Breaking Compliance News Blog

OCR publishes audit report: How do you measure up?

Posted by Margaret Scavotto, JD, CHC on 1/26/21 2:50 PM


In December, the OCR published the results of the 2016-2017 Phase 2 HIPAA Audits, which included desk audits of 166 covered entities and 41 business associates. The audits sought to determine the extent to which these organizations comply with selected HIPAA rules. The OCR found:

  • Only 2% of covered entities fully met the content requirements for the Notice of Privacy Practices. Most of the rest failed to provide a notice written in plain language.
  • 57% of covered entities posted the Notice of Privacy Practices prominently on their websites (e.g. in a drop-down menu on the home page, or at the top or bottom of the home page).
  • 89% of covered entities failed to show they complied with the individual right of access.
  • 71% of covered entities issued breach notices in a timely manner.
  • 67% of covered entities provided breach notification letters that were missing required content.
  • 94% of covered entities “failed to implement appropriate risk management activities sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” For example: “In some instances, encryption was included as part of a remediation plan, but was not carried out or was not implemented within a reasonable timeframe.”
  • Only 14% of covered entities “are substantially fulfilling their regulatory responsibilities to safeguard ePHI they hold through risk analysis activities.”

For the remaining 86% of covered entities, which did not meet the risk analysis requirements, the OCR noted some common issues:

  • "Providers commonly submitted documentation of some security activities of a third party security vendor, but no documentation of any risk analysis that served as the basis of the activities.”
  • “Entities offered third party template policy manuals that contain no evidence of entity-specific review or revision and no evidence of implementation.”

Are you ready?

The OCR's report did not speak highly of covered entities' HIPAA compliance. In fact, for some metrics, collective compliance was alarmingly low. How would your organization measure up?

Covered entities and business associates were given 10 business days to respond to the audit document requests. While there is not a formal HIPAA audit program underway now, providers often receive audit letters from the OCR in response to a complaint or as part of a formal investigation. Are you prepared to prove your HIPAA compliance within 10 business days (without creating new documentation)?

Improve your HIPAA compliance with MPA's 4-Part Webinar Training Series:


Topics: Auditing and Monitoring, HIPAA, compliance

Swiss Cheese Compliance

Posted by Margaret Scavotto, JD, CHC on 11/8/18 7:40 AM

Fire to fire. Blind spots. Whack-a-mole. Don't know what I don't know.

These are common phrases used by compliance officers to describe their compliance efforts - particularly new ones. The truth is, every compliance program has holes.

The successful ones know where their gaps are, and have a plan to fix them.

How do you find your compliance gaps?

You will find some gaps by performing routine audits of your compliance risk areas, like HIPAA walk-throughs and medical necessity documentation reviews.

By diligently monitoring your compliance hotline and seeking feedback from your staff, you will identify even more gaps.

To discover the rest, you will need to conduct a gap analysis - also known as a compliance risk assessment, baseline assessment, or annual review.

Assessing your program

Divide your review into three pieces:

  1. Review the seven compliance program elements (policies, auditing, training, communication, compliance officer & committee, disciplinary action, and investigations/corrective action)
  2. Evaluate each compliance risk area (like HIPAA, billing, kickbacks, records, employee screening, etc.)
  3. Analyze any data you have. Your data could include your PEPPER report, hotline call statistics, employee survey results, percentage of employees who completed compliance training, etc.

Keep the following goals in mind:

  1. Verify that compliance tasks are completed. Example: Verify that your Compliance Committee met at least four times this year.
  2. PROVE that the task was completed. Example: Locate Compliance Committee meeting minutes, agendas and attendance sheets.
  3. Make sure you can provide this proof immediately if the OIG shows up and is waiting patiently in the next room.
  4. For every compliance task, goal or requirement you evaluate, identify strengths and weaknesses - and establish a game plan for the future.

If you need help finding your gaps

The HCCA/OIG Compliance Effectiveness Roundtable document is an excellent resource for compliance program review, and is available here. This document lists examples of questions to ask when evaluating your compliance program. 

Or, let MPA assess your program and give you an action plan to fill your compliance gaps and maximize compliance.

Know your gaps? Close them with MPA's compliance and HIPAA tools.


Topics: Auditing and Monitoring

Little Data Matters Too: Analyzing Compliance Hotline Data

Posted by Margaret Scavotto, JD, CHC on 8/21/18 6:52 AM

Data uses truly are getting bigger and bigger. Compliance officers who don’t mine data might feel left in the dust. But your compliance program likely holds pockets of valuable and readily accessible data, even if you aren’t high tech.

Consider hotline calls as an example. (If you don’t have a hotline, your records of drop box or in-person compliance reports will also work). As long as you log compliance reports, you have data. Here are some examples of data you can track without software, an IT background, or a big budget:

  • Number of reports each quarter or year
  • % of reports that are anonymous
  • Breakdown of reports by reporting method (e.g. in person, drop box, hotline)
  • Breakdown of reports by risk area (e.g. HIPAA, documentation, vendor gifts)
  • Breakdown of reports by department or supervisor

Once you organize your data, look for trends. Does your data tell a story? Here are some examples of stories we have discovered when analyzing compliance report data:

  • Reports often increase when a provider increases its promotion of compliance awareness and encourages reporting.
  • Anonymous reporting sometimes decreases as a new compliance officer gains the trust of staff.
  • A surge in HIPAA complaints could indicate that staff need more HIPAA education. But, if the surge follows recent HIPAA education, it could mean staff are now reporting problems they did not previously recognize.
  • If complaints are concentrated in a single department, this could indicate this department needs help adhering to compliance protocols.

You won’t know your data’s story until you investigate. But collecting and organizing your data is the first step.

Wondering where you stand? NAVEX Global’s 2018 Ethics and Compliance Hotline and Incident Management Benchmark Report provides a yard stick. According to the NAVEX Global report:

  • The median number of reports is 1.4 per 100 employees
  • 39% of reports are collected by non-hotline methods, like walk-ins, emails, and the open door policy
  • 56% of reports are anonymous (compared to 65% in 2009)

The NAVEX Global report is not specific to healthcare, and it includes worldwide data. But its statistics can provide a comparison point for those beginning to mine their own data. It would also be helpful to compare new information with your historical data (if and when you have it), and measure results against your organization’s goals.

Over time, your use of little data can lead to a better understanding of your organization, and create a big impact.



Topics: Auditing and Monitoring

OIG finds 61% therapy services error rate

Posted by Margaret Scavotto, JD, CHC on 5/23/18 7:02 AM


In March 2018, the OIG issued Report A-05-14-00041, Many Medicare Claims for Outpatient Physical Therapy Services Did Not Comply with Medicare Requirements.

The OIG reviewed 300 random Medicare outpatient PT claims for services provided between July and December of 2013.

Based on its review, the OIG found:

  • 61% of outpatient Medicare PT services did not comply with Medicare requirements.
  • Medicare paid an estimated $367 million for these services.

The OIG identified three types of claims errors: medical necessity, coding, and documentation. Here is a breakdown of the errors by type:

Medical Necessity Errors (91 claims out of 300)

  • 98%: Services not reasonable
  • 33%: Services not effective
  • 31%: Services did not require the skills of a therapist
  • 29%: No expectation of significant improvement

Coding Errors (145 claims)

  • 59%: Timed units claimed did not match units in treatment notes
  • 54%: Missing modifiers
  • 41%: Incorrect codes

Documentation Errors (112 claims)

  • 71%: Plan-of-care deficiencies
  • 66%: Treatment note deficiencies
  • 8%:  Recertification deficiencies

Providers of outpatient physical therapy can expect increased claims monitoring by CMS, as well as more education from CMS.

Same song different tune?

While this review focused on outpatient physical therapy provided in an office setting, the OIG has similar concerns about therapy provided in nursing homes. A 2012 OIG report found errors involving coding, medical necessity, and documentation in SNFs.

In November 2012, the OIG released a report: Inappropriate Payments to Skilled Nursing Facilities Cost Medicare More than a Billion Dollars in 2009.

The OIG found that 25% of all SNF Medicare claims were erroneous. The errors included:

  • 20.3%: Claims with an inaccurate RUG (upcoded). In 57% of these claims, SNFs reported more therapy on the MDS than was documented in the medical record; and 25% of these claims involved therapy listed in the medical record that was not reasonable and necessary
  • 2.5%: Claims with an inaccurate RUG (downcoded)
  • 2.1%: Claims that did not meet Medicare coverage requirements (e.g. no physician order)

The OIG also found that 47% of claims involved inaccurate MDS information. The primary reporting error was the amount of therapy received or needed, followed by special care, ADLs, oral/nutrition status, and skin conditions/treatment.

What you can do

The takeaway here is: whether you are providing outpatient therapy, skilled nursing therapy – or another Medicare service involving therapy – medical necessity, documentation and coding errors remain common errors of OIG concern. Incorporating these items into your regular compliance audits will help you find and correct errors internally and improve claims accuracy.



Topics: Auditing and Monitoring, Billing and Claims Submission, OIG compliance resources

The government is monitoring your claims data. Are you?

Posted by Margaret Scavotto, JD, CHC on 1/9/18 7:05 AM

Chemed Corporation, Vitas Hospice Services LLC, and Vitas Healthcare Corporation entered a $75 million settlement with the government to resolve false claims allegations. Vitas, the biggest for-profit provider of hospice services in the nation, allegedly “knowingly submitted or caused to be submitted false claims to Medicare for services to hospice patients who were not terminally ill” between 2002 and 2013. The DOJ also accused Vitas of awarding bonuses to employees based on the number of patients on hospice, regardless of need.

In addition, Vitas was accused of billing Medicare for continuous home care services that were not necessary, not provided, or did not meet Medicare requirements. As with hospice services, Vitas allegedly set corporate goals for billing continuous home care services, regardless of patient need.

According to the Complaint, “Vitas regularly ignored concerns expressed by its own physicians and nurses regarding whether its hospice patients were receiving appropriate care.” Complaint, page 3. The Complaint also says the company’s own auditors knew of the problem – but changes were not made.


Let’s look at the data


Topics: Penalties and Enforcement, PEPPER, Auditing and Monitoring, Billing and Claims Submission

Feds Told to Clean Up Poor Documentation

Posted by Margaret Scavotto, JD, CHC on 6/6/16 10:54 AM

The OIG recently issued a report summarizing HHS' improper payment rates in Fiscal Year 2015. The report found a 12.09% improper payment rate for Medicare fee-for-service claims in FY2015. HHS pointed to two main causes of the improper payments:


Topics: Compliance Basics, Auditing and Monitoring, Training and Education, medical necessity

Did You Forget About PEPPER?

Posted by Margaret Scavotto, JD, CHC on 8/11/15 2:00 PM

PEPPER (Program for Evaluating Payment Patterns Electronic Report) reports were released for nursing homes and other providers in April 2015 (and are coming soon for home health in July). Last year, only half of nursing homes had accessed their reports three months after the release date.

A Missed Opportunity

That's too bad, because PEPPER is a powerful compliance tool that tells providers how the government sees them.

This report compares your SNF's Medicare Part A claims data to state, national and MAC or FI jurisdiction data. This report includes this comparative data for six Target Areas: 1) Therapy RUGs with high ADLs; 2) Nontherapy RUGs with high ADLs; 3) Change of therapy assessments; 4) Ultrahigh therapy RUGs; 5) Therapy RUGs; and 6) 90+ day episodes of care.

With PEPPER reports, the government processes providers' claims data for them and tells them if they are seen as high-risk. This report is a gift to providers and should be the first place we start when planning a compliance audit strategy.

What You Can Do

  • Get online. If you haven't already, log on and retrieve your report. See if your report identifies you as an outlier (at or above the 80th percentile, or in some cases at or below the 20th percentile) in any target areas.
  • Audit. If your report shows you are an outlier, an internal audit should be conducted to identify any improper payments or non-compliant practices. CMS is quick to point out that variances from the national data do not necessarily mean billing irregularities have occurred. However, it would be wise to know whether there is a reason why the government has identified you as an outlier.
  • Don't wait. PEPPER comes once a year, but our attention to it should be ongoing. Don't wait for the report to be released in April. Work with your billing department to see what reports you can run so that you can track the Target Areas as part of your compliance efforts, at least quarterly. This way, there will be no surprises in April 2016, and you can address any improper payments as they arise.

Are you an outlier? Download MPA's Guide to PEPPER Reports to find out.



Topics: PEPPER, Auditing and Monitoring

PEPPER 2015 Is Here! Are You An Outlier?

Posted by Margaret Scavotto, JD, CHC on 4/16/15 1:44 PM

PEPPER (Program for Evaluating Payment Patterns Electronic Report) reports for Q4FY14 have been released--a few days ahead of schedule! You can access your PEPPER online.

This latest PEPPER uses statistics through September 2014, and will be available for download for approximately two years.

To download your PEPPER, the CEO, President or Administrator of the SNF needs to:

  1. Visit the PEPPER Resources Portal
  2. Enter your information. You will need a Patient Control Number (form locator 03a on the UB04 claim form) *or* a Medical Record Number (form locator 03b on the UB04 claim form) for a claim of a traditional fee-for-service (FFS) Medicare patient/beneficiary who was receiving services at this provider between September 1 - 30, 2014 (“From” or “Through” date on the claim is between September 1 - 30, 2014).
  3. Download your PEPPER.

If you need help, review the Secure PEPPER Access Guide.

Not a SNF?

PEPPER might still be coming soon:

And, for the first time in 2015, PEPPER will be released for home health (expected in July).

Now what?

Learn more about how to use PEPPER as part of your compliance program's auditing strategy.

Are you an outlier? Download MPA's Guide to PEPPER Reports to find out.


Topics: PEPPER, Auditing and Monitoring, Billing and Claims Submission

PEPPER Outlier Reports: Are you part of the 49%?

Posted by Margaret Scavotto, JD, CHC on 7/7/14 3:25 PM

The latest Program for Evaluating Payment Patterns Electronic Reports (PEPPER) reports for SNFs, from 4th Quarter 2013, have been available since May 5. As of June 30, only 49% of SNFs have accessed their PEPPER reports. Are you one of the 49%?


Topics: PEPPER, Auditing and Monitoring, Billing and Claims Submission

Are you prepared for HIPAA audits?

Posted by Margaret Scavotto, JD, CHC on 6/6/14 4:10 PM

Every health care provider's compliance program should already include policies and procedures for complying with HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule. Those who aren't in compliance (or are a little rusty) should know that the Office for Civil Rights is getting serious about enforcement.

Topics: Penalties and Enforcement, Auditing and Monitoring, HIPAA
