Kusserow on Compliance: Understanding and addressing whistleblowers

The vast majority of the cases resolved by the Civil Division of the Department of Justice (DOJ) were cases brought by “whistleblowers” under the qui tam provision of the False Claims Act (FCA). Whistleblowers are responsible for an even higher percentage of cases resulting in OIG Corporate Integrity Agreements (CIAs). Although most compliance officers are well aware of this program, many remain unclear as to how the process works. Tom Herrmann, J.D., who served over 20 years in the Office of Counsel to the OIG and as an Appellate Judge for the Medicare Appeals Board, explained that Congress permitted a whisltleblower called the “Relator” to file a case with the DOJ under the FCA.  Since this provision of law went into effect in 1986, there have been over 10,000 qui tam cases filed with a current average of one such case being filed every day of the year. The intent was to create incentives for private parties to detect and pursue fraud under the FCA. In return for reporting this information, Relators receive a portion (usually about 15 to 25 percent) of any recovered damages.  Once the lawsuit is filed, it is placed “under seal”, meaning that it is kept secret from everyone but the government, in order to give the DOJ enough time to investigate the allegations in deciding whether to join (“intervene”) in the case. Intervention by the DOJ occurs only in about one in five qui tam lawsuits, leaving whistleblowers the option to pursue cases on their own, however the chances of success are much lower than in cases when the government joins. Most successful qui tam cases are resolved through settlement negotiations rather than a court trial, although trials may occur.

Kash Chopra, J.D., noted that the overwhelming number of cases that result in a CIA, arise from whistleblowers and these, in turn, are based upon violations of the federal Anti-Kickback Statute (AKS). It is the government’s position that all claims arising from a corrupt arrangement violating the AKS or in some cases, the Stark Law, are considered fraudulent. This is even when the services rendered were needed and provided appropriately.  She advises here clients that the best ways to manage the whistleblower risk is to ensure that they are channeled through internal communication channels and their complaints are promptly evaluated, investigated, and resolved.  It is worth considering the following:

  1. Using outside experts to independently audit arrangements with physicians and evaluate compliance communication channel effectiveness.
  2. Ensuring a 24/7 hotline operated externally by experts in recognizing health care compliance issues.
  3. Reviewing/updating hotline-related polices/procedures (confidentiality, anonymity, non-retaliation, duty to report, etc.).
  4. Making sure that the duty to report suspected wrongdoing is explained in the Code, policies and training.
  5. Having trained and competent people on hand to conduct prompt and competent investigations of matters raised through the hotline.
  6. Moving quickly to use CMS and OIG self disclosure protocols when there is credible evidence of violations; and not wait until the DOJ gets involved.

For more information on this subject, Kashish Parikh-Chopra can be reached at kchopra@strategicm.com or via telephone at (703) 535-1413.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Emerging government enforcement priorities for 2018

At the HCCA conference in April, there were several presentations regarding the government’s enforcement priorities. There were a number of emerging issues that were the subject of considerable attention: the opioid crisis, electronic health record (EHR) fraud, and telehealth/telemedicine. By far, the area given the most attention was the opioid crisis.  More than a dozen presenters included comments in their presentations on this subject, including presenters from the DOJ, OIG, CMS, and the OCR. This is not surprising in that last October the President declared this to be a national public health care crisis and marshaled regulatory and enforcement agencies to actively focus on steps to alleviate it. Other agencies not present at the HCCA are included in this effort, such as the FDA, FCC, CDC, Indian Health Service, Veterans Administration, Department of Defense TRICARE program, and others. At the federal and state level, there is increased legislative, regulatory, and enforcement actions activity related to substance abuse and behavioral health services. In January, the Attorney General announced the DEA was increasing its focus on pharmacies and prescribers who dispense unusual or disproportionate amount of such drugs. He also has created the Prescription Interdiction and Litigation (PIL) task force to aggressively deploy and coordinate all available criminal and civil law enforcement tools to address the crisis. Both DOJ and OIG presenters noted the July 2017 “take down” of 412 defendants in 41 different judicial districts. The defendants included over 100 doctors, nurses, and other medical license professionals. Together these individuals were responsible for over $1.3 billion in false billings.

The second most reported topic concerned cyber and IT security of Protected Health Information (PHI). This was a main topic in the presentation by OCR, but was alluded to in seven other presentations on cybersecurity and threats and complying with HIPAA Privacy and Security standards. The OCR reported that since 2009, there have been 2178 reports of breaches over 500 files with more than 300,000 cases of breaches affecting fewer than 500 files. The OCR has responded to over 170,000 complaints that resulted in over 25,000 cases being resolved with corrective action measures.  The OCR expects about 17,000 new complaints this year.  The top 10 recurring issues involve: (1) disclosure of sensitive paper information, (2) business associate agreements, (3) risk analysis, (4) failure to manage risks, such as with encryption, (5) lack of transmission security, (6) failure of ongoing auditing, (7) no patching of software, (8) insider threats, (9) improper disposal of records, and (10) insufficient backup of information and contingency planning.

Several sessions focused on physician arrangements and how they could implicate the Anti-Kickback Statute and Stark Laws.  Statistics from DOJ indicated the continuing trend of increased number of qui tam cases that has grown from 426 in 2015 to around 500 in 2017 with annual settlements averaging about $2.5 billion per year.

New cases involving Meaningful Use Fraud were reported with the promise that more new cases were under development.  Another area getting a lot of enforcement attention by the DOJ and OIG relate to telehealth and telemedicine. Cases surfacing now are focusing on claims arising from billings for these areas that did not qualify as such.  Only certain telehealth services are covered by Medicare and providers should take care to follow CMS guidance on what qualifies.

It is interesting to compare these priorities with results for the 2018 Compliance Benchmark Survey of compliance officers. There was no mention of the opioid crisis, as it was just an emerging national issue at the time the survey was taken. HIPAA security/cyber-security was the highest priority. It is troubling that corrupt arrangements with referral sources remains the number one regulatory and enforcement priority for the OIG and DOJ but is ranked fifth in priority to respondents. The other major and continuing enforcement priority related to claims submissions and that ranked third in priority by compliance officers.  A complementary webinar relating to this survey will be presented on May 9th.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: OCR has a record number of significant settlements so far in 2017

The HHS Office for Civil Rights (OCR) has posted about 2,000 major breaches and more than a quarter million small breaches since 2009. The common denominator for many of the cases in which there was a settlement was that the covered entity or business associate (BA) suffered one or more breaches affecting more than 500 individuals sometime between 2011 and 2013. The OCR has jumped off the 2017 year with a record number of significant settlements. The most recent is CardioNet, a wireless health services provider, who provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias. The provider entered into a settlement for $2.5 million and implemented a corrective action plan for disclosure of unsecured ePHI on a laptop that was stolen from a parked car. CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft and their HIPAA Security Rule policies and procedures had not been implemented. The OCR has entered into a number of other significant settlements. Others who paid settlements for violating HIPAA requirements so far this year include Memorial Health Systems ($5.5 million); Children’s Medical Center in Dallas ($3.2 million); MAPFRE, a Puerto Rico life insurance company ($2.2 million); Presence Health in Chicago ($475,000); and Community Provider Network of Denver ($400,000). In all these cases, there was the requirement to take corrective actions.

2016 OCR Results

  • There were 329 Data Breaches greater than 500 Individuals (a new record).
  • 225 OCR Phase 2 of HIPAA compliance audits conducted of covered entities and BAs.
  • No onsite audits were conducted.
  • No findings or notifications from the audits have been made.
  • The OCR intends to use the results from these audits to prepare for a new and better tool in the future.
  • There was a large jump in fines imposed for HIPAA violations that totaled about $24 million (versus a little more than $6 and $8 million in for 2105 and 2014 respectively)

OCR in 2017

  • The OCR stated intention is to conduct only a few onsite audits in 2017.
  • To date the OCR has nearly achieved the level of 2016 in terms of penalties imposed.
  • To date about 100 data breaches impacting greater than 500 Individuals have been reported.
  • About a half million individuals have been impacted in reported data breaches so far this year.
  • Only a relatively few BAs were involved in any of the reported data breaches.

The enforcement actions most often come from the OCR when investigations into the root cause of the breach found systemic, often profound, failures of organizational programs to safeguard protected health information.  This includes the failure to perform an information security risk assessment or to have a risk management plan to address gaps in the safeguards for information systems, both required actions under the HIPAA Security Rule. Tied to this has been insufficient development of policies and procedures for HIPAA Compliance.  Other actionable problems that resulted in the OCR imposing HIPAA corrective action plans (CAP) included inappropriate delay in data breach reporting (reported after 60 days from the date of discovery); and inappropriate oversight into user set up and user management. There is also the continuing problem of organizations not implementing encryption technology on mobile devices.

Camella Boateng, a HIPAA consultant reminds everyone that the recently enacted 21st Century Cures Act amends the HITECH Act to extend an individual’s right to access their PHI to data held by business associates. As such, it is more important than ever that entities give a priority for engaging in a self-audit, so vulnerabilities can be detected and resolved before they come to the attention of the government. Furthermore, with a shifting focus toward BA, it is important to avoid any potential partner that will not commit to signing a BAA.

Strong HIPAA Compliance Program Evidence

  • HIPAA policies and procedures;
  • HIPAA requests forms for patient’s rights;
  • a complete notice of privacy practices;
  • established technical, physical, and administrative safeguards;
  • conducting a regular HIPAA risk analysis;
  • developed a risk management plan to address gaps in the safeguards for PHI;
  • strong workforce education;
  • effective user management and oversight into systems with PHI;
  • auditing practices for verification of compliance;
  • ongoing evaluation of current safeguards established by the organization;
  • strong oversight into user set up and user management;
  • implementing encryption technology on mobile devices; and
  • ensuring partners have signed BAAs.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on
Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Summary of OIG fraud and abuse actions first half of 2017

The HHS OIG issued their Semi-Annual report for first half of fiscal year (FY) 2017 and summarized key accomplishments, significant problems, abuses, deficiencies, and investigative outcomes relating to the administration of HHS programs and operations that were disclosed during the reporting period. The following summarizes reported statistical accomplishments.

Criminal Actions (468). OIG reported 468 criminal actions against individuals or entities that engaged in crimes against HHS programs and 461 civil actions, which include false claims and unjust-enrichment lawsuits filed in Federal district court, civil monetary penalties (CMP) settlements, and administrative recoveries related to provider self-disclosure matters.  During the first half of FY 2017, OIG reported expected investigative recoveries of over $2.04 billion.

Health Care Strike Force (152 Criminal Actions). The Health Care Fraud Strike Force teams brought charges against 45 individuals or entities, 152 criminal actions, and $267 million in recoveries through investigations.

State Medicaid Fraud Control Units (MFCUs) (1,564 Criminal Actions).  The OIG has oversight responsibility for MFCUs and administers grants that provide federal funding for their operations. There are 50 MFCUs (in 49 States and the District of Columbia) totaled almost $259 million. The MFCUs employed 1,965 individuals. MFCUs reported 18,730 investigations, of which 15,509 were related to Medicaid fraud and 3,221 were related to patient abuse and neglect, including misappropriation of patients’ private funds. The cases resulted in criminal charges or indictments involving 1,721 individuals, including 1,249 for fraud and 472 for patient abuse and neglect. In total, 1,564 convictions were reported in FY 2016, of which 1,160 were related to Medicaid fraud and 404 were related to patient abuse and neglect. Civil judgments and settlements for FY 2016 totaled 998, and monetary recoveries in civil cases totaled over $1.5 billion. During this reporting period, OIG special agents partnered with MFCUs in conducting joint investigations on 714 criminal cases.

Program Exclusions (1,422). During this semiannual reporting period, OIG excluded 1,422 individuals and entities from Medicare, Medicaid, and other federal health care programs. Most of the exclusions resulted from convictions for crimes relating to Medicare or Medicaid, for patient abuse or neglect, or as a result of license revocation. OIG is also responsible for reinstating providers who apply and have met the requirements of their exclusions.

Sanction Authorities and Other Administrative Actions (1,504).  OIG sanctions include the exclusion of individuals and entities from federal health care programs and the imposition of CMPs for submitting false and fraudulent claims to a federal health care program or for violating the Anti-kickback statute, the Stark law, or the Emergency Medical Treatment and Labor Act (EMTALA), also known as the patient dumping statute. During this semiannual reporting period, OIG imposed 1,504 administrative sanctions in the form of program exclusions or administrative actions for alleged fraud or abuse or other activities that posed a risk to federal health care programs and their beneficiaries.

Civil Monetary Penalties Law (CMPL) ($26 million0. The CMPL authorizes OIG to impose administrative penalties on and assessments against a person who, among other things, submits, or causes to be submitted, claims to a federal health care program that the person knows, or should know, are false or fraudulent. In addition to administrative penalties and assessments, OIG can also exclude individuals for engaging in conduct prohibited by the CMPL. During this semiannual reporting period, OIG concluded cases involving more than $26.3 million in CMPs and assessments.

Self-Disclosure Programs ($23 million). Health care providers, suppliers, or other individuals or entities subject to CMPs can apply for acceptance into the Provider Self-Disclosure Protocol, a program created in 1998, to voluntarily disclose self-discovered evidence of potential fraud. During this semiannual reporting period, self-disclosure cases resulted in more than $23 million in HHS receivables.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.