The Role of Compliance Officers in HHS OIG Regulations

The role of compliance officers in HHS OIG regulations is to ensure policies and procedures are in place to mitigate the risk of a healthcare organization violating a law protecting HHS programs and beneficiaries from fraud or abuse. It is also the role of compliance officers in HHS OIG regulations to monitor compliance with the policies and procedures, and to enforce sanctions on workforce members when they fail to comply with the policies and procedures.

While this explanation of the role of compliance officers in HHS OIG regulations may sound complicated, it is not as difficult as it seems. There are usually only five healthcare regulations enforced by the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) – these being:

  • The False Claims Act
  • The Anti-Kickback Regulations
  • The Physician Self-Referral Law
  • The HHS OIG Exclusion Statute
  • The Emergency Medical Treatment and Active Labor Act (EMTALA)

The False Claims Act

The False Claims Act protects HHS programs from being fraudulently charged for medical items or services. It is an offense to submit any claim that a healthcare organization knew or should have known was inaccurate; and, depending on the degree of intent, the penalties for violations of the False Claims Act can be civil (up to $27,894 per violation) or criminal (up to $250,000 per violation plus jail time for individuals and up to $500,000 per violation for organizations).

The role of compliance officers in HHS OIG regulations in this case is to ensure processes exist to verify the authenticity of reimbursement claims, that billing irregularities are flagged for investigation, and that security gaps are closed to prevent internal or external bad actors from compromising HHS transactions. In the event that claims and billing are outsourced, the role of compliance officers is to conduct due diligence on third party service providers.

The Anti-Kickback Regulations

The anti-kickback regulations exist to prevent inducements for referrals and “paid-for” recommendations for medical items or services. The consequences of “healthcare by inducement” are not only higher reimbursement claims, but also the risk that patients may not receive the most appropriate healthcare. Consequently, penalties for violations of the anti-kickback regulations are imposed on both the payer of an inducement and its recipient.

Because it is usually individuals who succumb to inducements, it is rare that an organization is investigated for an offense against the anti-kickback regulations. However, compliance officers need to be alert to individual members of the workforce accepting non-exempt inducements. This is because any induced reimbursement claims submitted via the organization will have to be repaid to HHS if a kickback allegation against a workforce member is proven.

The Physician Self-Referral Law

The Physician Self-Referral Law (aka the Stark Law) prohibits healthcare providers from referring patients to “designated health services” when the healthcare provider or an immediate family member has a financial interest in the designated health service. To prevent violations of this law, compliance officers will need to know if any workforce members have business interests (including indirect family business interests) outside the healthcare organization.

However, when the HHS OIG investigates a violation of the Stark Law, the perpetrators are the referring healthcare provider (i.e., a member of the workforce) and the health service that benefitted from the self-referral. The organization for whom the compliance officer works will not be responsible for repaying the proceeds of any unlawful activity. Nevertheless, workforce members violating HHS OIG fraud laws is not something compliance officers want on their CVs.

The HHS OIG Exclusions List

In 1977, the Medicare-Medicaid Anti-Fraud and Abuse Amendments gave HHS OIG the authority to exclude individuals and entities from participating in HHS programs if they were found to have violated a healthcare fraud or abuse law. Depending on the violation, an exclusion can be mandatory (typically five years) or discretionary (no minimum or maximum limits) – during which time excluded individuals and entities cannot bill HHS programs directly or indirectly.

The role of compliance officers in HHS OIG regulations in this case is to ensure that no excluded individual becomes a member of the workforce and that no goods or services are supplied by an excluded entity. Healthcare organizations that employ excluded individuals or that contract goods or services from an excluded entity can be fined up to $20,000 for each good or service unlawfully claimed plus three times the amount claimed from an HHS program.

The Emergency Medical Treatment and Active Labor Act (EMTALA)

EMTALA requires qualifying healthcare organizations that participate in HHS programs to examine an individual requesting emergency care and provide emergency treatment regardless of the individual’s insurance coverage or ability to pay. If the healthcare organization cannot provide appropriate emergency treatment, they must stabilize the individual and arrange a transfer to another healthcare organization that has appropriate treatment capabilities.

Qualifying healthcare organizations that fail to examine an individual or that fail to accept an individual transferred from another healthcare organization can be fined up to $129,233 and added to the HHS OIG Exclusions List. What can complicate the role of compliance officers in HHS OIG regulations such as EMTALA is that exemptions exist depending on location, the nature of the emergency treatment required, and the professional affiliation of healthcare workers.

How to Fulfil the Role of Compliance Officers in HHS OIG Regulations

The way to fulfil the role of compliance officers in HHS OIG regulations is to adapt existing policies and procedures to mitigate the risk of violating a healthcare fraud or abuse law. For example, most healthcare organizations are required to audit their claims and billing processes as a condition of participation in Medicare and Medicaid. Existing procedures could be adapted so that reimbursement claims are verified and irregularities are flagged in the audit process.

Similarly, conducting due diligence on third party service providers is already a condition of HIPAA compliance when PHI is shared with a business associate – as are reasonable and appropriate measures to protect the confidentiality, integrity, and availability of electronic PHI, whether it is shared with a business associate or processed in-house. Complying with the HIPAA Security Rule automatically ensures that Part 162 transactions are more secure.

With regard to identifying violations of the anti-kickback regulations, induced reimbursement claims should be flagged as part of an effective audit process. The requirement to check individuals against the HHS OIG Exclusions List is an extra check to add to the existing Level 2 checks many healthcare organizations already have to perform before engaging a new member of the workforce in order to comply with state employment laws.

As many of the policies and procedures required to fulfil the role of compliance officers in HHS OIG regulations are adaptions or extensions of existing policies and procedures, monitoring workforce compliance with the policies and procedures should not create an additional compliance burden – nor should enforcing sanctions on workforce members when they fail to comply with the policies and procedures. Nonetheless, compliance officers uncertain about how to fulfil their role with regards to HHS OIG regulations should seek independent compliance advice.

The post The Role of Compliance Officers in HHS OIG Regulations appeared first on HIPAA Journal.

What is Required for HIPAA Compliance?

What is required for HIPAA compliance is for covered entities and business associates to comply with all applicable standards and implementation specifications of the HIPAA Administrative Simplification Regulations in order to protect the privacy and security of individually identifiable health information.

Due to the complexity of the HIPAA Administrative Simplification Regulations, misunderstandings can sometimes exist about what HIPAA is, who it applies to, what is protected by HIPAA, and who is responsible for HIPAA compliance. These misunderstandings can make it difficult to determine what is required for HIPAA compliance.

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act – an Act passed in 1996 with the purpose of reforming the health insurance industry. Due to the cost of the reforms, a second Title was added to the Act which aimed to counter the cost by reducing fraud in the healthcare industry and simplifying the administration of healthcare transactions.

The Administrative Simplification Regulations are what most people refer to when discussing what is required for HIPAA compliance. The Regulations include the General Provisions and the procedures for the enforcement of HIPAA (Part 160), the standards for electronic healthcare transactions (Part 162), and the Privacy, Security, and Breach Notification Rules (Part 164).

Individuals and organizations to whom HIPAA applies have to comply with all applicable standards and implementation specifications of the Administrative Simplification Regulations. This means that, if – for example – a medical office outsources its healthcare transactions to a third party, the medical office does not have to comply with the standards in Part 162 of HIPAA.

Who does HIPAA Apply To?

§160.102 of the HIPAA Administrative Simplification Regulations states that the standards and implementation specifications apply to health plans, health care clearinghouses, and health care providers that conduct or outsource transactions for which a standard exists in Part 162. Individuals and organizations that fall into these categories are called “covered entities”.

HIPAA also applies to “business associates” – third party individuals and organizations that provide a service to or on behalf of a covered entity that involves the creation, receipt, storage, or transmission of Protected Health Information (PHI). Business associates can include outsourced billing companies, cloud service providers, and medical transcriptionists.

Examples of who HIPAA does not apply to include auto insurance companies that provide health benefits as a secondary service, healthcare providers that bill patients directly, publicly funded schools, and employers in their role as an employer. HIPAA also does not apply directly to members of a covered entity’s or business associate’s workforce for reasons explained later.

What does HIPAA Protect?

One of the most common misunderstandings about HIPAA – and one of the biggest barriers to determining what is required for HIPAA compliance – is what HIPAA protects. The misunderstanding exists due to some sources confusing what is considered PHI under HIPAA with the requirements for de-identifying PHI using the safe harbor method in §164.514(a).

To summarize what HIPAA protects: any information relating to a patient’s health condition, treatment for the condition, or payment for the treatment is protected by HIPAA. In addition, any information that could be used to identify the patient is protected by HIPAA when it is maintained in the same designated record set as health, treatment, or payment information.

This means – for example – that a patient’s name and cellphone number are protected by HIPAA when they are maintained in the same designated record set as the patient’s health, treatment, or payment information, but they are not protected when they are maintained in a separate database that does not contain health, treatment, or payment information (i.e., for marketing purposes).

Who is Responsible for HIPAA Compliance?

Covered entities are required by §164.530(a) to designate a privacy official who is responsible for the development and implementation of policies and procedures to meet the requirements of the Privacy and Breach Notification Rules. The privacy official does not have to be an existing member of the workforce. The position can be outsourced on a temporary or permanent basis.

In addition, §164.308(a) requires covered entities and business associates to identify a security official who is responsible for the development and implementation of policies and procedures to meet the requirements of the Security Rule. Again, this position can be outsourced, or it can be combined with the responsibilities of the privacy official in a single HIPAA compliance role.

In most cases, covered entities and business associates will already have an individual or team responsible for managing compliance with other federal, state, or voluntary regulations. In many cases, what is required for HIPAA compliance can overlap with what is required for complying with other regulations – for example, the conditions of participation in Medicare, OSHA, and SOC 2.

What is Required for HIPAA Compliance by Workforce Members?

It was mentioned earlier that HIPAA does not apply directly to members of a covered entity’s or business associate’s workforce. The reason for this is that covered entities are required to provide HIPAA training to members of the workforce on the policies that are relevant to their roles. It is not necessary for every member of the workforce to be trained on every HIPAA policy.

In addition, covered entities and business associates must provide security awareness training to all members of the workforce and “ensure compliance” with their policies and procedures by implementing and applying a sanctions policy. Rather than it being necessary for workforces to comply with the HIPAA Rules, workforces are required to comply with the organization’s rules.

There is one exception to this explanation of workforce compliance with HIPAA. When HIPAA was passed by Congress in 1996, it extended §1177 of the Social Security Act to members of the workforce. In the context of what is required for HIPAA compliance by workforce members, a violation of §1177 can result in a workforce member being convicted for the wrongful disclosure of PHI.

What is Required for HIPAA Compliance? Conclusion

It is not surprising some covered entities and business associates have difficulty determining what is required for HIPAA compliance. Misunderstandings about what HIPAA is, who it applies to, and what is protected by HIPAA can be compounded by assuming members of the workforce are required to comply with HIPAA when their compliance obligations are indirect.

Organizations that are unsure of what is required for HIPAA compliance should take advantage of our HIPAA compliance checklist to compare existing privacy and security measures against the standards that apply to their activities. Thereafter, it will be possible to conduct a gap analysis and develop a healthcare compliance program that incorporates the requirements of HIPAA.

Covered entities and business associates that encounter difficulties in conducting a gap analysis, developing a healthcare compliance program, or incorporating the requirements of HIPAA into existing compliance activities are advised to review the HHS Office for Civil Rights Help Pages or speak with an independent compliance professional.


LockBit Affiliate Sentenced to 4 Years in Jail and Ordered to Pay $860,000 in Restitution

An affiliate of the notorious LockBit ransomware group has been sentenced in Canada to almost four years in jail and has been ordered to pay more than $860,000 in restitution. Mikhail Vasiliev, 34, is a Russian-Canadian national who was born in Moscow and moved to Canada more than 20 years ago. During the COVID-19 pandemic, Vasiliev became an affiliate of the LockBit ransomware operation, one of the most prolific ransomware-as-a-service groups over the past few years. Around 18 months ago, Vasiliev was arrested following a raid of his home in Bradford, Ontario. The search of his property uncovered a list of prospective and historical victims, instructions on how to deploy LockBit ransomware, the source code of the ransomware, the control panel used to deliver the ransomware, and screenshots of conversations with a core member of the LockBit Group – LockBitSupp – on the Tox messaging platform.

Vasiliev admitted to being an affiliate of the LockBit group between 2021 and 2022 and having conducted attacks on businesses in Saskatchewan, Montreal, and Newfoundland, from whom he stole data, encrypted files, and demanded ransom payments. Vasiliev pleaded guilty to eight counts, including cyber extortion, mischief, and weapons charges. Vasiliev has also been under investigation by law enforcement in the United States for around two years, and last month, the U.S. Department of Justice charged Vasiliev with conspiracy to intentionally damage protected computers and to transmit ransom demands. Vasiliev has consented to extradition to the United States and his extradition is pending. If convicted in the United States, Vasiliev faces a maximum sentence of five years in jail. The DOJ also announced charges against four other individuals suspected of working with the LockBit group.

The LockBit group is alleged to have conducted over 2,000 ransomware attacks in the United States alone and generated more than $144 million in ransom payments in its four years of operation. Several healthcare organizations have fallen victim to LockBit ransomware attacks including Capital Health in New Jersey, Saint Anthony Hospital in Chicago, and Varian Medical Systems in California. In February 2024, the group’s infrastructure was seized as part of an international law enforcement operation, and three individuals suspected of involvement with the operation were arrested in Poland and Ukraine. A few days later, the U.S. State Department announced rewards of up to $15 million for information about the leaders of the group and any information that could lead to the arrest of any individual who participated in the LockBit operation. The LockBit group restored its data leak site within a week of the takedown, set up new infrastructure, and started listing new victims on its data leak site.


HHS-OIG: Pennsylvania Improperly Claimed $551 Million in Medicaid Funds

Audits conducted by the Department of Health and Human Services Office of Inspector General (HHS-OIG) of states that claim Medicaid school-based costs with the assistance of contractors have revealed some states have claimed unallowable federal funds due to their contractors improperly conducting random moment time studies (RMTSs). Pennsylvania is the latest state to be audited by HHS-OIG, which found that approximately $590 million was claimed in federal Medicaid payments for school-based services between July 1, 2015, and June 30, 2019, $551.4 million of which was improperly claimed.

For the audit, HHS-OIG reviewed a stratified random sample of 310 random moments, each of which was coded as a health service or administrative activity. HHS-OIG also looked at the methods Pennsylvania used to allocate health services costs to Medicaid.

Based on the sample, HHS-OIG estimated that Pennsylvania claimed $182.5 million in unallowable Federal funds because it did not support that all moments used in RMTSs and coded as Medicaid-eligible were actually for Medicaid-eligible health services or Medicaid administrative activities. Pennsylvania also improperly claimed $368.9 million when it used unsupported ratios to allocate costs to Medicaid. The RMTSs conducted by contractors for Pennsylvania did not cover all days worked by staff members because they were not conducted for the first month of the school year.

HHS-OIG said that the improper claims were due to complex cost allocation methods, developed by the state and its contractor, that were difficult or impractical to support with documentation, or because CMS guidance was not followed. HHS-OIG recommended that the state refund the $182.5 million, as these funds were claimed for unsupported Medicaid-eligible health services and Medicaid administrative activities. HHS-OIG also recommended that the state either support or refund the $368.9 million, as these funds were claimed using an unsupported cost allocation method. HHS-OIG also provided guidance to the state to help with the preparation of accurate and supportable claims.

Pennsylvania agreed with the guidance but disagreed with the monetary and procedural recommendations, specifically disagreeing with the HHS-OIG finding that the moments were not supported as Medicaid-eligible. Pennsylvania claimed that it was not required to provide documentation other than what RMTS participants provided and that it was not responsible for ensuring that all service providers were appropriately licensed. Pennsylvania also claimed that the ratios it used for allocating costs to Medicaid are accurate.
