Beyond the Affordable Care Act: Key Regulatory Changes and their Implications for Providers
Minnesota Ambulatory Surgery Center Association Annual Conference
April 27, 2012
Jennifer Reedstrom Bishop
Jesse Berg
FRAUD & ABUSE ENFORCEMENT: A NATIONAL PRIORITY
• “And finally, we’re going to reduce by half the amount of waste, fraud and abuse in the Medicare system, protecting your Medicare and the American taxpayer’s money.” – President Obama, June 9, 2010
• The numbers tell the story:
  – CBO—Medicare trust fund exhausted by 2017
  – Medicare fraud estimated to cost $60 billion per year
  – $17 recovered for every $1 invested in fighting health care fraud
  – $13.1 billion returned to Medicare trust fund under 1997 Health Care Fraud and Abuse Control Program
Overview of Presentation
• CMS Program Integrity Initiatives
• OIG Focus on Exclusion
• Proposed Rule on Overpayments
• Stark Law Self-Disclosure Protocol
• ACO Waivers for Fraud and Abuse Laws
• HIPAA Enforcement
The Future of Program Integrity?
Enrollment: Tools of the Trade
• Provider and Supplier Enrollment Regulations
  – 42 CFR Part 424, Subpart P (424.500’s) (Medicare)
    • Establishing and maintaining billing privileges
    • New screening requirements
  – 42 CFR Part 498 and 42 CFR 405.874
    • Appeals process
  – Specific requirements depending on provider/supplier type:
    • 42 CFR 410.33 (IDTFs)
    • 42 CFR 424.57 and 424.58 (DME standards and accreditation)
  – 42 CFR Part 455 (Medicaid)
Enrollment: Tools of the Trade
• Medicare Manual Provisions
  – Medicare Program Integrity Manual (CMS Pub. 100-08)
    • Chapter 10 (general application processing for all types of 855 applications)
    • Chapter 15 (requirements for specific types of providers, suppliers, site verification process, appeals process)
  – Medicare State Operations Manual (CMS Pub. 100-07)
    • Chapter 2
    • Chapter 3
Enrollment: Tools of the Trade
• Regulatory Development of Key Enrollment Initiatives:
  – Feb. 2, 2011—implementing provisions of ACA on screening, application fees, temporary enrollment moratoria, payment suspensions and Medicaid terminations of providers/suppliers that have had billing privileges revoked (76 Fed. Reg. 5682)
  – May 5, 2010—implementing provisions of ACA to require all providers/suppliers that qualify for NPI to include NPI on all applications to enroll in Medicare, Medicaid and on all claims for payment submitted under Medicare, Medicaid (75 Fed. Reg. 24437)
Enrollment: Tools of the Trade
• Regulatory Development of Key Enrollment Initiatives:
  – Jan. 2, 2009—surety bond requirements for DME suppliers (74 Fed. Reg. 166)
  – Nov. 19, 2008—established re-enrollment bar of 1 to 3 years on providers, suppliers that have had billing privileges revoked; placed limitations on provider, supplier retroactive billing (73 Fed. Reg. 69726)
  – Jun. 27, 2008—appeals process for CMS, MAC decisions on provider, supplier failure to meet requirements for billing privileges (73 Fed. Reg. 36448)
  – Nov. 27, 2007—changes to IDTF provisions (72 Fed. Reg. 66222)
Enrollment: Tools of the Trade
• Regulatory Development of Key Enrollment Initiatives:
  – Dec. 1, 2006—performance standards for IDTFs (71 Fed. Reg. 69624)
  – Apr. 21, 2006—requirements for providers/suppliers to establish and maintain billing privileges (71 Fed. Reg. 20754)
  – Oct. 11, 2000—additional standards for DME suppliers (65 Fed. Reg. 60366)
Pre-ACA Enrollment Initiatives
• Deactivations (42 CFR 424.540)
  – Done for providers/suppliers that have not submitted claims for more than 12 months or have not reported timely changes on applicable CMS-855
  – Intent to protect supplier/provider from abuse by others
  – Deactivation can lead to loss of income
  – Concerns about groups operating in more than one payment locality
  – Imposition of deactivation is not appealable administratively
Pre-ACA Enrollment Issues
• Revocations (42 CFR 424.535)
  – Effective retroactively or prospectively
  – Automatic enrollment bar of 1-3 years
  – Causes:
    • Failure to revalidate enrollment
      – Request never received?
      – Lacking letter never received
      – Lacking letter did not identify real problem
    • Practice location not operational
    • Telephone contact not operational
    • Letters returned to MAC
    • Failure to report suspension of licenses
    • Adverse legal actions, convictions
    • More…
ACA Developments: Enrollment
• New permissive exclusion, CMP authority (up to $50,000) applicable to enrollment
  – Misstatements, omissions, false statements, misrepresentations
• Medicare
  – Enrollment Screening
    • Tiered system depending on risk of category of provider/supplier (next slides)
    • Risk category increases with history of bad behavior
  – Application fees
CMS Assignment of Provider/Supplier Types Into Risk Categories
Limited:
• Physician or non-physician practitioners and medical groups or clinics, with the exception of physical therapists and physical therapy groups
• Ambulatory surgery centers
• Competitive acquisition program/Part B vendors
• ESRD facilities
• FQHCs
• Histocompatibility labs
• Hospitals, including CAH

Moderate:
• Ambulance suppliers
• Community mental health centers
• Comprehensive outpatient rehabilitation facilities
• Hospice organizations
• Independent diagnostic testing facilities
• Independent clinical labs
• Physical therapy including physical therapy groups
• Portable x-ray suppliers

High:
• Prospective (newly enrolling) home health agencies
• Prospective (newly enrolling) suppliers of DMEPOS
CMS Assignment of Provider/Supplier Types Into Risk Categories (continued)
Limited:
• Indian Health Service facilities
• Mammography screening centers
• Mass immunization roster billers
• Organ procurement organizations
• Pharmacies newly enrolling or revalidating via the CMS-855B
• Radiation therapy centers
• Religious non-medical health care institutions
• Rural health clinics
• Skilled nursing facilities

Moderate:
• Currently enrolled (revalidating) home health agencies
CMS Assignment of Level of Risk for Screening for Medicare Providers and Suppliers
Type of screening required, by risk level:
• Verification of any provider/supplier requirements established by Medicare
  – Limited, Moderate, High
• Conduct license verifications (which may include licensure checks across states)
  – Limited, Moderate, High
• Database checks to verify social security number (SSN); the National Provider Identifier (NPI); the National Practitioner Data Bank (NPDB) licensure, an OIG exclusion; taxpayer identification number; death of individual practitioner, owner, authorized official, delegated official or supervising physician.
  – Limited, Moderate, High
• Unscheduled or unannounced site visits
  – Moderate, High
• Fingerprint-based criminal history record check of law enforcement repositories
  – High
ACA Developments: Enrollment
• Enhanced Oversight for Provisional Period
  – Minimum 30 days and up to 1 year for new providers and suppliers
  – Enhanced oversight includes prepayment review, payment caps during provisional period
  – HHS to establish guidelines through program instructions
• Enrollment moratoria
ACA Developments: Enrollment
• Medicaid (42 CFR Part 455)
  – Monthly checks for excluded status recommended. Required?
    • CMS guidance
      – http://www.cms.gov/smdl/downloads/SMD061208.pdf
      – http://www.cms.gov/SMDL/downloads/SMD011609.pdf
  – Tiered system for enrollment screening
  – Site visits required for moderate to high risk categories, others discretionary
  – Screening of all providers at least every 5 years
ACA Developments: Payment Suspensions
• Statutory background:
  – ACA Section 6402(h): allows suspensions pending investigation of credible allegations of fraud
    • Medicare: adds Section 1862(o) to the Social Security Act, 42 USC 1395y(o)
      – Discretionary, good cause exceptions
      – Mandatory consultation with OIG
    • Medicaid: Amends Section 1903(I)(2) of the Social Security Act, 42 USC 1396b(I)(2)
      – No FFP unless good cause not to suspend payments to these entities
ACA Developments: Payment Suspensions
• Regulatory background:
  – Medicare:
    • 42 CFR Part 405, subpart C (42 CFR 405.370)
  – Medicaid:
    • 42 CFR 447.90, Part 455
  – Issued as part of the Feb. 2, 2011 Provider Enrollment Final Rules (76 Fed. Reg. 5862)
What is a “Credible Allegation of Fraud”?
• Not defined in ACA
• Medicare: credible allegation of fraud is an allegation from any source, including:
  – Fraud hotline complaints
  – Claims data mining
  – Patterns identified through provider audits, civil false claims cases and law enforcement investigations
• Allegations are considered to be credible when “they have indicia of reliability”
• Medicaid definition also includes requirement for state certification
Payment Suspensions: Medicare
• 18 months maximum duration, beyond which suspension cannot continue absent special circumstances
  – If case has been referred to, and is being considered by OIG; or DOJ submits written request to CMS to continue suspension
• Suspension for recovery of an overpayment might follow/extend one for investigation
• CMS consults with OIG, but ultimate authority rests with CMS
Payment Suspensions: Medicaid
• May be implemented without prior notice; 30 days plus 2 additional 30 days
• Deference to states in further defining “credible allegations” but recognition that standard will be lower than now existing
• No retroactive application, but upon effective date CMS expects states to suspend payments to those against whom there exist pending investigations of fraud
• Medicare’s 180 day limit for suspensions not adopted for Medicaid
Payment Suspensions: Medicaid
• State can decide that suspension is not in best interests of Medicaid program
• Good cause exception if provider submits written evidence that persuades the state not to pursue suspension
• No additional due process provisions, but notice of suspension should include existing appeal rights
• CMS promises close scrutiny of state performance-including documenting good cause determinations
OIG and Program Exclusion
Exclusion Statistics
• OIG has been implementing exclusions for decades:
• Over 2,662 individuals and entities excluded in FY 2011
• Over 48,000 individuals and entities currently excluded
Background on OIG Exclusion Authority
• Exclusions
  – Mandatory (SSA 1128(a)(1)-(a)(4))
  – Permissive (SSA 1128(b)(1)-(b)(15))
• Remedial in purpose
  – Protection of Federal health care programs and beneficiaries
    • Improper payment
    • Improper/abusive practices
    • No further program remuneration
Effect of Exclusion
• Individuals and entities are excluded from:
  – Medicare (Title XVIII)
  – Medicaid (Title XIX)
  – Maternal and Child Health Services Block Grants (Title V)
  – Block Grants to States for Social Services (Title XX)
  – State Children’s Health Insurance Program (Title XXI)
  – All Federal Health Care Programs
Effect of Exclusion
• No program payment for ANY items or services
  – In ANY capacity
  – In ANY setting (except emergency items/services)
  – For ANY administrative or management services
  – For ANY salary or fringe benefits
  – DIRECTLY to anyone
  – INDIRECTLY on any cost reports or reimbursement mechanisms
Impact of Exclusion on Individual
• Limitations on ability to be employee or contractor or a Medicare or Medicaid provider
• Cannot order services or write prescriptions which will be billed to a Federal health care program
Impact of Exclusion on Employers
• Once exclusion occurs, employers may not:
  – Employ or contract with excluded person, allow excluded person to direct the ordering or delivery of services or supplies, or undertake certain administrative duties
  – Whether or not direct care activities are involved
  – If any part of the task is reimbursed by Federal program dollars
  – Some LIMITED exceptions
Impact on Employers
• Screening
  – Charged by law with knowing the exclusion status of employees and contractors
  – Not required by law to check the OIG database
  – But, there may be sanctions (later) if “knew or should have known” of exclusion and submit the claim anyway
  – “Affirmative duty” to check status – online database makes it feasible
  – Special problem if rely on physician orders, e.g., labs, DME, imaging and home health
OIG Focus on Permissive Exclusion
• 1128(b)(8)—Entities Owned or Controlled by Sanctioned Person
  – Entity associated with an individual
    • Convicted under 1128(a) or 1128(b);
    • Had CMP or assessment imposed under 1128A; or
    • Has been excluded
  – Direct or indirect ownership or control interest of 5% or more, officer, director, etc.
OIG Focus on Permissive Exclusion
• 1128(b)(15) – Individuals Owning or Controlling Excluded Entity
  – Any individual who has a direct or indirect ownership/control interest in an excluded entity AND who knows or should have known of an action constituting the basis for exclusion or conviction
OIG Guidance on 1128(b)(15)
• Individuals with ownership or control interest in sanctioned entity may be excluded if they knew or should have known of the conduct that led to the sanction
• Officers and managing employees may be excluded solely based on their position with the sanctioned entity
• Presumption in favor of exclusion if owner knew or should have known of conduct
• Presumption in favor of exclusion if officer or managing employee knew or should have known of conduct
Exclusion of Officers/Managers Under Section 1128(b)(15)(A)(ii)
• In analyzing exclusion of officers and managers, OIG will consider:
  – Circumstances/seriousness of the offense
  – Individual’s role in the sanctioned entity
  – Individual’s actions in response to misconduct
  – Information about the entity
Recent Examples of OIG Enforcement
• Former CEO, Chief Scientific Officer and Chief Legal Officer of Purdue
• OIG exclusion under Sections 1128(b)(1) and (b)(3) of SSA
• December 13, 2010 District Court decision
  – Upholds 12-year exclusions of executives
• Appealed to DC Circuit Court
  – Oral arguments in Dec. 2011
Recent Examples of OIG Enforcement
• KV Pharmaceuticals convicted of mandatory exclusion offense
  – Executive “A” decided not to report manufacturing problems to FDA
• Mark Hermelin is former CEO and substantial owner of KV
• OIG excludes Hermelin under Section 1128(b)(15)(i)
• KV subject to potential exclusion under Section 1128(b)(8)
• OIG, KV and Hermelin reach settlement
  – Hermelin resigns from board and divests ownership
ACA Developments: New Exclusion Authority
• New authority to exclude provider, supplier for false statements, misrepresentation in application, enrollment – 42 USC § 1320a-7(b)(16)
• Broadens permissive exclusion for failure to supply information by not only those who furnish, but also those who order, refer for services or certify the need for items or services – 42 USC § 1320a-7(b)(11)
• Same individuals, physicians and suppliers must permit immediate examination of records
2010-2011 Employer Voluntary Disclosures and Penalties
• 22 reported self-disclosures involving CMPs paid by employers who employed an individual that they knew or should have known was excluded
  – Penalties range from $6001.15—$308,709.00
• Elder Service Plan of the North Shore (5/20/2010):
  – Agreed to pay $308,709
  – OIG alleged that ESPNS contracted with a dentist that ESPNS should have known was excluded from participation in Federal health care programs. ESPNS participates in the Program of All-Inclusive Care for the Elderly (PACE), which receives funding from the Medicare and Medicaid programs.
CMS Proposed Rule on Overpayment Recoveries
Overpayment Recoveries
• Criminal health care fraud statute (42 USC § 1320a-7b(a)) makes it a felony to knowingly and willfully:
  – Make, cause to be made false statements in claims for payment
  – Fail to disclose or conceal an event affecting initial or continued right to lawfully retain payment
• OIG historically cited as basis for providers’ obligation to return overpayments
Overpayment Recoveries
• Other historic obligations to return:
  – Stark Law
  – Case law
  – FERA (False Claims Act)
Overpayment Recoveries
• ACA Statutory Provision:
  – Must be reported and returned to CMS, state or contractor within the later of 60 days of “identification,” along with written notice of reason for overpayment
  – Failure to return within time frame is actionable as an “obligation” under False Claims Act
Overpayment Recoveries
• Proposed Rule:
  – Applies to Part A Providers and Part B Suppliers
  – Caution that there still may be liability for other providers and suppliers
    • FCA
    • CMPL
  – Future rulemaking
  – Operational concerns
    • Manual changes
    • Additional sub-regulatory guidance
Overpayment Recoveries
• Examples of overpayments
  – Medicare payments for non-covered services
  – Medicare payments in excess of allowable amount for an identified covered service
  – Errors and non-reimbursable expenditures in cost reports
  – Duplicate payments
  – Receipt of Medicare payment when another payor has primary responsibility
Process for Returning Overpayments
• Utilize existing voluntary refund process
  – Renamed self-reported overpayment refund process
• Requires reporting of information specified in regulation
  – description of corrective action plan to ensure error does not happen again
  – timeframe and total amount of refund for period during which problem existed that caused the refund
  – Statistical sampling
Identifying Overpayments
• Person has identified overpayment if the person has actual knowledge of the existence of overpayment or acts in reckless disregard or deliberate ignorance
• Deliberate ignorance and reckless disregard standard encourages self-directed compliance
Examples of “Identified”
• Provider reviews billing or payment records and learns that it incorrectly coded certain services, resulting in increased reimbursement
• Provider learns that patient death occurred prior to the service date on claim that had been submitted for payment
• Provider learns that services were provided by unlicensed or excluded individual
Examples of “Identified”
• Provider performs internal audit and discovers that overpayments exist
• Provider is informed by government agency of an audit and provider fails to make a reasonable inquiry
Stark Law Self-Disclosure Protocol
Stark Law Self-Disclosure Protocol
• Process for self-disclosure of violations of Stark Law
• Settle potential repayment obligations
• Disclosure process is very detailed
  – Description of violations
  – Full legal analysis
  – Detailed financial analysis
  – History of similar conduct
• Disclosures must be made in good faith
  – No advisory opinions
Stark SRDP
• CMS may still refer to DOJ and OIG
• Potential reduction in settlement, but not promises
• Factors in setting settlement amount:
  – Nature and extent of improper practices
  – Timeliness of self-disclosure
  – Cooperation in providing additional information
  – litigation risk to CMS
  – ability to pay
Stark SRDP
• First public one was Saint’s Medical Center (MA) that paid $579,000 settlement
• Was discovered during merger negotiations and due diligence
• Involved failure to meet personal services exception for medical directors, call coverage services
• CMS indicated fine could be as high as $14.5 million
SRDP Statistics
• Since SRDP became effective (9/23/10), CMS received
  – 150 disclosures from 148 providers
• Hospitals were heaviest reporters
  – 125 of the 150 from hospitals
  – Clinical labs reported 11 times
  – physician groups reported 8 times
• Failure to meet following exceptions:
  – personal services
  – non-monetary compensation
  – recruitment
  – space rental
SRDP Examples
• IA group practice paid $74,000 to resolve a failure to meet employment exception for several of its employed physicians.
• OH group paid $60 to settle violations of the in-office ancillary services exception for 2 claims that it billed to Medicare.
• CA hospital paid $6,700 to resolve violations of exceeding the Stark Law’s non-monetary compensation exception for a physician.
Medicare Shared Savings Program: ACO Waivers
Shared Savings Program – Regulatory Waivers
• ACO development and operation may appear inconsistent with fraud and abuse laws
  – Anti-kickback Statute
  – Stark Law
  – Civil Monetary Penalties Statute
Overview of Final Waivers
• ACO pre-participation waiver
• ACO participation waiver
• Shared savings distribution waivers
• Compliance with Stark Law waiver
• Patient incentive waiver
General Waiver Principles
• Apply uniformly to ACO, ACO participants and ACO providers/suppliers
• Self-implementing--no application or permission required
• Only required to meet criteria for one waiver
• Apply consistently across fraud & abuse laws (but only to these laws)
• No requirement for written and signed agreement
• No requirement that arrangements be fair market value or commercially reasonable
General Waiver Principles
• No regulations, just explanations of policy
• Number of waivers must be "reasonably related to the purposes" of SSP
  – Less prescriptive than "directly related" standard
  – Incentives to attract PCPs permissible, but:
    • Cannot pay per volume or value of referrals
    • Cannot be required to refer within ACO
Pre-participation waiver
• Good faith intent to develop ACO and submit application in particular year
• Diligent steps to meet SSP requirements, including governance and management
• ACO reasonably related to SSP
• Documentation and retention requirements
• Public disclosure of arrangement
• Submit statement if ACO fails to apply
Pre-participation Waiver
• Waiver may only be used during a single one year period
• Does not cover arrangements with drug or device manufacturers, distributors, HHA or DME companies
• Helpful for joint venture formation, start up costs. Would cover:
  – Infrastructure, network development and management; capital investment; creating performance-based incentives
  – Hiring staff; obtaining IT; creating management, quality improvement, care coordination mechanisms
• OIG/CMS list is non-exclusive
Participation Waiver
• Entered into ACO participation agreement; remains in good standing
• Governance, leadership and management requirements are met
• Reasonably related to SSP purposes
• Documentation and retention
• Public disclosure of arrangement
• Ends 6 months after expiration or termination
Participation Waiver
• Blanket waiver--all aspects of arrangement
• Likely to encompass most arrangements undertaken by ACOs
• No specific waiver for commercial payor ACO arrangements
• But waiver is not linked to source of ACO funds, so should apply to commercial arrangements
Shared Savings Distributions Waiver
• Participation agreement; remains in good standing
• Applies to savings earned under SSP
• Savings earned during term of participation agreement, even if distributed later
• Distributed during year in which savings were earned or used for activities reasonably related to purposes of SSP
• Payments from hospital to physician not made knowingly to induce reductions of medically necessary services to patients under physician's direct care
Compliance with Stark Law Waiver
• Waiver of AKS and gainsharing CMP for any financial relationship implicating Stark, so long as:
  – Participation agreement; remains in good standing
  – FR reasonably related to SSP purposes
  – FR meets Stark exception
• Waiver ends on expiration or termination of participation agreement
Anti-beneficiary Inducement Waiver
• Waiver of AKS and anti-beneficiary inducement CMP for items/services provided (in-kind) for free or below FMV to beneficiaries if:
  – Participation agreement; remains in good standing
  – Reasonable connection with beneficiary's medical care
  – Item/services are preventive or advance clinical goals of adherence to treatment regime, drug regime, follow-up care plan or chronic disease management
• Not applicable to items/services intended to encourage beneficiaries to seek care from ACO
• Does not cover financial incentives
Program Integrity Safeguards
• Screening of ACO applicants
  – Program integrity history, sanctions, affiliations with excluded providers
• Compliance plans/compliance official
• Continued compliance with SSP requirements and ACO agreement
• Authorized representative certify accuracy of statements, data provided to CMS
Program Integrity Safeguards
• Notification to beneficiaries of ACO participation
• Conflicts of interest policy
• Limitations on beneficiary inducements
  – No gifts for receiving services from or remaining in ACO
  – Items "reasonably connected" to medical care and that advance clinical goals may be provided
• Ongoing monitoring of ACO for avoidance of at-risk beneficiaries and compliance with quality performance standards
Program Integrity Safeguards
• Prohibition on required referrals and cost shifting
  – Cannot condition ACO participation on referrals of beneficiaries not assigned to ACO
  – Cannot require that beneficiaries be referred only to ACO participants (limited exception)
• Record retention requirements
• Termination from SSP if program integrity requirements not met
Program Integrity Safeguards
• Marketing restrictions and CMS oversight
  – "general audience" materials v. customized information
  – 5 day "file and use" policy for ACO marketing materials
    • Must certify compliance with ACO marketing guidelines (template language, not misleading, etc)
    • Deemed approved if CMS doesn't disapprove
  – CMS may issue notice of disapproval at any time (even after 5 day period)
• All ACO contracts must include provision addressing compliance with SSP requirements
• Limitation on participating in other "shared savings" initiatives
HIPAA Enforcement: A Perfect Storm
HIPAA Enforcement: A Perfect Storm
• Why?
  – Increased regulation and greater complexity
    • HITECH and HIPAA
    • State laws
  – Increasing volumes and types of information
    • EHRs
    • Mobile devices and locations
    • Social media
    • Online treatment options
  – Increasing enforcement
    • Enhanced penalties
    • Aggressive regulators
HITECH Audit Program
• HITECH required HHS to conduct periodic audits of Covered Entities & Business Associates
• 2 contracts (June, July 2011) with Booz Allen Hamilton and KPMG to engage in audits
  – Booz to identify “audit candidate information”
  – KPMG to develop audit protocol and conduct audits
• Audits to conclude by Dec. 31, 2012
HITECH Audit Program
• Audits to include
  – Site visit (interview with CIO, legal counsel, HIM/medical records director, other leaders)
    • Examination of physical features, operations and adherence to policies
  – Audit report:
    • Best practices noted; instances of noncompliance
    • Raw data (completed checklists, interview notes)
    • Recommendations for actions to address compliance problems
    • Recommendations to HHS for corrective action
Federal Enforcement
• HHS required to investigate complaints if preliminary investigation indicates violation due to willful neglect
  – If HHS finds violation due to willful neglect, penalties are mandatory
• Distribution of CMPs:
  – Proceeds from CMPs to go to OCR for purposes of further Privacy and Security Rule enforcement activities
  – Portion will be paid directly to harmed individuals
    • Similar to qui tam provisions in False Claims Act
    • HHS must issue regulations within 3 years to implement this requirement
• HHS to conduct audits of CEs and BAs to ensure compliance with Privacy, Security Rules
State Attorney General Enforcement
• AGOs authorized to bring civil action in federal court against persons who violate HIPAA if AGO has reason to believe that violation threatens or adversely affects any state resident
  – Unless a federal action is pending
• Can enjoin violations and obtain damages:
  – $100 per separate violation with a cap of $25,000 for all identical violations within calendar year
  – Costs and attorneys’ fees
• AGO required to give HHS notice of suit
• HHS can intervene and take over action
• HHS can also file appeals
State Attorney General Enforcement
• HITECH provides state AGOs authority to bring civil actions on behalf of residents for violations of Privacy & Security Rules
  – AGO can obtain damages on behalf of residents and enjoin further violations
• OCR offered free training sessions for AGOs
  – Dallas, TX (Apr. 4-5, 2011)
  – Atlanta, GA (May 9-10, 2011)
  – Washington, DC (May 19-20, 2011)
  – San Francisco, CA (Jun. 13-14, 2011)
Top 5 Issues in Enforcement
Year: Issue 1; Issue 2; Issue 3; Issue 4; Issue 5
• 2010: Impermissible Uses & Disclosures; Safeguards; Access; Minimum Necessary; Notice
• 2009: Impermissible Uses & Disclosures; Safeguards; Access; Minimum Necessary; Complaints to Covered Entity
• 2008: Impermissible Uses & Disclosures; Safeguards; Access; Minimum Necessary; Complaints to Covered Entity
• 2007: Impermissible Uses & Disclosures; Safeguards; Access; Minimum Necessary; Notice
• 2006: Impermissible Uses & Disclosures; Safeguards; Access; Minimum Necessary; Notice
• 2005: Impermissible Uses & Disclosures; Safeguards; Access; Minimum Necessary; Mitigation
• 2004: Impermissible Uses & Disclosures; Safeguards; Access; Minimum Necessary; Authorizations
• 2003 (partial year): Safeguards; Impermissible Uses & Disclosures; Access; Notice; Minimum Necessary
Reported HIPAA Breaches in MN
• Covered entity: UnitedHealth Group--SACE; State: MN; Individuals affected: 16291; Date of breach: 1/26/2010; Type of breach: Unauthorized Access/Disclosure; Location of breached information: Paper; Date posted or updated: 6/9/2010
• Covered entity: UnitedHealth Group--SACE; State: MN; Individuals affected: 735; Date of breach: 3/2/2010; Type of breach: Theft, Unauthorized Access/Disclosure; Location of breached information: Paper; Date posted or updated: 8/4/2010
  – Summary: On March 2, 2010, the covered entity, United, discovered that remittance forms containing member information that accompany paper checks were stolen. The invoices contained the protected health information of over 735 individuals. The protected health information involved member information that allowed providers to properly record claim payments and credit accounts on behalf of each member for whom United was making a payment. Following the breach, the covered entity notified its clients of the incident, placed notice in The Miami Herald, provided each member with a credit monitoring package, reviewed its payment and remittance information controls, and notified its provider call centers to remain on a high level alert to monitor all remittance payments.
Reported HIPAA Breaches in MN
• Covered entity: Mayo Clinic; State: MN; Individuals affected: 1740; Date of breach: 7/15/2010; Type of breach: Unauthorized Access/Disclosure; Location of breached information: Electronic Medical Record; Date posted or updated: 9/20/2010
  – Summary: Following the breach, the covered entity: conducted an investigation; terminated the employee who had inappropriately accessed the PHI; re-educated its employees regarding patient privacy and access to PHI; enhanced its supervision of employees and monitoring of their access activity; notified individuals reasonably believed to have been affected and provided them with an information hotline and identity theft services at no cost, if so requested; placed a notice of the breach on its website and in the local newspaper; and submitted a breach report to OCR along with documentation of its voluntary compliance actions
• Covered entity: UnitedHealth Group--SACE; State: MN; Business associate involved: CareCore National; Individuals affected: 1270; Date of breach: 7/8/2010; Type of breach: Unauthorized Access/Disclosure; Location of breached information: Paper; Date posted or updated: 10/7/2010
Reported HIPAA Breaches in MN
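• Covered entity: Mankato Clinic; State: MN; Individuals affected: 3159; Date of breach: 11/2/2010; Type of breach: Theft; Location of breached information: Laptop
• Covered entity: North Memorial; State: MN; Business associate involved: Accretive Health, Inc; Individuals affected: 2,800; Date of breach: 7/25/2011; Type of breach: Theft; Location of breached information: Laptop
• Covered entity: Fairview Health Services; State: MN; Business associate involved: Accretive Health, Inc; Individuals affected: 14,000; Date of breach: 7/25/2011; Type of breach: Theft; Location of breached information: Laptop
• Covered entity: Fairview Health Services; State: MN; Individuals affected: 1,215; Date of breach: 2/19/2011; Type of breach: Loss; Location of breached information: Paper
• Covered entity: United Health Group Health Plan; State: MN; Business associate involved: Futurity First Insurance Group; Individuals affected: 3,994; Date of breach: 7/28/2011; Type of breach: Theft; Location of breached information: Other Portable Electronic Device
• Covered entity: InStep Foot Clinic, P.A.; State: MN; Individuals affected: 2,600; Date of breach: 8/28/2011; Type of breach: Theft; Location of breached information: Laptop, Electronic Medical Record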
Criminal HIPAA Enforcement
• Dr. Huping Zhou (April, 2010)
  – Sentenced to 4 months in prison, fined $2000
  – Pled to 4 misdemeanor counts of accessing and reading medical records
  – Accessed system 323 times during 3-week period after UCLA informed him he would be let go
  – No attempt to improperly use or sell the PHI
Criminal HIPAA Enforcement
• Dr. Richard Alan Kaye
  – Indicted June 21, 2011 for “wrongful disclosure” of PHI; maximum of 5 years in prison
  – Medical director of psychiatric care center at Suffolk, VA hospital
  – Treated patient between Aug. 20, 2007-Sep. 4, 2007
  – 3 occasions in Feb. 2008, Dr. Kaye disclosed PHI to patient’s employer
  – Did so under false pretenses that patient was a serious and imminent threat
State Attorney General Enforcement
• Health Net (July, 2010)
  – Connecticut AGO settled with insurer for $250,000
    • Additional $500,000 contingent fund in event lost PHI is used illegally
    • Corrective action plan
  – Health Net lost hard drive with over 500,000 patients’ PHI
  – Health Net delayed notifying individuals for 6 months
State Attorney General Enforcement
• WellPoint (July, 2011)
  – Indiana AGO settled with insurer for $100,000
    • Reimbursement of up to $50,000 per individual for any losses resulting from identity theft
  – 32,051 insurance applicants’ information was accessible to the public through unsecured website
  – Information accessible between Oct. 23, 2009-Mar. 8, 2010.
    • Consumer notified WellPoint on Feb. 22, 2010
    • Individuals not notified by WellPoint until Jun. 18, 2010
State Attorney General Enforcement
• Accretive Health, Inc.
  – July, 2011—laptop with 23,500 patients’ PHI stolen from car
  – Accretive is business associate of Fairview and North Memorial
    • FV and NM notified patients
  – AG suit alleges Accretive violated HIPAA, state health records law, debt collection and consumer fraud statutes
  – First action against business associate?
  – Status of HIPAA as to BAs?
Cignet Health (Feb. 2011)
• Denied 41 patients access to PHI; patients complained to OCR
• OCR written requests, calls and subpoena were ignored
• OCR obtained default judgment against Cignet
• OCR imposed $4.3 million penalty
UCLA-Reagan (July 2011)
• Allegations that UCLA employees repeatedly accessed ePHI of patients
  – Complaint filed on behalf of 2 celebrities
  – OCR investigation concluded that “numerous” other patients’ ePHI improperly accessed between 2005-2008
  – Alleged violations of both Privacy Rule and Security Rule
• UCLA paid $865,000 and agreed to corrective action plan and independent monitor of HIPAA compliance for 3 years
  – 165 employees disciplined, 2 former employees face criminal charges
Mass. Gen. Hospital (Feb. 2011)
• Hospital employee left documents on subway train commute
  – 192 patient records (some with HIV/AIDS)
• HHS alleged violations of Privacy Rule
• Mass. Gen agreed to pay $1 million and implement CAP
  – P & Ps subject to HHS approval
  – Independent monitoring of HIPAA compliance
  – Submit compliance reports to HHS for 3 years
Questions?
Jennifer Reedstrom Bishop, Gray Plant Mooty, (612) 632-3060 [email protected]
Jesse A. Berg, Gray Plant Mooty, (612) [email protected]