Beyond the Affordable Care Act: Key Regulatory Changes and their Implications for Providers Minnesota Ambulatory Surgery Center Association Annual Conference

Beyond the Affordable Care Act: Key Regulatory Changes and their Implications for Providers

Minnesota Ambulatory Surgery Center Association Annual Conference

April 27, 2012

Jennifer Reedstrom BishopJesse Berg

FRAUD & ABUSE ENFORCEMENT: A NATIONAL PRIORITY

• “And finally, we’re going to reduce by half the amount of waste, fraud and abuse in the Medicare system, protecting your Medicare and the American taxpayer’s money.”– President Obama, June 9, 2010

• The numbers tell the story:– CBO—Medicare trust fund exhausted by 2017 – Medicare fraud estimated to cost $60 billion per year– $17 recovered for every $1 invested in fighting health

care fraud– $13.1 billion returned to Medicare trust fund under

1997 Health Care Fraud and Abuse Control Program

2

3

Overview of Presentation

• CMS Program Integrity Initiatives• OIG Focus on Exclusion• Proposed Rule on Overpayments• Stark Law Self-Disclosure Protocol• ACO Waivers for Fraud and Abuse

Laws• HIPAA Enforcement

4

The Future of Program Integrity?

5

Enrollment: Tools of the Trade

• Provider and Supplier Enrollment Regulations– 42 CFR Part 424, Subpart P (424.500’s) (Medicare)

• Establishing and maintaining billing privileges• New screening requirements

– 42 CFR Part 498 and 42 CFR 405.874• Appeals process

– Specific requirements depending on provider/supplier type:

• 42 CFR 410.33 (IDTFs)• 42 CFR 424.57 and 424.58 (DME standards and

accreditation)

– 42 CFR Part 455 (Medicaid)

6


• Medicare Manual Provisions– Medicare Program Integrity Manual (CMS Pub. 100-

08)• Chapter 10 (general application processing for all types

of 855 applications)

• Chapter 15 (requirements for specific types of providers, suppliers, site verification process, appeals process)

– Medicare State Operations Manual (CMS Pub. 100-07)

• Chapter 2

• Chapter 3

7


• Regulatory Development of Key Enrollment Initiatives:– Feb. 2, 2011—implementing provisions of ACA on

screening, application fees, temporary enrollment moratoria, payment suspensions and Medicaid terminations of providers/suppliers that have had billing privileges revoked (76 Fed. Reg. 5682)

– May 5, 2010—implementing provisions of ACA to require all providers/suppliers that qualify for NPI to include NPI on all applications to enroll in Medicare, Medicaid and on al claims for payment submitted under Medicare, Medicaid (75 Fed. Reg. 24437)

8


• Regulatory Development of Key Enrollment Initiatives:– Jan. 2, 2009—surety bond requirements for DME

suppliers (74 Fed. Reg. 166)– Nov. 19, 2008—established re-enrollment bar of 1 to

3 years on providers, suppliers that have had billing privileges revoked; placed limitations on provider, supplier retroactive billing (73 Fed. Reg. 69726)

– Jun. 27, 2008—appeals process for CMS, MAC decisions on provider, supplier failure to meet requirements for billing privileges (73 Fed. Reg. 36448)

– Nov. 27, 2007—changes to IDTF provisions (72 Fed. Reg. 66222)

9


• Regulatory Development of Key Enrollment Initiatives:– Dec. 1, 2006—performance standards for

IDTFs (71 Fed. Reg. 69624)– Apr. 21, 2006—requirements for

providers/suppliers to establish and maintain billing privileges (71 Fed. Reg. 20754)

– Oct. 11, 2000—additional standards for DME suppliers (65 Fed. Reg. 60366)

10

Pre-ACA Enrollment Initiatives

• Deactivations (42 CFR 424.540)– Done for providers/suppliers that have not submitted

claims for more than 12 months or have not reported timely changes on applicable CMS-855

– Intent to protect supplier/provider from abuse by others

– Deactivation can lead to loss of income– Concerns about groups operating in more than one

payment locality– Imposition of deactivation is not appealable

administratively

11

Pre-ACA Enrollment Issues

• Revocations (42 CFR 424.535)– Effective retroactively or prospectively– Automatic enrollment bar of 1-3 years– Causes:

• Failure to revalidate enrollment– Request never received?– Lacking letter never received– Lacking letter did not identify real problem

• Practice location not operational • Telephone contact not operational• Letters returned to MAC• Failure to report suspension of licenses• Adverse legal actions, convictions• More…

12

ACA Developments: Enrollment

• New permissive exclusion, CMP authority (up to $50,000) applicable to enrollment– Misstatements, omissions, false statements,

misrepresentations

• Medicare– Enrollment Screening

• Tiered system depending on risk of category of provider/supplier (next slides)

• Risk category increases with history of bad behavior

– Application fees

13

CMS Assignment of Provider/Supplier Types Into Risk Categories

Limited Moderate High

•Physician or non-physician practitioners and medical groups or clinics, with the exception of physical therapists and physical therapy groups

•Ambulatory surgery centers

•Competitive acquisition program/Part B vendors

•ESRD facilities

•FQHCs

•Histocompatibiilty labs

•Hospitals, including CAH

•Ambulance suppliers

•Community mental health centers

•Comprehensive outpatient rehabilitation facilities

•Hospice organizations

•Independent diagnostic testing facilities

•Independent clinical labs

•Physical therapy including physical therapy groups

•Portable x-ray suppliers

•Prospective (newly enrolling) home health agencies

•Prospective (newly enrolling) suppliers of DMEPOS

14

CMS Assignment of Provider/Supplier Types Into Risk Categories (continued)

Limited Moderate High

•Indian Health Service facilities

•Mammography screening centers

•Mass immunization roster billers

•Organ procurement organizations

•Pharmacies newly enrolling or revalidating via the CMS-855B

•Radiation therapy centers

•Religious non-medical health care institutions

•Rural health clinics

•Skilled nursing facilities

•Currently enrolled (revalidating) home health agencies

15

CMS Assignment of Level of Risk forScreening for Medicare Providers and Suppliers

Type of Screening Required Limited Moderate High

Verification of any provider/supplier requirements established by Medicare

X X X

Conduct license verifications (which may include licensure checks across states)

X X X

Database checks to verify social security number (SSN); the National Provider Identifier (NPI); the National Practitioner Data Bank (NPDB) licensure, an OIG exclusion; taxpayer identification number; death of individual practitioner, owner, authorized official, delegated official or supervising physician.

X X X

Unscheduled or unannounced site visits X X

Fingerprint-based criminal history record check of law enforcement repositories

X

16


• Enhanced Oversight for Provisional Period– Minimum 30 days and up to 1 year for new

providers and suppliers– Enhanced oversight includes prepayment

review, payment caps during provisional period

– HHS to establish guidelines through program instructions

• Enrollment moratoria

17


• Medicaid (42 CFR Part 455)– Monthly checks for excluded status

recommended. Required?• CMS guidance

– http://www.cms.gov/smdl/downloads/SMD061208.pdf

– http://www.cms.gov/SMDL/downloads/SMD011609.pdf

– Tiered system for enrollment screening– Site visits required for moderate to high risk

categories, others discretionary– Screening of all providers at least every 5

years

18

ACA Developments: Payment Suspensions

• Statutory background:– ACA Section 6402(h)-allows suspensions

pending investigation of credible allegations of fraud

• Medicare: adds Section 1862(o) to the Social Security Act, 42 USC 1395y(o)

– Discretionary, good cause exceptions– Mandatory consultation with OIG

• Medicaid: Amends Section 1903(I)(2) of the Social Security Act, 42 USC 1396b(I)(2)

– No FFP unless good cause not to suspend payments to these entities

19

ACA Developments: Payment Suspensions

• Regulatory background:– Medicare:

• 42 CFR Part 405, subpart C (42 CFR 405.370)

– Medicaid: • 42 CFR 447.90, Part 455

– Issued as part of the Feb. 2, 2011 Provider Enrollment Final Rules (76 Fed. Reg. 5862)

20

What is a “Credible Allegation of Fraud”?

• Not defined in ACA• Medicare: credible allegation of fraud is an

allegation from any source, including:– Fraud hotline complaints– Claims data mining– Patterns identified through provider audits, civil false

claims cases and law enforcement investigations

• Allegations are considered to be credible when “they have indicia of reliability”

• Medicaid definition also includes requirement for state certification

21

Payment Suspensions: Medicare

• 18 months maximum duration, beyond which suspension cannot continue absent special circumstances– If case has been referred to, and is being

considered by OIG; or DOJ submits written request to CMS to continue suspension

• Suspension for recovery of an overpayment might follow/extend one for investigation

• CMS consults with OIG, but ultimate authority rests with CMS

22

Payment Suspensions: Medicaid

• May be implemented without prior notice; 30 days plus 2 additional 30 days

• Deference to states in further defining “credible allegations” but recognition that standard will be lower than now existing

• No retroactive application, but upon effective date CMS expects states to suspend payments to those against whom there exist pending investigations of fraud

• Medicare’s 180 day limit for suspensions not adopted for Medicaid

23

Payment Suspensions: Medicaid

• State can decide that suspension is not in best interests of Medicaid program

• Good cause exception if provider submits written evidence that persuades the state not to pursue suspension

• No additional due process provisions, but notice of suspension should include existing appeal rights

• CMS promises close scrutiny of state performance-including documenting good cause determinations

24

OIG and Program Exclusion

25

Exclusion Statistics

• OIG has been implementing exclusions for decades:

• Over 2,662 individuals and entities excluded in FY 2011

• Over 48,000 individuals and entities currently excluded

26

Background on OIG Exclusion Authority

• Exclusions– Mandatory (SSA 1128(a)(1)-(a)(4))– Permissive (SSA 1128(b)(1)-(b)(15))

• Remedial in purpose– Protection of Federal health care programs

and beneficiaries• Improper payment• Improper/abusive practices• No further program remuneration

27

Effect of Exclusion

• Individuals and entities are excluded from:– Medicare (Title XVIII)– Medicaid (Title XIX)– Maternal and Child Health Services Block

Grants (Title V)– Block Grants to States for Social Services

(Title XX)– State Children’s Health Insurance Program

(Title XXI)– All Federal Health Care Programs

28

Effect of Exclusion

• No program payment for ANY items or services– In ANY capacity– In ANY setting (except emergency

items/services)– For ANY administrative or management

services– For ANY salary or fringe benefits– DIRECTLY to anyone– INDIRECTLY on any cost reports or

reimbursement mechanisms

29

Impact of Exclusion on Individual

• Limitations on ability to be employee or contractor or a Medicare or Medicaid provider

• Cannot order services or write prescriptions which will be billed to a Federal health care program

30

Impact of Exclusion on Employers

• Once exclusion occurs, employers may not:– Employ or contract with excluded person,

allow excluded person to direct the ordering or delivery of services or supplies, or undertake certain administrative duties

– Whether or not direct care activities are involved

– If any part of the task is reimbursed by Federal program dollars

– Some LIMITED exceptions

31

Impact on Employers

• Screening– Charged by law with knowing the exclusion

status of employees and contractors– Not required by law to check the OIG

database– But, there may be sanctions (later) if “knew

or should have known” of exclusion and submit the claim anyway

– “Affirmative duty” to check status – online database makes it feasible

– Special problem if rely on physician orders, e.g., labs, DME, imaging and home health

32

OIG Focus on Permissive Exclusion

• 1128(b)(8)—Entities Owned or Controlled by Sanctioned Person– Entity associated with an individual

• Convicted under 1128(a) or 1128(b);• Had CMP or assessment imposed under 1128A;

or • Has been excluded

– Direct or indirect ownership or control interest of 5% or more, officer, director, etc.

33

OIG Focus on Permissive Exclusion

• 1128(b)(15) – Individuals Owning or Controlling Excluded Entity– Any individual who has a direct or indirect

ownership/control interest in an excluded entity AND who knows or should have known of an action constituting the basis for exclusion or conviction

34

OIG Guidance on 1128(b)(15)

• Individuals with ownership or control interest in sanctioned entity may be excluded if they knew or should have know of the conduct that led to the sanction

• Officers and managing employees may be excluded solely based on their position with the sanctioned entity

• Presumption in favor of exclusion if owner knew or should have known of conduct

• Presumption in favor of exclusion if officer or managing employee knew or should have known of conduct

35

Exclusion of Officers/ManagersUnder Section 1128(b)(15)(A)(ii)

• In analyzing exclusion of officers and managers, OIG will consider:– Circumstances/seriousness of the offense– Individual’s role in the sanctioned entity– Individual’s actions in response to

misconduct– Information about the entity

36

Recent Examples of OIG Enforcement

• Former CEO, Chief Scientific Officer and Chief Legal Officer of Purdue

• OIG exclusion under Sections 1128(b)(1) and (b)(3) of SSA

• December 13, 2010 District Court decision– Upholds 12-year exclusions of executives

• Appealed to DC Circuit Court– Oral arguments in Dec. 2011

37

Recent Examples of OIG Enforcement

• KV Pharmaceuticals convicted of mandatory exclusion offense– “Executive “A” decided not to report manufacturing

problems to FDA

• Mark Hermelin is former CEO and substantial owner of KV

• OIG excludes Hermelin under Section 1128(b)(15)(i)

• KV subject to potential exclusion under Section 1128(b)(8)

• OIG, KV and Hermelin reach settlement– Hermelin resigns from board and divests ownership

38

ACA Developments: New Exclusion Authority

• New authority to exclude provider, supplier for false statements, misrepresentation in application, enrollment – 42 USC § 1320a-7(b)(16)

• Broadens permissive exclusion for failure to supply information by not only those who furnish, but also those who order, refer for services or certify the need for items or services – 42 USC § 1320a-7(b)(11)

• Same individuals, physicians and suppliers must permit immediate examination of records

39

2010-2011 Employer Voluntary Disclosures and Penalties

• 22 reported self-disclosures involving CMPs paid by employers who employed an individual that they knew or should have known was excluded– Penalties range from $6001.15—$308,709.00

• Elder Service Plan of the North Shore (5/20/2010):– Agreed to pay $308,709– OIG alleged that EPSNS contracted with a dentist

that ESPNS should have known was excluded from participation in Federal health care programs. ESPNS participates in the Program of All-Inclusive Care for the Elderly (PACE), which receives funding from the Medicare and Medicaid programs.

CMS Proposed Rule on Overpayment Recoveries

Overpayment Recoveries

• “Criminal health care fraud statute (42 USC § 1320a-7b(a)) makes it a felony to knowingly and willfully:– Make, cause to be made false statements in claims

for payment– Fail to disclose or conceal an event affecting initial or

continued right to lawfully retain payment

• OIG historically cited as basis for providers’ obligation to return overpayments

41


• Other historic obligations to return:– Stark Law– Case law– FERA (False Claims Act)

42


• ACA Statutory Provision:– Must be reported and returned to CMS,

state or contractor within the later of 60 days of “identification,” along with written notice of reason for overpayment

– Failure to return within time frame is actionable as an “obligation” under False Claims Act

43


• Proposed Rule:– Applies to Part A Providers and Part B

Suppliers– Caution that there still may be liability for

other providers and suppliers• FCA• CMPL

– Future rulemaking– Operational concerns

• Manual changes• Additional sub-regulatory guidance

44


• Examples of overpayments– Medicare payments for non-covered

services– Medicare payments in excess of allowable

amount for an identified covered services– Errors and non-reimbursable expenditures

in cost reports– Duplicate payments– Receipt of Medicare payment when another

payor has primary responsibility

45

Process for Returning Overpayments

•Utilize existing voluntary refund process– Renamed self-reported overpayment refund process

•Requires reporting of information specified in regulation

– description of corrective action plan to ensure error does not happen again

– timeframe and total amount of refund for period during which problem existed that caused the refund

– Statistical sampling

46

Identifying Overpayments

• Person has identified overpayment if the person has actual knowledge of the existence of overpayment or acts in reckless disregard or deliberate ignorance

• Deliberate ignorance and reckless disregard standard encourages self-directed compliance

47

Examples of “Identified”

• Provider reviews billing or payment records and learns that it incorrectly coded certain services, resulting in increased reimbursement

• Provider learns that patient death occurred prior to the service date on claim that had been submitted for payment

• Provider learns that services were provided by unlicensed or excluded individual

48

Examples of “Identified”

• Provider performs internal audit and discovers that overpayments exist

• Provider is informed by government agency of an audit and provider fails to make a reasonable inquiry

49

Stark Law Self-Disclosure Protocol

Stark Law Self-Disclosure Protocol

• Process for self-disclosure of violations of Stark Law

• Settle potential repayment obligations• Disclosure process is very detailed

– Description of violations– Full legal analysis– Detailed financial analysis– History of similar conduct

• Disclosures must be made in good faith– No advisory opinions

Stark SRDP

• CMS may still refer to DOJ and OIG• Potential reduction in settlement, but not

promises• Factors in setting settlement amount:

– Nature and extent of improper practices– Timeliness of self-disclosure– Cooperation in providing additional

information– litigation risk to CMS– ability to pay

Stark SRDP• First public one was Saint’s Medical

Center (MA) that paid $579,000 settlement

• Was discovered during merger negotiations and due diligence

• Involved failure to meet personal services exception for medical directors, call coverage services

• CMS indicated fine could be as high as $14.5 million

SRDP Statistics

• Since SRDP became effective (9/23/10), CMS received– 150 disclosures from 148 providers

• Hospital were heaviest reporters– 125 of the 150 from hospitals– Clinical labs reported 11 times– physician groups reported 8 times

• Failure to meet following exceptions:– personal services– non-monetary compensation – recruitment – space rental

54

SRDP Examples

• IA group practice paid $74,000 to resolve a failure to meet employment exception for several of its employed physicians.

• OH group paid $60 to settle violations of the in-office ancillary services exception for 2 claims that it billed to Medicare.

• CA hospital paid $6,700 to resolve violations of exceeding the Stark Law’s non-monetary compensation exception for a physician.

55

Medicare Shared Savings Program: ACO Waivers

57

Shared Savings Program – Regulatory Waivers

• ACO development and operation may appear inconsistent with fraud and abuse laws– Anti-kickback Statute– Stark Law– Civil Monetary Penalties Statute

Overview of Final Waivers

• ACO pre-participation waiver• ACO participation waiver• Shared savings distribution waivers• Compliance with Stark Law waiver• Patient incentive waiver

General Waiver Principles

• Apply uniformly to ACO, ACO participants and ACO providers/suppliers

• Self-implementing--no application or permission required

• Only required to meet criteria for one waiver

• Apply consistently across fraud & abuse laws (but only to these laws)

• No requirement for written and signed agreement

• No requirement that arrangements be fair market value or commercially reasonable

General Waiver Principles

• No regulations, just explanations of policy

• Number of waivers must be "reasonably related to the purposes" of SSP– Less prescriptive than "directly related"

standard– Incentives to attract PCPs permissible, but:

• Cannot pay per volume or value of referrals• Cannot be required to refer within ACO

Pre-participation waiver

• Good faith intent to develop ACO and submit application in particular year

• Diligent steps to meet SSP requirements, including governance and management

• ACO reasonably related to SSP• Documentation and retention

requirements• Public disclosure of arrangement • Submit statement if ACO fails to apply

Pre-participation Waiver

• Waiver may only be used during a single one year period

• Does not cover arrangements with drug or device manufacturers, distributors, HHA or DME companies

• Helpful for joint venture formation, start up costs. Would cover:– Infrastructure, network development and

management; capital investment; creating performance-based incentives

– Hiring staff; obtaining IT; creating management, quality improvement, care coordination mechanisms

• OIG/CMS list is non-exclusive

Participation Waiver

• Entered into ACO participation agreement; remains in good standing

• Governance, leadership and management requirements are met

• Reasonably related to SSP purposes• Documentation and retention• Public disclosure of arrangement• Ends 6 months after expiration or

termination

Participation Waiver

• Blanket waiver--all aspects of arrangement

• Likely to encompass most arrangements undertaken by ACOs

• No specific waiver for commercial payor ACO arrangements

• But waiver is not linked to source of ACO funds, so should apply to commercial arrangements

Shared Savings Distributions Waiver

• Participation agreement; remains in good standing

• Applies to savings earned under SSP• Savings earned during term of participation

agreement, even if distributed later• Distributed during year in which savings

were earned or used for activities reasonably related to purposes of SSP

• Payments from hospital to physician not made knowingly to induce reductions of medically necessary services to patients under physician's direct care

Compliance with Stark Law Waiver

• Waiver of AKS and gainsharing CMP for any financial relationship implicating Stark, so long as:– Participation agreement; remains in good

standing– FR reasonably related to SSP purposes– FR meets Stark exception

• Waiver ends on expiration or termination of participation agreement

Anti-beneficiary Inducement Waiver

• Waiver of AKS and anti-beneficiary inducement CMP for items/services provided (in-kind) for free or below FMV to beneficiaries if:– Participation agreement; remains in good standing– Reasonable connection with beneficiary's medical

care– Item/services are preventive or advance clinical

goals of adherence to treatment regime, drug regime, follow-up care plan or chronic disease management

• Not applicable to items/services intended to encourage beneficiaries to seek care from ACO

• Does not cover financial incentives

Program Integrity Safeguards

• Screening of ACO applicants– Program integrity history, sanctions,

affiliations with excluded providers

• Compliance plans/compliance official • Continued compliance with SSP

requirements and ACO agreement• Authorized representative certify

accuracy of statements, data provided to CMS


• Notification to beneficiaries of ACO participation

• Conflicts of interest policy• Limitations on beneficiary inducements

– No gifts for receiving services from or remaining in ACO

– Items "reasonably connected" to medical care and that advance clinical goals may be provided

• Ongoing monitoring of ACO for avoidance of at-risk beneficiaries and compliance with quality performance standards


• Prohibition on required referrals and cost shifting– Cannot condition ACO participation on

referrals of beneficiaries not assigned to ACO

– Cannot require that beneficiaries be referred only to ACO participants (limited exception)

• Record retention requirements• Termination from SSP if program

integrity requirements not met


• Marketing restrictions and CMS oversight– "general audience" materials v. customized

information – 5 day "file and use" policy for ACO marketing

materials • Must certify compliance with ACO marketing guidelines

(template language, not misleading, etc)• Deemed approved if CMS doesn't disapprove

– CMS may issue notice of disapproval at any time (even after 5 day period)

• All ACO contracts must include provision addressing compliance with SSP requirements

• Limitation on participating in other "shared savings" initiatives

HIPAA Enforcement: A Perfect Storm

HIPAA Enforcement: A Perfect Storm

• Why?– Increased regulation and greater complexity

• HITECH and HIPAA• State laws

– Increasing volumes and types of information• EHRs• Mobile devices and locations• Social media• Online treatment options

– Increasing enforcement• Enhanced penalties• Aggressive regulators

HITECH Audit Program

• HITECH required HHS to conduct periodic audits of Covered Entities & Business Associates

• 2 contracts (June, July 2011) with Booz Allen Hamilton and KPMG to engage in audits– Booz to identify “audit candidate

information”– KPMG to develop audit protocol and

conduct audits

• Audits to conclude by Dec. 31, 2012

HITECH Audit Program

• Audits to include– Site visit (interview with CIO, legal counsel,

HIM/medical records director, other leaders)• Examination of physical features, operations and

adherence to policies

– Audit report:• Best practices noted; instances of noncompliance• Raw data (completed checklists, interview notes)• Recommendations for actions to address

compliance problems• Recommendations to HHS for corrective action

7676

Federal Enforcement

• HHS required to investigate complaints if preliminary investigation indicates violation due to willful neglect– If HHS finds violation due to willful neglect, penalties

are mandatory

• Distribution of CMPs:– Proceeds from CMPs to go to OCR for purposes of

further Privacy and Security Rule enforcement activities

– Portion will be paid directly to harmed individuals• Similar to qui tam provisions in False Claims Act• HHS must issue regulations within 3 years to implement

this requirement

• HHS to conduct audits of CEs and BAs to ensure compliance with Privacy, Security Rules

7777

State Attorney General Enforcement

• AGOs authorized to bring civil action in federal court against persons who violate HIPAA if AGO has reason to believe that violation threatens or adversely affects any state resident– Unless a federal action is pending

• Can enjoin violations and obtain damages: – $100 per separate violation with a cap of $25,000 for

all identical violations within calendar year– Costs and attorneys’ fees

• AGO required to give HHS notice of suit

• HHS can intervene and take over action

• HHS can also file appeals

78


• HITECH provides state AGOs authority to bring civil actions on behalf of residents for violations of Privacy & Security Rules– AGO can obtain damages on behalf of residents and

enjoin further violations

• OCR offered free training sessions for AGOs– Dallas, TX (Apr. 4-5, 2011)– Atlanta, GA (May 9-10, 2011)– Washington, DC (May 19-20, 2011)– San Francisco, CA (Jun. 13-14, 2011)

80

Top 5 Issues in Enforcement

Year Issue 1 Issue 2 Issue 3 Issue 4 Issue 5

2010 Impermissible Uses & Disclosures

Safeguards Access Minimum Necessary

Notice



Complaints to Covered Entity



Complaints to Covered Entity



Notice



Notice



Mitigation



Authorizations

partial year 2003 Safeguards Impermissible Uses & Disclosures

Access Notice Minimum Necessary

81

Reported HIPAA Breaches in MN

Name of Covered Entity State

Business Associate Involved

Individuals Affected

Date of Breach Type of Breach

Location of BreachedInformation

Date Posted or Updated Summary

UnitedHealth Group--SACE MN 16291 1/26/2010

Unauthorized Access/Disclosure Paper 6/9/2010

UnitedHealth Group--SACE MN 735 3/2/2010

Theft, Unauthorized Access/Disclosure Paper 8/4/2010

On March 2, 2010, the covered entity, United, discovered that remittance forms containing member information that accompany paper checks were stolen. The invoices contained the protected health information of over 735 individuals. The protected health information involved member information that allowed providers to properly record claim payments and credit accounts on behalf of each member for whom United was making a payment. Following the breach, the covered entity notified its clients of the incident, placed notice in The Miami Herald, provided each member with a credit monitoring package, reviewed its payment and remittance information controls, and notified its provider call centers to remain on a high level alert to monitor all remittance payments.

82








Mayo Clinic MN 1740 7/15/2010Unauthorized Access/Disclosure

Electronic Medical Record 9/20/2010

Following the breach, the covered entity: conducted an investigation; terminated the employee who had inappropriately accessed the PHI; re-educated its employees regarding patient privacy and access to PHI; enhanced its supervision of employees and monitoring of their access activity; notified individuals reasonably believed to have been affected and provided them with an information hotline and identity theft services at no cost, if so requested; placed a notice of the breach on its website and in the local newspaper; and submitted a breach report to OCR along with documentation of its voluntary compliance actions

UnitedHealth Group--SACE MN

CareCore National 1270 7/8/2010

Unauthorized Access/Disclosure Paper 10/7/2010

83








Mankato Clinic MN 3159 11/2/2010 Theft Laptop

North Memorial MNAccretive Health, Inc 2,800 7/25/2011 Theft Laptop

Fairview Health Services MN

Accretive Health, Inc 14,000 7/25/2011 Theft Laptop

Fairview Health Services MN 1,215 2/19/2011 Loss Paper

United Health Group Health Plan MN

Futurity First Insurance Group 3,994 7/28/2011 Theft

Other Portable Electronic Device

InStep Foot Clinic, P.A. MN 2,600 8/28/2011 Theft

Laptop, Electronic Medical Record

84

Criminal HIPAA Enforcement

• Dr. Huping Zhou (April, 2010)– Sentenced to 4 months in prison, fined

$2000– Pled to 4 misdemeanor counts of accessing

and reading medical records – Accessed system 323 times during 3-week

period after UCLA informed him he would be let go

– No attempt to improperly use or sell the PHI

85

Criminal HIPAA Enforcement

• Dr. Richard Alan Kaye– Indicted June 21, 2011 for “wrongful

disclosure” of PHI; maximum of 5 years in prison

– Medical director of psychiatric care center at Suffolk, VA hospital

– Treated patient between Aug. 20, 2007-Sep. 4, 2007

– 3 occasions in Feb. 2008, Dr. Kaye disclosed PHI to patient’s employer

– Did so under false pretenses that patient was a serious and imminent threat

86


• Health Net (July, 2010)– Connecticut AGO settled with insurer for

$250,000• Additional $500,000 contingent fund in event lost

PHI is used illegally• Corrective action plan

– Health Net lost hard drive with over 500,000 patients’ PHI

– Health Net delayed notifying individuals for 6 months

87


• WellPoint (July, 2011)– Indiana AGO settled with insurer for

$100,000• Reimbursement of up to $50,000 per individual

for any losses resulting from identity theft

– 32,051 insurance applicants information were accessible to the public through unsecured website

– Information accessible between Oct. 23, 2009-Mar. 8, 2010.

• Consumer notified Well Point on Feb. 22, 2010• Individuals not notified by Well Point until Jun. 18,

2010

88


• Accretive Health, Inc.– July, 2011—laptop with 23,500 patients’ PHI

stolen from car– Accretive is business associate of Fairview and

North Memorial• FV and NM notified patients

– AG suit alleges Accretive violated HIPAA, state health records law, debt collection and consumer fraud statutes

– First action against business associate?– Status of HIPAA as to BAs?

Cignet Health (Feb. 2011)

• Denied 41 patients access to PHI; patients complained to OCR

• OCR written requests, calls and subpoena were ignored

• OCR obtained default judgment against Cignet

• OCR imposed $4.3 million penalty

90

UCLA-Reagan (July 2011)

• Allegations that UCLA employees repeatedly accessed ePHI of patients– Complaint filed on behalf of 2 celebrities – OCR investigation concluded that “numerous” other

patients’ ePHI improperly accessed between 2005-2008

– Alleged violations of both Privacy Rule and Security Rule

• UCLA paid $865,000 and agreed to corrective action plan and independent monitor of HIPAA compliance for 3 years– 165 employees disciplined, 2 former employees face

criminal charges

91

Mass. Gen. Hospital (Feb. 2011)

• Hospital employee left documents on subway train commute– 192 patient records (some with HIV/AIDS)

• HHS alleged violations of Privacy Rule• Mass. Gen agreed to pay $1 million and

implement CAP– P & Ps subject to HHS approval– Independent monitoring of HIPAA compliance– Submit compliance reports to HHS for 3 years

92

Questions?

Jennifer Reedstrom BishopGray Plant Mooty(612) 632-3060 [email protected]

Jesse A. BergGray Plant Mooty(612) [email protected]

Documents

Beyond the Affordable Care Act: Key Regulatory Changes and their Implications for Providers Minnesota Ambulatory Surgery Center Association Annual Conference