On November 10, 2016, the Office of Inspector General (“the OIG”) of the U.S. Department of Health and Human Services (“DHHS”) released its 2017 Work Plan. Published annually and updated throughout the year, the Work Plan identifies the OIG’s key areas of focus as it carries out its mission of protecting the integrity of programs within DHHS. The OIG is charged with ensuring the integrity of more than 100 programs administered by DHHS, including those within the Centers for Medicare and Medicaid Services, Center for Disease Control and Prevention, the Food and Drug Administration, and the National Institute of Health. The OIG Work Plan summarizes the OIG’s current activities, comprising both new and revised activities, along with information regarding previously identified activities that have been completed, postponed, or cancelled.
The Work Plan highlights new and continuing priorities applicable to various provider types, including hospitals, nursing homes, hospices, home health, clinical laboratories, physicians and other health professionals, medical equipment suppliers and manufacturers, pharmaceutical manufacturers and other providers and suppliers.
The 2017 Work Plan is available here.
The following is a sampling of some of the new and ongoing efforts highlighted in the Work Plan:
The Office of Civil Rights (“OCR”) has issued new guidance in connection with an increase of malicious cyberattacks, namely ransomware attacks on healthcare organizations’ computer systems. Ransomware is defined by HHS as a type of malicious software whose defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker until the requested ransom is paid.
The Affordable Care Act (sometimes referred to as Obamacare) included a requirement for providers to report and return all Medicare and Medicaid overpayments within 60 days of identification. Although this requirement has been in effect since 2010, the Centers for Medicare and Medicaid Services (“CMS”) has proposed but failed to promulgate rules serving to further clarify this requirement. On February 12, 2016, CMS published a final rule, which went into effect March 14, 2016. The final rule applies to Part A and Part B of Medicare.
When the North Carolina Division of Medical Assistance (“DMA”) decides to place a Medicaid provider on prepayment review, it can be the equivalent of a death sentence for a small business. The primary problem is that there are few avenues to appeal the decision to be placed on prepayment review, even when there is little or even no justification for DMA’s decision. Prepayment review then becomes a waiting game reducing cash flow and overwhelming providers with a paper chase gotcha game. Although the initial decision to place a provider on prepayment review cannot be challenged, this does not mean that a Medicaid provider has no options to challenge the prepayment review process.
The Federal Lawyer, a national magazine by the Federal Bar Association, just published an article by one of Parker Poe’s health care attorneys. The article looks at the implications of a recent Supreme Court decision and explores how Medicaid providers can still challenge rate cuts.
The article is available here.
From time to time the Parker Poe Health Care Blog will be asking experts in the health care field to serve as guest bloggers. Our first guest blogger is Daniel Carter from Ascendient. Ascendient is a Health Care Consulting firm located in Chapel Hill, North Carolina, that provides strategic health care planning and Certificate of Need advice and analysis. Ascendient has recently completed an in-depth analysis of the Certificate of Need (“CON”) law in North Carolina to determine how a potential repeal of the law would affect health care providers and consumers in the state. After reading it, we decided we should share this analysis with you. Here is a summary with a link to the full report.
Much of the debate over whether North Carolina’s Certificate of Need (“CON”) law should be repealed has focused on market theories without a great deal of focus on measurable realities. Ascendient decided to expand the perspective beyond the ideological arguments and review the data to see if it could draw some conclusions about how a potential repeal of the CON law in North Carolina would affect health care providers and consumers.
Based on an analysis of facts and objective data, we conclude that any move now to deregulate North Carolina’s healthcare system by reducing or eliminating the CON program would be premature and put already vulnerable hospitals at much greater risk as new entrants pick off their best patients without taking up the burden of indigent care.
There has been a lot of discussion about major changes to North Carolina’s Certificate of Need law. As these legislative discussions continue, the State Health Coordinating Council continues its work on next year’s State Medical Facilities Plan (“SMFP”). The draft plan is available on the N.C. Division of Health Service Regulation’s website. Public hearings on this proposed SMFP were held in July. Several petitions have been submitted seeking adjustments to the new determinations in the proposed 2016 SMFP.
A summary of the need determinations in the proposed 2016 SMFP is set forth below. Petitions submitted to adjust the need determinations also are listed.
An increasing number of health care providers are outsourcing the hosting and maintenance of software applications, the storage of data, and related support services. Outsourcing can provide cost savings, rapid deployment, system scalability, other efficiencies, and appropriate data security. It also introduces additional issues into the provider’s risk management analysis, largely based on the fact that a third party rather than the provider has possession and control of vital and sensitive assets and information. Before you enter into a contract that includes a cloud computing component, you should consider some of the following:
- No business decision or activity is risk free. Risk management is a balancing process based on the particular facts and circumstances. For example, a provider may be less concerned about its inability to access its web-based job application submission portal than its electronic health record application. Not all risks are the same, and a provider should devote more attention and resources to managing its greatest risks.
- Risk management is a team sport. Effective risk management requires the participation and interaction of representatives of the intended user group, financial analysts, compliance officers, information technology and data security experts, and legal counsel experienced in advising on and negotiating the particular type of contract.
Yesterday, the Office of Inspector General (“OIG”) published “Practical Guidance for Health Care Governing Boards on Compliance Oversight.” The guide is intended as an educational resource for the boards of healthcare entities of all sizes and is the result of a unique collaboration between the OIG and a number of private health care trade organizations. Topics covered by the guide include:
- expectation of the board with respect to compliance functions;
- appropriate relationships between audit, compliance, and legal departments within the organization;
- establishing expectations regarding reporting to the board;
- identifying and auditing potential risk areas; and
- encouraging a culture of compliance.
The guide can be found here.