The Health Care Group’s newest partners, William S.W. Chang and Laura M. Kidd Cordova, along with Counsel Stephanie D. Willis, have authored an Alert about the 21st Health Care Fraud and Abuse Control Program (HCFAC) annual report released last Friday. The HCFAC report is a joint effort of the U.S. Department of Justice (DOJ) and
The Department of Health and Human Services, Office of the Inspector General (OIG), modified its Work Plan to announce that the agency will be conducting a nationwide audit of hospitals that participated in the Medicare Electronic Health Records (EHR) Incentive Program (also known as the Meaningful Use Program). The OIG review is focusing on hospitals…
The HHS Office of Civil Rights published a new FAQ response (OCR FAQ) detailing the agency’s position that generally information blocking will violate the HIPAA Privacy and Security Rules if it affects a covered entity’s access to its own protected health information (PHI) or its ability to respond to requests for access to PHI from patients. This follows a series of similar policy documents from HHS over the past 18 months that focus on preventing business arrangements or practices that would be defined as information blocking, and thereby, frustrating the goal of interoperability. Specifically, according to the OCR FAQ:
- An electronic health records (EHR) vendor or cloud provider’s actions to terminate a covered entity’s access to its own electronic PHI (ePHI) (e.g., in a payment dispute) would violate the HIPAA Privacy Rule because those actions would constitute an impermissible use of PHI.
- An EHR vendor or cloud provider’s refusal to ensure the accessibility and usability of a covered entity’s ePHI upon demand by the covered entity or to return a covered entity’s ePHI upon termination of the agreement, in the form and format that is reasonable in light of the agreement, would violate the HIPAA Security Rule.
- A business associate may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if necessary to provide individuals with access to their PHI under the HIPAA Privacy Rule.
- A covered entity that agrees to terms within a business associate agreement (BAA) that would prevent the covered entity from ensuring the availability of its own PHI as required would not be in compliance with the HIPAA Privacy and Security Rules.
OCR has increasingly ramped up its enforcement of violations of the HIPAA Privacy and Security Rules related to noncompliant BAAs, so the new OCR FAQ signals that information blocking provisions could be the source of future enforcement actions.
The Office of the Inspector General of the Department of Health and Human Services (OIG) last week replaced a 20-year old policy statement, and issued guidance on the criteria the agency will use to evaluate whether to exclude certain individuals and entities from billing or “participation in” Federal health programs under its permissive exclusion authority. The new guidelines supersede and replace the OIG’s December 24, 1997 policy statement and set forth “non-binding” criteria that the OIG may consider in exercising this authority under circumstances involving fraud, kickbacks and other prohibited conduct. The newly-memorialized policy is yet another effort by the agency to encourage healthcare providers to implement robust compliance mechanisms that can timely identify and voluntarily self-disclose to the government any unlawful conduct.
Under Sections 1128(b)(1)-(b)(15) of the Social Security Act (the “Act”), the Secretary, by delegation to the OIG, has discretion to exclude individuals and entities based on a number of grounds. This so-called “permissive exclusion” authority grants significant discretion to the OIG. The new policy provides guidelines for permissive exclusions that are based on Section 1128(b)(7) of the Act, which permits the OIG to exclude persons from participation in any Federal health care program if the OIG determines that the individual or the entity has engages in fraud, kickbacks and other prohibited activities.
On November 16, 2016, CMS posted the final rule to implement the Comprehensive Care for Joint Replacement (CJR) model, which is a new Medicare payment model intended to hold acute care hospitals financially accountable for the quality and cost of a CJR episode of care and incentivize increased coordination of care among hospitals, physicians, and post-acute care providers. The regulations are effective on January 15, 2016, and applicable on April 1, 2016 when the first model performance period begins.
Under the CJR model, acute care hospitals in certain selected geographic areas will receive retrospective bundled payments for episodes of care for lower extremity joint replacement (LEJR) or reattachment of a lower extremity. An episode of care begins with an admission to a participant hospital of a beneficiary who is ultimately discharged under Medicare Severity-Diagnosis Related Group (MS-DRG) 469 (Major joint replacement or reattachment of lower extremity with major complications or comorbidities) or 470 (Major joint replacement or reattachment of lower extremity without major complications or comorbidities) and ends 90 days post-discharge in order to cover the complete period of recovery for beneficiaries. All related items and services paid under Medicare Part A and Part B for all Medicare fee-for-service beneficiaries are included in the episode, except for certain exclusions.
The federal government has spent billions to promote adoption and “meaningful use” of health information technology (HIT). There is growing government interest in ensuring that HIT is used to support patient care, but doing so requires electronic exchange of information. Congress, the Department of Health and Human Services (HHS), and States have taken action to identify and prevent “information blocking”—interference with the exchange or use of electronic health information—by health care providers, hospitals, technology developers, and service providers. And there likely will be more guidance, statutory and regulatory changes, and enforcement by federal agencies and states in the coming year.
Congress Requests Information and Takes Action
On December 21, 2014, Congress raised concerns about health information blocking, claiming that such activities “frustrate Congressional intent” under the Health Information Technology for Economic and Clinical Health (HITECH) Act, “devalue taxpayer investments,” and make HIT “less valuable and more burdensome” to hospitals and health care providers. Congress urged the Office of the National Coordinator for Health Information Technology (ONC) at HHS to certify only HIT that does not block health information exchange. Congress also requested ONC publish a detailed report on the scope of health information blocking and a strategy to address it, within 90 days.
The Department of Justice (DOJ) has further focused its sights on individual executives as responsible parties for corporate misconduct. On September 9, 2015, Deputy Attorney General Sally Quillian Yates issued a strongly worded seven-page memorandum to all U.S. Attorneys and the Assistant Attorneys General of DOJ’s various divisions nationwide titled “Individual Accountability for Corporate Wrongdoing” (the “Memorandum”). Overall, the Memorandum imposes further expectations that government attorneys will investigate the acts of individual executives and management personnel before providing cooperation credit to or allowing the resolution of a civil or criminal case against a corporate entity. Moreover, the Memorandum serves as a tacit warning to defense counsel that it will be even harder to negotiate concessions for corporate liability without providing information about potentially responsible individuals that is satisfactory to the investigating agencies.…
Every year, the Department of Justice (DOJ) and the Department of Health and Human Services Office of the Inspector General (OIG) report the results of their fraud prevention and recovery efforts to Congress. As recounted in the recently released Health Care Fraud and Abuse Control Program (HCFAC) report, the overall amount recovered in FY 2014 was $1 billion less than what the agencies reported in 2013 ($4.3 billion). Nevertheless, the report touted the $2 increase in the return on investment from DOJ and OIG’s fraud and abuse investigations overall (from $5.70 to $7.70). The HCFAC report shows that, despite losing $62.1 million in funding beginning in FY 2013 due to sequestration, both DOJ’s and OIG’s antifraud work remains potent and is growing more sophisticated.
Here is an overall comparison of the FY 2014 and FY 2013 reports:
|DOJ Activities||FY 2013||FY 2014|
|New Criminal Investigations||1,013||924|
|New Civil Investigations||1,083||782|
|Health Care Fraud Convictions||718||734|
|OIG Activities||FY 2013||FY 2014|
|New Criminal Actions||849||924|
|New Civil Actions||458||529|
|Individuals Excluded from Federal Health Care Programs||3,214||4,017|
On October 16, 2014, the Centers for Medicare & Medicaid Services (“CMS”) and the Office of the Inspector General (“OIG”) announced the continuation of the Accountable Care Organization (“ACO”) fraud and abuse waivers for an additional year. The Affordable Care Act (“ACA”) authorized creation of the Shared Savings Program to facilitate development of ACOs in…
The Office of Inspector General, Department of Health and Human Services, has recently issued guidance for those of its contractors seeking to self-disclose reportable conduct under the Federal Acquisition Regulations (“FAR”). Under federal regulations governing relationships between the federal government and its contractors, any contractors with credible evidence of a potential violation of the False Claims Act or federal criminal law involving fraud, bribery, gratuity, or conflict of interest must make a timely disclosure of such violations to the Office of Inspector General for the agency with which they contract. Failure to timely self-report these potential violations can result in the suspension of contracts or the debarment of the contractor. This requirement applies only to contractors whose contracts are governed by the FAR and which are valued at over $5,000,000.
The guidance details the information required to be included on the disclosure form, including the date the issue was discovered, detailed descriptions of any internal investigation undertaken, and a quantification of the financial harm to the government and any potential overpayments. In addition to the guidance, issued in April of 2014, OIG has provided FAQs for contractors covered by the FAR who may be considering a disclosure.