The Health Insurance Portability and Accountability Act (HIPAA) and the Patient Protection and Affordable Care Act (ACA) jointly create national standards for electronic transactions, code sets, and unique identifiers. The ACA introduced Administrative Simplification provisions in 2010, and now the Centers for Medicare and Medicaid Services (CMS) has launched a Compliance Review Program to ensure that HIPAA covered entities are abiding by the Administrative Simplification rules.
The Centers for Medicare and Medicaid Services (CMS), in its efforts to strengthen the nation’s health care through its oversight of health care programs, including Medicare, has continuously made strides to ensure its beneficiaries receive the quality and affordable health care they need. The U.S. has struggled for years with the quality of care provided in nursing homes to its most vulnerable citizens. Nursing homes have remained highly regulated, but the U.S. government has failed to hold the nursing home industry accountable for the poor quality of care provided. America’s shortage of nurses has contributed to the poor quality of care that leads to life-threatening problems for Medicare beneficiaries living in nursing homes. Furthermore, despite the nursing home industry’s large profitability and the level of hands-on care that the nurses provide, the pay for staff nurses in nursing homes is less than at other major employers. Thus, CMS has implemented regulations to guarantee nursing homes are properly staffed in order to improve resident care and safety by monitoring payroll-based data and holding nursing homes accountable for poor care by minimizing reimbursement for conditions that could be averted with better oversight.
In August, the U.S. Department of Health and Human Services (“HHS”) Office of Inspector General (“OIG”) added a focus to its Work Plan on the oversight of nursing facility staffing levels. These changes were made in light of backlash from a July 2018 news article which reported that nearly 1,400 nursing homes had fewer qualified staff on duty than they were required to have, or failed altogether to provide reliable staffing information to the Centers for Medicare and Medicaid Services (“CMS”).
On September 7, 2018, the United States District Court in the District of Columbia (“D.C. District Court”) vacated Medicare’s overpayment “report and return” rule as applied to Medicare Advantage Organizations (“MAOs”). The Patient Protection and Affordable Care Act (PPACA) created the requirement to report and return overpayments. The Centers for Medicare and Medicaid Services (CMS) issued rules to provide definitions that the PPACA did not define and to create a procedure, payment options, and timeframes. MAOs may no longer need to comply with CMS’ overpayment rule, but the PPACA remains intact. Providers who service Medicare beneficiaries will need to conduct the same analysis in order to comply with the PPACA “report and return” requirement.
Protected Health Information is seeing a surge of breaches on the cyber security front due to contractor error. It’s also impacting the most consumers in comparison to other data breaches and, in some cases, has the power to cause chaos in national infrastructure. Advances in technology and compliance measures can stem the tide and protect the most valuable information in consumers’ lives.
In a time when data breaches occur fairly frequently, whether it’s credit card information being stolen from department stores or a credit reporting bureau breach affecting hundreds of millions of customers, keeping personal information private seems to get harder every day. That fact may give patients pause when they are asked to sign up for an electronic health record account. A 2017 survey listed electronic health record management as one of patients’ top concerns. Changes in recent years have led to changes in compliance measures that make electronic health records security an added benefit to patients and ensure the continued increase of their adoption.
A Finance Director for UnitedHealth Group brought a qui tam suit against UnitedHealth Group, Inc., alleging that the organization upcoded risk adjustment data, resulting in increased payments (more than $1.14 billion) to UnitedHealth Group. The Department of Justice (DOJ) intervened in the case, yet UnitedHealth Group was successful in getting the primary False Claims Act claims dismissed by arguing that the Centers for Medicare & Medicaid Services (CMS) would not have refused to make the adjustment payments had they known of the errors in the risk adjustment. The Escobar materiality standard helps clarify the threshold level of risk to Managed Care Providers in attesting to their risk adjustment payments; the falsities must have had an impact on the respective payment.
This summer I had the opportunity to intern with the Office of Inspector General for the U.S. Department of Health and Human Services (OIG) in Washington, DC. I thoroughly enjoyed my time with OIG, and I learned a great deal about health care fraud, waste, and abuse. In spending my summer with OIG, I had a glimpse into the powerful regulatory bodies that protect the health care market from abuse. As I move forward with my career in regulatory work, I will take with me the invaluable experiences and skills from my internship.
Kaitlin Lavin, Executive Editor, Loyola University Chicago School of Law, JD 2017
Last May, the Centers for Medicare and Medicaid Services (CMS) issued a final rule for Medicaid managed care, which told states to stop making pass-through payments to healthcare providers. Pass-through payments have played a critical role in funding safety net hospitals which …
ADAM C. SOLANDER is a Member of Epstein Becker Green’s Health Care and Life Sciences practice, in the firm’s D.C. office. Mr. Solander advises clients on data breach/cybersecurity issues across industry lines, including compliance with HITECH, HIPAA, PCI, JCAHO, CMS, ISO, NIST, and various other federal, state, and business requirements.
The following is an interview with him discussing the unique cybersecurity challenges facing the healthcare sector, and how the industry can move past HIPAA compliance to a more robust definition of privacy and security.