On December 10, 2020, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued a Notice of Proposed Rulemaking (“NPRM”) to modify the HIPAA Privacy Rule. HHS stated that the proposed modifications, which are being issued as part of HHS’s “Regulatory Sprint to Coordinated Care,” are aimed at removing barriers to coordinated care, strengthening individuals’ access to their own medical information, and reducing unnecessary administrative burdens. Proposed changes to the HIPAA Privacy Rule in the NPRM include: Continue reading “HHS Issues Proposed Changes to the HIPAA Privacy Rule”
There are several measures OCR/HHS has taken to lessen the regulatory burden of HIPAA for health care providers amidst COVID-19. Here is the latest breakdown of important pronouncements and guidance set forth by OCR/HHS to help providers deal with COVID-19 and HIPAA compliance:
On July 23, 2019, the U.S. Senate Finance Committee held a hearing where a representative of the Government Accountability Office testified on elder abuse in nursing homes. At the hearing, reported at GAO-19-671T, the GAO representative discussed the June 2019 GAO report entitled “Improved Oversight Needed to Better Protect Residents from Abuse” (GAO-19-433).
The GAO analysis of CMS data found that, while relatively rare, abuse deficiencies cited in nursing homes more than doubled, increasing from 430 in 2013 to 875 in 2017, with the largest increase in severe cases. In light of the increased number and severity of abuse deficiencies, GAO testified that, while it is imperative that CMS have strong nursing home oversight in place to protect residents from abuse, there are several oversight gaps that may limit the agency’s ability to do so. The gaps include:
- Information on abuse and perpetrator type is not readily available. CMS does not require state survey agencies to record the type of abuse and perpetrator and, when this information is recorded, it cannot be easily analyzed. Without this information, CMS lacks key information and, therefore, cannot take actions—such as tailoring prevention and investigation activities—to address the most prevalent types of abuse or perpetrators.
- Facility-reported incidents lack key information. CMS has not issued guidance on what nursing homes should include when they self-report abuse incidents to state survey agencies. This contributes to delays in state agency investigations and the inability to prioritize investigations for quick response.
- Gaps in CMS processes can result in delayed referrals to law enforcement. CMS requires a state survey agency to make a referral to law enforcement only after abuse is substantiated—a process that can often take weeks or months. As a result, law enforcement investigations can be significantly delayed. GAO reported that delay in receiving referrals limits law enforcement’s ability to collect evidence and prosecute cases—for example, bedding associated with potential sexual abuse may have been washed, and a victim’s wounds may have healed.
The report on which the GAO testimony was based made several recommendations, including that CMS:
- require state survey agencies to submit data on abuse and perpetrator type;
- develop guidance on what abuse information nursing homes should self-report; and
- require state survey agencies to immediately refer to law enforcement any suspicion of a crime.
GAO reported that the Department of Health and Human Services concurred with GAO recommendations.
Some in the health care provider sector have raised concern about confusing definitions of the term “abuse,” pointing out that the CMS definition that applies to various types of providers differs from the definition in the Elder Justice Act of 2010, which requires nursing home reporting of certain types of incidents. As a result, while a nursing home would be obliged to report an incident under the Elder Justice Act, another type of health care provider may not be mandated to do so.
In fall 2019 another GAO report concerning abuse matters is due to be published. It is expected to compare federal abuse reporting requirements for nursing homes and assisted living residences.
Of course, it remains to be seen whether Congress or CMS will act soon to address issues raised by GAO.
Recently, the Illinois Supreme Court considered the consequences of violating the Biometric Information Privacy Act (“Act”). The Act has been on the books for ten years, and during that time, the use of biometric data, such as finger prints, voice prints, or facial recognition, has grown by leaps and bounds. It is possible to unlock an iPhone merely by looking at it—using facial geometry.
As health care facilities move to biometric methods of identifying staff or clients, they will need to consider the ramifications of doing so. The Act requires entities that collect biometric data to first obtain informed consent, in writing, by the individual or their representative. In addition, the entity must have a policy and procedure for destroying the biometric data in accordance with the Act.
According to the Supreme Court, failure to abide by these procedures causes damage to the person whose biometric data was gathered. As a result, the entity can face liability in the amount of $1,000 to $5,000 per violation, or actual damages, plus attorneys’ fees. Considering the real risk of identity theft in this digital age, actual damages could easily exceed the statutory amounts.
Last month I wrote about the hearing to be held by the House Committee on Energy and Commerce Subcommittee on Oversight and Investigations regarding federal efforts to ensure quality of care and resident safety in nursing homes.
The Director of Health Care for the GAO focused his opening remarks on the GAO study of nursing homes that concluded in 2015. The next year, CMS instituted sweeping regulatory changes. So it remains to be seen how CMS’ new requirements of participation will impact the issues found in the GAO report. Ruth Ann Dorrill, Regional Inspector General, HHS OIG noted that the OIG previously made two recommendations to CMS to improve quality of care in nursing homes. First, to provide guidance to nursing homes about detecting and reducing harm to be included in facility Quality Assurance and Performance Improvement programs. Second, to instruct State Agencies to review facility practices for identifying and reducing adverse events, and link related deficiencies specifically to resident safety practices. CMS implemented these recommendations on adverse events in nursing homes as of August 2018.
The focus on deficiencies by the State Agencies is disappointing. Deficiencies result in civil money penalties, further reducing the resources available to care for nursing home residents. Ms. Dorrill testified that nursing home residents often have care needs similar to patients in hospitals. However, nursing homes are not reimbursed at the same rate as hospitals and, yet, are expected to provide similar care. It seems as though the residents are getting lost in the ever increasing cycle of regulation and enforcement. Regulatory oversight sounds good on paper, but does it work?
On April 23, 2018, the Administrator of the Centers for Medicare and Medicaid Services (“CMS”) adopted a new ruling conceding the jurisdiction of the Provider Reimbursement Review Board (“PRRB”) in certain circumstances over costs or items “self-disallowed” by the provider. In Ruling No. CMS-1727-R (the “Ruling”), the Administrator announced that the PRRB has jurisdiction over a provider’s appeal regarding Medicare payment for an item that the provider did not include in its cost report when the following circumstances exist:
- The appeal is pending on or after April 23, 2018, or was initiated on or after that date; and
- The cost reporting period under appeal ended on or after December 31, 2008, and began before January 1, 2016; and
- The provider had a good faith belief that the item was not allowable under Medicare regulations or payment policy.
This Ruling represents a retreat from regulations adopted in 2008, which required that in order to appeal an item to the PRRB, a provider must either claim Medicare payment for the item in its cost report or include the item as a protested amount in the cost report. CMS took the position that a provider could not be “dissatisfied” with the Medicare contractor’s determination of Medicare reimbursement, as required by the statute for a PRRB appeal, if the contractor made no determination on the item because it was not included in the cost report, even if reimbursement was prohibited under Medicare policy. The Ruling indicates that CMS is retreating from this position because of the 2016 decision of the U.S. District Court for the District of Columbia in Banner Heart Hospital v. Burwell, which held that the PRRB had jurisdiction over the hospitals’ challenge to Medicare outlier payment regulations despite the hospitals’ failure to claim protested amounts related to their challenge. The district court found that a cost report claim for additional outlier payments would have been futile because the Medicare contractor had no authority or discretion under the outlier payment regulations to make payment as sought by the hospitals. The Ruling states that CMS has decided to apply the holding in Banner Heart in similar administrative appeals.
The Ruling does not entirely do away with the requirement of including an item in the cost report in order to pursue Medicare reimbursement for it in a subsequent appeal. First, the Ruling applies only if the cost reporting period under appeal began before January 1, 2016. This end date is not coincidental—for periods beginning on or after January 1, 2016, CMS has simply shifted the requirement that an item be included in the cost report from being a prerequisite for PRRB jurisdiction to being a so-called “general substantive requirement” for Medicare payment. Second, the Ruling applies only where the provider had a good faith belief that the item was not allowable. The Ruling indicates that “a provider would rarely be able to demonstrate a good faith belief that an item is not allowable when that item is actually allowable under a Medicare payment regulation or other policy.”
Unfortunately, the Ruling may muddy the waters regarding the use of protested amounts in the Medicare cost report. The Ruling acknowledges that providers sometimes claim items through protested amounts “out of concern that a cost report claim for reimbursement of an item deemed non-allowable might raise program integrity questions.” Notwithstanding the Ruling, “a provider still may elect to self-disallow a specific item deemed non-allowable by filing the pertinent parts of its cost report under protest.” But the Ruling then states as follows:
“However, if the PRRB… were to determine that, despite the provider’s self-disallowance of the specific item under appeal, the Medicare contractor actually had the authority or discretion to make payment for the specific item at issue in the manner sought by the provider on appeal and the provider did not demonstrate a good faith belief that such item is not allowable, then the [PRRB] shall apply the Third implementation step for this Ruling.”
Under the third implementation step, the provider’s appeal of the item is to be dismissed for failure to meet the “dissatisfaction” requirement for jurisdiction. One problem with this statement is that providers sometimes claim items as protested amounts where the Medicare contractor has disallowed the item in previous cost report audits for lack of sufficient documentation. The adequacy of documentation to support reimbursement is one area where the Medicare contractor would seem to have discretion to allow payment. Why would CMS want to discourage providers from taking a cautious approach in claiming items in the cost report that have been disallowed in previous audits?
Christopher L. Crosswhite practices in the area of healthcare law, concentrating on Medicare and Medicaid law and regulations, Medicare reimbursement controversies and appeals, and healthcare fraud and abuse provisions.
In January 2018, The Office of the Auditor General for the State of Illinois published its Performance Audit (“Audit Report”) of Medicaid Managed Care Organizations (“Medicaid MCOs”) for Fiscal Year 2016. What was unleashed was a startling review of the Medicaid MCOs’ performance over FY 2016 in administering the Medicaid Program for what was then called the Integrated Care Program (“ICP”) or Medicare/Medicaid Alignment Initiative (“MMAI”) Programs. You may recall these ICP and MMAI Medicaid MCO programs in Illinois involved almost a dozen Medicaid MCOs that covered about 70% of the State of Illinois Medicaid recipients.
The Audit Report played into health care providers’ deepest fears in Illinois: showing that Medicaid Managed Care may not be working as it was intended; namely, to reduce costs and improve quality of care in the Medicaid Program in Illinois. For example, long term care providers in Illinois had to fight tooth and nail with Medicaid MCOs under the ICP and MMAI programs, experiencing cumbersome Medicaid contracts, denied claims, delayed claims, and worse yet, a prior authorization administration problem (administrative MCO delay) which in some instances prevented residents from receiving care timely. Most, but not all, of those issues are still being resolved, but providers had hoped that there was a good reason for this madness involving Medicaid MCOs: better and lower cost care for Medicaid beneficiaries. Continue reading “Illinois Posts Medicaid Managed Care Performance Report”
New U.S. Department of Justice (DOJ) statistics released in January 2018 show that False Claims Act (FCA) whistleblowers who are not joined by the DOJ in their lawsuits reaped $898 million in proceeds in 2017, far greater than the $425 million initially reported by the DOJ. However, in a coincidental turn of events, just hours after the new statistics were released a Florida federal court judge overturned a $350 million FCA verdict against a nursing home operator, Salus Rehabilitation, LLC. Accordingly, the DOJ statistics will likely be revised again to reflect 2017 proceeds of $548 million for whistleblowers.
The ruling in the Salus Rehabilitation case is itself worthy of attention. The Salus whistleblower alleged record-keeping violations and a scheme to boost Medicare and Medicaid reimbursement by exaggerating the medical needs of nursing home residents. Overriding a jury verdict, U.S. District Court Judge Steven D. Merryday ruled that a whistleblower’s allegations that the provider defrauded Medicaid were not sufficient to sustain a hefty FCA judgment. He wrote “… the evidence and the history of this action establish that the federal and state governments regard the disputed practices with leniency or tolerance or indifference or perhaps with resignation to the colossal difficulty of precise, pervasive, ponderous, and permanent record-keeping in the pertinent clinical environment.”
In making his ruling, Judge Merryday relied heavily on Universal Health Services v. Escobar, a 2016 U.S. Supreme Court ruling that established a set of requirements that must be met before a FCA judgment can be brought against a provider. Among the requirements are that the government and whistleblowers must show the government would not have paid the underlying claims if it knew of the regulatory violations alleged. The Escobar decision found that continued government reimbursement after fraud allegations are made is strong evidence that the allegations are not material. Judge Merryday noted that in the Salus case the government continued to pay for services rendered and stated that the whistleblower did not provide enough evidence to prove that Medicaid reimbursement would have stopped even if the government were aware of paperwork problems at the Salus facility. Clearly, the Salus decision is a victory for providers.
On January 3, 2018, the Substance Abuse and Mental Health Services Administration (SAMHSA) finalized revisions to the Confidentiality of Substance Use Disorder Patient Records regulations, found in 42 CFR Part 2. The new final rule implements the changes proposed a year ago by SAMHSA in its supplemental notice of proposed rulemaking (SNPRM), which was issued alongside the first major changes to the federal regulations governing Part 2 covered data since 1987. After receiving public comment on the SNPRM, SAMHSA has finalized provisions relating to the disclosure of patient-identifying substance use information for payment and healthcare-related purposes and the disclosure of patient-identifying substance use information for the purposes of carrying out a Medicaid, Medicare or Children’s Health Insurance Program (CHIP) audit or evaluation. The new final rule also permits lawful holders to issue an abbreviated notice of the prohibition on redisclosure to accommodate electronic health record systems with standard character limitations on free text fields.
Neville M. Bilimoria
With all the regulatory changes facing nursing homes these days, it is no wonder most are behind in the world of compliance. It seems nursing homes are constantly berated with new regulations and more issues to deal with on a daily basis. The recent article in the May 22, 2017 edition of Modern Healthcare was, therefore, not a surprise: “Regulation: Nursing homes and hospice providers face looming emergency preparedness deadline.”
The article discusses the real November 15, 2017 deadline for nursing homes to comply with the emergency preparedness regulations promulgated by the Centers for Medicare & Medicaid Services (“CMS”) in September 2016. The article further discusses how most facilities are not close to complying by the November 15, 2017 deadline. The problem is that while nursing homes have historically had some emergency preparedness policies and procedures, the new CMS rules impose more robust policies, procedures, and mechanisms to be in place prior to November 15, 2017. That would require nursing homes to partner with local hospitals, police and fire departments to make sure their preparedness plans are up to date, robust, and systematically applied. The rules mandate, among other things, back-up generator contingencies, cybersecurity attack back up plans, and widespread training on a myriad of emergency preparedness policies and procedures that need to be developed by nursing homes. The rules even require disaster drills to be conducted by the nursing home in conjunction with local emergency response agencies.