Category Archives: Compliance Programs

CareFirst, Third Major Health Insurer This Year To Be Hit By Cyberattack

On May 20, 2015, CareFirst BlueCross BlueShield (“CareFirst”) announced that it was the latest victim of a major cyberattack, with as many as 1.1 million plan customers affected.  Current and former CareFirst members and individuals who do business with CareFirst online who registered to use CareFirst’s websites prior to June 20, 2014 are impacted by this event.

CareFirst said that although the hackers may have acquired customer names, email addresses, birthdates, customer-created user names and subscriber identification numbers, they did not obtain sensitive financial or medical information like Social Security numbers, medical claims, credit card or employment information or passwords associated with the user names.  The company has stated that those affected by the cyberattack will be provided two free years of credit monitoring and identity theft protection.

As an explanation of how CareFirst learned of the breach, Chet Burrell, CareFirst’s chief executive, said that after cyber attacks on other insurers earlier this year, he created a task force to review the company’s information technology systems.  CareFirst then hired Mandiant, a division of FireEye, to perform a forensic review of its systems.  Last month, Mandiant determined a breach had occurred in June 2014 allowing unauthorized access to a single database with the information listed above.

Just hours after the announcement of the breach, class action law firms were already investigating the circumstances of the breach and seeking plaintiffs who may have been affected.  Now that state claims may be brought based on HIPAA as a standard of care, the suits will likely consider potential harm due to the disclosure and whether CareFirst adequately protected the information and provided timely notice.  These are the same types of claims brought in the numerous class action lawsuits after the Anthem cyber-attack in February 2015.

The cyber-attack and pending lawsuits should serve as a reminder for healthcare companies to review and properly implement their HIPAA privacy and security policies and procedures.  For more information on HIPAA, health care compliance or related issues, please feel free to contact Daniel Meier or any member of our health care practice group for a further discussion.

Guidance Released for Health Care Governing Boards

On April 20, 2015, the Office of Inspector General (the “OIG”) of the U.S. Department of Health and Human Services, the Association of Healthcare Internal Auditors, the American Health Lawyers Association, and the Health Care Compliance Association published a first-of-its-kind guide entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight.”

The guide is intended to assist governing boards of health care organizations (“Boards”) to create and carry out compliance programs. The guide addresses issues relating to a Board’s oversight and review of compliance program functions, including: (1) the roles of, and relationships between, the organization’s audit, compliance, and legal functions; (2) the mechanism and process for issue-reporting within an organization; (3) the approach to identifying regulatory risks; and (4) methods of encouraging organization-wide accountability for achievement of compliance goals and objectives.

The guide encourages Boards to create benchmarks using publicly available resources, such as the Federal Sentencing Guidelines, the OIG’s voluntary compliance program guidance, and OIG Corporate Integrity Agreements.  Although there is no such thing as a “one size fits all” compliance program, these resources can be helpful in creating a program tailored to each organization’s needs.

While recognizing that not all organizations will possess the resources to support the structure in its entirety, the guide recommends creating corporate charters that address the following functions: (1) compliance; (2) legal; (3) internal audit; (4) human resources; and (5) quality improvement. Boards should continuously evaluate the effectiveness of these charters.

The guide also encourages Boards to ensure proper reporting mechanisms are in place within the organization. If managers or other individuals within the organization are not held responsible for reporting compliance concerns to the Board, the Board will not have a complete picture of the adequacy and effectiveness of the organization’s compliance atmosphere. Therefore, Boards should consider scheduling regular sessions to hear from the organization’s management about the organization’s utilization of compliance, legal, internal audit, and quality functions.

Identifying risk areas is an integral part of any organization’s compliance program. Boards can identify high risk areas from internal and external sources. The guide recommends tracking industry trends to identify risk areas, as new payment models can lead to new incentives and new compliance concerns.

Finally, the guide recommends encouraging accountability within an organization along with compliance. Many organizations have tied an employee’s performance assessment and other incentives to adherence to the organization’s compliance program to emphasize and encourage individual accountability.

The entire guide is available on the OIG’s website. For more information on health care compliance programs, please contact any member of Benesch’s health care practice group.

One Of The Country’s Largest Hospital Organizations to Pay $98.15 Million Settlement on False Claims Act Allegations

On Monday, August 4, 2014, the Department of Justice announced that Community Health Systems (“CHS”), the nation’s largest operator of acute care hospitals, agreed to pay $98.15 million to settle nine whistleblower lawsuits alleging that the company violated the False Claims Act between January 2005 and December 2010. The whistleblowers alleged that CHS knowingly billed Medicare, Medicaid, and TRICARE for medically unnecessary inpatient admissions rather than the lower outpatient or observation rates at 119 hospitals. Additionally, allegations were made that services were rendered to patients at one of CHS’s hospitals in Laredo, Texas by a physician who was offered a medical directorship in violation of the physician self-referral law, known as the Stark Law.

Under the settlement, CHS entered into a five-year Corporate Integrity Agreement requiring it to retain independent review organizations to review the accuracy of the claims for inpatient services under federal health care programs, and to engage in significant compliance efforts over the next five years.

The allegations against CHS are particularly notable in light of new regulations such as the two-midnight rule, which took effect October 1, 2013. The two-midnight rule requires that physicians deem a patient’s condition as serious enough to require at least two overnight stays in order to qualify for Medicare reimbursement under inpatient rates. Patients who aren’t formally admitted may remain under outpatient or observation status. Emergency and internal medicine physicians often struggle to get the right designation and status for the patient. The federal government has delayed enforcement of the rule until March 31, 2015 at which time hospitals may face financial penalties if auditors determine the hospital could have met the patient’s needs in an outpatient setting.

For more information on the CHS settlement, the two-midnight rule, the Stark Law, the Anti-Kickback Statute, or related fraud and abuse issues, please feel free to contact Daniel Meier or any member of our health care practice group for a further discussion.

You can find a more extensive discussion about the CHS settlement, the impact of observation status on patients and the two-midnight rule in the following Client Bulletin.

Supplemental Special Advisory Bulletin Clarifies OIG Positions on Independent Charity Patient Assistance Programs

Introduction

The OIG has released a Supplemental Special Advisory Bulletin that “reiterates and amplifies” previous OIG Special Advisory Bulletin guidance from 2005. Pharmaceutical manufacturers and Patient Assistance Programs that provide independent, charitable support for patients’ drug expenses (PAPs) should be aware of this supplemental guidance, as the OIG notes that it may modify some previously-issued favorable advisory opinions. Specifically, in this bulletin the OIG expands on its previous guidance regarding disease funds, eligible recipients, and the conduct of donors.

Background

PAPs provide cost-sharing assistance for patients who cannot afford their prescription medications.

OIG Proposes New Revisions to Civil Monetary Penalty Regulations

On May 12th, the Office of the Inspector General of the Department of Health and Human Services (OIG) issued a proposed rule which would amend the federal civil monetary penalty (CMP) regulations addressing new CMP authorities created under the Affordable Care Act.  The revised regulations would allow for civil penalties, assessments, and exclusion from Medicare for:

  • failure to grant OIG timely access to records;
  • ordering or prescribing while excluded;
  • making false statements, omissions, or misrepresentations in an enrollment application;
  • failure to report and return an overpayment; and
  • making or using a false record or statement that is material to a false or fraudulent claim.

Comments on the proposed regulations can be submitted up until July 11, 2014.  The proposed rule and instructions for submitting comments can be viewed here: Proposed CMP Regulatory Revisions

For more information on the revisions to the CMP regulations, Fraud and Abuse, Compliance, Medicare Program Integrity initiatives or related issues, please feel free to contact Ari Markenson or any member of our health care practice group for a further discussion.

CMS Implements Fingerprinting Background Checks for New DME and Home Health Providers

In a recently released MLN Matters (Number: SE1417), CMS announced that it is implementing the enhanced enrollment screening provisions of the Affordable Care Act (ACA) by requiring fingerprint-based background checks for certain so-called “high risk” providers. Currently this means that for newly enrolling Durable Medical Equipment, Prosthetic, Orthotic and Supplies (DMEPOS) suppliers and Home Health Agencies, individuals with a 5% or greater ownership interest in the provider or supplier will be subject to criminal background checks based on fingerprint identification. The procedure will also apply to providers that CMS has elevated to the high risk category pursuant to regulations. Affected providers will be notified by their MAC and be given 30 days to comply. The notification will identify contact information for the Fingerprint Based Background Check Contractor (FBBC).

HHS DAB Upholds Revocation of Clinic’s Medicare Provider Number

On February 20, 2014, the US Department of Health and Human Services, Departmental Appeals Board upheld CMS’ revocation of the Medicare provider number of a clinic/group practice.

In Advanced Care Medical Center v CMS (Docket No. C-13-1383/Decision No. CR3124), the DAB, Civil Remedies Division upheld CMS’ revocation of Advanced Care’s Medicare provider number.

The matter began with an investigation by the Office of the Inspector General which revealed that Advanced Care entered into a contract with a doctor, allowing him to bill for services under its billing number in exchange for a set reimbursement, and the doctor submitted bills under Petitioner’s billing number.