The Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) has released its Work Plan for Fiscal Year 2016. The annual work plan can provide valuable insights into the OIG's planned areas of focus for investigation and enforcement activities in the coming year. You can find our review of last year's work plan here.

Continuing our discussion from our previous alert, below are the remaining five key observations on this year's work plan. All 11 points are discussed on our website.

7. Skilled Nursing – Compliance with SNF PPS Requirements. This year, the OIG has proposed conducting compliance reviews of Medicare program payments made pursuant to the skilled nursing facility (SNF) prospective payment system (PPS). The OIG's compliance reviews will likely focus on whether therapy provided at SNFs is adequately documented as being "reasonable and necessary" and appropriately billed to the Medicare program. As it explained in the Work Plan, OIG has previously found that (i) the amounts paid by the Medicare program for SNF therapy "greatly exceed" the SNF's actual costs, and (ii) such therapy is often billed at the highest level, even when key beneficiary characteristics remain the same.

8. Hospice – General Inpatient Care. The OIG intends to review the general inpatient care level of the Medicare hospice benefit. Specifically, the OIG intends to review the appropriateness of hospices' general inpatient care claims and the content of election statements for hospice beneficiaries who receive such general inpatient care. It further intends to assess whether this level of service for hospice beneficiaries is being billed when such services are not medically necessary, and review beneficiaries' plans of care to ensure they meet key requirements for hospice care. Finally, the OIG intends to review whether Medicare payments for hospice services were made in accordance with the Medicare program's requirements.

9. Compliance with Home Health PPS Requirements. The OIG intends to conduct a compliance review related to Medicare program payments made pursuant to the home health prospective payment system (PPS), including documentation required in support of claims paid by Medicare. Because the Medicare program has paid at least $1 billion in improper payments related to home health benefits since 2010, and because the OIG has previously found that one in four home health agencies had questionable billing under the home health PPS, this compliance review will likely be a high priority for OIG in the coming year. Home health services specifically mentioned in the Work Plan include (i) part-time or intermittent skilled nursing care; (ii) physical, occupational and speech therapy; (iii) medical social work; and (iv) home health aide services.

10. HIPAA – Networked Medical Devices. The Work Plan calls for increased scrutiny of protections of electronic protected health information (ePHI) with respect to "networked medical devices." Furthermore, the OIG indicated its plan to determine the "extent to which hospitals comply with contingency planning requirements of the Health Insurance Portability and Accountability Act (HIPAA)" regarding their use of electronic health records (EHR) systems. Thus, the OIG has indicated that there will be heightened focus on the HIPAA Security Rule, which addresses the administrative, physical and technical safeguards of ePHI (45 CFR Part 160 and Subparts A and C of Part 164).

The OIG specifically indicated that it will examine whether the U.S. Food and Drug Administration (FDA) is providing sufficient oversight of "networked medical devices" in hospitals. Although the list of devices that store and transmit ePHI is vast and growing rapidly, the OIG specifically mentioned "dialysis machines, radiology systems, and medication dispensing systems that are integrated with electronic medical records (EMRs) and the larger health network."

The OIG also stated, "Medical device manufacturers provide Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms to assist health care providers in assessing the vulnerability and risks associated with ePHI that is transmitted or maintained by a medical device." This effectively signaled that HIPAA-covered entities that use networked medical devices should document the ways in which they have considered the disclosure statements for such devices as part of their HIPAA security risk assessments and overall HIPAA compliance plans.

11. HIPAA – Electronic Health Records Contingency Plans. With respect to EHRs, the OIG Work Plan reiterated that "the HIPAA Security Rule requires covered entities to have a contingency plan that establishes policies and procedures for responding to an emergency or other occurrence that damages systems that contain protected health information." As a result, the OIG plans to "compare hospitals' contingency plans with government- and industry-recommended practices."

Cybersecurity issues involving medical devices will continue to grow as devices and EHR systems proliferate. Covered entities will need to be vigilant in addressing the HIPAA considerations as they use and dispose of these devices and as they continue the shift to electronic health record systems. Similarly, manufacturers of medical devices and developers of EHR systems will need to ensure that security is a fundamental part of design and production.
