The OIG 2014 Work Plan – Thoughts and Observations on Nursing Homes

By on February 24, 2014

On Jan. 31, the Office of Inspector General (OIG) released its 2014 Work Plan, in which it announces and discusses the projects it intends to focus on in the coming year.  I plan to do a number of posts on the Work Plan, but I want to start with an industry that receives surprisingly little attention in the document – nursing homes.

OIG only announced five areas of focus with respect to nursing homes.  The first concerns Medicare Part A billing.  OIG noted that it previously observed skilled nursing facilities (SNFs) increasingly billing for higher levels of therapy even though beneficiary characteristics remained the same; it also explained that SNFs had a high (25 percent) billing error HC BLOG_nursing home2rate.  There are two main takeaways from this.  Nursing homes need to really examine their billing practices and procedures and ask themselves if there are any systems or protocols that might improve accuracy.  And, it’s my experience that a high care level claim isn’t so much unnecessary on its face, it’s that the provider doesn’t keep or record enough information to prove that it was.  Therefore, insofar as high care level services are being billed, SNFs might think about expanding their recordkeeping practices to ensure that enough documentation is present to justify the claim.

OIG’s second area of focus involves questionable billing practices for nursing homes submitting Medicare Part B claims.  The agency specifically references stays during which benefits are exhausted or the three-day prior inpatient requirement is not met.  Obviously, that doesn’t give us much to go on.

The third area of focus is a little more specific, though probably inapplicable to most providers.  OIG indicates that it intends to focus on state agency verification of deficiency corrections.  Federal regulation requires nursing homes cited for deficiencies to provide state regulators with a plan of correction to explain how they will correct the problems.  The Centers for Medicare & Medicaid Services (CMS) State Operations Manual further requires states to verify that the cited deficiencies have been corrected.  In the Working Plan, OIG cautioned that “one State survey agency did not always verify that nursing homes corrected deficiencies.”  It’s unclear which state that was, or whether it was only the one state.  Nonetheless, I expect most states will crack down on post-correction verification.  This has two related ramifications.  When devising a plan of correction, it is essential that nursing homes be realistic.  Chances are, state surveyors will put nursing homes’ feet to the fire to make sure they take the steps they say they will.  Also, nursing homes should make sure they follow through and do what they say they will on the timetable promised.

OIG’s fourth targeted area is interesting.  It wants to evaluate the results of the CMS National Background Check Program (NBCP).  This program essentially gives states money at a 3:1 federal-state ratio (not to exceed $3 million) to help providers run comprehensive background checks on their employees.  States that participate in this program include Alaska, California, Connecticut, Delaware, Florida, Illinois, Kentucky, Missouri, New Mexico, North Carolina, Oklahoma, Rhode Island, and Utah as does the District of Columbia.  It’s interesting that the list of states is so small.  CMS has handed out tens of millions of dollars over the past several years, and most states – including Colorado – already require background checks for employees of long-term care (LTC) facilities.  The NBCP requires a more comprehensive background check system, but that seems like a lot of money to leave on the table for something states will do most of anyway.  In any event, I wouldn’t be surprised to see Colorado and a bunch of other states opt in to the NBCP or CMS make it mandatory.

The fifth area of focus involves Medicare patient hospital admissions as a result of manageable or preventable conditions at nursing facilities.  This was the subject of a 2013 OIG Report.  It’s hard to come up with a good recommendation for this one.  On the one hand, it’s probably a good thing when an LTC facility and a doctor err on the side of caution and hospitalize an ill or injured resident – to do otherwise would risk a treatable condition deteriorating.  On the other hand, though, if CMS or OIG is going to start tracking hospitalizations on a facility-by-facility basis and scrutinizing those facilities that have too high of a rate, erring on the side of caution may have real regulatory consequences.  I suppose the best thing to say is this is an issue that needs to be closely monitored going forward.

Image courtesy of Flickr by Pictures by Ann

Filed under Medicare, Nursing Home Regulations

Text Messaging and HIPAA Compliance Risks

By on February 10, 2014

Like everyone else, health care workers have become accustomed to the convenience of communicating by text message.  Although using text messages can make communications more efficient in the health care setting, transmitting protected health information (PHI), including photographs, in text messages raises Health Insurance Portability and Accountability Act compliance risks.  Some of the compliance risks include the following:

  • Many people do not password-protect a mobile device, making it easy for another user to access PHI stored in texts.  This access can occur when the device is shared, lost, or stolen.
  • Text messages often are not encrypted, unlike e-mail.
  • The use of personal mobile devices to send texts or photographs is common, unlike email, which most often is sent on work-issued computers or tablets.
  • Text messages can remain on a mobile device indefinitely.

HC BLOG_textingThe U.S. Department of Health & Human Services (HHS) and the Office of the National Coordinator for Health Information Technology (ONC) have gathered tips to safeguard PHI when using mobile devices.  They make the following suggestions about how to protect and secure information on mobile devices, which applies to developing a policy on transmitting PHI by text message.

  • Use a password or other user authentication.
  • Install and enable encryption.
  • Install and activate remote wiping and/or remote disabling.
  • Maintain physical control of the mobile device.
  • Delete all stored health information before discarding or reusing the mobile device.

HHS and ONC have resources to assist in updating or developing policies for mobile device use.  They recommend the following five steps for policy planning.  These steps can assist health care organizations in developing a policy on using text messages to transmit PHI.

1.   Decide whether mobile devices will be used to access, receive, transmit or store PHI.

2.   Conduct a risk analysis to identify risks and perform a risk analysis periodically whenever there is a new mobile device, a lost or stolen device, or suspicion of compromised health information.  After conducting a risk analysis, document:

  • which mobile devices are used to communicate with your organization’s internal networks or system; and
  • what information is accessed, received, stored, and transmitted by or with the mobile device.

In addition, organizations should review HHS “HIPAA Security Series: Basics of Risk Analysis and Risk Management” for guidance on conducting a risk analysis.

3.   Identify your organization’s mobile device risk management strategy, including privacy and security safeguards.   The risk management strategy should include evaluation and maintenance of the mobile device safeguards you put in place.

4.   Develop, document, and implement your policy.  HHS and ONC suggest that the organization consider the following.

  • mobile device management, including identifying and tracking devices;
  • whether personal mobile devices can be used and whether they can be used to connect to the organization’s internal network or system;
  •  whether the device can be used away from the organization;
  • whether the device can be used to text;
    • security/configuration settings on mobile devices;
    • restrictions on information that can be stored on mobile devices;
  • procedures for addressing misuse of mobile devices; and
  • recovery and deactivation to wipe or disable lost or stolen devices or devices of employees who leave the organization.

5.   Provide training on mobile device use.

Image courtesy of Flickr by Jhaymesisviphotography

Filed under HIPAA

DHHS Promulgates Rule Giving Patients Right to Receive Results Directly From Lab

By on February 5, 2014

Earlier in the week, the Department of Health & Human Services announced a new rule under the Health Insurance Portability and Accountability Act (HIPAA) and the Clinical Laboratory Improvements Amendment of 1988 (CLIA) giving patients the right to access test results directly from a diagnostic laboratory, instead of making them go through the physician who ordered the results.  The final rule is available here.

The quick summary of the new rule is that if a covered laboratory (which is a laboratory that conducts one or more transactions electronically – so pretty much any laboratory) keeps test results electronically, it must share those with the tested individual or his or her personal representative; if it does not have results stored electronically, it must make an electronic copy in a mutually agreeable format.  Non-CLIA labs are exempt, as well as a handful of other entities and tests.

One major objection to the new rule is that many patients are ill-equipped to understand the test results without consulting with their physicians, and as such, they may be apt to overreact to seemingly abnormal results or false positives.  I understand where this is coming from.  Years ago, I contracted a nasty case of pneumonia training for the Boston Marathon in the dead of winter in Chicago.  This was the first (and only) time I had ever had pneumonia, and I became worried that I wasn’t recovering as fast as I’d like.  I went to a specialist, who ordered a comprehensive breathing test to make sure it wasn’t asthma.  At the lab, I blew into a bunch of tubes.  After one test, the lab tech shook her head and asked if I was a heavy smoker.  I said no, and she got a deeply concerning look on her face.  I, of course, freaked out.  The day the results were supposed to be available, I called the pulmonologist to get the bad news.  Guess what?  The results were totally normal, for someone who was recovering from pneumonia.  (I eventually started to feel normal, but it took months.)

And that’s the problem.  There are any number of conditions that can make otherwise abnormal lab results perfectly acceptable.  I’m not saying that it’s enough to make the new rule a bad one; DHHS certainly didn’t think so.  It emphasized that physicians will still be expected to consult with their patients about the results, and noted that most labs report that patients ask for the direct results only after they have already spoken with their physicians about them.  I’m not entirely sure that’s responsive – the fact that physicians still will advise their patients doesn’t really address the concern that some patients will get the results before having that conversation, and even if most patients tend to wait until they talk to the physician before directly requesting the results, some evidently do not.  But I’ll set those qualms aside.  The rule is here to stay.

It is important to make one point, though.  Given that patients are able to call the lab and get their results directly, physicians ordering tests need to do a good job up front communicating to the tested individual as to the expected results and the results that are cause for concern.  For example, in my case, the pulmonologist should have told me that given my recent pneumonia, she expected my results might show diminished lung function (assuming I had the right to directly access them), and that would be completely normal.

If you have that conversation up front, it can save a lot of stress and concern on the part of the patient, and perhaps even unnecessary testing for those eager beaver patients who don’t want to wait to consult their doctor about potentially concerning results.

Filed under CLIA, HIPAA