Kusserow on Compliance: Health care mergers and acquisitions due diligence

Hardly a day passes when the press does not report on a new merger or acquisition in the healthcare sector. Some of these are monumental in scope, but most relate to individual hospitals, facilities, or entities. The number of hospital and health system mergers and acquisitions continued its upward trend in the first quarter of 2017, with an eight percent increase from 25 to 27 transactions compared to the first quarter of 2016. This trend is likely to continue and is stimulated by health care reform that will likely result in more consolidation and integration among hospitals and physician practices. There are two common types of due diligence: financial and legal. However, the highly regulated nature of the health care industry requires a third type: regulatory due diligence, to avoid later discovering, and having to disclose, regulatory violations and overpayments of millions of dollars.

Financial and Legal Due Diligence

Due diligence reviews generally focus on financial accountability and legal liabilities. An independent accounting firm focuses on reviewing and evaluating the balance sheets, income statements, audit reports, and cash flow statements and projections in measuring financial viability. There are many very competent public accounting firms that specialize in this type of work. For legal due diligence, the focus is on examining the entity’s structure; business permits and/or approvals; employment and labor law compliance; environmental law approvals, permits and compliance; contractual rights and obligations; intellectual property rights and obligations; real property law compliance; securities and financing regulatory compliance; tax exposure risks; consumer protection law and exposure risks; and/or licenses; previous and/or current litigation; media reports; and external consultants and/or advisors. There is an abundance of law firms that provide high quality services in this type of work. What is often missing is a focus on the potential health care regulatory and legal compliance issues.

Health Care Regulatory Due Diligence

In the health care sector, things are more complicated, because health care facilities are subject to a tremendous number of state and federal laws and regulations that govern how business must be conducted. As such, there are significant risks that a purchaser can inherit serious regulatory liabilities without checking to see how the entity is complying with these rules. With the right experts with experience in doing this kind of work, the time and costs for the due diligence review can be only a small fraction of the costs of either a financial or legal review. The reason is simple: financial and legal due diligence involves detailed examination of a large volume of information. Regulatory compliance experts know exactly where to look for any weaknesses without having to do a “deep dive.” As such, it is difficult to imagine why a party looking to make an acquisition would not want a regulatory due diligence review. High on the list for any review should be arrangements with referral sources—the highest enforcement priority of both the DOJ and OIG for many years—and review of the claims processing system and controls to ensure that there are no regulatory issues waiting to be discovered by CMS contractors or enforcement agencies. In virtually all cases, problems will be identified. In very few cases would they interfere with the decision to acquire, but identifying them is very likely not only to avoid a future liability but also to put on the table additional tools to improve the negotiation terms and conditions.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: October 2017 Work Plan update

This year, the OIG is updating its annual Work Plan during the year, rather than annually. The Work Plan sets forth various audits and evaluations that are underway or planned during the fiscal year and beyond. The updates will include the addition of newly initiated Work Plan items and removal of completed items. In conducting its work, the OIG assesses relative risks in HHS programs and operations to identify those areas most in need of attention. In evaluating potential projects to undertake, the OIG considers a number of factors, including mandates set forth in laws, regulations, or other directives; requests by Congress, HHS management, or the Office of Management and Budget; top management and performance challenges facing HHS; work performed by other oversight organizations (e.g., GAO); management’s actions to implement OIG recommendations from previous reviews; and potential for positive impact. In addition to working on projects that often result in audits, reviews, and reports, the OIG also engages in a number of legal and investigative activities that are separately reported.

5 New Projects Added

  1. Secretary Price’s Use of Chartered Aircraft for Federal Travel. Federal Travel Regulations provide limited instances in which chartered aircraft can be used for official Government business. OIG initiated a review of HHS Secretary Price’s use of chartered aircraft for Federal travel. He subsequently resigned and agreed to pay back funds improperly expended.

  2. Specialty Drug Coverage and Reimbursement in Medicaid. Medicaid spending on specialty drugs has rapidly increased. There is no standard definition for specialty drugs. They may be expensive; be difficult to handle, monitor or administer; or treat rare, complex or chronic conditions. OIG plans to determine states’ definitions of, and payment methodologies for, Medicaid specialty drugs and determine how much states paid for specialty drugs; and review strategies that states use to manage specialty drug costs, such as formularies, cost sharing, step therapy, and prior authorization.

  3. FDA Oversight of Risk Evaluation and Mitigation Strategies to Address Prescription Opioid Abuse. Opioid abuse and overdose deaths are at epidemic levels in the United States. The FDA has been provided legal authority to require pharmaceutical companies to develop Risk Evaluation and Mitigation Strategies (REMS), when the FDA determines that the risk of using a drug outweighs its benefit. Through the REMS program, the FDA intends to “increase the number of prescribers who receive training on pain management and safe prescribing of opioid drugs in order to decrease inappropriate opioid prescribing.” The OIG will conduct an evaluation on how the FDA determined the need for opioid REMS and determine the extent to which it has held pharmaceutical companies with required opioid REMS accountable for REMS assessments. The OIG also plans to determine the extent to which the FDA has held opioid REMS sponsors accountable for REMS goals to mitigate risks of misuse, abuse, addiction, overdose, and serious complications because of medication errors.

  4. Drug Traceability Test. Potentially dangerous drugs, including diverted, counterfeit, and imported unapproved drugs, can enter the supply chain and pose a threat to public health and safety. The Drug Supply Chain Security Act (DSCSA) provides the FDA and others with new tools to prevent the introduction of harmful drugs into the supply chain and to identify and remove them. DSCSA requires trading partners to exchange drug product tracing information when they take ownership of drugs, resulting in a tracing record that the FDA and others can use to investigate suspect and illegitimate drugs. Ensuring that DSCSA’s drug product tracing requirements function as intended will help the FDA respond effectively to potentially harmful drugs in the supply chain. The OIG plans to determine the extent to which selected drugs can be traced from the dispenser back to the manufacturer. This study—part of OIG’s body of work in this area—builds on the OIG’s previous examinations of trading partners’ early experiences exchanging drug product tracing information by testing the accuracy of those tracing records.

  5. Review of Medicare Payments for Bariatric Surgeries. Bariatric surgery is performed to treat comorbid conditions associated with morbid obesity. Medicare Parts A and B cover certain bariatric procedures if the beneficiary has (1) a body mass index of 35 or higher, (2) at least one comorbidity related to obesity, and (3) been previously unsuccessful with medical treatment for obesity. Treatments for obesity alone are not covered. The Comprehensive Error Rate Testing program’s special study of certain Healthcare Common Procedure Coding System codes for bariatric surgical procedures found that approximately 98 percent of improper payments lacked sufficient documentation to support the procedures. OIG auditors will review supporting documentation to determine whether bariatric services performed met the conditions for coverage and were supported in accordance with federal requirements.

Kusserow on Compliance: The OIG on Health IT security

Many are not aware that the HHS OIG boasts an A-class team that focuses on IT controls and engages in what it refers to as penetration testing, or “hacking” into IT systems and networks. With 100 million health care records already compromised and medical records serving as a top target for hackers, healthcare-related cybersecurity has become a high priority for the OIG. Health IT offers some unique challenges, in that health records are for a lifetime, whereas credit cards may have a shelf life, if they’re compromised, of just a day or two. This makes health records very valuable for criminals, who can often realize 60 times more than what a stolen credit card can yield on the dark web. Compromised health information could have wide-ranging consequences, including affecting credit and even someone filing a false tax return with the information. In addition to people’s personal information, there is concern about health care provider and managed care proprietary information.

The OIG IT audits begin with setting an audit objective, which varies according to what they are trying to accomplish. The OIG desires to provide transparent and objective assessments of the security posture of the systems within HHS and those that receive funding from HHS. The OIG engages in penetration testing as a means to help identify and address IT vulnerabilities. By engaging in penetration testing or “hacking into” IT networks, the OIG is able to provide chief information officers, and sometimes CFOs, with information regarding particular vulnerabilities. Among the common tests of IT systems is determining whether passwords are being changed periodically. The OIG’s stated guiding philosophy is that “what gets checked gets done.” By identifying vulnerabilities, the OIG draws management’s attention to addressing them and raises its awareness of cybersecurity.

The OIG wants to ensure that funds for cybersecurity, and ultimately for technology, are being used judiciously, and overall the OIG is working every day to protect sensitive personal and proprietary data. The OIG is using its resources to enhance awareness around cybersecurity. The OIG focuses much of its resources on IT controls for the Medicare enrollment database; however, the OIG does not confine its work to the Medicare and Medicaid space. The OIG is also looking at IT security at NIH, Indian health hospitals throughout the country, and FDA information on drugs and medical devices. The OIG typically addresses reports to senior level personnel, such as the CEO and Chief Information Officer, and often addresses reports to state administrators for Medicare and Medicaid.

Kusserow on Compliance: OIG reports the new Medicaid data system inadequate

The OIG reported that historical inadequacies in Medicaid data have hindered program integrity, research, budgeting, and policy. As a result, the OIG has designated the improvement of Medicaid data as a top HHS management challenge. In 2016, the federal Government and states spent $574 billion on Medicaid, serving more than 74 million enrolled individuals. Complete, accurate, and timely Medicaid data are vital for the effective administration and oversight of the Medicaid program by states and the federal Government. The Transformed Medicaid Statistical Information System (T-MSIS) is a new data system that was developed to improve the completeness, accuracy, and timeliness of Medicaid data. The OIG provided a status update on the implementation of T-MSIS, building on its previous review of the 2013 T-MSIS pilot.

In conducting its review, the OIG analyzed the implementation status of T-MSIS using 40 states’ approved plans for data submission and interviewed staff from CMS and 16 states about their experiences implementing T-MSIS. The OIG reported the following:

  1. States and CMS reported that early implementation challenges resulted in delays with T-MSIS
  2. Technological problems and competing priorities for states’ resources caused delays
  3. The goal date for when T-MSIS will contain data from all states has been repeatedly postponed
  4. CMS expects that all states will be reporting to T-MSIS by the end of 2017
  5. 21 of 53 state programs were submitting data to T-MSIS
  6. States and CMS continue to raise concerns about completeness and reliability of the data
  7. States indicate that they are unable to report data for all the T-MSIS data elements
  8. Even with a revised data dictionary for each data element, states and CMS report concerns about states’ varying interpretations of data elements
  9. Without uniform interpretations of data elements, the data submitted will not be consistent across states, making any analysis of national trends or patterns inherently unreliable.

The OIG concluded that successfully getting all states’ data into T-MSIS requires states and CMS to prioritize T-MSIS implementation. However, because of CMS’s history of delaying target dates for implementation, the OIG expressed concern that CMS and states will delay further rather than assign the resources needed to address the outstanding challenges. The OIG further noted that without a fixed deadline, some states and CMS may not make the full implementation of T-MSIS a management priority.
