Audits, enforcement and alphabet soup

As Americans discovered during the banking crisis and subsequent bailouts in 2008, fraud and abuse regulation and policy are only as good as the weakest investigation and enforcement activities. As you know, in health care there are numerous regulations, and in health care facilities there are numerous policies as well. However, I’d like to turn your attention to a large upcoming change in regulatory enforcement that will likely hit a facility you may know of or work with this calendar year.

The U.S. Department of Health and Human Services (HHS) has numerous operating and staff divisions, many of which you are likely familiar with, such as the Food and Drug Administration (FDA), the Centers for Medicare and Medicaid Services (CMS), the Centers for Disease Control and Prevention (CDC), etc. However, there are a few divisions with which you may not be familiar that I’d like to bring to the attention of clinical engineers specifically. Those are the Office for Civil Rights (OCR), the Office of the Inspector General (OIG), and the Office of the National Coordinator for Health Information Technology (ONC). These three groups have important roles that will increasingly affect your facility, your department and your activities.

The OCR, OIG and ONC have separate, distinct missions, but they overlap on privacy and security enforcement activities that affect health care technology. The OCR is charged with investigating civil rights, health information privacy, and patient safety confidentiality complaints. The OIG is charged with combating fraud, waste and abuse in HHS programs. The ONC is charged with supporting and promoting the widespread adoption of the electronic use and exchange of protected patient health information.

The activities of the ONC are most apparent in the recent major health IT initiatives of Electronic Health Record (EHR) systems and the ICD-10 medical classification coding standard. You may have heard the term “meaningful use” used in relation to EHR systems. These are multi-stage standards that must be met to obtain the federal reimbursement granted under the HIT adoption initiatives of the HITECH Act (part of ARRA) of 2009. As was detailed in the discussions of the act, the U.S. has lagged behind most other developed nations in the adoption of EHR systems, and so the initiative aims to reduce the acquisition expenses for health care providers in the adoption of EHR systems. However, because such reimbursement initiatives are commonly ripe for abuse and fraud, a set of requirements has been established as the criteria by which an EHR is proven to be implemented and utilized in a meaningful manner. Important to note here is that one of the first-stage requirements is meeting the HIPAA privacy and security standards for electronic health information within and throughout EHR systems.

The activities of the OIG are apparent in fraud and abuse investigations pertaining to medical ID theft, fake medical billing, patient abuse, health care facility neglect and false reimbursement claims. Historically, much of this work has involved written forms-based claims, charts, bills and other medical documents. However, as the ONC HIT initiatives mentioned above begin to take effect, this is shifting to the realm of computer systems and electronic health information exchanges. The Government Accountability Office (GAO) has estimated that health care fraud costs our industry between $30 and $100 billion annually. The OIG reports an annual Return on Investment (ROI) as a ratio between its budget and the fraud combated; the last number I could find, reported in 2007, was a ratio of $16.4:1, which means that for every $1 the U.S. government spent on combating fraud and abuse in health care, it received over $16 back. Also of note is that this ratio has been trending upwards for at least 3 years. Think about this for a moment… in a time when our federal government is challenged with continued deficit spending, here is a federal agency that is actually returning $16 for every $1 spent! At this rate one would expect the level of investigation and enforcement to increase so long as that ratio stays high.

This brings me to the division most pertinent to clinical engineering and health care IT: the OCR. A few years ago the OCR assumed responsibility for enforcement of the HIPAA Security Rule in addition to the HIPAA Privacy Rule, for which it was already responsible. Last year two big events occurred at the OCR that you should understand. These were the award of a $9.1 million contract to the auditing firm KPMG and the appointment of a new director, Leon Rodriguez. It’s noteworthy that the bio of Director Rodriguez lists his background as a federal and state prosecutor, an attorney in a private health law firm, and Chief of Staff and Deputy Assistant Attorney General for the Department of Justice Civil Rights Division. I find most interesting the mention that he was named “Outstanding Health Care Litigator” not very long ago in his career. Now, the $9 million contract to the audit firm is the real deal; the contract charges KPMG with developing the protocol and audit program to ensure that covered entities and business associates effectively implement the statutory requirements for the HIPAA privacy and security standards as amended by ARRA.

Finally, here is the biggest thing to note. In addition to developing the protocol and audit program, KPMG will conduct site visits, interviews, operational exams and validation of policy to process, and will submit both audit reports and corrective action plans. According to the award notice, “The government anticipates completing 150 audits of entities varying in size and scope” by the end of 2012. To the best of my knowledge, the typical number of HIPAA audits was six or seven organizations per year. Now they expect to perform 150 by the end of this year! As I mentioned in the beginning, the odds that a provider or business associate (i.e., a vendor, even an Independent Service Organization) you may know of or work with will be involved in an audit are fairly high. Furthermore, like the OIG ROI ratio, if the OCR awarded $9 million to KPMG, how much money in fines and penalties do you imagine they will expect in return? If you and your organization are not already prepared, I would highly suggest you start yesterday.

Derek Brost