Notable recent HIPAA and coding events

A recent Department of Health and Human Services (HHS) HIPAA settlement and new guidance related to COVID-19 payments shed light on the government’s enforcement priorities.

Richard Heckert, retired chairman of DuPont, once said, “[i]f you always tell the truth, you won’t have to remember what you said.” This applies in every aspect of life, including compliance with the HIPAA Security Rule and documenting the requisite medical necessity to substantiate a particular diagnosis or treatment code. Two recent items reinforce the importance of being honest.

On July 23, 2020, the HHS Office for Civil Rights (OCR) issued a statement that it had reached a settlement with a rural healthcare provider in North Carolina for repeated failures to comply with multiple aspects of the HIPAA Security Rule. Over nine (9) years ago, the entity filed a breach report regarding the impermissible disclosure of approximately 1,263 patients’ protected health information (PHI) to an unknown email account. As OCR delved deeper into its investigation, the following longstanding and systemic issues came to light:

• the failure to conduct a risk analysis;
• the failure to implement policies and procedures; and
• the failure to provide any HIPAA training to workforce members until 2016.

As OCR Director, Roger Severino stated, “[h]ealthcare providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.” Lying or shall I say, being less than truthful about compliance with the technical, administrative, and physical safeguard requirements of the Security Rule, as well as separate requirements of the Privacy Rule, is something that is material to government investigations. The next worse thing to lying directly to a government agent, is falsifying an annual risk analysis or failing to conduct a comprehensive one at all.

Documentation falsification in relation to medical necessity and coding, has emerged in another area – COVID-19 admissions in hospitals. On August 17, 2020, the Centers for Medicare and Medicaid Services (CMS) released an update, which addresses the implementation of Section 3710 of the CARES Act for Inpatient Prospective Payment System (IPPS) hospitals “to address potential Medicare program integrity risks.” This section enabled the HHS Secretary “to increase the weighting factor of the assigned Diagnosis-Related Group (DRG) by 20 percent for an individual diagnosed with COVID-19 discharged during the COVID-19 Public Health Emergency.”

So, what does this mean? Basically, failure to do what the guidance says can open a person up to either an HHS-OIG investigation and/or a False Claims Act lawsuit. As the update states,

To address potential Medicare program integrity risks, effective with admissions occurring on or after September 1, 2020, claims eligible for the 20 percent increase in the MS-DRG weighting factor will also be required to have a positive COVID-19 laboratory test documented in the patient’s medical record. Positive tests must be demonstrated using only the results of viral testing (i.e., molecular or antigen), consistent with CDC guidelines. The test may be performed either during the hospital admission or prior to the hospital admission.

In other words, be certain to have all of the medical necessity and testing documented before submitting a claim utilizing a code, which provides an extra 20 percent reimbursement.

As was stated at the beginning, when you tell the truth, you never have to remember what you said. Whether it is HIPAA compliance or submitting a claim, be accurate and honest. It can save a lot of “heartburn” in the long run.

About the Author

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.