The 2016 Work Plan from the Office of Inspector General (OIG) of the Department of Health and Human Services offers insight into how healthcare providers will be scrutinized this year. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule is one major concern.
- OIG will check for contingency plans related to HIPAA and electronic health records.
- The Work Plan also discusses provider-based facilities and their reimbursement rates.
- Compliance Is Still A Concern As Provider-based Facilities Lose Their Reimbursement Advantage.
The 2016 Work Plan from the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) offers risk managers insight into what areas of compliance and potential liability will be the hot topics this year, and there are concerns in several arenas.
The Work Plan is broken down into many sections, so risk managers can focus most on the part of the plan that directly affects their type of healthcare organization, explains Bart Walker, JD, a partner with the law firm of McGuireWoods in Charlotte, NC. Much of the Work Plan applies to any health system that has a range of facilities and types of patient care, he notes.
“OIG looks at what’s going on in healthcare each year and comes up with this plan that says ‘here are a hundred or so areas where we think there’s some smoke, if not fire,’” he explains. “This is the leading edge in terms of what they’re looking at.”
Among the most noteworthy parts of the plan is the OIG’s emphasis on the Health Insurance Portability and Accountability Act (HIPAA), Walker says. This year OIG will have a heightened focus on the HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164), which delineates how covered entities must protect data. “I think the HIPAA material is actionable for risk managers, particularly where it concerns secure devices and network with those devices,” Walker says. “Contingency planning is another focus that risk managers should look at. There are some specific requirements in the rule that require providers to have contingency plans in place and conduct audits of their security system.”
Walker explains that the Work Plan calls for increased scrutiny of protections of electronic protected health information (ePHI) with respect to “networked medical devices.” The Work Plan also calls for regulators to determine the “extent to which hospitals comply with contingency planning requirements” of HIPAA regarding their use of electronic health records (EHR) systems. More specifically, OIG will examine whether the Food and Drug Administration (FDA) is providing sufficient oversight of networked medical devices in hospitals, Walker says. (The Work Plan is available online at http://tinyurl.com/ohc962j. See the story in this issue for a summary of the plan.)
The OIG specifically mentioned dialysis machines, radiology systems, and medication dispensing systems that are integrated with electronic medical records (EMRs) and the larger health network. “Medical device manufacturers provide Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms to assist health care providers in assessing the vulnerability and risks associated with ePHI that is transmitted or maintained by a medical device,” the Work Plan notes. Walker says this language means that covered entities that use networked medical devices should document the ways in which they have considered the disclosure statements for such devices as part of their HIPAA security risk assessments and overall HIPAA compliance plans.
The Work Plan also notes a focus on HIPAA EHR contingency plans. It emphasizes that “the HIPAA Security Rule requires covered entities to have a contingency plan that establishes policies and procedures for responding to an emergency or other occurrence that damages systems that contain protected health information.” Walker expects that will lead to OIG using government- and industry-recommended practices to gauge a healthcare organization’s performance with regard to contin-gency plans.
Medicare dental claims in hospitals are another area of interest, with OIG planning to determine whether payments were made in accordance with Medicare requirements.
Walker notes that OIG audits have suggested that hospitals are receiving Medicare reimbursement for non-covered dental services, resulting in significant overpayments. He suggests that hospitals institute a system for double checking any Medicare dental claim to verify compliance.
“Provider-based facilities” also are targeted in the Work Plan. Those are facilities that are operated and reimbursed as if they were part of the affiliated hospital.
For example, a hospital might open an outpatient facility across town but still be able to bill Medicare for the outpatient care at the hospital’s Medicare rate, Walker explains. Service at a provider-based facility is reimbursed for both a technical fee billed for the hospital and a professional fee billed for the physician. That provider-based facility fee can be much more profitable than billing for that care at an ambulatory surgery center rate or similar rate, which gives the provider-based facility an edge over competitors that might be identical aside from ownership.
Additionally, the provider-based facilities increase Medicare beneficiary coinsurance liability and increase costs to the program, the Work Plan notes. “That has long been a bone of contention between hospitals and other providers, because those facilities are able to collect a higher rate from Medicare, and that makes them stronger economically when it comes to competing with other facilities,” Walker says. “Increasingly in recent years, hospitals have been accumulating other assets that are not within the hospital but treating them as provider-based. They’re not doing anything wrong because the rules are there, and if you comply with the provider-based rules, you’re eligible for provider-based reimbursement.”
OIG has scrutinized these provider-based arrangements for at least two years now because of this discrepancy in reimbursement based only on who owns the facility, Walker says. That scrutiny will increase this year as a result of the Bipartisan Budget Act of 2015, which, with some exceptions, excludes off-campus facilities from receiving enhanced reimbursement starting Jan. 1, 2017. As provider-based facilities prepare for the loss of revenue and competitive edge, OIG plans to closely monitor how they try to compensate.
Walker cautions that the OIG’s interest in compliance will not wane this year just because the enhanced reimbursement will end soon. Hospitals operating provider-based facilities should ensure that they comply with provider-based rules and not let their guard down, he says.
“A lot of hospitals and health systems will have a look at their strategies and determine whether those facilities remain economically viable,” Walker says. “This change had been considered in past budget legislation, but actually ending the enhanced reimbursement this soon was not on anyone’s radar. It pretty much came out of the blue. Now hospitals are suddenly faced with a loss of revenue or lobbying for some other way to bill for these services that is site-neutral. That’s always been the holy grail of Medicare reform.”
- Bart Walker, JD, Partner, McGuireWoods, Charlotte, NC. Telephone: (704) 373-8923. Email: email@example.com.