Hospice Oversight: 2024’s Most Impactful Regulatory Actions

Hospice News | By Jim Parker

The past year has seen a slew of regulatory developments aimed at improving quality and combatting fraud in the hospice industry.

The drive by regulators and members of Congress to strengthen oversight is fueled by two main factors. The first was two July 2019 reports on hospice quality from the Office of the Inspector General (OIG) in the U.S. Department of Health and Human Services (HHS). These spurred passage of the Helping Our Senior Population in Comfort Environments (HOSPICE) Act, which mandated the establishment of a hospice Special Focus Program (SFP), among other actions.

The second driving force was the emergence of fraudulent actors in the space in relatively large numbers, particularly concentrated in California, Nevada, Arizona and Texas.

Investigations have shown that potentially hundreds of newly licensed hospices have bilked Medicare of millions of dollars during the past several years, all while providing egregiously poor care or none at all. Some of these providers engaged in referral kickback schemes, enrolled patients who were not eligible for hospice and lied to them about being terminally ill.

In some instances, multiple hospices have been operating out of the same address without a corresponding increase in the population of eligible patients. Some individuals also hold management positions at several of these hospices simultaneously.

The Hospice Special Focus Program

Finalized in the U.S. Centers for Medicare & Medicaid Services’ (CMS) 2024 home health rule, the SFP is set for 2025 implementation.

Though the hospice community generally has voiced support for the program, many contend that the agency’s methodology for identifying hospices for the SFP is deeply flawed. Stakeholders, including hospice providers and members of Congress, have called on CMS to postpone the program and revise that algorithm.

The program will have the authority to impose enforcement remedies against hospices with poor performance based on its algorithm. Hospices flagged by the SFP also will be surveyed every six months rather than the current three-year cycle and could face monetary penalties or expulsion from the Medicare program. CMS will also make public the names of hospices selected for the SFP.

The program, set to begin Jan. 1, 2025, could potentially lead patients away from quality providers and into the arms of bad actors in the space, according to Dr. Steven Landers, newly appointed CEO of the National Alliance for Care at Home…

Read Full Article

Keeping Referral Partners Happy After Dropping Contracts With Medicare Advantage Plans

Home Health Care News | By Audrie Martin
 
Home health providers may walk away from specific health plans due to financial feasibility, administrative burdens, or misalignment with their patient care values and priorities. However, this decision can create short-term challenges with referral partners and health systems, as they may have patients enrolled in those plans.
 
“If a health plan consistently under-reimburses for services or requires excessive administrative hurdles, it may compromise the ability to deliver quality care efficiently,” Preston Lucas, chief financial officer at Interim HealthCare Great Lakes, told Home Health Care News. “Additionally, if the plan’s policies restrict access to necessary treatments or fail to support the level of care required for patients, it becomes difficult to sustain the partnership.” 
 
Founded in 1966, Interim HealthCare provides home health care, personal care and support, hospice care and medical staffing services. The Sunrise, Florida-based franchise network comprises 320 individually owned and operated offices.
 
Interim HealthCare Great Lakes operates in the Midwest and in Florida. 
 
Medicare Advantage (MA) plans often pay meager rates for home health services. Particularly as the Centers for Medicare & Medicaid Services (CMS) reduces traditional Medicare rates, that puts providers’ business sustainability in danger. 
 
Maintaining open lines of communication and emphasizing the shared goal of providing high-quality care helps mitigate the short-term consequences of leaving a health system, according to Lucas. 
 
By explaining the rationale – such as unsustainable reimbursement rates or obstacles to patient care – most partners understand the need for such decisions. Ultimately, prioritizing the best patient outcomes resonates with referral partners. 
 
“Transparency and collaboration are key,” Lucas said. “When communicating such decisions, engaging referral partners early in the process is important. This includes explaining the reasons behind the decision and offering supporting data. Above all, focusing on how the decision aligns with patient care priorities ensures the conversation remains constructive.” …

Read Full Article

OIG Audit Reveals Gaps in OCR’s HIPAA Audit Program

Alliance Daily

On November 25, 2024, the U.S. Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) published findings from an audit of the Office for Civil Rights’ (OCR) HIPAA Audit Program. The report highlights significant shortcomings in OCR’s implementation and oversight of the program, raising concerns about the protection of electronic protected health information (ePHI) in the face of escalating cyber threats.

The healthcare industry has experienced an alarming rise in cyberattacks, including ransomware and data breaches, in recent years. According to OCR’s annual reports, reported breaches affecting 500 or more individuals increased by 87% between 2016 and 2022. In 2023 alone, hacking incidents accounted for 77% of reported breaches, exposing the data of over 88 million individuals. These attacks can jeopardize sensitive health information, disrupt operations, and pose risks to patient care and safety. For example, a recent data breach involving a subcontractor for the Centers for Medicare & Medicaid Services (CMS) potentially exposed the personal and health information of over 900,000 Medicare beneficiaries, highlighting the vulnerability these data breaches pose to ePHI privacy protections.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required HHS to establish national standards for the use and dissemination of healthcare information, including for the protection of ePHI. The Health Information Technology for Economic and Clinical Health (HITECH) Act required, among other things, HHS to perform periodic audits, known as HIPAA audits, of covered entities and business associates to ensure compliance with HIPAA requirements. These audits, conducted through OCR’s HIPAA Audit Program, aim to ensure compliance with HIPAA rules, particularly amid rising cybersecurity risks in the healthcare sector.

The OIG reviewed OCR’s administration of its HIPAA Audit Program from January 16 to December 2020, which included an examination of 30 of the 207 final HIPAA audit reports and related documents produced by the agency during that period. The OIG found that although OCR fulfilled its requirement to perform HIPAA audits pursuant to the HITECH Act, these audits were limited in scope, and coupled with a lack of follow-up on serious compliance issues, raised questions about the program’s efficacy.

The OIG noted the following in its report:

1. Inadequate Audit Scope: The OIG observed that in 2016 and 2017, OCR’s HIPAA Audit Program conducted desk audits of selected entities, assessing only 8 of the 180 requirements outlined in its comprehensive audit protocol, with a focus on only two Security Rule administrative safeguards and no evaluation of physical or technical security safeguards. The OIG noted that although these safeguards were identified as risk areas in a 2012 OCR audit, the assessment of these two safeguards alone is insufficient to assess security risks within the healthcare sector and determine ePHI protection effectiveness. Moreover, the OIG found that due to the HIPAA audits’ limited scope, they likely failed to identify entities that had not implemented the physical and technical safeguards indicated in the HIPAA Security Rule to protect ePHI from common cybersecurity threats.

2. Insufficient Oversight and Follow-Up: The OIG found that OCR’s oversight of its HIPAA Audit Program was not likely to effectively improve covered entities’ cybersecurity protections. Particularly, the OIG found that OCR did not require entities to implement corrective actions for deficiencies identified during audits, raising concerns about the absence of any elements in OCR’s HIPAA audits program to address and monitor HIPAA Rules compliance. Further, OCR did not define how it would initiate compliance reviews for serious violations, resulting in potential missed opportunities to ensure its audit program was effective in helping protect ePHI information and improving entities’ cybersecurity threat preparedness.
3. Resource Limitations and Audit Frequency: OCR cited financial and staffing constraints as barriers to expanding the audit scope and enforcing corrective actions, and although it has requested additional appropriations, these efforts have not been successful. Further, since 2017, OCR has not conducted any new HIPAA audits, potentially missing an opportunity to identify audited entities’ noncompliance with HIPAA rules.

The OIG issued several recommendations to OCR:

1. Expand the scope of its HIPAA audits to assess compliance with physical and technical safeguards from the Security Rule;
2. document and implement standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner;
3. define and document criteria for determining whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance review; and
4. define metrics for monitoring the effectiveness of OCR’s HIPAA audits at improving audited entities’ protections over ePHI and periodically review whether these metrics should be refined.

OCR concurred with the first, third, and fourth recommendations, agreeing to enhance audit scope (provided the agency receives appropriate funding) and focus future audits on a variety of factors, establish follow-up criteria, and develop program metrics. However, OCR did not concur with the second recommendation, citing limitations under the HITECH Act and concerns about deterring voluntary audit participation.[1]

The findings highlight a need for healthcare providers, including those delivering care in the home, to proactively address cybersecurity risks and strengthen HIPAA compliance efforts. As OCR addresses the report’s recommendations, healthcare providers must remain vigilant in their compliance efforts amid an evolving cybersecurity landscape.

[1] OCR indicated it has sought legislation from Congress to grant it authority to seek injunctive relief, allowing collaboration with the Department of Justice to pursue remedies in federal court to enforce compliance with HIPAA Rules.

If My Dying Daughter Could Face Her Mortality, Why Couldn’t the Rest of Us?

The New York Times | By Sarah Wildman

 The first week of March 2022, I flew to Miami with my 13-year-old daughter, Orli; her 8-year-old sister, Hana; and my partner, Ian. We were, by all appearances, healthy. Robust, even.

In reality, we were at the end of a reprieve. Orli’s liver cancer had by then been assaulted by two years of treatments — chemotherapy, a liver transplant, more chemotherapy, seven surgeries. Now new metastases lit up a corner of one lung on scans, asymptomatic but foreboding. We asked her medical team if we might show her a bit of the world before more procedures. Our oncologist balked. Hence, this brief weekend away.

When we arrived at the beach Orli ran directly to the water, then came back and stretched out on a lounge chair. She turned to me and asked, “What if this is the best I ever feel again?”

Three hundred and seventy-six days later, she was dead.

In the time since she left us, I have thought often of Orli’s question. All that spring, Orli asked, pointedly, why did we think a cure was still possible, that cancer would not continue to return? Left unspoken: Was she going to die from her disease? It was a conversation she wanted to have. And yet what we found over the wild course of her illness was that such conversations are often discouraged, in the doctor’s office and outside it.

What would it have meant for Orli’s last year if her medical team had encouraged us to meet her where she was? What if we lived in a society that was able to sit with the anguish that arises for very sick children and their families? In other words: What if we were presented with something other than relentless hope? If we had been asked to really consider that Orli’s time on earth was limited, how would we have used that time?

Americans — really, Westerners — are terrified of death. We shy away from it. Death is a problem to solve, not an inevitable part of life. As the grief therapist David Kessler pointed out to me, we once visited the dead in the front parlors of private homes. Now the dead are tucked out of sight, handled by others. A bereaved family is the locus of nightmares rather than the focus of shared support.

Nowhere is this more true than with the prospect of a child’s death. Death from illness is seen as aberrant, unusual, terrifying. Death from war, gun violence, abuse is lamentable, awful — separate. Healthy children and teens are largely shielded from the critically ill. Visiting the sick, let alone the dying, is associated with the aged and infirm; a charitable act, but not integrated into our ethos. Clergy members are overburdened. Death in America is a whisper, a shame, an error. Supporting a family through the end of life is delicate. For a child, it is also obscene…

Read Full Article