Kusserow on Compliance: Compliance officers should have active roles in CIA negotiations

Laura Ellis, HHS Office of Inspector General (OIG) Senior Counsel, has a reputation for managing the most difficult and complicated corporate integrity agreements (CIAs) on behalf of the OIG. At the recent Health Care Compliance Association (HCCA) Compliance Institute, she urged compliance officers not to sit on the sidelines while a CIA is being negotiated with the OIG. They should be actively involved in all facets of negotiation and should not wait to be involved until the agreement is signed and put into effect. She reminded everyone that once the CIA is signed, the compliance officer will be the face of the company to the OIG, not the attorneys. From years of experience, she has found attorneys negotiating terms and conditions of a CIA often don’t have the operational experience to fully understand all the implications of what is being committed to in terms and obligations. As a result, it is not uncommon for attorneys to come back to the OIG after a CIA has been executed to try to renegotiate points. This is triggered as a result of management and the compliance officer realizing what is involved in meeting the terms and conditions. Ellis stated that the OIG is not inclined to reopen CIA negotiations. The mistake was not having the compliance officer on the front end of negotiations and present during the negotiation process. As the CIA settlement process takes shape, the compliance officer needs to:

  • be part of the negotiations;
  • review and comment on all drafts;
  • create a basic plan from the draft to determine what it takes to meet obligations;
  • conduct a min-gap assessment of what it takes to do what the CIA would require;
  • begin work on implementation strategies; and
  • start the process to determine resource needs to meet obligations.

Ellis also made the point that attitude matters once a CIA is in place, and compliance officers should work with the monitor in an open and honest way. A positive working relationship between the monitor and the compliance officer is in everyone’s best interest. The earlier in the process that they get to know each other, the better.

Thomas Herrmann, J.D., was previously responsible on behalf of the OIG for negotiating CIAs and providing monitors, and subsequently gained many years of consulting experience working with more than a dozen clients with CIAs and as an independent review organization (IRO). He says that what many fail to understand is that, although the OIG is involved in the Department of Justice (DOJ) settlement process, a different OIG attorney will be assigned as negotiator for the CIA. Once the agreement is executed, it is passed on to a different OIG attorney to be the monitor to assure compliance with the terms of the CIA. A very common mistake is for attorneys to deal with issues handled by someone earlier in the process, or in effect, re-litigate. This is a big mistake. The OIG will not re-litigate or interpret decisions made by the DOJ. At the same time, the OIG monitor is definitely disinclined to deal with issues that were or should have been addressed with the OIG negotiator. Herrmann goes on to explain that the OIG views the organization’s legal counsel as filling an adversarial role, but once things are executed, the OIG does not want to continue dealing with the advocate. The focus of the relationship with the OIG should be on meeting the terms of the CIA. Herrmann sees it as a huge mistake for the legal counsel to continue making arguments or try to modify terms with the monitor, as this frequently leads to aggravation of matters and creates additional problems for the organization. The monitor wants to deal with how the organization will meet its obligations, and that means working with the compliance officer to determine how the terms and conditions of the CIA will be fulfilled. It behooves compliance officers to get to know their monitor as quickly as possible, evidence their commitment, and exhibit an attitude to work out what it takes to get the job done.

Carrie Kusserow has over 15 years’ compliance officer and consultant experience; in fact, she was brought in to be the compliance officer to an organization under a CIA while Laura Ellis was the monitor. Her experience with Ellis was precisely what Ellis explained during her presentation.   Maintaining the focus on meeting the obligations of the agreement is very important for credibility and permits ironing out of issues. By listening carefully and responding to Ellis’ questions openly in a forthright manner, Kusserow developed a very good working relationship.  This made work easier for everyone.  Compliance officers need to listen carefully to what the monitor expresses, working as needed and then immediately following up to report actions taken. The focus must stay on getting the job done to the satisfaction of the OIG.  It is also critical that the compliance officer at all times be “straight up” and honest with the OIG.  If this is done, then a bond of trust can be developed that can iron out details that are sure to arise. This can permit seeking non-adversarial clarification of terms and conditions. On the other hand, failing to develop a proper working relationship with the monitor can result in lack of understanding and increased work for everyone. As such, as soon as the CIA is signed, the compliance officer should come into direct contact with the OIG monitor.

Suzanne Castaldo, J.D., has worked both as a litigator and compliance consultant dealing with numerous organizations with CIAs. She confirmed what Ellis noted about attorneys negotiating with the OIG without active involvement of either management or the compliance officer. In almost every case, it has created avoidable issues.  She strongly recommends that anyone engaging a law firm to assist with CIA negotiations insist on including knowledgeable members of management and the compliance officer in all meetings with the OIG.  All terms that are being negotiated should be reviewed and assessed by them to understand all implications and resulting work obligations. Many attorneys will not find this to their liking and may argue against it.   However, not being part of this process reminds one of “arriving at the dance after it is over.”

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

 

Kusserow on Compliance: New analysis of OCR reports found 1800 large breaches over 7 years

In a presentation at the Health Care Compliance Association (HCCA) entitled “OCR Enforcement Update,” HHS Office for Civil Rights (OCR) Senior Adviser Iliana Peters reported that the OCR continues to receive and resolve an increasing number of complaints of Health Insurance Portability and Accountability Act (P.L. 104-191) (HIPAA) violations. To date, the OCR has received 150,507 complaints, with 24,879 being resolved with corrective action measures or technical assistance. She estimated that the OCR will receive about 17,000 complaints in 2017.

A new study published in JAMA Internal Medicine found that 1,798 “large data breaches” involving patient information had been reported by health care providers to the OCR since 2009. Out of that number, 216 hospitals reported 257 data breaches, while 33 hospitals were found to have experienced multiple data breaches. Of 141 acute care hospitals reporting breaches, 52 were major academic medical centers. These numbers are misleading in that they represent only a small fraction of the total number of breaches, as indicated by Peters. The reason is that smaller breaches are not required to be reported, and many breaches may not have been voluntarily reported. Increased vigilance and internal controls are needed.

Latest OCR resolution

The OCR announced a resolution agreement based on the lack of a security management process to safeguard electronic protected health information (ePHI). Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC), has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $400,000 and implementing a corrective action plan. MCPN filed a breach report with the OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident. As with many of the reported large breaches, the OCR found that prior to the breach incident, there was no risk analysis to assess the risks and vulnerabilities in its ePHI environment and a corresponding failure to implement any associated risk management plans to address the risks and vulnerabilities identified in a risk analysis.

Reminder tips on HIPAA compliance

As a reminder, entities should perform the following recommended steps in order to comply with HIPAA.

  1. Perform a complete security risk analysis that addresses ePHI vulnerabilities.
  2. Engage an outside expert to independently verify that Privacy/Security Officers are meeting obligations.
  3. Properly address identified risks with corrective action measures.
  4. Follow the basics in reviewing compliance for information security risks and PHI breaches.
  5. Verify that the Code of Conduct covers reporting HIPAA violations.
  6. Ensure that policies and procedures govern receipt and removal of laptops containing ePHI.
  7. Train the workforce on HIPAA policies and procedures, including reporting violations.
  8. Ensure that all business associates (BAs) have signed BA agreements (BAAs), with contact information on file.
  9. Verify that controls cover gaining access to ePHI by workforce members and users.
  10. Encrypt and password protect all laptops and mobile devices.
  11. Implement safeguards to restrict access to unauthorized users.
  12. Validate effectiveness of internal controls, policies, and procedures.
  13. Review adequacy of security processes to address potential ePHI risks and vulnerabilities.
  14. Ensure that a hotline is set up to receive HIPAA-related calls.

Webinar provides multiple perspectives on FCA cases

To avoid federal False Claims Act (FCA) (31 U.S.C. §3729 et seq.) liability, providers should implement an effective compliance program, stay ahead of the government’s investigation of possible FCA violations, and fix problems first. In a Health Care Compliance Association (HCCA) webinar entitled, “False Claims Act Cases—Perspectives from Both Sides of the Aisle,” Rachel V. Rose, principal at Rachel V. Rose—Attorney at Law, PLLC, and Sean McKenna, shareholder at Greenberg Traurig LLP, provided an overview of the process for filing federal FCA complaints and how to respond to investigations and lawsuits under the FCA.

Complaints

Qui tam relators file their complaints under seal, on behalf of the government. The Department of Justice (DOJ) has 60 days to investigate and decide whether to intervene, which happens only about 10 percent of the time. Even then, the government will prosecute only the strongest aspects of the case. The presenters warned that relators should use “an abundance of caution” when discussing an FCA case or the underlying allegations with anyone other than the whistleblower’s attorney or the government agents assigned to the case, as “breaking the seal” can result in dismissal or sanctions.

False claims

The type of false claim that most frequently leads to FCA liability is a claim for services not provided. Other categories of false claims include legally false claims (express), legally false claims by implied certification, and reverse false claims. In United Health Services, Inc. v. United States ex rel. Escobar, (2016), the U.S. Supreme Court upheld the implied certification theory and relied on whether the claim was material to payment, what McKenna called a “groundbreaking approach” (see Implied certification liability confirmed, limited to material compliance violations, Health Law Daily, June 16, 2016).

Since November 2, 2015, the range of penalties for violating the FCA increased from $5,500-$11,000 to $10,781-$21,562, plus treble damages and the relator’s attorney fees. FCA violations can also lead to exclusion, “the death penalty for health care providers.” Exclusion applies only to conduct from the past 10 years (42 C.F.R. Sec. 1001.901(c); see HHS OIG’s exclusion authority loosens, allows more discretion, Health Law Daily, January 12, 2017).

In parallel proceedings, simultaneous civil/criminal/administrative investigation of the same defendants occurs. It can be federal and state/local or multi-district. Not every case is appropriate for parallel proceedings, however. Examples of common parallel matters include procurement and government program fraud, health care fraud, internet pharmacies, and antitrust investigations.

Yates memo

The past several years in health care fraud and abuse prosecutions have seen an increased focus on individual actors such as executives, as reflected in a September 9, 2015 memo from former acting attorney general Sally Yates, known as the “Yates Memo.” The Memo emphasized the DOJ’s commitment to combat fraud “by individuals” and recommended that: (1) to qualify for a cooperation credit, a corporation must provide facts relating to the individuals responsible for the misconduct; (2) investigations should focus on individuals from the inception of the investigation; (3) culpable individuals should not be released from liability absent extraordinary circumstances; and (4) DOJ attorneys should not resolve matters with a corporation without a clear plan to resolve related individual cases.

Best practices

If an FCA investigation occurs, providers should evaluate all liability (civil, criminal, administrative, state, licensure, and private), determine if anyone needs separate counsel or has talked to the government, preserve documents, and compile the right team, including consultants, billing and coding experts, and statisticians.

Kusserow on Compliance: Appealing exclusions–practical advice

Attorneys and consultants frequently have sanctioned clients desperately wanting to appeal and overturn the HHS Office of Inspector General (OIG) decision on exclusion, adding them to the List of Excluded Individuals and Entities (LEIE). The desperation is driven by the fact that exclusion is tantamount to putting them out of business. Few health care providers of services and products can function without access to federal health care programs and trying to continue servicing in that area after exclusion represents further violation of law with increased penalties.

Tom Herrmann, J.D., served over 20 years in the Office of Counsel to the Inspector General and as Appellate Judge for the Medicare Appeals Council and is frequently engaged to assist in Medicare appeals. He explained that there is, indeed, a process for appeal on exclusion to an HHS Administrative Law Judge (“ALJ”), the HHS Departmental Appeals Board (“DAB”), and ultimately the federal courts. However, he warns that trying to appeal exclusions imposed by the OIG is not generally advisable, in that they are rarely overturned. This is because most exclusion actions, both mandatory and discretionary, are derivative of a prior official action, whether it is court conviction or licensure board revocation. Upon appeal, the underlying predicate action for exclusion may not be challenged through the established administrative and judicial review process. The governing regulations provide further that an ALJ may not “review the exercise of discretion by the OIG to exclude an individual or entity under section 1128(b) of the Act, or determine the scope or effect of the exclusion.” Moreover, the ALJ is prohibited from setting “a period of exclusion at zero, or reduce[ing] a period of exclusion to zero, in any case where the ALJ finds that an individual or entity committed an act described in section 1128(b) of the Act.”

Furthermore, an excluded party can affect the entities with which it is affiliated. Should a provider permit an excluded party to be involved in services, it will create a liability to that organization. As a condition of participation in Medicare/Medicaid, it is the affirmative duty and responsibility of the organization to ensure that any provider of services or products that is included in claims submitted for payment to those programs is licensed, qualified and NOT excluded. To engage excluded parties places in jeopardy the entity’s status as a provider. Furthermore, it is the OIG’s position that all claims submitted that include anything from a sanctioned provider may be considered false and potentially fraudulent. Providers should take steps to avoid being poisoned by excluded parties. Sanction screening can be a challenge because of multiple exclusion databases and variations of names and data.

Practical tips

Organizations should consider the following:

  • The fact that most exclusions arise from court or licensing agency actions underscores the importance of sanction screening and conducting background investigations prior to engaging employees, contractors, and vendors, to ensure they have not been subject to adverse actions by these authorities.
  • Screen parties before engaging them and thereafter periodically (e.g. monthly) against the LEIE or relevant State sanction lists.
  • Ensure data used in screening is accurate and up to date. Frequently, sanctioned parties disguise their exclusion with a name change (e.g. spouse surname) or variations on a name (particularly significant in the case of names that are transliterated).
  • Include on any application for employment or for medical privilege a statement that they are not under investigation and have not been subject of adverse action by any duly authorized enforcement agency.
  • Check the enrollment and exclusion status of physicians and other non-physician practitioners that routinely order or prescribe, as any services ordered or prescribed by an excluded health care practitioner will not be eligible for program payments.
  • If a party is verified to be on an exclusion list, take immediate action to terminate the party; determine the monetary exposure of the services involving that party that were billed to Federal health care programs; and disclose the findings to the OIG.
