1. Life Services Network
2011 Annual Meeting
March 23 – 25
Health Care Regulatory Exposures:
An Evolving Landscape
Katherine M. Keefe
Chair, Health Care Practice
Dilworth Paxson LLP
Christopher M. Breck, CIC, ARM
Managing Director of Healthcare
Alper Services, LLC
Sharon M. Livas
Sr. Vice President – Healthcare
Alper Services, LLC
2. Health Care Regulatory Exposures:
An Evolving Landscape
Illinois Workers Compensation Reform
Christopher M. Breck, CIC, ARM
Managing Director of Healthcare
Alper Services, LLC
Sharon M. Livas
Sr. Vice President – Healthcare
Alper Services, LLC
4. Illinois
Talks of Workers’ Compensation
Reform
Stakeholders
Dr’s
Business
Labor
Lawyers
Workers
Politicians
5. Illinois
Talks of Workers’ Compensation
Reform
Most Expensive Change in Rank
States 2008 vs. 2010
Montana 2-1
Alaska 1- 2
Illinois 10 -3
Oklahoma 9-4
California 13 - 5
Connecticut 20 - 6
New Jersey 16 - 7
6. Illinois
Talks of Workers’ Compensation
Reform
Current Causation
Accident need only be a causative factor
May be based on a sequence of events without
medical testimony
Aggravation of pre-existing condition
7. Illinois
Talks of Workers’ Compensation
Reform
Proposed Causation
Change work related condition to be “caused” by
work as PRIMARY factor
Current indefensible standard allowing work to
be “a” cause not “the” cause.
8. Illinois
Talks of Workers’ Compensation
Reform
Current Choice of Medical Care
Employee has choice of up to 2 treating
physicians and referrals
Proposed Choices for Medical Care
1st choice to Employer; 2nd choice to Employee
9. Illinois
Talks of Workers’ Compensation
Reform
Current AMA Standards
Not applied in IL
38 states recognize guidelines
Proposed AMA Standards
Require objective findings of disability based on
AMA guidelines
10. Illinois
Talks of Workers’ Compensation
Reform
Current Wage Differential
Lifetime benefit requires physical rather than
economic change
Unlimited Number of awards
Based on Maximum state average weekly
wage
11. Illinois
Talks of Workers’ Compensation
Reform
Proposed Wage Differential
Cap until Age 67 or 5 years post injury
Allow modification based on a material increase in
earnings
Cap benefit at max PPD rate
12. Illinois
Talks of Workers’ Compensation
Reform
Current Intoxication Defense
There is none
13. Illinois
Talks of Workers’ Compensation
Reform
Proposed Intoxication Defense
Create rebuttable presumption that there will be NO
benefits if alcohol level is . 08 or above or any other
illegal substance OR refuses testing
14. Illinois
Talks of Workers’ Compensation
Reform
Current Fee Schedule
Medical Fee Schedule 2nd highest in the country
(WCRI)
15. Illinois
Talks of Workers’ Compensation
Reform
Proposed Schedule
Reduce 15-20%
Provide reimbursement for out of state
procedures, treatments and supplies
Cap reimbursements for Implants at cost plus of
25%
16. Illinois
Talks of Workers’ Compensation
Reform
REFORM
+ EARLY INTERVENTION
+ SAFETY TRAINING
+ HIRING PRACTICES
=
LOWER COSTS AND
HEALTHY EMPLOYEES
17. Illinois
Talks of Workers’ Compensation
Reform
How does IL rank in costs?
If my blood alcohol is .06, will my Work Comp
clam be paid?
What year were the last reforms made to the
system?
18. Illinois
Talks of Workers’ Compensation
Reform
Why have medical costs increased faster in
workers compensation vs. health plans?
What can you personally do to help reforms be
adopted in Illinois?
19. Health Care Regulatory Exposures:
An Evolving Landscape
Enforcement Overview
Specific areas of regulatory risk
Acquired conditions
RAC
Privacy
Excluded Individuals
Compliance Programs
21. Overview of the Health Care Industry:
Enforcement Agencies
HHS Centers for Medicare & Medicaid Services
(CMS)
Food and Drug Administration (FDA)
Office of Inspector General (OIG)
Department of Justice (DOJ)
Federal Bureau of Investigation (FBI)
HHS Office of Civil Right (OCR)
State Attorneys General
Private Litigants
22. Centers for Medicare &
Medicaid Services (CMS)
Within HHS, administers Medicare, Medicaid,
State Children's Health Insurance Program
(SCHIP), HIPAA (transactions) CLIA, other
programs
90 million beneficiaries
$650 billion budget
"Stewards accountable for resources and
effectiveness"
23. Office of Inspector General
(OIG)
OIG mandated by law to protect integrity of HHS
programs, and health and welfare of program
beneficiaries
OIG responsible to report to Secretary of HHS and
Congress problems and recommendations
OIG duties carried out through a nationwide
network of audits, investigations and inspections
24. OIG Initiatives
Annual work plans
Self-disclosure protocol
Recently refined
Good faith disclosures
Imposes Corporate Integrity/Compliance
Agreements
Compliance Program Guidance
Provider-specific (i.e., hospital, home health,
lab, DME)
Nursing facility guidance
25. OIG 2011 Work Plan
Senior services focus includes:
Nursing home payment and oversight
Assessment of atypical antipsychotic drugs
Nursing home resident hospitalizations
Criminal background checks for nursing home
employees
Emergency preparedness
26. FALSE CLAIMS ACT
31 U.S.C. §§ 3729-2733 imposes civil liability
against a person or entity that:
Knowingly (can be shown by reckless disregard
for the truth)
Presents a false claim for payment, or
Uses a false record or statement to get a claim
paid or approved, or causes a third party to do
either of above
Treble damage award
Additional penalty for each claim between $5,000
and $11,000.
27. FCA Whistleblower ("Qui Tam")
Provisions
Private citizen whistleblower ("relator") files action
and submits to U.S. Attorney for review
Government investigates and decides whether to
intervene
If government does not intervene, relator may pursue
action on his/her own, in the shoes of the
government.
Relator may receive
up to 25% of award if government intervenes
30% if government does not intervene and relator
pursues
28. Majority of False Claim Actions Come
from Whistleblowers
Whistleblowers are
everywhere
From lower level
employees to
professionals or executive
employees
29. Computation of FCA Judgment
$334 million judgment (3/07) against AmeriGroup health plan
Illinois hired Amerigroup to administer Medicaid managed
care program
Amerigroup alleged to have avoided pregnant women and
others with expensive health conditions
False Claims Action
Whistleblower was former head of government relations;
received between 15% and 25% of award.
Judgment Total: Jury award: $48 million in damages,
trebled (x3) = $144 million, judge assessed penalty of
$10,500 on each of 18,130 claims = $190,365,000
TOTAL: $334 million.
Other costs – employee time and lawyers' fees
30. Social Security Act
Relevant Provisions
42 U.S.C. § 1320a-7: Exclusion of individuals and
entities from participation in Medicare and State
health care programs
42 U.S.C. § 1320a-7a: Civil monetary penalties
42 U.S.C. § 1320a-7b: Criminal penalties for action
involving Federal health care programs
31. Anti-Kickback Statute (criminal)
Knowingly and willfully
Offer, pay, solicit or receive
Any remuneration (in cash or in kind)
To induce (or, in exchange for)
The purchasing, ordering, or recommending of
any good or service reimbursable by the
Medicare, Medicaid or other federally funded
health care programs
Penalties: up to 5 years imprisonment, $25,000
fine, or both
32. Stark Law (civil)
Physician (including immediate family members) with a financial
relationship with an entity, may not refer Medicare or Medicaid
patient to that entity, and entity may not bill for "designated health
services." Penalties include refunding improper claims and CMPs
of up to $15,000 per claim
Designated Health Services:
Lab -Parenteral, enteral nutrition
PT -Prosthetics, orthotics
OT -Home health services, supplies
Radiology -Outpatient drugs
Radiation therapy -Inpt/Outpt hospital services
DME
33. Health Care Reform – Patient Protection
and Affordable Care Act
(“PPACA”)
Oversight and enforcement increased, including:
Fraud enforcement funding: additional $10 million
yearly for years 2011 - 2020; $250 million over
years 2011 - 2016
Subpoena and testimony powers expanded for HHS
and OIG
Medicaid exclusions expanded: states must terminate
provider excluded by Medicare or another state;
Medicaid exclusion for failure to repay
overpayments
34. PPACA Expansion of
Oversight and Enforcement
Anti-Kickback intention standard eased;
Stark self-disclosure expectations increased
Provider enrollment: program participation
screenings depending on “low”, “moderate”
or “high” risk levels
36. Emergence of "Value Based
Purchasing"
Current Medicare payment system: consumption and
quantity of care
Center of Medicare and Medicaid Services (CMS)
transforming Medicare from passive to active
purchaser
Goal: increase quality, avoid unnecessary costs
VBP drivers: Congress, MedPAC and IOM reports,
private sector
Medicare Trust Fund solvency
37. Emergence of “Value-Based
Purchasing”
Value-Based Purchasing Initiatives
Hospital Pay for Reporting
Hospital VBP Plan
VBP Nursing Home Demonstration
VBP programs will affect home health,
physicians & other providers
Against VBP backdrop, HAC rules emerged
38. Legal Basis of HAC Payment Rules
Deficit Reduction Act of 2005, Section 5001(c)
Required CMS to select at least two conditions:
High cost, high volume, or both
Assigned to higher-paying DRG if present as
secondary diagnosis
Reasonably prevented through using evidence-
based guidelines
39. Legal Basis of HAC Payment Rules
Deficit Reduction Act
October 1, 2007: Hospitals required to submit
claims data indicating whether diagnoses are
"present on admission"
October 1, 2008: No payment for care associated
with Hospital Acquired Condition (“Never
Event”) unless identified as present on
admission
Medicare hospital payment regulations specify
Hospital Acquired Conditions and include "Never
Events"
40. Initial Hospital Acquired Conditions,
including "Never Events"
Object left in body after surgery*
Air embolism*
Blood incompatibility*
Catheter-associated urinary tract infection
Decubitus ulcers
Vascular catheter-associated infection
* “Never Events”
41. Initial Hospital Acquired Conditions
(cont.)
Surgical site infection-mediastinitis after CABG
Falls-specific trauma codes
Extreme manifestations of poor glycemic control
Surgical infection post certain orthopedic, bariatric
surgeries
DVT/PE post hip, knee replacement surgeries
42. Acquired Conditions and Health
Reform: Medicare
PPACA requires Secretary of HHS to study expansion
of Medicare HAC regulations to
Rehab hospitals
Long-term acute care hospitals
Hospital outpatient departments
Skilled nursing facilities
Others
Report due to Congress by January 1, 2012
Impact on quality, safety and cost of care
43. Acquired Conditions and Health
Reform: Medicaid
By July 1, 2011, PPACA requires state Medicaid
programs to ensure that Medicaid payments are not
made for conditions covered by Medicare HAC policy
Certain Medicare HACs may be excluded if
inapplicable to Medicaid populations
February 17, 2011 proposed regulations
“Provider-Preventable Conditions,” “Other Provider-
Preventable Conditions”
Could have reasonably been prevented through
application of evidence-based guidelines
Not limited to inpatient hospital settings
45. The RAC Program: Background
Congressional Authority
Medicare Prescription Drug Improvement and
Modernization Act of 2003
Directed establishment of demonstration
program
Tax Relief and Health Care Act of 2006
Expanded claims RAC nationwide in 2010
46. The RAC Program: Key Features
To identify improper payments made on claims
for health care services provided to Medicare
beneficiaries
RAC Program is separate from/addition to existing
processes for identifying overpayments by
Medicare Affiliated Contractors (MACs)
47. The RAC Program: Key Features
Two types of RACs
Medicare Secondary Payer (MSP) RACs
Claims RACs
Affected providers include physicians, hospitals,
SNFs, inpatient rehab, clinical labs, DME
Medicare Advantage and Part D claims excluded
from RAC review
RACs receive contingency payments
48. RAC Program: Key Features
RAC Review Process
RAC review of claims data files
Look-back period—Was 4 years in
demonstration, now 3 years
RACs may not review claims already reviewed,
ongoing post-payment medical review claims,
claims under fraud, criminal investigations
Automated and Complex claims reviews
49. RAC Collection / Appeal Process
Collection same as for Medicare contractor –
identified overpayments
Recoupment via offset unless provider submits check
or valid appeal
Appeal timeframes
http://www.cms.gov/MLNproducts/downloads/
MedicareAppealsProcess.pdf
50. Medicaid RAC Program
PPACA requires states to contract with one or more
RACS by December 31, 2010 (postponed)
November 10, 2010 proposed regulations; new
implementation date with final regulations
State plan amendments due December 31, 2010
Contingency fee payments (like Medicare RACS)
State may use current Medicaid appeals process for
RAC appeals
State variations likely – look-back periods, types of
claims reviewed
52. HIPAA Basics
HIPAA applies to Covered Entities
"Covered Entities"
Health care providers who transmit electronic
standard transactions
Health plans, including employer sponsored
health benefits plans
Health care clearinghouses: entities that process
electronic data formats
53. HIPAA Basics
HIPAA also regulates "Business Associates"
(effective February 17, 2010)
A Business Associate performs functions or
activities on behalf of a Covered Entity and uses or
accesses PHI to do so.
Business Associate functions include management,
administrative, legal, actuarial, accounting and
consulting
Business Associate Agreement required between
Covered Entity and Business Associate
54. HIPAA Privacy Rule Basics
Basic Rule
No use or disclosure of PHI by Covered Entities
unless authorized by the individual or permitted
by the Privacy Rule
Permitted uses/disclosures include
For treatment, payment and health care
operations purposes ("TPO")
To the patient
Specific exceptions list in the regulations
55. HIPAA Enforcement Basics
HHS Office of Civil Rights ("OCR") enforces
HIPAA privacy and security regulations
Statutory civil monetary and criminal penalties for
HIPAA violations
No private right of action under HIPAA, however
State Attorneys General now authorized to bring
suit, in addition to U.S. Attorneys
OIG Work Plan targets hospital security controls
for PHI on portable devices, privacy and breach
response compliance
56. HIPAA Enforcement
Resolution Agreements: (Providence Health,
CVS/Caremark, Mass General)
HIPAA prosecutions
Criminal cases involving the use/disclosure of
PHI for personal gain (Gibson, Ferrer and
Machado, Ramirez)
Criminal cases involving inappropriate access
to PHI (Zhou, Holland, Miller and Griffen)
HITECH clarified that individuals may be
prosecuted
57. HIPAA Updated by HITECH
American Recovery and Reinvestment Act of
2009, February 17, 2009 (ARRA)
Title XIII, Health Information Technology for
Economic and Clinical Health Act (HITECH)
Bureaucracy for national EHR infrastructure to
set EHR standards, administer EHR stimulus
funding
Medicare and Medicaid reimbursement
methods to incent EHR adoption
New HIPAA privacy and security requirements
58. HITECH: New Federal breach
notification requirements
Prior to HITECH, covered entities were not
required to notify patients of breaches of PHI,
unless required by state law
HITECH breach regulations 45 C.F.R. 164.400-414
Effective 9/23/09, covered entities must notify
patients whose unsecured PHI has been breached
HIPAA business associate must notify covered
entity when unsecured PHI has been breached
59. Illinois Personal Information
Protection Act
Notice to IL residents of unauthorized acquisition
of computerized data that compromises the
security, confidentiality or integrity of personal
information
Personal information: first initial or name/last name
with SSN# or driver’s license #/state ID # or
account/credit/debit card # with or without access
code
Notice must be made in the “most expedient time
possible” and “without unreasonable delay”
60. "Breach" under HITECH
Not all impermissible uses or disclosures are
breaches
"Breach" = unauthorized acquisition, access, use
or disclosure of PHI which compromises the
security or privacy of the information
"Compromises" = poses a significant risk of
financial, reputational or other harm to the
individual
61. Breach risk assessment
Must be performed in order to determine whether
there is a significant risk of harm
Must be documented, as covered entity's (and
business associate's) burden of proof includes
demonstrating that a use or disclosure was not a
breach
62. Breach risk assessment under
HITECH
Data files containing
Patient names
Patient names and social security numbers
Patient names in files labeled "CHF“
Health plan identification numbers
Claims information including procedure codes
63. Breach investigations and Business
Associates
HITECH requires
BA to notify CE of breach of unsecured PHI
Notice shall include, to extent possible,
identification of each individual affected
BA to provide CE with any other available
information that CE is required to include in
individual notice
Notice must be provided without unreasonable
delay and in no case later that 60 days after
discovery of breach
64. HITECH Breach Notice Requirements
Individual Notice
To each individual whose unsecured PHI has
been breached
If 10 or more individuals for whom there is
insufficient contact information, substitute notice
required
Conspicuous website posting for 90 days
Notice in major print or broadcast media
Toll-free number active for 90 days
To next of kin or personal representative of
deceased individuals, if address known
65. HITECH Breach Notice Requirements
Individual Notice
"Without unreasonable delay," but no later than 60
days after discovery of breach
In writing, by first class mail, unless individual as
agreed in advance to email communications
By telephone, if possibility of imminent misuse of
PHI
Law enforcement delay: Upon written or oral
statement by law enforcement official that notice
or posting would impede investigation
66. Content of Individual Notice
Description of what happened, date of discovery
Types of PHI involved
Steps individual can take to protect from potential
harm
Description of what health plan is doing to
investigate, mitigate losses and protect against
further breaches
Contact for questions, including a toll-free phone
number
67. HITECH Breach Notice Requirements
Notice to the media
Breach involving more than 500 residents of a
state or jurisdiction
Prominent media outlets serving the state or
jurisdiction
Same content and timing requirements as for
individual notice
Press release indicated by OCR as expected form
of media notice
68. HITECH Breach Notice Requirements
Notice to the Secretary
If breach involves 500 or more individuals,
notice to be provided contemporaneously with
individual notice
If breach involves fewer than 500 individuals,
log must be maintained and reported annually
not later than 60 days after end of each calendar
year
Forreports of 500 or more, expect indication of
further follow-up by OCR
69. Additional requirements
Policies and procedures for compliance with
HITECH breach notice requirements
Training workforce regarding breach policies and
procedures
Sanctions for non-compliance
70. Breach response realities
Have ready to go
Data breach reporting policies and procedures,
consistent with HIPAA policies and training
requirements
Data breach response policy, pre-selected
response team
Risk assessment documentation template
Template notice letter
Data breach liability policy?
72. Excluded Individuals
Bases for exclusion from Medicare or Medicaid
program participation
Sexual assault
Patient abuse
Failure to repay HEAL loans
Criminal convictions related to program
Criminal convictions related to controlled substances
Licensure issues
73. Excluded Individuals
No Medicare, Medicaid or any other Federal health
care program payment may be made for items or
services (1) furnished by an excluded individual,
or (2) directed or prescribed by an excluded
physician (itemized claims, cost reports, fee
schedules or PPS payments)
Civil monetary penalties (CMPs) may be imposed
for submission of improper claims, including
claims submitted by an excluded individual
74. Excluded Individuals
OIG Special Advisory Bulletin
Prohibition extends to administration and
management services not directly related to
patient care
Prohibition continues to apply even if individual
changes health professions while excluded
No Federal program payment may be made to
cover individual’s salary, expenses or benefits
regardless of whether direct patient care is
provided
75. Excluded Individuals
OIG Special Advisory Bulletin
To avoid CMP liability, check OIG List of
Excluded Individuals/Entities prior to hiring or
contracting and periodically
Check Excluded Parties List System
(maintained by the GSA) also
State Medicaid list
76. Compliance Programs – Today Voluntary
OIG Compliance Guidance for Nursing Facilities
(2000; Supplemental guidance 2008)
Quality Care (staffing, training)
Accurate claims (upcoding, therapy services,
excluded individuals, anti-kickback
Involvement of board of directors and senior
officers
Annual reviews
Self-reporting
77. Compliance Programs – Soon Mandatory
PPACA Section 6102
Medicare SNFs and Medicaid NFs must have
compliance and ethics program with 3 years of
PPACA enactment
HHS and OIG to establish regulations
Organizations with 5 or more facilities must
have more formal program with written policies
and procedures
78. Compliance Programs – Soon Mandatory
SNF/NF compliance program – reasonably
designed, implemented and enforced to be
generally effective in preventing and detecting civil
criminal and administrative violations, as well as
promoting quality of care
Required components
Compliance procedures to guide employees
Assigned compliance responsibilities to senior
individuals within operating organizations
79. Compliance Programs – Soon Mandatory
Required components (cont.)
Restriction of at-risk individuals from
involvement with compliance responsibilities
Effective communications
Auditing and monitoring
Appropriate disciplinary measures, including for
failing to detect offenses
Appropriate response mechanisms