The Health Care Group’s newest partners, William S.W. Chang and Laura M. Kidd Cordova, along with Counsel Stephanie D. Willis, have authored an Alert about the 21st Health Care Fraud and Abuse Control Program (HCFAC) annual report released last Friday.  The HCFAC report is a joint effort of the U.S. Department of Justice (DOJ) and the U.S. Department of Health and Human Services (HHS) that describes the expenditures, results, and enforcement actions of the previous fiscal year.  The authors note that compared to FY 2016, other than expanded efforts to combat the opioid crisis, enforcement remained more or less consistent with prior trends.  In monetary terms, HCFAC spending slightly increased, while overall monetary recovery and returns on investment in fraud prevention efforts significantly decreased.  Interestingly, however, the proportion of overall recoveries resulting from HHS auditing activities considerably increased.

Read the rest of the Alert’s analysis of the HCFAC report and register for our webinar next Tuesday, April 17th.  During the webinar, listeners will hear Will and Stephanie, who were attorneys employed by DOJ and the HHS Office of the Inspector General (HHS-OIG), respectively, give their insights about the significance of the report for health care companies and the health care industry.

 

The Department of Health and Human Services, Office of the Inspector General (OIG), modified its Work Plan to announce that the agency will be conducting a nationwide audit of hospitals that participated in the Medicare Electronic Health Records (EHR) Incentive Program (also known as the Meaningful Use Program).  The OIG review is focusing on hospitals that received Medicare EHR incentive payments between January 1, 2011 and December 31, 2016.

The OIG’s modification to its Work Plan follows last month’s report that CMS improperly paid an estimated $729 million in Medicare EHR incentives. In our prior client alert, we flagged these findings as a potential area for significant overpayment recovery actions and noted that such actions could pose risks for incentive payment recipients. Read our entire client alert on the OIG’s nationwide audit on hospitals that participated in the EHR Incentive Program Here.

The HHS Office of Civil Rights published a new FAQ response (OCR FAQ) detailing the agency’s position that generally information blocking will violate the HIPAA Privacy and Security Rules if it affects a covered entity’s access to its own protected health information (PHI) or its ability to respond to requests for access to PHI from patients. This follows a series of similar policy documents from HHS over the past 18 months that focus on preventing business arrangements or practices that would be defined as information blocking, and thereby, frustrating the goal of interoperability. Specifically, according to the OCR FAQ:

  • An electronic health records (EHR) vendor or cloud provider’s actions to terminate a covered entity’s access to its own electronic PHI (ePHI) (e.g., in a payment dispute) would violate the HIPAA Privacy Rule because those actions would constitute an impermissible use of PHI.
  • An EHR vendor or cloud provider’s refusal to ensure the accessibility and usability of a covered entity’s ePHI upon demand by the covered entity or to return a covered entity’s ePHI upon termination of the agreement, in the form and format that is reasonable in light of the agreement, would violate the HIPAA Security Rule.
  • A business associate may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if necessary to provide individuals with access to their PHI under the HIPAA Privacy Rule.
  • A covered entity that agrees to terms within a business associate agreement (BAA) that would prevent the covered entity from ensuring the availability of its own PHI as required would not be in compliance with the HIPAA Privacy and Security Rules.

OCR has increasingly ramped up its enforcement of violations of the HIPAA Privacy and Security Rules related to noncompliant BAAs, so the new OCR FAQ signals that information blocking provisions could be the source of future enforcement actions.

Continue Reading Blocking Access to Health Information May Violate HIPAA

The Office of the Inspector General of the Department of Health and Human Services (OIG) last week replaced a 20-year old policy statement, and issued guidance on the criteria the agency will use to evaluate whether to exclude certain individuals and entities from billing or “participation in” Federal health programs under its permissive exclusion authority. The new guidelines supersede and replace the OIG’s December 24, 1997 policy statement and set forth “non-binding” criteria that the OIG may consider in exercising this authority under circumstances involving fraud, kickbacks and other prohibited conduct. The newly-memorialized policy is yet another effort by the agency to encourage healthcare providers to implement robust compliance mechanisms that can timely identify and voluntarily self-disclose to the government any unlawful conduct.

Under Sections 1128(b)(1)-(b)(15) of the Social Security Act (the “Act”), the Secretary, by delegation to the OIG, has discretion to exclude individuals and entities based on a number of grounds. This so-called “permissive exclusion” authority grants significant discretion to the OIG.  The new policy provides guidelines for permissive exclusions that are based on Section 1128(b)(7) of the Act, which permits the OIG to exclude persons from participation in any Federal health care program if the OIG determines that the individual or the entity has engages in fraud, kickbacks and other prohibited activities.

Continue Reading OIG Updates Policy on Permissive Exclusions Based On Fraud and Kickbacks

On November 16, 2016, CMS posted the final rule to implement the Comprehensive Care for Joint Replacement (CJR) model, which is a new Medicare payment model intended to hold acute care hospitals financially accountable for the quality and cost of a CJR episode of care and incentivize increased coordination of care among hospitals, physicians, and post-acute care providers. The regulations are effective on January 15, 2016, and applicable on April 1, 2016 when the first model performance period begins.

Under the CJR model, acute care hospitals in certain selected geographic areas will receive retrospective bundled payments for episodes of care for lower extremity joint replacement (LEJR) or reattachment of a lower extremity. An episode of care begins with an admission to a participant hospital of a beneficiary who is ultimately discharged under Medicare Severity-Diagnosis Related Group (MS-DRG) 469 (Major joint replacement or reattachment of lower extremity with major complications or comorbidities) or 470 (Major joint replacement or reattachment of lower extremity without major complications or comorbidities) and ends 90 days post-discharge in order to cover the complete period of recovery for beneficiaries. All related items and services paid under Medicare Part A and Part B for all Medicare fee-for-service beneficiaries are included in the episode, except for certain exclusions.

Continue Reading CMS Issues Comprehensive Care for Joint Replacement (CJR) Model Final Rule

The federal government has spent billions to promote adoption and “meaningful use” of health information technology (HIT). There is growing government interest in ensuring that HIT is used to support patient care, but doing so requires electronic exchange of information. Congress, the Department of Health and Human Services (HHS), and States have taken action to identify and prevent “information blocking”—interference with the exchange or use of electronic health information—by health care providers, hospitals, technology developers, and service providers. And there likely will be more guidance, statutory and regulatory changes, and enforcement by federal agencies and states in the coming year.

Congress Requests Information and Takes Action

On December 21, 2014, Congress raised concerns about health information blocking, claiming that such activities “frustrate Congressional intent” under the Health Information Technology for Economic and Clinical Health (HITECH) Act, “devalue taxpayer investments,” and make HIT “less valuable and more burdensome” to hospitals and health care providers. Congress urged the Office of the National Coordinator for Health Information Technology (ONC) at HHS to certify only HIT that does not block health information exchange. Congress also requested ONC publish a detailed report on the scope of health information blocking and a strategy to address it, within 90 days.

Continue Reading Health Information Blocking Leads to New Requirements and May Lead to Enforcement Actions

The Department of Justice (DOJ) has further focused its sights on individual executives as responsible parties for corporate misconduct.  On September 9, 2015, Deputy Attorney General Sally Quillian Yates issued a strongly worded seven-page memorandum to all U.S. Attorneys and the Assistant Attorneys General of DOJ’s various divisions nationwide titled “Individual Accountability for Corporate Wrongdoing” (the “Memorandum”).  Overall, the Memorandum imposes further expectations that government attorneys will investigate the acts of individual executives and management personnel before providing cooperation credit to or allowing the resolution of a civil or criminal case against a corporate entity.  Moreover, the Memorandum serves as a tacit warning to defense counsel that it will be even harder to negotiate concessions for corporate liability without providing information about potentially responsible individuals that is satisfactory to the investigating agencies.

Continue Reading DOJ’s Memo on Individual Accountability Tears at the Corporate Veil

Every year, the Department of Justice (DOJ) and the Department of Health and Human Services Office of the Inspector General (OIG) report the results of their fraud prevention and recovery efforts to Congress.  As recounted in the recently released Health Care Fraud and Abuse Control Program (HCFAC) report, the overall amount recovered in FY 2014 was $1 billion less than what the agencies reported in 2013 ($4.3 billion).  Nevertheless, the report touted the $2 increase in the return on investment from DOJ and OIG’s fraud and abuse investigations overall (from $5.70 to $7.70).  The HCFAC report shows that, despite losing $62.1 million in funding beginning in FY 2013 due to sequestration, both DOJ’s and OIG’s antifraud work remains potent  and is growing more sophisticated.

Here is an overall comparison of the FY 2014 and FY 2013 reports:

DOJ Activities FY 2013 FY 2014
New Criminal Investigations 1,013 924
New Civil Investigations 1,083 782
Health Care Fraud Convictions 718 734
Total Allocation $573,667,581 $571,702,217

 

OIG Activities FY 2013 FY 2014
New Criminal Actions 849 924
New Civil Actions 458 529
Individuals Excluded from Federal Health Care Programs 3,214 4,017
Total Allocation $487,381,848 $485,824,633

Continue Reading FY 2014 HCFAC Report Shows Increasing DOJ and OIG Fraud-Fighting Efficiency

On October 16, 2014, the Centers for Medicare & Medicaid Services (“CMS”) and the Office of the Inspector General (“OIG”) announced the continuation of the Accountable Care Organization (“ACO”) fraud and abuse waivers for an additional year. The Affordable Care Act (“ACA”) authorized creation of the Shared Savings Program to facilitate development of ACOs in Medicare. The ACA also allows for a waiver of certain fraud and abuse laws to provide ACOs greater flexibility in developing innovative models of care. CMS and the OIG published an interim final rule establishing waivers of the Federal self-referral law and anti-kickback statute and certain civil monetary penalty provisions for ACOs in the Shared Savings Program. This interim final rule extends the application of these waivers through November 2, 2015 unless a final waiver rule becomes effective at an earlier date. CMS explained that this extension will minimize legal uncertainty and business disruptions of ACOs. CMS also requested additional stakeholder input on the adequacy of the existing waivers.

The Office of Inspector General, Department of Health and Human Services, has recently issued guidance for those of its contractors seeking to self-disclose reportable conduct under the Federal Acquisition Regulations (“FAR”). Under federal regulations governing relationships between the federal government and its contractors, any contractors with credible evidence of a potential violation of the False Claims Act or federal criminal law involving fraud, bribery, gratuity, or conflict of interest must make a timely disclosure of such violations to the Office of Inspector General for the agency with which they contract. Failure to timely self-report these potential violations can result in the suspension of contracts or the debarment of the contractor. This requirement applies only to contractors whose contracts are governed by the FAR and which are valued at over $5,000,000.

The guidance details the information required to be included on the disclosure form, including the date the issue was discovered, detailed descriptions of any internal investigation undertaken, and a quantification of the financial harm to the government and any potential overpayments. In addition to the guidance, issued in April of 2014, OIG has provided FAQs for contractors covered by the FAR who may be considering a disclosure.

Continue Reading OIG Issues Self-Disclosure Guidance for Contractors