Training Programs
Audits & Assessments
Regulatory MonitoringArchive for HHS
The Department of Health and Human Services (HHS) failed to fully implement recommendations made by the Office of Inspector General (OIG), according to the OIG’s “Compendium of Unimplemented Office of Inspector General Recommendations”, released May 29.
The OIG provided the recommendations after completing various audits pertaining to healthcare fraud and abuse.
The OIG’s priority recommendations, which are explained in more detail in the document itself, include:
- Modify payment policy for Medicare hospital bad debts (estimated savings $340 million)
- Reduce the rental period for Medicare home oxygen equipment (estimated savings $3.2 billion)
- Modify payments to managed care organizations (estimated savings $1.97 billion)
- Extend additional rebate payment provision to generic drugs (estimated savings $966 million)
- Limit enhanced payments to cost and require that Medicaid payments returned by public providers be used to offset the federal share (estimated savings $120 million)
- Ensure Medicaid reimbursement for brand-name and generic drugs accurately reflects pharmacy acquisition costs (estimated savings $1.08 billion for brand-name drugs and TBD for generic drugs)
Are RACs violating CMS’ own rules? Palomar Medical Center in Escondido, CA believes they are.
CMS requires “good cause” for reopening and reviewing claims more than one year after payment, but RACs regularly reopened claims between one and four years old during the demonstration project without just cause.
Palomar is continuing its fight against this practice; it filed a complaint against HHS in U.S. District Court Southern District of California March 24.
Palomar’s fight began in 2007 when PRG-Schultz-the RAC for California during the demonstration project-denied a 2005 claim. Palomar appealed the denial to the Administrative Law Judge level. In October 2008, the ALJ decided in Palomar’s favor. The ALJ also found that PRG-Shultz “had not shown ‘good cause’ to reopen the claim more than one year after payment, as required by Medicare regulations,” according to the complaint Palomar filed in March. The ALJ also determined it had jurisdiction to determine whether the RAC properly reopened the claim.
However, the Medicare Appeals Counsel reversed the ALJ’s decision that the reopening was improper and “held that the ALJ lacked jurisdiction to determine whether the RAC had lawfully reopened the claim,” according to a February 13 letter to Palomar.
The complaint Palomar filed in March asserts the decision to overturn the ALJ ruling violates Palomar’s right to due process and that the RAC violated Medicare rules for reopening claims in effect during the demonstration project.
Per 42 CFR § 405.980(b)(1), a contractor can reopen a claim for any reason within one year of payment, however to open a claim between one and four years post-payment, contractors must have “good cause” to do so per 42 CFR § 405.980(b)(2).
This has been a long-standing concern-many healthcare organizations believe the RACs bent CMS’ own rules during the demonstration project.
The decision whether RACs can reopen claims more than one year after payment is important to many healthcare organizations with small operating margins.
The Health and Human Services (HHS) department has named Dr. David Blumenthal as the national coordinator for health information technology, according to a March 20 Associated Press/Miami Herald news release. Blumenthal, who had most recently been the director of the Institute for Health Policy at The Massachusetts General Hospital/Partners HealthCare System, will help determine how to spend the $19 billion outlined in the American Recovery and Reinvestment Act of 2009 that President Obama signed into law on February 17.
By Dom Nicastro
HIPAA privacy and security officers received their second major wakeup call this week that HIPAA enforcement efforts are on the rise.
The Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) announced Wednesday that CVS, the nation’s largest retail pharmacy chain, will pay the U.S. government $2.25 million and take corrective action in a settlement for potential privacy breaches affecting millions of patients.
The settlement ends an investigation by the HHS Office for Civil Rights (OCR) that began with media reports that CVS used industrial trash containers to dispose of patient information outside selected stores. The containers weren’t secured and were publicly accessible, according to a February 18 HHS press release.
CVS also settled potential violations of the FTC Act with the FTC.
According to HHS, CVS Caremark Corp., the pharmacy chain’s parent company, violated the privacy of millions of its customers when it improperly disposed of patient information, such as pill bottle labels. According to HHS, CVS:
- Failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process
- Failed to adequately train employees on how to dispose of such information properly
The announcement comes just one day after U.S. President Barack Obama signed into law the $787 billion economic American Recovery and Reinvestment Act of 2009 that includes provisions for heightened enforcement of HIPAA and stiffer penalties for privacy and security violations.
“[HHS] needed a poster child, and CVS was that poster child,” says Chris Apgar, CISSP, president of Apgar & Associates in Portland, OR.
“All of these things are culminating to totally revise HIPAA security, which I think is great,” says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA. “The government has been saying for years one of the biggest stumbling blocks to adopting electronic health records (EHR) is patient privacy. The public has to feel confident that their information is well protected.”
According to the terms of the resolution agreement, CVS must implement a robust corrective action plan that requires:
- Privacy rule compliant policies and procedures for safeguarding disposed patient information
- Employee training on HIPAA
- Employee sanctions for noncompliance
In addition, CVS must monitor its compliance with the HHS and FTC orders by having a third party conduct assessments and report to the federal agencies. The HHS corrective action plan lasts three years; the FTC requires monitoring for 20 years.
“I think we have become lax in our compliance assurance,” says Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, FHIMSS, president of Margret\A Consulting, LLC of Schaumburg, IL, and cofounder and member of the board of examiners of Health IT Certification.
Amatayakul says because there is not an overabundance of enforcement, complaints, or activity from patients who request their privacy rights, providers have regressed in their compliance efforts.
CVS’ settlement comes nine months after HHS tagged Providence Health & Services for $100,000 as part of a resolution agreement that also included a corrective action plan for the Seattle-based health system to settle potential HIPAA privacy and security rule violations that occurred in 2005 and 2006, according to a July 17, 2008 HHS press release.
Nor was the resolution agreement with Providence Health & Services the only major news last year surrounding HIPAA privacy and security enforcement. The Office of Inspector General (OIG) issued a largely critical report, “Nationwide Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight [A-04-07~05064],” reviewing CMS’ HIPAA security rule oversight, implementation, and enforcement on October 27, 2008.
In addition, the FTC’s new Red Flags rules that will help facilities prevent identity theft with proper policies and procedures become enforceable May 1.
“It’s a lot of things converging at the same time,” Borten says. “It gives us a real impetus to really take this seriously.”
Though she has yet to see the full report on the investigation, Amatayakul says CVS may have had a hard time disposing of the labels “because the labels are hard to put through a shredder. If they were on bottles that’s even more difficult to discard. Still, these are not excuses for inattention to appropriate safeguards.”
Borten reminds providers not to overlook the fundamental details of protecting patients’ privacy, such as shredding documents. “Even things that seem obvious are still tripping us up,” she notes.
Editor’s note: The HHS Resolution Agreement and Corrective Action Plan can be found on the OCR Web site.
OCR has posted new FAQs that address the HIPAA privacy rule requirements for disposal of protected health information. They can be found on the OCR Web site.
Information about the FTC consent order agreement is available at www.ftc.gov.
A consumer group aims to monitor quality of Medicare billing and get rid of waste. But an appeals court won’t let them for now, the Associated Press reports.
A federal appeals court on January 30 overturned the decision to allow the nonprofit Consumers’ Checkbook access to medical billing records under the federal Freedom of Information Act. HHS and the AMA appealed the initial 2007 ruling, and a three-judge panel, in a split decision, reversed the decision.
“The requested data does not serve any (freedom-of-information-related) public interest in disclosure,” Circuit Judge Karen LeCraft Henderson wrote for the majority, the Associated Press reports. “Accordingly, we need not balance the nonexistent public interest against every physician’s substantial privacy interest in the Medicare payments he receives.”
“The majority opinion seems to misunderstand how these data would be used,” Robert Krughoff, president of the consumer group, told the Associated Press. “It doesn’t accurately portray how the data can be used to monitor the quality of healthcare provided under the Medicare program.”
BREAKING NEWS FROM HCPRO
HHS announces final timeline for transition to ICD-10-CM
Regulation names October 1, 2013 as implementation date
The Department of Health and Human Services (HHS) announced on January 15 the final regulation to replace the ICD-9-CM code sets now used to report healthcare diagnoses and inpatient procedures with the more advanced ICD-10-CM code set currently used in other nations. The final regulation will implement the ICD-10-CM code set two years later than HHS initially proposed: October 1, 2013.
The new timeline comes as welcome news to the industry, which feared that the original proposed 2011 implementation date wouldn’t give organizations enough time to prepare for the change.
Gloryanne Bryant, BS, RHIA, RHIT, CCS, senior director of coding and health information management (HIM) compliance for Catholic Healthcare West (CHW) in San Francisco, says CHW’s recommendation was that an implementation date should have “at least three complete years, and because the implementation date would come out in January, we would foresee that moving [implementation] ahead would make more sense for everybody. So I’m pleased with the dates in the final rule.”
Dan Rode, MBA, CHPS, FHFMA, vice president of policy and government relations for The American Health Information Management Association (AHIMA) in Washington, DC, agrees. “It certainly gives people plenty of time to implement and do the testing. On the other hand, it’s not a reason to think that we can sit by for a while until we get closer to 2013. The concerns that we’ve raised about what has to be done over the next few years are still in front of us.”
“We’ve got an extra year, so let’s use it wisely,” he says.
The delay in implementation did cause some mixed feelings. Jennifer Avery, CCS, CPC-H, regulatory specialist with HCPro, Inc. in Marblehead, MA, admitted to some excitement over the proposed 2011 date. “I’m sad in a way,” she says. “This gives us a little more time to prepare. At the same time, I can’t see why prolonging it will make it any better.”
Nearly 30 years old, ICD-9-CM will run out of possible code combinations within a year. The present code set includes 17,000 codes, while ICD-10-CM includes more than 155,000 possible code combinations. This greater number of combinations allows ICD-10-CM to expand and keep up with new diagnoses and inpatient procedures. The United States is virtually the last industrialized country to adopt ICD-10-CM, according to a statement on the AHIMA Web site.
A second final rule issued concurrently with the ICD-10-CM final rule states the pending adoption of the X12 data standard, Version 5010, which includes updated standards for claims, remittance advice, eligibility inquiries, referral authorizations, and other administrative transactions that will take effect January 1, 2012. The current X12 standard, Version 4010/4010A1, cannot accommodate the use of ICD-10-CM code sets, making this change crucial. The second final rule also references Version D.0 for pharmacy transactions and NCPDP Version 3.0, a standard for the Medicaid pharmacy subrogation transaction.
Small health plans have an additional year to adopt 5010 and must be compliant with Version 3.0 by January 1, 2013.
According to the CMS press release, both regulations will be published on January 16. To view them when published, go to www.gpoaccess.gov/fr/browse.html. Click “Go” next to 2009.
Get blog updates in your e-mail
Subscribe to our free RAC Report e-zine
