Centers for Medicare & Medicaid Services (CMS) has published a proposed rule that will have the net affect of increasing Medicaid payments for some services provided in a primary care setting. The propsed rule, which was published on May 11, 2012 would implement provisions of the Patient Protection and Affordable Care Act that requires that Medicaid reimbursement for certain primary care services be increased to Medicare levels instead lower Medicaid rates that have been established by the states.  The rate increases apply to primary care services provided by family medicine, general internal medicine, or pediatric medicine physicians.  The increased payment for these services will be funded by the Federal government.

Use Corporate Compliance Week To Increase Aweness of Your Compliance Program

This week (May 6-12, 2012) has been designated as Corporate Compliance and Ethics Week by the Society of Corporate Compliance and Ethics and the Health Care Compliance Association.  Corporate Compliance Week is a great time for you to reinforce the message of compliance throughout your organization.  At a minimum you should use this opportunity to publicize your program, hot-line and reporting system and anti-retaliation policy. 

Some ideas to help you leverage Corporate Compliance Week to increase the visibility if your compliance program include:

- Send E-mail to all employees announcing that it is Corporate Compliance week.

- Release a special compliance week newsletter or alert.

- Publish a quiz about information that all employees should know about the compliance program.

- Release a message on compliance from the CEO and/or Compliance Officer.

- Have a breakfast, lunch or “meet and great” with a brief message about the compliance program.

- Post signs in break and other visible areas announcing Corporate Compliance Week and your compliance program.

- Hold a raffle and have employees complete a brief questionnaire on the basics of the compliance program in order to enter.

With a little creativity, you can make the most of Corporate Compliance and Ethics Week.  Your focus should be to enforce compliance as a positive element of your corporate culture.  Reinforce the message that the organization encourages reporting of compliance concerns through its reporting system and takes information that it receives seriously.  You should also reinforce the organizations intolerance for retaliation or retribution against parties that provide compliance information.

Take this opportunity to have fun with your compliance program and put a positive face on your efforts.  Take the information that you learn through the interactions that you have with employees to make improvements to your compliance program.

 Ruder Ware has an active Corporate Compliance and Ethics practice.  We counsel clients in a variety of industries, including healthcare, transportation, banking and manufacturing on various aspects of their compliance and ethics programs.  We assist clients in assessing the effectiveness of programs and suggesting steps to take in order to increase program effectiveness.  Ruder Ware is actively involved in the Society of Corporate Compliance and Ethics and the Health Care Compliance Association.  Two of our attorneys recently attended the Midwest meeting of the SCCE.  One of our attorneys is Certified in Healthcare Compliance through the Health Care Compliance Association.

As Meaningful Use Deadlines Approach

As the meaningful use deadline approaches, many providers are scrambling to implement electronic health records.  The agreements surrounding licensing, implementation, and support of EHR systems are some of the most important agreements that a health care provider will enter.  Unfortunately, many smaller providers put little effort into negotiating terms that help assure that the product functions like it is supposed to and that the implementation takes place in a timely and efficient manner.

             We routinely become involved in the negotiation of EHR agreements.  Some of the important issues that we address include:

•  Creating an appropriate project milestone system to assure timely project flow.
• Coordination between vendors in multi-application systems.
• Requiring that functional specifications are well-defined.
• Assuring compliance with HIPAA and state laws, particularly with respect to data conversion.
• Negotiating warranties, including meaningful use warranties.
• Protecting against “runaway” implementation and support costs.

             The agreements relative to EHR implementation can be very complex.  Each vendor has their own license form and it can be overwhelming to work through the issues to determine how to best protect the interest of the provider.  Our experience in these issues will be a valuable resource to any provider addressing EHR implementation issues.

John Fisher, CHC

The current health care regulatory environment presents a high degree of risk to even the most well-intentioned provider.  Recent legal changes have made it even easier for the government to pursue what they believe to be improper activities.  The government is taking a “return on investment” approach to pursuing health care fraud and is coming out on the winning end of this game.  Reports state that the government collects approximately $15 for every $1 that they invest policing health care fraud.  In addition, Whistleblowers continue to bring a steady flow of cases against health care providers.  Even though there is a dispute over certain aspects of health care reform, the area where all ranges of the political spectrum appear to agree is on pursuing health care fraud.  Therefore, we cannot expect this climate of enforcement against health care providers to go away anytime soon.

 While the government continues with its “pay and chase” approach to health care fraud and overpayments, it is also integrating even more drastic measures into its bag of tools.  The government is now authorized to discontinue making payments to a provider altogether upon receiving any “credible allegation” of misconduct.  The allegation does not need to be proven to be true and there is not even a formal procedure to permit the provider to make its case.  Yet, the financial consequences of suspending payment can be devastating.

 Chances are very good that an individual provider will eventually have dealings with the government over some overpayment or fraud and abuse issue.  If you have not had to deal with an investigation, you are very fortunate.  Even the best intentioned providers will more likely than not need to deal with government scrutiny.  When that occurs, it serves the provider well to have an appropriately scaled compliance program that is being actively worked to identify risk areas, billing mistakes, and other possible difficulties.  Having an effective compliance program in place is the best way to turn the problem into something that is manageable, and turn it away from an enforcement action that can have grave consequences on operations and financial viability.

 At Ruder Ware, we have assembled a multidisciplinary team of attorneys to assist providers in compliance matters.  Our compliance team is lead by John H. Fisher, III, who is a seasoned health care attorney and is certified in health care compliance.  Our compliance team can assist providers through the process of structuring an appropriately scaled compliance program, reviewing existing compliance program for effectiveness, and assisting with ongoing operational issues related to compliance programs.

 Our compliance team brings a depth of experience in the wide range of compliance issues that affect various types of providers, such as the Federal False Claims Act, the Stark Law, Anti-Kickback Statute, Civil Monetary Penalties laws, and various legal and billing issues that pertain to the specific practice or provider.  We can suggest practical approaches for identifying specific risk areas and crafting plans to minimize risks in those areas.

 We are able to work with compliance departments to fashion methods for handling issues that arise through their compliance reporting systems, including the creation of corrective action plans.  We advise providers regarding identification, repayment of overpayments, and where necessary, self-disclosure of legal violations to the appropriate governmental agencies using self-disclosure protocols.

When compliance problems are identified, it is critical that providers take appropriate actions to make repayment, appropriately investigate, and craft a proper resolution that avoids reoccurring or deeper difficulties.  We are able to assist with these matters under the attorney-client privilege to determine the nature and scope of any discovered compliance concern.  We can direct investigations and take necessary steps to remedy the problem, all while maintaining client confidentiality.

As with any other legal issue, prevention is the best medicine.  Although we are equipped to assist providers as difficulties arise, we prefer to assist providers to ensure that their compliance programs are effective and appropriately tailored to the size and nature of their particular business.  Ruder Ware’s compliance team has experience conducting compliance effectiveness review and “gap analysis.”  This process involves in-depth due diligence review of matters relative to your compliance program, an assessment of the program, and specific recommendations aimed at making the compliance program more effective.

American Hospital Associations Comments

American Academy of Family Practitioners

Healthcare Financial Management Associations

Association of American Medical Colleges

 The Affordable Care Act required department of Health and Human Services to create a voluntary self-disclosure protocol relating to Stark law violations. The centers for Medicare and Medicaid services issued the disclosure protocols on September 23, 2010.

 The recent report that was issued by CMS was statutorily required. The report indicates that since September 23, 2010 a total of 148 healthcare providers have submitted disclosures relating to violations of the Stark law. 51 of these disclosures are still awaiting review by CMS.  An additional 61 disclosures are awaiting additional information from the disclosing party.

 As of the current date, CMS has resolved six disclosures through settlement. These settlements have collected approximately $783,000.

 Go to the following link for a complete copy of the CMS report on the self-disclosure protocols.

Recent enforcement actions and public comments by enforcement officials make it clear that parties who are responsible for health care fraud enforcement plan, to focus more on the Responsible Corporate Officer Doctrines (“RCO Doctrine”) as a tool to fight health care fraud.  Comments by Wisconsin Bar Health Law Seminar are just one example of the new focus on the RCO Doctrine.

            The RCO Doctrine was derived from the United States Supreme Court’s decision of U.S. v. Park.  The RCO Doctrine permits corporate officers to be held personally responsible for the criminal acts committed at the corporate level.  The RCO Doctrine is a draconian measure that can hold corporate officers liable as long as they were in a position to prevent a legal violation.  Park permits application of the doctrine even in cases where the corporate officer does not have actual knowledge of, or has not actually participated in, the alleged violation.

            Health care is one area where the RCO Doctrine is being increasingly used as an enforcement tool.  The doctrine is being actively used to pursue corporate officers who are in a position of authority regarding the alleged violation.  Some cases have even upheld the application of the RCO Doctrine against a corporate officer even when the corporation itself is acquitted of the charges.

            The RCO Doctrine can be used against virtually any corporate officer, including the CEO, president, vice president, secretary, treasurer, general counsel or virtually any other management-level functionary.  Health care is particularly susceptible to the use of the RCO Doctrine.  In many cases, enforcement officials do not want to take action that could adversely affect availability of health care services to the community.  This causes officials to focus on individuals in management.  In fact, some officials take the position that where health care fraud occurs, someone must be criminally charged.  This is a growing enforcement trend that makes health care management particularly vulnerable.  In fact, some recent cases have gone so far as to charge legal counsel with criminal violations, raising issues regarding the role of in-house legal counsel in compliance roles.

            The emergence of the RCO Doctrine places a spotlight on the duty of corporate officers to be certain that systems are in place to ensure that legal violations do not occur.  Systems should also focus on promptly remedying compliance concerns before they spin out of control.

            Health care organizations are actively using compliance programs to minimize compliance risk.  These programs should be a continued focus of health care organizations as a method to reduce legal risk.  The programs should be flexible to address areas of risk that apply to the specific organization.  Policy changes, training and actions should be taken where areas of risk are identified.

            The Affordable Care Act creates mandatory compliance program obligations on most health care organizations.  Organizations that receive $5 million or more of Medicaid revenues must adopt most elements of a compliance program.  Nursing homes will need to certify that they have compliance programs in place by 2013, with other provider types following thereafter.  Many institutions have already implemented compliance policies, but should take the opportunity to audit their programs for effectiveness.  Smaller providers such as physician practices will need to adopt compliance programs for the first time in response to the Affordable Care Act.

            A well-designed, effective compliance program may be your best defense to the possible application of the RCO Doctrine, in view of the increased focus on that doctrine by law enforcement.  When it comes to the RCO Doctrine, it is what you do not know that can hurt you.  For this reason, it is critical to develop compliance systems to ferret out possible problems and solve them before they grow into larger problems.

CMS has released a long awaited proposed rule defining provider obligations to report Medicare and Medicaid over-payments within 60 days of identification.  Section 6402 of the Patient and Program Protection Act created possible False Claims Act liability and possible program exclusion for the knowing concealment or avoidance of a repayment obligation.  The new proposed rule is intended to add definition to the general obligation that was included in the initial statutory provisions.  Section 6402 of PPACA requires providers to report and return over-payments within 60 days of identification.  The original statute broadly defined the provider obligations but did not provide specifics on several topics such as when an overpayment is deemed to be “identified” or how long providers were obligated to look back when identifying potential over-payments.

The Proposed Rule created an extremely onerous look-back period of ten years.  This means that providers will be obligated to report overpayment obligations that they discover which date back as far as ten years from the date of discovery.  The actual disclosure rules are somewhat less oppressive than the self disclosure rules that were already in place with regard to the Anti-kickback Statute and the Stark Law.  Nevertheless, many aspects of the proposed regulations, and in particular the ten year look-back rule, are likely to generate comments from affected parties. The specific requirements of the self disclosure rule leave much room for debate over several issues such as the level of detail that is required to be included in the disclosure.  There will certainly be a lot of debate at upcoming conferences that begin to dissect the specifics of the proposed regulations. 

The 60 day clock once an overpayment has been identified.  The proposed rule considers an overpayment to be “identified” when (i) there is actual knowledge that an overpayment exists, (ii) there is a reckless disregard or deliberate ignorance that an overpayment exists.  There will be a lot of debate over when someone obtains “actual knowledge.”  There will likely be even more debate over when someone begins acting in “reckless disregard” that an overpayment exists.  The “reckless disregard” standard involves an imputation of knowledge to an individual and will revolve over the facts that were present or should have been observed.  This requires a objective imputation of a subject standard of “identification.”  These areas of the law always involve much debate.  The definition that CMS chose for “identification” forces providers to be overly diligent in their proactive efforts to uncover billing inaccuracies.  Virtually any error that goes uncovered and could lead to a repayment could be imputed to the provider under the “reckless disregard” standard.  The entire standard contemplates the use of a diligent system of audits being put in place in order for a provider to demonstrate that they have not acted in deliberate ignorance or reckless disregard of the existence of an overpayment.  The standard that CMS set is just a further indication that the Federal government is attempting to push past the “pay and chase” approach of the past toward a system that requires providers to actively police themselves for errors.

To put this in perspective, failure to report an “identified” overpayment within 60 days opens the provider to liability under the False Claims Act.  The False Claims Act providers for penalties of three times the actual amount of the overpayment, plus between $5,000 and $11,000 per claim.  If a provider discovered a systematic error that may have led to a significant number of claims being overpaid, the amount of financial exposure under the False Claims Act can be very substantial; substantial to the point of presenting a grave threat to financial viability in some cases.  Under the Proposed Rule, reporting and repayment would be required for all  identified within ten years of receipt.  In the case of the discovery of a systematic billing problem, this could require repayment for the past ten years of claims.  If the False Claims Act obligation is applied to the entire look back period, the amount due grows exponentially.

If the proposed rule is finalized in its current form, it should have a very significant affect on compliance activities.  In order to meet the “reckless disregard” standard, providers will need to engage in very robust auditing and monitoring programs; in most cases much more extensive than are currently being utilized.  Some compliance officers tend to rank risk by the degree of potential consequences to the organization.  Risk identification is a function of two factors; the likelihood of a matter occurring and the degree of consequences.  What the CMS overpayment disclosure rules do, in conjunction with the False Claims Act damage computation, is to greatly increase the consequences of systematic billing errors.  The only way for a provider to prevent these errors, or at least create a plausible argument that it was taking appropriate steps to flush out errors, is to implement a robust auditing program.

Keep in mind that these rules do not only apply to large health care providers.  They also apply to individual and small physician practices and other small health care companies.  The potential impact on smaller organizations can be even more severe.  The recent health care reform law made compliance programs mandatory for most providers starting with nursing homes in 2013.  Mandatory compliance programs will extend to other types of providers as regulations are put in place.  In view of the proposed repayment regulations, providers of all size should seriously look at the areas of risk that apply to their operations and implement compliance programs that include an audit plan that is tailored to the provider’s specific risk areas.

The Office of Inspector General has encouraged health care providers to adopt compliance programs since the late 1990s.  Most larger organizations have implemented compliance programs as a way to detect and mitigate risk of non-compliance and to reduce penalties if a problem is detected.  However, many smaller providers, such as physician practices, have not adopted any type of formal compliance program.  The Patient Protection and Affordable Care Act (the “PPACA”) makes compliance programs mandatory for the first time  for all suppliers and healthcare providers enrolled in federal healthcare programs. Providers of all sizes will be required to certify that they have an effective compliance program in place as a condition of participation of federal healthcare programs.

The Office of Inspector General is charged with issuing regulations that define the core elements that providers must implement in order to certify compliance with the mandatory compliance program requirement.  The first set of regulations have been issued relative to nursing home who must certify their compliance programs as of 2013.  Regulations addressed at other provider types have not yet been issues but are expected soon. We can expect that the regulations will be similar to the guidance that has been provide by the OIG covering various industry sectors over the years.

Requirements for nursing home compliance plans have been released.  The nursing home regulations require the following:

• The adoptions of formal written compliance policies, standards and procedures that are effective at reducing the risk of compliance violations.
• The assignment of compliance responsibility to a Specific individual within the organization.  The individual should be a high ranking member of the management team and should report directly to the governing body.
• The compliance program must be adequately funded to assure its proper operations.
• Systems must be put in place to assure that authority is not delegated to individuals who may show a propensity to commit compliance violations.  For example, a program should be put in place to screen employees, staff members, vendors and others against OIG and GSA exclusions lists.
• The program elements and the ability to report compliance violations must be stressed and an atmosphere of compliance should be created.
• A strong system of anti-retaliation for individuals reporting compliance concerns must be maintained and communicated throughout the organization.
• Effective communication of the standards and procedures to all employees and required participation in training programs.
• Systems of monitoring and auditing should be put in place to help detect potential practices that could lead to compliance violations.
• Disciplinary processes must be maintained in order to enforce the compliance program.  Discipline should be coordinated with existing policies and procedures regarding employee discipline.
• The compliance program should “learn from itself.”  In other words, systems of corrective actions should be put in place that includes revisions of policies and procedures based on compliance concerns that are detected or reported.
• Continued review of the effectiveness of the compliance program should be undertaken.  Simply having a compliance program in place is not sufficient.  The organization must assure that the program is effective by continually reassessing and testing the program.

The exact date that compliance programs will become mandatory is not yet certain.  Nevertheless, enforcement activity is on a rise.  Prudent providers will take proactive efforts to reduce their compliance risks.  This includes that creation of an effective compliance program that is specifically tailored to the compliance risks associated with the specific provider.  Many smaller providers have never contemplated creating such a program in the past.  Mandatory requirements, increased enforcement activities and penalties, are all factors forcing providers to take proactive steps to reduce their exposure.  This creates a disproportionate burden on smaller providers such as small group practices.  At the same time, the OIG has in the past recognized that smaller organizations do not need to go to the same extremes as larger systems to meet their compliance obligations.  In other words, compliance programs are permitted to have a degree of scalability and allow for the size and resources of the organization.  It is critical for small providers to know where to place their compliance resources.  A “shotgun” approach will provide very little benefit.  Creating an overbroad plan that can never be operationalized does nothing more than create a roadmap leading authorities to the actions that your organization is not taking.

It is most prudent for providers of all sizes to have some level of compliance plan in place sooner rather than later.  A well focused plan scaled to your biggest risk areas is much better than a robust plan that you can never operationalize.  The point is to start with your compliance efforts and build upon them as time passes and new risk areas are identified.  Your plan should be structured to operationalize the identification of risk areas and address them as they arise in your practice.

Screening For Excluded Providers
Key Elements Of Your Compliance Program

Most hospitals and larger healthcare organizations have gone through the process of developing compliance programs and are aware of the prohibitions against entering relationships with parties who have been excluded from a federal health care program.  Smaller organizations may not be aware of their responsibilities to screen all employees, vendors and contracting parties for exclusion.

Providers, such hospitals, medical groups, ambulatory surgery centers and home health agencies are subject to civil monetary penalties for submitting claims for healthcare items or services that are provided by excluded individuals or companies.  Fines can reach as high as $10,000 per item or service.  The fines can be astronomical if goods or services are regularly provided by the excluded party.

For this reason, compliance programs will generally include policies and procedures that require screening prior to contracting or employment.  Regular periodic screening is also highly recommended.  Smaller organizations and physician practices are at the most risk of violating these provisions.  These organizations have generally not yet faced the creation of formal compliance programs; although compliance programs will be mandatory in upcoming years.

 All health care providers must establish policies and procedures to be certain that they do not contract with excluded parties.