Part 2 with HIPAA in respect to the Treatment, Payment, and Operations (TPO) exclusions. As health systems increasingly diversify offerings to include services meeting the definition of a Part 2 program, the complexity of managing consents, authorizations, and routine exchange of clinical information for continuity of care will not be eased as was hoped by the stakeholders managing the intersection of HIPAA and Part 2 compliance.
Not all stakeholders are disappointed. The Legal Action Center (LAC) released a celebratory notice, stating in part, “In the midst of the nation’s worst addiction epidemic in history, we must ensure that our policies encourage people to seek the care they need to get and stay well.”
Lots of focus in compliance circles lately on the urine toxicology laboratory sector and widespread allegations of fraud, waste, and abuse. In the rush to throw every resource at managing the opioid addiction crisis, a formerly staid and boring sector of the laboratory services industry is having a moment in the spotlight. Unfortunately, the liquid gold rush is turning into a bust featuring false claims act investigations and settlements.
The latest DOJ settlement comes from the Eastern District of Kentucky against a laboratory in Woburn, Massachusetts. Calloway Laboratories, Inc. has been ordered to pay $1.3 million to settle False Claims Act and Anti-Kickback violations. According to the DOJ announcement, “As part of the settlement agreement, Calloway acknowledged that it provided free testing supplies to physicians for the purpose of inducing or rewarding referrals of urine drug testing to Calloway. Calloway then submitted claims to Medicare and TRICARE seeking payment for the testing referred by these physicians.”
All-payer claims databases are touted as one key to reducing overall healthcare costs because the notion is that the transparency associated with these tools will lead providers to change their behavior if they are an outlier and patients will use the associated tools to make better decisions about how they spend their healthcare dollars. So far? Not so much.
It’s tempting to view healthcare as a rational market where the customers (patients) make data-driven decisions, but as Bannow (2018, September 15) points out, “Despite the rise in high-deductible health plans, the majority of Americans still are “very insulated” from the actual cost of healthcare…That's one thing that dampens the use of the tools resulting from all-payer claims databases.” The other factor is the emotion, belief systems, and non-rational thought that play a role in healthcare decisions. If only we had a database to solve for that!