On February 24, 2014, the Department of Health and Human Services announced its plans to conduct a pre-audit survey of up to 1,200 HIPAA “covered entities” and “business associates” to determine whether such entity is suitable for the HIPAA Audit Program conducted by the Office of Civil Rights (OCR). The pre-audit will potentially collect recent data about the number of patient visits, use of electronic information, revenue and business locations. The pre-audit information will be shared with the OCR, who is mandated to conduct audits of covered entities and business associates to assess compliance with the Privacy, Security and Breach Notification Rules under HIPAA.
Expansion of HIPAA Requirements under Final Rule
The Omnibus Final Rule, which became effective March 26, 2013, increased penalties for violations of HIPAA, signaling to affected parties heightened regulatory scrutiny. The Final Rule expanded the regulatory requirements of HIPAA in several ways. For instance, the Final Rule made business associates of covered entities directly liable for compliance with certain requirements under privacy and security rules. The Final Rule also expanded certain patient rights and adopted the HITECH breach notification requirements pertaining to unsecured protected health information. We have recently seen the Department of Health & Human Services enforce these provisions in a recent settlement with Concentra Health Services, a subsidiary of Humana. Concentra agreed to pay more than $1.7 million to HHS due to a breach in security from unencrypted stolen laptops.
Being Prepared and in Compliance
What all this means is that health providers and their business associates should be prepared by engaging in proper risk assessments to identify, evaluate and correct vulnerabilities in the protection of patient health information. In previous posts, we made the comment that it is no longer sufficient to have a compliance program in name only. We add to this by stating that regulations require covered entities to review its policies and procedures so that vulnerabilities are corrected. Boilerplate policies not reflective of the security risks present at the provider’s practice is wholly insufficient. Policies and procedures should be implemented in response to identified vulnerabilities. The public comment period regarding the HIPAA pre-audit survey closed on April 25, 2014. We will attempt to make updates on pre-audit surveys as information is made available.
Healthcare providers are confronted with a heighted regulatory landscape since the enactment of the Affordable Care Act. Congress has been patently devoted to prosecuting provider practices that conspicuously overbill Medicare or Medicaid. The ability to prosecute providers under the False Claims Act has significantly changed in recently years including recent legislation under the Fraud Enforcement and Recovery Act of 2009 and the formation by the Department of Justice and Health and Human Services of the Health Care Fraud Prevention and Enforcement Action Team (“HEAT”). On the State level, Section 6031 of the Deficit Reduction Act of 2005 created a financial incentive for States to establish legislation to prosecute individuals or entities who submit false or fraudulent claims to the Medicaid program.
In addition to these dramatic changes in the law, language in the Affordable Care Act ushered in a new era of enforcement against fraud, waste and abuse. This new era includes enhanced use of technology such as sophisticated data mining, and other fraud detection methods which has resulted in the Federal government becoming more efficient in identifying false claims. Nevertheless, the government still greatly depends on qui tam relators (private citizens who initiate false claim actions and report such claims to the government for investigation and possible prosecution). Provider liability under the Act can be massive, with penalties between $5,500 to $11,000 per false claim, plus three times the total loss to the government. Qui tam relators, can receive fifteen to thirty percent of the total recovery. Moreover, recent amendments to the False Claims Act enacted under the Affordable Care Act has widened the scope of potential claims that can be successfully initiated and sustained by qui tam relators, especially given the whistleblower protections afforded to these potential claimants. This means, in essence that there is a more definite probability of claims being initiated by past and present employees of health practices under the False Claims Act.
In the last couple of years, Congress has increased funding as part of its committed effort to fight fraud, waste and abuse in the Federal healthcare programs. Approximately $350 million through 2020 has been allocated under the Affordable Care Act toward investigation and prosecution of fraud, waste and abuse. To be found liable under the act, no proof of specific intent is required. Providers can be found liable under the act for knowingly making a false statement to have a Medicare or Medicaid claim paid or approved. The term “knowingly” can mean that the provider or entity acted in deliberate ignorance or reckless disregard of the truth of information submitted to receive payment. If a provider is accused of knowingly submitting a false claim, the provider could see all of their Medicare and Medicaid payments for care suspended by CMS if there is deemed to be a “credible allegation of fraud” as defined by the Department of Health and Human Services.
What this means is that provider practices should be diligent in their billing practices and institute and evaluate periodically proper controls regarding their revenue cycle. The penalties are too severe not to have proper policies and procedures in place. In addition, provider practices regardless of size should implement a compliance program in response to these changes in the law and heightened government enforcement actions. For more information, please contact our firm at firstname.lastname@example.org.
We have found that some are unfamiliar with the Information Technology for Economic and Clinical Health Act also known as “HITECH”. Therefore, we hope this article provides helpful information. HITECH was enacted as part of the American Recovery and Reinvestment Act in 2009 (the “Stimulus Funds”). HITECH expanded the privacy and security rules under HIPAA, including extending liability for security and privacy breaches to the business associates of covered entities under HIPPA. As such, third parties who receive protected health information from a covered entity must execute a written agreement confirming its responsibility to appropriately protect health information from data breaches. The term business associate is broadly defined to include any third party who creates or receives protected health information from a covered entity. Thus, a business associate may include IT specialists, management consultants, accountants or attorneys. Under HITECH the penalties for noncompliance are also more severe than under the original enactment of HIPPA. Finally, HITECH is known for its incentives and penalties regarding electronic medical records and its meaningful use requirements. Requirements of HITECH were implemented on January 17, 2013 under the Omnibus Final Rule. For more information, please contact our office at email@example.com.
It is no longer sufficient to simply have a compliance program. Today’s federal enforcement landscape places higher demands on Privacy and Compliance Officers not envisioned in years prior. For example, a more expansive application of HIPPA now includes severe penalties of up to $1.5 million for violations of the same HIPPA provision within a calendar year. Also, under the Omnibus Final Rule, covered health organizations can be liable for business associates that violate privacy rules under HIPPA or the HITECH ACT. Increased responsibilities of Compliance Officers reasonably include:
Internal Audits of Privacy, Security and Data Transfer Policies and Procedures
Review of Potential Data Transmission Vulnerabilities
Oversight of Business Associate Relationships and Business Associate Agreements
Management of Training and Educational Programs on privacy and security requirements under HIPPA and HITECH
Overseeing Enforcement of HIPPA and HITECH policies and procedures
Unfortunately, the responsibilities resulting from the Final Rule under HIPPA are in addition to the time required for proper review, analysis and compliance enforcement of rules concerning EMTALA, Fraud, Waste and Abuse, the False Claims Act, Stark, the Anti-Kickback statute, Conflict of Interest policies and other regulatory requirements. For this reason, health organizations should explore cost effective alternatives such as outsourcing compliance needs to legal consultants. The advantage of outsourcing compliance not only includes cost efficiency benefits, but also the ability to protect sensitive client communications through the attorney/client privilege. Legal compliance firms are better equipped to provide the evaluation and training required under constantly changing regulations such as HIPPA. For more information regarding HIPPA and HITECH please contact our legal compliance firm at firstname.lastname@example.org.