On November 10, 2016, the Office of Inspector General (“the OIG”) of the U.S. Department of Health and Human Services (“DHHS”) released its 2017 Work Plan. Published annually and updated throughout the year, the Work Plan identifies the OIG’s key areas of focus as it carries out its mission of protecting the integrity of programs within DHHS. The OIG is charged with ensuring the integrity of more than 100 programs administered by DHHS, including those within the Centers for Medicare and Medicaid Services, Centers for Disease Control and Prevention, the Food and Drug Administration, and the National Institutes of Health. The OIG Work Plan summarizes the OIG’s current activities, comprising both new and revised activities, along with information regarding previously identified activities that have been completed, postponed, or cancelled.
The Work Plan highlights new and continuing priorities applicable to various provider types, including hospitals, nursing homes, hospices, home health, clinical laboratories, physicians and other health professionals, medical equipment suppliers and manufacturers, pharmaceutical manufacturers and other providers and suppliers.
The 2017 Work Plan is available here.
The following is a sampling of some of the new and ongoing efforts highlighted in the Work Plan:
The Office of Civil Rights (“OCR”) has issued new guidance in connection with an increase of malicious cyberattacks, namely ransomware attacks on healthcare organizations’ computer systems. Ransomware is defined by HHS as a type of malicious software whose defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker until the requested ransom is paid.
The Affordable Care Act (sometimes referred to as Obamacare) included a requirement for providers to report and return all Medicare and Medicaid overpayments within 60 days of identification. Although this requirement has been in effect since 2010, the Centers for Medicare and Medicaid Services (“CMS”) has proposed but failed to promulgate rules serving to further clarify this requirement. On February 12, 2016, CMS published a final rule, which went into effect March 14, 2016. The final rule applies to Part A and Part B of Medicare.
There has been a lot of discussion about major changes to North Carolina’s Certificate of Need law. As these legislative discussions continue, the State Health Coordinating Council continues its work on next year’s State Medical Facilities Plan (“SMFP”). The draft plan is available on the N.C. Division of Health Service Regulation’s website. Public hearings on this proposed SMFP were held in July. Several petitions have been submitted seeking adjustments to the new determinations in the proposed 2016 SMFP.
A summary of the need determinations in the proposed 2016 SMFP is set forth below. Petitions submitted to adjust the need determinations also are listed.
An increasing number of health care providers are outsourcing the hosting and maintenance of software applications, the storage of data, and related support services. Outsourcing can provide cost savings, rapid deployment, system scalability, other efficiencies, and appropriate data security. It also introduces additional issues into the provider’s risk management analysis, largely based on the fact that a third party rather than the provider has possession and control of vital and sensitive assets and information. Before you enter into a contract that includes a cloud computing component, you should consider some of the following:
- No business decision or activity is risk free. Risk management is a balancing process based on the particular facts and circumstances. For example, a provider may be less concerned about its inability to access its web-based job application submission portal than its electronic health record application. Not all risks are the same, and a provider should devote more attention and resources to managing its greatest risks.
- Risk management is a team sport. Effective risk management requires the participation and interaction of representatives of the intended user group, financial analysts, compliance officers, information technology and data security experts, and legal counsel experienced in advising on and negotiating the particular type of contract.
This paragraph (or some variation) finds its way into lots of contracts when one or both of the parties to the contract are participants in the health care industry:
If [Party name] provides services, the cost or value of which is $10,000 or more over a 12-month period, including contracts for both goods and services in which the service component is worth $10,000 or more over a 12-month period, then [Party name] allows the Comptroller General of the United States, HHS, and their duly authorized representatives access to [Party name]’s contract, books, documents, and records until the expiration of four years after the services are furnished under the terms of this Agreement. [Party name] will also allow access to the subcontractor’s contracts of a similar nature between subcontractors and related organizations of the subcontractor, and to their books, documents, and records.
Does it need to be in the contract? The simple rule is that, unless the contract relates to provision of services to an entity that is enrolled as a provider with Medicare (Part A), it does not need to be included. If, however, the contract does relate to services to a provider (such as a hospital, skilled nursing facility, or hospice), then the provision must be included, or Medicare can deny reimbursement for the service.