The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), recently entered a $400,000 Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement with Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC). The settlement serves as a stark reminder that all covered entities, including FQHCs, must meet the HIPAA Security Rule requirements and that OCR is continuing to step up enforcement efforts in this area.
A delay in timely breach notification may now cost you. The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently entered a settlement with Presence Health for untimely reporting of a breach of unsecured protected health information (PHI). Presence discovered that its operating room schedules containing PHI for 836 individuals were missing on October 22, 2013. Under the HIPAA Breach Notification Rule, breaches like this, which involve >500 individuals, must be reported to the individuals, prominent media outlets and OCR without unreasonable delay and in no case later than 60 days. Presence did not report the breach to OCR until January 31, 2014, approximately 100 days after discovering the breach. OCR’s investigation concluded that Presence failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals, the media and OCR. Presence agreed to pay $475,000 to settle the potential violations.
The Press Release and Resolution Agreement are available on the OCR website.
Written by: Jacob Simpson
On January 11, 2017, the Office of Inspector General (OIG) of the Department of Health and Human Services released a final rule that incorporates statutory changes, early reinstatement provisions, and policy changes, and clarifies existing regulatory provisions to the OIG’s authorities to exclude persons and entities from participating in Federal health care programs. The Affordable Care Act of 2010 expanded the OIG’s authority to exclude various individuals and entities from participation in Federal health care programs under section 1128 of the Social Security Act (Act). The changes in the final rule to the OIG’s authority were also based on the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA), which amended the OIG’s authority to waive certain exclusions under section 1128 of the Act.
A copy of the final rule is available at: http://go.usa.gov/x9Ugu
Written by: Clay J. Countryman
The Centers for Medicare & Medicaid Services (“CMS”) posted the final approved version of the Medicare Outpatient Observation Notice (“MOON”) on the CMS Beneficiary Notices Initiative website on December 8, 2016. According to CMS, all hospitals and critical access hospitals (“CAHs”) are required to provide the MOON beginning no later than March 8, 2017.
The MOON is a product of the Federal Notice of Observation Treatment and Implication for Care Eligibility Act (“NOTICE Act”), passed on August 6, 2015. The MOON standardizes notice to inform Medicare beneficiaries that they are an outpatient receiving observation services and are not an inpatient of the hospital or CAH. The notice must explain the reason that the patient is an outpatient and describe the implications of that status both for cost-sharing in the hospital and for subsequent eligibility for coverage.
Specifically, hospitals and CAHs must provide a MOON within 36 hours after observation services are initiated to Medicare beneficiaries who are placed in outpatient observation status for longer than 24 hours, must verbally discuss its contents with the patients, and obtain the required signatures. The hospital or CAH must also retain a signed copy of the MOON. Currently, the approved MOON includes a section for the hospital or CAH to explain the specific reason the patient is an outpatient instead of an inpatient. CMS has indicated that in the future, they may consider improving the MOON to include checkboxes with “common reasons for the patient’s outpatient status or suggested narratives for insertion in this section.”
A primary consequence for Medicare beneficiaries of being classified as a hospital outpatient is financial. For example, being an outpatient may affect what a beneficiary pays for treatment. When a Medicare beneficiary is a hospital outpatient, the observation stay is typically covered under Medicare Part B. Additionally, if a patient needs care from a skilled nursing facility (“SNF”) after leaving the hospital, Medicare Part A will only cover SNF care if the patient is classified as an inpatient for at least three consecutive days, not counting the day of discharge. Outpatient status would therefore not qualify a patient for Medicare Part A coverage of SNF care.
Hospitals and CAHs should ensure that appropriate policies are in place to address proper use of the MOON. Hospital and CAH employees should be educated on the required verbal explanation and signature requirements of the MOON. CMS has made available a copy of the approved MOON and accompanying instructions in both English and Spanish here. CMS expects hospitals to use “usual procedures” for delivering notice, such as “translators, interpreters and assistive technology.”
Centers for Medicare & Medicaid Services, Beneficiary Notices Initiative, https://www.cms.gov/Medicare/Medicare-General-Information/BNI/index.html?redirect=/bni/
Medicare Program, 81 Fed. Reg. 57,046 (Aug. 22, 2016).
Medicare Program, 81 Fed. Reg. 57,049 (Aug. 22, 2016).
Written by: Catherine Moore
Clay J. Countryman and Alec Alexander will be speaking at a workshop hosted by the Medical Group Management Association’s New Orleans chapter on September 28, 2016. Mr. Countryman will present “HIPAA Phase 2 Audits: Are you ready?” and Mr. Alexander will present “Fraud and Abuse: Compliance for Physician Practices and Recent Hot Topics.” The workshop will be located at the East Jefferson General Hospital Conference Center – Esplanade I in Metairie, Louisiana. For more information or to register, click here.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has started a second phase of audits for compliance with HIPAA Privacy, Security and Breach Notification Standards. The OCR has previously conducted an audit pilot phase and Phase 1 audits of HIPAA covered entities (i.e., healthcare providers, clearinghouses, and health plans). In this Phase 2 of the HIPAA audits, OCR will audit both covered entities and their business associates.
The U.S. Department of Health and Human Services Office of Inspector General (OIG) released updated guidance today, August 24, 2016, on the OIG’s views on the applicable independence and objectivity standards for Independent Review Organizations (IROs) that perform reviews required under Corporate Integrity Agreements (CIAs), such as claims reviews and cost report reviews. The OIG previously issued guidance in 2004 and 2010 to reflect updated standards and the additional types of IRO reviews included in CIAs. The guidance released today reflects the 2011 revisions to the GAO accounting standards.
Health care providers and other entities often enter into CIAs as a result of a settlement with the OIG related to allegations of violating certain civil false claims statutory provisions. Health care providers or entities agree to certain obligations in a CIA, including retaining an independent review organization to conduct annual reviews.
A copy is available on the OIG’s website at www.oig.hhs.gov.
Written by: Clay J. Countryman
On August 5, 2016, the United States Attorney for the Middle District of Georgia announced a civil settlement in which Sweet Dreams Anesthesia, a partnership of certified registered nurse anesthetists (CRNAs), paid over $1,015,000 to resolve allegations that Sweet Dreams paid kickbacks to ambulatory surgery centers to induce Medicare and Medicaid patients by providing free anesthesia drugs and through other financial transactions.
On July 28, 2016, the U.S. Department of Justice announced, “The Lexington County Health Services District Inc. d/b/a Lexington Medical Center located in West Columbia, South Carolina, has agreed to pay $17 million to resolve allegations that it violated the Physician Self-Referral Law (the Stark Law) and the False Claims Act by maintaining improper financial arrangements with 28 physicians.”
According to the government press release, “The United States alleged that Lexington Medical Center entered into asset purchase agreements for the acquisition of physician practices or employment agreements with 28 physicians that violated the Stark Law because they took into account the volume or value of physician referrals, were not commercially reasonable or provided compensation in excess of fair market value.”
Also as part of the settlement, Lexington Medical Center will enter into a Corporate Integrity Agreement (CIA) with the Department of Health and Human Services-Office of the Inspector General (HHS-OIG) that requires Lexington Medical Center to implement measures designed to avoid or promptly detect future conduct similar to that which gave rise to this settlement.
Written by: Clay J. Countryman
In settling allegations of violating the False Claims Act (FCA), healthcare providers often enter into a Corporate Integrity Agreement with the OIG in exchange for the OIG’s agreement not to exclude the provider from participation in Medicare or other federal health care programs. Corporate Integrity Agreements (CIAs) generally require a provider to establish or supplement an existing compliance program, with detailed requirements described in the CIA.