Industry News
Health Care Fraud and Abuse Control Program Annual Report for 2006
On February 12, 2008, the Department of Health and Human Services (HHS) and Department of Justice (DOJ) released the Health Care Fraud and Abuse Control Program Annual Report for FY 2006 (Annual Report).
According to the Annual Report, the Federal government won or negotiated an astounding $2.2 billion in judgments and settlements in health care fraud cases and proceedings during fiscal year (FY) 2006. During FY 2006, the Medicare Trust Fund also received transfers of approximately $1.5 billion as a result of these efforts (and those of preceding years). Further, the Annual Report indicates that during FY 2006:
- U.S. Attorneys' Offices opened 836 new criminal health care fraud investigations involving 1,448 potential defendants.
- Federal prosecutors had 1,677 health care fraud criminal investigations pending, involving 2,713 potential defendants, and filed criminal charges in 355 cases involving 579 defendants.
- A total of 547 defendants were convicted for health care fraud related crimes.
- DOJ opened 915 new civil health care fraud investigations and had 2,016 civil health care fraud investigations pending.
HHS Proposed Amendments Regarding HIPAA Enforcement Rules Now In Effect
On April 18, 2005, the Secretary of Health and Human Services (HHS) proposed amendments to the existing HIPAA Enforcement Rules, which set out the policy for civil monetary penalties against healthcare providers or organizations that violate HIPAA regulations. These Enforcement Rule amendments have been in effect since October 2005. The new Enforcement Rules increase the level of responsibility and liability regarding inquiries, investigations and any subsequent legal actions taken in the event of non-compliance: that responsibility and liability now apply to ALL of the HIPAA simplification rules, rather than exclusively to the privacy standards as before.
Stricter and more complex procedures must now be completed in order to respond adequately to any complaints or inquiries; the legal consequences and monetary penalties for non-compliance are more severe; and the new Enforcement Rules apply to both HIPAA privacy AND security violations.
The new rules clarify and elaborate upon the investigation process, the basis for liability, the determination of the penalty amount, the grounds for waiver, and the conduct of any hearings and appeals.
In addition, the modified Enforcement Rules now state that HIPAA violation penalties apply to both ACTS and OMISSIONS, whereas previously they applied only to “acts” of non-compliance. A violation is therefore no longer limited to an ACTION of non-compliance; it also includes the OMISSION of an action that could have prevented an incident of non-compliance.
This broadens the scope of HIPAA and of the Enforcement Rule's penalties, liability, and response procedures, so the amendments will subject more healthcare providers and organizations to the Enforcement Rule.
FACTA – Fair & Accurate Credit Transactions Act
FACTA was enacted by the federal government in 2003 to amend the existing Fair Credit Reporting Act. FACTA is designed to protect individuals' consumer information and reports, prevent identity theft, improve the resolution of consumer disputes, improve the accuracy of consumer records, reduce the risk of consumer fraud, and improve the use of, and consumers' access to, credit information for healthcare and other purposes.
FACTA requirements fall under HIPAA privacy and security regulations. FACTA also applies to healthcare providers and their affiliates because consumer information and reports include more than PHI and EPHI: there are various other types of healthcare-related consumer information and reports that are not necessarily PHI or EPHI. These include:
- insurance claims
- credit checks (patient or employee)
- transmission records for confidential medical history, payment information, fund transfer information, etc.
Healthcare providers and organizations must comply with FACTA requirements in relation to their:
- paper records
- electronic health information
- any and all basic employee or patient details (for example: name, address, phone number, SIN)
- credit check information
- proper disposal and/or destruction of any private information
- ensuring there is proof/documentation of due diligence for in-house or outside-supplier disposal or destruction of the facility's confidential information
- adequate security for all building, network or system access (passwords, access cards, PINs, auto-logout features, locked recycling bins, etc.)
- non-disclosure of private information verbally (making sure not to discuss personal or medical information within earshot of non-authorized individuals)
- a clear definition of what is and is not considered confidential information
- thorough training of all management and staff on procedures and policies
- regular audits and assessments of activities and procedures