The ROADMAP to COMPLIANCEThe Importance of Staying Current on Your Compliance Efforts

Presenter: Debra A. Geroux, CHC

September 5, 2013

WHY Do I NEED a Compliance Program?

• To identify common roadblocks to an effective compliance program

• To learn how to test the effectiveness of a program

• To identify ways to strengthen and encourage staff participation in the program

Why Do I NEED a Compliance Program? (cont.)

• Increased DOJ, OIG & OCR Enforcement• Consumers are more Knowledgeable and

Active• Whistleblowers• Federal Sentencing Guidelines• Criminal, Civil and Administrative Penalties• Top-Down Liability—Corporate

Responsibility and Director Liability• Heavy Fines & Penalties• Regulatory Exclusion is a Corporate Death

Sentence

So what is “Compliance”?

“A successful compliance program addresses the public and private sectors’ mutual goals of reducing fraud and abuse; enhancing [health care providers’] operations; improving the quality of health care services; and reducing the overall cost of health care services. Attaining these goals benefits the [healthcare industry], the government, and patients alike. Compliance programs help [healthcare providers] fulfill their legal duty to refrain from submitting false or inaccurate claims or cost information to the Federal health care programs or engaging in other illegal practices.

~OIG Compliance Supplemental Program Guidance for Hospitals (January 31, 2005), https://oig.hhs.gov/fraud/docs/complianceguidance/012705HospSupplementalGuidance.pdf

So what IS it Exactly?

• A compliance program is a management system for preventing inappropriate conduct within an organization. It provides guidance and support across the organization for employees to make appropriate decisions regarding both clinical and business practices, decisions and behaviors

Challenges to Building an Effective Compliance Program

• Management Challenges– BOD & Managerial Buy-In– Company-Wide Commitment &

Cooperation– Acceptance of the CP—internally &

externally–Understanding of each person’s Role in an

Effective Program

Challenges to Building an Effective Compliance Program (cont.)

• Administrative Challenges—Sufficient Resources– Resources—Time & Money to Keep Current

with Changing Laws & Regulations– Consistent

Enforcement/Monitoring/Evaluation– Anonymous Reporting capabilities– Thorough Education and Training of ALL– Employee Awareness and Understanding– Timeliness of Investigations and Follow-Up

OIG Major Compliance Areas

• False claims, kickbacks and referrals.• Fraudulent reimbursement activity.• Proper Coding, billing and documentation,

including strict adherence to Waiver and Write-off Policy

• Patient Privacy Rights and HIPAA Compliance• Quality of Care• Contractual Joint Ventures• Home Health Agencies

Compliance Program—Sources

US Sentencing Guidelines—USSG § 8B.2—

• adopted in 1991,the USSG still provide leniency for health care providers who adopt compliance programs (reduced penalties where there is an effective CCP

• An effective CCP may reduce the chance of a qui tam (whistle-blower) lawsuit

• Compliance Programs Can Work to Identify and Address Problems Before A Catastrophic Stage Is Reached

2010 Amendments to USSG

In 2010, the United States Sentencing Commission amended the USSG to further strengthen the role of the compliance officer. Under the Amendments, in order for a corporation to be eligible to receive a reduced sentence, the following MUST be in place at the time of a potential criminal act:•CO should have a "direct reporting obligation" to the board or subgroup thereof

– Promptly in cases of criminal or potential criminal conduct , and – At least annually regarding implementation and effectiveness of the entity’s

compliance program

•Compliance Program detected the criminal conduct before it was discovered or was reasonably likely to be discovered outside of the organization (i.e., by regulators);•The organization promptly reported the offense to the federal government;•No corporate compliance officers were involved with, condoned or were willfully ignorant of the criminal offense; and•The organization conducted an assessment of its existing compliance program, including modifications to the program as may be appropriate to prevent the occurrence of similar conduct.

Compliance Program—Sources (cont.)

OIG Compliance Guidance—12 Industry-Specific Guidance◦ Hospitals (1998 / Supplemental issued 2005)◦ Home Health Agencies (1998)◦ Clinical Laboratories (1998)◦ 3rd-Party Medical Billing Companies (1998)◦ DME-POS Industry (1999_◦ Hospice (1999)◦ Medicare+Choice Organizations (1999)◦ Nursing Facilities (2000 / Supplemental issued 2008)◦ Individual and Small Group Physician Practices (2000)◦ Ambulance Suppliers (2003)◦ Pharmaceutical manufacturers (2003)◦ Recipients of PHS Research Awards (Draft issued 200

• Historically:1. Written policies and standards of conduct2. Designation of compliance officer and

special counsel3. Effective training and education4. Effective lines of communication5. Enforcement of standards through

publicized disciplinary guidelines—consistency

6. Regular internal monitoring and auditing7. Responding to detected offenses, developing

corrective action plan

Element 1—Implementing written policies, procedures and standards of conduct• Codes of Conduct—how people should act and

known risks in your organization/industry• Look to OIG Corporate Integrity Agreements for

guidance on what has been imposed on others in your industry

• Tailor to general population & specific departments

• Identify specific conduct requirements and sanctions for violations

• Accessible to employees—post on company website or provide with employee manual

Element 2—Designate a Compliance Officer & Compliance Committee

• WHO will be responsible/accountable—CCO • DIRECT access to the TOP (senior level

officers and BOD)• Separate from General Counsel• Accessible to All employees• Responsible for Oversight and Monitoring—

includes updating program as risks/laws require

• Formalized Compliance Committee (charter outlining roles & responsibilities)

Element 3—Effective Training & Education

• Initial Training– Within first days of Employment• On-Going Training—at least ANNUALLY• General & Job-Specific (i.e., HIPAA compliance

for all, versus billing compliance for A/R)• Remedial Training• Agents & Contractors need training, too!• In-person or On-line—don’t just give them a

manual and assume they will read it!• DOCUMENT all training and education.—Who,

What, When, Where & How (and sometimes WHY).

Element 3—Education & Training (cont.)

• §6032 of the Deficit Reduction Act—Mandatory Employee Education About False Claims Act Recoverieso Applies to an entity including organizational units (a

governmental agency, organization, unit, corporation, partnership, or other business arrangement) and individuals that receives or makes Medicaid payments totaling at least $5 million annually

o Requires establishing written policies for all employees (including management), and of any contractor or agent of the entity Required to be incorporated in State’s Provider Enrollment Agreements

o Michigan State Plan adopted amendment in August 2007o “Certification of Compliance” form sent to effected providers in

FY 2007

DRA § 6032-Written Policy Requirement

• Written Policies must provide detailed information about four major topics:o the federal False Claims Act; o administrative remedies for false claims and statements; o any civil or criminal penalties under state false claims laws; and o whistleblower protections under federal and state law.

o Policies and materials must explain the role these laws play in preventing Medicaid fraud and abuse and describe the "entity's policies and procedures for detecting and preventing fraud, waste, and abuse.“

o Employee Handbook must be modified to include a specific discussion of the these topics.

Element 4—Developing Effective Lines of Communication

• Open Communications—Employees should know WHO to report to and HOW to Report Issues

• Anonymous Tip Line• Anti-Retaliation Policy—Whistleblower

Protections• Mechanism for Notification of Changes in

Policy (i.e., post in common areas, discuss at training, post on intranet or company website)

Element 5—Enforcing Standards through Well‐Publicized Disciplinary Guidelines

• Potential Consequences CLEARLY Identified (tiered system based on nature of misconduct, i.e., warning, suspension or termination)

• CONSISTENCY of Discipline—regardless of WHO is non-compliant (i.e., top-down application)

• REWARD Positive Behavior, too!

Element 6—Internal Monitoring & Auditing

• Self-monitoring (management tool for daily operations)—Not formalize/independent. Used to identify risk areas and see how operations are progressing (i.e., new rules)

• Auditing—Formalized process (Internal and external) when need for objective results and integrity is critical– Formalized and Independent

• Frequency—at least annually (formalized audit)– Billing Audits should be more frequently to detect potential “Overpayments”. Spot

check sample of 30 per month– “Overpayments” not returned promptly (60-days) are subject to FCA Liability as

“obligation” under Section 6402(a) of the ACA– If no underlying illegality, voluntary refund and report to MAC is appropriate

• Create and follow a schedule for periodic audits • Understand

Element 7—Responding promptly to detected offenses and developing corrective action

• PROTOCOL for investigating reported violations/non-compliance• Prompt, thorough and consistent investigation and resolution• Reporting protocol (i.e., Self-Disclosure Protocol, over-payments, etc.)

o April 2013 Updated OIG’s Provider Self-Disclosure Protocolo Applies to AKS/CMP Laws—CMS protocol for Stark Violationso Guidance for filing specific types of Self-Disclosure—false billing, excluded

persons and potential AKS/Stark violations, along with calculations for applicable damages

o OIG will not demand an admission of liability in settlement agreements but will expect payments above single damages, with an minimum multiplier of 1.5 times the single damages.

o Minimum settlement penalties:o $50,000 for all kickback-related violations accepted into the SDP o $10,000 minimum settlement for all others accepted SDP matters.

o “Streamlined" internal process to reduce the average time a case is pending to less than 12 months from acceptance into the SDP

Element 8—Conducting on‐going risk assessments

• Newly Mandated by the ACA• Previously was strongly suggested• Periodic Review and update—at least

annually• New York State Office of Medicaid

Inspector General (OMIG) Compliance Program Assessment Tool, www.omig.ny.gov

The 8th Element under the Affordable Care Act (ACA), P.L. 111-148

• §6102 of the ACA—SNF / NF required to develop a compliance and ethics program and participate in a quality assurance and performance improvement program by March 23, 2013.

• In addition to 7 listed Elements of the OIG Compliance Programs, ACA solidified an 8th Element—Assessment!

• Conceptually old, but now a Mandatory Element.• Under the ACA, the organization must periodically

undertake reassessment of its compliance program to identify changes necessary to reflect changes within the organization and its facilities.

• Consistent with Amended USSG

Additional Mandatory Compliance Programs under the ACA

• §6401(a)(7) of the ACAo Compliance program as a Condition of Enrollment o The Secretary of HHS in consultation with OIG to work on “core

elements”o 42 C.F.R. Parts 422 & 423—Compliance Programs for Medicare

Parts C (Medicare Advantage) and Part D (Prescription Drug Benefit Program ).

o Final Rule: Medicare Program; Policy and Technical Changes to the Medicare Advantage and Prescription Drug Benefit Program, 75 F.R. 19678 – 19826 (April 15, 2010), available at: http://www.gpo.gov/fdsys/pkg/FR-2010-04-15/pdf/2010-7966.pdf

o CMS Compliance Program Guidelines for Medicare Advantage Organizations (MAO) and Prescription Drug Plans (PDP), effective July 20, 2012), http://www.cms.gov/Medicare/Prescription-Drug-coverage/PrescriptionDrugCovContra/Downloads/Chapter9.pdf.

Certification of Compliance—A New Tool for Effectiveness (and liability)• OIG ‘s “Management Accountability and Certifications” by “Certifying Employees”-Eli Lilly Co

CIA

“For each Reporting Period, each Certifying Employee shall sign a certification that states: "I have been trained on and understand the compliance requirements and responsibilities as they relate to (department or functional area), an area under my supervision. My job responsibilities include ensuring compliance with regard to the department or functional area.) To the best of my knowledge,_ (insert name of except as otherwise described herein, the (insert name of department or functional area) of Lily is in compliance with all applicable Federal health care program requirements, FDA requirements, and the obligations of the CIA.”

• “Certifying Employees” include:–Lilly President & CEO–Executive Vice President, Global Marketing & Sales–Lily USA :

•President, U.S. Operations; •Senior Vice President, Account-Based Markets; •Senior Vice President, Health Care Professional Markets; •Vice President, Chief Marketing and Operations Officer; •All national and executive sales directors, brand leaders, and business unit leaders in the HCP Markets,•Executive Directors and directors in Account-Based Markets, and•Executive directors and directors in Marketing and Operations

NY OMIG Certification of Effectiveness

27

Joint Comm’n

New DOJ Initiative-ADA Compliance

• Barrier Free Health Care Initiative– Civil Rights Division of DOJ & USAO– ADA Enforcement– Targets Discrimination in Access to Medical Care &

Facilities– Goals:

• effective communication for people who are deaf or have hearing loss

• physical access to medical care for people with mobility disabilities• equal access to treatment for people who have HIV/AIDS.

– 19 Settlements Since October 2011

Source: http://www.ada.gov/usao-agreements.htm

Barrier Free Settlements

• Trinity Regional Medical Ctr & Trinity Health Systems (April 10, 2012)– Restitution of $198,000 to victims– $20,000 CMP to United States– Mandatory Employee Training—

• Immediately within 90 days and annually thereafter

– Creating and updating Policies & Forms– Reporting Requirements

• Log of Accommodation Requests• Log of Complaints—Notice to DOJ within 7 days• 6-month reports to DOJ of Compliance Efforts

Source: http://www.ada.gov/trinity.htm .

Other Barrier Free Settlements

• Henry Ford Health System (February 1, 2012)– $70,000 Compensation to Surviving Complainants– Training, Updated Policies & Reporting Requirements

• The Heart Center of Memphis (June 27, 2013)– $5,000 Compensatory Damages to Victim– $1,000 CMP– Training, Updated Policies & Reporting Requirements

• Center for Orthopaedic & Sports Medicine (April 1, 2013)– $15,000 Compensatory Damages for Victims– Training, Updated Policies & Reporting RequirementsSource: http://www.ada.gov/usao-agreements.htm.

Joint Commission’s Top 5 Non-Compliant Requirements in 2013

Legal Impetus for Effective Compliance

• False Claims Act (FCA)• Anti-kickback Statute (AKS)• Physician Self-Referral law (Stark”)• Civil Monetary Penalty Law (“CMP Law”)• OIG Exclusion Authority• Responsible Corporate Officer Doctrine

(RCOD)• HIPAA/HITECH

The Government’s Arsenal for Fighting Fraud--the federal False Claims Act, 18 USC §§3729-3733

• Main Provision for Liability: Section 3729(a)(1)(A) - (G) o Subsection (A)—knowingly submits a false claim to the government or causes

another to submit a false claim to the government o Subsection (B)--knowingly makes a false record or statement to get a false claim paid

by the government. o Subsection (C)—Conspiracy to violate the FCAo Subsection (G)—”Reverse” False Claims—knowingly retain money owed to the

government (retaining monies from improperly paid claims)paid in error by the get money from the government, but to avoid having to pay money to the government.

o Subsections (D), (E), and (F) are rarely invoked.

o PPACA greatly expanded the reach of the FCA by essentially eliminating the jurisdictional bar for qui tam relators (whistleblowers) and limiting “public” disclosure to those made only to federal government.

o Damages & Penalties—Between $5,500 - $11,000 for each claim plus treble (3x) the government’s damages—in no instance will government settle for less than double damages if self-disclosure is made.

False Claims Act Risks-Reckless Disregard

Ineffective Compliance Programs create requisite intent for FCA liability—the Medco, Caremark and Novartis cases

US ex rel Hunt et al v Merck-Medco Managed Care, 336 F Supp 2d 430 (ED PA 2004)

o FCA action related to Medco’s mail-order pharmacy services to federal employees

o First Complaint by government (intervention in qui tam) that included claim that lack of an effective compliance program constituted reckless disregard to sustain FCA action

o “Plaintiffs have sufficiently alleged that Medco submitted its false claims knowingly under this definition. At the very least, the Government has claimed that Medco's compliance programs were either non-existent or insufficient, in satisfaction of the ‘reckless’ requirements of § 3729(b).” 336 F.Supp.2d at 441.

FCA and the Conditions of PaymentUSA ex rel Spay v Caremark (ED PA December 20,2012):

• “Part D plan sponsors must . . . [c]ertify in their contracts that they agree to comply with all federal laws and regulations designed to prevent fraud waste and abuse. 42 CFR 423.505(h)(1)”

• “[A]s a condition for receiving payment, a Part D sponsor must certify the accuracy, completeness, and truthfulness of all data, including claims data, related to the requested payment from the government. When that claims data is generated by a subcontractor of a Part D Sponsor, such as a PBM, the subcontractor must similarly certify, as a condition of payment, the truthfulness, accuracy, and completeness of the data.”

• “This interpretation (i.e., that the data certification is a condition of payment) finds support in CMS's Prescription Drug Benefit Manual. Section 80.1, entitled ‘The False Claims Act,’ specifically references section 423.505(k)(3) and provides as follows: o Sponsors should devise their compliance programs so that their policies and procedures are

consistent with the Federal Civil False Claims Act . . . When submitting claims data to CMS for payment, Sponsors and their subcontractors must certify that the claims data is true and accurate to the best of their knowledge and belief [footnote referencing section 423.505(k)(3)]. The False Claims Act is enforced against any individual/entity that knowingly submits (or causes another individual/entity to submit) a false claim for payment to the Federal government.

o “The plain import of this language suggests that 42 CFR 423.505(k)(3) was designed precisely to make a subcontractor's certification of the truthfulness, accuracy, and completeness of claims data a condition of payment. Further, it indicates that false certification by a subcontractor of this information, which ‘causes’ the Part D Sponsor to submit a false claim for payment to the government, is grounds for an FCA claim.

False Certification of ComplianceRecent decisions discussing the false certification theory of liability and the related issue of

intent include:

• United States ex rel. Chesbrough v. Visiting Physicians Ass’n, 655 F.3d 461 (6th Cir. 2011)(in order to plead and prove “falsity” under the implied false certification theory, relators must establish that a statute or regulation conditioned payment on compliance.)

• United States ex rel. Wilkins v. United Health Group, Inc., 659 F.3d 295 (3d Cir. 2011) (ruling that compliance with Medicare marketing regulations was not a condition of government payment under federal health insurance programs, but that submitting claims to these programs while violating the AKS was actionable under the FCA).

• United States ex rel. Steury v. Cardinal Health, Inc., 625 F.3d 262 (5th Cir. 2010) (refusing to base FCA liability on the allegation that claims for payment for allegedly defective intravenous fluid pumps were “false” because they violated an implied warranty of merchantability).

• Science Applications Int’l Corp. v. United States, 626 F.3d 1257 (D.C. Cir. 2010) (explicitly accepting the implied false certification theory and noting that liability under this theory could be based on plaintiff’s showing that the contractor “withheld information about its noncompliance with material contractual requirements”).

• Rodriguez v. Our Lady of Lourdes Med. Ctr., 552 F.3d 297, 304 (3d Cir. 2008) (finding that to state a claim under the false certification theory, “it is necessary to allege not only a receipt of federal funds and a failure to comply with applicable regulations, but also that payment of the federal funds was in some way conditioned on compliance with those regulations").

• United States ex rel. Conner v. Salina Reg'l Health Ctr., 543 F.3d 1211 (10th Cir. 2008) (hospital's certifications in annual cost reports to Medicare that it was in compliance with all applicable Medicare statutes and regulations were not false certifications that violated the FCA because they were sweeping, general certifications that did not violate specific conditions of payment).

Implied Certification and the FCA• Implied certification is a rule of construction that

generally means that a claim for payment to the government (i.e. to Medicare, Medicaid, or CHIP) is legally false if that party had, and failed to meet, an ongoing obligation to comply with an underlying law — regardless of whether that party submitted a claim that was false on its face or expressly certified compliance with that law when it submitted the claim.

• Implied Certification revived under the ACA—The ACA’s amendment of the FCA to add violations of the AKS as a basis for FCA liability essentially solidifies the implied certification theory. Previously, Courts around the country were inconsistent in its application

Ineffective Compliance Programs and the FCA-The 2013 Novartis Complaint, Case No. 11 Civ 0071 (April 26, 2013)

• Novartis was well aware that its speaker programs created opportunities to provide kickbacks to doctors. In September 2010, Novartis entered into a settlement with the U.S. Department of Justice to settle False Claims Act lawsuits based in part on violations of the AKS due to illegal remuneration paid to doctors through such mechanisms as speaker programs, and signed a corporate integrity agreement with the U.S. Department of Health and Human Services Office of Inspector General agreeing to implement a rigorous compliance program.

• Even after entering into the corporate integrity agreement, Novartis’s compliance program failed to prevent kickbacks from being paid in conjunction with Novartis’s speaker programs. No individual at the company was tasked with examining its speaker program data to determine whether the programs were used for an illegitimate purpose. Furthermore, although instances of speaker program abuse were reported to Novartis, sanctions were generally mere slaps on the wrist. In some cases, sales representatives who violated Novartis’s own speaker program policies were nevertheless promoted. Even after September 2010, Novartis continued to conduct bogus speaker programs that were simply vehicles for paying kickbacks to doctors in the form of honoraria and expensive meals.

• As a consequence of its violations of the Anti-Kickback Statute , Novartis has caused the submission of numerous false claims for drugs to federal health care programs, including Medicare, Medicaid, TRICARE and the Department of Veterans Affairs health care program, resulting in millions of dollars in reimbursements. Novartis’s unlawful conduct caused those false claims to be made to and paid by the federal health care programs.

The Anti-kickback Statute (“AKS”), 42 USC 1320a-7b

• Authorizes criminal and civil penalties (CMP) against anyone who knowingly and willfully solicits, receives, offers, or pays remuneration, in cash or in kind, to induce or in return for referrals for services payable under federal healthcare programs.

• Single violation could bring $25,000 fine and imprisonment• Additionally, each violation can carry a civil penalty of

$50,000, plus treble damages• Under ACA, AKS violation can form basis for FCA liability• Safe Harbors/Exceptions for certain arrangements

Not all Illegal Arrangements are the Same—The Exceptions and Safe Harbor Protections

• AKS Safe Harbors & Statutory Exceptions (42 CFR 1001.952/42 USC § 1320a-7b(b)(3))– 10 Statutory Exceptions, including risk sharing agreements,

Discounts/price reductions, GPO and Bona Fide Employee– 22 Safe Harbors, including ACS Safe Harbor (42 CFR

1001.952(r))• Stark Exceptions: Three types of exceptions:

– Exceptions applicable only to ownership interests (direct and indirect);

– Exceptions applicable only to compensation arrangements (direct and indirect); and

– Exceptions applicable to BOTH ownership interests and compensation arrangements.

The AKS and the ASC Safe Harbors, 42 CFR 1001.952(r)

• Four slightly different ASC Safe Harbors:– Surgeon-Owned ASCs– Single-Specialty ASCs– Multi-Specialty ASCs– Hospital/Physician ASCs

• Failure to Meet the Exact Requirements of the Safe Harbor Not Necessarily Fatal– If facts present a sufficiently low risk of fraud or

abuse under the anti-kickback statute

• When in Doubt, Ask! The OIG Advisory Opinion Process

The Physician Self-Referral Law (“Stark”)

• Strict Liability Statute• Prohibits submission of claims to Medicare for any claim for

Designated Health Service (DHS), if the referral of the service is generated by a physician who has a prohibited financial relationship with the entity

• Parties (entity and physician) who violate the Stark law are subject to CMPs and Exclusion from Federal healthcare programs.

• Repayment obligation• Potential $15,000 fine for each inappropriate referral• Civil assessment of up to three times the amount of the

amount claimed• Can invoke FCA liability

The CMP Law, 42 USC § 1320a-7a; 42 CFR § 1003.102

• Penalties can range from $10,000 (FCA violations) to $50,000 (AKS violations) per act plus treble damages

• Exclusion from federal programs– Mandatory—minimum 5 years– Permissive—minimum 3 years

• Prohibited Conduct includes:– Submission of false or fraudulent claims– Stark and AKS violations (illegal remuneration)– Payments to induce reduction or limitation of services (i.e. early

discharge)– offering or giving remuneration to any beneficiary of a federal

health care program likely to influence the receipt of reimbursable items or services

– arranging for reimbursable services with an excluded entity /individual

The Rise of the Responsible Corporate Officer Doctrine (RCO Doctrine)

• United States v. Park, 421 U.S. 658, 673-674 (1975)-Liability as a responsible corporate officer does not turn upon a corporate officer’s approval of wrongdoing, but rather on whether the officer had, by reason of his or her position in the corporation, responsibility and authority either to prevent, or promptly correct, the violation at issue, and the officer failed to do so.

• Purdue and a resurgence of the RCO Doctrine—3 executives of pharmaceutical company excluded for 12 years under permissive authority based on their position in company and their misdemeanor convictions based solely on their roles in the corporation

• 2010 OIG “Guidance for Implementing Permissive Exclusions Under Section 1128(b)(15) of the the [SSA]” (http://oig.hhs.gov/fraud/exclusions/files/permissive_excl_under_1128b15_10192010.pdf)– Factors considered by OIG before imposing exclusion:– the circumstances of the misconduct and seriousness of the offense; – the individual’s role in the sanctioned entity; – the individual’s actions in response to the entity’s misconduct;– and information about the entity, including whether it has previously been convicted of a crime or found

liable, or resolved civil or administrative charges with a federal or state enforcement authority, and the size and structure of the entity and its subsidiaries.

HIPAA Compliance & the New Breach Rules

• Notable MEGA Rule Changes:– New Requirements for Business Associates,

Subcontractors and BAAs—Direct Liability for Breach

– New Standard for Breach Notification– Changes to Rules regarding Sale or Use of PHI for

commercial purposes (i.e., fundraising, marketing and sale of PHI)

– Enhanced Individual Rights—access and restrictions– Decedents Still Protected by HIPAA—50 Year rule– School Immunization Records--No Authorization

Needed for CE to provide to School Officials– Genetic Information in-line with GINA—Health Plans– Notice of Privacy Practices (NPP)

Identifying Business Associates

• Inventory Your Vendors and Independent Contractors, as the list of BAs has expanded. – Patient Safety Organizations– Data Transmission Organizations (Health Information

Organizations and e-Prescribing gateways) that routinely access PHI, but not “conduits” who merely transport or transmit information without accessing it (i.e., U.S. Mail)

– Vendors of PHI that provide services on behalf of a CE– Anyone that maintains PHI on behalf of a CE where

there is a persistent opportunity to access PHI, even if it is not actually accessed (i.e., warehouse / storage facility, cloud computing)

– Make sure BAs get assurance from Subcontractors that they will comply with Privacy & Security Rules to same extent as BA

– Checklist Template Included

So, why should CEs and BAs Care about HIPAA and Compliance Generally?• Ineffective CP = NO CP• Enhanced Penalties—tiered CMPs under

HIPAA up to $1.5M• Direct Liability of BA• Stepped up Enforcement of CEs and BAs by

OCR in 2013 and beyond• Enhanced Enforcement—Mandatory

Investigation and penalties for Willful Neglect detected in initial complaint and compliance reviews – Secretary able to forego informal resolution

and proceed directly to formal action for noncompliance

Recent HIPAA Settlement

• CBS Investigation leads to $1,215,780 HIPAA Breach Settlement and Corrective Action Plan

• Leased copiers were returned to vendor without erasing data on copier hard drives

• Estimated up to 344,579 individuals affected• “This settlement illustrates an important reminder about

equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent . . . HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.” ~ OCR Director Leon Rodriguez

Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/affinity-agreement.html.

OIG Resources for Compliance

• Physician Education:– http://oig.hhs.gov/compliance/physician-education/index.asp

• Compliance Training– https://oig.hhs.gov/newsroom/video/2011/heat_modules.asp

• Corporate Integrity Agreements– http://oig.hhs.gov/compliance/corporate-integrity-agreements/

index.asp

• OIG Compliance Guidance– http://oig.hhs.gov/compliance/compliance-guidance/index.asp

• Board of Directors Guidance– http://oig.hhs.gov/compliance/alerts/guidance/index.asp

OIG Compliance Resources (cont’d)• OIG Open letters

– http://oig.hhs.gov/compliance/open-letters/index.asp

• OIG Advisory Opinions– http://oig.hhs.gov/compliance/advisory-opinions/index.asp

• OIG Annual Work Plan– http://oig.hhs.gov/reports-and-publications/workplan/index.asp

• OIG Special Fraud Alerts– http://oig.hhs.gov/compliance/alerts/index.asp– March 26, 2013 Special Fraud Alert on Physician-Owned

Distributorships (PODs)• “OIG is concerned about the proliferation of PODs. This Special Fraud Alert

reiterates our longstanding position that the opportunity for a referring physician to earn a profit, including through an investment in an entity for which he or she generates business, could constitute illegal remuneration under the anti-kickback statute. OIG views PODs as inherently suspect under the anti-kickback statute. “

Parting Thoughts….

• Document, Document, Document. According to the government, if it isn’t documented, it didn’t happen. This is true of medical services and compliance efforts.

• Continuous Assessment & Modification is key to Effective Compliance Programs.

• Periodic reviews of contracts to ensure compliance with AKS/Stark

• A Stagnant Compliance Program is more harmful than having NONE at all…Can you say Reckless Disregard and Deliberate Indifference!

Questions & Comments

Debra A. Geroux, CHC41000 Woodward AvenueBloomfield Hills, MI 48393d 248.258.2603c 248.767.1205geroux@butzel.com