Over $25 million in HIPAA-Related fines in 2018 - What's Ahead for 2019?

2018 was a memorable year in the healthcare industry for a variety of reasons, including enforcement activities. The HHS OIG’s unprecedented Fraud Takedown resulted in the OIG charging more than 600 defendants in 58 federal districts with participating in fraud schemes involving about $2 billion in losses to Medicare and Medicaid. Not to be outdone, the HHS Office of Civil Rights (OCR) had a record-breaking year with respect to HIPAA violation settlements and Civil Monetary Penalties. In September 2018, a trio of hospitals gained notoriety for their settlement with the OCR over allegations related to allowing a film crew to record patients without their consent. In October 2018, the single largest penalty of the year, $16 million, was levied against Anthem for a 2015 data breach impacting 78,800,000 plan members.

If the 2018 enforcement actions and fines imposed by State Attorneys General are any type of crystal ball into what 2019 may hold, HIPAA covered entities should consider their liabilities under State law as further support for refreshing their commitments to HIPAA compliance.

VantagePoint HealthCare Advisors 2018 Holiday Food Drive Exceeds Expectations

The VantagePoint HealthCare Advisors team came together again this year to collect non-perishable food items for the Connecticut Food Bank. Collectively, the staff contributed 205lbs of food, about 60lbs more than collected in 2017. Credentialing Specialists Margaux Martinez and Ingrid McManus coordinated the collection effort and kindly performed the heavy lifting duties. Between the food and monetary donations from remote staff, VantagePoint was able to provide over 200 meals for our neighbors in need.

Welcome EKRA to the Pantheon of Healthcare Fraud Laws

Healthcare Compliance Officers with oversight responsibilities that include a reference laboratory, SUD treatment facility, recovery home or related entity have something new to add to their 2019 compliance plans. EKRA, the Eliminating Kickbacks in Recovery Act of 2018 (Section 8122 of the SUPPORT Act) went into effect as of October 24, 2018.  EKRA is an all-payor anti-kickback law intended to address improper payments for patient referrals to recovery homes, clinical treatment centers, or clinical laboratories.  According to the National Law Review, “broad language enables the federal government to monitor provider arrangements intended to generate business for any laboratory services, not only those related to individuals in treatment for substance abuse disorders, payable by a federal health care program (“FHCP”) or commercial health insurer.”

Outrage often breeds legislation. The recent high-profile fraud and abuse cases involving questionable services at sober homes and the ‘great gold rush’ of laboratories capitalizing on demand for urine toxicology screening set the stage for EKRA.

10 Cents? The Going Rate for a Breached Social Security Number

On November 3, 2018, Inova Health System initiated the process of sending the HIPAA required breach notification letters to nearly 13,000 patients. The scope of the data breach involving Inova’s billing system included patient names, addresses, birth dates, medical record details and Social Security numbers. Treatment information of a restricted number of patients was also possibly accessed. While many patients are most fearful of their social security numbers being exposed, recent research indicates the value of the SSN is shockingly low on the black market in contrast to the havoc and worry of potential identity theft. According to a Forbes article entitled Your Electronic Medical Records Could be Worth $1000 to hackers, Yao (2017, April 14) states “How much is your life worth to hackers? On the black market, the going rate for your social security number is 10 cents. Your credit card number is worth 25 cents. But your electronic medical health record (EHR) could be worth hundreds or even thousands of dollars.”

HHS OCR to 'Tighten the Screws' on HIPAA Privacy and Security Enforcement

According to Stempniak (2018, October 29) as reported in McKnight’s Long-Term Care News, the Health and Human Services (HHS) Office of Civil Rights (OCR) receives approximately 20,000 HIPAA related complaints per year. The article further advises “Providers need to start tightening the screws on their privacy and security programs because scrutiny is about to get a little harsher.”

The Tension Between Expanding Access and Increasing Utilization

As reported in Becker’s Hospital Review, physician groups and MEDPAC have pushed back on the CMS proposal on virtual care reimbursement. According to Gooch (2018, October 10), “CMS proposed the virtual care reimbursement in its update to the 2018 Medicare Physician Fee Schedule and Quality Payment Program. Under the proposal, Medicare would pay physicians $14 per virtual check-in versus the cost of a $92 patient visit. The virtual check-in would last about five to 10 minutes. Physicians are concerned the Medicare payment would leave patients on the hook for a 20 percent cost-sharing charge.”

The article goes on to cite MEDPAC concerns regarding the convenience factor associated with direct-to-consumer telehealth solutions that on the face would appear to expand access, but have the potential to increase overall utilization. The CMS proposal, per Administrator Verma, is part of their Patients Over Paperwork effort and includes reimbursing providers at the rate of $14 for ‘virtual’ check-ins, and these check-ins could be performed by an eligible advance practice provider (NP or PA). Administrator Verma suggests that reimbursing for virtual check-ins may reduce costs to the Medicare program by eliminating unnecessary visits. This point of view neglects to consider the evidence from prior expansions of coverage under the Physician Fee Schedule, including reimbursement above and beyond the E/M visit fee for tobacco use cessation counseling (Decision memo CAG-00241N), that demonstrates expanded access (or coverage) does not translate to direct savings. Savings from the proposed virtual visit fees may ultimately show up in less obvious and quantifiable places, like reduced ER or Urgent Care visits.

The 'Opportunity' to 'Buy Down' Coverage on the PPACA Exchanges

Hot from the CMS Newsroom on October 11, 2018:

Average 2019 premium rates for a benchmark plan represent the first decline in rates since the Federally-facilitated Exchange began in 2014.

  • The average second lowest cost silver plan (SLCSP) premium decreased by 1.5% in 2019. By comparison, the average SLCSP increased by 37% from 2017 to 2018.

  • Actual premium increases on average may be even lower, as consumers “buy-down” coverage. When faced with high premiums, consumers have the opportunity to buy-down to coverage with higher cost sharing and lower premiums.

  • Stabilizing premiums will help retain healthier people in the risk pool.

The term ‘buy-down’ coverage is a new one. Yes. When consumers are faced with a higher premium, indeed, if they don’t abandon coverage altogether, they will roll the dice with a high-deductible plan. Not a new concept and precisely the type of outcome that contributes to uncompensated care and bad debt for healthcare providers. Sounds more like the ‘opportunity’ for a cost shift!

OIG Work Plan Updates: September 2018

The September 2018 additions to the HHS OIG Work Plan were limited to two, both somewhat esoteric and unlikely to impact the majority of healthcare providers.

  1. Review of Opioid Use in Indian Health Service: Consistent with prior OIG work plan items regarding Medicare Part D and Medicaid, this work plan addition will seek to “determine the extent to which beneficiaries are receiving extreme amounts of opioids through Indian Health Service (IHS), as well as IHS-employed prescribers and IHS-run pharmacies that have questionable prescribing or dispensing patterns. This review will also determine how IHS prevents and detects opioid misuse or abuse, as well as how it enforces its opioid-related policies.”

  2. Follow-up Review of Head Start Grantee: Pertains to one specific entity, not applicable to wider constituencies at this time.

New additions to the work plan of import added in August 2018 during the height of vacation season that slipped by VantagePoint scrutiny included:

  1. Physician Billing for Critical Care Evaluation & Management Services: As an exclusively time-based service, physicians must clearly document the time spent evaluating, providing direct care and managing the patient in order to qualify for reimbursement of a critical care E/M visit. Per the OIG, “This review will determine whether Medicare payments for critical care are appropriate and paid in accordance with Medicare requirements.”

  2. Hospitals' Compliance with Medicare's Transfer Policy With the Resumption of Home Health Services and the Use of Condition Codes: Hospitals transferring a patient to another facility or home health service are subject to a reduction in DRG payment. The OIG seeks to “determine whether Medicare appropriately paid hospitals' inpatient claims subject to the postacute care transfer policy when (1) patients resumed home health services after discharge or (2) hospitals applied condition codes to claims to receive a full DRG payment.”

The Gift that Keeps on Giving: The 21st Century Cures Act & Updates to the LCD Process

The Centers for Medicare & Medicaid Services (CMS) has posted revisions to chapter 13 of the Medicare Program Integrity Manual (PIM). These revisions were required by a provision of the 21st Century Cures Act meant to enhance the transparency of the local coverage determinations (LCD) process administered by Medicare Administrative Contractors (MACs).

Key changes include a clearer process roadmap in language that can be understood by the different constituencies eligible to request an LCD, including beneficiaries; streamlined process for requesting new LCDs; and expansion of Contractor Advisory Committee (CAC) meeting format options and individuals eligible to participate.

Silver Tsunami? A Quaint Understatement

Unlike a tidal wave, a tsunami, also known as a seismic sea wave, is characterized by a series of waves, sometimes caused by an earthquake hundreds of miles from shore. We’ve heard about the silver tsunami for years in respect to the number of baby boomers entering retirement and subsequently qualifying for Medicare. Tsunamis take folks on-shore by surprise; there really should be no surprise in the healthcare industry regarding what’s happening in respect to the demand for home health and hospice services.

According to Holly (2018, September 26), “Another 1.2 million baby boomers became Medicare beneficiaries between the first quarter of last year and the close of Q1 of 2018. With the overall system, there are currently about 58 million beneficiaries, looking at both the Medicare Advantage (MA) program and traditional fee-for-service Medicare. As has widely been reported, the share of beneficiaries in Medicare Advantage plans is growing fast. About 35% of Medicare beneficiaries are currently enrolled in MA plans, but that’s projected to check in closer to 40% or higher in the not-too-distant future. More than one-third of all Medicare beneficiaries live in one of five states: California, Florida, Texas, New York or Pennsylvania. Within the next 15 years, the number of beneficiaries is expected to reach 80 million.”

Now that CMS is allowing Medicare Advantage plans to offer supplemental benefits that include the type of in-home custodial and non-emergent medical transportation support that the traditional Medicare home health benefit doesn’t allow, demand for these services will serve to reshape home health delivery models.

Medicare Advantage Season is Upon Us! Watch the Supplemental Offerings

In a low-key announcement in Spring 2018, CMS cracked open the door to allowing Part C (Medicare Advantage) plans to add non-skilled Home Health services to their 2019 supplemental benefits. October 1st is the big reveal for Part C plan sponsors, the date each year when they are permitted to post their upcoming plan year offerings ahead of open enrollment, and if Anthem’s move is any indication, we’re going to see some interesting benefit packages hit the market.

Anthem’s supplemental offering for 2019 is branded as ‘essential’ or ‘everyday’ extras. Beneficiaries considering Anthem Medicare Advantage plans can elect an add-on package of services that include food delivery, non-emergent medical transportation, assistive devices, alternative medicine, adult day center services and personal home helpers. With 3 percent of all Medicare Advantage members in an Anthem plan, this is a strategic volley into a crowded and competitive marketplace.

MGH Study Highlights How Breaches Have Changed

A Massachusetts General Hospital study confirms how dramatically in 8 short years the landscape of HIPAA reportable breaches has changed.

As noted by Donovan (2018, September 26) “In 2010, the most common type of healthcare data breach was theft of physical records, but by 2017 hacking or other IT incidents accounted for the largest number of breaches, followed by unauthorized access to or disclosure of patient data. The most common type of breached media in 2010 was from laptop computers followed by paper and film records, while by 2017 network servers or emails accounted for the largest number of breaches. Overall, the greatest number of patient records were breached from network servers, the study found.”

Several factors account for the shift in breach characteristics. The great gold rush of Meaningful Use incentive eligible EHR implementations really didn’t hit its stride until 2012-2014. According to HealthIT.gov, by 2016 98% of eligible hospitals had adopted certified EHR technology. Sometimes systems were implemented before organizations fully understood all the HIPAA/HITECH security support needed to stay in compliance and, frankly, HIPAA Privacy Officers were by and large caught unawares of the shift they would need to make in their focus and response to breach threats. Lastly, there is an element of paying attention to something causing an increase in reports. In recent years, the Office of Civil Rights (OCR) has penalized covered entities for delays in discovery and reporting of breaches. The result of this high profile activity is an increase in timely reports by entities that are more risk averse.

Part 2 Remains Intact

The hopes of HIM professionals, HIPAA Privacy Officers and some SUD program administrators were dashed with the decision by Congress that the bicameral version of the pending opioid legislation will not include provisions to align 42 CFR Part 2 with HIPAA in respect to the Treatment, Payment, and Operations (TPO) exclusions. As health systems increasingly diversify offerings to include services meeting the definition of a Part 2 program, the complexity of managing consents, authorizations, and routine exchange of clinical information for continuity of care will not be eased as was hoped by the stakeholders managing the intersection of HIPAA and Part 2 compliance.

Not all stakeholders are disappointed. The Legal Action Center (LAC) released a celebratory notice, stating in part, “In the midst of the nation’s worst addiction epidemic in history, we must ensure that our policies encourage people to seek the care they need to get and stay well.”

Liquid Gold & Lincoln Law Violations: The Saga Continues

Lots of focus in compliance circles lately on the urine toxicology laboratory sector and widespread allegations of fraud, waste, and abuse. In the rush to throw every resource at managing the opioid addiction crisis, a formerly staid and boring sector of the laboratory services industry is having a moment in the spotlight. Unfortunately, the liquid gold rush is turning into a bust featuring false claims act investigations and settlements.

The latest DOJ settlement comes from the Eastern District of Kentucky against a laboratory in Woburn, Massachusetts. Calloway Laboratories, Inc. has been ordered to pay $1.3 million to settle False Claims Act and Anti-Kickback violations. According to the DOJ announcement, “As part of the settlement agreement, Calloway acknowledged that it provided free testing supplies to physicians for the purpose of inducing or rewarding referrals of urine drug testing to Calloway.  Calloway then submitted claims to Medicare and TRICARE seeking payment for the testing referred by these physicians.”

All-payer Claims Databases: Are the promises to lower costs real? or just wishful thinking?

All-payer claims databases are touted as one key to reducing overall healthcare costs because the notion is that the transparency associated with these tools will lead providers to change their behavior if they are an outlier and patients will use the associated tools to make better decisions about how they spend their healthcare dollars. So far? Not so much.

It’s tempting to view healthcare as a rational market where the customers (patients) make data driven decisions, but as Bannow (2018, September 15) points out, “Despite the rise in high-deductible health plans, the majority of Americans still are “very insulated” from the actual cost of healthcare…That's one thing that dampens the use of the tools resulting from all-payer claims databases.” The other factor is the emotion, belief systems, and non-rational thought that plays a role in healthcare decisions. If only we had a database to solve for that!

Beware. Wearables and the data transmitted are not subject to HIPAA protections....yet.

The average patient may not be super health literate on their individual chronic conditions, how their health plans work, or how to comparison shop using the emerging price transparency tools, but they do know one healthcare acronym: HIPAA.

According to Donovan (2018, September 11) in an interview with Andrew Boyd, Assistant Professor in the Masters of Health Informatics program at the University of Illinois,

“Health data collected by Fitbit, for example, is not governed by the HIPAA Privacy Rule. It is governed by contract law and the licensing agreement with your software provider,” Boyd noted.

“When it becomes part of the health record, that is when the security protection gets added on. But right now it appears that, for all of the patient health data generated, these devices are not governed by healthcare law,” Boyd said.

“Do people realize that the data collected by wearables is not necessarily protected by the HIPAA Privacy and Security Rules?”

While it’s probably pretty natural and expected that those on the leading edge of technical innovation might not think about something as staid and boring as HIPAA, until the healthcare industry and regulators catch up, perhaps at the very least these devices should come with appropriate warnings regarding data security and privacy?

HHS/OCR Cybersecurity Newsletter: Considerations for Securing Electronic Media and Devices

In addition to enforcing compliance with the Privacy and Security Rules, the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services issues guidance for HIPAA covered entities in the form of newsletters. The August 2018 Cybersecurity Newsletter may have gotten lost in the end-of-summer vacation and Labor Day shuffle, but given the near daily stories of data breaches resulting from internal staff errors, hackers and technical failures, the physical safeguard vulnerabilities of portable media and devices merit review.

In the newsletter, the OCR concedes healthcare organizations deploy myriad electronic devices, including hardware such as desktop workstations, laptops, smartphones, and tablets; as well as electronic media storage devices, like hard drives, USB/thumb drives, CDs/DVDs, tapes and memory cards. With the possible exception of larger hardware like servers and desktops, theft or loss is a risk. The PHI contained on devices and media can also be compromised by improper disposal. The newsletter also offers suggestions on questions covered entities should ask internally when developing policies and procedures to reduce risks of loss, theft, and/or breach of PHI through appropriate Physical Safeguards and device/media tracking.

The Issue Behind the Headline: Is Long-Term Care a Right?

For revenue cycle consultants in New England, the September 5th headline in McKnight's Long-Term Care News begs clicking to learn more: MassHealth found to be in violation of federal regulations.

The article describes a June 2018 Suffolk County Superior Court ruling against MassHealth for "violation of federal Medicaid regulations by issuing “standardized” eligibility denial notices in long-term care coverage cases for excess countable assets held in a trust." Seems pretty esoteric, but the impact on SNF/Nursing Home residents as described in the article, as well as on the facilities caring for the residents, appears significant. The generic notices left the elder and their family (if they have family that is involved) without specific information to track down support to refute the determination, and the facilities are left without reimbursement because the law prohibits discharging the resident for non-payment.

Increasingly, individuals and advocacy groups refer to healthcare as a right. Our laws implicitly support this view to the extent healthcare providers and hospitals accepting Medicare or Medicaid must provide emergency care without regard to ability to pay, cannot balance bill patients covered by government programs, and in states like Massachusetts, cannot evict a long-term care facility resident for lack of ability to pay in situations detailed in the McKnight's article. Healthcare delivery has also evolved into a big business. Arguably, a business unlike any other due to the aforementioned laws and more.

As the silver wave crests and the ranks of the 'oldest old' swell, long-term care demand may outstrip supply. We'll need to collectively address the question the article begs: is long-term care a right?

Vulnerable medical devices putting patients at risk

Due to the cost of replacing expensive medical devices such as infusion pumps or network connected MRIs, healthcare organizations typically keep equipment until it no longer works. Unfortunately, this means that these devices remain vulnerable and a possible opening for malicious attackers.

The fear is that, beyond freezing systems or hijacking medical records as they did during WannaCry, hackers could also actively manipulate medical equipment to harm patients by, say, administering a lethal dose of medication via an infusion pump. While newer devices aren’t ironclad, they are typically built with more robust security features.

Under a proposed new program "health-care providers would be compensated for junking old equipment, and could use the rebates toward the purchase of new devices." And, in April 2018, the FDA took steps towards incorporating a security review into any new device's premarket review with the Medical Device Safety Action Plan.