New Flavor of Fraud? Hospice hastening death for financial gain.

According to Kuruvilla (2018, May 18), "A former health care executive in Texas has admitted to playing a role in an alleged $60 million Medicare fraud scheme that included disturbing practices such as overdosing hospice patients to “hasten their deaths” and maximize company profits."

Medicare reimburses hospice services on a per diem basis, meaning, the longer a patient is on hospice, the more overall reimbursement an agency will receive. Even on days where hospice staff do not visit a patient, the agency can bill Routine Home Care (RHC). More intense, skilled services, must meet criteria and are subsequently reimbursed at the higher Continuous Home Care (CHC) level. The allegations of hastening hospice patients' death via overdose is counter-intuitive on its face for those of us that follow hospice-related Medicare fraud cases. Ordinarily, Hospice providers encounter challenges in justifying the length of time a patient is on-service, the documentation supporting terminal illness, and correctly calculating the hours associated with the CHC level of care. If the Medicare Hospice Payment System is unfamiliar, a primer can be found here:

The Unknown-Unknowns of Credentialing, Privileging, and Enrollment

Are you a healthcare compliance, revenue cycle, or operations leader who would like to learn more about credentialing, enrollment and privileging? Consider joining VantagePoint HealthCare Advisors COO Susan Prior, CHC and Senior Consultant Regina Alexander, FACHE, CHC, HCS-H on June 20, 2018 for an Health Care Compliance Association (HCCA) sponsored web conference. Sue and Regina will Review the basics of privileging, credentialing, and enrollment processes, including key regulatory and payer requirements. The conference content will also explore commonly overlooked ‘unknowns’ and identify strategies to mitigate compliance risks, financial impact, and barriers to care created by inefficient or siloed credentialing and enrollment processes. Compliance professionals will take away tips for asking the ‘right’ questions about the credentialing, privileging, and enrollment processes within their own organization.

The Maryland Model

According to McKnight's Long Term Care News, CMS is allowing the State of Maryland to expand its long-standing all-payer program waiver 'beyond hospital walls'. Currently, acute facilities in Maryland are subject to global facility budgets rather than the prospective payment system. Expanding the all payer model into post-acute care makes a lot of sense given the responsibility for quality and heretofore the risk was borne primarily by hospitals.

Key Takeways: Documentation, Documentation, Documentation!

The largest health system in southeast Texas has agreed to pay $1.9 million to resolve allegations that between 2009-2014 the system billed Medicare for surgeries performed on an inpatient basis that could have been performed as outpatient or observation.

Without knowing more than the details released by the U.S. Attorney or the response from Memorial Hermann leadership, it's a pretty good guess that the lesson other healthcare providers can take away from this is the same as other cases involving use of observation status versus inpatient admissions. Ensure the documentation supporting the medical decision making is explicit and clearly supports the services rendered, or in the case of planned surgeries or admissions, clearly supports the rationale for the place of service. This is especially important for any service that Medicare allows to be performed on an outpatient basis. A close reading of the CMS policies in respect to observation services, for example, is full of caveats regarding professional judgement.

Beyond documentation, the Memorial Hermann case is just another case for compliance leaders to cite when justifying the ROI in their FY19 budget line items pertaining to proactive, internal clinical documentation and coding/billing audits.

Case in Point: If it sounds too good to be true, it might just be fraud

The saga of failing rural hospitals is made all the more distressing by the report of unscrupulous consultants seemingly swooping in to save the day, only to seal the financial fate of struggling facilities. The latest case in point comes from Missouri, where State auditors discovered a failing hospital appears to have been duped into serving as a 'shell company' for a management company that promised a solution to right their finances.

CityMD case emphasizes importance of credentialing and enrollment process

The CityMD case article follows a recent announcement from the DOJ regarding a Long Island Pediatrics practice agreeing to pay $750,000 to settle similar False Claims Act allegations in respect to improperly billing services for physicians not enrolled in the Medicaid program under the NPI of a physician who was enrolled.

The basis for the CityMD case is that the multi-site Urgent Care provider billed falsely because the Medicare claim reflected an NPI of a provider other than the individual rendering the service. Per Commins (2018, May 4), "CityMD employed a number of physicians who were not credentialed with the Medicare program at the time CityMD billed Medicare for their services"

These recent cases emphasize the importance of credentialing and enrollment processes. While operationally, short cutting the enrollment process is tempting when there are clinical shifts to cover, the financial risks are significant. Partnering with a Credentials Verification Organization (CVO), like VantagePoint HealthCare Advisors, can help providers mitigate risks and stay in compliance.

OCR wall-of-shame level data breach? Maybe not a good time to go cheap

The HIPAA Breach Notification Rule requires covered entities to notify the Office of Civil Rights (OCR) within 60 days of discovery for any data breach involving protected health information (PHI) of 500 individuals or more. The class action lawsuit filed against UnityPoint Health on May 4, 2018 demonstrates that sometimes it's not the incident itself, it's how a healthcare organization handles a breach that matters. At issue is the late notice to impacted patients and the OCR, as well as a cavalier approach to accurately identifying the nature and scope of the PHI disclosed. To pile on, the decision by UnityPoint to forgo offering individuals free credit monitoring is one of the those penny-wise and pound-foolish decisions that seems to have inspired an attorney to take up the case.

Healthcare Industry Lagging in Understanding of Security Risks

Overall, the healthcare industry performed second worst for security awareness, just ahead of the hospitality industry, with the survey highlighting several areas of weakness that could potentially be exploited by cybercriminals to gain access to healthcare networks and sensitive data.

HIPAA & 42 CFR Part 2: Something needs to change!

With the continuing integration of hospitals and outpatient services into health systems unabated, as well as mergers of providers, payers, and even retail pharmacy chains in the mix, now is the time to finally address the overlapping and conflicting requirements of HIPAA and 42 CFR Part 2. Even if a HIPAA covered entity doesn't offer services qualifying as a Part 2 program, the widespread impact of the opioid crisis has made it increasingly likely that many hospitals and medical providers have become what 42 CFR Part 2 defines as a lawful holder.  Lawful holders must figure out how to compliantly track and manage those parts of the patient medical record that contain Part 2 protected information and ensure they abide by Part 2, not HIPAA in respect to what may be a very minute part of their overall business.

Organizations that do have Part 2 programs have a different set of compliance challenges in respect to exchanging information for continuity of care. HIPAA allows this without specific patient authorization, Part 2 requires consent except in cases of bonafide emergency. HIPAA requires revocation of authorization in writing, Part 2 requires providers accept verbal revocation if the patient is unable or refuses to put it in writing. I could go on and on. The 21st Century Cures Act imposes obligations on providers to attest that they are not blocking the exchange of data or putting up barriers to Health Information Exchange (HIE). How is that going to work when Part 2 protected records are comingled in an integrated care setting? Congress is considering resolving these conflicts through the Overdose Prevention and Patient Safety Act. Hopefully partisan concerns won't gridlock this legislation and a common sense set of protections that continue to protect patient privacy and do not impede patient care will be the result.



Another Case to Support the ROI of Regular Billing Compliance Audits

The government alleges New Era double billed Medicaid for services to patients fighting methadone addiction. It claims the rehab center got paid a weekly “bundled rate” that covered intake evaluations, on-site drug abuse testing and monitoring, initial physical examinations and counseling services for individuals, groups and families.

Report: Healthcare Data Breaches- 2018 Q1

The first three months of 2018 have seen 77 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Those breaches have impacted more than one million patients and health plan members – Almost twice the number of individuals that were impacted by healthcare data breaches in Q4, 2017.

Accidentally and Unknowingly. Three Years On?

Breaches happen. Inadvertent disclosures happen. But over 3 1/2 years?

According to HIPAA Journal, April 20, 2018:

1,071 patients who received medical services at the Des Moines Crisis Observation Center operated by Polk County Health Services Inc., have been informed that some of their protected health information has been “accidentally and unknowingly disseminated” over a period of three and a half years.

The breach was discovered on February 14, 2018, although the investigation revealed that information first started being disclosed on June 1, 2014 and continued until January 11, 2018. The types of information disclosed includes patients’ names along with Social Security numbers, home addresses, Medicaid ID numbers, admission dates, and discharge locations.

Private equity firms eye veterinarians, ophthalmologists, dentists

“As consumers, we are all used to having access to almost any product or service on our phone in minutes,” says Justin Ishbia, founder of Shore Capital Partners. “As healthcare becomes more retail-focused, we believe that the winners in healthcare are those who adapt to the demands of consumers, and those who rely solely on traditional models will be left behind. The traditional models are no longer working, and there is room to deliver high-quality care at a lower cost and build better retail-like models that treat patients like valued customers, while also reducing costs by taking advantage of economies of scale. This is happening in a variety of niches within healthcare.” 

What are you doing to evolve? VantagePoint can help. 

The HIPAA Privacy Rule 15th Anniversary - Blast from the Past & Hybrid Entities

In April 2003, sports drama ‘42’ was a hit at the box office, hip hop hit ‘In da Club’ by 50 Cent topped the Billboard charts, and the Human Genome Project was completed with 99% of the human genome sequenced to an accuracy of 99.99%. The date also marked the end of years of preparation for healthcare providers and most payers to comply with the HIPAA Privacy Rule.

Fifteenth anniversaries are traditionally symbolized with roses, rubies, or crystal. Throughout the month of April, VantagePoint is highlighting the 15th anniversary of the compliance date for the HIPAA Privacy Rule with special informational posts regarding HIPAA compliance and some of the lesser known (or understood) provisions.

An example of provisions that cause confusion include how HIPAA works for entities that have healthcare and non-healthcare related components. An example of an organization type that often experiences confusion regarding compliance with HIPAA is a college or university that offers on-site health services for students.  The Family Educational Rights and Privacy Act of 1974 (FERPA) applies to the health records maintained on students at the campus health clinics of postsecondary schools.  Entities subject to FERPA classify records as either education or treatment records, both of which are excluded from coverage under the HIPAA Privacy Rule (with some exceptions) even if the school is a HIPAA covered entity.  A school becomes a hybrid entity, subject to HIPAA, by segregating healthcare related activities into a separate component of operations.

Lack of Policies & Procedures Cited as Reason for Poor Safeguards Against FWA

According to The Denver Post, "The audit by the federal Centers for Medicare and Medicaid Services reviewed Medicaid spending at three managed care programs in the state. The review found that from 2014 through 2016 those programs had recovered less than $65,000 in overpayments to doctors, psychologists and other health care professionals billing Medicaid. During those years, the programs conducted just 19 investigations into allegations of waste, fraud or abuse, an amount the auditors found “either low or nonexistent for a managed care program of Colorado’s size.

The October 2017 audit found that Colorado has a “lack of effective policies and procedures” to guide how the programs should handle investigations, referrals and reporting requirements to the state when there are allegations of fraudulent Medicaid expenditures."

Supreme Court may revisit a False Claims Act decision

The Supreme Court may revisit a a key False Claims Act decision and the results may impact pending and new cases. According to an article published today in McKnight's Long Term Care News,  "At issue is whether a False Claims allegation automatically fails when the government continues to approve services or pay for products after learning of alleged infractions. "

Any healthcare revenue cycle professional knows that allegations or initial audit results alone don't put a stop to payment of claims by Medicare or Medicaid. If that were the case, providers who ultimately prevail in their disputes and found innocent of wrong-doing could have a hollow victory if the process ultimately bankrupted their organization. Claims payment is automated, very few claims are reviewed by an actual person before payment unless an organization is on the rare pre-payment review or the claim fails for a technical or coding reason. The operational realities of how claims are paid mitigates the effectiveness of the argument that any claim paid by the Federal or a State government after an investigation is initiated or allegations are put forth is 'approval' of the misdeed.

Former California State Contractor Sued Over Breach Of HIV Patient Privacy

According to Kaiser Health News, "A security breach by a private company that contracted with California’s public health department inadvertently allowed unauthorized access to the HIV status of 93 people, according to a lawsuit filed this week in San Francisco County Superior Court."

DOJ Announces Settlement with Banner Health to Settle False Claims Act Allegations

Not even 4 full months into 2018 and the qui tam (whistleblower) provisions of the False Claims Act continue to drive significant settlements between healthcare providers and the Department of Justice (DOJ),  as well as a proliferation of Corporate Integrity Agreements (CIA) .

The Banner Health case is complicated by several factors; however, it's a good example of why hospitals and health systems must conduct periodic internal audits of admission orders and clinical documentation associated with observation status. The use of observation status should be sparing and justified explicitly in the patient record by the medical providers. Misunderstandings regarding the intent and requirements of the two-midnight rule persist, causing some providers to hesitate to admit to inpatient, while observation status has become a fall back position for cases complicated by social factors and the pressure to 'do something'.

Good Deeds Funded by Bad Deeds

Ever wonder what happens to all dollars collected through those civil monetary penalties imposed on providers who run afoul of CMS? A $1.6 million grant, funded in part by civil monetary penalties paid for violations of the False Claims Act and other regulations, is going to help nursing homes across the state of Georgia through a project that is meant to aid in better understanding residents' needs as well as delivering more competent care.