The Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) has released its Work Plan for Fiscal Year 2016. The annual work plan can provide valuable insights into the OIG’s planned areas of focus for investigation and enforcement activities in the coming year. You can find our review of last year’s work plan here.

Below is our annual review of key observations on this year’s work plan. The work plan contains a number of additional areas and is worth reading to understand specific concerns in areas not mentioned below.

  1. Ambulatory Surgical Centers – Certification and Quality Oversight. A new addition to the areas typically discussed in an OIG Work Plan is a section on Medicare’s oversight system for ambulatory surgery centers (ASCs). Specifically, OIG indicated it would focus on oversight of the state agencies that handle Medicare certification surveys and ASC accreditation organizations. An on-site survey is required for ASCs to be Medicare-certified. ASCs may choose either to have the certification survey completed directly by Medicare, in which case the surveys are performed by the respective state’s Department of Health on behalf of Medicare, or a Medicare-approved private accreditation organization. The OIG also noted concern with the infrequency of Medicare certification surveys of ASC facilities. Most private accreditation organizations have policies requiring unannounced surveys every three years. However, the OIG has found that many ASCs are going five or more years without being surveyed. Finally, in the Work Plan the OIG made reference to the lack of public information on the quality of ASCs. The Office of Evaluation and Inspections is expected to conduct a national evaluation to be issued in 2017 on ASC quality oversight.
  2. Clinical Laboratory Billing Requirements and Reimbursement Rates.The Work Plan included several sections focused on Medicare billing and payment issues related to independent clinical laboratories. Specifically, the OIG intends to identify laboratories that routinely submit improper claims. The OIG will also identify those diagnostic tests for which Medicare pays more than private insurers. Increased focus on Medicare expenditures related to reimbursement for clinical laboratory testing is likely being driven by the Protecting Access to Medicare Act of 2014 (the “Act”), which will require Medicare to base reimbursement rates for laboratory tests on private insurer rates beginning in 2017. The Act will also impose new reporting requirements on clinical laboratories beginning on January 1, 2016, which will require most laboratories to report to CMS payment rates of private payors for certain tests. CMS will aggregate the reported rates in order to better ensure the Medicare Clinical Laboratory Fee Schedule reflects private market reimbursement rates. The OIG is expected to issue a report in 2016 on its analysis of Medicare expenditures and the new payment system for laboratories.
  3. Histocompatibility Laboratories. A new area of focus in the Work Plan is histocompatibility laboratories, as a result of a recent review of cost reports submitted by these types of laboratories. The cost reports indicated histocompatibility laboratories received $131 million in reimbursement between March 31, 2013, and September 30, 2014. These labs commonly perform testing related to organ transplants, including testing the ability of a donor’s tissue or organ to be accepted by a recipient. The OIG will review the cost reports more closely to determine whether all tests were reasonable, necessary and proper, as required under Medicare for reimbursement. The OIG is expected to issue a report following its review in 2016.
  4. Provider-Based Facilities. The OIG intends to continue its focus on provider-based facilities through its review of such facilities, as we discussed in our summary of the 2014 and 2015 OIG Work Plans, but these reviews will come in light of changes to such facilities included in the Bipartisan Budget Act of 2015. Provider-based facilities are hospital outpatient departments and often are located off-campus. The facilities tend to be paid more than freestanding clinics for similar Medicare services, in recognition of the generally higher levels of overhead and infrastructure necessary to qualify as a hospital-based facility. Unlike at physician practice clinics, a service at a provider-based facility is reimbursed for both a technical fee (for the hospital) and a professional fee (for the physician). These higher payments and differential treatment can increase Medicare beneficiary coinsurance liability and increase costs to the program. These concerns led Congress to exclude such off-campus facilities from receiving enhanced reimbursement starting January 1, 2017 (with limited exceptions). The OIG is revising its focus on provider-based facilities to determine the number of provider-based facilities that hospitals own and the extent to which CMS has methods to oversee provider-based billing. The OIG also plans to review the attestation process for provider-based facilities, and continue to review and compare the actual difference in payments between provider-based clinics and freestanding clinics. Hospitals operating provider-based facilities should continue to ensure that they comply with all Medicare provider-based rules and, in light of the Bipartisan Budget Act, reconsider their development of any additional provider-based facilities.
  5. Dental − Medicare Dental Claims in Hospitals. The OIG intends to continue its focus on Medicare hospital outpatient payments for dental services to determine whether such payments were made in accordance with Medicare requirements as we discussed in our summary of the 2015 OIG Work Plan. Dental services generally are excluded from Medicare coverage with certain exceptions, such as extraction of teeth to prepare the jaw for radiation treatment. Current OIG audits have suggested that hospitals are receiving Medicare reimbursement for non-covered dental services, resulting in significant overpayments. Indeed, two reports released in 2015 suggest that 97 percent and 85 percent (respectively) of outpatient claims submitted did not comply with Medicare requirements. See OIG, Kentucky and Ohio Report (July 2015) and Jurisdiction K Report (July 2015). In both samples, the majority of the improper claims involved unallowable tooth extractions and tooth socket repairs. As such, the OIG continues to investigate and review past Medicare dental billing by hospitals. Before billing any such Medicare claim, outpatient departments should verify the claim is appropriate under the Medicare program rules, since most dental services are not covered benefits.
  6. Dental − Medicaid Pediatric Dental Services. The OIG plans to continue its focus on Medicaid pediatric dental services through two work plan items that we discussed in our summary of the 2015 OIG Work Plan. First, the OIG will continue to review Medicaid payments by states for dental services to determine whether states properly claimed federal reimbursement. Past OIG reports in New York and Indiana found that a small subset of providers represented the bulk of questionable billing that raise concerns about medical necessity. See, e.g.New York Report (March 2014) and Indiana Report (November 2014). Second, the OIG will continue to review whether children enrolled in Medicaid receive all of their intended dental service benefits. Medicaid covers approximately 37 million low-income children through the program’s early and periodic screening, diagnosis and treatment program. Past OIG reports found at least three out of four children had not received all of their required screenings, and the OIG notes that children’s dental access has been a longstanding Medicaid problem. For example, in 1993 only one in five children received preventive dental services. See OIG Access and Utilization Report. Dental providers should continue their compliance efforts, including utilization review, to ensure appropriate access to medically necessary dental care and to guard against improper billing practices.
  7. Skilled Nursing − Compliance with SNF PPS Requirements. This year, the OIG has proposed conducting compliance reviews of Medicare program payments made pursuant to the skilled nursing facility (SNF) prospective payment system (PPS). The OIG’s compliance reviews will likely focus on whether therapy provided at SNFs is adequately documented as being “reasonable and necessary” and appropriately billed to the Medicare program. As it explained in the Work Plan, OIG has previously found that (i) the amounts paid by the Medicare program for SNF therapy “greatly exceed” the SNF’s actual costs, and (ii) such therapy is often billed at the highest level, even when key beneficiary characteristics remain the same.
  8. Hospice – General Inpatient Care. The OIG intends to review the general inpatient care level of the Medicare hospice benefit. Specifically, the OIG intends to review the appropriateness of hospices’ general inpatient care claims and the content of election statements for hospice beneficiaries who receive such general inpatient care. It further intends to assess whether this level of service for hospice beneficiaries is being billed when such services are not medically necessary, and review beneficiaries’ plans of care to ensure they meet key requirements for hospice care. Finally, the OIG intends to review whether Medicare payments for hospice services were made in accordance with the Medicare program’s requirements.
  9. Compliance with Home Health PPS Requirements. The OIG intends to conduct a compliance review related to Medicare program payments made pursuant to the home health prospective payment system (PPS), including documentation required in support of claims paid by Medicare. Because the Medicare program has paid at least $1 billion in improper payments related to home health benefits since 2010, and because the OIG has previously found that one in four home health agencies had questionable billing under the home health PPS, this compliance review will likely be a high priority for OIG in the coming year. Home health services specifically mentioned in the Work Plan include (i) part-time or intermittent skilled nursing care; (ii) physical, occupational and speech therapy; (iii) medical social work; and (iv) home health aide services.
  10. HIPAA – Networked Medical Devices. The Work Plan calls for increased scrutiny of protections of electronic protected health information (ePHI) with respect to “networked medical devices.” Furthermore, the OIG indicated its plan to determine the “extent to which hospitals comply with contingency planning requirements of the Health Insurance Portability and Accountability Act (HIPAA)” regarding their use of electronic health records (EHR) systems. Thus, the OIG has indicated that there will be heightened focus on the HIPAA Security Rule, which addresses the administrative, physical and technical safeguards of ePHI (45 CFR Part 160 and Subparts A and C of Part 164).

The OIG specifically indicated that it will examine whether the U.S. Food and Drug Administration (FDA) is providing sufficient oversight of “networked medical devices” in hospitals. Although the list of devices that store and transmit ePHI is vast and growing rapidly, the OIG specifically mentioned “dialysis machines, radiology systems, and medication dispensing systems that are integrated with electronic medical records (EMRs) and the larger health network.”

The OIG also stated, “Medical device manufacturers provide Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms to assist health care providers in assessing the vulnerability and risks associated with ePHI that is transmitted or maintained by a medical device.” This effectively signaled that HIPAA-covered entities that use networked medical devices should document the ways in which they have considered the disclosure statements for such devices as part of their HIPAA security risk assessments and overall HIPAA compliance plans.

  1. HIPAA – Electronic Health Records Contingency Plans. With respect to EHRs, the OIG Work Plan reiterated that “the HIPAA Security Rule requires covered entities to have a contingency plan that establishes policies and procedures for responding to an emergency or other occurrence that damages systems that contain protected health information.” As a result, the OIG plans to “compare hospitals' contingency plans with government- and industry-recommended practices.”

The issues of cybersecurity with respect to medical devices will continue to grow as the proliferation of devices and EHR systems continues. Covered entities will need to be vigilant in addressing the HIPAA considerations as they use and dispose of these devices and as they continue the shift to electronic health record systems. Similarly, manufacturers of medical devices and developers of EHR systems will need to ensure that security is a fundamental part of design and production.