Kusserow on Compliance: OIG opinion on the effect of exclusion

OIG Advisory Opinion 18-01 was issued in response to a request regarding the effect of an exclusion from Medicare, Medicaid, and all other Federal health care programs. As a result of criminal conviction for health care fraud pursuant to a civil False Claims Act (FCA) settlement, the Requestor agreed to be permanently excluded. The Requestor received a good faith employment offer from a newly formed, for-profit corporation that will be offering long-term care pharmacies (the LTC Pharmacies) access to discounted rates for emergency medications that the company negotiates with local retail pharmacies. The prices the company would charge for the medications the LTC Pharmacies obtain from the local retail pharmacies would be the discounted rate the company negotiated with the local retail pharmacies, plus a mark-up. The Requestor inquired whether the engagement proposal to market its services (the Proposed Arrangement) would violate the terms of the exclusion and constitute grounds for the imposition of sanctions.

The OIG concluded that, although the Proposed Arrangement could violate the terms of the exclusion and could constitute grounds for the imposition of sanctions, the OIG would not impose such sanctions in connection with the Proposed Arrangement, based upon the following representations:

  • Neither the Requestor nor the company would directly submit claims for items or services that are paid for by any federal health care program, including any medications the LTC Pharmacies obtain from the local retail pharmacies; and would not directly or indirectly have any role in the LTC Pharmacies’ or their customers’ submission of claims to any federal health care program.
  • Neither the Requestor nor the company would submit claims to Medicare, Medicaid, or any other federal health care program for any items or services provided in connection with the Proposed Arrangement.
  • The Requestor would market the company’s services to the LTC Pharmacies and offer them the opportunity to contract with the company to receive lower prices than they normally would pay when ordering emergency medications from a local retail pharmacy.
  • Neither the Requestor nor the company would exercise any direct or indirect control over determining the volume, type, and frequency of any medications they would need or order.
  • The company would pay the Requestor a fixed salary plus a commission based on the number of LTC Pharmacy accounts the Requestor secured for the company with no compensation determined based on the volume, value, frequency, price, or selection of any medications, including federally reimbursable medications, the LTC Pharmacies or their customers would order.
  • Neither the Requestor nor any member of the immediate family would have direct or indirect control of the company.


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2017 Strategic Management Services, LLC. Published with permission.

CBO, JCT share methods for analyzing legislative proposals impacting health insurance coverage

The Congressional Budget Office (CBO) and the Joint Committee on Taxation (JCT) revealed in a recent report how they jointly analyze proposed legislation that would impact health insurance coverage for individuals younger than age 65, detailing how they develop analytic strategies, model a proposal’s effect, and finalize their analysis (CBO Report, February 2018).

Analytic strategy development

First, the CBO and JCT put together an analytic strategy. The agencies formally develop their strategy once the proposed legislation’s specifications become available, an official request for analysis has been made, and the CBO and JCT arrange the time to commence the analysis. However, the agencies also often work informally with Congressional staff during development of the proposal. The agencies begin by reviewing the policy specifications. The CBO and JCT consider how the proposed legislation would impact existing law and how the proposed legislation is different from earlier proposal drafts. The agencies work to verify that the Congressional staff’s intent is reflected in the language and then estimate the legislative effect by, namely, identifying how the proposal could affect health insurance coverage and the federal budget.

The CBO and JCT focus on the policy changes most likely to impact health insurance coverage or cost, ranging from the straightforward to the more complex. Another key aspect the agencies consider is timing and what additional “administrative infrastructure” is necessary to bring about the changes of the proposed legislation—and how long it would take to do so. The timing element includes estimates of how other stakeholders (state governments, insurers, employers, etc.) would respond and how long it would take for them to implement the proposed changes. To help with their estimates, the agencies rely on past cases of legislative reform programs. Further, the agencies seek input from outside experts and existing evidence while maintaining the required confidentiality of a proposal.

Proposal effect modeling

Second, the CBO and JCT model the impact of the proposed legislation. Primarily, the agencies rely on CBO’s health insurance simulation model (HISIM), Medicaid enrollment and cost models, and JCT’s individual tax model. These models use data on health insurance coverage information for everyone younger than 65, Medicaid enrollment and expenditures, and detailed tax return information. The agencies also draw estimates based on information HISIM cannot project, namely, the behavior of states, employers, and insurers. These initial projections are incorporated as inputs into HISIM (state, employer, and individual enrollee behavior) or assessed outside HISIM (insurer behavior). CBO and JCT also use HISIM to estimate stakeholder responses to new coverage options. Medicaid enrollment and cost projections use HISIM estimates in addition to a more detailed Medicaid model and other methods. JCT usually provides estimates of proposed tax liability changes using its individual tax model.


Finally, both the CBO and JCT engage in rigorous review of their respective analysis results in order to ensure objectivity and proper analysis. Specifically, they examine results of one or more years out of the 10-year projection period to ensure that the analysis is being computed as intended and compare results against previous analyses. The agencies also inspect for programming errors or unexplained results. The CBO and JCT consider changes to the results if there were different critical inputs. The agencies prepare a formal written estimate and explanation thereof and, before releasing it to Congress and the public, agency staff carefully review the report.

Perfecting cybersecurity through better training and testing

Various types of training and testing of health care professionals and staff can be used by health care entities to perfect their cybersecurity programs, according to a Health Care Compliance Association (HCCA) webinar presented by Steve Snyder of Smith Moore Leatherwood, LLP.

Snyder believes that perfecting cybersecurity training and testing is made especially challenging due to the uniqueness of the cybersecurity threat. Snyder listed the primary factors making cybersecurity unique, including:

  • the people trying to penetrate are adversarial and usually off-shore;
  • cyberattacks are evolving rapidly, with attacks designed to respond to new defenses;
  • cybersecurity involves highly technical concepts, which make staff hesitant to embrace safeguards; and
  • cybersecurity is outside the core competency for most of the staff to be trained and tested.


Snyder believes that cybersecurity training must take a long-term view, be about learning and reminding, have the objective of conditioning behavior, and must evolve over time as circumstances and threats change.

Opportunities for training, according to Snyder, could be when new job functions are created, when introducing new procedures, or when reinforcing integral work functions. He listed the possible training scenarios and their pros and cons as:

  • External programs offered by third parties. These programs offer specialized knowledge and instruction but can be costly, rely on the competency of others, and may suffer from the lack of familiarity of the third-party with the organization.
  • Internal learning management systems (LMS). These internal systems, relying on online or classroom training, can develop custom content and make tracking compliance easy. However, they require internal expertise and can create a record of noncompliance for government investigators.
  • This method can be particularly effective for conveying best practices to staff members in a new role. However, it requires competent mentors and is not ideal for new and evolving issues that the mentor is unfamiliar with.
  • Passive measures (e-mail reminders, etc.). This method is easy, cheap, and is agile enough to address emerging issues. However, it is easy for staff to ignore and therefore it is hard to assess effectiveness.

Training tips

Snyder’s cybersecurity training tips included the following:

  • Start with objectives (such as increasing reporting of possible cyber incidents) and work back to prevention methods.
  • Try to find objective metrics (such as the rate of reporting vs. known incidents).
  • Make it digestible by staff (we live in a sound bite society).
  • Show a tangible purpose (clicks = malware = detriment to business).
  • Use varying approaches as people learn differently.
  • Make it interesting by using gamification, simulations, scoring, ranking, competitions, etc.


Snyder believes that testing should be focused on existing knowledge and established procedures. He favors a testing program with a narrow focus and recurring elements. The goals of testing, according to Snyder, should ensure that cybersecurity procedures are known and understood, are effective, guarantee compliance, and identify gaps in policies and procedures.

Snyder listed several types of cybersecurity testing:

  • Penetration testing (looking for breach of security from the outside).
  • Vulnerability testing from the inside (looking for known bugs, unpatched software, or legacy systems that can be exploited).
  • Simulated testing (using drills and tabletop exercises).
  • Pop quizzes (discrete staff testing).
  • Final comprehensive exams.

Final takeaway

Snyder wrapped up his presentation by stressing that in training and testing for cybersecurity, an organization should: (1) be contemplative in designing its programs, (2) use a mix of internal and external resources, and (3) assess and revisit the programs often.

Kusserow on Compliance: OIG summarizes investigative accomplishments from last three years

The OIG testified before the House Committee on Ways and Means and reported that in the last 3 fiscal years, its investigations have resulted in more than $10.8 billion in investigative receivables (dollars ordered or agreed to be paid to Government programs as a result of criminal, civil, or administrative judgments or settlements); 2,650 criminal actions; 2,211 civil actions; and 10,991 program exclusions. Much of this work involving the Medicare and Medicaid programs is funded by the Health Care Fraud and Abuse Control Program (HCFAC). The HCFAC provides funding resources to the Department of Justice (DOJ), HHS, and OIG, which are often used collaboratively to fight health care fraud, waste, and abuse. Since its inception in 1997, the HCFAC has returned more than $31 billion to the Medicare trust fund.

The OIG is a lead participant in the DOJ-led Medicare Fraud Strike Force, which combines the resources of Federal, state, and local law enforcement entities to fight health care fraud across the country. The Strike Force operates in nine geographic hot spots, including Miami, Florida; Los Angeles, California; Detroit, Michigan; southern Texas; Brooklyn, New York; southern Louisiana; Tampa, Florida; Chicago, Illinois; and Dallas, Texas. Strike Force teams are led by the DOJ and include the FBI and the OIG, along with state and local law enforcement. In 2017 alone, Strike Force teams accounted for over 2,000 criminal actions with about 3,000 indictments, and accounted for monetary results of around $3 billion. Since its inception in March 2007, the Strike Force has charged more than 3,000 defendants who collectively billed the Medicare program more than $10.8 billion.

The OIG also collaborates with state Medicaid Fraud Control Units (MFCUs) to detect and investigate fraud, waste, and abuse in state Medicaid programs, as well as private sector stakeholders to enhance the relevance and impact of its work to combat health care fraud, as demonstrated by its leadership in the Healthcare Fraud Prevention Partnership (HFPP) and collaboration with the National Health Care Anti-Fraud Association (NHCAA). The OIG strives to cultivate a culture of compliance in the health care industry through various educational efforts, such as Pharmacy Diversion Awareness Conferences, public outreach, and consumer education.

