CMS has published the latest Meaningful Use Incentives payments summary (through July 2013). Really just a trickle increase relative to the numbers from June.
$15,884,674,565 minus $15,507,463,743 = $376,710,822 paid out in July. This slowdown is to be expected, given that Stage 1 attestations run via calender and federal fiscal years.
The summary EP and EH tallies below:
While nearly 200,000 EPs have been paid to date, the majority of the money has gone to hospitals (an average of ~$2.332 million per EH).
No breakdowns here regarding how much of the Medicaid money is "A/I/U" -- simply "Adopt, Implement, or Upgrade" to a 2011 ONC Certified EHR system, without having to attest to having met Meaningful Use Core and Menu compliance measures.
I'd also like to see a breakdown here by EHR vendor, in particular with respect to the hospitals payments.
THREE WEEKS TO HIPAA OMNIBUS COMPLIANCE
September 23rd, 2013 is the date that all Covered Entities and their Business Associates must be in compliance with HIPAA as amended by HITECH (the rigorous "Omnibus" regulatory specifications as set forth in 45 CFR 164).
You have had five month thus far since publication of the Omnibus Rule to get your houses in order. If you have not yet started on documented compliance, you have better hope you don't get audited, because you will not make it. You may be able to put window dressing paper in place (e.g., a generic Policies and Procedures manual, a "Notice of Privacy Practices" taped to the clinic door, and some pro forma "Risk Analysis"), but actual full operational compliance on or before September 23rd will be nigh impossible to document and demonstrate at this point.
The stakes (from HHS):
Enforcement and Penalties for Noncompliance
The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) establishes a set of national standards for the use and disclosure of an individual’s health information – called protected health information – by covered entities, as well as standards for providing individuals with privacy rights to understand and control how their health information is used. The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing these standards and may conduct complaint investigations and compliance reviews.
Consistent with the principles for achieving compliance provided in the Privacy Rule, OCR will seek the cooperation of covered entities and may provide technical assistance to help them comply voluntarily with the Privacy Rule. Covered entities that fail to comply voluntarily with the standards may be subject to civil money penalties. In addition, certain violations of the Privacy Rule may be subject to criminal prosecution. These penalty provisions are explained below.
Civil Money Penalties.
OCR may impose a penalty on a covered entity for a failure to comply with a requirement of the Privacy Rule. Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity’s failure to comply was due to willful neglect...
...Before OCR imposes a penalty, it will notify the covered entity and provide the covered entity with an opportunity to provide written evidence of those circumstances that would reduce or bar a penalty. This evidence must be submitted to OCR within 30 days of receipt of the notice. In addition, if OCR states that it intends to impose a penalty, a covered entity has the right to request an administrative hearing to appeal the proposed penalty.
- For violations occurring on or after 2/18/2009: $100 to $50,000 or more per violation (calendar year cap fo $1.5 million)
Criminal Penalties.OK, WHERE DOES OMNIBUS COMPLIANCE BEGIN?
A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule.
Every CE (and BA that handles ePHI) has to designate a "security official" and a "privacy official."
Now, in a small primary care clinic, you might think "OK, Sally (the M.A. or front desk employee with a high school diploma), 'tag,' you're it."
Not gonna fly. As I noted in a prior post, Sally will be responsible for -- at a minimum -- administering and documenting myriad HIPAA Omnibus elements such as
- Administrative safeguards (which increasingly extend to BYOD policies);
- Technical safeguards;
- Physical safeguards;
- Written coherent and comprehensive policies and procedures;
- Staff HIPAA training records;
- Publication and dissemination of revised patient privacy practices;
- Breach notification procedure;
- Patient ePHI data request procedure;
- Omnibus-compliant Business Associates Agreements (BAA).
By way of extreme example, what kind of duties and chops are expected of a "privacy official" in larger settings?
From a recent Bay Area online recruitment posting:
Hospital HP Compliance Officer (Job Number 200180)'eh? Now, while Sally's small shop world will be much simpler, HIPAA Omnibus compliance is no cakewalk in any setting. (I wrote a prior HIPAA post in May of 2012, btw.)
Working for an organization with the size and resources of Kaiser Permanente Northern California means having the potential to positively affect the health and well-being of entire communities. From our financial, business, and IT experts, to our RNs, allied health professionals, and physicians, we work together to provide the best care experience to our members and the communities we serve. As one of the most diverse regions in the country, Northern California offers everything from the majestic Sierra Mountains, to breathtaking Yosemite, to world-renowned Napa Valley. Here, you'll discover the cultural and recreational diversity that makes Northern California one of the most desirable places in the world to live and work. As Northern California's largest health plan, Kaiser Permanente provides you with the resources and opportunity to build a rewarding career in an environment that supports your success. Join us.
Serves as the Hospital and Health Plan Compliance Officer, the Privacy Officer, and as a member of the Medical Center Leadership team. Responsible for the strategic development, Implementation and evaluation of compliance management systems at the Medical Center, including contract hospitals, contract services, and other non-KFH facilities. Analyzes legal, regulatory, licensing and accreditation requirements and their impact on operations and oversees the development of compliance risk mitigation and corrective action plans. Ensures that controls are in place to guarantee privacy and security, to identify fraud, waste and abuse and to ensure that state and federal regulations are addressed. Collaborates with Medical Center leadership to ensure that operating procedures, systems and standards align with compliance requirements and controls and that staff is trained on these controls. Creates and manages detailed audits of Health Plan ad Hospital managed services. Develops strong collaborative leadership relationships with TPMG, external regulatory agencies and accreditation bodies, and uses these relationships to manage risks and establish priorities and plans to address these risks.
- Ensures that the Medical Center has systems in place to achieve compliance by development of compliance management systems (such as training, policies, procedures, monitoring and auditing, among others) across all functions.
- Assists managers to adopt a culture of compliance in their daily operations.
- Oversees the development, implementation and evaluation of corrective action plans and responses to internally and externally identified compliance issues.
- Creates and manages detailed on site audits of Health Plan and Hospital managed services.
- Co-leads the Medical Center Compliance Committee with TPMG partner and provides direction in establishing legislative and regulatory compliance strategy.
- Develops an audit plan and dashboard to communicate completion of corrective actions to senior leadership.
- Serves as the Privacy Officer and oversees systems to ensure the protection and security of member and patient health information
- Ensures the integrity of the regional hotline process and conducts investigations to resolve compliance issues and complaints.
- In conjunction with Medical Center and Regional leaders, ensures that medical center service delivery changes meet requirements of state and federal regulators as well as billing requirements of Medicare and other federal coverage guidelines.
- Oversees medical center responses to external regulatory agencies such as CMS and the Federal Office of Civil Rights.
- Manages identified privacy breaches to ensure that all reports are filed, root cause analysis is performed and that controls are initiated to prevent further loss of protected health information.
- Provides oversight to the implementation of revenue cycle functions and ensures the remediation of Site of Service, Scope of Practice and billing/documentation issues.
- Responsible for identifying risk areas in the revenue cycle, including accurate coding and documentation.
- Works with Regional groups and HIM managers to implement compliance coding and documentation practices.
- Ensures that appropriately credentialed providers are supplying services to health plan and government sponsored groups.
- Leads education and implementation of new state and federal laws affecting care delivery and health plan operations.
- Eight (8) to ten (10) year of experience in hospital operations or multifaceted health care systems and multi-provider settings.
- Experience in revenue cycle, program development and strategic planning required.
- Bachelor's degree or equivalent in Health Care Administration, Business or Public Health Administration, Operations Research, Nursing, Economics or other related field required.
- Master's degree in Business, Health Care, Public Administration, JD or related field preferred.
- Certified in Healthcare Compliance (CHC) or other equivalent compliance certification preferred.
- If applicant does not have the CHC, then must complete within 12 calendar months of hire.
- Knowledge of accreditation and licensing requirements including but not limited to: The Joint Commission, NCQA, Knox Keene Act, CMS, Cal-OSHA, HIPAA, MEDI-Cal regulations and standards.
- Demonstrated skill collaborating w/ multiple groups to achieve change.
- Ability to balance priorities and manage risks.
- Ability to influence Senior Leadership.
- Must be able to work in a Labor/Management Partnership environment.
It should be noted that  the Privacy and Security officials can be the same -- educationally and experientially qualified -- person and/or that  entities falling under HIPAA Omnibus can outsource the Privacy and Security functions to qualified consultants. Either way, it will not come cheap (and, think about the problems inherent in outsourcing; e.g., how will an offsite consultant go about doing routine audit log breach detection monitoring?).
I should further note that Privacy and Security functions differ materially, with the latter being a more tech-oriented "necessary-but-insufficient" subject matter domain subsumed under the former (which extends to legal issues such as Breach redress and Consent administration that may be subject to state laws and regulations specific to location jurisdiction).
A final note goes to the fact that people with HIPAA compliance administration skills and experience aren't exactly hanging out in droves along the entrance curb at Star Nursery. The healthcare space is rife with qualified worker shortages, and this area is among the most severe.
AHRQ RESOURCE FOR MEANINGFUL USE
Eligible professionals (EPs) must attest YES to having conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implemented security updates as necessary and corrected identified security deficiencies prior to or during the EHR reporting period to meet this measure.This is narrower in focus (and is a Meaningful Use Criterion specifically, not HIPAA broadly), and goes only to ePHI security (not "privacy" per se, which maps to 45 CFR 164.5 et seq. Still, it's a lot of work. Note also "...implemented security updates as necessary and corrected identified security deficiencies prior to or during the EHR reporting period..." Some on my HealthInsight REC team had argued that as long as you had remedial activities underway or planned (but not yet documentably complete), you could attest to Core 15. IIRC, we got that opinion from someone on the HITRC.
News item. Another great use of Health IT? Better fraud detection?
Mobile Doctors’ Chicago CEO and Doctor Arrested on Federal Health Care Fraud Charges; Offices Searched in Three Cities
CHICAGO — The chief executive officer of Chicago-based Mobile Doctors, which manages physicians who make house calls in six states, and one of its physicians in Chicago were arrested today on federal health care fraud charges. At the same time, federal agents executed search warrants at Mobile Doctors’ offices in Chicago, Detroit, and Indianapolis, as well as warrants to seize up to $2.568 million in alleged fraud proceeds from various bank accounts. The charges allege a scheme to fraudulently increase (also known as “upcoding”) Medicare bills for in-home patient visits that Mobile Doctors falsely claimed were more complicated and longer than they actually were. The charges also allege that Mobile Doctors’ physicians falsely certified that patients were confined to their homes, enabling home health care agencies to claim fees for additional services for patients who were not actually qualified to receive them.A decade ago I was a member of a credit risk modeling and portfolio management team at a privately held VISA/MC issuer. From one of my white papers writing up our scorecard modeling project:
Agents from the FBI, the U.S. Department of Health and Human Services Office of Inspector General, and other law enforcement agencies executed the arrest, search, and seizure warrants in connection with the charges and also a broader ongoing investigation that includes allegedly illegal billing practices for medically unnecessary tests and services not performed by a physician.
Arrested were DIKE AJIRI, 42, of Wilmette, CEO of Mobile Doctors, which he has effectively owned since 1996, and BANIO KOROMA, 63, of Tinley Park, a physician who has worked for Mobile Doctors since approximately 2007. Mobile Doctors, located at 3319 N. Elston Ave., in Chicago, arranges patient home visits and contracts with doctors who perform the visits. The physicians assign their rights to bill and collect payment to Mobile Doctors, in return for being paid directly by the company. Mobile Doctors’ website claims that its associated physicians have made more than 500,000 house calls since its inception. In addition to Chicago, the company has branches in Detroit and Flint, Mich., San Antonio and Austin, Tex., Indianapolis, Kansas City, Phoenix, and St. Louis.
Ajiri was charged with health care fraud and Koroma was charged with making false statements relating to health care benefits in a criminal complaint that was filed yesterday and unsealed today after the arrests. Both were scheduled to appear at 3 p.m. today before U.S. Magistrate Judge Mary Rowland in U.S. District Court.
The arrests and charges were announced by Gary S. Shapiro, United States Attorney for the Northern District of Illinois; Robert J. Shields, Jr., Acting Special Agent-in-Charge of the Chicago Office of the Federal Bureau of Investigation; and Lamont Pugh III, Special Agent-in- Charge of the Chicago Regional Office of the HHS-OIG. The Railroad Retirement Board Office of Inspector General is also participating in the investigation.
According to a 75-page affidavit in support of the arrest, search and seizure warrants, agents have interviewed several current and more than 25 former employees of Mobile Doctors, including some who reported allegedly fraudulent billing practices to Medicare before they were contacted by agents. Investigators have also reviewed emails and documents, claims data, patient files, and have conducted interviews with patients of Mobile Doctors and their primarycare physicians, whose statements contradict Mobile Doctors’ billing and patient records.
Mobile Doctors physicians do not perform tests such as echocardiograms, but do order such tests, which are done on Mobile Doctors’ patients by employees of In Home Diagnostics, doing business as Ultrasound2You. According to Medicare records, Ajiri is a minority partner in In Home Diagnostics, which is located in the same building as Mobile Doctors, and Mobile Doctors bills the echocardiograms so that they appear to have been done by Mobile Doctors’ physicians.
The complaint affidavit states that Ajiri signed a personal financial statement on Dec. 31, 2012, stating that he received $1.5 million in annual partnership income from a corporate entity, Mobile Doctors LLC, which has a complex ownership structure involving Ajiri and over time, one or both of his parents. Between 2008 and January 2013, bank records show that approximately $4.365 million was transferred from Mobile Doctors to an account in the name of Ajiri and his wife.
Upcoding patient visits
According to interviews with former and current Mobile Doctors physicians, branch managers, clinical coordinators, employees and patients, a typical visit that a Mobile Doctors physician has with an established patient lasts 10 to 30 minutes and is routine in nature. In contrast to those interviews, claims data shows that from 2006 through February 2013, approximately 99 percent of all established-patient visits by Mobile Doctors physicians were billed to Medicare using either of the two highest codes indicating the visits involved medical decision-making of moderate to high complexity, detailed or comprehensive interval histories or medical examinations, and/or visits that typically last at least 40 minutes.
In 2009 in Chicago, the local Medicare fee for a visit using the second-highest home visit code was approximately $122.82, while the fee for the highest code was approximately $171.25. According to a review of claims data for Railroad Retirement Board patients, every single established-patient visit Mobile Doctors billed to Medicare between January 2007 and June 2008 used the highest fee code. Between January 2007 and November 2012, approximately 93 percent of such visits were billed using the highest fee code.
The former manager of Mobile Doctors’ Chicago branch until she was terminated in 2008 told agents that Ajiri told her that the second-highest fee code was the default code for a patient visit so that it would be worth the gas and time spent. The manager said Ajiri told physicians, “I don’t pay for ones or twos,” referring to the two lower of the four applicable fee codes. At the end of one day, she said she saw Ajiri in his office “automatically” altering the billing codes and marking visits at the highest fee level on patient records submitted by physicians and assistants who accompanied them on home visits. A physician told agents that in late 2007, Ajiri did not respond to his concerns about Mobile Doctors’ billing practices and instead told the doctor that he could earn more money if he would order more tests such as electrocardiograms, according to the affidavit.
The complaint alleges that the vast majority of payments made on established-patient visit claims using the highest fee code were the result of fraudulent upcoding. From 2006 through 2012, Mobile Doctors received approximately $21.4 million in payments on claims using the second-highest code, and approximately $12.6 million in Medicare payments on claims using the highest fee code.
Falsely certifying patients as confined to their homes
The charges further allege that Mobile Doctors physicians, including Koroma, falsely certified patients as confined to their homes and requiring home health services when they were not home-bound and did not require such care. By referring patients to home health agencies that did not warrant Medicare payments, Mobile Doctors received more referrals from those agencies for services provided by its physicians. According to Medicare data, from August 2010 through July 2013, more than 200 home health agencies submitted Medicare claims for services allegedly rendered to patients for whom Koroma was identified as the referring physician. These home health agencies have been paid more than $10 million for services listing Koroma as the referring physician.
Between January 2006 and March 2013, Mobile Doctors physicians have certified or recertified for 60-day periods approximately 15,598 patients as confined to their homes and requiring home health services a total of approximately 83,133 times, many of which were allegedly false. Approximately 6,057 of these certifications were attributed since August 2007 to Koroma, with Mobile Doctors billing Medicare for approximately 17,439 patient visits he made during that time, more than any other Mobile Doctors physician.
The health care fraud count against Ajiri carries a maximum penalty of 10 years in prison and a $250,000 fine and restitution is mandatory. The false statements count against Koroma carries a maximum of five years in prison and a $250,000 fine. If convicted, the Court must impose a reasonable sentence under federal statutes and the advisory United States Sentencing Guidelines.
The government is being represented by Assistant U.S. Attorney Stephen C. Lee and Catherine Dick, assistant chief in the Fraud Section of the Justice Department’s Criminal Division. The U.S. Attorney’s Offices in Detroit, Indianapolis, and Phoenix also have assisted in the investigation.
The public is reminded that a complaint is not evidence of guilt. The defendants are presumed innocent and are entitled to a fair trial at which the government has the burden of proving guilt beyond a reasonable doubt.
The Medicare Fraud Strike Force began operating in Chicago in February 2011, and consists of agents from the FBI and HHS-OIG, working together with prosecutors from the U.S. Attorney’s Office and the Justice Department’s Fraud Section. The strike force is are part of the Health Care Fraud Prevention & Enforcement Action Team (HEAT), a joint initiative announced in May 2009 between the Department of Justice and HHS to focus their efforts to prevent and deter fraud and enforce current anti-fraud laws around the country. Scores of defendants have been charged locally in health care fraud cases since the strike force began operating in Chicago.
To report health care fraud to learn more about the Health Care Fraud Prevention & Enforcement Action Team (HEAT), go to: StopMedicareFraud.gov.
Full paper here (large PDF scan). One of my specific roles in the Risk Department was that of the Risk Department's "portfolio management" analytics lead, with duties including assessments for cardholder utilization patterns, collections strategy, and fraud detection and modeling.
I would imagine that the capabilities of the major statistical analytics platforms a decade hence (e.g., SAS, Stata, R, etc) are orders of magnitude better.
Set 'em loose on all manner of Health IT "big data."
More to come...