June 2021 PAR Focus: OIG Workplan

Published on Wednesday, June 16, 2021

Prior to 2017, the Office of Inspector General’s (OIG) Work Plan was published on an annual and sometimes semi-annual basis. The OIG began updating the Work Plan on a monthly basis effective June 15, 2017. The change was made as the OIG acknowledged that the “work planning process is dynamic, and adjustments are made throughout the year to meet priorities and to anticipate and respond to emerging issues with the resources available.” The Work Plan includes items for several agencies (e.g., Centers for Medicare & Medicaid Services (CMS), Administration for Children and Families, Office for Civil Rights (OCR)). There are two recent additions to the Work Plan that I would like to share with you.

Active Work Plan Item: Impact of Expanding the Hospital Transfer Payment Policy for Early Discharges to Post-acute Care

This item (link) was added to the Work Plan in May 2021. The OIG plans to determine the impact for Medicare and hospitals if the Post-Acute Care (PAC) MS-DRG list were expanded to include all MS-DRGs. In the detail of this Work Plan item, the OIG notes that “Analysis of Medicare claims data demonstrates significant occurrences of early discharges from hospitals to PAC facilities for MS-DRGs that are not currently subject to the PAC transfer payment policy. Medicare pays a full prospective payment system (PPS) rate to hospitals for these early discharges.”

The Post-Acute Care Transfer (PACT) Policy was implemented to prevent Medicare from paying for the same care twice. This policy currently reduces reimbursement to a hospital when:

  • A hospitalization codes to an MS-DRG designated as a Transfer MS-DRG,
  • The patient’s length of stay (LOS) is at least 1 day less than the geometric mean length of stay (GMLOS) for the MS-DRG, and
  • The patient is discharged to one of the “qualified discharges” (03-Skilled Nursing Facility (SNF), 05-Children’s Hospital or Designated Cancer Center, 06-Home with Home Health within 3 days of discharge, 50-Discharges/Transferred to Hospice Home, 51-Discharged/Transferred to Hospice, General Inpatient Care or Inpatient Respite, 62-Inpatient Rehabilitation Facilities & Units, 63-Long Term Care Hospitals, and 65-Psychiatric Hospitals & Units)

Annually, CMS publishes a list of MS-DRGs subject to the PACT policy in Table 5 of the applicable Fiscal Year IPPS Final Rule. For FY 2021 there are 765 MS-DRGs and 280 (36.6%) have been designated a PACT MS-DRG.

Discharge Dispositions hospice home (50) and hospice general inpatient care/respite (51) were added to this policy in FY 2019 as required by the Bipartisan Budget Act of 2018. At that time, CMS actuaries estimated that the change would “generate an annual savings of approximately $240 million in Medicare payments in FY 2019, and up to $540 million annually by FY 2028.” With these estimates it is no wonder the OIG has added this item to their Work Plan. The OIG has an expected issue date for a report in FY 2022.

Active Work Plan Item: Audit of the Effectiveness of HHS’s Governance to Ensure Hospitals Implement Measures to Prevent, Detect, and Recover from Cyberattacks

This item (link) was also added to the Work Plan in May 2021. As an active member of MMP’s HIPAA/HITECH Privacy Committee, I felt it was important to make our readers aware of this item. If you listen to the news, this is a very timely item as hospitals are constantly under threat of the theft of electronic protected health information (ePHI) by ransomware, malware, insider threats, and even honest mistakes.

“In October 2020, the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Department of Health and Human Services (HHS) issued a joint cybersecurity advisory (link) regarding ransomware activity targeting the health care and public health sector. The advisory stated that threat actors have continued to develop new functionality and tools, thereby increasing the ease, speed, and profitability of ransomware attacks.”

OIG Audit Plan
  • “Audit HHS's governance over its programs to determine whether HHS's Office of Civil Rights (OCR) has performed periodic audits of hospitals to assess compliance with Health Insurance Portability and Accountability Act (HIPAA) Security, Privacy, and Breach Notification rules and determine whether these audits effectively assessed ePHI protections.”
  • “Determine whether CMS's certification process for participation in the Medicare program requires hospitals participating in the Medicare program to implement minimum security safeguards to prevent and detect cyberattacks, ensure continuity of patient care, and protect beneficiary data.”
  • “Conduct security assessments at 10 U.S. hospitals to determine whether they have adequately implemented HIPAA security requirements or effective cybersecurity measures to prevent, detect, and recover from cyberattacks.”

The OIG has an expected issue date for a report in FY 2022.

2016-2017 OCR HIPAA Audits Industry Report

As mentioned above, the OIG plans to determine if the OCR has performed periodic audits of hospitals. On December 17, 2020, the Office for Civil Rights (OCR) released its 2016-2017 HIPAA Audits Industry Report. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires HHS to periodically audit covered entities (CEs) and business associates (BAs) for compliance with the HIPAA Rules. This Industry Report was published to share overall findings from audits conducted with 166 CEs and 41 BAs. To provide insight into what was included in the audit, following is the summary of audit findings from the December HHS Press Release (link):

  • Most covered entities met the timeliness requirements for providing breach notification to individuals,
  • Most covered entities that maintained a website about their customer services or benefits satisfied the requirement to prominently post their Notice of Privacy Practices on their website,
  • Most covered entities failed to provide all the required content for a Notice of Privacy Practices,
  • Most covered entities failed to provide all the required content for breach notification to individuals,
  • Most covered entities failed to properly implement the individual right of access requirements such as timely action within 30 days and charging a reasonable cost-based fee,
  • Most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.

The HHS Press Release ended with the following statement from OCR Director Roger Severino, “The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative…We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

Article Author: Beth Cobb, RN, BSN, ACM, CCDS
Beth Cobb, RN, BSN, ACM, CCDS, is the Manager of Clinical Analytics at Medical Management Plus, Inc. Beth has over twenty-five years of experience in healthcare including eleven years in Case Management at a large multi-facility health system. In her current position, Beth is a principal writer for MMP’s Wednesday@One weekly e-newsletter, an active member of our HIPAA Compliance Committee, MMP’s Education Department Program Director and co-developer of MMP’s proprietary Compliance Protection Assessment Tool.

This material was compiled to share information.  MMP, Inc. is not offering legal advice. Every reasonable effort has been taken to ensure the information is accurate and useful.