Chapter 5

HIPAA for Allied Health Careers Chapter5 HIPAA Enforcement

LEARNING OUTCOMES After studying this chapter, you should be able to: Explain the purpose of the HIPAA final enforcement rule. Distinguish between civil and criminal cases. Describe the roles of the Office for Civil Rights (OCR) and the Department of Justice (DOJ) in the enforcement of the HIPAA privacy standards. Describe the role of the Centers for Medicare and Medicaid Services (CMS) in the enforcement of the HIPAA security, transactions, code sets, and identifiers standards. Describe the civil case procedure followed by OCR and CMS. Discuss the role of the Office of Inspector General (OIG) of the Health and Human Services Department (HHS) in enforcing HIPAA. Compare fraud and abuse. Discuss the laws that underpin the OIG’s fraud and abuse enforcement actions. Describe the purpose of an OIG Work Plan. List the recommended elements of a compliance plan.

abuse administrative law judge (ALJ) advisory opinion audit audit reports benchmark certification of compliance agreement (CCA) civil money penalties (CMP) civil violation code of conduct compliance plan compliance program guidance Key Terms

corporate integrity agreement (CIA) criminal violation Deficit Reduction Act (DRA) of 2005 Department of Justice (DOJ) excluded parties external audit False Claims Act (FCA) fraud Health Care Fraud and Abuse Control Program HIPAA final enforcement rule internal audit Office of the Inspector General (OIG) KEY TERMS (cont’d)

OIG Fraud Alert OIG Work Plan qui tam relator Stark II triggered reviews upcoding Key Terms (cont’d)

HIPAA Enforcement Agencies Office for Civil Rights (OCR) enforces HIPAA privacy rule. Department of Justice (DOJ) prosecutes criminal violations of HIPAA privacy rules. Centers for Medicare and Medicaid (CMS) enforces HIPAA nonprivacy standards. HHS Office of the Inspector General (OIG) combats fraud and abuse in health care. The HIPAA Enforcement Rule

Civil Case Procedures Voluntary compliance depends on publicity as a deterrent. Civil money penalties are applied infrequently. The HIPAA Enforcement Rule (cont’d)

Criminal Case Procedures Knowingly obtaining PHI in violation of HIPAA $50,000 1 year Offenses done under false pretenses $100,000 5 years Using PHI for profit, gain, or harm $250,000 10 years The HIPAA Enforcement Rule (cont’d)

Who Is Responsible: The Covered Entity, Business Associates, or Employees? Only covered entities can be charged with HIPAA violations. Only the enforcing agencies can bring charges. CE must follow rules regarding business associate violations. The HIPAA Enforcement Rule (cont’d)

The Health Care Fraud and Abuse Control Program HHS OIG has task of detecting fraud and abuse. DOJ prosecutes cases found. Fraud and Abuse Regulations

Federal False Claims Act Prohibits false claims. Prohibits false statements regarding a claim. Protects relators in qui tam cases. Fraud and Abuse Regulations (cont’d)

Additional Laws Antikickback Act of 1986 Stark Laws Sarbanes-Oxley Act Deficit Reduction Act (DRA) Fraud and Abuse Regulations

Definition of Fraud and Abuse Fraud is an intentional act to gain illegal financial advantage, such as upcoding. Abuse is unsound medical or business practices resulting in waste of government money. Fraud and Abuse Regulations (cont’d)

OIG Investigations, Audits, and Advice The OIG Work Plan Advisory Opinions Audit Reports OIG Fraud Alerts OIG Advisory Bulletins Excluded Parties Corporate Integrity Agreements (CIAs) Certificate of Compliance Agreement (CCA) Fraud and Abuse Regulations (cont’d)

OIG’s Civil Money Penalties Can be imposed for a wide variety of HIPAA violations. Can be imposed under the Emergency Medical Treatment and Active Labor Act that require hospitals to: Operate an emergency department Provide stabilizing treatment or an appropriate transfer for an emergency medical condition Accept appropriate transfers of individuals with emergency medical conditions Fraud and Abuse Regulations (cont’d)

Guidance on Compliance Plans Compliance program guidance has been issued by the OIG for various types of providers. Parts of a Compliance Plan The seven element of a good plan are: 1. Written policies and procedures 2. Appointment of a compliance officer and committee 3. Training 4. Communication 5. Auditing and monitoring 6. Disciplinary systems 7. Responding to and correcting errors Strategies for Compliance: The Compliance Plan

Written Policies and Procedures Code of conduct Written compliance policies and procedures Retention of records and information systems Performance evaluations Strategies for Compliance: The Compliance Plan (cont’d)

Compliance Officer and Committee: Compliance officer analyzes: Federal and state statutes Government-sponsored program regulations (Medicare and Medicaid) Medicare Carriers Manual and Coverage Issues Manual Other health plans’ regulations Current and past years’ OIG Work Plans OIG Fraud Alerts and audit reports Strategies for Compliance: The Compliance Plan

Ongoing Training Keeping staff up to date Effective Lines of Communication How noncompliant actions are reported Strategies for Compliance: The Compliance Plan

Ongoing Auditing and Monitoring Regular internal audits triggered by benchmarking External audits required by an enforcing agency Disciplinary Guidelines and Policies Policies in place that apply to all employees Corrective Action Strategies for Compliance: The Compliance Plan

Chapter 5

Chapter 5

Presentation Transcript

Chapter 5

Chapter 5

Chapter 5

Chapter 5

Chapter 5 5

chapter 5

Chapter 5

Chapter 5

Chapter 5

Chapter 5

Chapter 5

CHAPTER 5

Chapter 5

CHAPTER 5

Chapter 5

Chapter 5

Chapter 5

Chapter 5

Chapter 5

Chapter 5

Chapter 5

Chapter 5