Published by Atlantic Information Services, Inc., Washington, DC • 800-521-4323 • www.AISHealth.com
An independent publication not affiliated with hospitals, government agencies, consultants or associations
Contents
3 Preliminary Checklist for Security Risk Assessment
4 Raising Employee Awareness About Cybersecurity
5 CMS and OIG Scrutiny of Wage Index Can Cost Hospitals Millions
6 CMS Transmittals and Regulations
6 Lack of MD Training Contributes to $34.69M Oncology Settlement
8 News Briefs
Cybersecurity ‘Defense in Depth’ Is Key as CCOs Call It a Top Risk; Rally Employees

Cybersecurity consultant Mark Lanterman was floored when he came across a website that controlled a San Francisco hospital’s heating and cooling system. Because it was out there — part of the vaunted “Internet of things” — with no user name or password, anyone could manipulate it, potentially for devious purposes, such as turning the water to a scalding temperature to burn patients. The website also could be a way into the rest of the hospital’s information system, including electronic medical records. Lanterman called to warn the hospital’s chief information officer, who brushed it off with a terse “take me off your call list.” That seemed to be that, until Lanterman mentioned the situation during a presentation, which coincidentally was attended by the husband of a hospital employee. The website came down almost immediately afterwards.

“There are more avenues of attack against a hospital than probably any other organization because everything is connected — your pharmacy, your patient records, your thermostat,” says Lanterman, chief technology officer for Computer Forensic Services in Minnetonka, Minn. “When you hack a hospital, you can really hurt people, and that’s why hospitals need to take this stuff seriously if they aren’t already.”

Apparently many of them are. Cybersecurity/cybercrime was named the second biggest risk for 2016 by health care companies in a new survey by the Health Care Compliance Association (HCCA) and Society of Corporate Compliance and Ethics (SCCE), following social media compliance risks. While it’s impossible to build an impenetrable fortress, hospitals can make themselves “less appealing to a hacker,” says Rolin Peets,
chief information security officer for c1Secure in Rochester, N.Y. That requires educating employees to identify hacker tricks, including social engineering tactics (e.g., phishing); implementing robust security policies and procedures; and patching and updating technical infrastructure, experts say.

Call to Compliance Leads to Hospital’s $872,925 Settlement for One MD’s Billing

When an employee at Cedars-Sinai Medical Center noticed a questionable change in a patient’s medical record, the employee alerted the corporate integrity department. That set in motion an internal investigation of the billing by the physician who treated the patient and culminated in the Los Angeles hospital paying $872,925 in a civil money penalty (CMP) settlement over the behavior of that one physician. According to the HHS Office of Inspector General (OIG), the medical center submitted Medicare, Medicaid and TRICARE claims on behalf of the physician, a thoracic surgeon, for inpatient and outpatient services that weren’t provided as charged or weren’t supported by documentation for the level of service billed.

“Cedars-Sinai found that the physician appeared at times to overstate the amount of time he spent with patients as well as the complexity of clinical services he provided,” the medical center says in response to questions from RMC. “Cedars-Sinai reported the physician’s activity to [OIG].”

continued on p. 7

Volume 25, Number 10 • March 14, 2016
Managing Editor: Nina Youngstrom, nyoungstrom@aishealth.com
Assistant Editor: Angela Maas
Contributing Editor: Francie Fernald
Executive Editor: Jill Brown
Weekly News and Compliance Strategies on CMS/OIG Regulations, Enforcement Actions and Audits
Hospitals and other health care organizations have room for improvement, Peets says. He advocates “defense in depth” — an old term that describes a layered approach to protecting information systems that includes technical, administrative and physical controls. “If you make it hard for hackers, they will move on to another victim.”

The uphill battle of cybersecurity is that it takes only one person to cause a hack through phishing. A hospital employee, for example, could click on a phony email with a link to malware because it looks legitimate — like an email from the Department of Health — or it plays to their greed, says Lanterman, citing an email being circulated now: “You have been chosen to participate in a federal government debt relief program” or others like “Congratulations, you’ve won a free iPad.” When employees are sucked in and click on the links, it gives hackers a way to plant their malware and access the patient names and addresses, Social Security numbers, credit card numbers, dates of birth and other sensitive data.

This reality is a call for “continuous security and compliance,” where systems are monitored 24/7 and training is ongoing, Peets says. “The days of one-and-done risk assessment are over. The mindset of continuous monitoring helps to identify and mitigate risks. It’s possible the best-laid plans will go sideways, but the more defense in depth you have in place, the better off you are.”
Ransomware Is Preventable
That would hold true in a type of attack known as ransomware, Peets and Lanterman say. Recently, hackers took Hollywood Presbyterian Medical Center’s network hostage before fading back into the recesses of the dark web with $17,000 in their pockets. The hackers gave the hospital the decryption key as soon as they were paid. “It should never have happened,” Lanterman says. “Patient records are very important and should be constantly backed up. Any organization should assume they will be the victim of ransomware and make sure they have a response plan in place. IT should have their systems configured so if it happens, IT merely restores the backup.” He knows of an energy company hit by ransomware that didn’t pay the hackers because it was prepared for an attack and had its system back up in two hours. Peets agrees, saying you back up electronic health records and other data as close to real time as possible.

People, however, hold the key to cybersecurity. “Education is the best cybersecurity money you can spend,” Lanterman contends (see box, p. 4). Employees need to be on guard against social engineering, which is a hacker technique for manipulating information out of people and then using it to “build a base of information to attack the organization,” Peets says.

Suppose a hacker calls the IT help desk, posing as an employee. The hacker says he has been on vacation and forgot his password, and the IT person obliges, which leads the hacker to reset the password and worm his way into the system. “The hacker exploits the IT person’s good nature and [desire] to help someone,” says Peets. “Hacking a computer takes skill, but hacking a person not so much,” Lanterman adds.

He’s worried about the worst-case scenario, which is hackers manipulating medical records or devices. They could delete patients’ allergies, for example, change prescriptions, delete diagnoses or even sabotage devices. Some hackers may threaten to do this in a ransomware situation, but Lanterman is also worried about the 17-year-old in his mother’s basement “who doesn’t necessarily understand the gravity of what he’s doing and is just showing off for a friend, and people wind up hurt.”
EDITORIAL ADVISORY BOARD: JEFFREY FITZGERALD, Polsinelli PC, EDWARD GAINES, Esq., Zotec-MMP, DEBI HINSON, Chief Research and Privacy Compliance Officer,
Columbus Regional Health, MARION KRUSE, FTI Healthcare, RICHARD KUSSEROW, President, Strategic Management Systems, Alexandria, Va., WALTER METZ, CPA, MS, JD,
Brookhaven Memorial Hospital Medical Center, MARK PASTIN, PhD, Council of Ethical Organizations, CHERYL RICE, Corporate Responsibility Officer for Catholic Health Partners
in Cincinnati, Ohio, ANDREW RUSKIN, Esq., Morgan, Lewis & Bockius LLP, BOB WADE, Esq., Krieg DeVault, D. McCARTY THORNTON, Esq., Sonnenschein Nath & Rosenthal,
JULIE E. CHICOINE, JD, RN, CPC, Compliance Director, Ohio State University Medical Center, WENDY TROUT, CPA, Director Corporate Compliance, WellSpan Health
Report on Medicare Compliance (ISSN: 1094-3307) is
published 45 times a year by Atlantic Information Services, Inc.,
1100 17th Street, NW, Suite 300, Washington, D.C. 20036,
202-775-9008, www.AISHealth.com.
Managing Editor, Nina Youngstrom; Assistant Editor, Angela Maas;
Contributing Editor, Francie Fernald; Executive Editor, Jill Brown;
Publisher, Richard Biehl; Marketing Director, Donna Lawton; Fulfillment
Manager, Tracey Filar Atwood; Production Editor, Carrie Epps.
Peets advises hospitals and other health care organizations to have a third-party assessment of their cybersecurity risks. “The results of the risk assessment are prioritized based on the level of risk and provide [organizations] with remediation strategies and plans of action,” he says. For example, “anti-virus and anti-malware will help protect hospitals from phishing and malware, and they should have a strong spam filter at the front of their perimeter to parse questionable emails,” says Peets. And of course it is a necessity that hospitals train employees on their policies. “You can’t avoid being a target, but most [cyberattacks] can be prevented through education,” Lanterman says. He suggests making employees acutely aware of ransomware and on guard for emails with misspellings and grammatical errors or offers of free goodies.

If they use the cloud, hospitals should make sure their providers comply with the Statement on Standards for Attestation Engagements (SSAE) SOC 1 or SOC 2, Peets says. Are they audited and assessed on a regular basis? “If you don’t have defense in depth that includes administrative and technical controls and you go to the cloud, you are just moving your problem,” he says.

Employees may be an invitation to hacker hell in other ways. At one hospital, Peets found during a recent security risk assessment that almost 30% of proximity keys assigned to ex-employees were still active. “It was a process, policy and procedure breakdown,” he says.
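The stale proximity key finding above is the kind of control failure a routine access review catches. The script below is an added illustration, not the newsletter’s or c1Secure’s code: it reconciles a constructed badge-system export against a constructed HR roster (the column names are assumptions), lists active credentials held by terminated or unknown people, flags any badge used after its holder’s termination date, and computes the share of ex-employee badges still active, which is the figure behind the “almost 30%” finding.

```python
"""Reconcile a badge-system export against an HR roster to find proximity
credentials still active for people who have left.

Added illustration: not the newsletter's or c1Secure's code. Both data sets
are constructed for the example and the column names are assumptions."""
import csv
import io
from datetime import date

# Constructed HR roster export (assumed columns).
HR_ROSTER = """\
employee_id,name,status,termination_date
E1001,Ana Ortiz,active,
E1002,Ben Shaw,terminated,2015-11-30
E1003,Cara Lund,active,
E1004,Dev Patel,terminated,2016-01-15
E1005,Eli Moore,terminated,2015-06-01
"""

# Constructed badge-system export (assumed columns); last_used is an ISO date or empty.
BADGE_EXPORT = """\
badge_id,employee_id,badge_status,last_used
B-1,E1001,active,2016-03-10
B-2,E1002,active,2016-02-20
B-3,E1003,active,2016-03-11
B-4,E1004,active,
B-5,E1005,disabled,2015-05-29
B-6,E9999,active,2016-03-01
"""


def parse_csv(text):
    """Parse a CSV export into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def find_stale_badges(hr_csv, badge_csv):
    """Return (findings, stale_fraction).

    A finding is an active badge whose holder is terminated in HR, or an
    active badge whose employee_id HR does not know at all (an orphan
    credential that no offboarding process would ever revoke).
    stale_fraction is the share of ex-employee badges that are still active.
    """
    terminated = {}
    known_ids = set()
    for person in parse_csv(hr_csv):
        known_ids.add(person["employee_id"])
        if person["status"] == "terminated":
            terminated[person["employee_id"]] = person

    findings = []
    ex_employee_badges = 0
    ex_employee_active = 0
    for badge in parse_csv(badge_csv):
        emp_id = badge["employee_id"]
        is_active = badge["badge_status"] == "active"
        if emp_id in terminated:
            ex_employee_badges += 1
            if not is_active:
                continue
            ex_employee_active += 1
            term_date = date.fromisoformat(terminated[emp_id]["termination_date"])
            # A use after the termination date is evidence the door actually opened.
            used_after = bool(badge["last_used"]) and date.fromisoformat(badge["last_used"]) > term_date
            findings.append({
                "badge_id": badge["badge_id"],
                "employee_id": emp_id,
                "reason": "terminated",
                "used_after_termination": used_after,
            })
        elif emp_id not in known_ids and is_active:
            findings.append({
                "badge_id": badge["badge_id"],
                "employee_id": emp_id,
                "reason": "orphan",
                "used_after_termination": False,
            })

    fraction = ex_employee_active / ex_employee_badges if ex_employee_badges else 0.0
    return findings, fraction


def main():
    findings, fraction = find_stale_badges(HR_ROSTER, BADGE_EXPORT)
    for f in findings:
        flag = " (used after termination)" if f["used_after_termination"] else ""
        print(f"{f['badge_id']} held by {f['employee_id']}: {f['reason']}{flag}")
    print(f"{fraction:.0%} of ex-employee badges still active")


if __name__ == "__main__":
    main()
```

Run it as a scheduled job against the real exports and the output becomes the access report the checklist on p. 3 asks you to review routinely; the orphan case matters because a badge with no HR record is invisible to any offboarding workflow keyed on employee id.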
And sometimes disgruntled employees can cause a lot of damage. That’s why penetration testing is an important, albeit small, part of a comprehensive security assessment, Lanterman says. Penetration testing is an intentional hack to test the system. “I act like a hacker,” he says. But sometimes when organizations do penetration testing, they forget to act like a rogue employee, he says. “There is a significant financial incentive to steal medical records,” he says. In different ways, “the greatest threat is inside the hospital.”
Contact Lanterman at mlanterman@compforensics.com and Peets at RPeets@c1secure.com. View the HCCA/SCCE survey at http://tinyurl.com/j7wy2rl.
Preliminary Checklist for Security Risk Assessment

Security risk assessments under HIPAA and meaningful use (RMC 2/15/16, p. 1) continue to be a weak spot for many hospitals, experts say, even as breaches and cybersecurity climb their risk lists (see story, p. 1). This checklist was developed by Rolin Peets, chief information security officer for c1Secure in Rochester, N.Y. Contact him at RPeets@c1secure.com.

Answer each item YES or NO and record NOTES:

•	If OCR were to arrive today, are you confident you could produce policy documents to support all components of the HIPAA Security Rule?
•	Do all policy documents include both the policy statement and the current procedure in place to support each standard?
•	Is there documentation that identifies where ePHI is located or processed, including equipment, software applications and how it is used by third party Business Associates?
•	Is there written documentation identifying levels of access for each application by job description?
•	Is all ePHI encrypted, within the network and in any instance of transmission?
•	Is there a process to routinely review access reports, audit logs and security incident reports?
•	Is your Disaster Recovery/Business Continuity Plan complete and in place, including routine drills and/or tests?
•	Do you offer a comprehensive training program for new hires (with annual mandatory training for all staff) that includes Privacy and Security Rules for HIPAA?
•	Do you have a process for managing your Business Associates that complies with the latest regulations?
•	Do you have a Breach Notification process in place, fully documented, that complies with the latest regulations?
•	Is access between public and private areas controlled?
•	Do you have an alarm system and/or video cameras?
•	For staff access are locks/keys, key fobs, or proximity badges in use?
•	Can monitors/screens be seen in public areas or as clients are walking by?
•	Are documents with PHI ever left sitting on copiers, printers or fax machines?

OCR = Office for Civil Rights, ePHI = electronic protected health information
Raising Employee Awareness About Cybersecurity
Piedmont Healthcare in Atlanta recently sent this notice to all employees to enlist their help in defending against
cyberattacks. Contact Debi Weatherford, executive director of internal audit, at Debi.Weatherford@piedmont.org.
This message is being sent to all Piedmont employees.
…Yes YOU!
Piedmont takes information security very seriously. Because of the rise of Ransomware attacks, we need to ensure that
everyone inside Piedmont understands our security expectations and what you can do to help protect not only yourself
but our organization.
Online safety and security are shared responsibilities, and we each have an obligation to protect our identities and our
information while online. Understand the risks, learn how to spot potential problems, and consider how your online
actions can impact everyone’s collective security.
Here are some tips to assist in being aware and secure:
•	 Know the scams. The Piedmont Information Security team periodically sends email nuggets about trending
scams to keep you aware of how to protect yourself and our organization. In this way, you’ll be armed with what
you can do to avoid them.
•	 Think before you click. Never click on links in messages from people you don’t know or only vaguely know. These
phishing emails may have links that can lure you into giving personal information or download malware to your
computer. You should even be wary with emails from people you do know if it looks or sounds suspicious. Hackers
can create a malicious email that looks like it came from your manager, peer or close friend’s email account.
•	 Safely peruse. Beware of phony websites. These sites may have addresses very similar to legitimate sites,
and red flags may include pages with frequent misspellings, poor grammar or low resolution images. However,
scammers are getting better at replicating sites. If a site asks for personal information, double check the URL and
make sure it’s not asking for information it shouldn’t.
•	 Keep it to yourself. Don’t forward suspicious email to other coworkers – it is like spreading your germs. Instead,
forward the email to security.concerns@piedmont.org.
•	 Shop safely. Don’t shop on a site unless it has the “https” and a padlock icon to the left or right of the URL.
•	 Use common sense. You do not need to be a seasoned computer whiz to know that it’s not smart to open an
attachment titled, “Claim Your Inheritance!” Using common sense while surfing the Web can protect you and
Piedmont from a hungry cyber-shark.
From top leadership and executives to the newest employees, cybersecurity requires the vigilance of every employee
to keep data, patients, and capital safe and secure. We can defeat cyber-criminals or at least make them look for an
easier target. Thank you for your support.
what’s allowable, he says. But they differ from traditional claim reviews and cost-report audits because the wage index is a zero-sum game. It’s budget neutral, which means the overall amount allocated for the wage index by Congress doesn’t change, says Polito. However, the amount the hospitals receive in each core-based statistical area (CBSA) — which is akin to a metropolitan statistical area — collectively will vary, depending largely on the wage index. As a result, disallowances for wages loom large. “Every single penny means something because you are competing against every other hospital and CBSA in the country,” he says.

And the risk is greater than ever, he says. CMS has imposed more stringent audit guidelines on the MACs after years of a more relaxed attitude on certain wage-index line item audits. For example, “MACs are holding hospitals to a standard they haven’t in the past as it pertains to acceptable documentation for the allocation of physician compensation between administrative and professional components,” he says. “There appears to be less wiggle room in terms of regulatory interpretation.”

A big wage-index vulnerability: Physician Part A vs. Part B reporting. Administrative services (Part A) performed by physicians, such as medical directors, are allowable cost for hospitals, says Polito. But they must have time studies to support the time that physicians spend on administrative services (e.g., meetings) vs. patient care, he says. “You want to keep as much allowable physician Part A cost as you can in the cost report.” Otherwise, the costs will be attributed to Part B, which is nonreimbursable for cost-report purposes.

Hospitals may start seeing disallowances in this area like they’ve never experienced before, Polito says. That’s what happened to the hospital that reported $80 million for Part A physician administrative costs. “It was consistent and always allowable and with no real variance. It was historically audited and always accepted,” he says. And suddenly the hospital, in the wake of OIG’s and CMS’s scrutiny, faced a multi-million dollar disallowance, he notes.
CMS and OIG Scrutiny of Wage Index Can Cost Hospitals Millions

The wage index on Medicare cost reports is under the microscope of Medicare auditors and has the potential to cost hospitals piles of money. The $80 million that one Northeast hospital reported as allowable physician cost for wage data — and recently had disallowed — speaks volumes about CMS’s crackdown in this area, experts say.

Medicare administrative contractors (MACs), which audit cost reports, including wage data, are applying rules more stringently than they have in the past at CMS’s behest, or the hospital probably wouldn’t have lost that much money, experts say. It’s an object lesson for hospitals at a time when the HHS Office of Inspector General (OIG) has set its sights on wage data in its 2016 Work Plan, and last month concluded that Danbury Hospital in Connecticut was overpaid $249,000 because it overstated wage data on its 2010 cost report.

“The wage index can be a big-dollar item,” says Steve Harris, director of reimbursement at Tampa General Hospital. “I think CMS would always say there is an opportunity for hospitals to game the wage index, which is why they mandate annual wage-index specific audits. The fact it’s also on the OIG Work Plan is one more reason to be vigilant about the wage index.” OIG said its previous reviews determined that hospitals often incorrectly reported wage data, which increased Medicare payments to their geographic areas. However, Harris notes, when hospitals are too conservative in reporting items that factor into the wage index, they can deprive themselves of money to which they’re entitled.

‘Every Penny Counts’

CMS uses hospitals’ self-reported wage data, including wages, contract labor, hours and fringe benefits, to calculate the wage index. The wage index is a measure of the geographically adjusted labor costs, and it figures into DRGs, APCs and other Medicare prospective payments because paying people is the lion’s share of most hospital budgets. According to OIG, “the labor share accounted for 69.6 percent of the payments in FY 2014.”

Consultant Mike Polito says a 1% change in the average hourly wage of a hospital’s wage index data can cause a significant swing in Medicare reimbursement — as much as $1 million. “When it comes to a hospital’s wage index data and the calculation of its average hourly wage, every penny certainly counts,” says Polito, principal owner of Third Party Reimbursement Solutions in Charlotte, N.C.

MACs audit every hospital’s wage data annually, using CMS’s audit program and technical guidelines on
that information from invoices, but what about consultants and CPAs? You can go back to vendors and do attestations documenting hours related to contracted labor,” Polito says, but the stakes are clearly getting higher. “The CFO needs to step in and ensure vendor contracts include language that hours and labor cost need to be provided on invoices.”

Contact Harris at sharris@tgh.org and Polito at mpolito@tprsolutions.com. Read the OIG audit of Danbury Hospital (A-01-14-00506) at http://tinyurl.com/hvy4hgn.
Lack of MD Training Contributes To $34.69M Oncology Settlement

Claims submitted for an oncology procedure that allegedly wasn’t medically necessary or was performed by physicians without the proper training have led to a false claims settlement with 21st Century Oncology Inc. and its subsidiary, South Florida Radiation Oncology LLC. They agreed to pay $34.69 million, the Department of Justice (DOJ) and U.S. Attorney’s Office for the Middle District of Florida said March 8.

21st Century Oncology Inc., which is based in Fort Myers, Fla., is the largest physician-led integrated cancer care provider in the country and has offices in 16 states, DOJ says. The settlement resolves allegations related to 21st Century Oncology’s use of a procedure called the Gamma function, which measures the exit dose of radiation from patients after treatment. In the settlement, DOJ alleges that from Jan. 1, 2009, through Nov. 8, 2015, 21st Century Oncology billed Medicare and TRICARE for “four separate categories of claims” that allegedly were medically unnecessary and/or improper:

(1) In 2009, the first year Gamma was implemented at all locations, some “physicians and physicists had not been properly trained to interpret and utilize Gamma function results.”

(2) At new sites acquired by 21st Century Oncology after 2009, for the first 180 days Gamma was used, some “physicians and physicists were not properly trained to interpret and utilize Gamma function results.”

(3) No physician reviewed Gamma function results for seven or more days after the last day patients went through radiation therapy, in connection with some claims.

(4) Some claims were submitted “where no Gamma result was available due to technical failures that produced no reference or quality assurance image.” When this happened, DOJ contends the “Gamma offered no value or meaning to any healthcare practitioners,” according to the settlement.
His tip to reduce the risk of a Part A/B disallowance: “Take a hard look at your physicians. How are you documenting the split between Part A, which is the administrative portion that’s allowable, and Part B, the hands-on patient care, which isn’t? Hopefully you have time studies because that’s the gold seal.”

Another risk area for the wage index is contract labor. Hospitals can report the clinical labor costs of contract nurses, physical therapists and other hands-on patient-care related services. Also, hospitals can include administrative and general contract labor, such as attorneys, CPAs and consultants. In order to claim contract labor costs, there must be detailed invoices describing the services performed and the labor hours required to complete them, Polito says. Only the labor component is included in the average hourly wage and reportable on the cost report for wage index purposes.

“The nuance is, how do you capture it? What is acceptable? Attorneys bill by the minute so you can capture
CMS Transmittals and Federal Register Regulations
March 3 – March 10

Live links to the following documents are included on RMC’s subscriber-only Web page at www.AISHealth.com. Please click on “CMS Transmittals and Regulations” in the right column.

Transmittals
(R) indicates a replacement transmittal.

Pub. 100-04, Medicare Claims Processing Manual
•	July Quarterly Update to 2016 Annual Update of HCPCS Codes Used for Skilled Nursing Facility Consolidated Billing Enforcement, Trans. 3473CP, CR 9561 (March 4; eff. July 1; impl. July 5, 2016)
•	Updates to Chapters 4 and 5 to Correct Remittance Advice Messages, Trans. 3475CP, CR 9424 (March 4; eff./impl. June 6, 2016)

Pub. 100-22, Medicare Quality Reporting Incentive Programs Manual
•	Fiscal Year 2017 and After Payments to Long Term Care Hospitals That Do Not Submit Required Quality Data, Trans. 55QRI, CR 9544 (March 4; eff. Jan. 1; impl. April 1, 2016)

Federal Register Regulations
Proposed Rule
•	Part B Drug Payment Model (posted March 8; Fed. Reg. publication, March 11, 2016)

Corrections and Correcting Amendments
•	Electronic Health Record Initiative Program — Stage 3 and Modifications to Meaningful Use in 2015 Through 2017, 81 Fed. Reg. 11447 (March 4, 2016)
•	Comprehensive Care for Joint Replacement Payment Model for Acute Care Hospitals Furnishing Lower Extremity Joint Replacement Services, 81 Fed. Reg. 11449 (March 4, 2016)
•	Revisions to Payment Policies Under the Physician Fee Schedule and Other Revisions to Part B for CY 2016, 81 Fed. Reg. 12024 (March 8, 2016)
Hospital Settles Over MD’s Errors
continued from p. 1
After the “suspicious change” in the medical record came to its attention, Cedars-Sinai says it reviewed multiple years of the physician’s billing records. “The medical center determined that the physician’s billing documentation for clinical services may have been generally unreliable. Although the medical center determined that the coding problems were limited in scope, it made a decision to refund 100 percent of the amounts coded by the physician (or his assistant) for clinical services.” In June 2015, OIG accepted Cedars-Sinai into the Self-Disclosure Protocol, which generally requires entities to pay 1.5 times the amount of an alleged overpayment.

Cedars-Sinai says it also reviewed the records of other physicians on the faculty but found no evidence of “similar coding irregularities.” In light of the thoracic surgeon’s errors, “Cedars-Sinai has substantially expanded its routine monitoring of physician coding. In addition to its existing internal coding reviews, Cedars-Sinai now also contracts with an outside, third-party company to conduct audits of coding and documentation for each employed physician.”

OIG alleged the billing errors occurred from Dec. 1, 2010, through Feb. 28, 2015. At the time, the thoracic surgeon, who wasn’t identified in the settlement, was employed by Cedars-Sinai. The medical center says he is no longer a Cedars-Sinai employee or faculty member. But as a community physician, the thoracic surgeon is a member of the medical staff and can admit patients to the hospital.

Although thoracic surgeons are compensated well — typically Medicare alone pays them about $300,000 to $400,000 a year, according to ProPublica.org — it’s unusual to see one physician drive a hospital settlement for almost $900,000, says Ed Gaines, chief compliance officer for Zotec Partners in Greensboro, N.C. “I haven’t seen it in 20-plus years in compliance.” It underscores the importance of the auditing and monitoring requirements of compliance programs “and constant quality assurance reviews of coding and documentation.”

Medicare auditors and enforcers are focusing more on physicians, Gaines says. “There is concern within the enforcement community about the subjectivity of evaluation and management [i.e., E/M] coding and the error rates that have been reported” by certain Medicare administrative contractors (MACs) and the comprehensive error rate testing (CERT) contractor, he says, which recently posted 2015 improper payment rates (RMC 1/11/16, p. 4). For 2015, CERT data on Part B upcoding showed a 19.6% error rate for initial hospital visits, 13.6% for new office visits, 15.3% for critical care hospital visits and 12% for emergency room visits.
Subjectivity Is a Concern
The subjectivity of coding E/M services is the push me-pull you of providers vs. Medicare watchdogs. The level of an E/M service is based partly on a physician’s medical decision making, which is inherently subjective, says Gaines. “One physician may think a patient’s condition is high complexity, and another may think it’s moderate complexity. It makes E/M coding art and science together.” Suppose a patient presents at the emergency room with flank pain. One element of medical decision making is the amount and complexity of data to be reviewed, and physicians or coders can rate it as “high moderate” or “low moderate,” Gaines explains. Low moderate would support — assuming other necessary elements of the history and exam were found in the documentation — a level three E/M code for the emergency room visit (CPT 99283), and high moderate would support a level four E/M code (CPT 99284).

At times, these distinctions may seem impossibly fine to coders and physicians, he says. “People look at me and say, ‘how can we better objectively quantify the nature of the presenting problem and the patient’s morbidity/mortality or risk?’” This matters in more ways than one. The difference between 99283 and 99284 is about $40 or $50, which obviously affects both physicians on the receiving end and Medicare on the paying end. Auditors may come back and contend the coders or physicians coded a low-moderate complexity case as a high-moderate complexity case. But what bothers Gaines more is if it goes off the slippery slope from auditors to enforcers.
“A subjective difference, if proven on audit, is an overpayment to the MAC, not reckless disregard or deliberate indifference,” which is the standard of proof for a False Claims Act (FCA) violation, he says. “So from a compliance perspective, compliance officers should be understanding to someone making a different decision but using their reasonable judgment based on the source documentation from the provider.” He thinks OIG has been sensitive to this in the sense that it has sent a clear message that the Self-Disclosure Protocol is not the right mechanism for routine overpayments. “The proper corrective action there is a voluntary refund to the MAC.”

But he sees potential danger lurking in cases like the Department of Justice settlements over noncompliance with the national coverage determination for implantable cardiac defibrillators (NCD 20.4) (RMC 2/29/16, p. 3; 2/22/16, p. 6). “Is the message from the multiple hospital enforcement action that if the physician reasonably believes the implantable cardiac defibrillator is medically necessary and someone in the revenue cycle function misses an NCD technically, even though they were reasonably trying to comply, then that is reckless disregard or deliberate ignorance, and hence FCA penalties?”

In terms of compliance with E/M coding, Gaines says time is, literally, of the essence — at least for some E/M services. They are ripe for audits because the rules are black and white. With critical care, for example, physicians can’t bill Medicare unless they spend a minimum of 30 minutes evaluating, managing and treating the patient and documenting accordingly. “If it’s 25 minutes, you can’t bill critical care,” he notes.

One way for hospitals to monitor employed physicians is to determine whether the E/M visits they report using time square with the hours in a day, week or month, says Ronald Hirsch, M.D., vice president of regulations and education at Accretive Physicians Advisory Services. “It would be important for a hospital to see whether it’s physically possible to spend as much time as they stated on their visits,” he says. For example, by looking at the ProPublica website, which uses CMS’s Medicare Provider Analysis and Review (MEDPAR) data, Hirsch identified a physician who billed more than 5,000 critical care visits each year for two years. “If you do the math, it would require almost eight hours a day every day of the year to provide that many visits,” Hirsch says. The physician also billed more than 2,000 other noncritical care visits. Any physician would be hard pressed to accomplish this, although it’s impossible to tell for sure without reviewing medical records, he says. E/M codes can be chosen with one of two methods: either using the elements of the history, physical and medical decision making or by time.

Contact Gaines at egaines@zotecmmp.com and Hirsch at rhirsch@accretivehealth.com.

In a statement, 21st Century Oncology said it “fully cooperated” with the federal government to resolve the case and that “there was no harm to any patient related to this dispute.” The company said the dispute related to “the training protocols of certain staff in the utilization of GAMMA, and was limited to its early implementation and startup activities at new facility locations across the country.” It also said it has strengthened its compliance, auditing and training programs.

21st Century Oncology did not admit liability in the settlement. The case (United States ex rel. Ting v. 21st Century Oncology and South Florida Radiation Oncology, No. 3:14-cv-723-Jax-J32JRK) was initiated by a whistleblower — Joseph Ting, a former physicist at South Florida Radiation Oncology. Visit http://tinyurl.com/hmsbx2t.

NEWS BRIEFS

• A California physician was sentenced to six months in prison in connection with a scheme to defraud patients and their insurers by implanting and charging for unapproved intrauterine devices (IUDs), the U.S. Attorney’s Office for the Eastern District of California said March 7. Paul S. Singh, who provided obstetric and gynecological services in his Tehachapi offices, prescribed birth control to women, including IUDs. Only one form of IUD with copper as its active ingredient — the ParaGard T-380A — has been FDA approved, and it’s only sold by its manufacturer, the U.S. attorney’s office says. “According to court documents, Singh bought unapproved IUDs on the Internet and implanted them in his patients. Rather than inform his patients or their insurers of using non-FDA approved IUDs, however, he fraudulently billed his patients and their insurers as if he had implanted FDA-approved IUDs, all without the permission or consent of his patients,” the U.S. attorney’s office says. Singh pocketed the payment difference. Patients who have unapproved copper IUDs may be at greater risk of pelvic inflammatory disease, ectopic pregnancy, hysterectomy and other complications, the U.S. attorney’s office says. After his prison term is up, Singh will spend a year in home detention. Visit http://tinyurl.com/zc72mtj.

• Freeman Hospital in Joplin, Mo., was overpaid $311,000, according to a Medicare compliance review (A-07-14-05064). The HHS Office of Inspector General (OIG) audited 225 claims submitted in 2011 and 2012 by the 346-bed teaching hospital and found errors on 45 of them. Carlos Haley, Freeman Hospital’s vice president of compliance, said it disagreed with OIG’s findings on 10 of the errors. He also emphasized the hospital “has an active compliance program and strives to strictly adhere to Medicare regulations.” Visit http://go.usa.gov/cfdvx.

• Recovery audit contractors (RACs) are now reviewing fewer than 350 types of Medicare billing, down from the 800 areas they were approved to review by CMS when the program was “working at full capacity,” according to the Council for Medicare Integrity. On March 9, the council released an analysis of the state of the RAC program. Visit http://tinyurl.com/zlfgfk4 or www.medicareintegrity.org.
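The feasibility arithmetic Hirsch describes in the Cedars-Sinai article above (does the time implied by a physician's time-based E/M claims fit in the hours available?) can be run over a claims extract as a routine monitoring screen rather than done by hand per physician. The following is an added example in Python; it is not code from RMC, from Hirsch or from Gaines. It uses the 30-minute critical care floor the article cites as a lower bound on time per visit; the 15-minute floor for other E/M visits, the eight-hour-per-day flag threshold, the code categories, the identifiers and the visit counts are constructed assumptions for illustration. Because it sums minimum documented minutes, the result is a floor on the physician's workload, not an estimate of actual time.

```python
"""Time-feasibility screen for time-based E/M billing (added example).

Assumptions not taken from the article: the per-category minute floor
for non-critical-care visits, the flag threshold, the identifiers and
the sample counts. The 30-minute critical care floor is the one the
article cites.
"""
from dataclasses import dataclass

# Minimum documented minutes implied by each billed visit category.
# critical_care: 30-minute floor (from the article).
# other_em: 15 minutes is an assumption for illustration only.
MIN_MINUTES = {
    "critical_care": 30,
    "other_em": 15,
}

DAYS_PER_YEAR = 365
FLAG_HOURS_PER_DAY = 8.0   # assumption: flag anyone whose floor exceeds this


@dataclass
class PhysicianYear:
    npi: str        # hypothetical provider identifier (constructed values below)
    year: int
    counts: dict    # visit category -> number of visits billed that year


def implied_hours(rec: PhysicianYear, floors: dict = MIN_MINUTES) -> float:
    """Lower bound on hours worked: each category's visit count times the
    minimum minutes that category requires. Unknown categories are an
    error rather than silently counted as zero time."""
    minutes = 0
    for category, n in rec.counts.items():
        if category not in floors:
            raise KeyError(f"no time floor defined for category {category!r}")
        minutes += n * floors[category]
    return minutes / 60.0


def hours_per_day(rec: PhysicianYear, days: int = DAYS_PER_YEAR) -> float:
    """Spread the yearly floor over every calendar day, as Hirsch's
    'every day of the year' framing does."""
    return implied_hours(rec) / days


def screen(records, threshold: float = FLAG_HOURS_PER_DAY):
    """Return (npi, year, hours_per_day) for each record whose implied
    daily floor exceeds the threshold, highest first."""
    flagged = []
    for rec in records:
        hpd = hours_per_day(rec)
        if hpd > threshold:
            flagged.append((rec.npi, rec.year, round(hpd, 2)))
    return sorted(flagged, key=lambda t: t[2], reverse=True)


# Constructed sample data. The first record mirrors the article's case
# (5,000 critical care visits plus 2,000 other visits in one year); the
# second is an unremarkable physician for contrast.
SAMPLE = [
    PhysicianYear("0000000001", 2014, {"critical_care": 5000, "other_em": 2000}),
    PhysicianYear("0000000002", 2014, {"critical_care": 400, "other_em": 1500}),
]

if __name__ == "__main__":
    for npi, year, hpd in screen(SAMPLE):
        print(f"{npi} {year}: billed time implies at least {hpd} h/day, every day")
```

With the 30-minute floor alone, 5,000 critical care visits come to 2,500 hours, about 6.8 hours per calendar day; the 2,000 other visits push the floor past eight. A hit from this screen is a prompt to pull the medical records, not a finding: as Hirsch says, you cannot tell for sure without reviewing them, and the time floors only bound the problem from below.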
IfYou Don’t Already Subscribe to the Newsletter,
Here AreThree Easy Ways to Sign Up:
1. Return to any Web page that linked you to this issue
2. Go to the MarketPlace at www.AISHealth.com and click on “Newsletters.”
3. Call Customer Service at 800-521-4323
If you are a subscriber and want to provide regular access to
the newsletter — and other subscriber-only resources
at AISHealth.com — to others in your organization:
Call Customer Service at 800-521-4323 to discuss AIS’s very reasonable
rates for your on-site distribution of each issue. (Please don’t forward these
PDF editions without prior authorization from AIS, since strict copyright
restrictions apply.)

Contenu connexe

Tendances

Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...Hybrid Cloud
 
Information+security rutgers(final)
Information+security rutgers(final)Information+security rutgers(final)
Information+security rutgers(final)Amy Stowers
 
Healthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALHealthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALSteve Knapp
 
Breach of Security Final Paper
Breach of Security Final PaperBreach of Security Final Paper
Breach of Security Final PaperAndrew Blumenreich
 
The New Era of Individual Responsibility in Health Care Fraud and Abuse
The New Era of Individual Responsibility in Health Care Fraud and AbuseThe New Era of Individual Responsibility in Health Care Fraud and Abuse
The New Era of Individual Responsibility in Health Care Fraud and AbuseSamuel M. Shapiro
 
Cybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryCybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryEMC
 
3 Round Stones at the New England Health Datapalooza Oct 3, 2012
3 Round Stones at the New England Health Datapalooza Oct 3, 20123 Round Stones at the New England Health Datapalooza Oct 3, 2012
3 Round Stones at the New England Health Datapalooza Oct 3, 20123 Round Stones
 
AVAILABILITY, ACCESSIBILITY, PRIVACY AND SAFETY ISSUES FACING ELECTRONIC MEDI...
AVAILABILITY, ACCESSIBILITY, PRIVACY AND SAFETY ISSUES FACING ELECTRONIC MEDI...AVAILABILITY, ACCESSIBILITY, PRIVACY AND SAFETY ISSUES FACING ELECTRONIC MEDI...
AVAILABILITY, ACCESSIBILITY, PRIVACY AND SAFETY ISSUES FACING ELECTRONIC MEDI...ijsptm
 
Business Associate Risk - HC SC Sept 2014
Business Associate Risk - HC SC Sept 2014Business Associate Risk - HC SC Sept 2014
Business Associate Risk - HC SC Sept 2014garyjohnson500
 
Hitech for HIPAA
Hitech for HIPAAHitech for HIPAA
Hitech for HIPAAdkarpinsky
 
HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
HEALTHCARE IT: IS YOUR INFORMATION AT RISK? HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
HEALTHCARE IT: IS YOUR INFORMATION AT RISK? IJNSA Journal
 
HIPAA and Privacy for Researchers
HIPAA and Privacy for ResearchersHIPAA and Privacy for Researchers
HIPAA and Privacy for ResearchersJason Karn
 
Technologies and procedures for HIPAA compliance
Technologies and procedures for HIPAA complianceTechnologies and procedures for HIPAA compliance
Technologies and procedures for HIPAA complianceJack Shaffer
 
4 Digital Health Trends Affecting Your Revenue Cycle
4 Digital Health Trends Affecting Your Revenue Cycle4 Digital Health Trends Affecting Your Revenue Cycle
4 Digital Health Trends Affecting Your Revenue CycleMeduit
 
Biz Jrnl 071810
Biz Jrnl 071810Biz Jrnl 071810
Biz Jrnl 071810Vim Anand
 

Tendances (20)

Data Breach: It Can Happen To You
Data Breach: It Can Happen To YouData Breach: It Can Happen To You
Data Breach: It Can Happen To You
 
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
 
Information+security rutgers(final)
Information+security rutgers(final)Information+security rutgers(final)
Information+security rutgers(final)
 
Healthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALHealthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINAL
 
Breach of Security Final Paper
Breach of Security Final PaperBreach of Security Final Paper
Breach of Security Final Paper
 
The New Era of Individual Responsibility in Health Care Fraud and Abuse
The New Era of Individual Responsibility in Health Care Fraud and AbuseThe New Era of Individual Responsibility in Health Care Fraud and Abuse
The New Era of Individual Responsibility in Health Care Fraud and Abuse
 
Ijnsa050201
Ijnsa050201Ijnsa050201
Ijnsa050201
 
Cybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryCybercrime and the Healthcare Industry
Cybercrime and the Healthcare Industry
 
3 Round Stones at the New England Health Datapalooza Oct 3, 2012
3 Round Stones at the New England Health Datapalooza Oct 3, 20123 Round Stones at the New England Health Datapalooza Oct 3, 2012
3 Round Stones at the New England Health Datapalooza Oct 3, 2012
 
Towards predictive medicine
Towards predictive medicineTowards predictive medicine
Towards predictive medicine
 
AVAILABILITY, ACCESSIBILITY, PRIVACY AND SAFETY ISSUES FACING ELECTRONIC MEDI...
AVAILABILITY, ACCESSIBILITY, PRIVACY AND SAFETY ISSUES FACING ELECTRONIC MEDI...AVAILABILITY, ACCESSIBILITY, PRIVACY AND SAFETY ISSUES FACING ELECTRONIC MEDI...
AVAILABILITY, ACCESSIBILITY, PRIVACY AND SAFETY ISSUES FACING ELECTRONIC MEDI...
 
AIS Article
AIS ArticleAIS Article
AIS Article
 
Business Associate Risk - HC SC Sept 2014
Business Associate Risk - HC SC Sept 2014Business Associate Risk - HC SC Sept 2014
Business Associate Risk - HC SC Sept 2014
 
Hitech for HIPAA
Hitech for HIPAAHitech for HIPAA
Hitech for HIPAA
 
HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
HEALTHCARE IT: IS YOUR INFORMATION AT RISK? HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
 
HIPAA and Privacy for Researchers
HIPAA and Privacy for ResearchersHIPAA and Privacy for Researchers
HIPAA and Privacy for Researchers
 
Technologies and procedures for HIPAA compliance
Technologies and procedures for HIPAA complianceTechnologies and procedures for HIPAA compliance
Technologies and procedures for HIPAA compliance
 
4 Digital Health Trends Affecting Your Revenue Cycle
4 Digital Health Trends Affecting Your Revenue Cycle4 Digital Health Trends Affecting Your Revenue Cycle
4 Digital Health Trends Affecting Your Revenue Cycle
 
Biz Jrnl 071810
Biz Jrnl 071810Biz Jrnl 071810
Biz Jrnl 071810
 
Healthcare Analytics
Healthcare AnalyticsHealthcare Analytics
Healthcare Analytics
 

Similaire à Compliance

We Need to Prioritize Cybersecurity in 2020
We Need to Prioritize Cybersecurity in 2020We Need to Prioritize Cybersecurity in 2020
We Need to Prioritize Cybersecurity in 2020Matthew Doyle
 
Cost of Data Breah in Healthcare_Quinlan, Courtney
Cost of Data Breah in Healthcare_Quinlan, CourtneyCost of Data Breah in Healthcare_Quinlan, Courtney
Cost of Data Breah in Healthcare_Quinlan, Courtneycourtneyquinlan
 
1 5Preparing to Conduct Business Research, Part 1Latwo.docx
1     5Preparing to Conduct Business Research, Part 1Latwo.docx1     5Preparing to Conduct Business Research, Part 1Latwo.docx
1 5Preparing to Conduct Business Research, Part 1Latwo.docxhoney725342
 
Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...
Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...
Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...Steve Fantauzzo
 
Why cyber-criminals target Healthcare - Panda Security
Why cyber-criminals target Healthcare - Panda Security Why cyber-criminals target Healthcare - Panda Security
Why cyber-criminals target Healthcare - Panda Security Panda Security
 
Running head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxRunning head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxwlynn1
 
Cybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryCybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryEMC
 
Best 3 Cyber Threats in Healthcare Organizations Today | The Lifesciences Mag...
Best 3 Cyber Threats in Healthcare Organizations Today | The Lifesciences Mag...Best 3 Cyber Threats in Healthcare Organizations Today | The Lifesciences Mag...
Best 3 Cyber Threats in Healthcare Organizations Today | The Lifesciences Mag...The Lifesciences Magazine
 
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITALINCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITALIJNSA Journal
 
Fortified Health Security - Horizon Report 2016
Fortified Health Security - Horizon Report 2016Fortified Health Security - Horizon Report 2016
Fortified Health Security - Horizon Report 2016Dan L. Dodson
 
Hot Topics in Privacy and Security
Hot Topics in Privacy and SecurityHot Topics in Privacy and Security
Hot Topics in Privacy and SecurityPYA, P.C.
 
Peer Review FormComplete the form by inserting your answer.docx
Peer Review FormComplete the form by inserting your answer.docxPeer Review FormComplete the form by inserting your answer.docx
Peer Review FormComplete the form by inserting your answer.docxtemplestewart19
 
Addressing Cybersecurity Strategically
Addressing Cybersecurity Strategically Addressing Cybersecurity Strategically
Addressing Cybersecurity Strategically Symantec
 
(Executive Summary)MedStar Health Inc, a leader in the healthc
(Executive Summary)MedStar Health Inc, a leader in the healthc(Executive Summary)MedStar Health Inc, a leader in the healthc
(Executive Summary)MedStar Health Inc, a leader in the healthcSilvaGraf83
 
(Executive Summary)MedStar Health Inc, a leader in the healthc
(Executive Summary)MedStar Health Inc, a leader in the healthc(Executive Summary)MedStar Health Inc, a leader in the healthc
(Executive Summary)MedStar Health Inc, a leader in the healthcMoseStaton39
 
Systems AdminstratorAs your systems administrator  person I am.docx
Systems AdminstratorAs your systems administrator  person I am.docxSystems AdminstratorAs your systems administrator  person I am.docx
Systems AdminstratorAs your systems administrator  person I am.docxssuserf9c51d
 
Cyber Risk in Healthcare Industry- Are you Protected?
Cyber Risk in Healthcare Industry- Are you Protected?  Cyber Risk in Healthcare Industry- Are you Protected?
Cyber Risk in Healthcare Industry- Are you Protected? Mark Merrill
 
Systems Thinking on a National Level, Part 2Drew David.docx
Systems Thinking on a National Level, Part 2Drew David.docxSystems Thinking on a National Level, Part 2Drew David.docx
Systems Thinking on a National Level, Part 2Drew David.docxperryk1
 
Running head THREAT MODELING WITH STRIDE .docx
Running head THREAT MODELING WITH STRIDE                         .docxRunning head THREAT MODELING WITH STRIDE                         .docx
Running head THREAT MODELING WITH STRIDE .docxtoltonkendal
 

Similaire à Compliance (20)

We Need to Prioritize Cybersecurity in 2020
We Need to Prioritize Cybersecurity in 2020We Need to Prioritize Cybersecurity in 2020
We Need to Prioritize Cybersecurity in 2020
 
Cost of Data Breah in Healthcare_Quinlan, Courtney
Cost of Data Breah in Healthcare_Quinlan, CourtneyCost of Data Breah in Healthcare_Quinlan, Courtney
Cost of Data Breah in Healthcare_Quinlan, Courtney
 
1 5Preparing to Conduct Business Research, Part 1Latwo.docx
1     5Preparing to Conduct Business Research, Part 1Latwo.docx1     5Preparing to Conduct Business Research, Part 1Latwo.docx
1 5Preparing to Conduct Business Research, Part 1Latwo.docx
 
Threatsploit Adversary Report January 2019
Threatsploit Adversary Report January  2019Threatsploit Adversary Report January  2019
Threatsploit Adversary Report January 2019
 
Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...
Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...
Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...
 
Why cyber-criminals target Healthcare - Panda Security
Why cyber-criminals target Healthcare - Panda Security Why cyber-criminals target Healthcare - Panda Security
Why cyber-criminals target Healthcare - Panda Security
 
Running head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxRunning head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docx
 
Cybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryCybercrime and the Healthcare Industry
Cybercrime and the Healthcare Industry
 
Best 3 Cyber Threats in Healthcare Organizations Today | The Lifesciences Mag...
Best 3 Cyber Threats in Healthcare Organizations Today | The Lifesciences Mag...Best 3 Cyber Threats in Healthcare Organizations Today | The Lifesciences Mag...
Best 3 Cyber Threats in Healthcare Organizations Today | The Lifesciences Mag...
 
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITALINCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
 
Fortified Health Security - Horizon Report 2016
Fortified Health Security - Horizon Report 2016Fortified Health Security - Horizon Report 2016
Fortified Health Security - Horizon Report 2016
 
Hot Topics in Privacy and Security
Hot Topics in Privacy and SecurityHot Topics in Privacy and Security
Hot Topics in Privacy and Security
 
Peer Review FormComplete the form by inserting your answer.docx
Peer Review FormComplete the form by inserting your answer.docxPeer Review FormComplete the form by inserting your answer.docx
Peer Review FormComplete the form by inserting your answer.docx
 
Addressing Cybersecurity Strategically
Addressing Cybersecurity Strategically Addressing Cybersecurity Strategically
Addressing Cybersecurity Strategically
 
(Executive Summary)MedStar Health Inc, a leader in the healthc
(Executive Summary)MedStar Health Inc, a leader in the healthc(Executive Summary)MedStar Health Inc, a leader in the healthc
(Executive Summary)MedStar Health Inc, a leader in the healthc
 
(Executive Summary)MedStar Health Inc, a leader in the healthc
(Executive Summary)MedStar Health Inc, a leader in the healthc(Executive Summary)MedStar Health Inc, a leader in the healthc
(Executive Summary)MedStar Health Inc, a leader in the healthc
 
Systems AdminstratorAs your systems administrator  person I am.docx
Systems AdminstratorAs your systems administrator  person I am.docxSystems AdminstratorAs your systems administrator  person I am.docx
Systems AdminstratorAs your systems administrator  person I am.docx
 
Cyber Risk in Healthcare Industry- Are you Protected?
Cyber Risk in Healthcare Industry- Are you Protected?  Cyber Risk in Healthcare Industry- Are you Protected?
Cyber Risk in Healthcare Industry- Are you Protected?
 
Systems Thinking on a National Level, Part 2Drew David.docx
Systems Thinking on a National Level, Part 2Drew David.docxSystems Thinking on a National Level, Part 2Drew David.docx
Systems Thinking on a National Level, Part 2Drew David.docx
 
Running head THREAT MODELING WITH STRIDE .docx
Running head THREAT MODELING WITH STRIDE                         .docxRunning head THREAT MODELING WITH STRIDE                         .docx
Running head THREAT MODELING WITH STRIDE .docx
 

Compliance

  • 1. Published by Atlantic Information Services, Inc., Washington, DC • 800-521-4323 • www.AISHealth.com An independent publication not affiliated with hospitals, government agencies, consultants or associations 3 Preliminary Checklist for Security Risk Assessment 4 Raising Employee Awareness About Cybersecurity 5 CMS and OIG Scrutiny Of Wage Index Can Cost Hospitals Millions 6 CMS Transmittals And Regulations 6 Lack of MD Training Contributes to $34.69M Oncology Settlement 8 News Briefs Contents Cybersecurity ‘Defense in Depth’ Is Key as CCOs Call It a Top Risk; Rally Employees Cybersecurity consultant Mark Lanterman was floored when he came across a website that controlled a San Francisco hospital’s heating and cooling system. Because it was out there — part of the vaunted “Internet of things” — with no user name or pass- word, anyone could manipulate it, potentially for devious purposes, such as turning the water to a scalding temperature to burn patients. The website also could be a way into the rest of the hospital’s information system, including electronic medical records. Lan- terman called to warn the hospital’s chief information officer, who brushed it off with a terse “take me off your call list.” That seemed to be that, until Lanterman mentioned the situation during a presentation, which coincidentally was attended by the husband of a hospital employee. The website came down almost immediately afterwards. “There are more avenues of attack against a hospital than probably any other orga- nization because everything is connected — your pharmacy, your patient records, your thermostat,” says Lanterman, chief technology officer for Computer Forensic Services in Minnetonka, Minn. “When you hack a hospital, you can really hurt people, and that’s why hospitals need to take this stuff seriously if they aren’t already.” Apparently many of them are. 
Cybersecurity/cybercrime was named the second biggest risk for 2016 by health care companies in a new survey by the Health Care Com- pliance Association (HCCA) and Society of Corporate Compliance and Ethics (SCCE), following social media compliance risks. While it’s impossible to build an impenetrable fortress, hospitals can make themselves “less appealing to a hacker,” says Rolin Peets, chief information security officer for c1Secure in Rochester, N.Y. That requires educat- Call to Compliance Leads to Hospital’s $872,925 Settlement for One MD’s Billing When an employee at Cedars-Sinai Medical Center noticed a questionable change in a patient’s medical record, the employee alerted the corporate integrity depart- ment. That set in motion an internal investigation of the billing by the physician who treated the patient and culminated in the Los Angeles hospital paying $872,925 in a civil money penalty (CMP) settlement over the behavior of that one physician. According to the HHS Office of Inspector General (OIG), the medical center submitted Medicare, Medicaid and TRICARE claims on behalf of the physician, a thoracic surgeon, for inpa- tient and outpatient services that weren’t provided as charged or weren’t supported by documentation for the level of service billed. “Cedars-Sinai found that the physician appeared at times to overstate the amount of time he spent with patients as well as the complexity of clinical services he provid- ed,” the medical center says in response to questions from RMC. “Cedars-Sinai reported the physician’s activity to [OIG].” continued on p. 7 Volume 25, Number 10 • March 14, 2016 Managing Editor Nina Youngstrom nyoungstrom@aishealth.com Assistant Editor Angela Maas Contributing Editor Francie Fernald Executive Editor Jill Brown Weekly News and Compliance Strategies on CMS/OIG Regulations, Enforcement Actions and Audits Don’t miss the valuable benefits for RMC subscribers at AISHealth. 
com — searchable archives, back issues, Hot Topics, postings from the editor, and more. Log in at www. AISHealth.com. If you need assistance, email customerserv@aishealth.com.
  • 2. 2Report on Medicare Compliance March 14, 2016 ing employees to identify hacker tricks, including social engineering tactics (e.g., phishing); implementing robust security policies and procedures; and patching and up- dating technical infrastructure, experts say. Hospitals and other health care organizations have room for improvement, Peets says. He advocates “de- fense in depth” — an old term that describes a layered approach to protecting information systems that includes technical, administrative and physical controls. “If you make it hard for hackers, they will move on to another victim.” The uphill battle of cybersecurity is it takes only one person to cause a hack through phishing. A hospital employee, for example, could click on a phony email with a link to malware because it looks legitimate — like an email from the Department of Health — or it plays to their greed, says Lanterman, citing an email being circulated now: “You have been chosen to participate in a federal government debt relief program” or others like “Congratulations, you’ve won a free iPad.” When em- ployees are sucked in and click on the links, it gives hack- ers a way to plant their malware and access the patient names and addresses, Social Security numbers, credit card numbers, dates of birth and other sensitive data. This reality is a call for “continuous security and compliance,” where systems are monitored 24/7 and training is ongoing, Peets says. “The days of one-and- done risk assessment are over. The mindset of continu- ous monitoring helps to identify and mitigate risks. It’s possible the best-laid plans will go sideways, but the more defense in depth you have in place, the better off you are.” Ransomware Is Preventable That would hold true in a type of attack known as ransomware, Peets and Lanterman say. Recently, hackers took Hollywood Presbyterian Medical Center’s network hostage before fading back into the recesses of the dark web with $17,000 in their pockets. 
The hackers gave the hospital the decryption key as soon as they were paid. “It should never have happened,” Lanterman says. “Patient records are very important and should be constantly backed up. Any organization should assume they will be the victim of ransomware and make sure they have a response plan in place. IT should have their systems con- figured so if it happens, IT merely restores the backup.” He knows of an energy company hit by ransomware that didn’t pay the hackers because it was prepared for an attack and had its system back up in two hours. Peets agrees, saying you back up electronic health records and other data as close to real time as possible. People, however, hold the key to cybersecurity. “Ed- ucation is the best cybersecurity money you can spend,” Lanterman contends (see box, p. 4). Employees need to be on guard against social engineering, which is a hacker technique for manipulating information out of people and then using it to “build a base of information to attack the organization,” Peets says. Suppose a hacker calls the IT help desk, posing as an employee. The hacker says he has been on vacation and forgot his password, and the IT person obliges, which leads the hacker to reset the password and worm his way into the system. “The hacker exploits the IT person’s good nature and [desire] to help someone,” says Peets. “Hacking a computer takes skill, but hacking a person not so much,” Lanterman adds. He’s worried about the worst-case scenario, which is hackers manipulating medical records or devices. They could delete patients’ allergies, for example, change pre- scriptions, delete diagnoses or even sabotage devices. 
Some hackers may threaten to do this in a ransomware situation, but Lanterman is also worried about the 17-year-old in his mother’s basement “who doesn’t necessarily understand the gravity of what he’s doing and is just showing off for a friend, and people wind up hurt.”

EDITORIAL ADVISORY BOARD: JEFFREY FITZGERALD, Polsinelli PC; EDWARD GAINES, Esq., Zotec-MMP; DEBI HINSON, Chief Research and Privacy Compliance Officer, Columbus Regional Health; MARION KRUSE, FTI Healthcare; RICHARD KUSSEROW, President, Strategic Management Systems, Alexandria, Va.; WALTER METZ, CPA, MS, JD, Brookhaven Memorial Hospital Medical Center; MARK PASTIN, PhD, Council of Ethical Organizations; CHERYL RICE, Corporate Responsibility Officer for Catholic Health Partners in Cincinnati, Ohio; ANDREW RUSKIN, Esq., Morgan, Lewis & Bockius LLP; BOB WADE, Esq., Krieg DeVault; D. McCARTY THORNTON, Esq., Sonnenschein Nath & Rosenthal; JULIE E. CHICOINE, JD, RN, CPC, Compliance Director, Ohio State University Medical Center; WENDY TROUT, CPA, Director Corporate Compliance, WellSpan Health

Report on Medicare Compliance (ISSN: 1094-3307) is published 45 times a year by Atlantic Information Services, Inc., 1100 17th Street, NW, Suite 300, Washington, D.C. 20036, 202-775-9008, www.AISHealth.com. Copyright © 2016 by Atlantic Information Services, Inc. All rights reserved.

On an occasional basis, it is okay to copy, fax or email an article or two from RMC. But unless you have AIS’s permission, it violates federal law to make copies of, fax or email an entire issue, share your AISHealth.com subscriber password, or post newsletter content on any website or network. To obtain our quick permission to transmit or make a few copies, or post a few stories of RMC at no charge, please contact Eric Reckner (800-521-4323, ext. 3042, or ereckner@aishealth.com). Contact Bailey Sterrett (800-521-4323, ext. 3034, or bsterrett@aishealth.com) if you’d like to review our very reasonable rates for bulk or site licenses that will permit weekly redistributions of entire issues. Contact Customer Service at 800-521-4323 or customerserv@aishealth.com.

Report on Medicare Compliance is published with the understanding that the publisher is not engaged in rendering legal, accounting or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought.

Managing Editor, Nina Youngstrom; Assistant Editor, Angela Maas; Contributing Editor, Francie Fernald; Executive Editor, Jill Brown; Publisher, Richard Biehl; Marketing Director, Donna Lawton; Fulfillment Manager, Tracey Filar Atwood; Production Editor, Carrie Epps.

Subscriptions to RMC include free electronic delivery in addition to the print copy, e-Alerts when timely news breaks, and extensive subscriber-only services at www.AISHealth.com that include a searchable database of RMC content and archives of past issues. To order an annual subscription to Report on Medicare Compliance ($764 bill me; $664 prepaid), call 800-521-4323 (major credit cards accepted) or order online at www.AISHealth.com. Subscribers to RMC can receive 12 Continuing Education Credits per year, toward certification by the Compliance Certification Board. Contact CCB at 888-580-8373.
March 14, 2016 Report on Medicare Compliance 3

Peets advises hospitals and other health care organizations to have a third-party assessment of their cybersecurity risks. “The results of the risk assessment are prioritized based on the level of risk and provide [organizations] with remediation strategies and plans of action,” he says. For example, “anti-virus and anti-malware will help protect hospitals from phishing and malware, and they should have a strong spam filter at the front of their perimeter to parse questionable emails,” says Peets. And training employees on the hospital’s own policies is, of course, a necessity. “You can’t avoid being a target, but most [cyberattacks] can be prevented through education,” Lanterman says. He suggests making employees acutely aware of ransomware and telling them to be on guard for emails with misspellings and grammatical errors or offers of free goodies.

If they use the cloud, hospitals should make sure their providers comply with the Statement on Standards for Attestation Engagements (SSAE) SOC 1 or SOC 2, Peets says. Are they audited and assessed on a regular basis? “If you don’t have defense in depth that includes administrative and technical controls and you go to the cloud, you are just moving your problem,” he says.

Employees may be an invitation to hacker hell in other ways. At one hospital, Peets found during a recent security risk assessment that almost 30% of proximity keys assigned to ex-employees were still active. “It was a process, policy and procedure breakdown,” he says. And sometimes disgruntled employees can cause a lot of damage. That’s why penetration testing is an important, albeit small, part of a comprehensive security assessment, Lanterman says. Penetration testing is an intentional hack to test the system. “I act like a hacker,” he says. But sometimes when organizations do penetration testing, they forget to act like a rogue employee, he says.
“There is a significant financial incentive to steal medical records,” he says. In different ways, “the greatest threat is inside the hospital.”

Contact Lanterman at mlanterman@compforensics.com and Peets at RPeets@c1secure.com. View the HCCA/SCCE survey at http://tinyurl.com/j7wy2rl.

Preliminary Checklist for Security Risk Assessment

Security risk assessments under HIPAA and meaningful use (RMC 2/15/16, p. 1) continue to be a weak spot for many hospitals, experts say, even as breaches and cybersecurity climb their risk lists (see story, p. 1). This checklist was developed by Rolin Peets, chief information security officer for c1Secure in Rochester, N.Y. Contact him at RPeets@c1secure.com.

Columns: YES | NO | NOTES

• If OCR were to arrive today, are you confident you could produce policy documents to support all components of the HIPAA Security Rule?
• Do all policy documents include both the policy statement and the current procedure in place to support each standard?
• Is there documentation that identifies where ePHI is located or processed, including equipment, software applications and how it is used by third party Business Associates?
• Is there written documentation identifying levels of access for each application by job description?
• Is all ePHI encrypted, within the network and in any instance of transmission?
• Is there a process to routinely review access reports, audit logs and security incident reports?
• Is your Disaster Recovery/Business Continuity Plan complete and in place, including routine drills and/or tests?
• Do you offer a comprehensive training program for new hires (with annual mandatory training for all staff) that includes Privacy and Security Rules for HIPAA?
• Do you have a process for managing your Business Associates that complies with the latest regulations?
• Do you have a Breach Notification process in place, fully documented, that complies with the latest regulations?
• Is access between public and private areas controlled?
• Do you have an alarm system and/or video cameras?
• For staff access are locks/keys, key fobs, or proximity badges in use?
• Can monitors/screens be seen in public areas or as clients are walking by?
• Are documents with PHI ever left sitting on copiers, printers or fax machines?

OCR = Office for Civil Rights; ePHI = electronic protected health information
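The checklist’s staff-access and access-review items, and the finding in the story above that almost 30% of proximity keys assigned to ex-employees were still active, both come down to one reconciliation: the HR roster against the badge system’s list of active credentials. What follows is an added example of that check, not code from the newsletter, from c1Secure or from any badge vendor; the CSV columns and every employee, badge and date in it are constructed.

```python
"""Reconcile an HR roster against a badge-system export and report proximity
credentials that should have been deactivated when the holder left. Added
example, not code from the newsletter, c1Secure or any badge vendor; the CSV
layouts and every record below are constructed for illustration."""
import csv
import io
from datetime import date

# Constructed HR export. Blank term_date = still employed; future = notice given.
HR_CSV = """employee_id,name,term_date
E100,Ana Ortiz,
E101,Ben Lee,2015-11-30
E102,Cara Diaz,2016-01-15
E103,Dev Patel,2016-04-01
E104,Eli Stone,2015-08-01
E105,Fay Wu,2016-02-20
E106,Gus Hall,2015-10-05
E107,Ida Roy,2016-03-01
E108,Jon Park,2015-12-18
"""

# Constructed badge-system export: one row per proximity credential.
BADGE_CSV = """badge_id,employee_id,active,last_used
B1,E100,Y,2016-03-10
B2,E101,Y,2016-02-02
B3,E102,N,2016-01-14
B4,E103,Y,2016-03-11
B5,E104,Y,
B6,E105,N,2016-02-19
B7,E999,Y,2016-03-01
B8,E106,N,2015-10-05
B9,E107,N,2016-03-01
B10,E108,N,2015-12-17
"""

AS_OF = date(2016, 3, 14)  # constructed assessment date (the issue date)


def parse_date(text):
    """Return a date for 'YYYY-MM-DD', or None for an empty field."""
    return date.fromisoformat(text) if text else None


def load_roster(csv_text):
    """Map employee_id -> termination date (None while still employed)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["employee_id"]: parse_date(row["term_date"]) for row in rows}


def load_badges(csv_text):
    """Parse the badge export into dicts with typed fields."""
    badges = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        badges.append({
            "badge_id": row["badge_id"],
            "employee_id": row["employee_id"],
            "active": row["active"].strip().upper() == "Y",
            "last_used": parse_date(row["last_used"]),
        })
    return badges


def find_stale_badges(roster, badges, as_of):
    """Return the active credentials that should not be active on as_of.
    TERMINATED: the holder's termination date is on or before as_of.
    ORPHAN: the employee_id is unknown to HR (contractor, purged record, typo).
    used_after_term marks badges swiped after the holder left; escalate those
    first, because the credential has actually been used, not merely left on.
    """
    findings = []
    for b in badges:
        if not b["active"]:
            continue
        if b["employee_id"] not in roster:
            findings.append({**b, "reason": "ORPHAN", "used_after_term": False})
            continue
        term = roster[b["employee_id"]]
        if term is not None and term <= as_of:
            used_after = b["last_used"] is not None and b["last_used"] > term
            findings.append({**b, "reason": "TERMINATED", "used_after_term": used_after})
    return findings


def stale_ratio(roster, badges, as_of):
    """Fraction of ex-employee badges still active, the figure the assessment
    in the story put at almost 30%. Returns 0.0 when there are no ex-employees."""
    ex_badges = [b for b in badges
                 if roster.get(b["employee_id"]) is not None
                 and roster[b["employee_id"]] <= as_of]
    if not ex_badges:
        return 0.0
    return sum(1 for b in ex_badges if b["active"]) / len(ex_badges)


if __name__ == "__main__":
    roster, badges = load_roster(HR_CSV), load_badges(BADGE_CSV)
    for f in find_stale_badges(roster, badges, AS_OF):
        print(f["badge_id"], f["employee_id"], f["reason"], f["used_after_term"])
    print(f"ex-employee badges still active: {stale_ratio(roster, badges, AS_OF):.0%}")
```

Running it against the constructed data flags two ex-employee badges (one of them swiped after the holder left) and one badge HR has no record of, with 2 of 7 ex-employee badges still active; a scheduled run of the same comparison is the “process” the checklist’s access-review item asks for.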
Raising Employee Awareness About Cybersecurity

Piedmont Healthcare in Atlanta recently sent this notice to all employees to enlist their help in defending against cyberattacks. Contact Debi Weatherford, executive director of internal audit, at Debi.Weatherford@piedmont.org.

This message is being sent to all Piedmont employees. …Yes YOU!

Piedmont takes information security very seriously. Because of the rise of Ransomware attacks, we need to ensure that everyone inside Piedmont understands our security expectations and what you can do to help protect not only yourself but our organization. Online safety and security are shared responsibilities, and we each have an obligation to protect our identities and our information while online. Understand the risks, learn how to spot potential problems, and consider how your online actions can impact everyone’s collective security. Here are some tips to assist in being aware and secure:

• Know the scams. The Piedmont Information Security team periodically sends email nuggets about trending scams to keep you aware of how to protect yourself and our organization. In this way, you’ll be armed with what you can do to avoid them.
• Think before you click. Never click on links in messages from people you don’t know or only vaguely know. These phishing emails may have links that can lure you into giving personal information or download malware to your computer. You should even be wary with emails from people you do know if it looks or sounds suspicious. Hackers can create a malicious email that looks like it came from your manager, peer or close friend’s email account.
• Safely peruse. Beware of phony websites. These sites may have addresses very similar to legitimate sites, and red flags may include pages with frequent misspellings, poor grammar or low resolution images. However, scammers are getting better at replicating sites. If a site asks for personal information, double check the URL and make sure it’s not asking for information it shouldn’t.
• Keep it to yourself. Don’t forward suspicious email to other coworkers – it is like spreading your germs. Instead, forward the email to security.concerns@piedmont.org.
• Shop safely. Don’t shop on a site unless it has the “https” and a padlock icon to the left or right of the URL.
• Use common sense. You do not need to be a seasoned computer whiz to know that it’s not smart to open an attachment titled, “Claim Your Inheritance!” Using common sense while surfing the Web can protect you and Piedmont from a hungry cyber-shark.

From top leadership and executives to the newest employees, cybersecurity requires the vigilance of every employee to keep data, patients, and capital safe and secure. We can defeat cyber-criminals or at least make them look for an easier target. Thank you for your support.
CMS and OIG Scrutiny of Wage Index Can Cost Hospitals Millions

The wage index on Medicare cost reports is under the microscope of Medicare auditors and has the potential to cost hospitals piles of money. The $80 million that one Northeast hospital reported as allowable physician cost for wage data — and recently had disallowed — speaks volumes about CMS’s crackdown in this area, experts say. Medicare administrative contractors (MACs), which audit cost reports, including wage data, are applying rules more stringently than they have in the past at CMS’s behest, or the hospital probably wouldn’t have lost that much money, experts say. It’s an object lesson for hospitals at a time when the HHS Office of Inspector General (OIG) has set its sights on wage data in its 2016 Work Plan, and last month concluded that Danbury Hospital in Connecticut was overpaid $249,000 because it overstated wage data on its 2010 cost report.

“The wage index can be a big-dollar item,” says Steve Harris, director of reimbursement at Tampa General Hospital. “I think CMS would always say there is an opportunity for hospitals to game the wage index, which is why they mandate annual wage-index specific audits. The fact it’s also on the OIG Work Plan is one more reason to be vigilant about the wage index.” OIG said its previous reviews determined that hospitals often incorrectly reported wage data, which increased Medicare payments to their geographic areas. However, Harris notes, when hospitals are too conservative in reporting items that factor into the wage index, they can deprive themselves of money to which they’re entitled.

‘Every Penny Counts’

CMS uses hospitals’ self-reported wage data, including wages, contract labor, hours and fringe benefits, to calculate the wage index. The wage index is a measure of the geographically adjusted labor costs, and it figures into DRGs, APCs and other Medicare prospective payments because paying people is the lion’s share of most hospital budgets. According to OIG, “the labor share accounted for 69.6 percent of the payments in FY 2014.”

Consultant Mike Polito says a 1% change in the average hourly wage of a hospital’s wage index data can cause a significant swing in Medicare reimbursement — as much as $1 million. “When it comes to a hospital’s wage index data and the calculation of its average hourly wage, every penny certainly counts,” says Polito, principal owner of Third Party Reimbursement Solutions in Charlotte, N.C.

MACs audit every hospital’s wage data annually, using CMS’s audit program and technical guidelines on what’s allowable, he says. But they differ from traditional claim reviews and cost-report audits because the wage index is a zero-sum game. It’s budget neutral, which means the overall amount allocated for the wage index by Congress doesn’t change, says Polito. However, the amount the hospitals receive in each core-based statistical area (CBSA) — which is akin to a metropolitan statistical area — collectively will vary, depending largely on the wage index. As a result, disallowances for wages loom large. “Every single penny means something because you are competing against every other hospital and CBSA in the country,” he says.

And the risk is greater than ever, he says. CMS has imposed more stringent audit guidelines on the MACs after years of a more relaxed attitude on certain wage-index line item audits. For example, “MACs are holding hospitals to a standard they haven’t in the past as it pertains to acceptable documentation for the allocation of physician compensation between administrative and professional components,” he says. “There appears to be less wiggle room in terms of regulatory interpretation.”

A big wage-index vulnerability: Physician Part A vs. Part B reporting. Administrative services (Part A) performed by physicians, such as medical directors, are allowable cost for hospitals, says Polito. But they must have time studies to support the time that physicians spend on administrative services (e.g., meetings) vs. patient care, he says. “You want to keep as much allowable physician Part A cost as you can in the cost report.” Otherwise, the costs will be attributed to Part B, which is nonreimbursable for cost-report purposes. Hospitals may start seeing disallowances in this area like they’ve never experienced before, Polito says. That’s what happened to the hospital that reported $80 million for Part A physician administrative costs. “It was consistent and always allowable and with no real variance. It was historically audited and always accepted,” he says. And suddenly the hospital, in the wake of OIG’s and CMS’s scrutiny, faced a multi-million dollar disallowance, he notes.

His tip to reduce the risk of a Part A/B disallowance: “Take a hard look at your physicians. How are you documenting the split between Part A, which is the administrative portion that’s allowable, and Part B, the hands-on patient care, which isn’t? Hopefully you have time studies because that’s the gold seal.”

Another risk area for the wage index is contract labor. Hospitals can report the clinical labor costs of contract nurses, physical therapists and other hands-on patient-care related services. Also, hospitals can include administrative and general contract labor, such as attorneys, CPAs and consultants. In order to claim contract labor costs, there must be detailed invoices describing the services performed and the labor hours required to complete them, Polito says. Only the labor component is included in the average hourly wage and reportable on the cost report for wage index purposes.

“The nuance is, how do you capture it? What is acceptable? Attorneys bill by the minute so you can capture that information from invoices, but what about consultants and CPAs? You can go back to vendors and do attestations documenting hours related to contracted labor,” Polito says, but the stakes are clearly getting higher. “The CFO needs to step in and ensure vendor contracts include language that hours and labor cost need to be provided on invoices.”

Contact Harris at sharris@tgh.org and Polito at mpolito@tprsolutions.com. Read the OIG audit of Danbury Hospital (A-01-14-00506) at http://tinyurl.com/hvy4hgn.

Lack of MD Training Contributes to $34.69M Oncology Settlement

Claims submitted for an oncology procedure that allegedly wasn’t medically necessary or was performed by physicians without the proper training have led to a false claims settlement with 21st Century Oncology Inc. and its subsidiary, South Florida Radiation Oncology LLC. They agreed to pay $34.69 million, the Department of Justice (DOJ) and U.S. Attorney’s Office for the Middle District of Florida said March 8. 21st Century Oncology Inc., which is based in Fort Myers, Fla., is the largest physician-led integrated cancer care provider in the country and has offices in 16 states, DOJ says.

The settlement resolves allegations related to 21st Century Oncology’s use of a procedure called the Gamma function, which measures the exit dose of radiation from patients after treatment. In the settlement, DOJ alleges that from Jan. 1, 2009, through Nov. 8, 2015, 21st Century Oncology billed Medicare and TRICARE for “four separate categories of claims” that allegedly were medically unnecessary and/or improper:

(1) In 2009, the first year Gamma was implemented at all locations, some “physicians and physicists had not been properly trained to interpret and utilize Gamma function results.”
(2) At new sites acquired by 21st Century Oncology after 2009, for the first 180 days Gamma was used, some “physicians and physicists were not properly trained to interpret and utilize Gamma function results.”
(3) No physician reviewed Gamma function results for seven or more days after the last day patients went through radiation therapy, in connection with some claims.
(4) Some claims were submitted “where no Gamma result was available due to technical failures that produced no reference or quality assurance image.” When this happened, DOJ contends the “Gamma offered no value or meaning to any healthcare practitioners,” according to the settlement.

In a statement, 21st Century Oncology said it “fully cooperated” with the federal government to resolve the case and that “there was no harm to any patient related to this dispute.” The company said the dispute related to “the training protocols of certain staff in the utilization of GAMMA, and was limited to its early implementation and startup activities at new facility locations across the country.” It also said it has strengthened its compliance, auditing and training programs. 21st Century Oncology did not admit liability in the settlement. The case (United States ex rel. Ting v. 21st Century Oncology and South Florida Radiation Oncology, No. 3:14-cv-723-Jax-J32JRK) was initiated by a whistleblower — Joseph Ting, a former physicist at South Florida Radiation Oncology. Visit http://tinyurl.com/hmsbx2t.

CMS Transmittals and Federal Register Regulations, March 3 – March 10

Live links to the following documents are included on RMC’s subscriber-only Web page at www.AISHealth.com. Please click on “CMS Transmittals and Regulations” in the right column.

Transmittals
(R) indicates a replacement transmittal.

Pub. 100-04, Medicare Claims Processing Manual
• July Quarterly Update to 2016 Annual Update of HCPCS Codes Used for Skilled Nursing Facility Consolidated Billing Enforcement, Trans. 3473CP, CR 9561 (March 4; eff. July 1; impl. July 5, 2016)
• Updates to Chapters 4 and 5 to Correct Remittance Advice Messages, Trans. 3475CP, CR 9424 (March 4; eff./impl. June 6, 2016)

Pub. 100-22, Medicare Quality Reporting Incentive Programs Manual
• Fiscal Year 2017 and After Payments to Long Term Care Hospitals That Do Not Submit Required Quality Data, Trans. 55QRI, CR 9544 (March 4; eff. Jan. 1; impl. April 1, 2016)

Federal Register Regulations

Proposed Rule
• Part B Drug Payment Model (posted March 8; Fed. Reg. publication, March 11, 2016)

Corrections and Correcting Amendments
• Electronic Health Record Initiative Program — Stage 3 and Modifications to Meaningful Use in 2015 Through 2017, 81 Fed. Reg. 11447 (March 4, 2016)
• Comprehensive Care for Joint Replacement Payment Model for Acute Care Hospitals Furnishing Lower Extremity Joint Replacement Services, 81 Fed. Reg. 11449 (March 4, 2016)
• Revisions to Payment Policies Under the Physician Fee Schedule and Other Revisions to Part B for CY 2016, 81 Fed. Reg. 12024 (March 8, 2016)

Hospital Settles Over MD’s Errors (continued from p. 1)

After the “suspicious change” in the medical record came to its attention, Cedars-Sinai says it reviewed multiple years of the physician’s billing records. “The medical center determined that the physician’s billing documentation for clinical services may have been generally unreliable. Although the medical center determined that the coding problems were limited in scope, it made a decision to refund 100 percent of the amounts coded by the physician (or his assistant) for clinical services.” In June 2015, OIG accepted Cedars-Sinai into the Self-Disclosure Protocol, which generally requires entities to pay 1.5 times the amount of an alleged overpayment.

Cedars-Sinai says it also reviewed the records of other physicians on the faculty but found no evidence of “similar coding irregularities.” In light of the thoracic surgeon’s errors, “Cedars-Sinai has substantially expanded its routine monitoring of physician coding. In addition to its existing internal coding reviews, Cedars-Sinai now also contracts with an outside, third-party company to conduct audits of coding and documentation for each employed physician.”

OIG alleged the billing errors occurred from Dec. 1, 2010, through Feb. 28, 2015. At the time, the thoracic surgeon, who wasn’t identified in the settlement, was employed by Cedars-Sinai. The medical center says he is no longer a Cedars-Sinai employee or faculty member. But as a community physician, the thoracic surgeon is a member of the medical staff and can admit patients to the hospital.

Although thoracic surgeons are compensated well — typically Medicare alone pays them about $300,000 to $400,000 a year, according to ProPublica.org — it’s unusual to see one physician drive a hospital settlement for almost $900,000, says Ed Gaines, chief compliance officer for Zotec Partners in Greensboro, N.C. “I haven’t seen it in 20-plus years in compliance.” It underscores the importance of the auditing and monitoring requirements of compliance programs “and constant quality assurance reviews of coding and documentation.”

Medicare auditors and enforcers are focusing more on physicians, Gaines says. “There is concern within the enforcement community about the subjectivity of evaluation and management [i.e., E/M] coding and the error rates that have been reported” by certain Medicare administrative contractors (MACs) and the comprehensive error rate testing (CERT) contractor, he says, which recently posted 2015 improper payment rates (RMC 1/11/16, p. 4). For 2015, CERT data on Part B upcoding showed a 19.6% error rate for initial hospital visits, 13.6% for new office visits, 15.3% for critical care hospital visits and 12% for emergency room visits.

Subjectivity Is a Concern

The subjectivity of coding E/M services is the push me-pull you of providers vs. Medicare watchdogs. The level of an E/M service is based partly on a physician’s medical decision making, which is inherently subjective, says Gaines. “One physician may think a patient’s condition is high complexity, and another may think it’s moderate complexity. It makes E/M coding art and science together.” Suppose a patient presents at the emergency room with flank pain. One element of medical decision making is the amount and complexity of data to be reviewed, and physicians or coders can rate it as “high moderate” or “low moderate,” Gaines explains. Low moderate would support — assuming other necessary elements of the history and exam were found in the documentation — a level three E/M code for the emergency room visit (CPT 99283), and high moderate would support a level four E/M code (CPT 99284). At times, these distinctions may seem impossibly fine to coders and physicians, he says. “People look at me and say, ‘how can we better objectively quantify the nature of the presenting problem and the patient’s morbidity/mortality or risk?’”

This matters in more ways than one. The difference between 99283 and 99284 is about $40 or $50, which obviously affects both physicians on the receiving end and Medicare on the paying end. Auditors may come back and contend the coders or physicians coded a low-moderate complexity case as a high-moderate complexity case. But what bothers Gaines more is if it goes off the slippery slope from auditors to enforcers. “A subjective difference, if proven on audit, is an overpayment to the MAC, not reckless disregard or deliberate indifference,” which is the standard of proof for a False Claims Act (FCA) violation, he says. “So from a compliance perspective, compliance officers should be understanding to someone making a different decision but using their reasonable judgment based on the source documentation from the provider.” He thinks OIG has been sensitive to this in the sense that it has sent a clear message that the Self-Disclosure Protocol is not the right mechanism for routine overpayments. “The proper corrective action there is a voluntary refund to the MAC.” But he sees potential danger lurking in cases like the Department of Justice settlements over noncompliance with the national coverage determination for implantable cardiac defibrillators (NCD 20.4) (RMC 2/29/16, p. 3; 2/22/16, p. 6). “Is the message from the multiple hospital enforcement action that if the physician reasonably believes the implantable cardiac defibrillator is medically necessary and someone in the revenue cycle function misses an NCD technically, even though they were reasonably trying to comply, then that is reckless disregard or deliberate ignorance, and hence FCA penalties?”

In terms of compliance with E/M coding, Gaines says time is, literally, of the essence — at least for some E/M services. They are ripe for audits because the rules are black and white. With critical care, for example, physicians can’t bill Medicare unless they spend a minimum of 30 minutes evaluating, managing and treating the patient and documenting accordingly. “If it’s 25 minutes, you can’t bill critical care,” he notes.

One way for hospitals to monitor employed physicians is to determine whether the E/M visits they report using time square with the hours in a day, week or month, says Ronald Hirsch, M.D., vice president of regulations and education at Accretive Physicians Advisory Services. “It would be important for a hospital to see whether it’s physically possible to spend as much time as they stated on their visits,” he says. For example, by looking at the ProPublica website, which uses CMS’s Medicare Provider Analysis and Review (MEDPAR) data, Hirsch identified a physician who billed more than 5,000 critical care visits each year for two years. “If you do the math, it would require almost eight hours a day every day of the year to provide that many visits,” Hirsch says. The physician also billed more than 2,000 other noncritical care visits. Any physician would be hard pressed to accomplish this, although it’s impossible to tell for sure without reviewing medical records, he says. E/M codes can be chosen with one of two methods: either using the elements of the history, physical and medical decision making or by time.

Contact Gaines at egaines@zotecmmp.com and Hirsch at rhirsch@accretivehealth.com.

NEWS BRIEFS

• A California physician was sentenced to six months in prison in connection with a scheme to defraud patients and their insurers by implanting and charging for unapproved intrauterine devices (IUDs), the U.S. Attorney’s Office for the Eastern District of California said March 7. Paul S. Singh, who provided obstetric and gynecological services in his Tehachapi offices, prescribed birth control to women, including IUDs. Only one form of IUD with copper as its active ingredient — the ParaGard T-380A — has been FDA approved, and it’s only sold by its manufacturer, the U.S. attorney’s office says. “According to court documents, Singh bought unapproved IUDs on the Internet and implanted them in his patients. Rather than inform his patients or their insurers of using non-FDA approved IUDs, however, he fraudulently billed his patients and their insurers as if he had implanted FDA-approved IUDs, all without the permission or consent of his patients,” the U.S. attorney’s office says. Singh pocketed the payment difference. Patients who have unapproved copper IUDs may be at greater risk of pelvic inflammatory disease, ectopic pregnancy, hysterectomy and other complications, the U.S. attorney’s office says. After his prison term is up, Singh will spend a year in home detention. Visit http://tinyurl.com/zc72mtj.

• Freeman Hospital in Joplin, Mo., was overpaid $311,000, according to a Medicare compliance review (A-07-14-05064). The HHS Office of Inspector General (OIG) audited 225 claims submitted in 2011 and 2012 by the 346-bed teaching hospital and found errors on 45 of them. Carlos Haley, Freeman Hospital’s vice president of compliance, said it disagreed with OIG’s findings on 10 of the errors. He also emphasized the hospital “has an active compliance program and strives to strictly adhere to Medicare regulations.” Visit http://go.usa.gov/cfdvx.

• Recovery audit contractors (RACs) are now reviewing fewer than 350 types of Medicare billing, down from the 800 areas they were approved to review by CMS when the program was “working at full capacity,” according to the Council for Medicare Integrity. On March 9, the council released an analysis of the state of the RAC program. Visit http://tinyurl.com/zlfgfk4 or www.medicareintegrity.org.