What Keeps You Up at Night? Issues of Fraud and Abuse Compliance - - PowerPoint PPT Presentation

39 Offices in 19 Countries

What Keeps You Up at Night?

Issues of Fraud and Abuse Compliance Series Proper Recordkeeping in a Heightened Enforcement Environment April 18, 2013

2

Thomas E. Zeno Of Counsel Cincinnati, OH Emily E. Root Senior Associate Columbus, OH India K. Brim Associate Washington, DC Andrew G. Jack Associate Columbus, OH

Introductions

3

Overview

• Case Studies
• Importance of Recordkeeping Policies
• Types of Records
• Format of Records
• Legal Requirements for Recordkeeping
• Components of an Effective Recordkeeping Policy
• Collection and Destruction of Records
• Security Issues
• Common Pitfalls and Challenges

4

39 Offices in 19 Countries

Case Studies

5

Case Studies

Synthes, Inc.

• Manufactures devices like hip screws for spine/soft-tissue injury
• Acquired by Johnson & Johnson in 2012 for $19.7 billion

The FDA Warning Letter

• Issued February 16, 2012
• Investigation Period: June-September 2011
• Problems:
• Failure to establish and maintain procedures for receiving, reviewing,

and evaluating complaints

• Failure to maintain a record of the investigation of a complaint
• Failure to notify FDA within 30 days after receiving a report or
• therwise becoming aware of a malfunctioning device

6

Case Studies

Broward Health

• Provides services in health system with more than 30 facilities

The Office of Inspector General Subpoena

• In 2011, OIG demanded records concerning contracts,

negotiations, and agreements with 27 doctors

• Kind of documents sought included:
• Tax returns
• Financial data
• Information regarding compensation, patient referrals, and hospital

admissions since January 2000

• Required Broward Health to prove steps taken, like employee

training, to ensure that anti-kickback laws were not violated

7

Case Studies

CVS Pharmacy, Inc.

• America’s leading retail pharmacy with more than 7,300

locations The Civil Settlement

• On April 3, 2013, the U.S. Attorney’s Office in Oklahoma and the

DEA announced a settlement with CVS for $11 million to resolve allegations of deficient record-keeping in regard to prescriptions for controlled substances

• Allegations / Deficiencies
• Pharmacies filling prescriptions for physicians whose DEA number

had expired

• Prescriptions filled using a valid DEA number, but the number

belonged to a physician different than the prescriber

8

39 Offices in 19 Countries

Importance of Recordkeeping Policies

9

Importance of Recordkeeping Policies

Be Prepared

• Know what is available
• Know who has it
• Know who is responsible for maintaining it
• Retain useful information about the document

10

Importance of Recordkeeping Policies

Contain Expenses

• Paper
• Facility space
• Storage costs
• Electronic
• Storage costs
• Computer equipment costs
• Backup tapes/disks

11

Importance of Recordkeeping Policies

Costs of Missing Evidence

• Civil discovery sanctions
• Monetary sanctions
• Paying the other sides’ legal fees
• Adverse presumptions
• Adverse judgment
• Incurring government’s disfavor
• What you can’t produce quickly, does not exist
• Loss of credibility
• Undermines position on the merits
• Adverse decision

12

Importance of Recordkeeping Policies

Best Practices

• Policy should be pre-defined
• Policy should be standardized, with differences based on
• perational need
• Different retention periods should be defined based on the

function of the document

• Explain in writing the bases for the document retention policy
• Audit for compliance
• Regularly review/update the policy

13

39 Offices in 19 Countries

Types of Records

14

Types of Records

Patient-Related Documents Corporate Records Legal Files Information Services Financial Records HR Records Education and Training

15

Types of Records

Patient-Related Documents:

• Medical records
• HIPAA notice of privacy practices; privacy and security

policies and procedures; accounting of disclosures

• Authorizations for use and disclosure of PHI
• Patient requests for restrictions on use and disclosure
• Patient requests for alternative means of communication
• Patient requests for access and amendments to PHI
• Medicaid and Medicare claim support documentation

General Corporate Records:

• Articles of Incorporation and organizational chart
• Code of Regulations
• Minute Books

16

Types of Records

Legal Files:

• Litigation files
• Legal memoranda and opinions
• IP registrations and records
• Licensure
• Accreditation
• Business associate agreements
• Compliance audit reports

Information Services:

• Email

17

Types of Records

Financial Records:

• Tax returns
• 1099 Forms
• Accounts payable records
• Purchase orders, bills, invoices

HR Records:

• Employee personnel files
• Employee medical files
• Employee investigation files
• Contracts for independent contractors
• Citizenship and immigration records
• Payroll records
• Employee benefit plan documentation
• Summaries of occupational injuries and illnesses

18

Types of Records

Education and Training:

• Employee training records
• Agenda
• Handouts
• Sign-in sheets
• Continuing Education program records
• Agenda
• Handout
• Sign-in sheets
• Evaluations
• Completion certificates

19

39 Offices in 19 Countries

Format of Records

20

Format of Records

Paper Records Electronic Records Pros

• Does not involve the use
• f sophisticated

technology

• Easily accessible and

transferable

• Take up less space
• Legible and easy to read

Cons

• Filing errors
• Limited accessibility (if
• ff-site storage)
• Limited storage space
• Must keep up with

changing technology

• Must ensure that

disaster recovery system is constantly tested/updated

21

39 Offices in 19 Countries

Legal Requirements for Recordkeeping

22

Legal Requirements

CMS HIPAA OSHA FMLA ERISA

23

Medicare Conditions of Participation

Hospital must have a medical record service that has administrative responsibility for medical records.

• 42 C.F.R. § 482.24 -
• Record maintained for every individual evaluated or treated
• Accurate, promptly completed, properly filed and retained, and

accessible

• Personnel sufficient to keep the records as required
• Containing information
• to justify admission and continue hospitalization,
• support the diagnosis,
• describe patient’s progress and response to medications and services

24

The Stark Law

Exception to the referral prohibition related to compensation arrangements — the “personal services arrangements exception”

• 42 C.F.R. § 411.357(d) -
• Among other things, arrangement must cover all services

furnished by physician (or family member) to the entity

• Sufficient if all agreements between the entity and the physician

(or family member) cross-referenced in master list of contracts

• Master list:
• Maintained and updated centrally;
• Available for review by Health and Human Services upon request; and
• Maintained in a manner that preserves historical record of contracts

25

HIPAA

Covered Entities must:

• Have appropriate administrative, technical, and physical safeguards to

protect the privacy of Protected Health Information (PHI)

• Provide a process for individuals to make complaints regarding its

policies and procedures

• Document all complaints received and their dispositions
• Document training provided to workforce on the policies and

procedures with respect to PHI

• Provide individuals right of access to inspect and obtain a copy of PHI

(limited exceptions)

26

The Physician Payments Sunshine Act

• CMS issued Final Rule on February 1, 2013
• Manufacturers of drugs, devices, biologicals, or medical supplies

covered under Medicare, Medicaid or CHIP

• Report annually to CMS
• Certain payment or other transfers of value made to physicians and

teaching hospitals

• Report must include:
• Name of the covered recipient
• Primary business address of the covered recipient
• Amount of the payment or other transfer of value
• Date of each payment or other transfer of value
• Form of each payment or other transfer of value
• Nature of each payment or other transfer of value
• If desired, a statement with additional context for the payment

27

State Laws

Ohio Revised Code § 4731.228 [effective March 22, 2013]

• “Health care entities” must notify each patient treated within two

years preceding the date of a physician’s termination

• Statement that physician is no longer practicing as an employee
• Physician’s name and contact information
• Date of termination
• Contact information for alternative physicians
• Contact information regarding patient’s medical records
• Entities must establish processes to:
• Track patient contact information
• Know which patients are seen by which physicians

28

39 Offices in 19 Countries

Components of an Effective Recordkeeping Policy

29

Components of an Effective Policy

Records Inventory and Classification

• Conduct a complete, accurate inventory (whether paper or

electronic)

• Compile a descriptive list of each record series or system, including

the location of the records and other pertinent data

• Identify vital records

Retention Schedules

• Determine the lifecycle of the records
• In writing
• Reflecting needs of the organization

30

Components of an Effective Policy

Storage and Conversion

• Develop a filing and storage strategy adequate to the organization
• Do we have a specific “preservation hold” procedure in the event of

litigation?

• Who has access to the records? Sensitive and/or vital records?
• What are the procedures for transferring records?
• What is the environmental condition of the storage facilities?
• Electronic and paper record systems should mirror each other

31

Components of an Effective Policy

Disaster Prevention and Recovery Planning

• Written, approved and implemented for the prevention or

mitigation of loss of records during an emergency or disaster

• Include a method to retrieve records during a disaster or

emergency

• Ensure that records can withstand fire, flood, vandalism,

computer viruses and hackers

• Physical security; passwords
• Considerations with the “cloud”
• Consider the stability and quality of the storage environment and

location

32

Components of an Effective Policy

Disposition of Records

• Determine how to properly destroy records (e.g., recycling,

shredding, incinerating, deleting, electronic removal)

• Determine which records must be permanently preserved

Regular Review, Audit and Update

• Outside audit function may be most effective

33

39 Offices in 19 Countries

Collection and Destruction of Records

34

Collection and Destruction of Records

Routine Destruction

• Have a policy
• Consider requirements to actually erase electronic data
• Document training of people involved in destruction
• Audit actual destruction practices

35

Collection and Destruction of Records

Hiring Contractors

• Use established, reputable contractors
• Contract terms to consider
• Notice of potential data breaches
• Indemnity (liability and costs of notice)

36

Collection and Destruction of Records

Litigation/Investigation Holds

• Have a policy
• Identify potential custodians and document locations
• Document the hold (to custodians and IT)
• Reinforce no writing on the records
• Use electronic means of locking down records
• Make copies of operational documents
• Send periodic hold reminders
• Release the hold at the end of the

proceedings

37

Collection and Destruction of Records

Document Collection

• Coordinate with in-house or outside counsel on a collection plan
• No writing on the documents
• Maintain information about the documents:
• Identity of the custodian
• Physical location of the documents
• Records as kept in the ordinary course of business
• Platform information for electronic documents
• Electronic metadata

38

Collection and Destruction of Records

Document Chain of Custody

• What is a chain of custody?
• Chronological outline documenting the collection, movement and

protection of data or information

• What should the chain of custody show?
• Where the record came from
• Whether the record has been preserved in tact (i.e., original state)
• Whether the record has been handled in a way that is compliant with

legal and regulatory guidelines and other good practices

• Ensure that the record of its handling can be certified
• Why is it important to develop a chain of custody?
• May be necessary to prove (especially in potential litigation or

government investigation) the legal integrity of records

– Who, when, and where

39

39 Offices in 19 Countries

Security Issues

40

What To Do in the Event of a Data Breach

A “breach” means the acquisition, access, use, or disclosure

• f protected health information in a manner which

compromises the security or privacy of the Protected Health Information. Three Exceptions:

• Unintentional acquisition, access, or use of PHI by a workforce

member

• Inadvertent disclosure of PHI from a person authorized to access

to another person authorized to access PHI

• Good faith belief that unauthorized individual would not have

been able to retain information

41

• Report the breach immediately to the Privacy and Security

Officer (and provide detailed documentation)

• Notify law enforcement
• Perform a fact-specific risk assessment to determine whether the

use or disclosure of PHI poses a significant risk of financial, reputational, or other harm to the individual

• Notify each individual whose unsecured PHI has been (or is

reasonably believed to have been) accessed, acquired, used, or disclosed as a result of the breach

• Provide media notification in some cases
• Notify the Secretary of Health and Human Services

What To Do in the Event of a Data Breach

42

Please join us for our upcoming webinar on handling data breaches.

What To Do in the Event of a Data Breach

43

39 Offices in 19 Countries

Common Pitfalls and Challenges

44

Common Pitfalls and Challenges

Outdated Policies

• Technology changes
• Legal requirements change
• Operational needs change

45

Common Pitfalls and Challenges

Upgraded Systems

• Consider ways to maintain access for records retention period
• Address changes in litigation/investigation hold planning

46

Common Pitfalls and Challenges

Retrieving “Personal” Files and Home Computers

• Identify and collect during exit interviews of personnel
• Specific requests are most useful
• Add to check list of items to be returned

47

Common Pitfalls and Challenges

Unusual Documents

• Data stored by medical devices
• Text messages
• Instant message
• Voicemails
• Calendars (paper and electronic)
• Photos
• Social Media – see our prior webinar on this topic, “How to

Handle the Bad Email or Social Media Post”

• Available at: http://www.squiresanders.com/what_keeps_you_up_at_night_

fraud_and_abuse_compliance_webinar_series_part_iii/

48

39 Offices in 19 Countries

Questions?

49

Thank You

Thank you for joining our webinar. Please feel free to contact us with questions, comments, potential topics, or any other issues.

Thomas E. Zeno T +1 513 261 1202 thomas.zeno@squiresanders.com Emily E. Root T +1 614 365 2803 emily.root@squiresanders.com India K. Brim T + 1 202 626 6288 india.brim@squiresanders.com Andrew G. Jack T +1 614 365 2833 andrew.jack@squiresanders.com