State of Maryland fails OIG security audit, Medicaid data at risk

OIG performed a vulnerability assessment scan to determine if there were existing vulnerabilities on the MMIS (Medicaid Management Information System) network, devices, websites and database. And while OIG officials found the state adopted a security program for the system, there were “significant system vulnerabilities.”

Officials did not disclose details of the vulnerabilities found, but said that they were significant enough to "have allowed unauthorized access and exposed Medicaid data and the disruption of critical Medicaid operations.”

The State said there was no evidence of a breach or unauthorized access. And, while a security program was in place, the controls were not sufficient to keep the systems protected. Recommendations were made to the state to update the security program and systems to meet federal requirements.

Updates to the OIG Work Plan: August 2018 Highlights

VantagePoint monitors the monthly updates to the Office of Inspector General (OIG) work plan. The month of August is proving to be somewhat light in comparison to July with only one item posted to the Recently Updated items page (linked to the title of this post).

The sole August 2018 update relates to the OIG's planned review focusing on the "care and well-being of all children residing in ORR-funded facilities, including the subset of children who were separated and deemed ineligible for reunification." The OIG also plans to focus on the effectiveness of the Office of Refugee Resettlement's efforts to unify separated children with their parents.

CMS Finalizes Hospital Price Transparency Rule

CMS has finalized the rule requiring hospitals to post a list of their standard charges online. The list must be provided in machine readable format and updated as often as necessary to keep the list current (minimum once per year).

The healthcare industry has traditionally struggled with operationalizing price transparency. The reasons for the struggle are myriad. From the maze of contracts with health plans that dictate different terms of payment, to the general discomfort with quoting a firm price for a procedure sight unseen due to the variability of potential patient outcomes, to the variability in physician preferences and prescribing patterns for inpatients, coming up with a firm price has been a moving target. The CMS final rule requiring hospitals to post a list of standard charges is a necessary shove in the right direction but there will be pain associated with making this information available to a patient population that experiences the price of care as a co-pay or deductible and has limited perspective on the actual cost of the care they receive.

Trojan Horse? The Patients Over Paperwork Initiative

The allusion of the Trojan Horse is often used (and maybe overused) to describe situations in business or politics in which the true motivation of an initiative or proposal is wrapped in something positive or innocuous. The "Patients Over Paperwork" initiative promoted by the Centers for Medicare and Medicaid (CMS) has all the hallmarks of that mythical wooden vessel the Greeks used to gain entry into the city of Troy.

Direct-care providers [physicians, nurse practitioners, physician assistants] are understandably vulnerable to buying into the arguments that reducing documentation requirements and updating guidelines for evaluation and management services (E&M) is a benefit to patient care because ostensibly, providers will have more time to spend with patients. Fair enough. The promise of efficiency that was supposed to be inherent once a practice implements an EHR has not been fully realized and many providers are spending more time than ever on their documentation obligations. Furthermore, accurately coding E&M services can be tricky and even trickier to defend upon audit. It is pretty tempting to accept this initiative on its face and 'open the gates' to the idea that lessening the requirements for documentation will liberate time for patients.

Revising documentation requirements and E&M guidelines is a great idea, but shouldn't be construed as merely a patient-centric effort. CMS is also proposing to eliminate the higher level fees associated with the highest level of E&M visit care. Does this incentivize providers to spend more time with the patient and less on paperwork? Or does this incentivize providers to increase the volume of patients they see, rather than the quality of time spent with current patients while reducing the quality of documentation? The CMS site devoted to this initiative states the program is meant to, among other things, improve the beneficiary experience.

What is the real goal of this proposal? Eliminating the higher level of reimbursement for level 4 and 5 visits, reimbursement levels designed to compensate providers for the time and work effort associated with the most complex patients, certainly feels more like an effort to reduce Medicare expenditures than a patient-centric initiative.

Electronic Health Records & Ransomware: To Pay or Not to Pay - Is that the right question?

The most recent ransomware attack to impact a healthcare organization comes from Cass Regional Medical Center in Harrisonville, Missouri. The organization experienced a ransomware attack July 9, 2018. The attack targeted the organization's communication system and prevented staff from logging onto Meditech, the facility's electronic medical record (EHR) system.

Healthcare organizations must consider the risk of a ransomware attack in the annual security risk assessments (SRA) and make plans regarding how they will respond. To pay or not to pay the ransom, that is something that should be considered in advance. In the moment, with access to the EHR and other systems locked down, patient data inaccessible, the panic of the situation and lack of prior planning may lead to a rash decision to pay, which is not necessarily the best choice.

 

Updates to the OIG Work Plan: July 2018 Highlights

Back in June 2017, the Office of the Inspector General (OIG) announced they would begin posting monthly updates to their work plan. Keeping tabs on the OIG Work Plan is a best practice for compliance and revenue cycle professionals. The items may at times appear esoteric, but the appearance of a new initiative is akin to the proverbial canary in a coal mine.

The additions posted in July 2018 include:

  • New review of CMS payment policy in respect to 3-D radiation therapy planning services. Medicare policy prohibits payments for separately billed radiation planning services when the services are billed on a different date of service. The review by the OIG is designed to determine if the prohibition had been extended to 3-D radiation therapy.
  • The HHS OIG will perform a series of audits to assess cybersecurity vulnerabilities at HHS.
  • OIG will assess the effectiveness of the Health Resources and Services Administration (HRSA) oversight of the Access Increases in Mental Health and Substance Abuse Services (AIMS) grants.
  • OIG is working on a report describing the impact of additional Medicare outlier payments in balancing the reduction in DRG, DSH, and IME payments of transfer claims. This is one for hospital revenue cycle compliance folks to watch!
  • Another CMS focused audit by the OIG was added in respect to post-operative services provided in the global surgery payment period and whether global surgery fees reflected the actual number of post-operative services provided.
  • The final item added in July is a series of audits of the Substance Abuse and Mental Health Services Administration's process and oversight in respect to SAMHSA-approved accrediting bodies that have accredited Opioid Treatment Programs (OTP).

Patients Over Paperwork? Or just part of an agenda to reduce costs?

The Center for Medicare and Medicaid Services (CMS) has started the annual roll-out of proposed changes to the physician and other fee schedules. Wrapped up in the 2019 proposals, and opened for comment from the public and stakeholders, is a proposal regarding evaluation and management codes (E&M). The proposal is shrouded in the idea that it puts patients over paperwork by reducing the clinical visit documentation requirements for physicians, but ignores the reasons why there is a higher standard of documentation associated with the E&M codes that are reimbursed at higher levels because of the time and effort required to treat and evaluate the patient.

Under the proposal, all E&M visits (i.e., most outpatient office visits) will be reimbursed at the same dollar amount, regardless of the level assigned to the visit and without needing to meet the current documentation standards for the level; however, providers must still code the level of the visit accurately. Beyond the concerns that we are taking a step backwards as an industry in respect to encouraging quality, detailed patient care documentation that truly tells the patient story, and that lowering documentation standards does little to support value-based care initiatives, physicians treating complex patients are financially penalized under this proposal.

Fresh Tactics - Getting new providers to supply information required for credentialing and enrollment

On Wednesday, June 20, 2018, VantagePoint HealthCare Advisors President and COO Susan Prior, CHC and Senior Consultant Regina K. Alexander, FACHE, CHC presented a live webinar, The Unknown-Unknowns of Credentialing, Privileging, and Enrollment for the Health Care Compliance Association (HCCA). The webinar drew a diverse audience, including attendees from hospitals, health systems, health plans, post-acute care, law and consulting firms. During the Q&A portion of the event, we responded to many questions; however, time ran out with questions still pending in the queue. HCCA has provided VantagePoint with the list of unanswered questions. We'll base some of our upcoming posts on these questions.

Our first unanswered question from the webinar centers on tactics to gather the data and documents necessary to credential and enroll new providers. The attendee queried, "Do you think a robust credentialing process is as manageable as we would like it? Despite changing around the wording of my welcome letters for providers they tend to miss many data points I need to properly credential and to pass along this info to eventually enroll with health plans."

Yeah. This one is tough! The questioner has already attempted to streamline his/her process by revising the welcome letter sent to new providers. While revising the letter is an approach that is absolutely on VantagePoint's to-do list, and electronic applications are available to help with tracking, we'd suggest taking another look at the letter and considering the following:

  •  How long is the letter? This is the time to be succinct to avoid losing the new provider's attention or muddling the message.
  • Avoid over-explaining. The letter should open with a welcoming sentence followed by a statement regarding items required to credential/enroll. Consider a polite, yet to the point sentence explaining the most compelling reason for timely and complete submissions of the information requested.
  • Consider an even shorter letter per the previous bullet point with a checklist attached. People generally like the feeling they get from checking items off a long to-do list, so this may motivate the provider toward completion. The checklist should include all items needed to complete the credentialing & enrollment process, perhaps a brief description or specific requirements statement for each item if potentially confusing, include a box to check-off the items (like a shopping list), a box for the provider to write comments and a place for the provider to sign-off/date that all items requested are enclosed.
  • Provide an email address and phone number for questions. Welcome questions from providers during the process and be ready to answer the 'why do we need all this stuff' types of questions.

One step closer to aligning 42 CFR Part 2 with HIPAA

The Overdose Prevention and Patient Safety Act was passed by the U.S. House of Representatives and is on its way to consideration by the U.S. Senate. Among other provisions, H.R. 6082 allows the health records of substance abuse disorder patients to be disclosed without specific written consent from patients for the purposes of treatment, payment, and healthcare operations (TPO). Currently, the only exception to the specific consent requirement of Part 2 is a bona fide medical emergency. If passed by the Senate and signed into law, the one sticking point for most medical providers who are either Part 2 programs or lawful holders of Part 2 protected information will be unstuck because of the alignment with the HIPAA Privacy Rule.

When it comes to claims and compliance, be payer agnostic

On Wednesday, June 20, 2018, VantagePoint HealthCare Advisors President and COO Susan Prior, CHC and Senior Consultant Regina K. Alexander, FACHE, CHC presented a live webinar, The Unknown-Unknowns of Credentialing, Privileging, and Enrollment for the Health Care Compliance Association (HCCA). The webinar drew a diverse audience, including attendees from hospitals, health systems, health plans, post-acute care, law and consulting firms. During the Q&A portion of the event, Susan and Regina responded to questions about use of locums, primary source verification for allied health professionals, and multiple questions regarding submitting claims when services have been rendered by a provider not yet enrolled.

A memorable question that bears follow-up and focus pertained to what was allowable when filing claims with commercial payers. The attendee acknowledged understanding it would not be allowable to substitute the name and NPI of a participating, enrolled provider in the 'rendering provider' box on the claim for a non-participating (or not yet enrolled) provider in respect to a claim submission to a government payer, and then asked if the same scenario is allowable with a private payer. The short answer provided on the webinar was a 'no', but the question itself reveals a more universal misunderstanding that healthcare providers can play by a different set of rules in their approach to private, commercial payers.

When it comes to claims and compliance, healthcare organizations should be payer agnostic in their attitude and approach to the basics, like the information reported on claim forms. While it's true that the Lincoln Law (False Claims Act) is enforced in respect to Medicare and Medicaid claims, the Health Care Fraud Statute (18 U.S.C. § 1347) applies to obtaining payment under false pretenses from both government AND private payers. Another consideration ancillary to submitting accurate claims is the claim as a secondary medical record. Medical records are legal documents and purposely altering the content of a claim in a manner that does not reflect the services as documented in the primary medical record could have implications under state laws. Lastly, commercial health plans build benefit structures to consider specific member-cost sharing in respect to out-of-network care. Provider groups and healthcare organizations can run afoul of contractual obligations by misrepresenting non-par provider services as rendered by a participating provider; in addition, if the plan is employer-sponsored, enforcement remedies are available under the Employee Retirement Income Security Act of 1974 (ERISA).

 

99% of Physicians Seeking APM Bonuses in 2017 Qualified

Healthcare Financial Management Association (HFMA) reported that 99% of physicians who sought advanced alternative payment model (APM) bonuses in the first year (2017) did qualify.  This is not surprising due to the relatively low thresholds and the fact that those who do apply do so knowing it is attainable for their group.  Forthcoming changes to MACRA include the launch of an all-payer combination option, which allows clinicians to be eligible for the 5 percent APM bonus if they see patients in both Medicare and qualifying payment models offered by Medicaid managed care plans and Medicare Advantage plans.  Moving forward, clinicians should continuously review their eligibility and their strategy to qualify or join models of care that offer such incentives.

Conditions of Participation

Ordinarily, the loss of Medicare or Medicaid billing privileges is connected to allegations of Fraud or Abuse. Make no mistake, the fear of being placed on pre-payment review alone or having reimbursement suspended during an investigation is enough for many hospitals to justify their compliance efforts.

The case of Overland Park, Kansas-based Blue Valley Hospital is a bit different. Under Medicare rules for acute care hospitals, a facility must have an average of 2 inpatient admissions per day with an average 2-day length of stay in order to maintain status as an inpatient hospital for purposes of reimbursement. Blue Valley Hospital asserts that the requirements are arbitrary. The hospital performed outpatient surgeries at a ratio of 2:1 over inpatient surgeries in the period examined per Ellison (2018, June 12), and of the inpatient surgeries performed, patients were often discharged prior to the 2-day standard.

Business Associate Agreements: Don't Set it and Forget it!

There is more to HIPAA compliance than privacy and security safeguards. An oft overlooked requirement is the Business Associate Agreement (BAA), and even when covered entities do have a BAA in place with a vendor, there is inconsistent follow-up regarding reviewing and if necessary, updating those agreements concurrent to contract renewals.

According to a HIPAA News report posted June 1, 2018 regarding multiple breaches at Dignity Health, one incident involved a vendor with an outdated BAA. Per the author, "The contractor in question had been used for ten years and a valid business associate agreement had been in place earlier; however, that document was no longer valid and data continued to be shared with the contractor due to a clerical mistake." Clerical errors happen; however, policies and procedures are often not in place. BAA audits are a good item for compliance professionals to consider when formulating annual work plans, and the Dignity case is a good, public example of the 'why'.

Complying with HIPAA alone won't cut it - Covered entities need to keep up with changes in state laws

For healthcare organizations operating in multiple states, the complexity of compliance with privacy and security rules goes beyond understanding HIPAA. Add Colorado to the list of states with new laws defining special requirements for reporting breaches to the attorney general and definitions of personal information that include biometric data. While HIPAA allows for up to 60 days to provide notice to an individual regarding a breach, and also up to 60 days to report breaches of >500 individuals to the Office of Civil Rights (OCR), the new Colorado law requires notice to the individual within 30 days. Colorado is the most recent state to join the club of states with more stringent reporting rules than HIPAA requires, including most recently Alabama, which enacted a 45-day time frame.

Join VantagePoint for The Unknown-Unknowns of Credentialing, Privileging, & Enrollment

Are you a healthcare compliance, revenue cycle, or operations leader who would like to learn more about credentialing, enrollment and privileging? Consider joining Susan Prior, CHC and Regina Alexander, FACHE, CHC, HCS-H of VantagePoint HealthCare Advisors on June 20, 2018 for a Health Care Compliance Association (HCCA) sponsored web conference. Sue and Regina will review the basics of privileging, credentialing, and enrollment processes, including key regulatory and payer requirements.

The conference content will also explore commonly overlooked ‘unknowns’ and identify strategies to mitigate compliance risks, financial impact, and barriers to care created by inefficient or siloed credentialing and enrollment processes. Compliance professionals will take away tips for asking the ‘right’ questions about the credentialing, privileging, and enrollment processes within their own organization.

According to Cofense, 91% of cyber attacks begin with a phishing email

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a standard healthcare organizations can implement to reduce their susceptibility to cyber attacks by reducing vulnerabilities associated with spoofing. Spoofing occurs when a hacker attempts to impersonate the legitimate domain by making an email appear to come from within the organization. Despite training regarding phishing, staff may still be fooled by emails that look like they come from a legitimate domain. DMARC can be set up to monitor email traffic and send alerts (most permissive setting) or, in the most aggressive setting, block incoming emails.

Per HIPAA News (2018, May 26) "For the study, Valimail reviewed the domains of 928 healthcare companies around the globe with annual revenues over $300 million, including hospitals, medical equipment suppliers, pharmacies, physicians and health practitioners. Just 121 of those firms (13%) have adopted DMARC to secure their domains and stop email spoofing."
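The two ends of that range correspond to the `p=none` and `p=reject` policy tags in a domain's DMARC DNS record. The following added example (not code from the original post or from any vendor mentioned) parses a record and grades its posture; the sample records and the `hospital.example` domain are constructed for illustration.

```python
# Added example: grade a published DMARC TXT record (tag names per RFC 7489).
# All records and domains below are constructed for illustration.

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split a DMARC TXT record into an ordered tag dict, validating v and p."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # The version tag must come first and be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 must be the first tag)")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("missing or invalid p= policy tag")
    return tags


def assess(txt):
    """Return (posture, findings) for one DMARC record."""
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))            # share of failing mail covered
    sub_policy = tags.get("sp", policy).lower()  # subdomains inherit p if sp absent
    findings = []
    if policy == "none":
        posture = "monitor-only"
        findings.append("failing mail is not blocked; receivers only report")
    elif pct < 100:
        posture = "partial-enforcement"
        findings.append(f"policy applied to only {pct}% of failing mail")
    else:
        posture = "enforcing"
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports are received")
    if policy != "none" and sub_policy == "none":
        findings.append("sp=none leaves subdomains open to spoofing")
    return posture, findings


# Constructed sample records: monitoring, staged rollout, and blocking.
SAMPLES = {
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@hospital.example",
    "rollout": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@hospital.example",
    "blocking": "v=DMARC1; p=reject; sp=none",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, assess(record))
```

A record that parses but grades as `monitor-only` gives visibility into spoofing through reports without stopping it, so a count of domains that have "adopted DMARC" can overstate how many are actually protected.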

Hospital Observation Status and Readmissions

Observation status stays aren't included in inpatient readmissions data, and that omission may be skewing the data according to McKnight's Long Term Care News. According to Marselas (2018, June 1), "While inpatient readmission dropped by 2.3% during the study period, the researchers found the rate of readmission after an observation stay increased by 3.9%. Many patients also returned for repeat observation stays."

Medicare patients are often surprised to learn that an observation status stay does not count toward the three-day stay needed to qualify for SNF coverage. While the requirement for hospitals to provide beneficiaries with formal notice of observation status (Medicare Outpatient Observation Notice or MOON) may have mitigated that aspect of observation stay shock, concerns continue over the financial impact of 'obs' status. Beyond the patient-centric concerns, quality gains realized through reducing inpatient readmissions are now in question.

HIPAA Covered Entities Should Start Saving for a Rainy Day (aka Big Breach)

A provision of the HITECH Act of 2009 that has yet to be implemented is establishing a mechanism for the victims of a HIPAA related breach to share in any settlement or monetary penalties assessed. The Office of Civil Rights (OCR) plans to issue notice of proposed rule making in November 2018 in an effort to satisfy this HITECH requirement. In the meantime, HIPAA covered entities may want to consider revisiting their internal efforts to comply with the Privacy and Security rules to mitigate future risk as well as consider planning for a reserve commensurate with the potential exposure if a major breach were to occur.

New Flavor of Fraud? Hospice hastening death for financial gain.

According to Kuruvilla (2018, May 18), "A former health care executive in Texas has admitted to playing a role in an alleged $60 million Medicare fraud scheme that included disturbing practices such as overdosing hospice patients to “hasten their deaths” and maximize company profits."

Medicare reimburses hospice services on a per diem basis, meaning the longer a patient is on hospice, the more overall reimbursement an agency will receive. Even on days where hospice staff do not visit a patient, the agency can bill Routine Home Care (RHC). More intense, skilled services must meet criteria and are subsequently reimbursed at the higher Continuous Home Care (CHC) level. The allegations of hastening hospice patients' death via overdose are counter-intuitive on their face for those of us that follow hospice-related Medicare fraud cases. Ordinarily, hospice providers encounter challenges in justifying the length of time a patient is on-service, the documentation supporting terminal illness, and correctly calculating the hours associated with the CHC level of care. If the Medicare Hospice Payment System is unfamiliar, a primer can be found here: https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/downloads/hospice_pay_sys_fs.pdf

The Unknown-Unknowns of Credentialing, Privileging, and Enrollment

Are you a healthcare compliance, revenue cycle, or operations leader who would like to learn more about credentialing, enrollment and privileging? Consider joining VantagePoint HealthCare Advisors COO Susan Prior, CHC and Senior Consultant Regina Alexander, FACHE, CHC, HCS-H on June 20, 2018 for a Health Care Compliance Association (HCCA) sponsored web conference. Sue and Regina will review the basics of privileging, credentialing, and enrollment processes, including key regulatory and payer requirements. The conference content will also explore commonly overlooked ‘unknowns’ and identify strategies to mitigate compliance risks, financial impact, and barriers to care created by inefficient or siloed credentialing and enrollment processes. Compliance professionals will take away tips for asking the ‘right’ questions about the credentialing, privileging, and enrollment processes within their own organization.