HHS-OIG Identifies Potential Misuse of HRAs and Chart Reviews by MA Companies

Posted by Steve Alder

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has identified potential misuse of health risk assessments (HRAs) and HRA-linked chart reviews by Medicare Advantage (MA) companies, which may have resulted in millions of dollars in overpayments.

The Centers for Medicare and Medicaid Services (CMS) pays MA companies higher risk-adjusted payments for sicker enrollees to cover costlier care and each year, MA companies receive millions in overpayments based on unsupported diagnoses for MA enrollees. When diagnoses are reported only using enrollees’ HRAs and HRA-linked chart reviews and there are no follow-up visits, procedures, or tests, HHS-OIG is concerned that the diagnoses may be inaccurate and therefore the payments made by the CMS may be improper. Alternatively, the lack of follow-up visits and tests suggests that if the diagnoses are accurate, enrollees have not received the necessary care for serious health conditions.

HHS-OIG’s analysis of MA encounter data identified 1.7 million MA enrollees whose diagnoses were only reported using HRAs and HRA-linked chart reviews and did not include any follow-ups. Out of the 17 million MA enrollees, 19,028 enrollees had no other service records at all in 2022 apart from a single HRA. HHS-OIG estimates that around $7.5 billion in MA risk-adjusted payments were made for 2023 and that 80% of those payments were made to just 20 MA companies.

Almost two-thirds of those payments were based only on In-home HRAs and HRA-linked chart reviews, which have a higher risk of misuse as they are usually administered by MA companies and their third-party vendors rather than enrollees’ own providers. In fiscal year 2023, the CMS identified $12.7 billion in net overpayments due to plan-submitted diagnoses that were not supported by documentation in enrollees’ medical records and concerns have been raised by oversight entities that MA companies are using HRA and HRA-type assessments to maximize their risk-adjusted payments rather than to improve the care provided to enrollees. HHS-OIG says the risk-adjustment payment policy creates a financial incentive for MA companies to misrepresent health statuses and submit unsupported diagnoses to inflate their risk-adjusted payments.

HHS-OIG recommended the CMS take steps to identify and prevent misuse of HRAs and HRA-linked chart reviews. HHS-OIG suggested the CMS impose additional restrictions on the use of diagnoses reported only on in-home HRAs or chart reviews linked to in-home HRAs for risk-adjusted payments, conduct audits to validate diagnoses reported using only HRAs and HRA-linked chart reviews, and determine whether certain health conditions such as diabetes and congestive heart failure that drove payments on in-home HRAs and chart reviews are more vulnerable to misuse by MA companies. The CMS only concurred with the last recommendation.

The post HHS-OIG Identifies Potential Misuse of HRAs and Chart Reviews by MA Companies appeared first on The HIPAA Journal.

38,000 Individuals Affected by Center for Urban Community Services Cyberattack

Posted by Steve Alder

Security breaches have been reported by the Center for Urban Community Services in New York, Riverview Health in Indiana, and Smile Design Management in Florida.

The Center for Urban Community Services, New York

The Center for Urban Community Services, a New York social services organization, has notified 38,000 individuals about a network intrusion that occurred between September 4, 2023, and September 9, 2023. The intrusion was detected on September 9, 2023, and an investigation was launched, but data acquisition was not confirmed at the time. Center for Urban Community Services has now confirmed sensitive data was exfiltrated in the incident. The types of information involved varied from individual to individual and may have included names, addresses, telephone numbers, dates of birth, Social Security numbers, benefit identification numbers, health information, and prescription information. The Center for Urban Community Services is unaware of any misuse of the affected information.

Riverview Health, Indiana

Riverview Health in Noblesville, IN has discovered unauthorized access to an employee’s email account. An unidentified third party had access to the account for less than an hour on August 23, 2024, before the intrusion was detected by its security software and access to the account was blocked. The investigation confirmed that a single email account had been compromised after an employee was tricked by a social engineering scam. The window of opportunity for viewing and copying sensitive information in the account was short but it is possible that electronic files in the account may have been compromised. The files were reviewed and confirmed to contain patients’ protected health information such as name, sex, date of birth, medical record number, admission date(s), and medical information such as diagnosis.

Since social security numbers, financial information, bank account numbers, and health insurance information were not compromised, Riverview Health believes the risk of misuse of patient data is low. Riverview Health is reviewing its policies around phishing and social engineering and is evaluating methods and procedures for improving electronic access and controls. Notification letters were mailed to the affected individuals on October 24, 2024. The HHS’ Office for Civil Rights portal indicates that 1,562 individuals were affected.

Smile Design Management, Florida

Smile Design Management, a Tampa, FL-based operator of 50 dental care facilities in Florida, has discovered unauthorized access to files on its network. The breach was detected on February 22, 2024, when unusual network activity related to a third-party software solution was detected.

Third-party cybersecurity specialists were engaged to investigate the activity and confirmed unauthorized access to its network between February 22, 2024, and February 23, 2024. The review of the affected files was completed on August 15, 2024, and after verifying contact information, notification letters were sent to the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services. The substitute breach notice does not state the types of information compromised in the incident.

Smile Design Management said it has implemented additional technical safeguards to prevent similar breaches in the future. The breach was reported to the HHS’ Office for Civil Rights on October 10, 2024, as involving the protected health information of 500 individuals.

The post 38,000 Individuals Affected by Center for Urban Community Services Cyberattack appeared first on The HIPAA Journal.