Health Law Alert: HIPAA Enforcement, Medicare Overpayment Recoveries Remain Top Priority in 2013
HHS Announces First HIPAA Breach Settlement Involving Less Than 500 Patients
On January 2, 2013, the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) announced that The Hospice of North Idaho (HONI) had agreed to pay HHS $50,000 and to comply with a Corrective Action Plan to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This is the first HIPAA breach settlement obtained by HHS that involves less than 500 patients and further confirms OCR’s commitment to enforcing the Security Rule (OCR obtained Security Rule settlements of $1.5 million and $1.7 million in June and September 2012, respectively). According to OCR Director Leon Rodriguez, “[t]his action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”
OCR began its investigation after HONI self-reported to HHS that an unencrypted laptop containing the electronic protected health information (ePHI) of 441 patients had been stolen. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information and The Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report a “breach” of PHI within 60 days of the breach (if involving 500 or more patients) or annually (if involving less than 500 patients).
During the course of its investigation, OCR determined that HONI did not conduct “an accurate and thorough analysis of the risk to the confidentiality of ePHI on an ongoing basis as part of its security management process” and that HONI did not “adequately adopt or implement security measures sufficient to ensure the confidentiality of ePHI that it created, maintained, and transmitted using portable devices[.]” Director Rodriguez drew particular attention to HONI’s failure to encrypt the stolen laptops, “Encryption is an easy method for making lost information unusable, unreadable, and undecipherable.” HHS has launched an effort to provide covered entities with more practical tips on ways to protect ePHI when using laptops, tablets, and smartphones. For more information visit the following web site: www.HealthIT.gov/mobiledevices.
As a result of the settlement, HONI paid HHS $50,000 and agreed to a Corrective Action Plan that requires HONI to promptly investigate any failure of an employee to comply with HONI’s privacy and security policies and to notify HHS within 30 days if HONI determines that a compliance failure has occurred.
Fiscal Cliff Resolution: Continued Focus on Overpayments; Temporary Fix to Sustainable Growth Rate
Health care was not the central focus of the recent debate about how to resolve the nation’s “fiscal cliff” crisis. However, a number of important health care provisions found their way into the “American Taxpayer Relief Act of 2012”—the formal name of the bill that at least temporarily averted out plunge off of the cliff.
Understandably, the change that grabbed most of the attention from providers was the passage of yet another one-year delay on implementation of 1997’s Sustainable Growth Rate “update.” This delay, commonly referred to as the “doc fix” postponed a 26.5% cut in Medicare Part B reimbursement. To the continued frustration of many in the provider community, Congress failed once again to come up with a permanent resolution for the Sustainable Growth Rate, a problem that ensures we will once again be talking about this issue towards the end of 2013. In fact, providers may see a 2% cut in Part B payments on March 1, depending on what Congress and the president do to address “sequestration” (the package of cuts announced in 2011, and pushed back for 2 months under the American Taxpayer Relief Act of 2012, that included funding cuts for many federal programs as part of the overall effort to address the nation’s debt ceiling).
Meanwhile, it is no secret that HHS has been focused over the past few years on expanding federal tools for recovering “overpayments” from providers. Changes from 2009’s Fraud Enforcement and Recovery Act codified the concept of a “reverse false claim” (defined to mean knowingly concealing or improperly avoiding or decreasing an obligation to pay money to the government) as conduct that is expressly actionable under the False Claims Act. 2010’s Affordable Care Act added a statutory provision requiring providers to return any overpayments within a brief 60-day timeframe. Failure to meet this deadline is also actionable under the False Claims Act. Notably, we are still waiting for CMS to finalize proposed regulations (issued in February 2012) implementing this change.
Now, under Section 638 — entitled “Removing Obstacles to Collection of Overpayments” — of the recently passed Act, Medicare contractors will have five years (as opposed to three years) to collect non-fraudulent overpayments from providers. This change is the result of a May 2012 Office of Inspector General report, “Obstacles to Collection of Millions in Medicare Overpayments.” The OIG report concluded that of approximately $416 million in collectable overpayments, CMS failed to collect $332 (or almost 80%) of the total. A key reason for this failure was that Medicare rules historically imposed a three-year statute of limitations for “no fault” overpayments. CMS guidelines had historically indicated that, in the absence of evidence to the contrary, recipients of payments are without fault if the contractor determines the amount was incorrect subsequent to the third calendar year after the year in which amounts were paid. The 2012 OIG Report recommended that CMS seek a legislative fix that expands this look-back period. Congress responded by expanding the without fault, look-back period from three to five years. According to the Congressional Budget Office, this change will translate to an additional $500 million recovered between 2013-2022.
If you have any questions about this settlement, compliance with the Security Rule or issues related to overpayments, please contact Jeremy Johnson (jeremy.johnson@lathropgpm.com / 612.632.3035) or Jesse Berg (jesse.berg@lathropgpm.com / 612.632.3374).
This article is provided for general informational purposes only and should not be construed as legal advice or legal opinion on any specific facts or circumstances. You are urged to consult a lawyer concerning any specific legal questions you may have.