Breaking Compliance News Blog

PEPPER Reports are here: Don't be outnumbered

Posted by Margaret Scavotto, JD, CHC on 4/24/19 8:00 AM

The latest PEPPER (Program for Evaluating Payment Patterns Electronic Report) reports have been released for SNF, LT, IRF, IPF, CAH and hospice providers. You can access your PEPPER online. Home health providers and partial hospitalization programs can expect their PEPPERs to arrive in July 2019.

This latest PEPPER uses statistics for October 1, 2017 through September 30, 2018. To download your PEPPER, the Chief Executive Officer, President, Administrator, Compliance Officer, or Quality Assurance/Performance Improvement Officer needs to:

  1. Visit the PEPPER Resources Portal
  2. Enter your information. Note: A patient control number (UB04 form locator 03a) or medical record number (UB04 form locator 03b) from a claim for a traditional Medicare FFS beneficiary with a claim "from" or "through" date between July 1 - Sept. 30, 2018, will be required.
  3. Download your PEPPER!

If you need help, review the Secure PEPPER Access Guide.

Will you get your PEPPER? You should.

Last year, on average, less than half of providers viewed their PEPPER reports. For example:

  • IL: 50.79%
  • CA: 44.93%
  • NY: 44.86%

(% of SNFs that accessed their PEPPER reports in the state between April 16, 2018 and March 20, 2019). 

Providers who don't download their PEPPERs are missing out on some valuable data.

Why PEPPER matters

Your PEPPER report can help you compare your organization to other providers, and determine whether you have been identified as an outlier at risk for improper payments. PEPPER considers a provider to be an outlier if its Target Areas are at or above the 80th percentile, or at or below the 20th percentile, depending on the area. If your PEPPER shows you are an outlier, an internal audit should be conducted to identify any improper payments or non-compliant practices. CMS is quick to point out that variances from the national data do not necessarily mean billing irregularities have occurred. However, it would be wise to determine why the government has identified you as an outlier.

In other words, the government is mining your data and evaluating your claims—and so should you. By incorporating PEPPER data into your compliance auditing strategy, you can identify potential areas of non-compliance that could make you a government target. And of course, a "good" PEPPER should not give you false confidence about your claims – MPA recommends conducting documentation reviews to ensure claims are appropriate, even if you aren't an outlier.

Don’t wait

PEPPER comes once a year, but our attention to it should be ongoing. Don't wait for the report to be released in April. Work with your billing department to see what reports you can run internally to track the Target Areas as part of your compliance efforts. This way, there will be no surprises in April 2020.


Topics: PEPPER

Compliance and HIPAA Training Handbooks are Here!

Posted by Margaret Scavotto, JD, CHC on 4/16/19 9:17 AM

MPA's Compliance and HIPAA training handbooks for healthcare staff are here!


Help your staff get HIPAA right, all day, every day.

MPA noticed that most HIPAA training doesn't cover the top calls we get: snooping, selfies, social media, and other common breaches.

This HIPAA training handbook won't tell your staff that HIPAA was enacted in 1996 - because that won't help your staff make good HIPAA decisions on a daily basis. This handbook will, however, provide common sense HIPAA information your staff need to succeed in healthcare.

Each chapter is accompanied by a mini-quiz to test staff knowledge.

Learn more.


Help your staff get compliance right, all day, every day.

MPA noticed that most compliance training does not cover the daily risks most healthcare staff encounter - or is written in legalese that is challenging for many healthcare employees.

This training handbook won't tell your staff that OIG stands for "Office of Inspector General," because that isn't going to help most of your staff understand compliance. This handbook will break down compliance concepts in simple, understandable chapters to help them do their jobs in a way that follows your compliance program. 

Each chapter is accompanied by a mini-quiz to test staff knowledge.

Learn more.


Topics: Compliance Basics, Training and Education, HIPAA, Culture of Compliance, MPA's Compliance Store

There's no HIPAA for cats, by the way.

Posted by Margaret Scavotto, JD, CHC on 4/2/19 11:18 AM

Last week, my husband and our five-year-old daughter took our dog to the vet for a check-up. When they came home, my five-year-old was very excited to tell me that she got to talk to Dr. Julie about Abby's tooth cleaning and Jack's nail trimming.

Abby and Jack are my mother's cats, who, in case it isn't obvious, also see Dr. Julie.

I was astounded! Until my husband reminded me: "There's no HIPAA for cats, Margaret."

That's right. Of course!

But this got me thinking. If Abby and Jack were people, we would have a pretty big problem on our hands. My mother lives four minutes away. So do my nephews. So do my aunt and uncle. There's some overlap in doctors and dentists in our family (in addition to veterinarians). We bump into each other all over town.

And yet, thanks to HIPAA, we all expect and trust that our medical information will be kept private. Can you imagine it any other way? Can you imagine the chaos that would ensue if everyone discussed everyone else's tooth cleanings and nail trimmings all over town, as if we were cats?

Aristotle said what separates humans from the animals is rationality. I think it's HIPAA, too.



Topics: HIPAA

HIPAA Alert: Dozens of Northwestern employees potentially fired for accessing Jussie Smollett's records

Posted by Margaret Scavotto, JD, CHC on 3/19/19 12:50 PM

CBS 2 (Chicago) reported that potentially 60 Northwestern Memorial Hospital employees were terminated for accessing Jussie Smollett's medical records, without authorization, during a hospital stay following a highly publicized assault. 

One terminated Northwestern employee reported she was fired after she "went into the charting system and started to search [Smollett]'s name." The fired employee did this out of "morbid curiosity." Others were potentially terminated for asking if the actor was admitted to the hospital under an alias. 

Northwestern has not commented on the alleged firings, and we do not know for sure whether the firings occurred; if so, how many firings occurred; and whether HIPAA was violated.

But we do know that all healthcare providers struggle with the challenge of unauthorized access of patient records (also known as snooping). It happens with celebrities and other high-profile patients: car accident victims, employee relatives and friends, co-workers, and hometown heroes.

What you can do:

  • Admit high-profile patients under an alias.
  • Limit access with your EHR controls.
  • Monitor access regularly. Increase monitoring when you have a high-profile patient.
  • Use alerts to warn users and your compliance team when access is exceeded.
  • Have your breach analysis policy and decision tree nearby for when access is exceeded.
  • Train staff on the consequences of exceeding access. One "morbid curiosity" click could cost them their job.

Need help reminding your staff not to snoop medical records? HIPAA Every Day, MPA's HIPAA training handbook for healthcare employees, addresses snooping.


Topics: HIPAA

I’ll have a brown sugar rosemary latte and a HIPAA breach, please.

Posted by Margaret Scavotto, JD, CHC on 3/12/19 8:43 AM

The other day I stopped by my favorite local coffee shop for an afternoon pick-me-up. I ordered my guilty pleasure – a brown sugar rosemary latte – and sat down in the only available seat on the lobby couch to wait.

A few minutes later, a young woman came in and sat down next to me, opened her laptop, and began clack-clacking away (a common occurrence, as this coffee place is known as an unofficial co-working space).

I got up to get my latte, sat back down, and noticed that the woman was on the phone. I began reading an article about a recent HIPAA breach (in a moment you will learn the irony in this), and tried not to be distracted by her call. But, I couldn’t help but notice she seemed to be talking about a patient. She mentioned the patient’s name and birthday, and then scheduled an appointment for him. She went on to do this for several other patients. Then she called a few patients to check on their condition and well-being. I also couldn’t help but notice that she was typing information into some kind of EMR database.

If this was a cartoon, my head would have exploded at this moment.

When my disbelief faded into the reality that this person – perhaps some kind of case worker or social worker – was in fact discussing patients and their health care information – I had a sinking feeling in my stomach. Does this really happen? Am I on some kind of brainy reality TV show for HIPAA professionals? How could two people sitting on the same couch have such different reactions to these phone calls? How could I be so appalled – and this woman be oblivious and even pleased to be accomplishing so much?

I’ll tell you why: awareness and training.

I think about HIPAA all the time. I follow HIPAA settlements and headlines daily, blog about them, and build training programs and policies around them. So, I see HIPAA everywhere.

I don’t know what kind of HIPAA training my couch neighbor has had. It could be she was trained extensively and chose to ignore the advice. Or perhaps it is more likely that she wasn’t trained on HIPAA – or at least, not recently – and not on protecting patient privacy when working remotely.

What about your staff? Would they know what to do?



Topics: Training and Education, HIPAA, Culture of Compliance

Margaret Scavotto writes for HCCA: Compliance When Nobody is Watching

Posted by Margaret Scavotto, JD, CHC on 2/13/19 8:54 AM

Compliance When Nobody is Watching

by Margaret Scavotto, JD, CHC

Everyone knows an effective compliance program needs leaders, policies, training, audits, reporting, investigations, corrective action, and discipline.

You probably already have these elements in place. You have policies and training to help your employees do the right thing. You have audits to verify that your employees are following compliance policies (and doing the right thing). 

Read more here.

For Compliance Today: Copyright 2019 Compliance Today, a publication of the Health Care Compliance Association (HCCA).



Topics: Culture of Compliance

Stay informed in 2019

Posted by Margaret Scavotto, JD, CHC on 2/5/19 11:31 AM

MPA scours OIG and OCR enforcement updates and news headlines so you don't have to.

Every month, we summarize enforcement trends and bring you the latest compliance and HIPAA developments, and deliver them to your inbox in our Monthly Compliance News Report.

Not yet a subscriber? Use coupon code NEWYEAR to save 25% off the price when you sign up.  

You can read a sample report here.


Topics: Compliance Basics

10,000 steps to compliance

Posted by Margaret Scavotto, JD, CHC on 1/23/19 7:51 AM

Don’t be discouraged by the title - this story is actually (hopefully) encouraging.

When I first got my Fitbit, I learned I averaged 5,000 to 6,000 steps a day. A few times a week I’d get far more than that, but my weekday average could be better.

Around Thanksgiving 2018, I decided to pick up the pace and set a goal of reaching 10,000 steps a day - no matter what.

I went to Zumba at the Y (7,000 steps), walked around my in-laws’ pond (1,000 steps), walked up and down the stairs at my office (100 steps), and danced around the kitchen (as many steps as it took).

I hit 10,000 steps 14 days in a row. And then I kept going. I of course have an off day every now and then. But overall, I feel better when I find the time to get 10,000 steps. And over time, it’s become easier to work this into my day.

What does this have to do with compliance?

Compliance professionals often tell me: I start working on compliance, but then I get distracted and weeks go by. I start working on an audit and then something else comes up and by the time I get back into the audit, I have to re-learn the entire process. I want to spend more time on compliance, but there is just so much else to do.

The problem here is that compliance needs to be part of our daily routine, no matter what. 

By consistently reaching a small goal (10,000 steps a day), I achieved a bigger goal: I lost 10 pounds. Compliance is the same way. If you commit to working on compliance consistently - even slowly but surely - over time, you will be rewarded with bigger results.

Here are some ways you can commit to compliance every day – and achieve big goals over time:

  • In 5 minutes, you can go over a compliance tip, question or flash card with an employee, making a positive connection with compliance and reinforcing compliance knowledge.
  • In 10 minutes, you can walk the halls and increase your visibility as Compliance Officer.
  • In 20 minutes, you can conduct a HIPAA walk-through audit of a department.
  • In 30 minutes, you can review a policy with an employee.

Make room for small tasks, and watch your compliance program meet big goals in 2019.


Topics: Compliance Officer & Committee, Compliance Basics, Culture of Compliance

*Free Webinar* MPA and Wolters Kluwer present: Creating a Culture of Compliance

Posted by Margaret Scavotto, JD, CHC on 1/17/19 7:52 AM

Every compliance program needs policies, training, reporting, leadership and audits to succeed – but it’s not enough. Federal guidance makes clear that an effective compliance program requires a strong culture to support it. Practical experience also teaches us that culture will make or break a compliance program.


We will walk through steps providers can take at the employee, management and board levels to cultivate a compliance culture that takes your company in a direction of employee trust, internal reporting, audits with integrity, and compliance strength.

  • Using examples from the headlines, we will walk through real-world fact patterns and decisions that shaped compliance culture.
  • Learn to identify steps providers can take to promote a positive culture of compliance, as well as strategies to counteract negative culture forces. Approaches will include board involvement, staff training, accountability and incentives, and more.
  • Learn conventional and unconventional strategies for building your own culture of compliance.

Wolters Kluwer Legal & Regulatory U.S. is pleased to partner with Above the Law for CLE accreditation.* Upon the conclusion of each webinar an informal certificate of completion will be issued by Wolters Kluwer Legal & Regulatory U.S. Attendees will also receive an official certificate via email from Above the Law's third party CLE provider, Marino Law.

*CLE available for NY, NJ and CA. A Uniform Certificate of Attendance for CLE credit will be issued for all other states.


Topics: Training and Education

Stay informed in 2019

Posted by Margaret Scavotto, JD, CHC on 1/15/19 6:27 AM

MPA scours OIG and OCR enforcement updates and news headlines so you don't have to.

Every month, we summarize enforcement trends and bring you the latest compliance and HIPAA developments, and deliver them to your inbox in our Monthly Compliance News Report.

Not yet a subscriber? Use coupon code NEWYEAR to save 25% off the price when you sign up.  

You can read a sample report here.


Topics: Compliance Basics
