When an attorney at UofL Health in Kentucky was tricked by a phishing email, he called the compliance officer to report himself as “an idiot.” Fortunately, it was only a test—a fake phishing email the health system sends out randomly to test employees’ ability to resist the insidious attempts by hackers to access computer networks.
“I thought it was funny, but appreciated the fact that he knew he was duped and he took it seriously,” says Shelly Denham, senior vice president of compliance, risk and audit services at UofL Health. “I think he truly learned a valuable lesson from that exercise.” Even when they’re attuned to phishing, people may click on the links, another reason why phishing, ransomware, cybersecurity and data privacy are very high on the risk list at UofL and other health care organizations. “It will be a huge focus this year,” Denham says.
Welcome to 2020, the year that may be a turning point for data privacy and security. For starters, new state laws take effect in California and New York state and apply both to companies in those states and that have consumers there, while the HHS Office for Civil Rights (OCR) pushes ahead with its Right-of-Access Initiative. “I think there will be a culture shift in the way people view their data,” says attorney Jami Vibbert, with Venable in New York City. “You might see an uptick in individuals seeking to exercise individual rights, which may or may not happen under the California Consumer Privacy Act (CCPA), but might happen under HIPAA.”
That’s just one inflection point for compliance and enforcement. There are other developments that will test health care organizations, including a regulation that went into effect Jan. 1 on patient discharge planning and a program integrity rule that will be phased in. Others that go live next year—on Medicare documentation and price transparency—require compliance preparation this year, compliance experts say. Meanwhile, Medicare beneficiaries continue to flock to Medicare Advantage, which worries physician advisers because they say more arbitrary denials will follow. Compliance experts predict a resurgence this year of audits of short stays and other areas with high error rates on the 2019 Medicare fee-for-service improper payment rate report. Enforcement of the False Claims Act will continue, powered by whistleblowers, but there will be some ripple effects because of the Supreme Court decision in Azar v. Allina Health Services, et al. and the interplay between the Granston memo  and the Supreme Court decision in Universal Health Services vs. United States ex rel. Escobar in 2016.
As compliance officers juggle competing priorities, they may get more support from board members. Two 2019 decisions from the Delaware Chancery Court expanded the seminal 1996 decision In re Caremark, which was one of the first cases to recognize that boards must make a good-faith effort to implement an oversight system and monitor it, says attorney Paula Sanders, with Post & Schell in Harrisburg, Pennsylvania. The new decisions, about Clovis Oncology and Blue Bell Creameries, “expanded the expectations of boards of directors in the context of having an effective compliance program,” she explains. They should be a wake-up call for board members who are still cavalier about compliance and reinforce their duty to examine the effectiveness of the compliance program. That includes asking senior leaders whether the information they get from managers is reliable and addresses the company’s risks, Sanders says. As the decision in the Clovis Oncology derivative litigation states, “When a company operates in an environment where externally imposed regulations govern its ‘mission critical’ operations, the board’s oversight function must be more rigorously exercised.”
Privacy, Security Conversations Are Shifting
With the grave threats posed by hackers, cybersecurity is finally moving from an IT-focused conversation to an enterprise business risk conversation, says Brian Selfridge, a partner in Meditology Services. That’s a recognition that security breaches have consequences beyond HIPAA fines, he says. For example, in October, DCH Health System in Alabama temporarily diverted all but the most critical hospital patients, reportedly for about 10 days, after it was a victim of a ransomware attack through phishing. The cybercriminals “disrupted access to computer systems at DCH Regional Medical Center, Northport Medical Center and Fayette Medical Center,” DCH said on its website. In response, four patients filed a class-action lawsuit against DCH on Dec. 23, alleging because of the ransomware attack, which locked down their medical records, plaintiffs and the class members had “to forego medical care” and their private information “is in the hands of data thieves.”
Ransomware is also evolving. While hackers usually hold data hostage and release it when they get paid, they’re now “threatening to release the data publicly,” Selfridge says. Health care organizations are particularly vulnerable to hackers “because data is going in a lot more places than ever before,” including medical devices and platforms, document archiving and imaging, and cloud-hosted clinical and business support applications. There’s more they can do to protect themselves, including patching and segmenting devices. “That way, when we get a ransom of a device, it may not affect our critical systems,” he says.
Companies may rise to the occasion this year, partly to comply with new state laws, including in California, where the CCPA took effect Jan. 1, and in New York, where the Stop Hacks and Improve Electronic Data Security (Shield) Act takes effect in March. CCPA is a data privacy and security law, with new rights for people to delete their personal information and opt out of data selling, and requirements for companies to disclose the data they’re collecting and implement a security risk mitigation program. The Shield Act requires businesses to implement a data security program and expands the definition of personal information to include health information.
‘This Is a Larger Theme of Data Governance’
“What I’ve seen ramp up at the end of 2019 and will be a big deal in 2020 is a lot of change in how regulators view data security when it relates to health information,” Vibbert says. CCPA also allows patients and other consumers to sue companies privately for breaches, says attorney Thora Johnson, with Venable in Baltimore. “There will be a more substantial hook for private litigants and state attorneys general to bring action against companies storing medical information,” Vibbert adds. It should encourage companies to perform meaningful HIPAA security risk assessments and document them. California also has a new Internet of Things (IoT) law to improve safeguards of medical and other devices that don’t store data, such as pacemakers, she says. Meanwhile, OCR has already brought two right-of-access enforcement actions, Johnson says. “I think there will be a collective conscious culture shift” between HIPAA, CCPA and other state laws, and the General Data Protection Regulation, Europe’s comprehensive data protection and privacy framework, which applies to American companies in certain circumstances, Vibbert notes.
That feeling may intensify because of “legitimate uneasiness about data going to big organizations that aren’t traditional health care organizations,” Selfridge says. Case in point: Ascension partnering with Google in Project Nightingale. The health system will use Google’s cloud platform and G-Suite patient records, which allows Google to have access to patient records from Ascension hospital patients in 21 states, according to The Wall Street Journal. “HIPAA is not big enough to deal with it,” Selfridge says. “This is a larger theme of data governance.” OCR, however, is investigating Project Nightingale.
The Year of Medicare Advantage
For better or worse, “this will be the year of Medicare Advantage,” says Phillip Baker, M.D., medical director of case management at Self Regional Healthcare in South Carolina. As enrollment in Medicare Advantage (MA) edges up, hospitals have to brace for more denials, he says. In particular, “clinical validation audits will get worse.” Baker, who lodged a complaint with CMS against Cotiviti, which audits providers on behalf of MA plans, contends they void diagnoses in ways that contradict Coding Clinic and ICD-10 Official Guidelines for Coding and Reporting. For example, auditors deny codes for morbid obesity and body mass index, saying they have no impact on a hospital stay. When auditors remove the lone complication and comorbidity (CC) or major CC, the DRG reimbursement drops. This should worry hospitals, with the percentage of Medicare beneficiaries enrolled in MA up to 34% last year, Baker says. “We will be fighting more clinical validation audits because that’s where the money is.” He adds that facilities will be struggling “to get care paid as inpatient since the MA plans regularly attempt to only authorize payment even for multiple-day hospital stays as outpatient observation.”
In fee-for-service Medicare, auditors are now free to review total knee arthroplasties (TKAs) under the two-midnight rule because, as of Jan. 1, they have been off the inpatient-only list for two years. Medicare administrative contractors (MACs) may review them under Targeted Probe and Educate (TPE) for the appropriateness of inpatient admissions, but if they find high error rates, recovery audit contractors (RACs) will be allowed to resume reviews of TKAs. But it won’t stop there, says attorney Jessica Gustafson, with The Health Law Partners in Farmington Hills, Michigan. She predicts RACs will resume reviews of all short stays in a high-profile reversal. After RACs became politically unpopular because of their aggressive denials of inpatient admissions, CMS required them to spread their audits more evenly across provider types and stop frontline patient-status reviews, which were shifted to quality improvement organizations (QIOs), she says.
“I would expect short stays to be at the forefront of auditing activity across all auditing bodies because it was the top inpatient denial” in 2019, according to the Medicare fee-for-service improper payments report, she says.
That wouldn’t come as a shock to Ronald Hirsch, M.D., vice president of R1 RCM. “Medicare has been sitting on the two-midnight rule way too long, and at some point, they will let the RACs loose,” he says. “Maybe this is the year.” CMS has not yet announced a replacement for the two QIOs that did short-stay reviews after suddenly shutting them down last year. As a result, Hirsch says, “hospitals have been getting complacent. They’re not being as diligent at reviewing short stays to see if they should be self-denied.” That’s playing with fire, because when a new QIO and possibly the RACs rise, they can look at claims going back six months, he says.
The improper payment data also forecasts more audits of inpatient psychiatric stays, sepsis and spinal fusions, Gustafson says. Hirsch predicts a focus on inpatient rehabilitation facilities (IRFs) because of the report, which cites a 34.9% error rate. “There will be pressure on IRFs to really ensure their admissions are completely compliant” with Medicare criteria (e.g., preadmission screening within 48 hours of admission, clear documentation of the need for physician supervision).
Are Observation, Vertebroplasty on Chopping Block?
Hospitals also should be on the lookout in 2020 for observation denials, some of which may be tied to errors on the Medicare Outpatient Observation Notice (MOON), Hirsch says. Although the MOON is a condition of participation, he has gotten word that at least one MAC has denied claims for changing MOON language, which CMS prohibits. In terms of observation services, MACs may deny observation claims when patients are there longer than 48 hours. “CMS said no patient in medically necessary observation should pass a second midnight without being admitted,” Hirsch explains.
This year also may bring a slew of claim denials for kyphoplasty and vertebroplasty, he says. Two new local coverage determinations—a final from Noridian and a draft from Novitas—“have requirements that in my opinion are not standard practice” and will be hard to comply with, Hirsch says. For Medicare coverage, the LCDs require a multidisciplinary team, including a radiologist and neurologist, to agree on the medical necessity of the procedure. The inclusion of those two specialties makes no sense to him. Radiologists document the existence of a compression fraction, “but I doubt any radiologist would consider being part of that decision-making process, because it’s not part of their training, and likewise with a neurologist,” Hirsch says. “I suspect the majority of hospitals that do [the procedures] will not be looking at the LCDs, they will not get radiologists or neurologists [involved] and, if they are audited, will be denied.”
The HHS Office of Inspector General focused a lot on post-acute care and MA in 2019, but it released four provider compliance audits of hospitals very late in the year, all with large extrapolated overpayment findings—Texas Health Presbyterian Hospital Dallas, Carolinas Hospital System, Northwest Medical Center and St. Vincent Hospital. Stay tuned for more.
TPE audits will keep on keeping on, experts say. “We have about 12 going on now,” Baker says. On the inpatient side, the MAC is auditing spinal fusion and MS-DRGs (psychoses, heart failure and shock with CC and MCC and major joint lower extremity without CC or MCC). On the outpatient side, audits focus on multiple chemotherapy drugs, hyperbaric oxygen therapy, neuromuscular reeducation and therapeutic exercise. Baker says the outpatient physical therapy audit has baffled him. The clinic was paid $16.10 per encounter, and although it had a 36% denial rate on the first round—some documentation was missing, and some plans of care weren’t signed—Baker says there isn’t a return on investment for Medicare or the clinic. “The entire audit loss was $487,” and it would cost more than $500 to fix the claims. But to stay out of the MAC’s crosshairs generally, hospitals and other providers must reduce their error rates.
Prior authorization comes to Medicare July 1 for five procedures, including blepharoplasty and vein ablation, but it won’t stop there. “CMS wants to do them a lot more broadly for a lot more services, and that may be something compliance officers want to think about,” says attorney Judy Waltz, with Foley & Lardner in San Francisco. She suggests reviewing other procedures with high denial rates and canceling dubious claims.
On a brighter note, Gustafson says things are moving along at the Office of Medicare Hearings and Appeals (OMHA) because more hearings are being scheduled with administrative law judges. “We have a bunch of appeals coming up,” she says. A federal court ordered OMHA and CMS to resolve the appeals backlog by the end of 2022. According to an American Hospital Association Medicare Appeals Dashboard, 292,517 appeals were pending at the end of fiscal year 2019—a 31.4% reduction from the November 2018 court order.
New Regulations Push the Envelope
In 2020, hospitals should brace for enrollment changes because of a final 2019 CMS program-integrity regulation that could put hospitals’ billing privileges in jeopardy. The regulation, which is designed to keep bad actors out of Medicare, requires providers to disclose “affiliations” with other providers, including medical staff affiliated with the hospital. In its initial implementation of the rule, CMS will identify affiliates who have been suspended or excluded from Medicare, Medicaid or the Children’s Health Insurance Program (CHIP); owe the programs money; or had their billing privileges denied or revoked. If CMS determines the provider’s affiliates present a significant risk to Medicare, it has the authority to revoke the hospital’s enrollment based on that affiliation. To pull this off, CMS promised subregulatory guidance and will redesign the 855 enrollment form. “It’s important for compliance officers right now to consider how the affiliation rules will impact them down the line,” Waltz says. She thinks hospitals should revisit their credentialing process and rewrite their bylaws to ensure physicians and other practitioners don’t get privileges if they would be considered by CMS to pose an “undue risk” of fraud, waste or abuse, as described in the regulation. This will be tricky because there’s no public databases to check for revocations, payment suspensions or debt, “and the information may have to be gleaned on a voluntary basis, with recourse if there is an error or omission in the affiliate’s disclosure,” Waltz says.
The new Medicare discharge planning regulation is another 2020 challenge. Among other things, it requires hospitals to give patients quality data and resource use on skilled nursing facilities (SNFs), IRFs and other post-acute care providers in an easily digestible format, but the data is either “not easy to interpret or not useful,” Hirsch says. “The way most hospitals do it now is hand patients a list of local SNFs with overall star ratings, and that doesn’t meet the spirit of the law or the letter of the law.” Hirsch thinks hospitals will turn to technology to make the information meaningful. They can give patients and their families a tablet with proprietary tools (e.g., SilverSearch) to can help them research SNFs, IRFs and other PAC providers.
Meanwhile, as 2020 got underway, SNFs and nursing facilities found themselves in limbo with respect to compliance program requirements. The Affordable Care Act required long-term care (LTC) facilities, including SNFs, to adopt compliance programs, and CMS gave the blow by blow in the third of a three-part 2016 overhaul of LTC regulations. The compliance program regulation was scheduled to take effect in November 2019, but in a July 2019 proposed regulation, CMS delayed it for a year and scaled it way back. The problem is, CMS never finalized the regulation or issued guidance for surveyors on the original version. “My advice is all companies should have effective compliance programs in place regardless of what CMS does from a survey perspective,” Sanders says.
The FCA Machinery Will Grind On
Enforcement of the False Claims Act (FCA) will hit the usual suspects, including physician compensation. “What makes a sexy kickback case is the same today as it was 10 years ago,” says attorney Gabriel Imperato, with Nelson Mullins Broad and Cassel in Fort Lauderdale, Florida. The dollars will keep rolling in from FCA cases. The Department of Justice (DOJ) announced Jan. 9 that it collected $2.6 billion in FCA health care settlements and judgments in fiscal year 2019.
Imperato suggests providers also look out for kickback cases in the compounding pharmacy and durable medical equipment marketing space. Otherwise, he expects more garden-variety FCA cases (e.g., upcoding, inappropriate supervision). The opioid crisis will remain at the top of the enforcement agenda, added former federal prosecutor Robert Trusiak, an attorney in Buffalo, New York. “2020 requires health care providers to engage in critical introspection to address any historical compliance prescribing concerns, as well as ensure appropriate auditing for opioid prescribers on a going forward basis,” he says.
Allina Case Will Complicate Enforcement
It’s possible FCA lawsuits will hit drug pricing. “I can envision any number of ways there could be litigation, including FCA cases, with regard to actual costs and prices paid” at different levels of the pharmaceutical food chain “and the actual, rather than ostensible, value of what is sought to actually be billed to the government,” says attorney Stuart Gerson, with Epstein Becker & Green in Washington, D.C. Whatever the target, DOJ will face new challenges as it pursues FCA lawsuits in the wake of the 2019 Supreme Court decision in the Allina case, Gerson says. The Supreme Court ruled that CMS is required to use the rulemaking process, with its notice and comment period, to make “substantive” changes to policies that affect payment. “The Supreme Court has shown a willingness not to defer to agency interpretations, and that will only continue,” Gerson says. “CMS and FDA will have less leeway to interpret statutes and will have to rely on arguments based on literal readings of statutes.” That makes it harder to pursue enforcement actions when providers deviate from guidance rather than laws or regulations.
“Allina has potentially massive implications for these cases,” Trusiak said. DOJ recently revised the Justice Manual to acknowledge that civil or criminal violations must be based on regulations subject to notice and comment, and a recent CMS memo said the agency can’t base enforcement actions on guidance, such as Medicare manual provisions, unless it’s rooted in laws or regulations.
The intersection of the Granston memo, which is DOJ’s policy on the dismissal of FCA cases filed by whistleblowers, and the Supreme Court decision in Escobar will cause the dismissal of more FCA cases, Imperato says. In the January 2018 memo, Michael Granston, director of DOJ’s civil fraud section, said “the department should consider moving to dismiss where a qui tam complaint is facially lacking in merit—either because relator’s legal theory is inherently defective or relator’s factual allegations are frivolous.” This policy memo was significant because DOJ often declines to intervene in whistleblower cases, but almost never dismissed cases before the Granston memo, Imperato says. If DOJ declines to intervene in a case, then whistleblowers have the option to prosecute the cases on their own without DOJ. However, when DOJ dismisses a FCA case, there’s no longer an option for whistleblowers to pursue the case. DOJ’s motivation for dismissing cases, rather than just declining to intervene, often involves avoidance of getting bogged down in the case through discovery when whistleblowers proceed on their own. This possibility became more likely in the wake of the 2016 Supreme Court decision in the Escobar case, he says.
The decision states that FCA liability attaches when “the defendant submits a claim for payment that makes specific representations about the goods or services provided, but knowingly fails to disclose the defendant’s noncompliance with a statutory, regulatory, or contractual requirement” if the noncompliance is “material” to the government’s payment decision. As a result of that ruling, discovery in non-intervened cases can become burdensome for the government even though it has declined to intervene in the case, Imperato says. That’s because the defense of these cases often requires the government to produce information through discovery (i.e., depositions and production of documents) to determine if the compliance issue was “material” to the payment decision by the government and/or if the government knew of the noncompliant activity, but paid the claim anyway, Imperato says.
Preparing for Documentation Changes, Transparency
Some monumental changes are coming to hospitals in 2021, and compliance experts say it’s time to start preparing. One welcome change is CMS’s adoption of the American Medical Association’s brand-new documentation guidelines for office/outpatient evaluation and management services. Next year, physicians can’t use Medicare’s 1995 or 1997 documentation guidelines to code CPT codes 99202-99215 and the associated prolonged services codes, says Valerie Rock, a principal with PYA in Atlanta. They will base their codes on either medical decision-making or time. This is simpler and spares physicians all the counting of reviews of systems, exam elements, etc., but they have to absorb the new CPT medical decision-making framework, she says. “The complexity is remembering all the elements of medical decision-making, so physicians have to get really savvy about the requirements of those pieces,” Rock explains. Meanwhile, this year other documentation changes take effect. CMS finalized a proposal to free physicians from documenting services that are already documented by other members of the medical team (e.g., nurse practitioners, residents).
While it doesn’t appear the welcome mat is out for the price transparency regulation, hospitals are brain storming compliance with it. CMS requires hospitals to publicly post five sets of charges for all items and services, including payer-specific negotiated charges and the discounted cash price. Although the American Hospital Association and others are challenging the regulation in court, it may survive. “Hospitals will spend the course of the year seeing how it applies,” says attorney Joel McElvain, with King & Spalding in Washington, D.C. There are a lot of questions that still must be answered, he says. For example, what if hospitals are paid on value-based contracts? “The rule isn’t clear on what you should do,” he says. And what if the transparency mandate conflicts with another legal obligation? For example, the Emergency Medical Treatment and Labor Act “discourages posting of price information in the context of emergency services. Now you have one rule that says you must post pricing information and another rule that says you must not. How do you thread that needle? The agency and hospitals have to sort that out before the rule goes live Jan. 1,” McElvain says.
New Year’s Resolution for Compliance Officers
Boston attorney Torrey Young foresees more enforcement of newer delivery models. For example, with the growth in telemedicine, including Medicare’s 2020 coverage of remote patient monitoring, auditors and investigators will crack down on providers that don’t comply with Medicare regulations. This also may eventually apply to providers that miss the mark with OIG’s new proposed safe harbors for value-based enterprises and end-stage renal disease (ESRD) telehealth technology, assuming they’re finalized, says Young, with Foley & Lardner. The ESRD safe harbor, for example, would allow providers to give patients in-home dialysis telehealth technology if certain criteria are met (e.g., the treating provider must contribute “substantially” to the ESRD telehealth services). “It provides potential growth for ESRD, but the question is, if you have technology that doesn’t fit squarely within [the safe harbor], is there potential for enforcement?” However, falling outside a safe harbor doesn’t automatically subject companies to enforcement, Young notes.
For compliance officers everywhere, here’s a New Year’s resolution that’s “almost guaranteed to make them happy,” says attorney David Glaser, with Fredrikson & Byron in Minneapolis. It should be their goal to ask all employees to sign a form twice annually, attesting to the truth of one of these two statements: “I have compliance concerns” (with room to explain), and “I don’t believe there are any current compliance issues.” These forms show the government your organization is trying to detect and solve problems, he says. “From the intent standpoint, it is extremely helpful, and substantively, it helps uncover stuff,” Glaser explains. It also would undermine the credibility of whistleblowers who alleged they complained about violations and were ignored.
There’s also a continuing push for compliance programs “to be more proactive from a risk mitigation perspective,” Denham says. “You don’t want to address issues only as they occur. Every compliance officer would probably tell you the same thing.”