Medicare Compliance & Reimbursement

CMS has released its first major overhaul of nursing home regulations since 1991.

The Centers for Medicare & Medicaid Services (CMS) proposed the updates in July 2015 and received nearly 10,000 public comments, Acting Administrator Andy Slavitt noted in a blog post (https://blog.cms.gov/2016/09/28/commitment-to-person-centered-care-for-long-term-care-facility-residents/). The final rule was published in the Federal Register on October 4, and Phase I regulations take effect by November 28, 2016.

The final rule guarantees the rights of patients or families to sue long-term care facilities because it bans “pre-dispute binding arbitration” clauses in nursing home contracts. During the comment period, industry groups like the American Health Care Association said they opposed this ban. Many elder care attorneys and consumer groups support the ban.

Other regulations in the 713-page rule say that long-term care facilities must:

*Provide “nourishing, palatable food” to residents.
* Develop a care plan within 48 hours of a resident’s admission.
* Develop “infection prevention and control programs” that include monitoring antibiotic use.
* Ensure that staff are trained on caring for residents with dementia and in preventing elder abuse.

To read the final rule, go to: https://www.federalregister.gov/documents/2016/10/04/2016-23503/medicare-and-medicaid-programs-reform-of-requirements-for-long-term-care-facilities.

In other news ...

Get the Latest on MACRA Medicare Card Update

MACRA is bringing with it some unexpected changes.  Medicare cards will no longer include Social Security Numbers (SSNs), as MACRA requires CMS to remove these identifiers in an effort to stop identity theft and protect the privacy of its beneficiaries. The change is effective April of 2019.

Advice and information about Medicare’s timeline and what the initiative will entail was revealed in the Sept. 29, 2016 MLN Connects Provider e-News. The program, called the Social Security Number Removal Initiative, or SSNRI for short, will go into effect starting April 2018 with the transition period running through Dec. 31, 2019.

“A new randomly generated Medicare Beneficiary Identifier (MBI) will replace the SSN-based Health Insurance Claim Number on new Medicare cards for transactions like billing, eligibility status, and claim status,” says the MLN Connects release.

With both a comprehensive overview of the SSNRI and a link for providers on how to adapt their practice management systems in preparation for the change, CMS hopes to prepare providers in advance so that the eventual conversion runs smoothly.

For a link to the MLN Connects Provider e-News, visit https://www.cms.gov/Outreach-and-Education/Outreach/FFSProvPartProg/Provider-Partnership-Email-Archive-Items/2016-09-29-eNews.html?DLPage=1&DLEntries=10&DLSort=0&DLSortDir=descending#_Toc462812247.

Prepare for HIPAA Phase 2 Audits

Beware: HIPAA “desk audits” are currently underway for covered entities (CEs). And business associates (BA) are next on the HHS Office for Civil Rights’ list as Phase 2 audits continue.

OCR recently held an informational webinar for organizations selected for the Phase 2 audits. The webinar came on the heels of OCR’s notifications (on July 11) to the 167 CEs selected to participate in the HIPAA desk audits. OCR Director Jocelyn Samuels, JD and Division Deputy Director Deven McGraw, JD, HIP led the webinar presentation, joined by OCR staffers Linda Sanches, MPH and Zinethia Clemmons, MBA, MHA, RHIA, PMP.

The webinar largely covered the desk audit process, including what to expect, the HIPAA controls, the final report, and document request, receipt and response. The session opened with an overview of the Phase 2 audit program, the random selection process, and the differences between desk audits versus onsite audits.

For CEs, the desk audits are now underway and will be ongoing until the end of the year, while the onsite audits will begin in early 2017. If your organization is undergoing a desk audit now, OCR may select you for an onsite audit.

Pay attention: The business associate (BA) desk audits begin in September, and OCR will select the pool of auditees largely based on those BAs that the audited CEs identify in their document responses. Comprehensive onsite audits for BAs will also begin early next year.

For the desk audits, OCR is limiting the scope to a total of seven controls drawn from the HIPAA Security Rule, the Privacy Rule, and the Breach Notification Rule. Notably, OCR will audit entities on either Security Rule controls or Privacy Rule and Breach Notification rule compliance. The subsequent onsite audits, however, will evaluate auditees based on a comprehensive set of HIPAA compliance controls.

Hidden trap: If your organization has multiple locations or sub-entities under the same ownership, OCR might select two or more of your locations for separate desk audits. If this happens, don’t be surprised if OCR selects one location for privacy and breach notification controls, and the other for security controls. Treating separate locations as separate CEs is intentional, according to OCR.

After reviewing submitted documentation during the desk audits, OCR will share its draft findings with you. Then, you can respond to those findings and OCR will include your written responses in the final audit report. The final audit report will also describe how OCR conducted the audit and present any findings.

OCR will announce onsite audits in late fall. OCR has noted that a CE’s “lack of cooperation with the desk audit” would be the major factor that would lead to inclusion in the onsite audit pool.

Look out: After the onsite audit process, you might not be finished. OCR could then decide to open a separate compliance review if it found significant threats to PHI privacy and security during the audit. To access more information about the Phase 2 audits, go to www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.