Annual report to HHS for improving Medicare, Medicaid, and related services

HHS should undertake steps to (1) guard against fraud, waste, and abuse, (2) help beneficiaries and providers, and (3) implement better payment policies, according to the Office of Inspector General’s (OIG) annual report on the top unimplemented recommendations from the previous year. While the report ranged far and wide in its recommendations, including a suggestion to the FDA to improve food safety inspections, the bulk of the report was dedicated to addressing fraud, waste, and abuse in Medicare and Medicaid (OIG Report, July 22, 2019).

Background

Each year, the OIG creates a report that focuses on what it contends are the top recommendations for improvement in HHS programs that were not implemented over the past year. This report offers suggestions to both HHS and the FDA on where they should direct their reform efforts for maximum benefit.

The OIG made the following recommendation pertaining to fraud, waste, and abuse.

Inpatient rehab facilities 

In 2013, Medicare paid $5.7 billion to inpatient rehabilitation facilities (IRF) for care to beneficiaries that was not reasonable and necessary. The errors, the OIG said, were due in part to the fact that the payments to the IRFs were not properly aligned with the costs. The current system gives the IRFs a financial incentive to admit patients inappropriately. CMS is apparently evaluating the payment system, which includes a recently issued final year 2019 IRF prospective payment system final rule to update policies and payment rates for fiscal year 2019.

‘Least costly alternative’ Part B drugs

If the least costly alternative requirement had not been rescinded for Part B drugs, Medicare would have saved $33.3 million in one year ($264.6 to $231.3 million). Once the requirement was removed, utilization patterns shifted dramatically in favor of costlier products.

Part D drug oversight

Medicare Part D spending on compounded topical drugs soared from $13.2 million in 2010 to $232.5 million in 2016. Questionable billing practices seem to be concentrated in a few metropolitan areas. OIG has identified prescribers with troubling order patterns. States are hamstrung in their ability to prevent drug overpayments. State agencies need to know the 340B ceiling prices and which Medicaid claims are associated with 340B drugs to ensure that the claims are paid correctly.

Managed care organization improvements

OIG believes that a significant amount of underreporting of fraud and abuse is occurring in Medicaid involving managed care organizations. For example, even where a managed care organization discovers fraud or abuse, OIG says that it will handle the situation by itself (terminating the contract) rather than report it to CMS. CMS must do more to ensure that the organizations identify and refer fraud and abuse to the state.

Help beneficiaries and providers

In addition, the OIG recommended that CMS analyze the impact of counting time as an outpatient toward the 3-night requirement for skilled nursing facility services (SNF). Beneficiaries with similar post-hospital care needs have different access to SNF services depending upon whether they were outpatients or inpatients because of the requirement that the beneficiary spend at least three nights as an inpatient to obtain post-hospital SNF Medicare coverage. Furthermore, CMS paid an estimated $84.2 million in improper payments between 2013 and 2015 because SNFs incorrectly determined whether the 3-night requirement was met. CMS should consider changes to make the system fairer, which could include counting time as an outpatient.

FDA

The OIG had a single recommendation for the FDA, noting that deficiencies exist in the FDA’s electronic recall data system. The FDA relies too much on voluntary corrections by facilities. Just over half the facilities that were inspected and should have received warning letters actually received warning letters. The FDA also frequently fails to conduct timely follow-up inspections to ensure compliance. The OIG suggested that the FDA act to address these shortcomings.

EpiPen® misclassification cost $1.27B over 10 years, says OIG

If the EpiPen® had been classified as brand name instead of generic for purposes of the Medicaid Drug Rebate Program, CMS would have saved $1.27 billion from 2006 to 2016, the HHS Office of Inspector General (OIG) found. This estimate is far greater than the $465 million settlement that the federal government and EpiPen’s manufacturer, Mylan Inc., entered into in October 2016 concerning the classification of the drug under the Program (see Mylan settles EpiPen Medicaid rebate dispute for $465M, Health Law Daily, October 11, 2016).

“The fact that the EpiPen overpayment is so much more than anyone publicly discussed should worry every taxpayer,” said Sen. Charles Grassley (R-Iowa). Grassley reported that CMS recently provided records showing that Mylan was made aware of the misclassification years ago but failed to act (see Federal EpiPen® spending up 463 percent, Mylan misclassified drug as generic, Health Law Daily, October 6, 2016). At the time Sen. Elizabeth Warren (D-Mass) opposed the settlement, calling it “shamefully weak” (see Warren: EpiPen® Medicaid rebate settlement shows ‘crime does pay,’ Health Law Daily, October 26, 2016).

Manufacturers generally owe a higher rebate amount for brand-name drugs than generic under the Medicaid Drug Rebate Program. The basic rebate amount for a generic drug is based on a percentage (currently 13 percent) of its average manufacturer price (AMP) (see 42 C.F.R. Sec. 447.509). The basic rebate amount for a brand-name drug is based on the greater of (1) a fixed percentage (currently 23.1 percent) of the drug’s AMP; or (2) the different between the drug’s AMP and best price. In addition to the rebate amount, manufacturers of brand-name drugs (and, beginning in 2017, manufacturers of generic drugs) pay an inflation-related rebate amount if a drug’s price has increased more than the rate of inflation.

The EpiPen controversy led Grassley to request that the OIG review the Medicaid Drug Rebate Program (see HHS Inspector General to investigate Medicaid Drug Rebate Program, Health Law Daily, December 12, 2016).

Kusserow on Compliance: OIG and DOJ raising stakes on board compliance obligations

From the days of the first compliance guidance documents from the HHS Office of Inspector General (OIG), it has called for a “top-down” compliance program, beginning at the Board level. For example, it issued a joint White Paper, titled Practical Guidance for Health Care Governing Boards on Compliance Oversight,” which emphasized holding boards more accountable for proper oversight of compliance within their organizations. Language from these pronouncements about Board obligations and use of compliance experts is now included in corporate integrity agreements (CIAs). During the 2017 Health Care Compliance Association (HCCA) Compliance Institute, speakers from the OIG discussed a number of changes in CIAs, including new mandates for Board members. The OIG believes a key factor in determining effectiveness of the compliance program is how well the Board has been meeting its fiduciary duties and responsibilities for overseeing compliance. If it finds the organization has an effective program with proper oversight by the Board, the OIG may decide that a CIA is unnecessary or mitigate terms and conditions.   However, if it finds the program is inadequate, there will be a CIA and it will include stringent requirements for the Board. Among the best practices for Boards is to include one or more members who are “compliance literate” to ask the right questions and assess program effectiveness.  A compliance-literate person is someone with experience and expertise from having been a compliance officer or a consultant to compliance programs.  Alternatively, Boards should engage compliance experts to provide advice on asking compliance officers the right questions, evaluating the answers, and determining what metrics to rely upon in determining compliance program effectiveness.  By following one or both of these steps, Boards can go a long way to ensure they are meeting their fiduciary duties and responsibilities.

The Department of Justice (DOJ) has also been ramping up to better focus on Boards meeting their fiduciary obligations in guarding against corporate wrongdoing. Its Fraud Section published “Evaluation of Corporate Compliance Programs” as guidance for compliance officers on how the adequacy of their companies’ compliance programs is evaluated by prosecutors.   They laid out a series of questions prosecutors are likely to ask in evaluating the effectiveness of compliance programs. The following highlights questions that relate to Board involvement in compliance oversight.

  • What compliance expertise does the Board have or not have to meet its fiduciary obligations?
  • How frequently does the Board meet with the compliance officer and outside experts (auditors and consultants) outside the presence of management?
  • What information does the Board receive to assist it in its compliance oversight?
  • How does the Board evaluate the compliance program effectiveness?
  • How does the Board determine resources necessary for the operation and management of the compliance program?
  • How have management and the Board followed up on identified potential problems?

Tips and suggestions for compliance officers

Compliance officers should:

  • educate the Board on its fiduciary obligations and personal consequences for not meeting them;
  • meet with the Board regularly, including in executive session without management presence;
  • ensure that the Board receives all types of relevant audit findings and remediation progress reports on a regular basis;
  • urge the Board to include one or more members who are “compliance literate” to assist in evaluating compliance program effectiveness and be able to ask the right questions; and
  • engage compliance experts to assess the program before encountering the DOJ and OIG and use results to brief the Board evidencing they are providing active compliance oversight.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: More details on new DOJ corporate compliance guidelines

Previous blogs outlined the Department of Justice (DOJ) Fraud Section’s “Evaluation of Corporate Compliance Programs” guidance for compliance officers. Since then, many have inquired about getting more specific details on questions the DOJ is now using to determine the adequacy of compliance programs, particularly as they relate to management and Board oversight.  Subsequent to the publishing of the Evaluation, the HHS Office of Inspector General (OIG) at the recent Health Care Compliance Association (HCCA) Compliance Institute also reported modifying its corporate integrity agreements (CIAs) to increase accountability of organization leadership, including the Board, that follows a similar path to that of the DOJ.  With these changes in mind, the following recaps in more detail the DOJ list of “important topics and sample questions” it now uses when evaluating the effectiveness of corporate compliance programs. This 119-question resource offers great insights for compliance officers working to build and enhance their compliance programs. These guidelines have grown out of the DOJ’s hiring of Compliance Counsel Expert Hui Chen in November 2015. One thing to remember about these guidelines is that they relate to all industry sectors.  As such, they track with the U.S. Sentencing Guidelines, but don’t focus on the health care sector in the way the OIG compliance guidance documents do.

Filip Factors

The Principles of Federal Prosecution of Business Organizations in the United States Attorney’s Manual describes specific factors that prosecutors should consider in conducting an investigation of a corporate entity, determining whether to bring charges, and negotiating plea or other agreements. Commonly known as the Filip Factors, they include “the existence and effectiveness of the corporation’s pre-existing compliance program” and the corporation’s remedial efforts “to implement an effective corporate compliance program or to improve an existing one.” The guidance was formulated to evaluate compliance programs after violations have been discovered and examining the existing misconduct as the benchmark against which the compliance program will be evaluated. It focuses on testing existing compliance programs and outlining steps that should be taken when problems are discovered to demonstrate a pre-existing commitment to compliance. It is also intended to inform the public about federal prosecutors’ review of compliance programs under the Filip Factors. There were eleven highlighted topics covered, as noted below, along with tie-in with OIG guidance, and followed with types of questions that one can expect the DOJ to ask when it confronts corporate misconduct.

 1. Analysis and remediation of underlying misconduct. The OIG guidance stresses seeking out weaknesses identified to ensure they are addressed and prevent misconduct in the future.

  • Has the organization done an analysis to see if there was a systematic failure in compliance?
  • Did the company miss prior opportunities to detect the misconduct?
  • Has the company evaluated why those opportunities were missed?
  • What remediation was undertaken once a problem was discovered?
  • What specific changes has the company made to reduce the risk of a reoccurrence?

2. Senior and middle management. This tracks to the OIG call for “top-down” compliance programs beginning at the Board and executive levels and cascading down through all levels of management.

  • Did senior managers, through their words and actions, encourage or discourage the misconduct in question?
  • Has senior leadership taken concrete steps to demonstrate commitment?
  • Does the Board have access to the right expertise to help it perform its oversight function?

3. Autonomy and resources. Prosecutors look for signs of “autonomy,” such as whether compliance personnel have “direct reporting lines to anyone on the board of directors” and whether “relevant control personnel in the field have reporting lines to headquarters.” The OIG has been calling for this type of independence for compliance offices for decades, which permits unfiltered information to flow between the compliance officer, CEO, and Board. The DOJ also looks for signs of “empowerment,” such as instances where “specific transactions or deals . . . were stopped, modified, or more closely examined as a result of compliance concerns.”  With the relatively recent hiring of full-time compliance counsel at the Fraud Section, this has been a particular point of focus.

  • Does the compliance function have the right resources and stature within the company to perform effectively?
  • Was the compliance department involved in the training and decisions relevant to any misconduct?
  • Does the compliance department have appropriate independence?

4. Policies and procedures. Policies and procedures are a foundational component of any corporate compliance program, and the Compliance Program Guidance devotes considerable attention to this topic, as does the OIG in its guidance documents. As a threshold matter, prosecutors consider the “design and accessibility” of policies and procedures—including whether they are tailored to a company’s risk profile, have been effectively implemented and communicated, and have been evaluated to ensure usefulness. Prosecutors also consider the “operational integration” of a company’s compliance policies and procedures—including the adequacy of payment systems and other controls that should have helped detect or prevent misconduct.

  • Did the company have policies and procedures in place that prohibited the misconduct?
  • Has the company assessed whether its policies and procedures were effectively implemented?
  • Are key gatekeepers adequately trained?
  • Was the program properly integrated and were adequate controls put in place to detect misconduct?

5. Risk assessment. This factor relates to the OIG guidance relating to ongoing monitoring and auditing of high risk areas.

  • What methodology has been used to identify, analyze and address the risks the organization faced?
  • Does the company collect information and metrics to adequately assess risks?

6. Training and communications. As with the OIG guidance, there is considerable expectation that all covered persons will undergo compliance training on high risk areas, governing laws and regulations, and what to do when misconduct is believed to have occurred.

  • What training was in place and is it properly tailored for high-risk or control employees?
  • Is the training offered in the right form and language for the target employees?
  • How does the company communicate to employees about any misconduct that does occur?

7. Confidential reporting and investigation. Like the OIG, the new guidelines focus on the means by which employees and others may report potential wrongdoing, as well as how this information is acted upon by the organization.

  • Does the company have in place an effective way of collecting and analyzing allegations of misconduct?
  • Does the company ensure investigations have been properly scoped, conducted, and documented?
  • Did the investigation look to root causes of the misconduct?
  • Did the investigation go high up enough in the company?

8. Incentives and disciplinary measures. The OIG stresses consistent implementation of disciplinary action for wrongdoers, without regard to station within the organization.

  • Is there proper accountability, as demonstrated by discipline for managers under whose watch misconduct occurred?
  • Is the application of discipline consistent?
  • Is there an incentive program for good compliance and ethical behavior?
  • Can the company point to specific examples of actions taken (such as promotions or awards denied) as a result of compliance and ethics considerations?

9. Continuous improvement, periodic testing, and review. The OIG calls for compliance officers to ensure that there is an audit work plan that focuses on identified high-risk areas. Many of these high-risk areas are specifically identified in its compliance guidance documents, advisory opinions, annual work plans, etc.

  • What types of audits would have identified the misconduct at issue and were they conducted?
  • Did management and the board follow up on audit findings and failures? Does the company test its controls?
  • Does the company routinely update its compliance program and make sure it adequately addresses current risks?

10. Third party management. In the case of the OIG, considerable attention and concern is placed on arrangements with individuals in a position to influence the flow of business. It calls for an Arrangements Database that includes processes, policies, and monitoring of such agreements.

  • Does the company’s third party management process adequately analyze risk?
  • Are there appropriate controls with regard to third parties?
  • Does the company adequately respond to third-party red flags?
  • Has company suspended, terminated, or audited a third party as a result of compliance issues?

11. Mergers and acquisitions (M&A). This analysis focuses on due diligence and integration.

  • In the event misconduct is discovered after a merger, was proper due diligence conducted during the M&A process?
  • How has the compliance function been integrated into the M&A process?

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.