Kusserow on Compliance: Continued confusion regarding the CMS preclusion list

Those on the list are prohibited from receiving payment from MA Plans or Part D Sponsors

Questions continue to arise concerning the CMS Preclusion List final rule. The Preclusion List is a list generated by CMS that contains the names of prescribers, individuals, and entities that are unable to receive payment for Medicare Advantage (MA) items and services and/or Part D drugs prescribed or provided to Medicare beneficiaries. The rule mandates Part D sponsors, or their pharmacy benefit managers, to screen against the Preclusion List and reject any pharmacy claim prescribed by an individual or entity on it. MA plans must deny payment for a health care item or service furnished by an individual or entity on the list. Plans and sponsors must also notify impacted beneficiaries who received care or a prescription from a provider on the Preclusion List in the last twelve months. The list includes those who are currently revoked from Medicare, are under an active reenrollment bar, and whose underlying conduct CMS has determined to be detrimental to the Medicare program; or have engaged in behavior for which CMS could have revoked the prescriber and determined the underlying conduct would have led to the revocation. Such conduct includes, but is not limited to, felony convictions and OIG exclusions. CMS indicated that individuals or entities appearing on the List of Excluded Individuals/Entities (LEIE) and/or the System for Award Management (SAM) list would also be placed on the Preclusion List.

MA plans and Part D sponsors are required to access the list through an Enterprise Identity Data Management (EIDM) account with CMS. The list is updated monthly. The cause of most of the confusion is that only plans approved by CMS are granted access to the Preclusion List. As a result, many, if not most, organizations use a vendor for sanction screening services. However, the vendors are not always given access to the List. The way around this obstacle has been for Plans to give their vendor the list and have them include it in their screening services. Another point of confusion is that, technically, it is not a sanction list. It includes many parties who have not been formally sanctioned to be included on the OIG LEIE, although many on the list are also on the LEIE.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Why encourage anonymous hotline calls?

They are in your best interest

Encouraging anonymity with hotline callers may at first seem a bad practice; however, it is not. It is a sound policy and in the best interest of the organization. However, many believe no calls should be accepted without an individual disclosing his or her identity. Those individuals are wrong. First, the HHS OIG, Sentencing Commission, DOJ, and Sarbanes-Oxley Act all promote anonymous reporting. The OIG in its compliance guidance states, “At a minimum, comprehensive compliance programs should include…a hotline, to receive complaints, and the adoption of procedures to protect the anonymity of complainants and to protect whistleblowers from retaliation.” Failing to provide for and encourage anonymity undercuts the perceived effectiveness of the compliance program. There are other positive reasons for having anonymous reporting:

  1. Not allowing anonymity discourages reporting for fear of becoming a victim of retribution or retaliation. The result is that an individual may give information to someone else like an attorney, the media, government agencies, or simply not tell anyone, which may lead to a growing exposure to liability for the organization. As a rule, the more serious the complaint or allegation, the less likely callers will be willing to identify themselves.
  2. The disclosure of an individual’s identity creates a burden for the organization to protect the caller’s identity (“confidentiality”) once it is known. Failure to protect identified callers may result in unprotected reprisals or retaliation and serious consequences for the organization that may draw in attorneys, government, and regulatory agencies. There are many cases of litigation for reprisals or wrongful discharge where the company was put in the awkward position of trying to show that the call did not contribute to the adverse action or termination. This is not a burden if the caller was anonymous.
  3. It is also useful to keep in mind that many callers may want to self-disclose their identity, in order to achieve a protection as a “Whistleblower” to forestall performance or conduct-based actions by trying to invoke the organization’s non-retribution/non-reprisal policy. For some, calling the hotline may be an attempt to block the adverse personnel action.

In some cases, it is desirable, and perhaps even necessary, to learn the identity of the caller in order to properly act on the information offered. There are circumstances where having the identity is essential to act upon a serious allegation. In such cases, callers can be encouraged to identify themselves, noting that their confidentiality will be protected. As such, it is important to also have a Confidentiality Policy, along with the Anonymity Policy.  Both such policies are called for in the OIG compliance guidance documents.

Kusserow on Compliance: Ninth Circuit reinstates unnecessary admissions whistleblower case

Federal Court established grounds for “medical necessity” fraud cases

A compliance high-risk area worthy of attention

On March 23, 2020, the Ninth Circuit reinstated a False Claims Act (FCA) “whistleblower” suit alleging a hospital and various physicians orchestrated medically unnecessary inpatient admissions resulting in the submission of more than $1.2 million in false claims to Medicare. This reversed the District Court ruling that FCA allegations failed because “subjective medical opinions…cannot be proved objectively false.”

The Circuit Court decision follows others that established that lack of “medical necessity” claims can proceed under the FCA. The qui tam relator in the case alleged that certain admissions to the hospital were not medically necessary and were in fact contraindicated by the patients’ medical records and the hospital’s admission criteria. As a result, the hospital allegedly submitted, or caused to be submitted, Medicare claims that falsely certified that patients’ hospitalizations were medically necessary. The relator was a nurse who reported 65 admissions that “failed to satisfy the hospital’s own admissions criteria” and noted that the admission rate from related nursing homes was over 80 percent during the relevant time period. The nursing home operator had acquired fifty percent ownership in the hospital, which resulted in a spike in admissions from those facilities. After repeated attempts to bring the issue to the attention of management, she was fired.

The Court held that a physician’s clinical opinion must be judged by the same standard as any other representation, including whether the physician: (1) knows the clinical opinion to be false; or (2) renders the opinion in reckless disregard of its truth or falsity. This means that a physician’s certification that inpatient hospitalization was “medically necessary” can be false or fraudulent, like any opinion that is not honestly held. In short, a false certification of medical necessity can give rise to FCA liability.

Compliance officers at any hospital should make this message known to the executive leadership and medical staff.

 

 

Kusserow on Compliance: Increase guard on cybersecurity during COVID-19 pandemic

Many health care organizations are facing attacks by cyber-criminals who are using the COVID-19 crisis to get individuals to be less vigilant about security. Hackers are taking advantage of the fears and uncertainty about the pandemic to gain access to systems through malware. These hackers impersonate health authorities such as NIH, CDC, and FDA to get individuals to open attachments that purportedly have important information on the spread of the disease, lockdowns, and quarantine. These new phishing scams have been rapidly spreading during the crisis. As organizations move to expanded teleworking, the vulnerabilities to such attacks greatly increase. As new systems are being introduced for remote working, steps need to be taken to ensure that security and privacy controls are in place. This is particularly important because employees may lower their guard when introduced to new, unfamiliar communication methods. Even government agencies are subject to attack. HHS had a cyber-attack on its computer system, intended to disrupt and undermine the response to the coronavirus pandemic. The attack involved overloading the HHS servers with millions of hits over several hours in order to impair operation of the systems. Fortunately, HHS had no degradation of the functioning of its networks.

Tips and Reminders

  1. Alert employees to beware of COVID-19 communications
  2. Re-educate employees on phishing and social engineering defense tactics
  3. Remind employees not to click on email links/attachments, or respond to inquiries
  4. Review third-party vendors’ access to information systems
  5. Authenticate access, particularly as more employees work remotely
  6. Regularly test users to make sure they are on guard
  7. Configure email servers to block zip or other files that are likely to be malicious
  8. Monitor those accessing sensitive data
