There are several measures OCR/HHS has taken to lessen the regulatory burden of HIPAA for health care providers amidst COVID-19. Here is the latest breakdown of important pronouncements and guidance set forth by OCR/HHS to help providers deal with COVID-19 and HIPAA compliance:
While it is good for a skilled nursing facility to be on the ACO’s “A List” of skilled nursing home providers, skilled nursing facilities need to carefully review their contracts with ACOs to make sure they are not taken advantage of or subject to increased liability. For example, recently one skilled nursing facility relationship with its ACO was so strained that it fired its ACO due to problems with patient care. See Alex Spanko, “How One Skilled Nursing Operator Navigates The Occasional Single ‘Dictatorship’ of ACOs,” Skilled Nursing News, October 16, 2019. In some cases, there were reports that ACOs are placing too much pressure on skilled nursing facilities to discharge residents earlier than indicated, or forcing facilities to provide less care in order to reduce ACO costs, often times to the detriment of residents. Continue reading Skilled Nursing Facilities, Beware of ACOs
Neville M. Bilimoria
The suggestion of the need for federal regulation of assisted living came from GAO’s finding that more than $10 billion a year is spent from federal and state funds for assisted living services for more than 330,000 Medicaid beneficiaries. With demand for additional Medicaid assisted living funding, and the potential increase in demands of the senior population in the next 5 years, these numbers will continue to rise significantly as noted by the GAO: “Medicaid spending on long-term care is significant, representing about one quarter of Medicaid spending annually and is expected to grow with an aging population.” Continue reading GAO Report: Assisted Living Providers & Federal Regulation
In January 2018, The Office of the Auditor General for the State of Illinois published its Performance Audit (“Audit Report”) of Medicaid Managed Care Organizations (“Medicaid MCOs”) for Fiscal Year 2016. What was unleashed was a startling review of the Medicaid MCOs’ performance over FY 2016 in administering the Medicaid Program for what was then called the Integrated Care Program (“ICP”) or Medicare/Medicaid Alignment Initiative (“MMAI”) Programs. You may recall these ICP and MMAI Medicaid MCO programs in Illinois involved almost a dozen Medicaid MCOs that covered about 70% of the State of Illinois Medicaid recipients.
The Audit Report played into health care providers’ deepest fears in Illinois: showing that Medicaid Managed Care may not be working as it was intended; namely, to reduce costs and improve quality of care in the Medicaid Program in Illinois. For example, long term care providers in Illinois had to fight tooth and nail with Medicaid MCOs under the ICP and MMAI programs, experiencing cumbersome Medicaid contracts, denied claims, delayed claims, and worse yet, a prior authorization administration problem (administrative MCO delay) which in some instances prevented residents from receiving care timely. Most, but not all, of those issues are still being resolved, but providers had hoped that there was a good reason for this madness involving Medicaid MCOs: better and lower cost care for Medicaid beneficiaries. Continue reading Illinois Posts Medicaid Managed Care Performance Report
Neville M. Bilimoria
With all the regulatory changes facing nursing homes these days, it is no wonder most are behind in the world of compliance. It seems nursing homes are constantly berated with new regulations and more issues to deal with on a daily basis. The recent article in the May 22, 2017 edition of Modern Healthcare was, therefore, not a surprise: “Regulation: Nursing homes and hospice providers face looming emergency preparedness deadline.”
The article discusses the real November 15, 2017 deadline for nursing homes to comply with the emergency preparedness regulations promulgated by the Centers for Medicare & Medicaid Services (“CMS”) in September 2016. The article further discusses how most facilities are not close to complying by the November 15, 2017 deadline. The problem is that while nursing homes have historically had some emergency preparedness policies and procedures, the new CMS rules impose more robust policies, procedures, and mechanisms to be in place prior to November 15, 2017. That would require nursing homes to partner with local hospitals, police and fire departments to make sure their preparedness plans are up to date, robust, and systematically applied. The rules mandate, among other things, back-up generator contingencies, cybersecurity attack back up plans, and widespread training on a myriad of emergency preparedness policies and procedures that need to be developed by nursing homes. The rules even require disaster drills to be conducted by the nursing home in conjunction with local emergency response agencies.
On January 13, 2017, the Centers for Medicare and Medicaid Services (“CMS”) sent a Memorandum (“Memo”) to State survey agency directors encouraging long-term care providers to “consider cybersecurity when developing or reviewing their emergency preparedness plans.” The Memo was a follow-up to the CMS long-term care emergency preparedness rule published in the Federal Register on September 16, 2016: “Medicare and Medicaid Programs; Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers.” Under that final rule, long-term care facilities were held to additional standards, including requirements to have emergency and standby power systems in place. Nursing homes were also required to create plans regarding missing residents that could be activated regardless of whether the facility has activated its full-scale emergency plan. The rule was spurred on by recent flooding in Baton Rouge, Louisiana, and other emergency disasters, such as Hurricane Sandy and the 2009 H1N1 pandemic, according to CMS.
Whether State surveyors will actually enforce lack of cybersecurity plans for emergency preparedness as violations remains to be seen from this Memo. But certainly, a State survey agency could impose deficiencies for failure to have a proper cybersecurity plan and/or a proper cybersecurity back‑up plan as part of a facility’s emergency preparedness going forward. It is not clear why CMS decided to send this encouragement Memo three months after the Final Rule on emergency preparedness, but it likely has something to do with the fact that 2016 was a banner year for HIPAA privacy infractions and HIPAA enforcement by the Office for Civil Rights (“OCR”), the entity responsible for HIPAA compliance. In 2016, payouts for HIPAA violations skyrocketed to record heights of $23.51 million from OCR enforcers against health care providers. That number was triple the previous record of almost $7.94 million in payouts in 2014, followed by $6.19 million in payouts in 2015.