Breaking Compliance News Blog

Compliance officers are constantly reminded that their job is never done. That’s because compliance is an ongoing process. Take information security, for example. Just as one problem is fixed, another surfaces. Staying ahead of security risks is a never-ending challenge. MPA is constantly scouring numerous resources for insight into compliance risks.

New York-Presbyterian Hospital and Columbia University Medical Center made HIPAA history last week when they entered a combined $4.8 Million settlement with the Office of Civil Rights (OCR). This settlement is the largest we have seen under HIPAA enforcement.

Recently, U.S. Inspector General Daniel R. Levinson gave a keynote address at a compliance convention in which he focused on some important components of compliance, two of which are customization of compliance programs, and communication. 

Nurses who fail to pay their state taxes or student loans could have their state licenses pulled--at least that is the case in Missouri. Why should their employers care about this? Because Medicare and Medicaid won't pay for the services of an unlicensed nurse. That's right, claims billed for these services constitute false claims--and could cost a nursing home hefty penalties (repayment of 3 times the amount of the claim, plus $11,000 per claim, plus the SNF could become excluded from participating in Medicare and Medicaid).

The Department of Health & Human Services Office of Civil Rights (OCR), which enforces HIPAA, recently released a Security Risk Assessment (“SRA”) Tool to help providers comply with the HIPAA Security Rule. Security risk assessments are required by the HIPAA Security Rule, and are also required for providers hoping to receive payments through the Meaningful Use Program for EHR.

The HIPAA Security Rule requires covered entities and business associates to assess whether their administrative, physical and technical safeguards sufficiently protect the security of their PHI. The OCR’s SRA Tool, available for download here, walks the user through each safeguard, and is designed to help users assess each security standards and identify remediation needed. The OCR states that the SRA Tool does not transmit user information to the government.

No more excuses!

The Department of Health and Human Services (HHS) recently announced that it will conduct a “HIPAA Covered Entity and Business Associate Pre-Audit Survey." It will conduct a survey of 800 covered entities and 400 business associates to determine whether they are appropriate participants for the Office of Civil Rights (OCR) HIPAA Audit Program.

In fiscal year 2013, a record 752 whistleblower suits were filed, and the government brought in $2.9 Billion in recoveries, with whistleblowers taking home $345 Million. These numbers may have compliance officers and others within provider organizations feeling like sitting ducks, just waiting for their turn to get hit. And who can blame them with examples like these making the news:

A St. Louis doctor is facing sentencing in a federal court case involving his purchase of a misbranded drug. Though the doctor admitted buying the drug, his sentence is not for the purchase, but for lying to federal agents. The doctor told the agents he bought the drug three times, but the government claims he bought it over 50 times. The doctor pled guilty to a single charge of making a false statement to federal agents for which he is now facing a maximum five years in prison and $250,000 in fines.

On January 31, the OIG released its Work Plan for Fiscal year 2014 (which began on October 1, 2013). The Work Plan sets out the items the OIG will be reviewing during this fiscal year—and is a great tool to help Compliance Officers direct their compliance audits.

The work plan is about 100 pages, but don’t let that overwhelm you. It covers the entire health care industry, so the key is to find the pieces that apply to your organization. For example, the following items pertain to Nursing Homes: