EisnerAmper Blog

An EisnerAmper Health Care Services Blog

HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software


December 17, 2014


By Michael J. McLafferty, CPA, MBA, FACHE, FHFMA, FACMPE

Anchorage Community Mental Health Services (“ACMHS”) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule with the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”).  ACMHS will pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.  ACMHS is a five-facility, nonprofit organization providing behavioral health care services to children, adults, and families in Anchorage, Alaska.

OCR opened an investigation after receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources.  OCR's investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed.  Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.

"Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis," said OCR Director Jocelyn Samuels.  "This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks."

ACMHS cooperated with OCR throughout its investigation and has been responsive to technical assistance provided to date.  In addition to the $150,000 settlement amount, the agreement includes a corrective action plan and requires ACMHS to report on the state of its compliance to OCR for a two-year period.  The Resolution Agreement can be found on the OCR website.

PQRS Negative Payment Letters Sent


December 17, 2014

By Nancy Clark, CPC, CPC-H, CPB, CPMA, CPC-I

The Centers for Medicare and Medicaid Services (“CMS”) recently sent letters to group practices and eligible professionals (“EPs”) who did not satisfactorily report PQRS quality data measures in 2013 and will receive a negative 1.5% payment adjustment on their Medicare Part B payments starting Jan. 1, 2015.

PQRS, the Physician Quality Reporting System, is a program that uses a combination of incentive payments and negative payment adjustments to promote reporting of quality information.  Calendar year 2015 will be the first in which a negative impact is noticed.  In 2016, the negative adjustment will be 2% of the allowed fee schedule.

PQRS has also offered incentives for participation, but these incentives are diminishing as the penalties are implemented.  Groups and EPs who believe they are inappropriately penalized have the option of appealing with CMS through an informal review process by Feb. 28, 2015. There’s more information on how to file for an informal review here.

Fingerprint-Based Security Measures for Medicare Providers


November 25, 2014

By Nancy Clark, CPC, CPC-H, CPB, CPMA, CPC-I 

The recently published 2015 Office of Inspector General (OIG) Work Plan indicates that enhanced provider security screening is now in place and will be reviewed by the OIG.

In August, the Centers for Medicare and Medicaid Services (CMS) began implementation of 42 CFR Part 1007, which was originally published in the Federal Register in 2011. The new security provision was implemented on August 6 and includes fingerprinting-based background checks. The contract for fingerprinting was awarded to Accurate Biometrics, in Chicago, Illinois.

Medicare Administrative Contractors (MACs) have started sending letters to providers, listing all owners who require fingerprinting.  Providers must respond within 30 days from the date of the letter.  Failure to respond could result in either revocation of Medicare billing privileges or denial of Medicare enrollment applications.

These security background checks are now required for all individuals with a 5% or greater ownership interest in an organization and those that fall into the “high-risk” category.  High risk individuals include newly-enrolled Durable Medical Equipment Prosthetics Orthotics and Supplies (DMEPOS) suppliers and home health care agencies (HHAs).

CMS is implementing other new measures in an effort to prevent fraud, waste and abuse resulting from weaknesses in the Medicare enrollment process.  These include background checks and an automated provider screening process for providers and home health agency workers.  For more information, see MLN Matters® Number SE1417.

Office of the Inspector General – 2015 Work Plan


By Michael J. McLafferty, CPA, MBA, FACHE, FACMPE, FHFMA

OIG 2015 Work Plan

On October 31, 2014, the Office of the Inspector General (“OIG”) published its Work Plan for 2015. The annual plan suggests areas that the OIG intends to review and audit. The OIG typically focuses on activities it believes resulted from overutilization of services and potential fraud. Providers use the OIG Work Plan as a guide to prepare for potential audits and areas to review the effectiveness of their internal controls. The law firm of Hall Render has prepared a comprehensive summary of the OIG’s 2015 Work Plan. The 2015 OIG Work Plan is available here.



November 12, 2014

By Steven Bisciello, MBA, CMPE

Last week, $840 million was earmarked by the Secretary of Health and Human Services (HHS), Sylvia M. Burwell, toward the Transforming Clinical Practice Initiative. The goal is to create and support networks developed to help physicians have timely access to health information and ultimately result in improved health outcomes. The investment is over the next four years and will support 150,000 clinicians.

Providers are being asked to redesign their practices, getting away from the patient volume model and moving towards a patient health outcome model.

These models will subsequently spawn coordinated health care networks which will include group practices, health care systems and others.

This model is being geared to help providers share patient health information safely within the network, to coordinate care and further improve the quality and delivery of care.  This strategy is also designed to reduce costs through this information sharing and coordination of care amongst the different providers and ultimately reduce hospital readmissions.

Some examples of this strategy include: Creation of shared patient portals where patients can communicate with their “team” of providers; allotting providers more access to pharmacies and patient medication information, to ensure and assist patients in medicating properly; and implementing and utilizing Electronic Medical Records (EMRs) to allow for safe, quicker sharing of patient health information amongst the provider team.

Participating provider practices and health care organizations will receive technical assistance and support from their peers to better provide synergetic patient care in a timely and efficient manner.

This will also prepare providers ahead of time to achieve success in a forthcoming health care arena, one that measures success and reimburses on value and outcomes.

Find out more about the Transforming Clinical Practice Initiative

CMS Introduces Modifiers to Combat Abuse


October 22, 2014

By Nancy Clark, CPC, CPC-H, CPB, CPMA, CPC-I

The Office of Inspector General (OIG) has identified continued abuse of modifier 59, Distinct Procedural Service.  This modifier indicates when physicians’ services that are usually considered integral to each other may be reported separately for additional payment.  Frequently, this modifier is applied to services that should not be billed separately and the provider inappropriately receives reimbursement.  Transmittal 1422 states that the 2013 Comprehensive Error Rate Testing (CERT) data projected a $320 million error rate in physician claims and $450 million in facility claims appended with modifier 59. The Centers for Medicare and Medicaid Services (CMS) indicate that four new modifiers will be implemented in January 2015 in an attempt to better identify inappropriate claims.

These new Healthcare Common Procedure Coding System (HCPCS) modifiers, referred to collectively as -X{EPSU} modifiers, are considered subsets of modifier 59:

  • XE indicates a Separate Encounter, A Service That Is Distinct Because It Occurred During A Separate Encounter  
  • XP indicates a Separate Practitioner, A Service That Is Distinct Because It Was Performed By A Different Practitioner    
  • XS indicates a Separate Structure, A Service That Is Distinct Because It Was Performed On A Separate Organ/Structure  
  • XU indicates an Unusual Non-Overlapping Service, The Use Of A Service That Is Distinct Because It Does Not Overlap Usual Components Of The Main Service

CMS believes that by identifying specific reasons for utilizing modifier 59, it will be easier to filter claims that may be billed inappropriately.  Provider education is crucial for submitters to understand when a service can be appropriately “unbundled.”  Nonetheless, we can expect frequent audits of claims with both modifier 59 and the new subset modifiers.  Ensure that documentation substantiates distinct services whenever claims are submitted, or expect to forfeit payment and undergo potentially time-consuming audits.

Physician Open Payments Are Online at the CMS Website


October 7, 2014


By Michael J. McLafferty, CPA, MBA, FACHE, FHFMA, FACMPE

The first batch of Open Payments data connecting your physicians to financial arrangements with certain businesses was published online September 30. Your physicians’ financial data may not be on the CMS website now even if it was collected, but that doesn’t mean it won’t be there eventually.

The data collection mandated by the federal Sunshine Act and performed from Aug. 1 to Dec. 31, 2013, is broken into three categories:

  • General payment details including all payments or other transfers of value from applicable group purchasing organizations (GPOs) or manufacturers to physicians and teaching hospitals that have nothing to do with research agreements or protocols;
  • Research payment details for those payments or transfers of value that do involve research agreements or protocols; and
  • Physician ownership information about physicians who have an ownership or investment interest in a manufacturer or GPO.

Your data could be there but ‘de-identified’

The data your doctors’ financial partners submitted may not be identifiable, or tied to your providers, in this edition of Open Payments.

About 4.4 million records have been collected, but CMS estimates that 40% of them — which would come to 1.76 million records — have been stripped of identifying details, or “de-identified,” while 199,000 other records are not published at all.

All the records were checked against the National Plan & Provider Enumeration System (NPPES); the Medicare Provider Enrollment, Chain and Ownership System (PECOS); and a private database to confirm the connection between the physicians and teaching hospitals and the payment information, CMS explained on a press call September 30. Records that were fully confirmed against physician names, national provider identifiers (NPIs) and licenses are published and the physicians are identified; those that were not confirmed have been published without identifying the physician.

Also de-identified are records for which providers entered a dispute in the review period but did not have 45 days to pursue it as the law allows.

Of the unpublished records, 190,000 are not available because the GPOs or manufacturers requested that the information be held for reasons relating to ongoing research, as the law allows, while 9,000 are unpublished because a dispute lodged by a provider is ongoing.

CMS says the agency expects the de-identified 2013 data will be updated during the next reporting cycle in 2015 so that the physicians are identified.

Beware of Big Files

The Open Payments website has a download library and a “data visualization” tool to help you navigate the data — including a search feature for looking for individual doctors or teaching hospitals.

The online files are big. The largest identified data for general payments is 1.4 gigabytes, and CMS warns that you may have trouble importing these large files into regular spreadsheet programs such as Excel.

If you have an IT team, you can use a database server such as MySQL to put the big file into a database and then develop a simple user interface for you to view and work with the files, suggests Sean Vogt, director of operations at Greenview Data in Ann Arbor, Mich. Alternately, you can use a commercial file editor such as Vedit, which Greenview developed, to split the files into parts that can fit into Excel, he says.

