Recently, the Illinois Supreme Court considered the consequences of violating the Biometric Information Privacy Act (“Act”). The Act has been on the books for ten years, and during that time, the use of biometric data, such as finger prints, voice prints, or facial recognition, has grown by leaps and bounds. It is possible to unlock an iPhone merely by looking at it—using facial geometry.
As health care facilities move to biometric methods of identifying staff or clients, they will need to consider the ramifications of doing so. The Act requires entities that collect biometric data to first obtain informed consent, in writing, by the individual or their representative. In addition, the entity must have a policy and procedure for destroying the biometric data in accordance with the Act.
According to the Supreme Court, failure to abide by these procedures causes damage to the person whose biometric data was gathered. As a result, the entity can face liability in the amount of $1,000 to $5,000 per violation, or actual damages, plus attorneys’ fees. Considering the real risk of identity theft in this digital age, actual damages could easily exceed the statutory amounts.
The federal government cannot agree on whether to increase or decrease regulatory burdens on nursing facilities. Yesterday, the United States House Committee on Ways and Means and the Subcommittee on Health wrote to the Centers for Medicare and Medicaid Services urging further reduction of regulatory burdens on health systems, hospitals, and nursing homes. Tomorrow, the House Committee on Energy and Commerce Subcommittee on Oversight and Investigations will hold a hearing examining federal efforts to ensure quality of care and resident safety in nursing homes.
The Ways and Means Committee’s letter noted that providers with post-acute care beds devote 8.1 full-time employees to compliance with regulatory requirements. Over half of those employees are clinical staff who could otherwise be caring for residents. The letter applauded recent efforts to reduce the regulatory burden and urged further reductions.
In contrast, the Committee on Energy and Commerce suggests that CMS isn’t doing enough to ensure quality care in the nation’s nursing homes. The Committee’s background report recites a number of news reports in which seniors died or were abused in nursing homes. Three witnesses have been invited to testify: Kate Goodrich, M.D., Chief Medical Officer of CMS; Ruth Ann Dorrill, Regional Inspector General, HHS OIG; and John Dicken, Director, Health Care GAO. Topics to be addressed include efforts made to ensure that nursing homes are meeting the federal regulatory standards and CMS’ oversight of state agencies that work with CMS to inspect nursing homes. The undertone of the Committee’s background report is that CMS needs to increase enforcement, including higher civil money penalties and exclusion from participation in federal health care programs.
It is hard to see how higher monetary penalties will improve quality care as it further reduces the resources available to care for residents.
On February 5, 2018, the Government Accountability Office, a nonpartisan investigative arm of Congress, found that there are huge gaps in regulation of assisted living facilities. The report, entitled “Medicaid Assisted Living Services: Improved Federal Oversight of Beneficiary Health and Welfare is Needed,” comes on the heels of years of discussion as to whether assisted living facilities are sufficiently regulated by individual states, or whether further federal oversight is warranted.
The suggestion of the need for federal regulation of assisted living came from GAO’s finding that more than $10 billion a year is spent from federal and state funds for assisted living services for more than 330,000 Medicaid beneficiaries. With demand for additional Medicaid assisted living funding, and the potential increase in demands of the senior population in the next 5 years, these numbers will continue to rise significantly as noted by the GAO: “Medicaid spending on long-term care is significant, representing about one quarter of Medicaid spending annually and is expected to grow with an aging population.” Continue reading GAO Report: Assisted Living Providers & Federal Regulation
In January 2018, The Office of the Auditor General for the State of Illinois published its Performance Audit (“Audit Report”) of Medicaid Managed Care Organizations (“Medicaid MCOs”) for Fiscal Year 2016. What was unleashed was a startling review of the Medicaid MCOs’ performance over FY 2016 in administering the Medicaid Program for what was then called the Integrated Care Program (“ICP”) or Medicare/Medicaid Alignment Initiative (“MMAI”) Programs. You may recall these ICP and MMAI Medicaid MCO programs in Illinois involved almost a dozen Medicaid MCOs that covered about 70% of the State of Illinois Medicaid recipients.
The Audit Report played into health care providers’ deepest fears in Illinois: showing that Medicaid Managed Care may not be working as it was intended; namely, to reduce costs and improve quality of care in the Medicaid Program in Illinois. For example, long term care providers in Illinois had to fight tooth and nail with Medicaid MCOs under the ICP and MMAI programs, experiencing cumbersome Medicaid contracts, denied claims, delayed claims, and worse yet, a prior authorization administration problem (administrative MCO delay) which in some instances prevented residents from receiving care timely. Most, but not all, of those issues are still being resolved, but providers had hoped that there was a good reason for this madness involving Medicaid MCOs: better and lower cost care for Medicaid beneficiaries. Continue reading Illinois Posts Medicaid Managed Care Performance Report
Neville M. Bilimoria
With all the regulatory changes facing nursing homes these days, it is no wonder most are behind in the world of compliance. It seems nursing homes are constantly berated with new regulations and more issues to deal with on a daily basis. The recent article in the May 22, 2017 edition of Modern Healthcare was, therefore, not a surprise: “Regulation: Nursing homes and hospice providers face looming emergency preparedness deadline.”
The article discusses the real November 15, 2017 deadline for nursing homes to comply with the emergency preparedness regulations promulgated by the Centers for Medicare & Medicaid Services (“CMS”) in September 2016. The article further discusses how most facilities are not close to complying by the November 15, 2017 deadline. The problem is that while nursing homes have historically had some emergency preparedness policies and procedures, the new CMS rules impose more robust policies, procedures, and mechanisms to be in place prior to November 15, 2017. That would require nursing homes to partner with local hospitals, police and fire departments to make sure their preparedness plans are up to date, robust, and systematically applied. The rules mandate, among other things, back-up generator contingencies, cybersecurity attack back up plans, and widespread training on a myriad of emergency preparedness policies and procedures that need to be developed by nursing homes. The rules even require disaster drills to be conducted by the nursing home in conjunction with local emergency response agencies.
Continue reading Nursing Homes Ready For Emergency Preparedness Rules?
On January 13, 2017, the Centers for Medicare and Medicaid Services (“CMS”) sent a Memorandum (“Memo”) to State survey agency directors encouraging long-term care providers to “consider cybersecurity when developing or reviewing their emergency preparedness plans.” The Memo was a follow-up to the CMS long-term care emergency preparedness rule published in the Federal Register on September 16, 2016: “Medicare and Medicaid Programs; Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers.” Under that final rule, long-term care facilities were held to additional standards, including requirements to have emergency and standby power systems in place. Nursing homes were also required to create plans regarding missing residents that could be activated regardless of whether the facility has activated its full-scale emergency plan. The rule was spurred on by recent flooding in Baton Rouge, Louisiana, and other emergency disasters, such as Hurricane Sandy and the 2009 H1N1 pandemic, according to CMS.
Whether State surveyors will actually enforce lack of cybersecurity plans for emergency preparedness as violations remains to be seen from this Memo. But certainly, a State survey agency could impose deficiencies for failure to have a proper cybersecurity plan and/or a proper cybersecurity back‑up plan as part of a facility’s emergency preparedness going forward. It is not clear why CMS decided to send this encouragement Memo three months after the Final Rule on emergency preparedness, but it likely has something to do with the fact that 2016 was a banner year for HIPAA privacy infractions and HIPAA enforcement by the Office for Civil Rights (“OCR”), the entity responsible for HIPAA compliance. In 2016, payouts for HIPAA violations skyrocketed to record heights of $23.51 million from OCR enforcers against health care providers. That number was triple the previous record of almost $7.94 million in payouts in 2014, followed by $6.19 million in payouts in 2015.
Continue reading Cybersecurity and Emergency Preparedness for Long-Term Care
On August 5, 2016, the Centers for Medicare and Medicaid Services (CMS) published a Survey and Certification Memorandum (Notice) urging State health departments to enforce violations by nursing homes in posting patient images on social media. This development was interesting given that the Office for Civil Rights (OCR), the enforcer of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, presumably should already be cracking down on any such violations of resident rights as a violation of HIPAA. According to Modern Healthcare, increased instances of nursing home staff inappropriately posting resident pictures on social media may have sparked this pronouncement by CMS.
Specifically, CMS will more strictly enforce, through State agencies, corrective actions to ensure that employee postings of residents in a degrading manner do not occur in the nursing home setting. Interestingly, the Notice does not discuss nursing homes reporting such employee conduct to OCR, but does indicate that employees should report such postings on social media of residents as abuse “to at least one law enforcement agency.” Continue reading Government Cracks Down On Nursing Home Use of Social Media
Recently, the American Hospital Association published in its newletter Trendwatch a detailed 16 page article entitled “The Role of Post-Acute Care in New Care Delivery Models,” December 2015. The article discusses what we have been trying to tell our post-acute care, especially nursing home clients, for years: become a valued partner of an Accountable Care Organization (“ACO”) and be ready to show your value to those ACOs, or continue to operate as you historically have at your own peril.
When ACOs first started, there was virtually no room or focus on long-term care providers being involved in an ACO. Some hospitals talked initially about home health care, but very little discussion was geared towards long-term care providers being in an ACO network because hospitals did not understand the long-term care environment. Continue reading ACOs Waking Up to the Value of Post-Acute Care Providers
In a settlement with the US DOJ in U.S. ex rel. Halpin and Fahey v. Kindred Healthcare Inc. et al., 1:11-cv-12139, Kindred Healthcare, Inc., a skilled nursing and long-term care company, has agreed to pay the federal government more than $125 million for alleged False Claims Act violations by a therapy services company, RehabCare Group, Inc., acquired by Kindred in June, 2011.
RehabCare contracts with more than 1,000 skilled nursing facilities across the country, and, along with Kindred, is alleged to have caused those facilities to submit Medicare claims for services at the highest reimbursement levels that were not actually provided, or not necessary. Two whistleblowers stand to receive almost $24 million from the settlement.
While all providers need to have strong compliance, this is a reminder that larger providers, whose operations span multiple offices, cities and states, need to be especially vigilant and install strong company-wide compliance programs.
The Centers for Medicare and Medicaid Services (CMS) released its Focused Dementia Care Surveyor Worksheets on November 27, 2015. The Worksheets were developed for a pilot project in 2014 as part of CMS’ continuing effort to reduce the use of antipsychotic medication. The Worksheets are to be used by surveyors in reviewing dementia care at post-acute care facilities. The Worksheets were released so that facilities can use these tools to assess their own practices in providing resident care.
The Worksheets contain specific topics for review, and state that failure of the facility to perform certain practices will result in a deficiency of F309. F309 addresses quality of care, and requires that each resident receive (and the facility provide) the necessary care and services to attain or maintain the highest practicable physical, mental, and psychosocial well-being, in accordance with the comprehensive assessment and plan of care.
Facilities that serve individuals with dementia should have policies and procedures based upon nationally-recognized dementia care guidelines, such as CMS’ Hand in Hand series, the OASIS program, the University of Iowa program, the VA Program (STAR), Johns Hopkins’ DICE program, Alzheimer’s Association materials, NHQCC or other QIO guidelines, Advancing Excellence medication management tools, or the AHCA toolkit.
The Worksheets also evaluate supervision, staff training, and Quality Assessment and Assurance, as well as the care provided to specific residents. All facilities that serve individuals with dementia should obtain and use the Worksheets to evaluate their own practices.