Overview of the Laws, Rules & Regulations associated with


“What Are the Top 10 Steps You Can Take to
Improve Your Compliance Efforts in 2014?”
Sponsored by:
Plano Office Managers Association
February 20, 2014
Presented by
Robert W. Liles, Esq.
Liles Parker PLLC
(202) 298-8750
www.lilesparker.com
Washington, DC
Presentation Outline
Compliance Tip #1: Get Back to Basics – Develop, Implement and Adhere to an
Effective Compliance Plan.
Compliance Tip #2: Carefully Screen Your Employees, Contractors and Business
Associates.
Compliance Tip #3: Conduct Due Diligence Before Establishing a New
Business Relationship.
Compliance Tip #4: Know the Benefits and Disadvantages of Participating in
HHS-OIG’s Updated Self-Disclosure Protocol.
Compliance Tip #5: Reduce Your Chances of Responding to a Criminal Referral,
Suspension or Revocation Action.
Compliance Tip #6: Recognize the Increased Risk of Enforcement Since the Passage of
the Affordable Care Act.
Compliance Tip #7: Increased Risk Associated with Breaches of HIPAA Privacy
Requirements.
Compliance Tip #8: Don’t Ignore the Increased Collection and
Investigative Actions by Private Payor SIUs.
Compliance Tip #9: Reinforce Your Medicaid Program Integrity
Efforts.
Compliance Tip #10: Increased Likelihood of Qui Tam and / or
Government False Claims Act Cases Against
Providers.
Compliance Tip #1: Get Back to Basics – Develop, Implement, and
Adhere to an Effective Compliance Plan:
• If you don’t have a Compliance Plan in place – get one NOW! If you already have a Compliance Plan, review, update and follow it.
    • An effective compliance plan is a living, breathing document. In order to be effective, it must become an integral part of your organization. It cannot simply lie dormant until an auditor shows up or a violation occurs.
    • Through an ongoing application of the plan’s policies and procedures on a daily basis, active compliance can be achieved. This will streamline your organization’s business operations, reduce the likelihood of statutory violations, help to mitigate any damages resulting from a breach, and serve as evidence that your organization is doing its best to fully comply with applicable rules and regulations.
    • When compliance begins to be a part of the daily culture of your organization, you will achieve the maximum results and rewards.
Compliance Tip #1: Get Back to Basics – Develop, Implement, and
Adhere to an Effective Compliance Plan:
• Virtually all health care providers can realize tangible, lasting benefits by implementing an effective Compliance Program. These benefits include, but are not limited to:
    (1) Proactive approach. Your organization’s adherence to the provisions of an effective Compliance Plan is a proactive way to make sure that your company is meeting all of its statutory and regulatory obligations.
    (2) Evidence of a good faith effort to follow the rules. The existence of, and adherence to, an effective Compliance Plan serves as evidence of a good faith effort to comply with applicable laws and regulations.
    (3) Sentencing guidelines. Should the government ultimately choose to pursue criminal charges against you or your organization, your use of an effective Compliance Plan will be favorably credited under the points system set out under the Federal Sentencing Guidelines.
Compliance Tip #1: Get Back to Basics – Develop, Implement, and
Adhere to an Effective Compliance Plan:
• When evaluating a practice and developing an appropriate Compliance Plan, we are sometimes asked: “Is there a downside to having a Compliance Plan in place?” Arguably, the only thing worse than not having a Compliance Plan is having one in place and not following its provisions.
    • Don’t fall victim to consultants who discourage the implementation of an effective Compliance Plan or Compliance Program. Consultants promoting this idea rely on the argument that since you did not “know” that a practice was improper, it will be more difficult to hold you liable for a violation. This argument is misplaced. Under the civil False Claims Act, “knowingly” is defined as (a) actual knowledge, (b) deliberate ignorance or (c) reckless disregard. Therefore, ignoring the issue is tantamount to sticking your head in the proverbial sand, like an ostrich. This is the same as acting in “deliberate ignorance.” This approach would clearly qualify as having knowledge under the False Claims Act.
    • Get back to basics. Work through each of the seven elements, conduct a “GAP” analysis and pay back any monies that you owe.
Compliance Tip #2: Carefully Screen Your Employees,
Contractors and Business Associates:
• A physician’s office can’t limit its screening activities to only “new employees.”
• The Compliance Officer in a physician’s office is responsible for “[e]nsuring that the HHS–OIG’s List of Excluded Individuals and Entities, and the General Services Administration’s (GSA’s) List of Parties Debarred from Federal Programs have been checked with respect to all employees, medical staff and independent contractors.” (HHS-OIG Compliance Program for Individual and Small Group Physician Practices, October 2000, Fed. Reg. 59441).
    • In Texas, HHS-OIG is very aggressive in its approach towards compliance. It expects “[a]ll [Medicaid] service providers [to] check OIG’s exclusion list monthly.” First pioneered by New York State, this trend (of requiring monthly screening checks) is steadily being adopted by states around the country.
    • The screening of employees, contractors and business associates is perhaps the quickest and easiest compliance measure that you can accomplish after leaving this class (if you have not already screened your staff).
Compliance Tip #2: Carefully Screen Your Employees, Contractors
and Business Associates:
• What is the scope of an exclusion action?
    • “Excluded persons are prohibited from furnishing administrative and management services that are payable by the Federal health care programs. This prohibition applies even if the administrative and management services are not separately billable. For example, an excluded individual may not serve in an executive or leadership role (e.g., chief executive officer, chief financial officer, general counsel, director of health information management, director of human resources, physician practice office manager, etc.) at a provider that furnishes items or services payable by Federal health care programs. Also, an excluded individual may not provide other types of administrative and management services, such as health information technology services and support, strategic planning, billing and accounting, staff training, and human resources, unless wholly unrelated to Federal health care programs.”
      “Updated: Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs.” Issued May 8, 2013
Compliance Tip #3: Conduct Due Diligence Before Establishing a
New Business Relationship.
• What due diligence steps have you taken to better ensure that a business associate will act appropriately and will not improperly use or release patient data?
    • As part of your due diligence, a physician should determine whether a business associate has taken steps to protect any financial and / or PHI that has been entrusted to their care.
    • Business associates with effective security measures in place represent less of a risk than those without appropriate and active security measures in place to protect the integrity of information shared with them.
    • Where will the business associate be storing your data?
    • What due diligence steps will they be taking when hiring staff?
    • Don’t forget “Cloud Service Provider” concerns.
Compliance Tip #4: Know the Benefits and Disadvantages of
Participating in HHS-OIG’s Updated Self-Disclosure Protocol.
• Eligibility criteria under the updated protocol. Under OIG’s Updated 2013 Provider Self-Disclosure Protocol, all health care providers, suppliers, or other individuals who are receiving funds from or submitting claims to Medicare, Medicaid, or any other federal health care program subject to OIG’s Civil Monetary Penalty (CMP) authority are eligible to participate in the program. In addition, self-disclosure is not limited to any particular industry, medical specialty, or type of service.
• Notably, entities that are currently subject to a government inquiry or are working under a Corporate Integrity Agreement (CIA) are not precluded from participating in the self-disclosure program.
Compliance Tip #4: Know the Benefits and Disadvantages of
Participating in HHS-OIG’s Updated Self-Disclosure Protocol.
• Overview of the benefits of participation. There are a multitude of benefits to be derived from participating in the OIG’s “Provider Self-Disclosure Protocol.” As these benefits reflect, OIG has diligently worked to truly encourage and reward providers choosing to self-disclose violations of federal criminal, civil, and / or administrative law. Some of these benefits include:
    • This provides an indication to OIG that a robust and effective compliance plan currently exists within the provider’s practice;
    • A presumption against requiring integrity agreement obligations in exchange for a release of OIG’s permissive exclusion authorities in resolving a self-disclosure protocol matter;
    • Paying a lower multiplier on single damages than is normally required when resolving Government-initiated investigations;
Compliance Tip #4: Know the Benefits and Disadvantages of
Participating in HHS-OIG’s Updated Self-Disclosure Protocol
• Overview of the benefits of participation, continued.
    • Mitigating potential exposure to suits under the FCA;
    • Allows a provider to participate in a streamlined OIG internal process, which reduces the average time a case is pending to less than 12 months from the time the case is accepted into the self-disclosure protocol;
    • Changed timeframes to submit the findings of a completed internal investigation and damages calculation from 90 days from acceptance into the self-disclosure protocol to 90 days from the date of the initial submission, a change from the 1998 Self-Disclosure Protocol;
Compliance Tip #4: Know the Benefits and Disadvantages of
Participating in HHS-OIG’s Updated Self-Disclosure Protocol.
• Overview of the benefits of participation (most of the below benefits could be achieved under the original 1998 protocol).
    • Better situated to give positive, balanced impression;
    • Provision of benefits within 30 days under the FCA;
    • Reduction of chances of permanent exclusion;
    • Result in benefits under the sentencing guidelines;
    • If you found the errors, someone may also find them;
    • Reduction of opportunities for a qui tam complaint;
    • “Good Corporate Citizen” label;
    • Possible avoidance of outside investigation; and
    • Maintenance of a greater degree of control over the review being conducted, minimize expenses incurred and reduce the amount of disruption caused by an internal review.
Compliance Tip #4: Know the Benefits and Disadvantages of
Participating in HHS-OIG’s Updated Self-Disclosure Protocol.
• Eligible conduct / Ineligible conduct.
    • As the Updated Provider Self-Disclosure Protocol expressly provides, the protocol is specifically designed to address violations of federal criminal, civil and / or administrative law.
    • In making a disclosure, the disclosing provider must acknowledge that the conduct is a potential violation.
    • In fact, the disclosing party must specifically identify the laws that were potentially violated.
    • Broad references to various federal laws, rules or regulations are not permitted.
Compliance Tip #4: Know the Benefits and Disadvantages of
Participating in HHS-OIG’s Updated Self-Disclosure Protocol.
• Eligible conduct / Ineligible conduct, continued.
    • Mere overpayments or errors that do not involve a violation of federal criminal, civil, or administrative law are not meant to be covered by the protocol.
    • Health care providers are directed to take overpayments and errors, where there is no violation of law, directly to the provider’s Medicare contractor for resolution.
    • Providers also cannot use the protocol to request an opinion from OIG regarding whether an actual or potential violation has occurred.
Compliance Tip #4: Know the Benefits and Disadvantages of
Participating in HHS-OIG’s Updated Self-Disclosure Protocol.
• Eligible conduct / Ineligible conduct, continued.
    • Finally, providers may not use the self-disclosure protocol to disclose an arrangement that involves only liability under the physician self-referral law (e.g., Stark), unless there is accompanying potential liability under the federal anti-kickback statute (AKS) for the same arrangement.
    • Furthermore, the Centers for Medicare and Medicaid Services (CMS) has proposed that the period for repayment of an identified overpayment will be tolled for a disclosing provider.
    • As a condition to acceptance into the self-disclosure protocol process, the disclosing provider must agree to waive and not to plead any statute of limitations, laches or similar defense to any administrative action filed by the agency relating to the disclosed conduct.
Compliance Tip #4: Know the Benefits and Disadvantages of
Participating in HHS-OIG’s Updated Self-Disclosure Protocol.
• The following information must be submitted when making a self-disclosure under the protocol.
    • The name, address, type of health care provider, provider identification number(s), and tax identification number(s) of the disclosing party and the government payors (including Medicare contractors) to which the disclosing party submits claims or a statement that the disclosing party does not submit claims.
    • If the disclosing party is an entity that is owned or controlled by, or is otherwise part of a system or network, an organizational chart, a description or diagram describing the pertinent relationships; the names and addresses of any related entities; and any affected corporate divisions, departments, or branches.
Compliance Tip #4: Know the Benefits and Disadvantages of
Participating in HHS-OIG’s Updated Self-Disclosure Protocol.
• The following information must be submitted when making a self-disclosure under the protocol, continued.
    • The name, street address, phone number, and E-mail address of the disclosing party’s designated representative for purposes of the voluntary disclosure.
    • A concise statement of all details relevant to the conduct disclosed including, at minimum, the types of claims, transactions, or other conduct giving rise to the matter; the period during which the conduct occurred; and the names of entities and individuals believed to be implicated, including an explanation of their roles in the matter.
    • A statement of the federal criminal, civil, or administrative laws that are potentially violated by the disclosed conduct.
Compliance Tip #4: Know the Benefits and Disadvantages of
Participating in HHS-OIG’s Updated Self-Disclosure Protocol.
• The following information must be submitted when making a self-disclosure under the protocol, continued.
    • The federal health care program(s) affected by the disclosed conduct.
    • An estimate of the damages to each federal health care program relevant to the disclosed conduct, or a certification that the estimate will be completed and submitted to OIG within 90 days of the date of submission. When a disclosing party can determine the amount of actual damages to Federal health care programs, the actual damages amount must be provided instead of an estimate.
    • A description of the disclosing party’s corrective action upon discovery of the conduct.
Compliance Tip #4: Know the Benefits and Disadvantages of
Participating in HHS-OIG’s Updated Self-Disclosure Protocol.
• The following information must be submitted when making a self-disclosure under the protocol, continued.
    • A statement of whether the disclosing party has knowledge that the matter is under current inquiry by a government agency or contractor. If the disclosing entity has knowledge of a pending inquiry, it must identify any involved government entity and its individual representatives. The disclosing party must also disclose whether it is under investigation or other inquiry for any other matters relating to a federal health care program and provide similar information relating to those other matters.
    • The name of an individual authorized to enter into a settlement agreement on behalf of the disclosing party.
Compliance Tip #4: Know the Benefits and Disadvantages of
Participating in HHS-OIG’s Updated Self-Disclosure Protocol.
• The following information must be submitted when making a self-disclosure under the protocol, continued.
    • A certification by the disclosing party, or, in the case of an entity, an authorized representative on behalf of the disclosing party, stating that to the best of the individual’s knowledge, the submission contains truthful information and is based on a good faith effort to bring the matter to the government’s attention for the purpose of resolving potential liability to the government and to assist OIG in its resolution of the disclosed matter.
Compliance Tip #4: Know the Benefits and Disadvantages of
Participating in HHS-OIG’s Updated Self-Disclosure Protocol.
• The following guidelines are to be followed when the self-disclosure involves false billings.
    • If a provider discloses that it has submitted improper claims to federal health care programs, the provider must review and estimate the improper amount paid by the federal health care programs and then prepare a report of its findings. These improper payment amounts or “damages” must be verified by OIG. The disclosing provider’s calculation of damages must also include a review of either:
        • All the claims affected by the disclosed matter; or
        • A statistically valid random sample of the claims that can be projected to the population of claims affected by the matter.
    • Importantly, this review should be conducted by a qualified individual, such as a statistician, accountant, auditor, consultant, and / or medical reviewer.
Compliance Tip #4: Know the Benefits and Disadvantages of
Participating in HHS-OIG’s Updated Self-Disclosure Protocol.
• The following information must be submitted if a self-disclosure involves a violation of the anti-kickback statute and Stark.
    • If a provider desires to self disclose only a Stark violation, it is supposed to go through CMS’ Stark self-disclosure protocol.
    • If an alleged violation involved anti-kickback violations OR anti-kickback violations ALONG WITH Stark violations, the following information must be submitted:
        (1) The parties’ identities involved in the arrangement(s);
        (2) The parties’ relationship to one another to the extent that the relationship affects their potential liability;
        (3) The payment arrangements;
        (4) The dates during which each suspect arrangement occurred; and
        (5) Specific legal analysis of why the arrangement(s) violate the AKS.
Compliance Tip #4: Know the Benefits and Disadvantages of
Participating in HHS-OIG’s Updated Self-Disclosure Protocol.
• How can self-disclosures be made?
    • Health care providers choosing to participate in the self-disclosure program may make their disclosure in writing to:
      Chief of the Administrative and Civil Remedies Branch
      Office of Inspector General
      Department of Health and Human Services
      330 Independence Avenue, S.W.
      Cohen Building, Room 5527
      Washington, DC 20201
    • Disclosures may also be submitted through the OIG’s website. However, at this time, self-disclosure by facsimile or other means is not being accepted by OIG.
      https://oig.hhs.gov/compliance/self-disclosure-info/index.asp
Compliance Tip #4: Know the Benefits and Disadvantages of
Participating in HHS-OIG’s Updated Self-Disclosure Protocol.
• Limitations to OIG’s self-disclosure protocol.
    • When faced with the realization that your practice or clinic has engaged in wrongful conduct that has resulted in improper billings to one or more government health care programs, it is important to remember one of life’s first lessons: “If it doesn’t belong to you, give it back.”
    • Having said that, depending on the nature of the improper billings and the facts in a given case, there may be alternatives to the self-disclosure protocol. For instance, a health care provider may ultimately choose to return any monies owed directly to their area Medicare Administrative Contractor (MAC) rather than through the protocol process.
Compliance Tip #4: Know the Benefits and Disadvantages of
Participating in HHS-OIG’s Updated Self-Disclosure Protocol.
• Limitations to OIG’s self-disclosure protocol, continued.
    • By its provisions, the Updated Provider Self-Disclosure Protocol does not cover errors or overpayments. Therefore, by choosing to participate in the program, what are you saying about the conduct at issue?
    • When you participate, you will be required to explain why you believe a federal civil, criminal, or administrative law has been violated and to cite the specific law violated. Are you prepared to do that?
    • You are going to be asked to identify the individuals responsible for the improper conduct and to identify the statutory violation the individual has committed.
    • You are going to be asked if disciplinary action was taken. If disciplinary action was taken, who was it against?
Compliance Tip #4: Know the Benefits and Disadvantages of
Participating in HHS-OIG’s Updated Self-Disclosure Protocol.
• Limitations to OIG’s self-disclosure protocol, continued.
    • There are no promises or guarantees inherent in the protocol and you may still be excluded from the Medicare program.
    • OIG cannot waive rights of third parties; other federal agencies and private payors can still come at you.
    • The internal investigation you conducted could serve as a roadmap for prosecutors.
    • Admissions against interest may be used against you.
    • Neither OIG nor DOJ is limited to investigating only what you disclosed. The investigation may be expanded to other billing areas.
Compliance Tip #4: Know the Benefits and Disadvantages of
Participating in HHS-OIG’s Updated Self-Disclosure Protocol.
• Limitations to OIG’s self-disclosure protocol, continued.
    • Be prepared to share all audit work papers.
    • OIG may ask you to waive attorney-client privilege, to assure honesty and the forthright nature of the disclosure.
Compliance Tip #5: Reduce Your Chances of Having to Respond to a
Criminal Referral, Suspension or Revocation Action:
• Referral for criminal investigation and prosecution.
• Referral for revocation action. Over the last year, the number of revocation actions recommended by contractors has significantly increased. Particular issues of concern include:
    • Failure to properly notify CMS and / or the appropriate Medicare contractor of changes in address.
    • Failure to cooperate during a site visit.
• Referral for suspension action. Additional changes to HHS’ administrative authorities under the Health Care Reform Act include:
    • Under the Health Care Reform Act, HHS-OIG (in consultation with CMS), is authorized to suspend Medicare / Medicaid payments to a provider or a supplier “pending an investigation of a credible allegation of fraud.”
    • As set out in CMS’ “Proposed” Rule published September 23, 2010: “We are proposing to revise § 405.370 to add a definition of what constitutes a ‘credible allegation of fraud,’ to include an allegation from any source, including but not limited to fraud hotline complaints, claims data mining, patterns identified through provider audits, civil false claims cases, and law enforcement investigations. Allegations are considered to be credible when they have an indicia of reliability...”
    • Is your practice prepared to work through a period of “suspension”?
Compliance Tip #6: Recognize the Increased Risk of Enforcement
Since the Passage of the Affordable Care Act.
• Health Care Reform Act changes to the Federal Anti-Kickback Statute:
    • Changes to the Federal Anti-Kickback Statute make it much easier for the government to show knowledge and intent requirements under the statute.
    • In the past, due in part to conflicting case holdings, violations of the Anti-Kickback Statute were sometimes difficult for the government to show because some Federal Courts interpreted the “knowing” (knowledge) and “willful” (intent) requirements as mandating that the government must show that a provider had specific knowledge that their actions violated the anti-kickback statute and that there was a specific intent to violate the law.
    • Under the ACA, a person may now violate the Anti-Kickback Statute without specific knowledge OR a specific intent to violate the law.
    • Notably, similar changes were made to the Criminal Health Care Fraud Statute.
Compliance Tip #6: Recognize the Increased Risk of Enforcement
Since the Passage of the Affordable Care Act.
• Recent changes to the False Claims Act:
    • Changes to the False Claims Act were passed last year under the Fraud Enforcement and Recovery Act (FERA) which made it clear that any person who knowingly concealed or knowingly and improperly avoided an “obligation to pay” would be liable under the False Claims Act’s reverse false claims provisions.
    • Changes to the False Claims Act were also subsequently covered in the Health Care Reform bill passed last March. Importantly, the Health Care Reform Act defined “overpayments” as “any funds that a person receives or retains” under Medicare or Medicaid, to which they are not entitled.
    • The Health Care Reform Act further provides that all overpayments must be reported and refunded within 60 days of being identified. What does “identified” mean?
    • Moreover, the legislation made it clear that a repayment retained by a person after the deadline for reporting and returning the “overpayment” is an “obligation” for purposes of the False Claims Act.
    • The bottom line is clear – should you identify an overpayment, it must be repaid within 60 days or the provider may be liable under the False Claims Act.
Compliance Tip #6: Recognize the Increased Risk of Enforcement
Since the Passage of the Affordable Care Act.
• Permissive exclusion authorities have been expanded:
    • Prior to recent changes under the ACA, there were already both mandatory and permissive bases for exclusion from participation in Medicare.
    • HHS-OIG can exclude any individual or entity that knowingly makes or causes to be made a false statement or omission in an application, agreement, bid or contract to participate or enroll as a provider or supplier under a Federal health care program.
    • In light of the importance of an accurate application for participation, providers are advised to engage the assistance of legal counsel or other qualified entity when completing the application.
Compliance Tip #6: Recognize the Increased Risk of Enforcement
Since the Passage of the Affordable Care Act.
• Increased HEAT activity and enforcement:
    • Recoveries are at an all-time high: FY 2012, the government recovered a historic $4.2 billion and has returned a record-breaking $14.9 billion dollars to taxpayers between 2009 and 2012, up from $6.7 billion dollars over the prior four years.
    • Prosecutions are up: Charges have been brought against more than 1,400 defendants who collectively have falsely billed the Medicare program more than $4.8 billion since 2007. In 2012, the Department of Justice opened 1,311 new criminal health care fraud investigations involving 2,148 defendants.
    • Sentences are longer: Under the Affordable Care Act, criminals convicted of fraud now face 20 to 50 percent longer sentences for crimes that involve more than $1 million in losses. The law also establishes penalties for obstructing a fraud investigation or audit.
    • Targeting improves: Starting June 2011, CMS began screening all fee-for-service Medicare claims through the new Fraud Prevention System. Similar to the technology used by credit card companies, the Fraud Prevention System applies predictive analytic technology to claims prior to payment to identify aberrant and suspicious billing patterns.
Compliance Tip #6: Recognize the Increased Risk of Enforcement
Since the Passage of the Affordable Care Act.
• Increased HEAT activity and enforcement, continued:
    • Senior Medicare Patrols: In 2012, the Secretary awarded 54 states and territories with funding to support the Senior Medicare Patrol programs. Last year, these programs taught more than 2 million beneficiaries how to look for Medicare fraud. Local Senior Medicare Patrol offices provide assistance when such issues are identified, so that mistakes are corrected and suspected fraud referred to the appropriate authorities. Since 1997, more than 1.5 million seniors and their caregivers have contacted the Senior Medicare Patrol to ask questions or report potential fraud.
    • Enhanced Provider Screening and Enrollment Requirements: CMS has implemented powerful anti-fraud tools from the Affordable Care Act. Providers and suppliers wishing to participate in Medicare, Medicaid, and the Children’s Health Insurance Program (CHIP) who may pose a higher risk of fraud or abuse are now required to undergo a higher level of scrutiny.
Compliance Tip #7: Increased Risk Associated
with Breaches of HIPAA Privacy Requirements:
• HIPAA / HITECH privacy violations.
    • Penalties: Failure to comply with HIPAA can result in civil and criminal penalties (42 USC § 1320d-5).
        • Civil Penalties – CVS was fined $2.25 million for failure to properly dispose of protected information.
        • Criminal Penalties – Earlier this year, a physician in Los Angeles, CA, was sentenced to four months in prison after admitting he improperly accessed and read electronic medical records of celebrities and others.
    • Disclosures of Breach: Last year, there were a record number of breaches affecting 500 or more individuals.
        • Most involved hard copy and / or electronic protected health information (about 1/4 typically involve paper records and 3/4 typically involve electronic records).
        • The vast majority of breaches involved theft or loss of the records.
        • Many of these thefts could have been avoided with appropriate security measures.
    • Business Associate Concerns / Training.
    • Omnibus Final Rule Issues.
Compliance Tip #7: Increased Risk Associated with
Breaches of HIPAA Privacy Requirements.
HIPAA / HITECH privacy violations – case examples.

Physician Revises Faxing Procedures to Safeguard PHI
Covered Entity: Health Care Provider
Issue: Safeguards
A doctor's office disclosed a patient's HIV status when the office mistakenly
faxed medical records to the patient's place of employment instead of to the
patient's new health care provider. The employee responsible for the
disclosure received a written disciplinary warning, and both the employee
and the physician apologized to the patient. To resolve this matter, OCR also
required the practice to revise the office's fax cover page to underscore a
confidential communication for the intended recipient. The office informed
all its employees of the incident and counseled staff on proper faxing
procedures.
Compliance Tip #7: Increased Risk Associated with Breaches of
HIPAA Privacy Requirements.
HIPAA / HITECH privacy violations – case examples.

Dentist Revises Process to Safeguard Medical Alert PHI
Covered Entity: Health Care Provider
Issue: Safeguards, Minimum Necessary
An OCR investigation confirmed allegations that a dental practice
flagged some of its medical records with a red sticker with the word
"AIDS" on the outside cover, and that records were handled so that
other patients and staff without need to know could read the sticker.
When notified of the complaint filed with OCR, the dental practice
immediately removed the red AIDS sticker from the complainant's
file. To resolve this matter, OCR also required the practice to revise
its policies and operating procedures and to move medical alert
stickers to the inside cover of the records. Further, the covered
entity's Privacy Officer and other representatives met with the
patient and apologized, and followed the meeting with a written
apology.

Private Practice Provides Access to All Records, Regardless of
Source
Covered Entity: Private Practice
Issue: Access
A private practice denied an individual access to his records on the
basis that a portion of the individual's record was created by a
physician not associated with the practice. While the amendment
provisions of the Privacy Rule permit a covered entity to deny an
individual's request for an amendment when the covered entity did
not create the portion of the record subject to the request for
amendment, no similar provision limits individuals' rights to access
their protected health information. Among other steps to resolve the
specific issue in this case, OCR required the private practice to
revise its access policy and procedures to affirm that, consistent
with the Privacy Rule standards, patients have access to their record
regardless of whether another entity created information contained
within it.

• HITECH amended HIPAA enforcement violations to include a tiered penalty
structure and mandatory penalties for “willful neglect.”
• As of 2009, HHS must base its penalty determination on the nature and
extent of the violation and whether the violation has been corrected. HHS
must also consider whether the violator knew he or she was committing a
violation and the level of correction within the organization.
• The range of CMPs depends on whether an individual is a first time or a
repeat violator. Agencies sometimes may waive or reduce an excessive
penalty or may settle a case if the entity becomes compliant.
HIPAA / HITECH – Civil Monetary Penalties.

Civil Monetary Penalties Tiers Include:

A. Applies if the offender did not know, and by exercising reasonable diligence would not have known, that he or she violated the law. The penalty ranges from $100 to $50,000 per violation, except that the total imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $1.5 million.

B. Applies if the violation was due to reasonable cause and not willful neglect. Specifically, the offender knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the offender did not act with willful neglect. The penalty is $1,000 to $50,000 per violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $1.5 million.

C. Applies if the violation was due to willful neglect but was corrected. Specifically, the violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the offender corrected the violation within 30 days of discovery. The penalty is $10,000 to $50,000 per violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $1.5 million.

D. Applies if the violation was due to willful neglect and was not corrected. Specifically, the offender consciously acted with intentional failure or reckless indifference to fulfill its obligation to comply with HIPAA, and the offender did not correct the violation within 30 days of discovery. The penalty is at least $50,000 per violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $1.5 million.

Compliance Tip #8: Don’t Ignore the Increased Collection and
Investigative Actions by Private Payor SIUs:

Private payor contractual enforcement actions and referrals to DOJ are
serious.

It is rare to find a case where only Medicare was adversely affected by a
provider’s improper billing practices.

Private payors are participating in Health Care Fraud Working Group
meetings with DOJ and Federal agents.

While the government generally receives – rather than shares –
information, once a case is filed or indicted the information becomes
“public” and can readily be shared with the private payors’ “Special
Investigation Units.”

Private payors are “riding in the wake” of the government’s case, so to
speak.
Compliance Tip #9: Reinforce Your Medicaid Program
Integrity Efforts:

• Medicaid RACs.
(1) ACA Requirement -- Under the Affordable Care Act, every State was required
to establish a new Medicaid RAC program. While these programs are still in the
process of formation, Medicaid providers should take care to ensure that all
Medicaid billings are appropriately handled.
• Medicaid Integrity Contractors (MICs).
(1) Review MICs – Analyze Medicaid claims data to identify irregular claims and
billing vulnerabilities. Review MICs identify possible provider “leads” so that
Audit MICs can target their audit activities.
(2) Audit MICs – Conduct post-payment audits of Medicare providers and
identify alleged overpayments.
(3) Education MICs – Work with the Review and Audit MICs to educate health
care providers, State Medicaid officials and others about Medicaid program
integrity issues.
Compliance Tip #10: Increased Likelihood of Qui Tam and / or
Government False Claims Act Cases Against Providers:

Increased number of qui tams based on overpayments.

Now, more than ever before, it is important that you
carefully review your Compliance Plan and ensure that any
and all risks are carefully assessed as part of your
ongoing efforts to remain compliant.

Both the Federal and State governments are recovering
enormous funds as a result of whistleblower cases and
government-led cases filed under the Federal or State
False Claims Act.
QUESTIONS
This outline is provided as general information only. It does not
constitute legal advice and should not be used as a substitute for
seeking legal counsel. Robert W. Liles is an attorney in the
Washington, DC Firm of Liles Parker. The Firm has offices in:
McAllen, TX / Houston, TX / Baton Rouge, LA
Washington, DC
Mr. Liles may be contacted at (202) 298-8750 or by e-mail at
[email protected]
Firm Websites / Blogs:
www.lilesparker.com
www.zpicaudit.com