Kusserow on Compliance: CMS and Veterans Affairs partnering to address fraud and abuse

The Department of Veterans Affairs (VA) and CMS announced a partnership to share data, data analytics tools, and best practices for identifying and preventing fraud, waste, and abuse. The Veterans Health Administration is a large integrated health care system operated by the VA and has many issues already being addressed by CMS. Through the Veterans Health Administration, the VA is itself the provider, operating an integrated network of 168 medical centers, more than 1,000 outpatient clinics, 250 brick-and-mortar pharmacies, and seven mail-order pharmacies. The VA health system employs over 200,000 health care professionals and covers about nine million veterans in the US.

The new alliance is intended to enhance ongoing efforts between the country’s two largest public-private health-care payment organizations. This collaboration is intended to identify new and innovative ways to seek out fraud, waste, and abuse. CMS estimates that its program integrity activities saved Medicare operations $17 billion in fiscal 2015. Much of this arises from new practices and technologies that will now be shared with the VA, which will be able to capitalize on the advancements in analytics CMS has made and hopefully it will be able to close existing gaps in its own claims payment process. CMS also noted in its announcement that VA invited industry experts in November 2017 to provide information on the latest commercial sector tools and techniques to enhance VA’s fraud detection capabilities.


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: OIG opinion on the effect of exclusion

OIG Advisory Opinion 18-01 was issued in response to a request regarding the effect of an exclusion from Medicare, Medicaid, and all other Federal health care programs. As a result of criminal conviction for health care fraud pursuant to a civil False Claims Act (FCA) settlement, the Requestor agreed to be permanently excluded. The Requestor received a good faith employment offer from a newly formed, for-profit corporation that will be offering long-term care pharmacies (the LTC Pharmacies) access to discounted rates for emergency medications that the company negotiates with local retail pharmacies. The prices the company would charge for the medications the LTC Pharmacies obtain from the local retail pharmacies would be the discounted rate the company negotiated with the local retail pharmacies, plus a mark-up. The Requestor inquired whether the engagement proposal to market its services (the Proposed Arrangement) would violate the terms of the exclusion and constitute grounds for the imposition of sanctions.

The OIG concluded that, although the Proposed Arrangement could violate the terms of the exclusion and could constitute grounds for the imposition of sanctions, the OIG would not impose such sanctions in connection with the Proposed Arrangement, based upon the following representations:

  • Neither the Requestor nor the company would directly submit claims for items or services that are paid for by any federal health care program, including any medications the LTC Pharmacies obtain from the local retail pharmacies; and would not directly or indirectly have any role in the LTC Pharmacies’ or their customers’ submission of claims to any federal health care program.
  • Neither the Requestor nor the company would submit claims to Medicare, Medicaid, or any other federal health care program for any items or services provided in connection with the Proposed Arrangement.
  • The Requestor would market the company’s services to the LTC Pharmacies and offer them the opportunity to contract with the company to receive lower prices than they normally would pay when ordering emergency medications from a local retail pharmacy.
  • Neither the Requestor nor the company would exercise any direct or indirect control over determining the volume, type, and frequency of any medications they would need or order.
  • The company would pay the Requestor a fixed salary plus a commission based on the number of LTC Pharmacy accounts the Requestor secured for the company with no compensation determined based on the volume, value, frequency, price, or selection of any medications, including federally reimbursable medications, the LTC Pharmacies or their customers would order.
  • Neither the Requestor, nor any member of the immediate family would have direct or indirect control of the company.


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

CBO, JCT share methods for analyzing legislative proposals impacting health insurance coverage

The Congressional Budget Office (CBO) and the Joint Committee on Taxation (JCT) revealed in a recent report how they jointly analyze proposed legislation that would impact health insurance coverage for individuals younger than age 65, detailing how they develop analytic strategies, model a proposal’s effect, and finalize their analysis (CBO Report, February 2018).

Analytic strategy development

First, the CBO and JCT put together an analytic strategy. The agencies formally develop their strategy once the proposed legislation’s specifications become available, an official request for analysis has been made, and the CBO and JCT arrange the time to commence the analysis. However, the agencies also often work informally with Congressional staff during development of the proposal. The agencies begin by reviewing the policy specifications. The CBO and JCT consider how the proposed legislation would impact existing law and how the proposed legislation is different from earlier proposal drafts. The agencies work to verify that the Congressional staff’s intent is reflected in the language and then estimate the legislative effect by, namely, identifying how the proposal could affect health insurance coverage and the federal budget.

The CBO and JCT focus on the policy changes most likely to impact health insurance coverage or cost, ranging from the straight-forward to the more complex. Another key aspect the agencies consider is timing and what additional “administrative infrastructure” is necessary to bring about the changes of the proposed legislation—and how long it would take to do so. The timing element includes estimates of how other stakeholders (state governments, insurers, employers, etc.) would respond and how long it would take for them to implement the proposed changes. To help with their estimates, the agencies rely on past cases of legislative reform programs. Further, the agencies seek input from outside experts and existing evidence while maintaining the required confidentiality of a proposal.

Proposal effect modeling

Second, the CBO and JCT undertake modelling the impact of the proposed legislation. Primarily, the agencies rely on CBO’s health insurance simulation model (HISIM), Medicaid enrollment and cost models, and JCT’s individual tax model. These models use data on health insurance coverage information for everyone younger than 65, Medicaid enrollment and expenditures, and detailed tax return information. The agencies also draw estimates based on information HISIM cannot project, namely, the behavior of states, employers, and insurers. These initial projections are incorporated as inputs into HISIM (state, employer, and individual enrollee behavior) or assessed outside HISIM (insurer behavior). CBO and JCT also use HISIM to estimate stakeholder responses to new coverage options. Medicaid enrollment and cost projections use HISIM estimates in addition to a more detailed Medicaid model and other methods. JCT usually provides estimates of proposed tax liability changes using its individual tax model.


Finally, both the CBO and JCT engage in rigorous review of their respective analysis results in order to ensure objectivity and proper analysis. Specifically, they examine results of one or more years out of the 10-year projection period to ensure that the analysis is being computed as intended and compare results against previous analyses. The agencies also inspect for programming errors or unexplained results. The CBO and JCT consider changes to the results if there were different critical inputs. The agencies prepare a formal written estimate and explanation thereof and, before releasing it to Congress and the public, agency staff carefully review the report.

Perfecting cybersecurity through better training and testing

Various types of training and testing of health care professionals and staff can be used by health care entities to perfect their cybersecurity programs, according to a Health Care Compliance Association (HCCA) webinar presented by Steve Snyder of Smith Moore Leatherwood, LLP.

Snyder believes that perfecting cybersecurity training and testing is made especially challenging due to the uniqueness of the cybersecurity threat. Snyder listed the primary factors making cybersecurity unique, including:

  • the people trying to penetrate are adversarial and usually off-shore;
  • cyberattacks are evolving rapidly, with attacks designed to respond to new defenses;
  • cybersecurity involves highly technical concepts, which make staff hesitant to embrace safeguards; and
  • cybersecurity is outside the core competency for most of the staff to be trained and tested.


Snyder believes that cybersecurity training must take a long term view, be about learning and reminding, have the objective of conditioning behavior, and must evolve over time as circumstances and threats change.

Opportunities for training, according to Snyder, could be when new job functions are created, when introducing new procedures, or when reinforcing integral work functions. He listed the possible training scenarios and their pros and cons as:

  • External programs offered by third parties. These programs offer specialized knowledge and instruction but can be costly, rely on the competency of others, and may suffer from the lack of familiarity of the third-party with the organization.
  • Internal learning management systems (LMS). These internal systems, relying on online or classroom training, can develop custom content and make tracking compliance easy. However, they require internal expertise and can create a record of noncompliance for government investigators.
  • This method can be particularly effective for conveying best practices to staff members in a new role. However, it requires competent mentors and is not ideal for new and evolving issues that the mentor is unfamiliar with.
  • Passive measures (e-mail reminders, etc.). This method is easy, cheap, and is agile enough to address emerging issues. However, it is easy for staff to ignore and therefore it is hard to access effectiveness.
  • Training tips. Snyder’s cybersecurity training tips included the following:
  • Start with objectives (such as increasing reporting of possible cyber incidents) and work back to prevention methods.
  • Try to find objective metrics (such as the rate of reporting vs. known incidents).
  • Make it digestible by staff (we live in a sound bite society).
  • Show a tangible purpose (clicks = malware = detriment to business).
  • Use varying approaches as people learn differently.
  • Make it interesting by using gamification, simulations, scoring, ranking, competitions, etc.


Snyder believes that testing should be focused on existing knowledge and established procedures. He favors a testing program with a narrow focus and reoccurring elements. The goals of testing, according to Snyder, should insure that cybersecurity procedures are known and understood, are effective, guarantee compliance, and identify gaps in policies and procedures.

Snyder listed several types of cybersecurity testing:

  • Penetration testing (looking for breach of security from the outside).
  • Vulnerability testing from the inside (looking for known bugs, unpatched software, or legacy systems that can be exploited).
  • Simulated testing (using drills and tabletop exercises).
  • Pop quizzes (discrete staff testing).
  • Final comprehensive exams.

Final takeaway

Snyder wrapped up his presentation by stressing that in training and testing for cybersecurity, and organization should: (1) be contemplative in designing their programs, (2) use a mix of internal and external resources, and (3) assess and revisit the programs often.